SonicWall won't forward web proxy login
Posted on 2010-11-21
My customer uses an outside web proxy provider that has two methods of authenticating users: 'IP Range Authentication' and 'Explicit User Authentication'. Up until recently, this customer has just wanted to apply a single default web policy to all users, so we enabled 'IP Range Authentication' on the proxy service provider's console, provided the outside IP of the SonicWALL router, and configured the 'Web Proxy' option in the SonicWall (TZ 190 running SonicOS Enhanced 184.108.40.206-23e) to forward all web traffic to the provider's server (port 8080), which meant we didn't have to bother with all the proxy settings on the individual stations. This has worked just fine until now that the customer would like to have more granular control and reporting.
So the problem is that we switched from 'IP Range' to "Explicit User Authentication', but for some reason the login prompt from the proxy server doesn't come up when a user opens their browser. Instead it's a 'Cache Access Denied' error page coming from the proxy server (squid). I first thought it was a problem on the service provider's end, but I found that if I enable the proxy server on a machine inside the network instead of the Web Proxy page on the SonicWall it seems to work fine (i.e. login dialog box comes up when a user opens the browser, enters their username and password, and can continue to browse the Internet).
Something important to note: I'm aware that an LDAP-integrated solution is better in some circumstances, but aside from the fact that this form of authentication is what the customer wants, they are also in the middle of a domain migration from an underdeveloped Active Directory. This is also why I'm not going to just be able to setup a simple group policy as they have several thin clients that aren't even members of any domain yet. The web proxy forward mechanism on the SonicWall works well to solve this problem, but for some reason won't pass the login dialog prompt onto the user when we enable it on the proxy server.
In an effort to get something going I actually tried enabling the Premium CFS filter on the SonicWall to see if I could just move filtration to it to get around the problem, but found a totally new problem in that when I enable it on the SonicWall for some reason it seems to do nothing at all - no dialog prompt but no error either... just lets you browse the Internet as though there's no filter or authentication mechanisms at all.