
Accessing external WLAN captive portals when a company proxy is set

The client notebooks (Windows 10) of our company can only access the Internet using a proxy in our security infrastructure. When they are connected to an external (W)LAN, they use Citrix Netscaler VPN for connecting to internal services and our secure proxy. That works perfectly.

If they try to access an external WLAN with a captive portal web page though (for example in a hotel), they have to disable the proxy first, so that the captive portal can be loaded.

If users are allowed to remove the proxy, users easily find out that they can access the web bypassing our secure proxy.

Do you have any idea how to connect to a WLAN with a captive portal when a company proxy is mandatory? Is there maybe a WLAN-connection-client with an internal browser and individual proxy settings?

Best regards!
Chris

If a proxy is mandatory, and the proxy has a private address that is only accessible when connected over VPN, then unless the proxy is disabled, it is not possible to access a captive portal that is outside of the network.

As your supposed "WLAN Connection Client" is a web browser, and as the captive portal could be on any IP address or any host name, it would not be possible to restrict the "WLAN Connection Client" to only specific host names or IP addresses. You could try allowing access to RFC1918 addresses and IPv6 link-local addresses without a mandatory proxy, but I've seen captive portals that are on public addresses, and non-local IPv6 addresses...

I would suggest looking for an alternative to a mandatory proxy for roaming users, perhaps a hosted service such as Cisco Umbrella?

Author

Commented:
Hi Arne,

Thanks a lot for your answer! Unfortunately the private proxy currently has to be set according to the security policy of our (governmental) data provider.

Also thanks for your idea concerning alternatives. We will suggest that our data provider think about solutions like Cisco Umbrella.

Have a nice weekend and best regards!
Chris
I usually create a wrapper around the browser to temporarily remove the proxy config from the registry.
Note: this is not possible if the proxy is enforced via a machine policy; a regular user can't write to HKLM.

Something like:
rem turn off the per-user proxy (ProxyEnable is a DWORD; without /t, reg add writes REG_SZ)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
rem run IE for portal
start iexplore.exe
rem wait for user (up to 300 seconds)
timeout /t 300
rem turn the proxy back on
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f

Of course this can be made nicer, like checking for the Internet connection and turning the proxy on as soon as possible...
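
The refinement mentioned above (re-enable the proxy as soon as the portal has been cleared), as an added example that is not part of the original post. It assumes the proxy is set per user in HKCU rather than by machine policy, that the browser honours that setting, and that the Windows NCSI probe URL is an acceptable connectivity test; the variable and function names are hypothetical.

```powershell
# Added example, not the poster's script. Assumptions: per-user proxy in HKCU,
# NCSI probe URL reachable once the captive portal has been accepted.
$key      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$probeUrl = 'http://www.msftconnecttest.com/connecttest.txt'
$expected = 'Microsoft Connect Test'
$maxWait  = 300   # seconds; same upper bound as the timeout in the post

function Test-DirectInternet {
    # Direct (proxy-less) request. A captive portal redirects or rewrites the
    # body, so only the exact NCSI text counts as "portal cleared".
    try {
        $req = [System.Net.WebRequest]::Create($probeUrl)
        $req.Proxy = $null
        $req.Timeout = 5000
        $req.AllowAutoRedirect = $false
        $resp = $req.GetResponse()
        try {
            $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
            return ($reader.ReadToEnd().Trim() -eq $expected)
        } finally {
            $resp.Close()
        }
    } catch {
        return $false
    }
}

try {
    # Shortest possible window without the proxy: off, portal, poll, back on.
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
    Start-Process $probeUrl   # default browser is redirected to the portal page
    $deadline = (Get-Date).AddSeconds($maxWait)
    do {
        Start-Sleep -Seconds 5
    } until ((Test-DirectInternet) -or ((Get-Date) -gt $deadline))
} finally {
    # Runs on success, timeout, error or Ctrl+C, so the proxy is always restored.
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 1 -Type DWord
}
```

Closing the console window skips the `finally` block, so a logon script that forces `ProxyEnable` back to 1 is a useful backstop.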

Author

Commented:
Hi Michael,

That's a great idea! We'll try to implement such a wrapper.

Best regards!
Chris