Transparent or explicit HTTP proxy and multi-user objects

Multi-user objects

This option allows several users to authenticate from the same IP address (see the option Multi-user objects). For example, applications and data can be accessed from a remote computer (TSE server) while user-based filtering is still applied. This multi-user feature only applies to HTTP and HTTPS traffic.

Below is a brief description of the mechanisms that allow multi-user authentication. The various modes are covered in the following sections.

Cookie mode

Cookie mode makes it possible to use Multi-user objects. During the initial connection to every new website visited, the web browser captures authentication data in an authentication cookie that has several attributes. This data is then forwarded in requests that follow, to be intercepted by the firewall, which can then apply its policy.

In unsecured HTTP connections only, web browsers display an error message instead of the content of the requested website, because authentication cookies cannot carry the "Secure" attribute together with the "SameSite" attribute.
The web browser must be manually configured to allow browsing on websites queried over HTTP:

  • In Google Chrome:
    • Go to chrome://flags/,
    • Set the attribute Cookies without SameSite must be secure to Disabled,
    • Restart the browser.
  • In Firefox:
    • Go to about:config,
    • Set the attribute network.cookie.sameSite.noneRequiresSecure to false,
    • Restart the browser.
  • In Microsoft Edge:
    • Go to edge://flags/,
    • Set the attribute Cookies without SameSite must be secure to Disabled,
    • Restart the browser.
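To make the cookie-mode restriction concrete, the following added example (not part of this documentation) models the browser rule the flags above relax: a cookie with SameSite=None is discarded unless it also carries Secure, and a Secure cookie cannot be set over plain HTTP. The cookie name, value and simplified browser policy are assumptions for illustration.

```python
# Added example (not from the Stormshield documentation): checks whether a
# browser with the default "SameSite=None requires Secure" policy keeps an
# authentication cookie, depending on whether the page was loaded over HTTPS.
# Cookie names and values are constructed for illustration.

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into its name/value pair and attribute flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {"name": name, "value": value}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flag -> True
    return attrs


def browser_accepts(attrs: dict, over_https: bool,
                    none_requires_secure: bool = True) -> tuple:
    """Return (accepted, reason) for the cookie under the browser's SameSite policy.

    none_requires_secure=False models the browser flags described above
    (Chrome/Edge "Cookies without SameSite must be secure" set to Disabled,
    Firefox network.cookie.sameSite.noneRequiresSecure set to false).
    """
    secure = attrs.get("secure", False) is not False
    samesite = str(attrs.get("samesite", "lax")).lower()
    if secure and not over_https:
        # A Secure cookie delivered over plain HTTP is discarded by the browser.
        return False, "Secure attribute on a cookie delivered over HTTP"
    if samesite == "none" and not secure and none_requires_secure:
        return False, "SameSite=None without Secure is rejected by default"
    return True, "accepted"


# Constructed examples: the proxy's authentication cookie on an HTTP and an HTTPS page.
AUTH_COOKIE_HTTP = "snsauth=u123; Path=/; SameSite=None"
AUTH_COOKIE_HTTPS = "snsauth=u123; Path=/; Secure; SameSite=None"

if __name__ == "__main__":
    for hdr, https in ((AUTH_COOKIE_HTTP, False), (AUTH_COOKIE_HTTPS, True)):
        ok, why = browser_accepts(parse_set_cookie(hdr), over_https=https)
        print(f"{hdr!r} over {'HTTPS' if https else 'HTTP'} -> {ok}: {why}")
    # With the browser flag relaxed as described above, the HTTP cookie survives.
    print(browser_accepts(parse_set_cookie(AUTH_COOKIE_HTTP), False, False))
```

Running it shows the HTTPS cookie accepted, the HTTP cookie rejected by default, and the HTTP cookie accepted once the browser flag is relaxed.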

Authentication offered by the browser (HTTP code 407)

The Proxy-Authorization - HTTP code 407 method can be used only for explicit proxies. The HTTP protocol provides a field dedicated to authentication. The browser will prompt the user to authenticate via a message window and the connection information will be relayed to the firewall via the HTTP header. The security policy can then be applied.

The "Proxy-Authorization" (HTTP 407) authentication method via the browser does not support the SSL (certificate) and SPNEGO methods, as these do not go through the authentication portal (the portal must nevertheless be enabled).

NOTE
If an object is added to or deleted from the list of Multi-user objects, ensure that no authentication process relating to this object has been saved. Using Stormshield Network Realtime Monitor, check the use of this object in the User module and delete the authentication of any authenticated users by right-clicking on them – action "Delete user from ASQ".

Transparent proxy (implicit)

The transparent or implicit proxy filters user requests without any configuration on the client workstation (no proxy declaration in the browser). The firewall’s proxy will then intercept and filter all requests in order to allow or deny access to a website, for example.

This mode is recommended as it meets all requirements: authentication of the user according to the selected method, SSL filtering (blocking of websites in HTTPS, for example), etc. While this mode can use all other features, it cannot use the transparent SSO agent authentication method.

Single user:
  • Methods: all methods
  • Inspections: all inspections
Multi-user objects (Cookie mode):
  • Methods: all methods except SSO agent
  • Inspections: all inspections

Explicit proxy

When a proxy is entered in the browser, two modes of authentication are possible:

  • Standard or Cookie mode

This mode is easy to set up thanks to the Explicit HTTP proxy rule creation wizard, available in the Filtering module. Two rules are generated: one redirects traffic to the explicit HTTP proxy, and the other applies the filter policy. Requirements regarding user authentication must be stated in a rule inserted between the two rules that the creation wizard generates, i.e. after the redirection to the HTTP proxy and before the rule authorizing traffic via the Explicit HTTP proxy.

  • Authentication offered by the browser (HTTP code 407)

The feature Proxy-Authorization - HTTP code 407 can be enabled in the advanced properties of the HTTP protocol module (Proxy tab) accessible via the menu Application protection.

There are however certain restrictions to these modes, as shown in the table below:

Single user, Standard mode:
  • Methods: all methods
  • Inspections: all inspections except on SSL traffic; filtering by user
Single user, "Proxy-Authorization" code 407:
  • Methods: LDAP, RADIUS, Kerberos, SSO Agent
    Warning: passwords in plaintext (encoded in base 64)
  • Inspections: all inspections except on SSL traffic; filtering by user
Multi-user objects, Cookie mode:
  • Methods: all methods except SSO agent
  • Inspections: all inspections except on SSL traffic; filtering by user (HTTP only)
Multi-user objects, "Proxy-Authorization" code 407:
  • Methods: LDAP, RADIUS, Kerberos
    Warning: passwords in plaintext (encoded in base 64)
  • Inspections: all inspections except on SSL traffic; filtering by user

Content filtering can only be applied to HTTP traffic.
Filtering by user can be applied to HTTP and HTTPS, except for multi-user networks in Cookie mode (HTTP only).

In explicit mode, HTTPS traffic passes through the proxy via the HTTP CONNECT method. The HTTPS traffic is then encapsulated in HTTP, and this way of sending requests makes it possible to set up a relationship of trust between the client and the server.
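The following added example (not from this documentation) models the explicit-proxy exchange for an HTTPS site together with the "Proxy-Authorization" (HTTP code 407) method described above: the browser sends CONNECT, the proxy answers 407 with a challenge, and the browser retries with a Proxy-Authorization header. The challenge is modelled as HTTP Basic, which is an assumption consistent with the table's warning that passwords travel base64-encoded; decoding the header shows why that warning exists. Host name, realm and credentials are constructed.

```python
# Added example (not from the Stormshield documentation): a minimal model of the
# explicit-proxy CONNECT exchange with a 407 challenge. Decoding the resulting
# Proxy-Authorization header shows why the table marks the method
# "passwords in plaintext (encoded in base 64)". Host, realm and credentials
# are constructed values.
import base64
from typing import Optional

PROXY_REALM = "firewall-proxy"   # constructed realm name


def build_connect(host: str, port: int, credentials: Optional[str] = None) -> str:
    """Build the CONNECT request a browser sends to an explicit proxy."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if credentials is not None:
        token = base64.b64encode(credentials.encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


def decode_basic(token: str) -> tuple:
    """Recover user and password from a Basic token: base64 is encoding, not encryption."""
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


def proxy_handle(request: str, valid: dict) -> str:
    """Answer 407 until a valid Basic credential is presented, then 200."""
    for line in request.split("\r\n"):
        if line.lower().startswith("proxy-authorization: basic "):
            user, pwd = decode_basic(line.split(" ", 2)[2])
            if valid.get(user) == pwd:
                return "HTTP/1.1 200 Connection established\r\n\r\n"
    return ("HTTP/1.1 407 Proxy Authentication Required\r\n"
            f'Proxy-Authenticate: Basic realm="{PROXY_REALM}"\r\n\r\n')


if __name__ == "__main__":
    users = {"alice": "s3cret"}                     # constructed directory entry
    first = build_connect("intranet.example", 443)  # no credentials yet
    print(proxy_handle(first, users).splitlines()[0])        # 407 challenge
    second = build_connect("intranet.example", 443, "alice:s3cret")
    print(proxy_handle(second, users).splitlines()[0])       # tunnel established
    # The header between browser and proxy carries the password readably:
    token = second.split("Proxy-Authorization: Basic ")[1].split("\r\n")[0]
    print(decode_basic(token))
```

This is why the documentation restricts the 407 method to HTTP traffic inspections and flags the credential exposure: the browser-to-proxy leg must be protected by other means.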