Apple Mac OS X

One-to-One Devices

This section covers devices that are always used by the same person, such as devices deployed in a one-to-one arrangement or under a bring-your-own-device (BYOD) scheme. Scroll down for information regarding shared devices and multiuser servers.

It is preferable for client devices to be configured to use your non-transparent proxy, since only explicitly proxied traffic can be authenticated. However, this is often inconvenient on personally owned devices, and the transparent proxy can be used instead. Be aware of the transparent proxy's limitations, described at the end of this page.

  • The network that the device is being connected to should have its user identification profile set to Single User Devices.
  • If possible, configure your wireless network to use 802.1x (WPA2 Enterprise) authentication and to send RADIUS accounting updates to your Web Gateway / UTM.
  • If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
  • If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate. OS X devices can automatically log in to the captive portal using the WISPr protocol.

If the network's HTTPS interception mode is set to Active, you must install your unique Opendium interception certificate. Trusting it as a root allows the Web Gateway / UTM to decrypt the device's HTTPS traffic, so install only the certificate downloaded from your own gateway:

  • Launch Safari and browse to https://<your Web Gateway / UTM host name>/opendium.crt (this URI is displayed on the Web Proxy page)
  • Open the Downloads window
  • Double click the certificate; when Keychain Access asks which keychain to add it to, choose System so that it is trusted by every account on the machine
  • Enter an administrator password when prompted and click Modify Keychain
  • The Keychain Access window will appear showing the Opendium certificate
  • Double click the Opendium certificate
  • Expand the Trust section in the pop-up window and set "When using this certificate" to Always Trust, then close the window and authenticate again when prompted

Setting the proxy explicitly on a one-to-one device is optional (see above), but can be done by following these steps:

  • Launch System Preferences
  • Click Network and select the network service the device uses (e.g. Wi-Fi or Ethernet); proxy settings are stored per network service, so repeat these steps for each service that matters
  • Click Advanced
  • Open the Proxies tab
  • Set the proxy address to your proxy's fully qualified host name (e.g. proxy.example.com) and the port to 3128 for the HTTP, HTTPS, FTP and Gopher protocols
  • If the machine is not connected to a network that sends RADIUS accounting updates, you can tick the "Proxy server requires password" box and enter the user's login credentials to reduce reliance on the captive portal. The credentials are stored in that user's keychain, so only do this on a device that nobody else uses.

Shared Devices

This section covers devices which are shared between multiple users (one user logged in at a time), and are connected to the Windows domain. Scroll down for information regarding multiuser servers.

Client devices must be set to use your non-transparent proxy: Kerberos single sign-on is negotiated within the explicit proxy connection, and transparently intercepted traffic cannot be authenticated.

  • The network that the device is being connected to should have its user identification profile set to Workstations.
  • Launch System Preferences
  • Click Network and select the network service the device uses (e.g. Wi-Fi or Ethernet); proxy settings are stored per network service, so repeat these steps for each service that matters
  • Click Advanced
  • Open the Proxies tab
  • Set the proxy address to your proxy's fully qualified host name (e.g. proxy.example.com) and the port to 3128 for the HTTP, HTTPS, FTP and Gopher protocols

If the network's HTTPS interception mode is set to Active, you must install your unique Opendium interception certificate. Trusting it as a root allows the Web Gateway / UTM to decrypt the device's HTTPS traffic, so install only the certificate downloaded from your own gateway:

  • Launch Safari and browse to https://<your Web Gateway / UTM host name>/opendium.crt (this URI is displayed on the Web Proxy page)
  • Open the Downloads window
  • Double click the certificate; when Keychain Access asks which keychain to add it to, choose System, otherwise only the account that installed it will trust the certificate and other users of the shared device will see certificate errors
  • Enter an administrator password when prompted and click Modify Keychain
  • The Keychain Access window will appear showing the Opendium certificate
  • Double click the Opendium certificate
  • Expand the Trust section in the pop-up window and set "When using this certificate" to Always Trust, then close the window and authenticate again when prompted
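The certificate and proxy steps in this section and in the One-to-One Devices section are identical on every Mac, so for more than a handful of machines it is easier to script them. The following is an added example and not part of the Opendium documentation: it drives the same `networksetup` and `security` commands that the preference panes use, and adds a fingerprint check because the certificate is downloaded before it is trusted. The gateway host name, network service name, proxy host and the fingerprint passed to `apply` are assumptions to be replaced with your own values.

```shell
#!/bin/sh
# Added example (not Opendium's own code): scripted equivalent of the manual
# certificate-install and proxy steps for OS X, for rolling out to many Macs.
# GATEWAY, NET_SERVICE, PROXY_HOST and the fingerprint passed to "apply" are
# assumptions; replace them with your own values.
set -eu

GATEWAY="${GATEWAY:-gateway.example.com}"       # Web Gateway / UTM host name (assumed)
NET_SERVICE="${NET_SERVICE:-Wi-Fi}"             # as listed by: networksetup -listallnetworkservices
PROXY_HOST="${PROXY_HOST:-proxy.example.com}"   # proxy FQDN, as in the text
PROXY_PORT="${PROXY_PORT:-3128}"
CERT="${CERT:-/tmp/opendium.crt}"

# With DRY_RUN=1 every privileged or Mac-specific command is printed instead of
# executed, so the script can be reviewed on any host before it touches a Mac.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# SHA-256 fingerprint of a certificate file, in OpenSSL's AA:BB:... form.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Download the interception CA and add it to the System keychain as a trusted
# root for all users, the scripted form of "Always Trust" in Keychain Access.
# The download happens before the CA is trusted, so TLS alone cannot vouch for
# it: compare the fingerprint with one obtained out of band from the gateway's
# administrator before trusting anything.
install_cert() {
    expected_fp="$1"
    run curl -fsS -o "$CERT" "https://$GATEWAY/opendium.crt"
    if [ "${DRY_RUN:-0}" != 1 ]; then
        actual_fp=$(cert_fingerprint "$CERT")
        if [ "$actual_fp" != "$expected_fp" ]; then
            echo "refusing to trust $CERT: fingerprint $actual_fp != $expected_fp" >&2
            return 1
        fi
    fi
    run security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$CERT"
}

# Same settings as the Proxies tab: HTTP, HTTPS and FTP via proxy:3128.
# PROXY_USER/PROXY_PASS, if set, correspond to "Proxy server requires password"
# (one-to-one devices only; the password ends up in the user's keychain and,
# briefly, in the process list, so prefer RADIUS accounting where available).
set_proxy() {
    for kind in webproxy securewebproxy ftpproxy; do
        if [ -n "${PROXY_USER:-}" ]; then
            run networksetup "-set$kind" "$NET_SERVICE" "$PROXY_HOST" "$PROXY_PORT" \
                on "$PROXY_USER" "${PROXY_PASS:?PROXY_PASS required}"
        else
            run networksetup "-set$kind" "$NET_SERVICE" "$PROXY_HOST" "$PROXY_PORT"
        fi
    done
}

# Usage (as an administrator): sudo sh mac-proxy-setup.sh apply <SHA-256 fingerprint>
case "${1:-}" in
    apply) install_cert "${2:?expected certificate fingerprint required}"; set_proxy ;;
esac
```

Run it once with `DRY_RUN=1` to see exactly which commands will be issued, then as an administrator with the fingerprint obtained from whoever operates the gateway. If the fingerprint does not match, the script stops before anything is added to the keychain, which is the point: a device that trusts the wrong root will hand every HTTPS session to whoever holds that root's key.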

Troubleshooting

Shared devices should authenticate transparently using Kerberos single sign-on. If the device pops up authentication boxes rather than authenticating automatically, check that the clocks on both the device and the domain controller are correct: Kerberos rejects tickets when the two clocks differ by more than a few minutes (five by default). Also check that the user logged in with a domain account rather than a local one, since only a domain login obtains a Kerberos ticket. The Opendium server provides an NTP service and we recommend that your machines use it to keep their clocks synchronised.
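To narrow down a failing single sign-on quickly, the following added example (not Opendium's own code) checks the two conditions above from a Terminal on the shared Mac: whether the logged-in user actually holds a Kerberos ticket, and how far the Mac's clock is from the gateway's. The gateway host name is an assumption; the 300 second limit is the Kerberos default maximum clock skew.

```shell
#!/bin/sh
# Added example (not Opendium's own code): checks for the two usual causes of
# Kerberos authentication prompts on a shared Mac, a missing ticket and clock
# skew. GATEWAY is an assumed host name; MAX_SKEW is the Kerberos default.
set -eu

GATEWAY="${GATEWAY:-gateway.example.com}"   # Web Gateway / UTM, also the recommended NTP source
MAX_SKEW=300                                # Kerberos rejects tickets once clocks differ by >5 min

# klist -s exits 0 only when the current user holds a valid, unexpired ticket.
# A local (non-domain) login never gets one, so Kerberos SSO cannot work there.
check_ticket() {
    if klist -s 2>/dev/null; then
        echo "Kerberos ticket present"
    else
        echo "no Kerberos ticket: log in with a domain account (or kinit user@REALM)" >&2
        return 1
    fi
}

# Parse an RFC 1123 HTTP Date header value into Unix seconds on GNU or BSD date.
http_date_to_epoch() {
    if date --version >/dev/null 2>&1; then
        date -u -d "$1" +%s
    else
        date -u -j -f '%a, %d %b %Y %H:%M:%S' "${1% GMT}" +%s
    fi
}

# Absolute difference in seconds between two epoch times.
clock_skew() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( -d )); fi
    echo "$d"
}

# True when the skew is within what Kerberos tolerates.
skew_ok() {
    [ "$(clock_skew "$1" "$2")" -le "$MAX_SKEW" ]
}

# Compare this machine's clock with the gateway's, using the Date header of an
# HTTP response (1 s resolution: coarse, but needs no NTP client and is enough
# to spot a skew large enough to break Kerberos).
check_clock() {
    hdr=$(curl -fsSI "https://$GATEWAY/" | awk 'tolower($1)=="date:" {sub(/^[^ ]+ /, ""); sub(/\r$/, ""); print}')
    if [ -z "$hdr" ]; then
        echo "no Date header from $GATEWAY (is its certificate trusted yet?)" >&2
        return 1
    fi
    remote=$(http_date_to_epoch "$hdr")
    now=$(date -u +%s)
    skew=$(clock_skew "$now" "$remote")
    if skew_ok "$now" "$remote"; then
        echo "clock skew ${skew}s against $GATEWAY: OK"
    else
        echo "clock skew ${skew}s exceeds ${MAX_SKEW}s: set this Mac to sync time from $GATEWAY" >&2
        return 1
    fi
}

# Usage: sh sso-check.sh check
case "${1:-}" in
    check) check_ticket; check_clock ;;
esac
```

A non-zero exit from `check_ticket` points at the login (local account, or a ticket that has expired); a non-zero exit from `check_clock` points at time synchronisation, which is fixed by pointing Date & Time at the Opendium server's NTP service as recommended above.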

Multiuser Servers

This section covers servers which allow logins for multiple concurrent users, and are connected to the Windows domain.

Client devices must be set to use your non-transparent proxy: Kerberos single sign-on is negotiated within the explicit proxy connection, and transparently intercepted traffic cannot be authenticated.

The network that the device is being connected to should have its user identification profile set to Multiuser Servers.

If the network's HTTPS interception mode is set to Active, you must install your unique Opendium interception certificate.

Please see the shared devices section, above, for device configuration.

Limitations

  • Not all applications respect the proxy server settings. Traffic from such software is caught by the transparent proxy instead, and it is not possible to authenticate that traffic. The Single User Devices and Workstations user identification profiles expect only one user to be logged into each device at any one time, and can therefore infer which user the transparent proxy traffic belongs to from the authentication credentials in the most recent non-transparent proxy traffic from that device. This inference is not possible for systems with multiple concurrent users, so transparent proxy traffic from Multiuser Servers will have no owner associated with it: it will not be logged against an individual user, and will be filtered according to the Unidentified Users Policy Modelling report.
  • Not all applications support authenticated web proxy servers, and of those that do, some do not support Kerberos single sign-on. The Single User Devices and Workstations user identification profiles use heuristics to avoid demanding authentication from such software, and instead infer the traffic's ownership as described above. When the profile is set to Multiuser Servers these heuristics are disabled and all software using the non-transparent proxy is required to authenticate. This may cause some applications to fail to connect to the internet, or to show spurious authentication pop-ups.