Microsoft Windows

One-to-One Devices

This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding shared devices and multiuser servers.

It is preferable for client devices to be configured to use your non-transparent proxy. However, this is usually inconvenient, so the transparent proxy can be used instead. Be aware of the transparent proxy's limitations (see Limitations, below).

  • The network that the device is being connected to should have its user identification profile set to Single User Devices.
  • If possible, configure your wireless network to use 802.1x (WPA2 Enterprise) authentication and to send RADIUS accounting updates to your Web Gateway / UTM.
  • If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
  • If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate.

If the network's HTTPS interception mode is set to Active, you must install your unique Opendium interception certificate:

  • Download the new certificate from the Web Proxy page, or directly from https://<your Web Gateway / UTM host name>/opendium.crt.
  • Double click the downloaded file.
  • Click Install Certificate, which will launch the Certificate Import Wizard.
  • Select Local Machine and click Next.
  • Click Yes in the User Account Control box which pops up.
  • Select Place all certificates in the following store and click Browse.
  • Select Trusted Root Certification Authorities and click Ok.
  • Click Next in the Certificate Import Wizard.
  • The final page of the wizard lets you review your settings. Click Finish and the certificate will be imported.
  • A security warning will be displayed saying that Windows cannot validate the certificate. This is normal; click Yes.
  • The Certificate Import Wizard will pop up a box announcing that the certificate was successfully imported.
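The same end state as the wizard steps above, scripted for an elevated PowerShell session. This is an added example, not Opendium's own code; $Gateway is your Web Gateway / UTM host name and $ExpectedThumbprint is a placeholder for the fingerprint you have confirmed out of band with your administrator.

```powershell
# Added example: download the interception certificate and place it in the
# Local Machine Trusted Root store, refusing anything that does not match the
# fingerprint you verified separately. Run as Administrator.
$Gateway            = 'gateway.example.com'          # assumption: your gateway host
$ExpectedThumbprint = '<THUMBPRINT-FROM-YOUR-ADMIN>' # placeholder, SHA-1 hex, no spaces
$certPath           = Join-Path $env:TEMP 'opendium.crt'

# Same URL as the manual step. Until the root is trusted, the gateway's own HTTPS
# certificate may be rejected here; if so, download from the Web Proxy page
# instead and point $certPath at that file.
Invoke-WebRequest -Uri "https://$Gateway/opendium.crt" -OutFile $certPath

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# A root certificate grants trust for every HTTPS site the proxy intercepts, so
# compare the fingerprint before installing rather than after.
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Fingerprint mismatch: got $($cert.Thumbprint), expected $ExpectedThumbprint. Not installing."
}

# Only a CA certificate belongs in the Trusted Root store; check Basic Constraints.
$bc = $cert.Extensions |
      Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Downloaded file is not a CA certificate; it must not go into Trusted Root.'
}

# Equivalent of choosing Local Machine -> Trusted Root Certification Authorities.
$imported = Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\Root
"Installed $($imported.Subject) ($($imported.Thumbprint)), valid until $($imported.NotAfter)"
```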

Setting the proxy on the device is optional, but can be done by following these steps:

  • Click the Start button
  • Type "control panel"
  • Click the control panel icon
  • Open internet options
  • Click the Connections tab
  • Click LAN Settings
  • Tick Use a proxy server
  • Set the proxy address to your proxy's fully qualified host name (e.g. proxy.example.com) and the port to 3128
  • Click Ok
  • Click Apply
  • Click Ok in the Internet Properties window
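The LAN Settings dialog above writes its values to the current user's Internet Settings registry key; this added example (not Opendium's own code) sets the same values after first confirming the proxy answers on port 3128. The host name is the page's own example and should be replaced with your proxy's fully qualified name.

```powershell
# Added example: configure the non-transparent proxy for the current user,
# checking reachability first so a typo does not leave the browser pointed at
# a dead proxy. proxy.example.com is a placeholder from the steps above.
$ProxyHost = 'proxy.example.com'
$ProxyPort = 3128

# Resolve the name and open a TCP connection, as a browser would.
$probe = Test-NetConnection -ComputerName $ProxyHost -Port $ProxyPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach ${ProxyHost}:${ProxyPort}; check DNS and that the proxy is listening."
}

# These are the values the Internet Options -> LAN Settings dialog stores.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $key -Name ProxyEnable   -Value 1 -Type DWord
Set-ItemProperty -Path $key -Name ProxyServer   -Value "${ProxyHost}:${ProxyPort}" -Type String
# Keep traffic to local addresses off the proxy, matching the dialog's bypass option.
Set-ItemProperty -Path $key -Name ProxyOverride -Value '<local>' -Type String

Get-ItemProperty -Path $key | Select-Object ProxyEnable, ProxyServer, ProxyOverride
```

Applications that are already running read the old values; restart the browser for the change to take effect.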

Troubleshooting

These instructions explain how to confirm that the Opendium interception certificate is installed on a stand-alone Windows machine. Windows 8 and 8.1 have a different style of Start menu from Windows 7 and 10, but the procedure is the same in all cases.

  • Click Start or press the Windows key, then type mmc and click the mmc command.
  • If a User Account Control dialog pops up asking if you would like to allow Microsoft Management Console to make changes, click Yes.
  • Microsoft Management Console will then start; go to File -> Add/Remove Snap-in...
  • Add the certificate snap-in by double clicking Certificates, or by highlighting it and clicking Add.
  • Select the Computer account radio button and click Next.
  • Leave the Local computer radio button selected and click Finish.
  • You should now see Certificates (Local Computer) in the right hand pane.
  • Click Ok, which will take you back to MMC and should show Certificates (Local Computer) in the left hand pane.
  • Select Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates.
  • You should see the Opendium certificate listed in the right hand pane.
  • For more details, double click the certificate and click the Details tab.
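The MMC walkthrough above as a script, added here as an example rather than taken from Opendium. It assumes the certificate's subject contains the word "Opendium"; adjust $pattern if yours is named differently. It also catches the most common mistake in the wizard: importing into the current user's store instead of Local Machine, which leaves every other account on the device untrusting the proxy.

```powershell
# Added example: confirm the interception certificate is in the Local Machine
# Trusted Root store (the store the wizard steps target) and report the details
# the MMC Details tab would show.
$pattern = 'Opendium'   # assumption: matches the certificate's Subject

$machineRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match $pattern }
$userRoot    = Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Subject -match $pattern }

if (-not $machineRoot) {
    Write-Warning "No certificate matching '$pattern' in Cert:\LocalMachine\Root."
    if ($userRoot) {
        # Installed with 'Current User' selected rather than 'Local Machine'.
        Write-Warning 'Found it in Cert:\CurrentUser\Root instead; re-run the import and select Local Machine.'
    }
    return
}

foreach ($c in $machineRoot) {
    [pscustomobject]@{
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        Thumbprint = $c.Thumbprint
        NotBefore  = $c.NotBefore
        NotAfter   = $c.NotAfter
        # An expired root causes the same browser warnings as a missing one.
        Expired    = ($c.NotAfter -lt (Get-Date))
        # Trusted Root entries should be self-signed CA certificates.
        SelfSigned = ($c.Subject -eq $c.Issuer)
    }
}
```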

Shared Devices

This section covers devices which are shared between multiple users (one user logged in at a time), and are connected to the Windows domain. Scroll down for information regarding multiuser servers.

Client devices must be set to use your non-transparent proxy, as this is a requirement of the Kerberos single signon protocol. This should be done through Windows Group Policy.

The network that the device is being connected to should have its user identification profile set to Workstations.

If the network's HTTPS interception mode is set to Active, you must install your unique Opendium interception certificate. This should be done through Windows Group Policy.

Windows Group Policy Configuration

  • TO BE COMPLETED - steps to configure proxy

If the network's HTTPS interception mode is set to Active, you must install your unique Opendium interception certificate:

  • Download the new certificate from the Web Proxy page, or directly from https://<your Web Gateway / UTM host name>/opendium.crt.
  • Go to Administrative Tools on your domain controller and open Group Policy Management.
  • Right click the Default Domain Policy within your domain and choose Edit.
  • Select Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities.
  • Right-click the right hand pane and click Import..., which will start the Certificate Import Wizard.
  • Click Next on the first page of the import wizard.
  • Enter the file name of the new certificate, or use the Browse button to select it, and click Next.
  • The certificate location should be shown as Trusted Root Certification Authorities. If not, use the Browse button to set the store to Trusted Root Certification Authorities or Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities, and then click Next.
  • The final page of the wizard lets you review your settings. Click Finish and the certificate will be imported into the GPO, from where it will be distributed across your domain.
  • You should now see the new certificate in the right hand pane of the Trusted Root Certification Authorities area.
  • To double check that the new certificate is correct, double click on it and select the Details tab.

Troubleshooting

If Internet Explorer on a Windows machine which is logged onto the domain pops up an authentication box rather than automatically authenticating by Kerberos, check that the clocks on both the workstation and the domain controller are correct. The Opendium server provides an NTP service and we recommend that your machines use this to keep their clocks synchronised.
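A quick way to check the clock condition described above from the workstation, added as an example and not part of the Opendium documentation. $Reference is an assumption: point it at your domain controller or at the Opendium NTP service. The 5 minute limit is the default Kerberos clock skew tolerance on Windows domains.

```powershell
# Added example: measure this machine's clock offset against a reference host
# with w32tm and flag anything beyond Kerberos' default 5 minute tolerance,
# then list the Kerberos tickets held by this logon session.
$Reference      = 'dc1.example.com'   # assumption: your DC or the Opendium NTP service
$MaxSkewSeconds = 300

# /stripchart queries the host over NTP (UDP 123); /dataonly trims the graph.
$lines = w32tm /stripchart /computer:$Reference /samples:3 /dataonly 2>&1

# Sample lines look like "12:00:01, +00.0123456s"; keep the signed offset.
$offsets = foreach ($l in $lines) {
    if ("$l" -match '([+-]\d+\.\d+)s\s*$') { [double]$matches[1] }
}
if (-not $offsets) {
    throw "No samples from $Reference. Output was:`n$($lines -join "`n")"
}

$avg = ($offsets | Measure-Object -Average).Average
if ([math]::Abs($avg) -gt $MaxSkewSeconds) {
    Write-Warning ('Clock is {0:N1}s off {1}; Kerberos tickets will be rejected and the browser will fall back to prompting. Fix the time source, then run: w32tm /resync' -f $avg, $Reference)
} else {
    'Clock offset {0:N3}s against {1}: within Kerberos tolerance.' -f $avg, $Reference
}

# If the time is fine but the prompt persists, confirm a ticket for HTTP/<proxy host>
# appears here after a browse attempt; no tickets at all points at the logon session.
klist
```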

Multiuser Servers

This section covers servers which allow logins for multiple concurrent users, and are connected to the Windows domain.

Client devices must be set to use your non-transparent proxy, as this is a requirement of the Kerberos single signon protocol. This should be done through Windows Group Policy.

The network that the device is being connected to should have its user identification profile set to Multiuser Servers.

If the network's HTTPS interception mode is set to Active, you must install your unique Opendium interception certificate. This should be done through Windows Group Policy.

Please see the shared devices section, above, for group policy configuration.

Limitations

  • Not all applications respect the proxy server settings. Traffic from such software is instead caught by the transparent proxy, and it is not possible to authenticate this traffic. The Single User Devices and Workstations user identification profiles expect only one user to be logged into each device at any one time and can therefore infer which user the transparent proxy traffic belongs to, based on the authentication credentials contained in the most recent non-transparent proxy traffic. Inferring traffic ownership in this way is not possible for systems that have multiple concurrent users, so transparent proxy traffic from Multiuser Servers will not have an owner associated with it: it will not be logged against an individual user, and will be filtered according to the Unidentified Users Policy Modelling report.
  • Not all applications support authenticated web proxy servers, and of those which do, some do not support Kerberos single signon. The Single User Devices and Workstations user identification profiles use heuristics to prevent broken software from being required to authenticate, and instead infer the traffic's ownership as described above. When the profile is set to Multiuser Servers these heuristics are disabled and all software using the non-transparent proxy is required to authenticate. This may result in some applications failing to connect to the internet, or in spurious pop-up authentication boxes.