Smoothwall Advanced Proxy
Configuring the web proxy – Smoothwall
Prerequisite
On your users’ devices, configure the web browser to use port 800 on the Smoothwall Filter as the web proxy, that is, a nontransparent proxy.
Procedure
On the WEB PROXY menu, under the Web proxy submenu, click Settings.
To deploy the web proxy, under the Global option section, for Guardian, select “Enable”.
To configure the web proxy, under the Available proxy settings section, click Advanced ».
In the Web filter options section:
For the File upload policy, select if you want to “Allow unlimited uploads”, “Block all uploads” or “Restrict upload size to” a specified size.
Select each of the options if you want: Block advanced proxy bypass attempts, Resume interrupted NTLM connections, Resolve single component hostnames, Server persistent connections, Honor incoming X-Forwarded-For – to take the client IP address from the X-Forwarded-For header, inserted by a downstream proxy or load balancer.
If you want access to servers running on non-standard ports, enter them and, to add them to the list, press Enter on your keyboard.
In the Logging options section:
Select if you want to enable Proxy logging.
Enter an Organization name and, from the Filter logging mode list, select a mode.
Select if you want to log Client hostnames, Client user-agents, Advert blocks and Local accesses.
In the Cache options section:
Enter the Global cache size for disk space that you want to allocate for caching web content.
Enter the Max and min object size that can be stored in the cache.
Enter the Max object size that can pass in and out of the proxy.
For Do not cache these domains, enter the domains that should be excluded from the web cache.
In the Internet Cache Protocol (ICP) section:
If you want to allow ICP compatible proxies to query the Smoothwall Filter cache, for the ICP server, select Enable.
For the ICP server IP addresses, enter the IP addresses of other ICP-enabled proxies on the LAN that the Smoothwall Filter should query, and press Enter on your keyboard to add each one to the list.
In the Load balancing section:
If your Smoothwall solution makes use of a load balancer, enter the virtual IP address and, to add it to the list, press Return on your keyboard.
To save your changes, click Save.
To restart the web proxy, click Save and restart or Save and restart with cleared cache.
Tip: Always perform a proxy service restart to make sure that changes are reflected correctly in the proxy server configuration.
Follow-up Task
Test that on a user’s device, when you go to, that the Smoothwall blocks access to the site and displays a block page.
You can edit the default policies and create new policies to suit your organization.
Settings Page – Smoothwall
Use this page to configure the Smoothwall Filter web proxy to suit your organizational needs.
Navigation: WEB PROXY > Web proxy > Settings.
Global option
Enable
Indicates that the Smoothwall Filter web proxy is turned on. This is selected by default.
Disable
Turns off the Smoothwall Filter web proxy.
Available proxy settings
Interface
The interface and address used for the automatic configuration script and the manual browser proxy settings.
Address
Advanced »
Shows the additional settings for the Smoothwall Filter, logging, the cache, the Internet Cache Protocol and load balancing.
Web filter options
File upload policy
Controls how the Smoothwall Filter handles file uploads.
Settings
Description
Allow unlimited uploads
All file uploads are allowed.
Block all uploads
All file uploads are blocked.
Restrict upload size to
Files smaller than the size specified are allowed.
HTTP strict mode
This option determines the web proxy’s behavior when processing HTTP/1xx response codes; specifically, response code 100 Continue. When HTTP strict mode is turned on, the web proxy does not forward responses with an Expect: 100 Continue header to the client. Although this is an HTTP protocol violation, some client applications have been found not to function correctly when such responses are forwarded. By default, HTTP strict mode is turned off, so the web proxy always forwards responses with Expect: 100 Continue headers to the clients.
Block advanced proxy bypass attempts
Proxy avoidance services, such as UltraSurf, might be used to bypass the Smoothwall Filter. With this turned on (default behavior), such services are blocked when the initial connection is detected, and a 15-minute partial ban is enforced for the user who made the attempt.
Whilst the bypass client is open and attempting to reconnect, all traffic is blocked. If the client is closed, most traffic is allowed during the ban, but any domains that don’t use Server Name Indication (SNI) to identify themselves remain blocked. This might result in some legitimate sites being blocked for the remainder of the ban, as without SNI, proxy bypass services are indistinguishable from legitimate traffic.
You can create a custom report to view the connection attempts. Make sure that the UltraSurf IPs reporting section is included.
Resume interrupted NTLM connections
The Smoothwall Filter resumes interrupted NTLM connections caused by non-standard web browser behavior by default. If restrictive Active Directory account lockout policies are in place, turn off this parameter.
Resolve single component hostnames
By default, the Smoothwall Filter makes no attempt to interpret single component host names that are not fully qualified. Turn off this parameter to stop the Smoothwall Filter from trying to interpret single component host names that are not fully qualified.
Server persistent connections
Indicates that the Smoothwall Filter allows server persistent connections by default. Turn off this option if you’re experiencing 502 Bad gateway errors when accessing some websites.
Via headers
By default, Via headers are used to trace, for both the request and the response, the proxies a connection has been made through. The Smoothwall Filter adds its own entry into the Via header, as well as the header added by Squid. Some websites might attempt to block users browsing through a proxy. Turn off this option to prevent the addition of headers by both the Smoothwall Filter and Squid.
Honor incoming X-Forwarded-For
Indicates that the Smoothwall Filter can take the client IP address from the X-Forwarded-For header, inserted by a downstream proxy or load balancer. Using the IP address contained within the header, clients can then be identified within the Smoothwall.
Note: Do not turn on the Honor incoming X-Forwarded-For option if you’ve turned on Leak client IP with X-Forwarded-For headers with an upstream proxy, or with client IP address spoofing.
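Why this option belongs only behind a known downstream proxy or load balancer, shown as an added example (not Smoothwall code, and not a description of how the Smoothwall Filter parses the header). The trusted addresses and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed values: the downstream proxies / load balancers that are
# allowed to supply X-Forwarded-For (hypothetical addresses).
TRUSTED_DOWNSTREAM = [ipaddress.ip_network("10.0.0.10/32"),
                      ipaddress.ip_network("10.0.0.11/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_DOWNSTREAM)


def client_ip(peer_ip, xff_header):
    """Return the address a request should be attributed to.

    peer_ip    -- source address of the TCP connection to the proxy
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header sent by anything other than a known downstream hop is
    # client-controlled input, so it is ignored.
    if not xff_header or not _is_trusted(peer):
        return str(peer)
    # Each hop appends the address it received the request from, so walk
    # the list right to left and stop at the first entry that is not a
    # trusted hop. Entries further left were supplied by that client.
    candidate = peer
    for entry in reversed([e.strip() for e in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            break  # malformed entry: keep the last verified hop
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate)
```

With the header honored for every peer instead, any user could choose the address that appears against their requests in logs and policy decisions.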
Allow access to web servers on these additional ports
The Smoothwall Filter only allows requests to servers running on a certain subset of privileged ports by default, that is, ports lower than 1024, such as HTTP (80), HTTPS (443) and FTP (21). If you want access to servers running on non-standard ports, enter them here.
Logging options
Proxy logging
We recommend that you turn off this option when Filter logging mode is turned on. This is because the Smoothwall Filter proxy logs are duplicated subsets of the Smoothwall Filter logs. Turning off proxy logging can lead to improved performance by reducing system storage and processing demands.
Organization name
A meaningful name to identify the Smoothwall Filter in your organization. Organization names are also referenced in certain web reports.
Filter logging mode
The logging mode.
Setting
Normal
Select this option to generate proxy logs with all recorded data.
Anonymized
Select this option to generate filter logs with anonymous username and IP address information.
Disabled
Select this option to turn off content filter logging. Select to turn off the logging of the types of browsers used by users.
Client hostnames
Select whether to record host names of devices using the Smoothwall Filter. When turned on, you can generate web filter data incorporating host name information. It’s important that DNS servers exist on the local network and are correctly configured with the reverse DNS of all devices if this option is selected, otherwise performance will suffer.
Client user-agents
Select whether to record the types of browsers used by users.
Advert blocks
Select whether to log information about advert blocking.
Local accesses
Select whether to log local accesses made through the web proxy to either localhost, or IP addresses 127.0.*. Typically, these accesses are logged. However, some configurations might cause clients to swamp the log files, in which case, you can turn off this logging.
Cache options
Global cache size
The amount of disk space allocated to the Smoothwall Filter for caching web content. Web and FTP requests are cached. HTTPS requests and pages including username and password information aren’t cached. The specified size must not exceed the amount of free disk space available. The cache size should be configured to an approximate size of around 40% of the system’s total storage capacity, up to a maximum of around 1.5 gigabytes. Larger cache sizes can be specified but might not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages.
Max and min object size that can be stored in the cache
Enter the largest object size (Max object size) that is stored in the cache. Any object larger than the specified size is not cached. This prevents large downloads filling the cache. The default of 30720 kilobytes (30 MB) should be adjusted to suit the needs of your users. Enter the smallest object size (Min object size) that is stored in the cache. Any object smaller than the specified size is not cached. This can be useful for preventing large numbers of tiny objects filling the cache. The default is no minimum – this should be suitable for most purposes.
Max object size that can pass in and out of proxy
Enter the maximum amount of outbound data (Max outgoing size) that can be sent by a browser in any one request. This can be used to prevent large uploads or form submissions. The default is no limit. Enter the maximum amount of inbound data (Max incoming size) that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. This can be used to prevent excessive and disruptive download activity. The default is no limit.
Do not cache these domains
Used to specify domains that should be excluded from the web cache. You can use this to make sure that old content of frequently updated websites isn’t cached. Enter domain names without the www prefix, one entry per line. To apply the option to any subdomains, enter a leading period, for example:.
Internet Cache Protocol (ICP)
ICP server
Indicates that ICP compatible proxies can query the Smoothwall Filter cache. ICP is a technique employed by proxies to determine if an unfulfilled local cache request can be fulfilled by another proxy’s cache. ICP proxies work together as cache peers to improve cache performance across a LAN. We recommend that you use ICP for LANs with multiple Smoothwall Filter proxy servers; non-Smoothwall proxies must use port 801 for HTTP traffic.
ICP server IP addresses
The IP addresses of other ICP proxies on the LAN that the Smoothwall Filter should query. Use in conjunction with the ICP server option turned on to allow two-way cache sharing.
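The query and reply that cache peers exchange, as an added example (not part of the Smoothwall documentation or product). It encodes and decodes ICP version 2 messages as laid out in RFC 2186; the function names, request number and URL are constructed for illustration.

```python
import socket
import struct

# Opcodes from RFC 2186 (ICP version 2).
ICP_OP_QUERY, ICP_OP_HIT, ICP_OP_MISS = 1, 2, 3
ICP_VERSION = 2
# opcode, version, message length, request number, options, option data,
# sender host address: a fixed 20-byte header in network byte order.
_HEADER = struct.Struct("!BBHIII4s")


def _pack(opcode, reqnum, payload):
    length = _HEADER.size + len(payload)
    return _HEADER.pack(opcode, ICP_VERSION, length, reqnum, 0, 0, b"\0" * 4) + payload


def build_query(reqnum, url, requester_ip="0.0.0.0"):
    # A query payload is the requester address followed by the NUL-terminated URL.
    return _pack(ICP_OP_QUERY, reqnum,
                 socket.inet_aton(requester_ip) + url.encode("ascii") + b"\0")


def parse(datagram):
    """Return (opcode, request number, URL) or raise ValueError."""
    if len(datagram) < _HEADER.size:
        raise ValueError("short ICP datagram")
    opcode, version, length, reqnum, _, _, _ = _HEADER.unpack_from(datagram)
    if version != ICP_VERSION or length != len(datagram):
        raise ValueError("bad ICP version or length field")
    body = datagram[_HEADER.size:]
    if opcode == ICP_OP_QUERY:
        body = body[4:]  # skip the requester host address
    url, nul, _ = body.partition(b"\0")
    if not nul:
        raise ValueError("URL is not NUL-terminated")
    return opcode, reqnum, url.decode("ascii")


def peer_answer(datagram, cached_urls):
    """What a peer cache replies: HIT if it holds the URL, otherwise MISS."""
    opcode, reqnum, url = parse(datagram)
    if opcode != ICP_OP_QUERY:
        raise ValueError("not a query")
    reply = ICP_OP_HIT if url in cached_urls else ICP_OP_MISS
    return _pack(reply, reqnum, url.encode("ascii") + b"\0")
```

Nothing in the message authenticates the sender, so the only control over who may query the cache, or whose HIT replies are believed, is the list of peer addresses.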
Load balancing
Direct Return Server Virtual IP
The virtual IP address assigned for communication to the Smoothwalls in the cluster. This is not the actual IP address of the load balancer. You must make sure that this virtual IP address doesn’t respond to ARP queries because ARP behavior is what sets this type of virtual IP address apart from a simple alias.
Setup Smoothwall Express 3.0 as a second layer web proxy …
RoboOx
Last Updated:
Jan 17, 2018
Frequently Asked Questions about smoothwall advanced proxy
What is Smoothwall proxy?
A Smoothwall web proxy will send internet traffic out via the default gateway configured on an interface. … When the Smoothwall is used as a firewall with directly connected internet connections, it’s possible to route traffic out via a specific internet connection based on source networks.
How do you turn off a smoothwall?
Turn off this option to prevent the addition of headers by both the Smoothwall Filter and Squid. … Settings Page: Global option, Disable: Turns off the Smoothwall Filter web proxy.
How do I get around smoothwall client?
Bypassing the proxy can be done in two ways.
Adding the target domains/IP addresses to proxy bypass settings on the client.
Adding IP addresses to the transparent proxy bypass settings on the Smoothwall.