Without a proxy server, if a user accesses a secure HTTPS site, only the domain name (subject) in the SSL certificate will be visible to the Web Filter. Thus, block or allow decisions can only be made based on this domain rather than the full URL.
If you configure a Rocket appliance as a proxy server, then all HTTPS requests can be examined just like HTTP requests. When a user requests a secure website, such as a banking site, the encrypted request will be sent to the proxy server. The proxy server will then decrypt it in order to read the full URL.
If it is determined to be an allowed request, the proxy server will then carry out the request on the client's behalf over SSL as expected. If the site is a blocked site, then the request will be denied and the user will see a block page.
Mobile devices may also be configured to use the proxy server. It is not recommended that you use the proxy server in conjunction with the Lightspeed Systems Mobile Filter on laptops. Make sure you configure mobile devices with a proxy server hostname that will resolve both on the inside and outside of your network.
The proxy server listens on TCP port 8080 on Rocket appliances where the Proxy Server role is enabled.
To configure a Rocket appliance as a proxy server, follow the steps below.
T-Mobile 4G and LTE Devices Are Not Supported
T-Mobile's implementation of caching servers is not compatible with the proxy module in the Lightspeed Systems Rocket. T-Mobile redirects lookup requests to their caching servers in most instances using a 301 redirect. Basically, this allows users to retrieve cached versions of web pages that would normally be blocked by the Rocket appliance. T-Mobile is aware of the issue but as of this time has not taken any steps to resolve it. Refer to the "How to make internet settings in T-Mobile U8150-A?" and "Proxy servers disrupting service" discussions on the T-Mobile Support forum for more information.
- Configure your network.
  - In an Active Directory environment use Group Policy Objects (GPOs) to enforce the use of the proxy server.
  - In a Novell environment use ZENWorks to enforce the use of the proxy server.
- Configure your Rocket or Bottle Rocket appliance as a proxy server.
  - Connect the Management port on the Rocket appliance to a port on your LAN switch.
  - Log in to this appliance.
  - Click Administration and then click Server Roles.
  - Check (select) Proxy Server.
  - Click Save.
You should also install the SSL certificate from the Rocket appliance since some SSL sites will not work if the certificate is not installed as a trusted root authority.
You need to download the SSL certificate from the proxy/Rocket appliance and install it on any of your proxy clients. You can push it out through a GPO (Microsoft Exchange) or ZENWorks (Novell) at the same time that you push out the proxy settings.
The SSL certificate can be downloaded from the Rocket appliance by going to the http://(fqdn)/lsaccess/proxycert URL. You will need to use the FQDN of the proxy to access the URL and download the certificate.
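The download URL above is plain HTTP and the result is installed as a trusted root, so it is worth comparing the file against a fingerprint recorded over a trusted path before pushing it to clients. The following is an added example, not Lightspeed Systems code; the function names, the pinned-fingerprint workflow and the PEM-or-DER handling are assumptions, and the sample bytes are constructed.

```python
import base64, hashlib, hmac, re, urllib.request

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(blob: bytes) -> bytes:
    """Return DER bytes from a PEM or DER download (the page does not say which is served)."""
    m = PEM_RE.search(blob)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if blob[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("response is not a PEM or DER certificate")
    return blob

def fingerprint(blob: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(to_der(blob)).hexdigest()

def matches_pin(blob: bytes, pinned: str) -> bool:
    """Compare against a pin written as 'AB:CD:..', 'ab cd ..' or plain hex."""
    wanted = re.sub(r"[^0-9a-f]", "", pinned.lower())
    return hmac.compare_digest(fingerprint(blob), wanted)

def fetch_and_check(fqdn: str, pinned: str, out_path: str) -> bool:
    """Download the proxy certificate and save it only if it matches the pin."""
    url = f"http://{fqdn}/lsaccess/proxycert"  # URL as given on this page
    with urllib.request.urlopen(url, timeout=10) as resp:
        blob = resp.read(65536)  # a single certificate is far smaller than this
    if not matches_pin(blob, pinned):
        return False  # do not distribute: content differs from the recorded copy
    with open(out_path, "wb") as fh:
        fh.write(blob)
    return True

# Constructed sample bytes (not a real certificate) to exercise the offline parts.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(32))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    pin = fingerprint(SAMPLE_DER)
    print("PEM and DER agree:", matches_pin(SAMPLE_PEM, pin))
    print("altered copy accepted:", matches_pin(SAMPLE_DER + b"\x00", pin))
```

Call `fetch_and_check` with the proxy's FQDN and the recorded fingerprint, and distribute the saved file through your GPO or ZENWorks push only when it returns `True`.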
For iOS devices running iOS 6.0 and above, you can use Lightspeed Systems Mobile Manager to push a global proxy configuration that requires no user intervention to use the Rocket appliance proxy server. This is an alternative Web Filter solution that does not require the Lightspeed Systems Mobile Browser app. See the Mobile Manager Global Proxy wiki page on the Mobile Manager wiki for more information.