Why Proxy?

Without a proxy server, if a user accesses a secure HTTPS site, only the domain name (subject) in the SSL certificate is visible to the Web Filter. Block or allow decisions can only be made based on this domain rather than the full URL. Thus, URL patterns for HTTPS sites may not operate correctly.

If you configure a Rocket appliance as a trusted man in the middle (TMITM / MITM) proxy server, then all HTTPS requests can be examined just like HTTP requests. When a user requests a secure website, such as a banking site, the encrypted request is sent to the proxy server. The proxy server then decrypts it in order to read the full URL.

  • Learn more about SSL decryption in our whitepaper, SSL Explained.
  • Learn more about authentication with the proxy here.

If the Proxy Server determines the request should be allowed, it will then carry out the request on the client’s behalf over SSL as expected. If the site should be blocked, then the request will be denied and the user will see a block page.

Mobile devices may also be configured to use the proxy server. It is not recommended that you use the proxy server in conjunction with the Lightspeed Systems Mobile Filter on laptops. Make sure you configure mobile devices with a proxy server hostname that will resolve both on the inside and outside of your network.

The proxy server listens on TCP port 8080 on Rocket appliances where the Proxy Server role is enabled.

The following diagram shows a Rocket appliance that has been configured as a proxy server.

Proxy Server Network Diagram

To configure a Rocket appliance as a proxy server:

  1. Configure the Proxy Server on the Rocket appliance.
    • Connect the Management interface on the Rocket appliance to a port on your LAN switch.
    • Log in to this appliance.
    • Click Web Filter, then click Proxy Server.
    • Select (check) the Decrypt SSL traffic checkbox.
    • Review the remaining options on the Proxy Server page and configure them as needed for your application, then click Save.
  2. Install the SSL certificate from the Rocket appliance on devices as a trusted root authority.
    • Download the SSL certificate from the Rocket appliance and install it on your proxy clients. You can push it out through a GPO (Microsoft Exchange) or ZENworks (Novell) at the same time that you push out the proxy settings.
    • The SSL certificate can be downloaded from the Rocket appliance by going to the http://(fqdn)/lsaccess/proxycert URL. You will need to use the FQDN of the proxy to access the URL and download the certificate.
  3. Configure your network.
    • In an Active Directory environment, use Group Policy Objects (GPOs) to enforce the use of the proxy server.
    • In a Novell environment, use ZENworks to enforce the use of the proxy server.

Note:

  • iOS 9.1 and above: Use the Web Filter for iOS app to filter content on and off the network, without requiring a proxy. See Web Filter for iOS in the Mobile Filter documentation for more information.
  • iOS 6.0 and above: Use Lightspeed Systems Mobile Manager to push a forward proxy configuration that requires no user intervention to use the Rocket appliance proxy server. This is an alternative Web Filter solution that does not require the Lightspeed Systems Mobile Browser app. See the Mobile Manager Global Proxy page in the Mobile Manager documentation for more information.

Note: T-Mobile 4G and LTE Devices Are Not Supported

T-Mobile’s implementation of caching servers is not compatible with the proxy module in the Lightspeed Systems Rocket. T-Mobile redirects lookup requests to their caching servers in most instances using a 301 redirect. This allows users to retrieve cached versions of web pages that would normally be blocked by the Rocket appliance. T-Mobile is aware of the issue but as of this time has not taken any steps to resolve it. Refer to the “How to make internet settings in T-Mobile U8150-A?” and “Proxy servers disrupting service” discussions on the T-Mobile Support forum for more information.

Installing the ISO

Another method for deploying the Web Filter is to install a virtual Rocket on your network. This Rocket can be installed with other Rockets on your network but should not be assigned to any role other than Web Filter.

Requirements

16 GB of RAM
500 GB of HDD
2 CPUs
1 interface assigned to the network
Set the virtual host operating system to FreeBSD 11 – 64-bit

Installing a virtual Rocket

  1. Download the most recent ISO file.
  2. Open a virtual machine monitor and use the ISO file to mount the virtual Rocket (as a CD-ROM) in your virtual environment.
     Note: We recommend only using one of the following virtual machine monitors when adding our virtual Rocket to your network:
       • Xen
       • VMware
       • Hyper-V
  3. Connect to the virtual Rocket.
  4. Log in with the default user name and password:
       • Username: admin
       • Password: admin
  5. When the Rocket Configuration window opens, select Interface from the configuration Main Menu and press Enter.
  6. Select the default interface from the list of management interfaces and press Enter to save the configuration.
     Note: The default interface name will vary depending on your VM environment, but is noted with an asterisk.
  7. Select Network and press Enter.
  8. Enter the IP Address, Netmask and Default Router that you have selected for the virtual Rocket. Press the Tab key to select Save, then press Enter on your keyboard to save the Management NIC configuration.
     Note: DHCP is not supported. You must assign static IP addresses to the virtual Rocket.
  9. Select Exit to log out.

Note: Now that the virtual Rocket is on and running, follow our Web Filter Implementation guide to continue configuring your Web Filter.

Setting Up the Proxy

The following steps illustrate how to set up Selective proxy:

Learn more about: Creating a PAC File

How to Upload PAC file to Rocket

  1. Click Web Filter, then click Proxy Server.
  2. On the Proxy Server page navigate to Forward Proxy > PAC Files.
  3. In the PAC Files grid, click the green “+” icon. This opens the Upload PAC File form.
  4. In the Upload PAC File form, click Browse and select the PAC file to upload from your computer.
  5. Enter a brief description, then click Save to upload the PAC file, or click Cancel to discard your changes and return to the previous page.

Note: To delete (permanently remove) a PAC file, mouse over the item you wish to remove, then click the X on the right side of the row. You will be prompted to confirm the action.
Note: Click the name to download the PAC file. It will automatically be downloaded onto your computer.
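
A selective-proxy PAC file of the kind uploaded in the steps above, as an added example that is not Lightspeed Systems code: the proxy host name and the bypass suffix are placeholders, and port 8080 is the listener port stated on this page. Omitting a DIRECT fallback is a choice made in this example so that clients fail closed when the proxy is unreachable; only plain JavaScript is used so the file can also be tested under Node.

```javascript
// Added example PAC file, not vendor code. Host and suffix values are placeholders.
var PROXY_HOST = "proxy.example.org"; // assumed FQDN; must resolve on and off the network
var PROXY_PORT = 8080;                // Rocket proxy listener port stated on this page
var BYPASS_SUFFIXES = [".intranet.example.org"]; // constructed: internal sites sent direct

// True for loopback, RFC 1918 and link-local IPv4 literals.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Suffix match anchored on a label boundary, so "evilintranet.example.org"
// is not treated as part of ".intranet.example.org".
function hasSuffix(host, suffix) {
  return host === suffix.slice(1) || host.slice(-suffix.length) === suffix;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase().replace(/\.$/, ""); // normalise case and trailing dot
  if (host === PROXY_HOST) return "DIRECT";     // reach the appliance itself directly
  // Single-label intranet names only; IPv6 literals and bare numbers do not match.
  if (/^[a-z][a-z0-9-]*$/.test(host)) return "DIRECT";
  if (isPrivateIPv4(host)) return "DIRECT";
  for (var i = 0; i < BYPASS_SUFFIXES.length; i++) {
    if (hasSuffix(host, BYPASS_SUFFIXES[i])) return "DIRECT";
  }
  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of silently bypassing the filter.
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}
```

Every host that matches a bypass rule leaves the Web Filter's view, so keep the bypass list short and limited to destinations you control.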

Push Trusted CA Certificates to all Devices

For proxying to work smoothly, the devices being proxied must trust your proxy, which means adding the Web Filter’s proxy SSL certificate to those devices. To do that, you first need to download the proxy certificate from your Web Filter.

You can access your certificate by navigating to Settings > Appliance > SSL Certificates > Download Links. Click Download or navigate to the URL to download your certificate.

Pushing an SSL certificate to several devices at once:

Pushing an SSL certificate to BYOD devices:

You can access individual instructions for pushing SSL certificates to BYOD devices by navigating to:
YOURDOMAIN.com/lsaccess/proxycerthelp (replace YOURDOMAIN.com with the URL of your Rocket.)
This pathway includes instructions for all major operating systems and web browsers.