Edinburgh Product Release
The Smoothwall administrative User Interface has been updated to make it easier to navigate and more aesthetically pleasing. The main navigation menu has moved from the left-hand side of the page to the top; this brings the layout in line with user feedback.
There is a new style of local navigation menu which allows you to see and navigate between every item within the section. This also acts to show you where you are in the product by highlighting the tab you are under, the section you are in and the page you are on.
The context-sensitive help is now integrated within the page, allowing you to perform actions whilst reading the relevant documentation. At the top of the page the search bar has taken a more prominent position in the header area.
These changes also help support future updates to further consolidate and improve the navigation.
Improved 'time spent browsing' report
Filtering 'metric' reporting sections will now include 'time spent' performing a particular activity.
The summarization starts after results have been filtered, to produce a list of domains and an allocated amount of time, with other hits to the same domain. The results can be ordered by total amount of time spent per domain.
This option alters how data is summarized and presented, giving a more accurate total time per domain.
New certificate management page to create, delete, import and export certificates
Includes the certificates for:
- Man in the Middle (MITM) used for decrypting HTTPS traffic to filter its contents
- Global Proxy
- User facing HTTPS services (including SSL login, the portal UI and Connect for Chromebooks - does NOT include the Admin UI)
It has previously been difficult to establish a single continuous chain of trust easily on a Smoothwall System.
Certificates were difficult to manage: different sources of trust necessitated the export and import of many certificates, and desynchronized certificate expiry dates added further complications.
Introducing the concept of a “default” Certificate Authority allows the System Administrator to set a CA to be used by all services under the Certificate Management system. The default CA:
- Can be automatically generated or imported by the System Administrator using the import functionality
- Generates dynamic certificates needed for all services to be trusted
- Dynamic certificates are updated automatically as needed
This feature does NOT change which certificates are in use; all existing certificates will be migrated and will still be used, with no need for any action to be taken.
Alongside the migrated certificates, a new default CA will be created, allowing customers to choose to move to the new system. A whitepaper will follow with further help on how to switch to and use this feature.
Benefits:
- Using the automatically created CA, you only need to export one certificate for all clients to trust the Smoothwall
- Import a CA from AD - then all clients that trust the AD will automatically trust the Smoothwall; no export needed at all
- Changing the hostname does not require a redistribution of all the certificates
Improved handling of non-SNI traffic
The SNI extension provides the domain name for a transparent HTTPS request. Unfortunately many sites do not populate it, and so only the IP address is known.
As well as the existing options of “block non-SNI traffic” or “Allow HTTPS traffic with no SNI header for the ‘Transparent HTTPS incompatible sites’” there are now two new options:
- Get the name of the site from the certificate and filter based on that
- Continue to allow ‘Transparent HTTPS incompatible sites’ through without further filtering but if they’re not in that list get the name from the certificate and filter based on that
Smoothwall can now filter based on the name in the certificate - no more need to exempt sites that didn’t give all the information the Smoothwall needed.
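The decision described in this section, as an added example that is not Smoothwall code: it reads the SNI from a TLS ClientHello and, when none is present, falls back according to one of the four options above. The mode names, the idea that the 'Transparent HTTPS incompatible sites' list is matched by destination IP, the sample lists and the block-by-default fallback are all assumptions made for the illustration.

```python
import struct
def extract_sni(rec: bytes):
    """Return the server_name in a TLS ClientHello record, or None if it has none."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:      # not a handshake record / ClientHello
            return None
        pos = 43                                   # record + handshake headers, version, random
        pos += 1 + rec[pos]                        # session id
        pos += 2 + struct.unpack_from("!H", rec, pos)[0]   # cipher suites
        pos += 1 + rec[pos]                        # compression methods
        end = pos + 2 + struct.unpack_from("!H", rec, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", rec, pos)
            pos += 4
            if ext_type == 0:                      # server_name: list len, type, name len, name
                n = struct.unpack_from("!H", rec, pos + 3)[0]
                return rec[pos + 5:pos + 5 + n].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                       # truncated or malformed: treat as no SNI
    return None

def decide(mode, rec, dest_ip, cert_names, incompatible_ips, blocked):
    # mode is a hypothetical label for one of the four non-SNI options listed above
    verdict = lambda names: "block" if any(n in blocked for n in names) else "allow"
    sni = extract_sni(rec)
    if sni is not None:
        return verdict([sni])                      # normal case: filter on the SNI name
    if mode in ("allow_incompatible", "incompatible_then_cert") and dest_ip in incompatible_ips:
        return "allow"                             # listed site passes without further filtering
    if mode in ("cert_name", "incompatible_then_cert") and cert_names:
        return verdict(cert_names)                 # filter on the names in the server certificate
    return "block"                                 # no name and no rule admits it (assumption)

def client_hello(host=None):
    """Build a minimal, constructed ClientHello for the demonstration."""
    ext = b""
    if host:
        name = host.encode()
        entry = struct.pack("!BH", 0, len(name)) + name
        sn = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sn)) + sn
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

BLOCKED, INCOMPATIBLE = {"blocked.example"}, {"203.0.113.10"}   # constructed lists
```
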
IP Spoofing (exposing the true client IP address) available in all Guardian authentication policies
The option to enable spoofing is now shown for all transparent and non-transparent authentication policies. With spoofing enabled, the Source NAT policy rule for “Local traffic - Guardian” will not be applied to the spoofed traffic.
Spoofing ensures that traffic leaves the Guardian module with the source IP address of the client trying to reach the Internet.
Applications:
- The customer wants to use the bandwidth module, which needs to see the clients’ actual IP addresses rather than all traffic being hidden behind Guardian
- The customer has an upstream device (such as a firewall) and wants it to see the IP addresses of the originating clients, rather than all traffic appearing to come from Guardian
Handling of traffic that matches non-spoofing authentication policies has not been changed.
Disk space estimation
The datastore settings page has been improved to show available disk space.
The feature looks at the current average rate of storage of log data, and uses this to estimate the number of months until the partition is likely to be 'full' and auto pruning will occur.
New installation page for Decrypt and Inspect (MITM) certificate
Smoothwall offers a new page through which users can download and self-install the certificate used for decrypt and inspect. Instructions give step-by-step guidance on installing the file on all major browsers and operating systems.
This feature is ideal for BYOD, as these devices are not centrally managed and so can't have the certificate pushed out by the sysadmin.
For security reasons the client can’t be automatically directed to the page, so it is recommended that customers use their wireless system to direct clients to the link, or advertise it.
New authentication diagnostics have now been added for DNS SRV records (vital to Active Directory) and TCP connection checks.
Hovering over the results status symbol in the diagnostic screen now gives a brief ‘help’ on the meaning of the problem and how best to begin addressing it.
The process of adding BYOD devices has been simplified in Edinburgh.
New tests analyze the BYOD logs for potential problems, indicating whether there are any issues preventing the BYOD authentication from working successfully.
Other Edinburgh Improvements
- Negotiate Kerberos/NTLM (transparent) Web proxy: removes the need to create authentication exceptions for applications that couldn’t authenticate. Rather than choosing one method and having problems with any clients (and particularly applications) that couldn’t use the selected one, Smoothwall can negotiate and use whichever works
- Redirect to hostname improvements: redirection to the load balancer is now possible. Operations such as SSL login and block pages redirect the client back to particular pages on Smoothwall via IP address, hostname or, now, via the load balancer
- More user-friendly authentication messages, including configuration error messages when user authentication fails
- Block page link to login page: allows unauthenticated users to log in when presented with a block page