What is GoGuardian Admin Gateway Deployment?
GoGuardian Admin Gateway is a cloud-based proxy filtering and monitoring solution that can be deployed on any managed device.
After the requirements for a GoGuardian Gateway deployment have been met (see requirements HERE), follow the steps in this article to implement GoGuardian Admin via the Gateway deployment on managed devices.
For initial setup, consider deploying the following settings to a small subset of managed users or an isolated test OU to avoid causing browsing interruptions or trouble during configuration and troubleshooting. Once configuration has been confirmed on a target device, the settings can be pushed out to the rest of the desired managed devices.
NOTE: All directions specified here apply to Active Directory/Windows Server, but functions such as configuring/implementing an LDAP server, installing a CA, or implementing PAC files exist on most device management platforms. Consult the manufacturer documentation or support team for the device management software in use (JAMF, Azure, Linux, etc.) for instructions specific to that software.
- Navigate to manage.goguardian.com. From here, click on "Products" then on "GoGuardian Gateway"
- There are two tabs on this page: "LDAP Settings" and "PAC Settings." Begin configuring GoGuardian's connection to the LDAP server by clicking the button "Add new LDAP settings."
- Complete the following fields for General Settings:
- Name - desired name for LDAP server settings
- Domain - desired managed domain connected to the LDAP server such as "goguardian.com"
NOTE: The domain specified here will be tied to the end-user's authentication. Example: If the student's email is email@example.com the domain should match the desired domain the student will type into the proxy prompt.
- Host - WAN IP/port for primary domain controller where LDAP server is located. NOTE: For Google LDAP, input ldap.google.com for "Host" and Port 636 for "Port."
- LDAP Base DN - The base DN path. By default it is derived from "Domain". Example: If "Domain" is GoGuardian.com, the default LDAP Base DN will be (DC=goguardian,DC=com). Base DNs with partitions may be specified here.
- Connect with SSL - Check this box if LDAPS (LDAP over SSL) is configured.
If StartTLS is enabled for the target LDAP server, uncheck the SSL box.
NOTE: GoGuardian requires using either StartTLS or SSL for LDAP server connections.
- User Filter Expression - Enter a filter expression here to specify which field accessible via LDAP should be used as username when filtered/monitored end users are prompted to authenticate prior to browsing the internet. Leave the default User Filter Expression for Google LDAP. Some common fields are samaccountname and userprincipalname which would translate to (SamAccountName=%s) and (UserPrincipalName=%s), respectively.
- Click the "Save" button at the bottom right corner.
- After completing the required fields from step 3, enter Authentication Credentials in the section below General Settings. These are required to connect GoGuardian to the LDAP server configured in step 3.
- Username - Enter a username here with administrative read access to the LDAP server.
- Password - Enter the password for the user specified in step 4.1.
- Client Certificate - OPTIONAL - this field is required for LDAP servers configured via Google Admin Console but is otherwise optional and can be added via LDAP server administration in addition to Username and Password as authentication credentials. Value must be pasted into the field including BEGIN and END lines.
- Client Key - OPTIONAL - this field is required for LDAP servers configured via Google Admin Console but is otherwise optional and can be added via LDAP server administration in addition to Username and Password as authentication credentials. Value must be pasted into the field including BEGIN and END lines.
- After successfully fulfilling the required fields within Authentication Credentials from step 5, click the save button at the bottom right corner. All fields saved within step 5 will be stored securely and will not be viewable or editable without re-entering all of the required fields.
- Once all the required fields have been filled and saved, check the diagnostic results at the top right corner of the General Settings modal. If there is a failure, make sure the administrative account is active and that port forwarding is enabled for all TCP traffic to/from your server's WAN address and specified port (default 636 for SSL) from the GoGuardian servers: 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, and 22.214.171.124. Firewall configuration is not necessary for Google LDAP configurations.
- If failures persist after appropriate hosts/ports are forwarded, please see: Troubleshooting LDAP connectivity
- After the LDAP diagnostic indicates all results are successful, continue on to the PAC Settings tab and click the button to add a new PAC (Proxy Auto-Config) configuration.
- Fill out the required fields for the new PAC configuration:
- Name - REQUIRED - add a name to distinguish the specified PAC configuration file from any others that may be configured.
- Description - OPTIONAL - add a description here for the PAC configuration file.
- Direct on Proxy Failure - OPTIONAL - in the event of an outage in which proxied outbound or inbound traffic cannot be properly sent to or received from GoGuardian's cloud proxy servers, checking this box allows all traffic for managed user accounts to pass unfiltered. If left unchecked, in the event of an outage, internet will not be accessible.
- Direct during out of school hours - OPTIONAL - check the box here to avoid filtering or monitoring user activity while the user/device is considered "Out of School." Configure out of school settings by following the guide available HERE.
- Hostname Exceptions - Administrators may choose to bypass traffic for certain types of applications/websites, such as ecommerce, banking and healthcare websites, iTunes or the App Store, due to privacy concerns. iTunes or the App Store, for example, will not work properly if all traffic is inspected. Google, for example, has a running list of domains that should be added as exceptions to proxy filtering HERE to ensure all Google services operate correctly. Add trusted domains here to bypass GoGuardian Gateway SSL decryption.
- IP Exceptions - Add trusted IP addresses here to bypass GoGuardian Gateway SSL decryption.
- After the required fields are configured from step 9, click "Save" at the bottom right corner and return to the PAC settings tab. Click the button at the top of this page to download the root certificate.
- Push the GoGuardian root certificate via Active Directory or other domain management software. Instructions for configuring via Group Policy Object and Registry are below - setup instructions may vary depending on domain management software. Please review third party domain management software documentation or contact third party support for directions on how to implement a Trusted Root Certificate for managed devices.
NOTE: Additional administrative templates will be required to push a Trusted Root Certificate for Mozilla Firefox: https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox
- Within Active Directory, access Administrative Tools -> Group Policy Management
- Within the directory tree, right click the root of the domain and create a new policy for the GoGuardian SSL Root Certificate. NOTE: It may be more desirable to test GoGuardian CIP on a specific OU with one or more test devices. Create and apply the GPO accordingly. Additional settings can be applied specifically to the desired OU.
- Open Group Policy Objects to edit the newly created policy in step 11.2 and navigate to Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies
- Right click Trusted Root Certification Authorities
- Select Import and use the Certificate Import Wizard to import/push the downloaded GoGuardian CA file titled ca.cer.
- Implement the GoGuardian Proxy Auto-Config (PAC) URL by navigating to the GPO within the Group Policy Management Console created in step 11.2. Click edit.
Deploy PAC via Group Policy Preferences
- Navigate to User Configuration -> Preferences -> Control Panel Settings.
- Right click Internet Settings, then click New -> Internet Explorer 10
- Click Connections tab, then LAN Settings tab.
- Navigate back to the browser at manage.goguardian.com -> Products -> Cloud Internet Proxy -> PAC Settings -> Click Copy PAC URL for the PAC configuration created in step 9.1-9.5.
- In the LAN Settings GPO configuration, paste the copied URL into the Address field, then click OK.
Deploy PAC via Registry Key
- Navigate to User Configuration -> Preferences -> Registry
- Right click within the registry window, then click New -> Registry Item
- Fill out the fields exactly as follows:
Action: Create or Update
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings
Value Name: AutoConfigURL
Value Type: REG_SZ
Value Data: ***exact PAC URL goes here***
(Note: Device may need to be restarted before Registry key is applied)
Lock down Autoconfig Settings with GPO
- Navigate to User Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer
- In the panel, select the template for "Disable Changing Automatic Configuration Settings"
- Select "Enabled", click OK
- In the panel, select the template for "Disable Changing Connection Settings"
- Select "Enabled", click OK
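What the PAC settings chosen earlier ("Direct on Proxy Failure", "Hostname Exceptions", "IP Exceptions") mean for a device that loads the PAC URL, written out as a hand-made PAC file. This is an added example, not GoGuardian's generated PAC file: the proxy endpoint, the exception entries and the helper names are constructed placeholders, and it assumes exceptions are expressed as DIRECT rules.

```javascript
// Constructed placeholders: not GoGuardian's real proxy endpoint or lists.
var PROXY = "PROXY proxy.example.invalid:8080";
var DIRECT_ON_PROXY_FAILURE = false;            // the PAC setting's checkbox
var HOST_EXCEPTIONS = ["bank.example", "health.example"];
var IP_EXCEPTIONS = ["10.0.0.0/8", "192.0.2.10/32"];

// Match the domain itself or a subdomain, only on a label boundary, so
// "notbank.example" and "bank.example.evil.test" are still proxied.
function hostMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// Dotted-quad IPv4 literal to a number; null for hostnames or bad octets.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return null;
    n = n * 256 + Number(m[i]);
  }
  return n;
}

function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var addr = ipToInt(ip), base = ipToInt(parts[0]);
  if (addr === null || base === null) return false;
  var size = Math.pow(2, 32 - parseInt(parts[1], 10));  // addresses in block
  return Math.floor(addr / size) === Math.floor(base / size);
}

// directOnFailure=false: fail closed (no internet during a proxy outage).
// directOnFailure=true: the browser falls back to DIRECT, i.e. unfiltered.
function decide(host, directOnFailure) {
  var i;
  for (i = 0; i < HOST_EXCEPTIONS.length; i++) {
    if (hostMatches(host, HOST_EXCEPTIONS[i])) return "DIRECT";
  }
  for (i = 0; i < IP_EXCEPTIONS.length; i++) {
    if (inCidr(host, IP_EXCEPTIONS[i])) return "DIRECT";
  }
  return directOnFailure ? PROXY + "; DIRECT" : PROXY;
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  return decide(host, DIRECT_ON_PROXY_FAILURE);
}
```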
Test the deployment
Now that the GoGuardian servers can authenticate users via LDAPS, and the PAC file and Root Certificate are both deployed to target devices via administrative policy, follow these recommended steps:
1. Sign in to one of the devices and access the internet. Be sure to use an account's credentials that can be queried by the specified admin account in the LDAP configuration.
As soon as the device attempts to connect to the internet, the device should prompt for a username and password.
2. Enter credentials for a managed user account. If the prompt box disappears, the GoGuardian server has matched the account within the LDAP database. All traffic will now be filtered and monitored via GoGuardian Admin as long as the device/user's traffic falls outside of the exceptions list configured in the customized PAC file.
3. In GoGuardian, confirm the OU of the user in order to determine which filtering policy will be active for this account. To do this, run a global search of the user in GoGuardian Admin and make note of their OU.
4. Next, examine the filtering configuration to identify the policy applied to this test user. To do this, navigate to Filtering -> Configuration and find the policy applied to the user's OU.
5. Identify a site that should be blocked according to the user's assigned GoGuardian filtering policy.
6. Last, navigate to the site on the test device. Confirm that the GoGuardian block page ("Restricted" message, gray background and blue padlock) appears on the restricted site.
Once the account is up and running, deploy the configuration to the rest of the desired devices and configure GoGuardian Admin filtering using the documentation available here: https://help.goguardian.com/hc/en-us/articles/360037910031.