What is Gateway?
GoGuardian Gateway is a cloud-based proxy filtering and monitoring solution for enrolled/managed devices. It uses SSL decryption, implemented on managed devices via Lightweight Directory Access Protocol (LDAP) authentication together with a Proxy Auto-Config (PAC) file and Certificate Authority, both deployed via third-party device management software such as Active Directory, JAMF, or Google Admin Console.
Description of Gateway Components
Proxy Auto-Configuration (PAC) - A proxy auto-config file defines how web browsers and other user agents can automatically choose the appropriate proxy server for fetching a given URL. The PAC gives the device instructions on how to route particular web requests. Requests either go directly to their destination servers (exceptions) or are sent to the proxy server. GoGuardian PAC files will be downloaded from manage.goguardian.com/installations/gateway/pac. The PAC file must be deployed to devices with an MDM.
Certificate Authority (CA) - A certificate authority is an entity that issues digital certificates.
Root Certificate - A root certificate allows our product to execute SSL decryption to inspect filtered/monitored page content, then re-encrypt and send the responses to client devices without the client devices rejecting the traffic due to a mismatch between the requested and received certificates. Pushing our certificate allows our products to effectively filter and monitor the internet on managed devices. The certificate will be downloaded at manage.goguardian.com/installations/gateway/pac. It must be deployed to devices with an MDM.
Lightweight Directory Access Protocol (LDAP) - LDAP is an industry standard application protocol for accessing and maintaining distributed directory information services over an IP network. The LDAP configuration must be set at manage.goguardian.com/installations/gateway/ldap.
User Injection - automatically logs users in to be filtered/monitored by GoGuardian Admin Gateway based on the device's assignment within the MDM without the user inputting their email and password for authentication. User injection is configured by appending a variable at the end of the PAC URL. For User Injection setup instructions, please read this article. User Injection requires access to GoGuardian's DNS servers.
Domain Name System (DNS) - DNS is a system for translating domain names into IP addresses. User Injection requires access to GoGuardian's DNS servers.
|What is it?||Why?|
|LDAP server with access to all managed user accounts.||Users signing into a managed device will be required to authenticate with username and password. This allows for differentiated filtering and per-user reporting.|
|Device management software such as JAMF, Active Directory, Google Admin Console, etc.||Certificate Authority and Proxy Auto-Config file must be deployed to devices using a third party device management software solution. Third party solution must support PAC and CA deployment.|
|Managed user accounts tied to LDAPS Server||Users will be required to sign in via username/password to access the internet.|
For a complete deployment guide, please refer to the article Deploying GoGuardian Gateway.
GoGuardian Gateway has several items which must be deployed to devices, typically by a mobile device manager (MDM) such as JAMF, Mosyle, or Azure. These include a root certificate, a PAC file, and potentially other files like a DNS profile.
If there are any issues with deploying required GoGuardian Gateway components with your MDM, we strongly encourage reaching out to the MDM's manufacturer's support and referring to their documentation.
User Injection requires the use of GoGuardian's DNS servers. Setting up DNS on client devices will vary depending on the operating system.
As part of your iOS deployment of Gateway, when you need to use User Injection, you will need to download a Profile to push to your client devices to use in conjunction with the GoGuardian DNS App. This is specific to iOS deployments only. Click on the link below to download. https://manage.goguardian.com/installations/gateway/resources
For more information, please read the User Injection instructions article.
Other Operating Systems
If using a non-iOS operating system, please refer to your MDM's documentation for how to configure DNS servers for client devices.
When using GoGuardian Admin Gateway, the user experience varies depending on whether user injection is configured.
If user injection is not configured, the user will need to sign in with their credentials each time they open an application which connects to the internet. The credentials should be their school associated email address and password based on the LDAP directory.
If the PAC URL is configured with variable syntax for users, users will not be prompted to sign in. For User Injection setup instructions, please read this article.
Users will be able to browse and will be filtered based on their school's GoGuardian Admin policy configuration.
Confirm Successful PAC and Certificate Deployment
For Gateway to work successfully, both the PAC file and the root certificate must be successfully deployed by an MDM. While troubleshooting, it's useful to confirm that these have been successfully deployed onto a client device.
On a client device, you can verify the PAC and root certificate in different ways depending on the Operating System.
System Preferences > Profiles > MDM Profile
This section will show the certificate to confirm deployment. If it's missing from here, try to redeploy that component.
System Preferences > Network > Advanced button > Proxies tab
On the left pane, please click on Automatic Proxy Configuration. You should see the PAC URL here if it was successfully deployed. If it isn't there, try to redeploy that component from the MDM.
Settings > General > Profiles and Device Management > MDM Profile > More Details
Here you will find security.goguardian.com if the certificate has successfully been deployed. If it is missing, redeploy that component.
Settings > General > Profiles and Device Management > MDM Profile > Restrictions
This will show the PAC URL to confirm deployment. If it's missing from here, try to redeploy that component.
User Injection requires the use of GoGuardian DNS servers. To ensure that DNS is working properly, you can open terminal and execute the following command:
If this returns one of GoGuardian's DNS servers, this verifies that DNS is properly configured. There are four good results:
If the nslookup command returns something other than those four DNS servers, please double check the DNS configuration that is set in your MDM.
Targeted users to be filtered and monitored by GoGuardian Gateway will be required to sign into a captive portal using their domain-managed credentials via LDAP authentication. Setting up GoGuardian's connection to the server properly via LDAP is a vital step that must be completed for GoGuardian Gateway to allow users to access the internet.
For LDAP troubleshooting, please refer to the article LDAP Configuration Troubleshooting.
Note: If user injection is being used, users will not need to sign in. Their credentials should be pulled from the LDAP server based on the assigned user in the MDM.
GoGuardian Gateway Diagnostic Page
Navigating to status.goguardian (specifically without the .com portion) in a browser will show you if your GoGuardian Admin Gateway is connected properly, and it will also show the authenticated user.
This is useful to ensure that filtering is occurring for the right user, and also to check if user injection is working properly.
If users filtered and/or monitored by gateway experience issues like unexpected authentication popups or pages not loading correctly, the diagnostics tool is a great starting point: https://manage.goguardian.com/products/diagnostics/network-diagnostics
Please enter the email address of a student who has used Gateway in the past 24 hours. The results of the diagnostic tool will show Errors and Blocks.
If there are any resulting errors, look for associated URLs and add them into the exceptions list within the PAC file.
The main thing that will need to be maintained for GoGuardian Admin Gateway is the PAC file Hostname Exceptions List. This is located at https://manage.goguardian.com/installations/gateway/pac. You will need to Edit one of the PAC configurations to view the list.
Please ensure that any necessary resources for your MDM are allowed in this section. Most MDMs should provide a resource for recommended sites to allow. For example, here is JAMF's recommended allowed sites list.
It is good practice to stay up to date with the recommended allowances for your school's MDM and to ensure they're added to the Hostname Exceptions list.
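How a hostname exceptions list decides routing inside a PAC file, as an added example. This is not GoGuardian's generated PAC file: the proxy address and exception hostnames are constructed placeholders, and isException is a helper introduced here.

```javascript
// Added illustration, NOT GoGuardian's generated PAC file.
// The proxy address and hostnames below are constructed placeholders.
var PROXY = "PROXY proxy.example.invalid:8080";

// Hostname exceptions: traffic to these hosts skips the proxy, so it is
// neither filtered nor decrypted. Keep the list as narrow as the MDM needs.
var EXCEPTIONS = [
  "mdm.example.org",     // exact host only
  ".push.example.net"    // leading dot: the domain and all of its subdomains
];

// True when host equals an entry or, for ".domain" entries, is that domain
// or ends with ".domain". Matching on the dot boundary keeps a look-alike
// such as "notpush.example.net" from inheriting the exception.
function isException(host) {
  host = String(host).toLowerCase().replace(/\.$/, ""); // drop trailing dot
  for (var i = 0; i < EXCEPTIONS.length; i++) {
    var entry = EXCEPTIONS[i].toLowerCase();
    if (entry.charAt(0) === ".") {
      var bare = entry.slice(1);
      if (host === bare || host.slice(-entry.length) === entry) return true;
    } else if (host === entry) {
      return true;
    }
  }
  return false;
}

// Entry point a PAC-aware client calls for every request.
function FindProxyForURL(url, host) {
  if (isException(host)) return "DIRECT";
  // This example returns no "; DIRECT" fallback, so an unreachable proxy
  // is not treated as a reason to send the request unfiltered.
  return PROXY;
}
```

When adding a host reported by the diagnostics tool, prefer an exact entry over a leading-dot entry unless every subdomain genuinely needs to bypass the proxy.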
MDM Device Management
If you are adding more devices at the end of a school year, or modifying your MDM's overall configuration, please ensure that the Gateway deployment is properly scoped to all required devices.