Community Forum

I'm running ClearOS 7.3 (Home Essentials) in a non-transparent mode with no authentication required. I am unable to log in to a microsoft account from within MS Office. I get a message "Sorry, we are having some temporary server issues." which I don't get if I physically bypass the proxy server.

I have made use of Title and in particular the IP/FQDN lists for "Office 365 portal and shared" and "Office 365 authentication and identity" (required items only) and have put them in /etc/clearos/firewall.conf

[Note that the webpage lists a number of IPs as ....../32 which ClearOS does not view as a valid IP address - I've just left off the /32 as it is my understanding that this is just a way of expressing a subnet which contains only one IP address - tell me if I am confused! I have left all the other /xx components in the IP address list]

One of the lists of FQDNs does use wildcards on a couple of entries, which ClearOS will not accept in firewall.conf. For these I have left off the wildcard in the hope that it will apply to all subdomains under these domain names. Is that how it works? If not then maybe that is my problem.

If my understanding is correct I have put the entries in the correct location. I also tested the format of the required lines by first putting a few entries in via webconfig. I have also enabled "reverse address lookups" in "gateway/content and filter proxy/content filter engine". I read somewhere that this was necessary if putting FQDNs in firewall.conf.

A total of 307 entries appear in webconfig in the bypass rules in "gateway/content and filter proxy/web proxy server".

I don't have any trouble logging in to Google services and didn't have to do anything to make it work which surprised me.

Anyone have any experience with this? I assume someone does! It looks like a good area for ClearOS to work on, particularly as those required lists of IPs and FQDNs are updated on a frequent basis!
Sunday, June 04 2017, 08:32 AM
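The two notation questions in the post (a /32 prefix and wildcard FQDNs) are the kind of thing worth checking with a small script before hand-editing a config file. The following is an added example, not code from the thread or from ClearOS: it sorts entries of a published endpoint list into prefixes, exact hostnames and wildcard suffixes, writes a one-address prefix as the bare address (a /32 is exactly one IPv4 host, so the poster's reading is right), and shows why a wildcard cannot simply be shortened to its apex domain: `*.outlook.com` covers `mail.outlook.com` but not `outlook.com`, while a bare `outlook.com` entry covers only that single name under exact matching. All sample entries are constructed placeholders, not the real Microsoft lists.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of a published endpoint list: IPv4/IPv6 prefixes,
# a single host written as /32, wildcard and plain FQDNs, and one junk line.
# These are hypothetical values, not entries from the real Office 365 lists.
SAMPLE_ENTRIES = [
    "13.107.6.152/31",
    "40.96.0.0/13",
    "2603:1006::/40",
    "52.96.0.1/32",
    "*.outlook.com",
    "login.microsoftonline.com",
    "*.portal.cloudappsecurity.com",
    "not a valid entry",
]

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,62}$",
    re.IGNORECASE,
)


@dataclass
class Normalized:
    networks: list = field(default_factory=list)   # ipaddress network objects
    hosts: list = field(default_factory=list)      # exact FQDNs, lower-cased
    wildcards: list = field(default_factory=list)  # "*.example.com" stored as "example.com"
    rejected: list = field(default_factory=list)   # lines that fit no category


def normalize(entries):
    """Sort raw endpoint-list lines into networks, exact hosts, wildcard suffixes and rejects."""
    out = Normalized()
    for raw in entries:
        entry = raw.strip().rstrip(".")
        if entry.startswith("*."):
            out.wildcards.append(entry[2:].lower())
            continue
        try:
            # strict=False also accepts prefixes with host bits set, e.g. 52.96.0.1/32
            out.networks.append(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(entry):
            out.hosts.append(entry.lower())
        else:
            out.rejected.append(raw)
    return out


def render_network(net):
    """A one-address prefix is just that address; anything wider stays in CIDR form."""
    if net.num_addresses == 1:
        return str(net.network_address)
    return net.with_prefixlen


def covers_host(norm, hostname):
    """Return 'exact', 'wildcard' or None depending on which rule covers the name.

    '*.outlook.com' covers mail.outlook.com but not outlook.com itself, and a bare
    'outlook.com' entry covers only that one name under exact matching."""
    name = hostname.strip().rstrip(".").lower()
    if name in norm.hosts:
        return "exact"
    for suffix in norm.wildcards:
        if name.endswith("." + suffix):
            return "wildcard"
    return None


def covers_ip(norm, ip):
    """True if the address falls inside any listed prefix (a single-host /32 included)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in norm.networks if addr.version == net.version)


def bypass_lines(norm):
    """Lines for a tool that accepts bare IPs, CIDR prefixes and exact FQDNs only.

    Wildcards cannot be expressed in such a tool, so they are emitted as review
    markers rather than silently shortened to the apex domain."""
    lines = [render_network(n) for n in norm.networks] + list(norm.hosts)
    lines += [f"# REVIEW wildcard: *.{s}" for s in norm.wildcards]
    return lines


if __name__ == "__main__":
    result = normalize(SAMPLE_ENTRIES)
    print("\n".join(bypass_lines(result)))
    print("rejected:", result.rejected)
```

The review markers are the useful output: every wildcard line is a decision for the person configuring the proxy (does the tool treat a bare domain as covering its subdomains, or does it need one exact entry per hostname actually contacted?), and the script refuses to make that decision silently.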
Responses (3)
  • Accepted Answer

    Sunday, June 04 2017, 09:31 PM - #Permalink
    I can't answer all your points as I don't use the proxy or content filter and I think my understanding may be wrong. I'll have to investigate further but it will take me a while (days).

    Have you read the docs here and here? Especially note that the proxy bypass rules may need to be set up in both ClearOS and the Browser.

    I had thought that one part of proxy bypass was to exempt LAN PCs entirely from the proxy, so I will need to see all the screens to work out what is happening.

    The reason for not using FQDNs in firewall rules is that the firewall resolves the FQDN only when the firewall is refreshed. Unfortunately big users such as Micro$oft and Google round-robin the IP the FQDN resolves to. This means you may end up allowing one IP for google.com, but later a user is seeing google.com resolving to a different IP address which has not been exempted.
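The failure mode Nick describes is easy to reproduce without touching a real firewall. The following is an added example, not from the thread or from ClearOS: a stand-in resolver hands out a name's A records round-robin, a one-shot exemption object resolves the name once at "refresh" time, and clients that resolve the same name a moment later land on addresses the rule never saw. The same connections are then checked against a published prefix, which is what an endpoint list gives you instead of a hostname. The hostname and addresses are constructed placeholders.

```python
import itertools
from ipaddress import ip_address, ip_network

# Constructed round-robin answer set for a hypothetical login hostname
# (documentation addresses, not real Microsoft or Google records).
ROUND_ROBIN = {"login.example.test": ["192.0.2.10", "192.0.2.11", "192.0.2.12"]}
PUBLISHED_PREFIX = ip_network("192.0.2.0/28")  # the range a vendor endpoint list would publish


class RotatingResolver:
    """Returns the A records of a name one at a time, like a round-robin DNS answer."""

    def __init__(self, table):
        self._cycles = {name: itertools.cycle(addrs) for name, addrs in table.items()}

    def resolve(self, name):
        return ip_address(next(self._cycles[name]))


class OneShotFqdnExemption:
    """Models a firewall that resolves an exempted FQDN only when its rules are refreshed."""

    def __init__(self, resolver, name):
        self.resolver = resolver
        self.name = name
        self.allowed = set()
        self.refresh()

    def refresh(self):
        # The single address returned now is the only one exempted until the next refresh.
        self.allowed = {self.resolver.resolve(self.name)}

    def is_exempt(self, dst_ip):
        return ip_address(dst_ip) in self.allowed


def run_demo(name="login.example.test", connections=3):
    """Refresh once, then let clients resolve the same name for their own connections."""
    resolver = RotatingResolver(ROUND_ROBIN)
    fw = OneShotFqdnExemption(resolver, name)  # the snapshot takes the first record
    # Clients query the same round-robin pool and are handed the following records.
    client_dsts = [resolver.resolve(name) for _ in range(connections)]
    missed = [str(ip) for ip in client_dsts if not fw.is_exempt(ip)]
    prefix_misses = [str(ip) for ip in client_dsts if ip not in PUBLISHED_PREFIX]
    return {
        "snapshot": sorted(str(ip) for ip in fw.allowed),
        "client_destinations": [str(ip) for ip in client_dsts],
        "missed_by_fqdn_rule": missed,
        "missed_by_prefix_rule": prefix_misses,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two of three client connections fall outside the FQDN-based rule while the prefix rule covers all of them, which is the practical reason to feed a proxy or firewall the vendor's published address ranges rather than hostnames resolved once.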
  • Accepted Answer

    Sunday, June 04 2017, 09:03 PM - #Permalink
    Hi Nick,
    Thanks for your reply. It raises a couple of questions for me. (It may be just due to my ignorance of computer security / networking; my background is in transaction processing so I have a fair degree of ignorance in this area!)

    1. What is the difference between the bypass rules in "gateway/content filter and proxy/web proxy server" and the global settings exception IPs list in "gateway/content filter and proxy/content filter proxy" ? One difference is that the exception IP list can only contain IPs whereas the bypass list can contain both IPs and domain names.
    I have assumed that the exception IP list specifies those IPs which will pass through the proxy without being compared to any filter criteria whereas IPs/domain names in the bypass list will bypass the proxy server completely (& I am assuming that there is a difference between passing through and bypassing).

    2. Your comment saying that the firewall and proxy server are completely separate suggests that there is an error in the design and/or implementation of webconfig where the two are directly linked.
    If you use webconfig to put IPs or domain names in the bypass list for the proxy server those items are recorded by webconfig in /etc/clearos/firewall.conf. That is why I put the entries in firewall.conf because that is where webconfig puts entries for proxy bypassing!

    In addition to this, if I put the domain names in an exception list in the content filter I would then need to put them in each filter group. There doesn't appear to be a global domain name exception list as there is for IPs. (If you are wondering how I have filter groups when I don't use authentication I am using client IPs to determine filter groups - manual editing outside of webconfig required but not difficult with simple directions available in clearos documentation & forums.)

    Comments most welcome!
  • Accepted Answer

    Sunday, June 04 2017, 09:03 AM - #Permalink
    The firewall and proxy/content filter are completely separate items and it is best not to edit firewall.conf. Instead of editing firewall.conf use the custom firewall module or add the rules to /etc/clearos/firewall.d/local (but it won't help in this case as the proxy blocks before the firewall). Also it is not a good idea putting FQDNs into the firewall; if you did, they do not work as you expect.

    Go to the link you posted and click on the "Expand to see the authentication and identity FQDNs" section. Add the FQDNs to the ClearOS proxy exception list.