How To - Setup Remote (1-to-1) Filtering aka Seamless Filtering

How To: Setup Remote (1-to-1) Filtering aka Seamless Filtering

In order to remotely filter your devices, we will need several things in place beforehand. The first of which is an A record (host record) setup in your internal DNS to point at the internal IP address of the Cipafilter. The second thing we'll need is another A record set to point at the public facing IP address of the Cipafilter ( or to the public ip address you are forwarding traffic from ). This will allow your devices to proxy via a hostname, which is important as it allows for a seamless transition between intranet and internet.

The hostname you setup in DNS must be different than the hostname set on the IP Settings page of the Cipafilter.

Once your DNS records are in place, we will need a SSL certificate that has been setup for the hostname. This certificate will need to be imported into the Cipafilter. If you prefer, you can opt to use our Let's Encrypt integration which will generate a SSL certificate for free, renews itself every 90 days, and requires no management. In order to do either of these, you will need to go to navigate to General --> Customization --> Portal Certificate. Here you can generate the Let's Encrypt cert or generate a CSR and upload the files for your SSL cert. If you have a wildcard cert for your domain, you will need to contact support to get it imported.



Once we have these pieces in place, we will then need to make the Cipafilter's proxy accessible to the internet. In order to do this, you will need to navigate to Next Generation Firewall --> Web Filtering.



Click on the "Insert Remote-Filtering (1-to-1) Rule" at the bottom of the page and click on "Save and Apply". This will create a new rule on your Cipafilter that looks like this:



You must require authorization on this subnet rule. If not, your proxy will be freely accessible to the internet and traffic from your public IP will start to become blacklisted by various ISPs. This is set to required by default.

You must not change the transparent proxy option from NO. Doing so will cause issues with connectivity. This is set to NO by default.

Once we have our DNS setup, our SSL cert generated and our proxy accessible to the internet, we'll need to verify the port we are using for proxy services is open. The filter's default proxy port is 6226, but you can verify this by going to Next Generation Firewall --> Web Filtering --> Advanced Configuration. We highly recommend using the default of 6226 or another port that isn't commonly used ( i.e. avoid 80, 443, 808, 1080, 3128, 8080, and 8118 ).



Finally, we need to decide how we are going to distribute our proxy settings to our clients. We can do so in one of two ways:

We recommend the use of a PAC (proxy auto-configuration) file for further customization and security. The PAC file will encrypt credentials sent via proxy requests, and gives you flexibility as a script based file that can be tailored to your needs. The Cipafilter provides a PAC file template to be distributed to your devices under Next Generation Firewall --> Web Filtering --> Advanced Configuration. The URL to point your devices to is located here. We highly recommend using HTTPS with HTTP failover. You can also configure options for DNS and proxy exceptions.



Alternatively, you can distribute proxy settings via GPP, Google Admin, or your management suite. This method is not considered best practice, as it sends the users credentials in clear text.

    • Related Articles

    • How To - Pushing Proxy Settings with Google Admin Console

      This article is relevant for users on version 9.0 and above. Issue This article will detail how to properly push proxy settings with the Google Admin Console. Google provides a way to push proxy settings for either your users within your Google Apps ...
    • How to: Configure Let's Encrypt

      This KB article is applicable to users on versions 10.0 and above. Issue This KB will detail how to configure Let's Encrypt. Let's Encrypt is a free, self renewing certificate introduced in version 10 firmware. Let's Encrypt provides a custom ...
    • Manual - Web Filtering

      The first thing to decide with regard to Web filtering is whether to run individual subnets in transparent or non-transparent (proxy server) mode. Transparent mode  — no client configuration is required, the Cipafilter simply intercepts all traffic ...
    • Chrome - SSL Certificate Installation

      This network employs a technology called SSL filtering which allows your network's administrators to filter out harmful or inappropriate Web content such as viruses and pornography. In order for this technology to work effectively, the network's ...
    • Manual - Appendix II: Privacy / remote access disclosures

      Your Cipafilter contains several features which, while designed to enhance usability and provide for excellent support, may create privacy concerns for some.  In the interest of maintaining openness and an informed user base, these features are ...