Author Topic: Proxy authentication by means of a pop up prompt for a username and password  (Read 2072 times)

hwits

  • Zen Apprentice
  • Posts: 13
  • Karma: +0/-0
Hi all

I've set up a server for a client and I'm trying to get the standard pop up to auth against the proxy when a user browses the web.

I've tried captive portal which is not a good fit since it interferes with mail.

Note that Zentyal is not acting as a domain controller (DC), and the PCs do not auth against the Zentyal server when users log in.

Is there a way to obtain the desired outcome without having to make the Zentyal server a DC?

Thanks for the help!

christian

  • Guest
Is there a way to obtain the desired outcome without having to make the Zentyal server a DC?

Sure  :)  there are two different concepts and, unless you are looking for SSO, which would rely on Kerberos that is tightly linked to the DC in the Zentyal implementation, there is no link between proxy and DC.

In order to enforce prompt for credential while using proxy, you must:
- use explicit proxy (authentication doesn't work with transparent proxy)
- configure rules that will grant access only to authenticated users, adding group membership control if needed.

The way these rules are configured slightly differs between Zentyal 2.x and 3.x but at the end, same principle remains: authentication internet access through explicit proxy should be granted only to authenticated users... et voilà  ;)

Notice that this has nothing to do with filtering  ;)

hwits

Thanks Christian.

My question is more around how do I configure Zentyal to display the prompt when auth is required?

If I enable the explicit proxy in my browser, I do not get a prompt for authentication.

Thanks

christian

  • Guest
Sorry, I thought my answer was clear (enough)  :-[
You do not configure Zentyal to send authentication prompt. You configure proxy to require authentication and proxy, when web browser requests URL, will send back "HTTP 407" code to browser and this will trigger prompt for authentication.
In order to force proxy to send back such HTTP 407 code, you have to configure proxy so that no anonymous access is allowed, as explained in my previous post.

hwits

Thanks Christian. I appreciate the in depth advice.

I've added a user group 'Proxy Web Users' and added a user to it. On the 'access rules' screen, should I select the 'source' as a 'user group' which is 'proxy web users'?

From what I can understand (and read in other posts), I need to configure the rule where the decision should be something that includes 'authorise'.

I have the 'allow all', 'deny all', and 'apply filter profile'. I'm thinking that there is an option missing to do with 'authorise'.

Is there a prerequisite step required to trigger the option?

Thanks once again for your help. I can provide screenshots if required.

christian

  • Guest
I don't have any 3.x server currently available to look at configuration detail and, having played a bit with 3.x, I remember that it slightly differs from 2.2 from this standpoint.
I also agree that documentation is not very helpful  ;D because it doesn't really describe this "authentication" concept. A la Microsoft, this is hidden, kind of, behind the group membership concept.
You have to define rule based on group membership ;D, this will prompt user for authentication.

Be sure not to have overlapping rule allowing unauthenticated access  ;)
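
Added example (not part of the thread, and not Zentyal code): a small Python check for the HTTP 407 behaviour described above, useful for confirming that no overlapping rule still lets anonymous requests through. The stub proxy, the `probe` helper, the Basic scheme, the realm and the credentials are all assumptions constructed for illustration.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials, valid only for the stand-in proxy below.
DEMO_USER, DEMO_PASS = "alice", "s3cret"


class StubProxy(BaseHTTPRequestHandler):
    """Stand-in for an explicit proxy that allows no anonymous access."""

    def do_GET(self):
        expected = "Basic " + base64.b64encode(
            f"{DEMO_USER}:{DEMO_PASS}".encode()).decode()
        if self.headers.get("Proxy-Authorization") == expected:
            body = b"ok"
            self.send_response(200)
        else:
            # 407 plus Proxy-Authenticate is what makes the browser prompt.
            body = b"proxy authentication required"
            self.send_response(407)
            self.send_header("Proxy-Authenticate", 'Basic realm="proxy"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stub():
    """Run the stand-in proxy on a free loopback port."""
    server = HTTPServer(("127.0.0.1", 0), StubProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, url="http://example.com/", creds=None):
    """Send one explicit-proxy request; return (status, Proxy-Authenticate)."""
    headers = {}
    if creds:
        token = base64.b64encode(":".join(creds).encode()).decode()
        headers["Proxy-Authorization"] = "Basic " + token
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", url, headers=headers)  # absolute URI, as a browser sends
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Proxy-Authenticate")
```

Pointing `probe(host, port)` at your own proxy without credentials should return 407 and a `Proxy-Authenticate` value; a 200 means some rule still matches unauthenticated clients.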