Sophos Web Appliance: Configuring Users' Browsers to Use the Web Appliance with a Group Policy Object

  • Article ID: 38786
  • Rating:
  • 5 customers rated this article 2.4 out of 6
  • Updated: 02 Mar 2013

This article explains how to create a Group Policy Object (GPO) on your Active Directory server to automatically configure all of the users' browsers within your Active Directory Organizational Unit (OU) to use the Web Appliance as their web proxy. With the minor change of selecting your domain rather that an OU, you can apply the following procedure to create a GPO for your entire domain.

The advantage of using GPOs is that they enforce the specified change, which removes the dependency on user actions from the task. Also, the configuration task can be done centrally in one quick and simple operation. The disadvantage is that it only works for Internet Explorer browsers on Windows systems. So users who prefer a different browser or work on other computer platforms cannot have their browsers configured this way. There are similar ways to configure Firefox browsers, and these are described in the articles that are listed in the note near the end of this article.

Caution: While some settings pushed out by GPO can be reversed by disabling the setting (for example, disabling Logoff on the Start Menu), others can only be removed by pushing out the original setting (such as Folder Redirection). Proper testing should be done before deciding to push out significant changes using a GPO.

Note: The following instructions are shown using the Group Policy Object Editor that comes with Windows 200x, not the newer Group Policy Management Console.

  1. On your Active Directory server, open the Active Directory Users & Computers MMC for your OU.



  2. Right-click on your OU and select Properties.



  3. In the Properties dialog box for your OU, select the Group Policy tab.



  4. Click the New button to create a new GPO, which you can edit and then push out to all the computer accounts in your OU.



  5. Rename the GPO to suit your purposes.

Editing your GPO

  1. Navigate to the Group Policy tab for your OU, if you are not already there:
    1. On your Active Directory server, open the Active Directory Users & Computers MMC for your OU.
    2. Right click on your OU and select Properties.
    3. In the Properties dialog box for your OU, select the Group Policy tab.

  2. Click to highlight the GPO that you created.

  3. Click the Edit button to open a Group Policy Object Editor window in which you can make any required changes.



  4. Open User Configuration > Windows Settings > Internet Explorer Maintenance and select Connections. In the right pane, right-click Proxy Settings and select Properties.



    The Proxy Setting dialog box is displayed.

  5. Enter the fully qualified domain name of the Web Appliance. Ensure that the Use same proxy server option is selected, and click OK.



    The default refresh interval for GPOs is 60-120 minutes (90 +/- 30) to prevent too many computers from trying to refresh at the same time.

  6. To manually enforce the GPO, either:
    • Restart the computer.
      Note: Logging off and logging on only updates the User Configuration portion of the GPO. The Computer Configuration portion is not updated.
    • Or, run one of the following commands:
      In Windows XP:
      • To update both machine policies and user policies, enter: gpupdate
      • To update only machine policies, enter: gpupdate /target:Computer
      • To update only user policies, enter: gpupdate /target:User
      Note: By default gpupdate will only load changes to the GPO. To refresh the entire GPO, regardless of changes made, add the /force switch to the end of the command.
      In Windows 2000:
      • To update machine policy, enter: secedit /refreshpolicy machine_policy
      • To update user policy, enter: secedit /refreshpolicy user_policy



      Note: By default secedit will only load changes to the GPO. To refresh the entire GPO, regardless of changes made, add the /enforce switch to the end of the command.

Note: If some of your users are using Firefox, they can install an extension called "switchproxy" that adds a tool bar allowing them to set proxies, and switch between them, on the fly. There is also a website that has created .msi packages for Firefox that can be deployed via Active Directory and another site that provides instructions for creating .msi and .adm files to deploy and configure Firefox with a GPO:


Support for problems with third-party products that this article discusses may be provided by the manufacturer of that product. Sophos does not support such third-party products. The third-party products that this article discusses are manufactured by companies that are independent of Sophos. Sophos makes no warranty, implied or otherwise, about the performance or reliability of these products.

 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments