Configure the Notice and Consent Banner for ProxySG Management Console

Article ID: 205662


Products

ProxySG Software - SGOS Advanced Secure Gateway Software - ASG

Issue/Introduction

A notice and consent banner provides notice to users of computer networks, computers, and other systems and resources. Users are required to accept the terms in the banner prior to authentication. The banner is often presented to users before a login process, and it requires users to acknowledge and agree to the message before they can log in or access resources on the network.

This article covers implementing the notice and consent banner for access to the management console. The banner is displayed after the user enters the address and port for the HTTPS reverse proxy service for the banner, and it prompts the user to accept the conditions before proceeding. This solution utilizes CPL code to create banner policy.

Resolution

How a user logs in with a Management Console banner

  1. The user enters the address and port for the HTTPS reverse proxy service (such as https://proxysg:444) in a web browser.
  2. The browser displays the banner if it was not previously accepted during their browser session.
  3. The user provides consent by clicking a button or link in the banner.
  4. The browser redirects to the Management Console.
  5. The user enters their credentials and logs in to the Management Console.

Create an HTTPS Reverse Proxy Service for the Management Console Banner

As a prerequisite step for creating a Notice and Consent banner for the ProxySG appliance Management Console, you must create a service to intercept HTTPS requests destined for the ProxySG appliance.


In the following procedure, settings in step 4 must match the settings in the existing HTTPS-Console management service.

Tip: To check the HTTPS-Console management service settings, in the Management Console, select Configuration > Services > Management Services. Select HTTPS-Console and then click Edit. View the settings on the Edit dialog.

  1. In the Management Console, select Configuration > Services > Proxy Services.
  2. On the Proxy Services tab, click New Service. The Management Console displays the New Service dialog.
  3. Specify the following:
    • Name: Enter any name, and make note of it. You will reference the service name in policy. For example, enter AdminBanner and reference this name when you create the CPL policy.
    • Service Group: Standard
  4. Under Proxy settings, specify the following:
    • Proxy: HTTPS Reverse Proxy
    • Keyring: Use the keyring that is selected for the HTTPS-Console service. If you are using the appliance's default self-signed certificate, select Default.
    • CCL: Use the CCL selected for HTTPS-Console service.
    • SSL protocols: Leave the default options selected, or select the protocols that your organization allows.
  5. Under Listeners, select New. The Management Console displays the New Listener dialog.
  6. Specify the following:
    • Source address: All
    • Destination address: Enter the IP address for the Management Console.
    • Port Range: 444 (or other unused port)
    • Action: Intercept
  7. Select OK. The New Listener dialog closes and you return to the New Service dialog. The new listener information is listed in the table.
  8. Click OK. The dialog closes and you return to the Proxy Services tab. The new service is listed in the Standard service group section (or the service group you selected in step 3).
  9. Click Apply to save your settings.

Modify and Install the Management Console Banner CPL

Install the following CPL code in a VPM CPL Layer or the Local Policy file.


;;;;;;;;;;;;;;;;;;;;;;;;;; Notice and Consent Banner CPL ;;;;;;;;;;;;;;;;;;;;;;;;;;
<Proxy>
; Allow requests to the MC's Notice and Consent banner
; The service name must match the name you entered when you created the service
ALLOW service.name="AdminBanner"

; This is the Notice and Consent message that will be displayed prior to accessing the Management Console.
; It is in HTML format and each line must start with >
; Modify it to say what you want.
define string __NoticeAndConsent_format
    ><html>
    ><head>
    ><title>Notice</title>
    ><script>
    >function Accept() {
    >}
    ></script>
    ></head>
    ><body>
    ><!-- REPLACE THE FOLLOWING WITH YOUR MESSAGE -->
    >Click on Accept after reading this message.
    ><!-- The following is the Accept button, which you can customize. -->
    ><p><a href="$(exception.details)" onclick="Accept();">Accept</a>
    ></body>
    ></html>
end

; Policy Rules
<Proxy>  condition=!__is_notify_internal_admin_login_banner
    service.name="AdminBanner" policy.NoticeAndConsent

<Proxy "handle HTML Notification internal requests">
  [Rule]
    url=/notify-NoticeAndConsent? force_exception(notify, "$(url.scheme)://$(url.host):$(url.port)/accepted-NoticeAndConsent$(url.query)", __NoticeAndConsent_format)
    ALLOW url=/accepted-NoticeAndConsent? request.header.Cookie="notified-NoticeAndConsent=1" action.__Redirect_to_console(yes)
    ALLOW url=/accepted-NoticeAndConsent? request.header.Referer="" action.__NoticeAndConsent_accepted_to_verify(yes)
    url=/accepted-NoticeAndConsent? force_exception(invalid_request)
    ALLOW url=/verify-NoticeAndConsent? request.header.Cookie="notified-NoticeAndConsent=1" action.__Redirect_to_console(yes)
    ALLOW url=/verify-NoticeAndConsent? action.__NoticeAndConsent_verify_to_verify2(yes)
    ALLOW url=/verify2-NoticeAndConsent? request.header.Cookie="notified-NoticeAndConsent=1" action.__Redirect_to_console(yes)
    url=/verify2-NoticeAndConsent? force_exception(notify_missing_cookie)

  [Rule]
    service.name=!"AdminBanner" action.__delete_notify_cookies(yes)
    request.header.Cookie="notified-NoticeAndConsent=1" action.__Redirect_to_console(yes)


<Cache "suppress DRTR for HTML Notification internal URLs">
    condition=__is_notify_internal_admin_login_banner webpulse.categorize.mode(none)

; Definitions
; Once consent is recorded, send the browser on to the Management Console.
; 8082 is the default HTTPS-Console port; change it if your console listens elsewhere.
define action __Redirect_to_console
  request_redirect( 302, "(.*)", "https://$(url.host):8082" )
  set( exception.response.x_header.X-Content-Type-Options, "nosniff" )
  set( exception.response.x_header.Cache-Control, "no-store")
  set( exception.response.x_header.Strict-Transport-Security, "max-age=31536000; includeSubdomains")
  set( exception.response.x_header.X-Frame-Options, "DENY" )
end

; Only interactive browser GETs are redirected to the banner; range requests are left alone.
define condition __is_notifiable_admin_login_banner
    http.method=GET url.scheme=(http, https) request.header.User-Agent="^(Mozilla|Opera)" request.header.Range=!"" request.header.If-Range=!""
end

define condition __is_notify_internal_admin_login_banner
    url=/notify-NoticeAndConsent?
    url=/accepted-NoticeAndConsent?
    url=/verify-NoticeAndConsent?
    url=/verify2-NoticeAndConsent?
end

define condition __NoticeAndConsent_should_notify
    condition=__is_notifiable_admin_login_banner condition=!__is_notify_internal_admin_login_banner request.header.Cookie=!"notified-NoticeAndConsent=1"
end

define Proxy policy NoticeAndConsent
<Proxy>
    condition=__NoticeAndConsent_should_notify action.__NoticeAndConsent_original_to_notify(yes)
end

; The Accept click sets the consent cookie and bounces to /verify, so the next
; request proves the browser actually stored and returns the cookie.
define action __NoticeAndConsent_accepted_to_verify
  request_redirect( 302, "(.*)/accepted-NoticeAndConsent\?(.*)", "$(1)/verify-NoticeAndConsent?$(2)" )
  set( exception.response.header.Set-Cookie, "notified-NoticeAndConsent=1 $(url.cookie_domain); secure; HttpOnly" )
  set( exception.response.header.P3P, 'CP="NOI CUR OUR NOR STA"' )
  set( exception.response.x_header.X-Content-Type-Options, "nosniff" )
  set( exception.response.x_header.Cache-Control, "no-store")
  set( exception.response.x_header.Strict-Transport-Security, "max-age=31536000; includeSubdomains")
  set( exception.response.x_header.X-Frame-Options, "DENY" )
end

define action __NoticeAndConsent_original_to_notify
  request_redirect( 302, "([a-z]+://[^/]+)/.*", "$(1)/notify-NoticeAndConsent?$(url.path:encode_base64)" )
  set( exception.response.x_header.X-Content-Type-Options, "nosniff" )
  set( exception.response.x_header.Cache-Control, "no-store")
  set( exception.response.x_header.Strict-Transport-Security, "max-age=31536000; includeSubdomains")
  set( exception.response.x_header.X-Frame-Options, "DENY" )
end

; Strip the consent cookie from requests on any other service so it is not forwarded upstream.
define action __delete_notify_cookies
  delete_matching( request.header.Cookie, "^notified-(NoticeAndConsent)=" )
end

; Second attempt: set the cookie again without a domain and bounce to /verify2.
; If it still does not come back, the browser is not accepting cookies (notify_missing_cookie).
define action __NoticeAndConsent_verify_to_verify2
  request_redirect( 302, "(.*)/verify-NoticeAndConsent\?(.*)", "$(1)/verify2-NoticeAndConsent?$(2)" )
  set( exception.response.header.Set-Cookie, "notified-NoticeAndConsent=1; secure; HttpOnly" )
  set( exception.response.header.P3P, 'CP="NOI CUR OUR NOR STA"' )
  set( exception.response.x_header.X-Content-Type-Options, "nosniff" )
  set( exception.response.x_header.Cache-Control, "no-store")
  set( exception.response.x_header.Strict-Transport-Security, "max-age=31536000; includeSubdomains")
  set( exception.response.x_header.X-Frame-Options, "DENY" )
end
;;;;;;;;;;;;;;;;;;;;;;;;;; END Notice and Consent Banner CPL ;;;;;;;;;;;;;;;;;;;;;;;;;;
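To make the login flow listed under "How a user logs in" and the CPL rules above easier to follow, here is an added Python model of the redirect chain (example code written for this article, not SGOS or ProxySG code). It assumes the hostname proxysg, the banner service on port 444 and the console on 8082 from the policy above, models only requests on the AdminBanner service, and reads `request.header.Referer=""` as "a Referer header is present".

```python
import base64
from urllib.parse import urlsplit

CONSOLE = "https://proxysg:8082"        # __Redirect_to_console target
COOKIE = "notified-NoticeAndConsent=1"  # the cookie the CPL sets and checks
NOTIFY, ACCEPTED, VERIFY, VERIFY2 = (f"/{s}-NoticeAndConsent"
                                     for s in ("notify", "accepted", "verify", "verify2"))

def handle(url, cookies, referer=None, method="GET", ua="Mozilla/5.0"):
    """One request on the AdminBanner service -> ("redirect", location, set_cookie),
    ("exception", name, details) or ("allow", url, None). Constructed model, not SGOS."""
    u = urlsplit(url)
    origin, path, q = f"{u.scheme}://{u.netloc}", u.path, u.query
    if COOKIE in cookies and path != NOTIFY:
        return "redirect", CONSOLE, None     # consent already recorded
    if path == NOTIFY:
        # force_exception(notify, ...) renders the banner; $(exception.details) is the Accept href
        return "exception", "notify", f"{origin}{ACCEPTED}?{q}"
    if path == ACCEPTED:
        # Referer="" is read as "a Referer is present": the link was clicked, not typed in
        if referer:
            return "redirect", f"{origin}{VERIFY}?{q}", COOKIE
        return "exception", "invalid_request", None
    if path == VERIFY:                       # cookie did not come back: set it once more
        return "redirect", f"{origin}{VERIFY2}?{q}", COOKIE
    if path == VERIFY2:                      # still no cookie: the browser rejects them
        return "exception", "notify_missing_cookie", None
    # __NoticeAndConsent_should_notify: a browser GET that carries no consent cookie
    if method == "GET" and ua.startswith(("Mozilla", "Opera")):
        token = base64.b64encode(path.encode()).decode()   # $(url.path:encode_base64)
        return "redirect", f"{origin}{NOTIFY}?{token}", None
    return "allow", url, None

def browser_session(start_url, accepts_cookies, max_hops=10):
    """Walk the chain as a browser, clicking Accept; returns (outcome, paths visited)."""
    jar, url, referer, trail = set(), start_url, None, []
    for _ in range(max_hops):
        kind, value, extra = handle(url, jar, referer)
        if kind == "redirect" and value == CONSOLE:
            return "console", trail
        if kind == "redirect":
            if extra and accepts_cookies:
                jar.add(extra)
            url, referer = value, None
        elif value == "notify":
            url, referer = extra, url        # click Accept: Referer is the banner URL
        else:
            return value, trail              # invalid_request or notify_missing_cookie
        trail.append(urlsplit(url).path)
    return "loop", trail
```

Running `browser_session("https://proxysg:444/", True)` reaches the console after notify, accepted and verify; with `accepts_cookies=False` the same walk ends at the notify_missing_cookie exception on verify2, which is why the policy has two verification hops.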