Chrome OS Deployment Methodologies for K-12

Created On 09/25/18 18:59 PM - Last Modified 08/13/19 15:50 PM


Resolution


Introduction
Chromebooks and GlobalProtect

GlobalProtect App Configuration and Deployment from the Google Chromebook Management Console
View the User Settings for the GlobalProtect App
Configure Policies and Settings for Everyone in an Org Unit
Test the Connection
Squid Proxy Server Configuration and Deployment

Chromebooks and User-ID

Setup the Chrome Plugin (background.min.js file)
Deploy the Chrome Plugin
Setup the PHP Script (index.php and syslog.php files)
Deploy the PHP Script
Configure the Firewall to Parse the Syslog Messages

Chromebooks and SSL Forward Proxy
 

Introduction
Google Chromebooks are an inexpensive and popular way to provide a computing resource for students. As more K-12 institutions adopt programs for providing each student with computer resources, sometimes referred to as “one to one”, there is a requirement to safely enable applications, users, and content. Palo Alto Networks offers unprecedented security and flexibility to Chromebook end users, regardless of their location (on or off network). The following reference guide has been created to encourage administrators to leverage all Palo Alto Networks next-generation technologies for the benefit of Chromebook users.


Chromebooks and GlobalProtect
Many K-12 institutions now offer their students the ability to take Chromebooks off the local network (e.g. home). While these initiatives offer greater flexibility for education, they also introduce complexity as it relates to safely enabling applications, users, and content. Although products exist that administrators can apply to a specific use case (e.g. content filtering), they are lacking in other key areas (e.g. threat prevention, data exfiltration, logging, correlation, etc.). The native integration that the Palo Alto Networks platform offers can provide administrators complete visibility and control of remote devices via GlobalProtect. Specific to Chrome OS, there are two parts to enabling this capability:

  1. Configuration and deployment of the GlobalProtect App from the Google Chromebook Management Console.
  2. Configuration and deployment of a Squid proxy server to present a response page if the user attempts to browse the internet without the GlobalProtect App enabled.


Prerequisites
This configuration article assumes that GlobalProtect is already configured on the firewall according to best practices per the Palo Alto Networks technical documentation, and is functional on non-Chrome OS devices.

GlobalProtect App Configuration and Deployment from the Google Chromebook Management Console
The Chromebook Management Console enables administrators to customize and deploy the GlobalProtect app from a centralized location. The following configuration steps have been taken from the GlobalProtect Documentation. It is highly recommended to read through the guide for additional details.

View the User Settings for the GlobalProtect App 

  1. From the Chromebook Management Console, select Device Management > Chrome management > App management.
    1. The console displays the list of apps configured in all organization (org) units in your domain and displays the status of each app. Click an app Status to display the org units to which that status is applied.
  2. Select the GlobalProtect app and then select User settings.
    1. If the app is not present, SEARCH for GlobalProtect in the Chrome Web Store.

Configure Policies and Settings for Everyone in an Org Unit

 

  1. Select the org unit where you want to configure settings and configure Force Installation

    1. Force Installation – Install this app automatically and prevent users from removing it.
      1. Selecting the top-level org unit applies settings to everyone in that unit; selecting a child org unit applies settings only to users within that child org unit.
  2. Create a text file in JSON format that uses the following syntax and includes the FQDN or IP address of your GlobalProtect portal (no whitespace inside the quoted value):
    {
       "PortalAddress": {
          "Value": "portalfqdn.com"
       }
    }
  3. On the User settings page, select UPLOAD CONFIGURATION FILE and then Browse to the GlobalProtect settings file.
  4. SAVE the changes. Settings typically take effect within minutes, but it might take up to an hour to propagate through the organization.

Test the Connection 

 

  1. After Chrome Management Console successfully deploys the app, Test the GlobalProtect app for Chrome OS

Squid Proxy Server Configuration and Deployment

 

  1. Install a Squid proxy server via public or private infrastructure.
  2. Set up a response page to force users to enable GlobalProtect and place it in /usr/share/squid3/errors/en.
    1. More information regarding error page customization can be found on the Ubuntu website. Below is a sample page:
      
      <!DOCTYPE html>
      <html>
          <head>
              <title>Please Enable Global Protect to browse the internet</title>
              <style type="text/css">
              <!--
              html, body, #tbl_wrap { height: 100%; width: 100%; padding: 0; margin: 0; }
              #td_wrap { vertical-align: middle; text-align: center; }
              -->
              </style>
          </head>
      
          <body>
              <table id="tbl_wrap"><tbody><tr><td id="td_wrap">
              <!-- START: Anything between these wrapper comment lines will be centered -->
              <div style="display: inline-block;">
              <h1>Please Enable Global Protect to browse the internet</h1>
              <h2><a href="https://chrome.google.com/webstore/detail/globalprotect/nicidmbokaedpmoegdbcebhnchpegcdc">Get The ChromeBook Global Protect Client Here</a></h2>
              </div>
              <!-- END: Anything between these wrapper comment lines will be centered -->
              </td></tr></tbody>
              </table>
           </body>
      </html>
  3. Use the following squid.conf:
    
    # Whitelist sites. In Squid a leading dot (.gstatic.com) matches the domain
    # and all of its subdomains; a bare name matches that exact host only.
    acl whitelist dstdomain chrome.google.com
    acl whitelist dstdomain .gstatic.com
    acl whitelist dstdomain .googleapis.com
    acl whitelist dstdomain accounts.google.com
    acl whitelist dstdomain clients1.google.com
    acl whitelist dstdomain clients2.google.com
    acl whitelist dstdomain clients3.google.com
    acl whitelist dstdomain www.ipchicken.com
    # Replace with the FQDN of the GlobalProtect portal (example: vpn.school.edu)
    acl whitelist dstdomain FQDN.OF.VPN.SITE
    # Replace with the FQDN of this proxy (example: proxy.school.edu)
    acl whitelist dstdomain FQDN.OF.PROXY
    
    # GP public terminated VPN IP: traffic from GlobalProtect users arrives from
    # this address (replace with the IP of vpn.school.edu)
    acl from_gp src XXX.XXX.XXX.XXX
    
    # rules allowing non-GP-authenticated users to reach the whitelist only
    http_access allow whitelist
    
    # rules allowing GP users
    http_access allow from_gp
    
    # catch-all rule: everyone else receives the response page. If the page was
    # saved under a name other than ERR_ACCESS_DENIED, point Squid at it with a
    # deny_info directive.
    http_access deny all
    
  4. From the Chromebook Management Console, select Device management > Chrome management > User Settings.
  5. Scroll down to Network > Proxy Settings.
    1. Under the Proxy Mode drop-down list, select Always use the proxy specified.
    2. Under Proxy Server URL, enter the IP address or FQDN of the proxy server.
      1. Note that the proxy server needs to be accessible via a public IP address or hostname on the public internet.
  6. SAVE the configuration via the bottom right of the Google Admin window.

    Note: There are limitations to using a proxy to force browsing traffic to always use GlobalProtect. Many public Wi-Fi hotspots use captive portals that require the user to authenticate or to accept the network's terms and conditions before connecting. The Squid configuration file, squid.conf, cannot be written to accommodate or bypass these conditions. A configurable option in the Google Admin Console to force the GlobalProtect client to always be on would simplify this scenario by removing the need for the proxy server to serve the block page. This is currently a limitation of Chrome OS, and the bug that has been filed can be viewed here. We encourage readers to open a feature request with the Google Chrome product team to influence their decision to support an Always On VPN from within Chrome OS.


Chromebooks and User-ID
Because Chrome OS devices cannot be joined to an Active Directory domain, a free Chrome OS plugin can be leveraged to provide User-ID functionality. The solution consists of a Chrome Extension, a PHP-based webserver, and a Palo Alto Networks firewall.

The Chrome Extension for User-ID, the sample PHP scripts to use, and general instructions on getting this setup can be found here. At a high-level, the general workflow is as follows: 

  1. The Chrome plugin pulls the user information and generates an HTTP POST to the PHP script. The POST request includes the IP address and user name of the Chromebook.
  2. The PHP script reads the information from the GET/POST request. The PHP server then processes the information and passes it to the syslog.php script, which sends a syslog message to the firewall.
  3. The firewall acts as a syslog receiver. A custom syslog filter parses incoming syslog UDP traffic from the PHP server and applies the User-ID mappings from the received syslog messages.


Setup the Chrome Plugin (background.min.js file)

  1. Change #yourGoogleDomain# to your Google domain.
  2. Change #locationToIndex.php# to the location of the PHP script on a server of your choice.
  3. Change both remaining instances of #yourGoogleDomain# to your Google domain.


Deploy the Chrome Plugin

  1. Create an apps@yourGoogleDomain account.
  2. Zip and publish the app.
  3. Once published, deploy to Org/Sub-Org of your choosing (root level is recommended).


Setup the PHP Script (index.php and syslog.php files)

  1. Change #yourPANBoxManagementIP# to the IP address of the interface that will receive the syslog messages (usually the management interface).
  2. Change #ThisWebServerHostname# to the hostname of the webserver where the PHP script resides.
  3. Change #FQDNofThisWebServer# to the FQDN of the webserver where the PHP script resides.
  4. Change #ThisIPAddress# to the IP address of the webserver where the PHP script resides.


Deploy the PHP Script

  1. Copy the files to the same folder on a server capable of running PHP (for example, a server running IIS).
Note: This folder would be the folder used by the root of the web instance. Generally, in IIS, every web folder corresponds to a physical folder on the server's operating system. For example, C:\inetpub\domain\www\
  2. HTTPS access can be secured via a wildcard or unique certificate if desired.


Configure the Firewall to Parse the Syslog Messages

  1. Navigate to Device > User Identification > User Mapping > Edit.
  2. Navigate to Syslog Filters > Add.
    1. Change the Type to Field Identifier.
    2. Enter the information below the Field Identifier exactly as shown in the screenshot.
    [Screenshot: syslog parse profile.png]
  3. Click OK to close the Syslog Parse Profile window.
  4. Click OK to close the Palo Alto Networks User-ID Agent Setup window.
  5. From the User Mapping tab, click Add under Server Monitoring.
    1. Enter the Network Address of the PHP server as well as the AD domain name for the Default Domain Name.
    2. Select the Syslog Parse Profile created in Step 2.
  6. Commit and test the configuration.
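To make the User-ID workflow and the Field Identifier parse profile concrete, here is an added Python example (not part of the article, the plugin or PAN-OS) that models both ends of the exchange: the line the PHP relay would send, and the receiving side's prefix/delimiter extraction with the checks a receiver should apply before accepting a user-to-IP mapping. The event string, prefixes and delimiters are assumptions and must match what syslog.php actually emits and what is entered in the Syslog Parse Profile; the sample lines are constructed.

```python
import ipaddress
import re
from collections import namedtuple
from typing import List, Optional, Tuple

# Mirrors the fields of a PAN-OS Syslog Parse Profile of type Field Identifier.
FieldIdentifierProfile = namedtuple("FieldIdentifierProfile", "event_string username_prefix username_delimiter address_prefix address_delimiter")
# ASSUMED values for this example: they must match what syslog.php actually emits.
PROFILE = FieldIdentifierProfile("ChromeOS-UserID", "user=", " ", "ip=", " ")
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@\\-]+$")  # DOMAIN\user, user or user@domain only

def build_syslog_message(hostname: str, username: str, ip: str) -> str:
    # Line the PHP relay would send to the firewall (layout assumed for this example).
    p = PROFILE
    return f"<14>{hostname} {p.event_string}: {p.username_prefix}{username} {p.address_prefix}{ip}"

def _field(msg: str, prefix: str, delimiter: str) -> Optional[str]:
    start = msg.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = msg.find(delimiter, start)
    return msg[start:] if end < 0 else msg[start:end]

def parse_user_mapping(msg: str, profile: FieldIdentifierProfile = PROFILE) -> Optional[Tuple[str, str]]:
    """Return (username, ip) for a well-formed message, or None if it must be dropped."""
    if profile.event_string not in msg:
        return None
    user = _field(msg, profile.username_prefix, profile.username_delimiter)
    ip = _field(msg, profile.address_prefix, profile.address_delimiter)
    if not user or not ip or not USERNAME_RE.match(user):
        return None
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return None  # can never be a Chromebook sitting behind the firewall
    return user, str(addr)

def mappings_from(lines: List[str]) -> List[Tuple[str, str]]:
    # Apply the profile to received lines, keeping only mappings that pass every check.
    return [m for m in (parse_user_mapping(line) for line in lines) if m]

# Constructed sample traffic: one good mapping and two lines a filter should drop.
SAMPLE_LINES = [
    build_syslog_message("phpsrv", "jdoe@school.edu", "10.20.30.40"),
    "<14>phpsrv ChromeOS-UserID: user=jdoe ip=999.20.30.40",  # not a valid address
    "<14>phpsrv other-app: user=jdoe ip=10.20.30.41",         # event string absent
]
```

Running mappings_from(SAMPLE_LINES) yields only the first mapping; the malformed address and the line without the event string are discarded rather than turned into a user mapping.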


Chromebooks and SSL Forward Proxy
Chrome OS is designed in a way that certain types of traffic occur at the user-level (i.e. general web browsing), while other types of traffic occur at the device-level (i.e. user login page, software updates, etc.). This presents a problem when enabling SSL Forward Proxy, as the certificate can only be deployed at the user-level, thus disrupting tasks essential for Chrome OS to function properly.

As a result, a whitelist containing specific URLs is required to mitigate the issue.

Prerequisites
This configuration article assumes that SSL Forward Proxy is already configured according to best practices per the Palo Alto Networks technical documentation, and is functional on non-Chrome OS devices. It also assumes that the certificates have already been deployed to the Chrome OS devices.

  1. Within the firewall, navigate to Objects > Custom Objects > URL Category > Add, and enter the current list of URLs provided in the link above.
  2. Click OK.
  3. Navigate to Policies > Decryption, and add the newly created Custom URL Category to the Service/URL Category tab.
  4. Click OK.
  5. Commit and test the configuration.

