RansNet Doc - Integrating Menlo Security for web isolation

Integrating HSG with Menlo Security

Menlo Security has been named by Gartner Inc. to the Visionaries quadrant of the 2018 Gartner Magic Quadrant for Secure Web Gateways. The Menlo Security Isolation Platform (MSIP) is a global, 24x7 cloud service, that protects enterprises from cyber attacks by isolating and executing all web content in the MSIP platform, away from the endpoints.

RansNet Hotspot Gateway (HSG) combined with MSIP is an ideal web security solution with seamless UX experience. HSG simplifies the network administrator's job with numerous authentication methods to allow internet access to large number of enterprise and transient users while helping the security team enforce internet policies on both enterprise and BYOD devices.

Once authorized by HSG, the user’s web sessions and all active contents (e.g. video, JavaScript, Flash, etc.), whether good or bad, are fully executed and contained in the Isolation Platform. Only safe, malware-free rendering information is delivered to the user’s endpoint, eliminating any possibility of authorized user device being compromised by harmful web contents.

User experience (traffic flow)

User device associates to wireless SSID broadcasted by AP
AP forwards user connection request to HSG, which will issue DHCP IP to user device
After getting DHCP IP address, user launches browser for Internet access (some devices will auto trigger CNA portal)
HSG intercepts user browsing request, and (if not authenticated user) redirects user browser to a customisable splash/login page
- the splash page can be customized with a link, asking user to download and install SSL cert (for MSIP web isolation purpose)
- can combine multiple authentication options
  - Enterprise/corporate user login: this integrates with company AD or pre-loaded authorized accounts
  - Guest/Transient user login: this can be self-registration via email/SMS or social sign, with restricted/controlled access.

NOTE: to simplify user experience, we can enable seamless relogin features (client sticky or portal sticky), so that only the first time user is prompted to download SSL cert and authenticate (eg. step #4 only happens once). Subsequent connections are seamless to all users.

To manually download Menlo security root CA cert, please download directly from below links

- For cloud deployment (CN = Menlo Security Root CA)
- For on-premise deployment (CN = RansNet Singapore Root CA)

An example to install cert to your chrome browser (can google other browser setting to import)

Download one of above cert (depending on your deployment mode)
Launch chrome and go to "Customize and control Google Chrome" > Settings > Under HTTPS/SSL > Manage certificates
Click on "Authorities" tab, Click on Import and select your downloaded cert, tick on all the "Trust...." options and OK.

CONFIGURATION ON HSG

!#this section is optional. needed only for on-premise deployment. replace 172.16.60.100/101 with on-premise box IP addressip host menlo-cmr.ransnet.com 172.16.60.100 rewriteip host menlo-iso.ransnet.com 172.16.60.101 rewriteip host xhr-safeweb.ransnet.com 172.16.60.101 rewriteip host safeweb.ransnet.com 172.16.60.101 rewrite!#exempt DNAT for HSG local IP or other private resourcefirewall-dnat 00 exempt all dst 192.168.80.0/24 remark "local LAN"firewall-dnat 01 exempt all dst 2.1.2.1 remark "HSG loopback"firewall-dnat 02 exempt all dst 49.128.58.64/28 remark "RansNet SGNOC"firewall-dnat 07 exempt all dst 13.229.252.0/24 remark safe.menlosecurity.com!#use DNAT to intercept web requests and forward everything else to HSG local proxy servicesfirewall-dnat 80 redirect all tcp dport 80 src 192.168.80.0/24 rdport 3128 remark "proxy rewrite for menlo"firewall-dnat 81 redirect all tcp dport 443 src 192.168.80.0/24 rdport 3129 remark "proxy rewrite for menlo"!#permit access to local proxy service from local LANfirewall-input 80 permit all tcp dport 3128 src 192.168.80.0/24 remark "permit access to local proxy"firewall-input 81 permit all tcp dport 3129 src 192.168.80.0/24 remark "permit access to local proxy"!#use HSG proxy-server to re-route browsing request to Menlo MSIP platformsecurity proxy-server proxy-access 10 permit src 192.168.80.0/24 remark "permitted LAN for proxy access" proxy-chain proxy0-ba84e0d6b90056d38dd370355286d154.menlosecurity.com,proxy1-ba84e0d6b90056d38dd370355286d154.menlosecurity.com port 3129 safe.menlosecurity.com proxy-access 10 start!

To generate Menlo proxy-chain string

Login to https://admin.menlosecurity.com/
Settings --> Proxy Auto Config, create and view PAC file copy out below string to apply to above HSG config.

You also need to add your network public WAN IP to Menlo admin portal.