Let’s face reality, you can offer and sell the best service in the world but (often) the average customer/user will judge it by the ‘cover’: if it doesn’t look good, it’s crap, if it’s stylish then maybe they’ll appreciate the rest.

You can explain that it’s about security, that it’s important to have active UTM services (TRUE?!?), that the product is good, but if you leave a banal Deny Message in default dull gray… that’s all that counts. watchguard http-proxy deny message

And let’s be honest, besides being unattractive, it’s also not very functional: the WebBlocker Category doesn’t always hit the mark or returns Uncategorized for Aunt Becca’s website with which the user does business, leading to phone calls or emails to request unblocking. Alternatively, you can enable the WebBlocker Override, but for which categories or for which users? Do you trust the user’s common sense?! […] Indeed!

What do you think about customizing and enriching the Deny Message like this instead? watchguard http-proxy deny message custom

Unleash our imagination

What does it take? I grab the first HTML template I find online, a touch-up to the CSS, add a bit of fancy JavaScript, and BAM!

It doesn’t work…

No detailed specifications, but as much as I’ve tried in the lab, either there’s a limit on the code length, or something about internal parsing, or something else that I’m not willing to delve into. The fact is that the code returned to the browser is truncated.

So?

1
<meta http-equiv="refresh" content="0; url=https://mioserver.contoso.local/customdeny.html?url=%(url-host)%&reason=%(reason)%&user=%(user-name)%">

BAM!

Now we’re talking! In our default Deny Message, we’ve added a nice redirect inside the <head></head> tags pointing to a customdeny.html page on the internal web server mioserver.contoso.local, and we’re passing all the variables we’re interested in as query strings.

Customize Deny Page - 101

Setting aside the graphical appearance, let’s first define the variables to show the user in customdeny.html.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
<script>
	var params = new URLSearchParams(window.location.search);
	var url = params.get("url");
	var reason = params.get("reason");
	var user = params.get("user");

	document.addEventListener("DOMContentLoaded", function () {
		document.getElementById("reason").appendChild(document.createTextNode(reason));
		document.getElementById("user").appendChild(document.createTextNode(user));
		document.getElementById("host").appendChild(document.createTextNode(url));
	});
</script>
<div>
	<p id="host"><b>Site: </b></p>
	<p id="reason"><b>Reason: </b></p>
	<p id="user"><b>User: </b></p>
</div>

These defined are the fundamental ones, but if desired, we could also add the others supported by our Firebox:

  • %(transaction)% - Includes Request or Response to show which side of the transaction caused the packet to be denied
  • %(method)% - Includes the request method from the request
  • %(url-path)% - Includes the path component of the URL
  • %(serial)% - Includes the serial number of the Firebox
  • %(firewall)% - Includes the Firebox name

Okay, everything is very nice, but what about that fabulous REQUEST UNBLOCK button that was there before, just a click away?

Deny Page with unblock request and mail send

Let’s add the email recipient and two distinct JavaScript functions: requireUnlock and sendUnlock, why?

In the first one, we’ll force the user to justify their request because it’s scientifically proven that only a few of the most daring will attempt to unblock random website by writing down on paper that they need it for work. In the second function we’ll start the email with the attached justification.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
var recipient = "[email protected]";
function requireUnlock() {
	let req = prompt("Reason:", "");
	if (req == null || req.trim().length < 5) {
		alert("Valid reason required");
	}
	else {
		sendUnlock(req);
	}
}

function sendUnlock(unlockReason) {
	var subject = "Unblock request;
	var row1 = "User:\t" + user;
	var row2 = "Site:\t" + url;
	var row3 = "Blocked as:\t" + reason;
	var row4 = "Reason:\t" + unlockReason;
	var message = row1 + "\n" + row2 + "\n" + row3 + "\n" + row4;
	var mailData = encodeURIComponent(message);
	window.location.href = "mailto:" + recipient + "?subject=" + subject + "&body=" + mailData;
}
1
<button onclick="requireUnlock()">REQUEST UNBLOCK</button>

And here is the result: if the user correctly justifies the request, a pre-filled email will be created to send using the default mail client. watchguard http-proxy deny message richiedi sblocco watchguard http-proxy deny message sblocco notify mail

Otherwise, if the justification is empty or less than 5 characters in length, we’ll display an error message. watchguard http-proxy deny message access denied

Not bad, right? Now all that’s left is to customize with proper branding your customdeny.html, and if you are up for a no-brainer copy/paste, you’ll find the complete code at the end of the article.

Variations

If you don’t want or can’t use an internal web server, try inserting the relevant JavaScript parts directly into the Firebox’s Deny Message. In this case, the JavaScript variables should be defined as follows:

1
2
3
var url = "%(url-host)%";
var reason = "%(reason)%";
var user = "%(user-name)%";

However, keep an eye on the total length of the code and forget about base64-encoded images like the ones you see in the example. Use an <img/> src that is accessible to everyone or avoid images altogether.

Another option to consider, with some programming knowledge, is to use the sendUnlock function to call a Web Service, perhaps even with SSO authentication, to handle sending the email without going through the user’s Outlook… speaking like a PRO I’d say it would enhance the User Experience ;)

The copy/paste solution

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta charset="utf-8" />
    <title>Access Denied</title>
    <style type="text/css">
        html, body {
            height: 100%;
            margin: 0;
            font: normal 1em Arial;
            color: #666;
            background: #fff;
        }

        h1 {
            font: bold 3.5em Arial;
            font-style: italic;
            color: #373737;
        }

        h2 {
            font: bold 2em Tahoma;
            color: #d61e1e;
        }

        .outer {
            padding-top: 10%;
            margin: 0 auto;
            text-align: center;
            width:50%;
        }

        .inner {
            border: solid 10px #4c4c4c;
            padding: 20px;
            width: fit-content;
        }

        .btn {
            color: #fff;
            background-color: #0066CC;
            padding: 10px 30px;
            border: solid #0066cc 2px;
            box-shadow: rgba(0, 0, 0, 0.15) 0px 2px 8px;
            border-radius: 50px;
            transition: 500ms;
            transform: translateY(0);
            display: flex;
            flex-direction: row;
            align-items: center;
            cursor: pointer;
            margin: auto;
        }

            .btn:hover {
                transition: 500ms;
                padding: 10px 40px;
                transform: translateY(-0px);
                background-color: #5cad4b;
                border: solid #0066cc 2px;
            }
    </style>

    <script>
        var params = new URLSearchParams(window.location.search);
        var url = params.get("url");
        var reason = params.get("reason");
        var user = params.get("user");
        var recipient = "[email protected]";

        function requireUnlock() {
            let req = prompt("Request reason:", "");
            if (req == null || req.trim().length < 5) {
                alert("Reason required");
            }
            else {
                sendUnlock(req);
            }
        }

        function sendUnlock(unlockReason) {
            var subject = "Website unblock request";
            var row1 = "User:\t" + user;
            var row2 = "Site:\t" + url;
            var row3 = "Blocked as:\t" + reason;
            var row4 = "Reason:\t" + unlockReason;
            var message = row1 + "\n" + row2 + "\n" + row3 + "\n" + row4;
            var mailData = encodeURIComponent(message);
            window.location.href = "mailto:" + recipient + "?subject=" + subject + "&body=" + mailData;
        }

        document.addEventListener("DOMContentLoaded", function () {
            document.getElementById("logo").src = imageSrc;
            document.getElementById("reason").appendChild(document.createTextNode(reason));
            document.getElementById("user").appendChild(document.createTextNode(user));
            document.getElementById("host").appendChild(document.createTextNode(url));
        });

    </script>
</head>
<body>
    <div class="outer">
        <div class="inner">
            <img id="logo" width="20%;" />
            <h1>
                <b>ITsBalto Company</b>
            </h1>
            <h2>
                Access Denied
            </h2>
            <p style="font-weight: bold;">
                Communicate the following information to support or click the button to request access via email:
            </p>
            <div style="text-align: left; border: 2px solid #d61e1e; padding: 10px;">
                <p id="host"><b>Site: </b></p>
                <p id="reason"><b>Reason: </b></p>
                <p id="user"><b>User: </b></p>
                <p>
                    <button onclick="requireUnlock()" class="btn" id="btn">RICHIEDI SBLOCCO</button>
                </p>
            </div>
        </div>
    </div>

    <script>
        const imageSrc = "";
    </script>
</body>
</html>