User Guide Version 9.5.8

Transcription

1 User Guide Version Document version /20/2008

2 2 IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice. USER S LICENSE The Appliance described in this document is furnished under the terms of Elitecore s End User license agreement. Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund. LIMITED WARRANTY Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications except for the foregoing, the software is provided AS IS. This limited warranty extends only to the customer as the original licenses. Customers exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore or its service center s option, repair, replacement, or refund of the software if reported (or, upon, request, returned) to the party supplying the software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the software without problems or interruptions. Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and Commtouch respectively and the performance thereof is under warranty provided by Kaspersky Labs and by Commtouch. It is specified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus. Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and electrical components will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware. DISCLAIMER OF WARRANTY Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any implied warranty or merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade practice, and hereby excluded to the extent allowed by applicable law. In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such damages. In the event shall Elitecore s or its supplier s liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose. In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages. RESTRICTED RIGHTS Copyright Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Elitecore Technologies Ltd. CORPORATE HEADQUARTERS Elitecore Technologies Ltd. 904 Silicon Tower, Off. C.G. Road, Ahmedabad , INDIA Phone: Fax: Web site:

3 3 Contents Technical Support 6 Typographic Conventions 7 Notation conventions 7 Preface 8 Guide Organization 8 Cyberoam Basics 9 Benefits of Cyberoam 9 Accessing Cyberoam 9 Accessing the Web Admin Console 11 Getting Started 15 Dashboard 17 Management 19 Setting up Zones 19 Create Zone 20 Setting up Users 22 Define Authentication 22 Define User 24 Setting up Groups 31 Firewall 42 Create Firewall rule 45 Manage Firewall 50 Host Management 58 Virtual Host 62 Create Virtual host 62 Delete Virtual host 65 Setting up Logon Pools 66 Traffic Discovery 67 Live Connections report 67 Today s Connection History 73 Policy Management 77 Surfing Quota policy 78 Access Time policy 81 Internet Access policy 84 Bandwidth policy 92 Data Transfer policy 103 NAT Policy 107 Zone Management 109 Manage Zone 109 Delete Zone 110 Group Management 112 Manage Group 112 User Management 120 Search User 120 Live User 121 Manage User 123 Logon Pool Management 134

4 4 Search Node 134 Update Logon Pool 135 System Management 138 Configure Network 138 Configure DNS 138 Dynamic Host Configuration Protocol (DHCP) 140 View Interface details 143 Configuring Dynamic DNS service 145 PPPoE 147 Manage Gateway 149 DoS Settings 152 Reset Console Password 157 System Module Configuration 158 Manage Data 159 Client Services 164 Customize Access Deny messages 169 Upload Corporate logo 170 Customize Login message 171 Disable Warning messages 172 HTTP Client Login page template 173 GUI Language Settings 174 Time settings 175 HTTP Proxy Management 176 Manage HTTP Proxy 176 Configure HTTP Proxy 177 Manage Servers 179 Monitoring Bandwidth Usage 180 Migrate Users 185 Migration from PDC server 185 Migration from External file 186 Customization 188 Schedule 188 Define Schedule 188 Manage Schedule 190 Services 192 Define Custom Service 192 Manage Custom Service 193 Create Service Group 196 Update Service Group 197 Delete Service Group 198 Categories 199 Web Category 200 File Type Category 208 Application Protocol Category 211 Access Control 216 Logging 218 Syslog Configuration 219 Log configuration 221 Product Licensing & Updates 224 Product Version information 224 Upgrade Cyberoam 225 Download 228 Clients 228

5 5 Appendix A Audit Log 229 Appendix B Logs 236 Appendix C Web Categories 272 Appendix D Services 276 Appendix E Application Protocols 278 Menu wise Screen and Table Index 279

6 6 Technical Support You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address: Corporate Office elitecore Technologies Ltd. 904, Silicon Tower Off C.G. Road Ahmedabad Gujarat, India. Phone: Fax: Web site: Cyberoam contact: Technical support (Corporate Office): Web site: Visit for the regional and latest contact information.

7 Typographic Conventions Material in this manual is presented in text, screen displays, or command-line notation. Item Convention Example Server Client User Username Part titles Bold and shaded font typefaces Machine where Cyberoam Software - Server component is installed Machine where Cyberoam Software - Client component is installed The end user Username uniquely identifies the user of the system Report Topic titles Shaded font typefaces Introduction Subtitles Bold & Black typefaces Notation conventions Navigation link Bold typeface Group Management Groups Create it means, to open the required page click on Group management then on Groups and finally click Create tab Name of a particular parameter / field / command button text Cross references Lowercase italic type Hyperlink in different color Enter policy name, replace policy name with the specific name of a policy Or Click Name to select where Name denotes command button text which is to be clicked refer to Customizing User database Clicking on the link will open the particular topic Notes & points to remember Prerequisites Bold typeface between the black borders Bold typefaces between the black borders Note Prerequisite Prerequisite details 7

8 8 Preface Welcome to Cyberoam s - User guide. Cyberoam is an Identity-based UTM Appliance. Cyberoam s solution is purpose-built to meet the security needs of corporates, government organizations, and educational institutions. Cyberoam s perfect blend of best-of-breed solutions includes User based Firewall, Content filtering, Anti Virus, Anti Spam, Intrusion Detection and Prevention (IDP), and VPN. Cyberoam provides increased LAN security by providing separate port for connecting to the publicly accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ which are visible the external world and still have firewall protection. Default Web Admin Console username is cyberoam and password is cyber Cyberoam recommends to change the default password immediately after installation to avoid unauthorized access. Guide Organization This Guide provides information regarding the administration, maintenance, and customization of Cyberoam and helps you manage and customize Cyberoam to meet your organization s various requirements including creating groups and users and assigning policies to control internet access. How do I search for relevant content? For help on how to perform certain task use Contents For help on a specific menu or screen function use Menu wise Screen and Table Index This Guide is organized into three parts: Part I Getting started It describes how to start using Cyberoam after successful installation. Part II Management It describes how to define groups and users to meet the specific requirements of your Organization. It also describes how to manage and customize Cyberoam. 1. Define Authentication process and firewall rule. 2. Manage Groups and Users. Describes how to add, edit and delete Users and User Groups 3. Manage & Customize Policies. Describes how to define and manage Surfing Quota policy, Access Time policy, Internet Access policy, Bandwidth policy and Data transfer policy 4. Manage Logon Pools. Describes how to add, edit and delete Logon Pools 5. Manage Cyberoam server Part III Customization Customize Services, Schedules and Categories. Describes how to create and manage Categories, Schedules and Services and Cyberoam upgrade process.

9 9 Cyberoam Basics Cyberoam is an Identity-based UTM Appliance. Cyberoam s solution is purpose-built to meet the security needs of corporate, government organizations, and educational institutions. Cyberoam s perfect blend of best-of-breed solutions includes Identity based Firewall, Content filtering, Anti Virus, Anti Spam, Intrusion Detection and Prevention (IDP), and VPN. Cyberoam provides increased LAN security by providing separate port for connecting to the publicly accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ which are visible the external world and still have firewall protection. It also provides assistance in improving Bandwidth management, increasing Employee productivity and reducing legal liability associated with undesirable Internet content access. Benefits of Cyberoam 1. Boost Employee productivity by a. Blocking access to the sites like Gaming, Shopping, news, Pornography 2. Conserve bandwidth by a. Controlling access to non-productive site access during working hours b. Controlling rate of uploading & downloading of data 3. Load balancing over multiple links a. Improved User response time b. Failover solution c. Continuous availability of Internet d. Reduced bandwidth bottlenecks 4. Enforce acceptable Internet usage policies 5. Comprehensive, easy-to-use reporting tool enabling the IT managers to compile reports on Internet and other resources usage and consumption patterns Accessing Cyberoam Two ways to access Cyberoam: 1. Web Admin Console General Administration using Web Admin Console Following configurations can be performed only from Web Admin Console: DNS and DHCP firewall rules content filtering categories and policies user authentication method and integration with external authentication servers access control antivirus and anti spam filtering policies VPN connection policies multiple gateways user and user groups bandwidth and internet access policy IDP policies and signature In addition, Dashboard, reports including traffic discovery and bandwidth usage graphs can be viewed only from Web Admin Console. 2. CLI Console

10 10 a) Using Console Interface via remote login utility TELNET b) Direct Console connection - attaching a keyboard and monitor directly to Cyberoam server General Administration using CLI Console Use CLI console for troubleshooting and diagnose network problems in details. Additionally you can also: Restart management services Restart and shutdown Cyberoam View log information Update MTU and MSS value Configure static and dynamic routes Upgrade Cyberoam and restore backup Restore to factory default settings Reset and change password Enable/disable LAN Bypass (only if Cyberoam is deployed as Bridge) Accessing CLI Console via remote login utility - TELNET Access Cyberoam Console with the help of TELNET utility. To use TELNET, IP Address of the Cyberoam server is required. Use command telnet <Cyberoam IP address> to start TELNET utility from command prompt and log on with default password admin Screen - Console login screen Accessing CLI Console using SSH client Access Cyberoam Console using any of the SSH client. Cyberoam server IP Address is required. Start SSH client and create new Connection with the following parameters: Hostname - <Cyberoam server IP Address> Username admin Password admin

11 11 Accessing the Web Admin Console Cyberoam Web Admin Console (GUI) access requires Microsoft Internet Explorer 5.5+ or Mozilla Firefox 1.5+ and Display settings as True color (32 bits) Log on & log off from the Cyberoam Web Admin Console The Log on procedure verifies validity of user and creates a session until the user logs off. Log on procedure To get the log in window, open the browser and type IP Address in browser s URL box. A dialog box appears prompting you to enter username and password to log on. Use the default user name cyberoam and password cyber if you are logging in for the first time after installation. Asterisks are the placeholders in the password field. Log on Methods HTTP log in To open unencrypted login page, in the browser s Address box, type address of Cyberoam> Screen - HTTP login screen HTTPS log in Cyberoam provides secured communication method which encrypts the User log on information and which prevents unauthorized users from viewing the user information. For this, Cyberoam uses https protocol. The secure Hypertext Transfer Protocol (HTTPS) is a communication protocol designed to transfer encrypted information between computers over the World Wide Web. HTTPS is http using a Secure Socket Layer (SSL). A secure socket layer is an encryption protocol invoked on a Web server that uses HTTPS.

12 HTTPS protocol opens a secure hypertext transfer session with the specified site address. To open login over secure HTTP, type address of Cyberoam> Screen - HTTPS login Screen Elements Login User name Password Specify user login name. If you are logging on for the first time after installation, please use default username cyberoam Specify user account Password 12

13 13 Log on to Login button If you are logging on for the first time after installation, please use default password cyber To administer Cyberoam, select Web Admin Console Logs on to Web Admin Console Click Login Table - Login screen elements Screen Components Cyberoam displays Dashboard as soon as you logon to the Web Admin Console. Dashboard provides a quick and fast overview of all the important parameters of Cyberoam appliance. Navigation menu Navigation menu on the leftmost side provides access to various configuration pages. Menu consists of sub-menus and tabs. On clicking menu item, submenu is displayed. On clicking submenu item, the associated tabs are displayed. To view page associated with tab, click the required tab. Button bar The button bar on the upper rightmost corner provides access to several features like: Dashboard Console It provides immediate access to CLI by initiating a telnet connection with CLI without closing Web Admin console. It avoids toggling between consoles especially when management service is to be restarted (RMS). Support - Open a customer login page for creating a Technical Support Ticket. It is fast, easy and puts your case right into the Technical Support queue. Wizard Network Configuration wizard will guide you step-by-step through configuration of the network parameters like IP address, subnet mask and default gateway for Cyberoam. Cyberoam Appliance and Registration information Online help Use Logout button to log out from the Web Admin Console. Use F1 key for page specific help Use F2 key to return to home page Use F10 key to return to Dashboard

14 14 Web console Authorization and Access control By default, Cyberoam has four types of user groups: Administrator group Log in as Administrator group User to maintain, control and administer Cyberoam. Administrator group User can create, update and delete system configuration and user information. Administrator can create multiple administrator level users. Manager group Manager group User can only view the reports. User group User group User is the user who accesses the resources through Cyberoam. Clientless group Clientless User group User who can bypass Cyberoam Client login to access resources. Cyberoam itself takes care of login of this level user. Refer to Access Configuration to implement IP address based access restriction/control for administrators and managers. Log out procedure To avoid un-authorized users from accessing Cyberoam, log off after you have finished working. This will end the session and exit from Cyberoam.

15 15 Getting Started Once you have configured network, you can start using Cyberoam. PART 1 1. Start monitoring Once you have installed Cyberoam successfully, you can monitor user activity in your Network. Depending on the Internet Access policy configured at the time of installation, certain categories will be blocked or allowed for LAN to WAN traffic with or without authentication. 2. View Cyberoam Reports Monitor your Network activities using Cyberoam Reports. To view Reports, log on to Reports from Web Admin Console using following URL: IP Address> and log on with default username cyberoam and password cyber. View your organization s surfing pattern from Web Surfing Organization wise report View your organization s general surfing trends from Trends Web Trends report View your organization s Category wise surfing trends from Trends Category Trends report 3. Discover Network Application Traffic Detect your network traffic i.e. applications and protocols accessed by your users. To view traffic pattern of your network, log on to Cyberoam Web Admin Console using following URL: IP Address> and log on with default username cyberoam and password cyber. View amount of network traffic generated by various applications from Traffic Discovery Live Connections Application wise 4. Configure for User name based monitoring As Cyberoam monitors and logs user activity based on IP address, all the reports generated are also IP address based. To monitor and log user activities based on User names, you have to configure Cyberoam for integrating user information and authentication process. Integration will identify access request based on User names and generate reports based on Usernames. If your Network uses Active Directory Services, configure Cyberoam to communicate your ADS. Refer to Cyberoam ADS Integration guide for more details. If your Network uses LDAP, configure Cyberoam to communicate your LDAP. Refer to Cyberoam LDAP Integration guide for more details. If your Network uses Windows NT Domain Controller, configure for Cyberoam to communicate with Windows Domain Controller. If your Network uses RADIUS, configure for Cyberoam to communicate with RADIUS.

16 16 5. Customize Cyberoam creates default firewall rules based on the Internet Access configuration done at the time of installation. You can create additional firewall rules and other policies to meet your organization s requirement. Cyberoam allows you to: 1. Control user based per zone traffic by creating firewall rule. Refer to Firewall for more details. 2. Control individual user surfing time by defining Surfing quota policy. Refer to Policy Management- Surfing Quota policy for more details. 3. Schedule Internet access for individual users by defining Access time policy. Refer to Policy Management-Access time policy for more details. 4. Control web access by defining Internet Access policy. Refer to Policy Management-Internet Access policy for more details. 5. Allocate and restrict the bandwidth usage by defining Bandwidth policy. Refer to Policy Management- Bandwidth policy for more details. 6. Limit total as well as individual upload and/or download data transfer by defining data transfer policy. Refer Data transfer policy for more details.

17 17 Dashboard Cyberoam displays Dashboard as soon as you logon to the Web Admin Console. Dashboard provides a quick and fast overview of all the important parameters of Cyberoam appliance that requires special attention such as password, access to critical security services, system resources usage, IDP alerts, and notifications of subscription expirations etc. are displayed. Dashboard page is completely customizable. Minimize or reposition each section (System Information, License Information, Gateway status information, Usage summary etc.) by dragging and dropping. Each section has an icon associated with it for easy recognition when minimized. Optionally click Reset to restore the default dashboard setting. Customizable Dashboard allows to place the sections that are pertinent to the user and requires special attention for managing Cyberoam on the top and the information used less often moved to the bottom. Available sections on Dashboard are as follows: Alert Messages Appliance Information License Information Installation Information. Use Check for Upgrades link to check for the upgrade availability. DoS attack status Recent IDP Alerts Recent Spyware Alerts HTTP Traffic Analysis User Surfing pattern Usage Summary Recent Mail Viruses detected Recent HTTP and FTP Viruses detected System Resources System Status Gateway status HA Details (if High availability is configured) Section Recent Spyware Alerts doclet is added on the Dashboard to provide a level of visibility to spyware infected hosts to help stop the further propagation of spyware outside your network. Apart from preventing spyware from entering and infecting your network, the Cyberoam can now also detect any unwanted applications and Spyware infected hosts that are already there in the network i.e. network infected before Cyberoam was deployed and provides alert on Dashboard. Dashboard displays following Alerts: The default Web Admin Console password has not been changed. Default Telnet Console password is not changed. <Service name(s)> base management is allowed from WAN. This is not a secure configuration. We recommend to use a good password. Your Cyberoam Appliance is not registered. <module name(s)> modules will expire within 5/10/20 days. Be sure to buy the subscription to stay protected. <module name(s)> module(s) expired

18 18 Note Use F10 key to return to Dashboard from any of the pages The button bar on the upper rightmost corner of all the pages also provides access to Dashboard. Screen - Dashboard

19 19 Management Setting up Zones PART 2 A Zone is a logical grouping of ports/physical interfaces and/or virtual subinterfaces if defined. Zones provide flexible layer of security for the firewall. With the zone-based security, the administrator can group similar ports and apply the same policies to them, instead of having to write the same policy for each interface. Default Zones Types LAN Depending on the appliance in use and on your network design, Cyberoam allows to group one to six physical ports in this zone. Group multiple interfaces with different network subnets to manage them as a single entity. Group all the LAN networks under this zone. By default the traffic to and from this zone is blocked and hence the highest secured zone. However, Cyberoam allows traffic between the ports belonging to the same zone. DMZ (DeMilitarized Zone) - This zone is normally used for publicly accessible servers. Depending on the appliance in use and on your network design, Cyberoam allows to group one to five physical ports in this zone. WAN Zone used for Internet services. It can also be referred as Internet zone. Local - Entire set of physical ports available on the Cyberoam appliance including their configured aliases are grouped in LOCAL zone. In other words, IP addresses assigned to all the ports fall under the LOCAL zone. VPN - This zone is used for simplifying secure, remote connectivity. It is the only zone that does not have any assigned physical port/interface. Whenever the VPN connection is established, port/interface used by the connection is automatically added to this zone and on disconnection; port is automatically removed from the zone. Like all other default zones, scanning and access policies can be applied on the traffic for this zone. Cyberoam provides single zone of each type. These are called System Zones. Administrator can add LAN and DMZ zone types. By default, entire traffic except LAN to Local zone service likes Administration, Authentication and Network is blocked.

20 Create Zone Select System Zone Create to open the create page Screen - Create Zone Screen Elements Create Zone Zone Name Zone Type Specify name of the Zone Select zone type LAN Depending on the appliance in use and on your network design, Cyberoam allows to group one to six physical ports in this zone. Group multiple interfaces with different network subnets to manage them as a single entity. Group all the LAN networks under this zone By default the traffic to and from this zone is blocked and hence the highest secured zone. However, traffic between ports belonging to the same zone is allowed. DMZ (DeMilitarized Zone) - This zone is normally used for publicly accessible servers. Depending on the appliance in use and on your network design, Cyberoam allows to group one to five physical ports in this zone. WAN Zone for the Internet services. Only one WAN zone is allowed, hence additional WAN zones cannot be created. VPN - This zone is used for simplifying secure, remote connectivity. It is the only zone that does not have an assigned physical port/interface. Whenever the VPN connection is established, port/interface used by the connection is automatically added to this zone and on disconnection; port is automatically removed from the zone. Select Port Multiple LAN is not possible if Cyberoam is placed deployed as Bridge Click the port to be included in from the Available Port(s) list and click to move to the Member Port(s) list. Selected port will be the 20

21 Create button member of the zone. Virtual Interfaces will also be available for selection if defined. Specify zone description Saves the configuration and creates zone Table Create Zone 21

22 22 Setting up Users Define Authentication Cyberoam provides policy-based filtering that allows defining individual filtering plans for various users of your organization. You can assign individual policies to users (identified by IP address), or a single policy to number of users (Group). Cyberoam detects users as they log on to Windows domains in your network via client machines. Cyberoam can be configured to allow or disallow users based on username and password. In order to use User Authentication, you must select at least one database against which Cyberoam should authenticate users. Cyberoam supports user authentication against: an Active Directory an Windows NT Domain controller an LDAP server an RADIUS server an internal database defined in Cyberoam To filter Internet requests based on policies assigned, Cyberoam must be able to identify a user making a request. When the user attempts to access, Cyberoam requests a user name and password and authenticates the user's credentials before giving access. User level authentication can be performed using the local user database on the Cyberoam, an External ADS server, RADIUS server, LDAP or Windows NT Domain Controller. For external authentication, integrate Cyberoam with ADS, LDAP or Windows NT Domain Controller. If your network uses an Active Directory service, configure Cyberoam to communicate with ADS. If your network uses a Windows Domain controller, configure Cyberoam to communicate with Domain controller. If your Network uses LDAP, configure Cyberoam to communicate with LDAP server. If your Network uses RADIUS server, configure Cyberoam to communicate with RADIUS server. Cyberoam can prompt for user identification if your network does not use Windows environment. Cyberoam Authentication It is necessary to create users and groups in Cyberoam if installed Non PDC environment. Before users log on to Cyberoam, Administrator has to create all the users in Cyberoam, assign them to a Group and configure for Cyberoam authentication. Refer to Define Group and Define User for details on creating groups and users. When user attempts to log on, Cyberoam authenticates user.

23 Select User Authentication Settings to open configuration page Screen Cyberoam Authentication Screen Elements Configure Authentication & Integration parameters Integrate with Select Cyberoam as the authentication server Default Group Allows to select default group for users Click Default Group list to select Update button Updates and saves the configuration Table Cyberoam Authentication screen elements 23

24 Define User User Users are identified by an IP address or a user name and assigned to a group. All the users in a group inherit all the group policies. Refer to Policy Management to define new policies. User types Cyberoam supports three types of Users: 1. Normal 2. Clientless 3. Single Sign on Normal User has to logon to Cyberoam. Requires Cyberoam client (client.exe) on the User machine or user can use HTTP Client component and all the policy-based restriction can be applied. Clientless Does not require Cyberoam client component (client.exe) on the User machines. Symbolically represented as User name (C) Single Sign On If User is configured for Single Sign On, whenever User logs on to Windows, he/she is automatically logged to the Cyberoam. Symbolically represented as User name (S) Use the given decision matrix below to decide which type of the user should be created. Decision matrix for creation of User Feature Normal User Clientless User Single Sign on User User Login required Yes No No Type of Group Normal Clientless Yes No No Yes Yes No Apply Login restriction Yes Yes Yes Apply Surfing Quota policy Yes No No Apply Access Time policy Yes No No Apply Bandwidth policy Yes Yes Yes Apply Internet Access policy Yes Yes Yes Apply Data Transfer policy Yes No Yes Table - Create User - Decision matrix 24

25 25 Add a User Prerequisite Group created for Normal Users only Select User User Add User to open add user page Screen - Add User Screen Elements User Information Name Username Password Confirm Password Windows Domain Controller Only if Authentication is done by Windows NT Domain Controller User Type Specify name of the User Specify a name that uniquely identifies user & used for logging Specify Password Specify password again for conformation Should be same as typed in the Password field Displays Authentication Server IP Address Specify the user group type. Depending on user group type, default web

26 console access control will be applied. Refer to Web console Authorization and Access control for more details. Available option: Administrator, Manager, User Click User type list to select Number of simultaneous login(s) allowed OR Unlimited Refer to Add Clientless User on how to create clientless user Customize the maximum number of concurrent logins allowed to the user Specify number of concurrent logins allowed to the user OR Allows unlimited concurrent logins to the user The setting specified will override the setting specified in client preference. User MAC Binding Bind with MAC address For example, If in Client preferences, the number of concurrent logins allowed is 5 and here you have specified 3, then this particular user will be allowed to login from 3 machines concurrently and not from 5 machines. By binding User to MAC address, you are mapping user with a group of MAC addresses hence user will be able to login and access the Internet only from the specific machines. This will prevent anyone from impersonating someone else even if they have changed their IP address. MAC address list Group Information Group View details link Login Restriction Select any one option Enable MAC binding by clicking Enable Specify MAC addresses e.g. 01:23:45:67:89:AB Once you enable MAC bindng user will be able to login through prespecified machines only. To configure multiple MAC addresses use comma e.g. 01:23:45:67:89:AB, 01:23:45:67:89:AC or specify each address in a new line. Specify in Group in which user is to be added. User will inherit all the group policies. Click Group list to select Open a new Window and displays details of the selected Group Refer to View Group details table for more details Allows to apply login restriction Available options 1) All Nodes Allows Users to login from all the nodes in the network 2) Group Nodes only Allows Users to login only from the nodes assigned to the group 3) Selected Nodes only Allows Users to login from the selected nodes only. Refer to Apply Login Node Restriction for details. Nodes from which the User is 26

27 allowed login can be specified after creating the user also. Click to select Personal details link Allows to enter personal details of the user Personal information Only if Personal details link is clicked Birth date Specify date of birth of user Add button Review button Click Calendar to select date Specify Id of User Adds user Click to add Opens a new page and displays the user details for reviewing. Review details before adding to make sure details entered are correct. Click to review View Group details table Screen Elements Group name Surfing Quota policy Access Time policy Internet Access policy Bandwidth policy Data transfer policy Allotted time (HH:mm) Expiry date Used minutes Click Submit to add user Table - Add User screen elements Displays name of the Group Displays name of the Surfing Quota policy assigned to the group Displays name of the Access Time policy assigned to the group Displays name of the Internet Access policy assigned to the group Displays name of the Bandwidth policy assigned to the group Displays name of the Data Transfer policy assigned to the group Displays total allotted surfing time to User Displays User policy Expiry date Displays total time used by the user in minutes At the time of creation of user, it will be displayed as 0:0 Close button Closes window Table - View Group details screen elements Apply Login Node Restriction 27

28 Screen Elements Select Node(s) button Only if the option Selected Node(s) Only is selected Logon Pool name Select Opens a new page and allows to select the node Click to select the Node for restriction Logon Pool from which the Node/IP address is to be added Click Logon Pool name list to select Selects the Node OK button Cancel button Multiple nodes can also be selected Click to apply restriction Cancels the current operation Table - Apply Login Node Restriction screen elements 28

29 Add Clientless users Clientless Users are the users who can bypass Cyberoam Client login to access resources. It is possible to add a single clientless user as well as more than one clientless user at a time. When you add multiple clientless users, users are represented by IP addresses and not by the name. Add multiple clientless users Prerequisite Clientless Group created Logon Pool created Select User Clientless Users Add Range to open create user page and add multiple clientless users in one go but with the IP addresses in the continuous range. Screen - Add multiple Clientless users Screen Elements Host Group Details Host Group name Is Host Group public Bandwidth policy Specify name of Logon Pool Public IP address is routable over the Internet and do not need Network Address Translation (NAT) Click to enable, if IP addresses assigned to the Users are public IP addresses By default, group bandwidth policy is applied to the user but you can override this policy. Specify Bandwidth Policy to be applied. Click Bandwidth Policy list to select. Check the policy details by clicking View details link Specify full description 29

30 Machine details From To Machine name Select Group Group Create button Specify range of IP Address that will be used by Users to login Specify Machine name Specify Group in which User is to be added Click Group list to select Adds multiple Clientless Users. Creates Clientless users with given IP addresses as their username. Table - Add multiple Clientless users screen elements Add single Clientless user Prerequisite Group created Logon Pool created Select User Clientless Users Add Users to open create user page and add single user or multiple clientless users with the arbitrary range of IP address. Screen - Add single Clientless user Screen Elements Username IP Address Group Specify a unique name used for logging Specify IP address. Cyberoam will suggest IP address in the drop down the moment you type the initial digits of IP address. For example, when you type , Cyberoam will display list of IP addresses starting with that can be allowed to the user for logging. Specify Group in which User is to be added. User will inherit all the group policies. Name Click Group list to select Specify actual name of the user Specify Id of User Add User button Click to add more than one user. Use to remove user details from the list. Create button Click to register user Table - Create single Clientless user screen elements NOTE Duplicate Usernames cannot be created Only bandwidth and Internet access policy can be applied to clientless users Unlimited surfing quota and access time policy are applied automatically Data transfer policy is not applicable 30

31 Setting up Groups Group Group is a collection of users having common policies and a mechanism of assigning access of resources to a number of users in one operation/step. Instead of attaching individual policies to the user, create group of policies and simply assign the appropriate Group to the user and user will automatically inherit all the policies added to the group. This simplifies user configuration. A group can contain default as well as custom policies. Various policies that can be grouped are: 4. Surfing Quota policy which specifies the duration of surfing time and the period of subscription 5. Access Time policy which specifies the time period during which the user will be allowed access 6. Internet Access policy which specifies the access strategy for the user and sites 7. Bandwidth policy which specifies the bandwidth usage limit of the user 8. Data Transfer policy which specifies the data transfer quota of the user Refer to Policy Management for more details on various policies. Group types Two types of groups: 9. Normal 10. Clientless Normal A user of this group need to logon to Cyberoam using the Cyberoam Client to access the Internet Clientless A user of this group need not logon to Cyberoam using the Cyberoam Client to access the Internet. Access control is placed on the IP address. Symbolically represented as Group name (C) Use the below given decision matrix to decide which type of group will best suited for your network configuration. Decision matrix for creation of Group Feature Normal Group Clientless Group Logon into Cyberoam required Yes No Type of User Normal Clientless Yes No No Yes Apply Login restriction Yes No Apply Surfing Quota policy Yes No Apply Access Time policy Yes No Apply Bandwidth policy Yes Yes Apply Internet Access policy Yes Yes Apply Data transfer policy Yes No Table - Group creation - Decision matrix 31

32 Add a New Group Prerequisite All the policies which are to be added to the Group are created Logon Pool created if login is to be restricted from a particular Node/IP Address Select Group Add Group to open add group page Screen - Create Group Screen Elements Create Group Group name Group type Specify Group name. Choose a name that best describes the Group. Specify type of Group Click Group type to select Select Normal if Group members are required to log on using Cyberoam Client Surfing Quota Policy Only if Group type Select Clientless if Group members are not required to log on using Cyberoam Client Specify Surfing Quota Policy for Group Click Surfing Quota Policy list to select 32

33 33 is Normal Access Time Policy Only if Group type is Normal By default, Unlimited policy is assigned to the Clientless Group type Refer to Surfing Quota Policy for more details Specify Access Time policy for Group Click Access Time Policy list to select By default, Unlimited policy is assigned to Clientless Group type Internet policy Access Refer to Access Time Policy for more details Specify Internet Access policy for Group Click Internet Access policy list to select Bandwidth Policy Refer Internet Access policy for details Specify Bandwidth Policy for Group Click Bandwidth Policy list to select Data Transfer policy Only if Group type is Normal Refer Bandwidth Policy for details Specify data transfer policy for Group Click Data Transfer policy list to select Refer Data Transfer Policy for details MAC Binding Enable MAC binding if required. By binding MAC, all the group users will be mapped with MAC addresses defined in User configuration and user will be able to login through pre-specified machines only. User Authentication Settings User Authentication Session time out Authentication Session timeout is the number of minutes that an authenticated connection can be idle before the user must authenticate again. Click to enable session timeout on group basis. By default, this option is disabled. Keep Alive Request for HTTP Client Login Restriction Select any one option The minimum timeout that can be configured is 3 minutes and maximum is 1440 minutes (24 hours) Keep-Alive requests are constantly exchanged between server and client to check the connectivity between them. More number of concurrent HTTP client users, more number of keep-alive requests. Hence, Cyberoam recommends to disable Keep-alive request if there are more number of concurrent HTTP client users. By default, this option is enabled. Apply login restriction if required for the users defined under the Group Available options 1) Allowed login from all nodes Allows Users defined under the Group to login from all the nodes 2) Allowed login from the selected nodes Allow Users defined under the Group to login from the selected nodes only. Specifies IP address from where User can login

34 34 Click Select Node, opens a new window and allows to select IP Address Refer to Select Node table for more details Refer to Apply Login Node restriction for more details Click to select Select Node button Only if Allowed Login from selected node option is selected for Login restriction Create button Cancel button Opens a new page and allows to select the node Click to select the Node Creates Group Cancels the current operation and returns to the Manage Group page Table - Create Group screen elements Note It is not necessary to add user at the time of the creation of Group. One can add users to the group even after the creation of group. Apply Login Node Restriction

35 Screen Apply Login Node Restriction Screen Elements Logon Pool name Select Logon Pool from which the Node/IP address is to be added Click Logon Pool name list to select User will be allowed to login from the selected nodes only. Click to select Node OK button Multiple nodes can also be selected Applies login restriction and closes the window Click to apply restriction Cancel button Cancels the current operation Table - Apply Login Node Restriction screen elements Import AD group (only if Active Directory authentication is implemented) If Active Directory authentication is implemented and Cyberoam is configured to communicate with AD server, Administrator can import user groups created in AD server. Once you have configured and added AD details, select User Authentication Settings and click Import Group (s) link against the AD server from which you want to import AD groups. 35

36 36 Screen Import Group Wizard Follow the on-screen steps: Step 1. Specify Base DN. Cyberoam will fetch AD groups from the specified Base DN. To import users from default AD Container:

37 37 To import users from custom AD Container: If multiple custom containers are created, repeat the entire process for each container. Step 2. Select Groups that are to be imported in Cyberoam. Use <Ctrl> + Click to select multiple groups. All the groups (both imported and not imported groups) created in AD are displayed. * besides the group name indicates that the group is already imported to Cyberoam. Use arrows to move groups across the group lists.

38 38 Step 3. Select various policies (Surfing Quota, Access time, Bandwidth, Internet Access and Data transfer) and user authentication time out to be applied on the group members. By default, Attach to all the Groups is enabled, hence Cyberoam will attach same policies to all the imported Groups i.e. common policies across the imported groups. Do not enable Attach to all the Groups for the policy if you want to specify: different policy for all the groups specific policy to all the groups specific policy to a specific group. For example if you want to specify different Internet Access policy to different groups, do not enable Attach to all the Groups Screen Define same policy to all the imported Groups

39 39 Screen Define different policies to different Groups Step 4. If you have disabled Attach to all the Groups, specify policies to be applied to each group Screen Define specific policy for a Group Step 5. View Results page displays successful message if groups are imported and policies are successfully attached else appropriate error message will be displayed. Once you close the Wizard, Manage Groups page will be opened. All the imported groups are appended at the end of the list.

40 40 Screen Groups imported and common policies attached successfully Screen Groups imported and specific policies attached to specific Group

41 41 All the imported groups are appended at the end of the list on the Manage Group page. If user is the member of multiple AD groups, Cyberoam will decide the user group based on the order of the groups defined in Cyberoam. Cyberoam searches Group ordered list from top to bottom to determine the user group membership. The first group that matches is considered as the group of the user and that group policies are applied to the user. Re-ordering of groups to change the membership preference is possible using Wizard.

42 42 Firewall A firewall protects the network from unauthorized access and typically guards the LAN and DMZ networks against malicious access; however, firewalls may also be configured to limit the access to harmful sites for LAN users. The responsibility of firewall is to grant access from Internet to DMZ or Service Network according to the Rules and Policies configured. It also keeps watch on state of connection and denies any traffic that is out of connection state. Firewall rules control traffic passing through the Cyberoam. Depending on the instruction in the rule, Cyberoam decides on how to process the access request. When Cyberoam receives the request, it checks for the source address, destination address and the services and tries to match with the firewall rule. If Identity match is also specified then firewall will search in the Live Users Connections for the Identity check. If Identity (User) found in the Live User Connections and all other matching criteria fulfills then action specified in the rule will be applied. Action can be allow or deny. You can also apply different protection settings to the traffic controlled by firewall: Enable load balancing between multiple links Configure antivirus protection and spam filtering for SMTP, IMAP, POP3, and HTTP traffic. To apply antivirus protection and spam filtering, you need to subscribe for Gateway Anti Virus and Gateway Anti Spam modules individually. Refer to Licensing section for details. Implement Intrusion detection and prevention. To apply IDP policy you need to subscribe for Intrusion Detection and Prevention module. Refer to Licensing section for details. Enable VPN traffic scanning Configure content filtering policies. To apply content filtering you need to subscribe for Web and Application Filter module. Refer to Licensing section for details. Apply bandwidth policy restriction By default, Cyberoam blocks any traffic to LAN. Default Firewall rules At the time of deployment, Cyberoam allows to define one of the following Internet Access policies using Network Configuration Wizard: Monitor only General Internet policy Strict Internet policy Depending on the IAP, Cyberoam creates two default firewall rules. Default firewall rules for Monitor only IAP 1. Masquerade and Allow entire LAN to WAN traffic for all the authenticated users after applying following policies: Internet Access policy User specific Bandwidth policy User specific Anti Virus & Anti Spam policy Allows SMTP, POP3, IMAP and HTTP traffic without scanning 2. Masquerade and Allow entire LAN to WAN traffic for all the users without scanning SMTP, POP3, IMAP and HTTP traffic