Secure Web Gateway Guardian3 Administrator s Guide

Transcription

1 Secure Web Gateway Guardian3 Administrator s Guide

2 Smoothwall Guardian3, Administrator s Guide, December 2013 Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Guardian3. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Smoothwall. For more information, contact: [email protected] Smoothwall Ltd. All rights reserved. Trademark notice Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd. Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Window 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation. All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries. Acknowledgements Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S. Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor. Guardian3 contains graphics taken from the Open Icon Library project openiconlibrary.sourceforge.net/ Address Web Telephone Fax Smoothwall Limited 1 John Charles Way Leeds. LS12 6QA United Kingdom [email protected] USA and Canada: United Kingdom: All other countries: USA and Canada: United Kingdom: All other countries:

3 Contents Chapter 1 Introducing Guardian Who should read this guide?... 1 Other Documentation and User Information... 1 Chapter 2 Installing Guardian Before Installing... 3 Installing Guardian Guardian... 4 Quick Links... 4 Web Filter Policies... 4 HTTPS Inspection Policies... 4 Content Modification Policies... 5 Anti-malware Policies... 5 Block Page Policies... 5 Policy Objects... 5 Web Proxy... 6 Web Proxy... 7 Upstream Proxy... 7 Authentication... 7 MobileProxy... 7 Chapter 3 Deploying Web Filtering... 9 Getting Up and Running... 9 Blocking and Allowing Content Immediately Blocking Locations Excepting Computers from Web Filtering About Shortcuts About Guardian3 s Default Policies About the Default Web Filter Policies About the Default Authentication Policies Chapter 4 Managing Web Security Overview of the Web Proxy Global Options Advanced Web Proxy s Using PAC Scripts Using a Built-in Script Using a Custom Script Managing the Configuration Script Limiting Bandwidth Use Ordering Bandwidth Limiting Policies Editing Bandwidth Limiting Policies Deleting Bandwidth Limiting Policies Configuring WCCP i

4 Contents Managing Upstream Proxies Overview Configuring an Upstream Proxy Configuring Source and Destination Filters Using a Single Upstream Proxy Working with Multiple Upstream Proxies Managing Blocklists Viewing Blocklist Information Manually Updating Blocklists Managing Block Pages Customizing a Block Page Using a Custom HTML Template Using an External Block Page Configuring a Block Page Policy Managing Block Page Policies Working on Block Pages Chapter 5 Working with Policies An Overview of Policies Types of Policies How Policies are Applied Guardian Getting Started Working with Category Group Objects Creating Category Group Objects Creating User-defined Categories Editing Category Group Objects Deleting Category Group Objects Working with Time Slot Objects Creating a Time Slot Editing a Time Slot Deleting a Time Slot Working with Location Objects Creating a Location Object Editing Location Objects Deleting Location Objects Working with Quota Objects About the Default Quota Object Creating Quota Objects Editing Quota Objects Deleting Quota Objects Managing Web Filter Policies Creating Web Filter Policies Editing Web Filter Policies Deleting Web Filter Policies Managing HTTPS Inspection Policies Enabling HTTPS Inspection Policies Creating an HTTPS Inspection Policy Editing HTTPS Inspection Policies Deleting HTTPS Inspection Policies Configuring HTTPS Inspection Policy s Clearing the Generated Certificate Cache ii

5 Smoothwall Guardian3 Administrator s Guide Managing Content Modification Policies Creating a Content Modification Policy Editing Content Modification Policies Deleting Content Modification Policies Managing Anti-malware Policies Creating an Anti-malware Policy Configuring Anti-malware Protection Configuring Anti-malware Status Information Editing Anti-malware Policies Deleting Anti-malware Policies Using the Policy Tester Other Ways of Accessing the Policy Tester Working with Policy Folders Creating a Policy Folder Editing Policy Folders Deleting Policy Folders Censoring Web Form Content Chapter 6 Managing Authentication Policies About Authentication Policies Creating Authentication Policies Creating Non-transparent Authentication Policies Creating Transparent Authentication Policies Managing Authentication Policies Editing Authentication Policies Deleting Policies Managing Authentication Exceptions Identification by Location Connecting to Guardian About Non-transparent Connections About Transparent Connections Authentication Scenarios New Content Filtering Changing the Listening Port Providing Filtered Web Access to the Public Requiring Authentication to Browse the Web Using Multiple Authentication Methods Controlling an Unruly Class Chapter 7 Guardian Alerts, Logs and Reports About Guardian Alerts Web Filter Logs Configuring Web Filter Logs Monitoring Log Activity in Realtime Searching for/filtering Information Exporting Data Guardian Reports Chapter 8 Working with MobileProxy About MobileProxy Enabling MobileProxy Generating Client Keys iii

6 Contents Specifying MobileProxy Servers Configuring Proxy Exceptions Managing MobileProxy Server Keys Index iv

7 Chapter 1 Introducing Guardian3 Guardian3 is an intelligent, web content filter which dynamically analyzes, understands and categorizes all web content requested by your users. Guardian3: Dynamically stops objectionable content Can help increase employee productivity Provides web security and malware protection Has comprehensive reporting functionality Provides user authentication. Who should read this guide? System administrators maintaining and deploying Guardian3 should read this guide. Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, see Other Documentation and User Information Your Smoothwall System comes with the following guides. Smoothwall Installation and Setup Guide contains complete information on installing and configuring your Smoothwall System initially. Smoothwall Administrator s Guide is a guide to working with your Smoothwall System. contains support, self-help and training information as well as product updates. 1

8 Introducing Guardian3 2

9 Chapter 2 Installing Guardian3 In this chapter: What to do before installing Guardian3 How to install Guardian3. Review of Guardian3 pages. Before Installing You install Guardian3 by adding it to your existing Smoothwall System. Before installing, you should check your system is up-to-date. To check for updates: 1 Start a web browser, browse to your Smoothwall System, authenticate yourself and navigate to System > Maintenance > Updates page. 2 Click Refresh updates list to check that you have all the latest updates installed on your Smoothwall System. 3 If there are any updates available, download and install them. See your Smoothwall System Administrator s Guide if you need more information. Installing Guardian3 After checking that you have the latest updates installed, you are ready to install Guardian3. To install Guardian3: 1 Navigate to the System > Maintenance > Modules page. 2 In the Available modules list, select Guardian3 and click Install. Your Smoothwall System installs Guardian3. 3 Navigate to the System > Maintenance > Shutdown page: 4 Select Immediately and click Reboot. 5 After your Smoothwall System has rebooted, re-authenticate yourself and log in again. You are now ready to start configuring and using Guardian3. 3

10 Installing Guardian3 Guardian Guardian The Guardian section contains the following sub-sections and pages: Quick Links Page Getting started This page provides an overview of what comprises a web filter policy, a link to the default policies and an introduction to policy wizards. For more information, see Chapter 5, Guardian Getting Started on page 43. Shortcuts This page provides direct links to tasks you might do on a daily basis, such as blocking and allowing sites and running reports. For more information, see Chapter 3, About Shortcuts on page 14. Quick block/ allow Policy tester This page enables you to block or allow content immediately. For more information, see Chapter 3, Blocking and Allowing Content Immediately on page 10. The policy tester enables you to test whether a URL is available to a specific person at a specific location and time. For more information, see Chapter 5, Using the Policy Tester on page 68. Web Filter Policies Pages Manage policies Policy wizard Location blocking Exceptions Outgoing This is where you manage how web filtering policies are applied. For more information, see Chapter 5, Managing Web Filter Policies on page 52. This is where you can configure a custom web filtering policy. For more information, see Chapter 5, Creating Web Filter Policies on page 53. Enables you to block computers at a specific location from accessing web content. For more information, see Chapter 3, Blocking Locations on page 11. Here you can exempt computers from any web filtering. For more information, see Chapter 3, Excepting Computers from Web Filtering on page 11 This is where you configure outgoing settings for a censor policy for content and/or files posted using web forms. For more information, see Chapter 5, Censoring Web Form Content on page 71. HTTPS Inspection Policies Pages Manage policies Policy wizard s This is where you manage HTTPS inspection policies that decrypt and inspect encrypted communications. For more information, see Chapter 5, Managing HTTPS Inspection Policies on page 56. This is where you create custom policies for managing encrypted communications. For more information, see Chapter 5, Creating an HTTPS Inspection Policy on page 57. This is where you manage CA security certificates and configure HTTPS interception messages. For more information, see Chapter 5, Configuring HTTPS Inspection Policy s on page 59. 4

11 Smoothwall Guardian3 Administrator s Guide Content Modification Policies Pages Manage policies Policy wizard This is where you manage content modification policies that apply recommended security rules and enforce SafeSearch in browsers. For more information, see Chapter 5, Managing Content Modification Policies on page 61. Enables you to create custom policies for applying security rules and enforcing SafeSearch in browsers. For more information, see Chapter 5, Creating a Content Modification Policy on page 62. Anti-malware Policies Pages Manage policies Policy wizard Status page s This is where you manage policies that protect against malware. For more information, see Chapter 5, Managing Anti-malware Policies on page 64. This is where you can create custom policies to protect against malware. For more information, see Chapter 5, Creating an Anti-malware Policy on page 64. Enables you to customize anti-malware information shown when downloading files. For more information, see Chapter 5, Configuring Anti-malware Status Information on page 67. This is where you enable malware protection. For more information, see Chapter 5, Creating an Anti-malware Policy on page 64. Block Page Policies Pages Manage policies Policy wizard Block pages This is where you manage block page policies. For more information, see Chapter 4, Managing Block Page Policies on page 39. This is where you create and edit block page policies. For more information, see Chapter 4, Configuring a Block Page Policy on page 38. This is where you create and edit block pages. For more information, see Chapter 4, Managing Block Pages on page 34. Policy Objects Pages Category groups User defined Time slots Locations This is where you manage content categories used when applying a web filtering policy. For more information, see Chapter 5, Working with Category Group Objects on page 43. This is where you manage custom content categories. For more information, see Chapter 5, Creating User-defined Categories on page 45. This is where you create and manage time slot policy objects for use in content filtering policies. For more information, see Chapter 5, Working with Time Slot Objects on page 48. This is where you create and manage location policy objects for use in content filtering policies. For more information, see Chapter 5, Working with Location Objects on page 49. 5

12 Installing Guardian3 Web Proxy Pages Quotas This is where you create and manage quota policy objects for use in content filtering policies. For more information, see Chapter 5, Working with Quota Objects on page 50. Web Proxy The Web proxy section contains the following sub-sections and pages: 6

13 Smoothwall Guardian3 Administrator s Guide Web Proxy Pages s Automatic configuration Bandwidth limiting WCCP This is where you configure and manage web proxy settings. For more information, see Chapter 4, Overview of the Web Proxy on page 17. This is where you create and make available proxy auto-configuration (PAC) scripts. For more information, see Chapter 4, Using PAC Scripts on page 21. This is where you can manage how much bandwidth is made available to clients. For more information, see Chapter 4, Limiting Bandwidth Use on page 24. This is where you can configure Guardian3 to join a Web Cache Coordination Protocol (WCCP) cache engine cluster. For more information, see Chapter 4, Configuring WCCP on page 26. Upstream Proxy Pages Manage policies Proxies Filters This is where you manage upstream proxy policies. For more information, see Chapter 4, Working with Multiple Upstream Proxies on page 32. This is where you configure upstream proxy settings. For more information, see Chapter 4, Configuring an Upstream Proxy on page 28. This is where you manage upstream proxy source and destination filters. For more information, see Chapter 4, Configuring Source and Destination Filters on page 29. Authentication Pages Manage polices Policy wizard Exceptions Ident by location This is where you manage authentication policies which determine which web filter policies are applied. For more information, see Chapter 6, Managing Authentication Policies on page 84. This is where you create and edit authentication policies. For more information, see Chapter 6, Creating Authentication Policies on page 75. This is where you can exempt content from authentication. For more information, see Chapter 6, Managing Authentication Exceptions on page 85. This is where you configure identification of groups and/or users by their location. For more information, see Chapter 6, Identification by Location on page 85. MobileProxy Pages s On this page, you configure global MobileProxy server settings. For more information, see Chapter 8, Enabling MobileProxy on page 98. 7

14 Installing Guardian3 Web Proxy Pages Proxies Exceptions On this page, you manage MobileProxyservers for use with mobile devices. For more information, see Chapter 8, Specifying MobileProxy Servers on page 98. On this page, you specify proxy exceptions. For more information, see Chapter 8, Configuring Proxy Exceptions on page

15 Chapter 3 Deploying Web Filtering In this chapter: How to get content filtering up and running quickly How to block or allow content immediately Shortcuts to daily tasks About Guardian3 s default web filter policies About Guardian3 s default authentication policies. Getting Up and Running By default, Guardian3 comes with a comprehensive set of web filter policies and an authentication policy which you can use immediately in order to protect your users and your organization. The following section explains how to use these policies to get web filtering up and running quickly. Tip: Log in to our support portal and read about initial setup considerations, testing and refining filter settings and tips on content filtering. To get up and running: 1 On users computers, configure the web browser to use port 800 on Guardian3 as the web proxy, i.e. non-transparent proxying. 2 Navigate to the Web proxy > Web proxy > s page. 3 Check that the Guardian option is enabled. 4 Scroll to the bottom of the page and click Save and Restart. Guardian3 starts to provide web security. 5 On a user s computer, browse to Guardian3 blocks access to the site and displays a block page 9

16 Deploying Web Filtering Getting Up and Running You can edit the default policies and create new policies to suit you organization. For more information, see Chapter 5, Working with Policies on page 41. Blocking and Allowing Content Immediately Guardian3 enables you to block or allow content immediately without having to create or edit a web filter policy. To block or allow content immediately: 1 Browse to the Guardian > Quick links > Quick block/allow page. 2 Enter the URL to the content you want to block or allow. 3 Click Block or Allow depending on what you want. Guardian3 immediately blocks or allows the content and adds the URL to the appropriate custom blocked or allowed content lists. 10

17 Smoothwall Guardian3 Administrator s Guide Blocking Locations Guardian3 enables you to block web-enabled resources at a specific location from accessing content. To block a location: 1 Browse to the Guardian > Web filter > Location blocking page. 2 Locate the location and click Block. Guardian3 blocks any web-enabled resources at that location from accessing web content. For more information on locations, see Chapter 5, Working with Location Objects on page 49. Excepting Computers from Web Filtering Guardian3 enables you to except specific computers from any web filtering. You can configure exceptions based on the source IP address or the destination IP address. Configuring Source Exceptions A source exception IP using a non-transparent connection will have unfiltered access to the Internet if configured to use port 801. A source exception IP going through an interface where transparent proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to Guardian3. A source exception IP using a transparent connection requires no client browser configuration. 11

18 Deploying Web Filtering Getting Up and Running To configure a source exception: 1 Browse to the Guardian > Web filter > Exceptions page. 2 In the Manage source exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. Guardian3 exempts the computer(s) from any web filtering. 12

19 Smoothwall Guardian3 Administrator s Guide Configuring Destination Exceptions A destination exception IP which goes through an interface where transparent proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to Guardian3. To configure a destination exception: 1 Browse to the Guardian > Web filter > Exceptions page. 2 In the Manage destination exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. Guardian3 exempts the computer(s) from any web filtering. 13

20 Deploying Web Filtering About Guardian3 s Default Policies About Shortcuts Guardian3 provides a number of shortcuts to tasks you might carry out on a daily basis. To access the shortcuts: 1 Browse to the Guardian > Quick links > Shortcuts page. 2 Click on a link to be taken to the task s page. About Guardian3 s Default Policies The following sections discuss Guardian3 s default web filtering and authentication policies. About the Default Web Filter Policies Guardian3 s default web filtering default policies are: Web filter policies these policies allow users access to custom specified content, access to specific web sites at lunch time and Microsoft Windows updates. They also block core and custom specified undesirable content and adverts and enforce file security. To review this policy, browse to the Guardian > Web filter > Manage policies page. For information on customizing web filter policies, see Chapter 5, Managing Web Filter Policies on page 52. HTTPS inspection policies these policies can be enabled to allow users to access online banking sites securely while inspecting encrypted traffic and checking security certificates. To review these policies, browse to the Guardian > HTTPS inspection > Manage policies page. For information on customizing HTTPS inspection policies, see Chapter 5, Managing HTTPS Inspection Policies on page 56. Content modification policies these policies apply recommended security rules and force search engines to use SafeSearch functionality. To review these policies, browse to the Guardian > Content modification policies > Policy page. For information on customizing content modification policies, see Chapter 5, Managing Content Modification Policies on page 61. Anti-malware policy this policy protects against malware and viruses. To review this policy, browse to the Guardian > Anti-malware > Manage policies page. For information on customizing anti-malware policies, seechapter 5, Managing Anti-malware Policies on page

21 Smoothwall Guardian3 Administrator s Guide About the Default Authentication Policies Guardian3 comes with the following authentication policy ready for use: Non-transparent authentication policy any user s browser configured to use Guardian3 on port 800 as its web proxy will have this authentication policy applied to it. For information on creating more authentication policies, see Chapter 6, About Authentication Policies on page

22 Deploying Web Filtering About Guardian3 s Default Policies 16

23 Chapter 4 Managing Web Security In this chapter: Overview of web proxy settings Using PAC scripts Limiting bandwidth and configuring WCCP Managing upstream proxies Managing blocklists Configuring block pages. Overview of the Web Proxy The following sections provide an overview of Guardian3 s web proxy settings. To access Guardian3 s web proxy settings: 1 Navigate to the Web proxy > Web proxy > s page. Global Options The following table lists Guardian3 s global web proxy setting: Guardian Select Enable to enable content filtering and Guardian3 s web proxy. 1 Click Advanced to access advanced web proxy settings which are documented in the following sections. 17

24 Managing Web Security Overview of the Web Proxy Advanced Web Proxy s The following advanced web proxy settings are available. Web Filter Options The following optional advanced web filter settings are available: s HTTP strict mode File upload policy Resume interrupted NTLM connections Resolve single component hostnames Allow access to web servers on these additional ports Logging Options By default, this option is enabled. However, for certain client applications going through Guardian3 you may need to disable this so as to handle problems, for example, with headers that the applications send. The following options are available: Allow unlimited uploads All file uploads are allowed. Block all uploads All file uploads are blocked. Restrict upload size to Files below the size specified are allowed. By default Guardian3 resumes interrupted NTLM connections caused by non-standard web browser behavior. Enable This is the default setting. Select this setting to configure Guardian3 to resume interrupted NTLM connections. Disable Select this setting to disable resumption of interrupted NTLM connections when restrictive Active Directory account lockout policies are in operation. By default, Guardian3 makes no attempt to interpret single component hostnames which are not fully qualified. Enable Select this setting to enable Guardian3 to attempt to interpret single component hostnames which are not fully qualified if single component hostnames are being used. Disable Select this setting to stop Guardian3 from trying to interpret single component hostnames which are not fully qualified. By default, Guardian3 only allows requests to servers running on a certain subset of privileged ports, i.e. ports below 1024, such as HTTP (80), HTTPS (443) and FTP (21). If you require access to servers running on non-standard ports, enter them here. The following advanced logging settings are available: Proxy logging Organization name We recommend that you disable this option when Filter logging mode is enabled. This is because Guardian3 proxy logs are effectively duplicated subsets of Guardian3 web filter logs. Disabling proxy logging can lead to improved performance by reducing system storage and processing requirements. Enter a name which can be used to identify Guardian3 in your organization. Organization names are also referenced in certain web reports. 18

25 Smoothwall Guardian3 Administrator s Guide Filter logging From the drop-down list, select one of the following logging modes: mode Normal Select this option to generate proxy logs with all recorded data. Anonymized Select this option to generate proxy logs with anonymous username and IP address information. Disabled Select this option to disable content filter logging. Client hostnames Select one of the following options: Log Select this option to record hostnames of computers using Guardian3. When enabled, filter logs and reports incorporating hostname information can be generated. It is important that DNS servers exist on the local network and are correctly configured with the reverse DNS of all machines if this option is enabled, otherwise performance will suffer. Do not log Select this option to disable the logging of hostnames of computers using Guardian3. Client useragents Log Select to record the types of browsers used by users. Select one of the following options: Do not log Select to disable the logging of the types of browsers used by users. Explicitly allowed Select one of the following options: sites Log Select this option to log information on explicitly allowed sites. Do not log Select to disable the logging of information on explicitly allowed sites. Advert blocks Select one of the following options: Log Select this option to log information on advert blocking. Do not log Select to disable the logging of information on advert blocking. Cache Options The following advanced, optional cache settings are available: Global cache size The size entered here determines the amount of disk space allocated to Guardian3 for caching web content. Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached. The specified size must not exceed the amount of free disk space available. The cache size should be configured to an approximate size of around 40% of the system s total storage capacity, up to a maximum of around 2 gigabytes. Larger cache sizes can be specified, but may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages. 19

26 Managing Web Security Overview of the Web Proxy Max and min object size that can be stored in the cache Max object size that can pass in and out of proxy Do not cache these domains The values entered here determine the maximum and minimum sizes of objects stored the cache. Max object size Enter the largest object size that will be stored in Guardian3 s cache. Any object larger than the specified size will not be cached. This prevents large downloads filling the cache. The default of bytes (30 MB) should be adjusted to suit the needs of your end-users. Min object size Enter the smallest object size that will be stored in Guardian3 s cache. Any object smaller than the specified size will not be cached. This can be useful for preventing large numbers of tiny objects filling the cache. The default is no minimum this should be suitable for most purposes. The values entered here determine the maximum sizes of objects which can pass through the web proxy. Max outgoing size Enter the maximum amount of outbound data that can be sent by a browser in any one request. This can be used to prevent large uploads or form submissions. The default no limit. Max incoming size Enter the maximum amount of inbound data that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. This can be used to prevent excessive and disruptive download activity. The default is no limit. Used to specify domains that should be excluded from the web cache. This can be used to ensure that old content of frequently updated web sites is not cached. Enter domain names without the www prefix, one entry per line. To apply the option to any subdomains, enter a leading period, for example:.example.com 20

27 Smoothwall Guardian3 Administrator s Guide Internet Cache Protocol The following advanced, optional Internet Cache Protocol (ICP) settings are available: ICP server ICP server IP addresses Load Balancing Select one of the following options: Enable Select to allow ICP compatible proxies to query Guardian3's cache. ICP is a technique employed by proxies to determine if an unfulfilled local cache request can be fulfilled by another proxy s cache. ICP-enabled proxies work together as cache peers to improve cache performance across a LAN. ICP is recommended for LANs with multiple Guardian3 proxy servers; non- Smoothwall proxies must use port 801 for HTTP traffic. Disable Select to disable Guardian3 as an ICP server. Use this area to enter the IP addresses of other ICP-enabled proxies on the LAN that Guardian3 should query. Use in conjunction with the ICP server option enabled to allow two-way cache sharing. The following load balancing option is available: Direct Return Server Virtual IP Enables you to use a load balancing device which uses a virtual IP with Guardian3. Enter the IP address on which Guardian3 can accept load balanced connections. Assuming a load balancer has been setup, Guardian3 will form part of its cluster. Note: This IP address must not respond to ARP queries, as ARP-ing behavior is what sets this type of Virtual IP apart from a simple alias. Using PAC Scripts Guardian3 enables you to create and make available proxy auto-config (PAC) scripts which determine which IP addresses and domains to access via Guardian3 and which to access directly. Guardian3 supports built-in PAC scripts and custom PAC script templates. 21

28 Managing Web Security Using PAC Scripts Using a Built-in Script A built-in script is an auto configuration script which you can customize with additional settings such as exceptions. To use a built-in script: 1 Browse to the Web proxy > Web proxy > Automatic configuration page. 2 Select Built-in and configure the following settings: Bypass proxy server for local addresses Select this option to not use Guardian3 when connecting to local addresses. When selected, this option makes users browsers bypass the Guardian3 proxy if the address is a hostname only, for example: myhostname. Browsers will not bypass the Guardian3 proxy if the address is a fully qualified domain name (FQDN) for example: myhostname.example.local. 22

29 Smoothwall Guardian3 Administrator s Guide Refer to the proxy by domain name Exception domains and IP addresses Exception regular expression domains Select this option so that the Guardian3 proxy uses its domain name instead of IP addresses in the configuration file. Note: Before enabling this option, ensure that you have a valid DNS configuration which resolves correctly for this hostname. This option must be enabled when using Kerberos authentication to use proxy automatic configuration. In this text box, enter an IP address, IP address range, network address or hostname that users may access directly. For example: /24 hostname.local Optionally, click Advanced to access the Exception regular expression domains area. In the text box, enter one regular expression domain per line that users may access directly. For example: ^(.*\.)?youtube\.com$ ^(.*\.)?ytimg\.com$ would disable usage of Guardian3 for youtube.com, ytimg.com and subdomains such as but not, for example, fakeyoutube.com. 3 Click Save. Guardian3 creates the script and makes it available at: Your_System_IP_address/proxy.pac Using a Custom Script A custom script provides advanced functionality by enabling you to use a script customized to suit your organization. Tip: You can use the built-in template as starting point for creating a custom script. On the Web proxy > Web proxy > Automatic configuration page, click Download and save the default script to a suitable location. Edit the file to suit your requirements and save it using a different name. See below for how to upload it. To use a custom script: 1 After configuring the custom script, browse to the Web proxy > Web proxy > Automatic configuration page. 2 Select Custom script template and click Browse. Locate and select the script and click Upload. Guardian3 uploads the script and makes it available at: proxy.pac 23

30 Managing Web Security Limiting Bandwidth Use Managing the Configuration Script You define the policy for each interface, by configuring which proxy address the configuration script should direct clients to. To manage the configuration script: 1 Browse to the Web proxy > Web proxy > Automatic configuration page. 2 In the Manage configuration script area, from the Interface drop-down list, select the address the configuration script should direct clients to. 3 Click Save. Limiting Bandwidth Use By default, Guardian3 does not limit bandwidth use. However, it is possible to configure bandwidth limiting policies which can, for example, stop a user or group of users from overloading your Internet connection. To create a bandwidth limiting policy: 1 Navigate to the Web proxy > Web proxy > Bandwidth limiting page. 2 Click Create a new policy. The policy wizard is displayed. Complete the following steps: Step Step 1: Who Step 2: What From the Available users or groups list, select the user(s) and/or group(s) to whom the policy will apply. For information on users and groups, see Chapter 14, Authentication and User Management on page 157. Tip: Enter a name or part of a name and Guardian3 will search for names of users and groups that match. Click Add and, when you have added all the users and/or groups, click Next to continue. From the Available categories or category groups list, select what is to be filtered. For information on categories, see Chapter 5, Working with Category Group Objects on page 43. Tip: Enter the name or part of the name and Guardian3 will search for content that matches. Click Add and, when you have selected all the content, click Next to continue. 24

31 Smoothwall Guardian3 Administrator s Guide Step Step 3: Where Step 4: When Step 5: Action From the Available locations list, select where the policy will apply. For more information on locations, see Chapter 5, Working with Location Objects on page 49. Tip: Enter the name or part of the name and Guardian3 will search for locations that match. Click Add and, when you have added the location(s), click Next to continue. From the Available time slots list, select when the policy will apply. For more information on time slots, see Chapter 5, Working with Time Slot Objects on page 48. Tip: Enter the name or part of the name and Guardian3 will search for time slots that match. Click Add and, when you have added the time slot(s), click Next to continue. Limit bandwidth to Enter the number of kilobytes per second to which bandwidth is limited when this policy is applied. Shared between clients Select this option to share the bandwidth specified between all clients on the network. If this option is not selected then the limit specified applies to each client, determined by IP, not by user or group. Note: A user or group may be able to draw on bandwidth from several policies. Note: Each step must be completed in order to create the policy. If you skip a step, Guardian3 creates a policy folder in which you can store policies. For more information on policy folders, see Chapter 5, Working with Policy Folders on page Select Enable policy to enable the policy and then click Confirm. Guardian3 displays the settings you have selected. 4 Review the settings and click Save to create the policy. Guardian3 creates the policy and makes it available on the Web proxy > Web proxy > Bandwidth limiting page. Ordering Bandwidth Limiting Policies It is possible to order bandwidth limiting policies. Ordering policies enables you, for example, to apply one policy to a user and another policy to the group the user belongs to. To order bandwidth limiting policies: 1 Browse to the Web proxy > Web proxy > Bandwidth limiting page. 2 Drag and drop the policy you want applied first to the top of the list and click Save. Guardian3 applies the order specified when applying the policies. Editing Bandwidth Limiting Policies You can edit an existing bandwidth limiting policy to suit your organization s requirements. To edit a bandwidth limiting policy: 1 Browse to the Web proxy > Web proxy > Bandwidth limiting page and locate the policy you want to edit. 2 Click the Edit policy button. Guardian3 displays the policy settings. 3 Make the changes necessary, see Limiting Bandwidth Use on page 24 for more information on working with policies. 25

32 Managing Web Security Configuring WCCP 4 Click Confirm. Guardian3 displays the settings you have selected. Review them and click Save to save the changes to the policy. Guardian3 updates the policy and makes it available on the Web proxy > Web proxy > Bandwidth limiting page. Deleting Bandwidth Limiting Policies You can delete a bandwidth limiting policy you no longer require. To delete a bandwidth limiting policy: 1 Browse to the Web proxy > Web proxy > Bandwidth limiting page and locate the policy you want to delete. 2 Click the Delete policy button. Guardian3 prompts you to confirm that you want to delete the policy. Click Delete. Guardian3 deletes the policy. Configuring WCCP Guardian3 can be added to a Web Cache Communication Protocol (WCCP) cache engine cluster. When enabled, Guardian3 broadcasts its availability to a nominated WCCP-compatible router. The WCCP-compatible router can forward web traffic and perform load balancing across all the WCCP capable proxies it is aware of. Both HTTP and HTTPS traffic can be transparently proxied via WCCP Note: WCCP-compatible routers forward web traffic in a transparent mode over a GRE tunnel, therefore you must configure a transparent authentication policy for the interface which will receive redirected traffic. For information on transparent authentication policies, see Chapter 6, Creating Transparent Authentication Policies on page 80. For more information on configuring WCCP on your router, see ios/11_2/feature/guide/wccp.html To configure WCCP: 1 Browse to the Web proxy > Web proxy > WCCP page. 26

33 Smoothwall Guardian3 Administrator s Guide 2 Select the option you require and configure its settings: Option No WCCP WCCP version 1 WCCP version 2 Select to disable WCCP. Select this option to enable WCCP version 1. Version 1 does not require authentication for caches to join the cluster, and only supports a single coordinating router. WCCP router IP Enter the WCCP router s IP address. Select this option to enable WCCP version 2. Version 2 can be more secure than version 1, as it supports authentication for caches to join the cluster, providing a level of protection against rogue proxies on the LAN. In addition, it supports multiple coordinating routers. Note: Currently, WCCP version 2 in Guardian3 only supports routers configured to use the hash assignment method and GRE for both the forwarding and return methods. Password Enter the password required to join the WCCP cluster. WCCP passwords can be a maximum of 8 characters. Cache weight Enter a cache weight to provide a hint as to the proportion of traffic which will be forwarded to this particular cache. Caches with high weights relative to other caches in the cluster will receive more redirected requests. Device IP addresses Enter the IP addresses of one or more WCCP version 2 routers. 3 Click Save. Guardian3 saves the settings. 4 On the Web proxy > Authentication > Manage policies page, create a transparent authentication policy using the authentication method you require and select WCCP as the interface. For more information, see Chapter 6, Creating Transparent Authentication Policies on page 80. Guardian3 completes the WCCP configuration. Managing Upstream Proxies Guardian3 enables you to configure and deploy policies which manage access to upstream proxies. The policies can: Allow or deny access to upstream proxies based on network location Direct web requests to a specific upstream proxy depending on the type of request Provide load balancing and failover. The following sections explain how to configure and deploy upstream proxy policies. Overview Managing upstream proxies entails: Configuring upstream proxy settings, for more information see Configuring an Upstream Proxy on page 28 Creating source and destination filters, for more information see Configuring Source and Destination Filters on page 29 Configuring a single upstream proxy for all web requests, see Using a Single Upstream Proxy on page 31, or deploying upstream proxy policies to combine multiple upstream proxies and use load balancing and failover, for more information, see Working with Multiple Upstream Proxies on 27

34 Managing Web Security Managing Upstream Proxies page 32. Configuring an Upstream Proxy The following section explains how to configure an upstream proxy. To configure an upstream proxy: 1 Browse to the Web proxy > Upstream proxy > Proxies page. 2 Configure the following settings: Name IP/ Hostname Port Comment Enter a name for the upstream proxy. Only the following characters and numbers are allowed in a proxy name:., abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ The name Default is invalid as it is reserved as the name of the default proxy. Enter the IP address or the hostname of the upstream proxy. Enter the port number to use on the upstream proxy. Optionally, enter a comment or description. 28

35 Smoothwall Guardian3 Administrator s Guide 3 Click Advanced to access the following, optional settings: Credential forwarding Username Password Load balance ratio Select one of the following credential forwarding options: Disabled Select this option to use the static username and password entered below when logging in to the upstream proxy. Username only Forward the username of the client making the request with the password entered below when logging in to the upstream proxy. This allows the upstream proxy to identify individual users without revealing their passwords. Note: This requires proxy authentication, NTLM authentication or NTLM identification to be enabled, otherwise usernames cannot be determined by Guardian3. Username and password Forward the username and password of the client making the request when logging in to the upstream proxy. This could be used if both Guardian3 and the upstream proxy are authenticating against the same directory server, but should be used with caution as it reveals client credentials. Note: This option requires proxy authentication to be used, not NTLM. Otherwise, plaintext usernames and passwords cannot be determined by Guardian3. Note: Guardian3 can only log in to upstream proxies which require basic proxy authentication, not NTLM or any other authentication scheme. Enter a static username for use when credential forwarding is disabled. Enter a static password for use when credential forwarding is disabled, or when forwarding usernames only. Enter a load balance ratio value. Values are relative. For example, if one upstream proxy has the value: 2 and another upstream proxy has the value: 1 and both use the round robin load balancing method, then the proxy with value: 2 will receive twice as many web requests as the proxy with value:1. For more information, see Configuring Multiple Upstream Proxy Policies on page Click Save. Guardian3 adds the upstream proxy to the list of current upstream proxies. 5 Repeat the steps above to add other upstream proxies. Configuring Source and Destination Filters Guardian3 enables you to create source and destination filters which are used when applying upstream proxy policies. Configuring a Destination Filter Guardian3 uses destination filters to determine which upstream proxy policy to apply based on the destination domain(s), IP(s) or destination URL regular expressions. 29

36 Managing Web Security Managing Upstream Proxies To create a destination filter: 1 Browse to the Web proxy > Upstream proxy > Filters page. 2 Configure the following settings: Type Name Comment IPs/Hostnames Select Destination. Enter a name for the destination filter. Optionally, enter a description or comment. Enter a destination IP address or hostname. 3 Optionally, click Advanced and configure the following setting: Destination regular expression URLs Optionally, click Advanced. Enter one regular expression URL, including the protocol, per line. Note: The full URL is not available for HTTPS requests. 4 Click Save. Guardian3 adds the filter and lists it in the Upstream proxy filters. 5 Repeat the steps above to add more destination filters. Configuring a Source Filter Guardian3 uses source filters to determine which upstream proxy policy to apply based on the source IP(s), subnet(s) or IP range(s) of the client machine(s). To create a source filter: 1 Browse to the Web proxy > Upstream proxy > Filters page. 2 Configure the following settings: Type Select Source. 30

37 Smoothwall Guardian3 Administrator s Guide Name Comment IPs/Hostnames Enter a name for the filter. Optionally, enter a description or comment. Enter a source IP address, IP address range, network address or hostname. For example: /24 hostname.local Note: Hostnames require reverse DNS look-ups to be performed. 3 Click Save. Guardian3 adds the filter and lists it in the Upstream proxy filters area. 4 Repeat the steps above to add more source filters. Using a Single Upstream Proxy After configuring upstream proxy settings, see Configuring an Upstream Proxy on page 28, you can use a single upstream proxy for all web requests. To use a single upstream proxy: 1 Browse to the Web proxy > Upstream proxy > Manage policies page. 2 In the Global options area, configure the following settings: Default upstream proxy Allow direct connections Leak client IP with X- forwarded-for header This setting determines the default proxy which is used when upstream proxies are not available, not configured or not allowed by policies. From the drop-down list, select an upstream proxy. Select this option to allow direct connections to origin servers. If allowed, direct connections will be made as a final fall-back if the default proxy is unavailable or not configured. For more information, see Enforcing Upstream Proxy Usage on page 33. Select this option to send the originating IP addresses of client requests upstream. 31

38 Managing Web Security Managing Upstream Proxies 3 Click Save. Guardian3 starts using the single upstream proxy. Working with Multiple Upstream Proxies The following sections discuss general upstream proxy behavior, how to load balance using multiple upstream proxy policies and how to enforce upstream proxy usage. About Upstream Proxy Behavior There are three potential destinations for a web request forwarded to an upstream proxy. These are as follows, in order of precedence: 1 A pool of one or more proxies which are allowed by the upstream proxy policies, to service the request. 2 The default proxy, if configured. 3 Direct forwarding of requests to their origin servers, if allowed. An origin server is defined as the target destination of web request, i.e. the server from which a requested resource originates. Upstream proxy policies are additive. Guardian3 checks requests against all the policies, in order. Any proxy which is allowed to service a particular request is added to the proxy pool in step 1. If the final pool for a request contains two or more proxies, load-balancing and fail-over rules decide which one will be sent the request. Note: The rules above only apply to requests serviced by Guardian3. If a client behind Guardian3 is able to obtain direct, unfiltered web access, the client s requests will be treated no differently from other Internet traffic. Configuring Multiple Upstream Proxy Policies By configuring multiple upstream proxy policies, you can balance the web request load across two or more upstream proxies. To load balance using upstream proxy policies: 1 On the Web proxy > Upstream proxy > Proxies page, configure the upstream proxies you will be using. See Configuring an Upstream Proxy on page 28 and Configuring Source and Destination Filters on page 29 for more information. 2 Browse to the Web proxy > Upstream proxy > Manage policies page and click Advanced. 32

39 Smoothwall Guardian3 Administrator s Guide 3 Configure the following settings: Load balancing method Upstream proxy Source filter Destination filter Action Comment Enabled From the drop-down list, select the load balancing method you require. The following methods are available: Source IP Based on the client s IP address, Guardian3 selects one proxy from the set of allowed proxies and uses it as long as that proxy is available. For example: three requests for example.com from one machine might all go via proxy A; three requests from the machine next to it might all go via proxy B. Username Based on the client s username, Guardian3 selects one proxy from the set of allowed proxies and uses it as long as that proxy is available. For example: three requests for example.com while logged in as Alice might all go via proxy A; three requests while logged in as Bob might go via proxy B, even if Bob has the same IP as Alice. Round-robin Guardian3 cycles through the proxies one by one. Three requests for example.com, with three proxies allowed to serve the request, would send one request via each. Note: This method requires Guardian3 to be configured for username and password based authentication. See Chapter 6, About Authentication Policies on page 75 for more information. From the drop-down list, select the proxy for which you are configuring the policy. From the drop-down list, select Everything. From the drop-down list, select Everything. Select Allow. Optionally, enter a comment describing the proxy. Select to enable the policy. 4 Click Save. Guardian3 creates the policy and lists it in the Upstream proxy policies table. 5 Configure policies for other upstream proxies by repeating steps 2 and 3 above. Once you have configured policies for the upstream proxies you require, Guardian3 will check any web requests against the policy table and each of the proxies will be allowed to service the request, so load balancing and failover rules will be used to pick the most suitable proxy. Guardian3 monitors availability of upstream proxies automatically and avoid forwarding requests to unavailable proxies. If none of the proxies permitted to service a request are available, Guardian3 will use the default proxy. If the default proxy is not available, or if no default proxy is configured, the request will be forwarded directly to its origin server. Enforcing Upstream Proxy Usage If you want to prevent web requests from being forwarded directly to their origin servers when other permissible upstream proxies are unavailable, disable the Allow direct connections option. Note: As the Allow direct connections option eliminates the last option for forwarding requests in failure scenarios, only use it to implement strict requirements that all traffic go through an upstream proxy. For finer-grained control of direct connection behavior, you can configure policies using the dummy upstream proxy option None. For example, to prevent only YouTube traffic from being sent directly, enable the Allow direct connections option, then create a policy with upstream proxy None, action Block, and a destination filter corresponding to the youtube.com domain. 33

40 Managing Web Security Managing Blocklists Conversely, to allow direct access only for requests to certain sites, disable Allow direct connections and create None, Allow policies matching those requests for which direct access is permissible. This may be useful for bandwidth conservation, if direct access is routed over a slower link than access to the upstream proxies. Managing Blocklists A blocklist is a group of pre-configured settings which is updated on a regular basis by Guardian3. A blocklist maintains Guardian3 s list of undesirable, inappropriate or objectionable content. Guardian3 automatically checks for and installs blocklist updates. You can also check for and install blocklist updates manually. Viewing Blocklist Information To view blocklist information: 1 Navigate to the System > Maintenance > Licenses page. Note: The information displayed depends on the product you are using. Blocklist subscription status is displayed. By default, Guardian3 checks for updated blocklists hourly. When a new blocklist becomes available, Guardian3 automatically downloads and installs it. Note: As Guardian3 complies with Internet Watch Foundation (IWF) guidelines, this mode of working is mandatory. Visit for more information. Manually Updating Blocklists To manually update blocklists: 1 Navigate to the System > Maintenance > Licenses page. 2 Click Update. The latest blocklists are installed and displayed in the Blocklists subscription area. Note: In order to download blocklists, you must have a valid blocklist subscription. To obtain a blocklist subscription, please contact your Guardian3 reseller or Guardian3 directly. Managing Block Pages When an end-user s web request is blocked, Guardian3 displays its default block page which tells the user that they have been blocked from accessing the web content they requested. It also shows other information such as which group the user is in, what the blocked content is categorized as and the computer s IP address. Which block page Guardian3 displays is determined by the block page policies in use. The following sections explain about the different block pages you can use, how to create a block page policy and how to manage block page policies. You can configure Guardian3 to display the following different types of block pages: A block page which you have customized, for more information, see Customizing a Block Page on page 35 Guardian3A block page located at a specified URL, see Using an External Block Page on page

41 Smoothwall Guardian3 Administrator s Guide Customizing a Block Page You can customize the default block page in many ways, including supplying a new message about why a block occurred and using different graphics. To customize a block page: 1 Navigate to the Guardian > Block page > Block pages page. 2 Configure the following settings: Name Comment Enter a name for the block page. Enter a comment describing the block page. 3 Select the Manually create contents for block page option and configure the following settings: Block message Quota message Quota button label This is the default message shown when a user is blocked from accessing content because of the web filter policy that applies to them. You can use this text or enter a custom message explaining to the user what has happened. This is the default message shown when a user tries to access content which is time limited because of the web filter policy that applies to them. You can use this text or enter a custom message. For more information on quotas, see Chapter 5, Working with Quota Objects on page 50. This is the text used on the quota button which users must click to start using their quota of time to access the content. You can use this text or enter custom text. 35

42 Managing Web Security Managing Block Pages Sub message Administrator's address Accept the default message, or enter a custom, secondary message. Optionally, enter a administrator s address, for contact purposes. 4 Optionally, click Advanced and configure the following settings: Custom title image Custom background image Show unblock request This option determines the image displayed at the top of the block page. Note: To use a custom title image, the image must be 551 x 79 pixels. To specify a custom title image: 1 Click Browse. 2 In the dialog box that opens, browse to and select the image. Click OK. 3 Click Upload. This option determines the image displayed as a background on the block page. Note: To use a custom title image, the image must be 551 x 552 pixels. To specify a custom background image: 1 Click Browse. 2 In the dialog box that opens, browse to and select the image. Click OK. 3 Click Upload. Optionally, select to display a button on the block page which allows users to request that a blocked page be unblocked. Clicking the button on the block page opens a pop up form which when completed sends the request via the server used for alerts. Show client Optionally, select to display the user s username, if applicable. username Show Optionally, select to display the administrator's address. address Show client IP Optionally, select to display the IP address of the user s workstation. Show client Optionally, select to display the workstation s hostname on the block page. hostname Show user Optionally, select to display the users group membership, if applicable. group Show unblock controls Show reason for block Show bypass controls Optionally, select to display controls on the block page which allow administrators to add domains and URLS to the custom allowed or custom blocked content categories. For more information, see Working on Block Pages on page 39. Optionally, select to display the reason why the web request was blocked. Optionally, select to display temporary bypass controls on the block page. These controls allow users with bypass privileges to temporarily bypass the Guardian3.For more information, see Customizing a Block Page on page 35. Note: When an HTTPS inspection policy is enabled, see About the Default Web Filter Policies on page 14, and a user visits a site with an invalid certificate, Guardian3 s temporary bypass will not work. This is because Guardian3 must check the certificate before authentication information for bypass can be detected. In this case, bypass controls will be visible on the block page if enabled, but will not work. 36

43 Smoothwall Guardian3 Administrator s Guide Show URL of blocked page Use custom title image Show categories matched Use custom background image Optionally, select to display the URL of the blocked web request. Select if you have specified a custom title image, see above for more information. Optionally, select to display the filter category that caused the page to be blocked, if applicable. Select if you have specified a custom background image, see above for more information. 5 Click Save to save the block page and make it available for use in a block page policy. Using a Custom HTML Template Guardian3 enables you to use a custom HTML file as a block page. To use a custom HTML file as a block page: 1 Download and edit the HTML template available here: Support Portal & Knowledge Base The template can be edited to use your organization s branding and display information on users and reasons for blocking requests. 2 When finished editing, archive the template and any files it uses in a zip file. 3 Navigate to the Guardian > Block page > Block pages page and configure the following settings: Name Comment Enter a name for the block page. Enter a comment describing the block page. 4 Select the Import HTML template from zip archive option. Click Browse. Locate and select the archive. 5 Click Upload. Guardian3 uploads and unpacks the archive and makes it available for use in a block page policy. Using an External Block Page Guardian3 enables you to specify an external page as a block page. To use an external page as a block page: 1 Navigate to the Guardian > Block page > Block pages page and configure the following settings: Name Enter a name for the block page. Comment Enter a comment describing the block page. Redirect to block page Select to enable Guardian3 to use an external block page. Block page URL Enter the block page s URL. 2 Click Save to make it available for use in a block page policy. 37

44 Managing Web Security Managing Block Pages Configuring a Block Page Policy By default, Guardian3 displays a standard block page whenever it blocks a web request by users. You can configure Guardian3 to display a specific block page when a web request is blocked based on unsuitable or objectionable content, location or time. To configure a block page policy: 1 Browse to the Guardian > Block page > Policy wizard page. 2 Complete the following steps: Step Step 1: Who Step 2: What Step 3: Where Step 4: When Step 5: Action From the Available users or groups list, select who will see the block page when content is blocked. Click Next to continue. From the Available categories or category groups list, select what categories or category groups will trigger the content being blocked. Click Next to continue. For information on categories, see Chapter 5, Working with Category Group Objects on page 43. From the Available locations list, select where the policy applies. Click Next to continue. For information on locations, see Chapter 5, Working with Location Objects on page 49. From the Available time slots list, select when the policy applies. Click Next to continue. For information on time slots, see Chapter 5, Working with Time Slot Objects on page 48. Select which block page to use. For information on the types of block pages you can use, see Chapter 4, Managing Block Pages on page Select Enable policy to enable the policy and click Confirm. 38

45 Smoothwall Guardian3 Administrator s Guide 4 Guardian3 displays the settings you have specified for the policy. Review the settings and then click Save to save the policy and make it available on the manage policies page. Managing Block Page Policies Block page policies are managed on the manage policy page. Guardian3 processes policies in order of priority, from top to bottom, until it finds a match. You can change the order by dragging and dropping them on the page. To manage block page policies: 1 Browse to the Guardian > Block page > Manage policies page. 2 To change the order of the policies displayed, select a policy and drag it to the position you require. 3 Click Save to save the change(s). Guardian3 re-orders the policies. Working on Block Pages Depending on how a block page is configured, there may be controls to add URLS and domains to user-defined blocked or allowed categories as well as temporary bypass features to allow users with the correct privileges to access the blocked content. Adding to User-defined Categories Note: The availability of these options depends on how the block page is configured. For more information, see Customizing a Block Page on page 35. To add to user-defined categories: 1 Configure the following settings on the block page: Control From the User-defined categories drop-down list, select one of the following options: Custom blocked content Add the blocked URL or domain to the custom blocked category. Custom allowed content Add the blocked URL or domain to the custom allowed category. 39

46 Managing Web Security Managing Block Pages Temporary Bypass Enables temporary bypass of the block page if the user has the necessary privileges. Select from the following options: 30 seconds Temporarily bypass the block page for 30 seconds. 5 minutes Temporarily bypass the block page for 5 minutes. 30 minutes Temporarily bypass the block page for 30 minutes. When prompted, enter the bypass password. Note: The temporary bypass and control options use non-standard port 442. This is to enable administrator access controls to be used without affecting these features. 40

47 Chapter 5 Working with Policies In this chapter: An overview of policies, what comprises them and what types of policy you can create Working with objects that make up a policy Configuring and managing policies Using the policy tester. An Overview of Policies Policies determine how Guardian3 handles web content to best protect your users and your organization. You can create and deploy custom policies to fit your organization. Deploying custom policies entails: Configuring custom policies based on your organization s Acceptable Usage Policies (AUPs); for more information, see Types of Policies on page 41 Configuring authentication policies; for more information, see Chapter 6, Creating Authentication Policies on page 75 Configuring users browsers or network connections to use Guardian3 as their web proxy or default gateway; for more information, see Chapter 6, Connecting to Guardian3 on page 86. Types of Policies Guardian3 enables you to create the following types of policies: Web filter policies Web filter policies determine whether to allow, block, soft block or whitelist web content that a user has requested. For more information, see Managing Web Filter Policies on page 52 HTTPS inspection policies when enabled, HTTPS inspection policies determine whether to decrypt and inspect encrypted content in order to determine to handle the content based on web filter policies. HTTPS inspection policies can also be used to validate web site certificates. For more information, see Managing HTTPS Inspection Policies on page 56 Content modification policies Content modification policies can be used to identify and stop malicious content embedded in web pages from being accessed. For information, see Managing Content Modification Policies on page 61. Anti-malware policies Anti-malware policies are used to against malware and viruses. For information on customizing anti-malware policies, see Managing Anti-malware Policies on page 64. How Policies are Applied How Guardian3 applies policies depends on the original web request from a user. The following diagrams give a high-level view of what happens when a user makes a non-encrypted (HTTP) web request and an encrypted (HTTPS) web request. 41

48 Working with Policies An Overview of Policies Applying Policies to a HTTP Web Request Applying Policies to a HTTPS Web Request 42

49 Smoothwall Guardian3 Administrator s Guide Guardian Getting Started The Getting started page explains policies and policy objects. Working with Category Group Objects A category group object is a collection of URLs, domains, phrases, lists of file types and/or security rules. Guardian3 uses category group objects in policies to determine if a user should be allowed access to the content they have requested using their web browser. 43

50 Working with Policies Working with Category Group Objects Creating Category Group Objects The following section explains how to create a category group object to be used in a web filter policy. To create a category group object: 1 Browse to the Guardian > Policy objects > Category groups page. 2 In the Manage category groups area, configure the following settings: Name Comment Content categories Enter a name for the category group. Optionally, enter a comment to make it easier to remember what the category contains. Select the content you want to include in the category group object. Click [ + ] to access and view any sub-categories available. Tip: Click the Advanced view option to access more detailed information on the content. 3 Click Save. The category group object is saved and added to the list of groups of content available. 44

51 Smoothwall Guardian3 Administrator s Guide Creating User-defined Categories You can define new categories of content for use in category group objects to suit you organizations requirements. To define a category: 1 Browse to the Guardian > Policy objects > User defined page. 2 Configure the following settings: Name Comment Domains & URLs Enter a name for the category. Optionally, enter a comment describing the category. Enter one domain or URL per line. For example: example.com Do not include www. in URLs. 3 Optionally, click Advanced to access the following settings: Search term filtering Enter one search term, surrounded by delimiters, per line for example: ( hardcore ) (xxx) Spaces before and after a term are not removed, thus simplifying searching for whole words. Parenthesis are required. You can use the following delimiters: [] () {} <> 45

52 Working with Policies Working with Category Group Objects URL patterns Headers to override File extensions Enter a URL pattern per line, for example: ( adultsite sexdream ) The example above looks for URLs containing either the word adultsite or the word sexdream. You can use the following delimiters: [] () {} <> Note: If the URL pattern you enter contains a delimiter, you must use a different delimiter to contain the whole pattern. For example: [ mysearchwith(abracket) ] Here you can specify if Guardian3 should use the requested site s capability to override HTTP headers sent to it and redirect users to other content. For example, if a student tries to access inappropriate Youtube content, Guardian3 can request YouTube to override the request and redirect them to YouTube Education. Also, if your organization uses Google Apps, you can configure Guardian3 to request Google Apps to prevent users from accessing their personal Google accounts. Note: To use YouTube Education, you must sign up for an account and obtain a key. See for instructions. To request a redirect to YouTube education: 1 Enter a value in this format: X-YouTube-Edu-Filter: AbcdEfghIjklmnOpq_rstU To request a restriction by Google Apps: 1 Enter a value in this format: X-GoogApps-Allowed-Domains: example.org, example.net Note: For a Google Apps restriction, HTTPS interception is required as Google Apps uses HTTPS throughout. For more information, see Managing HTTPS Inspection Policies on page 56. Enter one file extension, e.g..doc, or MIME type, e.g. application/octetstream per line. You must include the dot (.) when entering file extensions. 4 Click Save. Guardian3 creates the content category and makes it available on the Guardian > Policy objects > Category groups page. Searching for URLs in User-defined Categories You can search in user-defined categories to determine which ones match a particular URL. Note: A search can take up to a minute to complete. To search for a URL in a category: 1 Browse to the Guardian > Policy objects > User defined page. 2 In the Enter URL field, enter the URL you want to search for. 3 Click Find categories. Guardian3 displays the names and components of any categories in which the URL was found. Editing Category Group Objects You can edit category group objects to suit you organizations requirements. To edit a category group object: 1 Browse to the Guardian > Policy objects > Category groups page. 46

53 Smoothwall Guardian3 Administrator s Guide 2 From the Category groups list, select the object you want to edit and click Edit category group. Guardian3 displays the object in the Manage category groups area. Click [ + ] to access and view any sub-categories available. Tip: Click the advanced view option to access more detailed information on the content and subcategories. 3 Select any new content you want to add to the object and de-select any content you want to remove from the object. 4 Click Save. Guardian3 saves and applies the changes. Deleting Category Group Objects You can delete category group objects you no longer require. To delete a category group object: 1 Browse to the Guardian > Policy objects > Category groups page. 2 From the Category groups list, select the content category object you want to delete and click Delete category group. Guardian3 deletes the object. Note: You cannot delete a category group object if it is in use in a policy. You must first remove the object from the policy. 47

54 Working with Policies Working with Time Slot Objects Working with Time Slot Objects You can configure Guardian3 to allow or stop users accessing the Internet during certain time periods depending on the time and day. Creating a Time Slot The following section explains how to create a time slot for use in a web filter policy. To create a time slot: 1 Navigate to the Guardian > Policy objects > Time slots page. 2 Configure the following settings: Name Comment Enter a name for the time slot. Optionally, enter a comment to help identify when the period is used 3 In the time-table, click and drag to select the periods of time you want to include in the time slot. 4 Click Save. Guardian3 creates the time slot and adds it to the list of time slots. It also makes the time slot available where applicable on the policy wizard pages for inclusion in policies. Editing a Time Slot The following section explains how to edit a time slot. To edit a time slot: 1 Navigate to the Guardian > Policy objects > Time slots page and, in the Time slots area, locate the time slot you want to edit. 2 Click the Edit time button. Guardian3 displays the time slot in the time-table. Tip: You can use the Clear and Edit in full-text mode options to make changes the time slot. 48

55 Smoothwall Guardian3 Administrator s Guide 3 Make the changes you require and click Save. Guardian3 makes the changes and saves the time slot. Deleting a Time Slot The following section explains how to delete a time slot. To edit a time slot: 1 Navigate to the Guardian > Policy objects > Time slots page and, in the Time slots area, locate the time slot you want to delete. 2 Click the Delete time button. Guardian3 deletes the time slot. Working with Location Objects Guardian3 enables you to create locations into which you can place resources such as desktop and laptop computers. You can use a location to block the resources at the location from accessing external networks or the Internet. Creating a Location Object To create a location object: 1 Browse to the Guardian > Policy objects > Locations page. 2 In the Manage location area, configure the following settings: Name Enter a name for the location object. 49

56 Working with Policies Working with Quota Objects Addresses Enter an IP address, hostname, IP range or a subnet of the resource(s), for example: For a computer, enter: For a range of computers, enter: For content identified by a hostname, enter: roaming_laptop 3 Optionally, click Advanced and configure the following settings to define exceptions to any address ranges you specified in the previous step: Exceptions Enter an individual IP, hostname, IP range or a subnet of the resource(s), for example: To make an exception for a computer, enter: To make an exception for a range of computers, enter: Click Save. Guardian3 adds the resources to the location object and lists it in the Locations list. Editing Location Objects You can edit a location object. To edit a location object: 1 On the Guardian > Policy objects > Locations page, in the Locations area, select the location and click the Edit location button. 2 Make the changes you require and click Save, Guardian3 displays the settings. 3 Click Save. Guardian3 updates the resources in the location object and lists it in the Locations list. Deleting Location Objects You can delete location objects you no longer require. Note: You cannot delete a location object if it is in use in a policy. You must first remove the object from the policy. To delete a location object: 1 Browse to the Guardian > Policy objects > Locations page. 2 In the Locations list, locate the location object you want to delete and click the Delete location button. Guardian3 deletes the location object. Working with Quota Objects Guardian3 s quota objects enable you to limit user access to content on a daily basis. When a quota is used in a web filter policy, users to whom the policy is applied are prompted to confirm that they want to access the content and are told how long their quota is and how much of the quota they have left. 50

57 Smoothwall Guardian3 Administrator s Guide About the Default Quota Object Guardian3 comes with a default quota object which is ready for use in a web filtering policy. When used, the default quota limits access to the relevant content to 60 minutes per 24 hours. Users will be prompted every 10 minutes to confirm that they want to continue using their quota. Default quotas are reset daily at 04:00. You can edit the default quota but you cannot remove it there must always be a default in case the quota action is used in a web filtering policy. For more information on using quotas and web filtering policies, see Creating Web Filter Policies on page 53. Creating Quota Objects Creating a quota object entails specifying who the quota applies to, how long the quota is, how often to prompt the user to confirm that they want to continue using their quota and when the quota is reset. To create a quota object: 1 Browse to the Guardian > Policy objects > Quotas page. 2 Click Create a new quota and configure the following settings: Available users or groups Duration Prompt every Reset at Enable quota From the list, select the user(s) and/or group(s) to whom the quota will apply. Tip: Enter a name or part of a name and Guardian3 will search for names of users and groups that match. Click Add. Move the slider to set the duration of the quota. From the drop-down list, select how often users will be prompted to confirm that they want to use more of their quota. From the drop-down list, select when to rest the quota. Select to enable the quota. 3 Click Save. Guardian3 creates the quota and lists it on the Guardian > Policy objects > Quotas page. 4 Drag and drop the quota object to the correct position. 51

58 Working with Policies Managing Web Filter Policies Note: Quotas are applied as listed on the Guardian > Policy objects > Quotas. You must consider their position when using them. Take, for example Bob. Bob is a member of the Staff group. The Staff group has a quota of 60 minutes. However, because of Bob s responsibilities, he needs a quota of 120 minutes. To ensure Bob gets the quota he needs, create a quota object that applies to Bob and, on the Guardian > Policy objects > Quotas page, list it above the Staff quota object. When Guardian3 applies the web filtering policy to the Staff group, it will check for quotas and allow Bob 120 minutes while other people in the Staff group will get 60 minutes. If Bob s quota object is listed below the Staff group s quota object, Bob will get 60 minutes just like everyone else. For more information on using quotas and web filtering policies, see Creating Web Filter Policies on page 53. Editing Quota Objects It is possible to edit a quota object s settings. To edit a quota object: 1 On the Guardian > Policy objects > Quotas page, locate the quota you want to change and click its Edit quota button. Guardian3 displays the settings. 2 Make the changes required. See Working with Quota Objects on page 50 for more information on the settings available. 3 Click Save. Guardian3 edits and updates the quota and lists it on the Guardian > Policy objects > Quotas page. Deleting Quota Objects You can delete a quota object when it is no longer required. To delete a quota object: 1 On the Guardian > Policy objects > Quotas page, locate the quota you want to change and click its Delete quota button. Guardian3 deletes the quota and removes it from the Guardian > Policy objects > Quotas page. Managing Web Filter Policies Guardian3 processes web filter policies in order of priority, from top to bottom, until it finds content that matches. When it finds a match, Guardian3 applies the action, block, allow, whitelist, soft block or limit to quota as configured in the policy. You can review the default web filter policies on the Guardian > Web filter > Manage policies page and you can change the order by dragging and dropping policies in the list. The following sections discuss how to create, edit and delete web filter policies. 52

59 Smoothwall Guardian3 Administrator s Guide Creating Web Filter Policies You can create custom web filter policies to allow or block specific content, allow access to specific web sites at certain times or apply an acceptable usage policy (AUP) to meet your organization s requirements. To create a web filter policy: 1 Browse to the Guardian > Web filter > Policy wizard page. 2 Complete the following steps: Step Step 1: Who Step 2: What Step 3: Where Step 4: When From the Available users or groups list, select the user(s) and/or group(s) to whom the policy will apply. Tip: Enter a name or part of a name and Guardian3 will search for names of users and groups that match. Click Add and, when you have added all the users and/or groups, click Next to continue. From the Available categories or category groups list, select what is to be filtered. Tip: Enter the name or part of the name and Guardian3 will search for content that matches. Click Add and, when you have selected all the content, click Next to continue. From the Available locations list, select where the policy will apply. Tip: Enter the name or part of the name and Guardian3 will search for locations that match. Click Add and, when you have added the location(s), click Next to continue. From the Available time slots list, select when the policy will apply. Tip: Enter the name or part of the name and Guardian3 will search for time slots that match. Click Add and, when you have added the time slot(s), click Next to continue. 53

60 Working with Policies Managing Web Filter Policies Step Step 5: Action Select one of the following actions to use when applying this policy: Create policy folder Select this action when configuring a policy at a central installation where you need to create policy folders for multiple locations or groups. Block Select this action to block the selected content. Allow Select this action to allow the content. Guardian3 may also categorize the content and apply any content modification policies in place. You can use this option to create specific exceptions to broad blocking policies. Another possible use is to prevent over-blocking of diverse content such as news articles, which may fall under a variety of categorizations depending on the type of news article. Whitelist Select this action to whitelist the selected content. When content is whitelisted, Guardian3 does not examine it any further. Whitelisting is applied early on when Guardian3 is checking URLs. Content which is whitelisted will not be subjected to outgoing filtering or dynamic content analysis. Content modification policies may still be applied, unless the categorization of the original, unmodified URL matches the whitelist. Whitelisting content may help to conserve system resources and prevent unintentional blocking when dealing with trusted content, such as online banking sites or Windows updates. Soft block Select this action to soft block the selected content. Anyone trying to access the content will be prompted by Guardian3 to confirm that they want to access content. Limit to quota Select this action to apply a quota when applying the policy. When the policy is applied, Guardian3 will check the quotas defined on the Guardian > Policy objects > Quotas page and limit access to the requested content based on the quota object s settings. Note: Any content being streamed or downloaded by a user will not be stopped when the user s quota runs out. Note: Each step must be completed in order to create the policy. If you skip a step, Guardian3 creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page Select Enable policy to enable the policy and click Confirm. 4 Guardian3 displays the settings you have selected. Review them and click Save to create the policy. Guardian3 creates the policy and makes it available on the Guardian > Web filter > Manage policies page. You must now specify in what order Guardian3 should apply the policy. 54

61 Smoothwall Guardian3 Administrator s Guide 5 Browse to the Guardian > Web filter > Manage policies page. 6 Locate the policy in the Filtering policies area. Drag and drop the policy to where you want Guardian3 to apply it. For example, if you have created a policy which allows media students to access advertising content during their lunch break, drag the policy to the top of the list of policies. 7 Click Save. Guardian3 re-orders and applies the filtering policies and allows all users in the media student group to access adverts during their lunch break. Editing Web Filter Policies You can edit an existing web filter policy to suit your organization s requirements. To edit a web filter policy: 1 Browse to the Guardian > Web filter > Manage policies page and locate the policy you want to edit. 2 Click the Edit policy button. Guardian3 displays the policy settings on the Guardian > Web filter > Policy wizard page. 3 Make the changes necessary, see Creating Web Filter Policies on page 53 for more information on working with policies. 4 Click Confirm. Guardian3 displays the settings you have selected. Review them and click Save to save the changes to the policy. Guardian3 updates the policy and makes it available on the Guardian > Web filter > Manage policies page. Deleting Web Filter Policies You can delete a web filter policy you no longer require. To delete a web filter policy: 1 Browse to the Guardian > Web filter > Manage policies page and locate the policy you want to delete. 2 Click the Delete policy button. Guardian3 prompts you to confirm that you want to delete the policy. Click Remove. Guardian3 deletes the policy. 55

62 Working with Policies Managing HTTPS Inspection Policies Managing HTTPS Inspection Policies The following sections discuss how to create, edit and delete HTTPS inspection policies. HTTPS inspection policies enable you to inspect and manage communication between users on your network and web sites which use HTTPS by configuring an inspection method for different user groups, destinations and locations. Guardian3 processes HTTPS inspection policies in order of priority as listed on the Guardian > HTTPS inspection > Manage policies page, from top to bottom, until a match is found. You can change the order by dragging and dropping policies in new positions. Guardian3 comes with three pre-configured HTTPS inspection policies which handle the following content: Online banking when enabled, this policy allows end-users to do online banking without communications being decrypted and inspected All encrypted content accessed by unauthenticated IPs when enabled, this policy decrypts and inspects all encrypted content that users at unauthenticated IPs try to access Certificate validation enabled by default, this policy check secure certificates on web sites. Any sites whose certificates are self-signed, out of date or otherwise invalid will be blocked. Enabling HTTPS Inspection Policies The following section explains how to enable HTTPS inspection policies that are listed on the Guardian > HTTPS inspection > Manage policies page. To enable HTTPS inspection policies: 1 Browse to the Guardian > HTTPS inspection > Manage policies page. 2 Locate the policy you want to enable, click on the Enabled button and select Enable. 3 Repeat the step above for any other policies you want to enable and then click Save. Guardian3 enables the policies. Note: When, for the first time, you enable a HTTP inspection policy which decrypts and inspects content Guardian3 informs you that users browsers must have the Guardian3 CA certificate in order for the policy to work. You can click on Guardian CA certificate in the text displayed and download the certificate ready for import into browsers. See Managing Certificates on page 60 for more information on how to import the certificate. 56

63 Smoothwall Guardian3 Administrator s Guide Creating an HTTPS Inspection Policy When an HTTPS inspection policy is in place, Guardian3 displays a warning page informing users who try to access a HTTPS web site that their communication with the site is being monitored. Users must actively accept the monitoring by clicking Yes in order to continue to the site, or click No to end the communication. Note: You must configure HTTPS settings and certificates in order for an HTTPS inspection policy to work. For more information, see Configuring HTTPS Inspection Policy s on page 59. To create an HTTPS inspection policy: 1 Browse to the Guardian > HTTPS inspection > Policy wizard page. 2 Complete the following steps: Step Step 1: Who Step 2: What Step 3: Where From the Available users or groups list, select who the policy will apply to. Tip: Enter a name or part of a name and Guardian3 will search for names of users and groups that match. Click Add and, when you have added all the users and/or groups, click Next to continue. From the Available categories or category groups list, select what is to be inspected. Tip: Enter the name or part of the name and Guardian3 will search for content that matches. Click Add and, when you have added all the categories or category groups, click Next to continue. From the Available locations list, select where the policy will apply. Tip: Enter the name or part of the name and Guardian3 will search for locations that match. Click Add and, when you have added the location(s), click Next to continue. 57

64 Working with Policies Managing HTTPS Inspection Policies Step Step 4: When Step 5: Action From the Available time slots list, select when the policy will apply. Tip: Enter the name or part of the name and Guardian3 will search for time slots that match. Click Add and, when you have added the time slot(s), click Next to continue. Select one of the following actions to apply: Create policy folder Select this action when configuring Guardian3 at a central installation where you need to create policy folders for multiple locations or groups. Decrypt and inspect Select this action to decrypt and inspect the encrypted content. Validate certificate only Select this action to check secure certificates on web sites. Any sites whose certificates are self-signed, out of date or otherwise invalid will be blocked. Do not inspect Select this action to not inspect the communication. An example of using this would be to not intercept communication with banking sites if a blanket policy of inspecting all HTTPS communication was in place. Note: Each step must be completed in order to create the policy. If you skip a step, Guardian3 creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page Select Enable policy to enable the policy and then click Confirm. 4 Guardian3 displays the settings you have selected. Review them and click Save to create the policy. Guardian3 creates the policy and makes it available on the Guardian > HTTPS Inspection > Manage policies page. You must now specify in what order Guardian3 should apply the policy. 5 Browse to the Guardian > HTTPS Inspection > Manage policies page. 6 Locate the policy in the HTTPS policies area. Drag and drop the policy to where you want Guardian3 to apply it. For example, if you have created a policy which does not inspect the Google HTTPS AdSense site when accessed by marketing students, drag the policy to the top of the list of policies. 7 Click Save. Guardian3 re-orders and applies the HTTPS inspection policies and allows all users in the marketing student group to access the Google AdSense site. 58

65 Smoothwall Guardian3 Administrator s Guide Editing HTTPS Inspection Policies You can edit an existing HTTPS inspection policy to suit your organization s requirements. To edit a HTTPS inspection policy: 1 Browse to the Guardian > HTTPS inspection > Manage policies page and locate the policy you want to edit. 2 Click the Edit policy button. Guardian3 displays the policy settings on the Guardian > HTTPS inspection > Policy wizard page. 3 Make the changes necessary, see Creating an HTTPS Inspection Policy on page 57 for more information on working with policies. 4 Click Confirm. Guardian3 displays the settings you have selected. Review them and click Save to save the changes to the policy. Guardian3 updates the policy and makes it available on the Guardian > HTTPS inspection policies > Manage policies page. Deleting HTTPS Inspection Policies You can delete a HTTPS inspection policy you no longer require. To delete a HTTPS inspection policy: 1 Browse to the Guardian > HTTPS inspection > Manage policies page and locate the policy you want to delete. 2 Click the Delete policy button. Guardian3 prompts you to confirm that you want to delete the policy. Click Remove. Guardian3 deletes the policy. Configuring HTTPS Inspection Policy s For HTTPS inspection policies to work, you must configure HTTPS inspection policy settings. Configuring these settings entails exporting certificate authority certificates, import them into the list 59

66 Working with Policies Managing HTTPS Inspection Policies of trusted CA certificates on the computers in your network and configuring warning and confirmation messages that are displayed to users when communications are being decrypted and inspected. Managing Certificates Managing certificate authority (CA) certificates entails exporting them and then installing them on end-users computers. Without certificates on users computers, HTTPS inspection policies cannot work. To export a certificate: 1 Browse to the Guardian > HTTPS inspection > s page. 2 Click Export. Guardian3 generates the Guardian CA Cert.crt file. Save the certificate and import it into the list of trusted CA certificates on the computers in your network on which you want to implement HTTPS filtering. Tip: At the time of writing, to import the certificate on a PC running Internet Explorer 8: from the Tools menu, select Internet Options. On the Content tab, click Certificates and then click Import. Run the Certificate Import Wizard and place the certificate in Trusted Root Certification Authorities store. In Firefox 3 on Windows XP, from the Tools menu, select Options. Click Advanced and display the Encryption tab. Click View Certificates and then click the Authorities tab. Click Import, browse to where the certificate is stored and click Open. When prompted, select Trust this CA to identify web sites and click OK, OK and OK. For Active Directory, you can deploy the certificate using a group policy. Consult your Active Directory documentation for more information. Configuring Warning Information When implemented, Guardian3 displays a warning page informing users who try to access HTTPS web site(s) that their communication with the site(s) is being decrypted and inspected. Users must actively accept the decryption and inspection in order to continue to the site. To configure HTTP inspection policy settings: 1 Browse to the Guardian > HTTPS inspection > s page. 60

67 Smoothwall Guardian3 Administrator s Guide 2 In the Manage HTTPS interception warning area, configure the following settings: Warning message Confirmation button label Warning frequency Accept the default message or enter a custom message informing users that their HTTPS connections will be decrypted and filtered if they continue to the site they have requested. Accept the default label or enter a new label to display on the button users must click to confirm that they accept that their HTTPS connections will be decrypted and filtered. Once they have clicked on the button, they will be able to continue to the site they requested. These settings determine how often the warning message is displayed. Daily Select to display the warning daily. Weekly Select to display the warning weekly. 3 Click Save to save the settings. Clearing the Generated Certificate Cache It is possible to clear Guardian3 s cache of certificates generated for use with HTTPS inspection policies. To clear the cache: 1 Browse to the Guardian > HTTPS inspection > s page and click Clear. Guardian3 clears the cache. Managing Content Modification Policies The following sections discuss how to create, edit and delete content modification policies. A content modification policy can apply recommended security rules, determine if Internet searches should use SafeSearch functionality, warn about address spoofing and more. It can also ignore content thus making it possible to exempt content from modification for specific users or locations. 61

68 Working with Policies Managing Content Modification Policies Creating a Content Modification Policy You can create a content modification policy that enforces or ignores security rules and/or SafeSearch for specific users at certain locations. To create a content modification policy: 1 Browse to the Guardian > Content modification > Policy wizard page. 2 Complete the following steps: Step Step 1: Who Step 2: What to target Step 3: Where From the Available users or groups list, select who the policy applies to. Tip: Enter a name or part of a name and Guardian3 will search for names of users and groups that match. Click Add and, when you have added all the users and/or groups, click Next to continue. From the Available categories or category groups list, select what the policy applies to. Tip: Enter the name or part of the name and Guardian3 will search for matches. Click Add and, when you have selected the categories or category groups, click Next to continue. From the Available locations list where the policy will apply. Tip: Enter the name or part of the name and Guardian3 will search for locations that match. Click Add and, when you have selected the location(s), click Next to continue. 62

69 Smoothwall Guardian3 Administrator s Guide Step Step 4: Action Select one of the following options: Create policy folder Select this action to group related rules in a policy folder. You can then use Apply or Ignore actions within this folder. For more information on policy folders, see Working with Policy Folders on page 70. Apply Select this action to modify the categories and category groups selected. Ignore Select this action to exempt the categories and category groups from being modified. Note: Usually creating a policy which ignores content implies that there is another policy which modifies content. For example, there might be an Apply policy which enforces SafeSearch for everyone, and another Ignore policy which exempts certain users who need unrestricted search. In such a case, on the Guardian > Content modification > Manage policies page, the Ignore policy which creates the exception must be placed before the Apply policy which modifies the content. From the Available categories or category groups list, select the content modification to apply and click Add. Note: If you are creating a policy that ignores content, the options here are disabled. Note: Each step must be completed in order to create the policy. If you skip a step, Guardian3 creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page Select Enable policy to enable the policy and click Confirm. 4 Guardian3 displays the settings you have selected. Review them and click Save to create the policy. Guardian3 creates the policy and makes it available on the Guardian > Content modification > Manage policies page. You must now specify in what order Guardian3 should apply the policy. 5 Browse to the Guardian > Content modification > Manage policies page. 6 Locate the policy. Drag and drop the policy to where you want Guardian3 to apply it. For example, if you have created a policy which exempts search results from modification for users in the teachers group, drag the policy to the top of the list of policies. 63

70 Working with Policies Managing Anti-malware Policies Editing Content Modification Policies You can edit an existing content modification policy to suit your organization s requirements. To edit a content modification policy: 1 Browse to the Guardian > Content modification > Manage policies page and locate the policy you want to edit. 2 Click the Edit policy button. Guardian3 displays the policy settings on the Guardian > Content modification > policy wizard page. 3 Make the changes necessary, see Creating a Content Modification Policy on page 62 for more information on working with policies. 4 Click Confirm. Guardian3 displays the settings you have selected. Review them and click Save to save the changes to the policy. Guardian3 updates the policy and makes it available on the Guardian > Content modification > Manage policies page. Deleting Content Modification Policies You can delete a content modification policy you no longer require. To delete a content modification policy: 1 Browse to the Guardian > Content modification > Manage policies page and locate the policy you want to delete. 2 Click the Delete policy button. Guardian3 prompts you to confirm that you want to delete the policy. Click Remove. Guardian3 deletes the policy. Managing Anti-malware Policies The following sections discuss how to create, edit and delete anti-malware policies. Anti-malware policies provide protection against many malware threats, including viruses, worms, spyware and trojans by scanning content passing through Guardian3. Creating an Anti-malware Policy An anti-malware policy provides protection by scanning content requested by users. The following section explains how to create an anti-malware policy and configure anti-malware settings. Note: Anti-malware scanning is not enabled by default. You must enable anti-malware scanning in order to apply any anti-malware policies you have created and enabled. For more information, seeconfiguring Anti-malware Protection on page

71 Smoothwall Guardian3 Administrator s Guide To create an anti-malware policy: 1 Browse to the Guardian > Anti-malware > Policy wizard page. 2 Complete the following steps: Step Step 1: Who Step 2: What Step 3: Where Step 4: Action Guardian3 From the Available categories or category groups list, select what is to be scanned. Tip: Enter the name or part of the name and Guardian3 will search for content that matches. From the list of locations, select where the policy will apply. Tip: Enter the name or part of the name and Guardian3 will search for locations that match. Click Add and when you have added the location(s), click Next to continue. Select one of the following options: Create policy folder Select this action when configuring Guardian3 at a central installation where you need to create policy folders for multiple locations or groups. Scan Select this action to scan the content specified for malware. Do not scan Select this action to allow the user to access the content without scanning it for malware. Note: Each step must be completed in order to create the policy. If you skip a step, Guardian3 creates a policy folder in which you can store policies. For more information on policy folders, seeworking with Policy Folders on page Select Enable policy to enable the policy and click Confirm. 4 Guardian3 displays the settings you have selected. Review them and click Save to create the policy. Guardian3 creates the policy and makes it available on the Guardian > Anti-malware > Manage policies page. You must now specify in what order Guardian3 should apply the policy. 65

72 Working with Policies Managing Anti-malware Policies 5 Browse to the Guardian > Anti-malware > Manage policies page. 6 Locate the policy. Drag and drop the policy to where you want Guardian3 to apply it. For example, if you have created a policy which does not scan archives that system administrators want to download, drag the policy to the top of the list of policies. Configuring Anti-malware Protection The following section explains how to enable anti-malware scanning and set a maximum size for files to be scanned. To configure anti-malware protection: 1 Navigate to the Guardian > Anti-malware > s page. 2 Configure the following settings: Anti-malware scanning Select Enable to activate malware scanning. 66

73 Smoothwall Guardian3 Administrator s Guide Max file size to scan File uploads Enter the maximum file size to scan in megabytes. The value can be between 1 MB and 100 MB. Note: To download files larger than 100 MB with malware scanning enabled, you may need to create an anti-malware policy which never scans files from these sites. Sites which stream audio/ video over HTTP may also experience problems when malware scanning is enabled. Select Scan or Do not scan as required. 3 Click Save to apply the malware protection. Configuring Anti-malware Status Information You can configure Guardian3 to display information on files being scanned for malware. To configure the information displayed: 1 Navigate to the Guardian > Anti-malware > Status page page. 2 Configure the following settings: Status page title After download After scan This text displays information on the name and size of the file being downloaded. Accept the default or enter new text. The keywords %%FILENAME%% and %%FILESIZE%% can be used to provide file-specific information. This information is displayed after the file has been downloaded and while it is being scanned. Accept the default or enter new text. This text is a message displayed when the file has been scanned. Users are provided with a link to save the file to their computer following a successful scan. Accept the default or enter new text. 67

74 Working with Policies Using the Policy Tester Auto-start downloads Select to automatically download the file after it has been scanned and approved for download. 3 Click Save to apply any changes. Note: If requested content fails the malware scan, Guardian3 will deny the download. To allow such downloads, you should first be confident that the requested content is safe before creating a policy which allows the content to be downloaded. Editing Anti-malware Policies You can edit an existing anti-malware policy to suit your organization s requirements. To edit an anti-malware policy: 1 Browse to the Guardian > Anti-malware > Manage policies page and locate the policy you want to edit. 2 Click the Edit policy button. Guardian3 displays the policy settings on the Guardian > Anti-malware > Policy wizard page. 3 Make the changes necessary, seecreating an Anti-malware Policy on page 64 for more information on working with policies. 4 Click Confirm. Guardian3 displays the settings you have selected. Review them and click Save to save the changes to the policy. Guardian3 updates the policy and makes it available on the Guardian > Anti-malware > Manage policies page. Deleting Anti-malware Policies You can delete an anti-malware policy you no longer require. To delete an anti-malware policy: 1 Browse to the Guardian > Anti-malware > Manage policies page and locate the policy you want to delete. 2 Click the Delete policy button. Guardian3 prompts you to confirm that you want to delete the policy. Click Remove. Guardian3 deletes the policy. Using the Policy Tester Guardian3 s policy tester enables you to determine what policy actions would apply for a given URL and, optionally, a specific user or group at a specific location and/or time. This is done by the policy tester sending an impersonated request for access to a URL. Tip: Use the policy tester to check possible negative side effects of adding a user/group, time slot or location to a Guardian policy. 68

75 Smoothwall Guardian3 Administrator s Guide To use the policy tester: 1 Browse to the Guardian > Quick links > Policy tester page. 2 Configure the following settings: URL Who Where When Detailed diagnostics Enter the URL to be requested. If the URL contains www, enter that too. Optionally, select the group(s) or user who would make the request. Group From the drop-down list, select the group(s) who would make the request. User Enter the name of the user making the request. Optionally, select the location(s) or IP address from which the content would be requested. Location From the drop-down list, select the location(s) from which the request would be made. IP address Enter the IP address from which the request would be made. Optionally, select at what time or during which time slot(s) the content would be requested. Time Enter the time at which the content would be requested. Time slot Specify the time slot(s) during which the content would be requested. Tip: It is possible to impersonate a request made in the past. For example, you can check if someone could have accessed a URL previously. Optionally, select this to determine what policy actions would apply to resources such as images, javascript, CSS tags, HTML5 multimedia tags and other resources at the URL. Note: Hyperlinks to other pages are not tested. 69

76 Working with Policies Working with Policy Folders 3 Click Test. For each Guardian policy enabled at that time, Guardian3 displays what action has been applied regarding the URL and the options you specified. When testing a URL which results in a redirect, the URL to which the original is redirected and its status are displayed. This enables you to policy test the redirect URL. For information on URL statuses, see: Note: The policy tester can impersonate a user or group(s) attempting to access web content. Guardian3 does not log impersonated requests. However, an upstream proxy may capture and log the request as coming from the user or group(s) being impersonated. Other Ways of Accessing the Policy Tester The policy tester is also available: On the Dashboard page. If the Web filter option is enabled on the System > Preferences > User interface page, you can run quick policy tests. On user portals. If the policy tester has been enabled for a user portal, it will be available when users access the portal. For more information, see Chapter 13, Enabling the Policy Tester on page 142 and the Working with Policy Folders Policy folders enable you to organize and apply policies according to whatever criteria are most appropriate to your organization. For example, by default, Guardian3 blocks all adverts for all users all the time in every location. If you want to allow some users and/or groups to access adverts sometimes and others to access them always at specific locations, you can accomplish this by creating a policy folder which contains a general web filter policy allowing access to adverts. You can then add policies to the folder specifying which groups are allowed access, at what times and in which locations. Using policy folders makes it easier to understand the policy table on the manage policies page and more accurately reflects how a policy is applied to specific groups. Creating a Policy Folder You create a policy folder by using a policy wizard. To create a policy folder: 1 When running a policy wizard, do not add a policy object for the criterion you want to use to determine the type of policy folder. For example, if you want to create a web filter policy folder to contain policies that can be applied to specific groups and/or users, do not add any users or groups to the policy. 2 When configuring the policy action, select Create policy folder. After you have completed the policy wizard, Guardian3 makes the policy folder available on the manage policies page. 3 To add a policy to a folder, browse to the relevant manage policies page, locate the policies folder and click Add policy to folder. Guardian3 opens the folder and displays it on the policy wizard page. 4 Add the policy object, for example a group to which you want to apply the policy and click Confirm. Guardian3 displays the policy settings. Review the settings and then click Save. Guardian3 creates the policy, places it in the policy folder and makes it available on the manage policies page. 70

77 Smoothwall Guardian3 Administrator s Guide Editing Policy Folders You can edit policy folders by changing the policy objects it contains. To edit a policy folder: 1 On the relevant manage policies page, locate the policy folder and click Edit policy folder. Guardian3 opens the folder and displays it on the policy wizard page. 2 Make changes to the policy object(s) included in the folder by adding or removing them as required. 3 Click Confirm, review the changes and click Save to apply the changes and update the folder. Deleting Policy Folders You can delete policy folders you no longer require. To delete a policy folder: 1 On the relevant manage policies page, locate the policy folder and click Delete policy folder. Click Remove when prompted to confirm that you want to delete the folder. Guardian3 deletes the folder and removes it from the relevant manage policies page. Censoring Web Form Content The following section explains how to create and apply a censor policy for content and/or files posted using web forms. A censor policy consists of a filter, an action and a time period. To create and apply a censor policy: 1 Browse to the Services > Message censor > Policies page. 71

78 Working with Policies Censoring Web Form Content 2 Configure the following settings: Service Filter Time period Action Log severity level Group Comment Enabled From the drop-down menu, select one of the following options: Web filter outgoing Select to apply the policy to content and/or files being posted in web forms, such as to message boards or Wikipedia, using HTTP. Web filter secure outgoing (HTTPS) Select to apply the policy to content and/or files being posted in web forms, such as to message boards or Wikipedia, using HTTPS. Note: A HTTPS inspection policy must be deployed for this to work. See Managing HTTPS Inspection Policies on page 56 for more information. Click Select to update the policy settings available. From the drop-down menu, select a filter to use. For more information on filters, see Chapter 13, Creating Filters on page 154. From the drop-down menu, select a time period to use, or accept the default setting. For more information on time settings, see Chapter 13, Time Periods on page 153. From the drop-down menu, select one of the following actions: Block - Content which is matched by the filter is blocked. Allow - Content which is matched by the filter is allowed and is not processed by any other filters. Guardian3 enables you to store all blocked content, no blocked content or only blocked content above a certain severity level. If you want Guardian3 to only store blocked content above a certain severity level, you must assign severity levels to the content. The Log severity level option enables you to this. From the drop-down list, select the severity level to assign to content that has been blocked by this policy. Note: You must also configure the options for storing blocked content on the Guardian > Web filter > Outgoing page. See below for more information. From the drop-down list, select the group to which you want to apply the policy. Optionally, enter a description of the policy. Select to enable the policy. 3 Click Add and, at the top of the page, click Restart to apply the policy. 72

79 Smoothwall Guardian3 Administrator s Guide 4 Browse to the Guardian > Web filter > Outgoing page. 5 Configure the following settings: MessageCensor filtering and logging Store blocked content Store blocked content above severity level Select Enable to enable censoring of content and/or files posted using web forms. Select this option if you want Guardian3 to store content it blocks. Note: This option does not apply to content posted using HTTPS. If you have selected to store blocked content, from the drop-down list, select one of the following options: Always store Guardian3 stores all blocked content and makes it available for review in the web filter log. 4 to 5 Select a severity level above which Guardian3 stores the blocked content and makes it available for review in the web filter log. For more information, see the Log severity option above. Note: This option does not apply to content posted using HTTPS. 6 Click Save. Guardian3 applies the policy. 73

80 Working with Policies Censoring Web Form Content 74

81 Chapter 6 Managing Authentication Policies In this chapter: About and working with authentication policies About exceptions to authentication and identification by location About and how to configure transparent and non-transparent connections to Guardian3 Some example scenarios of how to use authentication to manage web access. About Authentication Policies Note: By default, Guardian3 comes with an authentication policy in place. To use it, you configure your users web browsers to use Guardian3 as their web proxy. For more information, see Creating a Nontransparent Connection Manually on page 87. Guardian3 uses authentication to: Identify users and assign them to groups, so that Guardian3 can apply different policies to each group Allow access to registered users or trusted workstations Provide logging and auditing facilities in case of misuse Show in real time which users are accessing content. An authentication policy is comprised of a connection type, an authentication method, port information and a location. Guardian3 can use several different authentication methods to identify a user or group, with different requirements and restrictions. Authentication policies determine which method is used. They also determine which interfaces and ports Guardian3 listens on for web requests. Creating Authentication Policies Guardian3 enables you to create the following types of authentication policies: Non-transparent authentication policies this type of policy is applied to users whose web browsers are configured to connect to the Internet using Guardian3 as their web proxy. For more information, see Creating Non-transparent Authentication Policies on page 76 Transparent authentication policies this type of policy is applied to users whose computers network connection uses Guardian3For more information, see Creating Transparent Authentication Policies on page

82 Managing Authentication Policies Creating Authentication Policies Creating Non-transparent Authentication Policies Non-transparent authentication policies enable you to apply a web filter policy and authentication requirements to a user or group of users. To create a non-transparent authentication policy: 1 Browse to the Web proxy > Authentication > Policy wizard page. 2 Select Non-Transparent and from the Method drop-down list, select one of the following authentication methods: Method No authentication Kerberos Kerberos (Terminal Services compatibility mode) Proxy authentication Proxy authentication (Terminal Services compatibility mode) Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group. Identify users by using the Kerberos keytab stored on Guardian3. For more information, see Chapter 14, Managing Kerberos Keytabs on page 173. For information on Kerberos pre-requisites and troubleshooting, see Appendix A, About Kerberos on page 246. Identify users by using the Kerberos keytab stored on Guardian3. For more information, see Chapter 14, Managing Kerberos Keytabs on page 173. For information on Kerberos pre-requisites and troubleshooting, see Appendix A, About Kerberos on page 246. This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server Identify users by requesting a username and password from the user s browser. This authentication method prompts users to enter a username and password when they try to web browse. The username and password details are encoded in all future requests made by the user s browser. Identify users by requesting a username and password from the user s browser. This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server

83 Smoothwall Guardian3 Administrator s Guide Method NTLM identification NTLM identification (Terminal Services compatibility mode) NTLM authentication Identify users according to the username logged into their Microsoft Windows workstation. Note: NTLM identification does not verify a user's credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials. Note: Guardian3 supports NTLM on Microsoft operating system software and browsers only. NTLM should not be used with any other browser or platform, even if the platform claims to support NTLM. NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames. Identify users according to the username logged into their Microsoft Windows workstation. Can be used in conjunction with Microsoft Terminal Services. Note: NTLM identification does not verify a user s credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials. Note: Guardian3 supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM. Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames. This method works with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server Identify users according to the username logged into their Microsoft Windows workstation, and validate their credentials with the domain controller. Prerequisites: There must be a computer account for Guardian3 in Active Directory The account specified on the Services > Authentication > s page must have permission to join the computer to the domain. Note: Guardian3 supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM. Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames 77

84 Managing Authentication Policies Creating Authentication Policies Method NTLM authentication (Terminal Services compatibility mode) Redirect users to SSL Login page (with background tab) Redirect users to SSL Login page (with session cookie) Identify users according to the username logged into their Microsoft Windows workstation, and validate their credentials with the domain controller. Can be used in conjunction with Microsoft Terminal Services. Prerequisites: There must be a computer account for Guardian3 in Active Directory The account specified on the Services > Authentication > s page must have permission to join the computer to the domain. Note: Guardian3 supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM. Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames. This method works with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server Identify users with the Guardian3 authentication service. If no user is logged in, redirect web requests to the SSL Login page which checks their username and password. The Guardian3 authentication service supports only one user per client IP address. Using this method, the SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times. Select this method if a user s browser cannot accept cookies. This method is also suitable if a user s browser plugins or applications require the authenticated session to remain active. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user s workstation and the Guardian3 system is encrypted. To securely logout, the user must click Logout on the SSL Login page. For information on SSL Login, see your Smoothwall System Administrator s Guide. Identify users with the Guardian3 authentication service. If no user is logged in, redirect web requests to the SSL Login page which checks their username and password. The Guardian3 authentication service supports only one user per client IP address. Using this method, Guardian3 stores a session cookie on the user s browser. The cookie removes the need for the user to reauthenticate. This method is useful for users of tablet PCs and other mobile devices which have problems keeping tabs in browsers open in the background. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user s workstation and the Guardian3 system is encrypted. To securely logout, the user must click Logout from the SSL Login page. For information on SSL Login, see your Smoothwall System Administrator s Guide. 78

85 Smoothwall Guardian3 Administrator s Guide Method Core authentication Ident Identification by Location Kerberos (via redirect) NTLM identification (via redirect) Identify users with the Guardian3 authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group. The Guardian3 authentication service supports only one user per client IP address. Core authentication is typically used with the SSL Login page. For example, anonymous users can be allowed to certain sites only, but users can optionally log in to gain a higher level of access. Identify users according to the username returned by an Ident server running on their workstation. Guardian3 supports Ident for compatibility with any Ident-enabled networks your organization may already be using. Networks supporting Ident authentication require an Ident server application to be installed on all workstations that can be queried by Ident-enabled systems. The user does not need to enter their username as it is automatically supplied by the Ident server application. Once a user s Ident server has identified the user, the user s web activities will be filtered according to their authentication group membership. For details of how to configure this with your choice of Ident server, please refer to the ident server s administrator's guide. Note: Ident does not verify a user s credentials. It should only be used where all client workstations are secured and running an Ident server controlled by the network administrator. Unsecured clients can spoof their credentials. Identify users by their IP address. Assign a group based on the identification by location policy configured for their location. Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network. For more information, see Identification by Location on page 85. For information on locations, see Chapter 5, Working with Location Objects on page 49. Identify users with the Guardian3 authentication service. If no user is logged in, redirect Web requests to the Kerberos login page, which obtains the username logged into their Microsoft Windows workstation. For information on Kerberos pre-requisites and troubleshooting, see Appendix A, About Kerberos on page 246. The Guardian3 authentication service supports only one user per client IP address. Identify users with the Guardian3 authentication service. If no user is logged in, redirect Web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation. The Guardian3authentication service supports only one user per client IP address. Note: This option is for backwards compatibility with earlier versions of Guardian. 79

86 Managing Authentication Policies Creating Authentication Policies Method NTLM authentication (via redirect) Identify users with the Guardian3authentication service. If no user is logged in, redirect Web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller. The Guardian3authentication service supports only one user per client IP address. Note: This option is for backwards compatibility with earlier versions of Guardian. 3 Configure the following settings: Interface Port Enabled From the drop-down list, select the interface on which to apply the authentication policy. From the drop-down list, select the port on which to apply the authentication policy. Select to enable the policy. 4 Click Next and add the location at which the policy will apply. 5 Click Next and review the options for handling unauthenticated requests. When requests are permitted without requiring authentication, for example, entries on the Web proxy > Authentication > Exceptions page, Guardian3 assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list. 6 Click Next, select Enabled and click Confirm. Guardian3 displays the policy settings. 7 Review the settings and click Save to make the policy available for use. Creating Transparent Authentication Policies Transparent authentication policies enable you to apply a web filter policy and authentication requirements to a user or group of users. To create a transparent authentication policy: 1 Browse to the Web proxy > Authentication > Policy wizard page. 80

87 Smoothwall Guardian3 Administrator s Guide 2 Select Transparent and, from the Method drop-down list, select one of the following authentication methods: Method No authentication Kerberos Kerberos (Terminal Services compatibility mode) Redirect users to SSL Login page (with background tab) Redirect users to SSL Login page (with session cookie) Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group. Identify users by using the Kerberos keytab stored on Guardian3. For more information, see Chapter 14, Managing Kerberos Keytabs on page 173. For information on Kerberos pre-requisites and troubleshooting, see Appendix A, About Kerberos on page 246. Identify users by using the Kerberos keytab stored on Guardian3. For more information, see Chapter 14, Managing Kerberos Keytabs on page 173. For information on Kerberos pre-requisites and troubleshooting, see Appendix A, About Kerberos on page 246. This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server Identify users with the Guardian3 authentication service. If no user is logged in, redirect web requests to the SSL Login page which checks their username and password. The Guardian3 authentication service supports only one user per client IP address. Using this method, the SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times. Select this method if a user s browser cannot accept cookies. This method is also suitable if a user s browser plugins or applications require the authenticated session to remain active. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user s workstation and the Guardian3 system is encrypted. To securely logout, the user must click Logout on the SSL Login page. For information on SSL Login, see your Smoothwall System Administrator s Guide. Identify users with the Guardian3 authentication service. If no user is logged in, redirect web requests to the SSL Login page which checks their username and password. The Guardian3 authentication service supports only one user per client IP address. Using this method, Guardian3 stores a session cookie on the user s browser. The cookie removes the need for the user to reauthenticate. This method is useful for users of tablet PCs and other mobile devices which have problems keeping tabs in browsers open in the background. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user s workstation and the Guardian3 system is encrypted. To securely logout, the user must click Logout from the SSL Login page. For information on SSL Login, see your Smoothwall System Administrator s Guide. 81

88 Managing Authentication Policies Creating Authentication Policies Method Core authentication Identification by location Kerberos (via redirect) NTLM identification (via redirect) NTLM authentication (via redirect) Identify users with the Guardian3 authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group. The Guardian3 authentication service supports only one user per client IP address. Core authentication is typically used with the SSL Login page. For example, anonymous users can be allowed to certain sites only, but users can optionally log in to gain a higher level of access. Identify users by their IP address. Assign a group based on the identification by location policy configured for their location. Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network. For more information, see Identification by Location on page 85. For information on locations, see Chapter 5, Working with Location Objects on page 49. Identify users with the Guardian3 authentication service. If no user is logged in, redirect Web requests to the Kerberos login page, which obtains the username logged into their Microsoft Windows workstation. For information on Kerberos pre-requisites and troubleshooting, see Appendix A, About Kerberos on page 246. The Guardian3 authentication service supports only one user per client IP address. Identify users with the Guardian3 authentication service. If no user is logged in, redirect Web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation. The Guardian3 authentication service supports only one user per client IP address. Note: NTLM identification does not verify a user's credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials. Identify users with the Guardian3 authentication service. If no user is logged in, redirect Web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller. The Guardian3 authentication service supports only one user per client IP address. 3 Configure the following settings: Interface From the drop-down list, select the interface on which to apply the authentication policy. Note: For more information on the WCCP interface option, see Chapter 4, Configuring WCCP on page

89 Smoothwall Guardian3 Administrator s Guide HTTPS Spoofing Enabled Filter HTTPS traffic Select this option to transparently intercept HTTPS connections. Allow HTTPS traffic with no SNI header for the 'Transparent HTTPS incompatible sites' category Select this option to allow HTTPS traffic without a server name indication (SNI) field in its header. This allows access to content in the Transparent HTTPS incompatible sites content category based on a best-guess of the destination host by using DNS reverse lookup. For more information on content categories, see Chapter 5, Working with Category Group Objects on page 43. Note: When enabled, web requests allowed by this option will bypass any deployed HTTPS policies and will not be subjected to inspection or certificate checking. Note: This option is not applicable when configuring an authentication policy folder. For more information on folders, see Chapter 5, Working with Policy Folders on page 70. Select this option to allow upstream services to see network traffic as coming from the originating client s IP address rather than Network Guardian s IP address. Note: This option is only available when configuring a policy which uses a bridged interface. Select to enable the policy. When disabled, no filtering is performed on HTTPS requests from clients without deployed proxy settings. Note: Transparent HTTPS interception is not compatible with Internet Explorer running on Windows XP or earlier. 4 Click Next and add the location at which the policy will apply. 5 Click Next and review the options for handling unauthenticated requests. When requests are permitted without requiring authentication, for example, entries on the Web proxy > Authentication > Exceptions page, Guardian3 assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list. 6 Click Next, select Enabled and click Confirm. Guardian3 displays the policy settings. 7 Review the settings and click Save to make the policy available for use. 83

90 Managing Authentication Policies Managing Authentication Policies Managing Authentication Policies Guardian3 applies authentication policies in the order they are displayed on the Web proxy > Authentication > Manage policies page. You can re-order the policies by dragging and dropping them in new positions. To access authentication policies: 1 Browse to the Web proxy > Authentication > Manage policies page. Guardian3 displays the current authentication policies. Editing Authentication Policies You can make changes to authentication policies by editing them. To edit an authentication policy: 1 On the to the Web proxy > Authentication > Manage policies page, locate the policy you want to change. 2 Click the Edit policy button. Guardian3 displays the policy on the Web proxy > Authentication > Policy wizard page. 3 Make the changes you require, see Creating Authentication Policies on page 75 for more information on the settings available. 4 Click Confirm, review your changes and then click Save to save and apply the changes. Guardian3 applies the changes and prompts you to restart the Guardian3 proxy. 5 Click Restart proxy. Guardian3 restarts the proxy. Deleting Policies You can delete authentication policies you no longer require. To delete an authentication policy: 1 On the to the Web proxy > Authentication > Manage policies page, locate the policy you want to delete. 2 Click the Delete policy button. Guardian3 prompts you to confirm that you want to delete the policy. 84

91 Smoothwall Guardian3 Administrator s Guide 3 Click Delete. Guardian3 deletes the policy and prompts you to restart the Guardian3 proxy. 4 Click Restart proxy. Guardian3 restarts the proxy. Managing Authentication Exceptions You can configure Guardian3 to allow access to content without requiring authentication. For example, automatic Windows updates can be accessed without user authentication. Tip: Log in to our support portal and read more about applications known not to support authenticated proxies and how to put an authentication exception in place for them. To create an exception: 1 Browse to the Web proxy > Authentication > Exceptions page. 2 Select the content to be excepted from authentication and click Add. 3 Click Save to create the exception. Identification by Location You can configure Guardian3 to identify groups and/or users by the location in which they are situated. This ident by location status can be used to configure an identification by location authentication policy. Note: The settings configured on this page are only used when Identification by Location is selected as the method in an authentication policy. See Creating Authentication Policies on page 75 for more information. 85

92 Managing Authentication Policies Connecting to Guardian3 To configure identification by location: 1 Browse to the Web proxy > Authentication > Ident by location page. 2 From the Selected location drop-down list, select the location. 3 Select the groups and/or users to include in the location and click Add. 4 Click Confirm. Guardian3 lists the location in the Location to group mappings table. Connecting to Guardian3 The following sections explain how to connect non-transparently and transparently to Guardian3. About Non-transparent Connections Non-transparent connections from users web browsers to Guardian3 are suitable when content is accessed using HTTPS or when using NTLM or proxy authentication or identification in terminal services compatibility mode. Connecting to Guardian3 non-transparently entails configuring users web browsers to use Guardian3 as the web proxy using one of the following methods: Manually Web browser LAN settings are manually configured, see Creating a Non-transparent Connection Manually on page 87 for more information Automatic configuration script Web browser LAN settings are configured to receive proxy configuration settings from an automatic configuration script which is generated by Guardian3, see Configuring Non-transparent Connections Using a PAC Script on page 87 for more information 86

93 Smoothwall Guardian3 Administrator s Guide WPAD automatic script Web browser LAN settings are configured to detect proxy settings, see Configuring a Non-transparent Connection Using a WPAD Automatic Script on page 88 for more information. Creating a Non-transparent Connection Manually Note: The following instructions apply to Internet Explorer 7. For information on other browsers, see the documentation delivered with the browsers. To create a non-transparent connection manually: 1 On users computers, start Internet Explorer, and from the Tools menu, select Internet Options. 2 On the Connections tab, click LAN settings. 3 In the Automatic configuration area, check that Automatically detect settings and Use automatic configuration script are not selected. 4 In the Proxy server area, select Use a proxy server for your LAN 5 Enter Guardian3's IP address and port number 800 and select Bypass proxy server for local addresses. 6 Click Advanced to access more settings. In the Exceptions area, enter Guardian3 s IP address and any other IP addresses to content that you do not want filtered, for example, your intranet or local wiki. 7 Click OK and OK to save the settings. Configuring Non-transparent Connections Using a PAC Script A proxy auto-config (PAC) script is a file generated by Guardian3. Once configured, any changes to connections are automatically retrieved by the user s web browser. For information on working with PAC scripts, see Chapter 4, Using PAC Scripts on page 21. Note: The following instructions apply to Internet Explorer 7. For information on other browsers, see the documentation delivered with the browsers. To configure a non-transparent connection using a PAC script: 1 On the user s computer, start Internet Explorer, and from the Tools menu, select Internet Options. 2 On the Connections tab, click LAN settings. 3 Configure the settings as follows: Automatically detect settings Use automatic configuration script Address Deselect this option. Select this option. 4 Ensure that no other proxy settings are enabled or have entries. Enter the address of the script. Tip: To locate the address, navigate to the Web proxy > Web proxy > s page. The address is listed in the Automatic configuration script address area. Note: You may need to restart the web browser for the settings to take effect. 87

94 Managing Authentication Policies Authentication Scenarios Configuring a Non-transparent Connection Using a WPAD Automatic Script Note: This method is only for administrators familiar with configuring web and DNS servers. End-user browsers must support WPAD the latest versions of Microsoft Internet Explorer support this method. The WPAD method works by the web browser pre-pending the hostname wpad to the front of its fully qualified domain name and looking for a web server on port 80 that can supply a wpad.dat file. The file works in the same way as the automatic configuration script and tells the browser what web security policy it should use. To use WPAD: 1 Configure your network to use Guardian3 as the network web proxy. Consult your network documentation for more information on how to do this. 2 Using a local DNS server or Guardian3 s static DNS, add the host 'wpad.yourdomainname' substituting your own domain name. The host must resolve to Guardian3 s IP address. 3 Configure users browsers to automatically detect LAN settings. Note: Users computers must be configured with the same domain name as the A record. However, the Microsoft Knowledge Base article Q suggests that WPAD does not work on Windows Microsoft suggests that you should use a DHCP auto-discovery method using a PAC script. See the article for more information. About Transparent Connections You configure transparent connections from users computers Guardian3 by configuring computers network connections to use Guardian3 as the default gateway. In order for a transparent policy to work, the following must be in place: DNS must be set up correctly on your network so that user computers can resolve the short form of Guardian3 s hostname, for example: resolve mysystem for the hostname mysystem.example.com User computers and Guardian3 must be within the same DNS domain Internet Explorer must be configured to authenticate automatically with intranet sites. Authentication Scenarios The following are high level examples of how you can configure Guardian3 to suit your organization s authentication requirements. New Content Filtering Changing the Listening Port Anna runs an Internet cafe. She is replacing her current content filter with Guardian3 because of its superior filtering. To avoid reconfiguring each workstation, she needs Guardian3 to listen on the same port as before, which was port Anna goes to the Web proxy > Authentication > Policy page which shows the default configuration of no authentication on port 800. She clicks the Edit button on the entry displayed which takes her to the Web proxy > Authentication > Policy wizard page. On this page, all fields apart from interface and port are disabled. She changes the port to 3128 and saves her changes, and a message prompts her to restart Guardian3. 88

95 Smoothwall Guardian3 Administrator s Guide Providing Filtered Web Access to the Public Brian is a network administrator for a university. Staff and student web access is unfiltered, but Brian wants to provide filtered web access for a new conference centre open to the public. He does not want delegates to need to configure a proxy in their browsers. Brian configures Guardian3 to listen in transparent mode. On the Web proxy > Authentication > Policy wizard page, he selects Transparent and No authentication and leaves the other options at their defaults. After adding this entry, on the Web proxy > Authentication > Policy page, he can see the new transparent authentication policy so he removes the default entry for port 800. He then configures the firewall and DHCP servers on the network to route traffic through Guardian3. Requiring Authentication to Browse the Web Charlotte is a hotel manager. The hotel provides Internet access to guests via their own laptops and shared PCs in the lobby. The wireless network is secured but Charlotte needs to know which guest is responsible for web traffic in case of misuse. She wants a simple system which doesn t require guests to register their wireless devices. Charlotte creates a local user account for each room, with names like room23 and a random simple password. Guests are told the password for their room when they check in if they request Internet access, and the password is changed when they check out. Charlotte then configures Guardian3 in transparent mode on the Web proxy > Authentication > Policy page by adding a new entry for Transparent and Redirect to SSL Login, leaving the other options at their defaults. She removes the entry for port 800 before restarting Guardian3. Using Multiple Authentication Methods Donald is a college system administrator. His network contains Windows PCs, Macs, and network points for student laptops. Donald wants to provide authentication across the network using single sign on wherever possible. For Macs, Donald creates a location on the Guardian > Location > Policy wizard page, which he names Macs. This location contains the IP address ranges assigned to macs. On the Web proxy > Authentication > Policy page, he edits the default entry for port 800, changing the authentication method to NTLM authentication. Then he adds a new entry, choosing Ident authentication for the location Macs. This is displayed above the entry for NTLM on the policy page. Finally he adds an entry for the laptops for transparent connections and Redirect to SSL Login. Using group policy and central admin tools, he configures the Windows PCs and Macs to use Guardian3, and installs an Ident server on the Macs. Windows and Mac users now authenticate to Guardian3 using their desktop login session, but laptop users are presented with the SSL Login screen when they browse. Controlling an Unruly Class Ellen is a secondary school teacher. Ellen s students are supposed to be reading about the Civil War but are inclined to waste time when her back is turned. Ellen needs to be able to ban students from accessing the Internet as a punishment for misbehavior. While the students are working, Ellen looks around the room and also monitors web usage on the Logs and reports > Realtime > Web filter page. She sees that one of her students, Fred, is watching videos on YouTube, so she goes to the Services > Authentication > User activity page, scrolls to his login entry, and selects Ban. This takes her to the temporary bans page where she configures the ban to expire at the end of the lesson. When Fred clicks on another video, he is shown the block page. 89

96 Managing Authentication Policies Authentication Scenarios 90

97 Chapter 7 Guardian Alerts, Logs and Reports In this chapter: Configuring alerts Reviewing realtime and logged information Generating reports Backing up and restoring data. About Guardian Alerts You access the Guardian alerts and their settings on the Logs and reports> Alerts > Alerts page. Alert Guardian Violations Guardian upstream proxy status Guardian URL violations Guardian Web Proxy Failover Status Constantly monitors Guardian3 activity and generates warnings about suspicious or blocked web access. Web proxy failover status notifications occur when the web proxy either fails over, or fails back. Monitored once every five minutes Monitors URL activity once every five minutes. Web proxy failover status notifications occur when the web proxy either fails over, or fails back. Monitored once every five minutes Configuring the Guardian Violations Alert When configured and enabled, Guardian3generates warnings about suspicious or blocked web accesses. 91

98 Guardian Alerts, Logs and Reports About Guardian Alerts To set the alert: 1 On the Logs and reports > Alerts > Alert settings page, configure the following settings: Forbidden user accesses Monitor for blocked accesses Select to alert when the warning and caution thresholds are exceeded. Warning threshold Accept the default threshold, or enter a threshold above which a warning alert is generated. Caution threshold Accept the default threshold, or enter a threshold above which a caution alert is generated. Exclude adverts Select to exclude adverts when monitoring the number of accesses. Note: The alert will be triggered only if the method used to authenticate users supplies a username. For more information on authentication methods, see Chapter 6, Managing Authentication Policies on page 75. Forbidden IP address accesses 2 Click Save to save and apply the settings. Configuring the Guardian URL Violations Alert When configured and enabled, Guardian3 generates warnings about suspicious URL activity. To set the alert: 1 On the Logs and reports > Alerts > Alert settings page, configure the following settings: URLs to monitor Warning threshold Caution threshold 2 Click Save to save and apply the settings. Monitor for blocked accesses Select to alert when the warning and caution thresholds are exceeded. Warning threshold Accept the default threshold, or enter a threshold above which a warning alert is generated. Caution threshold Accept the default threshold, or enter a threshold above which a caution alert is generated. Exclude adverts Select to exclude adverts when monitoring the number of accesses. Enter a URL or part of a URL to monitor. Guardian3 will search for each entry exactly as entered. For example, any of the following entries: example.com real would match: Enter the number of URL matches above which a warning alert is generated. Enter the number URL matches above which a caution alert is generated. 92

99 Smoothwall Guardian3 Administrator s Guide Web Filter Logs Web filter logs provide detailed, configurable and searchable information on web filtering activity regarding user and group activity, source IPs, requested URLs, categories of web content requested and domains recorded. Configuring Web Filter Logs To access and configure the web filter log: 1 Navigate to the Logs and reports > Logs > Web filter page. Guardian3 displays the currently configured log entries. 2 Click Advanced, the following options are displayed: Option Username Source IP Group Code URL Select to display the usernames of users making web requests. Select to display source IP addresses that web requests are coming from. Select to display the logs for groups of users. Select to display the HTTP response status code. Select to display the URLs of the requested web resources. Note: When content matches a web filter policy, Guardian3 displays a link to the policy. To exclude certain types of URLs: 1 Click Exclude to display the drop-down menu. 2 Select which URLs to exclude from the viewer. The options are: Images Select to exclude all images. Javascript Select to exclude Javascript resource requests. CSS Select to exclude CSS resource requests. User defined Enter a regular expression to find and exclude a web resource. 3 Close the drop-down menu. Guardian3 excludes the web resource(s) specified and refreshes the displayed log entries. 93

100 Guardian Alerts, Logs and Reports Web Filter Logs Option Category Policy Domain SNI Select to display the categories a request was categorized as being in. Depending on how the request was categorized, Guardian3 may also display the following status information: Infected malware was found in the content. The name of the malware found is displayed. Denied access to the content was denied. The name(s) of the category/ categories which caused the request to be denied is displayed. Select to display which web filtering policy has been applied to the content. For more information on policies, see Chapter 5, Working with Policies on page 41. Select to display log entries recorded against domains. Select to display when an HTTPS request has not included a server name indication (SNI) field in its header. For more information on SNI, see Chapter 6, Creating Transparent Authentication Policies on page 80. Note: If an HTTPS request with no SNI field fails, the Code field will display 0. 3 Select the options you want to display. Guardian3 updates what is displayed. Monitoring Log Activity in Realtime It is possible to monitor web filter log activity in realtime. To monitor activity in realtime: 1 On the Logs and reports > Logs > Web filter page, click Realtime. Guardian3 displays the currently configured log options in realtime in a table of log entries and in the web filter graph. The results are updated automatically. Tip: To get a closer look at what is happening at a specific time, locate and click on that time in the graph. Guardian3 stops the realtime display and shows what has been logged at the time you clicked on. 2 To stop realtime monitoring, click Realtime. Guardian3 stops displaying realtime data. Searching for/filtering Information Guardian3 enables you to search for/filter information in a number of ways. To search for/filter information: 1 On the Logs and reports > Logs > Web filter page, use one or more of the following methods: Method Graph Time Free search term Group On the graph, locate and click on the time you are interested in. Guardian3 displays what was logged at the time you clicked on. Click in the date and time picker and specify when to search from. Click Apply. Guardian3 displays search results from the time specified and two hours forward. In the Username, Source IP, Code, URL or Domain column(s), enter one or more search terms. Guardian3 displays the search results. From the Group column drop-down menu, select the group you want to search for. 2 Depending on your search criteria, Guardian3 updates the information displayed. 94

101 Smoothwall Guardian3 Administrator s Guide Exporting Data It is possible to export logged data in comma-separated (CSV) format. To export data: 1 On the Logs and reports > Logs > Web filter page, configure or search for the data you want export. For more information, see Configuring Web Filter Logs on page 93 and Searching for/filtering Information on page Click Export. Follow your browser s prompts to save and export the data. Guardian Reports Guardian3 provides a number of Guardian reports which supply information on IP activity, sites visited and much more. Report types Blogs Category analysis Image and video sharing News Reference and educational Shopping and online auctions Social bookmarking Social networking Sport Web portals and search engines Contains reports on bloggers, blogs and WordPress activity. Contains reports on categories by hits and bandwidth and categories and the users who viewed sites within them. Contains reports on Dailymotion, Flickr, Fotolog, ImageShack, ImageVenue and YouTube. Contains reports on BBC News, CNet, CNN, general news and Slashdot. Contains reports on IMDB and Wikipedia. Contains reports on Amazon, Craigslist, EBay and shopping and online auctions. Contains reports on Delicious, Digg, Reddit and StumbleUpon. Contains reports on Bebo, Facebook, Friendster, Hi5, Linkedin, MySpace, Orkut, general social networking and Twitter. Contains reports on BBC Sport, ESPN and general sport. Contains reports on AOL, Google, search engines, Windows Live and MSN and Yahoo. For information on working with reports, see Chapter 15, Reporting on page

102 Guardian Alerts, Logs and Reports Guardian Reports 96

103 Chapter 8 Working with MobileProxy In this chapter: Configuring Guardian3 to deploy MobileProxy on mobile devices. Note: Please contact your Smoothwall representative to get the MobileProxy software and documentation on how to deploy it on devices. About MobileProxy Guardian3 s MobileProxy enables you to enforce your organization s web filtering policy on mobile devices owned by your organization. Note: Currently, MobileProxy works with mobile devices running Mac OS X. Deploying MobileProxy entails: Enabling MobileProxy and allowing external access for the MobileProxy server service on the external interface, see Enabling MobileProxy on page 98 Generating the MobileProxy client key for use on mobile devices, see Generating Client Keys on page 98 Specifying MobileProxy servers that devices can use, see Specifying MobileProxy Servers on page 98 Specifying exceptions for content that should not blocked, see Configuring Proxy Exceptions on page

104 Working with MobileProxy About MobileProxy Enabling MobileProxy The following section explains how to enable MobileProxy. To enable MobileProxy: 1 Browse to the Web proxy > Mobile proxy > s page. 2 In the Global options area, select Enable and click Save. When prompted, click Restart Proxy. Guardian3 restarts the proxy service and enables MobileProxy. 3 On the System > Administration > External access page, for the external interface, from the Service drop-down list, select MobileProxy server (61001). Click Add. Guardian3 makes MobileProxy available as an external service. Generating Client Keys Each MobileProxy-protected device must have a client key installed on it. Client keys are installed when installing the MobileProxy software on the device. For more information, see the MobileProxy Installation and Setup Guide for the devices. For information in working with server keys, see Managing MobileProxy Server Keys on page 100. Note: If you do not have a copy of the MobileProxy software for devices, contact your Smoothwall representative. To generate a client key: 1 Browse to the Web proxy > Mobile proxy > s page. 2 In the Manage MobileProxy keys area, click Download. Guardian3 generates the client key and prompts you to save it. 3 Save the client key in a secure location for use when you install the MobileProxy software on devices. Specifying MobileProxy Servers This is where you specify the proxy servers that will provide proxying for MobileProxy-protected devices. Note: All MobileProxy servers configured on this page must have the MobileProxy server key installed. See Managing MobileProxy Server Keys on page 100 for more information. 98

105 Smoothwall Guardian3 Administrator s Guide To specify proxy servers: 1 Browse to the Web proxy > Mobile proxy > Proxies page. 2 Configure the following settings: Server name Server address Comment Enter a name with which to identify the MobileProxy server. Enter the IP address or hostname of the MobileProxy server. Optionally, add other information on the MobileProxy server. 3 Click Save. Guardian3 saves the settings and lists the server in the MobileProxy servers area. Editing MobileProxy Servers You can make changes to a listed MobileProxy server. To edit a MobileProxy server: 1 On to the Web proxy > Mobile proxy > Proxies page, in the MobileProxy servers area, click the Edit proxy button for the proxy server you want to change. Guardian3 displays the settings in the Manage MobileProxy servers area. 2 Make the changes required, see Specifying MobileProxy Servers on page 98 for more information about the settings available. 3 Click Save. Guardian3 saves the changes and applies them. Deleting MobileProxy Servers You can delete a listed MobileProxy server. To delete a MobileProxy server: 1 On to the Web proxy > Mobile proxy > Proxies page, in the MobileProxy servers area, click the Delete proxy button for the proxy server you want to delete. Guardian3 prompts you to confirm that you want to delete the proxy server. 2 Click Delete. Guardian3 deletes the proxy server. 99

106 Working with MobileProxy Managing MobileProxy Server Keys Configuring Proxy Exceptions Guardian3 enables you to specify exceptions that MobileProxy should not proxy for on mobile devices. To specify an exception: 1 Browse to the Web proxy > Mobile proxy > Exceptions page. 2 Enter a valid hostname or IP address for each exception. Note: We recommend that you check that exceptions you configure are supported by the browsers used on MobileProxy-protected devices. Managing MobileProxy Server Keys When installing MobileProxy software on devices, a client key is also installed. In turn, all MobileProxy servers configured on the Web proxy > Mobile proxy > Proxies page must have the corresponding MobileProxy server key installed. The server key can be installed in one of the following ways: Replicating it from the Smoothwall System which supplied the client key, for more information, see Chapter 18, Centrally Managing Smoothwall Systems on page 233. Downloading it from the Smoothwall System which supplied the client key and manually uploading it to the MobileProxy servers. The following section explains how to manually upload the server key. To manually upload the server key: 1 On the Smoothwall System which supplied the client key, browse to the Web proxy > Mobile proxy > s page. 2 Click Advanced to access server key settings. Click Download and when prompted save the key in a secure location which the MobileProxy servers can access. 3 For all MobileProxy servers that do not get the server key via replication, browse to the Web proxy > Mobile proxy > s page and click Advanced. 4 Click Browse and locate the server key. Click Upload, the server key is uploaded and made available. MobileProxy-protected devices will now be able to use the proxy server. 100

107 Index A alerts administration login failures 91 guardian upstream proxy status 91 guardian URL violations 91 url violations 92 authentication core 79, 82 identification by IP 79, 82 NTLM 77, 78 SSL background tab 78, 81 session cookie 78, 81 B bandwidth limiting 24 blogs 95 C category analysis 95 D documentation 1 E enable filtering 9 F filters about 53, 57, 62, 64 H https inspection policies 56 I identification NTLM 77 image and video sharing 95 installing 3 1st Edition L leak client ip with x-forwarded-for header 31 load balancing 33 M message censor filtering enable 73 N news 95 P pages guardian anti malware policies manage policies 5 policy wizard 5 settings 5 status page 5 block page policies block pages 5 manage policies 5 policy wizard 5 content modification policies manage policies 5 policy wizard 5 https inspection policies manage policies 4 policy wizard 4 settings 4 policy objects category groups 5 locations 5 quotas 6 time slots 5 user defined 5 quick links getting started 4 quick block/allow 4 shortcuts 4 web filter policies exceptions 4 location blocking 4 manage policies 4 outgoing 4 policy wizard 4 web proxy authentication exceptions 7 ident by location 7 manage polices 7 policy wizard 7 mobile proxy exceptions 8 proxies 8 settings 7 upstream proxy 101

108 Index filters 7 manage policies 7 proxies 7 web proxy automatic configuration 7 bandwidth limiting 7 settings 7 wccp 7 policies https inspection 56 policy tester 68 Q quotas 50 R reference and educational 95 reports blogs 95 category analysis 95 image and video sharing 95 news 95 reference and educational 95 shopping and online auctions 95 social bookmarking 95 social networking 95 sport 95 web portals and search engines 95 S shopping and online auctions 95 sni 83 social bookmarking 95 social networking 95 sport 95 T training 1 1st Edition U upstream proxies 31 allow direct connections 31 default proxy 31 leak client ip with x-forwarded-for header 31 load balancing 33 url violations alert 91, 92 W web filtering configuring manual 87 web portals and search engines

109 Smoothwall Guardian3 Administrator s Guide 103

110