Secure Web Gateway Network Guardian Administration Guide


For future reference
Network Guardian serial number:
Date installed:
Smoothwall contact:

Smoothwall Network Guardian, Administration Guide, December 2014

Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Network Guardian. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Smoothwall. For more information, contact: Smoothwall Ltd. All rights reserved.

Trademark notice
Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd. Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation. All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries.

Acknowledgements
Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S. Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor.

Network Guardian contains graphics taken from the Open Icon Library project openiconlibrary.sourceforge.net/

Address: Smoothwall Limited, 1 John Charles Way, Leeds, LS12 6QA, United Kingdom
Email: [email protected]
Telephone: USA and Canada: / United Kingdom: / All other countries:
Fax: USA and Canada: / United Kingdom: / All other countries:

Contents

About This Guide ... 1
  Audience and Scope ... 1
  Organization and Use ... 1
  Conventions ... 2
  Related Documentation ... 2
Chapter 1 Introduction ... 3
  Overview of Network Guardian ... 3
  Annual Renewal ... 3
Chapter 2 Network Guardian Overview ... 5
  Accessing Network Guardian ... 5
  Dashboard ... 6
  Logs and reports ... 6
    Reports ... 7
    Alerts ... 7
    Realtime ... 8
    Logs ... 8
    Settings ... 9
  Networking ... 9
    Filtering ... 9
    Routing ... 9
    Interfaces
    Settings
  Services
    Authentication
    User Portal
    Proxies
    SNMP
    Message Censor
  System
    Maintenance
    Central Management
    Preferences
    Administration
    Hardware
    Diagnostics
    Certificates
  Guardian
    Quick Links
    Web Filter Policies
    HTTPS Inspection Policies
    Content Modification Policies
    Anti-malware Policies
    Block Page Policies
    Policy Objects
    Swurl
  Web Proxy
    Web Proxy
    Upstream Proxy
    Authentication
    MobileProxy
  Configuration Guidelines
    Specifying Networks, Hosts and Ports
    Using Comments
    Creating, Editing and Removing Rules
  Connecting via the Console
  Connecting Using a Client
    Secure Communication
    Unknown Entity Warning
    Inconsistent Site Address
Chapter 3 Working with Interfaces
  Configuring Global Settings for Interfaces
  Working with Bridges
    Creating Bridges
    Editing Bridges
    Deleting Bridges
  Working with Bonded Interfaces
    Creating Bonds
    Editing Bonds
    Deleting Bonds
  Configuring IP Addresses
    Adding an IP Address
    Editing an IP Address
    Deleting an IP Address
Chapter 4 Deploying Web Filtering
  Getting Up and Running
  Blocking and Allowing Content Immediately
  Blocking Locations
  Excepting Computers from Web Filtering
  About Shortcuts
  About Network Guardian's Default Policies
    About the Default Web Filter Policies
    About the Default Authentication Policies
Chapter 5 Working with Policies
  An Overview of Policies
    Types of Policies
    How Policies are Applied
  Guardian Getting Started
  Working with Category Group Objects
    Creating Category Group Objects
    Creating Custom Categories
    Editing Category Group Objects
    Deleting Category Group Objects
  Working with Time Slot Objects
    Creating a Time Slot
    Editing a Time Slot
    Deleting a Time Slot
  Working with Location Objects
    Creating a Location Object
    Editing Location Objects
    Deleting Location Objects
  Working with Quota Objects
    About the Default Quota Object
    Creating Quota Objects
    Editing Quota Objects
    Deleting Quota Objects
  Managing Web Filter Policies
    Creating Web Filter Policies
    Editing Web Filter Policies
    Deleting Web Filter Policies
  Managing HTTPS Inspection Policies
    Enabling HTTPS Inspection Policies
    Creating an HTTPS Inspection Policy
    Editing HTTPS Inspection Policies
    Deleting HTTPS Inspection Policies
    Configuring HTTPS Inspection Policy Settings
    Clearing the Generated Certificate Cache
  Managing Content Modification Policies
    Creating a Content Modification Policy
    Editing Content Modification Policies
    Deleting Content Modification Policies
    Creating Custom Content Modification Policies
  Managing Anti-malware Policies
    Creating an Anti-malware Policy
    Configuring Anti-malware Protection
    Configuring Anti-malware Status Information
    Editing Anti-malware Policies
    Deleting Anti-malware Policies
  Using the Policy Tester
    Other Ways of Accessing the Policy Tester
  Working with Policy Folders
    Creating a Policy Folder
    Editing Policy Folders
    Deleting Policy Folders
  Censoring Web Form Content
  Configuring Organization Accounts
Chapter 6 Managing Authentication Policies
  About Authentication Policies
  Creating Authentication Policies
    Creating Non-transparent Authentication Policies
    Creating Transparent Authentication Policies
  Managing Authentication Policies
    Editing Authentication Policies
    Deleting Policies
  Managing Authentication Exceptions
  Identification by Location
  Connecting to Network Guardian
    About Non-transparent Connections
    About Transparent Connections
  Authentication Scenarios
    New Content Filtering
    Changing the Listening Port
    Providing Filtered Web Access to the Public
    Requiring Authentication to Browse the Web
    Using Multiple Authentication Methods
    Controlling an Unruly Class
Chapter 7 Managing Web Security
  Overview of the Web Proxy
    Global Options
    Advanced Web Proxy Settings
  Using PAC Scripts
    Using a Built-in Script
    Using a Custom Script
    Managing the Configuration Script
  Limiting Bandwidth Use
    Ordering Bandwidth Limiting Policies
    Editing Bandwidth Limiting Policies
    Deleting Bandwidth Limiting Policies
  Configuring WCCP
  Managing Upstream Proxies
    Overview
    Configuring an Upstream Proxy
    Configuring Source and Destination Filters
    Using a Single Upstream Proxy
    Working with Multiple Upstream Proxies
  Managing Blocklists
    Viewing Blocklist Information
    Manually Updating Blocklists
  Managing Block Pages
    Customizing a Block Page
    Using a Custom HTML Template
    Using an External Block Page
    Configuring a Block Page Policy
    Managing Block Page Policies
    Working on Block Pages
Chapter 8 Managing Your Network Infrastructure
  Creating Subnets
    Editing and Removing Subnet Rules
  Using RIP
Chapter 9 General Network Security Settings
  Blocking by IP
    Creating IP Blocking Rules
    Editing and Removing IP Block Rules
  Configuring Advanced Networking Features
  Working with Port Groups
    Creating a Port Group
    Adding Ports to Existing Port Groups
    Editing Port Groups
    Deleting a Port Group
Chapter 10 Configuring Inter-Zone Security
  About Zone Bridging Rules
    Creating a Zone Bridging Rule
    Editing and Removing Zone Bridge Rules
  A Zone Bridging Tutorial
    Creating the Zone Bridging Rule
    Allowing Access to the Web Server
    Accessing a Database on the Protected Network
  Group Bridging
    Group Bridging and Authentication
    Creating Group Bridging Rules
    Editing and Removing Group Bridges
Chapter 11 Authentication and User Management
  Configuring Global Authentication Settings
  About Directory Servers
    Configuring a Microsoft Active Directory Connection
    Configuring an LDAP Connection
    Configuring a RADIUS Connection
    Configuring an Active Directory Connection Legacy Method
    Configuring a Local Users Directory
    Reordering Directory Servers
    Editing a Directory Server
    Deleting a Directory Server
    Diagnosing Directories
  Managing Local Users
    Adding Users
    Editing Local Users
    Deleting Users
  Managing Groups of Users
    About Groups
    Adding Groups
    Editing Groups
    Deleting Groups
    Mapping Groups
    Remapping Groups
    Deleting Group Mappings
  Managing Temporarily Banned Users
    Creating a Temporary Ban
    Removing Temporary Bans
    Removing Expired Bans
  Managing User Activity
    Viewing User Activity
    Logging Users Out
    Banning Users
  About SSL Authentication
    Customizing the SSL Login Page
    Reviewing SSL Login Pages
  Managing Kerberos Keytabs
    Adding Keytabs
    Managing Keytabs
Chapter 12 Centrally Managing Smoothwall Systems
  About Centrally Managing Smoothwall Systems
    Pre-requirements
  Setting up a Centrally Managed Smoothwall System
    Configuring the Parent Node
    Configuring Child Nodes
    Adding Child Nodes to the System
    Editing Child Node Settings
    Deleting Nodes in the System
  Managing Nodes in a Smoothwall System
    Monitoring Node Status
    Accessing the Node Details Page
    Working with Updates
    Rebooting Nodes
    Disabling Nodes
  Using BYOD in a Centrally Managed System
Appendix A User Authentication
  Overview
  Verifying User Identity Credentials
  About Authentication Mechanisms
    Other Authentication Mechanisms
    Choosing an Authentication Mechanism
  About the Login Time-out
  Network Guardian and DNS
    A Common DNS Pitfall
  Working with Large Directories
  Active Directory
    Active Directory Username Types
    Accounts and NTLM Identification
  About Kerberos
    Kerberos Pre-requisites and Limitations
  Troubleshooting
Glossary
Index


About This Guide

Smoothwall's Network Guardian is a licensed feature of your Smoothwall System. This manual provides guidance for configuring Network Guardian.

Audience and Scope
This guide is aimed at system administrators maintaining and deploying Network Guardian. This guide assumes the following prerequisite knowledge:
- An overall understanding of the functionality of the Smoothwall System
- An overall understanding of networking concepts

Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, contact your Smoothwall representative.

Organization and Use
This guide is made up of the following chapters and appendices:
- Chapter 1, Introduction on page 3
- Chapter 2, Network Guardian Overview on page 5
- Chapter 3, Working with Interfaces on page 25
- Chapter 4, Deploying Web Filtering on page 31
- Chapter 5, Working with Policies on page 37
- Chapter 6, Managing Authentication Policies on page 77
- Chapter 7, Managing Web Security on page 93
- Chapter 8, Managing Your Network Infrastructure on page 123

- Chapter 9, General Network Security Settings on page 127
- Chapter 10, Configuring Inter-Zone Security on page 135
- Chapter 11, Authentication and User Management on page 143
- Chapter 12, Centrally Managing Smoothwall Systems on page 167
- Appendix A: User Authentication on page 179
- Glossary on page 185
- Index on page 195

Conventions
The following typographical conventions are used in this guide:
  Key product terms: Initial Capitals (example: Network Guardian)
  Cross-references and references to other guides: Italics (example: See Chapter 1, Introduction on page 3)
  Filenames and paths: Courier (example: The portal.xml file)
  Variables that users replace: Courier Italics

This guide is written in such a way as to be printed on both sides of the paper.

Related Documentation
The following guides provide additional information relating to Network Guardian:
- Network Guardian Installation Guide, which describes how to install Network Guardian
- Network Guardian Operations Guide, which describes how to maintain Network Guardian
- Network Guardian Upgrade Guide, which describes how to upgrade Network Guardian
- Network Guardian User Portal Guide, which describes how to use the Network Guardian user portal

The Smoothwall website contains the Smoothwall support portal, knowledge base and the latest product manuals.

1 Introduction

This chapter introduces Network Guardian, including:
- Overview of Network Guardian on page 3
- Annual Renewal on page 3

Overview of Network Guardian
Welcome to Network Guardian, the intelligent web content filter that dynamically analyses, understands and categorizes all web content requested by your users. Network Guardian provides:
- Protection from pornography and objectionable content
- Controlled access to non work-related sites, such as news, sport, travel and auctions
- Protection from web-borne spyware, malware and browser exploits
- Reporting on Internet behavior and resource utilization
- Email security: anti-spam, anti-malware, mail relay and control

Annual Renewal
To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. For more information, contact your Smoothwall representative.


2 Network Guardian Overview

In this chapter:
- How to access Network Guardian
- An overview of the pages used to configure and manage Network Guardian

Accessing Network Guardian
To access Network Guardian:
1. In a web browser, enter the address of your Network Guardian, for example:
   Note: The example address above uses HTTPS to ensure secure communication with your Network Guardian. It is possible to use HTTP on port 81 if you are satisfied with less security.
   Note: The following sections assume that you have registered and configured Network Guardian as described in the Network Guardian Installation and Setup Guide.
2. Accept Network Guardian's certificate. The login screen is displayed.

3. Enter the following information:
   Username: Enter admin. This is the default Network Guardian administrator account.
   Password: Enter the password you specified for the admin account when installing Network Guardian.
4. Click Login. The Dashboard opens.

The following sections give an overview of Network Guardian's default sections and pages.

Dashboard
The dashboard is the default home page of your Network Guardian system. It displays service information and customizable summary reports.

Logs and reports
The Logs and reports section contains the following sub-sections and pages:

Reports
  Summary: Displays a number of generated reports. For more information, refer to the Network Guardian Operations Guide.
  Reports: Where you generate and organize reports. For more information, refer to the Network Guardian Operations Guide.
  Recent and saved: Lists recently-generated and previously saved reports. For more information, refer to the Network Guardian Operations Guide.
  Scheduled: Sets which reports are automatically generated and delivered. For more information, refer to the Network Guardian Operations Guide.
  Custom: Enables you to create and view custom reports. For more information, refer to the Network Guardian Operations Guide.

Alerts
  Alerts: Determine which alerts are sent to which groups of users and in what format. For more information, refer to the Network Guardian Operations Guide.
  Alert settings: Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, refer to the Network Guardian Operations Guide.

Realtime
  System: A real time view of the system log with some filtering options. For more information, refer to the Network Guardian Operations Guide.
  Firewall: A real time view of the firewall log with some filtering options. For more information, refer to the Network Guardian Operations Guide.
  Email: Displays the email log viewer running in real time mode. For more information, see Logs on page 112.
  Portal: A real time view of activity on user portals. For more information, refer to the Network Guardian Operations Guide.
  IM proxy: A real time view of recent instant messaging conversations. For more information, see Realtime Instant Messaging on page 104.
  Web filter: Displays the web filter log viewer running in real time mode. For more information, see Web Filter Logs on page 105.
  Traffic graphs: Displays a real time bar graph of the bandwidth being used. For more information, refer to the Network Guardian Operations Guide.

Logs
  System: Simple logging information for the internal system services. For more information, refer to the Network Guardian Operations Guide.
  Firewall: Displays all data packets that have been dropped or rejected by the firewall. For more information, refer to the Network Guardian Operations Guide.
  Email: Displays sender, recipient, subject and other message information. For more information, see Logs on page 112.
  IM proxy: Displays information on instant messaging conversations. For more information, see IM Proxy Logs on page 116.
  Web filter: Displays time, username, source IP and other web filtering information. For more information, see Web Filter Logs on page 105.
  Log settings: Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, refer to the Network Guardian Operations Guide.

Settings
  Datastore settings: Contains settings to manage the storing of log files. For more information, refer to the Network Guardian Operations Guide.
  Groups: Where you create groups of users which can be configured to receive automated alerts and reports. For more information, refer to the Network Guardian Operations Guide.
  Output settings: Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, refer to the Network Guardian Operations Guide.

Networking
The Networking section contains the following sub-sections and pages:

Filtering
  Zone bridging: Used to define permissible communication between pairs of network zones. For more information, see About Zone Bridging Rules on page 135.
  Group bridging: Used to define the network zones that are accessible to authenticated groups of users. For more information, see Group Bridging on page 140.
  IP block: Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Creating IP Blocking Rules on page 127.

Routing
  Subnets: Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Creating Subnets on page 123.
  RIP: Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Using RIP on page

Interfaces
  Interfaces: Configure and display information on your Network Guardian's internal interfaces. For more information, see Configuring Global Settings for Interfaces on page 26.
  Internal aliases: Used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a virtual subnet without the need for physical switches. For more information, see on page 126.

Settings
  Port groups: Create and edit groups of ports for use throughout Network Guardian. For more information, see Working with Port Groups on page 132.
  Advanced: Used to configure advanced network and traffic auditing parameters. For more information, see Configuring Advanced Networking Features on page 129.

Services
The Services section contains the following sub-sections and pages:

Authentication
  Settings: Used to set global login time settings. For more information, see Configuring Global Authentication Settings on page 144.
  Directories: Used to connect to directory servers in order to retrieve groups and apply network and web filtering permissions and verify the identity of users trying to access network or Internet resources. For more information, see About Directory Servers on page 145.
  Groups: Used to customize group names. For more information, see Managing Groups of Users on page 156.
  Temporary bans: Enables you to manage temporarily banned user accounts. For more information, see Managing Temporarily Banned Users on page 159.
  User activity: Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Managing User Activity on page 161.
  SSL login: Used to customize the end-user SSL login page. For more information, see About SSL Authentication on page 162.
  Kerberos keytabs: This is where Kerberos keytabs are imported and managed. For more information, see Managing Kerberos Keytabs on page 164.
  BYOD: Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, refer to the Network Guardian Operations Guide.

User Portal
  Portals: This page enables you to configure and manage user portals. For more information, refer to the Network Guardian Operations Guide.
  Group access: This page enables you to assign groups of users to portals. For more information, refer to the Network Guardian Operations Guide.
  User access: This page enables you to override group settings and assign a user directly to a portal. For more information, refer to the Network Guardian Operations Guide.

Proxies
  Instant messenger: Used to configure and enable instant messaging proxying. For more information, refer to the Network Guardian Operations Guide.
  FTP: Used to configure and enable a proxy to manage FTP traffic. For more information, refer to the Network Guardian Operations Guide.

SNMP
  SNMP: Used to activate Network Guardian's Simple Network Management Protocol (SNMP) agent. For more information, refer to the Network Guardian Operations Guide.

Message Censor
  Policies: Enables you to create and manage filtering policies by assigning actions to matched content. For more information, refer to the Network Guardian Operations Guide.
  Filters: This is where you create and manage filters for matching particular types of message content. For more information, refer to the Network Guardian Operations Guide.
  Time: This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, refer to the Network Guardian Operations Guide.
  Custom categories: Enables you to create and manage custom content categories for inclusion in filters. For more information, refer to the Network Guardian Operations Guide.

System
The System section contains the following sub-sections and pages:

Maintenance
  Updates: Used to display and install available product updates, in addition to listing currently installed updates. For more information, refer to the Network Guardian Operations Guide.
  Modules: Used to upload, view, check, install and remove Network Guardian modules. For more information, refer to the Network Guardian Operations Guide.
  Licenses: Used to display and update license information for the licensable components of the system. For more information, refer to the Network Guardian Operations Guide.
  Archives: Used to create and restore archives of system configuration information. For more information, refer to the Network Guardian Operations Guide.
  Scheduler: Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, refer to the Network Guardian Operations Guide.
  Shutdown: Used to shut down or reboot the system. For more information, refer to the Network Guardian Operations Guide.

Central Management
  Overview: This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Managing Nodes in a Smoothwall System on page 173.
  Child nodes: This is where you add and configure nodes in a Smoothwall system. For more information, see Configuring Child Nodes on page 169.
  Local node settings: This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Setting up a Centrally Managed Smoothwall System on page

Preferences
  User interface: Used to manage Network Guardian's dashboard settings. For more information, refer to the Network Guardian Operations Guide.
  Time: Used to manage Network Guardian's time zone, date and time settings. For more information, refer to the Network Guardian Operations Guide.
  Registration options: Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, refer to the Network Guardian Operations Guide.
  Hostname: Used to configure Network Guardian's hostname. For more information, refer to the Network Guardian Operations Guide.

Administration
  Admin options: Used to enable secure access to Network Guardian using SSH, and to enable referral checking. For more information, refer to the Network Guardian Operations Guide.
  External access: Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Network Guardian. For more information, refer to the Network Guardian Operations Guide.
  Administrative users: Used to manage user accounts and set or edit user passwords on the system. For more information, refer to the Network Guardian Operations Guide.

Hardware
  UPS: Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, refer to the Network Guardian Operations Guide.
  Modem: Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, refer to the Network Guardian Operations Guide.

Diagnostics
  Functionality tests: Used to ensure that your current Network Guardian settings are not likely to cause problems. For more information, refer to the Network Guardian Operations Guide.
  Configuration report: Used to create diagnostic files for support purposes. For more information, refer to the Network Guardian Operations Guide.
  IP tools: Contains the ping and trace route IP tools. For more information, refer to the Network Guardian Operations Guide.
  Whois: Used to find and display ownership information for a specified IP address or domain name. For more information, refer to the Network Guardian Operations Guide.
  Traffic analysis: Used to generate and display detailed information on current traffic. For more information, refer to the Network Guardian Operations Guide.

Certificates
  Certificate authorities: Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, refer to the Network Guardian Operations Guide.

Guardian
The Guardian section contains the following sub-sections and pages:

Quick Links
  Getting started: This page provides an overview of what comprises a web filter policy, a link to the default policies and an introduction to policy wizards. For more information, see Guardian Getting Started on page 40.
  Shortcuts: This page provides direct links to tasks you might do on a daily basis, such as blocking and allowing sites and running reports. For more information, see About Shortcuts on page 35.
  Quick block/allow: This page enables you to block or allow content immediately. For more information, see Blocking and Allowing Content Immediately on page 32.
  Policy tester: The policy tester enables you to test whether a URL is available to a specific person at a specific location and time. For more information, see Using the Policy Tester on page 69.

Web Filter Policies
  Manage policies: This is where you manage how web filtering policies are applied. For more information, see Managing Web Filter Policies on page 49.
  Policy wizard: This is where you can configure a custom web filtering policy. For more information, see Creating Web Filter Policies on page 50.
  Location blocking: Enables you to block computers at a specific location from accessing web content. For more information, see Blocking Locations on page 33.
  Exceptions: Here you can exempt computers from any web filtering. For more information, see Excepting Computers from Web Filtering on page 33.
  Outgoing: This is where you configure outgoing settings for a censor policy for content and/or files posted using web forms. For more information, see Censoring Web Form Content on page

HTTPS Inspection Policies
  Manage policies: This is where you manage HTTPS inspection policies that decrypt and inspect encrypted communications. For more information, see Managing HTTPS Inspection Policies on page 53.
  Policy wizard: This is where you create custom policies for managing encrypted communications. For more information, see Creating an HTTPS Inspection Policy on page 54.
  Settings: This is where you manage CA security certificates and configure HTTPS interception messages. For more information, see Configuring HTTPS Inspection Policy Settings on page 57.

Content Modification Policies
  Manage policies: This is where you manage content modification policies that apply recommended security rules and enforce SafeSearch in browsers. For more information, see Managing Content Modification Policies on page 59.
  Policy wizard: Enables you to create custom policies for applying security rules and enforcing SafeSearch in browsers. For more information, see Creating a Content Modification Policy on page

Anti-malware Policies
  Manage policies: This is where you manage policies that protect against malware. For more information, see Managing Anti-malware Policies on page 64.
  Policy wizard: This is where you can create custom policies to protect against malware. For more information, see Creating an Anti-malware Policy on page 64.
  Status page: Enables you to customize anti-malware information shown when downloading files. For more information, see Configuring Anti-malware Status Information on page 67.
  Settings: This is where you enable malware protection. For more information, see Creating an Anti-malware Policy on page 64.

Block Page Policies
  Manage policies: This is where you manage block page policies. For more information, see Managing Block Page Policies on page 120.
  Policy wizard: This is where you create and edit block page policies. For more information, see Configuring a Block Page Policy on page 119.
  Block pages: This is where you create and edit block pages. For more information, see Managing Block Pages on page 114.

Policy Objects
  Category groups: This is where you manage content categories used when applying a web filtering policy. For more information, see Working with Category Group Objects on page 40.
  User defined: This is where you manage custom content categories. For more information, see Creating Custom Categories on page 42.
  Time slots: This is where you create and manage time slot policy objects for use in content filtering policies. For more information, see Working with Time Slot Objects on page 44.
  Locations: This is where you create and manage location policy objects for use in content filtering policies. For more information, see Working with Location Objects on page 45.
  Quotas: This is where you create and manage quota policy objects for use in content filtering policies. For more information, see Working with Quota Objects on page

Swurl

Pages:
Settings: This is where you configure your organization's Swurl account. For more information, see Configuring Organization Accounts on page 74.

Web Proxy

The Web proxy section contains the following sub-sections and pages:

Web Proxy

Pages:
Settings: This is where you configure and manage web proxy settings. For more information, see Overview of the Web Proxy on page 94.
Automatic configuration: This is where you create and make available proxy auto-configuration (PAC) scripts. For more information, see Using PAC Scripts on page 98.
Bandwidth limiting: This is where you can manage how much bandwidth is made available to clients. For more information, see Limiting Bandwidth Use on page 100.
WCCP: This is where you can configure Network Guardian to join a Web Cache Coordination Protocol (WCCP) cache engine cluster. For more information, see Configuring WCCP on page 102.

Upstream Proxy

Pages:
Manage policies: This is where you manage upstream proxy policies. For more information, see Working with Multiple Upstream Proxies on page 110.
Proxies: This is where you configure upstream proxy settings. For more information, see Configuring an Upstream Proxy on page 105.
Filters: This is where you manage upstream proxy source and destination filters. For more information, see Configuring Source and Destination Filters on page

Authentication

Pages:
Manage policies: This is where you manage authentication policies, which determine which web filter policies are applied. For more information, see Chapter 6, Managing Authentication Policies on page 77.
Policy wizard: This is where you create and edit authentication policies. For more information, see Creating Authentication Policies on page 78.
Exceptions: This is where you can exempt content from authentication. For more information, see Managing Authentication Exceptions on page 87.
Ident by location: This is where you configure identification of groups and/or users by their location. For more information, see Identification by Location on page 88.

MobileProxy

Pages:
Settings: On this page, you configure global MobileProxy server settings. For more information, refer to the Network Guardian Operations Guide.
Proxies: On this page, you manage MobileProxy servers for use with mobile devices. For more information, refer to the Network Guardian Operations Guide.
Exceptions: On this page, you specify proxy exceptions. For more information, refer to the Network Guardian Operations Guide.

Configuration Guidelines

This section provides guidance about how to enter suitable values for frequently required configuration settings.

Specifying Networks, Hosts and Ports

IP Address
An IP address defines the network location of a single network host. The following format is used:

IP Address Range
An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. For example:

Subnet Addresses
A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways: / /24

Netmasks
A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use. Examples:

Service and Ports
A service or port identifies a particular communication port in numeric format. For ease of use, a number of well-known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples:

Port Range
A port range can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used: 137:139

Using Comments

Almost every configurable aspect of Network Guardian can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against the configuration settings they implement. Comments are entered in the Comment fields and displayed alongside saved configuration information.

Creating, Editing and Removing Rules

Much of Network Guardian is configured by creating rules, for example, IP block rules and administration access rules.

Creating a Rule
To create a rule:
1. Enter configuration details in the Add a new rule area.
2. Click Add to create the rule and add it to the appropriate Current rules area.

Editing a Rule
To edit a rule:
1. Find the rule in the Current rules area and select its adjacent Mark option.
2. Click Edit to populate the configuration controls in the Add a new rule area with the rule's current configuration values.
3. Change the configuration values as necessary.
4. Click Add to re-create the edited rule and add it to the Current rules area.

Removing a Rule
To remove one or more rules:
1. Select the rule(s) to be removed in the Current rules area.
2. Click Remove to remove the selected rule(s).

Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created. On such pages, the Add a new rule and Current rules areas will be Add a new host and Current users, etc.

Connecting via the Console

You can access Network Guardian via a console using the Secure Shell (SSH) protocol.

Note: By default, Network Guardian only allows SSH access if it has been specifically configured. See Configuring Administration Access Options on page 144 for more information.

Connecting Using a Client
When SSH access is enabled, you can connect to Network Guardian via a secure shell application, such as PuTTY.
To connect using an SSH client:
1. Check SSH access is enabled on Network Guardian. See Configuring Administration Access Options on page 144 for more information.

2. Start PuTTY or an equivalent client.
3. Enter the following information:
Host Name (or IP address): Enter Network Guardian's host name or IP address.
Port: Enter 222.
Protocol: Select SSH.
4. Click Open. When prompted, enter root, and the password associated with it. You are given access to the Network Guardian command line.

Secure Communication

When you connect your web browser to Network Guardian's web-based interface on an HTTPS port for the first time, your browser will display a warning that Network Guardian's certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity, or that you are connecting to a site pretending to be another site.

Unknown Entity Warning
This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, Network Guardian's certificate is a self-signed certificate.

Note: The data traveling between your browser and Network Guardian is secure and encrypted.

To remove this warning, your web browser needs to be told to trust certificates generated by Network Guardian. To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser's documentation for information on how to import the certificate.

Inconsistent Site Address
Your browser will generate a warning if Network Guardian's certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address. A certificate can only contain a single site name, and in Network Guardian's case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match.

To remove this warning, access Network Guardian using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated. In most cases, browsers have an option you can select to ignore this warning and which will ignore these security checks in the future.

Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.

3 Working with Interfaces

This chapter describes how to configure the interfaces (network interface cards) on your Network Guardian, including:
Configuring Global Settings for Interfaces on page 26
Working with Bridges on page 27
Working with Bonded Interfaces on page 28
Configuring IP Addresses on page 29

Configuring Global Settings for Interfaces

Global settings determine Network Guardian's primary and secondary DNS addresses.
To configure global settings:
1. Browse to the Networking > Interfaces > Interfaces page. The following global interface settings are available:
Default gateway: A drop-down list of the current gateways available.
Primary DNS: If Network Guardian is to be integrated as part of an existing DNS infrastructure, enter the appropriate DNS server information within the existing infrastructure. For more information, see Network Guardian and DNS on page 181.
Secondary DNS: Enter the IP address of the secondary DNS server, if one is available.

Working with Bridges

It is possible to deploy Network Guardian in-line using two or more NICs to create a transparent bridge on which Deep Packet Inspection is possible. The following sections explain how to create, edit and delete bridges.

Creating Bridges
To create a bridge:
1. On the Networking > Interfaces > Interfaces page, click Add new interface.
2. In the Add new interface dialog box, configure the following settings:
Name: Enter a name for the bridge.
Type: Select Bridge.
Ports: From the ports listed as available, select the ports to be used as bridge members.
Use as: Select one of the following:
  External: Select to use the bridge as an external interface.
  Basic interface: Select to use the bridge as an interface with one or more IP addresses on it.
MAC: Accept the displayed MAC address or enter a new one.
3. Click Add. Network Guardian adds the bridge to the list on the Networking > Interfaces > Interfaces page.

Editing Bridges
To edit a bridge:
1. On the Networking > Interfaces > Interfaces page, point to the bridge and click Edit.
2. In the Edit interface dialog box, make the changes needed. See Creating Bridges on page 27 for information on the settings available.
3. Click Save changes. Network Guardian applies the changes.

Deleting Bridges
To delete a bridge:
1. On the Networking > Interfaces > Interfaces page, point to the bridge and click Delete.
2. When prompted, click Delete to confirm you want to delete the bridge. Network Guardian deletes the bridge.

Working with Bonded Interfaces

Network Guardian enables you to bind two or more NICs into a single bond. Bonding enables the NICs to act as one, thus providing high availability.

Creating Bonds
To create a bond:
1. On the Networking > Interfaces > Interfaces page, click Add new interface.
2. In the Add new interface dialog box, configure the following settings:
Name: Enter a name for the bond.
Type: Select Bonding.
Ports: From the ports listed as available, select the ports to be used as bond members.
Use as: Select one of the following:
  External: Select to use the bond as an external interface.
  Basic interface: Select to use the bond as an interface with one or more IP addresses on it.
  Bridge member: Select to use the bond as a member of a bridge. For more information, see Working with Bridges on page 27.
MAC: Accept the displayed MAC address or enter a new one.
3. Click Add. Network Guardian adds the bond to the list on the Networking > Interfaces > Interfaces page.

Editing Bonds
To edit a bond:
1. On the Networking > Interfaces > Interfaces page, point to the bond and click Edit.
2. In the Edit interface dialog box, make the changes needed. See Creating Bonds on page 28 for information on the settings available.
3. Click Save changes. Network Guardian applies the changes.

Deleting Bonds
To delete a bond:
1. On the Networking > Interfaces > Interfaces page, point to the bond and click Delete.
2. When prompted, click Delete to confirm you want to delete the bond. Network Guardian deletes the bond.

Configuring IP Addresses

The following sections explain how to add, edit and delete IP addresses used by interfaces.

Adding an IP Address
To add an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface you want to add an IP address to.
2. In the IP addresses dialog box, click Add new address. In the Add new address dialog box, configure the following settings:
Status: Select Enabled to enable the IP address for the NIC.
IP address: Enter an IP address.
Subnet mask: Enter the subnet mask.
Gateway: Optionally, enter a gateway.
3. Click Add. Network Guardian adds the IP address to the interface.

Editing an IP Address
To edit an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to edit.
2. In the IP addresses dialog box, point to the address and click Edit.
3. In the Edit address dialog box, make the changes needed and click Save changes. Network Guardian applies the changes.

Deleting an IP Address
To delete an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to delete.
2. In the IP addresses dialog box, point to the address and click Delete.
3. When prompted, click Delete. Network Guardian deletes the address.


4 Deploying Web Filtering

This chapter describes how to deploy Guardian's web filter, including:
Getting Up and Running on page 31
About Network Guardian's Default Policies on page 36

Getting Up and Running

By default, Network Guardian comes with a comprehensive set of web filter policies and an authentication policy which you can use immediately in order to protect your users and your organization. The following section explains how to use these policies to get web filtering up and running quickly.

Tip: Log in to our support portal and read about initial setup considerations, testing and refining filter settings, and tips on content filtering.

To get up and running:
1. On users' computers, configure the web browser to use port 800 on Network Guardian as the web proxy, that is, non-transparent proxying.

2. Navigate to the Web proxy > Web proxy > Settings page.
3. Check that the Guardian option is enabled.
4. Scroll to the bottom of the page and click Save and Restart. Network Guardian starts to provide web security.
5. On a user's computer, browse to . Network Guardian blocks access to the site and displays a block page.

You can edit the default policies and create new policies to suit your organization. For more information, see Chapter 5, Working with Policies on page 37.

Blocking and Allowing Content Immediately

Network Guardian enables you to block or allow content immediately without having to create or edit a web filter policy.
To block or allow content immediately:
1. Browse to the Guardian > Quick links > Quick block/allow page.
2. Enter the URL to the content you want to block or allow.

3. Click Block or Allow depending on what you want. Network Guardian immediately blocks or allows the content and adds the URL to the appropriate custom blocked or allowed content lists.

Blocking Locations

Network Guardian enables you to block web-enabled resources at a specific location from accessing content.
To block a location:
1. Browse to the Guardian > Web filter > Location blocking page.
2. Locate the location and click Block. Network Guardian blocks any web-enabled resources at that location from accessing web content.
For more information on locations, see Chapter 5, Working with Location Objects on page 45.

Excepting Computers from Web Filtering

Network Guardian enables you to exempt specific computers from any web filtering. You can configure exceptions based on the source IP address or the destination IP address.

Configuring Source Exceptions
A source exception IP using a non-transparent connection will have unfiltered access to the Internet if configured to use port 801. A source exception IP going through an interface where transparent proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to Network Guardian. A source exception IP using a transparent connection requires no client browser configuration.

To configure a source exception:
1. Browse to the Guardian > Web filter > Exceptions page.
2. In the Manage source exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. Network Guardian exempts the computer(s) from any web filtering.

Configuring Destination Exceptions
A destination exception IP which goes through an interface where transparent proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to Network Guardian.
To configure a destination exception:
1. Browse to the Guardian > Web filter > Exceptions page.
2. In the Manage destination exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. Network Guardian exempts the computer(s) from any web filtering.

About Shortcuts

Network Guardian provides a number of shortcuts to tasks you might carry out on a daily basis.
To access the shortcuts:
1. Browse to the Guardian > Quick links > Shortcuts page.
2. Click on a link to be taken to the task's page.
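The source and destination exception lists above accept the same notations that the Configuration Guidelines in the Network Guardian Overview describe: a single IP address, a low-to-high IP range that may span subnets, an address with a dotted netmask or a /prefix, and, for port fields, a low:high port range such as 137:139. The following Python is an added example, not Smoothwall's code: it parses those notations with the standard library's ipaddress module and checks a client address against an exception list. The function names, the invalid-entry check and the sample entries are this example's own constructions.

```python
"""Parse the address and port notations from the Configuration Guidelines
(single IP, low-high range, IP/netmask, IP/prefix, low:high port range) and
check a client address against a source or destination exception list.
Added example, not Network Guardian code; the sample lists are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class IPRange:
    """Inclusive low-to-high range of IPv4 hosts; it may span subnets."""
    low: ipaddress.IPv4Address
    high: ipaddress.IPv4Address

    def __contains__(self, addr: ipaddress.IPv4Address) -> bool:
        return self.low <= addr <= self.high


AddressSpec = Union[ipaddress.IPv4Address, ipaddress.IPv4Network, IPRange]


def parse_address_spec(text: str) -> AddressSpec:
    """Accept '10.0.0.5', '10.0.0.1-10.0.1.20', '10.0.0.0/24' or
    '10.0.0.0/255.255.255.0' (the guide's two subnet notations)."""
    text = text.strip()
    if "-" in text:
        low_s, high_s = (part.strip() for part in text.split("-", 1))
        low, high = ipaddress.IPv4Address(low_s), ipaddress.IPv4Address(high_s)
        if low > high:
            raise ValueError(f"range must run from low to high: {text}")
        return IPRange(low, high)
    if "/" in text:
        # strict=False tolerates an 'arbitrary IP address' with host bits set,
        # which the guide allows when an address is combined with a mask.
        return ipaddress.IPv4Network(text, strict=False)
    return ipaddress.IPv4Address(text)


def parse_port_spec(text: str) -> range:
    """Accept a single port ('443') or the guide's low:high form ('137:139');
    returns an inclusive range object."""
    text = text.strip()
    if ":" in text:
        low_s, high_s = text.split(":", 1)
        low, high = int(low_s), int(high_s)
    else:
        low = high = int(text)
    if not (0 < low <= high <= 65535):
        raise ValueError(f"bad port specification: {text}")
    return range(low, high + 1)


def address_matches(addr: str, spec: AddressSpec) -> bool:
    """True if addr is the address, or falls inside the network or range."""
    a = ipaddress.IPv4Address(addr)
    if isinstance(spec, ipaddress.IPv4Address):
        return a == spec
    return a in spec  # IPv4Network and IPRange both support 'in'


def is_exempt(client_ip: str, exception_entries: List[str]) -> bool:
    """True if the client falls inside any entry of an exception list
    (one IP, range or CIDR per entry, as entered on the Exceptions page)."""
    return any(address_matches(client_ip, parse_address_spec(e))
               for e in exception_entries)


def invalid_entries(entries: List[str]) -> List[str]:
    """Entries that would be rejected: useful before pasting a list into the UI."""
    bad = []
    for e in entries:
        try:
            parse_address_spec(e)
        except ValueError:
            bad.append(e)
    return bad


if __name__ == "__main__":
    # Constructed source-exception list, as an administrator might enter it.
    SOURCE_EXCEPTIONS = ["10.10.1.50", "10.10.2.0/24", "10.10.3.10-10.10.4.20"]
    for ip in ("10.10.1.50", "10.10.2.77", "10.10.4.21"):
        print(ip, "exempt" if is_exempt(ip, SOURCE_EXCEPTIONS) else "filtered")
    print("invalid:", invalid_entries(["10.1.1.20-10.1.1.10", "300.1.1.1"]))
```

A range entry is checked as an inclusive low-high comparison rather than being expanded to a network, which is what lets it span subnets as the guide says; the netmask form is normalised by ipaddress, so 10.0.0.9/255.255.255.0 and 10.0.0.0/24 are the same exception.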

About Network Guardian's Default Policies

The following sections discuss Network Guardian's default web filtering and authentication policies.

About the Default Web Filter Policies
Network Guardian's default web filtering policies are:
Web filter policies: these policies allow users access to custom specified content, access to specific web sites at lunch time, and Microsoft Windows updates. They also block core and custom specified undesirable content and adverts, and enforce file security. To review this policy, browse to the Guardian > Web filter > Manage policies page. For information on customizing web filter policies, see Chapter 5, Managing Web Filter Policies on page 49.
HTTPS inspection policies: these policies can be enabled to allow users to access online banking sites securely while inspecting encrypted traffic and checking security certificates. To review these policies, browse to the Guardian > HTTPS inspection > Manage policies page. For information on customizing HTTPS inspection policies, see Chapter 5, Managing HTTPS Inspection Policies on page 53.
Content modification policies: these policies apply recommended security rules and force search engines to use SafeSearch functionality. To review these policies, browse to the Guardian > Content modification policies > Policy page. For information on customizing content modification policies, see Chapter 5, Managing Content Modification Policies on page 59.
Anti-malware policy: this policy protects against malware and viruses. To review this policy, browse to the Guardian > Anti-malware > Manage policies page. For information on customizing anti-malware policies, see Chapter 5, Managing Anti-malware Policies on page 64.

About the Default Authentication Policies
Network Guardian comes with the following authentication policy ready for use:
Non-transparent authentication policy: any user's browser configured to use Network Guardian on port 800 as its web proxy will have this authentication policy applied to it.
For information on creating more authentication policies, see Chapter 6, About Authentication Policies on page

5 Working with Policies

This chapter describes how to configure and maintain Guardian policies, including:
An Overview of Policies on page 38
Working with Category Group Objects on page 40
Working with Time Slot Objects on page 44
Working with Location Objects on page 45
Working with Quota Objects on page 47
Managing Web Filter Policies on page 49
Managing HTTPS Inspection Policies on page 53
Managing Content Modification Policies on page 59
Managing Anti-malware Policies on page 64
Using the Policy Tester on page 69
Working with Policy Folders on page 70
Censoring Web Form Content on page 72
Configuring Organization Accounts on page 74

An Overview of Policies

Policies determine how Network Guardian handles web content to best protect your users and your organization. You can create and deploy custom policies to fit your organization. Deploying custom policies entails:
Configuring custom policies based on your organization's Acceptable Usage Policies (AUPs); for more information, see Types of Policies on page 38
Configuring authentication policies; for more information, see Chapter 6, Creating Authentication Policies on page 78
Configuring users' browsers or network connections to use Network Guardian as their web proxy or default gateway; for more information, see Connecting to Network Guardian on page 89.

Types of Policies
Network Guardian enables you to create the following types of policies:
Web filter policies: Web filter policies determine whether to allow, block, soft block or whitelist web content that a user has requested. For more information, see Managing Web Filter Policies on page 49.
HTTPS inspection policies: When enabled, HTTPS inspection policies determine whether to decrypt and inspect encrypted content, in order to determine how to handle the content based on web filter policies. HTTPS inspection policies can also be used to validate web site certificates. For more information, see Managing HTTPS Inspection Policies on page 53.
Content modification policies: Content modification policies can be used to identify and stop malicious content embedded in web pages from being accessed. For information, see Managing Content Modification Policies on page 59.
Anti-malware policies: Anti-malware policies are used to protect against malware and viruses. For information on customizing anti-malware policies, see Managing Anti-malware Policies on page 64.

How Policies are Applied
How Network Guardian applies policies depends on the original web request from a user. The following diagrams give a high-level view of what happens when a user makes a non-encrypted (HTTP) web request and an encrypted (HTTPS) web request.

[Diagram: Applying Policies to a HTTP Web Request]

Guardian Getting Started
The Getting started page explains policies and policy objects.

Working with Category Group Objects

A category group object is a collection of URLs, domains, phrases, lists of file types and/or security rules. Network Guardian uses category group objects in policies to determine if a user should be allowed access to the content they have requested using their web browser.

Creating Category Group Objects

The following section explains how to create a category group object to be used in a web filter policy.
To create a category group object:
1. Browse to the Guardian > Policy objects > Category groups page.
2. In the Manage category groups area, configure the following settings:
Name: Enter a name for the category group.
Comment: Optionally, enter a comment to make it easier to remember what the category contains.
Content categories: Select the content you want to include in the category group object. Click [ + ] to access and view any sub-categories available. Tip: Click the Advanced view option to access more detailed information on the content.
3. Click Save. The category group object is saved and added to the list of groups of content available.

Creating Custom Categories

You can define new categories of content for use in category group objects to suit your organization's requirements.
To create custom categories, do the following:
1. Browse to the Guardian > Policy objects > Categories page.
2. From the Manage categories panel, configure the following parameters:
Name: The name of the category.
Comment: Enter an optional description for this category.
Domain/URL filtering: Enter the domains and/or URLs for this category. Only one entry is allowed per line. Note that www. is not needed for URLs.
3. Optionally, click Advanced to access the following settings:
Search term filtering: Enter one search term, surrounded by delimiters, per line, for example:
( hardcore )
(xxx)
Spaces before and after a term are not removed, thus simplifying searching for whole words. Parentheses (or one of the other delimiters below) are required. You can use the following delimiters: [] () {} <>

URL patterns: Enter one URL pattern per line, for example:
( adultsite sexdream )
The example above looks for URLs containing either the word adultsite or the word sexdream. You can use the following delimiters: [] () {} <>
Note: If the URL pattern you enter contains a delimiter, you must use a different delimiter to contain the whole pattern. For example: [ mysearchwith(abracket) ]
File extensions: Enter one file extension, e.g. .doc, or MIME type, e.g. application/octet-stream, per line. You must include the dot (.) when entering file extensions.
4. Click Save. Network Guardian creates the content category and makes it available on the Guardian > Policy objects > Category groups page.

Searching for URLs in User-defined Categories

You can search in user-defined categories to determine which ones match a particular URL.
Note: A search can take up to a minute to complete.
To search for a URL in a category:
1. Browse to the Guardian > Policy objects > User defined page.
2. In the Enter URL field, enter the URL you want to search for.
3. Click Find categories. Network Guardian displays the names and components of any categories in which the URL was found.

Editing Category Group Objects

You can edit category group objects to suit your organization's requirements.
To edit a category group object:
1. Browse to the Guardian > Policy objects > Category groups page.
2. From the Category groups list, select the object you want to edit and click Edit category group. Network Guardian displays the object in the Manage category groups area. Click [ + ] to access and view any sub-categories available. Tip: Click the Advanced view option to access more detailed information on the content and sub-categories.
3. Select any new content you want to add to the object and de-select any content you want to remove from the object.
4. Click Save. Network Guardian saves and applies the changes.
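The custom-category fields above use a small format of their own: one entry per line, each wrapped in one of the delimiter pairs [] () {} <>, with inner spaces kept so that " hardcore " only matches a whole word, and a different pair used when the pattern itself contains a delimiter. The following Python is an added example, not Network Guardian's matching engine: it parses that format and matches constructed URLs against it. Three points are this example's assumptions rather than statements from the guide: search terms are checked against the decoded query string of the requested URL padded with one space on each side, a multi-word URL pattern matches a URL containing any of its words (which is how the guide describes its two-word example), and file-type entries are matched on the URL path or the response Content-Type.

```python
"""Parse and match the delimited entries of a custom category (search terms,
URL patterns, file extensions / MIME types).  Added example, not Network
Guardian code; the category definitions and URLs below are constructed,
apart from the entries quoted from the guide."""
from typing import List, Optional
from urllib.parse import unquote_plus, urlsplit

DELIMITERS = {"[": "]", "(": ")", "{": "}", "<": ">"}


def entry_error(line: str) -> Optional[str]:
    """Why a line is not a valid delimited entry, or None if it is valid."""
    line = line.strip()
    if len(line) < 2 or line[0] not in DELIMITERS:
        return f"entry must start with one of [ ( {{ <: {line!r}"
    if line[-1] != DELIMITERS[line[0]]:
        return f"entry must end with the matching delimiter: {line!r}"
    return None


def parse_entries(block: str) -> List[str]:
    """Inner text of each non-empty line, outer delimiters removed and
    internal spaces preserved.  '[ mysearchwith(abracket) ]' is accepted
    because only the outermost pair is stripped."""
    terms = []
    for raw in block.splitlines():
        if not raw.strip():
            continue
        err = entry_error(raw)
        if err:
            raise ValueError(err)
        terms.append(raw.strip()[1:-1])
    return terms


def match_search_term(url: str, terms: List[str]) -> Optional[str]:
    """First search term found in the URL's decoded query string.  Padding the
    query with spaces lets a ' word ' entry match a whole word at either end."""
    query = " " + unquote_plus(urlsplit(url).query).lower() + " "
    for term in terms:
        if term.lower() in query:
            return term
    return None


def match_url_pattern(url: str, patterns: List[str]) -> Optional[str]:
    """First URL pattern one of whose words appears anywhere in the URL."""
    target = url.lower()
    for pattern in patterns:
        if any(word.lower() in target for word in pattern.split()):
            return pattern
    return None


def match_file_type(url: str, content_type: str, entries: List[str]) -> Optional[str]:
    """Entries are extensions with the leading dot (.doc) or MIME types
    (application/octet-stream); extensions match the URL path, MIME types
    match the response Content-Type with any parameters removed."""
    path = urlsplit(url).path.lower()
    ctype = content_type.split(";", 1)[0].strip().lower()
    for entry in entries:
        e = entry.strip().lower()
        if e.startswith("."):
            if path.endswith(e):
                return entry
        elif e == ctype:
            return entry
    return None


# Constructed category definition in the guide's format (one entry per line).
SEARCH_TERMS = parse_entries("( hardcore )\n(xxx)\n")
URL_PATTERNS = parse_entries("( adultsite sexdream )\n[ mysearchwith(abracket) ]\n")
FILE_TYPES = [".doc", "application/octet-stream"]

if __name__ == "__main__":
    print(match_search_term("https://search.example/?q=free+hardcore+videos", SEARCH_TERMS))
    print(match_search_term("https://search.example/?q=hardcorefans", SEARCH_TERMS))
    print(match_url_pattern("http://www.sexdream.example/index.html", URL_PATTERNS))
    print(match_file_type("http://files.example/report.DOC", "text/html", FILE_TYPES))
```

The second search in the usage block returns None: " hardcore " with its surrounding spaces does not occur inside "hardcorefans", which is exactly the whole-word behaviour the guide attributes to keeping the spaces.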

Deleting Category Group Objects

You can delete category group objects you no longer require.
To delete a category group object:
1. Browse to the Guardian > Policy objects > Category groups page.
2. From the Category groups list, select the content category object you want to delete and click Delete category group. Network Guardian deletes the object.
Note: You cannot delete a category group object if it is in use in a policy. You must first remove the object from the policy.

Working with Time Slot Objects

You can configure Network Guardian to allow or stop users accessing the Internet during certain time periods, depending on the time and day.

Creating a Time Slot
The following section explains how to create a time slot for use in a web filter policy.
To create a time slot:
1. Navigate to the Guardian > Policy objects > Time slots page.

2. Configure the following settings:
Name: Enter a name for the time slot.
Comment: Optionally, enter a comment to help identify when the period is used.
3. In the time-table, click and drag to select the periods of time you want to include in the time slot.
4. Click Save. Network Guardian creates the time slot and adds it to the list of time slots. It also makes the time slot available, where applicable, on the policy wizard pages for inclusion in policies.

Editing a Time Slot
The following section explains how to edit a time slot.
To edit a time slot:
1. Navigate to the Guardian > Policy objects > Time slots page and, in the Time slots area, locate the time slot you want to edit.
2. Click the Edit time button. Network Guardian displays the time slot in the time-table. Tip: You can use the Clear and Edit in full-text mode options to make changes to the time slot.
3. Make the changes you require and click Save. Network Guardian makes the changes and saves the time slot.

Deleting a Time Slot
The following section explains how to delete a time slot.
To delete a time slot:
1. Navigate to the Guardian > Policy objects > Time slots page and, in the Time slots area, locate the time slot you want to delete.
2. Click the Delete time button. Network Guardian deletes the time slot.

Working with Location Objects

Network Guardian enables you to create locations into which you can place resources such as desktop and laptop computers. You can use a location to block the resources at the location from accessing external networks or the Internet.

Creating a Location Object
To create a location object:
1. Browse to the Guardian > Policy objects > Locations page.
2. In the Manage location area, configure the following settings:
Name: Enter a name for the location object.
Addresses: Enter an IP address, hostname, IP range or a subnet of the resource(s), for example:
  For a computer, enter:
  For a range of computers, enter:
  For content identified by a hostname, enter: roaming_laptop
3. Optionally, click Advanced and configure the following settings to define exceptions to any address ranges you specified in the previous step:
Exceptions: Enter an individual IP, hostname, IP range or a subnet of the resource(s), for example:
  To make an exception for a computer, enter:
  To make an exception for a range of computers, enter:
4. Click Save. Network Guardian adds the resources to the location object and lists it in the Locations list.

Editing Location Objects
You can edit a location object.
To edit a location object:
1. On the Guardian > Policy objects > Locations page, in the Locations area, select the location and click the Edit location button. Network Guardian displays the settings.
2. Make the changes you require.
3. Click Save. Network Guardian updates the resources in the location object and lists it in the Locations list.

Deleting Location Objects
You can delete location objects you no longer require.
Note: You cannot delete a location object if it is in use in a policy. You must first remove the object from the policy.
To delete a location object:
1. Browse to the Guardian > Policy objects > Locations page.
2. In the Locations list, locate the location object you want to delete and click the Delete location button. Network Guardian deletes the location object.

Working with Quota Objects

Network Guardian's quota objects enable you to limit user access to content on a daily basis. When a quota is used in a web filter policy, users to whom the policy is applied are prompted to confirm that they want to access the content and are told how long their quota is and how much of the quota they have left.

About the Default Quota Object
Network Guardian comes with a default quota object which is ready for use in a web filtering policy. When used, the default quota limits access to the relevant content to 60 minutes per 24 hours. Users will be prompted every 10 minutes to confirm that they want to continue using their quota. Default quotas are reset daily at 04:00.
You can edit the default quota but you cannot remove it: there must always be a default in case the quota action is used in a web filtering policy. For more information on using quotas and web filtering policies, see Creating Web Filter Policies on page

Creating Quota Objects

Creating a quota object entails specifying who the quota applies to, how long the quota is, how often to prompt the user to confirm that they want to continue using their quota, and when the quota is reset.

To create a quota object:

1. Browse to the Guardian > Policy objects > Quotas page.

2. Click Create a new quota and configure the following settings:

   Available users or groups: From the list, select the user(s) and/or group(s) to whom the quota will apply. Tip: Enter a name or part of a name and Network Guardian searches for users and groups that match. Click Add.

   Duration: Move the slider to set the duration of the quota.

   Prompt every: From the drop-down list, select how often users are prompted to confirm that they want to use more of their quota.

   Reset at: From the drop-down list, select when the quota is reset.

   Enable quota: Select to enable the quota.

3. Click Save. Network Guardian creates the quota and lists it on the Guardian > Policy objects > Quotas page.

4. Drag and drop the quota object to the correct position in the list.

Note: Quotas are applied in the order in which they are listed on the Guardian > Policy objects > Quotas page, and the first quota object that matches a user is the one that applies. You must therefore consider a quota's position when using it.

Take, for example, Bob. Bob is a member of the Staff group, and the Staff group has a quota of 60 minutes. Because of Bob's responsibilities, however, he needs a quota of 120 minutes. To ensure Bob gets the quota he needs, create a quota object that applies to Bob and, on the Guardian > Policy objects > Quotas page, list it above the Staff quota object. When Network Guardian applies the web filtering policy to the Staff group, it checks the quotas in order and allows Bob 120 minutes while other members of the Staff group get 60 minutes. If Bob's quota object is listed below the Staff group's quota object, Bob gets 60 minutes like everyone else.

For more information on using quotas in web filtering policies, see Creating Web Filter Policies on page 50.

Editing Quota Objects

It is possible to edit a quota object's settings.

To edit a quota object:

1. On the Guardian > Policy objects > Quotas page, locate the quota you want to change and click its Edit quota button. Network Guardian displays the settings.
2. Make the changes required. See Working with Quota Objects on page 47 for more information on the settings available.
3. Click Save. Network Guardian updates the quota and lists it on the Guardian > Policy objects > Quotas page.

Deleting Quota Objects

You can delete a quota object when it is no longer required.

To delete a quota object:

1. On the Guardian > Policy objects > Quotas page, locate the quota you want to delete and click its Delete quota button. Network Guardian deletes the quota and removes it from the Guardian > Policy objects > Quotas page.

Managing Web Filter Policies

Network Guardian processes web filter policies in order of priority, from top to bottom, until it finds a policy whose conditions match the request. When it finds a match, Network Guardian applies the action configured in that policy: block, allow, whitelist, soft block or limit to quota. Policies listed below the first match are not consulted for that request, so an exception must always be placed above the broader policy it is meant to override. You can review the default web filter policies on the Guardian > Web filter > Manage policies page and change the order by dragging and dropping policies in the list.

The following sections discuss how to create, edit and delete web filter policies.
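The ordered, first-match evaluation described above (for both web filter policies and quota objects) is easy to get wrong when a list grows, so the following model is added here to make the rule concrete. It is example code, not part of Network Guardian or this guide: it evaluates the Who, What, Where and When conditions that the policy wizard collects (see Creating Web Filter Policies below) against an ordered list, resolves the quota for a "limit to quota" action from an ordered quota list, and reproduces the Bob scenario. It is also the check the policy tester (see Using the Policy Tester) performs for you on the appliance. All policy names, groups, categories, locations and time slots are constructed for the example.

```python
"""First-match evaluation of ordered web filter policies and quota objects.

Added example; the condition semantics are an assumption, not Network Guardian's code.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class TimeSlot:
    name: str
    days: set          # weekday numbers, 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= at.time() < self.end


@dataclass
class Policy:
    name: str
    who: set           # user names and/or group names
    what: set          # content categories or category groups
    where: set         # location object names
    when: list         # TimeSlot objects; an empty list means "always"
    action: str        # block / allow / whitelist / soft block / limit to quota
    enabled: bool = True

    def matches(self, user, groups, categories, location, at) -> bool:
        if not self.enabled:
            return False
        if not (self.who & (groups | {user})):
            return False
        if not (self.what & categories):
            return False
        if location not in self.where:
            return False
        return not self.when or any(slot.active(at) for slot in self.when)


@dataclass
class Quota:
    name: str
    who: set
    minutes: int
    enabled: bool = True


def resolve_quota(quotas, user, groups):
    """Quotas are consulted top to bottom; the first enabled one naming the user or a group wins."""
    for quota in quotas:
        if quota.enabled and (quota.who & (groups | {user})):
            return quota
    return None


def evaluate(policies, quotas, user, groups, categories, location, at, default="allow"):
    """Walk the ordered policy list and return (policy name, action, quota minutes or None)."""
    groups, categories = set(groups), set(categories)
    for policy in policies:
        if policy.matches(user, groups, categories, location, at):
            minutes = None
            if policy.action == "limit to quota":
                quota = resolve_quota(quotas, user, groups)
                minutes = quota.minutes if quota else None
            return policy.name, policy.action, minutes
    return None, default, None


# Constructed sample configuration for the example (not from the guide).
LUNCH = TimeSlot("lunch", {0, 1, 2, 3, 4}, time(12, 0), time(13, 0))
POLICIES = [
    Policy("media lunch ads", {"media students"}, {"advertising"}, {"campus"}, [LUNCH], "allow"),
    Policy("block ads", {"students", "media students"}, {"advertising"}, {"campus"}, [], "block"),
    Policy("staff social quota", {"staff"}, {"social networking"}, {"campus"}, [], "limit to quota"),
]
QUOTAS = [Quota("bob", {"bob"}, 120), Quota("staff", {"staff"}, 60)]   # Bob's quota listed first
AT_LUNCH = datetime(2014, 12, 1, 12, 30)   # a Monday
AFTER_LUNCH = datetime(2014, 12, 1, 14, 0)

if __name__ == "__main__":
    print(evaluate(POLICIES, QUOTAS, "alice", {"media students"}, {"advertising"}, "campus", AT_LUNCH))
    print(evaluate(POLICIES, QUOTAS, "alice", {"media students"}, {"advertising"}, "campus", AFTER_LUNCH))
    print(evaluate(POLICIES, QUOTAS, "bob", {"staff"}, {"social networking"}, "campus", AFTER_LUNCH))
    print(resolve_quota(list(reversed(QUOTAS)), "bob", {"staff"}).minutes)   # Bob below Staff: 60
```

Swapping the order of the two quota objects, or of the two advertising policies, changes the outcome without any setting being edited, which is why the guide tells you to drag a new exception to the top of the list.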

Creating Web Filter Policies

You can create custom web filter policies to allow or block specific content, allow access to specific web sites at certain times, or apply an acceptable usage policy (AUP) to meet your organization's requirements.

To create a web filter policy:

1. Browse to the Guardian > Web filter > Policy wizard page.

2. Complete the following steps:

   Step 1: Who. From the Available users or groups list, select the user(s) and/or group(s) to whom the policy will apply. Tip: Enter a name or part of a name and Network Guardian searches for users and groups that match. Click Add and, when you have added all the users and/or groups, click Next to continue.

   Step 2: What. From the Available categories or category groups list, select what is to be filtered. Tip: Enter the name or part of the name and Network Guardian searches for content that matches. Click Add and, when you have selected all the content, click Next to continue.

   Step 3: Where. From the Available locations list, select where the policy will apply. Tip: Enter the name or part of the name and Network Guardian searches for locations that match. Click Add and, when you have added the location(s), click Next to continue.

   Step 4: When. From the Available time slots list, select when the policy will apply. Tip: Enter the name or part of the name and Network Guardian searches for time slots that match. Click Add and, when you have added the time slot(s), click Next to continue.

   Step 5: Action. Select one of the following actions to use when applying this policy:

   Create policy folder: Select this action when configuring a policy at a central installation where you need to create policy folders for multiple locations or groups.

   Block: Select this action to block the selected content.

   Allow: Select this action to allow the content. Allowed content is still scanned for malware if an anti-malware policy is in place, and Network Guardian may also categorize the content and apply any content modification policies in place. You can use this option to create specific exceptions to broad blocking policies. Another use is to prevent over-blocking of diverse content such as news articles, which may fall under a variety of categorizations depending on the subject of the article.

   Whitelist: Select this action to whitelist the selected content. When content is whitelisted, Network Guardian does not examine it any further. Whitelisting is applied early, while Network Guardian is checking URLs, so whitelisted content is not subjected to outgoing filtering or dynamic content analysis. Content modification policies may still be applied, unless the categorization of the original, unmodified URL matches the whitelist. Whitelisting may help to conserve system resources and prevent unintentional blocking of trusted content, such as online banking sites or Windows updates. Note: Whitelisted content is not scanned for malware, so whitelist only destinations you trust, and prefer Allow where malware scanning must be retained.

   Soft block: Select this action to soft block the selected content. Anyone trying to access the content is prompted by Network Guardian to confirm that they want to access it.

   Limit to quota: Select this action to apply a quota when applying the policy. When the policy is applied, Network Guardian checks the quotas defined on the Guardian > Policy objects > Quotas page and limits access to the requested content based on the matching quota object's settings. Note: Any content already being streamed or downloaded by a user is not stopped when the user's quota runs out.

   Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 70.

3. Select Enable policy to enable the policy and click Confirm.

4. Network Guardian displays the settings you have selected. Review them and click Save to create the policy. Network Guardian creates the policy and makes it available on the Guardian > Web filter > Manage policies page. You must now specify in what order Network Guardian should apply the policy.

5. Browse to the Guardian > Web filter > Manage policies page.

6. Locate the policy in the Filtering policies area. Drag and drop the policy to where you want Network Guardian to apply it. For example, if you have created a policy which allows media students to access advertising content during their lunch break, drag the policy to the top of the list so that it is matched before any policy that blocks advertising.

7. Click Save. Network Guardian re-orders and applies the filtering policies and allows all users in the media student group to access adverts during their lunch break.

Editing Web Filter Policies

You can edit an existing web filter policy to suit your organization's requirements.

To edit a web filter policy:

1. Browse to the Guardian > Web filter > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Network Guardian displays the policy settings on the Guardian > Web filter > Policy wizard page.
3. Make the changes necessary; see Creating Web Filter Policies on page 50 for more information on working with policies.
4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Guardian > Web filter > Manage policies page.

Deleting Web Filter Policies

You can delete a web filter policy you no longer require.

To delete a web filter policy:

1. Browse to the Guardian > Web filter > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Remove. Network Guardian deletes the policy.

Managing HTTPS Inspection Policies

The following sections discuss how to create, edit and delete HTTPS inspection policies.

HTTPS inspection policies enable you to inspect and manage communication between users on your network and web sites which use HTTPS, by configuring an inspection method for different user groups, destinations and locations. Network Guardian processes HTTPS inspection policies in order of priority as listed on the Guardian > HTTPS inspection > Manage policies page, from top to bottom, until a match is found. You can change the order by dragging and dropping policies into new positions.

Network Guardian comes with three pre-configured HTTPS inspection policies which handle the following content:

Online banking: when enabled, this policy allows end-users to do online banking without their communications being decrypted and inspected.

All encrypted content accessed by unauthenticated IPs: when enabled, this policy decrypts and inspects all encrypted content that users at unauthenticated IPs try to access.

Certificate validation: enabled by default, this policy checks the certificates presented by web sites. Any site whose certificate is self-signed, out of date or otherwise invalid is blocked.

Enabling HTTPS Inspection Policies

The following section explains how to enable HTTPS inspection policies that are listed on the Guardian > HTTPS inspection > Manage policies page.

To enable HTTPS inspection policies:

1. Browse to the Guardian > HTTPS inspection > Manage policies page.
2. Locate the policy you want to enable, click the Enabled button and select Enable.
3. Repeat the step above for any other policies you want to enable and then click Save. Network Guardian enables the policies.

Note: When you enable, for the first time, an HTTPS inspection policy which decrypts and inspects content, Network Guardian informs you that users' browsers must trust the Network Guardian CA certificate in order for the policy to work; without it, browsers will show certificate errors for every intercepted site. You can click Guardian CA certificate in the text displayed and download the certificate ready for import into browsers. See Managing Certificates on page 58 for more information on how to import the certificate.

Creating an HTTPS Inspection Policy

When an HTTPS inspection policy is in place, Network Guardian displays a warning page informing users who try to access an HTTPS web site that their communication with the site is being monitored. Users must actively accept the monitoring by clicking Yes in order to continue to the site, or click No to end the communication.

Note: You must configure HTTPS settings and certificates in order for an HTTPS inspection policy to work. For more information, see Configuring HTTPS Inspection Policy Settings on page 57.

To create an HTTPS inspection policy:

1. Browse to the Guardian > HTTPS inspection > Policy wizard page.

2. Complete the following steps:

   Step 1: Who. From the Available users or groups list, select who the policy will apply to. Tip: Enter a name or part of a name and Network Guardian searches for users and groups that match. Click Add and, when you have added all the users and/or groups, click Next to continue.

   Step 2: What. From the Available categories or category groups list, select what is to be inspected. Tip: Enter the name or part of the name and Network Guardian searches for content that matches. Click Add and, when you have added all the categories or category groups, click Next to continue.

   Step 3: Where. From the Available locations list, select where the policy will apply. Tip: Enter the name or part of the name and Network Guardian searches for locations that match. Click Add and, when you have added the location(s), click Next to continue.

   Step 4: When. From the Available time slots list, select when the policy will apply. Tip: Enter the name or part of the name and Network Guardian searches for time slots that match. Click Add and, when you have added the time slot(s), click Next to continue.

   Step 5: Action. Select one of the following actions to apply:

   Create policy folder: Select this action when configuring Network Guardian at a central installation where you need to create policy folders for multiple locations or groups.

   Decrypt and inspect: Select this action to decrypt and inspect the encrypted content.

   Validate certificate only: Select this action to check the certificates presented by web sites without decrypting the content. Any site whose certificate is self-signed, out of date or otherwise invalid is blocked.

   Do not inspect: Select this action to leave the communication uninspected. An example of using this would be to exempt banking sites from interception when a blanket policy of inspecting all HTTPS communication is in place. Content that is not decrypted cannot be examined beyond its destination, so use this action only for destinations you are prepared to trust.

   Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 70.

3. Select Enable policy to enable the policy and then click Confirm.

4. Network Guardian displays the settings you have selected. Review them and click Save to create the policy. Network Guardian creates the policy and makes it available on the Guardian > HTTPS inspection > Manage policies page. You must now specify in what order Network Guardian should apply the policy.

5. Browse to the Guardian > HTTPS inspection > Manage policies page.

6. Locate the policy in the HTTPS policies area. Drag and drop the policy to where you want Network Guardian to apply it. For example, if you have created a policy which does not inspect the Google HTTPS AdSense site when accessed by marketing students, drag the policy to the top of the list so that it is matched before any policy that decrypts and inspects all content.

7. Click Save. Network Guardian re-orders and applies the HTTPS inspection policies and allows all users in the marketing student group to access the Google AdSense site without interception.

Editing HTTPS Inspection Policies

You can edit an existing HTTPS inspection policy to suit your organization's requirements.

To edit an HTTPS inspection policy:

1. Browse to the Guardian > HTTPS inspection > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Network Guardian displays the policy settings on the Guardian > HTTPS inspection > Policy wizard page.
3. Make the changes necessary; see Creating an HTTPS Inspection Policy on page 54 for more information on working with policies.
4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Guardian > HTTPS inspection > Manage policies page.

Deleting HTTPS Inspection Policies

You can delete an HTTPS inspection policy you no longer require.

To delete an HTTPS inspection policy:

1. Browse to the Guardian > HTTPS inspection > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Remove. Network Guardian deletes the policy.

Configuring HTTPS Inspection Policy Settings

For HTTPS inspection policies to work, you must configure HTTPS inspection policy settings. Configuring these settings entails exporting the certificate authority (CA) certificate, importing it into the list of trusted CA certificates on the computers in your network, and configuring the warning and confirmation messages that are displayed to users when their communications are being decrypted and inspected.

Managing Certificates

Managing certificate authority (CA) certificates entails exporting the Network Guardian CA certificate and then installing it on end-users' computers. Without the certificate on users' computers, HTTPS inspection policies cannot work: browsers will reject the certificates Network Guardian generates for intercepted sites.

To export a certificate:

1. Browse to the Guardian > HTTPS inspection > Settings page.
2. Click Export. Network Guardian generates the Guardian CA Cert.crt file. Save the certificate and import it into the list of trusted CA certificates on the computers in your network on which you want to implement HTTPS filtering.

The exported file contains only the CA certificate; the signing key stays on Network Guardian. Because every browser that trusts this CA will accept any certificate issued under it, restrict administrative access to the appliance and deploy the certificate only to computers whose HTTPS traffic you intend to inspect.

Tip: At the time of writing, to import the certificate on a PC running Internet Explorer 8: from the Tools menu, select Internet Options. On the Content tab, click Certificates and then click Import. Run the Certificate Import Wizard and place the certificate in the Trusted Root Certification Authorities store.

In Firefox 3 on Windows XP: from the Tools menu, select Options. Click Advanced and display the Encryption tab. Click View Certificates and then click the Authorities tab. Click Import, browse to where the certificate is stored and click Open. When prompted, select Trust this CA to identify web sites and click OK, OK and OK.

For Active Directory domains, you can deploy the certificate to all domain computers using a group policy. Consult your Active Directory documentation for more information.

Configuring Warning Information

When HTTPS inspection is implemented, Network Guardian displays a warning page informing users who try to access HTTPS web site(s) that their communication with the site(s) is being decrypted and inspected. Users must actively accept the decryption and inspection in order to continue to the site.

To configure HTTPS inspection policy settings:

1. Browse to the Guardian > HTTPS inspection > Settings page.

2. In the Manage HTTPS interception warning panel, configure the following settings:

   Warning message: Accept the default message or enter a custom message informing users that their HTTPS connections will be decrypted and filtered if they continue to the site they have requested.

   Confirmation button label: Accept the default label or enter a new label to display on the button users must click to confirm that they accept that their HTTPS connections will be decrypted and filtered. Once they have clicked the button, they can continue to the site they requested.

   Warning frequency: These settings determine how often the warning message is displayed. Daily: select to display the warning daily. Weekly: select to display the warning weekly. Never: select to never display a warning. Typically you would not use this option; however, if you are using the Smoothwall Connect Filter for Windows client, it is recommended that you disable the warning message to ensure correct operation. For more information, refer to the Smoothwall Connect Filter for Windows Installation and Administration Guide.

3. Click Save to save the settings.

Clearing the Generated Certificate Cache

It is possible to clear Network Guardian's cache of certificates generated for use with HTTPS inspection policies, for example after the CA certificate has been replaced.

To clear the cache:

1. Browse to the Guardian > HTTPS inspection > Settings page and click Clear. Network Guardian clears the cache.

Managing Content Modification Policies

The following sections discuss how to create, edit and delete content modification policies.

A content modification policy can apply recommended security rules, determine whether Internet searches should use SafeSearch functionality, warn about address spoofing and more. It can also ignore content, making it possible to exempt content from modification for specific users or locations.

Creating a Content Modification Policy

You can create a content modification policy that enforces or ignores security rules and/or SafeSearch for specific users at certain locations.

To create a content modification policy:

1. Browse to the Guardian > Content modification > Policy wizard page.

2. Complete the following steps:

   Step 1: Who. From the Available users or groups list, select who the policy applies to. Tip: Enter a name or part of a name and Network Guardian searches for users and groups that match. Click Add and, when you have added all the users and/or groups, click Next to continue.

   Step 2: What to target. From the Available categories or category groups list, select what the policy applies to. Tip: Enter the name or part of the name and Network Guardian searches for matches. Click Add and, when you have selected the categories or category groups, click Next to continue.

   Step 3: Where. From the Available locations list, select where the policy will apply. Tip: Enter the name or part of the name and Network Guardian searches for locations that match. Click Add and, when you have selected the location(s), click Next to continue.

   Step 4: Action. Select one of the following options:

   Create policy folder: Select this action to group related rules in a policy folder. You can then use Apply or Ignore actions within this folder. For more information on policy folders, see Working with Policy Folders on page 70.

   Apply: Select this action to modify the categories and category groups selected.

   Ignore: Select this action to exempt the categories and category groups from being modified.

   Note: Creating a policy which ignores content usually implies that there is another policy which modifies content. For example, there might be an Apply policy which enforces SafeSearch for everyone, and an Ignore policy which exempts certain users who need unrestricted search. In such a case, on the Guardian > Content modification > Manage policies page, the Ignore policy which creates the exception must be placed above the Apply policy which modifies the content; otherwise the Apply policy matches first and the exception never takes effect.

   From the Available categories or category groups list, select the content modification to apply and click Add. Note: If you are creating a policy that ignores content, these options are disabled.

   Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 70.

3. Select Enable policy to enable the policy and click Confirm.

4. Network Guardian displays the settings you have selected. Review them and click Save to create the policy. Network Guardian creates the policy and makes it available on the Guardian > Content modification > Manage policies page.

Network Guardian applies content modification policies in the order in which they are listed. You must specify in what order Network Guardian should apply the content modification policies. You do this as follows:

1. Browse to the Guardian > Content modification > Manage policies page.

2. Using drag and drop, reorder the list of policies according to how you want Network Guardian to apply them. For example, if you have created a policy which exempts search results from modification for users in the teachers group, and another policy which exempts particular terms from allowed searches, drag the latter policy to the top of the list of policies.

Editing Content Modification Policies

You can edit an existing content modification policy to suit your organization's requirements.

To edit a content modification policy:

1. Browse to the Guardian > Content modification > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Network Guardian displays the policy settings on the Guardian > Content modification > Policy wizard page.
3. Make the changes necessary; see Creating a Content Modification Policy on page 60 for more information on working with policies.
4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Guardian > Content modification > Manage policies page.

Deleting Content Modification Policies

You can delete a content modification policy you no longer require.

To delete a content modification policy:

1. Browse to the Guardian > Content modification > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Remove. Network Guardian deletes the policy.

Creating Custom Content Modification Policies

You can define new content modifications to suit your organization's requirements.

To create a content modification, do the following:

1. Browse to Guardian > Content modification > Content modifications.

2. Configure the following parameters:

   Name: The name of the content modification.

   Comment: Enter an optional description for this content modification.

   Headers to override: Enter the HTTP headers that Network Guardian should set on requests sent to the requested web site. This relies on the site's own support for such headers, which it uses to redirect users to other content or to restrict what they can access. Only one entry is allowed per line, in the form header name, colon, value. For example:

   A redirect to YouTube Education would be configured as:

   X-YouTube-Edu-Filter: Abc_dEf

   where Abc_dEf is the search term or phrase which causes the redirect. Note that an account and key must be set up on YouTube for this to work.

   A restriction of the available Google Apps, to allow access only to Google Calendar and Google Drive, would be configured with the header:

   X-GoogApps-Allowed-Domains:

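To show what the Headers to override setting does to a request, and why it can only take effect on HTTPS traffic that is being decrypted, the following is an added example of a header-override step as a proxy would apply it. It is not Network Guardian's code and not from this guide: the one-rule-per-line parser, the case-insensitive replacement of an existing header, and the refusal to touch an https:// request that is not being intercepted are assumptions about the behaviour; the domain school.example used as a header value is a placeholder, as the guide does not state a value.

```python
"""Apply 'Headers to override' rules to an outgoing request (added example, not product code)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def parse_header_overrides(text: str) -> list:
    """Parse one 'Header-Name: value' rule per line; blank lines are ignored, bad lines rejected."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition(":")
        name = name.strip()
        if not sep or not name or any(ch.isspace() for ch in name):
            raise ValueError(f"line {lineno}: expected 'Header-Name: value'")
        rules.append((name, value.strip()))
    return rules


@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)


def apply_overrides(req: Request, rules: list, https_intercepted: bool = False) -> Request:
    """Return a copy of req with the override headers set.

    Header names are matched case-insensitively, so a client-supplied
    x-youtube-edu-filter is replaced rather than duplicated. Headers can only be
    injected into traffic the gateway sees in clear text: for an https:// URL the
    rules apply only when an HTTPS inspection policy is decrypting the request;
    otherwise the request is passed through unchanged.
    """
    scheme = urlsplit(req.url).scheme.lower()
    if scheme == "https" and not https_intercepted:
        return Request(req.url, dict(req.headers))
    by_lower = {name.lower(): (name, value) for name, value in rules}   # last rule wins
    merged = {name: value for name, value in req.headers.items()
              if name.lower() not in by_lower}
    for name, value in by_lower.values():
        merged[name] = value
    return Request(req.url, merged)


# Constructed rule text for the example; the Google Apps domain is a placeholder.
RULES_TEXT = """
X-YouTube-Edu-Filter: Abc_dEf

X-GoogApps-Allowed-Domains: school.example
"""
RULES = parse_header_overrides(RULES_TEXT)

if __name__ == "__main__":
    plain = Request("http://www.youtube.com/", {"Host": "www.youtube.com", "x-youtube-edu-filter": "old"})
    print(apply_overrides(plain, RULES).headers)
    tls = Request("https://mail.google.com/", {"Host": "mail.google.com"})
    print(apply_overrides(tls, RULES).headers)                          # unchanged: not intercepted
    print(apply_overrides(tls, RULES, https_intercepted=True).headers)  # header injected
```

The last two calls are the point: the same rule silently does nothing for an HTTPS destination unless a Decrypt and inspect policy covers that traffic, which is why a Google Apps restriction needs HTTPS interception in place.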
   Note that for a Google Apps restriction, HTTPS interception is required, as Google Apps uses HTTPS throughout: headers can only be added to requests that Network Guardian decrypts.

3. Click Save.

Managing Anti-malware Policies

The following sections discuss how to create, edit and delete anti-malware policies.

Anti-malware policies provide protection against many malware threats, including viruses, worms, spyware and trojans, by scanning content passing through Network Guardian.

Creating an Anti-malware Policy

An anti-malware policy provides protection by scanning content requested by users. The following section explains how to create an anti-malware policy and configure anti-malware settings.

Note: Anti-malware scanning is not enabled by default. You must enable anti-malware scanning in order for any anti-malware policies you have created and enabled to take effect. For more information, see Configuring Anti-malware Protection on page 66.

To create an anti-malware policy:

1. Browse to the Guardian > Anti-malware > Policy wizard page.

2. Complete the following steps:

   Step 1: Who. From the Available users or groups list, select who the policy will apply to. Tip: Enter a name or part of a name and Network Guardian searches for users and groups that match. To select more than one user or group, hold the CTRL key down while selecting them. Click Add and, when you have added all the users and/or groups, click Next to continue.

   Step 2: What. From the Available categories or category groups list, select what is to be scanned. Tip: Enter the name or part of the name and Network Guardian searches for content that matches. Click Add and, when you have selected the content, click Next to continue.

   Step 3: Where. From the list of locations, select where the policy will apply. Tip: Enter the name or part of the name and Network Guardian searches for locations that match. Click Add and, when you have added the location(s), click Next to continue.

   Step 4: Action. Select one of the following options:

   Create policy folder: Select this action when configuring Network Guardian at a central installation where you need to create policy folders for multiple locations or groups.

   Scan: Select this action to scan the specified content for malware.

   Do not scan: Select this action to allow the user to access the content without scanning it for malware. Use this only for destinations you trust; unscanned content reaches the user exactly as served.

   Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 70.

3. Select Enable policy to enable the policy and click Confirm.

4. Network Guardian displays the settings you have selected. Review them and click Save to create the policy. Network Guardian creates the policy and makes it available on the Guardian > Anti-malware > Manage policies page. You must now specify in what order Network Guardian should apply the policy.

5. Browse to the Guardian > Anti-malware > Manage policies page.

6. Locate the policy. Drag and drop the policy to where you want Network Guardian to apply it. For example, if you have created a policy which does not scan archives that system administrators want to download, drag the policy to the top of the list so that it is matched before the general scanning policy.

Configuring Anti-malware Protection

The following section explains how to enable anti-malware scanning and set a maximum size for files to be scanned.

To configure anti-malware protection:

1. Navigate to the Guardian > Anti-malware > Settings page.

2. Configure the following settings:

   Anti-malware scanning: Select Enable to activate malware scanning.

   Max file size to scan: Enter the maximum file size to scan, in megabytes. The value can be between 1 MB and 100 MB. Note: To download files larger than 100 MB with malware scanning enabled, you may need to create an anti-malware policy which does not scan files from the sites concerned. Sites which stream audio/video over HTTP may also experience problems when malware scanning is enabled, because the content must be fully received before it can be scanned.

   File uploads: Select Scan or Do not scan as required.

3. Click Save to apply the malware protection settings.

Configuring Anti-malware Status Information

You can configure Network Guardian to display information on files being scanned for malware.

To configure the information displayed:

1. Navigate to the Guardian > Anti-malware > Status page page.

2. Configure the following settings:

   Status page title: This text displays information on the name and size of the file being downloaded. Accept the default or enter new text. The keywords %%FILENAME%% and %%FILESIZE%% can be used to insert file-specific information.

   After download: This information is displayed after the file has been downloaded and while it is being scanned. Accept the default or enter new text.

   After scan: This text is the message displayed when the file has been scanned. Following a successful scan, users are provided with a link to save the file to their computer. Accept the default or enter new text.

   Auto-start downloads: Select to download the file automatically after it has been scanned and approved for download.

3. Click Save to apply any changes.

Note: If requested content fails the malware scan, Network Guardian denies the download. Before creating a policy which allows such content to be downloaded unscanned, you should first be confident that the requested content is safe.

Editing Anti-malware Policies

You can edit an existing anti-malware policy to suit your organization's requirements.

To edit an anti-malware policy:

1. Browse to the Guardian > Anti-malware > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Network Guardian displays the policy settings on the Guardian > Anti-malware > Policy wizard page.
3. Make the changes necessary; see Creating an Anti-malware Policy on page 64 for more information on working with policies.
4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Guardian > Anti-malware > Manage policies page.

Deleting Anti-malware Policies

You can delete an anti-malware policy you no longer require.

To delete an anti-malware policy:

1. Browse to the Guardian > Anti-malware > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Remove. Network Guardian deletes the policy.

Using the Policy Tester

Network Guardian's policy tester enables you to determine what policy actions would apply for a given URL and, optionally, a specific user or group at a specific location and/or time. This is done by the policy tester sending an impersonated request for access to a URL.

Tip: Use the policy tester to check possible negative side effects of adding a user/group, time slot or location to a Guardian policy.

To use the policy tester:

1. Browse to the Guardian > Quick links > Policy tester page.
2. Configure the following settings:

URL: Enter the URL to be requested. If the URL contains www, enter that too.
Who: Optionally, select the group(s) or user who would make the request.
  Group: From the drop-down list, select the group(s) who would make the request.
  User: Enter the name of the user making the request.
Where: Optionally, select the location(s) or IP address from which the content would be requested.
  Location: From the drop-down list, select the location(s) from which the request would be made.
  IP address: Enter the IP address from which the request would be made.
When: Optionally, select at what time or during which time slot(s) the content would be requested.
  Time: Enter the time at which the content would be requested.
  Time slot: Specify the time slot(s) during which the content would be requested.
  Tip: It is possible to impersonate a request made in the past. For example, you can check if someone could have accessed a URL previously.
Detailed diagnostics: Optionally, select this to determine what policy actions would apply to resources such as images, javascript, CSS tags, HTML5 multimedia tags and other resources at the URL.
  Note: Hyperlinks to other pages are not tested.

3. Click Test. For each Guardian policy enabled at that time, Network Guardian displays what action has been applied regarding the URL and the options you specified. When testing a URL which results in a redirect, the URL to which the original is redirected and its status are displayed. This enables you to policy test the redirect URL. For information on URL statuses, see:

Note: The policy tester can impersonate a user or group(s) attempting to access web content. Network Guardian does not log impersonated requests. However, an upstream proxy may capture and log the request as coming from the user or group(s) being impersonated.

Other Ways of Accessing the Policy Tester

The policy tester is also available:

- On the Dashboard page. If the Web filter option is enabled on the System > Preferences > User interface page, you can run quick policy tests.
- On user portals. If the policy tester has been enabled for a user portal, it will be available when users access the portal. For more information, refer to the Network Guardian Operations Guide.
Working with Policy Folders

Policy folders enable you to organize and apply policies according to whatever criteria are most appropriate to your organization. For example, by default, Network Guardian blocks all adverts for all users all the time in every location. If you want to allow some users and/or groups to access adverts sometimes and others to access them always at specific locations, you can accomplish this by creating a policy folder which contains a general web filter policy allowing access to adverts. You can then add policies to the folder specifying which groups are allowed access, at what times and in which locations.

Using policy folders makes it easier to understand the policy table on the manage policies page and more accurately reflects how a policy is applied to specific groups.

Creating a Policy Folder

You create a policy folder by using a policy wizard.

To create a policy folder:

1. When running a policy wizard, do not add a policy object for the criterion you want to use to determine the type of policy folder. For example, if you want to create a web filter policy folder to contain policies that can be applied to specific groups and/or users, do not add any users or groups to the policy.
2. When configuring the policy action, select Create policy folder. After you have completed the policy wizard, Network Guardian makes the policy folder available on the manage policies page.
3. To add a policy to a folder, browse to the relevant manage policies page, locate the policy folder and click Add policy to folder. Network Guardian opens the folder and displays it on the policy wizard page.
4. Add the policy object, for example a group to which you want to apply the policy, and click Confirm. Network Guardian displays the policy settings. Review the settings and then click Save. Network Guardian creates the policy, places it in the policy folder and makes it available on the manage policies page.

Editing Policy Folders

You can edit a policy folder by changing the policy objects it contains.

To edit a policy folder:

1. On the relevant manage policies page, locate the policy folder and click Edit policy folder. Network Guardian opens the folder and displays it on the policy wizard page.
2. Make changes to the policy object(s) included in the folder by adding or removing them as required.
3. Click Confirm, review the changes and click Save to apply the changes and update the folder.

Deleting Policy Folders

You can delete policy folders you no longer require.

To delete a policy folder:

1. On the relevant manage policies page, locate the policy folder and click Delete policy folder. Click Remove when prompted to confirm that you want to delete the folder. Network Guardian deletes the folder and removes it from the relevant manage policies page.

Censoring Web Form Content

The following section explains how to create and apply a censor policy for content and/or files posted using web forms. A censor policy consists of a filter, an action and a time period.

To create and apply a censor policy:

1. Browse to the Services > Message censor > Policies page.
2. Configure the following settings:

Service: From the drop-down menu, select one of the following options:
  Web filter outgoing: Select to apply the policy to content and/or files being posted in web forms, such as to message boards or Wikipedia, using HTTP.
  Web filter secure outgoing (HTTPS): Select to apply the policy to content and/or files being posted in web forms, such as to message boards or Wikipedia, using HTTPS.
  Note: An HTTPS inspection policy must be deployed for this to work. See Managing HTTPS Inspection Policies on page 53 for more information.
  Click Select to update the policy settings available.
Filter: From the drop-down menu, select a filter to use. For more information on filters,.
Time period: From the drop-down menu, select a time period to use, or accept the default setting. For more information on time settings,.
Action: From the drop-down menu, select one of the following actions:
  Block: Content which is matched by the filter is blocked.
  Allow: Content which is matched by the filter is allowed and is not processed by any other filters.
Log severity level: Network Guardian enables you to store all blocked content, no blocked content or only blocked content above a certain severity level. If you want Network Guardian to only store blocked content above a certain severity level, you must assign severity levels to the content. The Log severity level option enables you to do this. From the drop-down list, select the severity level to assign to content that has been blocked by this policy.
  Note: You must also configure the options for storing blocked content on the Guardian > Web filter > Outgoing page. See below for more information.
Group: From the drop-down list, select the group to which you want to apply the policy.
Comment: Optionally, enter a description of the policy.
Enabled: Select to enable the policy.

3. Click Add and, at the top of the page, click Restart to apply the policy.
4. Browse to the Guardian > Web filter > Outgoing page.
5. Configure the following settings:

MessageCensor filtering and logging: Select Enable to enable censoring of content and/or files posted using web forms.
Store blocked content: Select this option if you want Network Guardian to store content it blocks.
  Note: This option does not apply to content posted using HTTPS.
Store blocked content above severity level: If you have selected to store blocked content, from the drop-down list, select one of the following options:
  Always store: Network Guardian stores all blocked content and makes it available for review in the web filter log.
  4 to 5: Select a severity level above which Network Guardian stores the blocked content and makes it available for review in the web filter log. For more information, see the Log severity level option above.
  Note: This option does not apply to content posted using HTTPS.

6. Click Save. Network Guardian applies the policy.

Configuring Organization Accounts

Before your organization can deploy Swurl, the organization account must be configured on Network Guardian.

To configure the organization's account:

1. On the Swurl home page, click View account. The Organization account screen opens.
2. Make a note of the information displayed.
3. On Network Guardian, browse to the Guardian > Swurl > Settings page.
4. Configure the following settings:

Swurl: Select Enable.
Fetch lists when centrally managed: Select this setting if Swurl is managed centrally. See your Network Guardian Administrator's Guide for more information on centrally managed systems.
Organization: Enter the name of your organization as shown on the Organization account screen.
User ID: Enter your user ID as shown on the Organization account screen.
Password: Enter your password as shown on the Organization account screen.

5. Click Save. Network Guardian saves the information and enables Swurl.


6 Managing Authentication Policies

This chapter introduces authentication policies, including:

- About Authentication Policies on page 77
- Creating Authentication Policies on page 78
- Managing Authentication Policies on page 86
- Managing Authentication Exceptions on page 87
- Identification by Location on page 88
- Connecting to Network Guardian on page 89
- Authentication Scenarios on page 91

About Authentication Policies

Note: By default, Network Guardian comes with an authentication policy in place. To use it, you configure your users' web browsers to use Network Guardian as their web proxy. For more information, see Creating a Non-transparent Connection Manually on page 89.

Network Guardian uses authentication to:

- Identify users and assign them to groups, so that Network Guardian can apply different policies to each group
- Allow access to registered users or trusted workstations
- Provide logging and auditing facilities in case of misuse
- Show in real time which users are accessing content

An authentication policy is comprised of a connection type, an authentication method, port information and a location.

Network Guardian can use several different authentication methods to identify a user or group, with different requirements and restrictions. Authentication policies determine which method is used. They also determine which interfaces and ports Network Guardian listens on for web requests.

Creating Authentication Policies

Network Guardian enables you to create the following types of authentication policies:

- Non-transparent authentication policies: this type of policy is applied to users whose web browsers are configured to connect to the Internet using Network Guardian as their web proxy. For more information, see Creating Non-transparent Authentication Policies on page 78.
- Transparent authentication policies: this type of policy is applied to users whose computers' network connection uses Network Guardian. For more information, see Creating Transparent Authentication Policies on page 83.

Creating Non-transparent Authentication Policies

Non-transparent authentication policies enable you to apply a web filter policy and authentication requirements to a user or group of users.

To create a non-transparent authentication policy:

1. Browse to the Web proxy > Authentication > Policy wizard page.
2. Select Non-Transparent and, from the Method drop-down list, select one of the following authentication methods:

No authentication: Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group.
Kerberos: Identify users by using the Kerberos keytab stored on Network Guardian. For more information,.
Kerberos (Terminal Services compatibility mode): Identify users by using the Kerberos keytab stored on Network Guardian. For more information. For information on Kerberos pre-requisites and troubleshooting,. This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server.
Proxy authentication: Identify users by requesting a username and password from the user's browser. This authentication method prompts users to enter a username and password when they try to web browse. The username and password details are encoded in all future requests made by the user's browser.
Proxy authentication (Terminal Services compatibility mode): Identify users by requesting a username and password from the user's browser. This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server.
NTLM identification: Identify users according to the username logged into their Microsoft Windows workstation.
  Note: NTLM identification does not verify a user's credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.
  Note: Network Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM should not be used with any other browser or platform, even if the platform claims to support NTLM. NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
NTLM identification (Terminal Services compatibility mode): Identify users according to the username logged into their Microsoft Windows workstation. Can be used in conjunction with Microsoft Terminal Services.
  Note: NTLM identification does not verify a user's credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.
  Note: Network Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.
  Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
  This method works with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server.

NTLM authentication: Identify users according to the username logged into their Microsoft Windows workstation, and validate their credentials with the domain controller.
  Prerequisites:
  - There must be a computer account for Network Guardian in Active Directory.
  - The account specified on the Services > Authentication > Settings page must have permission to join the computer to the domain.
  Note: Network Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.
  Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
NTLM authentication (Terminal Services compatibility mode): Identify users according to the username logged into their Microsoft Windows workstation, and validate their credentials with the domain controller. Can be used in conjunction with Microsoft Terminal Services.
  Prerequisites:
  - There must be a computer account for Network Guardian in Active Directory.
  - The account specified on the Services > Authentication > Settings page must have permission to join the computer to the domain.
  Note: Network Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.
  Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
  This method works with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server.
Redirect users to SSL Login page (with background tab): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The Network Guardian authentication service supports only one user per client IP address. Using this method, the SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times. Select this method if a user's browser cannot accept cookies. This method is also suitable if a user's browser plugins or applications require the authenticated session to remain active. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user's workstation and the Network Guardian system is encrypted. To securely log out, the user must click Logout on the SSL Login page.

Redirect users to SSL Login page (with session cookie): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The Network Guardian authentication service supports only one user per client IP address. Using this method, Network Guardian stores a session cookie on the user's browser. The cookie removes the need for the user to reauthenticate. This method is useful for users of tablet PCs and other mobile devices which have problems keeping tabs in browsers open in the background. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user's workstation and the Network Guardian system is encrypted. To securely log out, the user must click Logout from the SSL Login page.
Core authentication: Identify users with the Network Guardian authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group. The Network Guardian authentication service supports only one user per client IP address. Core authentication is typically used with the SSL Login page. For example, anonymous users can be allowed access to certain sites only, but users can optionally log in to gain a higher level of access.
Ident: Identify users according to the username returned by an Ident server running on their workstation. Network Guardian supports Ident for compatibility with any Ident-enabled networks your organization may already be using. Networks supporting Ident authentication require an Ident server application to be installed on all workstations that can be queried by Ident-enabled systems. The user does not need to enter their username as it is automatically supplied by the Ident server application. Once a user's Ident server has identified the user, the user's web activities will be filtered according to their authentication group membership. For details of how to configure this with your choice of Ident server, please refer to the Ident server's administrator's guide.
  Note: Ident does not verify a user's credentials. It should only be used where all client workstations are secured and running an Ident server controlled by the network administrator. Unsecured clients can spoof their credentials.
Identification by Location: Identify users by their IP address. Assign a group based on the identification by location policy configured for their location. Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network. For more information, see Identification by Location on page 88. For information on locations, see Chapter 5, Working with Location Objects on page.

Kerberos (via redirect): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the Kerberos login page, which obtains the username logged into their Microsoft Windows workstation. For information on Kerberos pre-requisites and troubleshooting,. The Network Guardian authentication service supports only one user per client IP address.
NTLM identification (via redirect): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation. The Network Guardian authentication service supports only one user per client IP address.
  Note: This option is for backwards compatibility with earlier versions of Guardian.
NTLM authentication (via redirect): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller. The Network Guardian authentication service supports only one user per client IP address.
  Note: This option is for backwards compatibility with earlier versions of Guardian.
Global Proxy using NTLM: Identify users using the Secure Global Proxy service. Users must be logged in using NTLM credentials.
  Note: Even if your Smoothwall System has multiple internal interfaces, you can only create one Global Proxy using NTLM authentication policy. Enabling this policy automatically adds firewall rules to allow external access to the proxy port. If your Smoothwall System uses primary and secondary external connections, Secure Global Proxy will listen on the primary connection.
  Device authentication can be implemented using client-side certificates. For a detailed description of how to configure these, see Connecting to Network Guardian on page 89. For more information about Secure Global Proxy, refer to the Secure Global Proxy Installation and Administration Guide.

3. Configure the following settings:

Interface: From the drop-down list, select the interface on which to apply the authentication policy.
Port: From the drop-down list, select the port on which to apply the authentication policy.
Enabled: Select to enable the policy.

4. Click Next and add the location at which the policy will apply.

5. Click Next and review the options for handling unauthenticated requests. When requests are permitted without requiring authentication, for example, entries on the Web proxy > Authentication > Exceptions page, Network Guardian assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.
6. Click Next, select Enabled and click Confirm. Network Guardian displays the policy settings.
7. Review the settings and click Save to make the policy available for use.

Creating Transparent Authentication Policies

Transparent authentication policies enable you to apply a web filter policy and authentication requirements to a user or group of users.

To create a transparent authentication policy:

1. Browse to the Web proxy > Authentication > Policy wizard page.
2. Select Transparent and, from the Method drop-down list, select one of the following authentication methods:

No authentication: Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group.
Redirect users to SSL Login page (with background tab): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The Network Guardian authentication service supports only one user per client IP address. Using this method, the SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times. Select this method if a user's browser cannot accept cookies. This method is also suitable if a user's browser plugins or applications require the authenticated session to remain active. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user's workstation and the Network Guardian system is encrypted. To securely log out, the user must click Logout on the SSL Login page.

Redirect users to SSL Login page (with session cookie): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The Network Guardian authentication service supports only one user per client IP address. Using this method, Network Guardian stores a session cookie on the user's browser. The cookie removes the need for the user to reauthenticate. This method is useful for users of tablet PCs and other mobile devices which have problems keeping tabs in browsers open in the background. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user's workstation and the Network Guardian system is encrypted. To securely log out, the user must click Logout from the SSL Login page.
Core authentication: Identify users with the Network Guardian authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group. The Network Guardian authentication service supports only one user per client IP address. Core authentication is typically used with the SSL Login page. For example, anonymous users can be allowed access to certain sites only, but users can optionally log in to gain a higher level of access.
Identification by location: Identify users by their IP address. Assign a group based on the identification by location policy configured for their location. Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network. For more information, see Identification by Location on page 88. For information on locations, see Working with Location Objects on page 45.
Kerberos (via redirect): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the Kerberos login page, which obtains the username logged into their Microsoft Windows workstation. For information on Kerberos pre-requisites and troubleshooting,. The Network Guardian authentication service supports only one user per client IP address.
NTLM identification (via redirect): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation. The Network Guardian authentication service supports only one user per client IP address.
  Note: NTLM identification does not verify a user's credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.

NTLM authentication (via redirect): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller. The Network Guardian authentication service supports only one user per client IP address.

3. Configure the following settings:

Interface: From the drop-down list, select the interface on which to apply the authentication policy.
  Note: For more information on the WCCP interface option, see Configuring WCCP on page 102.
HTTPS:
  Filter HTTPS traffic: Select this option to transparently intercept HTTPS connections.
  Allow HTTPS traffic with no SNI header for the 'Transparent HTTPS incompatible sites' category: Select this option to allow HTTPS traffic without a server name indication (SNI) field in its header. This allows access to content in the Transparent HTTPS incompatible sites content category based on a best guess of the destination host made by using a DNS reverse lookup. For more information on content categories, see Working with Category Group Objects on page 40.
  Note: When enabled, web requests allowed by this option will bypass any deployed HTTPS policies and will not be subjected to inspection or certificate checking.
  Note: This option is not applicable when configuring an authentication policy folder. For more information on folders, see Working with Policy Folders on page 70.
Spoofing: Select this option to allow upstream services to see network traffic as coming from the originating client's IP address rather than Network Guardian's IP address.
  Note: This option is only available when configuring a policy which uses a bridged interface.
Enabled: Select to enable the policy. When disabled, no filtering is performed on HTTPS requests from clients without deployed proxy settings.
  Note: Transparent HTTPS interception is not compatible with Internet Explorer running on Windows XP or earlier.

4. Click Next and add the location at which the policy will apply.
5. Click Next and review the options for handling unauthenticated requests. When requests are permitted without requiring authentication, for example, entries on the Web proxy > Authentication > Exceptions page, Network Guardian assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.
6. Click Next, select Enabled and click Confirm. Network Guardian displays the policy settings.
7. Review the settings and click Save to make the policy available for use.
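The SNI-based decision behind the HTTPS setting above, as an added example that is not Smoothwall's code: it extracts the server_name extension from a TLS ClientHello and models the no-SNI fallback the guide describes (a reverse-DNS best guess, allowed without inspection only for the 'Transparent HTTPS incompatible sites' category). The ClientHello bytes, the category membership, the PTR data and the 'block' outcome for the remaining cases are constructed assumptions, not taken from the product.

```python
"""Added example (not Smoothwall's code): model of a transparent HTTPS
policy deciding what to do with a TLS connection based on the ClientHello
server_name (SNI) extension. The no-SNI branch models the guide's option of
a reverse-DNS best guess that is allowed only for the 'Transparent HTTPS
incompatible sites' category and is never inspected."""
import struct
from typing import Callable, Optional, Tuple

# Constructed stand-in for the 'Transparent HTTPS incompatible sites' category.
INCOMPATIBLE_SITES = {"legacy.example.net"}


def extract_sni(client_hello: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello record, or None if there is
    no server_name extension or the record is malformed (RFC 5246 / RFC 6066)."""
    try:
        if client_hello[0] != 0x16:                      # TLS handshake record
            return None
        rec_len = struct.unpack("!H", client_hello[3:5])[0]
        body = client_hello[5:5 + rec_len]
        if body[0] != 0x01:                              # handshake type ClientHello
            return None
        pos = 4 + 2 + 32                                 # hs header, version, random
        pos += 1 + body[pos]                             # session id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                                # cipher suites
        pos += 1 + body[pos]                             # compression methods
        if pos >= len(body):
            return None                                  # no extensions at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:                       # server_name extension
                lpos = pos + 2                           # skip ServerNameList length
                while lpos + 3 <= pos + ext_len:
                    name_type = body[lpos]
                    name_len = struct.unpack("!H", body[lpos + 1:lpos + 3])[0]
                    if name_type == 0:                   # host_name
                        return body[lpos + 3:lpos + 3 + name_len].decode("ascii")
                    lpos += 3 + name_len
                return None
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def build_client_hello(server_name: Optional[str] = None) -> bytes:
    """Build a minimal, constructed ClientHello (one cipher suite, null
    compression) with or without an SNI extension, for offline testing."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32           # client_version + random
            + b"\x00"                             # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00")                        # one compression method (null)
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def transparent_https_decision(client_hello: bytes, dst_ip: str,
                               allow_no_sni: bool,
                               reverse_lookup: Callable[[str], Optional[str]]
                               ) -> Tuple[Optional[str], str]:
    """Return (host, action) where action is 'inspect', 'allow-uninspected'
    or 'block'. With SNI the request goes through the HTTPS policies
    ('inspect'). Without SNI and the option enabled, the host is a reverse
    DNS guess and is allowed without inspection only if it is in the
    incompatible-sites category. Blocking the remaining cases is an
    assumption; the guide does not describe them."""
    host = extract_sni(client_hello)
    if host is not None:
        return host, "inspect"
    if not allow_no_sni:
        return None, "block"
    guess = reverse_lookup(dst_ip)
    if guess in INCOMPATIBLE_SITES:
        return guess, "allow-uninspected"
    return guess, "block"


if __name__ == "__main__":
    ptr = {"203.0.113.10": "legacy.example.net"}.get      # constructed PTR data
    print(transparent_https_decision(build_client_hello("www.example.com"),
                                     "198.51.100.5", True, ptr))
    print(transparent_https_decision(build_client_hello(), "203.0.113.10", True, ptr))
```

The second call shows the caveat from the note above: the host is only a reverse-DNS guess and the connection is passed without inspection or certificate checking.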

Managing Authentication Policies

Network Guardian applies authentication policies in the order they are displayed on the Web proxy > Authentication > Manage policies page. You can re-order the policies by dragging and dropping them in new positions.

To access authentication policies:

1. Browse to the Web proxy > Authentication > Manage policies page. Network Guardian displays the current authentication policies.

Editing Authentication Policies

You can make changes to authentication policies by editing them.

To edit an authentication policy:

1. On the Web proxy > Authentication > Manage policies page, locate the policy you want to change.
2. Click the Edit policy button. Network Guardian displays the policy on the Web proxy > Authentication > Policy wizard page.
3. Make the changes you require; see Creating Authentication Policies on page 78 for more information on the settings available.
4. Click Confirm, review your changes and then click Save to save and apply the changes. Network Guardian applies the changes and prompts you to restart the Network Guardian proxy.
5. Click Restart proxy. Network Guardian restarts the proxy.

Deleting Policies

You can delete authentication policies you no longer require.

To delete an authentication policy:
1. On the Web proxy > Authentication > Manage policies page, locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy.
3. Click Delete. Network Guardian deletes the policy and prompts you to restart the Network Guardian proxy.
4. Click Restart proxy. Network Guardian restarts the proxy.

Managing Authentication Exceptions

You can configure Network Guardian to allow access to content without requiring authentication. For example, automatic Windows updates can be accessed without user authentication.
Tip: Log in to our support portal and read more about applications known not to support authenticated proxies and how to put an authentication exception in place for them.

To create an exception:
1. Browse to the Web proxy > Authentication > Exceptions page.
2. Select the content to be excepted from authentication and click Add.
3. Click Save to create the exception.

Identification by Location

You can configure Network Guardian to identify groups and/or users by the location in which they are situated. This ident-by-location status can be used to configure an identification by location authentication policy.
Note: The settings configured on this page are only used when Identification by Location is selected as the method in an authentication policy. See Creating Authentication Policies on page 78 for more information.

To configure identification by location:
1. Browse to the Web proxy > Authentication > Ident by location page.
2. From the Selected location drop-down list, select the location.
3. Select the groups and/or users to include in the location and click Add.
4. Click Confirm. Network Guardian lists the location in the Location to group mappings table.

Connecting to Network Guardian

The following sections explain how to connect non-transparently and transparently to Network Guardian.

About Non-transparent Connections

Non-transparent connections from users' web browsers to Network Guardian are suitable when content is accessed using HTTPS, when using NTLM or proxy authentication, or when using identification in terminal services compatibility mode. Connecting to Network Guardian non-transparently entails configuring users' web browsers to use Network Guardian as the web proxy using one of the following methods:
Manually: Web browser LAN settings are manually configured; see Creating a Non-transparent Connection Manually on page 89 for more information.
Automatic configuration script: Web browser LAN settings are configured to receive proxy configuration settings from an automatic configuration script generated by Network Guardian; see Configuring Non-transparent Connections Using a PAC Script on page 90 for more information.
WPAD automatic script: Web browser LAN settings are configured to detect proxy settings; see Configuring a Non-transparent Connection Using a WPAD Automatic Script on page 90 for more information.

Creating a Non-transparent Connection Manually

Note: The following instructions apply to Internet Explorer 7. For information on other browsers, see the documentation delivered with the browsers.

To create a non-transparent connection manually:
1. On users' computers, start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings.
3. In the Automatic configuration area, check that Automatically detect settings and Use automatic configuration script are not selected.
4. In the Proxy server area, select Use a proxy server for your LAN.
5. Enter Network Guardian's IP address and port number 800 and select Bypass proxy server for local addresses.
6. Click Advanced to access more settings. In the Exceptions area, enter Network Guardian's IP address and any other IP addresses of content that you do not want filtered, for example, your intranet or local wiki.
7. Click OK and OK to save the settings.

Configuring Non-transparent Connections Using a PAC Script

A proxy auto-config (PAC) script is a file generated by Network Guardian. Once configured, any changes to connections are automatically retrieved by the user's web browser. For information on working with PAC scripts, see Using PAC Scripts on page 98.
Note: The following instructions apply to Internet Explorer 7. For information on other browsers, see the documentation delivered with the browsers.

To configure a non-transparent connection using a PAC script:
1. On the user's computer, start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings.
3. Configure the settings as follows:
Automatically detect settings: Deselect this option.
Use automatic configuration script: Select this option.
Address: Enter the address of the script.
Tip: To locate the address, navigate to the Web proxy > Web proxy > Settings page. The address is listed in the Automatic configuration script address area.
4. Ensure that no other proxy settings are enabled or have entries.
Note: You may need to restart the web browser for the settings to take effect.

Configuring a Non-transparent Connection Using a WPAD Automatic Script

Note: This method is only for administrators familiar with configuring web and DNS servers. End-user browsers must support WPAD; the latest versions of Microsoft Internet Explorer support this method.

The WPAD method works by the web browser prepending the hostname wpad to the front of its fully qualified domain name and looking for a web server on port 80 that can supply a wpad.dat file. The file works in the same way as the automatic configuration script and tells the browser what web security policy it should use.

To use WPAD:
1. Configure your network to use Network Guardian as the network web proxy. Consult your network documentation for more information on how to do this.
2. Using a local DNS server or Network Guardian's static DNS, add the host 'wpad.yourdomainname', substituting your own domain name. The host must resolve to Network Guardian's IP address.
3. Configure users' browsers to automatically detect LAN settings.

Note: Users' computers must be configured with the same domain name as the A record. However, the Microsoft Knowledge Base article Q suggests that WPAD does not work on Windows Microsoft suggests that you should use a DHCP auto-discovery method using a PAC script. See the article for more information.

About Transparent Connections

You configure transparent connections from users' computers to Network Guardian by configuring the computers' network connections to use Network Guardian as the default gateway. In order for a transparent policy to work, the following must be in place:
DNS must be set up correctly on your network so that user computers can resolve the short form of Network Guardian's hostname, for example: resolve mysystem for the hostname mysystem.example.com
User computers and Network Guardian must be within the same DNS domain
Internet Explorer must be configured to authenticate automatically with intranet sites.

Authentication Scenarios

The following are high-level examples of how you can configure Network Guardian to suit your organization's authentication requirements.

New Content Filtering: Changing the Listening Port

Anna runs an Internet cafe. She is replacing her current content filter with Network Guardian because of its superior filtering. To avoid reconfiguring each workstation, she needs Network Guardian to listen on the same port as before, which was port 3128. Anna goes to the Web proxy > Authentication > Policy page, which shows the default configuration of no authentication on port 800. She clicks the Edit button on the entry displayed, which takes her to the Web proxy > Authentication > Policy wizard page. On this page, all fields apart from interface and port are disabled. She changes the port to 3128 and saves her changes, and a message prompts her to restart Network Guardian.

Providing Filtered Web Access to the Public

Brian is a network administrator for a university. Staff and student web access is unfiltered, but Brian wants to provide filtered web access for a new conference centre open to the public. He does not want delegates to need to configure a proxy in their browsers. Brian configures Network Guardian to listen in transparent mode. On the Web proxy > Authentication > Policy wizard page, he selects Transparent and No authentication and leaves the other options at their defaults.

After adding this entry, on the Web proxy > Authentication > Policy page, he can see the new transparent authentication policy, so he removes the default entry for port 800. He then configures the firewall and DHCP servers on the network to route traffic through Network Guardian.

Requiring Authentication to Browse the Web

Charlotte is a hotel manager. The hotel provides Internet access to guests via their own laptops and shared PCs in the lobby. The wireless network is secured, but Charlotte needs to know which guest is responsible for web traffic in case of misuse. She wants a simple system which doesn't require guests to register their wireless devices. Charlotte creates a local user account for each room, with names like room23 and a random simple password. Guests are told the password for their room when they check in if they request Internet access, and the password is changed when they check out. Charlotte then configures Network Guardian in transparent mode on the Web proxy > Authentication > Policy page by adding a new entry for Transparent and Redirect to SSL Login, leaving the other options at their defaults. She removes the entry for port 800 before restarting Network Guardian.

Using Multiple Authentication Methods

Donald is a college system administrator. His network contains Windows PCs, Macs, and network points for student laptops. Donald wants to provide authentication across the network using single sign-on wherever possible. For Macs, Donald creates a location on the Guardian > Location > Policy wizard page, which he names Macs. This location contains the IP address ranges assigned to Macs. On the Web proxy > Authentication > Policy page, he edits the default entry for port 800, changing the authentication method to NTLM authentication. Then he adds a new entry, choosing Ident authentication for the location Macs. This is displayed above the entry for NTLM on the policy page. Finally, he adds an entry for the laptops for transparent connections and Redirect to SSL Login. Using group policy and central admin tools, he configures the Windows PCs and Macs to use Network Guardian, and installs an Ident server on the Macs. Windows and Mac users now authenticate to Network Guardian using their desktop login session, but laptop users are presented with the SSL Login screen when they browse.

Controlling an Unruly Class

Ellen is a secondary school teacher. Ellen's students are supposed to be reading about the Civil War but are inclined to waste time when her back is turned. Ellen needs to be able to ban students from accessing the Internet as a punishment for misbehavior. While the students are working, Ellen looks around the room and also monitors web usage on the Logs and reports > Realtime > Web filter page. She sees that one of her students, Fred, is watching videos on YouTube, so she goes to the Services > Authentication > User activity page, scrolls to his login entry, and selects Ban. This takes her to the temporary bans page, where she configures the ban to expire at the end of the lesson. When Fred clicks on another video, he is shown the block page.

7 Managing Web Security

This chapter includes:
Overview of the Web Proxy on page 94
Using PAC Scripts on page 98
Limiting Bandwidth Use on page 100
Configuring WCCP on page 102
Managing Upstream Proxies on page 104
Managing Blocklists on page 112
Managing Block Pages on page

Overview of the Web Proxy

The following sections provide an overview of Network Guardian's web proxy settings.

To access Network Guardian's web proxy settings:
1. Navigate to the Web proxy > Web proxy > Settings page.

Global Options

The following table lists Network Guardian's global web proxy setting:
Guardian: Select Enable to enable content filtering and Network Guardian's web proxy.

1. Click Advanced to access advanced web proxy settings, which are documented in the following sections.

Advanced Web Proxy Settings

The following advanced web proxy settings are available.

Web Filter Options

The following optional advanced web filter settings are available:
HTTP strict mode: By default, this option is enabled. However, for certain client applications going through Network Guardian you may need to disable this so as to handle problems, for example, with headers that the applications send.

File upload policy: The following options are available:
  Allow unlimited uploads: All file uploads are allowed.
  Block all uploads: All file uploads are blocked.
  Restrict upload size to: Files below the size specified are allowed.
Resume interrupted NTLM connections: By default, Network Guardian resumes interrupted NTLM connections caused by non-standard web browser behavior.
  Enable: This is the default setting. Select this setting to configure Network Guardian to resume interrupted NTLM connections.
  Disable: Select this setting to disable resumption of interrupted NTLM connections when restrictive Active Directory account lockout policies are in operation.
Resolve single component hostnames: By default, Network Guardian makes no attempt to interpret single component hostnames which are not fully qualified.
  Enable: Select this setting to enable Network Guardian to attempt to interpret single component hostnames which are not fully qualified, if single component hostnames are being used.
  Disable: Select this setting to stop Network Guardian from trying to interpret single component hostnames which are not fully qualified.
Allow access to web servers on these additional ports: By default, Network Guardian only allows requests to servers running on a certain subset of privileged ports, i.e. ports below 1024, such as HTTP (80), HTTPS (443) and FTP (21). If you require access to servers running on non-standard ports, enter them here.

Logging Options

The following advanced logging settings are available:
Proxy logging: We recommend that you disable this option when Filter logging mode is enabled. This is because Network Guardian proxy logs are effectively duplicated subsets of Network Guardian web filter logs. Disabling proxy logging can lead to improved performance by reducing system storage and processing requirements.
Organization name: Enter a name which can be used to identify Network Guardian in your organization. Organization names are also referenced in certain web reports.
Filter logging mode: From the drop-down list, select one of the following logging modes:
  Normal: Select this option to generate proxy logs with all recorded data.
  Anonymized: Select this option to generate filter logs with anonymous username and IP address information.
  Disabled: Select this option to disable content filter logging.

Client hostnames: Select one of the following options:
  Log: Select this option to record hostnames of computers using Network Guardian. When enabled, filter logs and reports incorporating hostname information can be generated. It is important that DNS servers exist on the local network and are correctly configured with the reverse DNS of all machines if this option is enabled; otherwise performance will suffer.
  Do not log: Select this option to disable the logging of hostnames of computers using Network Guardian.
Client user-agents: Select one of the following options:
  Log: Select to record the types of browsers used by users.
  Do not log: Select to disable the logging of the types of browsers used by users.
Advert blocks: Select one of the following options:
  Log: Select this option to log information on advert blocking.
  Do not log: Select to disable the logging of information on advert blocking.

Cache Options

The following advanced, optional cache settings are available:
Global cache size: The size entered here determines the amount of disk space allocated to Network Guardian for caching web content. Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached. The specified size must not exceed the amount of free disk space available. The cache size should be configured to approximately 40% of the system's total storage capacity, up to a maximum of around 1.5 gigabytes. Larger cache sizes can be specified, but may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages.
Max and min object size that can be stored in the cache: The values entered here determine the maximum and minimum sizes of objects stored in the cache.
  Max object size: Enter the largest object size that will be stored in Network Guardian's cache. Any object larger than the specified size will not be cached. This prevents large downloads filling the cache. The default of bytes (30 MB) should be adjusted to suit the needs of your end-users.
  Min object size: Enter the smallest object size that will be stored in Network Guardian's cache. Any object smaller than the specified size will not be cached. This can be useful for preventing large numbers of tiny objects filling the cache. The default is no minimum; this should be suitable for most purposes.

Max object size that can pass in and out of proxy: The values entered here determine the maximum sizes of objects which can pass through the web proxy.
  Max outgoing size: Enter the maximum amount of outbound data that can be sent by a browser in any one request. This can be used to prevent large uploads or form submissions. The default is no limit.
  Max incoming size: Enter the maximum amount of inbound data that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. This can be used to prevent excessive and disruptive download activity. The default is no limit.
Do not cache these domains: Used to specify domains that should be excluded from the web cache. This can be used to ensure that old content of frequently updated web sites is not cached. Enter domain names without the www prefix, one entry per line. To apply the option to any subdomains, enter a leading period, for example: .example.com

Internet Cache Protocol

The following advanced, optional Internet Cache Protocol (ICP) settings are available:
ICP server: Select one of the following options:
  Enable: Select to allow ICP-compatible proxies to query Network Guardian's cache. ICP is a technique employed by proxies to determine if an unfulfilled local cache request can be fulfilled by another proxy's cache. ICP-enabled proxies work together as cache peers to improve cache performance across a LAN. ICP is recommended for LANs with multiple Network Guardian proxy servers; non-Smoothwall proxies must use port 801 for HTTP traffic.
  Disable: Select to disable Network Guardian as an ICP server.
ICP server IP addresses: Use this area to enter the IP addresses of other ICP-enabled proxies on the LAN that Network Guardian should query. Use in conjunction with the ICP server option enabled to allow two-way cache sharing.

Load Balancing

The following load balancing option is available:
Direct Return Server Virtual IP: Enables you to use a load balancing device which uses a virtual IP with Network Guardian. Enter the IP address on which Network Guardian can accept load balanced connections. Assuming a load balancer has been set up, Network Guardian will form part of its cluster.
Note: This IP address must not respond to ARP queries, as ARP-ing behavior is what sets this type of virtual IP apart from a simple alias.
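An added example, not Network Guardian's own code, that applies the cache options above to individual responses: HTTPS is never cached, URLs carrying embedded credentials are not cached, the Do not cache these domains list is applied with its leading-period rule, and the max and min object sizes are enforced. The request shape, the domain entries, the reading of "pages including username and password information" as URLs with embedded user:password, and the exact-host treatment of entries without a leading period are assumptions.

```javascript
// Added example, not Network Guardian's own code: a cacheability check that
// applies the cache options described in the guide. Policy values and the
// request shape are constructed for illustration.
const cachePolicy = {
  maxObjectSize: 30 * 1024 * 1024, // documented default of 30 MB
  minObjectSize: 0,                // documented default: no minimum
  // Entered without the www prefix; a leading period also covers subdomains.
  noCacheDomains: [".example.com", "intranet.corp.local"],
};

// Returns true when host falls under one of the "Do not cache these domains"
// entries. An entry without a leading period is treated as an exact host
// match (an assumption; the guide does not spell out the non-dotted case).
function hostExcluded(host, domains) {
  const h = host.toLowerCase();
  return domains.some((entry) => {
    const e = entry.toLowerCase();
    if (e.startsWith(".")) {
      // ".example.com" matches example.com itself and any subdomain of it,
      // but not notexample.com (the comparison keeps the leading dot)
      return h === e.slice(1) || h.endsWith(e);
    }
    return h === e;
  });
}

// Decide whether a completed response may be stored. `req` is
// { url, size } with size in bytes. "Pages including username and password
// information" is interpreted here as URLs that embed user:password
// credentials (an assumption).
function shouldCache(req, policy) {
  const u = new URL(req.url);
  if (u.protocol !== "http:" && u.protocol !== "ftp:") {
    // Only web (HTTP) and FTP requests are cached; HTTPS never is.
    return { cache: false, reason: "only-http-and-ftp-cached" };
  }
  if (u.username || u.password) {
    return { cache: false, reason: "credentials-in-url" };
  }
  if (hostExcluded(u.hostname, policy.noCacheDomains)) {
    return { cache: false, reason: "excluded-domain" };
  }
  if (req.size > policy.maxObjectSize) {
    // Keeps large downloads from filling the cache.
    return { cache: false, reason: "larger-than-max" };
  }
  if (policy.minObjectSize > 0 && req.size < policy.minObjectSize) {
    // Keeps large numbers of tiny objects from filling the cache.
    return { cache: false, reason: "smaller-than-min" };
  }
  return { cache: true, reason: "cacheable" };
}
```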

Using PAC Scripts

Network Guardian enables you to create and make available proxy auto-config (PAC) scripts, which determine which IP addresses and domains to access via Network Guardian and which to access directly. Network Guardian supports built-in PAC scripts and custom PAC script templates.

Using a Built-in Script

A built-in script is an auto-configuration script which you can customize with additional settings such as exceptions.

To use a built-in script:
1. Browse to the Web proxy > Web proxy > Automatic configuration page.

2. Select Built-in and configure the following settings:
Bypass proxy server for local addresses: Select this option to not use Network Guardian when connecting to local addresses. When selected, this option makes users' browsers bypass the Network Guardian proxy if the address is a hostname only, for example: myhostname. Browsers will not bypass the Network Guardian proxy if the address is a fully qualified domain name (FQDN), for example: myhostname.example.local.
Refer to the proxy by domain name: Select this option so that the Network Guardian proxy uses its domain name instead of IP addresses in the configuration file.
Note: Before enabling this option, ensure that you have a valid DNS configuration which resolves correctly for this hostname. This option must be enabled when using Kerberos authentication to use proxy automatic configuration.
Exception domains and IP addresses: In this text box, enter an IP address, IP address range, network address or hostname that users may access directly. For example:
/24
hostname.local
Exception regular expression domains: Optionally, click Advanced to access the Exception regular expression domains area. In the text box, enter one regular expression domain per line that users may access directly. For example:
^(.*\.)?youtube\.com$
^(.*\.)?ytimg\.com$
would disable usage of Network Guardian for youtube.com, ytimg.com and their subdomains, but not, for example, fakeyoutube.com.
3. Click Save. Network Guardian creates the script and makes it available at:

Using a Custom Script

A custom script provides advanced functionality by enabling you to use a script customized to suit your organization.
Tip: You can use the built-in template as a starting point for creating a custom script. On the Web proxy > Web proxy > Automatic configuration page, click Download and save the default script to a suitable location. Edit the file to suit your requirements and save it using a different name. See below for how to upload it.
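As an added example that is not the script Network Guardian generates, here is a PAC script implementing the built-in script options above (bypass for hostname-only addresses, the proxy referred to by domain name, an exception network and host, and the two regular-expression domains), in the form a WPAD-served wpad.dat or a browser-retrieved proxy.pac takes. The proxy hostname proxy.example.local, the 192.168.1.0/24 exception network and the minimal stand-ins for the browser's PAC helper functions are assumptions made so the script can run outside a browser.

```javascript
// Added example, not the PAC script Network Guardian generates. Implements
// the built-in script options described in the guide; hostnames and the
// exception network are constructed placeholders.

// Stand-ins for helper functions a browser's PAC engine normally supplies,
// included so the script can be exercised outside a browser. They are
// deliberately minimal: isInNet only handles literal IPv4 addresses and
// performs no DNS lookup.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + parseInt(octet, 10), 0) >>> 0;
}
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = ipToInt(mask);
  return (ipToInt(host) & m) === (ipToInt(net) & m);
}

// "Refer to the proxy by domain name": the proxy is named by hostname, not
// by IP address, which is also what Kerberos authentication requires.
var PROXY = "PROXY proxy.example.local:800"; // assumed hostname, port 800

// "Exception domains and IP addresses": traffic to these goes direct.
var EXCEPTION_NETS = [["192.168.1.0", "255.255.255.0"]]; // constructed /24
var EXCEPTION_HOSTS = ["hostname.local"];

// "Exception regular expression domains": one expression per line on the
// Network Guardian page, written here as JavaScript regular expressions.
var EXCEPTION_REGEXES = [/^(.*\.)?youtube\.com$/, /^(.*\.)?ytimg\.com$/];

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();

  // "Bypass proxy server for local addresses": hostname-only names such as
  // myhostname go direct; FQDNs such as myhostname.example.local do not.
  if (isPlainHostName(h)) return "DIRECT";

  for (var i = 0; i < EXCEPTION_NETS.length; i++) {
    if (isInNet(h, EXCEPTION_NETS[i][0], EXCEPTION_NETS[i][1])) return "DIRECT";
  }
  for (var j = 0; j < EXCEPTION_HOSTS.length; j++) {
    if (h === EXCEPTION_HOSTS[j].toLowerCase()) return "DIRECT";
  }
  for (var k = 0; k < EXCEPTION_REGEXES.length; k++) {
    // youtube.com and www.youtube.com match; fakeyoutube.com does not
    if (EXCEPTION_REGEXES[k].test(h)) return "DIRECT";
  }

  // Everything else goes through Network Guardian. No "; DIRECT" fallback is
  // appended: if the proxy is unreachable the browser fails closed rather
  // than silently bypassing filtering.
  return PROXY;
}
```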

To use a custom script:
1. After configuring the custom script, browse to the Web proxy > Web proxy > Automatic configuration page.
2. Select Custom script template and click Browse. Locate and select the script and click Upload. Network Guardian uploads the script and makes it available at: Your_System_IP_address/proxy.pac

Managing the Configuration Script

You define the policy for each interface by configuring which proxy address the configuration script should direct clients to.

To manage the configuration script:
1. Browse to the Web proxy > Web proxy > Automatic configuration page.
2. In the Manage configuration script area, from the Interface drop-down list, select the address the configuration script should direct clients to.
3. Click Save.

Limiting Bandwidth Use

By default, Network Guardian does not limit bandwidth use. However, it is possible to configure bandwidth limiting policies which can, for example, stop a user or group of users from overloading your Internet connection.

To create a bandwidth limiting policy:
1. Navigate to the Web proxy > Web proxy > Bandwidth limiting page.

2. Click Create a new policy. The policy wizard is displayed. Complete the following steps:
Step 1: Who: From the Available users or groups list, select the user(s) and/or group(s) to whom the policy will apply. For information on users and groups,.
  Tip: Enter a name or part of a name and Network Guardian will search for names of users and groups that match.
  Click Add and, when you have added all the users and/or groups, click Next to continue.
Step 2: What: From the Available categories or category groups list, select what is to be filtered. For information on categories, see Working with Category Group Objects on page 40.
  Tip: Enter the name or part of the name and Network Guardian will search for content that matches.
  Click Add and, when you have selected all the content, click Next to continue.
Step 3: Where: From the Available locations list, select where the policy will apply. For more information on locations, see Working with Location Objects on page 45.
  Tip: Enter the name or part of the name and Network Guardian will search for locations that match.
  Click Add and, when you have added the location(s), click Next to continue.
Step 4: When: From the Available time slots list, select when the policy will apply. For more information on time slots, see Working with Time Slot Objects on page 44.
  Tip: Enter the name or part of the name and Network Guardian will search for time slots that match.
  Click Add and, when you have added the time slot(s), click Next to continue.
Step 5: Action:
  Limit bandwidth to: Enter the number of kilobytes per second to which bandwidth is limited when this policy is applied.
  Shared between clients: Select this option to share the bandwidth specified between all clients on the network. If this option is not selected, the limit specified applies to each client, determined by IP, not by user or group.
  Note: A user or group may be able to draw on bandwidth from several policies.
Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 70.
3. Select Enable policy to enable the policy and then click Confirm. Network Guardian displays the settings you have selected.
4. Review the settings and click Save to create the policy. Network Guardian creates the policy and makes it available on the Web proxy > Web proxy > Bandwidth limiting page.

Ordering Bandwidth Limiting Policies

It is possible to order bandwidth limiting policies. Ordering policies enables you, for example, to apply one policy to a user and another policy to the group the user belongs to.

To order bandwidth limiting policies:
1. Browse to the Web proxy > Web proxy > Bandwidth limiting page.
2. Drag and drop the policy you want applied first to the top of the list and click Save. Network Guardian applies the order specified when applying the policies.

Editing Bandwidth Limiting Policies

You can edit an existing bandwidth limiting policy to suit your organization's requirements.

To edit a bandwidth limiting policy:
1. Browse to the Web proxy > Web proxy > Bandwidth limiting page and locate the policy you want to edit.
2. Click the Edit policy button. Network Guardian displays the policy settings.
3. Make the changes necessary. See Limiting Bandwidth Use on page 100 for more information on working with policies.
4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Web proxy > Web proxy > Bandwidth limiting page.

Deleting Bandwidth Limiting Policies

You can delete a bandwidth limiting policy you no longer require.

To delete a bandwidth limiting policy:
1. Browse to the Web proxy > Web proxy > Bandwidth limiting page and locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Delete. Network Guardian deletes the policy.

Configuring WCCP

Network Guardian can be added to a Web Cache Communication Protocol (WCCP) cache engine cluster. When enabled, Network Guardian broadcasts its availability to a nominated WCCP-compatible router. The WCCP-compatible router can forward web traffic and perform load balancing across all the WCCP-capable proxies it is aware of. Both HTTP and HTTPS traffic can be transparently proxied via WCCP.

Note: WCCP-compatible routers forward web traffic in a transparent mode over a GRE tunnel; therefore you must configure a transparent authentication policy for the interface which will receive redirected traffic. For information on transparent authentication policies, see Chapter 6, Creating Transparent Authentication Policies on page 83. For more information about configuring WCCP on your router, refer to the documentation that accompanies your router.

To configure WCCP:
1. Browse to the Web proxy > Web proxy > WCCP page.
2. Select the option you require and configure its settings:
No WCCP: Select to disable WCCP.
WCCP version 1: Select this option to enable WCCP version 1. Version 1 does not require authentication for caches to join the cluster, and only supports a single coordinating router.
  WCCP router IP: Enter the WCCP router's IP address.

WCCP version 2: Select this option to enable WCCP version 2. Version 2 can be more secure than version 1, as it supports authentication for caches to join the cluster, providing a level of protection against rogue proxies on the LAN. In addition, it supports multiple coordinating routers.
  Note: Currently, WCCP version 2 in Network Guardian only supports routers configured to use the hash assignment method and GRE for both the forwarding and return methods.
  Password: Enter the password required to join the WCCP cluster. WCCP passwords can be a maximum of 8 characters.
  Cache weight: Enter a cache weight to provide a hint as to the proportion of traffic which will be forwarded to this particular cache. Caches with high weights relative to other caches in the cluster will receive more redirected requests.
  Device IP addresses: Enter the IP addresses of one or more WCCP version 2 routers.
3. Click Save. Network Guardian saves the settings.
4. On the Web proxy > Authentication > Manage policies page, create a transparent authentication policy using the authentication method you require and select WCCP as the interface. For more information, see Chapter 6, Creating Transparent Authentication Policies on page 83. Network Guardian completes the WCCP configuration.

Managing Upstream Proxies

Network Guardian enables you to configure and deploy policies which manage access to upstream proxies. The policies can:
Allow or deny access to upstream proxies based on network location
Direct web requests to a specific upstream proxy depending on the type of request
Provide load balancing and failover.
The following sections explain how to configure and deploy upstream proxy policies.

Overview

Managing upstream proxies entails:
Configuring upstream proxy settings; for more information see Configuring an Upstream Proxy on page 105
Creating source and destination filters; for more information see Configuring Source and Destination Filters on page 107
Configuring a single upstream proxy for all web requests, see Using a Single Upstream Proxy on page 109, or deploying upstream proxy policies to combine multiple upstream proxies and use load balancing and failover; for more information, see Working with Multiple Upstream Proxies on page

Configuring an Upstream Proxy

The following section explains how to configure an upstream proxy.

To configure an upstream proxy:
1. Browse to the Web proxy > Upstream proxy > Proxies page.
2. Configure the following settings:
Name: Enter a name for the upstream proxy. Only the following characters and numbers are allowed in a proxy name: ., abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ. The name Default is invalid, as it is reserved for the default proxy.
IP/Hostname: Enter the IP address or the hostname of the upstream proxy.
Port: Enter the port number to use on the upstream proxy.
Comment: Optionally, enter a comment or description.

3. Click Advanced to access the following optional settings:
Credential forwarding: Select one of the following credential forwarding options:
Disabled: Use the static username and password entered below when logging in to the upstream proxy.
Username only: Forward the username of the client making the request, together with the password entered below, when logging in to the upstream proxy. This allows the upstream proxy to identify individual users without revealing their passwords.
Note: This requires proxy authentication, NTLM authentication or NTLM identification to be enabled; otherwise Network Guardian cannot determine usernames.
Username and password: Forward the username and password of the client making the request when logging in to the upstream proxy. This can be used if both Network Guardian and the upstream proxy authenticate against the same directory server, but should be used with caution as it reveals client credentials to the upstream proxy.
Note: This option requires proxy authentication to be used, not NTLM. Otherwise, Network Guardian cannot determine plaintext usernames and passwords.
Note: Network Guardian can only log in to upstream proxies which require basic proxy authentication, not NTLM or any other authentication scheme.
Username: Enter a static username for use when credential forwarding is disabled.
Password: Enter a static password for use when credential forwarding is disabled, or when forwarding usernames only.
Load balance ratio: Enter a load balance ratio value. Values are relative: for example, if one upstream proxy has the value 2 and another upstream proxy has the value 1, and both use the round robin load balancing method, then the proxy with value 2 will receive twice as many web requests as the proxy with value 1. For more information, see Configuring Multiple Upstream Proxy Policies on page
4. Click Save. Network Guardian adds the upstream proxy to the list of current upstream proxies.
5. Repeat the steps above to add other upstream proxies.

Configuring Source and Destination Filters

Network Guardian enables you to create source and destination filters which are used when applying upstream proxy policies.

Configuring a Destination Filter

Network Guardian uses destination filters to determine which upstream proxy policy to apply, based on the destination domain(s), IP(s) or destination URL regular expressions.

To create a destination filter:
1. Browse to the Web proxy > Upstream proxy > Filters page.
2. Configure the following settings:
Type: Select Destination.
Name: Enter a name for the destination filter.
Comment: Optionally, enter a description or comment.
IPs/Hostnames: Enter a destination IP address or hostname.
3. Optionally, click Advanced and configure the following setting:
Destination regular expression URLs: Enter one regular expression URL, including the protocol, per line.
Note: The full URL is not available for HTTPS requests.

4. Click Save. Network Guardian adds the filter and lists it in the Upstream proxy filters area.
5. Repeat the steps above to add more destination filters.

Configuring a Source Filter

Network Guardian uses source filters to determine which upstream proxy policy to apply, based on the source IP(s), subnet(s) or IP range(s) of the client machine(s).

To create a source filter:
1. Browse to the Web proxy > Upstream proxy > Filters page.
2. Configure the following settings:
Type: Select Source.
Name: Enter a name for the filter.
Comment: Optionally, enter a description or comment.
IPs/Hostnames: Enter a source IP address, IP address range, network address or hostname. For example: /24 hostname.local
Note: Hostnames require reverse DNS look-ups to be performed.
3. Click Save. Network Guardian adds the filter and lists it in the Upstream proxy filters area.
4. Repeat the steps above to add more source filters.

Using a Single Upstream Proxy

After configuring upstream proxy settings (see Configuring an Upstream Proxy on page 105), you can use a single upstream proxy for all web requests.

To use a single upstream proxy:
1. Browse to the Web proxy > Upstream proxy > Manage policies page.
2. In the Global options area, configure the following settings:
Default upstream proxy: This setting determines the default proxy, which is used when upstream proxies are not available, not configured or not allowed by policies. From the drop-down list, select an upstream proxy.
Allow direct connections: Select this option to allow direct connections to origin servers. If allowed, direct connections are made as a final fall-back if the default proxy is unavailable or not configured. For more information, see Enforcing Upstream Proxy Usage on page 112.
Leak client IP with X-Forwarded-For header: Select this option to send the originating IP addresses of client requests upstream.
3. Click Save. Network Guardian starts using the single upstream proxy.

Working with Multiple Upstream Proxies

The following sections discuss general upstream proxy behavior, how to load balance using multiple upstream proxy policies and how to enforce upstream proxy usage.

About Upstream Proxy Behavior

There are three potential destinations for a web request forwarded to an upstream proxy. These are as follows, in order of precedence:
1. A pool of one or more proxies which are allowed by the upstream proxy policies to service the request.
2. The default proxy, if configured.
3. Direct forwarding of requests to their origin servers, if allowed. An origin server is defined as the target destination of a web request, i.e. the server from which a requested resource originates.

Upstream proxy policies are additive. Network Guardian checks requests against all the policies, in order. Any proxy which is allowed to service a particular request is added to the proxy pool in step 1. If the final pool for a request contains two or more proxies, load-balancing and fail-over rules decide which one will be sent the request.

Note: The rules above only apply to requests serviced by Network Guardian. If a client behind Network Guardian is able to obtain direct, unfiltered web access, the client's requests will be treated no differently from other Internet traffic.

Configuring Multiple Upstream Proxy Policies

By configuring multiple upstream proxy policies, you can balance the web request load across two or more upstream proxies.

To load balance using upstream proxy policies:
1. On the Web proxy > Upstream proxy > Proxies page, configure the upstream proxies you will be using. See Configuring an Upstream Proxy on page 105 and Configuring Source and Destination Filters on page 107 for more information.
2. Browse to the Web proxy > Upstream proxy > Manage policies page and click Advanced.

3. Configure the following settings:
Load balancing method: From the drop-down list, select the load balancing method you require. The following methods are available:
Source IP: Based on the client's IP address, Network Guardian selects one proxy from the set of allowed proxies and uses it as long as that proxy is available. For example: three requests for example.com from one machine might all go via proxy A; three requests from the machine next to it might all go via proxy B.
Username: Based on the client's username, Network Guardian selects one proxy from the set of allowed proxies and uses it as long as that proxy is available. For example: three requests for example.com while logged in as Alice might all go via proxy A; three requests while logged in as Bob might go via proxy B, even if Bob has the same IP as Alice.
Note: This method requires Network Guardian to be configured for username and password based authentication. See Chapter 6, About Authentication Policies on page 77 for more information.
Round-robin: Network Guardian cycles through the proxies one by one. Three requests for example.com, with three proxies allowed to serve the request, would send one request via each.
Upstream proxy: From the drop-down list, select the proxy for which you are configuring the policy.
Source filter: From the drop-down list, select Everything.
Destination filter: From the drop-down list, select Everything.
Action: Select Allow.
Comment: Optionally, enter a comment describing the proxy.
Enabled: Select to enable the policy.
4. Click Save. Network Guardian creates the policy and lists it in the Upstream proxy policies table.
5. Configure policies for the other upstream proxies by repeating steps 2 and 3 above.
Once you have configured policies for the upstream proxies you require, Network Guardian checks each web request against the policy table; every proxy allowed by a matching policy may service the request, so the load balancing and failover rules are used to pick the most suitable proxy. Network Guardian monitors the availability of upstream proxies automatically and avoids forwarding requests to unavailable proxies. If none of the proxies permitted to service a request are available, Network Guardian uses the default proxy. If the default proxy is not available, or if no default proxy is configured, the request is forwarded directly to its origin server.
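The precedence and load balancing behavior described above, as an added example that is not Network Guardian's own code: a small Python model of the policy table that builds the allowed pool for a request, applies the Source IP, Username or Round-robin method (honoring the load balance ratio), skips unavailable proxies, falls back to the default proxy and finally goes direct when that is allowed. It also models the dummy proxy None used in Enforcing Upstream Proxy Usage below. Proxy names, hosts and addresses are constructed; two behaviors the page does not spell out are assumptions and marked as such in the comments: a matching Block policy removes its proxy from the pool, and a matching None policy overrides the global Allow direct connections setting for that request.

```python
"""Model of the upstream proxy selection this page describes.

Added example, not product code.  Policies are additive: every matching
Allow policy adds its proxy to the pool for a request.  From the pool the
load balancing method picks a proxy; unavailable proxies are skipped; if
nothing is usable the default proxy is tried; finally the request goes
direct if that is allowed.  All hosts and addresses below are constructed.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

DIRECT = "DIRECT"  # marker meaning "forward straight to the origin server"


@dataclass
class Proxy:
    name: str
    host: str
    port: int
    ratio: int = 1          # load balance ratio, relative to the other proxies
    available: bool = True  # as reported by availability monitoring


@dataclass
class Policy:
    proxy: str                       # a Proxy name, or "None" for the dummy proxy
    action: str                      # "Allow" or "Block"
    source: str = "Everything"       # source filter: "Everything" or a CIDR
    destination: str = "Everything"  # destination filter: "Everything" or a domain
    enabled: bool = True

    def matches(self, client_ip: str, host: str) -> bool:
        if not self.enabled:
            return False
        if self.source != "Everything":
            if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(self.source):
                return False
        if self.destination != "Everything":
            if host != self.destination and not host.endswith("." + self.destination):
                return False
        return True


class UpstreamSelector:
    def __init__(self, proxies, policies, method="Round-robin",
                 default=None, allow_direct=True):
        self.proxies = {p.name: p for p in proxies}
        self.policies = list(policies)
        self.method = method        # "Source IP", "Username" or "Round-robin"
        self.default = default      # name of the default upstream proxy, or None
        self.allow_direct = allow_direct
        self._rr_counter = 0

    def _pool_and_direct(self, client_ip, host):
        """Walk the policy table in order and build the allowed pool."""
        pool, direct = [], self.allow_direct
        for pol in self.policies:
            if not pol.matches(client_ip, host):
                continue
            if pol.proxy == "None":
                # assumption: a None policy overrides the global direct setting
                direct = pol.action == "Allow"
            elif pol.action == "Allow" and pol.proxy not in pool:
                pool.append(pol.proxy)
            elif pol.action == "Block" and pol.proxy in pool:
                pool.remove(pol.proxy)  # assumption: Block removes from the pool
        return pool, direct

    def _pick(self, live, client_ip, username):
        if self.method == "Round-robin":
            # each proxy appears ratio times, so a ratio of 2 gets twice the requests
            weighted = [n for n in live for _ in range(self.proxies[n].ratio)]
            chosen = weighted[self._rr_counter % len(weighted)]
            self._rr_counter += 1
            return chosen
        # Source IP / Username: a stable hash keeps one client on one proxy
        key = client_ip if self.method == "Source IP" else username
        digest = hashlib.sha256(key.encode()).digest()
        return live[int.from_bytes(digest[:4], "big") % len(live)]

    def select(self, client_ip, username, host):
        """Return a proxy name, DIRECT, or None when nothing may serve the request."""
        pool, direct = self._pool_and_direct(client_ip, host)
        live = [n for n in pool if self.proxies[n].available]
        if live:
            return self._pick(live, client_ip, username)
        if self.default and self.proxies[self.default].available:
            return self.default
        return DIRECT if direct else None
```

With every proxy marked unavailable and no default, a request that matches a None, Block policy returns None: that is the "no route" outcome the page warns about when direct connections are disabled.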

Enforcing Upstream Proxy Usage

If you want to prevent web requests from being forwarded directly to their origin servers when the permitted upstream proxies are unavailable, disable the Allow direct connections option.

Note: Disabling the Allow direct connections option eliminates the last option for forwarding requests in failure scenarios, so only do this to implement a strict requirement that all traffic go through an upstream proxy.

For finer-grained control of direct connection behavior, you can configure policies using the dummy upstream proxy option None. For example, to prevent only YouTube traffic from being sent directly, enable the Allow direct connections option, then create a policy with upstream proxy None, action Block, and a destination filter corresponding to the youtube.com domain. Conversely, to allow direct access only for requests to certain sites, disable Allow direct connections and create None, Allow policies matching those requests for which direct access is permissible. This may be useful for bandwidth conservation, if direct access is routed over a slower link than access to the upstream proxies.

Managing Blocklists

A blocklist is a group of pre-configured settings which Network Guardian updates on a regular basis. A blocklist maintains Network Guardian's list of undesirable, inappropriate or objectionable content. Network Guardian automatically checks for and installs blocklist updates. You can also check for and install blocklist updates manually.

Viewing Blocklist Information

To view blocklist information:
1. Navigate to the System > Maintenance > Licenses page.
Note: The information displayed depends on the product you are using.
Blocklist subscription status is displayed. By default, Network Guardian checks for updated blocklists hourly. When a new blocklist becomes available, Network Guardian automatically downloads and installs it.
Note: As Network Guardian complies with Internet Watch Foundation (IWF) guidelines, this mode of working is mandatory. Visit for more information.

Manually Updating Blocklists

To manually update blocklists:
1. Navigate to the System > Maintenance > Licenses page.
2. Click Update. The latest blocklists are installed and displayed in the Blocklists subscription area.
Note: In order to download blocklists, you must have a valid blocklist subscription. To obtain a blocklist subscription, please contact your Network Guardian reseller or Network Guardian directly.

Managing Block Pages

When an end-user's web request is blocked, Network Guardian displays its default block page, which tells the user that they have been blocked from accessing the web content they requested. It also shows other information, such as which group the user is in, what the blocked content is categorized as and the computer's IP address. Which block page Network Guardian displays is determined by the block page policies in use.

The following sections explain the different block pages you can use, how to create a block page policy and how to manage block page policies. You can configure Network Guardian to display the following types of block page:
- A block page which you have customized, see Customizing a Block Page on page 115
- A customized HTML page which you upload to Network Guardian, see Using a Custom HTML Template on page 117
- A block page located at a specified URL, see Using an External Block Page on page

Customizing a Block Page

You can customize the default block page in many ways, including supplying a new message about why a block occurred and using different graphics.

To customize a block page:
1. Navigate to the Guardian > Block page > Block pages page.
2. Configure the following settings:
Name: Enter a name for the block page.
Comment: Enter a comment describing the block page.
3. Select the Manually create contents for block page option and configure the following settings:
Block message: This is the default message shown when a user is blocked from accessing content because of the web filter policy that applies to them. You can use this text or enter a custom message explaining to the user what has happened.

Quota message: This is the default message shown when a user tries to access content which is time limited because of the web filter policy that applies to them. You can use this text or enter a custom message. For more information on quotas, see Working with Quota Objects on page 47.
Quota button label: This is the text used on the quota button which users must click to start using their quota of time to access the content. You can use this text or enter custom text.
Sub message: Accept the default message, or enter a custom, secondary message.
Administrator's email address: Optionally, enter an administrator's email address, for contact purposes.
4. Optionally, click Advanced and configure the following settings:
Custom title image: This option determines the image displayed at the top of the block page.
Note: To use a custom title image, the image must be 551 x 79 pixels.
To specify a custom title image:
1. Click Browse.
2. In the dialog box that opens, browse to and select the image. Click OK.
3. Click Upload.
Custom background image: This option determines the image displayed as a background on the block page.
Note: To use a custom background image, the image must be 551 x 552 pixels.
To specify a custom background image:
1. Click Browse.
2. In the dialog box that opens, browse to and select the image. Click OK.
3. Click Upload.
Show unblock request: Optionally, select to display a button on the block page which allows users to request that a blocked page be unblocked. Clicking the button on the block page opens a pop-up form which, when completed, sends the request via the server used for alerts.
Show client username: Optionally, select to display the user's username, if applicable.
Show email address: Optionally, select to display the administrator's email address.
Show client IP: Optionally, select to display the IP address of the user's workstation.
Show client hostname: Optionally, select to display the workstation's hostname on the block page.
Show user group: Optionally, select to display the user's group membership, if applicable.
Show unblock controls: Optionally, select to display controls on the block page which allow administrators to add domains and URLs to the custom allowed or custom blocked content categories. For more information, see Working on Block Pages on page

Show reason for block: Optionally, select to display the reason why the web request was blocked.
Show bypass controls: Optionally, select to display temporary bypass controls on the block page. These controls allow users with bypass privileges to temporarily bypass Network Guardian. For more information, see Customizing a Block Page on page 115.
Note: When an HTTPS inspection policy is enabled (see About the Default Web Filter Policies on page 36) and a user visits a site with an invalid certificate, Network Guardian's temporary bypass will not work. This is because Network Guardian must check the certificate before authentication information for bypass can be detected. In this case, bypass controls will be visible on the block page if enabled, but will not work.
Show URL of blocked page: Optionally, select to display the URL of the blocked web request.
Use custom title image: Select if you have specified a custom title image; see above for more information.
Show categories matched: Optionally, select to display the filter category that caused the page to be blocked, if applicable.
Use custom background image: Select if you have specified a custom background image; see above for more information.
5. Click Save to save the block page and make it available for use in a block page policy.

Using a Custom HTML Template

You can create your own block page in HTML. Network Guardian provides a custom block page template for your use.

To use a custom HTML file as a block page:
1. Browse to Guardian > Block page > Block pages.
2. Download the block page template by clicking Download the custom block page example. Network Guardian downloads a zip file for your use.
3. Update the template as required, and save it in a zip archive. Ensure all files needed by the custom block page are included in the zip file, and that the archive's location is accessible by Network Guardian.
4. Browse to Guardian > Block page > Block pages if you have navigated away.
5. Configure the following settings:
Name: Configure a meaningful name for the block page.
Comment: If required, configure a comment for the block page.
6. Select Import HTML template from zip file.
7. From Upload zip archive, click Choose file.
8. Locate and select the custom block page archive.

9. Click Upload. Network Guardian unpacks the archive and makes it available for use in a block page policy.
10. If required, enter your system administrator's email address to receive unblock requests.
11. Click Save.

Using an External Block Page

Network Guardian enables you to specify an external page as a block page.

To use an external page as a block page:
1. Navigate to the Guardian > Block page > Block pages page and configure the following settings:
Name: Enter a name for the block page.
Comment: Enter a comment describing the block page.
Redirect to block page: Select to enable Network Guardian to use an external block page.
Block page URL: Enter the block page's URL.
2. Click Save to make it available for use in a block page policy.

Configuring a Block Page Policy

By default, Network Guardian displays a standard block page whenever it blocks a user's web request. You can configure Network Guardian to display a specific block page when a web request is blocked based on unsuitable or objectionable content, location or time.

To configure a block page policy:
1. Browse to the Guardian > Block page > Policy wizard page.
2. Complete the following steps:
Step 1: Who: From the Available users or groups list, select who will see the block page when content is blocked. Click Next to continue.
Step 2: What: From the Available categories or category groups list, select which categories or category groups will trigger the content being blocked. Click Next to continue. For information on categories, see Working with Category Group Objects on page 40.
Step 3: Where: From the Available locations list, select where the policy applies. Click Next to continue. For information on locations, see Working with Location Objects on page 45.
Step 4: When: From the Available time slots list, select when the policy applies. Click Next to continue. For information on time slots, see Working with Time Slot Objects on page 44.
Step 5: Action: Select which block page to use. For information on the types of block pages you can use, see Managing Block Pages on page

3. Select Enable policy to enable the policy and click Confirm.
4. Network Guardian displays the settings you have specified for the policy. Review the settings and then click Save to save the policy and make it available on the Manage policies page.

Managing Block Page Policies

Block page policies are managed on the Manage policies page. Network Guardian processes policies in order of priority, from top to bottom, until it finds a match. You can change the order by dragging and dropping policies on the page.

To manage block page policies:
1. Browse to the Guardian > Block page > Manage policies page.
2. To change the order of the policies displayed, select a policy and drag it to the position you require.
3. Click Save to save the change(s). Network Guardian re-orders the policies.

Working on Block Pages

Depending on how a block page is configured, there may be controls to add URLs and domains to user-defined blocked or allowed categories, as well as temporary bypass features to allow users with the correct privileges to access the blocked content.

Adding to User-defined Categories

Note: The availability of these options depends on how the block page is configured. For more information, see Customizing a Block Page on page

To add to user-defined categories:
1. Configure the following settings on the block page:
Control: From the User-defined categories drop-down list, select one of the following options:
Custom blocked content: Add the blocked URL or domain to the custom blocked category.
Custom allowed content: Add the blocked URL or domain to the custom allowed category.
Temporary Bypass: Enables temporary bypass of the block page if the user has the necessary privileges. Select from the following options:
5 minutes: Temporarily bypass the block page for 5 minutes.
30 minutes: Temporarily bypass the block page for 30 minutes.
1 hour: Temporarily bypass the block page for 1 hour.
When prompted, enter the bypass password.
Note: The temporary bypass and control options use non-standard port 442. This is to enable administrator access controls to be used without affecting these features.


8 Managing Your Network Infrastructure

This chapter describes how to manage various aspects of your Network Guardian network, including:
- Creating Subnets on page 123
- Using RIP on page 124

Creating Subnets

Large organizations often find it advantageous to group computers from different departments, floors and buildings into their own subnets, usually with network hubs and switches.
Note: This functionality only applies to subnets available via an internal gateway.

To create a subnet rule:
1. Navigate to the Networking > Routing > Subnets page.

2. Configure the following settings:
Network: Enter the IP address that specifies the network ID part of the subnet definition when combined with the netmask value.
Netmask: Enter a network mask that specifies the size of the subnet when combined with the network field.
Gateway: Enter the IP address of the gateway device through which the subnet can be reached. This will be an address on a locally recognized network zone. Network Guardian must be able to route to the gateway device for the subnet to be successfully configured: the gateway address must be on a network that Network Guardian is directly attached to.
Metric: Enter a route metric to set the order in which the route is evaluated, with 0 being the highest priority and the default for new routes.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.

Editing and Removing Subnet Rules

To edit or remove existing subnet rules, use Edit and Remove in the Current rules area.

Using RIP

The Routing Information Protocol (RIP) service enables network-wide convergence of routing information amongst gateways and routers. A RIP-enabled gateway passes its entire routing table to its nearest neighbor, typically every 30 seconds. Network Guardian's RIP service can:
- Operate in import, export or combined import/export mode
- Support password and MD5 authentication
- Export direct routes to the system's internal interfaces.

To configure the RIP service:
1. Navigate to the Networking > Routing > RIP page.
2. Configure the following settings:
Enabled: Select to enable the RIP service.
Scan interval: From the drop-down menu, select the time delay between routing table imports and exports. Select a frequent scan interval for networks with fewer hosts. For networks with greater numbers of hosts, choose a less frequent scan interval.
Note: There is a performance trade-off between the number of RIP-enabled devices, network hosts and the scan frequency of the RIP service. The periodic exchange of routing information between RIP-enabled devices increases the ambient level of traffic on the host network. Accordingly, administrators responsible for larger networks should consider increasing the RIP scan interval, or reconsider the suitability of the RIP service for propagating routing information.
Direction: From the drop-down menu, select how to manage routing information. The following options are available:
Import and Export: The RIP service adds to and updates its routing table from information received from other RIP-enabled gateways, and also broadcasts its routing tables for use by other RIP-enabled gateways.
Import: The RIP service adds to and updates its routing table from information received from other RIP-enabled gateways.
Export: The RIP service only broadcasts its routing tables for use by other RIP-enabled gateways.
Logging level: From the drop-down menu, select the level of logging.

RIP interfaces: Select each interface that the RIP service should import/export routing information to/from.
Authentication: Enabling RIP authentication ensures that routing information is only imported and exported amongst trusted RIP-enabled devices. Select one of the following options to manage authentication:
None: In this mode, routing information can be imported and exported between any RIP devices. We do not recommend this option from a security standpoint.
Password: In this mode, a plain text password is specified which must match that of the other RIP devices.
MD5: In this mode, an MD5 hashed password is specified which must match that of the other RIP devices.
Password: If Password is selected as the authentication method, enter a password for RIP authentication.
Again: If Password is selected as the authentication method, re-enter the password to confirm it.
Direct routing interfaces: Optionally, select interfaces whose exported RIP data should also include routes to the RIP service's own interfaces. This ensures that other RIP devices are able to route directly and efficiently to each exported interface.
3. Click Save.
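The three authentication modes above differ in what a RIPv2 update looks like on the wire, and that difference is something a defender can check for directly. The following is an added example, not Network Guardian code: it builds constructed RIPv2 response packets using the layout in RFC 2453 (route entries, and the simple password authentication entry) and the keyed MD5 header and digest trailer entries of RFC 2082 as the author of this example reads them, then parses packets to report which authentication mode each uses and which routes it advertises. The digest in the MD5 sample is a zero placeholder rather than a computed value, since the point here is classification, not key verification.

```python
"""Classify RIPv2 packets by authentication type and list the routes they carry.

Added example, not Network Guardian code.  Packet layout follows RFC 2453
(RIPv2) and RFC 2082 (keyed MD5 entries); the packets built here are
constructed samples, not captures.  Updates with no authentication or with a
plaintext password are flagged, matching the advice in the Authentication
setting above.
"""
import ipaddress
import struct

RIP_RESPONSE = 2
AFI_AUTH = 0xFFFF    # an entry with this AFI carries authentication, not a route
AUTH_DIGEST = 1      # RFC 2082 trailer entry holding the 16-byte MD5 digest
AUTH_SIMPLE = 2      # plaintext password, up to 16 bytes, zero padded
AUTH_KEYED_MD5 = 3   # RFC 2082 keyed MD5 header entry


def build_ripv2(routes, auth="None", password=b"", key_id=1, sequence=1):
    """Constructed sample: a RIPv2 response advertising (prefix, metric) routes."""
    body = b""
    if auth == "Password":
        body += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password)
    elif auth == "MD5":
        # header: type 3, packet length (patched below), key id, digest length, sequence, pad
        body += struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_KEYED_MD5, 0, key_id, 16, sequence, b"")
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        body += struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                            net.netmask.packed, b"\0" * 4, metric)
    packet = struct.pack("!BBH", RIP_RESPONSE, 2, 0) + body
    if auth == "MD5":
        packet = packet[:8] + struct.pack("!H", len(packet)) + packet[10:]
        # trailer with a zero placeholder instead of a real digest
        packet += struct.pack("!HH16s", AFI_AUTH, AUTH_DIGEST, b"")
    return packet


def parse_ripv2(packet):
    """Return the command, authentication mode and routes of one RIPv2 packet."""
    if len(packet) < 4 or (len(packet) - 4) % 20:
        raise ValueError("malformed RIP packet")
    command, version, _domain = struct.unpack("!BBH", packet[:4])
    if version != 2:
        raise ValueError("not a RIPv2 packet")
    auth, routes = "None", []
    for off in range(4, len(packet), 20):
        afi, tag = struct.unpack("!HH", packet[off:off + 4])
        if afi == AFI_AUTH:
            if tag == AUTH_SIMPLE:
                auth = "Password"   # the password itself is readable in the entry
            elif tag == AUTH_KEYED_MD5:
                auth = "MD5"
            continue                # the AUTH_DIGEST trailer carries no route
        ip, mask, _next_hop, metric = struct.unpack("!4s4s4sI", packet[off + 4:off + 20])
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(ip)}/{ipaddress.IPv4Address(mask)}")
        routes.append((str(net), metric))
    return {"command": command, "auth": auth, "routes": routes}


def audit(packets):
    """Flag updates that only the weaker RIP authentication modes would accept."""
    findings = []
    for packet in packets:
        info = parse_ripv2(packet)
        if info["auth"] == "None":
            findings.append(("unauthenticated update", info["routes"]))
        elif info["auth"] == "Password":
            findings.append(("plaintext password on the wire", info["routes"]))
    return findings
```

Fed with packets captured on a segment where only MD5 is supposed to be in use, a non-empty result from audit() points at a device still configured for None or Password.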

9 General Network Security Settings

This chapter describes how to secure your Network Guardian network, including:
- Blocking by IP on page 127
- Configuring Advanced Networking Features on page 129
- Working with Port Groups on page 132

Blocking by IP

IP block rules can be created to block network traffic originating from certain source IPs or network addresses. IP block rules are primarily intended to block hostile hosts on the external network; however, it is sometimes useful to use this feature to block internal hosts, for example if an internal system has been infected by malware. IP block rules can also operate in an exception mode, allowing traffic from certain source IPs or network addresses to always be allowed.

Creating IP Blocking Rules

IP block rules block all traffic to/from certain network hosts, or between certain parts of distinct networks.
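The way drop, reject and exception rules combine, and the note in the procedure that follows that traffic between hosts on the same subnet never reaches the firewall, can be modelled in a few lines. The following is an added example, not Network Guardian code: it accepts the source and destination forms the procedure describes (single IP, first-last range, CIDR or dotted netmask), gives exception rules precedence over every block rule regardless of position, and returns a verdict plus whether the matching rule asked for logging. The rules, packets and directly attached networks are constructed; the rule precedence between multiple non-exception matches (first match wins) is an assumption.

```python
"""Evaluate IP block rules as this chapter describes them.

Added example, not Network Guardian code.  Drop rules silently discard,
reject rules answer with an ICMP refusal, exception rules always win for
their source, and traffic between hosts on the same directly attached
subnet never reaches the firewall.  Rules and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class IpBlockRule:
    source: str                     # single IP, "first-last" range, CIDR or dotted netmask
    destination: str = "0.0.0.0/0"  # same forms; the default matches any destination
    action: str = "drop"            # "drop", "reject" or "exception"
    log: bool = False
    enabled: bool = True


def _networks(spec: str):
    """Expand one address specification into a list of networks."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    # strict=False accepts a.b.c.d, a.b.c.d/24 and a.b.c.d/255.255.255.0
    return [ipaddress.ip_network(spec.strip(), strict=False)]


def _matches(spec: str, addr) -> bool:
    return any(addr in net for net in _networks(spec))


def evaluate(rules, src: str, dst: str, attached):
    """Return (verdict, logged) for one packet.

    verdict is 'not-routed', 'allow', 'drop' or 'reject'; logged says whether
    the rule that decided the packet has Log selected.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # same-subnet traffic is switched locally and never crosses the firewall
    if any(s in net and d in net for net in attached):
        return "not-routed", False
    active = [r for r in rules if r.enabled]
    # exceptions take precedence over every block rule, whatever their position
    for r in active:
        if r.action == "exception" and _matches(r.source, s):
            return "allow", r.log
    # assumption: among drop/reject rules the first match decides
    for r in active:
        if r.action in ("drop", "reject") and _matches(r.source, s) and _matches(r.destination, d):
            return r.action, r.log
    return "allow", False
```

The 'not-routed' verdict is the case the procedure's note describes: a rule written for two hosts on the same internal subnet never fires, because the packet is never presented to the firewall.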

To create an IP block rule:
1. Navigate to the Networking > Filtering > IP block page.
2. Configure the following settings:
Source IP or network: Enter the source IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
- An individual network host, enter its IP address, for example:
- A range of network hosts, enter an appropriate IP address range, for example:
- A subnet range of network hosts, enter an appropriate subnet range, for example, / or /24.
Destination IP or network: Enter the destination IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
- An individual network host, enter its IP address, for example:
- A range of network hosts, enter an appropriate IP address range, for example:
- A subnet range of network hosts, enter an appropriate subnet range, for example, / or 19
Drop packet: Select to ignore any request from the source IP or network. The effect is similar to disconnecting the appropriate interface from the network.
Reject packet: Select to cause an ICMP Connection Refused message to be sent back to the originating IP, after which no communication will be possible.
Exception: Select to always allow the source IPs specified in the Source IP or network field to communicate, regardless of all other IP block rules. Exception rules are typically used in conjunction with other IP block rules, for example where one IP block rule drops traffic from a subnet range of IP addresses and another IP block rule creates exception IP addresses against it.
Log: Select to log all activity from this IP.
Comment: Optionally, describe the IP block rule.

Enabled: Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.
Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share the same subnet. Such traffic is not routed via the firewall, and therefore cannot be blocked by it.

Editing and Removing IP Block Rules

To edit or remove existing IP block rules, use Edit and Remove in the Current rules area.

Configuring Advanced Networking Features

Network Guardian's advanced networking settings can help prevent denial of service (DoS) attacks and enforce TCP/IP standards to stop broken network devices from causing disruption.

To configure advanced networking features:
1. Navigate to the Networking > Settings > Advanced page.

2. Configure the following feature settings:
Block and ignore:
ICMP ping broadcasts: Select to prevent the system responding to broadcast ping messages from all network zones (including external). This can prevent the effects of a broadcast ping-based DoS attack.
ICMP ping: Select to block all ICMP ping requests going to or through Network Guardian. This effectively hides the machine from Internet Control Message Protocol (ICMP) pings, but it can also make connectivity problems more difficult to diagnose.
IGMP packets: Select this option to block and ignore multicast reporting Internet Group Management Protocol (IGMP) packets. IGMP packets are harmless and are most commonly observed when using cable modems to provide external connectivity. If your logs contain a high volume of IGMP entries, enable this option to ignore IGMP packets without generating log entries.
Multicast traffic: Select this option to block multicast messages on network address from ISPs and prevent them generating large volumes of spurious log entries.
SYN+FIN packets: Select to automatically discard the packets used in SYN+FIN scans, which are used to passively scan systems. Generally, SYN+FIN scans result in large numbers of log entries being generated. With this option enabled, the scan packets are automatically discarded and are not logged.
SYN cookies: Select to defend the system against SYN flood attacks. A SYN flood attack is where a huge number of connection requests (SYN packets) are sent to a machine in the hope that it will be overwhelmed. The use of SYN cookies is a standard defence mechanism against this type of attack, the aim being to avoid a DoS.
TCP timestamps: Select this option to enable TCP timestamps (RFC 1323) to improve TCP performance on high speed links.
Selective ACKs: Select this option to enable selective ACKs (RFC 2018) to improve TCP performance when packet loss is high.
Window scaling: Select this option to enable TCP window scaling to improve the performance of TCP on high speed links.
ECN: Select this option to enable Explicit Congestion Notification (ECN), a mechanism for avoiding network congestion. While effective, it requires communicating hosts to support it, and some routers are known to drop packets marked with the ECN bit. For this reason, this feature is disabled by default.
ARP filter: Select this option to enable the ARP filter. This option can be enabled if your network is experiencing ARP flux.

ARP table size: Increase the ARP table size if the number of directly connected machines or IP addresses is more than the value shown in the drop-down box. In normal situations, the default value of 2048 will be adequate, but in very big networks, select a bigger value. Directly connected machines are those which are not behind an intermediate router but are instead directly attached to one of Network Guardian's network interfaces.

Connection tracking table size: Select to store information about all connections known to the system. This includes NATed sessions and traffic passing through the firewall. The value entered in this field determines the table's maximum size. In operation, the table is automatically scaled to an appropriate size within this limit, according to the number of active connections and their collective memory requirements. Occasionally, the default size, which is set according to the amount of memory, is insufficient; use this field to configure a larger size.

SYN backlog queue size: Select this option to set the maximum number of requests which may be waiting in a queue to be answered. The default value for this setting is usually adequate, but increasing the value may reduce connection problems for an extremely busy proxy service.

Audit: Traffic auditing is a means of recording extended traffic logs for the purpose of analyzing the different types of incoming, outgoing and forwarded traffic.

Direct incoming traffic: Select to log all new connections to all interfaces that are destined for the firewall.

Forwarded traffic: Select to log all new connections passing through one interface to another.

Direct outgoing traffic: Select to log all new connections from any interface.

Note: It is possible that auditing traffic generates vast amounts of logging data. Ensure that the quantity of logs generated is acceptable. Traffic auditing logs are viewable on the Logs and reports > Logs > Firewall page.

Drop all direct traffic on internal interfaces: Select any internal interfaces which have hosts on them that do not require direct access to the system but do require access to other networks connected to Network Guardian.

3. Click Save to enable the settings you have selected.
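The options above are the kind of settings a Linux-based gateway applies through kernel parameters. As an added example (this is not Smoothwall code, and the mapping from each guide setting to a sysctl key is an assumption about how the appliance applies it; the sysctl names themselves are standard Linux ones), the following Python audit reads a saved "sysctl -a" snapshot and reports which of the chapter's hardening options are in effect.

```python
"""Audit a Linux 'sysctl -a' snapshot against the advanced networking
options described in this chapter.

Added example, not Smoothwall code. The mapping from each Network
Guardian setting to a kernel parameter is an assumption about how the
appliance applies the setting; the parameter names are standard Linux
sysctls.
"""
import re

# (setting name from the guide, sysctl key, value expected when selected).
# net.ipv4.tcp_ecn: 1 negotiates ECN on outgoing connections; 0 or 2
# (respond only, the kernel default) counts as "not enabled" here.
CHECKS = [
    ("Block and ignore ICMP ping broadcasts", "net.ipv4.icmp_echo_ignore_broadcasts", 1),
    ("Block and ignore ICMP ping", "net.ipv4.icmp_echo_ignore_all", 1),
    ("Enable SYN cookies", "net.ipv4.tcp_syncookies", 1),
    ("Enable TCP timestamps", "net.ipv4.tcp_timestamps", 1),
    ("Enable selective ACKs", "net.ipv4.tcp_sack", 1),
    ("Enable window scaling", "net.ipv4.tcp_window_scaling", 1),
    ("Enable ECN", "net.ipv4.tcp_ecn", 1),
    ("Enable ARP filter", "net.ipv4.conf.all.arp_filter", 1),
]

# Size settings: the guide only says to raise these for large or busy
# networks, so the audit reports the value rather than pass/fail.
SIZES = [
    ("ARP table size", "net.ipv4.neigh.default.gc_thresh3"),
    ("Connection tracking table size", "net.netfilter.nf_conntrack_max"),
    ("SYN backlog queue size", "net.ipv4.tcp_max_syn_backlog"),
]

_LINE = re.compile(r"^\s*([\w.\-/]+)\s*=\s*(.*?)\s*$")


def parse_sysctl(text):
    """Turn 'key = value' lines (as printed by sysctl -a) into a dict."""
    values = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def audit(values):
    """Return {setting: 'on' | 'off' | 'unknown'} for the boolean options."""
    result = {}
    for name, key, want in CHECKS:
        raw = values.get(key)
        if raw is None:
            result[name] = "unknown"      # key absent from the snapshot
        else:
            result[name] = "on" if int(raw) == want else "off"
    return result


def sizes(values):
    """Return {setting: int} for the table-size options present in the snapshot."""
    return {name: int(values[key]) for name, key in SIZES if key in values}


# Constructed snapshot (not captured from a real appliance): SYN cookies and
# broadcast-ping blocking are on, ECN is left at its kernel default.
SAMPLE = """\
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_ecn = 2
net.ipv4.conf.all.arp_filter = 0
net.ipv4.neigh.default.gc_thresh3 = 2048
net.netfilter.nf_conntrack_max = 65536
net.ipv4.tcp_max_syn_backlog = 1024
"""

if __name__ == "__main__":
    snapshot = parse_sysctl(SAMPLE)
    for setting, state in audit(snapshot).items():
        print(f"{state:8} {setting}")
    for setting, value in sizes(snapshot).items():
        print(f"{value:8} {setting}")
```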

Working with Port Groups

You can create and edit named groups of TCP/UDP ports for use throughout Network Guardian. Creating port groups significantly reduces the number of rules needed and makes rules more flexible. For example, you can create a port group to make a single port forward to multiple ports and modify which ports are in the group without having to recreate the rules that use it. In this way you could easily add a new service to all your DMZ servers.

Creating a Port Group

To create a port group:

1. Navigate to the Networking > Settings > Port groups page.

2. In the Port groups area, click New and configure the following settings:

Group name: Enter a name for the port group and click Save.

Name: Enter a name for the port or range of ports you want to add to the group.

Port: Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers separated by a colon, for example: 1024:65535. For non-consecutive ports, create a separate entry for each port number.

Comment: Optionally, add a descriptive comment for the port or port range.

3. Click Add. The port, ports or port range is added to the group.

Adding Ports to Existing Port Groups

To add a new port:

1. Navigate to the Networking > Settings > Port groups page.

2. Configure the following settings:

Port groups: From the drop-down list, select the group you want to add a port to and click Select.

Name: Enter a name for the port or range of ports you want to add to the group.

Port: Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers separated by a colon, for example: 1024:65535

Comment: Optionally, add a descriptive comment for the port or port range.

3. Click Add. The port, ports or range are added to the group.

Editing Port Groups

To edit a port group:

1. Navigate to the Networking > Settings > Port groups page.

2. From the Port groups drop-down list, select the group you want to edit and click Select.

3. In the Current ports area, select the port you want to change and click Edit.

4. In the Add a new port area, edit the port and click Add. The edited port, ports or range is updated.

Deleting a Port Group

To delete a port group:

1. Navigate to the Networking > Settings > Port groups page.

2. From the Port groups drop-down list, select the group you want to delete and click Select.

3. Click Delete.

Note: Deleting a port group cannot be undone.


10 Configuring Inter-Zone Security

This chapter describes how to configure bridging between network zones, including:

About Zone Bridging Rules on page 135
Creating a Zone Bridging Rule on page 136
Editing and Removing Zone Bridge Rules on page 138
A Zone Bridging Tutorial on page 138
Group Bridging on page 140

About Zone Bridging Rules

By default, all internal network zones are isolated by Network Guardian. Zone bridging is the process of modifying this, in order to allow some kind of communication to take place between a pair of network zones. A zone bridging rule defines a bridge in the following terms:

Zones: Defines the two network zones between which the bridge exists.

Direction: Defines whether the bridge is accessible one-way or bi-directionally.

Source: Defines whether the bridge is accessible from an individual host, a range of hosts, a network or any host.

Destination: Defines whether the bridge allows access to an individual host, a range of hosts, a network or any hosts.

Service: Defines what ports and services can be used across the bridge.

Protocol: Defines what protocol can be used across the bridge.

It is possible to create a narrow bridge, e.g. a one-way, single-host to single-host bridge, using a named port and protocol, or a wide or unrestricted bridge, for example, a bi-directional, any-host to any-host bridge, using any port and protocol. In general, make bridges as narrow as possible to prevent unnecessary or undesirable use.

Creating a Zone Bridging Rule

Zone bridging rules enable communications between specific parts of separate internal networks. To create a zone bridging rule:

1. Navigate to the Networking > Filtering > Zone bridging page.

2. Configure the following settings:

Source interface: From the drop-down menu, select the source network zone.

Destination interface: From the drop-down menu, select the destination network zone.

Bi-directional: Select to create a two-way bridge where communication can be initiated from either the source interface or the destination interface. Note: To create a one-way bridge where communication can only be initiated from the source interface to the destination interface and not vice versa, ensure that this option is not selected.

Protocol: From the drop-down list, select a specific protocol to allow for communication between the zones, or select All to allow all protocols.

Source IP: Enter the source IP, IP range or subnet range from which access is permitted. To create a bridge from:
A single network host, enter its IP address, for example:
A range of network hosts, enter an appropriate IP address range, for example:
A subnet range of network hosts, enter an appropriate subnet range, for example: / or /24.
Any network host in the source network, leave the field blank.

Destination IP: Enter the destination IP, IP range or subnet range to which access is permitted. To create a bridge to:
A single network host, enter its IP address, for example:
A range of network hosts, enter an IP address range, for example:
A subnet range of network hosts, enter a subnet range, for example: / or /24.
Any network host in the destination network, leave the field blank.

Service: From the drop-down list, select the services, port range or group of ports to which access is permitted. Or, select User defined and leave the Port field blank to permit access to all ports for the relevant protocol. Note: This is only applicable to TCP and UDP.

Port: If User defined is selected as the destination port, specify the port number. Or, leave the field blank to permit access to all ports for the relevant protocol.

Comment: Enter a description of the bridging rule.

Enabled: Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.

Editing and Removing Zone Bridge Rules

To edit or remove existing zone bridging rules, use Edit and Remove in the Current rules area.

A Zone Bridging Tutorial

In this tutorial, we will use the following two local network zones:

Protected network: Contains local user workstations and confidential business data. IP address: /24
DMZ: Contains a web server. IP address: /24

Note: The DMZ network zone is a DMZ in name alone; until appropriate bridging rules are created, neither zone can see or communicate with the other.

In this example, we will create a DMZ that:

Allows restricted external access to a web server in the DMZ, from the Internet.
Does not allow access to the protected network from the DMZ.
Allows unrestricted access to the DMZ from the protected network.

A single zone bridging rule will satisfy the bridging requirements, while a simple port forward will forward HTTP requests from the Internet to the web server in the DMZ.

Creating the Zone Bridging Rule

To create the rule:

1. Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:

Source interface: From the drop-down menu, select the protected network.
Destination interface: From the drop-down menu, select the DMZ.
Protocol: From the drop-down list, select All.
Comment: Enter a description of the rule.
Enabled: Select to activate the bridging rule once it has been added.

2. Click Add. Hosts in the protected network will now be able to access any host or service in the DMZ, but not vice versa.

Allowing Access to the Web Server

To allow access to a web server in the DMZ from the Internet:

1. Navigate to the Networking > Firewall > Port forwarding page and configure the following settings:

Protocol: From the drop-down list, select TCP.
Destination IP: Enter the IP address of the web server.
Source: From the drop-down menu, select HTTP (80) to forward HTTP requests to the web server.
Comment: Enter a description, such as Port forward to DMZ web server.
Enabled: Select to activate the port forward rule once it has been added.

2. Click Add.

Accessing a Database on the Protected Network

Multiple zone bridging rules can be used to further extend the communication allowed between the zones. As an extension to the previous example, a further requirement might be to allow the web server in the DMZ to communicate with a confidential database in the Protected Network. To create the rule:

1. Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:

Source interface: From the drop-down menu, select DMZ.
Destination interface: From the drop-down menu, select Protected Network.
Protocol: From the drop-down menu, select TCP.
Source IP: Enter the web server's IP address:
Destination IP: Enter the database's IP address:
Service: Select User defined.
Port: The database service is accessed on port ; enter that port number.
Comment: Enter a comment: DMZ web server to Protected Network DB.
Enabled: Select Enabled to activate the bridging rule once it has been added.

2. Click Add.
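The port-group syntax, the zone bridging rule fields and the tutorial's two rules can be modelled in a few lines to check what a rule set actually permits. The following Python is an added example, not Network Guardian code; the zone addresses (10.0.1.0/24 for the protected network, 10.0.2.0/24 for the DMZ), the web server and database addresses and the database port are constructed values, since the tutorial's own values are not reproduced on this page.

```python
"""Model of port groups and zone bridging rules as described in this chapter.
Added example, not Network Guardian code. Addresses and the database port
are constructed; the guide's tutorial values are not reproduced here."""
import ipaddress
from dataclasses import dataclass, field


def parse_ports(spec):
    """Port field syntax from the Port groups page: '80' or '1024:65535'."""
    if ":" in spec:
        lo, hi = (int(x) for x in spec.split(":", 1))
    else:
        lo = hi = int(spec)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo, hi


def parse_hosts(spec):
    """Source/Destination IP field: single host, 'a-b' range, 'net/prefix',
    or blank meaning any host in the zone (returned as None)."""
    spec = spec.strip()
    if not spec:
        return None
    if "/" in spec:
        return [ipaddress.ip_network(spec, strict=False)]
    if "-" in spec:
        a, b = (ipaddress.ip_address(x.strip()) for x in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(a, b))
    return [ipaddress.ip_network(spec)]        # single host -> /32


def in_hosts(addr, nets):
    return nets is None or any(ipaddress.ip_address(addr) in n for n in nets)


@dataclass
class Bridge:
    source_zone: str
    dest_zone: str
    protocol: str = "All"            # 'All', 'TCP', 'UDP', ...
    source_ip: str = ""              # blank = any host in the source zone
    dest_ip: str = ""                # blank = any host in the destination zone
    ports: list = field(default_factory=list)   # [] = all ports (TCP/UDP only)
    bidirectional: bool = False
    enabled: bool = True

    def allows(self, src_zone, src, dst_zone, dst, proto, port):
        if not self.enabled:
            return False
        forward = (src_zone, dst_zone) == (self.source_zone, self.dest_zone)
        reverse = self.bidirectional and \
            (src_zone, dst_zone) == (self.dest_zone, self.source_zone)
        if not (forward or reverse):
            return False
        if self.protocol != "All" and self.protocol != proto:
            return False
        # In the reverse direction the rule's source and destination swap.
        rule_src, rule_dst = (src, dst) if forward else (dst, src)
        if not in_hosts(rule_src, parse_hosts(self.source_ip)):
            return False
        if not in_hosts(rule_dst, parse_hosts(self.dest_ip)):
            return False
        if self.ports and proto in ("TCP", "UDP"):
            return any(lo <= port <= hi for lo, hi in self.ports)
        return True


def allowed(rules, src_zone, src, dst_zone, dst, proto, port):
    """Zones are isolated by default: traffic passes only if some rule matches."""
    return any(r.allows(src_zone, src, dst_zone, dst, proto, port) for r in rules)


# The tutorial's two rules with constructed addresses.
WEB, DB = "10.0.2.10", "10.0.1.20"          # constructed web server and DB hosts
TUTORIAL = [
    Bridge("Protected", "DMZ"),                     # wide: protected -> any DMZ host
    Bridge("DMZ", "Protected", protocol="TCP",      # narrow: web server -> DB port only
           source_ip=WEB, dest_ip=DB, ports=[parse_ports("5432")]),
]

if __name__ == "__main__":
    print(allowed(TUTORIAL, "Protected", "10.0.1.5", "DMZ", WEB, "TCP", 22))   # True
    print(allowed(TUTORIAL, "DMZ", WEB, "Protected", "10.0.1.5", "TCP", 22))   # False
    print(allowed(TUTORIAL, "DMZ", WEB, "Protected", DB, "TCP", 5432))         # True
```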

Group Bridging

By default, authenticated users may only access network resources within their current network zone, or that are allowed by any active zone bridging rules. Group bridging is the process of modifying this default security policy, in order to allow authenticated users from any network zone to access specific IP addresses, IP ranges, subnets and ports within a specified network zone. Authenticated groups of users can be bridged to a particular network by creating group bridging rules. A group bridging rule defines a bridge in the following terms:

Group: The group of users from the authentication sub-system that may access the bridge.

Zone: The destination network zone.

Destination: Defines whether the bridge allows access to an individual host, a range of hosts, a subnet of hosts or any hosts.

Service: Defines what ports and services can be used across the bridge.

Protocol: Defines what protocol can be used across the bridge.

Like zone bridges, group bridges can be narrow (e.g. allow access to a single host, using a named port and protocol) or wide (e.g. allow access to any host, using any port and protocol). In general, bridges should be made as narrow as possible to prevent unnecessary or undesirable use.

Group Bridging and Authentication

Group bridging uses the core authentication mechanism, meaning that users must be pre-authenticated before group bridging rules can be enforced by Network Guardian. Users can authenticate themselves using the authentication system's Login mechanism, either automatically when they try to initiate outbound web access or manually by browsing to the secure SSL Login page. Authentication can also be provided by any other mechanism used elsewhere in the system. For further information about authentication, see Chapter 11, Authentication and User Management on page

Creating Group Bridging Rules

Group bridging rules apply additional zone communication rules to authenticated users. To create a group bridging rule:

1. Navigate to the Networking > Filtering > Group bridging page.

2. Configure the following settings:

Groups: From the drop-down menu, select the group of users that this rule will apply to.

Select: Click to select the group.

Destination interface: Select the interface that the group will be permitted to access.

Destination IP: Enter the destination IP, IP range or subnet range that the group will be permitted to access. To create a rule to allow access to:
A single network host in the destination network, enter its IP address, for example:
A range of network hosts in the destination network, enter an appropriate IP address range, for example:
A subnet range of network hosts in the destination network, enter an appropriate subnet range, for example: / or /24.
Any network host in the destination network, leave the field blank.

Protocol: From the drop-down list, select a specific protocol to allow for communication between the zones, or select All to allow all protocols.

Service: From the drop-down list, select the service, port or port range to be used. To restrict to a custom port, select User defined and enter a port number in the Port field. To allow any service or port to be used, select User defined and leave the Port field empty.

Port: If applicable, enter a destination port or range of ports. If this field is blank, all ports for the relevant protocol will be permitted.

Comment: Enter a description of the rule.

Enabled: Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.

Editing and Removing Group Bridges

To edit or remove existing group bridging rules, use the Edit and Remove buttons in the Current rules region.

11 Authentication and User Management

This chapter describes how to configure authentication methods and manage users, including:

Configuring Global Authentication Settings on page 144
About Directory Servers on page 145
Managing Local Users on page 155
Managing Groups of Users on page 156
Mapping Groups on page 158
Managing Temporarily Banned Users on page 159
Managing User Activity on page 161
About SSL Authentication on page 162
Managing Kerberos Keytabs on page

Configuring Global Authentication Settings

Configuring global authentication settings entails setting the login timeout, the number of concurrent login sessions allowed and the type of authentication logging you require. To configure login and logging settings:

1. Navigate to the Services > Authentication > Settings page.

2. Configure the following settings:

Login timeout (minutes): Determines the length of time of inactivity after which a user is logged out. Accept the default or enter the timeout period. Note: Setting a short login timeout increases the load on the machine, particularly when using transparent NTLM or SSL Login. It also increases the rate of re-authentication requests. Setting a long login timeout may enable unauthorized users to access the network if users leave computers without actively logging out. The behavior of some authentication mechanisms is automatically adjusted by the timeout period. For example, the SSL Login refresh rate will update to ensure that authenticated users do not time out. For more information, see About the Login Time-out on page 181.

Concurrent login sessions (per user): Concurrent login settings determine how many logins are allowed per user. The following options are available: No limit: Select this option to allow an unlimited number of logins per user, or enter the number of logins you want to allow users.

Logging level: Logging levels determine the type of authentication logging you want. The following options are available:
Normal: Select this option to log user login and LDAP server information.
Verbose: Select this option to log user login and LDAP server information, plus request, response and result information. This option is useful when troubleshooting possible authentication issues.

3. Click Save changes. Network Guardian applies the changes.

Tip: Encourage users to pro-actively log out of the system to ensure that other users of their workstation cannot assume their privileges if the login timeout is yet to occur.

About Directory Servers

The Network Guardian authentication service is designed to enable Network Guardian to connect to multiple directory servers in order to:

Retrieve groups configured in directories, and apply network and web filtering permissions to users based on group membership within directories.
Verify the identity of a user who is trying to access network or Internet resources.

Once the connection to a directory service has been configured, Network Guardian retrieves a list of the groups configured in the directory and maps them to the groups available in Network Guardian. When the groups have been mapped, permissions and network access permissions in the filtering and outgoing sections can be granted on the basis of group membership. For information on how authentication works and interacts with other systems, see User Authentication on page 179.

Currently, Network Guardian supports the following directory servers:

Microsoft Active Directory: For more information, see Configuring a Microsoft Active Directory Connection on page 146. For information on using the legacy method to connect to Active Directory, see Configuring an Active Directory Connection: Legacy Method on page 151.

Novell eDirectory, Apple / OpenLDAP, 389 Directory: Various directories which support the LDAP protocol. For more information, see Configuring an LDAP Connection on page 147.

RADIUS: Remote Authentication Dial In User Service. For more information, see Configuring a RADIUS Connection on page

Local users: A directory of Network Guardian local users. For more information, see Configuring a Local Users Directory on page 154.

Configuring a Microsoft Active Directory Connection

The following sections explain the prerequisites for Microsoft Active Directory and how to configure Network Guardian to work with Microsoft Active Directory.

Prerequisites for Active Directory

Before you configure any settings for use with Active Directory:

On the Networking > Interfaces > Interfaces page, check that the primary, and optionally the secondary, DNS server containing the Active Directory information is specified correctly. This DNS server is used by Network Guardian for name lookups. For more information, see Network Guardian and DNS on page 181.

In Active Directory, choose or configure a non-privileged user account to use for joining the domain. Network Guardian stores this account's credentials, for instance, when backing up and replicating settings. Note: We strongly recommend that you do not use an administrator account. The account that you use needs permission to modify the Computers container. To delegate these permissions to a non-privileged user account, choose Delegate Control on the Computers container, create a custom task to delegate and, for Computer objects, grant the full control, create and delete privileges.

Ensure that the times set on Network Guardian and your Active Directory server are synchronized using NTP. For more information, refer to the Network Guardian Operations Guide.

Configuring an Active Directory Connection

The following section explains what is required to configure a connection to Active Directory. To configure the connection:

1. On the Services > Authentication > Directories page, click Add new directory.

2. In the Add new directory dialog box, select Active Directory and configure the following settings:

Status: Select Enabled to enable the connection.

Domain: Enter the full DNS domain name of the domain. Other trusted domains will be accessible automatically.

Username: Enter the username of the user account.

Password: Enter the password for the user account.

Confirm: Re-enter the password to confirm it. Click Advanced.

Cache timeout (minutes): Accept the default or specify the length of time Network Guardian keeps a record of directory-authenticated users in its cache. Network Guardian will not need to query the directory server for users who log out and log back in as long as their records are still in the cache. Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer, i.e. until the cache timeout has been passed.

Comment: Optionally, enter a comment about the directory.

3. Click Add. Network Guardian adds the directory to its list of directories and establishes the connection.

4. You must map Active Directory groups to Network Guardian groups. For a detailed description of how to do this, see Mapping Groups on page 158.

Configuring an LDAP Connection

The following section explains what is required to configure a connection to an eDirectory, Apple / OpenLDAP or 389 directory server. To configure an LDAP connection:

1. On the Services > Authentication > Directories page, click Add new directory.

2. In the Add new directory dialog box, select one of the following: eDirectory, Apple/OpenLDAP Directory or 389 Directory, and configure the following settings:

Status: Select Enabled to enable the connection.

LDAP server: Enter the directory's IP address or hostname. Note: If using Kerberos as the bind method, you must enter the hostname.

Username: Enter the username of a valid account in LDAP notation format. The format depends on the configuration of the LDAP directory. Normally it should look something like this:
cn=user,ou=container,o=organization
This is what is referred to in Novell eDirectory as tree and context. A user that is part of the tree Organization and in the context Sales would have the LDAP notation:
cn=user,ou=sales,o=organization
For Apple Open Directory, when not using Kerberos, the LDAP username can be written as:
uid=user,cn=users,dc=example,dc=org
Consult your directory documentation for more information.

Password: Enter the password of a valid account. Note: A password is not required if using simple bind as the bind method.

Confirm: Re-enter the password to confirm it.

Bind method: Accept the default bind method, or from the drop-down list, select one of the following options:
TLS (with password): Select to use Transport Layer Security (TLS).
Kerberos: Select to use Kerberos authentication.
Simple bind: Select to bind without encryption. This is frequently used by directory servers that do not require a password for authentication.

Kerberos realm: If using Kerberos, enter the Kerberos realm. Use capital letters.

User search root: Enter where in the directory Network Guardian should start looking for user accounts. Usually, this is the top level of the directory. For example:
ou=myusers,dc=mydomain,dc=local
In LDAP form, this is seen in the directory as dc=mycompany,dc=local. OpenLDAP based directories will often use the form o=myorganization. Apple Open Directory uses the form:
cn=users,dc=example,dc=org
A Novell eDirectory will refer to this as the tree, taking the same form as the OpenLDAP-based directories: o=myorganization.
Note: In larger directories, it may be a good idea to narrow down the user search root so Network Guardian does not have to look through the entire directory. For example, if all users that need to be authenticated have been placed in an organizational unit, the user search root can be narrowed down by adding ou=userunit in front of the domain base.
Note: When working with multi-domain environments, the user search root must be set to the top level domain.

Group search roots: Enter where in the directory Network Guardian should start looking for user groups. Usually this will be the same location as configured in the user search root field. For example:
ou=mygroups,dc=mydomain,dc=local
Apple Open Directory uses the form:
cn=groups,dc=example,dc=org
Note: With larger directories, it may be necessary to narrow down the group search root. Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured. The principle is the same as with the user search root setting. If there are multiple OUs containing groups that need to be mapped, add the other locations in the advanced section.

Cache timeout: Accept the default or specify the length of time Network Guardian keeps a record of directory-authenticated users in its cache. Network Guardian does not query the directory server for users who log out and log back in as long as their records are still in the cache.

LDAP port: Accept the default or enter the LDAP port to use. Note: LDAPS (SSL) will be used automatically if you enter port number 636.

Extra user search roots: This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter one search root per line.

Extra group search roots: Optionally, enter where in the directory Network Guardian should start looking for more user groups. Enter one search root per line. For more information, see Working with Large Directories on page 182.

Extra realms: This setting enables you to configure subdomains manually using DNS. Use the following format:
<realm><space><kdc server>
For example:
example.org kdc.example.org
Enter one realm per line.

Discover Kerberos realms through DNS: Only available if you have selected Kerberos as the authentication method. Select this advanced option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Network Guardian to try to find all the domains in the directory server by querying the DNS server that holds the directory information.

Comment: Optionally, enter a comment about the directory.

3. Click Add. Network Guardian adds the directory to its list of directories and establishes the connection.

4. You must map LDAP groups to Network Guardian groups. For a detailed description of how to do this, see Mapping Groups on page 158.

Configuring a RADIUS Connection

You can configure Network Guardian to use a Remote Authentication Dial In User Service (RADIUS) as an authentication service.

Prerequisites

Before you configure any settings:

Configure the RADIUS server to accept queries from Network Guardian. Consult your RADIUS server documentation for more information.

Configuring the Connection

To configure the connection:

1. On the Services > Authentication > Directories page, click Add new directory.

2. In the Add new directory dialog box, select RADIUS and configure the following settings:

Status: Select Enabled to enable the connection.

RADIUS server: Enter the hostname or IP address of the RADIUS server.

Secret: Enter the secret shared with the server.

Confirm: Re-enter the secret to confirm it.

Action on login failure:
Try next directory server: Select this option if users in RADIUS are unrelated to users in any other directory server.
Deny access: Select this option if the RADIUS password should override the password set in another directory server, for example when using an authentication token.

Identifying IP address: Enter the IP address to use to identify the caller connecting to the RADIUS server, if it must be different from the internal IP address of the system.

Obtain groups from RADIUS: If the RADIUS server can provide group information, select this option to enable Network Guardian to use the group information in the RADIUS Filter-Id attribute. When not enabled, Network Guardian will use group information from the next directory server in the list. If there are no other directories in the list, Network Guardian will place all users in the Default Users group.

Cache timeout (minutes): Accept the default or specify the length of time Network Guardian keeps a record of directory-authenticated users in its cache. Network Guardian does not query the directory server for users who log out and log back in as long as their records are still in the cache.

Port: Accept the default port or specify a UDP port to use when communicating with the RADIUS server. The default is port

Comment: Optionally, enter a comment about the directory.

3. Click Add. Network Guardian adds the directory to its list of directories and establishes the connection.

4. You must map RADIUS groups to Network Guardian groups. For a detailed description of how to do this, see Mapping Groups on page 158. Note that you must use the same RADIUS group names as configured for the group_attribute parameter in your RADIUS server. For more information, refer to your RADIUS server documentation.
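The Secret and Obtain groups from RADIUS settings above rest on two parts of RFC 2865: the shared secret authenticates the server's reply, and group names arrive as Filter-Id attributes. The following Python is an added example (not Network Guardian code and not any RADIUS server's code) that builds an Access-Request, checks the Response Authenticator of the reply against the shared secret before trusting it, and extracts the Filter-Id values; the secret, user name, password, NAS address and group names are all constructed.

```python
"""RFC 2865 Access-Request / Access-Accept handling with a shared secret,
plus Filter-Id group extraction. Added example, not Network Guardian code;
every secret, name and address below is constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11


def attr(atype, value):
    """Encode one attribute: Type (1 byte), Length (1 byte), Value."""
    assert len(value) <= 253, "attribute value too long"
    return bytes([atype, len(value) + 2]) + value


def hide_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 section 5.2): pad to a multiple of 16
    bytes, then XOR each block with MD5(secret + previous block), where the
    first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Return (packet, request_authenticator). The Request Authenticator is 16
    random bytes; the client keeps it to verify the server's reply."""
    ra = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attr(NAS_IP_ADDRESS, bytes(int(x) for x in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra


def parse_attrs(payload):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def verify_response(packet, secret, request_authenticator):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A reply that fails this check was not produced by a holder of the secret."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return expected == packet[4:20]


def groups_from_accept(packet, secret, request_authenticator):
    """Filter-Id values of a verified Access-Accept; None if the reply does
    not verify, [] if it verifies but is not an Access-Accept."""
    if not verify_response(packet, secret, request_authenticator):
        return None
    if packet[0] != ACCESS_ACCEPT:
        return []
    return [v.decode() for t, v in parse_attrs(packet[20:]) if t == FILTER_ID]


def build_response(code, ident, secret, request_authenticator, attrs):
    """Server side of the exchange (for the demonstration): sign a reply."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + auth + attrs


# Constructed exchange: one request and the server's signed Access-Accept.
SECRET = b"constructed-shared-secret"
REQUEST, RA = build_access_request(7, SECRET, "alice", "hunter2", "192.0.2.1")
ACCEPT = build_response(ACCESS_ACCEPT, 7, SECRET, RA,
                        attr(FILTER_ID, b"staff") + attr(FILTER_ID, b"vpn-users"))

if __name__ == "__main__":
    print(groups_from_accept(ACCEPT, SECRET, RA))            # ['staff', 'vpn-users']
    print(groups_from_accept(ACCEPT, b"wrong-secret", RA))   # None
```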

Configuring an Active Directory Connection: Legacy Method

Note: This is the legacy method of configuring an Active Directory connection. For a simpler method, we recommend that you use the latest method; see Configuring a Microsoft Active Directory Connection on page 146 for more information.

The following sections explain the prerequisites for Microsoft Active Directory and how to use the legacy method to configure Network Guardian to work with Microsoft Active Directory.

Prerequisites for Active Directory

Before you configure any settings for use with Active Directory:

Run the Network Guardian Setup program and check that the DNS server containing the Active Directory information is specified correctly. This DNS server is used by Network Guardian for name lookups. For more information, see Network Guardian and DNS on page 181 and the Network Guardian Getting Started Guide.

Check that DNS reverse lookup is configured on the Active Directory DNS server for the Active Directory servers.

Ensure that the times set on Network Guardian and your Active Directory server are synchronized.

Note: Do not use the administrator account as the lookup user. Often the administrator account will not have a Windows 2000 username, preventing the account from being used by the authentication service.

Configuring an Active Directory Connection

Configuring an Active Directory connection entails specifying server details and, optionally, the Kerberos realm to use, search roots and any advanced settings required. To configure the connection:

1. Navigate to the Services > Authentication > Directories page.

2. In the Add directory server area, from the Directory server drop-down list, select Active Directory and click Next. Network Guardian displays the settings for Active Directory.

3. Configure the following settings:

Status: Select Enabled to enable the connection.

Active Directory server
    Enter the directory server's full hostname. Note: For Microsoft Active Directory, Network Guardian requires DNS servers that can resolve the Active Directory server hostnames. Often, these will be the same servers that hold the Active Directory. The Active Directory DNS servers will need a reverse lookup zone with pointer (PTR) records for the Active Directory servers for a successful lookup to be able to take place. Refer to the Microsoft DNS server help if you need assistance in setting up a reverse lookup zone. See also Network Guardian and DNS on page 181 for more information.
Username
    Enter the username of a valid account. Enter the username without the domain. The domain will be added automatically by Network Guardian. In a multi-domain environment, the username must be a user in the top level domain. For more information, see Active Directory on page 182.
Password
    Enter the password of a valid account.
Confirm
    Re-enter the password to confirm it.
Cache timeout (minutes)
    Accept the default or specify the length of time Network Guardian keeps a record of directory-authenticated users in its cache. Network Guardian will not need to query the directory server for users who log out and log back in as long as their records are still in the cache. Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer, i.e. until the cache timeout has been passed.
Kerberos realm
    Optionally, select Automatic or enter the Kerberos realm.
User search root
    Optionally, to configure Network Guardian to start looking for user accounts at the top level of the directory, select Automatic. Or enter the user search root to start looking in, for example: ou=myusers,dc=mydomain,dc=local
    Note: When working with multi-domain environments, the user search root must be set to the top level domain.
Group search root
    Optionally, to configure Network Guardian to start looking for user groups at the top level of the directory, select Automatic. Or enter the group search root to start looking in, for example: ou=mygroups,dc=mydomain,dc=local
    Note: Some directories will not return more than results for a search, so if there are more than groups in the directory, a more specific group search root needs to be configured.
Comment
    Optionally, enter a comment about the directory server and the settings used.
Enabled
    Select this option to enable the connection to the directory server.

4. Optionally, click Advanced to access and configure the following settings:

LDAP port
    Accept the default, or enter the LDAP port to use.
Discover Kerberos realms through DNS
    Select this option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Network Guardian to try to find all the domains in the directory server by querying the DNS server that holds the directory information.
Use samaccountname
    This setting applies when using Microsoft Windows NT4 or older installations. Enter the samaccountname to override the userprincipalname.
NetBIOS workgroup
    This setting applies when using NTLM authentication with Guardian. Network Guardian cannot join domains required for NTLM authentication where the workgroup, also known as the NetBIOS domain name or pre-Windows 2000 domain name, is not the same as the Active Directory domain. Select Automatic or enter the NetBIOS domain name to use when joining the workgroup.
Extra user search roots
    This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter search roots one per line.
Extra group search roots
    Optionally, enter where in the directory Network Guardian should start looking for more user groups. Enter search roots one per line. For more information, see Working with Large Directories on page 182.
Extra realms
    This setting enables you to configure subdomains manually, as opposed to automatically using DNS. Use the following format:
        <realm><space><kdc server>
    For example:
        example.org kdc.example.org
    Enter one realm per line.

5. Click Add. Network Guardian adds the directory to its list of directories and establishes the connection.
6. You must map Active Directory groups to Network Guardian groups. For a detailed description of how to do this, see Mapping Groups on page
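The search roots and the Extra realms lines in the tables above are free text, and a typo in them only shows up when the directory connection is diagnosed. The following script is an added example, not Smoothwall code, that checks those values offline before they are entered: it validates each search root as an LDAP DN, applies the rule that in a multi-domain environment the user search root must be the top level domain (interpreted here, as an assumption, as a DN made only of dc= components), and parses Extra realms lines in the "<realm><space><kdc server>" format. All setting values below are constructed.

```python
"""Check Active Directory connection settings before entering them in Network Guardian.

Added example; this is not Smoothwall code. "Top level domain" for the multi-domain
rule is interpreted here (an assumption) as a DN made only of dc= components.
All sample inputs are constructed.
"""
import re

# One RDN: attribute=value. LDAP escapes for commas or '=' inside values are
# not handled by this check.
RDN_RE = re.compile(r"^(?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>[^,=]+)$")


def parse_dn(dn: str):
    """Split an LDAP DN into [(attr, value), ...]; raise ValueError on a malformed RDN."""
    rdns = []
    for part in dn.split(","):
        m = RDN_RE.match(part.strip())
        if not m:
            raise ValueError(f"malformed RDN {part.strip()!r} in {dn!r}")
        rdns.append((m.group("attr").lower(), m.group("value").strip()))
    return rdns


def is_top_level(dn: str) -> bool:
    """True when the DN names a domain itself, e.g. dc=mydomain,dc=local (assumption)."""
    return all(attr == "dc" for attr, _ in parse_dn(dn))


def parse_extra_realms(text: str) -> dict:
    """Parse '<realm> <kdc server>' lines into {realm: kdc}; blank lines are ignored."""
    realms = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"extra realms line {lineno}: expected '<realm> <kdc server>', got {line!r}")
        realm, kdc = parts
        if realm in realms:
            raise ValueError(f"extra realms line {lineno}: realm {realm} is listed twice")
        realms[realm] = kdc
    return realms


def check_settings(user_root: str, group_root: str, extra_user_roots: str,
                   extra_group_roots: str, extra_realms: str, multi_domain: bool):
    """Return a list of problems; an empty list means the settings pass these checks."""
    problems = []
    roots = [("User search root", user_root), ("Group search root", group_root)]
    roots += [("Extra user search root", r) for r in extra_user_roots.splitlines() if r.strip()]
    roots += [("Extra group search root", r) for r in extra_group_roots.splitlines() if r.strip()]
    for label, dn in roots:
        if dn.strip().lower() == "automatic":      # Automatic is a valid UI choice, not a DN
            continue
        try:
            parse_dn(dn)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    if multi_domain and user_root.strip().lower() != "automatic":
        try:
            if not is_top_level(user_root):
                problems.append("User search root: must be the top level domain in a multi-domain environment")
        except ValueError:
            pass                                    # already reported above
    try:
        parse_extra_realms(extra_realms)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed inputs mirroring the examples in the settings tables.
GOOD = dict(
    user_root="dc=mydomain,dc=local",
    group_root="ou=mygroups,dc=mydomain,dc=local",
    extra_user_roots="ou=staff,dc=mydomain,dc=local\nou=students,dc=mydomain,dc=local",
    extra_group_roots="",
    extra_realms="example.org kdc.example.org\nchild.example.org kdc.child.example.org",
    multi_domain=True,
)
BAD = dict(
    user_root="ou=myusers,dc=mydomain,dc=local",   # not top level in a multi-domain setup
    group_root="ou=mygroups dc=mydomain,dc=local",  # missing comma between RDNs
    extra_user_roots="",
    extra_group_roots="",
    extra_realms="example.org\n",                    # KDC server missing
    multi_domain=True,
)

if __name__ == "__main__":
    for name, settings in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_settings(**settings) or "no problems found")
```

The script reports problems per setting name so they can be corrected in the matching field of the dialog box; it does not contact the directory, so DNS and time synchronization still have to be checked as described under Prerequisites.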

Configuring a Local Users Directory

Network Guardian stores user account information, comprising usernames, passwords and group membership, in local user directories so as to provide a standalone authentication service for network users.

To configure a local users directory:

1. On the Services > Authentication > Directories page, click Add new directory.
2. In the Add new directory dialog box, select Local users and configure the following settings:

Status
    Select Enabled to enable the connection.
Name
    Accept the default name or enter a new name.
Comment
    Optionally, enter a comment about the directory.

3. Click Add. Network Guardian adds the directory to its list of directories. For information on adding and managing local users, see Managing Local Users on page 155.

Reordering Directory Servers

Tip: If most of your users are in one directory, list that directory first so as to reduce the number of queries required. If user passwords are checked by a RADIUS server and group information is obtained from LDAP, list the RADIUS server first.

To reorder directory servers:

1. On the Services > Authentication > Directories page, select the directory server you want to move and click Up or Down until the server is where you want it.
2. Repeat the step above for any other directories you want to move.
3. Click Save moves. Network Guardian applies the changes.

Tip: You can also drag and drop directories to where you want them. Just remember to click Save moves.

Editing a Directory Server

To edit a directory server:

1. On the Services > Authentication > Directories page, point to the directory server and click Edit. The Edit directory dialog box opens.
2. Make the changes required; see About Directory Servers on page 145 for information on the settings available.
3. Click Save changes. Network Guardian applies the changes.

Deleting a Directory Server

To delete a directory server:

1. On the Services > Authentication > Directories page, point to the directory server and click Delete. When prompted, confirm that you want to delete the directory. Network Guardian deletes the server.

Diagnosing Directories

It is possible to review a directory's status and run diagnostic tests on it.

To diagnose a directory:

1. On the Services > Authentication > Directories page, point to the directory server and click Diagnose. Network Guardian displays current directory connection, user account and status information.

Tip: You can diagnose multiple directories at the same time. Select the directories and click Diagnose.

Managing Local Users

Network Guardian stores user account information, comprising usernames, passwords and group membership, in local user directories so as to provide a standalone authentication service for network users.

Adding Users

To add a user to a local user directory:

1. On the Services > Authentication > Directories page, click on the local user directory you want to add a user to. Network Guardian displays any current local users.
2. Click Add new user. In the Add new user dialog box, configure the following settings:

Enabled
    Select to enable the user account.
Username
    Enter the user account name.
Password
    Enter the password associated with the user account. Passwords must be a minimum of six characters long.
Repeat password
    Re-enter the password to confirm it.
Select group
    From the drop-down menu, select a group to assign the user account to.

3. Click Add. Network Guardian saves the information.
4. Repeat the steps above to add more users.

Editing Local Users

To edit an existing user's details:

1. On the Services > Authentication > Directories page, click on the local user directory containing the user account you want to edit. Network Guardian displays current local users.
2. Point to the user account and click Edit. In the Edit user dialog box, make the changes required. See Adding Users on page 155 for more information on the settings available.
3. Click Save changes. Network Guardian applies the changes.

Deleting Users

To delete users:

1. On the Services > Authentication > Directories page, click on the local user directory containing the user account(s) you want to delete. Network Guardian displays current local users.
2. Point to the user account and click Delete. When prompted, confirm that you want to delete the account. Network Guardian deletes the account.
3. Repeat the steps above to delete other accounts.

Managing Groups of Users

The following sections discuss groups of users and how to manage them.

About Groups

Network Guardian uses the concept of groups to provide a means of organizing and managing similar user accounts. Authentication-enabled services can associate permissions and restrictions with each group of user accounts, thus enabling them to dynamically apply rules on a per-user account basis. Local users can be added or imported to a particular group, with each group being organized to mirror an organization's structure. Groups can be renamed by administrators to describe the users that they contain.

Currently, Network Guardian supports 1000 groups and, by default, contains the following groups:

Unauthenticated IPs
    The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for unauthenticated users, i.e. users that are not logged in, currently unauthenticated or cannot be authenticated. Note: This group cannot be renamed or deleted.

Default Users
    Users can be mapped to Default Users. The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for users that are not specifically mapped to a Network Guardian group, i.e. users that can be authenticated, but who are not mapped to a specific Network Guardian authentication group. Note: This group cannot be renamed or deleted.
Banned Users
    The purpose of this group is to contain users who are banned from using an authentication-enabled service. Note: This group cannot be renamed or deleted.
Network Administrators
    This group is a normal user group, configured with a preset name, and set up for the purpose of granting network administrators access to an authentication-enabled service. Because the Network Administrators group is a normal group with a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of permissions or restrictions.

Adding Groups

It is possible to add groups to Network Guardian. Currently, Network Guardian supports 1000 groups.

To add a group:

1. On the Services > Authentication > Groups page, click Add new group.
2. In the Add new group dialog box, enter the following information:

Name
    Enter a name for the group.
Comment
    Optionally, enter a comment.

3. Click Add. Network Guardian creates the group and lists it.

Editing Groups

Note: It is not possible to rename the Unauthenticated IPs, Default Users or Banned Users groups.

To edit a group:

1. On the Services > Authentication > Groups page, point to the group and click Edit.
2. In the Edit group dialog box, enter the following information:

Name
    When renaming a group, enter a new name.
Comment
    Edit or enter a new comment.

3. Click Save changes. Network Guardian applies the changes.

Deleting Groups

Note: It is not possible to delete the Unauthenticated IPs, Default Users or Banned Users groups.

To delete a group or groups:

1. On the Services > Authentication > Groups page, select the group(s) and click Delete.
2. When prompted to confirm the deletion, click Delete. Network Guardian deletes the group(s).

Mapping Groups

Once you have successfully configured a connection to a directory, you can map the groups Network Guardian retrieves from the directory in order to apply permissions and restrictions to the users in the groups.

Note: These instructions apply only to directories that are not configured as Local users. For a detailed description of how to map local users, see Managing Local Users on page 155.

To map directories to Network Guardian groups, do the following:

1. Browse to Services > Authentication > Directories.
2. Expand the relevant directory group, and click Add new group mapping.
3. Configure the following parameters:

Directory group
    Depending on the directory service configured, add or select the directory group to map from.
Local group
    From the drop-down menu, select the relevant Network Guardian group.
Enabled
    Select this option to enable or disable the group mapping.

4. Click Add.

Remapping Groups

It is possible to change group mappings.

To remap groups, do the following:

1. Browse to Services > Authentication > Directories.
2. Expand the relevant directory group, and select the relevant group mapping.
3. Click Edit.
4. Change the Directory group and/or the Local group as required.
5. Click Save changes.

Deleting Group Mappings

It is possible to delete group mappings.

To delete one or more group mappings, do the following:

1. Browse to Services > Authentication > Directories.
2. Expand the relevant directory group, and select the relevant group mapping.
3. Click Delete.
4. Click Delete to confirm the deletion.

Managing Temporarily Banned Users

Network Guardian enables you to temporarily ban specific user accounts. When temporarily banned, the user is added to the Banned users group.

Note: You can apply any web filtering policy to the Banned users group.

Creating a Temporary Ban

Note: Only administrators and accounts with Temp ban access can manage banned accounts. For more information, refer to the Network Guardian Operations Guide.

To ban an account temporarily:

1. Navigate to the Services > Authentication > Temporary bans page.
2. Click Add new temporary ban. In the Add new temporary ban dialog box, configure the following settings:

Status
    Select Enabled to enable the ban immediately.
Username
    Enter the user name of the account you want to ban.

Ban expires
    Click and select when the ban expires.
Comment
    Optionally, enter a comment explaining why the account has been banned.

3. Click Add. Network Guardian enforces the ban immediately.

Tip: You can edit the block page displayed to banned users so that it gives them information on the ban in force. For more information, refer to the Network Guardian Operations Guide.

Tip: There is also a ban option on the Services > Authentication > User activity page; for more information, see Managing User Activity on page 161.

Removing Temporary Bans

To remove a ban:

1. Navigate to the Services > Authentication > Temporary bans page.
2. In the Current rules area, select the ban and click Remove. Network Guardian removes the ban.

Removing Expired Bans

To remove bans which have expired:

1. Navigate to the Services > Authentication > Temporary bans page.
2. In the Current rules area, click Remove all expired. Network Guardian removes all bans which have expired.

Managing User Activity

Network Guardian enables you to see who is logged in and who has recently logged out. You can also log users out and/or ban them.

Viewing User Activity

To view activity:

1. Navigate to the Services > Authentication > User activity page. Network Guardian displays who is logged in, who recently logged out, the group(s) the user belongs to, their source IP and the method of user authentication. Recently logged out users are listed for 15 minutes.

Logging Users Out

To log a user out:

1. On the Services > Authentication > User activity page, point to the user you want to log out and click Log user out. Network Guardian logs the user out immediately and lists them as logged out.

Note: Logging a user out is not the same as blocking a user from accessing web content. Connection-based authentication will automatically log the user back in. If the user is using SSL login, they will be prompted to authenticate again.

Banning Users

To ban a user:

1. On the Services > Authentication > User activity page, point to the user you want to ban and click Ban user. Network Guardian copies the user's information and displays it on the Services > Authentication > Temporary bans page, where you can configure the ban. For more information, see Creating a Temporary Ban on page

About SSL Authentication

Network Guardian provides SSL Login as a built-in authentication mechanism which can be used by authentication-enabled services to apply permissions and restrictions on a customized, per-user basis. When SSL Login is configured, network users requesting port 80 for outbound web access will be automatically redirected to a secure login page, the SSL Login page, and prompted for their user credentials.

The SSL Login page can be manually accessed by users wishing to pro-actively authenticate themselves, typically where they need to use a non-web authentication-enabled service, for example, group bridging, or where only a small subset of users require authentication.

SSL Login authentication works by dynamically adding a rule for the IP address of each authenticated user, thus allowing SSL Login redirection to be bypassed for authenticated users. When an authenticated user logs out or exceeds the time-out limit, the rule is removed and future outbound requests on port 80 will again cause automatic redirection to the SSL Login page.

For information on the authentication methods that can be used with SSL login, see Managing Authentication Policies on page 86.

Customizing the SSL Login Page

When using SSL as an authentication method, it is possible to customize the title image, background image and message displayed on an SSL login page.

Customizing the Title Image

It is possible to customize the title image displayed on the SSL login page.

To upload a custom title image:

1. Browse to the Services > Authentication > SSL login page.
2. Click the Title image Browse/Select file button. Using your browser's controls, locate and select the file.
3. Click Save changes. Network Guardian uploads the file and makes it available on the SSL login page.

Customizing the Background Image

It is possible to customize the background image used on an SSL login page.

To upload a background image:

1. On the Services > Authentication > SSL login page, click the Background image Browse/Select file button. Using your browser's controls, locate and select the file.
2. Click Save changes. Network Guardian uploads the file and makes it available on the SSL login page.

Removing Custom Files

To remove a custom file:

1. Browse to the Services > Authentication > SSL login page.
2. To remove the title image, adjacent to Title image, click Delete.
3. To remove the background image, adjacent to Background image, click Delete.

Customizing the Message

It is possible to provide users with a customized message.

To customize the login message:

1. Navigate to the Services > Authentication > SSL login page.
2. In the Customize SSL Login area, enter your custom message in the SSL login page text box.
3. Click Save changes to apply the new message.

Reviewing SSL Login Pages

You can review SSL Login pages.

To review the SSL Login page:

1. In the web browser of your choice, enter your Network Guardian system's IP address followed by /login or, using HTTPS, the IP address followed by :442/login. Network Guardian displays the SSL login page.

Managing Kerberos Keytabs

Note: When using Microsoft Active Directory for authentication, Kerberos keys are managed automatically. For other directory servers, it is necessary to import keytabs manually; see the following section for information on how to do this.

A Kerberos keytab is a file which contains pairs of Kerberos principals and encrypted keys. By importing and using Kerberos keytabs, Network Guardian services, such as authentication, can use the interoperability features provided by Kerberos. For information on using Kerberos as the authentication method in authentication policies, refer to the Network Guardian Operations Guide.

Adding Keytabs

The following section explains how to add Kerberos keytabs into Network Guardian. For information on generating keytabs, consult the documentation delivered with your directory server. Also, available at the time of writing, see cc753771%28v=ws.10%29.aspx, which discusses how to get a keytab from Active Directory.

To add a keytab:

1. Browse to the Services > Authentication > Kerberos keytabs page.
2. Click Add new keytab and configure the following settings:

Status
    Accept the default setting to enable the keytab.
Name
    Enter a descriptive name for the keytab.
File
    Using your browser, locate and select the keytab.
Comment
    Optionally, enter a comment to describe the keytab.

3. Click Add. Network Guardian adds the keytab and lists it in the Kerberos keytabs area.
4. Repeat the steps above for any other keytabs you need to import.

Managing Keytabs

The following sections explain how to enable, view, edit and delete Kerberos keytabs.

Disabling Keytabs

Kerberos keytabs are enabled by default. It is possible to disable a Kerberos keytab when required, for example, when troubleshooting.

To disable a keytab:

1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3. In the Edit keytab dialog box, clear the Enabled option. Click Save changes to save the setting. Network Guardian disables the keytab.

Viewing Keytab Content

It is possible to view the contents of a Kerberos keytab.

To view a Kerberos keytab:

1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3. In the Edit keytab dialog box, click the keytab's display arrow. Network Guardian displays the content.

Editing Keytabs

It is possible to change the name of the Kerberos keytab file.

To change the name of the Kerberos keytab file:

1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3. In the Edit keytab dialog box, change the name as required and click Save changes. Network Guardian changes the name and lists the Kerberos keytab in the Installed Kerberos keytabs area.

Deleting Keytabs

It is possible to delete Kerberos keytabs that are no longer required.

To delete a Kerberos keytab:

1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Delete.
3. When prompted to confirm the deletion, click Delete. Network Guardian deletes the keytab.
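Managing Kerberos Keytabs above describes a keytab as a file of principal and key pairs, and Viewing Keytab Content shows how Network Guardian displays one. Before a keytab generated on a directory server is imported, it is worth checking what it contains: which principals, which key version numbers, and which encryption types. The following script is an added example, not Smoothwall code and not how Network Guardian stores keytabs; it assumes the MIT 0x0502 keytab layout (written by MIT Kerberos, Heimdal and Windows ktpass), summarises each entry without exposing the key bytes, and flags entries that still carry deprecated DES or RC4 keys. The sample keytab is constructed in memory with dummy key bytes.

```python
"""Summarise the entries in an MIT-format Kerberos keytab without exposing key bytes.

Added example, not Smoothwall code. Assumes the MIT 0x0502 keytab layout (as written
by MIT Kerberos, Heimdal and Windows ktpass). The sample keytab is constructed in
memory with dummy key bytes.
"""
import struct
import time

KEYTAB_VERSION = b"\x05\x02"
# Kerberos encryption type numbers from the IANA registry.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
# DES (RFC 6649) and RC4 (RFC 8429) are deprecated; a keytab that still holds
# such a key lets the service accept tickets issued with it.
WEAK_ENCTYPES = {1, 3, 23}


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int):
    (length,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + length], pos + 2 + length


def build_entry(principal: str, kvno: int, enctype: int, key: bytes,
                name_type: int = 1, timestamp: int = 0) -> bytes:
    """Serialise one size-prefixed keytab entry (used here only to build the sample)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for component in components:
        body += _counted(component.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)   # name type, time, 8-bit kvno
    body += struct.pack(">H", enctype) + _counted(key)               # keyblock
    body += struct.pack(">I", kvno)                                  # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return KEYTAB_VERSION + b"".join(entries)


def parse_keytab(data: bytes):
    """Return one summary dict per entry; the key itself is reported by length only."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                # a negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        components = []
        for _ in range(ncomp):
            component, pos = _read_counted(data, pos)
            components.append(component.decode())
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_counted(data, pos + 11)
        if end - pos >= 4:          # 32-bit kvno overrides the 8-bit field when present and non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append({
            "principal": "/".join(components) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(timestamp)),
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
            "key_length": len(key),
            "weak": enctype in WEAK_ENCTYPES,
        })
    return entries


def weak_principals(entries):
    """Principals that still carry a DES or RC4 key, with the offending enctype."""
    return [f"{e['principal']} ({e['enctype']})" for e in entries if e["weak"]]


# Constructed sample: one service principal with an AES256 key and a leftover
# RC4 key at the same kvno. Key bytes are dummies.
SAMPLE_KEYTAB = build_keytab([
    build_entry("HTTP/proxy.example.org@EXAMPLE.ORG", 3, 18, bytes(range(32)), timestamp=1417392000),
    build_entry("HTTP/proxy.example.org@EXAMPLE.ORG", 3, 23, bytes(range(16)), timestamp=1417392000),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print("weak keys:", weak_principals(parse_keytab(SAMPLE_KEYTAB)))
```

To run it against a real file, replace SAMPLE_KEYTAB with the bytes read from the keytab; the summary is safe to paste into a change record because it never includes the key material, only its length and type.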

12 Centrally Managing Smoothwall Systems

This chapter describes how to configure and maintain a centrally managed Smoothwall system, including:

- About Centrally Managing Smoothwall Systems on page 167
- Setting up a Centrally Managed Smoothwall System on page 168
- Managing Nodes in a Smoothwall System on page 173
- Using BYOD in a Centrally Managed System on page 177

About Centrally Managing Smoothwall Systems

Network Guardian's central management enables you to monitor and manage nodes in a Smoothwall system. A Smoothwall system is comprised of an instance of a Smoothwall product running as a parent node and one or more compatible Smoothwall products running as child nodes managed by the parent node.

Configuring and managing a Smoothwall system entails:

- Configuring a parent and the nodes in the system; for more information, see Setting up a Centrally Managed Smoothwall System on page 168
- Actively monitoring the nodes in the system; for more information, see Monitoring Node Status on page 174
- Applying updates; for more information, see Scheduling and Applying Updates to One or More Nodes on page 175
- Rebooting nodes as required; for more information, see Rebooting Nodes on page 176
- Disabling nodes as required; for more information, see Disabling Nodes on page

Prerequisites

Before you start to set up a centrally managed Smoothwall system:

- Check that all the Smoothwall machines you intend to include in the system have the latest updates applied. For more information, refer to the Network Guardian Operations Guide.
- Check that you have administrator access to all of the computers you want to include in the system.
- Check that there is IP access from the computer that will be the parent node to the computers that will be child nodes in the system.

Setting up a Centrally Managed Smoothwall System

Setting up a centrally managed Smoothwall system entails:

- Configuring the parent node in the system
- Configuring child node settings, installing the central management key and enabling SSH on child nodes
- Adding child nodes to the system.

Configuring the Parent Node

The first step when configuring a Smoothwall system is to configure the parent node in the system.

To configure the parent node:

1. Log in to the instance of Network Guardian you want to function as the parent node.
2. Browse to the System > Central management > Local node settings page.

3. Configure the following settings:

Local node options
    Parent node: Select this option to enable central management and configure this instance of Network Guardian as the parent node in the Smoothwall system.

4. Click Save. This instance of Network Guardian becomes the parent node and can be used to centrally manage the Smoothwall system.

Configuring Child Nodes

Every child node in a Smoothwall system must have a central management key installed and SSH enabled.

To configure a child node:

1. On the system's parent node, browse to the System > Central management > Local node settings page.
2. Configure the following settings:

Local node options
    Parent node: Check that this option is selected so that you can generate a central management key for installation on child nodes.
Manage central management keys
    Central management key: Click Download to download and save the central management key in a secure, accessible location for distribution to the child nodes in the system.

3. On the Smoothwall system you want to add as a child node, browse to the System > Central management > Local node settings page and configure the following settings:

Local node options
    Child node: Select this option to configure this machine as a child node in the system. Click Save to save this setting.
Manage central management keys
    Upload central management key: Using your browser's controls, browse to and select the key. Click Save to upload the key to the child node.

Note: If you are reconfiguring a child node to be the child of a new parent, reboot the child node to apply the changes.

4. On the System > Administration > Admin options page, select SSH and click Save.
5. Repeat step 3 and step 4 above on any other machines you want to use as child nodes. When finished, you are ready to add them to the system. See Adding Child Nodes to the System on page 170 for more information.

Adding Child Nodes to the System

When you have installed the central management key and enabled SSH on all child nodes, you are ready to add them to the system. You can add nodes:

- Manually, by adding each node separately; see Manually Adding Child Nodes on page 170
- By importing node information from a CSV file; for more information, see Importing Nodes into the System on page 171.

Manually Adding Child Nodes

Adding child nodes manually entails entering the information for each node separately.

To add child nodes manually:

1. On the parent node, browse to the System > Central management > Child nodes page.

2. Click Add node and configure the following settings:

Node details
    Node name: Enter a unique name to identify the node. Node names may only consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
    IP/hostname: Enter the IP address or hostname of the child node.
    Comment: Optionally, enter a comment describing the child node.
Node settings
    Replication profile: From the drop-down list, select the replication profile to be deployed on the child node. The replication profile enables the sharing of system settings between nodes. For information on configuring a replication profile, refer to the Network Guardian Operations Guide.
    Central logging: Select to enable central logging for the child node. Note: Do not select this option if you want to access the child node's logs on the child node itself.
    Allow parent to monitor status: Select to enable central monitoring for the child node.
    Allow parent to manage resources: Select to enable the parent node in the group to manage child node resources such as quotas which limit user access to web content. When enabled and quotas have been used in a web filtering policy, the parent ensures that users cannot access content for longer than allowed by using different child nodes.

3. Select Enable node and click Confirm. When prompted, review the node details and then click Save to add the node.
4. Repeat step 2 and step 3 for each node you want to add to the system.
5. When you have added all of the nodes, browse to the System > Central management > Overview page. The parent node lists the child nodes and displays their current status. For more information, see Monitoring Node Status on page 174.

Importing Nodes into the System

If child node information is available in a comma-separated (CSV) file, you can import it directly into the parent node.

About the CSV File

Each line in the CSV file must contain 8 fields.
The fields must be separated by commas and ordered as follows:

    Name,IP/hostname,Centrallogging,Monitorstatus,Centralresources,Replicationprofile,Enabled,Comment
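A file that does not follow these rules is only rejected once it has been uploaded to the parent node, so it is useful to check it beforehand. The following script is an added example, not Smoothwall code: it applies the rules given in this section for the CSV file (the field order above and the permitted values in the field table that follows), reports each faulty row with its line number, and warns where an import would overwrite a node that already exists or appears earlier in the same file. The sample CSV is constructed.

```python
"""Validate a child-node CSV file before importing it on the parent node.

Added example; this is not Smoothwall code. It applies the rules given for the
CSV file in this section: eight comma-separated fields in the documented order,
Name and IP/hostname required, yes/on/1 or no/off/0 for the four on/off fields,
and names and comments limited to letters, numbers, spaces, underscores and
full stops (no Unicode). The sample CSV is constructed.
"""
import csv
import io
import re

FIELDS = ["Name", "IP/hostname", "Centrallogging", "Monitorstatus",
          "Centralresources", "Replicationprofile", "Enabled", "Comment"]
BOOL_FIELDS = ["Centrallogging", "Monitorstatus", "Centralresources", "Enabled"]
TRUE_VALUES = {"yes", "on", "1"}
FALSE_VALUES = {"no", "off", "0"}
# Letters, numbers, spaces, underscores and full stops only (ASCII, so no Unicode).
TEXT_RE = re.compile(r"^[A-Za-z0-9 _.]*$")


def parse_bool(value: str):
    """Map the documented spellings to True/False; None means unrecognised."""
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    return None


def validate_nodes_csv(text: str, existing_names=()):
    """Return (nodes, errors, warnings).

    nodes: normalised rows that passed (on/off fields converted to bool), in file order.
    errors: rows the parent node would reject, with their line numbers.
    warnings: rows that would overwrite an existing or earlier node of the same name.
    """
    nodes, errors, warnings = [], [], []
    seen = set(existing_names)
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not c.strip() for c in row):
            continue                                   # ignore blank lines
        if len(row) != len(FIELDS):
            errors.append(f"line {lineno}: expected {len(FIELDS)} fields, found {len(row)}")
            continue
        rec = dict(zip(FIELDS, (c.strip() for c in row)))
        row_errors = []
        if not rec["Name"]:
            row_errors.append("Name is required")
        elif not TEXT_RE.match(rec["Name"]):
            row_errors.append(f"Name {rec['Name']!r} may only contain letters, numbers, spaces, underscores and full stops")
        if not rec["IP/hostname"]:
            row_errors.append("IP/hostname is required")
        for field in BOOL_FIELDS:
            flag = parse_bool(rec[field])
            if flag is None:
                row_errors.append(f"{field} must be yes/on/1 or no/off/0, got {rec[field]!r}")
            else:
                rec[field] = flag
        if not TEXT_RE.match(rec["Comment"]):
            row_errors.append("Comment may only contain letters, numbers, spaces, underscores and full stops")
        if row_errors:
            errors.extend(f"line {lineno}: {msg}" for msg in row_errors)
            continue
        if rec["Name"] in seen:
            warnings.append(f"line {lineno}: node {rec['Name']!r} already exists and will be overwritten")
        seen.add(rec["Name"])
        nodes.append(rec)
    return nodes, errors, warnings


# Constructed sample: two good rows, a duplicate name, a bad on/off value,
# a non-ASCII name and a row with too few fields.
SAMPLE_CSV = """\
branch_01,10.0.1.10,yes,yes,no,,yes,Main office
branch_02,gw2.example.org,no,1,off,Standard,on,
branch_02,10.0.2.10,no,yes,no,,yes,Duplicate name
branch_03,10.0.3.10,maybe,yes,no,,yes,
Zürich,10.0.4.10,yes,yes,no,,yes,Non ASCII name
broken_row,10.0.5.10,yes,yes
"""

if __name__ == "__main__":
    nodes, errors, warnings = validate_nodes_csv(SAMPLE_CSV)
    print(f"{len(nodes)} rows importable, {len(errors)} errors, {len(warnings)} warnings")
    for message in errors + warnings:
        print(message)
```

Pass the names of nodes already configured on the parent as existing_names to get the overwrite warning for them too; the parent node itself does not warn until the file has been imported.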

The possible values for the fields are as follows:

Name
    The node name. This field is required. Note: If the name is the same as that of a child node already in the system, the child node in the system will be overwritten. A node name may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
IP/hostname
    The IP or hostname of the node. This field is required.
Central logging
    Determines if central logging is enabled or disabled. This field is required. Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0. Note: Do not enable this option if you want to access the child node's logs on the child node itself.
Monitor status
    Determines if central monitoring is enabled or disabled. This field is required. Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0.
Central resources
    Determines if resources are managed by the parent. This field is required. Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0.
Replication profile
    The name of the replication profile used on the node. This field is optional and may be empty. For more information, refer to the Network Guardian Operations Guide.
Enabled
    Determines if the node settings are enabled or disabled. This field is required. Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0.
Comment
    A comment. This field is optional. It may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.

For full information on what the settings do, see Manually Adding Child Nodes on page 170.

Importing Node Information

The following steps explain how to import node information from a CSV file. For more information on CSV files, see About the CSV File on page 171.

To import node information from a CSV file:

1. On the parent node, browse to the System > Central management > Child nodes page.
2. Click Import CSV, browse to the file and select it. Click Import to import the contents of the file.
3. The parent node displays the contents of the file and notifies you of any errors in the file. Note: Importing settings from a CSV file will overwrite existing nodes with the same name.

4. Click Confirm to import the information in the file. The parent node imports the node information and displays it.

Editing Child Node Settings

When required, it is possible to edit child node settings.

To edit a child node's settings:

1. Browse to the System > Central management > Child nodes page, locate the node you want to edit and click Edit node.
2. Make the changes required; see Manually Adding Child Nodes on page 170 for full information on the settings.
3. Click Confirm, review the changes and then click Save to save and implement the changes.

Deleting Nodes in the System

It is possible to delete nodes that are no longer required in the system.

To delete a node:

1. On the System > Central management > Child nodes page, locate the node you want to delete and click Delete node. When prompted, click Delete to confirm the deletion.
2. Repeat the step above for any other nodes you want to delete.

Managing Nodes in a Smoothwall System

Managing nodes in a Smoothwall system entails:

- Monitoring node status
- Applying updates to nodes
- Scheduling updates for application at a specific time
- Rebooting nodes when necessary
- Disabling nodes when necessary
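A validator for the node CSV format described under About the CSV File above, as an added example; this is not Smoothwall's own import code. It applies the rules from the field table: eight comma-separated fields in the stated order, the required fields, the yes/on/1 and no/off/0 spellings for the on/off fields, the character set allowed in names and comments, and the overwrite-on-same-name rule. The sample rows, node names, addresses and hostnames are constructed placeholders.

```python
import csv
import io
import re

# Column order from "About the CSV File" (fields must appear in this order).
FIELDS = ["name", "ip_hostname", "central_logging", "monitor_status",
          "central_resources", "replication_profile", "enabled", "comment"]
REQUIRED = ["name", "ip_hostname", "central_logging", "monitor_status",
            "central_resources", "enabled"]
ON_OFF_FIELDS = ["central_logging", "monitor_status", "central_resources", "enabled"]

# Spellings the field table accepts for the on/off fields.
TRUE_VALUES = {"yes", "on", "1"}
FALSE_VALUES = {"no", "off", "0"}

# Names and comments: letters, numbers, spaces, underscores and full stops; no Unicode.
TEXT_RE = re.compile(r"^[A-Za-z0-9 _.]+$")


def parse_on_off(value):
    """Map yes/on/1 and no/off/0 (case-insensitive) to a bool; anything else is an error."""
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError(f"expected yes/on/1 or no/off/0, got {value!r}")


def parse_node_row(row):
    """Validate one CSV row and return it as a dict keyed by FIELDS."""
    if len(row) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}")
    node = dict(zip(FIELDS, (cell.strip() for cell in row)))
    for field in REQUIRED:
        if not node[field]:
            raise ValueError(f"{field} is required")
    for field in ("name", "comment"):
        if node[field] and not TEXT_RE.match(node[field]):
            raise ValueError(f"{field} may only contain letters, numbers, spaces, "
                             f"underscores and full stops")
    for field in ON_OFF_FIELDS:
        node[field] = parse_on_off(node[field])
    return node


def import_nodes(csv_text, existing=None):
    """Parse every row. A row whose name matches an existing node replaces it
    (the guide warns that import overwrites nodes with the same name).
    Returns (nodes, errors, warnings); rows with errors are skipped."""
    nodes = dict(existing or {})
    errors, warnings = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        try:
            node = parse_node_row(row)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if node["name"] in nodes:
            warnings.append((lineno, f"node {node['name']!r} will be overwritten"))
        if node["central_logging"]:
            # The field table notes that the child's logs are then not viewable on the child.
            warnings.append((lineno, f"central logging on {node['name']!r}: "
                                     "logs will not be available on the child itself"))
        nodes[node["name"]] = node
    return nodes, errors, warnings


# Constructed sample file: placeholder names, addresses and hostnames.
SAMPLE_CSV = """\
branch_1,10.0.1.2,yes,on,1,,yes,Main site proxy
branch_2,guardian2.example.local,no,off,0,office_profile,1,
branch_3,10.0.3.2,maybe,on,1,,yes,bad on off value
branch 4,10.0.4.2,yes,yes,yes,,yes,Caf\u00e9 node
"""

if __name__ == "__main__":
    nodes, errors, warnings = import_nodes(SAMPLE_CSV)
    for name, node in nodes.items():
        print(name, node["ip_hostname"], "enabled" if node["enabled"] else "disabled")
    for lineno, msg in errors:
        print(f"line {lineno}: error: {msg}")
    for lineno, msg in warnings:
        print(f"line {lineno}: warning: {msg}")
```

Running it against the constructed file accepts the first two rows, rejects row 3 (an on/off field that is neither yes/on/1 nor no/off/0) and row 4 (a comment containing a non-ASCII character), and warns about the row that enables central logging. Checking a file this way before uploading it avoids the parent silently replacing an existing node whose name was reused by mistake.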

Monitoring Node Status

The central management node overview on the parent node displays a list of all of the nodes in the Smoothwall system. It also displays the nodes' current status and whether updates for the nodes are available.

To monitor node status:

1. On the parent node, browse to the System > Central management > Overview page. The parent node displays the current node status.

Node information is contained in the following fields:

Name: Displays the name of the node. Click on the name to log in to the node.

Status: Displays the current state of the node. Click on the Status text to display detailed information on the node. For more information, see Accessing the Node Details Page on page 175. The following statuses are possible:
- OK: the node is functioning and does not require attention.
- Critical: the node requires immediate attention. Click on the node's status field for more information.
- Warning: the node does not require immediate attention but should be checked for problems. Click on the node's status field for more information.

Updates: Enables you to schedule the application of available updates. For more information, see Scheduling and Applying Updates to One or More Nodes on page 175. Click on the Updates text to display detailed information on the node.

Accessing the Node Details Page

It is possible to view detailed information on a node by accessing the node details page.

To access a node details page:

1. On the parent node, browse to the System > Central management > Overview page.
2. Locate the node you want more information on and click on its Status text. Network Guardian displays the node details page.
3. Click on the displayed headings for more information.
4. Click Refresh node to refresh the information displayed.
5. Click Reboot node to reboot the node.

Working with Updates

You can review and apply updates to a node as they become available. You can also apply updates to one or more nodes immediately or at a later date.

Reviewing and Applying Available Updates to a Node

You can review and apply updates to a node as they become available.

To review and apply updates:

1. On the parent node, browse to the System > Central management > Overview page.
2. Click the Updates tab and then click the Status field of the node. The node details are displayed.
3. Click on the Updates line to review detailed information about the updates available. To apply the updates to the node, click Schedule update. The Schedule node update page is displayed.
4. In the Install updates area, select one of the following options:
   Now: Select to apply the updates to the node immediately.
   Later: From the drop-down list, select when you want the updates applied to the node.
5. Click Schedule update. The updates are applied to the node as specified in the previous step and the node is rebooted.

Scheduling and Applying Updates to One or More Nodes

You can apply updates to one or more nodes immediately or schedule them for application later.

To apply updates:

1. On the parent node, browse to the System > Central management > Overview page.
2. Locate and select the node(s) that require updates and click Schedule update. The Schedule node update page is displayed.

3. In the Install updates area, select one of the following options:
   Now: Select to apply the update(s) to the node(s) immediately.
   Later: From the drop-down list, select when you want the update(s) applied to the node(s).
4. Click Schedule update. The updates are applied to the node(s) as specified in the previous step and the node(s) are rebooted.

Clearing Scheduled Updates

It is possible to clear any scheduled updates.

To clear scheduled updates:

1. On the System > Central management > Overview page or the node details page, under Updates, click Clear schedule.
2. Network Guardian displays the updates that are currently scheduled. Click Clear schedule to clear the updates.

Rebooting Nodes

When required, you can reboot a child node from the system's parent node.

To reboot a child node:

1. On the parent node, browse to the System > Central management > Overview page.
2. Locate the node you want to reboot and click on the Status text. The node details are displayed.
3. Click Reboot node. The Schedule node reboot page opens. In the Reboot node area, select one of the following options:
   Now: Select to reboot the node immediately.
   Later: From the drop-down list, select when you want to reboot the node.
4. Click Schedule reboot. The node is rebooted.

Disabling Nodes

It is possible to disable nodes locally and system-wide.

Disabling Nodes Locally

You may need to work on a child node in a system and, for example, want to stop replication settings from being applied by the parent. You can do this by disabling the child node locally.

To disable a node locally:

1. On the node you want to disable, browse to the System > Central management > Local node settings page.
2. In the Local node options area, select Disable and click Save.
3. Repeat the steps above for any other nodes in the system that you want to disable.

Note: On the parent node, on the System > Central management > Overview page, nodes that have been disabled locally will be listed as Node uncontactable.

Disabling Nodes System-wide

You may need to disable a child node in a system, for example in the case of hardware failure. You can do this by disabling the child node system-wide.

To disable a node system-wide:

1. On the parent node, browse to the System > Central management > Child nodes page.
2. Locate the node you want to disable, select Disable and click Save.
3. Repeat the steps above for any other nodes in the system that you want to disable system-wide.

Using BYOD in a Centrally Managed System

It is possible to provide a bring your own device (BYOD) service in a centrally managed Smoothwall system. In such a configuration, you can choose to have a single node, typically the parent node, receive RADIUS requests and forward them on to the other RADIUS servers, or have a number of nodes act as the RADIUS server for the network access server (NAS) for authentication requests, authorization requests, accounting packets, or a mixture of all three. For a detailed description of how to configure Network Guardian to support a BYOD service, including an example of a centrally managed implementation, refer to the Network Guardian Operations Guide.


Appendix A: User Authentication

In this appendix:
- Overview on page 179
- Network Guardian and DNS on page 181
- Working with Large Directories on page 182
- Active Directory on page 182
- About Kerberos on page 183

Overview

Network Guardian's authentication system enables the identity of internal network users to be verified, so that service permissions and restrictions can be dynamically applied according to a user's group membership.

- Identity verification: authenticates users by checking supplied identity credentials, for example usernames and passwords, against known user profile information.
- Identity confirmation: provides details of known authenticated users at a particular IP address.

Verifying User Identity Credentials

In order to authenticate users, Network Guardian must be able to verify the identity credentials (usernames and passwords) supplied by network users. Credentials are verified against the authentication system's local user database. Network users must provide their identity credentials when using an authentication-enabled service for the first time. If the credentials cannot be verified by the authentication system, i.e. a matching username and password cannot be found in the local user database, the user's identity status will be set to 'Unauthenticated'. Unauthenticated users are usually granted limited, or sometimes no, access to authentication-enabled services. A user that is authenticated can be described as being logged in.

About Authentication Mechanisms

All authentication-enabled services use the authentication system to discover which users are accessing them. Once a particular user is known, an authentication-enabled service can enforce customized permissions and restrictions. Authentication-enabled services can interact with the authentication system in the following ways:

- Passive: interrogation of whether there is an already-authenticated user at a particular IP address and, if so, their details.
- Active: provision of user-supplied identity credentials, for onward authentication.

The means by which these two types of interaction are combined and implemented defines a particular named authentication mechanism.

The Core Authentication Mechanism

This is a special type of authentication mechanism that uses the first interaction method exclusively, i.e. it only ever asks the authentication system whether there is a known user at a particular IP address. If the user has not been authenticated by any other authentication mechanism, the user's status is returned by the authentication system as 'Unauthenticated'.

Other Authentication Mechanisms

All other authentication mechanisms use a combination of the interactions discussed above. Such mechanisms usually interrogate the authentication system to determine whether the user at the requesting IP address has already been authenticated. If the user has been authenticated, appropriate permissions and restrictions can be enforced by the requesting service. However, if the user is currently unauthenticated, the second type of interaction occurs, i.e. the requesting service pro-actively provides end-user identity credentials to the authentication system for onward authentication. Thus, it follows that such authentication mechanisms must also provide an appropriate means of collecting end-user identity credentials.

Choosing an Authentication Mechanism

As discussed in the preceding sections, all authentication-enabled services must use some kind of authentication mechanism to interact with the authentication system. Some authentication-enabled services offer no choice of mechanism; in such cases, the authentication mechanism will always be 'Core authentication'.

About the Login Time-out

The login time-out is the length of time that a user's authenticated status will last once they are authenticated. Time-out does not occur if Network Guardian can determine that the same user is still active, for example by seeing continued web browsing from the same user. However, if Network Guardian sees no activity from a particular user for the length of time specified by the time-out period, the user's authenticated status will be invalidated.

The login time-out affects the load on the local system. Lower time-out values increase the frequency of re-authentication requests. A value of 10 minutes is effective for most networks. Time-out values that are too low may adversely affect system performance, resulting in failed login attempts. However, longer time-outs increase the risk of a new user at the same IP address being granted inappropriate rights if the original user fails to pro-actively log out.

Network Guardian and DNS

Network Guardian's authentication service uses internal DNS servers for name lookups. Internal DNS servers are specified using Network Guardian's setup program. Network Guardian's DNS proxy server uses external DNS servers for name lookups. External DNS servers are specified when setting up a Network Guardian connectivity profile. In this way, Network Guardian can be configured to use an internal DNS server, and the internal DNS server can, in turn, be configured to use Network Guardian as its DNS forwarder.

A Common DNS Pitfall

Often Network Guardian is configured so that an internal DNS server is configured as the primary DNS server and an external DNS server as the secondary DNS server. This is not the correct way to configure DNS servers on any client. DNS was designed to be able to respond to any request by redirecting questions to the DNS servers responsible for the various registered domains on the public Internet. This means the client assumes that it does not matter which DNS server it uses, as all DNS servers will have access to the same information. With the proliferation of private networks and internal DNS zones, this is no longer the case. A DNS client will behave in the following way when looking up a host:

- If a reply of "host not found" is received, the client will NOT ask other DNS servers.
- If the DNS server is not answering, the client will try to ask another DNS server.
- The client will choose randomly between the configured DNS servers.

Taking the above conditions into account, it is clear that a DNS configuration that has an internal DNS server and an external DNS server in the configuration will not work, or at least will not work reliably. The internal DNS server that holds the Active Directory information needs to be configured so that it can resolve external hostnames. The easiest way to do this is to configure the DNS server to use a forwarder, such as Network Guardian's DNS proxy server.
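A small simulation of the three client rules above, as an added example that is not part of the guide. It models two constructed servers (an internal Active Directory DNS server holding domain.local, and an external resolver that knows only public names), a client that picks a server at random, moves on only when a server does not answer, and stops on "host not found", and then measures how often lookups fail under the mixed internal-plus-external configuration versus the recommended internal-server-with-forwarder layout. All zone names, hostnames and addresses are constructed placeholders.

```python
import random

NXDOMAIN = "NXDOMAIN"   # authoritative "host not found"
TIMEOUT = "TIMEOUT"     # server did not answer


class DnsServer:
    """Constructed stand-in for a DNS server. It answers authoritatively for the
    zones it holds and, if it has a forwarder, passes everything else on."""

    def __init__(self, name, zones, forwarder=None, up=True):
        self.name = name
        self.zones = zones          # {"zone": {"fqdn": "address"}}
        self.forwarder = forwarder  # another DnsServer, or None
        self.up = up

    def query(self, host):
        if not self.up:
            return TIMEOUT
        for zone, records in self.zones.items():
            if host == zone or host.endswith("." + zone):
                # Authoritative for this zone: an unknown name is a definite NXDOMAIN
                return records.get(host, NXDOMAIN)
        if self.forwarder is not None:
            return self.forwarder.query(host)
        return NXDOMAIN


def resolve(host, servers, rng):
    """Client behaviour as the guide describes it: pick among the configured servers
    at random, move to another server only on no answer, and stop on NXDOMAIN."""
    order = list(servers)
    rng.shuffle(order)
    for server in order:
        answer = server.query(host)
        if answer == TIMEOUT:
            continue
        return answer
    return TIMEOUT


def lookup(host, servers, seed=1):
    """Single deterministic lookup (handy for checks and scripting)."""
    return resolve(host, servers, random.Random(seed))


def failure_rate(host, servers, trials=2000, seed=7):
    """Fraction of lookups that end in NXDOMAIN or TIMEOUT over many randomised tries."""
    rng = random.Random(seed)
    failed = sum(resolve(host, servers, rng) in (NXDOMAIN, TIMEOUT) for _ in range(trials))
    return failed / trials


# Constructed topology: an internal AD DNS server holding domain.local, and an
# external resolver that knows only public names (TEST-NET address used here).
EXTERNAL = DnsServer("external", {"example.com": {"www.example.com": "203.0.113.10"}})
INTERNAL_NO_FWD = DnsServer("internal", {"domain.local": {"dc1.domain.local": "10.0.0.5"}})
INTERNAL_FWD = DnsServer("internal", {"domain.local": {"dc1.domain.local": "10.0.0.5"}},
                         forwarder=EXTERNAL)

# The pitfall: internal as primary, external as secondary, on the client.
MIXED_CLIENT = [INTERNAL_NO_FWD, EXTERNAL]
# The recommended layout: the client uses only the internal server, which forwards.
FORWARDING_CLIENT = [INTERNAL_FWD]

if __name__ == "__main__":
    for label, servers in (("mixed", MIXED_CLIENT), ("forwarding", FORWARDING_CLIENT)):
        for host in ("dc1.domain.local", "www.example.com"):
            print(f"{label:10s} {host:20s} failure rate {failure_rate(host, servers):.2f}")
```

With the mixed configuration roughly half of all lookups fail, for internal and external names alike, because whichever server is asked first returns an authoritative "host not found" for the names it does not hold and the client never asks the other. With the forwarding layout every lookup succeeds, and a server that is down is skipped rather than treated as a negative answer.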

Working with Large Directories

The Additional group search roots option enables you to specify several OUs in which to search for groups. When dealing with large directories, a search through the entire directory can take a long time and make the Network Guardian Include groups page unwieldy to manage. Normally, a specified group search root can help in narrowing the scope of where to search for groups, but if groups are distributed across multiple OUs, one group search root may not be enough.

Consider, for example, a directory with 5000 users and 2500 groups. Setting the group search root to the top level of the directory would result in an Include groups page with 2500 entries. This would probably take a long time to load and be hard to get an overview of. The administrator of the Active Directory domain has 2 OUs where the groups to be mapped are located. In the group search root, the administrator enters the path for the primary OU, and in the additional group search root, the second OU is entered:

User search root: dc=domain,dc=local
Group search root: ou=guardiangroups,dc=domain,dc=local
Additional group search root: ou=networkgroups,ou=users,dc=sub1,dc=domain,dc=local

The above example is for a multi-domain Active Directory installation, where the second OU is in the sub-domain sub1. Remember that multiple groups can be mapped to the same Network Guardian permissions group.

Active Directory

The following sections describe usernames and group membership, which must be configured correctly in order to successfully implement Active Directory-based authentication.

Active Directory Username Types

A user account on a Windows server will have 2 types of usernames:
- A Windows username, which takes the form user@domain.
- An old-style Windows NT 4 username, which has no domain attached to it.

When a Windows domain has been migrated from a legacy Windows NT 4 domain, the Windows NT 4 style usernames are not automatically duplicated to Windows usernames. In order for Network Guardian authentication to be able to successfully look up and authenticate Windows users, a Windows username needs to be present.

Accounts and NTLM Identification

When using NTLM identification on an Active Directory server that has been set up with no pre-Windows 2000 access permissions, the server lookup user account needs to be a member of the Pre-Windows 2000 Compatible Access group. This group is normally found in the built-in OU in the Active Directory Users and Groups snap-in.

About Kerberos

The following sections document Kerberos pre-requisites and list some points to try when troubleshooting.

Kerberos Pre-requisites and Limitations

The following are pre-requisites and known limitations when using Kerberos as an authentication method:
- Forward and reverse DNS must be working.
- All clocks must be in sync. More than 5 minutes of clock drift will cause authentication to fail.
- Internet Explorer 6 will not work in non-transparent mode.

Troubleshooting

Check the following when troubleshooting a service that uses Kerberos:
- Make sure all the pre-requisites have been met; see Kerberos Pre-requisites and Limitations on page 183.
- Try another browser for fault-finding.
- In Safari, try the fully qualified domain name (FQDN) if the short form does not work.
- Did the user log on before the keytab was created? Try logging off, then on again.
- Did the user log on before Network Guardian joined the domain? Try logging off, then on again.
- Double-check that you are logged on with a domain account.
- When exporting your own keytabs:
  - Make sure the keytab contains keys with the same type of cryptography as that used by the client.
  - The HTTP in the service principal name (SPN) must be in uppercase.
  - The keytab should contain SPNs containing the short and fully qualified forms of each hostname.
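A checker for the three keytab rules and the clock-drift limit above, as an added example; it is not part of Network Guardian and does not read real keytabs. It parses a listing in the style of MIT Kerberos `klist -k -e` output (the two listings below are constructed, with a placeholder host and realm) and reports keys whose service part is not uppercase HTTP, missing short or fully qualified SPNs, and the absence of a key type the client uses; the clock check applies the 5-minute limit to two epoch timestamps.

```python
import re

# Constructed listings in the style of `klist -k -e`; not taken from a real host.
# The first one deliberately shows the mistakes the troubleshooting list warns about.
BAD_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 http/proxy.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy@EXAMPLE.LOCAL (arcfour-hmac)
"""

GOOD_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 HTTP/proxy.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
   4 HTTP/proxy@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
"""

# "<kvno> <service>/<host>@<REALM> (<etype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+)\s+\((\S+)\)\s*$")

MAX_CLOCK_SKEW = 300  # seconds; beyond this the guide says authentication fails


def parse_keytab_listing(text):
    """Return one dict per key entry; header and separator lines are ignored."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            kvno, service, host, realm, etype = match.groups()
            entries.append({"kvno": int(kvno), "service": service, "host": host,
                            "realm": realm, "etype": etype})
    return entries


def check_keytab(entries, fqdn, client_etypes):
    """Apply the three keytab rules from the troubleshooting list and return the
    problems found (an empty list means the keytab passes)."""
    problems = []
    short_name = fqdn.split(".")[0]
    http_entries = [e for e in entries if e["service"] == "HTTP"]

    # Rule: the HTTP in the SPN must be uppercase.
    for e in entries:
        if e["service"].lower() == "http" and e["service"] != "HTTP":
            problems.append(f"{e['service']}/{e['host']}: service part must be uppercase HTTP")

    # Rule: SPNs for both the short and fully qualified hostname must be present.
    present_hosts = {e["host"] for e in http_entries}
    for needed in (short_name, fqdn):
        if needed not in present_hosts:
            problems.append(f"no HTTP/{needed} SPN in keytab")

    # Rule: keys must use a cryptography type the client also uses.
    if not {e["etype"] for e in http_entries} & set(client_etypes):
        problems.append("no HTTP key uses an encryption type the client supports: "
                        + ", ".join(sorted(client_etypes)))
    return problems


def clock_skew_ok(client_epoch, kdc_epoch):
    """True when the two clocks (seconds since the epoch) are within the tolerated drift."""
    return abs(client_epoch - kdc_epoch) <= MAX_CLOCK_SKEW


if __name__ == "__main__":
    client_etypes = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]
    for label, listing in (("bad", BAD_KEYTAB_LISTING), ("good", GOOD_KEYTAB_LISTING)):
        found = check_keytab(parse_keytab_listing(listing), "proxy.example.local", client_etypes)
        print(label, "keytab:", found or "ok")
    print("6 minutes of drift tolerated?", clock_skew_ok(0, 360))
```

Against the first listing the checker reports all three classes of problem (lowercase `http`, no uppercase SPN for the fully qualified name, and only an RC4 key while the client uses AES); the second listing passes. The client encryption types are whatever the browsers on the network negotiate, so pass the list that matches your clients.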


Glossary

Numeric

2-factor authentication: A password used together with a token. In other words, 2-factor authentication is something you know used together with something you have. Access is only granted when you use the two together.

3DES: A triple-strength version of the DES cryptographic standard, usually using a 168-bit key.

A

Acceptable Use Policy: See AUP.

Access control: The process of preventing unauthorized access to computers, programs, processes, or systems.

Active Directory: Microsoft directory service for organizations. It contains information about organizational units, users and computers.

ActiveX: A Microsoft reusable component technology used in many VPN solutions to provide VPN client access in a road warrior's web browser.

AES: Advanced Encryption Standard. A method of encryption selected by NIST as a replacement for DES and 3DES. AES supports key lengths of 128-bit, 192-bit and 256-bit. AES provides high security with fast performance across multiple platforms.

AH: Authentication Header. Forms part of the IPSec tunnelling protocol suite. AH sits between the IP header and datagram payload to maintain information integrity, but not secrecy.

Algorithm: In Smoothwall products, an algorithm is a mathematical procedure that manipulates data to encrypt and decrypt it.

Alias (or External Alias): In Smoothwall terminology, an alias is an additional public IP that operates as an alternative identifier of the red interface.

ARP: Address Resolution Protocol. A protocol that maps IP addresses to NIC MAC addresses.

ARP Cache: Used by ARP to maintain the correlation between IP addresses and MAC addresses.

AUP: Acceptable Use Policy. An AUP is an official statement on how an organization expects its employees to conduct email messaging and Internet access on the organization's email and Internet systems. The policy explains the organization's position on how its users should conduct communication within and outside of the organization, both for business and personal use.

Authentication: The process of verifying identity or authorization.

B

Bandwidth: The rate at which data can be carried from one point to another. Measured in Bps (bytes per second) or Kbps.

BIN: A binary certificate format, an 8-bit compatible version of PEM.

Buffer Overflow: An error caused when a program tries to store too much data in a temporary storage area. This can be exploited by hackers to execute malicious code.

C

CA: Certificate Authority. A trusted network entity, responsible for issuing and managing X509 digital certificates.

Certificate: A digital certificate is a file that uniquely identifies its owner. A certificate contains owner identity information and its owner's public key. Certificates are created by CAs.

Cipher: A cryptographic algorithm.

Ciphertext: Encrypted data which cannot be understood by unauthorized parties. Ciphertext is created from plaintext using a cryptographic algorithm.

Client: Any computer or program connecting to, or requesting the services of, another computer or program.

Cracker: A malicious hacker.

Cross-Over Cable: A network cable with TX and RX (transmit and receive) reversed at either end to provide a direct peer-to-peer network connection.

Cryptography: The study and use of methods designed to make information unintelligible.

D

Default Gateway: The gateway in a network that will be used to access another network if a gateway is not specified for use.

Denial of Service: Occurs when a network host is flooded with large numbers of automatically generated data packets. The receiving host typically slows to a halt while it attempts to respond to each request.

DER: Distinguished Encoding Rules. A certificate format typically used by Windows operating systems.

DES: Data Encryption Standard. A historical 64-bit encryption algorithm still widely used today. DES is scheduled for official obsolescence by the US government agency NIST.

DHCP: Dynamic Host Control Protocol. A protocol for automatically assigning IP addresses to hosts joining a network.

Dial-Up: A telephone-based, non-permanent network connection, established using a modem.

DMZ: Demilitarized Zone. An additional separate subnet, isolated as much as possible from protected networks.

DNS: Domain Name Service. A name resolution service that translates a domain name to an IP address and vice versa.

Domain Controller: A server on a Microsoft Windows network that is responsible for allowing host access to a Windows domain's resources.

Dynamic IP: A non-permanent IP address automatically assigned to a host by a DHCP server.

Dynamic token: A device which generates one-time passwords based on a challenge/response procedure.

E

Egress filtering: The control of traffic leaving your network.

Encryption: The transformation of plaintext into a less readable form (called ciphertext) through a mathematical process. A ciphertext may be read by anyone who has the key to decrypt it (undo the encryption).

ESP: Encapsulating Security Payload. A protocol within the IPSec protocol suite that provides encryption services for tunnelled data.

Exchange Server: A Microsoft messaging system including mail server, client and groupware applications (such as shared calendars).

Exploit: A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a system or service.

F

Filter: A filter is a collection of categories containing URLs, domains, phrases, lists of file types and replacement rules. Filters are used in policies to determine whether a user should be allowed access to information or files he/she has requested using their web browser.

FIPS: Federal Information Processing Standards. See NIST.

Firewall: A combination of hardware and software used to prevent access to private network resources.

G

Gateway: A network point that acts as an entrance to another network.

Green: In Smoothwall terminology, green identifies the protected network.

H

Hacker: A highly proficient computer programmer who seeks to gain unauthorized access to systems without malicious intent.

Host: A computer connected to a network.

Hostname: A name used to identify a network host.

HTTP: Hypertext Transfer Protocol. The set of rules for transferring files on the World Wide Web.

HTTPS: A secure version of HTTP using SSL.

Hub: A simple network device for connecting networks and network hosts.

I

ICMP: Internet Control Message Protocol. One of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.

IDS: Intrusion Detection System.

IP: Internet Protocol.

IPS: Intrusion Prevention System.

IP Address: A 32-bit number that identifies each sender and receiver of network data.

IPtables: The Linux packet filtering tool used by Smoothwall to provide firewalling capabilities.

IPSec: Internet Protocol Security. An internationally recognized VPN protocol suite developed by the Internet Engineering Task Force (IETF).

IPSec Passthrough: A 'helper' application on NAT devices that allows IPSec VPN traffic to pass through.

ISP: An Internet Service Provider provides Internet connectivity.

K

Key: A string of bits used with an algorithm to encrypt and decrypt data. Given an algorithm, the key determines the mapping of plaintext to ciphertext.

Kernel: The core part of an operating system that provides services to all other parts of the operating system.

Key space: The name given to the range of possible values for a key. The key space is the number of bits needed to count every distinct key. The longer the key length (in bits), the greater the key space.

L

L2F: Layer 2 Forwarding. A VPN system, developed by Cisco Systems.

L2TP: Layer 2 Transport Protocol. A protocol based on IPSec which combines Microsoft PPTP and Cisco Systems L2F tunnelling protocols.

LAN: Local Area Network. A network between hosts in a similar, localized geography.

Leased Lines (or private circuits): A bespoke high-speed, high-capacity site-to-site network that is installed, leased and managed by a telephone company.

Lockout: A method to stop an unauthorized attempt to gain access to a computer. For example, a three-try limit when entering a password: after three attempts, the system locks out the user.

M

MAC Address: Media Access Control. An address which is the unique hardware identifier of a NIC.

MX Record: Mail exchange. An entry in a domain name database that specifies an email server to handle a domain name's email.

N

NAT-T: Network Address Translation Traversal. A VPN Gateway feature that circumvents IPSec NATing problems. It is a more effective solution than IPSec Passthrough.

NIC: Network Interface Card.

NIST: National Institute of Standards and Technology. NIST produces security and cryptography related standards and publishes them as FIPS documents.

NTP: Network Time Protocol. A protocol for synchronizing a computer's system clock by querying NTP servers.

O

OU: An organizational unit (OU) is an object used to distinguish different departments, sites or teams in your organization.

P

Password: A protected/private string of characters, known only to the authorized user(s) and the system, used to authenticate a user as authorized to access a computer or data.

PEM: Privacy Enhanced Mail. A popular certificate format.

Perfect Forward Secrecy: A key-establishment protocol, used to secure previous VPN communications should a key currently in use be compromised.

PFS: See Perfect Forward Secrecy.

Phase 1: Phase 1 of a 2-phase VPN tunnel establishment process. Phase 1 negotiates the security parameter agreement.

Phase 2: Phase 2 of a 2-phase VPN tunnel establishment process. Phase 2 uses the agreed parameters from Phase 1 to bring the tunnel up.

Ping: A program used to verify that a specific IP address can be seen from another.

PKCS#12: Public Key Cryptography Standards #12. A portable container file format for transporting certificates and private keys.

PKI: Public Key Infrastructure. A framework that provides for trusted third-party vetting of, and vouching for, user identities, and binding of public keys to users. The public keys are typically in certificates.

Plaintext: Data that has not been encrypted, or ciphertext that has been decrypted.

Policy: Contains content filters and, optionally, time settings and authentication requirements, to determine how Network Guardian handles web content and downloads to best protect your users and your organization.

Port: A service connection point on a computer system, identified by a number. Port 80 is the HTTP port.

Port Forward: A firewall rule that routes traffic from a receiving interface and port combination to another interface and port combination. Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.

PPP: Point-to-Point Protocol. Used to communicate between two computers via a serial interface.

PPTP: Peer-to-Peer Tunnelling Protocol. A widely used Microsoft tunnelling standard deemed to be relatively insecure.

Private Circuits: See Leased Lines.

Private Key: A secret encryption key known only by its owner. Only the corresponding public key can decrypt messages encrypted using the private key.

Protocol: A formal specification of a means of computer communication.

Proxy: An intermediary server that mediates access to a service.

PSK: Pre-Shared Key. An authentication mechanism that uses a password exchange and matching process to determine authenticity.

Public Key: A publicly available encryption key that can decrypt messages encrypted by its owner's private key. A public key can be used to send a private message to the public key owner.

PuTTY: A free Windows SSH client.

Q

QOS: Quality of Service. In relation to leased lines, QOS is a contractual guarantee of uptime and bandwidth.

R

RAS: Remote Access Server. A server which can be attached to a LAN to allow dial-up connectivity from other LANs or individual users. RAS has been largely superseded by VPNs.

Red: In Smoothwall, red is used to identify the unprotected network (typically the Internet).

RIP: Routing Information Protocol. A routing protocol which helps routers dynamically adapt to changes in network connections by communicating information about which networks each router can reach and how far away those networks are.

Road Warrior: An individual remote network user, typically a travelling worker 'on the road' requiring access to an organization's network via a laptop. Usually has a dynamic IP address.

Route: A path from one network point to another.

Routing Table: A table used to provide directions to other networks and hosts.

Rules: In firewall terminology, rules are used to determine what traffic is allowed to move from one network endpoint to another.

S

Security policy: A security policy is a collection of procedures, standards and guidelines that state in writing how an organization plans to protect its physical and information technology (IT) assets. It should include password, account and logging policies, administrator and user rights, and define what behavior is and is not permitted, by whom and under what circumstances.

Server: In general, a computer that provides shared resources to network users.

SIP: Session Initiation Protocol. A protocol for initiating, modifying, and terminating an interactive user session that involves multimedia elements such as video, voice, instant messaging, online games, and virtual reality. Commonly used in VOIP applications.

Single Sign-On (SSO): The ability to log in to multiple computers or servers in a single action by entering a single password.

Site-To-Site: A network connection between two LANs, typically between two business sites. Usually uses a static IP address.

Smart card: A device which contains the credentials for authentication to any device that is smart card-enabled.

Spam: Junk email, usually unsolicited.

SQL Injection: A type of exploit whereby hackers are able to execute SQL statements via an Internet browser.

Squid: A high-performance proxy caching server for web clients.

SSH: Secure Shell. A command line interface used to securely access a remote computer.

SSL: A cryptographic protocol which provides secure communications on the Internet.

SSL VPN: A VPN accessed via HTTPS from any browser (theoretically). SSL VPNs require minimal client configuration.

Strong encryption: A term given to describe a cryptographic system that uses a key so long that, in practice, it becomes impossible to break the system within a meaningful time frame.

Subnet: An identifiably separate part of an organization's network.

Switch: An intelligent cable junction device that links networks and network hosts together.

Syslog: A server used by other hosts to remotely record logging information.

T

Triple DES (3-DES) Encryption: A method of data encryption which uses three encryption keys and runs DES three times. Triple-DES is substantially stronger than DES.

Tunneling: The transmission of data intended for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.

U

User name / user ID: A unique name by which each user is known to the system.

V

VPN: Virtual Private Network. A network connected together via securely encrypted communication tunnels over a public network, such as the global Internet.

VPN Gateway: An endpoint used to establish, manage and control VPN connections.

X

X509: An authentication method that uses the exchange of CA issued certificates to guarantee authenticity.

205 Index

A
accessing 6
active directory
  cache timeout 147
  domain 146
  extra realm 153
  password 146
  status 146
  username 146
active directory legacy
  cache timeout 152
  discover kerberos realms through dns 153
  extra group search roots 153
  extra realms 153
  extra user search roots 153
  kerberos realm 152
  netbios domain name 153
  password 152
  port 153
  sam account name 153
  server 152
  server username 152
  status 151
  user search root 152
admin 6
admin options 14
administration 14
administrative users 14
advanced 10
alerts 7
  settings 7
archives 13
arp filter 130
arp table size 131
audit 131
authentication 11, 20, 143
  choosing 180
  core 81, 84
  diagnostics 144
  identification by IP 81, 84
  mechanisms 180
  NTLM 80
  SSL background tab 80, 83
  session cookie 81, 84
  time-out 144

B
bandwidth limiting 100
banned users 157
bond 28
bridge 27
bridging
  groups 140
  rules 135
  zones 135

C
ca 15
central management 167
  about 167
  pre-requirements 168
central management key

centrally manage 167
certs
  ca 15
child node 169
cluster 167
connection tracking 131
connections 25
console
  connecting via 22
control page 6
create 7
csv 171
  importing nodes 171
csv files 171
custom categories 12

D
database settings 9
default users 157
denial of service 129
diagnostics 15, 144
directories 11
directory settings 145
  prerequisites 146, 149, 151
documentation 2
DoS 130

E
ECN
enable arp filter 130
enable filtering 32
external access 14

F
filtering 9
filters 12
  about 50, 54, 60, 64
firewall 8
  accessing browser 6
  connecting 22
ftp 12

G
group bridging 9, 140
groups 9, 11, 156
  banned users 157
  default users 157
  mapping 158
  network administrators 157
  renaming 157
  unauthenticated ips 156

H
hardware 14
hostname 14
https 6
https inspection policies 53

I
icmp 130
ICMP ping 130
ICMP ping broadcast 130
identification
  NTLM 79
igmp 130
IGMP packets 130
im proxy 8
information 6
instant messenger 12
interface
  bond 28
  bridge 27
interfaces 10
internal aliases 10
inter-zone security 135
ip
  block 9
  tools 15

K
kerberos keytabs 11

L
ldap directory
  bind method 148
  cache timeout 149
  discover kerberos realms through dns 149
  extra group search root 149
  extra realms 149
  extra user search roots 149
  group search roots 148
  kerberos realm 148
  password 148
  port 149
  server

  status 147
  user search root 148
  username 147
leak client ip with x-forwarded-for header 109
licenses 13
load balancing 111
local users 154
  activity 161
  adding 155
  configuring 154
  deleting 156
  editing 156
  managing 155
  status 154
log settings 8
logs 8

M
maintenance 13
message censor 12
  custom categories 12
  filters 12
  time 12
message censor filtering
  enable 73
modem 14
modules 13
multicast traffic 130

N
network
  administrators 157
  interface 26
networking 9, 10
node 173
  add 170
  child 169
  child delete 173
  child edit 173
  configure child 13
  csv 171
  delete 173
  disable 177
  edit 173
  import 171
  local settings 13
  manage 173
  monitor 174
  parent 168
  reboot 176
  review 174
  update 175

O
output settings 9

P
pages
  central management 13
  guardian
    anti malware policies
      manage policies 18
      policy wizard 18
      settings 18
      status page 18
    block page policies
      block pages 18
      manage policies 18
      policy wizard 18
    content modification policies
      manage policies 17
      policy wizard 17
    https inspection policies
      manage policies 17
      policy wizard 17
      settings 17
    policy objects
      category groups 18
      locations 18
      quotas 18
      time slots 18
      user defined 18
    quick links
      getting started 16
      quick block/allow 16
      shortcuts 16
    swurl
      settings 19
    web filter policies
      exceptions 16
      location blocking 16
      manage policies 16
      outgoing 16
      policy wizard

  info
    alerts 7
      alerts 7
      custom 7
    logs 8
      firewall 8
      im proxy 8
      system 8
    realtime 8
      firewall 8
      portal 8
      system 8
      traffic graphs 8
    reports
      reports 7
      saved 7
      scheduled reports 7
    settings
      alert settings 7
      database settings 9
      groups 9
      log settings 8
      output settings 9
  information 6
  main 6
  mobile 20
  networking 9, 10
    filtering 9
      group bridging 9
      ip block 9
      zone bridging 9
    interfaces 10
      interfaces 10
      internal aliases 10
    routing 9
      rip 9
      subnets 9
    settings
      advanced 10
      port groups 10
  services 10
    authentication 11
      directories 11
      groups 11
      kerberos keytabs 11
      settings 11
      ssl login 11
      temporary bans 11
      user activity 11
    message censor 12
    proxies 12
      ftp 12
      im proxy 12
      snmp 12
    user portal 11
      groups 11
      portals 11
      user exceptions 11
  system
    administration 14
      admin options 14
      administrative users 14
      external access 14
    central management
      child nodes 13
      local node settings 13
      overview 13
    diagnostics 15
      configuration report 15
      functionality test 15
      ip tools 15
      traffic analysis 15
      whois 15
    hardware 14
      modem 14
      ups 14
    maintenance 13
      archives 13
      licenses 13
      modules 13
      scheduler 13
      shutdown 13
      updates 13
    preferences 14
      hostname 14
      registration options 14
      time 14
  web proxy

    authentication
      exceptions 20
      ident by location 20
      manage polices 20
      policy wizard 20
    mobile proxy
      exceptions 20
      proxies 20
      settings 20
    upstream proxy
      filters 19
      manage policies 19
      proxies 19
    web proxy
      automatic configuration 19
      bandwidth limiting 19
      settings 19
      wccp 19
parent node 168
passwords 6
policies 12
  https inspection 53
policy tester 69
port groups 10
portal 8, 11
portals 11
preferences 14
primary dns 26
proxies 12

Q
quotas 47

R
radius
  action on login failure 150
  cache timeout 150
  identifying IP address 150
  obtain groups from radius 150
  port 150
  secret 150
  server 150
  status 150
realtime 8
reboot 176
registration options 14
reports 7
  custom 7
  reports 7
  scheduled 7
rip 9
routing 9
rules
  group bridging 141
  internal alias 126
  ip blocking 127
  subnet 123
  zone bridging 136

S
scheduled reports 7
scheduler 13
secondary dns 26
selective ACK 130
services
  authentication 11, 144
  message censor 12
  portal 11
  rip 124
  snmp 12
settings 9, 11
shutdown 13
site address 24
sni 85
snmp 12
ssh 22
  client 22
ssl login 11
  accessing the page 164
  customizing 162
subnets 9
SYN backlog queue 131
SYN cookies 130
SYN+FIN packets 130
system 8

T
TCP timestamps 130
temporary ban 159
temporary bans 11
time 14
time out 144
time slots 12
time-out 181
traffic
  analysis 15
  graphs 8

training 1
tutorial
  zone bridging 138

U
unauthenticated ips 156
unknown entity 23
updates 13
ups 14
upstream proxies 109
  allow direct connections 109
  default proxy 109
  leak client ip with x-forwarded-for header 109
  load balancing 111
user
  activity 11, 161
  identity 179
user exceptions 11
users
  banned 157
  default 157
  local 155
  network administrators 157
  temporary ban 159
  unauthenticated IPs 156

W
web filter 8
web filtering
  configuring manual 89
whois 15
window scaling 130

Z
zone bridge
  narrow 136
  rule create 136
  settings 136
  tutorial 138
  wide 136
zone bridging 9,


More information

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training McAfee Web Gateway Administration Intel Security Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction

More information

Configuration Information

Configuration Information This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard. Other topics covered include Email Security interface navigation,

More information

TRITON - Web Security Help

TRITON - Web Security Help TRITON - Web Security Help Websense Web Security Websense Web Filter v7.6 1996 2015, Websense Inc. All rights reserved. 10240 Sorrento Valley Rd., San Diego, CA 92121, USA Published 2015 Printed in the

More information

http://docs.trendmicro.com/en-us/smb/hosted-email-security.aspx

http://docs.trendmicro.com/en-us/smb/hosted-email-security.aspx Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

HP A-IMC Firewall Manager

HP A-IMC Firewall Manager HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805 Legal and notice information Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this

More information

Deploying F5 with Microsoft Active Directory Federation Services

Deploying F5 with Microsoft Active Directory Federation Services F5 Deployment Guide Deploying F5 with Microsoft Active Directory Federation Services This F5 deployment guide provides detailed information on how to deploy Microsoft Active Directory Federation Services

More information

Acano solution. Virtualized Deployment R1.1 Installation Guide. Acano. February 2014 76-1025-03-B

Acano solution. Virtualized Deployment R1.1 Installation Guide. Acano. February 2014 76-1025-03-B Acano solution Virtualized Deployment R1.1 Installation Guide Acano February 2014 76-1025-03-B Contents Contents 1 Introduction... 3 1.1 Before You Start... 3 1.1.1 About the Acano virtualized solution...

More information

Web Filter. SurfControl Web Filter 5.0 Installation Guide. www.surfcontrol.com. The World s #1 Web & E-mail Filtering Company

Web Filter. SurfControl Web Filter 5.0 Installation Guide. www.surfcontrol.com. The World s #1 Web & E-mail Filtering Company Web Filter SurfControl Web Filter 5.0 Installation Guide www.surfcontrol.com The World s #1 Web & E-mail Filtering Company NOTICES NOTICES Copyright 2005 SurfControl plc. All rights reserved. No part

More information

NETWRIX EVENT LOG MANAGER

NETWRIX EVENT LOG MANAGER NETWRIX EVENT LOG MANAGER ADMINISTRATOR S GUIDE Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

Broadband Router ESG-103. User s Guide

Broadband Router ESG-103. User s Guide Broadband Router ESG-103 User s Guide FCC Warning This equipment has been tested and found to comply with the limits for Class A & Class B digital device, pursuant to Part 15 of the FCC rules. These limits

More information

Installation Guide for Pulse on Windows Server 2008R2

Installation Guide for Pulse on Windows Server 2008R2 MadCap Software Installation Guide for Pulse on Windows Server 2008R2 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

McAfee Web Gateway 7.4.1

McAfee Web Gateway 7.4.1 Release Notes Revision B McAfee Web Gateway 7.4.1 Contents About this release New features and enhancements Resolved issues Installation instructions Known issues Find product documentation About this

More information

Using RADIUS Agent for Transparent User Identification

Using RADIUS Agent for Transparent User Identification Using RADIUS Agent for Transparent User Identification Using RADIUS Agent Web Security Solutions Version 7.7, 7.8 Websense RADIUS Agent works together with the RADIUS server and RADIUS clients in your

More information

Configuring SonicWALL TSA on Citrix and Terminal Services Servers

Configuring SonicWALL TSA on Citrix and Terminal Services Servers Configuring on Citrix and Terminal Services Servers Document Scope This solutions document describes how to install, configure, and use the SonicWALL Terminal Services Agent (TSA) on a multi-user server,

More information

ez Agent Administrator s Guide

ez Agent Administrator s Guide ez Agent Administrator s Guide Copyright This document is protected by the United States copyright laws, and is proprietary to Zscaler Inc. Copying, reproducing, integrating, translating, modifying, enhancing,

More information

Installation Guide ARGUS Symphony 1.6 and Business App Toolkit. 6/13/2014 2014 ARGUS Software, Inc.

Installation Guide ARGUS Symphony 1.6 and Business App Toolkit. 6/13/2014 2014 ARGUS Software, Inc. ARGUS Symphony 1.6 and Business App Toolkit 6/13/2014 2014 ARGUS Software, Inc. Installation Guide for ARGUS Symphony 1.600.0 6/13/2014 Published by: ARGUS Software, Inc. 3050 Post Oak Boulevard Suite

More information

WhatsUp Gold v16.3 Installation and Configuration Guide

WhatsUp Gold v16.3 Installation and Configuration Guide WhatsUp Gold v16.3 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup Installation Overview... 1 Overview... 1 Security considerations... 2 Standard

More information

LifeSize Control Installation Guide

LifeSize Control Installation Guide LifeSize Control Installation Guide April 2005 Part Number 132-00001-001, Version 1.0 Copyright Notice Copyright 2005 LifeSize Communications. All rights reserved. LifeSize Communications has made every

More information

Content Filtering Client Policy & Reporting Administrator s Guide

Content Filtering Client Policy & Reporting Administrator s Guide Content Filtering Client Policy & Reporting Administrator s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION

More information

Trend Micro Email Encryption Gateway 5

Trend Micro Email Encryption Gateway 5 Trend Micro Email Encryption Gateway 5 Secured by Private Post Quick Installation Guide m Messaging Security Trend Micro Incorporated reserves the right to make changes to this document and to the products

More information

VMware vcenter Log Insight Getting Started Guide

VMware vcenter Log Insight Getting Started Guide VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Installation Guide for Pulse on Windows Server 2012

Installation Guide for Pulse on Windows Server 2012 MadCap Software Installation Guide for Pulse on Windows Server 2012 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

Secure Web Appliance. SSL Intercept

Secure Web Appliance. SSL Intercept Secure Web Appliance SSL Intercept Table of Contents 1. Introduction... 1 1.1. About CYAN Secure Web Appliance... 1 1.2. About SSL Intercept... 1 1.3. About this Manual... 1 1.3.1. Document Conventions...

More information