SonicWALL Content Security Manager Integrated Solutions Guide

Transcription

1 SonicWALL Content Security Manager Integrated Solutions Guide Document Scope This solutions document describes how to deploy a SonicWALL Content Security Manager (CSM) content filtering appliance along with the SonicWALL ADConnector software for Microsoft Active Directory client integration into a new or existing network. The SonicWALL CSM solutions presented in this document are based on actual customer deployments and are SonicWALL-recommended best practices. These solutions were tested and verified in a lab environment. This document contains the following sections: What s New in CSM 2.0 section on page 2 Introduction section on page 3 User Policies and Client IP Dependencies section on page 5 SonicWALL ADConnector section on page 8 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist section on page 10 Installing the SonicWALL ADConnector Software section on page 10 Setting Up the SonicWALL CSM to Communicate with Active Directory section on page 14 Configuring the ADConnector section on page 16 Adding Multiple CSM Devices section on page 16 Viewing ADConnector Attributes section on page 18 Working with the Computer Object section on page 21 Configuring Global Settings section on page 21 Working with Multiple Domains section on page 22 Assigning a Policy to a User section on page 24 Assigning a Policy to a Computer section on page 26 Assigning a Policy to a Group section on page 27 SonicWALL CSM Policies section on page 29 SonicWALL CSM Policy Inheritance section on page 29 1

2 What s New in CSM 2.0 SonicWALL CSM Deployment Solutions section on page 30 Deployment Prerequisite: Set Up Active Directory section on page 30 Solution #1: Configuring a Single Content Filtering Policy for All Users with Bypass section on page 31 Solution #2: Creating Distinct Filtering Policies for Different User Groups section on page 32 Solution #3: Creating Static Lists of Allowed Websites for Different User Groups section on page 36 SonicWALL CSM Advanced Deployment Solutions section on page 41 Using the SonicWALL CSM with a Caching Proxy Server section on page 41 Scenario 1 Single Path Upstream Proxy Server section on page 42 Scenario 2 Dual Path Upstream Proxy Server section on page 43 Scenario 3 Single Path Downstream Proxy Server section on page 45 Scenario 4 Reiterative Path Upstream Proxy Server section on page 47 Scenario 5 SonicWALL CSM and SonicPoint Integration section on page 49 Deploying SonicWALL GMS for the SonicWALL CSM section on page 51 Troubleshooting the SonicWALL CSM and SonicWALL ADConnector section on page 66 Technical Frequently Asked Questions section on page 81 Glossary section on page 84 Related Documents section on page 87 Contributors section on page 88 Index section on page 91 What s New in CSM 2.0 The SonicWALL CSM 2100 CF is an appliance-based Internet filtering solution that integrates real-time gateway anti-virus, anti-spyware and Internet filtering to deliver maximum network protection from today s sophisticated Internet threats. Combining dynamic threat management capabilities with precise control over Internet usage in an affordable appliance-based solution, the SonicWALL CSM 2100 CF boosts network security and employee productivity, optimizes network utilization and mitigates legal liabilities. This unique solution integrates seamlessly into virtually any network topology for powerful, scalable, and cost-effective threat protection. New features in the product include: Real-Time Gateway Anti-Virus and Anti-Spyware Scanning - Over a multitude of widely used ports and protocols including HTTP, SMTP, POP3, FTP, and NetBIOS delivers complete protection by eliminating viruses, worms, Trojans, spyware, and other Internet threats at the gateway before they can infect the network. Powerful Internet Filtering - Provides granular, policy-based controls to manage access to inappropriate, unproductive, and potentially illegal Web content. Instant Messaging (IM), Peer-to-Peer (P2P), and Multimedia Controls - Improves network performance, enhances security and protects against legal liabilities. IM/P2P Application Filters can now be nexted into policies and assigned to users, groups, computers, and hosts. 2

3 SonicWALL Content Security Manager Overview Granular Policy Control via Single Sign-On - Streamlines user authentication and the management of access to network resources and online content. Powerful Web-Based Reporting - Provides greater insight into network usage through custom reports that can be viewed in multiple formats. Seamless Integration Behind Virtually and Network Firewall - Enables organizations to leverage the existing network infrastructure without the need to purchase additional hardware. High Availability - Ensures the network is always protected and productivity remains uninterrupted by automatically failing over to a secondary SonicWALL CSM 2100 CF should the primary unit fail. SonicWALL Content Security Manager Overview This section provides an introduction to the SonicWALL ADConnector software. This section contains the following subsections: Introduction section on page 3 User Policies and Client IP Dependencies section on page 5 SonicWALL ADConnector section on page 8 Introduction The SonicWALL CSM 2100 CF is a standalone content filtering appliance designed for seamless integration into any networking environment. This broad compatibility is achieved though the intelligent bridging architecture of the SonicWALL CSM 2100 CF, which offers a potent combination of the transparency typically associated with layer 2 devices, along with application-layer analysis and control provided by SonicWALL s stateful and deep packet inspection engines associated with layer 3 devices. While this architecture allows for drop-in integration, as well as single-sign on (SSO) capabilities provided by the SonicWALL ADConnector, the architecture differs from many legacy content filtering devices in that it is not a sockets-based proxy. A socket proxy acts as an intervening agent for client connections; the client opens a socket (for example, makes a connection) to the proxy, and the proxy then makes a connection on behalf of the client to the destination server to retrieve the content. This man-in-the-middle approach affords the socket proxy the ability to have traffic directed to it explicitly so that it may operate in a one-armed mode (rather than strictly inline), and it also allows it to perform RFC 2617 HTTP Authentication. Although the architecture of the SonicWALL CSM 2100 CF does not provide these capabilities, its bump-in-the-wire design is substantially simpler to deploy, and the SonicWALL CSM 2100 CF can easily be used in conjunction with socket-based solutions, such as caching proxy servers. SonicWALL Content Security Manager Integrated Solutions 3

4 SonicWALL Content Security Manager Overview Figure 1 Cabling a SonicWALL CSM 2100 CFCSM 2100 CF 4

5 SonicWALL Content Security Manager Overview User Policies and Client IP Dependencies One of the key features of the SonicWALL CSM 2100 CF is its ability to apply per-user or per-group policies for all users whose HTTP traffic passes through it. To provide such fine controls, the SonicWALL CSM 2100 CF must be able to uniquely identify every user. Rather than requiring every user to manually authenticate, the SonicWALL CSM 2100 CF employs an SSO mechanism, where SSO refers to the automated reuse of user credentials across multiple authentication checkpoints. Since most users today begin their computing sessions by logging on to a Microsoft Windows Active Directory (MSAD) domain, the ability to reuse these MSAD credentials is a significant convenience to users in environments where subsequent user identification is required. Deployment Restrictions As described in the SonicWALL ADConnector section, it is essential that the SonicWALL CSM 2100 CF be able to correlate a user to a unique IP address for SSO to function correctly. Deployments that this one-to-one correlation prevents are the use of per-user or per-group policies. The most common disruptive conditions include: A sockets-based proxy server placed between the clients and the SonicWALL CSM 2100 CF. Sockets-based proxy servers present their own IP address rather than the IP address of the original client to the SonicWALL CSM 2100 CF, preventing the SonicWALL CSM 2100 CF from tracking users by their unique IP addresses. A network address translation (NAT) device placed between the clients and the SonicWALL CSM 2100 CF. NAT devices generally translate the original client IP address to some other non-unique or uncorrelated value. A multi user, or thin client environment, such as Citrix or Microsoft Terminal Server. Multi-user servers present a single IP address for all of the virtual client sessions they host, preventing the correlation of a unique IP address to a human user. Socket based proxy or content filter devices sometimes work around this issue by implementing HTTP authentication, typically in the form of either Basic or NTLM authentication. The SonicWALL CSM 2100 CF generally correlates all traffic coming from the terminal server to the last user who logged on. SonicWALL Gateway Anti-Virus, Anti-Spyware Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus and Anti-Spyware Service features a configurable, high-performance Deep Packet Inspection architecture that uses parallel searching algorithms up through the application layer to deliver complete application layer, Web and attack prevention. Parallel processing reduces the impact on the processor and maximizes available memory for exceptional performance on SonicWALL appliances. Spyware Protection - SonicWALL Gateway Anti-Virus and Anti-Spyware Service prevents malicious spyware from infecting networks by blocking spyware installations at the gateway and disrupts background communications from existing spyware programs that transmit confidential data. Real-Time AV Gateway Scanning - SonicWALL Gateway Anti-Virus and Anti-Spyware and Service delivers intelligent file-based virus and malicious code prevention by scanning in real-time for decompressed and compressed files containing viruses, Trojans, worms and other Internet threats over the corporate network. Scalability and Performance - SonicWALL Gateway Anti-Virus and Anti-Spyware Service utilitizes a per packet scanning engine, allowing the SonicWALL unified threat management solution to handle unlimited file size and virtually unlimited concurrent downloads. SonicWALL Content Security Manager Integrated Solutions 5

6 SonicWALL Content Security Manager Overview Day Zero Protection - SonicWALL Gateway Anti-Virus and Anti-Spyware Service ensures fast time-to-protection by employing a dynamically updated database of signatures created by a combination of SonicWALL s SonicAlert Team and third-party sources. Extensive Signature List - SonicWALL Gateway Anti-Virus and Anti-Spyware Service utilizes an extensive database of thousands of attack and vulnerability signatures written to detect and prevent intrusions, viruses, spyware, worms, Trojans, application exploits, and malicious applications. Distributed Enforcement Architecture - SonicWALL Gateway Anti-Virus and Anti-Spyware Service utilizes a distributed enforcement architecture to deliver automated signature updates, providing real-time protection from emerging threats and lowering total cost of ownership. Inter-zone Protection - SonicWALL Gateway Anti-Virus and Anti-Spyware Service provides application layer attack protection against malicious code and other threats originating from the Internet or from internal sources. Administrators have the ability to enforce anti-virus scanning not only between each network zone and the Internet, but also between internal network zones for added security (Requires SonicOS Enhanced). Advanced File Decompression Technology - SonicWALL Gateway Anti-Virus and Anti-Spyware Service includes advanced decompression technology that can automatically decompress and scan files on a per packet basis to search for viruses, Trojans, worms and malware. Supported compression formats include: ZIP, Deflate and GZIP. File-Based Scanning Protocol Support - SonicWALL Gateway Anti-Virus and Anti-Spyware Service delivers protection for high threat viruses and malware by inspecting the most common protocols used in today s networked environments, including SMTP, POP3, IMAP, HTTP, FTP, NETBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based protocols. This closes potential backdoors that can be used to compromise the network while also improving employee productivity and conserving Internet bandwidth. Application Control - SonicWALL GAV/IPS provides the ability to prevent instant messaging and peer-to-peer file sharing programs from operating through the firewall, closing a potential back door that can be used to compromise the network while also improving employee productivity and conserving Internet bandwidth. Simplified Deployment and Management - SonicWALL Gateway Anti-Virus and Anti-Spyware Service allows network administrators to create global policies between security zones and group attacks by priority, simplifying deployment and management across a distributed network. Granular Management - SonicWALL Gateway Anti-Virus and Anti-Spyware Service provides an intuitive user interface and granular policy tools, allowing network administrators to configure a custom set of detection or prevention policies for their specific network environment and reduce the number of false policies while identifying immediate threats. Logging and Reporting - SonicWALL Gateway Anti-Virus and Anti-Spyware Service offers comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level, enabling administrators to highlight high priority attacks. Granular reporting based on attack source, destination and type of intrusion is available through SonicWALL ViewPoint and Global Management System. SonicWALL Gateway Anti-Virus Overview SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by using SonicWALL s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the SonicWALL gateway. Building on SonicWALL s reassembly-free architecture, SonicWALL GAV inspects multiple application protocols, as well as generic TCP streams, and compressed traffic. Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the 6

7 SonicWALL Content Security Manager Overview scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis. SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching downloaded or ed files against an extensive and dynamically updated database of threat virus signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are created and added to the database by a combination of SonicWALL s SonicAlert Team, third-party virus analysts, open source developers and other sources. SonicWALL GAV can be configured to protect against internal threats as well as those originating outside the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols, to provide administrators with comprehensive network threat prevention and control. Because files containing malicious code and viruses can also be compressed and therefore inaccessible to conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that automatically decompresses and scans files on a per packet basis. SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by using SonicWALL s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the SonicWALL gateway. Building on SonicWALL s reassembly-free architecture, SonicWALL GAV inspects multiple application protocols, as well as generic TCP streams, and compressed traffic. Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis. SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching downloaded or ed files against an extensive and dynamically updated database of threat virus signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are created and added to the database by a combination of SonicWALL s SonicAlert Team, third-party virus analysts, open source developers and other sources. SonicWALL GAV can be configured to protect against internal threats as well as those originating outside the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols, to provide administrators with comprehensive network threat prevention and control. Because files containing malicious code and viruses can also be compressed and therefore inaccessible to conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that automatically decompresses and scans files on a per packet basis. SonicWALL Content Security Manager Integrated Solutions 7

8 SonicWALL Content Security Manager Overview SonicWALL ADConnector The SonicWALL CSM 2100 CF achieves transparent, automated SSO integration by means of the SonicWALL ADConnector software, an installable agent that runs as a service on a Microsoft Win32 workstation or server that is either a domain member or domain controller for the target (authenticating) domain. As illustrated in Figure 2, the SonicWALL CSM 2100 CF must see the request as coming from the client s actual IP address so that it may pass it to the SonicWALL ADConnector for enumeration. If the enumeration attempt fails, the default policy (rather than the specific user or group policy) will be applied to the request. The following example details the sequence of events that occurs when a CSM 2100 CF attempts to resolve an IP address to a corresponding user name. The example assumes the following: A workstation with an IP address of A default gateway of The workstation requests content (such as, through the SonicWALL CSM 2100 CF The user logged on to the workstation is a member of the local AD domain The user has logged on with username user1 The user is a member of the Sales group Figure 2 SonicWALL CSM 2100 CF Automated SSO Integration 8

9 SonicWALL Content Security Manager Overview 1. The SonicWALL CSM 2100 CF detects the request, and queries the SonicWALL ADConnector (residing on domain member server ) for the username corresponding to the IP address Since the SonicWALL ADConnector caches information to speed responses to queries, it first checks its cache to see if it has previously resolved this IP address to the corresponding username. a. If the cache contains the information, move to step 4. b. If the cache does not contain the information (such as, this is the first request from IP address ) the SonicWALL ADConnector uses the Microsoft.Net framework to issue a NetWkstaUserEnum Lib call from netapi32.dll to to determine the username logged on to the current session. This function call is complete in its result, returning all logon information for local, terminal service, impersonated users, and interactive logons. 3. Upon receiving the logged on username information (user1), the SonicWALL ADConnector checks its cache again to see if it has the applicable policy associated with the username user1. a. If the cache contains the information, move to step 7. b. If the cache does not contain the information, the SonicWALL ADConnector issues an LDAP query to the AD Server ( ) to retrieve the correct attribute information for the user, as well as group membership (memberof) information, and relevant group attribute information. 4. The Active Directory server returns the response to the LDAP query. This includes the pertinent attribute information for the user, the memberof (group) information for the user, and the pertinent attribute information for the group. SonicWALL Content Security Manager Integrated Solutions 9

10 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist This section contains the following subsections: ADConnector Overview on page 10 Installing the SonicWALL ADConnector Software section on page 10 Setting Up the SonicWALL CSM to Communicate with Active Directory section on page 14 ADConnector Overview The CSM achieves transparent, automated Single-Sign-On (SSO) integration by means of the ADConnector, an installable agent that runs as a service on a Microsoft Win32 workstation or server that is either a domain member or domain controller for the target (authenticating) domain. Installing the SonicWALL ADConnector Software When installing the ADConnector software, you need to establish it as an Administrator equivalent. To install the SonicWALL ADConnector software, perform the following steps: Step 1 Step 2 Step 3 If you have a previously installed version of the ADConnector, uninstall it prior to the installation of the new version. Download and install the SonicWALL ADConnector software. This file can be downloaded from the site. If prompted to install the Microsoft.NET 1.1 Framework, click Yes. After installing the Microsoft.NET Framework the computer will restart. After the restart is complete, setup will continue automatically. Double-click the SonicWALL ADConnector icon. The installation script displays the InstallShield Wizard Welcome screen. Figure 3 ADConnector - InstallShield Wizard Home Screen 10

11 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Step 4 Step 5 Click Next. The installation script displays the License Agreement screen. Click the radio button for I accept the terms in the License Agreement and click Next. The installation script displays the Customer Information screen. Figure 4 ADConnector Customer Information Screen Step 6 Step 7 Step 8 Type a user name and organization name in the fields. In the Install this application for region, click on the radio button that determines the level of restrictiveness you want for the access to the application. Anyone who uses this computer (all users) Only for me Click Next. The installation script displays the Destination Folder screen. Figure 5 ADConnector Destination Folder Step 9 Review the default path of the folder to which the program will be stored. The default is C:\ProgramFiles\SonicWALL\ADConnector\. If want the program to be loaded somewhere else, click Change and browse to the location. Click Next. The installation script displays the Ready to Install the Program screen. SonicWALL Content Security Manager Integrated Solutions 11

12 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Step 10 Click Install. The installation script displays the ADConnector Configuration screen Figure 6 ADConnector Configuration Screen. Step 11 Step 12 Step 13 Step 14 Make sure the IP address appears in the CSM 2100 CF Appliance IP field. If the address has changed, make sure it is the address assigned to the CSM 2100 CF Appliance if changed from its default. Type it in if it is not there. Type the system port number of the CSM 2100 CF appliance in the CSM Appliance Port field. This is the port over which the ADConnector and CSM communicate. Type the assigned 16-character key value in the Shared Key field and click Next. Click Next. The installation script installs the ADConnector. 12

13 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Post-Installation Tasks Once you have completed the installation, you are now ready to enter the ADConnector Configuration environment. Step 1 After the installation has successfully completed open the SonicWALL ADConnector Configuration Tool (Start > Programs > SonicWALL > SonicWALL ADConnector > ADConnector Configuration Tool), as illustrated in Figure 7. Figure 7 SonicWALL ADConnector Configuration Tool Step 2 Expand the Users option. A dialog box like the one below will appear prompting you to select Active Directory attributes in which to store SonicWALL CSM Group and User policies. Click OK to continue. Figure 8 ADConnector Attributes Message Step 3 A dialog box appears allowing you to select which attribute to use for storing Group Policies and which one to use for storing User Policies. The exact attributes you choose are not important so long as they are not being currently used. Select two attributes that are currently unused in your environment, then click OK to continue. SonicWALL Content Security Manager Integrated Solutions 13

14 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Figure 9 ADConnector Attribute Selection Dialog Box If the Add Policy dialog box (as illustrated below) appears prompting you to add a policy, click Cancel at this time. Figure 10 ADConnector Add Policy Dialog Box Setting Up the SonicWALL CSM to Communicate with Active Directory To set up the SonicWALL CSM 2100 CF to communicate with Active Directory, perform the following steps: Step 1 Navigate to the Users > Settings page in the SonicWALL CSM 2100 CF management GUI and select the Use Windows Active Directory radio button under the Authentication Method section. Click Apply to save your changes, as illustrated in Figure 11. Figure 11 Users > Settings > Authentication Method 14

15 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Step 2 Click the Configure button. In the ADConnector Configuration window and enter the following information: IP Address: The IP address of the machine running the SonicWALL ADConnector Port Number: The value you entered when prompted during the installation of the SonicWALL ADConnector software (default 2258) Shared Secret: The value you entered when prompted during the installation of the SonicWALL ADConnector software Step 3 Step 4 Click Ok and return to the Configure screen. Click the Check button. A successful configuration to communicate with the SonicWALL ADConnector will be confirmed with a popup status window. SonicWALL Content Security Manager Integrated Solutions 15

16 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Configuring the ADConnector When you configure the AD Connector, you need to perform the following tasks: Adding Multiple CSM Devices on page 16 Viewing ADConnector Attributes on page 18 Working with the Computer Object on page 21 Configuring Global Settings on page 21 Working with Multiple Domains on page 22 Assigning a Policy to a User on page 24 Assigning a Policy to a Computer on page 26 Assigning a Policy to a Group on page 27 Adding Multiple CSM Devices This procedure allows for additional CSM devices to be defined to support multi-csm environments with a single ADConnector. To configure your CSMs, perform the following steps: Step 1 Click the SonicWALL ADConnector Configuration Tool option in the navigation pane. ADConnector highlights the option. Figure 12 ADConnector Configuration Tool Step 2 Right click on the SonicWALL ADConnector Configuration Tool option. ADConnector displays a popup menu as shown in the following figure 16

17 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Figure 13 ADConnector Configuration Tool Popup Window. Step 3 Click the Add New CSM Appliance option. ADConnector displays the Add New CSM Appliance dialog box as shown in the following figure. Figure 14 Add New CSM Appliance Dialog Box Step 4 Enter values for the following fields in the Add New CSM Appliance dialog box. Field CSM Appliance IP CSM Appliance Port Friendly Name Shared Key Policy File Description Indicates the IP address that uniquely identifies the CSM appliance. Indicates the system port number used by the CSM appliance. Indicates the string that has been correlated with the appliance address by which you can identify the appliance. Indicates the key used to encrypt communications between the CSM and the ADConnector. The Shared key can be either generated or user defined. The explicit pathname for the policy file that sets conditions for permitting and denying packets into and out of the CSM appliance. Step 5 Step 6 Add several other CSM appliances as you just added the previous device. Click Ok. SonicWALL Content Security Manager Integrated Solutions 17

18 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Viewing ADConnector Attributes Now that you have added your CSM 2100 CF appliances, you can view the attributes. Attributes are the unused optional attributes within the ADConnector that are selected to store the policy information assigned to users, groups, and computers. To view attributes of your CSM 2100 CF appliances, perform the following steps. Step 1 Step 2 Click the SonicWALL ADConnector Configuration Tool option in the navigation pane. ADConnector highlights the option.click on the plus (+) icon to the left of the SonicWALL ADConnector Configuration Tool option. ADConnector displays two options: SonicWALL_CSM Appliances Domains Click on the plus (+) icon to the left of the SonicWALL CSM Appliances option. ADConnector displays the appliance IP address Figure 15 ADConnector Configuration Tool CSM Appliance IP Address Step 3 Right click on the appliance address entry ADConnector displays the status line of the appliance address. 18

19 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Figure 16 ADConnector CSM Appliance Status Columns Note the status columns that appear in the appliance list: Field Default Friendly Name IP Port Shared Key Description Indicates the administrative status of the device. It can be either Yes or No. Indicates the string that has been correlated with the appliance address by which you can identify the appliance. Indicates the IP address of the appliance. Indicates the system port number used by the appliance. Indicates the key used by the appliance used to create access by users. The key is a sixteen-digit value that uses the Hexadecimal value system. Step 4 Right click the appliance entry in the appliance list and click Properties. ADConnector displays the CSM Appliance dialog box. SonicWALL Content Security Manager Integrated Solutions 19

20 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Figure 17 AD Connector CSM Appliance Configuration Dialog Box Step 5 Fill in the fields as shown in the following table. Field CSM Appliance IP CSM Appliance Port Friendly Name Shared Key Policy File Description The IP address of the appliance The port number of the appliance. The string correlated with the IP address of the appliance that identifies it. A generated value that enables a user to access the appliance. The path where the policy file can be found. Step 6 Click the CSM Policies tab. ADConnector associates policies with CSM 2100 CF devices. ADConnector displays either the default policy for the CSM 2100 CF you selected or a list of policies for the CSM 2000 CF. If you have not synchronized to an appliance properly, ADConnector will display the following message: The Policy list is not available. Please check if the ADConnector service is running and has been configured correctly to communicate with your CSM appliance. If you have synchronized to an appliance properly, ADConnector displays the CSM Policies dialog box that may appear in a similar fashion to the following figure. 20

21 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Step 7 When you first configure the CSM, it provides a default policy. A policy is an object that contains criteria to block certain categories of internet locations. You can add policies to provide better control over the Internet access of the specific CSM device. At a minimum, you will simply have the Default policy (called DEFAULT) associated with the CSM 2100 CF. If you see only the DEFAULT policy name, it indicates that your network administrator did not set up ADConnector policies for this CSM 2100 CF. Click Ok. Working with the Computer Object When using the ADConnector, you can store information about users and computers in an object. A computer is a single node on the network to which you can apply the same kinds of rules that you can to users. From the ADConnector perspective, they are parallel. A domain is basically a network space. It is an area over which the ADConnector rules apply. A user is a person s login account on the network. A user can log into anything connected to the network. The ADConnector tracks computers by MAC addresses. Configuring Global Settings To configure your CSMs, perform the following steps: Step 1 Step 2 Click the SonicWALL AD Connector Configuration Tool option in the navigation pane. Right click on the SonicWALL CSM Appliance option and click Properties. ADConnector displays the Configuration Editor dialog box as shown in the following figure. Figure 18 ADConnector Configuration Editor Dialog Box SonicWALL Content Security Manager Integrated Solutions 21

22 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Step 3 View the following read-only fields that are necessary for the ADConnector to transfer information to the Domain Controller about users and user names. These fields are necessary for the ADConnector to talk to the Domain Controller. Field ComputerPolicyAttribute GroupPolicyAttribute UserPolicyAttribute Description A policy that provides values for settings for the computer associated with this configuration. A policy that provides values for settings for the group associated with this configuration. A policy that provides values for settings for the user associated with this configuration. Step 4 Step 5 Step 6 Step 7 Set the priority levels for logs to this device in the Logging Level listbox where 0 is the lowest level of priority and 2 is the highest. These levels apply to application logging. The logging levels enable a more or less restrictive approach to the amount of logs you want displayed. 0 displays the least amount, only critical severity logs; 1 displays the second least amount, critical and significant severity logs, and 2 displays all logs, using the debug level of severity. Set the amount of time the device takes to reapply a policy in the Policy Refresh Time field. This indicates how long the ADConnector checks for new policies after you have added them. The range can be from 0 to 300 seconds. Set the path of where you want the Policy Configuration File to reside. The Policy Configuration File contains the policies associated with the device. The default is C:\Program Files\SonicWALL\ADConnector\PolicyList.xml. Click Ok. Working with Multiple Domains In the 1.0 version of CSM, you could only have one domain in your AD Connector environment. Now you can add multiple domains. A domain is an area on the network that contains Users, Groups, and Computers. The advantage to working with multiple domains is that it enables you to apply the benefits of the CSM 2100 CF to all of your domains. Multiple domains enable you to: Creates a set of separate network domains even if they don t share the same network even if they are located on the same site. This can be helpful if you want to separate a department into a secure area protected from the rest of the network. Enables you to partition your network into logical units to help organize your network when you have a large number of nodes. Enables you to match the organization of your network to the organization of your company. Enables you to deploy the same policies across different domains, providing ease and convenience. Understanding Trust Relationship Requirements You need to define a trust relationship between different domains for which you want to manage. It can be established using the Windows Active Directory management tools. The basic user under which you are running must have read-write permissions to access these trusted domains. Trust relationship is a description of the user access between two domains consisting of a one way and a two way trust. Terms: 22

23 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Adding Multiple Domains One way trust - When one domain allows access to users on another domain, but the other domain does not allow access to users on the first domain. Two way trust - When two domains allow access to users on the other domain. Trusting domain - The domain that allows access to users on another domain. Trusted domain - The domain that is trusted, whose users have access to the trusting domain. Transitive trust - A trust which can extend beyond two domains to other trusted domains in the tree. Intransitive trust - A one way trust that does not extend beyond two domains. Explicit trust - A trust that an administrator creates. It is not transitive and is one way only. Cross-link trust - An explicit trust between domains in different trees or in the same tree when a descendent/ancestor (child/parent) relationship does not exist between the two domains. Windows 2000 only supports the following types of trusts: Two way transitive trusts One way non-transitive trusts. This means the two way non transitive trust supported by Windows NT is no longer supported. The way to deal with this is to create two one way trusts in Windows Note Depending on the number of objects in the domain you are adding, and speed of the network connection to the domain controller, it might take a few minutes to enumerate and display the domain. To add a new domain, perform the following tasks: Step 1 Step 2 Step 3 Click the SonicWALL ADConnector Configuration Tool option in the navigation pane. In the entity list, right click on Domains. ADConnector displays a popup window. Click on the option Add New Domain. Figure 19 ADConnector Add New Domain Option Step 4 ADConnector displays the Add New Domain dialog box. SonicWALL Content Security Manager Integrated Solutions 23

24 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Figure 20 ADConnector Add New Domain Dialog Box Step 5 Step 6 Step 7 Type a string in the Domain field. Click the Test Connection button to determine whether the domain you selected is connected. Click Ok to save your new domain. Assigning Policies You can assign policies to user, computer, and group objects, using the ADConnector Configuration Tool. The following priorities exist for policy assignment: Priority Level Highest Priority Medium Priority Low Priority Description Policy assigned to a computer object. Policy assigned to a user object. Policy assigned to a group object. Assigning a Policy to a User A policy is a set of rules configured on the CSM that defines access to various resources, applications, and classes of content. The CSM includes 12 pre-configured policies (denoted by an asterisk prefix) and also allows for custom policies to be added. To be effective, these policies must be assigned to either Users, Groups, or Computers through the ADConnector, or to Hosts through the CSM management interface. The following procedure illustrates how to assign a policy to a User. Step 1 Step 2 Step 3 Click on the SonicWALL ADConnector Configuration Tool entry. Click on the Domains option. Click on the Plus icon (+) to the left of the Users option. ADConnector displays the user list. 24

25 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Figure 21 ADConnector Users Screen Step 4 Right click on a user, in this example, Aaron Alesis. ADConnector displays a popup window as shown in the following figure. Figure 22 ADConnector Add Policy Option Step 5 Click Add Policy. ADConnector displays the Add Policy dialog box. SonicWALL Content Security Manager Integrated Solutions 25

26 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Figure 23 ADConnector Add Policy Dialog Box Step 6 Step 7 Click on the Select Policy listbox and click on a policy. You have now added a policy to the user Aaron Alesis. Click Ok. Assigning a Policy to a Computer Assigning a policy to a computer allows an administrator to associate a policy with a particular workstation or server within the domain. The computer policy takes precendence over evedrything. For example: In Active Directory, user A is a member of the Engineering group. In ADConnector User A is assigned Policy1 Engineering Group is assigned Policy2 FastWorkstation is assigned Policy3 Using the above set of conditions, usera logs onto the computer named FastWorkstation. Policy3 will be applied. A computer is a device owned by a particular user in the network. The device can take a friendly name, for example, Dans_Computer, or it can simply be an IP address. To access an area where you can view all computers mapped to your system, perform the following steps: Step 1 Step 2 Step 3 Step 4 Click the SonicWALL ADConnector Configuration Tool option in the navigation pane. Click the plus (+) sign to the left of the Domains option. ADConnector displays the your domain. Click the plus (+) sign to the left of the sv directory. ADConnector displays three options: Users, Groups, and Computers. Click the plus (+) sign to the left of the Computers option. ADConnector displays all the computers in your network as shown in the following figure. 26

27 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Figure 24 ADConnector Computer List Step 5 Step 6 Step 7 Step 8 Step 9 Click on the plus sign (+) to the left of the Users option to display all users. Right click on the desired computer. ADConnectors displays a popup menu. Click on the Add Policy option. ADConnector displays the Add Policy dialog box. Click on a policy in the Select Policy list box to add the policy to the user. Click Ok. Assigning a Policy to a Group Assigning a policy to a group allows an administrator to associate a policy with an Active Directory group. All members of that group will then inherit the assigned policy. The effective policy applied to users will be a combination of inherited policies and any directly applied policies. To access an area where you can view all groups mapped to your system, perform the following steps: Step 1 Step 2 Step 3 Step 4 Click the SonicWALL ADConnector Configuration Tool option in the navigation pane. Click the plus (+) sign to the left of the Domains option. ADConnector displays the sv directory. Click the plus (+) sign to the left of the directory of your domain. ADConnector displays three options: Users, Groups, and Computers. Click the plus (+) sign to the left of the Groups option. ADConnector displays all the computers in your network as shown in the following figure. SonicWALL Content Security Manager Integrated Solutions 27

28 SonicWALL CSM and SonicWALL ADConnector Configuration Tasklist Figure 25 ADConnector Group List Step 5 Step 6 Step 7 Step 8 Look for the group you are interested in, for example, Domain Users, and right click on it. Click Add Policy. ADConnector displays the Add Policy dialog box. Click on an existing policy in the Select Policy list box to assign the policy to the group. Click Ok. Assigning a Policy to a Host You can also assign policies to a range of addresses, known as a host, in the CSM environment. This is useful to non-microsoft devices. Step 1 Navigate to Users and Hosts > Hosts. 28

29 SonicWALL CSM Policies Step 2 Click Add. CSM displays the Add IP Address Range dialog box. Step 3 Step 4 Step 5 Step 6 Specify an IP address range by supplying a beginning range address in the IP Address From field and an ending range address in the IP Address To field. Select a policy in the CFS Policy list box. Click Ok. CSM displays the new policy in the policy list in the Users and Hosts > Hosts dialog box. SonicWALL CSM Policies The SonicWALL CSM uses 54 different categories to classify web content. (A complete listing can be found at the end of this document). Conceptually, SonicWALL CSM policies can be thought of as a collection of categories under one administrative name. They are created in the management GUI by selecting any combination of one or more categories to block and then saving that combination with a descriptive name. As a rule of thumb when creating SonicWALL CSM policies build functional topics containing several related categories Although either SonicWALL CSM policies can be applied directly to a user or group, understanding what role each of these elements plays as well as their characteristics and behavior will help you design your SonicWALL CSM configuration in a way that will provide you with maximum flexibility and scalability. SonicWALL CSM Policy Inheritance In order to achieve the desired behavior when creating SonicWALL CSM Policies and applying them to Active Directory users and groups, it is important to understand how the various elements in the SonicWALL CSM configuration interact with each other. There are three key rules to remember: Step 1 Step 2 If a website belongs to multiple categories and a user s policy blocks one but allows the other, the user will not be allowed access to the site. When a user is a member of multiple AD groups and each group has a different SonicWALL CSM filtering Policy assigned, the user inherits all of the available privileges from each group so that the net result will be the least restrictive attributes of all the combined policies. SonicWALL Content Security Manager Integrated Solutions 29

30 SonicWALL CSM Deployment Solutions SonicWALL CSM Deployment Solutions This section provides three SonicWALL CSM deployment solutions. Solution #1: A network administrator requires a standard content filtering policy for an entire company with the ability to bypass filtering for the administrator and a few other key individuals (such as the CEO of the company). Solution #2: A network administrator in an education environment needs to create four levels of filtering: Elementary, Middle, High and Teachers. Solution #3: A network administrator needs to create three levels of filtering: Operations, Shift Leads, and Managers, however, instead of using SonicWALL CSM Categories, Policies, the administrator has chosen to create static white lists using SonicWALL CSM Trusted URLs of sites members of each department can visit. Functionally, the biggest difference between this and the previous examples is that when using categories the specific websites a given category contains that are dynamic, you can specifically hard-code what sites a user can visit. Any change to the white list has to be explicitly made by the network administrator. This section contains the following subsections: Deployment Prerequisite: Set Up Active Directory section on page 30 Solution #1: Configuring a Single Content Filtering Policy for All Users with Bypass section on page 31 Solution #2: Creating Distinct Filtering Policies for Different User Groups section on page 32 Assigning Policies to an Active Directory Group section on page 34 Testing section on page 35 Solution #3: Creating Static Lists of Allowed Websites for Different User Groups section on page 36 Testing section on page 40 SonicWALL CSM Filtering Architecture and Predefined Categories section on page 40 Deployment Prerequisite: Set Up Active Directory Step 1 Step 2 On your Domain Controller, navigate to the Start > Programs > Administrative Tools > Active Directory Users and Computers page and create the following four users: Bill Ted Alice John Create the following 7 groups: CSM-Elementary CSM-Middle CSM-High CSM-Teachers 30

31 SonicWALL CSM Deployment Solutions Step 3 CSM-Operators CSM-Shift Leads CSM-Managers Add the following users to the following groups: Bill > CSM-Elementary, CSM-Operators Ted > CSM-Middle, CSM-Shift Leads Alice > CSM-High, CSM-Managers John > CSM-Teachers Solution #1: Configuring a Single Content Filtering Policy for All Users with Bypass The *Predefined Policy is enforced without having to specifically assign it to users or groups. It also acts as a template for subsequent policies that you create. Configure the default policy as your most restrictive policy. As users require more access you can create less restrictive policies to accommodate them. To configure a single content filtering policy for all users with bypass, perform the following steps: Step 1 Navigate to Navigate to Policies > Policy List in the SonicWALL CSM management GUI and click the edit icon for the *Default policy. SonicWALL Content Security Manager Integrated Solutions 31

32 SonicWALL CSM Deployment Solutions Step 2 At the Edit Policy window, click the Category Sets tab then check the Sports/Games/Gambling checkbox (Adult, Drugs & Racism should be checked already). Solution #2: Creating Distinct Filtering Policies for Different User Groups To create a distinct filtering policy for different user groups, perform the following steps: Step 1 Step 2 Navigate to the Web Filters > Category Sets screen in the management GUI. Click the Add button. In the pop-up window that appears enter *Elementary in the Name field, as illustrated in Figure 26. Figure 26 Web Filters > Category Sets > Add > Settings 32

33 SonicWALL CSM Deployment Solutions Step 3 Click the Predefined tab and select all the categories except Education & Kid Friendly, as illustrated in Figure 27. Figure 27 Web Filters > Category Sets > Add > Predefined Step 4 Step 5 Following the same procedure, create three more policies named *Middle, *High and *Teachers. For the *Middle policy block all categories except the following: Education IT/Computers Reference Travel Kid Friendly For the *High policy block all the categories except the following: Business/Economy Education Government Health IT/Computers Search Engines News Reference Travel SonicWALL Content Security Manager Integrated Solutions 33

34 SonicWALL CSM Deployment Solutions Step 6 For the *Teachers policy unblock all the categories except Pornography. When your configuration is complete, your Web Filters > Category Sets screen should look like Figure 28. Figure 28 Web Filters > Category Sets Assigning Policies to an Active Directory Group To assign a policy to an Active Directory group, perform the following steps: Step 1 Step 2 Step 3 Open the ADConnector Configuration Tool and expand the Groups container. Find the CSM-Elementary group, right-click and select Add Policy. In the Add Policy pop-up window, select the *Elementary policy from the drop-down list then click OK. Repeat the same procedure this time assigning the *Middle, *High and *Teachers policies to the CSM-Middle, CSM-High and CSM-Teachers groups respectively. 34

35 SonicWALL CSM Deployment Solutions Testing On a test workstation login to the domain as user Bill. As you recall, Bill is a member of the CSM-Elementary group that can only access sites categorized as Kid friendly. Attempt to navigate to You should see this site blocked because it is not within one of the allowed categories. Now open a browser to: Access should be allowed. Log in as the other users Ted, Alice, and John bearing in mind that they are members of CSM-Middle, CSM-High & CSM-Teachers respectively. Notice how the levels of access change appropriately in accordance with the logged in user, his/her group membership and the specific SonicWALL CSM policy assigned. Some websites you can use to test with are listed in Table 1. Table 1 Example Website URLs for Testing Website Category Business and Economy (15) Education (17) Health (25) Government (22) Information Technology/Computers (26) Search Engines & Portals (28) News & Media (32) Reference (35) Travel (44) Kid Friendly (50) SonicWALL Content Security Manager Integrated Solutions 35

36 SonicWALL CSM Deployment Solutions Solution #3: Creating Static Lists of Allowed Websites for Different User Groups To create a static list of allowed websites for different groups, perform the following steps: Step 1 Step 2 Navigate to the Web Filters > Custom Categories page in the management GUI. In the Allowed URLs section click the Add button. In the Add Trusted URL pop-up window that appears, enter the following information: a. Name: Allowed Sites Operators b. Entry: techtarget.com, Webopedia.com (click Add after each entry to move it into the List window), as illustrated in Figure 29. Figure 29 Web Filters > Custom Categories > Add Allowed URL Step 3 Step 4 Click OK to save your changes. Using the same procedure, create two more Trusted URL lists and enter the following information: a. Name: Allowed Sites Shift Leads b. Entry: techtarget.com, webopedia.com, call-center.net c. Name: Allowed Sites Managers d. Entry: techtarget.com, webopedia.com, call-center.net, callcentermagazine.com, callcenterops.com, ccdigest.com, callcentertimes.com 36

37 SonicWALL CSM Deployment Solutions Step 5 When done it should look like Figure 30. Figure 30 Web Filters > Custom Categories Step 6 Step 7 Step 8 Navigate to the Web Filters > Category Sets page and click the Add button. In the Add window that appears, enter *Operators in the Name: field then click the Predefined tab. Select all the categories in the list (you can click the first checkbox in the list to automatically select and deselect all the categories in the list). It should look like Figure 31. Figure 31 Web Filters > Category Sets > Add > Predefinedt SonicWALL Content Security Manager Integrated Solutions 37

38 SonicWALL CSM Deployment Solutions Step 9 Click the Custom tab then check the box next to the Allowed Sites Operators custom category you just created, as illustrated in Figure 32. Figure 32 Web Filters > Category Sets > Add > Custom Step 10 Step 11 Click OK to save your changes. Using the same procedure, create two more Policies and enter the following information: Name: *Shift Leads Predefined Categories: Select all (same as before) Custom Categories: Allowed Sites Shift Leads Name: *Managers Predefined Categories: Select all except for Search Engines and Portals Custom Categories: Allowed Sites Managers 38

39 SonicWALL CSM Deployment Solutions Step 12 When done it should look like Figure 33. Figure 33 Web Filters > Category Sets Cleanup Tasks from Previous Example Step 1 Step 2 Open the ADConnector Configuration Tool and expand the Groups container. Find the CSM-Elementary group, click to select it and in the right-hand pane you should see the *Elementary policy we added in the previous example. Highlight it then press the Del key to disassociate it from the CSM-Elementary group. Follow the same procedure and disassociate the SonicWALL CSM policies from the CSM-Middle, CSM-High & CSM-Teachers groups. Associations for This Example Step 1 Step 2 Step 3 Find the CSM-Operators group, right-click and select Add Policy. In the Add Policy pop-up window that appears (see figure above), select the *Operators policy from the drop-down list, then click OK. this time assigning the *Shift Leads, and *Managers policies to the CSM-Shift Leads, and CSM-Managers groups respectively. SonicWALL Content Security Manager Integrated Solutions 39

40 SonicWALL CSM Deployment Solutions Testing On a test workstation login to the domain as user: Bill. As you recall Bill is a member of the Active Directory group CSM-Operators which was assigned the SonicWALL CSM policy *Operators. This policy only allows access to two sites: and Verify this to be true. Login as users Ted and Alice and verify that their access corresponds to their group membership and SonicWALL CSM policy assignment. You can use Table 2, which summarizes the websites each employee type is allowed to access as a reference while testing. Table 2 Example Website URLs for Testing Website Operators Shift Leads Managers o o o o o o x o o x x o x x o x x o x x o x x o Search Engines & Portals x x o X=Blocked O=Allowed SonicWALL CSM Filtering Architecture and Predefined Categories The following section explains the structural hierarchy of the SonicWALL Content Security Manager filtering architecture. The Category Set level includes the Predefined Categories (SonicWALL Content Filtering Service categories), the Custom Categories (user defined), and Miscellaneous. You manage these categories at the category set level. These default and user defined policies can be applied to users or groups. Working with Hardware Failover On the Hardware Failover > Monitoring page, you can specify IP addresses that the SonicWALL Content Security Manager performs an ICMP ping on to determine link viability. When using logical monitors, the Content Security Manager pings the defined Probe IP Address target from the Primary as well as the Backup SonicWALL. If both can successfully ping the target, no failover occurs. If both cannot successfully ping the target, no failover occurs, as the Content Security Managers assume that the problem is with the target, and not the Content Security Managers. But, if one SonicWALL can ping the target but the other SonicWALL cannot, it will failover to the SonicWALL that can ping the target. 40

41 SonicWALL CSM Advanced Deployment Solutions SonicWALL CSM Advanced Deployment Solutions This section illustrates four possible methods of deploying the SonicWALL CSM with a caching proxy server and describes the advantages and disadvantages of each. Also illustrated will be the integration of the SonicWALL CSM into a SonicPoint environment, and a highly-available hardware failover (HF) environment. This section contains the following subsections: Using the SonicWALL CSM with a Caching Proxy Server section on page 41 Scenario 1 Single Path Upstream Proxy Server section on page 42 Scenario 2 Dual Path Upstream Proxy Server section on page 43 Scenario 3 Single Path Downstream Proxy Server section on page 45 Scenario 4 Reiterative Path Upstream Proxy Server section on page 47 Scenario 5 SonicWALL CSM and SonicPoint Integration section on page 49 Using the SonicWALL CSM with a Caching Proxy Server As indicated earlier, per-user or per-grouppolicy application requires that the SonicWALL CSM see clients actual IP addresses. The following are three design considerations to keep in mind when using the SonicWALL CSM with a caching proxy server: 1. To make use of the SonicWALL CSM s per-user or per-group Web Filter policies, place the caching proxy server upstream (on the WAN segment) from the SonicWALL CSM, and configure the SonicWALL CSM s web proxy feature from the Network > Web Proxy page. 2. To make use of the SonicWALL CSM s Application Filter, be sure that all network traffic traverses the SonicWALL CSM. 3. For reasons of efficiency, try to avoid configurations wherein traffic traverses the SonicWALL CSM more than once. Such a configuration is perfectly functional, and its design may prove to be convenient in some circumstances. This configuration is illustrated in Scenario 4 Reiterative Path Upstream Proxy Server section on page 47. SonicWALL Content Security Manager Integrated Solutions 41

42 SonicWALL CSM Advanced Deployment Solutions Scenario 1 Single Path Upstream Proxy Server This first scenario is the preferred method of deploying a caching proxy server in conjunction with the SonicWALL CSM because it adheres to all three design considerations above. Figure 34 Single Path Upstream Caching Proxy Server Advantages Presents the actual client IP addresses to the SonicWALL CSM, enabling per-user policy application. All client traffic flows through the SonicWALL CSM, allowing application filters to be employed. The caching proxy server has a direct path to the Internet, so HTTP traffic does not repetitively pass through the SonicWALL CSM. This configuration supports either transparent redirection to the proxy server from the SonicWALL CSM (from the Network > Web Proxy page) or an explicit proxy configuration on the client machines (either manually or by a script). Disadvantages The SonicWALL CSM is in the path of all network traffic bound for the gateway. 42

43 SonicWALL CSM Advanced Deployment Solutions Requirements Configure the Network > Web Proxy feature on the SonicWALL CSM or configure each client to explicitly use the proxy server (either manually or with a script). If using the explicit client proxy configuration, exclude the SonicWALL CSM itself, either by setting the workstations to bypass the proxy server for local addresses, or by specifying the IP address of the SonicWALL CSM as an exclusion. Scenario 2 Dual Path Upstream Proxy Server This scenario removes the SonicWALL CSM from the path of all traffic, but requires additional configuration, and also prevents the use of the Application Filters on the SonicWALL CSM. Figure 35 Dual Path Upstream Proxy Server SonicWALL Content Security Manager Integrated Solutions 43

44 SonicWALL CSM Advanced Deployment Solutions Advantages Disadvantages Requirements Removes the SonicWALL CSM from the path of all network traffic. Presents the actual client IP addresses to the SonicWALL CSM, enabling per-user policy application. The caching proxy server has a direct, dedicated path to the Internet, so HTTP traffic does not repetitively pass through the SonicWALL CSM. The transparent web-proxy redirection feature of the SonicWALL CSM cannot be used in this configuration because HTTP traffic must be explicitly sent through the SonicWALL CSM by the clients. Application Filters cannot be employed on the SonicWALL CSM because not all client traffic passes through it, only HTTP traffic. Client machines must be explicitly configured to use the proxy server, since the SonicWALL CSM is not in the path of their default gateway. The proxy server must be dual-homed. The client LAN connects to the SonicWALL CSM s LAN (X0) interface, and the proxy server connects to the WAN (X1) interface. The SonicWALL CSM s default gateway resides on its LAN. The upstream firewall/gateway should be configured to only allow HTTP traffic from the proxy server and the SonicWALL CSM (to prevent clients going directly through the gateway). 44

45 SonicWALL CSM Advanced Deployment Solutions Scenario 3 Single Path Downstream Proxy Server This scenario removes the SonicWALL CSM from the path of all traffic, but requires additional configuration, and also prevents the use of the Application Filters on the SonicWALL CSM. Figure 36 Single Path Downstream Proxy Server SonicWALL Content Security Manager Integrated Solutions 45

46 SonicWALL CSM Advanced Deployment Solutions Advantages Disadvantages Requirements All client traffic flows through the SonicWALL CSM, allowing application filters to be employed. The proxy server itself is content and application filtered by the SonicWALL CSM. All HTTP traffic is sourced from the proxy server. The SonicWALL CSM is unable to apply per-user policies. The SonicWALL CSM is in the path of all network traffic bound for the gateway. The transparent web-proxy redirection feature of the SonicWALL CSM cannot be used in this configuration because HTTP traffic must be explicitly sent to the proxy server by the clients. Client machines must be explicitly configured to use the proxy server. The upstream firewall/gateway should be configured to only allow HTTP traffic from the proxy server and the SonicWALL CSM (to prevent clients going directly through the gateway). 46

47 SonicWALL CSM Advanced Deployment Solutions Scenario 4 Reiterative Path Upstream Proxy Server This scenario is effectively a simpler, single-homed proxy server variation of scenario 2. Figure 37 Reiterative Path Upstream Proxy Server SonicWALL Content Security Manager Integrated Solutions 47

48 SonicWALL CSM Advanced Deployment Solutions Advantages Disadvantages Requirements Removes the SonicWALL CSM from the path of all network traffic. Presents the actual client IP addresses to the SonicWALL CSM, enabling per-user policy application. All HTTP traffic must traverse the SonicWALL CSM redundantly, once as it is requested, and again as it is retrieved by the proxy server. The transparent web-proxy redirection feature of the SonicWALL CSM cannot be used in this configuration because HTTP traffic must be explicitly sent through the SonicWALL CSM by the clients. Application Filters cannot be employed on the SonicWALL CSM because not all client traffic passes through it, only HTTP traffic. Client machines must be explicitly configured to use the proxy server. The upstream firewall/gateway should be configured to only allow HTTP traffic from the proxy server and the SonicWALL CSM (to prevent clients going directly through the gateway). 48

49 SonicWALL CSM Advanced Deployment Solutions Scenario 5 SonicWALL CSM and SonicPoint Integration The Web and application filtering provided by the SonicWALL CSM can be used on SonicPoint powered WLAN Zones on SonicOS Enhanced 3.0 and higher. Figure 38 SonicWALL CSM and SonicPoint Integration SonicWALL Content Security Manager Integrated Solutions 49

50 SonicWALL CSM Advanced Deployment Solutions Advantages Disadvantages Requirements Provides a single-sign-on capable alternative to using CFS on the upstream firewall. Presents the actual client IP addresses to the SonicWALL CSM, enabling per-user policy application. All client traffic flows through the SonicWALL CSM, allowing application filters to be employed. Optionally, this configuration supports either transparent redirection to the proxy server from the SonicWALL CSM (from the Network > Web Proxy page) or an explicit proxy configuration on the client machines (either manually or by a script). WiFiSec cannot be used since the resulting traffic traversing the SonicWALL CSM will be encrypted. WPA can be used in its place, since WPA decryption occurs at the SonicPoint passing clear traffic through SonicWALL CSM. The SonicWALL CSM is in the path of all network traffic bound for the gateway. SonicPoint enforcement must be disabled on the WLAN Zone (requires SonicOS Enhanced 3.0 or higher). WPA must be used in place of WiFiSec. 50

51 Deploying SonicWALL GMS for the SonicWALL CSM Deploying SonicWALL GMS for the SonicWALL CSM This section provides configuration tasks for deploying SonicWALL GMS to provide appliance-based Internet filtering that enhances security and employee productivity, optimizes network utilization, and mitigates legal liabilities by managing access to objectionable and unproductive Web content. This chapter contains the following sections: Configuring Web Filters section on page 51 Configuring Settings section on page 53 Configuring Policies section on page 55 Configuring Custom Categories section on page 56 Configuring Privacy Prevention section on page 57 Configuring Custom Block Page section on page 59 Configuring Web Usage by User ViewPoint Reporting section on page 59 Configuring Web Usage by Site ViewPoint Reporting section on page 62 Configuring Browse Time Top Users ViewPoint Reporting section on page 63 Configuring Web Filters Web Filters includes settings for configuring Internet filtering on the SonicWALL CSM. To configure Web Filters, follow these steps: Step 1 Step 2 Access the SonicWALL CSM 2100 CF. Select a SonicWALL Content Security Manager 2100 CF appliance. SonicWALL Content Security Manager Integrated Solutions 51

52 Deploying SonicWALL GMS for the SonicWALL CSM Step 3 Expand the Web Filters tree. Figure 39 Web Filters 52

53 Deploying SonicWALL GMS for the SonicWALL CSM Configuring Settings The Settings page provides information on the status of filtering subscription service updates, settings for enabling filtering, managing the behavior of the Dynamic Rating engine, adding IP addresses to exclude from filtering, and access to URL ratings with the SonicWALL Content Filtering Service database. Figure 40 Settings Settings Enable Web Filtering - enables Web Filtering on the SonicWALL Content Security Manager. URL Cache Size (KBs) - specifies the URL Cache size on the SonicWALL Content Security Manager. The default value is 5120 KBs. A larger URL Cache size can provide noticeable improvements in Internet browsing response times. Use Dynamic Rating - enables the use of the Content Security Manager s integrated dynamic rating engine that allows an unrated URL to be dynamically rated in real-time. Dynamic Rating Settings - the Optimize for speed setting instructs the dynamic rating engine to process less information for faster ratings with the trade off of less accuracy. The Optimize for accuracy setting instructs the dynamic rating engine to process more information resulting in slower ratings with the trade off of more accuracy. Suppress Compressed Server Responses - selecting this setting blocks URLs from Web sites that compressed content. SonicWALL Content Security Manager Integrated Solutions 53

54 Deploying SonicWALL GMS for the SonicWALL CSM IP Address Exclusion List The IP Address Exclusion List allows you to specify an IP address or IP address range on your network that are excluded from any SonicWALL Content Security Manager filtering. To add an IP address or IP address range: Step 1 Step 2 Step 3 Step 4 To specify a single IP address, enter the IP address in the IP Address Begin and in the IP Address End fields. To specify an IP address range, enter the starting IP address in the IP Address Begin field and the ending IP address in the IP Address End field. Click the Add. If you selected other settings for the IP Address Exclusion List, click Update. URL Rating Review Clicking the here link displays the same CFS URL Rating Review Request page that displays when you click the URL Rating Review button. 54

55 Deploying SonicWALL GMS for the SonicWALL CSM Configuring Policies The Policies page allows you to create and edit policies that are used to filter categories, which in turn are applied to user groups. Figure 41 Policies Policies Table The Policies table lists the default policies. Clicking the + button expands the list to display every policy. As you create custom policies, they are displayed in the table. The Policies table displays the following information about each policy: Name - The name of the policy. Type - Displays Policy or Predefined Category. Clicking the + button expands the policies. Comment - Displays a caption icon. When you move the pointer over the icon, the comment text is displayed. The comment text is entered in the Add Policy or Edit Policy window. Schedule - Displays the Schedule icon for policies indicating the policy has a schedule activation time. Configure - Includes the edit icon that displays the Edit Policy window, and the delete icon. The Delete icon is dimmed for the *Default policy. Clicking the + button expands displays the policies included in the group. Clicking the Restore Defaults button removes all custom policies and any policies you added to the *Default policy. Clicking Add Policy button displays the Add Web Filter Policy window for adding new policies. SonicWALL Content Security Manager Integrated Solutions 55

56 Deploying SonicWALL GMS for the SonicWALL CSM Configuring Custom Categories The Custom Categories page allows you to create custom policies that can incorporate untrusted urls and domains, untrusted keywords, and trusted urls and domains. Figure 42 Custom Categories Untrusted URLs Untrusted URLs allows you to specify URLs that you want to selectively block or allow with logging of the action by the Content Security Manager. You add Untrusted URLs to policies in the Web Filters > Policies page. The Untrusted URLs table displays the names of the Untrusted URLs categories you create, any optional comments added when you create the category are displayed in the Comment column, and the Configure column with the Edit icon for accessing the Edit Untrusted URLs window and the Delete icon. You have two available actions for Untrusted URLs categories in policies: Block and Log Only, which you specify in the Web Filters > Policies page. Log Only allows users to access the URLs in the Untrusted URLs category but logs each access event in the Content Security Manager log. 56

57 Deploying SonicWALL GMS for the SonicWALL CSM Untrusted Keywords Allowed URLs Untrusted Keywords allows you to specify keywords that are substrings of URLs, which allows you to employ stricter filtering, blocking sites whose URLs contain specific words. The Untrusted Keywords table displays the names of the Untrusted Keywords categories you create, any optional comments added when you create the category are displayed in the Comments column, and the Configure column with the Edit icon for accessing the Edit Untrusted Keywords window and the Delete icon. You have two available actions for Untrusted Keywords categories in policies: Block and Log Only, which you specify in the Web Filters > Policies page. Log Only allows users to access the URLs in the URLs category but logs each access event in the Content Security Manager log. Allowed URLs allows you to specify URLs that are always allowed. The Allowed URLs table displays the names of the Allowed URLs categories you create, any optional comments added when you create the category is displayed in the Comment column, and the Configure column with the Edit icon for accessing the Edit Allowed URLs window and the Delete icon. You have one available action for Trusted URLs categories in policies: Allow, which is specified in the Web Filters > Category Sets page. Configuring Privacy Prevention The Privacy Prevention page allows you to enhance your network security by blocking potentially harmful applications from entering your network. Figure 43 Privacy Protection SonicWALL Content Security Manager Integrated Solutions 57

58 Deploying SonicWALL GMS for the SonicWALL CSM Miscellaneous Untrusted File Types Miscellaneous Trusted Sites Miscellaneous compromises Block Cookies, Block ActiveX, Block HTTP Proxy Server, and Block Fraudulent Certificates. These settings are always activated as Block and cannot be deleted or modified. Block Cookies - Cookies are used by Web servers to track Web usage and remember user identity. Cookies can also compromise users' privacy by tracking Web activities. Block ActiveX - ActiveX is a programming language that embeds scripts in Web pages. Malicious programmers can use ActiveX to delete files or compromise security. Block HTTP Proxy Servers - When a proxy server is located on the external interface, users can circumvent content filtering by pointing their computer to the proxy server. Block Fraudulent Certificates - Digital certificates help verify that Web content and files originated from an authorized party. Enabling this feature protects users on the LAN from downloading malicious programs warranted by these fraudulent certificates. If digital certificates are proven fraudulent, then the SonicWALL Content Security Manager blocks the Web content and the files that use these fraudulent certificates. Known fraudulent certificates blocked by SonicWALL Content Security Manager include two certificates issued on January 29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee. These are groupings of file extensions used for similar purposes. SonicWALL Content Security Manager allows you to filter Internet content based on a file extension. For example, you can restrict access to particular types of files from sites within an otherwise permitted. File type filtering is activated via policies. SonicWALL provides several predefined file types for use in filtering. You can modify these, or create new file types to suit your needs. Untrusted File Types compromises of Java Applets, Executable Files, Video Files, Audio Files, and user specified file types by extension. You have two available actions for Untrusted File Type categories in policies: Block and Log Only, which you specify in the Web Filters > Category Sets page. Log Only allows users to access the file types in the Untrusted File Types category but logs each access event in the Content Security Manager log. The Untrusted File Types table displays the names of the default Untrusted File Types categories and the ones you create, any optional comments added when you create the category are displayed in the Comment column, and the Configure column with the Edit icon for accessing the Edit Untrusted File Types window and the Delete icon. The Trusted Site List is a list of domains that act as an exclusion list for Miscellaneous. Domains specified in the Trusted Sites cannot act upon any other class. Only a single Trusted Site List can be specified, but it can be shared among multiple policies. The Trusted Domains includes Web sites you trust, which are sites that you believe users can access without damaging your network or data. Cookies, ActiveX, Java and all other file types specified in the Untrusted File Types categories are not blocked for these sites. The Trusted Site List table displays only the Trusted Site List category, any optional comments added when you create the Edit Trusted Site List window is displayed in the Comment column, and the Configure column with the Edit icon for accessing the Edit Trusted Site List window and the Delete icon. 58

59 Deploying SonicWALL GMS for the SonicWALL CSM You have one available action for the Trusted Site List in policies: Trusted, which is specified in the Web Filters > Category Sets page. Configuring Custom Block Page The Custom Block Page allows you to enter your customized text to display to the user when access to a blocked site is attempted. Any message, including embedded HTML, can be entered in this field. Figure 44 Custom Block Page Message to Display when Blocking Enter your customized text to display to the user when access to a blocked site is attempted. The default message is This site is blocked by the SonicWALL Content Filter Service. Any message, including embedded HTML, up to 255 characters long, can be entered in this field. You can select a background color for the pop-up window from the Background Color menu. Click Preview to display your pop-up window. A Web page is displayed in your browser with your blocked site text. Clicking the Click here to bookmark URL link saves the URL of your page. Click the Go Back button to return to the management interface. Configuring Web Usage by User ViewPoint Reporting The By User report displays a list of all users, their top sites, the number of hits to each site, and the amount of data transferred. To view the By User report, follow these steps: Step 1 Access the SonicWALL CSM 2100 CF. SonicWALL Content Security Manager Integrated Solutions 59

60 Deploying SonicWALL GMS for the SonicWALL CSM Step 2 Click the Reports tab. Step 3 Select a SonicWALL appliance. Step 4 Expand the Web Usage tree and click By User. The By User page appears (Figure 45). Figure 45 By User Page Step 5 The table contains the following information: User the IP address of the user. Hits number of hits to each web site visited by the user. MBytes number of megabytes transferred. 60

61 Deploying SonicWALL GMS for the SonicWALL CSM Step 6 To change the display settings, click Settings. The Report Settings dialog box appears. Figure 46 Report Settings Dialog Box Step 7 Step 8 Step 9 Step 10 Step 11 Step 12 Select the number of users that will be displayed from the Number of Users list box. Select the type of chart from the Chart Type list box. Select the year, month, and day that you would like to view. To display a limited group of users, enter the user IDs in the Select Users field and separate each entry with a comma. This field does not use pattern matching. For example, john will not match john_smith, john42, or big_john. When you are finished, click Close. SonicWALL CSM 2100 CF refreshes the report based on the selected settings. Note These settings will stay in effect for all similar reports during your active login session. SonicWALL Content Security Manager Integrated Solutions 61

62 Deploying SonicWALL GMS for the SonicWALL CSM Configuring Web Usage by Site ViewPoint Reporting The By Site report displays a list of all sites, the users that accessed the sites, the number of hits to each site, and the amount of data transferred. To view the By Site report, follow these steps: Step 1 Access the SonicWALL CSM 2100 CF. Step 2 Click the Reports tab. Step 3 Select a SonicWALL appliance. Step 4 Expand the Web Usage tree and click By Site. The By Site page appears (Figure 47). Figure 47 By Site Page Step 5 The table contains the following information: Site the URL of the site. User the top users that visited the site (default: 10). Hits number of hits to the web site, by user. MBytes number of megabytes transferred, by user. 62

63 Deploying SonicWALL GMS for the SonicWALL CSM Step 6 SonicWALL CSM 2100 CF shows today s report and all web sites. To change the date of the report or web sites displayed, click Settings. The Report Settings dialog box appears. Figure 48 Report Settings Dialog Box Step 7 Step 8 Step 9 Step 10 Step 11 Select the number of sites that will be displayed from the Number of Sites list box. Select the number of users that will be displayed per site from the Number of Users per Site list box. To only display a limited set of web sites, enter the URLs in the Select Site field and separate each entry with a comma. This field does not use pattern matching. For example, will not match yahoo.com, mail.yahoo.com, or shopping.yahoo.com. When you are finished, click Close. SonicWALL CSM 2100 CF adjusts the report for the selected day and settings. Note These settings will stay in effect for all similar reports during your active login session. Configuring Browse Time Top Users ViewPoint Reporting The Top Users report displays the users who spent the most time browsing non-job function-related sites on the Internet for the specified date. To view the Top Users report, follow these steps: Step 1 Step 2 Step 3 Start and log into SonicWALL CSM 2100 CF. Click the Reports tab. Select a SonicWALL appliance. SonicWALL Content Security Manager Integrated Solutions 63

64 Deploying SonicWALL GMS for the SonicWALL CSM Step 4 Expand the Browse Time tree and click Top Users. The Top Users page appears. Figure 49 Top Users Page Step 5 Step 6 The pie chart displays a Browse Time report on the total time spent browsing non-job function-related sites on the Internet by each user. The table contains the following information: Hour when the sample was taken. Browse Time number of minutes spent browsing non-job function-related sites on the Internet. % of Browse Time percentage of the total amount of time browsing non-job function-related sites on the Internet during this hour, compared to the day. 64

65 Deploying SonicWALL GMS for the SonicWALL CSM Step 7 By default, SonicWALL CSM 2100 CF shows today s report, a pie chart, and the ten top users. To change these settings, click Settings. The Report Settings dialog box appears. Figure 50 Report Settings Dialog Box Step 8 Step 9 Step 10 Step 11 Step 12 Step 13 Select the number of users that will be displayed from the Number of Users list box. Select the type of chart from the Chart Type list box. Select the year, month, and day that you would like to view. To display a limited group of users, enter the user IDs in the Select Users field and separate each entry with a comma. This field does not use pattern matching. For example, john will not match john_smith, john42, or big_john. When you are finished, click Close. SonicWALL CSM 2100 CF displays the report for the selected day. Note These settings will stay in effect for all similar reports during your active login session. SonicWALL Content Security Manager Integrated Solutions 65

66 Troubleshooting the SonicWALL CSM and SonicWALL ADConnector Troubleshooting the SonicWALL CSM and SonicWALL ADConnector The SonicWALL CSM 2100 CF (CSM 2100 CF) is an inline appliance primarily designed to enforce Internet usage policies by preventing access to inappropriate and unproductive Internet applications. It also provides additional capabilities, including the ability to limit or completely disallow the use of IM, P2P, and multimedia applications, the ability to block Java, ActiveX, and cookies, and the ability to block users from downloading any type of file the administrator disallows. The CSM 2100 CF can be configured to provide a single blanket policy that applies to the entire user base or it can be configured with multiple policies that apply to different users and groups of users. When configured with multiple policies, the CSM 2100 CF can transparently communicate with Microsoft Active Directory to determine what policy applies to a network user or group. This Single Sign-On (SSO) capability is provided via a software component called the ADConnector. If you do not need an Application Filter, but only Web Filtering and a deployed HTTP proxy server, then it is possible to deploy the SonicWALL CSM device to remove it from the path of all network traffic (see the SonicWALL CSM Advanced Deployment Solutions section on page 41). But there is no other way to make the Application Filter work except for placing the SonicWALL CSM device inline. Different Roles of the CSM 2100 CF The SonicWALL CSM is a combination of a transparent bridge and a regular network host. As a transparent bridge it forwards packets without modifications until these packets are matched by Web or Application filters and are blocked. The SonicWALL CSM device differs from regular transparent bridges because direction of the network traffic matters for both Web and Application Filters. As a regular network host it has to communicate with other hosts on the network. For example, the SonicWALL CSM does not have a local URL Ratings database (it has only a URL Rating cache), so it receives URL ratings from the CFS Servers in the colocation site. This means that the SonicWALL CSM has to send requests to a CFS Server and get a response back. The SonicWALL CSM device also uses DNS to obtain URL Ratings, so it communicates with DNS servers. Another example is the SonicWALL ADConnector. The SonicWALL CSM device sends requests to the SonicWALL ADConnector and receives responses back from it. This section contains the following subsections: Transparent Bridge Deployment Troubleshooting section on page 67 Network Host Deployment Troubleshooting section on page 68 System Settings and Performance Troubleshooting section on page 69 General Troubleshooting section on page 72 How to Verify the TSR section on page 73 Troubleshooting the Active Directory Connector section on page 77 Working with the ADConnector Checklist section on page 78 Troubleshooting Specific Symptoms section on page 79 66

67 Troubleshooting the SonicWALL CSM and SonicWALL ADConnector Transparent Bridge Deployment Troubleshooting As a transparent bridge, the SonicWALL CSM device forwards all packets without any modifications until these packets are matched by Web or Application filters and need to be blocked. The advantage of this approach is you can deploy the SonicWALL CSM device without any changes to your network. You need only switch cables: 1. Disconnect the existing connection from your LAN to the default gateway (Internet Router) and reconnect it into the LAN (X0) interface of the CSM 2100 CF. 2. Connect the WAN (X1) interface of the CSM 2100 CF to the default gateway (Internet Router) using a crossover cable. 3. Power on the CSM 2100 CF. During startup, the CSM 2100 CF contacts the SonicWALL License Manager Web site to update its license information, download its Application Filter, and Dynamic Rating databases and then determine the IP address of the nearest URL Rating Server. Figure 51 Connecting the SonicWALL CSM Inline The SonicWALL CSM device is different from regular transparent bridges because the direction of the network traffic (ingress/egress) is established by how it will interact and filter that traffic. The CSM 2100 CF Web Filters only filters outbound HTTP requests originating from the Internet destined to internal web servers. Similarly, the CSM 2100 CF Application Filters (which are based on signatures) only filter traffic that originates internally. Your LAN must be connected to the LAN (X0) port of the SonicWALL CSM device, and the WAN (X1) port of the SonicWALL CSM device must be connected to the Internet gateway. The Web Filter filters only outgoing HTTP traffic. It filters only HTTP traffic generated by Internet browsers or other programs on client PCs. It does not affect incoming traffic from Internet users to web servers located on the LAN. The Application Filter uses information about traffic direction. It is based on packet signatures, which depend on traffic direction. SonicWALL Content Security Manager Integrated Solutions 67

68 Troubleshooting the SonicWALL CSM and SonicWALL ADConnector Network Host Deployment Troubleshooting The CSM device may not perform properly when you do not configure it correctly. To properly configure the device, you may find it helpful to view the SonicWALL CSM as a network host. Also, you need to successfully configure the device routing table, and be able to reach hosts on the Internet and some hosts on the LAN. The SonicWALL CSM will not work properly if it is not able to reach any of the components or hosts on the network shown in Table 3: Table 3 Network Host on the Internet License Manager CFS server in the colocation sites NTP servers DNS servers AD Connector ViewPoint SMTP server SonicWALL CSM as a Network Host Description The SonicWALL CSM device communicates with License Manager (HTTPS protocol, TCP 443) at the colocation sites for updating license information, updating the Dynamic Rating database and Application Filter database. For the SonicWALL CSM device, License Manager is always on the Internet. The SonicWALL CSM device also uses DNS protocol (UDP port 2257) to retrieve URL ratings. For the SonicWALL CSM device, the CFS Server is always on the Internet. The SonicWALL CSM device uses NTP Servers (UDP port 123) to synchronize time with world time clocks. For the SonicWALL CSM device, NTP Servers are always on the Internet until you deploy a private NTP server on a LAN network. The SonicWALL CSM device uses DNS Servers (UDP port 53) to retrieve URL ratings. You may use public or ISP DNS servers which are always on the Internet. You may have private DNS servers on a LAN network. The SonicWALL CSM device uses SonicWALL ADConnector (port 2258) to obtain user names and polices. The SonicWALL CSM device sends requests to the SonicWALL ADConnector with the IP address of the user host and expects a response with name of the users logged into this host and list of assigned policies. The SonicWALL CSM device sends logs to ViewPoint using the syslog protocol (UDP port 514). The SonicWALL CSM device uses the SMTP server for sending logs and alerts via the SMTP protocol (CTP port 25). The SonicWALL CSM device should be able to reach all of these components or hosts. If the SonicWALL CSM device sits behind the corporate firewall then you must configure the firewall to allow network traffic from the SonicWALL CSM device. Sometimes your network has several firewalls on his or her local network. These firewalls also must be configured to allow the SonicWALL CSM device to communicate with internal DNS servers, SonicWALL ADConnector, ViewPoint, and other hosts. 68

69 Troubleshooting the SonicWALL CSM and SonicWALL ADConnector Figure 52 SonicWALL CSM as a Network Host System Settings and Performance Troubleshooting The following scenarios indicate common environments that require troubleshooting. Symptom: Sluggish Web Browsing The SonicWALL CSM Web Filter utilizes SonicWALL s global content filtering infrastructure to deliver its filtering services. The multi-level caching technology provides great performance for the SonicWALL CSM. However, other factors can impact SonicWALL CSM s performance, including performance of DNS servers and the access time to SonicWALL s CFS Server. To reduce the impact of the second factor, SonicWALL provides multiple servers around the globe. Each SonicWALL CSM device contacts the closest CFS server depending on its Time Zone setting. If you experience slow web browsing, verify the following: Check the time zone (System > Time). Make sure DNS server settings (Network > Interfaces > configure X1) are configured properly, and DNS servers have good response time and can resolve MX domain requests. Ping DNS servers from the CSM 2100 CF (System > Diagnostics > Ping) them from SonicWALL CSM (System > Diagnostics > Ping). It is very important that ping time is less than 100 ms, otherwise the SonicWALL CSM device could significantly slow down HTTP traffic. Make sure that DNS servers are able to resolve domain names. Make sure that DNS servers are able to resolve MX records. Verifying Network Settings CSM now provides a mechanism to verify your network settings from the System > Status page called the Network Check button. To access this, perform the following steps: SonicWALL Content Security Manager Integrated Solutions 69

70 Troubleshooting the SonicWALL CSM and SonicWALL ADConnector Step 1 Navigate to the System > Status page. Step 2 Step 3 Note the entry Click here to verify your network settings in the lower right portion of the screen. Click the hyperlinked here string in the entry. CSM displays the System > Diagnostics page. 70

71 Troubleshooting the SonicWALL CSM and SonicWALL ADConnector Step 4 Select a diagnostic test type from the Diagnostic Test list box. Most commonly, you will select the default option, Check Network Settings. Step 5 Click the Run Test button at the bottom of the screen. Wait for a minute and view the status messages that display in the lower left portion of the screen. When the screen has completed its test of network resources, it displays output as showing the following region in each screen. Step 6 Note that each region has a series of columns: Column Server IP Address Test Results Notes Description The name of the server device to which the diagnostic test applies. The IP address of the server device to which the diagnostic test applies. Indicates the state of the test whether ready or not ready. Contains any special comments about the state of the device. Step 7 Note the following details displayed in the output. General Network Connections Region. This region contains a table with data about servers and gateways on your network. SonicWALL Content Security Manager Integrated Solutions 71