SuperLumin Nemesis. Administration Guide. February 2011

Transcription

1 SuperLumin Nemesis Administration Guide February 2011

2

3 SuperLumin Nemesis

4 Legal Notices Information contained in this document is believed to be accurate and reliable. However, SuperLumin assumes no responsibility for its use, nor for any infringements of patents or other rights of third parties, that might result from its use. SuperLumin reserves the right to change product specifications at any time without notice. Copyright SuperLumin. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of SuperLumin. Printed in U. S. A. Information subject to change without notice. SuperLumin 2 Riverplace, Suite 200 Dayton, OH SuperLumin Nemesis

5 SuperLumin Trademarks SuperLumin is a registered trademark. All other product names and services identified in this documentation are trademarks or registered trademarks of their respective companies and are used throughout this documentation in editorial fashion only for the benefit of such companies. No such use, or the use of any trade name, is intended to convey an endorsement or other affiliation with SuperLumin. Third-Party Materials Third-party trademarks are indicated by asterisks (*) and are the property of their respective owners. 5

6 6 SuperLumin Nemesis

7 Contents Part I Learning What the SuperLumin Proxy Server Can Do 15 1 How Caching Accelerates Web Content Delivery Web Browsing Basics What the SuperLumin Proxy Server Does Forward Proxy Services 19 3 Transparent Proxy Services 21 4 Reverse Proxy Services 23 Part II Integrating SuperLumin Proxy into Your Network 25 5 Managing the Proxy Server The Browser-Based Management Tool The Command Line Preparing the Network Basic Network Configuration Setup Configuring the Client Workstation Configuring the SuperLumin Proxy Server Changing the IP Address of an Existing Proxy Service Troubleshooting the Initial Proxy Server Setup Proxy Server Problems My proxy server isn't working I can't ping the proxy server from my client Browser Problems My browser can't find the proxy server I can t see or modify SuperLumin proxy services None of the changes I made in the browser application are taking effect Part III Quickly Creating Proxy Services 35 8 Quickly Creating Proxy Services Creating a Forward Proxy Service Creating a Transparent Proxy Service Proxy Service Configuration Modifying Packet Filter Rules (Transparent Proxy) Creating a Social Media Cache Service Contents 7

8 Part IV Accelerating HTML Content 43 9 Forward Proxy Services Overview of Forward Proxy Key Functionality How Forward Proxy Works Benefits of Forward Proxy Forward Proxy Setup Transparent Proxy Services Overview of Transparent Proxy Transparent Proxy with an L4 Switch Transparent Proxy with a WCCP-Capable Router Transparent/L4 Proxy Setup Transparent/WCCP Proxy Setup Creating Packet Filter Rules Reverse Proxy Services Overview of Reverse Proxy How Reverse Proxy Works Benefits of Origin Web Server Acceleration Reverse Proxy Setup Working with DNS Standard Multihoming for Multiple Web Sites Configuration Considerations When Using Proxy Server Multihoming Features Social Media Services Overview of Social Media Services How Social Media Services Work Social Media Services Setup FTP Proxy Services Overview of FTP Proxy Services How FTP Forward Proxy Works How FTP Reverse Proxy Works FTP Forward Proxy Setup FTP Reverse Proxy Part V Managing and Leveraging SuperLumin Proxy Server Advanced Features Installing and Upgrading Licenses Obtaining Product Licenses Viewing License Information Installing a License Authentication Services Prompting the User for Authentication Information SuperLumin Nemesis

9 15.2 Matching Authentication Profiles to Your Requirements Understanding How Profiles Work A Summary of Authentication Method Pros and Cons Understanding How Authentication Cookies Are Used Setting Up Authentication Services (Overview) Using LDAP Authentication How LDAP Authentication Works Platforms Supported Preparing Your Network for LDAP Authentication Setting Up LDAP Authentication Adding Support for SuperLumin Single Sign-On Access Control Overview Process Determining Your Access Control Strategy Authentication Examples Creating an Access Control Policy Other Guidelines Configuring Content Filtering Managing Proxy Server Certificates Naming Certificates Creating Certificates Using the SuperLumin CA Obtaining a Certificate from an External CA Requesting the CSR Importing a Trusted Root to a Cache Device Cache Freshness Overview Managing Cache Freshness How the SuperLumin Proxy Server Checks for Object Freshness How a SuperLumin Proxy Server Keeps Cached Objects Fresh How SuperLumin Proxy Server Handles the Freshest Objects in Cache Fine-Tuning Cache Freshness on Your Proxy Server Managing Proxy Server Security Features Managing HTTP CONNECT Method Support How the CONNECT Method Works An Unverified CONNECT Connection Is a Security Risk How SuperLumin Proxy Server Protects Your Network Configuring SuperLumin Proxy Server to Meet Your CONNECT Method Requirements Automatic Configuration Mechanisms About Proxy Server Configuration Files Backing Up and Restoring the Proxy Server Configuration Backing Up the Proxy Server Configuration Restoring the Proxy Server Configuration Contents 9

10 20.3 Creating Proxy Server Configuration Shortcuts Restoring Factory Settings Reimaging and Restoring the Proxy Server System Configuring DNS for Social Media Cache Overview Configuration Guidelines DNS Server Configuration DNS Zone Configuration Examples Other Options Host Name Resolution Managing the hosts File Logging Using Proxy Server Logging Services Overview of Proxy Server Logging What the Proxy Server Can Log The Costs of Logging System Constraints Planning Your Logging Strategy Planning Step 1: Determining Your Logging Requirements Planning Step 2: Selecting a Log File Format and Optimizing the Log Entry Size Planning Step 3: Calculating Log Rollover Requirements Configuring Logging Options Configuration Step 1: Opening the Appropriate Log Options Dialog Box Configuration Step 2: Selecting a Log Format Configuration Step 3: Specifying Rollover Options Configuration Step 4: Specifying Handling of Older Files Configuration Step 5: Monitoring and Refining Your Logging Strategy Manually Downloading and Deleting Log Files When to Download and Delete Log Files Getting Log Filenames Downloading Log Files Deleting Uploaded Log Files About Extended Log Field Headers Logging Alerts Shutting Down and Restarting Restarting from the Browser-Based Management Tool Shutting Down and Restarting Using SSH or the Command Line Time Synchronization Synchronizing Time Using the Browser-Based Management Tool Using the Command Line NTP Date & Time Synchronization Is Not Immediate SuperLumin Nemesis

11 Part VI Browser-Based Tool Help Using the Browser-Based Management Tool Prerequisites for Running the Management Tool Starting the Management Tool The Apply and Cancel Buttons The Help Link Encryption The Management Tool Main Page Getting Started Page Licensing Latest Updates Quick Service Creation Forward Proxy Wizard Select Name Forward Proxy Wizard Select Address Forward Proxy Wizard Logging/Authentication Forward Proxy Wizard LDAP Configuration Forward Proxy Wizard Authentication Configuration Forward Proxy Wizard Verify Settings Transparent Proxy Wizard Select Name Transparent Proxy Wizard Select Address Transparent Proxy Wizard Logging/Authentication Transparent Proxy Wizard LDAP Configuration Transparent Proxy Wizard Authentication Configuration Transparent Proxy Wizard Verify Settings Social Media Service Wizard Select Name Social Media Service Wizard Select Addresses Social Media Service Wizard Logging/DNS Social Media Service Wizard DNS Server Social Media Service Wizard Verify Settings Single Sign-On Client Import/Export Configuration Health Page Monitoring Page Device Information Graphs Logs Reports Define Report Device Benefits Device Load Device System Status Bandwidth Request Rate Connections Configuration Page HTTP Services Miscellaneous Services Appliance Settings Network Settings Hierarchy Settings System Settings Security Settings Cache Settings Contents 11

12 12 SuperLumin Nemesis Product Add-on Forward Proxy Forward Proxy Configuration Advanced TCP Options Listener Listener Settings Protocol TCP Connect Options TCP Listen Options Access Control (Policy Management Options) Access Control Policy Definition Access Control Rule Definition Host IPv4 Condition Configuration Host IPv6 Condition Configuration Host Port Condition Configuration Source IPv4 Condition Configuration Source IPv6 Condition Configuration Source Port Condition Configuration Time Condition Configuration Uri Scheme Condition Configuration Uri Host Condition Configuration Uri Path Condition Configuration Uri Extension Condition Configuration Uri Condition Configuration User Authenticated Condition Configuration User LDAP Condition Configuration Authenticate Form-Based Action Configuration Authenticate SL-SSO Action Configuration Block Action Configuration Filter Request Action Configuration Execute Policy Action Configuration Access Control Policy List Logging Log Options Configuration Extended Log Options Cache Management Edit Cache Options Reverse Proxy Reverse Proxy Configuration Transparent Proxy Transparent Proxy Configuration FTP Proxy Restrict FTP Commands FTP Proxy Messages Generic Proxy Generic Proxy Configuration Hierarchy Hierarchy Definition Bypass Hierarchy Disk Management Date & Time NTP Options Adapters Modify Adapter Adapter Advanced Settings Gateways DNS Advanced DNS Options DNS Server

13 DNS Forwarder Hosts Host Name WCCP WCCP Options Definition Authentication LDAP Authentication Profile Packet Filter Create Packet Filter Rule Firewall Settings Social Media YouTube Facebook A Command Line Reference 275 A.1 Starting the SuperLumin CLI A.2 Understanding the SuperLumin CLI A.2.1 Exec Mode A.2.2 Config Mode A.2.3 A Graphical Summary of Modes A.2.4 Using the Context-Sensitive Help A.2.5 Quick Keys A.2.6 Commands for Managing Configurations Contents 13

15 ILearning What the SuperLumin Proxy Server Can Do I If you are new to caching and Web content acceleration, you can use the chapters in this section to: Become familiar with basic caching terminology and concepts Begin thinking about how the SuperLumin proxy server fits with your content delivery strategy The following table summarizes the tasks you can accomplish using the chapters in this section. To Learn the basics of Web content caching See Chapter 1, How Caching Accelerates Web Content Delivery, on page 17 Learn about providing forward proxy services Chapter 2, Forward Proxy Services, on page 19 Learn about providing transparent proxy services Chapter 3, Transparent Proxy Services, on page 21 Learn about providing reverse proxy services Chapter 4, Reverse Proxy Services, on page 23 Learning What the SuperLumin Proxy Server Can Do 15

17 1How Caching Accelerates Web Content Delivery 1 This section describes: Web Browsing Basics What the SuperLumin Proxy Server Does 1.1 Web Browsing Basics The explanations of caching features contained in this manual build on the illustration in Figure 1-1 of basic Web browsing: Figure 1-1 Web Browsing Basics 4 3 Browser 1 2 Router (Gateway) Internet 4 Browser Origin Web Server DNS Server 1 The user enters a URL in the browser, creating a DNS request. 2 DNS returns the numeric IP address of the origin Web server. 3 The browser requests objects from the origin Web server. 4 The origin Web server accepts the request into its queue, processes it in turn, and returns the requested objects to the browser. 5 The process repeats each time a browser makes the same request. The SuperLumin proxy server eliminates the redundant network traffic and server processing time associated with Step 5 in Figure What the SuperLumin Proxy Server Does All cache services include the basic functionality in Figure 1-2. How Caching Accelerates Web Content Delivery 17

18 Figure 1-2 What the SuperLumin Proxy Server Does 1 Browser 3 SuperLumin Proxy Server Internet 2 Origin Web Server 1 The SuperLumin Proxy Server receives a browser request. 2 The SuperLumin Proxy Server gets objects not in cache from the origin Web server. 3 The SuperLumin Proxy Server caches objects and sends copies to the browser. After a request has been cached, processing subsequent requests for the same objects is simpler and much faster. Figure 1-3 What the SuperLumin Proxy Server Does 1 Browser SuperLumin Proxy Server 1 The SuperLumin Proxy Server receives a browser request and sends copies of the objects back to the browser. Basic cache services fit in three categories: Forward proxy services Transparent proxy services Reverse proxy services Although these services are described separately, they can generally be combined and used simultaneously on a single SuperLumin proxy server. 18 SuperLumin Nemesis

19 2Forward Proxy Services 2 The most basic method for accelerating content delivery to browsers is to set up the SuperLumin proxy server as an HTTP forward proxy server. After this has been done, users who want to get accelerated content can configure their browsers to use the SuperLumin forward proxy IP address and port number as their forward proxy server. Configuration steps are different for each browser. For example, in Internet Explorer 8 you can access the Proxy Settings dialog box by clicking Tools > Internet Options > Connections > LAN Settings. Figure 2-1 illustrates how forward proxy services work. Figure 2-1 How Forward Proxy Services Work 1 2 Internet 3 Browser 4 SuperLumin Proxy Server 1 The browser is configured to use the SuperLumin Proxy Server as a forward proxy server. 2 All browser requests are sent to the SuperLumin Proxy Server. 3 The SuperLumin Proxy Server gets objects not in cache from the Web. 4 The SuperLumin Proxy Server sends cached objects to the requesting browser. For more information about forward proxy services, see Chapter 9, Forward Proxy Services, on page 45. Forward Proxy Services 19

21 3Transparent Proxy Services 3 Another method for accelerating content delivery to browsers is to configure a router or switch on the network to route all HTTP traffic to a transparent proxy service you have set up on the SuperLumin proxy server. After this has been done, all network users automatically get accelerated content. The specific configuration steps are different for each router or switch, but the basic concept is that the switch or router sends all browser requests that use the network's HTTP port number (port 80 in most cases) to the SuperLumin proxy server. Figure 3-1 on page 21 illustrates how transparent proxy services work. Figure 3-1 How Transparent Proxy Services Work Browser 1 Router or Switch 2 Internet 3 4 SuperLumin Proxy Server 1 A router or L4 switch is configured to send all browser requests to the SuperLumin Proxy Server. 2 All browser requests on the network are rerouted by the router or switch to the SuperLumin Proxy Server. 3 The SuperLumin Proxy Server gets objects not in cache from the Web. 4 The SuperLumin Proxy Server sends cached objects to the requesting browser. For more information about transparent proxy services, see Chapter 10, Transparent Proxy Services, on page 49. Transparent Proxy Services 21

23 4Reverse Proxy Services 4 You can also set up a reverse proxy service on your SuperLumin proxy server to accelerate your Web server. A reverse proxy dramatically improves the performance and response time of your Web site by offloading the burden of handling redundant content requests from the Web server. After this has been done, the Web server can devote its bandwidth to handling requests for specific content and services and to supplying dynamic, uncached, or updated content to the proxy server for subsequent caching. Figure 4-1 on page 23 illustrates how Web server acceleration (reverse proxy) services work. Figure 4-1 How Reverse Proxy Services Work Browser DNS Server 5 SuperLumin Proxy Server Internet Origin Web server 1 DNS is configured to resolve object requests to the SuperLumin Proxy Server's IP address rather than to the Origin Web Server's address. 2 The SuperLumin Proxy Server is configured as a Web server accelerator reverse proxy. 3 Browser requests are sent to the SuperLumin Proxy Server rather than to the origin Web server. 4 The SuperLumin Proxy Server gets objects not in cache from the origin Web server. 5 The SuperLumin Proxy Server sends cached objects to the requesting browser. For more about reverse proxy services, see Chapter 11, Reverse Proxy Services, on page 57. Reverse Proxy Services 23

25 IIntegrating SuperLumin Proxy into Your Network II You should have received a Getting Started Guide with your SuperLumin proxy server. It is designed to help you quickly connect the proxy server to your network and then test it to ensure it is configured correctly. The SuperLumin Nemesis Getting Started guide also contains instructions for installing and reinstalling the SuperLumin Proxy software product. NOTE: This SuperLumin documentation covers both SuperLumin iproxy and SuperLumin Nemesis. In addition to including all the features and functionality of SuperLumin iproxy, SuperLumin Nemesis also includes support for social media and video caching. SuperLumin iproxy and SuperLumin Nemesis are the same product and consist of the same software. Your license determines which features are available. IMPORTANT: You should complete the initial setup before proceeding with the instructions in this guide. The following table summarizes the tasks you can accomplish using the information in this section. To Learn about your options for managing the proxy server Install the proxy server on your network and prepare your network workstations to use proxy server services Troubleshoot any initial setup problems you encounter See Chapter 5, Managing the Proxy Server, on page 27 Chapter 6, Preparing the Network, on page 29 Chapter 7, Troubleshooting the Initial Proxy Server Setup, on page 33 Integrating SuperLumin Proxy into Your Network 25

27 5Managing the Proxy Server 5 The SuperLumin proxy server can be configured and managed in the following ways: Using the browser-based management tool from a workstation on the network. From the command line through an SSH session. (You can also use an attached keyboard and monitor if your proxy server has the required connections.) 5.1 The Browser-Based Management Tool The proxy server is configured using XML configuration files. The browser-based management tool reads the XML configuration files in order to configure proxy services. The XML configuration files are generated and updated by the SuperLumin browser-based management tool and CLI commands. You should not attempt to alter the XML configuration files using other methods. For more information about using the browser-based management tool, see Chapter 26, Using the Browser-Based Management Tool, on page The Command Line Although it is possible to configure and monitor a Proxy server using the command line interface, we strongly recommend that you use the browser-based management tool for all administrative tasks whenever possible. The browser-based management tool includes extensive cross-checking, helpful messages, an online help system, and other program features to ensure that the SuperLumin proxy server is configured correctly for optimal performance. The command line interface does not include these features. Even the most expert users can overlook critical steps in configuring SuperLumin proxy server from the command line. For more information about using the command line, see Appendix A, Command Line Reference, on page 275. Managing the Proxy Server 27

29 6Preparing the Network 6 After you complete the initial proxy server setup and test, review this chapter to ensure that all your network components are properly configured. 6.1 Basic Network Configuration Setup Figure 6-1 on page 29 provides a visual map for the information in this chapter. NOTE: The letters in Figure 6-1 on page 29 are referenced in the tables that follow. The addresses shown are for illustration purposes only. You will need to substitute actual addresses for your network. Figure 6-1 Basic Network Configuration Setup A Client Workstation IP Address = Mask = Gateway = DNS Name = dnsname.com DNS IP Address = Router (Gateway) IP Address = or C Router (Gateway) IP Address = Internet B SuperLumin Proxy Server eth0 IP Address = DNS IP Address = Default Gateway = One or more proxy services DNS Server IP Address = Server Name = dnsname or C SuperLumin Proxy Server eth0 IP Address= DNS IP Address= Default Gateway= One or more proxy services Configuring the Client Workstation In most cases, client workstations on the network are already configured with IP address information to use the network. If that is the case with your client workstations, you can skip this section. The workstation of each browser that will use proxy server services must be configured with the IP address information listed below. (List items marked with asterisks [*] must be on the same subnet.) A numeric IP address on the subnet * The subnet mask * The numeric IP address of the default gateway for the subnet * The numeric IP address of the DNS server the browser will use to resolve DNS names The domain name for the DNS server the client will use (optional) Configuration procedures vary for each platform. Refer to the workstation documentation for specific instructions. Preparing the Network 29

30 Configuration Requirements Do This Notes A numeric IP address on the subnet The subnet mask The numeric IP address of the default gateway for the subnet The numeric IP address of the DNS server the browser will use to resolve DNS names The domain name for the DNS server the client will use (optional) Refer to setup instructions for the system. The procedure is different for each platform. On a Windows* XP or Windows Vista* workstation, for example, rightclick My Network Places on the Start menu. See A in Figure 6-1 on page 29. The IP address, subnet mask, and gateway address must all be on the same subnet Configuring the SuperLumin Proxy Server NOTE: If you used the Getting Started Guide to set up your proxy server, you have already completed most of the following steps. IMPORTANT: When possible, connect the network cable to the network card on the server before assigning an IP address to the card. If this is not possible, you might need to restart the server after the cable is attached so the IP address assignment can take effect. Configure the proxy server following the steps below: To Configure Do This Notes IP addresses and subnet masks for the network connections (eth0, eth1, etc.) that will handle proxy services 1. In the browser-based tool, click the Configuration link, then in Network Settings click Adapters. 2. Under the desired network card, click Modify and change the needed configuration and address settings for the adapter. 3. Click OK, then click Apply All Changes. See B and C in Figure 6-1 on page 29. The proxy server does not need to be on the same subnet as the browser. If the proxy server is on a different subnet, its IP address will reflect a different subnet. Also, eth0, eth1, etc., can be on different subnets. If you intend to configure a transparent or a reverse proxy service, or if you expect an excessive amount of network traffic, you should consider using a separate network card for managing your proxy server. 30 SuperLumin Nemesis

31 To Configure Do This Notes At least one DNS server IP address The numeric IP address for a gateway (router) on the same subnet as the proxy server One or more proxy services 1. Click the Configuration link, then in Network Settings, click DNS. 2. Enter the addresses in the appropriate fields. 3. Click Insert, then click OK and then Apply All Changes. 1. In the browser-based tool, click the Configuration link, then in Network Settings click Gateways. 2. Enter the address in the Default Gateway IP Address field. 3. Click Insert, then click OK and then Apply All Changes. See Part IV, Accelerating HTML Content, on page 43. See B in Figure 6-1 on page 29. If the proxy server is on the same subnet as the client workstation, the proxy server and the workstation will have the same gateway address. If the proxy server is on a different subnet than the browser, its gateway address will be the IP address of the router on the other subnet. See C in Figure 6-1 on page 29. IMPORTANT: If you are reinitializing the system, you should remove the CD, shut down SuperLumin Proxy, turn the SuperLumin proxy server off, and then restart it Changing the IP Address of an Existing Proxy Service There are certain situations that might require you to change the IP address of an existing proxy service. This could be necessary if you have an IP address conflict or if you add an additional network card to your server or switch a network cable to a different network card. To change the IP address of an existing proxy cache service 1 Go to the Login prompt of your SuperLumin proxy server via an SSH session or at the system console. 2 At the Login prompt, log in as the root user by entering the following: root 3 Enter the root user password you defined during initial device setup when the quickstart script was run. 4 Start the SuperLumin command line interface (CLI) by entering slash at the command prompt. 5 Enter conf to access config mode. 6 Enter adapter eth0. Replace eth0 with the network card ID that you are changing the IP address for (eth0, eth1, etc). Preparing the Network 31

32 7 Enter address eth0_default. Replace eth0_default with the address you want to change. 8 Enter the following commands in the order listed: ip new_ip_address cidr new_cidr_mask Replace new_ip_address with the IP address you are changing to. Replace new_cidr_mask with the new cidr netmask of the IP address you are changing to. 9 Enter the following commands in the order listed... apply quit NOTE: After changing the IP address you might need to change the default route and DNS settings. 32 SuperLumin Nemesis

33 7Troubleshooting the Initial Proxy Server Setup 7 This section covers troubleshooting the initial proxy server setup. 7.1 Proxy Server Problems My proxy server isn't working Most problems are caused by invalid IP address configurations. Four things are critical: A unique numeric IP address with a subnet mask A valid gateway address on the same subnet as the IP address A valid DNS server IP address A valid DNS domain name I can't ping the proxy server from my client Ensure the client and the proxy server are on the same subnet Disable the firewall on the proxy server. 7.2 Browser Problems My browser can't find the proxy server The correct URL is Replace proxyipaddress with the IP address of your proxy server I can t see or modify SuperLumin proxy services The SuperLumin proxy server uses a role-based management system. You might not have sufficient access rights or permissions to see or make modifications to the available services on the SuperLumin proxy server None of the changes I made in the browser application are taking effect After making the changes, you must click Apply All Changes to make the changes effective. Troubleshooting the Initial Proxy Server Setup 33

35 IIQuickly Creating Proxy Services III SuperLumin now provides wizards that take you step by step through the process of quickly creating and configuring proxy services. These wizards are accessible on the Getting Started page of the browser-based management tool. As with previous versions of SuperLumin Proxy, you can also create and configure proxy services using the pages displayed under the Configuration links of the browser-based management tool. The following table summarizes the proxy services you can create using the information in this section. To create Forward proxy services Transparent proxy services Social Media services See Section 8.1, Creating a Forward Proxy Service, on page 37 Section 8.2, Creating a Transparent Proxy Service, on page 38 Section 8.4, Creating a Social Media Cache Service, on page 40 Quickly Creating Proxy Services 35

37 8Quickly Creating Proxy Services 8 This chapter provides instructions for quickly creating transparent, forward, reverse and social media proxy services. More detailed instructions for creating these services can be found in Chapter 9, Forward Proxy Services, on page 45, Chapter 10, Transparent Proxy Services, on page 49, Chapter 11, Reverse Proxy Services, on page 57, and Chapter 12, Social Media Services, on page Creating a Forward Proxy Service To create a forward proxy service: 1 Start the browser-based management tool, click the Getting Started link, then click Quick Service Creation. See Section 26.2, Starting the Management Tool, on page 127 for details on starting and using the browser-based management tool. 2 Select Forward Proxy Service, then click Next. 3 Enter the name you want to assign to the forward proxy service, then click Next. 4 Select the IP address that the forward proxy service will be available on, then click Next. If the desired IP address is not listed, you can quickly add another IP address by clicking Quick Adapter Setup. After clicking Quick Adapter Setup, click Modify under the desired adapter and add the needed IP address. If you have already added an address and don t see the address you want, the port needed for the forward proxy service may already be in use. 5 Choose if you want logging turned on and if you want authentication enforced, then click Next. If logging is turned on, forward proxy service caching activity will be saved in log files. The on-box reporting functionality of the SuperLumin proxy server uses log files to generate reports. Enabling logging is therefore recommended. Logging can be useful for generating reports that help you get a better understanding of user requests and activities. Logging can also quickly use up disk space. See Chapter 23, Logging, on page 109 for more information on logging and coming up with a logging strategy. If you choose to have authentication enforced, a user that has not been authenticated will receive a prompt to provide authentication information (username and password) before being allowed to use the forward proxy service. See Chapter 15, Authentication Services, on page 75 for more information. 6 (Optional) If you chose to have authentication enforced, specify the LDAP hostname, user fieldname, and context for the user objects, then click Next. NOTE: LDAP is currently the only authentication method supported. To use LDAP authentication, you must provide the hostname or IP address of the LDAP server. You can use the ldaps://host.name.com or the ldap://host.name.com form in the wizard. 7 (Optional) If you chose to have authentication enforced, choose whether you want authentication events logged and if you want to use SuperLumin Single Sign-on, then click Next. Quickly Creating Proxy Services 37

38 See Section , Adding Support for SuperLumin Single Sign-On, on page 81 for more information on SuperLumin Single Sign-on. 8 Click Finish and then click Apply All Changes to save the forward proxy service. 8.2 Creating a Transparent Proxy Service To create a transparent proxy service: 1 Start the browser-based management tool, click the Getting Started link, then click Quick Service Creation. See Section 26.2, Starting the Management Tool, on page 127 for details on starting and using the browser-based management tool. 2 Select Transparent Proxy Service, then click Next. 3 Enter the name you want to assign to the transparent proxy service, then click Next. 4 Select the IP address that the transparent proxy service will be available on, then click Next. If the desired IP address is not listed, you can quickly add another IP address by clicking Quick Adapter Setup. After clicking Quick Adapter Setup, click Modify under the desired adapter and add the needed IP address. If you have already added an address and don t see the address you want, the port needed for the transparent proxy service may already be in use. 5 Choose if you want logging turned on and if you want authentication enforced. If logging is turned on, transparent proxy service caching activity will be saved in log files. The on-box reporting functionality of the SuperLumin proxy server uses log files to generate reports. Enabling logging is therefore recommended. Logging can be useful for generating reports that help you get a better understanding of user requests and activities. Logging can also quickly use up disk space. See Chapter 23, Logging, on page 109 for more information on logging and coming up with a logging strategy. If you choose to have authentication enforced, a user that has not been authenticated will receive a prompt to provide authentication information (username and password) before being allowed to use the transparent proxy service. See Chapter 15, Authentication Services, on page 75 for more information. 6 (Optional) If you chose to have authentication enforced, specify the LDAP hostname, user fieldname, and context for the user objects, then click Next. NOTE: LDAP is currently the only authentication method supported. To use LDAP authentication, you must provide the hostname or IP address of the LDAP server. You can use the ldaps://host.name.com or the ldap://host.name.com form in the wizard. 7 (Optional) If you chose to have authentication enforced, choose whether you want authentication events logged and if you want to use SuperLumin Single Sign-on, then click Next. See Section , Adding Support for SuperLumin Single Sign-On, on page 81 for more information on SuperLumin Single Sign-on. 8 Click Finish and then click Apply All Changes to save the transparent proxy service. 38 SuperLumin Nemesis

39 8.3 Proxy Service Configuration When you create a forward or a transparent proxy service, references are automatically created from the service to certain default configuration options. These default configuration options are also created automatically when you create a service using the Quick Service Creation wizard, and consist of the following: A listener TCP options (default options are created automatically for both connect and listen) A policy list (if you enable authentication) Cache management settings (default options are created) Multiple services and different service types can use the same configuration options. For example, you may have a forward proxy service and a transparent proxy service that use the same cache management options. In most cases, the default configuration options are sufficient. Depending on your needs however, you may want to change the default configuration options. You can do this using the pages that are accessible from the Configuration page. You should be aware that if you change a default configuration option, all the services that reference or use that option will be affected. If you want different options for different proxy services, then you need to create separate options settings and reference them in the appropriate service. Although default configuration options and references to them are created automatically by the Quick Service Creation Wizard, transparent proxies require a modification to the packet filter rules Modifying Packet Filter Rules (Transparent Proxy) Although you can create a Transparent Proxy service using the Quick Service Creation wizard, you must modify packet filter rules in order to send traffic to the transparent proxy service. To create a packet filter rule for a transparent proxy service: 1 In the browser-based management tool, click Configuration, then select Show Advanced Options. 2 Click Packet Filter, select Enable Packet Filtering, then click Append. 3 Set the following options to the values specified below, then click Next. Action=REDIRECT Table=nat Chain=PREROUTING Protocol/Match=tcp (ensure checkbox is NOT selected) 4 Under REDIRECT Action Configuration, set REDIRECT to Ports to Under the Basic Rule Configuration, ensure the Destination checkbox is NOT checked and then set the TCP Destination Port to Click OK and then OK again and then click Apply All Changes. Quickly Creating Proxy Services 39

40 8.4 Creating a Social Media Cache Service Facebook and YouTube are the only social media cache services currently supported. To create a social media cache for Facebook or YouTube, you need three IP addresses. These IP addresses must be different than the IP address that is used by the browser-based management tool. One IP address is used for caching Facebook and YouTube domains. For Facebook, there are three secure sites that must be handled by the social media cache service. A different tunnel service (genereic proxy) that uses another one of the three IP addresses is created to tunnel requests to each of the secure sites. To create a social media cache service: 1 Start the browser-based management tool, click the Getting Started link, then click Quick Service Creation. See Section 26.2, Starting the Management Tool, on page 127 for details on starting and using the browser-based management tool. 2 Select Social Media Service, then click Next. 3 Enter the name you want to assign to the social media service, then click Next. You can use the name that already appears or enter a unique service name. 4 Select the IP addresses that requests for social media will be routed to, then click Next. You can click Quick Adapter Setup to add the IP addresses mentioned above or another address. After clicking Quick Adapter Setup, click Modify under the desired adapter and add the needed IP addresses. If you have already added addresses and don t see the address you want, the port needed for the social media service may already be in use. The DNS server will resolve requests to the addresses you specify where the requested social media content may be cached. You must specify three IP Addresses for the social media cache that is created by the social media wizard. The first address (which uses port 80) is needed to create a reverse proxy service to accelerate all domains associated with YouTube and Facebook. The first address on port 443 is used to create a tunnel (generic proxy) service for the Facebook secure login.facebook.com site. The second address on port 443 is used to create a tunnel service for the Facebook secure register.facebook.com site. The third address on port 443 is used to create a tunnel service for the Facebook secure s-static.ak.facebook.com site. NOTE: The IP address used for the SuperLumin mangement GUI cannot be used as one of the addresses for the social media cache. 5 Choose whether you want logging enabled and if you want to use the proxy server as the social media cache DNS server, then click Next. If logging is enabled, social media service caching activity will be saved in log files. The onbox reporting functionality of the SuperLumin proxy server uses log files to generate reports. Enabling logging is therefore recommended. Selecting the option for configuring the SuperLumin proxy server as the social media cache DNS server is recommended. Selecting this option creates a DNS server on the SuperLumin proxy with the needed DNS records for DNS host name resolution for the YouTube and Facebook sites. Even if you create a DNS server on the proxy and don t use it as your primary DNS server, you can still use it to look at the DNS records that are created to get a better understanding of what DNS records are needed on the DNS server that will be used. 40 SuperLumin Nemesis

41 If you create a DNS server on the proxy and want to use that DNS server, it should be your primary DNS server. If you already have a DNS server and choose not to create a DNS server on the proxy, you can simply add DNS records for the Facebook and YouTube domains to redirect traffic to the SuperLumin Social Media Cache server. 6 (Optional) If you chose to have the proxy server also be the social media cache DNS server, select the IP address of your DNS server from the list of available addresses. This is the IP address of the listener for the DNS server. The default port for DNS is 53, so you can use the same IP address as the one used by the browser-based managemant tool. If you don t see the address you want, the port needed for the DNS server may already be in use. You can click Quick Adapter Setup to add another address. The IP address for the social media DNS server must be set as the primary DNS server on clients using the social media cache. Once the IP address of the social media DNS server is used as the primary DNS server, host name resolutions for YouTube and Facebook sites are correctly resolved to the IP address of the reverse proxy service that accelerates requests for YouTube and Facebook. 7 Click Finish and then click Apply All Changes to save the social media cache service. Quickly Creating Proxy Services 41

43 IVAccelerating HTML Content IV After you have connected the proxy server to your network and completed the other basic setup instructions in Part II, Integrating SuperLumin Proxy into Your Network, on page 25, use the instructions in this section to learn more about the different proxy services the SuperLumin proxy server offers and to set up the HTML acceleration services your Web content strategy requires. Each chapter in this section provides: An overview of the proxy service Instructions for setting up the proxy service The following table summarizes the tasks you can accomplish using the information in this section. To learn more about See Forward proxy services Chapter 9, Forward Proxy Services, on page 45 Transparent proxy services Chapter 10, Transparent Proxy Services, on page 49 Reverse proxy services Chapter 11, Reverse Proxy Services, on page 57 Social Media services Chapter 12, Social Media Services, on page 63 Accelerating HTML Content 43

45 9Forward Proxy Services 9 This section contains information about the forward proxy services. 9.1 Overview of Forward Proxy This section presents a conceptual overview of SuperLumin Proxy forward proxy services. Setup instructions are in Section 9.2, Forward Proxy Setup, on page Key Functionality You can configure browsers with the IP address of a forward proxy service or you can set up Web Proxy Auto-Discovery (WPAD) services on your network so that configured browsers can obtain proxy address information automatically. After they are properly configured, browsers send requests directly to a proxy server IP address configured for forward proxy service. The forward proxy service obtains the objects and forwards copies back to the browsers How Forward Proxy Works Figure 9-1 Forward Proxy Browser Router (Gateway) Internet 3 Origin Web Server 2 Browser 2 5 SuperLumin Proxy Server 1 A browser requests an origin Web server s Web page from its forward proxy server (SuperLumin Proxy Server). 2 The forward proxy service obtains the numeric IP from DNS. 3 The service obtains objects from the origin Web server. DNS Server 4 The service forwards copies of the retrieved objects to the browser. 5 The forward proxy service handles subsequent requests for the same Web page objects without accessing DNS or the origin Web server Benefits of Forward Proxy Forward proxy doesn't require a special router configuration. Forward Proxy Services 45

46 Forward proxy provides an immediate improvement in browser performance. Forward proxy allows users to decide whether to use the proxy service. For tips and guidelines on setting up forward proxy services, see Section 9.2, Forward Proxy Setup, on page Forward Proxy Setup Figure 9-2 provides a visual map for the information in this section. NOTE: The letters in Figure 9-2 are referenced in the table that follows. The addresses shown are for illustration purposes only. You will need to substitute actual addresses for your network. Figure 9-2 Forward Proxy Setup These IP addresses must match. Browser 1 Forward Proxy B Server = Router (Gateway) Internet Origin Web Server Browser 2 Forward Proxy B Server = SuperLumin Proxy Server A IP Address = DNS Server Set up forward proxy services as follows: To Do This Notes Ensure your basic network configuration is complete 1. See Section 6.1, Basic Network Configuration Setup, on page SuperLumin Nemesis

47 To Do This Notes Enable forward proxy services on the SuperLumin proxy server 1. In the browser-based tool, click the Configuration link, then in HTTP Services, click Forward Proxy and enter a unique name. 2. Click Insert. 3. Select Allow Connect to enable the forward proxy service to use the HTTP CONNECT method. 4. Select Force SSL on CONNECT to have the Proxy server check to ensure that HTTP CONNECT requests to the forward service contain SSL-related traffic. In general, this option should be enabled whenever the Allow Connect option is enabled 5. If you want to use TCP options other that the default options, select them from the lists. 6. Select a listener, then click Select. If a listener does not already exist, you you can create one by clicking Add New Listener. 7. Under Policy Enforcement, select the access control profiles you want to apply to this proxy service. 8. Select the desired cache management options for this proxy service. 9. Under Logging Options, click Enable if you want logging to be performed for this proxy service. 10. Under Hierarchy Options, click enable if you want to enable hierarchy definitions and select the desired definition. 11. Click OK, then click Apply All Changes. If you disable the CONNECT method for a forward proxy service, you block access to all SSL sites for browsers using that forward proxy service. This may include banks, employee portals, and web-based systems. The Allow Connect Method and Force SSL on Connect options should always be used together. If the TCP option you want is not listed, you can click TCP Options to configure TCP connect options. See TCP Connect Options on page 172 for more information. If the listener you want is not listed, you can click Add New Listener to create a new one. See Listener on page 168 for more information. You can also configure a new access control profile by clicking Policy Management Options. See Access Control (Policy Management Options) on page 175 for more information. If the cache management option you want is not listed, you can click Cache Management Options to configure a new cache management option. You can click Logging Options to add change or configure logging options. See Logging on page 209 for more information. If a desired hierarchy definition is not listed, click Hierarchy Options to bring up a page for configuring hierarchy lists and hierarchy bypass rules. See Hierarchy on page 233 for more information. Forward Proxy Services 47

48 To Do This Notes Enable the client browsers to use proxy services See the software vendor's documentation for more information. See B in Figure 9-2 on page 46. Use one of the checked IP addresses as the address for the forward proxy server. Be sure to use the same port number as configured on the SuperLumin proxy server. 48 SuperLumin Nemesis

49 10Transparent Proxy Services 10 This section contains information about tranparent proxy services Overview of Transparent Proxy Transparent proxy services require browser requests to be routed to the SuperLumin proxy server from a network router or switch. This chapter reviews two different router/switch configurations and contains setup instructions for each configuration type. The two router/switch configurations are: An L4 switch A WCCP-capable network router Transparent Proxy with an L4 Switch An L4 switch on the same network as the client workstation intercepts browser requests from the client and sends them to the SuperLumin proxy server. The transparent proxy service processes the request for the browser. How Transparent Proxy Works with an L4 Switch Figure 10-1 Transparent Proxy with an L4 Switch 4 Browser 1 1 L4 Switch Gateway (Router) Internet 3 Origin Web Server Browser SuperLumin Proxy Server 1 A browser requests a Web page from an origin Web server. The L4 switch detects that the request is on port 80, intercepts it, and sends it to the SuperLumin Proxy Server s transparent proxy service. 2 The service obtains the numeric IP address from DNS. DNS Server 3 The service gets the Web page objects from the origin Web server. 4 The service forwards copies of the retrieved objects to the browser. 5 The SuperLumin Proxy Server s transparent proxy service handles subsequent requests for the same Web page objects without accessing DNS or the origin Web server. Benefits of Transparent Proxy with an L4 Switch Transparent proxy doesn't require browser configuration. After the switch and the proxy server are configured, proxy services are transparent to the browser. Transparent Proxy Services 49

50 For tips and guidelines on setting up transparent proxy services using an L4 switch, see Section 10.2, Transparent/L4 Proxy Setup, on page Transparent Proxy with a WCCP-Capable Router A WCCP-capable router, which is configured as the default gateway for the client workstation, intercepts browser requests from the client and routes them to the proxy server. The transparent proxy service processes the requests for the browser. How Transparent Proxy Works with a WCCP-Capable Router Figure 10-2 Tranparent Proxy with a WCCP-Capable Router Browser Gateway (WCCP-Capable Router) Internet 3 Origin Web Server 2 Browser 2 5 SuperLumin Proxy Server 1 A browser requests a Web page from an origin Web server. The WCCP-capable router detects that the request is on port 80 and routes it to the SuperLumin Proxy Server's transparent proxy service 2 The SuperLumin Proxy Server obtains the IP address of the origin Web server from DNS. DNS Server 3 The proxy service obtains Web page objects from the origin Web server. 4 The service forwards copies of the retrieved objects to the browser. 5 The SuperLumin Proxy Server's transparent proxy service handles subsequent requests for the same Web page objects without accessing DNS or the origin Web server. Benefits of Transparent Proxy with a WCCP-Capable Router Transparent proxy doesn't require browser configuration. After the router and the Proxy Server are configured, proxy services are transparent to the browser. For tips and guidelines on setting up transparent proxy services using WCCP-capable routers, see Section 10.3, Transparent/WCCP Proxy Setup, on page Transparent/L4 Proxy Setup Figure 10-3 provides a visual map for the information in this section. NOTE: The letters in Figure 10-3 are referenced in the table that follows. The addresses shown are for illustration purposes only. You will need to substitute actual addresses for your network. 50 SuperLumin Nemesis

51 Figure 10-3 Transparent/L4 Proxy Setup Support Policy B Route port 80 traffic to Browser 1 L4 Switch Gateway (Router) Internet Origin Web Server Browser 2 SuperLumin Proxy Server DNS Server IP Address = A To Do This Notes Ensure your basic network configuration is complete 1. See Section 6.1, Basic Network Configuration Setup, on page 29. Transparent Proxy Services 51

52 To Do This Notes Set up transparent proxy services on the proxy server 1. In the browser-based tool, click the Configuration link, then in HTTP Services, click Transparent Proxy and enter a unique name. 2. Click Insert. 3. Select Allow Connect to enable the transparent proxy service to use the HTTP CONNECT method. 4. Select Force SSL on CONNECT to have the Proxy server check to ensure that HTTP CONNECT requests to the transparent service contain SSL-related traffic. In general, this option should be enabled whenever the Allow Connect option is enabled 5. If you want to use TCP options other that the default options, select them from the lists. 6. Select a listener, then click Select. If a listener does not already exist, you you can create one by clicking Add New Listener. 7. Under Policy Enforcement, select the access control profiles you want to apply to this proxy service. 8. Select the desired cache management options for this proxy service. 9. Under Logging Options, click Enable if you want logging to be performed for this proxy service. 10. Under Hierarchy Options, click enable if you want to enable hierarchy definitions and select the desired definition. 11. Click OK, then click Apply All Changes. See A in Figure 10-3 on page 51. No additional configuration is necessary for SuperLumin Proxy to work with an L4 switch. For more information, see Section , Transparent Proxy, on page 220. See Section , Advanced TCP Options, on page 166 You do not normally need to enable the CONNECT method for transparent proxy services. For most installations, only forward proxies need to support the CONNECT method. However, if you configure your transparent proxy to intercept traffic normally intended for a forward proxy (such as on port 8080), then the transparent proxy might also need to allow the CONNECT method. The Allow Connect Method and Force SSL on Connect options should always be used together. 52 SuperLumin Nemesis

53 To Do This Notes Set up your L4 switch to route browser requests (port 80 traffic) to the proxy server 1. Configure a support policy to redirect traffic to a transparent proxy address on the Proxy Server. Refer to the documentation for your switch. See B in Figure 10-3 on page Transparent/WCCP Proxy Setup Figure 10-4 provides a visual map for the information in this section. NOTE: The letters in Figure 10-4 are referenced in the table that follows. The addresses shown are for illustration purposes only. You will need to substitute actual addresses for your network. Figure 10-4 Transparent/WCCP Proxy Setup A Enable the router for WCCP routing. Browser 1 Gateway (WCCP-Capable Router) Internet IP Address = Origin Web Server Browser 2 SuperLumin Proxy Server DNS Server B C Transparent Proxy IP Address = WCCP Options WCCP Router = WCCP Cache = To Do This Notes Ensure your basic network configuration is complete Enable WCCP routing on the router 1. See Section 6.1, Basic Network Configuration Setup, on page Enable the router for WCCP routing. Follow the router manufactuer's directions. See A in Figure A WCCP-capable router can service more than one transparent proxy server. Transparent Proxy Services 53

54 To Do This Notes Set up transparent proxy services on the proxy server 1. In the browser-based tool, click the Configuration link, then in HTTP Services, click Transparent Proxy and enter a unique name. 2. Click Insert. 3. Select Allow Connect to enable the transparent proxy service to use the HTTP CONNECT method. 4. Select Force SSL on CONNECT to have the Proxy server check to ensure that HTTP CONNECT requests to the transparent service contain SSL-related traffic. In general, this option should be enabled whenever the Allow Connect option is enabled 5. If you want to use TCP options other that the default options, select them from the lists. 6. Select a listener, then click Select. If a listener does not already exist, you you can create one by clicking Add New Listener. 7. Under Policy Enforcement, select the access control profiles you want to apply to this proxy service. 8. Select the desired cache management options for this proxy service. 9. Under Logging Options, click Enable if you want logging to be performed for this proxy service. 10. Under Hierarchy Options, click enable if you want to enable hierarchy definitions and select the desired definition. 11. Click OK, then click Apply All Changes. See B in Figure 10-4 on page 53. When transparent proxy is enabled, it is active for all IP addresses on the Proxy Server, except those addresses configured for origin Web server acceleration services on the same port. For more information, see Section , Transparent Proxy, on page 220. See Section , Advanced TCP Options, on page 166 You do not normally need to enable the CONNECT method for transparent proxy services. For most installations, only forward proxies need to support the CONNECT method. However, if you configure your transparent proxy to intercept traffic normally intended for a forward proxy (such as on port 8080), then the transparent proxy might also need to allow the CONNECT method. The Allow Connect Method and Force SSL on Connect options should always be used together. 54 SuperLumin Nemesis

55 To Do This Notes Register the proxy server with the WCCP routers on your network. 1. After you have enabled transparent proxy services, click the Configuration tab, then in Network Settings, click WCCP Options. 2. Enter a WCCP definition name, then click Insert. 3. Configure WCCP options. See WCCP on page 257 for more information. 4. Click OK, then click Apply All Changes. See C in Figure 10-4 on page 53. The router needs the WCCP Cache IP address to know where to send browser requests. SuperLumin Proxy needs one or more WCCP router IP addresses in order to register with the routers. A Proxy Server can register with multiple WCCP routers. WCCP version 2 is the only version supported Creating Packet Filter Rules After creating a transparent proxy service, you must create packet filter rules in order to send traffic to the transparent proxy service. To create a packet filter rule for a transparent proxy service: 1 In the browser-based management tool, click Configuration, then select Show Advanced Options. 2 Click Packet Filter, select Enable Packet Filtering, then click Append. 3 Set the following options to the values specified below, then click Next. Action=REDIRECT Table=nat Chain=PREROUTING Protocol/Match=tcp (ensure checkbox is NOT selected) 4 Under REDIRECT Action Configuration, set REDIRECT to Ports to Under the Basic Rule Configuration, ensure the Destination checkbox is NOT checked and then set the TCP Destination Port to Click OK and then OK again and then click Apply All Changes. Transparent Proxy Services 55

57 1Reverse Proxy Services 11 This section contains information about reverse proxy services Overview of Reverse Proxy The proxy server s reverse proxy relies on DNS to cause the proxy server to receive requests originally targeted at the origin Web server. The reverse proxy handles the requests, accessing the origin Web server only when needed objects are not cached. The SuperLumin proxy server allows you to use the same IP address of the proxy server to accelerate multiple Web sites. This is referred to as Multihoming How Reverse Proxy Works The mechanism for routing browser requests to the reverse proxy instead of the Web server can be summarized as follows: Without reverse proxy, DNS resolves the origin Web server's host name to the origin server's IP address. With reverse proxy, DNS resolves the origin server's host name to the IP address of the Reverse Proxy service. Figure 11-1 Reverse Proxy Internet 3 5 A Browser 1 on the Web 2 IP Address = Origin Web Server SuperLumin Proxy Server IP Address = DNS Server OriginWeb Server.com = A browser on the Web requests an origin Web server Web page. This generates a request to DNS for the numeric IP address of the Web server. 2 Instead of returning the origin Web server s numeric IP address, DNS returns the numeric IP address of the reverse proxy service on the SuperLumin Proxy Server. 3 The browser requests the Web page using the numeric IP address of the reverse proxy service. 4 The reverse proxy service obtains the Web page objects from the origin Web server. 5 The reverse proxy returns copies of the objects to the browser. Reverse Proxy Services 57

58 Benefits of Origin Web Server Acceleration A reverse proxy reduces response time to browser requests and frees up origin Web server bandwidth, allowing it to handle requests for less frequently requested, uncached data much more quickly. The proxy server can accelerate origin Web servers at remote locations that don't offer broadband connections. The reverse proxy can be located on the local network, delivering high-speed access to browsers for all cached objects. The connection to the origin Web server is then used for transporting only those objects not already in cache. For tips and guidelines on setting up an origin Reverse Proxy, see Section 11.2, Reverse Proxy Setup, on page 58. The procedure for configuring DNS to work with a Reverse Proxy is explained in Working with DNS on page Reverse Proxy Setup Figure 11-2 provides a visual map for the information in this section. NOTE: The letters in Figure 11-2 are referenced in the table that follows. The addresses shown are for illustration purposes only. You will need to substitute actual addresses for your network. Figure 11-2 Reverse Proxy Setup Internet A Browser on the Web IP Address = Origin Web Server SuperLumin Proxy Server IP Address = B DNS Server OriginWebServer.com = A SuperLumin Proxy Server Configuration Reverse Proxy IP Address = Web Server Address = To Do This Notes Ensure your basic network configuration is complete for each proxy server Ensure that DNS resolves browser requests to the proxy server IP addresses configured for the Reverse Proxy services 1. See Configuring the SuperLumin Proxy Server on page See Working with DNS on page 60. See A in Figure SuperLumin Nemesis

59 To Do This Notes Set up one or more reverse proxy services 1. In the browser-based tool, click the Configuration link, then in HTTP Services, click Reverse Proxy and enter a unique name. 2. Click Insert. 3. Click Enable to enable this reverse proxy service. 4. Select the desired TCP options from the list. 5. Select a listener from the list. 6. Enter the host name or domain name of the Web sites you want the reverse proxy service to fill the cache from, then click Add. Repeat this step for each Web server that will provide content for caching. 7. Under Policy Enforcement, select the access control profiles you want to apply to this proxy service. 8. Select the desired cache management options for this proxy service. 9. Under Logging Options, click Enable if you want logging to be performed for this proxy service. 10. Under Hierarchy Options, click enable if you want to enable hierarchy definitions and select the desired definition. 11. Click OK. You are returned to the initial configuration page. 12. Click Apply All Changes. If the TCP option you want is not listed, click TCP Options to configure TCP connect options. See TCP Connect Options on page 172 for more information. If the listener you want is not listed, click Add New Listener to create a new one. See Listener on page 168 for more information. A DNS record must be created for the host names being cached by the reverse proxy. A wild card DNS record must also be created for the domains being cached by the reverse proxy. Specifying a domain name will cause the reverse proxy service to cache the content of all of the Web sites within that domain e.g. superlumin.com, and support.superlumin.com would all be cached by the SuperLumin proxy server. You can also configure a new access control profile by clicking Policy Management Options. See Access Control (Policy Management Options) on page 175 for more information. If the cache management option you want is not listed, you can click Cache Management Options to configure a new cache management option. If logging is enabled, reverse proxy log files for the SuperLumin proxy server will have the same name as the reverse proxy. You can click Logging Options to add change or configure logging options. See Logging on page 209 for more information. If a desired hierarchy definition is not listed, click Hierarchy Options to bring up a page for configuring hierarchy lists and hierarchy bypass rules. See Hierarchy on page 233 for more information. Reverse Proxy Services 59

60 Working with DNS The steps you take for having DNS resolve requests to the proxy server rather than to the origin server depend on whether the proxy server and the origin Web server are on the same subnet. If the proxy server and the origin Web server are on the same subnet, you can swap IP addresses as shown in Figure Figure 11-3 Proxy Server and Origin Web Server on Same Subnet Internet A Browser on the Web IP Address = Origin Web Server The origin Web server s IP address was You change it to SuperLumin Proxy Server IP Address = You assign the appliance the IP address DNS server OriginWebServer.com = DNS is unchanged, but now sends browsers to the appliance instead of the origin Web server. If the origin Web server is on a remote network, you need to alter DNS as shown in Figure 11-4 on page 60. Figure 11-4 Proxy Server and Origin Web Server on Different Subnets Internet A Browser on the Web OriginWebServer.com = Origin Web Server 1 The origin Web server s IP address is SuperLumin Proxy Server 2 You assign the SuperLumin Proxy Server the IP address DNS Server 3 DNS had as the IP address for OriginWebServer.com. You change DNS so that OriginWebServer.com now resolves to SuperLumin Nemesis

61 Standard Multihoming for Multiple Web Sites Multiple Web sites can be hosted through a single IP address and port combination in two ways: Multiple Web Sites Through a Single IP Address and Port: This scenario requires that each host name in the Reverse Proxy definition be unique and that none of the Web servers use SSL. (See Section , Configuration Considerations When Using Proxy Server Multihoming Features, on page 62.) To do this, simply configure a Reverse Proxy and specify a host name for each of the Web sites being accelerated. Multiple Domains Through a Single IP Address and Port: This scenario causes the reverse proxy service to cache the contents of the specified domains. Each domain includes all the Web sites associated with that domain. For example, the superlumin.com domain includes Web sites such as suport.superlumin.com, sales.superlumin.com, etc. The following are simplified examples for each scenario. Example: Accelerating Multiple Web Sites on a Single IP Address A company named Server Consolidation, Inc., offers proxy acceleration services to several small companies, each of which has its own Web server. Server Consolidation knows it can provide enough bandwidth to handle the combined Web traffic on one IP address, Server Consolidation installs a SuperLumin proxy server, configures it with a reverse proxy service using the IP address , and fills it from different Web servers. Each company then arranges to have its DNS name (or names) resolve to After the DNS changes are complete, Server Consolidation's proxy server is accelerating multiple Web sites through IP address Because SuperLumin proxy server uses the host name to determine which Web site to fill a request from, one Reverse Proxy definition is required for all host names accelerated by the proxy server. NOTE: In this example, none of the Web servers could use SSL. See Section , Configuration Considerations When Using Proxy Server Multihoming Features, on page 62 for more information. Example: Accelerating Multiple Domains on a Single IP Address A company named Web Host, Inc. provides hosting services for many companies on a single IP address of The domain name for each of the accelerated companies is added to the Reverse proxy service listening on address DNS records are changed to ensure that all of the host names associated with the specified domains are resolved to address Example: Accelerating Multiple Domains on Multiple IP Addresses Web Host could also configure the SuperLumin Proxy server with multiple IP addresses and assign an IP address to each of the companies that it is accelerating. Web Host would then configure a reverse proxy for each domain associated with each company. Reverse Proxy Services 61

62 In this scenario, Web Host could also dedicate different disks to each of the companies to ensure that the content for each domain remains on the disks associated with the reverse proxy service for that domain Configuration Considerations When Using Proxy Server Multihoming Features Proxy server multihome capabilities are explained in Section , Standard Multihoming for Multiple Web Sites, on page 61. Keep the following points in mind when configuring multihomed support on the SuperLumin proxy server: Support for SSL is restricted. Although SuperLumin proxy server allows multiple reverse proxies to use the same IP address and port combination, this is not supported for Web servers using SSL. Host names must be unique when accelerating multiple sites. If you are accelerating multiple Web sites on the same IP address, the host names in the reverse proxy definitions must exactly match the host names that are used in browser requests. Each reverse proxy definition must use a unique combination of host name, IP address, and port number for the SuperLumin proxy server to properly route browser requests. 62 SuperLumin Nemesis

63 12Social Media Services 12 This section contains information about social media services Overview of Social Media Services SuperLumin s Social Media service lets you configure a social media cache. A social media cache performs as a reverse proxy, and identifies and caches social media objects that have already been retrieved. This minimizes bandwidth consumption and accelerates the delivery of social media content from Web application such as Facebook TM and YouTube TM How Social Media Services Work Social media Web applications such as Facebook and YouTube use a redirection model for content distribution, which means the same Web objects often originate from a different server with a different URL. Most caches have to store a separate copy derived from each server. The SuperLumin Social Media Cache can determine if an object has already been retrieved from another server and vend it from the existing cache inventory Social Media Services Setup To Do This Notes Ensure your basic network configuration is complete for each proxy server Ensure that DNS resolves browser requests to the proxy server IP addresses configured for the Reverse Proxy services 1. See Configuring the SuperLumin Proxy Server on page See Working with DNS on page 60. See A in Figure Social Media Services 63

64 To Do This Notes Set up caching support for one or more social media services 1. In the browser-based tool, click the Configuration link, then in Product Add-on, click Social Media and enter a unique name for the new social media site you want to add, or click on one of the existing services. 2. Add the domains or host names for the social media site that will resolve to the proxy server for content requests. 3. Click on a domain or host name to bring up a page for configuring the reverse proxy service that is used by the social media service. 4. Change or modify the reverse proxy configuration as desired, then click OK. 5. Add the tunnels (host names) that will bypass the proxy server and resolve to the origin Web server for content requests. 6. Click on a tunnel to bring up a page for configuring the generic proxy service that is used by the social media service. 7. Change or modify the generic proxy configuration as desired, then click OK. 8. Click OK, then click Apply All Changes. A social media reverse proxy service is automatically created when you select Add in the Service drop down menu for Domain/Hosts. The reverse proxy service created for the new social media site is also accessible using Reverse Proxy settings under HTTP Services. YouTube and Facebok are preconfigured, but are not enabled. A social media generic proxy service is automatically created when you add a new tunnel for the new social media site. The generic proxy service acts as a tunnel through which social media requests are sent or forwarded to the origin Web server. The tunnel proxy service created for the new social media site is also accessible using Generic Proxy settings under Miscellaneous Services. There must be a listener configured on the reverse proxy service used by the social media service. To configure a new listener see Listener on page 168. There must be a listener associated with the generic proxy service used by the social media service. To configure a new listener, see Section , Listener, on page SuperLumin Nemesis

65 13FTP Proxy Services 13 This section contains information about FTP proxy services. NOTE: Authentication is currently not supported with SuperLumin FTP Proxy Services Overview of FTP Proxy Services An FTP proxy acts as an application level gateway between FTP clients and servers. It allows you to secure local FTP servers against possibly insecure clients or malicious attacks. Using an FTP proxy provides protection against attacks by clients using the FTP protocol. You can run an FTP proxy service on your firewall. Doing so lets your firewall act as an intermediary for all FTP transactions. This increases your protection against buffer overflows and many other kinds of FTP attacks. It also allows you to restrict which FTP commands are executed by FTP clients. When ftp-proxy receives FTP client packets that have been redirected in this way, it uses their destination IP as the destination of the new FTP connection it initiates to the desired FTP server. Two options exist for FTP Proxy Services. They are FTP Forward Proxy Services and FTP Reverse Proxy Services. These options are similar to Forward Proxy Services and Reverse Proxy Services How FTP Forward Proxy Works Figure 13-1 FTP Forward Proxy Browser Router (Gateway) Internet 3 FTP Server 2 Browser 2 5 SuperLumin Proxy Server 1 A browser makes an FTP request to its FTP forward proxy service (SuperLumin Proxy Server). 2 The FTP forward proxy service obtains the IP address of the origin FTP Server from DNS. DNS Server 3 The service forwards the FTP request to the origin FTP Server. 4 The service forwards the FTP Server response back to the browser. FTP Proxy Services 65

66 How FTP Reverse Proxy Works The mechanism for routing FTP requests to the FTP Reverse Proxy service instead of the FTP server can be summarized as follows: Without FTP reverse proxy, DNS resolves the FTP server's host name to the FTP server's IP address. With FTP reverse proxy, DNS resolves the FTP server's host name to the IP address of the FTP Reverse Proxy service. Figure 13-2 FTP Reverse Proxy Internet 3 5 A Browser 1 on the Web 2 IP Address = FTP Server SuperLumin Proxy Server IP Address = DNS Server Origin FTP Server.com = A browser makes an FTP request. This generates a request to DNS for the numeric IP address of the FTP Server. 2 Instead of returning the origin FTP Server's IP address, DNS returns the IP address of the FTP reverse proxy service on the SuperLumin Proxy Server. 3 The browser makes the FTP request using the IP address of the FTP reverse proxy service. 4 The FTP reverse proxy service forwards the FTP request to the origin FTP Server. 5 The FTP reverse proxy service returns the origin FTP server response back to the browser FTP Forward Proxy Setup Figure 13-3 provides a visual map for the information in this section. NOTE: The letters in Figure 13-3 are referenced in the table that follows. The addresses shown are for illustration purposes only. You will need to substitute actual addresses for your network. 66 SuperLumin Nemesis

67 Figure 13-3 FTP Forward Proxy Setup These IP addresses must match. Browser 1 Forward FTP Proxy B Server = Router (Gateway) Internet Origin FTP Server Browser 2 Forward FTP Proxy B Server = A SuperLumin Proxy Server IP Address = DNS Server To set up an FTP Forward Proxy service 1. In the browser-based tool, click the Configuration link, then in Misc Services, click FTP Proxy and select Act as FTP Forward Proxy. 2. Select Enable FTP Proxy to enable the FTP Proxy service. 3. Choose the listening addresses you want the FTP proxy service to use to listen for incoming requests. You can choose to have the service listen on all addresses that are enabled to use the FTP proxy service or you can select a specific address from the list. 4. Specify the listening port number you want the FTP proxy service to listen on for incoming requests. The port number must be unique for the server. The default port number is Select the log level that you want the FTP proxy service to use. The Log Level option lets you choose to have only the log message types that you want generated. See FTP Proxy on page 225 for descriptions of the log levels. 6. Enter the maximum number of FTP clients that the FTP proxy service will allow to be concurrently connected. The default is Enter the amount of time in seconds that a client can remain connected with no activity before that client s connection to the FTP proxy service is terminated. The default is 900 seconds. 8. Enter the maximum number of client connections that can be made to the FTP proxy service in one minute. The default is Select Restrict FTP Commands to enable restricting certain FTP commands, then click Modify and select only those FTP commands that you want to allow. 10. Click Modify, then create messages that will display when users successfully authenticate to the FTP proxy, are denied access to the FTP proxy, or if the maximum number of connections for the FTP proxy service have been exceeded. FTP Proxy Services 67

68 11. Specify any desired FTP Proxy advanced settings. See FTP Proxy on page 225 for descriptions of FTP Proxy advanced settings FTP Reverse Proxy Figure 13-4 provides a visual map for the information in this section. NOTE: The letters in Figure 13-4 are referenced in the table that follows. The addresses shown are for illustration purposes only. You will need to substitute actual addresses for your network. Figure 13-4 FTP Reverse Proxy Setup Internet A Browser on the Web IP Address = FTP Server SuperLumin Proxy Server IP Address = B DNS Server Origin FTP Server.com= A SuperLumin Proxy Server Configuration Reverse Proxy IP Address = Web Server Address = To set up an FTP Reverse Proxy service 1. In the browser-based tool, click the Configuration link, then in Misc Services, click FTP Proxy and select Act as FTP Reverse Proxy. 2. In the Destination Address field, specify the IP address of the FTP server that the FTP Reverse Proxy service will send FTP requests to. 3. In the Destination Port field, specify the port number of the FTP server that the FTP Reverse Proxy service will send FTP requests to. 4. Select Enable FTP Proxy to enable the FTP Proxy service. 5. Choose the listening addresses you want the FTP proxy service to use to listen for incoming requests. You can choose to have the service listen on all addresses that are enabled to use the FTP proxy service or you can select a specific address from the list. 6. Specify the listening port number you want the FTP proxy service to listen on for incoming requests. The port number must be unique for the server. The default port number is Select the log level that you want the FTP proxy service to use. The Log Level option lets you choose to have only the log message types that you want generated. See FTP Proxy on page 225 for descriptions of the log levels. 68 SuperLumin Nemesis

69 8. Enter the maximum number of FTP clients that the FTP proxy service will allow to be concurrently connected. The default is Enter the amount of time in seconds that a client can remain connected with no activity before that client s connection to the FTP proxy service is terminated. The default is 900 seconds. 10. Enter the maximum number of client connections that can be made to the FTP proxy service in one minute. The default is Select Restrict FTP Commands to enable restricting certain FTP commands, then click Modify and select only those FTP commands that you want to allow. 12. Click Modify, then create messages that will display when users successfully authenticate to the FTP proxy, are denied access to the FTP proxy, or if the maximum number of connections for the FTP proxy service have been exceeded. 13. Specify any desired FTP Proxy advanced settings. See FTP Proxy on page 225 for descriptions of FTP Proxy advanced settings. FTP Proxy Services 69

71 VManaging and Leveraging SuperLumin Proxy Server Advanced Features V As you set up your proxy server and fine-tune its installation, you should be aware of the many supporting functions the proxy server offers. We recommend you review the chapters in this section and use the information in them to ensure your proxy server is providing exactly the services your Web content delivery strategy requires. The following table summarizes the tasks you can accomplish using the information in this section. To Install and manage product licenses See Chapter 14, Installing and Upgrading Licenses, on page 73 Use proxy server authentication services Chapter 15, Authentication Services, on page 75 Set up and implement access control policies Chapter 16, Access Control, on page 83 Manage proxy server certificates Tune the proxy server to meet your cache freshness requirements Learn about managing proxy server security Learn how the proxy server stores various configuration settings, including those you make Learn important information about re-imaging and restoring proxy server configurations Configure the proxy server so that DNS names in browser requests resolve as expected Plan and implement a logging strategy so log files are uploaded to another server before logs are deleted Shut down and restart the proxy server Ensure proxy server time is synchronized with the network Chapter 17, Managing Proxy Server Certificates, on page 87 Chapter 18, Cache Freshness, on page 91 Chapter 19, Managing Proxy Server Security Features, on page 95. Chapter 20, Automatic Configuration Mechanisms, on page 99 Section , Backing Up the Proxy Server Configuration, on page 99 and Section , Restoring the Proxy Server Configuration, on page 100 Chapter 22, Host Name Resolution, on page 107 Chapter 23, Logging, on page 109 Chapter 24, Shutting Down and Restarting, on page 119 Chapter 25, Time Synchronization, on page 121 Managing and Leveraging SuperLumin Proxy Server Advanced Features 71

73 14Installing and Upgrading Licenses 14 Each cache device requires a unique license be installed Obtaining Product Licenses To obtain a 45-day evaluation product license, use the license portal at and provide the MAC address of the first network card (eth0). You will receive an with a license.bin.number file. To install the license, follow the instructions in Installing a License below. If you have purchased SuperLumin Nemesis, your sales representative will provide you with a nonevaluation license Viewing License Information To view the information for an installed license, complete the following step: 1 Start the browser-based management tool, click the Getting Started link, then click Licensing. See Section 26.2, Starting the Management Tool, on page 127 for details on starting and using the browser-based management tool Installing a License To install a license on your proxy server 1 Copy the license.bin.number file to your desktop. 2 Start the browser-based management tool, click the Getting Started link, then click Licensing. See Section 26.2, Starting the Management Tool, on page 127 for details on starting and using the browser-based management tool. 3 Click Browse and then browse to the license file and select it. 4 Click Install License. The license file will automatically be renamed to remove the number and will be copied to the appropriate directory on the proxy server. The proxy server is now licensed. 5 Click Restart Server after the license is installed. After installing the license, the proxy server must be restarted for the license to be activated. If you need additional assistance, call and ask for support. For a better support experience, ensure your proxy server s management IP address is accessible to the host ( /32) for ports 22, 80, and 443. Installing and Upgrading Licenses 73

75 15Authentication Services 15 You can control access to SuperLumin proxy server services by creating and assigning authentication profiles. When you create an authentication profile, you can choose whether to use form-based authentication or SuperLumin Single Sign-on (Novell edirectory only). Form-based authentication causes the proxy service to return an authentication form to the browser which prompts the user for authentication information. The authentication profiles handle user verification by validating the specified authentication information using LDAP. The following sections will help you to match SuperLumin Proxy authentication features to your security infrastructure and requirements, and to create authentication profiles for your proxy services Prompting the User for Authentication Information After enabling authentication, you can configure the service to use form-based authentication or SuperLumin Single Sign-on (Novell edirectory only). Form-Based Authentication With form-based authentication, when the proxy service receives a request from a user that has not been authenticated, it returns an authentication form over a secure channel prompting the user for authentication information. Upon successful authentication, the proxy service requires an authentiation cookie to be sent by subsequent requests identifying the user to the proxy service. See Section , Understanding How Authentication Cookies Are Used, on page 77 for a better understanding of how authentication cookies are used. SuperLumin Single Sign-on SuperLumin Single Sign-on works with Novell edirectory, allowing users to authenticate to network services once instead of being prompted for authentication credentials. When the user logs into the Novell edirectory tree, the SuperLumin Single Sign-on client securely authenticates the user to the proxy server as well. This allows the user to browse the internet without being prompted for authentication credentials. However, the proxy is fully aware of the user and can be configured to log all pages the user accesses Matching Authentication Profiles to Your Requirements Chances are good that your network already requires authentication of those seeking access to network services through a database of some kind (LDAP, RADIUS, or NTLM). SuperLumin proxy server lets you extend your authentication infrastructure to include access to proxy services. With both form-based authentication and SuperLumin Single Sign-on, LDAP can be selected as the back end authentication database. Authentication Services 75

76 If your LDAP server is a Novell edirectory server, you can also configure SuperLumin proxy clients to support edirectory Single Sign On. SuperLumin Proxy is the replacement for the Novell BorderManager product. The following sections provide information to help you match SuperLumin proxy server authentication profile types with your network requirements Understanding How Profiles Work The LDAP profile authentication mechanisms are summarized in Table 15-1: Table 15-1 LDAP Profile Authentication Mechanisms Profile Type LDAP Summary of Authentication Mechanisms To gain access to a proxy service, users must enter the information required by the profile, normally a valid username and password. The exchange of the username and password between the browser and the cache device is encrypted. The exchange of information between the cache device and the LDAP server can be encrypted or non-encrypted depending on the configuration of the LDAP authentication profile A Summary of Authentication Method Pros and Cons SuperLumin proxy server provides support for various authentication sources as summarized in Table 15-2: Table 15-2 LDAP Authentication Method Pros and Cons Profile Type Pros Cons LDAP LDAP is a widely used directory service protocol. For example, LDAP is supported by Novell edirectory, Microsoft Active Directory, and OpenLDAP. This method works with Secure LDAP servers. This implementation supports context-less login. This implementation supports group access. LDAP trees may be viewable by unauthorized persons if they are not configured securely. 76 SuperLumin Nemesis

77 Understanding How Authentication Cookies Are Used If you are concerned that some authentication methods use cookies, you should understand the following two points about SuperLumin proxy server authentication cookie functionality. Authentication cookies are session-based, meaning they expire either when the browser closes or when an inactivity timeout occurs. Because unique authentication cookies are sent to each browser, there is no risk of global service access in NAT IP installations. In other words, each NAT client must authenticate to use the service. The usage of cookies by authentication profiles is summarized in Table 15-3: Table 15-3 Authentication Profile Cookie Usage Profile Type Cookies Used Cookie Effective Until LDAP Yes Current session ends or specified inactivity timeout occurs Setting Up Authentication Services (Overview) To enable authentication services, you must complete the following steps: 1 Create an authentication profile. See Section , Authentication, on page Create an access control policy with an authentication rule. See Section , Access Control Policy Definition, on page 176 and Section , Access Control Rule Definition, on page 178. Each policy is evaluated in order and each access control policy is comprised of rules. Each rule in a policy is also evaluated in order. If a rule contains an 'ending' action such as BLOCK or ALLOW, no additional rules or policies are evaluted. This ending action terminates the policy check. Authentication is an action, but is not a terminating action unless the authentication fails in which case the user is blocked from reaching any web sites until they have authenticated. 3 Create an access control list. An access control list is a list of access control policies. Access control lists evaluate the contained access control policies in order. If any policy encounters an ending action, then policy evaluation stops and no other policies in the list are evaluated. See Section , Access Control (Policy Management Options), on page 175. You can use the Configuration page of the browser-based management tool to create access control policies and lists. 4 Inform users regarding the following: Any workstation and/or browser preparation they must make, such as installing the SuperLumin Single Sign-on client. Authentication Services 77

78 You can use workstation administration products such as Novell ZenWorks to automate this process. The steps they will need to complete to log in and use the service What they should expect regarding inactivity timeouts, etc. while using the service 15.4 Using LDAP Authentication Use the information in this section to understand, create, and use LDAP authentication profiles How LDAP Authentication Works Figure 15-1 illustrates how LDAP authentication can be used to control access to proxy services Figure 15-1 Controlling Access to Proxy Services Using LDAP Authentication Internet 7 Browser Cache Device 4 LDAP Server 1A browser requests access to a Web page through service on a cache device. 2The cache device sends the LDAP authentication form to the browser over a secure channel. 3The user provides the username and password information. 4The cache device verifies the username and password with the LDAP server. If the information is verified, the process continues with Step 5. If the information is not verified, the cache device resends the authentication form with a message that the login attempt failed. 5The cache device sends a session cookie to the browser with an inactivity timeout limitation. 6The cache device returns the requested Web page to the browser. 8Subsequent browser requests contain the session cookie, and reauthentication is not required again unless an inactivity timeout occurs. NOTE: Users attempting to authenticate using LDAP must have a password. Empty and blank passwords are not supported. A user with an empty or blank password will not be able to authenticate Platforms Supported The following table summarizes the platforms supported for LDAP authentication: 78 SuperLumin Nemesis

79 Table 15-4 Supported LDAP Authentication Platforms Network Component Workstation Cache Device LDAP server Software Requirements Any SSL-capable Internet browser SuperLumin proxy server LDAP compliant database as specified in the profile Preparing Your Network for LDAP Authentication Figure 15-2 summarizes the configuration requirements for LDAP authentication: Figure 15-2 LDAP Authentication Configuration Requirements 1 Internet SSL Port SSL Port 2 Browser 3 Cache Device Port 389 or 636 LDAP Server 1The browser and the cache device must be able to communicate using an SSL connection. 2If Secure LDAP is enabled, the cache device must have the trusted root of the LDAP server used by the service. 3The cache device must be able to communicate with the LDAP server using port 389 (or port 636 if using Secure LDAP) Setting Up LDAP Authentication After you have completed the steps in Preparing Your Network for LDAP Authentication on page 79, you can set up an LDAP authentication profile by completing the steps in the following sections. Creating an LDAP Profile Complete the following steps: 1 In the browser-based management tool, click Configuration, then under Security Settings click Authentication. 2 Type a name for the profile in the Insert LDAP Profile field, then click Insert. IMPORTANT: Each profile name created on a cache device must be unique. The SuperLumin proxy server doesn't recognize case differences (MyProfile and myprofile are the same name to SuperLumin Proxy) and it will overwrite previously created profiles without warning if a duplicate name is used. 3 Specify the host name or IP address of the server containing the LDAP compliant directory in the LDAP Server hostname field. Authentication Services 79

80 4 Type the port number on which the LDAP server will listen for requests from the cache device. The default ports are: 389 for non-secure access and 636 for secure (SSL) access. 5 If the cache device and the LDAP server will communicate using SSL, check Secure LDAP Access. 6 (Conditional) If you selected Secure LDAP Access, specify the name and path of the trusted root file. This is the name and location of the LDAP server's trusted-root certificate that will be used for SSL communications between the cache device and the LDAP directory. 7 Specify the User Group Membership Attribute. This is the user object attribute that is used by the LDAP server to designate group membership 8 Specify the LDAP field name through which users can authenticate. You may enter field names using cn for Common Name format or uid for User ID format. 9 Specify an LDAP search base. You can click the Browse button to navigate your LDAP directory tree and choose the container that you want to start the LDAP search from. You can insert as many LDAP search base containers as needed. You can also choose a search base from the list of previously inserted search bases and select Search Subtrees to perform the search from the specified container and all sub containers in the tree. 10 If the cache device can authenticate to the LDAP server using anonymous bind, click Bind Anonymous. 11 If anonymous bind is not enabled on the LDAP server, select Bind Using Credentials and enter the username and password pair through which the proxy server will authenticate to the LDAP server before requesting the search. Enabling and Using LDAP Groups You can designate LDAP groups for authentication to SuperLumin proxy services by including the LDAP context for target groups. Users who are members of the groups will be able to authenticate using only their username. Designating the Group Class and/or Attribute Name Each LDAP-compliant directory uses a different mechanism for implementing group support. If you plan to set access control based on LDAP groups, you must also specify how the target directory's schema defines groups. The field under LDAP Group Settings, User Group Membership Attribute, tells SuperLumin proxy server the mechanism the target directory's schema uses to designate an LDAP group on the user object. 1 In the User Group Membership Attribute field, enter the user object attribute name that designates group membership. For example, Active Directory uses memberof and Novell edirectory uses groupmembership. This field is required for all LDAP group implementations. 2 Assign the profile to one or more proxy services. See Section , LDAP Authentication Profile, on page SuperLumin Nemesis

81 Adding Support for SuperLumin Single Sign-On SuperLumin provides a Single Sign-On solution that can be used with the configured authentication profiles. For example, if you have end users that use LDAP authentication and your LDAP server is a Novell edirectory server, you can configure the Windows clients to support edirectory Single Sign-On. IMPORTANT: The SuperLumin Single Sign-On client and the Novell BorderManager Client both use port 3024 for background authentication. If you need to install and run both clients on the same workstation, you must change the SuperLumin Single Sign-on port on the SuperLumin proxy server and on all workstations. To configure support for SuperLumin Single Sign-On 1 Open the Web-based management tool and click the Getting Started link at the top of the page. See Chapter 26, Using the Browser-Based Management Tool, on page Click Single Sign-On Client, then click SuperLumin Single Sign-On Windows Client. 3 Copy the slnlogin.exe file to a directory on your Windows client machine and double click on it to run it. This installs the SuperLumin edirectory Single Sign On file in c:\program Files\SuperLumin\slnLogin. 4 Copy the proxy server s Certificate of Authority (CA) public key file from the proxy server to your Windows client machine by right clicking Proxy CA Public Key (for SSO), selecting Save As, and then specifying a directory. On Windows XP, copy the file to c:\program Files\SuperLumin\slnLoginSvc\config\ On other Windows clients, the file is copied to c:\programdata\superlumin\slnloginsvc\config\ It is the file with a ".0" extension. 5 (Optional) To uninstall the SuperLumin Single Sign-On Windows client on Windows XP, run c:\program Files\SuperLumin\slnLogin\uninst.exe On other versions of Windows, run c:\programdata\superlumin\slnlogin\uninst.exe. NOTE: You can t uninstall the SuperLumin Single Sign-On Windows client using the Add or Remove Programs option in the Windows Control Panel. Changing the SuperLumin Single Sign-on Client Port Number The SuperLumin Single Sign-On client and the Novell BorderManager Client both use port 3024 for background authentication. If you need to install and run both clients on the same workstation, you must change the SuperLumin Single Sign-on port on the SuperLumin proxy server and on all workstations. To change the port number on a Windows workstation 1 Click Start > Run and then enter regedit. 2 Select HKEY_LOCAL_MACHINE and then select SOFTWARE. 3 Select SuperLumin and then select slnloginsvc. Authentication Services 81

82 4 Right-click ServicePort and then select Modify. 5 Select Decimal and then set Value Data to 3025 or any high port other than Click OK and then do one of the following to make the change effective. Restart the client (requires a new login) Click a file in the certificates directory - Program Files(or ProgramData)\SuperLumin\slnLoginSvc\config (no new login required) If you are running slnloginmon, right-click the SuperLumin Client icon and select Refresh (no new log on reqd) IMPORTANT: You must update your firewall settings to allow the new port. Port 3024 already allows BorderManager to work. To change the Single Sign-on port on the proxy server, see Section , Authenticate SL-SSO Action Configuration, on page SuperLumin Nemesis

83 16Access Control 16 This section contains information about access control Overview SuperLumin Proxy access control lets you control the traffic through the proxy. For example, authentication, content filtering, and explicit blocking and allowing are all done through SuperLumin access control. Authentication using SuperLumin access control has been enhanced from what existed in legacy cache systems. It allows a greater degree of flexibility and provides the means to handle graded authentication in an administrator-controlled data-flow. Access Control has been enabled at the service level. An administrator can define different access control rules for different services. After an authentication rule has been executed, the rules that follow that authentication rule have access to user information such as user names, groups, and contexts or domains. The rules also have access to the data stream, and therefore can make decisions based on IP, TCP and HTTP-level data. Services by default allow requests. If you want a service to deny requests, you must create a rule (typically the last rule) that blocks all requests. The access control functionality in SuperLumin proxy server allows you to create rules. Each rule consists of a set of conditions and one or more actions. If the condition result is TRUE, the actions are performed. Access control functionality also allows you to configure content filtering. For more information on configuring content filtering, see Configuring Content Filtering on page 86. IMPORTANT: By default, access control is not enabled and no rules or polices have been created or are active. Key Points to Understanding Access Control Certain access control actions are terminal and others are not. A terminal action is an action that stops all rule and policy processing when the action is encountered. Any subsequent rules and actions will not be processed if a terminal action is encountered. For example, allow and block are terminal actions. Authenticate is a conditionally terminating action and log target is not a terminal action. If the authenticate condition fails, the user is redirected to a login page (form-based authentication), or a 403 error is returned to the browser (SuperLumin Single Sign-on). Filter requests are a hybrid. Content filtering providers can be either authoritative or nonauthoritative. Authoritative filters determine if a request is allowed or blocked and are therefore terminal. Non-authoritative filters only determine if a URL matches a specific category. If it does match it is terminal. If it does not match it is not terminal. All rules and policies are order dependent. Policies and the rules in those policies are processed in the order they are specified. This means that you should put exceptions or more granular rules above rules that are less specific. For example, suppose you have configured the following policies/rules: 1. Authenticate all users. Access Control 83

84 2. Only allow users to access external sites on ports 80 and 443 (HTTP and HTTPS). 3. Only allow users who are members of a certain group to access the internet. 4. Filter requests using ContentKeeper. 5. Block everything else. Now suppose you want to add a rule that states that user John can go to external sites on any port, not just ports 80 and 443. You would have to add this rule between rules 1 and 2 above. Now, if he is going to an external HTTP site with a port override of 81 for example, then he would be allowed access when the new rule is added between rules 1 and 2. NOTE: In the example above, user John will not be filtered by content filtering software. The reason is that the new rule will allow him. Allow is a terminal action, which means that the content filter rule will not run. If filtering were mission critical, you would need to move the content filtering rule up in the list Process NOTE: These are just general guidelines. The access control policies you set up will all depend on your situation. The general process to set up and implement an Access Control List (ACL) is as follows: 1. Determine your ACL strategy. 2. Using the SuperLumin proxy server browser-based management tool, create access control policies. NOTE: The terms Access Control Policy and Access Control Profile are both used in the browser-based management tool. Both terms refer to the same thing. 3. Add the access control policies to an access control list. An access control list is a list of access control policies. Each policy is executed in order until an explicit block or allow is encountered. Access control services reference access control lists. An access control list references a set of access control policies. Access control policies reference access control conditions and actions Determining Your Access Control Strategy When you are determining your access control strategy, some questions to consider are: Should everything be blocked at a high level and access provided only to certain users? Should the rules be applied to all users or to specific users? Are the connections based on a single IP address, an IP address range, or an IP subnet? Are the destination addresses mixed? Should destinations be blocked by URL, a single IP address, an IP address range, or an IP subnet? 84 SuperLumin Nemesis

85 Authentication Anytime there is a user-specified rule, authentication needs to be configured and enabled on the service on which you're applying the access control policy. If the authentication is not set up properly, the user will not be prompted to authenticate. An authentication rule must precede all userspecified rules Examples Here are two examples of access control policies. Example 1: Enforce Authentication. This example describes creation of an authentication policy to require authentication before granting access. Before creating the access control policy, you must first create an authentication profile. After creating an authentication profile, create the access control policy with a rule that includes a condition set to Always and an Action set to either Authenticate Form-base or Authenticate SL-SSO. When creating the action, you must select the authentication profile that you have previously configured. Example 2: Blocking by Subnet. In this example, the organization is divided into two sections: R&D and Temp. R&D needs universal access; Temp needs access to innerweb only. Rule 1: allow access to all users connecting from R&D subnet destined to anywhere. Rule 2: allows access to all users connecting from Temp subnet to destined to innerweb.company.com. Rule 3: block access to all users connecting from anywhere destined to anywhere Creating an Access Control Policy In order to use the access control policies, you must create access control rules using either the command line interface or the browser-based management tool. To enable access control, do the following: 1 Launch the browser-based management tool. 2 Click Configuration > Access Control. 3 Configure your setup, as needed. IMPORTANT: If a SuperLumin proxy server is hosting the Web content, the port number must be included in the URL (i.e., Other Guidelines Some other guidelines for using access control are as follows: A destination rule cannot have multiple source types. Due to the architecture, the Source is specified as part of the policy (i.e., if specifying an IP Address Range, you would not want to specify a URL within the destination field of the same rule). A possible solution is to create another rule with the URL destination and so on with Single IP Address, Subnet, etc. Administrators will want to note case sensitivity with user IDs for access control policies, especially with RADIUS users since there is no method to copy the user object into the User Specific window. Access Control 85

86 A subnet entry must be followed with a hyphen. For example, if the Source or Destination is a Subnet Type, then the Subnet IP Address must be in the form: This distinguishes the Subnet Type from a Single IP Address. If the hyphen is not present then the rule will not take effect unless a requesting client is connecting from an IP address of , which is not very likely. The product does not perform reverse DNS lookups. If a URL maps to six unique IP addresses, an administrator would have to block the entire range or block each single IP address specifically Configuring Content Filtering In order to configure content filtering with SuperLumin Proxy, you must first purchase and install content filtering software from a content filter provider (such as ContentKeeper). See your content filter provider documentation for instructions on installing content filtering software. To configure content filtering 1 Launch the browser-based management tool. 2 Click Configuration > Access Control. 3 Click on an existing access control profile or create a new one by entering a profile name and clicking Add. 4 Create a new access control rule by entering a rule name and clicking Add. 5 Select Always as the condition, then click Add. 6 Select Filter Request as the action, then click Add. 7 Select the desired filter provider in the drop-down Filter Agent list, then click Filter Categories. You should also select the other desired action configuration items on the page. If the desired filter provider doesn t show up in the drop-down list, it is not properly installed. 8 Select the desired filter categories, then click OK on each page until you get to the main configration page, then click Apply All Changes. 86 SuperLumin Nemesis

87 17Managing Proxy Server Certificates 17 The SuperLumin proxy server has public key infrastructure mechanisms for generating, importing, using, and maintaining public key certificates. These include: An appliance-specific certificate authority (CA). Browsers won't recognize the appliance CA unless they are specifically configured to do so. This causes confirmation messages to be generated that can confuse users and cause them to not use the proxy server's caching services. To create proxy server-specific certificates, see the instructions in Section 17.2, Creating Certificates Using the SuperLumin CA, on page 87. Mechanisms for generating a certificate signing request (CSR) and storing issued certificates on the proxy server. Generating a CSR is the first step to obtaining a certificate from an external trusted CA. After you obtain certificates from one or more external CAs, you can use the proxy server certificate maintenance features to monitor certificate status and replace certificates when they expire. To generate a CSR and store the issued certificate, complete all the instructions in Section 17.3, Obtaining a Certificate from an External CA, on page 88 Because the creation process is different for internal and external certificates, they are described separately. See the instructions in Section 17.2, Creating Certificates Using the SuperLumin CA, on page 87 and Section 17.3, Obtaining a Certificate from an External CA, on page Naming Certificates As you create certificates on the proxy server, you should observe the following guidelines: 1. Identify the caching service for which the certificate will be used. 2. Pick a name for the certificate that you will easily associate with its corresponding caching service. The name must contain only alphanumeric characters and no spaces. For example, you might pick Foo for the name of the foo.gov reverse proxy or Marketing for the transparent service in the marketing department. 3. Identify the DNS hostname that the browser expects to find in the certificate Creating Certificates Using the SuperLumin CA Use the instructions in this section to create a certificate signed by the SuperLumin proxy server Certificate Authority (CA). The browsers accessing the proxy server s secure service that uses the newly created certificate need to import the proxy server s CA trusted root in order to accept its certificate as legitimate. Managing Proxy Server Certificates 87

88 If this is not done, users will receive certificate validation warning messages that could cause concern. To create a SuperLumin CA certificate 1 Using an attached keyboard and monitor, or connecting through SSH, log into the SuperLumin proxy server and start the command line interface tool by entering slash at the command line. 2 Enter the following commands in the order listed: 1. exec 2.crypto keymanager auto-generate new-key Replace with an appropriate name for the certificate. See Section 17.1, Naming Certificates, on page 87 for more information. A Generating new key message will display followed by a CA Passwd: prompt. Enter the root password. 3. apply The apply command will cause the changes to become effective Obtaining a Certificate from an External CA Use the instructions in this section to create a Certificate Signing Request (CSR) to obtain a certificate from an external Certificate Authority (CA) Requesting the CSR 1 Using an attached keyboard and monitor, or connecting through SSH, log into the SuperLumin proxy server and start the command line interface tool by entering slash at the command line. 2 Enter the following in the order listed: 1. exec 2. key-management 3. show Show displays the default settings of the information needed to create the CSR. You must change the values to your settings. 4. Provide the required information for the following settings: Enter Country Name Enter the two letter country code for your country (for example, US for the United States) Enter State or Province Name (full name) Enter the full name of the state or province where your organizaiton is legally located; do not abbreviate (for example, Utah) Enter a city name Enter the name of the city, town, or other locality where your company is legally located (for example, Draper) Enter Organization Name (e.g. company) 88 SuperLumin Nemesis

89 Enter the full and exact legal name of your organization; do not abbreviate (for example, SuperLumin) Enter Organizational Unit Name Enter the section or department of the organization (for example, Marketing) Enter Common Name (your name, server host name, or service name) Enter the fully-qualified domain name for your web server The domain name you enter for your web server must be an exact match. For example, if you intend to secure the URL then the common name of the CSR must be If you are applying for a wildcard certificate to secure all sub-domains of your domain, the common name must be *.example.com. Enter Address Enter your address 5. Run the gen-csr command to generate the CSR. Upon successful creation of the CSR the following message displays (where example.csr is replaced with the name you specified for the CSR): CSR has been written to /opt/sln/iproxy/keys/cert/example.csr 17.4 Importing a Trusted Root to a Cache Device LDAP authentication profiles that rely on a secure LDAP server require that the trusted root of their associated CAs be imported to the proxy server. For more information, see Section 15.4, Using LDAP Authentication, on page 78. When creating these profiles, you must import the trusted root into the cache device. To import the trusted root 1 Copy the trusted root file to the /tmp directory on the proxy server. You can use any SCP client (such as WinSCP) to copy the file. 2 Start the Slash CLI by entering slash at the command line. 3 Enter exec to go into Exec mode. 4 Enter the following commands in the order listed: key-management import trusted-root 5 Press the Tab key and then select the trusted root file you copied to the /tmp directory in Step 1. The trusted root file must be a pem or p7b file format. Ensure the file extension of the trusted root file is.pem or.p7b. Managing Proxy Server Certificates 89

91 18Cache Freshness 18 This section contains information about cache freshness Overview When first introduced to Web content caching, many network administrators assume that the object cache on a SuperLumin proxy server is basically the same as a browser's cache, which all users access when they click the Back button. The logical extension from this assumption is the fear that SuperLumin proxy server will serve stale content that doesn't accurately reflect the fresh content on the origin Web server. Actually, most time-sensitive Web content is flagged by Webmasters in such a way that it cannot become stale unless a caching system ignores the Webmaster's settings. And in fact, the SuperLumin proxy server honors all HTTP headers that affect cache freshness, including Time to Live, Don't Cache, and Must Revalidate directives. In addition, the SuperLumin proxy server can be fine-tuned for cache freshness in the following ways: Accelerated checking of objects that have longer than desirable Time to Live headers Delayed checking of objects that have shorter than desirable Time to Live headers Checking for freshness of objects that do not include Time to Live headers For more information on configuring SuperLumin proxy server for cache freshness, see Section , Cache Management, on page Managing Cache Freshness Cache freshness is a primary concern of most proxy server administrators. The following sections briefly explain how your proxy server ensures fresh content for network users and the options you have for adjusting this proxy server feature How the SuperLumin Proxy Server Checks for Object Freshness Although the following explanation is an over-simplification, it lays the foundation for the specific examples that follow this section. A SuperLumin proxy server has timers that it applies to every cached object. Each time an object is cached or revalidated, the proxy server starts a timer for that object. As long as the timer has not expired, the proxy server will vend the object from cache. After the time has expired and when the proxy server receives a request for the object, it will issue an IF-MODIFIED- SINCE request to the origin Web server. If the object has changed, SuperLumin proxy server retrieves the updated object into cache and serves it to the requesting browser before restarting the timer. Cache Freshness 91

92 If the object has not changed, the proxy server vends the object from cache and resets the timer, and the countdown for vending the object from cache begins again. If a browser forces a refresh of the object, SuperLumin proxy server honors the browser request, retrieves and caches the object regardless of whether it has changed, and restarts the timer How a SuperLumin Proxy Server Keeps Cached Objects Fresh A significant number of all Web objects either have no Time to Expire directives or are set to stay cached for as long as months or even years. Because many of these objects actually change fairly frequently, the proxy server has two timers for ensuring their freshness. You can configure these timers on the Cache Management page. Cache for a Maximum of: This setting overrides an object's Time to Live settings if it is longer than the setting s value. That is, SuperLumin proxy server will not vend an object that has been in cache longer than the specified time for HTTP Maximum without first determining if it should be refreshed. Cache for a Minimum of: This setting overrides an object's Time to Live settings if it is shorter than the setting s value. That is, SuperLumin proxy server will vend an object that has been in cache less than the settings value even if the origin Web server has specified that the object can only be cached for a time less then this value. For more information, see How SuperLumin Proxy Server Handles the Freshest Objects in Cache. Default Cache Time: SuperLumin proxy server applies this setting to objects that don't have Time to Live settings. That is, SuperLumin proxy server will not vend an object that has no Time to Expire setting that has been in cache longer than the time specified for HTTP Default without determining whether it should be refreshed How SuperLumin Proxy Server Handles the Freshest Objects in Cache Most Webmasters ensure that their time-sensitive objects have appropriate Time to Live directives. Late-breaking news stories and photographs, for example, might stay in cache for only a few minutes before expiring. By default, the SuperLumin proxy server simply honors the Webmasters' instructions and revalidates the objects in cache as directed. However, some proxy server installations, such as those connected through a modem, might need to limit how often these objects are refreshed. The proxy server has a third setting for this purpose, also accessible on the Cache Management page. Cache for a Minimum of: This setting sets the minimum number of hours or minutes SuperLumin proxy server will serve HTTP data from cache before revalidating it against content on the origin Web server. No requested object will be revalidated sooner than specified by this value. The default value is 0, meaning that SuperLumin proxy server honors the Time to Live directive for each object (assuming, of course, it is not longer than the HTTP Maximum setting). 92 SuperLumin Nemesis

93 If the setting is set to a value other than 0, it then overrides any object's Time to Live directive that is shorter than the value set Fine-Tuning Cache Freshness on Your Proxy Server The default settings explained in the previous sections are tuned for most proxy server installations. However, you might have special requirements that could be met better if the default settings were adjusted. Perhaps you are accelerating content that doesn't contain Time to Live directives but changes frequently and needs to be refreshed more often. You can adjust the HTTP Default setting in the Cache Management dialog box so that SuperLumin proxy server refreshes the objects more frequently. Perhaps you have severe Internet bandwidth restrictions and an environment with users who don't require object freshness checks within an interval of time specified in the HTTP Maximum caching option. You can adjust the HTTP Maximum setting on the Cache Management page to a different setting that meets your requirements and conserves bandwidth. If you choose to adjust the values, avoid settings that result in objects being refreshed more often than is necessary. Otherwise, you could easily negate the bandwidth and response-time benefits of having the proxy server on your network. Cache Freshness 93

95 19Managing Proxy Server Security Features 19 This section contains information about proxy server security features. For additional information about proxy server security configuration see Chapter 15, Authentication Services, on page 75 Chapter 16, Access Control, on page 83 Section , Packet Filter, on page 263 Section , Firewall Settings, on page Managing HTTP CONNECT Method Support The HTTP protocol supports a number of different access methods, such as GET, POST, and CONNECT. The CONNECT method is normally used to establish a tunneled connection between a browser and an origin Web server on a proxy service through which encrypted SSL traffic can be sent How the CONNECT Method Works When proxy servers receive CONNECT requests, they are expected to establish a tunneled connection to a specified host or IP address on a specified port. This allows the tunneled connection to be set up to any address and port An Unverified CONNECT Connection Is a Security Risk It is not safe to assume that all CONNECT requests received by proxy servers are actually for SSL traffic. Attackers frequently scan the Internet for proxies on port 8080 and other commonly used proxy ports to discover proxy servers that are accessible to them. Attackers Can Use Proxies to Attack Other Machines Inside a Firewall If a proxy server that supports the CONNECT method is inside a firewall and the proxy server is accessible from outside the firewall, outsiders can request a tunneled connection to any address and port inside the firewall. The proxy will set up the connection, thus allowing the attacker to have access to machines inside the firewall which would normally be inaccessible. To the machines inside the firewall, it appears that the connection is originating from the proxy server address inside the firewall rather than from outside the firewall. Attackers are known to have used this capability to break through the protection normally provided by firewalls. Managing Proxy Server Security Features 95

96 Attackers Can Hide Their Location Attackers can use the CONNECT method to request that a publicly accessible proxy server set up a tunneled connection which passes through the proxy. This hides the real address of the attacker. Attackers can then chain through several proxies by having the first proxy connect to the second, the second connect to the third, and so on, making it very difficult for law enforcement to discover where the attack is actually originating. Attackers can use the proxy server to send spam. Attackers can use the CONNECT method to connect to open SMTP servers. This allows the attacker to send SPAM messages through the proxy while hiding their location How SuperLumin Proxy Server Protects Your Network By default, SuperLumin proxy server enables the CONNECT method for forward proxy services and disables it for transparent proxy services because: Users accessing SSL sites such as banks or web based systems through a forward proxy must be able to use the CONNECT method to establish a tunneled connection with the origin Web server. Otherwise, they will not be able to access any SSL sites through the forward proxy service. Transparent services do not ordinarily need to use the CONNECT method. For proxy services that require CONNECT method support, SuperLumin proxy server monitors the data flowing through the tunneled connection. If the data is not SSL-related, SuperLumin proxy server immediately tears down the tunneled connection and doesn't forward the data requests. This prevents outsiders from gaining access through firewalls and attackers from establishing chains to hide their identity. The proxy server checks if traffic is SSL-related. This option is configurable and is enabled by default. You should only disable this if you know what you are doing Configuring SuperLumin Proxy Server to Meet Your CONNECT Method Requirements As explained in How SuperLumin Proxy Server Protects Your Network on page 96, SuperLumin proxy server is configured by default to use the CONNECT method only when necessary and to verify CONNECT method requests to protect your network against security risks. We recommend you use the default CONNECT method settings whenever possible. If you have special configuration requirements and are considering a non-default CONNECT method configuration, consider the following points: If you disable the CONNECT method for forward proxy services, you block access to all SSL sites for browsers using the service. These SSL sites could include banks, employee portals, or web based systems. You do not normally need to enable the CONNECT method for transparent proxy services. 96 SuperLumin Nemesis

97 For most installations, only forward proxies need to support the CONNECT method. However, if you configure your transparent proxy to intercept traffic normally intended for a forward proxy (such as port 8080), then the transparent proxy might also need to allow the CONNECT method. The Allow Connect and Force SSL on Connect options should always be used together. This protects your proxy server and network against the establishment of tunneled connections that are not SSL-related. Not using this protection makes your installation vulnerable to the risks described in An Unverified CONNECT Connection Is a Security Risk on page 95. Managing Proxy Server Security Features 97

99 20Automatic Configuration Mechanisms 20 The following table summarizes the tasks discussed in this chapter. To Learn about proxy server configuration files Create multiple proxy server configurations Restore the original factory settings Reimage the proxy server See Section 20.1, About Proxy Server Configuration Files, on page 99 Section 20.3, Creating Proxy Server Configuration Shortcuts, on page 100 Section 20.4, Restoring Factory Settings, on page 100 Section 20.5, Reimaging and Restoring the Proxy Server System, on page About Proxy Server Configuration Files Proxy server configuration is done using XML configuration files. The proxy reads the configuration files in order to configure proxy services. The XML configuration files are generated and updated by the SuperLumin CLI and also by the browser-based management tool. You should not attempt to alter the XML configuration files using other methods Backing Up and Restoring the Proxy Server Configuration You can back up and restore specific parts or all of the proxy server configuration using the browserbased management tool. NOTE: Backing up the proxy server configuration does not back up the license. To install or reinstall a license, see Installing a License on page Backing Up the Proxy Server Configuration To back up the proxy server configuration 1 In the browser-based management tool, click the Getting Started link, then click Import/Export Config. 2 Select the configuration you want to back up and then click Export. If the export worked, you should see a message indicating that the export was successful along with a link to the backup file. 3 Right-click the link to the backup file, select save as and save the configuration backup file to the desired location. Automatic Configuration Mechanisms 99

100 Restoring the Proxy Server Configuration To restore the proxy server configuration 1 In the browser-based management tool, click the Getting Started link, then click Import/Export Config. 2 Enter the name of the configuration file that you want to restore, or browse to select it, then click Import. This copies the configuration file to the correct directory on the proxy server. 3 Click the Configuration link at the top of the page, then click Apply All Changes Creating Proxy Server Configuration Shortcuts You might want to have more than one configuration for a proxy server, depending on business needs or other conditions. An alternate method to manually reconfiguring the proxy server is to create and save different configurations and to apply those configurations as needed Restoring Factory Settings WARNING: Restoring factory settings removes all the settings you have configured. This includes passwords, network addresses, and all proxy server cache services. You should also prepare an alternatively named backup configuration file as a precaution. You can quickly return the proxy server to its original factory settings using the quickstart script. Run /usr/sbin/quickstart to reinitialize your proxy server and get it up and running again. See Restoring the Proxy Server Configuration above for more information. NOTE: If you are attempting to restore the proxy server to factory settings using an SSH session, the SSH session will be dropped because the IP address is reset Reimaging and Restoring the Proxy Server System The proxy server comes with a CD that can be used to reimage the system. This reformats the hard disks and reinstalls the SuperLumin proxy server system. After reimaging a proxy server, you must either reinitialize it as described in the Getting Started guide or use a previously created backup to restore your configuration settings. WARNING: Restoring factory settings removes all the settings you have configured. This includes passwords, network addresses, and all proxy server cache services. You should also prepare an alternatively named backup configuration file as a precaution. 100 SuperLumin Nemesis

101 Complete the following steps to reimage and restore a proxy server. 1 Reinstall the proxy server using the CD that came with your SuperLumin proxy server. IMPORTANT: If the CD is in the proxy server, remove the CD, shut down the proxy server, recycle the proxy server's power switch, and allow the proxy server to restart. 2 Run /usr/sbin/quickstart as described in the Getting Started with SuperLumin Proxy Server documentation. 3 Reinstall the license on your server. See Chapter 14, Installing and Upgrading Licenses, on page Get the latest patches and upgrades by running exec online-update in the slash CLI or by accessing the Getting Started page in the browser-based management tool. 5 (Optional) If you ran quickstart as described in Step 2 above, reconfigure the desired services. If you restored from a previously created backup, you should already have the desired services configured. 6 Restart the proxy server. The proxy server should now be restored to its previous operating configuration. Automatic Configuration Mechanisms 101

103 21Configuring DNS for Social Media Cache Overview To benefit from Superlumin Social Media Cache services, client browsers on your network should use the Social Media Cache for all access to supported Social Media Web sites (currently Facebook and YouTube). To ensure that the Social Media Cache is being used, you must modify your local DNS server so that it resolves all requests for Social Media web sites to the Social Media Cache. After modifying your local DNS server, local client browsers send requests to the Social Media Cache and believe the Social Media Cache is a Social Media Web site. Providing configuration information for specific DNS servers is not provided here since many different DNS servers exist. However, if you are familiar with configuring DNS servers, you can use the information in this section to configure your DNS server to integrate with a Social Media Cache Configuration Guidelines In order for a DNS server to integrate with the Social Media Cache, it must support wild card name resolution. In other words, the DNS server must be able to resolve all host names in a specified domain or zone even though there is not an explicit A record for that host name. NOTE: The configuration tools used to configure some DNS servers do not support wild card name resolution. However, the underlying DNS server does support wild card name resolution. In this case, it may be necessary to modify the configuration files directly and not use the configuration tools. The DNS server must support multiple domains or zones. Since most modern DNS servers support multiple domains or zones, this should rarely be a problem. You must not configure a Social Media Cache to use the exact DNS server configuration that is described below. Doing so will cause name resolution loops, which in turn will cause the Social Media Web sites to appear to be down. If a second DNS server is not available, then the Social Media Cache should be configured to use one of the many publicly available DNS servers such as opendns.com or google DNS Server Configuration Before configuring the DNS server, three IP addresses must be available for use by the Social Media Cache. In this section, these IP addresses are identified as the first IP address, the second IP address, and the third IP address. After obtaining the three IP addresses, you must modify the DNS server by adding four domains or zones to the DNS server. The following paragraphs provide information for configuring each DNS domain or zone. Configuring DNS for Social Media Cache 103

104 Zone 1: facebook.com The facebook.com zone must have three hosts configured. They are 1. facebook.com. - This should resolve to the first IP address. Note that the trailing dot is important. 2. register - This should resolve to the second IP address. 3. * (all other hosts) - This should resolve the the first IP address. Zone 2: ak.facebook.com The ak.facebook.com zone must have two hosts configured. They are 1. s-static - This should resolve to the third IP address. 2. * (all other hosts) - This should resolve to the first IP address. Zone 3: fbcdn.net The fbcdn.net zone must have two hosts configured. They are 1. fbcdn.net. - This should resolve to the first IP address. Note that the trailing dot is important. 2. * (all hosts) - This should resolve to the first IP address. Zone 4: youtube.com The youtube.com zone must have two hosts configured. They are 1. youtube.com. - This should resolve to the first IP address. Note that the trailing dot is important. 2. * (all hosts) - This should resolve to the first IP address. NOTE: Microsoft DNS server requires you to enable loose wildcarding. You can find instructions for enabling loose wildcarding at ( and at ( DNS Zone Configuration Examples The following examples show the zone configuration files for the four zones described above. In these configuration files, the first IP address is , the second IP address is , and the third IP address is These configuration files are specific to ISC's Bind DNS server, version 9.5. Zone 1: facebook.com $TTL IN SOA ns.superlumin.com. root.ns.superlumin.com. ( ; serial 3h ; refresh 1h ; retry 104 SuperLumin Nemesis

105 1w 1d ) ; expiry ; minimum facebook.com. IN NS ns.superlumin.com. facebook.com. IN A register IN A * IN A Zone 2: ak.facebook.com $TTL IN SOA ns.superlumin.com. root.ns.superlumin.com. ( ; serial 3h ; refresh 1h ; retry 1w ; expiry 1d ) ; minimum ak.facebook.com. IN NS ns.superlumin.com. s-static IN A * IN A Zone 3: fbcdn.net $TTL IN SOA ns.superlumin.com. root.ns.superlumin.com. ( ; serial 3h ; refresh 1h ; retry 1w ; expiry 1d ) ; minimum fbcdn.net. IN NS ns.superlumin.com. fbcdn.net. IN A * IN A Zone 4: youtube.com $TTL IN SOA ns.superlumin.com. root.ns.superlumin.com. ( ; serial 3H ; refresh 1H ; retry Configuring DNS for Social Media Cache 105

106 1W 1D ) ; expiry ; minimum youtube.com. IN NS ns.superlumin.com. youtube.com. IN A * IN A Other Options The DNS specification requires clients to try the configured DNS servers in order. Using DHCP, it is possible to configure clients to have the following DNS servers in this order: Primary: The DNS server running on the proxy Secondary: The primary company DNS server Tertiary: A backup company DNS server The proxy could be configured to forward all unknown DNS requests to the company DNS servers. In this configuration, the proxy would resolve Facebook and Youtube. For all other servers, including internal company servers, the proxy would forward the request to the company DNS servers so they could do the name resolution. If the proxy were to go down, clients would see that the proxy is no longer resolving DNS requests. By default (and according to the DNS spec) they would fail over to the secondary and tertiary DNS servers, which would be the company s DNS servers. In the above configuration, there would be no downtime if the proxy server failed. Also, there is no configuration required on the clients because it is all done via DHCP and DNS. 106 SuperLumin Nemesis

107 2Host Name Resolution 22 As the SuperLumin proxy server processes browser requests, it uses its DNS host name resolution system to obtain the IP addresses of origin Web servers. This causes latency. In order to reduce this latency, the SuperLumin proxy server maintains a DNS cache in which it stores all resolved DNS host names. When another request is made for the same Web site, the SuperLumin proxy server easily retrieves the address from its DNS cache. The SuperLumin DNS cache maintains an entry for each resolved host name. These entries have a time-to-live (TTL) timer and remain in the DNS Cache for the period specified in the TTL timer, after which they are refreshed. After the time expires (they are refreshed), the SuperLumin proxy server again resolves the host name. The entries in the /etc/hosts files are added to the DNS cache and never expire. The SuperLumin DNS Host Name Resolution system is configured to use one or more DNS servers to resolve host names. For each host name resolution, the SuperLumin proxy server sends a DNS query to the first configured DNS server. If the host name is not successfully resolved using the first configured DNS server, then a DNS query is sent to the second configured DNS server. If the host name is not successfully resolve using the second configured DNS server, then a DNS query is sent to the third configured DNS server and so on. If the host name is not resolved and it does not contain a dot in its name, the domain name of the system is then appended and the proxy server tries to resolve the host name with the appended domain name. For example, if the received host name in the URL is foo and the domain name is superlumin.com, and foo is not resolved, the SuperLumin proxy server tries foo.superlumin.com next for name resolution Managing the hosts File The host name entries in the /etc/hosts file are added to the DNS cache and do not expire. You can manage the contents of the /etc/hosts file using the following procedure: 1 Start the SuperLumin browser-based management tool. For help, see Section 32.2 Starting the Management Tool, on page Click the Configuration tab, select Show Advanced Options, then click the Hosts link in the Network Settings section. 3 Select the checkbox next to the host you want to modify and then click the Modify button. 4 Modify the host name as desired. You can also delete the selected host by clicking the Delete button or create a new host file by specifying a host IP address and clicking Insert. The system polls the hosts file for changes every minute. If a change occurs, the system loads the revised hosts file and displays its contents on the system monitor. Host Name Resolution 107

109 23Logging 23 Logging proxy server caching activity can be useful for a number of reasons, such as monitoring end user activity or billing for services rendered. SuperLumin proxy server lets you specify how often a new log file will be started (rolled over), how long old log files will be retained, and the format of the log files Using Proxy Server Logging Services Your proxy server offers the following logging services: You can turn on logging for forward, transparent, and reverse proxy. NOTE: All HTTP services use one log file (/var/log/sln/iproxy/slnhttp). All services share this one log file and the options that configure it. Individual services may not be configured to log, but if they do log, then they all log in the same way to the same file. You can control the deleting of old log files based on an older-than-x time period or the number of log files in the system. The proxy server can create logs using both the common and extended log formats. A wide variety of tools exist for manipulating and processing these files. You can view archived HTTP logs and generate and view log reports by clicking the Monitoring link in the browser-based management tool Overview of Proxy Server Logging The SuperLumin proxy server provides a high-performance proxy cache system capable of handling thousands of transactions per second. Even though SuperLumin proxy server can log extensive details of each transaction and the disk space reserved for log files is quite generous on most proxy servers, SuperLumin proxy server can fill up the available disk space in a matter of minutes if transaction volume is high and log entries consume a few hundred bytes each. This section explains how proxy server logging works and presents management options you can use to ensure optimal use of the available log file disk space What the Proxy Server Can Log The following table shows the transactions the proxy server can log and the formats available for each service type. Service Common Extended Forward Proxy Yes Yes Transparent Proxy Yes Yes Reverse Proxy Yes Yes Logging 109

110 The Costs of Logging Performance Turning on logging for a given service increases system overhead and causes some performance degradation. Therefore, logging should be used only when service transactions must be tracked for monitoring end users, customer billing purposes, or other compelling reasons. Disk Space Transaction volume and log entry size can cause available log partition space to fill up quickly. Proxy cache disk space is unaffected by log files. See Planning Step 3: Calculating Log Rollover Requirements on page 112 for formulas you can use to estimate how quickly your logging partition will fill System Constraints To plan a logging strategy, you must know the capacity and limitations of your proxy server. Partition Space Is Preset It is essential that you know how much logging partition space is available on your proxy server. Logging partition space is not user-configurable; it is preset by the SuperLumin installation program. On a single disk system, the log partition is set to 10 GB. On a multi-disk system, the log partition is set to approximately <size of first disk> - 60 GB. For example, if the first disk is 200 GB in size, then the log partition would be set to approximately 140 GB (i.e., 200 GB - 60 GB). Log Files Must Be Rolled Over Before Deletion or Compression SuperLumin proxy server will not allow the deletion or compression of active log files files that are currently in use by the caching system. Only log files that have been rolled over and closed can be deleted or compressed. You can ensure you have closed files on the system by scheduling regular rolling over of log files. During each rollover, the current log file is closed and a new log file is opened. NOTE: Although you can monitor active log files, this is normally useful only for periodic administrative checks. Active files contain only the transaction data up to the moment and are incomplete from customer billing and other business standpoints. Logging Ceases When the Logging Partition Is Full When the proxy server encounters a log partition full condition, it stops logging and closes all active log files. Information that would have been logged after that point is lost. Other proxy server functions continue without interruption. 110 SuperLumin Nemesis

111 Log Filenames Are Limited The proxy server automatically generates log filenames as follows: Log filenames include a service name (such as slnhttp). Log filenames include a number. This is a number between 1 and the maximum number of log files that can be kept (default is 10). Log filenames include a.gz extension if they are compressed. They do not include an extension if they are not compressed. For example, slnhttp.1.gz, slnhttp.2.gz, or slnhttp.1 Log files that have been rolled are in /var/log/sln/iproxy/archive. Active log files are in /var/log/sln/ iproxy. The Proxy Server Offers Two Log Rollover Options Proxy server log rollover options let you specify when the proxy server closes active log files and opens new files so that the closed files can be compressed or deleted. Because of the limitations explained in this section, it is essential that you develop a solid log file rollover plan. This will ensure that your proxy server doesn't run out of logging partition space or overwrite log files before they can be analyzed. You can have the proxy server roll log files over according to time or file size, as explained in the following table: Option Roll Over by Time Roll Over by Size Description You can configure the proxy server to roll over log files according to time intervals. For example, you might want to configure the proxy server to roll log files ever six hours if the log partition space is filling every 12 hours. You can configure the proxy server to rollover log files according to size. This is useful if you aren t certain how long it will take to fill your proxy server s logging partition space. For example, you might want to specify a log file roll over size of 1000 MB (1 GB) if you are logging transactions for three services and the log partition is 7 GB Planning Your Logging Strategy As explained in The Costs of Logging on page 110 and System Constraints on page 110, logging of caching transactions involves system and maintenance overhead. If your situation requires logging, you should plan carefully so that the information you are tracking aligns with specific requirements. This will ensure optimal use of proxy server resources. Because logging requirements and transaction volume vary widely, it is impossible to make recommendations regarding specific logging strategies. Logging 111

112 The following sections step you through the logging strategy planning process. We recommend you record the information you gather on a planning sheet of some kind Planning Step 1: Determining Your Logging Requirements To plan a logging strategy, you should first determine the requirements driving the need for logging. We recommend you complete the following steps: 1 Identify the business and/or other reasons for tracking service transactions. Examples include customer billing requirements, statistical analysis, or growth planning. 2 Record this information for later reference Planning Step 2: Selecting a Log File Format and Optimizing the Log Entry Size If you use the common log format, each log entry size is fixed. If you use the extended log format, each log entry size depends on the number of log fields selected. Complete the following steps for each service you need to track: 1 Referring to Logging (page 209), record which log fields must be tracked. 2 Carefully scrutinize the information you plan to track to ensure that the log data collected is essential. Consider the following points: Logging the method will consume additional space and provide little, if any, critical information. If you plan to import SuperLumin proxy server log files to a third-party reporting tool, you will need to use the extended format and ensure that the URI and URI-STEM fields are all selected. If not, the reporting agents won't be able to import the logs and compile the information. The main point is to log only the essential data because a few bytes can add up quickly when the cache device is tracking thousands of requests every second Planning Step 3: Calculating Log Rollover Requirements You can have the proxy server roll over log files based on time or on size, but not both. If you already know which option you want to use, scan this section and then complete only the calculations pertinent to your choice. If you don't know which option best matches your situation, completing the calculations in this section should help you decide. Variable Definitions The following variables are used in the formulas: logvol_size: The total disk capacity reserved for log files on your proxy server. 112 SuperLumin Nemesis

113 On a single disk system, the log partition is set to 10 GB. On a multi-disk system, the log partition is set to approximately the size of first disk minus 60 GB. For example, if the first disk is 200 GB in size, then the log partition would be set to approximately 140 GB (200 GB minus 60 GB). logentry_size: The average log entry size. You can determine this by configuring your proxy server to track the required information, generating traffic to the proxy server, uploading the log files, determining how large each entry is, and calculating the average. request_rate: The peak rate of requests per second. You can estimate this rate or place your proxy server in service and get more accurate data by accessing the browser-based management tool s Monitoring tab. num_services: The number of services that will be configured. Calculating DISK_FULL_TIME Using the following formula, you can calculate how long it will take the proxy server to fill your logging partition space: disk_full_time seconds = logvol_size / (request_rate * logentry_size * num_services) For example, if you assume the following: logvol_size = 60 GB request_rate = 1000 requests per second logentry_size = 1KB num_services = 1 Then disk_full_time = (60 GB) / (1000 * 1KB * 1) = 63,914 seconds (1065 minutes or hours). The logging partition space will fill up every hours Configuring Logging Options Based on the planning you have completed in Section 23.3, Planning Your Logging Strategy, on page 111, you must now configure the log options for each affected service Configuration Step 1: Opening the Appropriate Log Options Dialog Box 1 In the browser-based management tool, open the Log Options dialog box for the logging type you want. Refer to the services you selected in Planning Step 1: Determining Your Logging Requirements on page 112. Logging 113

114 The following table gives the path for each service: Service Forward Proxy Transparent Proxy Reverse Proxy Path Configuration > Forward Proxy > Insert or Modify a service > Logging Options Configuration > Transparent Proxy > Insert or Modify a service > Logging Options Configuration > Reverse Proxy > Insert or Modify a Reverse Proxy service > Logging Options The following sections discuss each of the areas within the Log Options dialog box. For further information, see Section , Logging, on page Configuration Step 2: Selecting a Log Format 1 In the logging section specify the log format for the service based on the planning you did in Planning Step 2: Selecting a Log File Format and Optimizing the Log Entry Size on page 112. Remember that each bit of information you log increases the size of each log entry, thus affecting the rate at which logging partition space is used Configuration Step 3: Specifying Rollover Options 1 In the Log Options dialog box, specify how the proxy server rolls over the log files based on the planning you did in Planning Step 3: Calculating Log Rollover Requirements on page Configuration Step 4: Specifying Handling of Older Files You must schedule the regular upload and deletion of log files to avoid running out of log partition space. You can manage log files manually using secure copy (SCP). See Section 23.5, Manually Downloading and Deleting Log Files, on page 115. The proxy server also provides an option for dealing with old files as a failover precaution. These options automatically dispose of older files to avoid the disk full condition. The Limit Number of Files option lets you limit the total number of log files retained for each service. After the limit for each is reached, the oldest file for the service is deleted each time a new file is created. All logging data in deleted files is lost. To specify how the proxy server handles older files, complete the following: 1 In the Log Options dialog box, select how many old files should be kept. 114 SuperLumin Nemesis

115 Configuration Step 5: Monitoring and Refining Your Logging Strategy As with all proxy server operations, you should monitor what is happening with your logging strategy over time and make adjustments and refinements if necessary. When you monitor your logging strategy, you should ensure that: All the logging information you are gathering is being used. If not, you might be able to further reduce your logging record size. Your log file sizes match the estimated averages you used to plan your log file roll-over strategy. If not, you might need to adjust the frequency or even the method used to trigger log file rollover. Your logging strategy is leaving a buffer of free log partition space adequate for possible surges in proxy server traffic. All aspects of your logging strategy are keeping pace with increases in traffic through the proxy server Manually Downloading and Deleting Log Files The only method currently available for manually downloading and deleting log files is to use secure copy. This includes SCP on Linux and WinSCP for Windows. If you need to manage your log files manually, we recommend that you establish a regular schedule and ensure that all those responsible for downloading and deleting log files know the following things: When log files are to be downloaded and deleted How to determine the name of each log file to be downloaded and deleted Where to save the log files You will want to develop specific procedures for your situation. The following sections contain general ideas for accomplishing these tasks When to Download and Delete Log Files The primary consideration is that log files must be downloaded and deleted before the logging partition space fills up and the log file is deleted via the Max Number of Old Log Files setting Getting Log Filenames Before you can download or delete a log file, you must know its exact name. Proxy server log filenames can be listed from the command line or through an SSH session. The proxy server automatically generates log filenames as follows: Log filenames include a service name (such as slnhttp). Log filenames include a number. Logging 115

116 This is a number between 1 and the maximum number of log files that can be kept (default is 10). Log filenames include a.gz extension if they are compressed. They do not include an extension if they are not compressed. For example, slnhttp.1.gz, slnhttp.2.gz, or slnhttp.1 This naming convention accommodates up to 702 log files per day. If the rollover options are set so that all the possible filenames are used in one day, the log file with the ZZ letter identifier should not be closed manually until the start of the next day (unless the logging partition becomes full). To copy log files using secure copy, you must know the path to the files. Use the following table to determine the paths to various log files. File All log files Active log files Archived log files Location /var/log/iproxy /var/log/sln/iproxy /var/log/sln/iproxy/archive Archived log files may be zipped Downloading Log Files To download log files, you must use secure copy (scp on Linux or WinSCP on Windows) Deleting Uploaded Log Files After the log files have been downloaded and saved to another location, delete the files using one of the following options: Log in at the server console and use the rm command (bash shell) to delete the files. Use secure copy (scp on WinSCP on Windows) to upload the log file, and then delete it. This is the easiest option. Let the max number of log files option delete the file(s) for you About Extended Log Field Headers The following information about field values in extended log files might help you interpret the content of the files: Fields within the file are delimited by the tab character. A field is of two types: string and non-string. Fields containing no value are represented by a hyphen (-). Log files contain the following fields: Field 1: Date Field 2: Time Field 3: Elapsed time for the request in microseconds 116 SuperLumin Nemesis

117 Field 4: HTTP status code (e.g. 200, 403, 404) Field 5: Cache status (All statuses start with CACHE_ (e.g. CACHE_MISS). This includes the following statuses: UNKNOWN, DISK_HIT, MEM_HIT, MEM_DISK_HIT, DISK_PARTIAL, MEM_PARTIAL, MEM_DISK_PARTIAL, NEG_HIT, MISS, REFRESH_HIT, REFRESH_STALE, REFRESH_MISS, CLIENT_REFRESH, IMS_HIT, IMS_MISS, READ_FAIL, DENIED) Field 6: Client IP address Field 7: User name (Only valid if authentication is enabled.) Field 8: Content Length Field 9: HTTP Method Field 10: URI Field 11: Reserved Field 12: Reserved Field 13: Reserved 23.7 Logging Alerts The only option currently available for alerts is to log them. Alerts are written to the /var/log/sln/ iproxy/slnalerts file using syslog-ng. Using syslog-ng, you can also send alerts to other locations such as and SMS. For more information on logging and logging alerts, see ( documents/syslog-ng-v3.0-guide-admin-en.html/index.html). Logging 117

119 24Shutting Down and Restarting 24 If you need to shut down or restart the proxy server, you should shut it down properly to protect the data in memory and ensure the data is written to disk Restarting from the Browser-Based Management Tool 1 Start the browser-based management tool. 2 Click the Health link. 3 Shut down SuperLumin proxy server by clicking Shutdown Proxy. You can also restart the proxy by clicking Restart Proxy. You are given a chance to verify your selection. If you do not have access to the physical location of the proxy server, once you can access the browser-based management tool again, you know that the proxy server is up and running Shutting Down and Restarting Using SSH or the Command Line You can shut down or restart a proxy server down from the command line. NOTE: Both actions break the connection. If you restart the proxy server from a remote connection, you will be able to reconnect after the proxy server restarts. If you shut down the proxy server, however, someone will need physical access to the proxy server to restart it. To restart the proxy server from the command line, enter slash exec restart To shut down the proxy server from the command line, enter the following: slash exec Shutdown You need physical access to the proxy server to power it back on. NOTE: Shutting down and restarting the proxy server both happen immediately and without delay. You can t cancel the shutdown or restart process after it starts. Shutting Down and Restarting 119

121 25Time Synchronization 25 Time settings offered within the management tool are more than adequate for most system needs. For more information on the specific parameters available, see Section 25.1, Synchronizing Time, on page 121 and Section , Date & Time, on page Synchronizing Time You can either set the time manually or synchronize it using the network time protocol (NTP). The proxy server uses NTP by default and comes preconfigured with the folloing time server: pool.ntp.org You can add or delete servers using the browser-based management tool and the command line interface. For more information regarding NTP functionality, see Section 25.2, NTP Date & Time Synchronization Is Not Immediate, on page Using the Browser-Based Management Tool Adding or Deleting an NTP Server 1 Start the browser-based management tool, click Configuration, and then in the System Settings section, click Date and Time. 2 Click Setup NTP 3 Do one of the following: To add a server, type the DNS name or IP address of the server, then click Insert. To delete a server, click the Delete button next to the server you want to delete. You must apply the changes for the new configuration to take effect. Setting the Date and Time Manually 1 Start the browser-based management tool, click Configuration, and then in the System Settings section, click Date and Time. 2 Click Set Date and Time Manually. 3 Using the drop-down lists, select the correct time and date. 4 Click Update Now. Setting the Time Zone Manually 1 Start the browser-based management tool, click Configuration, and then in the System Settings section, click Date and Time. 2 In the Time Zone section, select the time zone, then click OK. You must apply the changes for the new configuration to take effect. Time Synchronization 121

122 Using the Command Line 1 Do one of the following: To add an NTP server address, enter slash conf time ntp server host time.xmission.com or server ip In the above example, replace time.xmission.com or with the host name or IP address of your time server. To remove an NTP server address, enter slash conf time ntp server host no time.xmission.com or server ip no In the above example, replace time.xmission.com or with the host name or IP address of your time server. To enable NTP, enter slash conf time ntp enable To disable NTP, enter slash conf time ntp no enable NOTE: You can specify the NTP server DNS name instead of its IP address. 2 To have the changes take effect, enter apply. For more command line options, refer to the proxy server's command line help. 122 SuperLumin Nemesis

123 25.2 NTP Date & Time Synchronization Is Not Immediate When you specify an NTP server, synchronization between the NTP server clock and the proxy server clock might not be immediate. If the NTP server clock has an earlier date or time setting than the proxy server clock, the system will slow down the proxy server clock until the two are synchronized. This provides for proper incrementation of log files and other time-sensitive information during the synchronization process. If the NTP server clock has a later date or time setting than the proxy server clock, synchronization between the two will generally be immediate. However, in certain situations you might observe the proxy server clock incrementing by 600-minute intervals. This is normal system behavior. IMPORTANT: If necessary, you can set proxy server time manually to the target time and then reenable the NTP feature. If your time is far off from the correct time, NTP will not synchronize the time. In this case, you must set the time close to the correct time and then let NTP perform time synchronization. Time Synchronization 123

125 VIBrowser-Based Tool Help VI The following table summarizes the tasks covered in this section. To Launch and use the browser-based management tool See Chapter 26, Using the Browser-Based Management Tool, on page 127 Use the Quick Start page Section 27.1, Getting Started Page, on page 131 Use the Health page Section 27.2, Health Page, on page 147 Use the Monitoring page Section 27.3, Monitoring Page, on page 148 Use the Configuration page Section 27.4, Configuration Page, on page 159 Browser-Based Tool Help 125

127 26Using the Browser-Based Management Tool 26 NOTE: Information contained in this chapter is incomplete and still being developed. Contact SuperLumin Networks for the latest SuperLumin proxy server documentation. Use the information in this section to explore, understand, and use the browser-based management tool Prerequisites for Running the Management Tool You need the following: A SuperLumin proxy server that has been initialized and is currently running To initialize or reinitialize your proxy server, run the SuperLumin proxy server quickstart script. To do this, enter quickstart at the server console. A Java-enabled browser, such as Netscape* Navigator* 4.07 (or higher), Netscape Communicator* 4.5 (or higher), Internet Explorer 7.0 (or higher), or Mozilla Firefox 3.0 or later running on your workstation SSL 2.0 and SSL 3.0 (where available) enabled on the browser The IP address of the SuperLumin proxy server After the SuperLumin proxy server has been configured with an IP address and mask, a gateway server, and a DNS server, you can administer the SuperLumin proxy server over the network via any client that can communicate with it over IP Starting the Management Tool 1 Start the browser on your client workstation. 2 Point the browser to the IP address or DNS name of the SuperLumin proxy server you want to manage followed by /manage. The URL must contain a DNS name or an IP address you have already configured on the SuperLumin proxy server, for example: or NOTE: The SuperLumin management tool requires a secure connection, so using http in the URL will automatically redirect to https: NOTE: The DNS name or IP address must contain the /manage in the path. Otherwise, the browser will receive a 404 Not Found error message. Using the Browser-Based Management Tool 127

128 3 Enter the name of the administrative user and the password you assigned to the administrative user when you installed the SuperLumin proxy server. You may have assigned a name other than config when you created the administrative user. The name may have been assigned in the Quickstart script. Regenerating a Certificate for Accessing the Management Tool If you get certificate error while trying to access the browser-based management tool, you may need to regenerate a security certificate. You can do this using the SuperLumin CLI by entering slash at the command line and then running the following commands in the order listed. exec key-management number-of-bits 2048 number-of-days 7300 common-name host.domainname Replace host.domainname with the name of your host/domain. gen-ca common-name host Replace host with your host name. gen-certificate sln-iproxy-gui exit quit You may need to delete your browser certificate before regenerating a certificate. Changing the Management Tool Timeout The browser-based management tool is configured to timeout after ten minutes of inactivity. You can change the timeout value using the following steps: 1 Log in to the proxy server as a user with administrative privileges. 2 Use a text editor to open the following proxy configuration file: /opt/sln/iproxy/web/manage/iproxy.conf 3 Change the session_inactivity_timeout value to the desired setting. The units are in seconds The Apply and Cancel Buttons As you make changes to SuperLumin proxy server parameters in the management tool, these changes are tracked and accumulated in a buffer until you either apply or cancel them. You can make changes on multiple pages and wait to apply them all at once. 128 SuperLumin Nemesis

129 This does not apply when setting the current date and time on the Set Date and Time page. Changes to this page are effective immediately.furthermore, if you change the NTP server, the SuperLumin proxy server time will change with the next synchronization cycle (normally about 15 minutes). Except in the cases just mentioned, clicking Apply All Changes commits all changes made on any page since the last time you started the SuperLumin proxy server or clicked Cancel All Changes. Clicking Cancel All Changes cancels all changes made since the last time you started the SuperLumin proxy server or clicked Apply All Changes. Clicking Cancel All Changes is also a quick way of requesting that the SuperLumin proxy server reread the currently displayed settings. After you click Apply All Changes or Cancel All Changes, the action cannot be undone The Help Link You can click the Help link at the top of the page to display the online documentation. A table of contents appears in the left frame. To navigate through the documentation, you can click the titles in the table of contents Encryption If you have specified passwords for SuperLumin proxy server management purposes, communications regarding the password are transmitted through HTTPS. Using the Browser-Based Management Tool 129

131 27The Management Tool Main Page 27 The main page of the management tool is the Getting Started page. The Getting Started page provides access to wizards that let you quickly set up proxy services and adapters, install licenses, and update your proxy server with the latest patches and software from SuperLumin Getting Started Page The proxy server Getting Started page provides links to wizards and licensing and update information. Figure 27-1 Getting Started Page The following options are available from links on the left panel of the Getting Started page: Getting Started: Provides instructions on licensing and proxy service creation. Licensing (see Section , Licensing, on page 132) Latest Updates (see Section , Latest Updates, on page 132) Quick Service Creation (see Section , Quick Service Creation, on page 133) Single Sign On Client (see Section , Single Sign-On Client, on page 145) Import/Export Config (see Section , Import/Export Configuration, on page 146) The Management Tool Main Page 131

132 Licensing Path: Getting Started Page > Licensing The Licensing page lets you check the current licensing status and also lets you install a license that you have obtained from SuperLumin Networks. Figure 27-2 Licensing Page Before installing a license, you must have already copied the license.bin.number file to your desktop. To install a license, enter the license filename or click Browse and select it, then click Install License. The license file will automatically be renamed to remove the number and will be copied to the appropriate directory on the proxy server. After installing the license, the proxy server must be restarted for the license to be activated. See Installing and Upgrading Licenses on page 73 for more information on licensing and licenses Latest Updates Path: Getting Started Page > Latest Updates The Latest Updates page lets you check to see if there are updates available for your proxy server and installs updates and patches. 132 SuperLumin Nemesis

133 Figure 27-3 Latest Updates Page Click Check for Update to have your proxy server scanned for the current software version and to check for updates and patches on the SuperLumin Web site. If needed updates or patches are found, they are automatically installed. This process can take several seconds Quick Service Creation Path: Getting Started Page > Quick Service Creation The Quick Service Creation page starts a wizard that lets you quickly create and configure forward proxy services, transparent proxy services, and social media proxy services. Figure 27-4 Quick Service Creation Page Select the desired service and then click Next to start the Quick Service Creation Wizard for that service. The Management Tool Main Page 133

134 Forward Proxy Wizard Select Name Path: Getting Started Page > Quick Service Creation > Forward Proxy Service > click Next Figure 27-5 Forward Proxy Quick Service Creation Name Page Enter a name for the forward proxy service you want to create, then click Next. You can use the name that already appears or enter a unique service name Forward Proxy Wizard Select Address Path: Getting Started Page > Quick Service Creation > Forward Proxy Service > click Next > click Next Figure 27-6 Forward Proxy Quick Service Creation Address Page From the list of available addresses, select the IP address that the forward proxy service will be available on, then click Next. 134 SuperLumin Nemesis

135 If the desired IP address is not listed, you can quickly add another IP address by clicking Quick Adapter Setup. After clicking Quick Adapter Setup, click Modify under the desired adapter and add the needed IP address. If you have already added an address and don t see the address you want, the port needed for the forward proxy service may already be in use. See Section 8.1, Creating a Forward Proxy Service, on page 37 for more information Forward Proxy Wizard Logging/Authentication Path: Getting Started Page > Quick Service Creation > Forward Proxy Service > click Next > click Next > click Next Figure 27-7 Forward Proxy Quick Service Creation Logging/Authentication Page Choose if you want logging turned on and if you want authentication enforced, then click Next. If logging is turned on, forward proxy service caching activity will be saved in log files. The on-box reporting functionality of the SuperLumin proxy server uses log files to generate reports. Enabling logging is therefore recommended. Logging can be useful for generating reports that help you get a better understanding of user requests and activities. Logging can also quickly use up disk space. See Chapter 23, Logging, on page 109 for more information on logging and coming up with a logging strategy. If you choose to have authentication enforced, a user that has not been authenticated will receive a prompt to provide authentication information (username and password) before being allowed to use the forward proxy service. See Chapter 15, Authentication Services, on page 75 for more information Forward Proxy Wizard LDAP Configuration Path: Getting Started Page > Quick Service Creation > Forward Proxy Service > click Next > click Next > click Next > Select Yes on Authentication > click Next The Management Tool Main Page 135

136 Figure 27-8 Forward Proxy Quick Service Creation LDAP Configuration Page Specify the LDAP hostname, user fieldname, and context for the user objects, then click Next. LDAP is currently the only authentication method supported. To use LDAP authentication, you must provide the hostname of the LDAP server. You can use the ldaps://host.name.com or the ldap:/ /host.name.com form in the wizard Forward Proxy Wizard Authentication Configuration Path: Getting Started Page > Quick Service Creation > Forward Proxy Service > click Next > click Next > click Next > Select Yes on Authentication > click Next > Specify LDAP Configuration > click Next Figure 27-9 Forward Proxy Quick Service Creation Authentication Configuration Page Choose whether you want authentication events logged and if you want to use SuperLumin Single Sign-on, then click Next. See Section , Adding Support for SuperLumin Single Sign-On, on page 81 for more information on SuperLumin Single Sign-on. 136 SuperLumin Nemesis

137 Forward Proxy Wizard Verify Settings Path: Getting Started Page > Quick Service Creation > Forward Proxy Service > click Next > click Next > click Next > click Next Figure Forward Proxy Quick Service Creation Verify Settings Page Review the forward proxy settings and then click Finish and then Apply All Changes to save the settings. You can click the Cancel button to return to the main Getting Started page. Use the back button on your browser to step back through the previous pages of the wizard Transparent Proxy Wizard Select Name Path: Getting Started Page > Quick Service Creation > Transparent Proxy Service > click Next The Management Tool Main Page 137

138 Figure Transparent Proxy Quick Service Creation Name Page Enter a name for the transparent proxy service you want to create, then click Next. You can use the name that already appears or enter a unique service name Transparent Proxy Wizard Select Address Path: Getting Started Page > Quick Service Creation > Transparent Proxy Service > click Next > click Next Figure Transparent Proxy Quick Service Creation Address Page From the list of available addresses, select the IP address that the transparent proxy service will be available on, then click Next. If the desired IP address is not listed, you can quickly add another IP address by clicking Quick Adapter Setup. After clicking Quick Adapter Setup, click Modify under the desired adapter and add the needed IP address. If you have already added an address and don t see the address you want, the port needed for the transparent proxy service may already be in use. See Section 8.2, Creating a Transparent Proxy Service, on page 38 for more information. 138 SuperLumin Nemesis

139 Transparent Proxy Wizard Logging/Authentication Path: Getting Started Page > Quick Service Creation > Transparent Proxy Service > click Next > click Next > click Next Figure Transparent Proxy Quick Service Creation Logging/Authentication Page Choose if you want logging turned on and if you want authentication enforced, then click Next. If logging is turned on, transparent proxy service caching activity will be saved in log files. The onbox reporting functionality of the SuperLumin proxy server uses log files to generate reports. Enabling logging is therefore recommended. Logging can be useful for generating reports that help you get a better understanding of user requests and activities. Logging can also quickly use up disk space. See Chapter 23, Logging, on page 109 for more information on logging and coming up with a logging strategy. If you choose to have authentication enforced, a user that has not been authenticated will receive a prompt to provide authentication information (username and password) before being allowed to use the transparent proxy service. See Chapter 15, Authentication Services, on page 75 for more information Transparent Proxy Wizard LDAP Configuration Path: Getting Started Page > Quick Service Creation > Transparent Proxy Service > click Next > click Next > click Next > Select Yes on Authentication > click Next The Management Tool Main Page 139

140 Figure Transparent Proxy Quick Service Creation LDAP Configuration Page Specify the LDAP hostname, user fieldname, and context for the user objects, then click Next. LDAP is currently the only authentication method supported. To use LDAP authentication, you must provide the hostname of the LDAP server. You can use the ldaps://host.name.com or the ldap:/ /host.name.com form in the wizard Transparent Proxy Wizard Authentication Configuration Path: Getting Started Page > Quick Service Creation > Transparent Proxy Service > click Next > click Next > click Next > Select Yes on Authentication > click Next > Specify LDAP Configuration > click Next Figure Transparent Proxy Quick Service Creation Authentication Configuration Page 140 SuperLumin Nemesis

141 Choose whether you want authentication events logged and if you want to use SuperLumin Single Sign-on, then click Next. See Section , Adding Support for SuperLumin Single Sign-On, on page 81 for more information on SuperLumin Single Sign-on Transparent Proxy Wizard Verify Settings Path: Getting Started Page > Quick Service Creation > Transparent Proxy Service > click Next > click Next > click Next > click Next Figure Transparent Proxy Quick Service Creation Verify Settings Page Review the transparent proxy settings and then click Finish and then Apply All Changes to save the settings. You can click the Cancel button to return to the main Getting Started page. Use the back button on your browser to step back through the previous pages of the wizard Social Media Service Wizard Select Name Path: Getting Started Page > Quick Service Creation > Social Media Service > click Next The Management Tool Main Page 141

142 Figure Social Media Quick Service Creation Name Page Enter a name for the social media service you want to create, then click Next. You can use the name that already appears or enter a unique service name Social Media Service Wizard Select Addresses Path: Getting Started Page > Quick Service Creation > Social Media Service > click Next > click Next Figure Social Media Quick Service Creation Address Page Select the IP address or addresses that requests for social media will be routed to, then click Next. 142 SuperLumin Nemesis

143 You can click Quick Adapter Setup to add the IP addresses mentioned above or another address. After clicking Quick Adapter Setup, click Modify under the desired adapter and add the needed IP addresses. If you have already added addresses and don t see the address you want, the port needed for the social media service may already be in use. The DNS server will resolve requests to the addresses you specify where the requested social media content may be cached. You must specify three IP Addresses for the social media cache that is created by the social media wizard. The first address (which uses port 80) is needed to create a reverse proxy service to accelerate all domains associated with YouTube and Facebook. The first address on port 443 is used to create a tunnel (generic proxy) service for the Facebook secure login.facebook.com site. The second address on port 443 is used to create a tunnel service for the Facebook secure register.facebook.com site. The third address on port 443 is used to create a tunnel service for the Facebook secure s-static.ak.facebook.com site. NOTE: The IP address used for the SuperLumin mangement GUI cannot be used as one of the addresses for the social media cache. See Section 8.4, Creating a Social Media Cache Service, on page 40 for more information Social Media Service Wizard Logging/DNS Path: Getting Started Page > Quick Service Creation > Social Media Service > click Next > click Next > click Next Figure Social Media Quick Service Creation Logging/DNS Page Choose whether you want logging enabled and if you want to use the proxy server as the social media cache DNS server, then click Next. If logging is enabled, social media service caching activity will be saved in log files. The on-box reporting functionality of the SuperLumin proxy server uses log files to generate reports. Enabling logging is therefore recommended. Selecting the option for configuring the SuperLumin proxy server as the social media cache DNS server is recommended. Selecting this option creates a DNS server on the SuperLumin proxy with the needed DNS records for DNS host name resolution for the YouTube and Facebook sites. Even if The Management Tool Main Page 143

144 you create a DNS server on the proxy and don t use it as your primary DNS server, you can still use it to look at the created DNS records and get a better understanding of what DNS records are needed on the DNS server that will be used. If you already have a DNS server and choose not to create a DNS server on the proxy, you can simply add DNS records for the Facebook and YouTube domains to redirect traffic to the SuperLumin Social Media Cache server Social Media Service Wizard DNS Server Path: Getting Started Page > Quick Service Creation > Social Media Service > click Next > click Next > click Next > Choose Yes for DNS > click Next Figure Social Media Quick Service Creation DNS Server Page If you chose to have the proxy server also be the social media cache DNS server, select the IP address of your DNS server from the list of available addresses. This is the IP address of the listener for the DNS server. The default port for DNS is 53, so you can use the same IP address as the one used by the browser-based managemant tool. If you don t see the address you want, the port needed for the DNS server may already be in use. You can click Quick Adapter Setup to add another address. The IP address for the social media DNS server must be set as the primary DNS server on clients using the social media cache. Once the IP address of the social media DNS server is used as the primary DNS server, host name resolutions for YouTube and Facebook sites are correctly resolved to the IP address of the reverse proxy service that accelerates requests for YouTube and Facebook Social Media Service Wizard Verify Settings Path: Getting Started Page > Quick Service Creation > Social Media Service > click Next > click Next > click Next > click Next 144 SuperLumin Nemesis

145 Figure Social Media Quick Service Creation Verify Settings Page Review the social media service settings and then click Finish and then Apply All Changes to save the settings. You can click the Cancel button to return to the main Getting Started page. Use the back button on your browser to step back through the previous pages of the wizard Single Sign-On Client Path: Getting Started Page > Single Sign-On Client The Single Sign-On Client page lets you download the SuperLumin Single Sign-On Windows client and the CA public key for the SuperLumin Single Sign-On client. Figure Single Sign-On Client Download Page The Management Tool Main Page 145

146 Click the SuperLumin Single-Sign-On Windows Client link to download the client software. Rightclick the Proxy CA Public Key (for SSO) link to save the the CA public key certificate to your client machine. See Adding Support for SuperLumin Single Sign-On on page 81 for information on installing and configuring SuperLumin Single Sign-On Import/Export Configuration Path: Getting Started Page > Import/Export Config The Import/Export Config page lets you back up and restore specific parts or all of the proxy server configuration. Figure Import/Export Configuration Page Use the browse button to select an exported configuration archive file on your computer. Then click import to install the configuration. 146 SuperLumin Nemesis

147 Select the specific part of the proxy server configuration that you want to export, then click Export. Then on the page that displays, right-click the link on the page, select save as and save the file to the desired directory Health Page Use the SuperLumin proxy server Health page to view the general health status of the SuperLumin proxy server. You can also shutdown or restart proxy services or the proxy server from the Health page. The Health Status page indicates the general status of SuperLumin proxy server configurations, including which services are currently configured and the operational status of those services. NOTE: The text of the Health link at the top of the page turns red if a condition or conditions exist that require administrator attention. Figure Health Page The following information displays on the Health page: The Management Tool Main Page 147

148 Health Details Type: Lists the various types of services running on the proxy server. Status: Displays the current overall status of all proxy services with a status indicator. A green status indicates the proxy server has not detected any configuration discrepancies. A yellow status indicates the service may be functioning sub-optimally due to configuration discrepancies. A red status indicates the service configuration may be incomplete or incorrect. Messages One of the following messages will display in the Messages column: Passed: The service is operational. Warning: The service may not be operational. Failed: The service is not operational. Not Reporting: The service is not reporting. Not Configured: The service is not configured. Shut down SuperLumin Proxy by clicking Shutdown Proxy. You can also restart the proxy by clicking Restart Proxy. Clicking Shutdown System or Restart System shuts down or restarts the server, not just the SuperLumin proxy software Monitoring Page The Monitoring page lets you monitor statistics for SuperLumin proxy server activity in the following three ways: Device Information (see Section , Device Information, on page 148) Graphs (see Section , Graphs, on page 148) Logs (see Section , Logs, on page 149) Reports (see Section , Reports, on page 149) Device Information The Device Information section lets you view information and statistics in the following three areas: Device Benefits (see Section , Device Benefits, on page 152) Device Load (see Section , Device Load, on page 153) Device System Status (see Section , Device System Status, on page 155) Graphs The Graphs section lets you view statistical information for a specific time period in a graphical format in the following three areas: Bandwidth (see Section , Bandwidth, on page 156) Request Rate (see Section , Request Rate, on page 157) Connections (see Section , Connections, on page 158) 148 SuperLumin Nemesis

149 Superlumin Proxy uses RRDtool for a portion of its data collection and graphing services. See RRDtool ( for more information Logs The Logs section lets you view the log files that are generated for the different logging options. These log options include alerts, messages, policy, and HTTP. Clicking one of the log options displays up to 1500 lines of the selected log file type. There is no automatic refresh of the log that is displayed. If you want to refresh, click the desired log option link again to show the latest log information Reports Path: Monitoring Page > HTTP Archive The HTTP Archive Report page lets you create an HTTP Archive report. The report generator uses the log files that are created on the proxy server to get the information and data that is used in the report. You must have logging configured in order for log files to be available to be used in the report. Figure HTTP Archive Report Page When this page is initially displayed, the system scans the logging directory and the logging archive directory. It then reads each HTTP log file to determine the date ranges contained in the files. The following options display on the HTTP Archive Report page: The Management Tool Main Page 149

150 Archive Directory Status If the log archive is empty or there is an error reading the files, you will see an Archive Directory Status notification. If log files are found and there are no errors reading them, this section will not be present. If the log archive contains several files, the scanning process may take a few seconds. Archive Range This section shows the available date range found in all of the log files. Select Files By Date Range Include current file: By default, the system only checks archived files. Selecting this option causes the system to re-read the archive, including the non-archived currently active file. This option is not selected by default because this tool focuses on longer term reporting and is not intended for monitoring current activity. Start Date/End Date: Select the date and time range of the log files that you want included in the report. The system defaults to the most recent day in the available date range. Select Files Options Skip file entries not in range: Selecting a date range causes the system to use all files containing a date in that range. This option causes the system to not only use the files within the date range, but to also compare each entry in each file to the specified date range and only pull those entries that fall within the range. For example, assume a log file contains entries from Jan 01 through Jan 15, but you selected a range of Jan 07 through Jan 10. With this option set to OFF, the entire file would be included in the report. With this option set to ON, the report would contain only entries for Jan 07 - Jan 10. This option is off by default because processing each file one entry at a time takes longer than processing file by file Define Report Path: Monitoring Page > HTTP Archive > Define Report The HTTP Archive Define Report page lets you customize the report that is generated. You can choose the kind of information that is displayed in the report and how that information is organized. 150 SuperLumin Nemesis

151 Figure HTTP Archive Define Report Page The following options display on the HTTP Archive Define Report page: Table Information This section shows details for the MySQL table that was just created. Clicking the Details button displays the number of entries and which file they came from. The Details button is mostly used for troubleshooting, and only displays when the MySQL table is created. If you return to the main Reports page and then click the Define Report button again, the Details button is not displayed because the MySQL table is not recreated unless a new date range is selected. Filter Report Output This section lets you limit which MySQL table entries are used in the report. The UserName selector is populated with all usernames found in the newly created MySQL table. If the log files have no usernames, the only available options are -ALL- and -NULL- which indicates an empty field. Both the -ALL- and -NULL- options return the same results. Custom Reports This section contains two options for quickly creating custom reports. Clicking the Top Sites (By Hits) button or the Top Sites (By Bytes) option runs the report and ignores any settings made in the sections below. The Management Tool Main Page 151

152 Select Display Columns This section shows all the available columns in the MySQL table. You can select which columns you want included in the report. Group Results By This section involves the MySQL "GROUP BY" statement. If you select a field in this section, all entries with matching data in that field will be combined into one line in the report. For example, if you select a user name in the Filter Report Output section and then select UserIP in this section, a short list of all the IP addresses that user had used would be included in the report. Order Results By This section involves the MySQL "ORDER BY" statement. Specify how you want the data in the report sorted by selecting one of the options in this section. All reports are sorted by a specific value. HTTP reports are by default sorted using the "ReqTime" value. Data in reports are by default sorted in ascending order. If you want the data sorted in descending order, select Descending. Change Dates Clicking this button returns you to the HTTP Archive Report - Build Table page, while retaining all the selections you hav made. Note that selecting HTTP Archive in the left column does the same thing but does not save your selections. View Report Clicking this button displays the first page of the report. Most of the option in the report are self-explanatory. The Show SQL Query button shows you the actual SQL query that generated the report. The Go To button allows you to move around in huge reports without having to go through one page at a time Device Benefits Path: Monitoring Page > Device Benefits The Device Benefits list provides information on how the proxy server optimizes system resources. 152 SuperLumin Nemesis

153 Figure Monitoring Device Benefits Page The following information displays on the Device Benefits page: Requests: Displays the number of requests that were completed by using data cached by the proxy server rather than requesting the data from the Web servers. Bandwidth: Displays the amount of bandwidth saved by using data cached by the proxy server rather than requesting the data from the Web servers. Cache: Displays the percentage of hits the proxy server sent from cache rather than requesting it from the Web servers Device Load Path: Monitoring Page > Device Load Use the SuperLumin proxy server Monitoring pages to observe the activity of the SuperLumin proxy server. The SuperLumin proxy server Device Load page provides critical proxy server information and statistics. The Management Tool Main Page 153

154 Figure Monitoring Device Load Page The following options display on the Device Load page: Connections Connections to Browsers: Displays total number of current browser connections to the proxy server. Connections to Origin Servers: Displays total number of current fill connections the proxy server has opened to origin Web servers. Idle Connections to Origin Servers: Displays total number of idle connections to origin Web servers. Total Connections to Origin Servers: Displays total number of connections that have been filled to origin servers. Total Connections: Displays the total number of connections to browser connections to the proxy server added to the total number of connections to origin Web servers. Requests Active Requests from Browsers: Displays number of current requests from browsers to the proxy server. Active Requests to Origin Servers: Displays number of current requests from the proxy server to origin Web servers. 154 SuperLumin Nemesis

155 Total Active Requests: Displays the number of current requests the proxy server has received from the browsers and has sent to the Web servers. New Requests per second from Browsers: Displays the number of new requests being sent each second from the browsers to the proxy server. New Requests per second to Origin Servers: Displays the number of requests being sent each second from the proxy server to the Web servers. Bandwidth Current Mbps to Browsers: Displays total number of bytes of data being sent each second from the proxy server to requesting browsers. Current Mbps from Origin Servers: Displays total number of bytes of data being sent each second from the Web servers to the proxy server. Current Mbps in bandwidth savings: Displays the amount of bandwidth saved using data cached by the proxy server rather than requesting the data from the Web servers. Cache Cache Objects: Displays the total number of cacheable Web objects that are stored on the proxy server. This includes objects stored on disk and in memory. Current Cache Hit Rate: Displays the current cache hit rate. A high cache hit rate indicates the caching system is off-loading significant request processing from Web servers whose objects have been cached. Use this chart for capacity planning. Cache Disks: Displays the number of disk available for caching. Cache Disk Space: Displays the total disk space available for caching. The amount shown is smaller than the total disk space available on the Access Gateway because it doesn't include the disk space reserved for the operating system and log files. Cache Disk Space Used: Displays the amount of caching disk space currently in use. Objects in Memory Cache: Displays the number of Web objects that are stored in memory on the proxy server Device System Status Path: Monitoring Page > Device System Status The Device System Status page displays statistics relating to Web cache hierarchies. The Management Tool Main Page 155

156 Figure Monitoring Device System Status Page The following information displays on the Device System Status page: System Status CPU Utilization: Displays the current CPU utilization rate. Use this chart for capacity planning. Boot Partition Disk Space: Displays the total disk space configured for the boot partitions. Boot Partition Disk Space Used: Displays the disk space in use on the boot partitions. Boot Partition Disk Space Free: Displays the disk space available on the boot partitions. Swap Partition Disk Space: Displays the total disk space configured for the swap partition. Swap Partition Disk Space Used: Displays the disk space in use on the swap partition. Swap Partition Disk Space Free: Displays the disk space available on the swap partition. Total Installed Memory: Displays total available memory on the proxy server. Start Up Time: Displays the last time the proxy server was started. Up Time: Displays total time the proxy server has been running since last started Bandwidth Path: Monitoring Page > Bandwidth The Bandwidth graphs page displays graphs in megabits per second of the amount of traffic being processed through the proxy server. This includes traffic from brower requests, origin server requests, and saved requests. 156 SuperLumin Nemesis

157 Figure Bandwidth Graphs Page You can choose to have bandwidth graphs displayed for time periods of from 15 minutes to one year. You can also choose to have an area graph chart or a line graph chart displayed by clicking Show Area Charts or Show Line Charts Request Rate Path: Monitoring Page > Request Rate The Request Rate graphs page displays graphs of the number of requests per second from browsers, origin servers, and saved requests. The Management Tool Main Page 157

158 Figure Request Rate Graphs Page You can choose to have request rate graphs displayed for time periods of from 15 minutes to one year. You can also choose to have an area graph chart or a line graph chart displayed by clicking Show Area Charts or Show Line Charts Connections Path: Monitoring Page > Connections TheConnections graphs page displays graphs of the number of connections being made with the proxy server from browsers, origin servers, and saved connections. 158 SuperLumin Nemesis

159 Figure Connections Graphs Page You can choose to have connection graphs displayed for time periods of from 15 minutes to one year. You can also choose to have an area graph chart or a line graph chart displayed by clicking Show Area Charts or Show Line Charts Configuration Page The Configuration page shows the configuration settings of the proxy server. The Configuration page lets you configure the proxy server in the following eight areas: HTTP Services (see Section , HTTP Services, on page 160) Miscellaneous Services (see Section , FTP Proxy, on page 225) Appliance Settings (see Section , Appliance Settings, on page 160) Network Settings (see Section , Network Settings, on page 161) Hierarchy Settings (see Section , Hierarchy Settings, on page 161) System Settings (see Section , System Settings, on page 161) Security Settings (see Section , Security Settings, on page 161) Cache Settings (Advanced option) (see Section , Cache Settings, on page 162) The Management Tool Main Page 159

160 Figure Configuration Page HTTP Services The HTTP Services section of the Configuration page provides options for creating and configuring various proxy services. The following options are available in the Services section: Forward Proxy (see Section , Forward Proxy, on page 162) Reverse Proxy (see Section , Reverse Proxy, on page 216) Transparent Proxy (see Section , Transparent Proxy, on page 220) Miscellaneous Services The Miscellaneous Services section of the Configuration page provides an option for creating and configuring FTP proxy services and Generic Proxy Services. See Section , FTP Proxy, on page 225 and Section , Generic Proxy, on page Appliance Settings The Appliance Settings section of the Configuration page provides options for creating or modifying various appliance settings. 160 SuperLumin Nemesis

161 The following options are available in the Appliance Settings section: Listeners (see Section , Advanced TCP Options, on page 166) Protocol (Section , TCP Connect Options, on page 172) WCCP (see Section , WCCP, on page 257) Logging (see Section , Logging, on page 209) Network Settings The Network Settings section of the Configuration page provides options for changing settings on things like network adapters, gateways, DNS, etc. The following options are available in the Network Settings section: Adapters (see Section , Adapters, on page 243) Gateways (see Section , Gateways, on page 247) DNS (see Section , DNS, on page 248) DNS Server (see Section , DNS Server, on page 251) Hosts (see Section , Hosts, on page 255) Hierarchy Settings The Hierarchy Settings section of the Configuration page provides options for defining and configuring proxy hierarchy settings for use by the various HTTP proxies. Hierarchy (see Section , Hierarchy, on page 233) System Settings The System Settings section of the Configuration page provides options for changing the system date and time, Network Time Protocol settings, and time zone. Date & Time (see Section , Date & Time, on page 240) Security Settings The Security Settings section of the Configuration page provides options for configuring various security-related settings for both the appliance and the services confiured on the appliance. Firewall (see Section , Firewall Settings, on page 267) Packet Filter (see Section , Packet Filter, on page 263) Authentication (see Section , Authentication, on page 260) Access Control (see Section , Access Control (Policy Management Options), on page 175) The Management Tool Main Page 161

162 Cache Settings The Cache Settings section of the Configuration page is an advanced option that provides control over the configuration of the cache disks as well as how objects are stored in the cache. NOTE: You should not modify most options in the Cache Settings section unless you are directed to so do by Technical Support. Disk Management (see Section , Disk Management, on page 237) Cache Management (see Section , Cache Management, on page 213) Product Add-on The Product Add-on section of the Configuration page provides the option for configuring social media cache option. Social media caching minimizes bandwidth consumption and accelerates the delivery of social media content. See Section , Social Media, on page 269 for more information Forward Proxy Path: Configuration > Forward Proxy Use the Forward Proxy Insert page to create a forward proxy service. 162 SuperLumin Nemesis

163 Figure Forward Proxy Insert Page The following options display on the Forward Proxy Insert page: Forward Proxy Insert Forward Proxy Insert: Specify the name for the forward proxy, then click Insert. Forward Proxy List Enable: Displays the current enabled status of the defined forward proxy after you have configured it. The enabled status cannot be modified from this page. Name: Displays the name of the forward proxy service. Listening Address: Displays the IP address(es) of the forward proxy service. Port: Displays the port from which the Proxy server will receive forward proxy requests and send requested data back to the requesting browsers. The default is After clicking Insert, a page appears that lets you specify the different configuration options for the forward proxy service you specified. The Management Tool Main Page 163

164 Forward Proxy Configuration Path: Configuration > Forward Proxy > type a service name > Insert (or select an existing service) The Forward Proxy Configuration page lets you configure the forward proxy service. This includes letting you specify which IP addresses receive forward proxy requests from browsers and the ports the Proxy server listens on for forward requests. Figure Forward Proxy Configuration Page The following options display on the Forward Proxy Configuration page: Forward Proxy Enable Forward Proxy: Select this option to enable the Proxy server to handle forward proxy services. Browsers using this service must either be configured with the Proxy server as a forward proxy server, or they must be enabled to obtain the proxy address automatically using WPAD. To activate the service, you must select an existing Listener from the list of configured Listeners. 164 SuperLumin Nemesis

165 Allow Connect: Select this option to enable the forward proxy service to use the HTTP CONNECT method. NOTE: If Allow Connect is not enabled, then users will not be able to access websites that use SSL (e.g., financial institutions). Force SSL on CONNECT: Select this option to have the Proxy server check to ensure that HTTP CONNECT requests to the forward service contain SSL-related traffic. In general, this option should be enabled whenever the Allow Connect option is enabled. TCP Options: Select the TCP Options that this service will use for TCP Connect options (see Section , Advanced TCP Options, on page 166). Default TCP Options are included with the SuperLumin proxy server. You can create additional options by clicking the Protocol link in the left column of the main Configuration page. Listener: Select the listener that this proxy service will use to receive and send requests. If you have not configured a listener for the forward proxy service, you can create a new listener by clicking Add New Listener. See Listener on page 168 for information on creating a listener. Listening Port: This is the port from which the Proxy server will receive forward proxy requests and send requested data back to the requesting browsers. The listening port is specified when the listener is created. The default port is Listening Address(es): This is a list of the Proxy server IP addresses that forward proxy services running will run on. The listening address(es) are specified when the listener is created. Policy Enforcement Enable: Select this option to enable access control policies that you have previously created. Access control policies allow you to block or allow specific HTTP traffic. See also Section , Access Control (Policy Management Options), on page 175. Policy Management Options: Click the Policy Management Options button to open the Policy Management editor. Cache Management Select a cache management option policy to use for this forward proxy. Cache Management policies allow you to change how long the proxy caches objects, and to enable and disable certain cache optimizations (see Section , Cache Management, on page 213). Cache Management Options: Click Cache Management Options to open the cache management editor for the selected cache management policy. Disk Management Select a disk management option that you have previously created to use with this forward proxy service. See Section , Disk Management, on page 237) The Management Tool Main Page 165

166 Logging Options Enable: Select this option to enable logging of forward activity. Click Logging Options to edit the policy for HTTP logs. HTTP log options allow you to specify how the HTTP related-services log, including specifying common logs and extended logs, as well as how often new HTTP log files are started and how long HTTP log files are retained (see Section , Logging, on page 209). Hierarchy Options Enable: Select this option to enable hierarchy options that you have previously created. You can create create HTTP forward hierarchy options for the proxy server. See Section , Hierarchy, on page 233. Hierarchy Options: Click Hierarchy Optionsto open the Hierarchy editor. Click OK to save the Forward Proxy service. Or, click Cancel to discard changes and return to the Forward Proxy List. NOTE: You must click Apply All Changes to send the new configuration to the proxy Advanced TCP Options Path: Configuration > Forward Proxy > Insert a service > TCP Options > Advanced TCP Options > Modify or Path: Configuration > Protocol > Insert or Modify TCP Connect Configuration > Advanced TCP Options > Modify Use the Advanced TCP Options page to specify additional TCP options for proxy services. 166 SuperLumin Nemesis

167 Figure Advanced TCP Options Page The following options display on the Advanced TCP Options page: Advanced TCP Options Connection Handshake Timeout: Specify the number of seconds the proxy server attempts to establish a connection before timing out due to the browser not responding. You may want to increase this value if you notice the browser workstation is reachable (the ping succeeds), but the load is heavy. Keep Alive Interval: Specify the number of minutes a browser connection is idle before the Proxy server queries to check if the browser is still responding. Data Read Timeout: Specify the number of seconds the Proxy server waits for request data to arrive from the browser before it times out. You may want to increase this value if you notice browser connections are disconnected in the middle of data transfer. Idle Timeout: Specify the number of minutes the proxy server keeps the connection between the browser and the proxy server active, even if there is no data flow. Window Size: Specify the TCP receive window size for incoming browser requests. Enable Nagles: Select this option to enable the Nagles algorithm. The Management Tool Main Page 167

168 The Nagle's algorithm tries to conserve bandwidth by instructing a sender to buffer any data to be sent until all outstanding data has been acknowledged, or until there is a full segment of data to send. Re-Transmit Limit: Specify the number of retry requests that will be issued. Click OK to save the Advanced TCP options and return to the TCP Connect Options page. Or, click Cancel to discard changes and return to the TCP Connect Options page. You must click Apply All Changes in order for changes to take effect Listener Path: Configuration > Listener Use the Listener page to create a listen service for incoming connections using the protocol (TCP or UDP), IP address(es), and port you designate. A listener is an entity used by all HTTP -related services on the proxy. A listener is comprised of a list of IP addresses and a single port to be used by the service to listen for incoming requests. The IP address and port combination must be unique on the server. Figure Listener Page 168 SuperLumin Nemesis

169 The following options display on the Listener page: Name: Specify a name for the listening service. Port: Specify the port number you want the service to listen on for requests from the cache device. TCP/UDP: Specify the protocol (TCP or UDP) you want the listening service to use. After specifying the desired options, click Insert to create the listening service. You can also select an existing listener and click Modify to change the name, port number, protocol, and to add or remove IP addresses from the listener. To remove a previously configured listener, select the listener, then click Delete. Click OK to save changes and return to the previous page. Or, click Cancel to discard changes and return to the previous page. You must click Apply All Changes for changes to take effect Listener Settings Path: Configuration > Listener > Insert or Modify a Listener Use the Listener Settings page to add or remove IP addresses to or from the listener or to change the listener name, port number, and protocol. The Management Tool Main Page 169

170 Figure Listener Settings Page The following options display on the Listener Settings page: Listener Settings Name: Specify a name for the listening service. Port: Specify the port number you want the service to listen on for requests from the cache device. TCP/UDP: Specify the protocol (TCP or UDP) you want the listening service to use. Add IP Address IP Address: Select an IP address to add to the listener, then click Insert. If you are creating (inserting) a new listener, you must add at least one IP address to the listener. If you are modifying an existing listener, you can add an additional IP address to the listening service. 170 SuperLumin Nemesis

171 Remove IP Address IP Address: If you want to remove an IP address from a listener, select the desired IP address and then click Delete. Click OK to save changes and return to the previous page. Or, click Cancel to discard changes and return to the previous page. You must click Apply All Changes for changes to take effect Protocol Path: Configuration > Protocol Use the Protocol page to create TCP Connect and TCP Listen options. Figure Protocol Page The following options display on the Protocol page: TCP Connect Options Specify a name for a new TCP Connect configuration, then click Insert. You can also select an existing configuration (such as the default configuration) and modify or delete it. See TCP Connect Options on page 172 for more information on TCP Connect options. The Management Tool Main Page 171

172 TCP Listen Options Specify a name for a new TCP Listen configuration, then click Insert. You can also select an existing configuration (such as the default configuration) and modify or delete it. See TCP Listen Options on page 173 for more information on TCP Listen options. Click OK to save changes and return to the previous page. Or, click Cancel to discard changes and return to the previous page. You must click Apply All Changes for changes to take effect TCP Connect Options Path: Configuration > Protocol > Insert or Modify TCP Connect Configuration Use the TCP Connect Options page to specify connect options for proxy services. Figure TCP Connect Options Page The following options display on the TCP Connect Options page: Name: This is the name of the TCP Connect configuration. 172 SuperLumin Nemesis

173 Multiple Destination IP Address Policy: If you specified multiple Web server IP addresses when you configured proxy services, you can choose how you want attempted connections to those IP addresses handled. If you specify simple, the proxy will connect to the first IP address in the list. If you specify round-robin, the proxy will go from one address to another until it finds the requested information to fill its cache. Enable Persistent Connections: Select this option to ensure all connections from browsers to the Proxy server remain open. This option makes the response time between the Proxy server and browsers faster. Use Explicit Local Address: Choosing Yes on this option causes the proxy to resolve requests locally rather than performing a DNS lookup. Advanced TCP Options: Click Modify to access the Advanced TCP Options page. See Section , Advanced TCP Options, on page 166. Click OK to save changes and return to the previous page. Or, click Cancel to discard changes and return to the previous page. You must click Apply All Changes for changes to take effect TCP Listen Options Path: Configuration > Protocol > Insert or Modify a TCP Listen Configuration Use the TCP Listen Options page to specify listen options for proxy services. The Management Tool Main Page 173

174 Figure TCP Listen Options Page The following options display on the TCP Listen Options page: Name: You can use this option to change the name of the TCP Listen configuration. Enable SSL: Specifying Yes on this option enables a secure connection and ensures that communication between the proxy server and the browser uses a secure SSL channel. If you select Yes, you can click SSL Settings to choose SSL keys and trusted roots. Enable Persistent Connections: Select this option to ensure all connections from browsers to the Proxy server remain open. This option makes the response time between the Proxy server and browsers faster. Enable Advanced TCP Options: Click Modify to access the Advanced TCP Options page. See Section , Advanced TCP Options, on page 166. Click OK to save changes and return to the previous page. Or, click Cancel to discard changes and return to the previous page. You must click Apply All Changes for changes to take effect. 174 SuperLumin Nemesis

175 Access Control (Policy Management Options) Path: Configuration > Access Control or Path: Configuration > Forward Proxy > Insert a service > Policy Management Options NOTE: The terms Access Control Policy and Access Control Profile are both used in the browserbased management tool. Both terms refer to the same thing. Use the Access Control page to create access control policies and access control policy lists. An access control list contains one or more access control policies. The access control policies are executed in the order they are specified in the list. Each access control policy contains one or more conditions and actions that are also ordered. The policies and rules applied to access control lists govern HTTP requests and allow you to block, authenticate, or log specific HTTP traffic. It is the access control list that is selected when you configure policy enforcement in a proxy service. Figure Access Control Page The Management Tool Main Page 175

176 The following options display on the Access Control page: Access Control Profiles Name: Specify the name of the access control policy you want to create. The policy must contain at least two characters. You can also select an existing policy and click Delete to remove it. Request Type: Choose the request type for this policy. HTTP requests are currently the only type supported. After providing the name and request type for the policy, click Add to bring up the Access Control Policy Definition page. Access Control Lists Name: Specify the name of the access control list you want to create. You can also select an existing list and click Delete to remove it. Request Type: Choose the request type for this list. HTTP requests are currently the only type supported. After providing the name and request type for the policy list, click Add to bring up the Access Control Policy List page where you can add policies to the list Access Control Policy Definition Path: Configuration > Access Control > Insert Access Control Profile Use the Access Control Policy Definition page to add access control rules that govern proxy service requests to the policy. It is recommended that each access control policy contains a comment describing the purpose of the policy. 176 SuperLumin Nemesis

177 Figure Access Control Policy Definition Page The following options display on the Access Control Policy Definition page: Access Control Policy Definition Policy Name: Displays the name of the policy or profile you just created. Comment: Lets you specify a brief comment or description for the policy you are configuring. Although this field is optional, comments are highly recommended. Add Access Control Rules Add to Back: You can choose Add to Back to have this rule applied at the end or Add to Front to have this rule applied at the beginning of all the other rules that are part of this access control policy. Rule Name: Add a name for the rule you are creating for this policy. The Management Tool Main Page 177

178 After naming the rule, click the Add button to launch the Access Control Rule Definition page where you can configure addition rule options. You can also select an existing access control rule and click delete to remove it or click on the rule name to bring up the Access Control Rule Defintion page for that rule Access Control Rule Definition Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule Use the Access Control Rule Definition page to create and configure rules for access control profiles. Access Control rules let you govern how source or destination requests are handled by the proxy server. Figure Access Control Rule Definition Page The following options display on the Access Control Rule Definition page: Access Control Rule Definition You can optionally add or specify a brief comment or description for the policy you are configuring. 178 SuperLumin Nemesis

179 Conditions This section lists the conditions that apply to this rule. You can change the order in which the conditions are applied to the rule by selecting the condition and then clicking either the up or down arrow. You can modify a condition by clicking on it, delete a condition by selecting the checkbox next to the condition and clicking the Delete button, or change the relationship between conditions by selecting either AND conditions or OR conditions. Selecting And conditions means that each condition that has the And conditions applied has to be true in order for any of the actions to be performed. Selecting Or conditions means that only one of the conditions that has the Or condition applied has to be true in order for the actions to be performed. For example, suppose you have a condition designating host IPv4 equals and another condition designating host-port equals 443. If you select And conditions, The host IPv4 address must be and the host port must be 443 in order for any of the actions for the rule to be performed. If you select Or conditions, either the host IPv4 address being or the host port being 443 causes the rule actions to be performed. Add Condition to Rule You can choose Add to Back to have this condition applied at the end or Add to Front to have this condition applied at the beginning of all the other conditions that are part of this access control policy rule. Add the desired conditions that you want to apply to this rule and upon which you want to base conditional access. Each condition is labeled by the type of data on which it is based. The following conditions exist for HTTP requests: None Always Host IPv4 Host IPv6 Host Port Source IPv4 Source IPv6 Source Port Time Uri Scheme Uri Host Uri Path Uri Extension Uri User Authenticated User LDAP The Management Tool Main Page 179

180 Selecting one of the above conditions and clicking Add displays an Access Control Condition Configuration page that lets you specify the configuration information for the condition type you have chosen. Different configuration options exist based on the selected condition. The Always condition has no configuration options and is always true or false depending on what action you have selected. For example, if you want to make authentication or filtering happen every time, you would select always. Descriptions of the required information for each of the fields in the other access control conditions are found in the specific access control condition configuration sections. Actions This section lists the actions that apply to this rule. You can change the order in which the actions are applied to the rule by selecting the action and then clicking either the Move Up or Move Down button. You can modify and action by clicking on it or delete an action by selecting the checkbox next to it and clicking the Delete button. Add Action to Rule You can choose Add to Back to have this action applied at the end or Add to Front to have this action applied at the beginning of all the other actions that are part of this access control policy rule. Add the desired actions that you want to apply to this rule and upon which you want to base conditional access. The following actions exist for HTTP requests: None Allow Authenticat Form-based Authenticate SL-SSO Block Filter Request Execute Policy Log Target Selecting one of the above actions and clicking Add displays an Access Control Action Configuration page that lets you specify the configuration information for the action type you have chosen. Different configuration options exist based on the selected action. Some actions like Allow and Log Target have no configuration options. After selecting them, you can click on the action name and choose whether you want logging turned on. Actions are either terminal or non-terminal. Terminal actions behave differently that non-terminal actions. Some actions like allow and block are terminal or terminating actions, which means that if either of them is encountered, no other actions are performed. Authenticate Form-based and Authenticate SL-SSO are conditionally terminating actions, which means they only terminate if authentication is not successful. Filter Request is conditionally terminating, which means that it only terminates if a request matches a specific filter. The other actions are not terminal. See Chapter 16, Access Control, on page 83 for information on terminal and non-terminal actions. Descriptions of the required information for each of the fields in the access control actions are found in the specific access control action configuration sections. 180 SuperLumin Nemesis

181 Host IPv4 Condition Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Host IPv4 Condition to Rule Figure Host IPv4 Condition Configuration Page The following options display on the Host IPv4 Condition Configuration page: Condition Host IPv4 Configuration Condition: Shows that you have selected Host IPv4. Host is the destination (Web server) address. Operator: Select an operation for comparing the designated request data with the specified value. The operators available for the Host IPv4 condition are equals, in-range, and in-subnet. If you select the equal operator, the IP address being evaluated by the policy must exactly match the address you specify in the Compare field. If you select the in-range operator, the IP address being evaluated by the policy must be in the range you specify. For example, if you specified , any address from to inclusive will match. If you select the in-subnet operator, the IP address being evaluated by the policy must be in the subnet you specify. For example, if you specified , any address from /24 subnet will match. The Management Tool Main Page 181

182 Not Condition Result: Select this option to use the reverse of the operation you selected for comparing. For example, if you selected equals as the operator, not equal to would be used if you selected Not Condition Result. Compare: Type the IP address that will be compared against the designated request data using the operator you selected. You must specify an IPv4 address. DNS names are not allowed with this condition. If you want to use a DNS name, use the Uri Host condition to specify a DNS name. You must click OK and then Apply All Changes for changes to take effect Host IPv6 Condition Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Host IPv6 Condition to Rule Figure Host IPv6 Condition Configuration Page The following options display on the Host IPv6 Condition Configuration page: Condition Host IPv6 Configuration Condition: Shows that you have selected Host IPv6. Host is the destination (Web server) address. 182 SuperLumin Nemesis

183 Operator: Select an operation for comparing the designated request data with the specified value. The operators available for the Host IPv6 condition are equals, in-range, and in-subnet. If you select the equal operator, the IP address being evaluated by the policy must exactly match the address you specify in the Compare field. If you select the in-range operator, the IP address being evaluated by the policy must be in the range you specify. If you select the in-subnet operator, the IP address being evaluated by the policy must be in the subnet you specify. Not Condition Result: Select this option to use the reverse of the operation you selected for comparing. For example, if you selected equals as the operator, not equal to would be used if you selected Not Condition Result. Compare: Type the IP address that will be compared against the designated request data using the operator you selected. You must specify an IPv6 address. DNS names are not allowed with this condition. If you want to use a DNS name, use the Uri Host condition to specify a DNS name. You must click OK and then Apply All Changes for changes to take effect Host Port Condition Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Host Port Condition to Rule The Management Tool Main Page 183

184 Figure Host Port Condition Configuration Page The following options display on the Host Port Condition Configuration page: Condition Host Port Configuration Condition: Shows that you have selected Host Port. Host is the destination (Web server) port. Operator: Select an operation for comparing the designated request data with the specified value. The operators available for the Host Port condition are equals and in-range. If you select the equal operator, the port number being evaluated by the policy must exactly match the port number you specify in the Compare field. If you select the in-range operator, the port number being evaluated by the policy must be in the range you specify. For example, if you specified port , any port number from 80 to 200 inclusive will match. Not Condition Result: Select this option to use the reverse of the operation you selected for comparing. For example, if you selected equals as the operator, not equal to would be used if you selected Not Condition Result. Compare: Type the port number that will be compared against the designated request data using the operator you selected. For example, specifying port 80 includes all HTTP traffic. 184 SuperLumin Nemesis

185 You must click OK and then Apply All Changes for changes to take effect Source IPv4 Condition Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Source IPv4 Condition to Rule Figure Source IPv4 Condition Configuration Page The following options display on the Source IPv4 Condition Configuration page: Condition Source IPv4 Configuration Condition: Shows that you have selected Source IPv4. Source is the client (browser) address. Operator: Select an operation for comparing the designated request data with the specified value. The operators available for the Source IPv4 condition are equals, in-range, and in-subnet. If you select the equal operator, the IP address being evaluated by the policy must exactly match the address you specify in the Compare field. If you select the in-range operator, the IP address being evaluated by the policy must be in the range you specify. For example, if you specified , any address from to inclusive will match. The Management Tool Main Page 185

186 If you select the in-subnet operator, the IP address being evaluated by the policy must be in the subnet you specify. For example, if you specified , any address from /24 subnet will match. Not Condition Result: Select this option to use the reverse of the operation you selected for comparing. For example, if you selected equals as the operator, not equal to would be used if you selected Not Condition Result. Compare: Type the IP address that will be compared against the designated request data using the operator you selected. You must specify an IPv4 formatted address. You must click OK and then Apply All Changes for changes to take effect Source IPv6 Condition Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Source IPv6 Condition to Rule Figure Source IPv6 Condition Configuration Page The following options display on the Source IPv6 Condition Configuration page: Condition Source IPv6 Configuration Condition: Shows that you have selected Source IPv6. Source is the client (browser) address. 186 SuperLumin Nemesis

187 Operator: Select an operation for comparing the designated request data with the specified value. The operators available for the Source IPv6 condition are equals, in-range, and in-subnet. If you select the equal operator, the IP address being evaluated by the policy must exactly match the address you specify in the Compare field. If you select the in-range operator, the IP address being evaluated by the policy must be in the range you specify. If you select the in-subnet operator, the IP address being evaluated by the policy must be in the subnet you specify. Not Condition Result: Select this option to use the reverse of the operation you selected for comparing. For example, if you selected equals as the operator, not equal to would be used if you selected Not Condition Result. Compare: Type the IP address that will be compared against the designated request data using the operator you selected. You must specify an IPv6 formatted address. You must click OK and then Apply All Changes for changes to take effect Source Port Condition Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Source Port Condition to Rule The Management Tool Main Page 187

188 Figure Source Port Condition Configuration Page The following options display on the Source Port Condition Configuration page: Condition Source Port Configuration Condition: Shows that you have selected Source Port. Source is the client (browser) port. Operator: Select an operation for comparing the designated request data with the specified value. The operators available for the Source Port condition are equals and in-range. If you select the equal operator, the port number being evaluated by the policy must exactly match the port number you specify in the Compare field. If you select the in-range operator, the port number being evaluated by the policy must be in the range you specify. For example, if you specified port , any port number from 80 to 200 inclusive will match. Not Condition Result: Select this option to use the reverse of the operation you selected for comparing. For example, if you selected equals as the operator, not equal to would be used if you selected Not Condition Result. Compare: Type the port number that will be compared against the designated request data using the operator you selected. For example, specifying port 80 includes all HTTP traffic. 188 SuperLumin Nemesis

189 You must click OK and then Apply All Changes for changes to take effect Time Condition Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Time Condition to Rule Figure Time Condition Configuration Page You can use the Time Condition Configuration page to specify specific times in half hour increments that you want the rule to be applied. You can select entire days by clicking on the day name or the same time every day by clicking the hour on the top row. For example, if you wanted to allow access to Facebook and YouTube during lunch time every day, you could have set up a policy rule with actions that allow access to the Facebook and YouTube addresses. You would then select the desired times that you want to allow access on this page. You must click OK and then Apply All Changes for changes to take effect Uri Scheme Condition Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Uri Scheme Condition to Rule The Management Tool Main Page 189

190 Figure URI Scheme Condition Configuration Page The following options display on the Uri Scheme Condition Configuration page: Condition Uri Scheme Configuration Condition: Shows that you have selected Uri Scheme. The Uri scheme is the first part of the Uri. For example, http, https, and ftp are Uri schemes. Operator: This is the operation for comparing the designated request data with the specified value. The only operator available for the Uri Scheme condition is equals. Not Condition Result: Select this option to use the reverse of the operation you selected for comparing. For example, with equals as the operator, not equal to would be used if you selected Not Condition Result. Compare: Type the value or item that will be compared against the designated request data using the equals operator. For example, if you selected https as the compare value, any actions applied would be constrained to only Uri values of https. You must click OK and then Apply All Changes for changes to take effect. 190 SuperLumin Nemesis

191 Uri Host Condition Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Uri Host Condition to Rule Figure Uri Host Condition Configuration Page The following options display on the Uri Host Condition Configuration page: Condition Uri Host Configuration Condition: Shows that you have selected Uri Host. Operator: This is the operation for comparing the designated request data with the specified value. The only operator available for the Uri Host condition is in-list. This means that the Uri hosts listed under Compare will be evaluated against the specific operators that were selected for each of those hosts. One or more Uri Host values can be added to the Uri Host list. Not Condition Result: Select this option to use the reverse of the operation you selected for comparing. For example, with in-list as the operator, not in-list would be used if you selected Not Condition Result. Add Uri Host: Enter the desired Uri host, select the operator you want for that Uri host and then click Add Host to add a new Uri host to the list. The Management Tool Main Page 191

192 When a match is found, the remaining Uri hosts on the list will not be evaluated. The condition terminates as soon as a match is found. The available operators are equals, starts-with, ends-with, matches-regex, and matches-regexext. For example, you could enter and then choose equals as the operator and the condition would be true only if was used as the in the host portion of the Uri. If you entered.google.com and chose ends-with as the operator, the condition would be true for any host ending with.google.com, such as maps.google.com, images.google.com, etc. If you entered google. and chose starts-with as the operator, the condition would be true for any host starting with google., such as google.mail.com, google.map.com, etc. The matches-regex and matches-regex-ext operators are for POSIX regular expressions and POSIX extended regular expressions. This provides great flexibility and allows you to do things in one rule that can evaluate multiple possibilities. For more information on POSIX regular expressions, see POSIX Regular Expressions ( Regular_expression#POSIX). Compare: This shows the list of comparisons you have made. You can delete a comparison by selecting the checkbox next to it and clicking Delete. You must click OK and then Apply All Changes for changes to take effect Uri Path Condition Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Uri Path Condition to Rule 192 SuperLumin Nemesis

193 Figure Uri Path Condition Configuration Page The following options display on the Uri Path Condition Configuration page: Condition Uri Path Configuration Condition: Shows that you have selected Uri Path. Operator: This is the operation for comparing the designated request data with the specified value. The only operator available for the Uri Path condition is equals. Not Condition Result: Select this option to use the reverse of the operation you selected for comparing. For example, with equals as the operator, not equal to would be used if you selected Not Condition Result. Compare: Type the path that you want compared against the equals operator. For example, if you entered /finance in the Compare field, the condition would be true for any Uri path that is /finance. In a Uri path that has a? in it, the path ends at the question mark. You must click OK and then Apply All Changes for changes to take effect. The Management Tool Main Page 193

194 Uri Extension Condition Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Uri Extension Condition to Rule Figure Uri Extension Condition Configuration Page The following options display on the Uri Extension Condition Configuration page: Condition Uri Extension Configuration Condition: Shows that you have selected Uri Extension. Operator: This is the operation for comparing the designated request data with the specified value. The only operator available for the Uri Extension condition is equals. Not Condition Result: Select this option to use the reverse of the operation you selected for comparing. For example, with equals as the operator, not equal to would be used if you selected Not Condition Result. 194 SuperLumin Nemesis

195 Compare: Type the Uri extension that will be compared against the designated request data using the equals operator. This is the extension part of the Uri path. For example, you could specify.xml as the Compare value and any Uri extension that ends with.xml would be true. In this example, it doesn t matter if part of the Uri follows the.xml extension. If the path extension is.xml, the condition is true. You must click OK and then Apply All Changes for changes to take effect Uri Condition Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Uri Condition to Rule Figure Uri Condition Configuration Page The following options display on the Uri Condition Configuration page: Condition Uri Configuration Condition: Shows that you have selected Uri. Operator: This is the operation for comparing the designated request data with the specified value. The Management Tool Main Page 195

196 The operators available for the Uri condition are equals, starts-with, ends-with, matches-regex, and matches-regex-ext. Not Condition Result: Select this option to use the reverse of the operation you selected for comparing. For example, with equals as the operator, not equal to would be used if you selected Not Condition Result. Compare: Type the Uri that will be compared against the designated request data using the operator you selected. For example, if you selected equals as the operator, the condition would only be true if the entire Uri is used. So if the Compare value is that entire Uri would be required. If you selected starts-with as the operator and as the Compare value, the condition would be true for data, or any Uri that starts with The matches-regex and matches-regex-ext operators are for POSIX regular expressions and POSIX extended regular expressions. This provides great flexibility and allows you to do things in one rule that can evaluate multiple possibilities. For more information on POSIX regular expressions, see POSIX Regular Expressions ( Regular_expression#POSIX). You must click OK and then Apply All Changes for changes to take effect User Authenticated Condition Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add User Authenticated Condition to Rule 196 SuperLumin Nemesis

197 Figure User Authenticated Condition Configuration Page The following options display on the User Authenticated Condition Configuration page: Condition User Authenticated Configuration Condition: Shows that you have selected User Authenticated. Operator: This is the operation for comparing the designated request data with the specified value. The only operator available for the User Authenticated condition is via. This means that the condition is true if the user has authenticated to the specified authentication profile. Not Condition Result: Select this option to use the reverse of the operation you selected for comparing. For example, with via as the operator, not via would be used if you selected Not Condition Result. Compare: Select the name of the authentication profile that will be used to authenticate the user. An authentcation profile must already exist in order to be selected. See Authentication on page 260 for information on creating authentication profiles. You must click OK and then Apply All Changes for changes to take effect. The Management Tool Main Page 197

198 User LDAP Condition Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add User LDAP Condition to Rule Figure User LDAP Condition Configuration Page The following options display on the User LDAP Condition Configuration page: Condition LDAP User Configuration Condition: Shows that you have selected LDAP User. Operator: Select an operation for comparing the designated request data with the specified value. The only operator available for the LDAP User condition is in-list. As you add comparison values using the Add LDAP Comparison field, those comparisons are added to the list. The condition stops evaluating the remaining LDAP User conditions in the list as soon as a match occurs. Not Condition Result: Select this option to use the reverse of the operation you selected for comparing. For example, with in-list as the operator, not in-list would be used if you selected Not Condition Result. 198 SuperLumin Nemesis

199 Configuration: Select the authentication profile you want this rule to use. The authentication profile specifies the directory tree where the user object is located. An authentcation profile must already exist in order to be selected. See Authentication on page 260 for information on creating authentication profiles. Add LDAP Comparison: Enter the LDAP user objects, groups or contexts you want to be used for user object comparisons, then click Add. You can also select equals, in-group or in-context and then click Browse to look for and select specific users, groups, or contexts in the directory tree. Comparisons specified are explicitly or comparisons. This means that if you specified a group and a context, the comparison would be made for user objects in the group and then the context you specified. If the user object is found in the group, no further comparisons would be made. Compare: This shows the list of comparisons you have made. You can delete a comparison by selecting the checkbox next to it and clicking Delete. You must click OK and then Apply All Changes for changes to take effect Authenticate Form-Based Action Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Authenticate Form-Based Action to Rule The Management Tool Main Page 199

200 Figure Authenticate Form-Based Action Configuration Page The following options display on the Authenticate Form-Based Action Configuration page: Authenticate Form-based Configuration Authentication Profile: Select the authentication profile you want to be used with this action. An authentication profile must be created before you can assign the Authenticate SL-SSO action to an authentication profile. See Section , Authentication, on page 260 for information on creating an authentication profile. Time to Live in Minutes: This is the amount time after the connection becomes idle that the user remains logged in. The user must log in again if this time value elapses. The default time value is one minute. Allow all connects: Browsers use a CONNECT request to access a secure site when going through a forward proxy. If Allow all connects is selected, CONNECT requests are allowed access even if the connection has not authenticated. If Allow all connects is not selected, then only the CONNECT requests on authenticated connections will be allowed. Log: If this option is selected, successful and failed login attempts will be added to the log. IP Overrides Cookie: Selecting this option causes the proxy to perform the authentication based on the source IP address. 200 SuperLumin Nemesis

201 If the request does not have a cookie but the IP address is authenticated, then this is the same user on the same IP address. With this option, cookies are still used, they just are not always required. If this option is not selected, then a redirect and a cookie check are performed. If you want to match the existing functionality in Novell BorderManager, you should select this option. Alternate Host (Optional): If necessary, specify the IP address or host name of the server that clients connect to for accessing a Superlumin proxy server. Use this option only if your clients must connect to another host and cannot connect directly to a SuperLumin proxy server. For example, if your clients connect to a server that acts as a load balancer that redirects traffic to different proxy servers, you can provide that server s hostname or IP address here. If you specify this option, you must enable persistent connections. See TCP Connect Options on page 172. You must click OK and then Apply All Changes for changes to take effect Authenticate SL-SSO Action Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Authenticate SL-SSO Action to Rule The Management Tool Main Page 201

202 Figure Authenticate SL-SSO Action Configuration Page The following options display on the Authenticate SL-SSO Action Configuration page: Authenticate SL-SSO Configuration Authentication Profile: Select the authentication profile you want to be used with this action. An authentication profile must be created before you can assign the Authenticate SL-SSO action to an authentication profile. See Section , Authentication, on page 260 for information on creating an authentication profile. Time to Live in Minutes: This is the amount time after the connection becomes idle that the user remains logged in. The user must log in again if this time value elapses. The default time value is one minute. SL-SSO retries: This is the number of times after failed authentication attempts that the client will be sent SuperLumin Single Sign-on authentication requests. After this number has been reached, an authentication form is sent to the user. SL-SSO port: This is the port used for single-sign on authentication. The standard port is Because Novell BorderManager uses this port, you may need to change the port number if you have Novell BorderManager running concurrently with your SuperLumin proxy. 202 SuperLumin Nemesis

203 If you change the standard port number, you must also change the port number in the browser of each client machine that will access the proxy. See Changing the SuperLumin Single Signon Client Port Number on page 81 for more information. Log: If this option is selected, successful and failed login attempts will be added to the log. No Cookies: Selecting this option causes authentication information to not be stored in cookies. This means the user is required to provide login credentials each time they attempt to authenticate to the proxy unless IP Overrides Cookies is selected. If you select this option, you should also select the IP Overrides Cookie option. IP Overrides Cookie: Selecting this option causes the proxy to perform the authentication based on the source IP address. If the request does not have a cookie but the IP address is authenticated, then this is the same user on the same IP address. With this option, cookies are still used, they just are not always required. If this option is not selected, then a redirect and a cookie check are performed. If you want to match the existing functionality in Novell BorderManager, you should select both the No Cookies and the IP Overrides Cookie options. Alternate Host (Optional): If necessary, specify the IP address or host name of the server that clients connect to for accessing a Superlumin proxy server. Use this option only if your clients must connect to another host and cannot connect directly to a SuperLumin proxy server. For example, if your clients connect to a server that acts as a load balancer that redirects traffic to different proxy servers, you can provide that server s hostname or IP address here. If you specify this option, you must enable persistent connections. See TCP Connect Options on page 172. You must click OK and then Apply All Changes for changes to take effect Block Action Configuration Path: Configuration > Access Control > Add or Modify Access Control Profile > Add or Modify Rule > Add Block Action Use the Block Action Configuration page to specify the Web page that browser requests will be redirected to when access is attempted to the blocked page. The Block Action Configuration page only displays only when you select Block for the action to a rule. The Management Tool Main Page 203

204 Figure Block Action Configuration Page The following options display on the Block Action Configuration page: Block Page Value: Specify the URL of the Web page you want displayed when a request is blocked by the rule you are creating or editing. Because the URL can be different for each rule, you can create a separate page for each blocking rule if desired. Log: If you selected the Log option, an entry will be added to the log file. Click OK to save changes and return to the previous page. Or, click Cancel to discard changes and return to the previous page. You must click Apply All Changed for changes to take effect Filter Request Action Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Filter Request Action to Rule 204 SuperLumin Nemesis

205 Figure Filter Request Action Configuration Page The following options display on the Filter Request Action Configuration page: Action Filter Request Authentication Profile: Select the authentication profile you want to be used with this action. If an authentication profile does not exist, or you don t select an authentication profile, content filtering will apply to all users based on the condition. Login credentials are not sent to the filter provider. The content filtering provider then determines whether or not to allow access. An authentication profile must exist in order to appear in the list be available for assignment. See Section , Authentication, on page 260 for information on creating an authentication profile. Filter Agent: Select the filter agent you want to use for this policy. You must buy and install content filtering software in order for a filter agent to show up in the list. Filter Categories: Clicking Filter Categories displays a page that lets you select the categories you want to be applied to this policy. The number and types of filter categories is based on the content filtering software you have purchased and installed. The Management Tool Main Page 205

206 Deny On Category Match: This option causes access to be blocked when a user attempts to access a URL that falls into a category that is being filtered by the selected filter agent. This option is selected by default. Allow On Category Match: This option causes access to be allowed when a user attempts to access a URL that falls into a category that is being filtered by the selected filter agent. Deny On Error: Selecting this option causes access to be blocked if the filter returns any kind of error. This acts as a kind of safety net to deny access to blocked URLs if there is an error with the content filtering software. Allow Redirect: This option lets you redirect blocked URL access attempts to either a URL you specify (Configured Redirect) or to a URL determined by the filtering agent you selected (Prefer Filter Redirect). If you select this option and don t specify a configured redirect or a preferred filter redirect, users will receive a browser error if they attempt to access a URL that is blocked. Configured Redirect: Specify the URL you want blocked access attempts to redirect to. You can create and specify custom Web pages that are specific to the category being filtered. For example, if you specified the redirect URL as and the user attempted to access a filtered or blocked gambling page, the proxy could redirect the browser to In this example, the user sees this URL in his/her browser and the Web page that is displayed can give the gambling category as the reason the URL is not accessible. Allow Redirect must be selected in order to specify a configured redirect. Prefer Filter Redirect: If you select this option, blocked access attempts will be redirected to a URL that is determined by the content filtering agent you selected. Selecting this option causes the content filtering agent redirect to be used and any configured redirect to be ignored. Log Action: Selecting this option causes any content filtering category matches to be added to the log file. The log file is var/log/sln.iproxy/slnpolicy. You must click OK and then Apply All Changes for changes to take effect Execute Policy Action Configuration Path: Configuration > Access Control > Insert Access Control Profile > Add Access Control Rule > Add Execute Policy Action to Rule 206 SuperLumin Nemesis

207 Figure Execute Policy Action Configuration Page Select the policy you want to add. This action lets you specify another policy that is evaluated based on its own set of rules, conditions, and actions. This is useful for things like role-based authentication, where other policies can be defined for specific roles. After evaluating the rules, conditions and actions for the current policy you can specify that if a specific role is true, the action jumps or links to another policy and the rules, conditions and actions of that policy are then evaluated. You must click OK and then Apply All Changes for changes to take effect Access Control Policy List Path: Configuration > Access Control > Add Access Control List Use the Access Control Policy List page to add access control policies to an access control list. An access control list is a group of access control policies that are enforced in the order they appear in the list. It is recommended that each access control list contains a comment describing the purpose of the list. The Management Tool Main Page 207

208 Figure Access Control List Definition Page The following options display on the Access Control List Definition page. Access Control List Definition Policy List Name: Displays the name of the access control policy list you just created. Comment: Lets you specify a brief comment or description for the list you are configuring. Although this field is optional, comments are highly recommended. Policies Add to List: Select the desired access control policy and click Add to List to add it to the access control list. You can also select a policy and click Delete to remove it from the access control list. Repeat this for each policy you want to add or remove from the list. You can click the up or down arrow next to a policy to move that policy up or down in the access control list. You must click OK and then Apply All Changes for changes to take effect. 208 SuperLumin Nemesis

209 Logging Path: Configuration > Logging Use the Logging Options page to set the logging format and other logging options for a proxy service. Figure Logging Options Page TIP: For technical information on the common log file format, see the Common Log File Format Web site ( You can configure and modify logging for the following option types on the Logging Options page by clicking Modify next to the desired option. HTTP Logging Options Alert Logging Options FTP Logging Options Policy Logging Options Global Logging Options The Management Tool Main Page 209

210 Click OK to save the logging options. Or, click Cancel to discard changes and return to the Configuration page Log Options Configuration Path: Configuration > Logging > HTTP Logging Options Modify Use this page to modify or configure log options for the different protocols and policies used by SuperLumin Proxy. NOTE: The descriptions below are specific to HTTP logging options. Since similar or identical configuration options exist for the other logging options, no separate field descriptions for those other logging options have been included. Figure Log Options Configuration Page 210 SuperLumin Nemesis

211 You can configure and modify the following options on the Logging Options Configuration page. Log Options Stop Service on Log Failure: Select this option to have the service disable if logging fails for any reason. Use Common Log Format: Select this radio-button to enable logging and use the common log format. Use Extended Log Format: Select this option to enable logging and use the extended log format. Rollover Options Compress Log File On Rollover Rollover when file size reached (in MB): Select this option, then specify how often new log files are started or rolled over according to the log file size which will trigger the start of a new file. NOTE: If you specify file size as the trigger to start a new file and the Proxy server is shut down before and restarted after midnight, the Proxy server will start a new log file automatically. Rollover every: Select this option, then specify how often new log files are started or rolled over according to periods of time. Old File Options Limit number of files to: Select this option, then specify the maximum number of log files allowed. When this number of log files is reached, the oldest files will be removed from the system Extended Log Options Path: Configuration > Logging > Modify a logging option > Extended Options Use the Extended Log Options page to set logging format and other logging options for a proxy service. TIP: For technical information on the extended log file format, see the Extended Log File Format Web site. Extended Log File Format Web site ( The Management Tool Main Page 211

212 Figure Extended Log Options Page The following options display on the Extended Log Options page: Select the box next to any of the following field headers to have that information logged: User Name: The name of the user sending the request, if applicable. Server IP: The IP address of the Proxy server. Method: The HTTP method the browser sent to the Proxy server (GET, HEAD, POST, etc). URI: The HTTP URL the browser sent to the Proxy server. URI Stem: The stem portion of the HTTP URL the browser sent to the Proxy server. The stem is everything in the URL up to the first question mark. If the URL has no question mark, the URI Stem field is the same as the URI field. It is redundant if URI is selected. Cached Status: The value indicates whether the request was filled from cache. 1 = filled from cache 0 = not filled from cache 212 SuperLumin Nemesis

213 Time Taken: The time in seconds it took the Proxy server resources to deal with the request. Content Length: The size in bytes of the entire object delivered to a requesting browser. Click OK to save the logging options and return to the Proxy Service page. Or, click Cancel to discard changes and return to the Proxy Service page Cache Management Path: Configuration > select Show Advanced Options > Cache Management The Cache Management page lets you specify whether cachable objects that meet specific criteria are cached. These options are sometimes misinterpreted to imply that objects meeting the criteria are always cached. That is not the case. The Proxy server will not cache objects that Web server administrators have marked as non-cachable. By the same token, not having the options enabled is sometimes misinterpreted to imply objects meeting the criteria are never cached. This is also not true. Objects containing question marks and / cgi in the path might meet other criteria that cause them to be cached. The Management Tool Main Page 213

214 Figure Cache Management Page The following options display on the Cache Management page: New Cache Options Name: Specify a name that you want to apply to a set of cache options. A default cache option is already defined. You can create separate cache options with different cache enhancements and freshness by naming new options and clicking Insert. Cache Options List: You can click the dropdown box to display the cache options that already exist. You can also select a desired cache option and modify or delete it Edit Cache Options Path: Configuration > Cache Management > select a cache option > Modify The Cache Options Edit page lets you specify social media enhancements and freshness of the selected cache object. 214 SuperLumin Nemesis

215 Figure Edit Cache Options The following options display on the Cache Options Edit page: NOTE: The default settings explained below should not generally be changed, especially for forward proxy or transparent proxy services. If you are configuring a reverse proxy service and you know the HTTP headers coming from the accelerated Web site do not correctly indicate which objects should or should not be cached. You can use these options to correct caching problems. Social Media Enhancements Optimize Caching of Facebook: Select this option to optimize caching for Facebook. Optimize Caching of YouTube Videos: Select this option to optimize caching YouTube video objects. The Management Tool Main Page 215

216 Optimize Caching of SilverLight Videos: Select this option to optimize caching SilverLight video objects. Optimize Caching of Move Networks Videos: Select this option to optimize caching Move Networks video objects. Cache Freshness Cache for a Maximum of: Specify the maximum high ceiling number of seconds, minutes, hours, or days the proxy server will serve HTTP data from cache before revalidating it against content on the origin Web server. If the cache time returned by the origin Web server is higher than this number, it will be lowered to this value. If the cache time is lower than this value, it will not be changed. If an object has not been revalidated when this value expires, the object cannot be served from cache. Cache for a Minimum of: Specify the floor minimum number of seconds, minutes, hours, or days the proxy server will serve HTTP data from cache before revalidating it against content on the origin Web server. If the cache time returned from the origin Web server is lower than this value, it will be increased to this value. If the cache time is higher than this value, it will not be changed. No requested object will be revalidated sooner than specified by this value. Cache for a Default of: Specify the default number of seconds, minutes, hours, or days of the cache time for objects that do not have an HTTP freshness control header. Click OK to save the cache options you specified or click Cancel to discard changes and return to the Cache Management page. You must click Apply All Changes for changes to take effect Reverse Proxy Path: Configuration > Reverse Proxy Use the Reverse Proxy Insert page to name and add a reverse proxy service on the Proxy server. A reverse proxy is used to cache the content of specific origin Web servers. The Reverse Proxy relies on DNS to cause the Proxy server to receive requests originally targeted at the origin Web server. 216 SuperLumin Nemesis

217 Figure Reverse Proxy Insert page Specify the name for the reverse proxy and click Insert. You can also select an existing reverse proxy service and modify, rename or delete it Reverse Proxy Configuration Path: Configuration > Reverse Proxy > type a service name > Insert (or select an existing service and Modify) Use the Reverse Proxy Configuration page to configure a reverse proxy service on the Proxy server. You can select listeners that specify which IP addresses receive reverse proxy requests from browsers and the port that the Proxy server listens on for reverse requests. The Management Tool Main Page 217

218 Figure Reverse Proxy Configuration Page Reverse Proxy Enable Reverse Proxy: Select this option to enable the defined reverse proxy after you have configured it. New services are enabled by default. To activate the service, you must have configured a listener to listen on one or more IP addresses. TCP Options: Select the TCP Options that this service will use for TCP Connect options (see Section , Advanced TCP Options, on page 166). Default TCP Options are included with the SuperLumin proxy server. You can create additional options by clicking the Protocol link in the left column of the main Configuration page. Listener: Select the listener that this proxy service will use to receive and send requests. 218 SuperLumin Nemesis

219 You can create additional listeners by clicking Add New Listener. See Listener on page 168 for information on creating a listener. Listening Port: This is the port from which the Proxy server will receive reverse proxy requests and send requested data back to the requesting browsers. The listening port is specified when the listener is created. The default port is Listening Address(es): This is a list of the Proxy server IP addresses that reverse proxy services will run on. The listening address(es) are specified when the listener is created. Fill Host Management Fill Host Name: Enter the host name or domain name of the Web servers you want the reverse proxy service to fill the cache from, then click Add. You can also select an existing host and click Delete to remove it. Policy Enforcement Enable: Select this option to enable access control policies that you have previously created. Access control policies allow you to block or allow specific HTTP traffic. See also Section , Access Control (Policy Management Options), on page 175. Policy Management Options: Click the Policy Management Options button to open the Policy Management editor. Cache Management Select a cache management option policy to use for this reverse proxy. Cache Management policies allow you to change how long the proxy caches objects, and to enable and disable certain cache optimizations (see Section , Cache Management, on page 213). Cache Management Options: Click Cache Management Options to open the cache management editor for the selected cache management policy. Disk Management Select a disk management option that you have previously created to use with this reverse proxy service. See Section , Disk Management, on page 237. Logging If you select None, the reverse proxy service will became a RAM only cache. Enable: Select this option to enable logging of reverse activity. Click Logging Options to edit the policy for HTTP logs. HTTP log options allow you to specify how the HTTP related-services log, including specifying common logs and extended logs, as well as how often new HTTP log files are started and how long HTTP log files are retained (see Section , Logging, on page 209). The Management Tool Main Page 219

220 Hierarchy Options Enable: Select this option to enable hierarchy options that you have previously created. You can create create HTTP hierarchy options for the proxy server. See Section , Hierarchy, on page 233. Hierarchy Options: Click Hierarchy Optionsto open the Hierarchy editor. Click OK to save the revserse proxy service. Or, click Cancel to discard changes and return to the Reverse Proxy Insert page. NOTE: You must click Apply All Changes to send the new configuration to the proxy Transparent Proxy Path: Configuration > Transparent Proxy Use the Transparent Proxy Insert page to configure the Proxy server as a transparent proxy server. You can also specify which IP addresses receive transparent proxy requests from browsers and the ports the Proxy server listens on for transparent requests. 220 SuperLumin Nemesis

221 Figure Transparent Proxy Insert Page The following options display on the Transparent Proxy Insert page: Transparent Proxy Insert Name: Specify the name for the transparent proxy, then click Insert. Transparent Proxy List Enable: Indicates whether the defined transparent proxy service has been enabled. New services are not enabled by default. Name: Displays the name of the transparent proxy service. Listening Address: Displays the IP address of the transparent proxy service. Port: Displays the port from which the Proxy server will receive transparent proxy requests and send requested data back to the requesting browsers. The default is 80. The Management Tool Main Page 221

222 Click OK to save the list of Transparent Proxy services and return to the Configuration page. Or, click Cancel to discard changes and return to the Configuration page. You can also select an existing transparent proxy service and modify, rename or delete it Transparent Proxy Configuration Path: Configuration > Transparent Proxy (an existing service name) > type a service name > Insert Use the Transparent Proxy Configuration page to configure the Transparent Proxy server. You can also modify the configuration of an existing transparent proxy service. The page lets you specify which IP addresses receive transparent proxy requests from the browsers and the ports the Proxy server listens on for transparent requests. 222 SuperLumin Nemesis

223 Figure Transparent Proxy Configuration Page The following options display on the Transparent Proxy page: Transparent Proxy Enable Transparent Proxy: Select this option to enable the Proxy server to handle transparent proxy services. Browser requests must be routed to the Proxy server from a network router or switch. The Management Tool Main Page 223

224 To activate the service, you must have configured a listener to listen on one or more IP addresses. Allow Connect: Select this option to enable the transparent proxy service to allow the HTTP CONNECT method. Force SSL on CONNECT: Select this option to have the Proxy server check to ensure that HTTP CONNECT requests to the transparent service contain SSL-related traffic. TCP Options: Select the TCP Options that this service will use for TCP Connect options (see Section , Advanced TCP Options, on page 166). Default TCP Options are included with the SuperLumin proxy server. You can create additional options by clicking the Protocol link in the left column of the main Configuration page. Listener: Select the listener that this proxy service will use to receive and send requests. You can create additional listeners by clicking Add New Listener. See Listener on page 168 for information on creating a listener. Listening Port: This is the port from which the Proxy server will receive transparent proxy requests and send requested data back to the requesting browsers. The listening port is specified when the listener is created. The default port is 80. Listening Address(es): This is a list of the Proxy server IP addresses that transparent proxy services will run on. The listening address(es) are specified when the listener is created. Policy Enforcement Enable: Select this option to enable access control policies that you have previously created. Access control policies allow you to block or allow specific HTTP traffic. See also Section , Access Control (Policy Management Options), on page 175. Policy Management Options: Click the Policy Management Options button to open the Policy Management editor. Cache Management Select a cache management option policy to use for this transparent proxy. Cache Management policies allow you to change how long the proxy caches objects, and to enable and disable certain cache optimizations (see Section , Cache Management, on page 213). Cache Management Options: Click Cache Management Options to open the cache management editor for the selected cache management policy. Disk Management Select a disk management option that you have previously created to use with this reverse proxy service. See Section , Disk Management, on page 237. Logging If you select None, the reverse proxy service will became a RAM only cache. Enable: Select this option to enable logging of transparent proxy activity. 224 SuperLumin Nemesis

225 Click Logging Options to edit the policy for HTTP logs. HTTP log options allow you to specify how the HTTP related-services log, including specifying common logs and extended logs, as well as how often new HTTP log files are started and how long HTTP log files are retained (see Section , Logging, on page 209). Hierarchy Options Enable: Select this option to enable hierarchy options that you have previously created. You can create create HTTP transparent hierarchy options for the proxy server. See Section , Hierarchy, on page 233. Hierarchy Options: Click Hierarchy Optionsto open the Hierarchy editor. Click OK to save the Transparent Proxy service and return to the Transparent Proxy list page. Or, click Cancel to discard changes and return to the Transparent Proxy list page. You must click Apply All Changes for the changes to take effect. NOTE: In order for the transparent proxy service to work properly, you may need to create a packet redirector. This is necessary because the transparent proxy receives ALL outbound port 80 (http) traffic. None of this traffic is destined for the proxy, so the TCP/IP stack drops the packets. A packet redirector rule redirects the port 80 traffic to the proxy so the TCP/IP stack will not drop the packets. See Section 8.3.1, Modifying Packet Filter Rules (Transparent Proxy), on page 39 for more information FTP Proxy Path: Configuration > FTP Proxy Use the FTP Proxy page to choose whether you want the proxy to act as an FTP forward or FTP reverse proxy and to configure FTP proxy settings. The FTP Proxy service allows FTP requests that are received by the proxy server to be forwarded on the destination FTP server. The Management Tool Main Page 225

226 Figure FTP Proxy Page The following options display on the FTP Proxy page: FTP Proxy Type Act as ftp forward proxy: Choose this option if you want clients to forward outbound FTP traffic to the FTP Forward Proxy service instead of directly to the the destination FTP server. 226 SuperLumin Nemesis

227 Act as ftp reverse proxy: Choose this option if you want FTP traffic intended for the destination FTP server (inbound traffic) to go to the FTP reverse proxy service. The FTP reverse proxy service also provides additional functionality to help protect the FTP server from attacks. If you choose this option, you must also specify a destination address and port number. Destination Address: Specify the IP address of the FTP server that the FTP Reverse Proxy service will send FTP requests to. Destination Port: Specify the port number of the FTP server that the FTP Reverse Proxy service will send FTP requests to. FTP Proxy Settings Enable FTP Proxy: Select this option to enable the FTP Proxy service type you specified above. Listening Address: Choose the listening addresses you want the FTP proxy service to use to listen for incoming requests. You can choose to have the service listen on all addresses that are enabled to use the FTP proxy service or you can select a specific address from the list. Listening Port: Specify the port number you want the FTP proxy service to listen on for incoming requests. The port number must be unique for the server. The default port number is 21. Log Level: Select the log level that you want the FTP proxy service to use. Using this option you can choose to have only the log message types that you want generated. All log files are stored in /var/log/sln/iproxy/slnftp. The following log levels can be selected: FLT: Messages using this log level indicate a rare condition that may be due to an unknown problem. You may need to report messages of this type to SuperLumin Technical Support Services. ERR: Messages using this log level indicate a severe error condition that can lead to process termination. Action is required. WRN: Messages using this log level indicate a mild technical problem or inconsistency and may require action. INF: This is the default log level. Messages using this log level are generally for information only and don t require action. DBG: Messages using this log level can be used for diagnostic purposes and generally don t require an immediate action. Max Concurrent Clients: Enter the maximum number of FTP clients that the FTP proxy service will allow to be concurrently connected. The default is 50. Inactivity Timeout in Seconds: Enter the amount of time in seconds that a client can remain connected with no activity before that client s connection to the FTP proxy service is terminated. The default is 900 seconds. Connections per minute: Enter the maximum number of client connections that can be made to the FTP proxy service in one minute. The default is 50. Restrict FTP Commands: Select this option to enable restricting certain FTP commands, then click Modify and select only those FTP commands that you want to allow. This option defines the list of allowed FTP commands for the client. If you do not select this option, there will be no restriction on the allowed commands. If you do select this option, then all commands not selected will be denied. The Management Tool Main Page 227

228 FTP Messages: Click Modify, then create messages that will display when users successfully authenticate to the FTP proxy, are denied access to the FTP proxy, or if the maximum number of connections for the FTP proxy service have been exceeded. If you don t create messages for Deny Access or Maximum Number of Clients, a Service not available default message will be displayed. If you don t create a Welcome message, an FTP server ready default message will be displayed. NOTE: Authentication is currently not supported with SuperLumin FTP Proxy Services. FTP Proxy Advanced Settings Auth layout: Select this option if you want authentication configuration variable set to or auth@, then choose which one you is an encoding separator character. Auth layout is an authentication extension. It allows encoding of additional usernames and passwords using the USER and PASS commands for authentication. Auth Separator Character: If you want to use an encoding separator character other select this option and specify the character. Using character allows you to use addresses as usernames for login to the ftp server. Allow data connections only from the same host where the control connection originated: Since FTP allows control connections to come from anywhere and data connections to go anywhere, selecting this option provides some defense against outside attacks. It also prevents your FTP proxy service from being a potential bounce point. This option is selected by default. Deselecting this option allows the proxy to be included in third party server to server transfers. If this option is selected, transfers only take place to and from the client itself. Max Receive Buffer Size: This is the maximum amount of memory that can be used by any one FTP connection. You may want to adjust this to improve performance. Advertise as different address: You can use this option to specify an IP address that the users connecting through FTP will see rather than the actual address used by the FTP proxy service. You can specify an IP address, a DNS host name, or a file name. A filename is assumed if the name starts with a slash. The file is opened and scanned for the desired address. Blank lines or lines starting with # are ignored. Reading the address from a file may be useful for environments with masquerading and dynamic PPP connections Restrict FTP Commands Path: Configuration > FTP Proxy > Restrict FTP Commands > Modify Use the FTP Restrict Commands page to limit the FTP commands to only those that you choose in the list. 228 SuperLumin Nemesis

229 Figure Restrict FTP Commands page If you want to limit the FTP commands that can be used to manage the FTP proxy service, select Restrict FTP Commands to Those Selected, then select the FTP commands you want to allow. The FTP commands you select are the allowed FTP commands for the client. If you do not select Restrict FTP Commands to Those Selected, there will be no restriction on the allowed commands. If you do select this option, then all commands not selected will be denied FTP Proxy Messages Path: Configuration > FTP Proxy > FTP Messages > Modify Use the FTP Proxy Messages page to create messages that will display when users successfully authenticate to the FTP proxy, are denied access to the FTP proxy, or if the maximum number of connections for the FTP proxy service have been exceeded. The Management Tool Main Page 229

230 Figure FTP Proxy Messages page If you don t create messages for Deny Access or Maximum Number of Clients, a Service not available default message will be displayed. If you don t create a Welcome message, an FTP server ready default message will be displayed Generic Proxy Path: Configuration > Generic Proxy The Generic Proxy page is used to create a service that forwards certain request through the proxy to the destination server. An example of this is an SSL service for a web site. The proxy server can t interpret the data because it is encrypted. Because the user must go through the proxy in order to get past the firewall, a generic (or pass through) proxy is created to get the user out to the internet. UDP or TCP listeners can be created to be used with the generic proxy service and and allow requests to be forwarded from the browser through the proxy to the destination server. 230 SuperLumin Nemesis

231 Figure Generic Proxy Insert Page To add a generic proxy service, enter a name for the generic proxy service, then click Insert Generic Proxy Configuration Path: Configuration > Generic Proxy > Insert a Generic Proxy name Use the Generic Proxy Configuration page to configure a generic proxy service on the Proxy server. You can set up TCP options, select listeners that specify which IP addresses receive proxy requests from browsers and the hosts that you want the generic proxy service to forward requests to. The Management Tool Main Page 231

232 Figure Generic Proxy Configuration Page The following options display on the Generic Proxy Configuration page: Generic Proxy Enable Generic Proxy: Select Enable Generic Proxy to enable this generic proxy service. TCP Options: Select the TCP Options that this service will use for TCP Connect options (see Section , Advanced TCP Options, on page 166). Default TCP Options are included with the SuperLumin proxy server. You can create additional options by clicking the Protocol link in the left column of the main Configuration page. Listener: Select the listener that this proxy service will use to receive and send requests. If you have not configured a listener for the generic proxy service, you can create a new listener by clicking Add New Listener. See Listener on page 168 for information on creating a listener. Listening Port: This is the port from which the Proxy server will receive proxy requests and forward requested data on to destination Web servers. The listening port is specified when the listener is created. The default port is SuperLumin Nemesis

233 Listening Address(es): This is a list of the Proxy server IP addresses that generic proxy services running will run on. The listening address(es) are specified when the listener is created. Fill Host: Fill Host is the IP address or the host name of the destination server that requests will be forward to. Fill Port: Fill Port is the port that the destination server is listening on to receive requests Hierarchy Path: Configuration > Hierarchy Use the Hierarchy configuration page to configure the Proxy server to participate in HTTP hierarchies. Figure Hierarchy Page The following options display on the Hierarchy page: Hierarchy Definition Insert New Hierarchy Name: You can create a new hierarchy by specifying the name you want to assign to the hierarchy definition and then clicking Insert. After clicking Insert, the Hierarchy Definition Edit page displays where you can then configure additional hierarchy options. The Management Tool Main Page 233

234 Hierarchy Bypass List Insert New Bypass List Name: You can create a new hierarchy bypass list by specifying the name you want to assign to the bypass list and then clicking insert. A bypass hierarchy list lets you designate requests that should bypass the hierarchy by specifying a list of domain names and/or URL path substrings. The device then matches requested objects against these lists and sends requests for matching objects directly to the origin Web server, rather than going through the hierarchy. See Section , Bypass Hierarchy, on page Hierarchy Definition Path: Configuration > Hierarchy > Insert new Hierarchy Use the Hierarchy Definition page to specify the hierarchy type, apply a hierarchy bypass list, and to configure a hierarchy remote host. Figure Hierarchy Definition Page The following options display on the Hierarchy Definition page: Hierarchy Definition Edit Bypass List: If desired, select a bypass list to be used with this hierarchy. 234 SuperLumin Nemesis

235 By default, no bypass list is selected. A bypass hierarchy list designates requests that bypass the hierarchy by specifying a list of domain names and/or URL path substrings. You must have already created a bypass list in order for a bypass list to appear in the list. Hierarchy Remote Host Setup Port: Specify the port through which the remote host receives requests. Use DNS Host: If you select Use DNS Host, specify the host name of the remote server that this proxy will contact instead of going directly to the internet. Use Address List: If you have previously defined an IP address list, you can select it here. The proxy will then attempt to contact the addresses in the list until it gets access to the internet. Add Address: You can add an IP address that you want the proxy to contact to get access to the internet Bypass Hierarchy Path: Configuration > Hierarchy > Hierarchy Bypass List Insert Use the Hierarchy Bypass List page to designate requests that should bypass the hierarchy by specifying lists of hosts, domain names, or regular expressions. The device then matches requested objects against these lists and sends requests for matching objects directly to the origin Web server, rather than going through the hierarchy. IMPORTANT: The Proxy server always processes the list of domain names and hosts, but the URL patterns list is processed only when the Must Only Forward through Hierarchy option in the Hierarchy section of the Hierarchy page is not selected. See Section , Hierarchy, on page 233 for more information. The device uses the local domains and URL patterns lists in relation to HTTP hierarchies. The Management Tool Main Page 235

236 Figure Hierarchy Bypass Page The following options display under Bypass Rule Insert on the Bypass Hierarchy page: Host Name Specify the host name of the proxy that you want to bypass, then click Insert. This allows you to bypass a single proxy in the hierarchy. For example, proxy1.superlumin.net or Domain Name Specify a domain name, then click Insert. By specifying a domain name, you can bypass any proxy in the specified domain. For example, by specifying the dev.superlumin.net domain, you could bypass proxies such as proxy1.dev.superlumin.net, proxy2.dev.superlumin.net, and proxy3.dev.superlumin.net. Regular Expression Specify a regular expression, then click Insert. 236 SuperLumin Nemesis

237 This is a true GNU style regular expression. This allows you to bypass any proxy that matches the regular expression. For example, by specifying \.superlumin\.\w\w\w you can match anything at superlum.xxx, where xxx is three characters (not digits). -- superlumin.com, superlumin.net, superlumin.biz, but not superlumin.us. Click OK to save changes and return to the previous page. Or, click Cancel to discard changes and return to the previous page Disk Management Path: Configuration > select Show Advanced Options > Disk Management The Disk Management page lets you define disk groups and cache groups, configure directory snapshots, and specify memory cache directives. Dish groups consist of one or more disks or disk partitions and are used by cache services to store or cache data. NOTE: A default disk group is created automatically for you when the SuperLumin proxy server software is installed. Changing the disk management configuration is an advanced option that normally doesn t need to change. You should carefully consider your needs before changing your disk configuration. The Management Tool Main Page 237

238 Figure Disk Management Page The following options display on the Disk Management page: Disk Group Definition New Disk Group Name: Specify the name of the new disk group you want to create, then click Insert. You are then taken to the Disk Group Edit page where you can specify configuration options for the group and choose which disks or partitions will be part of the group. 238 SuperLumin Nemesis

239 A disk group is a collection of disks (raw partitions). A single disk cannot be in multiple disk groups at the same time. All disks in a disk group share a common sector size, chunk size, category, and elevator. Disk Group List: You can select an existing disk group and modify or delete it. If you choose to modify a disk group, you are then taken to the Disk Group Edit page where you can modify configuration options for the group and change which disks or partitions are part of the group. Cache Group Definition New Cache Group Name: Specify the name of the new disk group you want to create, then click Insert. You are then taken to the Cache Group Edit page where you can add disk groups to the cache group. No additional configuration is necessary for a cache group other than adding disk groups to it. Each service is tied to a single cache group. When the service writes an object to disk, it writes it to the cache group. The cache group then chooses the best disk group in its group for that object based on the categories of the various disk groups (large objects, small objects, etc.). The cache group then writes the object to the disk group. The disk group then chooses the best disk in its group based on utilization of the disks, and the object is written to that disk. Cache Group Name List: You can select an existing cache group and modify or delete it. If you choose to modify a cache group, you are then taken to the Cache Group Edit page where you can add or remove disk groups from the cache group. Directory Snapshot Options Active Request Keep Alive: This is the number of seconds you want the disk cache to wait for before it writes the directory to disk. The default is 60 seconds. The cache (disk cache, not the proxy itself) cannot take requests at the same time it writes the directory to disk. It will wait the amount of time you specify in Active Request Keep Alive before aborting all cache requests and writing the directory. Schedule (CRON syntax): Lists the current schedule for writing the directory cache to disk. Day of Week specifier: Specify the days of the week you want the directory cache written to disk. You can click Set to Every Day to have the directory cache written every day. You can specify days by their number in the week (1 though 7) or their abbreviated name (sun, mon, etc.). You can also use the asterisk (*) to have the directoy cache every day. Hour specifier: Specify the hour of the day you want the directory cache written to disk. The hour identifier should be between 0 and 23 hours. You can click Set to Every Hour to have the directory cache written every hour. The default is to have the directory written every day at 2:00 AM. You should choose a time when the cache is not busy. Minute specifier: Specify the minute of the hour you want the directory written to disk. The minute identifier should be between 0 and 59 minutes. Advanced CRON specifier: You can use this field to specify a schedule for writing the directory cache to disk. For example, if you specify 5 4 * * sun, the directory will be written at 5 after 4 every Sunday. If you add a schedule here, it will override any schedule values you have specified in the other fields on this page. The Management Tool Main Page 239

240 Memory Cache Directives Chunk Size Limit: Specify the maximum object size in kilobytes that can be stored in the memory cache. Large objects are split into chunks. For example, if you specify 512 K as the chunk size limit, a 10M object will be split into twenty 512K chunks. If any chunk is larger then this value, it is not a candidate for the memory cache. This prevents extremely large objects from being stored in the memory cache. The default values created during the installation process allow all objects to be written to the memory cache Date & Time Path: Configuration > Date & Time Use the Date & Time page to configure time settings for the Proxy server. The Date & Time page lets you set the system time so that the time stamps in cache logs are accurate and valid. NOTE: The Proxy server stamps log entries with Greenwich Mean Time (GMT). If the device is using an NTP server, the GMT stamp comes from that server. If the device is using a manually set time, it assumes the time is accurate and calculates the GMT value based on the device's time zone and daylight saving settings. 240 SuperLumin Nemesis

241 Figure Date and Time Page The following options display on the Date & Time page: Current Date and Time Displays the current date and time retrieved from the device. Set Date & Time Manually Clicking this button lets you set the date and time manually rather than using the date and time retrieved from the device. Network Time Protocol Enable Network Time Protocol: Click Setup NTP to add an NTP server or to use one that is already listed. See Section , NTP Options, on page 242 for more information. Time Zone Select the correct time zone for the device from the drop-down list. The Management Tool Main Page 241

242 Click OK to save your changes and return to the main Configuration page. Or, click Cancel to discard changes and return to main Configuration page NTP Options Path: Configuration > Date & Time > Setup NTP Use the Setup NTP Server page to configure Network Time Protocol (NTP) server settings. NTP enables the device to synchronize its system time with an NTP server. Using an NTP server makes device cache log time stamps as reliable as possible. Figure Setup NTP Server Page The following options display on the Date & Time Networks Protocol page: NTP Server Insert: Specify the IP address for a valid NTP server, then click Insert to add the server to the NTP Server List. IMPORTANT: When you specify an NTP server, synchronization between the NTP server clock and the device clock might not be immediate. If the NTP server clock has an earlier time than the device clock, the device will slow the clock down until the two are synchronized. This provides for proper incrementation of log files and other time-sensitive information during the synchronization process. 242 SuperLumin Nemesis

243 If the NTP server clock is later than the device clock, synchronization between the two will generally be immediate. However, in certain situations you might observe the device clock incrementing by 600-minute intervals. This is normal system behavior. If the above features are problematic in your situation, you can manually set the device time settings to the target time and then re-enable the NTP feature. NTP Server List: Displays the available NTP servers. Click OK to save changes and return to the Configuration page. Or, click Cancel to discard changes and return to Configuration page Adapters Path: Configuration > Adapters The Adapters page lists the adapters currently installed on the Proxy server and the IP address information for each adapter. You can also add additional IP addresses or a new adapter using this page. Figure Adapters Page The following options display on the Adapters page: The Management Tool Main Page 243

244 Adapter Insert Insert Adapter Name: Select the adapter you want to add from the list, then click Insert. Adapter (adapter_name) Addresses/CIDR: You can delete the IP addresses assigned to the adapter by clicking Delete, or add or modify the IP address assigned to the adapter by clicking the Modify button. To add a new IP address to the adapter, click Modify, enter a new IP address, then click Insert. Click OK to save your changes and return to the Configuration page. Or, click Cancel to discard changes and return to the Configuration page. You must click Apply All Changes for changes to take effect Modify Adapter Path: Configuration > Adapters > Modify an adapter The Modify Adapter page lets you add an IP address to the selected adapter. You can also access an advanced settings page using this page. 244 SuperLumin Nemesis

245 Figure Modify Adapter The following options display on the Modify Adapter page: Adapter Name: Shows the name of the adapter you selected to modify. You can click Advanced Settings to display a page that lets you change things like the adapter speed, duplex settings, etc. See Adapter Advanced Settings for more information. IP Address Insert: Enter the IP address and the CIDR you want to assign to the adapter, then click Insert. You must also select the IP address version or type. IP Address List: This shows you the IP addresses currently assigned to the adapter. You can select an IP address and click Delete to remove it from the adapter. Click OK to save your changes and return to the Configuration page. Or, click Cancel to discard changes and return to the Configuration page. You must click Apply All Changes for changes to take effect. The Management Tool Main Page 245

246 Adapter Advanced Settings Path: Configuration > Adapters > Modify an adapter > Advanced Settings The Adapter Advanced Settings page lets you change adapter speed, duplex settings, auto negotiation and load line parameters for the selected adapter. Figure Adapter Advanced Settings The following options display on the Adapter Advanced Settings page: Adapter Speed: Choose the speed at which you want the network adapter to operate. Most adapters are already set for optimal speed. If you select default, the adapter will operate at the factory preconfigured speed. Adapter Duplex: Choose the desired duplex setting for the adapter. If you select default, the adapter will operate at the factory preconfigured duplex setting. Adapter NAT: Specify whether you want NAT (Network Address Translation) enabled or disabled on the adapter. 246 SuperLumin Nemesis

247 Adapter MTU: Specify the MTU (Media Transition Unit) size. This is the maximum packet size that can be send over the wire. The current setting is the default, which means that the factory preconfigured value will be used. Adapter Auto Negotiate: If you set this option to on, the adapter will try to automatically detect and use the needed settings. Selecting default will let the adapter perform as it was preconfigured to do, which is either auto negotiate or use pre-set values. Load Line Parameters: This is an advanced option that lets you customize how the adapter functions. You should consult your adapter documentation for the load line parameters that can be used. Click OK to save your changes and return to the previous page. Or, click Cancel to discard changes and return to the previous page. You must click Apply All Changes for changes to become effective Gateways Path: Configuration > Gateways The Gateways page lets you configure the route settings for the proxy. Using this page you can specify or change the default gateway. This page also lets you specify host and network gateways. Figure Gateways Page The following options display on the Gateways page: The Management Tool Main Page 247

248 Gateway Options Enable IP Forwarding: Select this option to turn on IP forwarding. IP forwarding allows the gateway to forward requests not intended for the local network to another network. Enable Gateway Monitoring: Select this option to enable gateway monitoring by the Proxy server. The Proxy server normally monitors gateway availability by pinging the configured gateways every minute. Deselect this item if the Proxy server accesses its gateways through a connection that should not be kept continually open, such as a dial-up phone line or ISDN connection. Keep in mind, however, that deselecting the option will cause the Gateway status on the Health page to display as failed. Default Gateway IP Address: Specify the IP address of the gateway. IPv4/IPv6: Choose if you want the gateway to use IP version 4 or IP version 6. Network Route Destination Network/CIDR: Specify the network address for the destination IP address range. You can also type a specific IP address on a given subnet and the device will calculate the network address using the mask. Gateway: Specify the address of the destination gateway that is to be used. IPv4/IPv6: Choose if the destination gateway uses IP version 4 or IP version 6. NOTE: You can define one or more gateways to be used for packets being sent to specific subnets. Host Route Destination Host: Specify the IP address of the destination host. Valid addresses cannot be the first or last address of a class and must be unique. Gateway: Specify the address of the host gateway that is to be used. IPv4/IPv6: Choose if the host gateway uses IP version 4 or IP version 6. NOTE: You can define one or more gateways to be used for packets being sent to specific hosts. Click OK to save your changes and return to the Configuration page or click Cancel to discard changes and return to the Configuration page. You must click Apply All changes for changes to be saved permanently DNS Path: Configuration > DNS 248 SuperLumin Nemesis

249 Use the DNS page to configure the domain name service the Proxy server will use, including setting a domain name for domain-relative address resolution. You must specify a domain name for the device to use relative domain names. DNS servers are listed in the order inserted and searched in the order listed. Figure DNS Page The following options display on the DNS page: Device Hostname Specify the host name of your Proxy server. Domain: Specify the domain of your Proxy server. DNS Server IP Addresses DNS Server IP Address: Specify the IP addresses and the IP version of a DNS server you want the device to use, then click Insert. DNS Server IP Address List: Displays all of the DNS server IP addresses. To remove IP addresses from the DNS Server IP Addresses list, select the desired IP addresses, then click Delete. The Management Tool Main Page 249

250 Advanced DNS Options DNS Cache Settings See Advanced DNS Options below. Click OK to save your changes and return to the Configuration page. Or, click Cancel to discard changes and return to the Configuration page. You must click Apply All Changes for changes to take effect Advanced DNS Options Path: Configuration > DNS > DNS Cache Settings Use the Advanced DNS Options (Device Hostname) page to configure additional Domain Name Service (DNS) settings. Figure Advanced DNS Options The following options display on the Advanced DNS page: DNS Cache Settings Negative Lookup: Specify a time value (in seconds) to control how long a failed DNS lookup domain name remains in the Proxy server's DNS cache. 250 SuperLumin Nemesis

251 The default is 120 seconds. Valid field values include seconds. If the proxy server cannot resolve a domain name, it stores that information in its cache for the specified amount of time. If the proxy server receives requests for that domain name within this period, it sends a "Bad Gateway" error message to the browser and does not resolve the domain name again. Minimum Time to Live per Entry: Specify a time value (in seconds) to set the minimum amount of time DNS entries remain in cache before they expire. This is the minimum value the Proxy server uses regardless of the value returned by the DNS name server. The default is 120 seconds. Valid field values include seconds. Maximum Time to Live per Entry: Specify a time value (in hours) to set the maximum amount of time DNS entries remain in cache before they expire. This is the maximum value the Proxy server uses regardless of the value returned by the DNS name server. The default is 168 hours. Valid field values include hours. Maximum Entries: Specify the maximum number of DNS cache entries allowed. When this number is reached, the Proxy server deletes old entries to make room for newer ones. The default is Valid field values include DNS Transport Protocol: Specify the transport protocol the Proxy server uses to issue DNS queries to DNS servers. You can choose to have the internal DNS client use TCP or UDP for the queries it sends to the configured DNS server. UDP is the default. You shoult not change this unless directed by technical support. Click OK to save your changes and return to the DNS page. Or, click Cancel to discard changes and return to the DNS page. You must click Apply All Changes for changes to take effect DNS Server Path: Configuration > select Show Advanced Options > DNS Server Use the DNS Server page to enable and configure a DNS server on the Proxy server. This is useful for social media cache services and also if you don t have access to another DNS server. The Management Tool Main Page 251

252 Figure DNS Server Options page The following options display on the DNS Server page: DNS Server Options Enable: Select this option to enable the DNS server option on the proxy server. Log All DNS Queries: Select this option to enable logging of all DNS queries. See Logging on page 209 for more information on configuring logging and log files. Listener: Select the listener that the DNS server will use to receive and send requests. If a needed listener is not listed click Add New Listener to bring up the page for creating a listener. 252 SuperLumin Nemesis

253 NOTE: If a new listener is needed for the DNS server, ensure the new listener type is set to UDP. See Listener on page 168 for more information on creating and configuring listeners. Listening Port: This is the port from which the DNS server will receive requests and either resolve addresses or forward them. The listening port is specified when the listener is created. The default port is 53. Listening Address(es): This is a list of the DNS server IP addresses that DNS services will run on. The listening address(es) are specified when the listener is created. Forwarders Forwarder Options: The option to user forwarders is not enabled by default. Click Forwarder Options to launch a page for enabling and configuring DNS forwarding. See DNS Forwarder on page 253 for more information on setting up forwarders. DNS Zone Insert Domain Name: Specify the domain name of the DNS zone that you want DNS queries sent to for resolution, then click Insert. NOTE: Underscores are invalid in DNS host names. DNS Zone List This is the list of DNS zones that have been configured. You can select an existing zone and modify or delete it DNS Forwarder Path: Configuration > select Show Advanced Options > DNS Server > Forwarder Options Use the DNS Server Forwarders page to enable and add DNS forwarders to the DNS server. When you add a DNS forwarder domain name, DNS queries that cannot be resolved locally will be forwarded to the specified forwarder domain name where they will then either be resolved or forwarded to another DNS server for resolution. The Management Tool Main Page 253

254 Figure DNS Forwarder Page The following options display on the DNS Forwarders page: Forwarders Enable Forwarders: Select this option to enable DNS forwarding on this DNS server. Always Forward Queries: If you select t his option, DNS queries will not be resolved locally and all DNS queries will be forwarded to specified DNS forwarder domains. 254 SuperLumin Nemesis

255 Forwarder Insert Forwarder: Specify the IP address of the DNS server that DNS requests will be forwarded to. You must also specify whether the DNS server that requests will be forwarded to uses IP version 4 or IP version 6. Forwarder List This is the list of forwarders that have been configured. You can select a forwarder and click Delete to remove it Hosts Path: Configuration > select Show Advanced Options > Hosts Use the Host page to add or remove hosts to or from the Proxy server s list of hosts, or to change the order host names are resolved to host IP addresses. The device uses the hosts table to resolve DNS host names prior to querying its DNS servers. Figure Hosts Page The Management Tool Main Page 255

256 The following options display on the Host page: Host IP Address Insert Host IP Address: Specify the IP address and the IP version (4 or 6) of a destination host, then click Insert. NOTE: The address must not be the first or last address of a class, and it must be unique in the Host IP Address List. The Host Name page displays. See Section , Host Name, on page 256 for more information. Host IP Address List Host IP Address: Displays the IP address of each host. Host Name: Displays the host names entered for each IP address. To add additional host names to a host IP address, select the desired host and click Modify. To remove a host IP address and its associated host names, select it and then click Delete. Click OK to save your changes and return to the Configuration page. Or, click Cancel to discard changes and return to the Configuration page. You must click Apply All Changes for changes to take effect Host Name Path: Configuration > select Show Advanced Options > Hosts > enter Hosts IP Address and IP Version > Insert Use the Host Name page to associate IP addresses with hosts in a server-specific static lookup table. All host names added to the static lookup table are resolved without requiring a DNS query. Modifications to the static lookup table take effect immediately after the configuration changes are applied. 256 SuperLumin Nemesis

257 Figure Host Name Page The following options display on the Host Name page: Hosts Table Host IP Address: This is either the IP address you inserted in the Host page or the IP address for which you clicked Modify in the Hosts page (see Section , Hosts, on page 255). Host Names: Specify the DNS host name you want resolved to the Host IP Address, then click Add. Repeat this for each DNS host name you want resolved to the Host IP Address. You can click Move Up or Move Down to change the order that host names are resolved to the Host IP Address. Click OK to save your changes and return to the Hosts page. Or, click Cancel to discard changes and return to the Hosts page. You must click Apply All Changes for changes to take effect WCCP Path: Configuration > select Show Advanced Options > WCCP The Management Tool Main Page 257

258 Use the WCCP Options page to configure the WCCP protocol. This protocol is used only with the transparent proxy service. It lets a WCCP-capable router dynamically send HTTP traffic to a proxy if that proxy is up. If the proxy fails, the router is notified via the WCCP protocol so that it can route HTTP traffic directly to the internet. NOTE: Only WCCP version 2 is supported. Figure WCCP Definition Page Using this page you can view the existing WCCP definitions, or create a new definition by entering a name and then clicking Insert. Click OK to save changes and return to the Configuration page. Or, click Cancel to discard changes and return to the Configuration page. You must click Apply All Changes for changes to take effect WCCP Options Definition Path: Configuration > WCCP > Insert or Modify a WCCP defintion Use the WCCP Options Definition page to enable and configure WCCP settings, intercept ports, and router communications. 258 SuperLumin Nemesis

259 Figure WCCP Options Definition Page The following options display on the WCCP Options Definition page: WCCP Options Definition Enable: Select this option to enable WCCP-capable routers to route HTTP requests to the device. Service ID: The service ID routers use for the multiple port service. Password: If you specify a password, the Proxy server signs WCCP communication packets with an MD5 hash or "signature" of the password you specify. Priority: Specify the priority you want for multiple ports. Protocol: Choose the protocol (TCP or UDP) that the WCCP-capable routers use. Redirect to Local IP: Specify the IP address of the server that you want the WCCP capable routers to redirect HTTP requests to. Hash the destination and source IP addresses and ports is selected by default. This provides additional security by causing IP addresses and ports to be encrypted with a hash value. You can also choose to have alternate hash values used. This ensures that not the same hash value is used each time. The Management Tool Main Page 259

260 If you select Return Via Tunnel, a tunneled connection will be established between the WCCPcapable router and the proxy server, through which encrypted traffic can be sent. Intercept Port List Intercept:Choose either Destination Ports or Source Ports. Intercept ports can be either destination or source, but not both. You can add up to eight ports to the intercept port list. For example, if you selected Destination Ports and added port 80 to the list, The WCCPcapable router would detect would detect any requests that are on port 80, intercept them, and sends them to the SuperLumin Proxy Server s transparent proxy service. When used with adhoc service types (non-http), the ports you add to the list cause the router to only route traffic targeted (Destination) to or originating from (Source) the ports specified in the port list. Port List:Specify the ports you want the WCCP-capable router to intercept and forward to the transparent proxy service. Router Communications Setup Add Unicast Address: Specify the addresses that the device uses to route HTTP traffic to the device. NOTE: Although WCCP supports both Unicast and Multicast, the SuperLumin proxy currently only supports Unicast. Click to save changes and return to the WCCP page. Or, click Cancel to discard changes and return to the WCCP page. You must click Apply All Changes for changes to take effect Authentication Path: Configuration > Authentication The Authentication panel lets you create authentication profiles that are used in access control authentication policies. Authentication profiles are policy based. They are associated with authentication policies that require users to authenticate before being granted access. 260 SuperLumin Nemesis

261 Figure Authentication Page The following options display on the Authentication page: Insert LDAP Profile: Specify the name of the authentication profile you are creating, then click Insert. You are then taken to a page for configuring the authentication profile options. Because the name identifies the profile in other pages, use a descriptive name. LDAP Profile List: Displays the names of the authentication profiles. Use the Modify or Delete buttons to edit/delete the selected authentication profile. Click OK to save changes and return to the Configuration page. Or, click Cancel to discard changes and return to the Configuration page. You must click Apply All Changes for changes to take effect LDAP Authentication Profile Path: Configuration > Authentication > Insert or modify an LDAP authentication profile The LDAP Authentication Profile page lets you configure LDAP authentication server and login options for the LDAP authentication profile you are creating. The Management Tool Main Page 261

262 Figure LDAP Authentication Profile Page The following options display on the LDAP Authentication Profile page: LDAP Server Options LDAP Server Hostname: Specify the IP address or DNS name of the LDAP server that will be used for authentication Port: Specify the port number on which the LDAP server is listening for requests from LDAP clients. The default port for a non-secure LDAP server is 389. If you are not using a secure LDAP server, your LDAP server is probably listening on port 389. If not, you can change it to the port number being used. 262 SuperLumin Nemesis

263 The default port for a secure LDAP server is 636. If you are using a secure LDAP server with the default port number, you must change the port number to 636 and you must also select the Secure LDAP Access checkbox. Secure LDAP Access: Select this option to enable SSL communication between the cache device and the LDAP directory. Trusted Root File: This field is required if Secure LDAP Access is selected and is the location of the LDAP server's trusted-root certificate to be used for SSL communications between the cache device and the LDAP directory. User Group Membership Attribute: This specifies the user object attribute used by the LDAP server to designate group membership. LDAP Search Login Field Name: Specify the LDAP field name through which users can authenticate. You may enter field names using cn for Common Name format or uid for User ID format. NOTE: Some user objects may use the cn attribute but not the uid attribute. This is especially true of user objects created using older versions on Novell Directory Services. For those user objects, you may need to specify field names using the cn attibute or manually create and populate a uid attribute in order for those users to authenticate. Insert Search Base: Specify an LDAP search base. You can click the Browse button to navigate your LDAP server tree and choose the container that you want to start the LDAP search from. You can insert as many LDAP search base containers as needed. Search Base List: This is a list of previously inserted LDAP search bases. You can delete a search base by selecting it and clicking the Delete button. Search Subtrees: Select this option to have the LDAP search continue through subtrees. LDAP Search Login Credentials Bind Anonymous: Select this option if the proxy server can authenticate to the LDAP server using anonymous bind. Bind Using Credentials: Select this option if anonymous bind is not enabled on the LDAP server. Username:Specify the username through which the proxy server authenticates to use the LDAP server's authentication services. You can click the Browse button to navigate through your LDAP server tree for the username that you want to use. Password: Specify the password for the user you specified above Packet Filter Path: Configuration > select Show Advanced Options > Packet Filter The Packet Filter page lets you enable or disable filters that allow or restrict specified incoming IP addresses. You can also enable IP forwarding and external script support as well as access a page to create packet filter rules. The Management Tool Main Page 263

264 Figure Packet Filter Page The following options display on the Packet Filter page: Packet Filter Configuration Enable Packet Filtering: Select this option to enable any IP packet filters (rules) you have previously created. You can configure packet filter rules by clicking Append. Enable IP Forwarding: Select this option to enable IP packets to be routed through the box. You must have already configured a rule for IP forwarding for this to work. You can configure rules by clicking Append. Enable External Script Support: Select this option to cause two previously created scripts to run that configure packet filter options. These are Linux scripts that you must create. The path and filenames of the scripts must be /etc/opt/sln/iproxy/iptables-create.sh 264 SuperLumin Nemesis

265 and /etc/opt/sln/iproxy/iptables-cleanup.sh. The iptables-create.sh script is used to create new packet filter rules. The iptablescleanup.sh script is used to fix old or existing packet filter rules. Append Packet Filter Rule Append: Select this option to bring up a page that lets you configure rules for packet filtering and IP forwarding. Rules Using this section, you can select an existing rule and modify or delete it. You can also change the order in which the rules in list are processed Create Packet Filter Rule Path: Configuration > select Show Advanced Options > Packet Filter > Click Append The Packet Filter Rule page is the first page of a wizard that lets you create and configure a packet filter. You can also set up support for IP forwarding. The Management Tool Main Page 265

266 Figure Create Packet Filter Rule Page The following options display on the Create Packet Filter Rule page: Action: In the drop down box, select one of the available actions that govern how packets are handled by the filter. On-screen descriptions of the possible actions are provided. 266 SuperLumin Nemesis

267 Table: This is the IP table you will use with packet filtering. In the drop down box, select either the filter or the nat table. Filter is the default table and is the main way to filter packets. Nat (Network Address Translation) tables are used for new connections. See the on-screen instructions for descriptions of table options. Chain: In the drop down box, select one of the available chains. If you chose the IP Forwarding option, you must select the Forward chain option. See the on-screen descriptions of the available options. Protocol/Match: Select the protocol type you want to filter. If you select the checkbox, network packets using the protocol type you have chosen will not be subject to the conditions you have specified in the packet filter rule. See the on-screen descriptions of the available protocol options Firewall Settings Path: Configuration > Firewall Use the Firewall Settings page to protect the Proxy server from outside attacks. A firewall is a gateway that limits access between networks in accordance with a local security policy, in order to protect the system from outside attacks. This local security policy is set up here. IMPORTANT: Modifying the firewall may lock you out of the proxy server (management access, SSH access, and proxy access). Figure Firewall Settings Page The Management Tool Main Page 267

268 The following options display on the Firewall Settings pages: Firewall Settings Enable: Select this option to activate firewall on the Proxy server. Enable ICMP: Select this option to allow ping (ICMP) requests to the Proxy server. Enable IP Forwarding: Select this option to allow http requests to forward past the proxy server to their intended destination. Adapters Adapter ID: Select an adapter that you want to assign to a zone. Zone: Select the zone you want to add the adapter to, then click Insert. You can choose from three different zone types which include internal, external and DMZ zone types. Network Interface Cards (NICs) can be assigned to any of these three zones, but to only one zone at a time. If you choose to not assign a NIC to a zone, then by default it is put in the external zone, which is the most untrusted and restricted zone. Dynamic NAT Enable: Select this option to enable Dynamic NAT. Dynamic NAT (Network Address Translation) lets you map private IP addresses to public IP addresses that are obtained from a pool of registered public IP addresses. Dynamic NAT helps you secure your network by masking the internal configuration of your private network. This makes it difficult for someone outside the network to monitor individual usage patterns. Another advantage of dynamic NAT is that it allows you to use private IP addresses that are invalid on the Internet but useful as internal addresses. Firewall Log Settings Log Accepted Packets - Log Critical: Selecting this option causes only the following types of accepted packets to be logged: spoofed packets, TCP connection requests, and some ICMP types. Log Dropped Packets - Log Critical: Selecting this option causes only the following types of dropped packets to be logged: spoofed packets, TCP connection requests, and some ICMP types. Log Dropped Packets - Log All: Selecting this option causes all dropped packets to be logged. Log Dropped Packets - Log None: Selecting this option causes no dropped packets to be logged. NOTE: Log Drop Critical, Log Drop All, and Log Drop None are mutually exclusive. You can choose one option, but not more than one at the same time. Firewall Zones Three different zone types can be defined for firewalls. These zones include internal, external and DMZ zone types. The internal zone type is used for network traffic that is fully trusted and requires no packet filtering. It generally used for internal LANs. 268 SuperLumin Nemesis

269 The external zone type is the most restrictive zone type, and is used for network traffic that might not be trusted, such as traffic from the internet. The DMZ zone type is a more secure approach to a firewall. It is a neutral zone that acts as a buffer between the internet and your private network. Clicking on any zone button launches a page that lets you configure the settings for that particular zone type Social Media Path: Configuration > Social Media Use the Social Media page to configure a social media cache. A social media cache performs as a reverse proxy, and identifies and caches social media objects. This minimizes bandwidth consumption and accelerates the delivery of social media content. See Creating a Social Media Cache Service on page 40 for additional instructions on creating social media cache services. Figure Social Media Site Configuration Page The Management Tool Main Page 269

270 The following options display on the Social Media Site Configuration page: Sites: You can click on an existing site to bring up the page for modifying the site s cache configuration. You can also select an existing site and click Delete to remove it from the social media cache. Name: Enter a name for the social media site you want to configure for caching, then click Add. This will bring up a page that lets you configure the hosts/domains and tunnels for the social media site. You can use the Quick Service Creation wizard on the Getting Started page to configure a social media cache for YouTube and Facebook YouTube Path: Configuration > Social Media > YouTube Use the YouTube Social Media Configuration page to configure caching for the YouTube social media site. Figure YouTube Social Media Configuration page The following options display on the Social Media YouTube Configuration page: Enable/Disable: Click Enable or Disable to enable or disable caching for the YouTube social media site. 270 SuperLumin Nemesis

271 youtube.com: Click youtube.com to display the reverse proxy service created to cache this domain. To remove the YouTube cache service, select the youtube.com checkbox, then click Delete. ytimg.com: Click ytimg.com to display the reverse proxy service created to cache this domain. To remove the ytimg domain, select the ytimg.com checkbox, then click Delete. Service: Displays the name of the reverse proxy service associated with this social media site. Select Add to create a different reverse proxy service for the social media site. To remove the domains from the reverse proxy service, select None. Name: Use this field to add an additional domain or host name for this social media site, then click Add. Tunnels: No tunnel services are needed for YouTube social media sites. NOTE: A reverse proxy service must already be configured for the YouTube social media cache in order for the youtube.com and ytimg.com links to be active. You can use the Getting Started page to configure social media cache services which automatically configure the needed reverse proxy services for social media caching Facebook Path: Configuration > Social Media > Facebook Use the Facebook Social Media Configuration page to configure caching for the the Facebook social media site. The Management Tool Main Page 271

272 Figure Facebook Social Media Configuration Page The following options display on Social Media site for Facebook: Enable/Disable: Click Enable or Disable to enable or disable caching for the Facebook social media site. facebook.com: This is one of the Facebook domains. Click facebook.com to display the reverse proxy service created to cache this domain. To remove the Facebook domain, select the facebook.com checkbox, then click Delete. fbcdn.net: This is a Facebook domain. Click fbcdn.net to display the reverse proxy service created to cache this domain. To remove the fbcdn.net domain, select the fbcdn.net checkbox, then click Delete. Service: Displays the name of the reverse proxy service associated with the social media site. Select Add to create a different reverse proxy service for the social media site. To remove the domains from the reverse proxy service, select None. Name: Use this field to add an additional domain or host name for this social media site, then click Add. There are three secure sites associated with Facebook: login.facebook.com register.facebook.com s-static.ak.facebook.com 272 SuperLumin Nemesis