Secure Web Gateway Network Guardian Administration Guide


For future reference
Network Guardian serial number:
Date installed:
Smoothwall contact:

Smoothwall Network Guardian, Administration Guide, March 2015

Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Network Guardian. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Smoothwall. For more information, contact: Smoothwall Ltd. All rights reserved.

Trademark notice
Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd. Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire Inc. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation. All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries.

Acknowledgements
Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S. Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor.

Network Guardian contains graphics taken from the Open Icon Library project.

Address
Smoothwall Limited
1 John Charles Way
Leeds LS12 6QA
United Kingdom

Contents

About This Guide ... 1
  Audience and Scope ... 1
  Organization and Use ... 1
  Conventions ... 2
  Related Documentation ... 2

Chapter 1 Network Guardian Overview ... 3
  Overview of Network Guardian ... 4
  Annual Renewal ... 4
  Accessing Network Guardian ... 4
  Dashboard ... 5
  Logs and Reports ... 6
    Reports ... 6
    Alerts ... 6
    Realtime ... 6
    Logs ... 7
    Settings ... 8
  Networking ... 8
    Configuration ... 8
    Filtering ... 9
    Routing ... 9
    Settings ... 9
  Services
    Authentication
    User Portal
    Proxies
    SNMP
    Message Censor
  System
    Maintenance
    Central Management
    Preferences
    Administration
    Hardware
    Diagnostics
    Certificates
  Guardian
    Quick Links
    Web Filter Policies
    HTTPS Inspection Policies
    Content Modification Policies
    Anti-malware Policies
    Block Page Policies
    Policy Objects
  Swurl
  Web Proxy
    Web Proxy
    Upstream Proxy
    Authentication
    MobileProxy
    Global Proxy
  Configuration Guidelines
    Specifying Networks, Hosts and Ports
    Using Comments
  Connecting via SSH
    Connecting Using a Client
  Secure Communication
    Unknown Entity Warning
    Inconsistent Site Address

Chapter 2 Working with Interfaces
  About Network Interfaces and Roles
  Creating an External Connection
  About Load Balancing Traffic over External Connections ... 26
  Editing an External Connection
  Deleting an External Connection
  Monitoring External Connections Status
  Adding a New Interface
  Allocating IP Addresses to Interfaces
  Adding an IP Address
  Editing Allocated IP Addresses
  Deleting Allocated IP Addresses
  Configuring Bonded Interfaces
  Creating Bonds
  Editing Bonds
  Deleting a Bond Interface
  Using Virtual Local Area Networks
  Creating a VLAN
  Configuring Transparent Bridges
  Creating Bridges
  Editing Bridges
  Deleting Bridge Interfaces
  Using a Point-to-Point Protocol over Ethernet Interface
  Editing a PPPoE Interface
  Deleting Parent PPPoE Interfaces
  Adding Alias IP Addresses
  Using Domain Name System Services
  Configuring Global DNS Settings
  Configuring the DNS Servers
  Using Conditional DNS Forwarders
  Mapping Static DNS Hosts

Chapter 3 Deploying Web Filtering
  Getting Up and Running
  Blocking and Allowing Content Immediately
  Blocking Locations
  Excepting Computers from Web Filtering
  About Shortcuts
  About Network Guardian's Default Policies
  About the Default Web Filter Policies
  About the Default Authentication Policies

Chapter 4 Working with Policies
  An Overview of Policies
  Types of Policies
  How Policies are Applied
  Guardian Getting Started
  Working with Category Group Objects
  Creating Category Group Objects
  Creating Custom Categories
  Editing Category Group Objects
  Deleting Category Group Objects
  Working with Time Slot Objects
  Creating a Time Slot
  Editing a Time Slot
  Deleting a Time Slot
  Working with Location Objects
  Creating a Location Object
  Editing Location Objects
  Deleting Location Objects
  Working with Quota Objects
  About the Default Quota Object
  Creating Quota Objects
  Editing Quota Objects
  Deleting Quota Objects
  Managing Web Filter Policies
  Creating Web Filter Policies
  Editing Web Filter Policies
  Deleting Web Filter Policies
  Managing HTTPS Inspection Policies
  Enabling HTTPS Inspection Policies
  Creating an HTTPS Inspection Policy
  Editing HTTPS Inspection Policies
  Deleting HTTPS Inspection Policies
  Configuring HTTPS Inspection Policy Settings
  Clearing the Generated Certificate Cache
  Managing Content Modification Policies
  Creating a Content Modification Policy
  Editing Content Modification Policies
  Deleting Content Modification Policies
  Creating Custom Content Modification Policies
  Managing Anti-malware Policies
  Creating an Anti-malware Policy
  Configuring Anti-malware Protection
  Configuring Anti-malware Status Information
  Editing Anti-malware Policies
  Deleting Anti-malware Policies
  Using the Policy Tester
  Other Ways of Accessing the Policy Tester
  Working with Policy Folders
  Creating a Policy Folder
  Editing Policy Folders
  Deleting Policy Folders
  Censoring Web Form Content
  Configuring Organization Accounts

Chapter 5 Managing Authentication Policies
  About Authentication Policies
  Creating Authentication Policies
  Creating Non-transparent Authentication Policies
  Creating Transparent Authentication Policies
  Managing Authentication Policies
  Editing Authentication Policies
  Deleting Policies
  Managing Authentication Exceptions
  Identification by Location
  Using Global Proxy
  Certificates
  Using Multiple, Distinct Proxies
  Using an Unsecured Proxy
  Viewing the Global Proxy Logs
  Connecting to Network Guardian
  About Non-transparent Connections
  About Transparent Connections
  Authentication Scenarios
  New Content Filtering
  Changing the Listening Port
  Providing Filtered Web Access to the Public
  Requiring Authentication to Browse the Web
  Using Multiple Authentication Methods
  Controlling an Unruly Class

Chapter 6 Managing Web Security
  Overview of the Web Proxy
  Global Options
  Advanced Web Proxy Settings
  Using PAC Scripts
  Using a Built-in Script
  Using a Custom Script
  Managing the Configuration Script
  Limiting Bandwidth Use
  Ordering Bandwidth Limiting Policies
  Editing Bandwidth Limiting Policies
  Deleting Bandwidth Limiting Policies
  Configuring WCCP
  Managing Upstream Proxies
  Overview
  Configuring an Upstream Proxy
  Configuring Source and Destination Filters
  Using a Single Upstream Proxy
  Working with Multiple Upstream Proxies
  Managing Blocklists
  Viewing Blocklist Information
  Manually Updating Blocklists
  Managing Block Pages
  About the Default Block Page
  Customizing the Default Block Page
  Using a Custom HTML Template
  Using an External Block Page
  Configuring a Block Page Policy
  Managing Block Page Policies
  Working with Block Pages

Chapter 7 Managing Your Network Infrastructure
  Creating Subnets
  Editing and Removing Subnet Rules
  Using the Routing Information Protocol Service
  Load Balancing Traffic
  Creating Load Balancing Pools
  Reordering Load Balancing Pools
  Example Configuration
  Using Source NATs and LLB Policies
  Using LLB Pools for Local Traffic
  Creating a NAT Policy
  Reordering NAT Policies

Chapter 8 Managing Network Security
  Blocking by IP
  Creating IP Blocking Rules
  Editing and Removing IP Block Rules
  Blocking Services on the Ethernet Bridge
  Managing Exceptions to Blocked Services
  Working with Port Groups
  Creating a Port Group
  Adding Ports to Existing Port Groups
  Editing Port Groups
  Deleting a Port Group
  Working with Address Objects
  Creating an Address Object
  Creating Nested Address Objects
  Editing Address Objects
  Deleting Address Objects
  Configuring Advanced Networking Features
  Blocking and Ignoring Traffic
  Enabling Advanced Networking Features
  Configuring ARP Table Size
  Configuring Connection Tracking Table Size
  Configuring SYN Backlog Queue Size
  Configuring Traffic Audits
  Dropping Direct Traffic
  Enabling Network Application Helpers
  Managing Bad External Traffic

Chapter 9 Using Zone Bridging Rules
  About Zone Bridging Rules
  Creating Zone Bridging Rules
  Editing and Removing Zone Bridge Rules
  Example Zone Bridging Rules
  About Group Bridging Rules
  Group Bridging and Authentication
  Creating Group Bridging Rules
  Editing and Removing Group Bridges

Chapter 10 Managing Inbound Traffic
  Managing Inbound Traffic with Port Forwards
  About Port Forward Rules
  Creating Port Forward Rules

Chapter 11 Authentication and User Management
  About User Authentication
  Configuring Global Authentication Settings
  About Directory Services
  Configuring a Microsoft Active Directory Connection
  Configuring an LDAP Connection
  Configuring a RADIUS Connection
  Configuring an Active Directory Connection (Legacy Method)
  Configuring a Local Users Directory
  Reordering Directory Servers
  Editing a Directory Server
  Deleting a Directory Server
  Diagnosing Directories
  Managing Local Users
  Adding Users
  Editing Local Users
  Deleting Users
  Managing Groups of Users
  About Groups
  Adding Groups
  Editing Groups
  Deleting Groups
  Mapping Groups
  Remapping Groups
  Deleting Group Mappings
  Managing Temporarily Banned Users
  Creating a Temporary Ban
  Removing Temporary Bans
  Removing Expired Bans
  Managing User Activity
  Viewing User Activity
  Logging Users Out
  Banning Users
  About SSL Authentication
  Customizing the SSL Login Page
  Reviewing SSL Login Pages
  Managing Kerberos Keytabs
  Prerequisites
  Adding Keytabs
  Managing Keytabs
  Troubleshooting a Kerberos Service
  Authenticating Chromebook Users
  Creating a Google Client ID and Client Secret (Web Application)
  Restricting Accepted Google Accounts by Domain
  Customizing the Client Login Page
  Managing Chromebooks

Chapter 12 Centrally Managing Smoothwall Systems
  About Centrally Managing Smoothwall Systems
  Pre-requirements
  Setting up a Centrally Managed Smoothwall System
  Configuring the Parent Node
  Configuring Child Nodes
  Adding Child Nodes to the System
  Editing Child Node Settings
  Deleting Nodes in the System
  Managing Nodes in a Smoothwall System
  Monitoring Node Status
  Accessing the Node Details Page
  Working with Updates
  Rebooting Nodes
  Disabling Nodes
  Using BYOD in a Centrally Managed System

Glossary
Index

About This Guide

Smoothwall's Network Guardian is a licenced feature of your Smoothwall System. This supplement provides guidance for configuring Network Guardian.

Audience and Scope
This guide is aimed at system administrators maintaining and deploying Network Guardian. This guide assumes the following prerequisite knowledge:
- An overall understanding of the functionality of the Smoothwall System
- An overall understanding of networking concepts

Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, contact your Smoothwall representative.

Organization and Use
This guide is made up of the following chapters and appendices:
- Chapter 1, Network Guardian Overview on page 3
- Chapter 2, Working with Interfaces on page 23
- Chapter 3, Deploying Web Filtering on page 45
- Chapter 4, Working with Policies on page 51
- Chapter 5, Managing Authentication Policies on page 91
- Chapter 6, Managing Web Security on page 111
- Chapter 7, Managing Your Network Infrastructure on page 139
- Chapter 8, Managing Network Security on page 151

- Chapter 9, Using Zone Bridging Rules on page 165
- Chapter 10, Managing Inbound Traffic on page 173
- Chapter 11, Authentication and User Management on page 177
- Chapter 12, Centrally Managing Smoothwall Systems on page 209
- Glossary on page 221
- Index on page 231

Conventions
The following typographical conventions are used in this guide, listed as Item (Convention): Example.
- Key product terms (Initial Capitals): Network Guardian, Smoothwall System
- Menu flow, and screen objects (Bold): System > Maintenance > Shutdown; Click Save
- Cross-references (Blue text): See Chapter 1, Network Guardian Overview on page 3
- References to other guides (Italics): Refer to the Network Guardian Administration Guide
- Filenames and paths (Courier): The portal.xml file
- Variables that users replace (Courier Italics)
- Links to external websites (Blue text, underlined)

This guide is written in such a way as to be printed on both sides of the paper.

Related Documentation
The following guides provide additional information relating to Network Guardian:
- Network Guardian Installation Guide, which describes how to install Network Guardian
- Network Guardian Operations Guide, which describes how to maintain Network Guardian
- Network Guardian Upgrade Guide, which describes how to upgrade Network Guardian
- Network Guardian User Portal Guide, which describes how to use the Network Guardian user portal

The Smoothwall website contains the Smoothwall support portal, knowledge base and the latest product manuals.

Chapter 1 Network Guardian Overview

This chapter introduces Network Guardian, including:
- Overview of Network Guardian on page 4
- Annual Renewal on page 4
- Accessing Network Guardian on page 4
- Dashboard on page 5
- Logs and Reports on page 6
- Networking on page 8
- Services on page 10
- System on page 12
- Guardian on page 14
- Swurl on page 17
- Web Proxy on page 17
- Configuration Guidelines on page 19
- Connecting via SSH on page 20
- Secure Communication on page 21

Overview of Network Guardian
Welcome to Network Guardian, the intelligent web content filter that dynamically analyses, understands and categorizes all web content requested by your users. Network Guardian provides:
- Protection from pornography and objectionable content
- Controlled access to non work-related sites, such as news, sport, travel and auctions
- Protection from web-borne spyware, malware and browser exploits
- Reporting on Internet behavior and resource utilization
- Email security: anti-spam, anti-malware, mail relay and control

Annual Renewal
To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. For more information, contact your Smoothwall representative.

Accessing Network Guardian
To access Network Guardian, do the following:

1. In a web browser, enter the HTTPS address of your Network Guardian.

Note: Using HTTPS ensures secure communication with your Network Guardian. It is possible to use HTTP on port 81 if you are satisfied with less security.

Note: The following sections assume that you have registered and configured Network Guardian as described in the Network Guardian Installation and Setup Guide.

2. Accept Network Guardian's certificate. The login screen is displayed.

3. Enter the following information:
   Username: Enter admin. This is the default Network Guardian administrator account.
   Password: Enter the password you specified for the admin account when installing Network Guardian.

4. Click Login. The Dashboard opens.

The following sections describe Network Guardian's user interface.

Dashboard
The Dashboard is the default home page of your Network Guardian system. It displays the status of external interfaces, service information and customizable summary reports.

Logs and Reports
The Logs and reports section contains the following menu items and pages:

Reports
All report functionality, including customizing and scheduling, is found here:
- Summary: Displays a number of generated reports. For more information, refer to the Network Guardian Operations Guide.
- Reports: Where you generate and organize reports. For more information, refer to the Network Guardian Operations Guide.
- Recent and saved: Lists recently-generated and previously saved reports. For more information, refer to the Network Guardian Operations Guide.
- Scheduled: Sets which reports are automatically generated and delivered. For more information, refer to the Network Guardian Operations Guide.
- Custom: Enables you to create and view custom reports. For more information, refer to the Network Guardian Operations Guide.

Alerts
You can enable alerts and monitors from here:
- Alerts: Determine which alerts are sent to which groups of users and in what format. For more information, refer to the Network Guardian Operations Guide.
- Alert settings: Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, refer to the Network Guardian Operations Guide.

Realtime
You can watch Network Guardian's log files populate in realtime from here:
- System: A real time view of the system log with some filtering options. For more information, refer to the Network Guardian Operations Guide.
- Firewall: A real time view of the firewall log with some filtering options. For more information, refer to the Network Guardian Operations Guide.

- Email: Displays the email log viewer running in real time mode. For more information, refer to the Network Guardian Operations Guide. Note that you may not see this option if Anti-Spam is not installed. For more information, refer to the Anti-Spam Installation and Administration Guide.
- Portal: A real time view of activity on user portals. For more information, refer to the Network Guardian Operations Guide.
- IM proxy: A real time view of recent instant messaging conversations. For more information, refer to the Network Guardian Operations Guide.
- Web filter: Displays the web filter log viewer running in real time mode. For more information, refer to the Network Guardian Operations Guide.
- Traffic graphs: Displays a real time bar graph of the bandwidth being used. For more information, refer to the Network Guardian Operations Guide.

Logs
You can view and download Network Guardian's log files from here:
- System: Simple logging information for the internal system services. For more information, refer to the Network Guardian Operations Guide.
- Firewall: Displays all data packets that have been dropped or rejected by the firewall. For more information, refer to the Network Guardian Operations Guide.
- Email: Displays sender, recipient, subject and other message information. For more information, refer to the Network Guardian Operations Guide. Note that you may not see this option if Anti-Spam is not installed. For more information, refer to the Anti-Spam Installation and Administration Guide.
- IM proxy: Displays information about instant messaging conversations. For more information, refer to the Network Guardian Operations Guide.
- Web filter: Displays time, username, source IP and other web filtering information. For more information, refer to the Network Guardian Operations Guide, Web Filter Logs on page 107.
- User portal: Displays information about access by users to portals. For more information, refer to the Network Guardian Operations Guide.
- Log settings: Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, refer to the Network Guardian Operations Guide.

Settings
You set global settings for reports, alerts, and log files from here:
- Datastore settings: Contains settings to manage the storing of log files. For more information, refer to the Network Guardian Operations Guide.
- Groups: Where you create groups of users which can be configured to receive automated alerts and reports. For more information, refer to the Network Guardian Operations Guide.
- Output settings: Settings to configure the email to SMS gateway and SMTP settings used for delivery of alerts and reports. For more information, refer to the Network Guardian Operations Guide.

Networking
The Networking section contains the following sub-sections and pages:

Configuration
You configure all interfaces, whether they are NICs or software interfaces, here:
- Interfaces: Configure and display information for your Network Guardian's interfaces, including VLANs and bridges. For more information, see Configuring Global Settings for Interfaces on page 26.
- DNS: Configure static DNS settings, and DNS proxy service settings. For more information, see Using Domain Name System Services on page 40.
- Link Load Balancing: Configure load balancing pools for network interfaces. For more information, see Load Balancing Traffic on page 143.
- Source NAT & LLB policies: Configure any source NAT-ing, source mapping policies, and load balancing policies. For more information, see Using Source NATs and LLB Policies on page 147.
- Port forwards: Configure any port forwarding policies to internal network services. For more information, see Managing Inbound Traffic with Port Forwards in Chapter 10, Managing Inbound Traffic.

Filtering
You can set up filtering rules for network traffic here:
- Zone bridging: Used to define permissible communication between pairs of network zones. For more information, see About Zone Bridging Rules on page 165.
- Group bridging: Used to define the network zones that are accessible to authenticated groups of users. For more information, see About Group Bridging Rules on page 169.
- IP block: Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Creating IP Blocking Rules on page 151.
- Ethernet bridging: Used to block peer-to-peer traffic across the bridge interface. For more information, see Blocking Services on the Ethernet Bridge on page 153.

Routing
You can configure routing rules for network traffic here:
- Subnets: Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Creating Subnets on page 139.
- RIP: Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Using the Routing Information Protocol Service on page 141.

Settings
You set global settings for all networking aspects from here:
- Port groups: Create and edit groups of ports for use throughout Network Guardian. For more information, see Working with Port Groups on page 155.
- Address object manager: Create and edit IP address objects for use in networking configuration. For more information, see Working with Address Objects on page 157.
- Advanced: Used to configure advanced network and traffic auditing parameters. For more information, see Configuring Advanced Networking Features in Chapter 8, Managing Network Security.

Services
The Services section contains the following sub-sections and pages:

Authentication
You configure user authentication policies here:
- Settings: Used to set global login time settings. For more information, see Configuring Global Authentication Settings on page 178.
- Directories: Used to connect to directory servers in order to retrieve groups and apply network and web filtering permissions, and to verify the identity of users trying to access network or Internet resources. For more information, see About Directory Services on page 179.
- Groups: Used to customize group names. For more information, see Managing Groups of Users on page 190.
- Temporary bans: Enables you to manage temporarily banned user accounts. For more information, see Managing Temporarily Banned Users on page 193.
- User activity: Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Managing User Activity on page 195.
- SSL login: Used to customize the end-user SSL login page. For more information, see About SSL Authentication on page 196.
- Kerberos keytabs: This is where Kerberos keytabs are imported and managed. For more information, see Managing Kerberos Keytabs on page 198.
- BYOD: Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, refer to the Network Guardian Operations Guide.
- Chromebook: Used to configure Google credentials for Chromebook authentication. For more information, see Authenticating Chromebook Users on page 201.

User Portal
You configure and manage user portals here:
- Portals: This page enables you to configure and manage user portals. For more information, refer to the Network Guardian Operations Guide.
- Group access: This page enables you to assign groups of users to portals. For more information, refer to the Network Guardian Operations Guide.
- User access: This page enables you to override group settings and assign a user directly to a portal. For more information, refer to the Network Guardian Operations Guide.

Proxies
You configure the proxy service for Network Guardian's individual modules, including:
- Instant messenger: Configure the instant messenger proxy service. For more information, refer to the Network Guardian Operations Guide.
- FTP: Configure the FTP proxy service. For more information, refer to the Network Guardian Operations Guide.

SNMP
You enable and configure the SNMP service here:
- SNMP: Used to activate Network Guardian's Simple Network Management Protocol (SNMP) agent. For more information, refer to the Network Guardian Operations Guide.

Message Censor
You can configure filtering policies for message content here:
- Policies: Enables you to create and manage filtering policies by assigning actions to matched content. For more information, refer to the Network Guardian Operations Guide.
- Filters: This is where you create and manage filters for matching particular types of message content. For more information, refer to the Network Guardian Operations Guide.
- Time: This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, refer to the Network Guardian Operations Guide.
- Custom categories: Enables you to create and manage custom content categories for inclusion in filters. For more information, refer to the Network Guardian Operations Guide.

System
The System section contains the following sub-sections and pages:

Maintenance
You use the following pages to manage and maintain various aspects of Network Guardian:
- Updates: Used to display and install available product updates, in addition to listing currently installed updates. For more information, refer to the Network Guardian Operations Guide.
- Modules: Used to upload, view, check, install and remove Network Guardian modules. For more information, refer to the Network Guardian Operations Guide.
- Licenses: Used to display and update license information for the licensable components of the system. For more information, refer to the Network Guardian Operations Guide.
- Archives: Used to create and restore archives of system configuration information. For more information, refer to the Network Guardian Operations Guide.
- Scheduler: Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, refer to the Network Guardian Operations Guide.
- Shutdown: Used to shut down or reboot the system. For more information, refer to the Network Guardian Operations Guide.

Central Management
You can set up a centrally managed Network Guardian system here:
- Overview: This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Managing Nodes in a Smoothwall System on page 215.
- Child nodes: This is where you add and configure nodes in a Smoothwall system. For more information, see Configuring Child Nodes on page 211.
- Local node settings: This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Setting up a Centrally Managed Smoothwall System in Chapter 12, Centrally Managing Smoothwall Systems.

Preferences
You can customize your installation of Network Guardian here:
- User interface: Used to manage Network Guardian's dashboard settings. For more information, refer to the Network Guardian Operations Guide.
- Time: Used to manage Network Guardian's time zone, date and time settings. For more information, refer to the Network Guardian Operations Guide.
- Registration options: Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, refer to the Network Guardian Operations Guide.
- Hostname: Used to configure Network Guardian's hostname. For more information, refer to the Network Guardian Operations Guide.

Administration
You can enable administration access to Network Guardian here:
- Admin options: Used to enable secure access to Network Guardian using SSH, and to enable referral checking. For more information, refer to the Network Guardian Operations Guide.
- External access: Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Network Guardian. For more information, refer to the Network Guardian Operations Guide.
- Administrative users: Used to manage user accounts and set or edit user passwords on the system. For more information, refer to the Network Guardian Operations Guide.
- Tenants: Used to manage tenants. For more information, refer to the Multi-Tenant Installation and Administration Guide. Note that you may not see this option if you have not purchased a Multi-Tenant licence.

Hardware
You can configure additional hardware aspects here:
- UPS: Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, refer to the Network Guardian Operations Guide.
- Console: Configure the system console. For more information, refer to the Network Guardian Operations Guide.

Diagnostics
You can perform diagnostic tests here:
- Functionality tests: Used to ensure that your current Network Guardian settings are not likely to cause problems. For more information, refer to the Network Guardian Operations Guide.
- Configuration report: Used to create diagnostic files for support purposes. For more information, refer to the Network Guardian Operations Guide.
- IP tools: Contains the ping and trace route IP tools. For more information, refer to the Network Guardian Operations Guide.
- Whois: Used to find and display ownership information for a specified IP address or domain name. For more information, refer to the Network Guardian Operations Guide.

Certificates
You can configure Network Guardian as a Certificate Authority:
- Certificate authorities: Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, refer to the Network Guardian Operations Guide.

Guardian
The Guardian section contains the following sub-sections and pages:

Quick Links
The most commonly used Guardian functions are found here:
- Getting started: This page provides an overview of what comprises a web filter policy, a link to the default policies and an introduction to policy wizards. For more information, see Guardian Getting Started on page 54.
- Shortcuts: This page provides direct links to tasks you might do on a daily basis, such as blocking and allowing sites and running reports. For more information, see About Shortcuts on page 49.
- Quick block/allow: This page enables you to block or allow content immediately. For more information, see Blocking and Allowing Content Immediately on page 46.
- Policy tester: The policy tester enables you to test whether a URL is available to a specific person at a specific location and time. For more information, see Using the Policy Tester in Chapter 4, Working with Policies.

Web Filter Policies
You configure web filter policies here:

Manage policies: This is where you manage how web filtering policies are applied. For more information, see Managing Web Filter Policies on page 64.
Policy wizard: This is where you can configure a custom web filtering policy. For more information, see Creating Web Filter Policies on page 65.
Location blocking: Enables you to block computers at a specific location from accessing web content. For more information, see Blocking Locations on page 47.
Exceptions: Here you can exempt computers from any web filtering. For more information, see Excepting Computers from Web Filtering on page 47.
Outgoing: This is where you configure outgoing settings for a censor policy for content and/or files posted using web forms. For more information, see Censoring Web Form Content on page 87.

HTTPS Inspection Policies
You can configure HTTPS inspection policies here:

Manage policies: This is where you manage HTTPS inspection policies that decrypt and inspect encrypted communications. For more information, see Managing HTTPS Inspection Policies on page 68.
Policy wizard: This is where you create custom policies for managing encrypted communications. For more information, see Creating an HTTPS Inspection Policy on page 69.
Settings: This is where you manage CA security certificates and configure HTTPS interception messages. For more information, see Configuring HTTPS Inspection Policy Settings on page 72.

Content Modification Policies
You can configure content modification policies here:

Manage policies: This is where you manage content modification policies that apply recommended security rules and enforce SafeSearch in browsers. For more information, see Managing Content Modification Policies on page 74.
Policy wizard: Enables you to create custom policies for applying security rules and enforcing SafeSearch in browsers. For more information, see Creating a Content Modification Policy on page 75.
Content modifications: Create and manage content modification policies. For more information, see Managing Content Modification Policies on page 74.

Anti-malware Policies
You can configure anti-malware policies here:

Manage policies: This is where you manage policies that protect against malware. For more information, see Managing Anti-malware Policies on page 79.
Policy wizard: This is where you can create custom policies to protect against malware. For more information, see Creating an Anti-malware Policy on page 79.
Status page: Enables you to customize anti-malware information shown when downloading files. For more information, see Configuring Anti-malware Status Information on page 82.
Settings: This is where you enable malware protection. For more information, see Creating an Anti-malware Policy on page 79.

Block Page Policies
You can configure block page policies here:

Manage policies: This is where you manage block page policies. For more information, see Managing Block Page Policies on page 137.
Policy wizard: This is where you create and edit block page policies. For more information, see Configuring a Block Page Policy on page 136.
Block pages: This is where you create and edit block pages. For more information, see Managing Block Pages on page 132.

Policy Objects
You can configure global policy objects to be used in any Guardian policy:

Category groups: This is where you manage content categories used when applying a web filtering policy. For more information, see Working with Category Group Objects on page 55.
User defined: This is where you manage custom content categories. For more information, see Creating Custom Categories on page 56.
Time slots: This is where you create and manage time slot policy objects for use in content filtering policies. For more information, see Working with Time Slot Objects on page 59.
Locations: This is where you create and manage location policy objects for use in content filtering policies. For more information, see Working with Location Objects on page 60.
Quotas: This is where you create and manage quota policy objects for use in content filtering policies. For more information, see Working with Quota Objects on page.

Swurl
The Swurl section contains the following sub-sections and pages:

Settings: This is where you configure your organization's Swurl account. For more information, see Configuring Organization Accounts on page 89.

Web Proxy
The Web proxy section contains the following sub-sections and pages:

Web Proxy
You can manage the web proxy service here:

Settings: This is where you configure and manage web proxy settings. For more information, see Overview of the Web Proxy on page 112.
Automatic configuration: This is where you create and make available proxy auto-configuration (PAC) scripts. For more information, see Using PAC Scripts on page 116.
Bandwidth limiting: This is where you can manage how much bandwidth is made available to clients. For more information, see Limiting Bandwidth Use on page 118.
WCCP: This is where you can configure Network Guardian to join a Web Cache Coordination Protocol (WCCP) cache engine cluster. For more information, see Configuring WCCP on page 120.

Upstream Proxy
You can manage the upstream proxy service here:

Manage policies: This is where you manage upstream proxy policies. For more information, see Working with Multiple Upstream Proxies on page 128.
Proxies: This is where you configure upstream proxy settings. For more information, see Configuring an Upstream Proxy on page 123.
Filters: This is where you manage upstream proxy source and destination filters. For more information, see Configuring Source and Destination Filters on page.

Authentication
You can manage web proxy authentication here:

Manage policies: This is where you manage authentication policies, which determine which web filter policies are applied. For more information, see Chapter 5, Managing Authentication Policies on page 91.
Policy wizard: This is where you create and edit authentication policies. For more information, see Creating Authentication Policies on page 92.
Exceptions: This is where you can exempt content from authentication. For more information, see Managing Authentication Exceptions on page 103.
Ident by location: This is where you configure identification of groups and/or users by their location. For more information, see Identification by Location on page 103.

MobileProxy
You can manage the MobileProxy service here:

Settings: On this page, you configure global MobileProxy server settings. For more information, refer to the Network Guardian Operations Guide.
Proxies: On this page, you manage MobileProxy servers for use with mobile devices. For more information, refer to the Network Guardian Operations Guide.
Exceptions: On this page, you specify proxy exceptions. For more information, refer to the Network Guardian Operations Guide.

Global Proxy
The Global Proxy section contains the following sub-sections and pages:

Settings: Used to configure Secure Global Proxy. For more information, see Using Global Proxy Certificates on page 104.
Certificate activity: Used to view the Secure Global Proxy logs. For more information, see Viewing the Global Proxy Logs on page.

Configuration Guidelines
This section provides guidance about how to enter suitable values for frequently required configuration settings.

Specifying Networks, Hosts and Ports

IP Address
An IP address defines the network location of a single network host. It is entered in dotted-decimal IPv4 format.

IP Address Range
An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets.

Subnet Addresses
A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways: with a dotted-decimal netmask, or with a prefix length such as /24.

Netmasks
A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use.

Service and Ports
A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field.
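The notations above, together with the low:high port range form that the guide specifies next, as an added Python example. This is not Smoothwall code and does not reflect how the appliance validates its fields; every address and port below is a constructed sample value. It uses the standard ipaddress module, which accepts both a prefix length and a dotted-decimal netmask, and it rejects IPv6 because the guide states IPv6 is not supported.

```python
"""Parse and validate the host, range, subnet and port notations described
in the Configuration Guidelines.  Added example, not Smoothwall code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass(frozen=True)
class HostRange:
    """A sequential range of hosts from low to high; it may span subnets."""
    low: ipaddress.IPv4Address
    high: ipaddress.IPv4Address


Target = Union[ipaddress.IPv4Address, HostRange, ipaddress.IPv4Network]

# A port number or a low:high range, e.g. "22" or "137:139".
_PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


def parse_address(text: str) -> Target:
    """Accept a single IPv4 address, a low-high range, or a network.

    Networks may be written with a prefix length (192.0.2.77/24) or a
    dotted-decimal netmask (192.0.2.77/255.255.255.0).  The address part
    may be any host in the network; the host bits are masked off.
    IPv6 input raises ValueError, matching the guide's "IPv6 not supported".
    """
    text = text.strip()
    if "-" in text:
        low_s, high_s = (part.strip() for part in text.split("-", 1))
        low = ipaddress.IPv4Address(low_s)
        high = ipaddress.IPv4Address(high_s)
        if low > high:
            raise ValueError(f"range must run from low to high: {text}")
        return HostRange(low, high)
    if "/" in text:
        # strict=False permits an arbitrary host address before the mask.
        return ipaddress.IPv4Network(text, strict=False)
    # ipaddress.AddressValueError is a ValueError, so IPv6 and garbage fail here.
    return ipaddress.IPv4Address(text)


def parse_port(text: str) -> Tuple[int, int]:
    """Return (low, high) for a single port or a low:high port range."""
    match = _PORT_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a port or port range: {text!r}")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) else low
    for port in (low, high):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    if low > high:
        raise ValueError(f"port range must run from low to high: {text}")
    return low, high


def contains(target: Target, host: str) -> bool:
    """True if the parsed address, range or network covers the given host."""
    addr = ipaddress.IPv4Address(host)
    if isinstance(target, HostRange):
        return target.low <= addr <= target.high
    if isinstance(target, ipaddress.IPv4Network):
        return addr in target
    return addr == target


if __name__ == "__main__":
    # Constructed sample values in the documentation range 192.0.2.0/24.
    for sample in ("192.0.2.10", "192.0.2.250-192.0.3.5",
                   "192.0.2.77/255.255.255.0", "192.0.2.77/24"):
        print(f"{sample:30} -> {parse_address(sample)}")
    print("137:139 ->", parse_port("137:139"))
```

A range such as 192.0.2.250-192.0.3.5 is deliberately accepted even though it crosses a /24 boundary, because the guide says ranges may span subnets; a network written as 192.0.2.77/24 normalises to 192.0.2.0/24.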

Port Range
A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used: 137:139

Using Comments
Almost every configurable aspect of Network Guardian can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement. Comments are entered in the Comment fields and displayed alongside saved configuration information.

Connecting via SSH
You can access Network Guardian via a console using the Secure Shell (SSH) protocol.

Connecting Using a Client
When SSH access is enabled, you can connect to Network Guardian via a secure shell application, such as PuTTY. To connect using an SSH client:
1. Check SSH access is enabled on Network Guardian. See Configuring Administration Access Options on page 139 for more information.
2. Start PuTTY or an equivalent client.

3. Enter the following information:
   Host Name (or IP address): Enter Network Guardian's host name or IP address.
   Port: Enter 222.
   Protocol: Select SSH.
4. Click Open. When prompted, enter root, and the password associated with it. You are given access to the Network Guardian command line.

Secure Communication
When you connect your web browser to Network Guardian's web-based interface on an HTTPS port for the first time, your browser will display a warning that Network Guardian's certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity, or that you appear to be connecting to a site pretending to be another site.

Unknown Entity Warning
This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, Network Guardian's certificate is a self-signed certificate.
Note: The data traveling between your browser and Network Guardian is secure and encrypted.
To remove this warning, your web browser needs to be told to trust certificates generated by Network Guardian. To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser's documentation for information about how to import the certificate.

Inconsistent Site Address
Your browser will generate a warning if Network Guardian's certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address. A certificate can only contain a single site name, and in Network Guardian's case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match. To remove this warning, access Network Guardian using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated.
In most cases, browsers have an option you can select to ignore this warning, after which these security checks are skipped in future.

Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.
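The two checks the section describes, issuer trust and name matching, as an added Python model; it is not part of the guide and not the browser's or the appliance's code. It mirrors the rule browsers apply: the address typed in is compared against the certificate's DNS names when it is a hostname, and only against IP-address entries when it is an IP address, which is why browsing by IP to a certificate that carries just the hostname mismatches even after the certificate has been imported. The certificate names are constructed, and the wildcard handling goes beyond the guide, which describes a single-name certificate.

```python
"""Model of the browser identity checks for a self-signed appliance certificate.
Added example, not Smoothwall or browser code; names are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertIdentity:
    dns_names: List[str]                                   # subjectAltName dNSName entries
    ip_addresses: List[str] = field(default_factory=list)  # subjectAltName iPAddress entries
    trusted_issuer: bool = False   # True once the self-signed certificate has been imported


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name comparison with RFC 6125 style wildcards:
    a single '*' is allowed only as the whole left-most label and matches
    exactly one label, so *.example.internal does not match example.internal."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_identity(cert: CertIdentity, accessed_as: str) -> List[str]:
    """Return the warnings a browser would raise; an empty list means no warning."""
    warnings = []
    if not cert.trusted_issuer:
        warnings.append("unknown issuer (self-signed certificate not imported)")
    try:
        ip = ipaddress.ip_address(accessed_as)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP address in the URL is matched only against iPAddress entries,
        # never against the hostname, so the hostname-only certificate fails.
        name_ok = any(ipaddress.ip_address(a) == ip for a in cert.ip_addresses)
    else:
        name_ok = any(_dns_match(p, accessed_as) for p in cert.dns_names)
    if not name_ok:
        warnings.append(f"name mismatch: certificate does not name {accessed_as!r}")
    return warnings


if __name__ == "__main__":
    # Constructed: the appliance certificate carries only its hostname.
    cert = CertIdentity(["guardian.example.internal"])
    print(check_identity(cert, "guardian.example.internal"))  # unknown issuer only
    cert.trusted_issuer = True
    print(check_identity(cert, "guardian.example.internal"))  # no warnings
    print(check_identity(cert, "192.0.2.1"))                   # name mismatch
```

Importing the certificate clears the first warning but not the second; only accessing the appliance by the name in its certificate clears both, which is the guide's recommendation.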

2 Working with Interfaces
This chapter describes how to configure the network cards and interfaces on your Network Guardian, including:
About Network Interfaces and Roles on page 23
Creating an External Connection on page 25
Adding a New Interface on page 27
Allocating IP Addresses to Interfaces on page 28
Configuring Bonded Interfaces on page 30
Using Virtual Local Area Networks on page 33
Configuring Transparent Bridges on page 34
Using a Point-to-Point Protocol over Ethernet Interface on page 37
Using Domain Name System Services on page 40

About Network Interfaces and Roles
Note: Support for Internet connections using dial-up modems has been withdrawn. For more information, contact your Smoothwall representative.
Interface can refer to both a software interface, such as a virtual LAN, and a physical network interface card (NIC). Within Network Guardian, interface typically refers to a software interface, whereas NICs have roles. The following NIC roles are supported:

External: External interfaces connect your network to the Internet. For a detailed description of how to configure an external role, see Creating an External Connection on page 25.

Basic interface: Typically, basic interfaces deal with internal network traffic. During installation, a basic interface is reserved, and configured to provide a direct link to Network Guardian, either through the administration user interface, or through secure shell (SSH). For a detailed description of how to add an IP address to a basic interface, see Allocating IP Addresses to Interfaces on page 28.
Bond member: A bond member is one of two or more NICs combined together to provide high availability. A Bonding interface acts as the combination. For a detailed description of how to configure a bond member, see Configuring Bonded Interfaces on page 30.
Bridge member: A bridge member is one of two or more NICs that bridge separate network zones together. A Bridge interface acts as the connection between NICs. For a detailed description of how to configure a bridge member, see Configuring Transparent Bridges on page 34.

The following interfaces are supported:

Bonding: A Bonding interface is a software interface that combines NICs to provide high availability. For a detailed description of how to configure a bonded interface, see Configuring Bonded Interfaces on page 30.
VLAN: A virtual local area network (VLAN) is a virtual network zone. VLAN interfaces are software interfaces, associated with a NIC. For a detailed description of how to configure a VLAN interface, see Using Virtual Local Area Networks on page 33.
Bridge: A Bridge interface is a software interface that links network zones, that is, NICs, together. For a detailed description of how to configure a bridge interface, see Configuring Transparent Bridges on page 34.
PPPoE: A Point-to-Point Protocol over Ethernet (PPPoE) interface connects network zones using modems, or similar devices. For a detailed description of how to configure a PPPoE interface, see Using a Point-to-Point Protocol over Ethernet Interface on page 37.

New NICs added to your appliance are automatically added to the configuration as a BASIC interface. You must configure additional interfaces for Internet connections, connections from internal clients for web filtering purposes, and so on.
Note: The configuration entered for the NIC during the installation is to allow access to Network Guardian from the administration user interface. For more information, refer to the Network Guardian Installation Guide.

Creating an External Connection
Internet connections are made through the NIC configured as External. You can choose to configure this with a static IP address, or with one set by your ISP's DHCP server.
Note: External connection does not refer to those connections that use a PPPoE interface. For a detailed description of how to configure a PPPoE connection, see Using a Point-to-Point Protocol over Ethernet Interface on page 37.
To create an external connection, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. Highlight the relevant interface, and click Edit.
3. Configure the following:
   Name: Configure a meaningful name for this connection.
   Use as: Select External.
   Spoof MAC: If MAC address spoofing is required, enter the new MAC address here.
   MTU: If required, you can set the Maximum Transmission Unit (MTU) size, in bytes, for packets using this connection.
   Comment: Configure an optional comment for this external interface. An additional button, Show comments, is displayed on the Ethernet interfaces table if any comments are configured. Clicking this displays configured comments under the interface name.
4. Click Add.

You must assign the IP address, and gateway if provided, as advised by your ISP. This can either be a static IP address or one assigned dynamically. For a detailed description of how to do this, see Allocating IP Addresses to Interfaces on page 28.
Note: IPv6 is not yet supported. For more information, refer to your Smoothwall representative.

About Load Balancing Traffic over External Connections
If multiple external connections are configured on the appliance, Network Guardian balances external-destined traffic, according to weighting, across all functioning connections. This way, a failed connection should not have any noticeable impact on network clients. For a detailed description of how to configure link load balancing weighting, see Load Balancing Traffic on page 143.

Editing an External Connection
To edit an external interface, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, highlight the relevant external interface, and click Edit.
3. Edit the configuration as required. For a detailed description of each setting, see Creating an External Connection on page 25.
4. Click Save changes.

Deleting an External Connection
You cannot delete an external connection as this is typically a port on the appliance. To remove an external interface, you delete the IP addresses allocated to the interface. For a detailed description of how to do this, see Deleting Allocated IP Addresses on page 30.
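The behaviour described under About Load Balancing Traffic over External Connections, as an added Python model. It is not Network Guardian's implementation; it only illustrates the stated rules: traffic is spread over the functioning gateways in proportion to their configured Bandwidth (normalising the kbps/Mbps choice), a gateway that connection monitoring reports as down receives nothing, and, as the IP address parameters later in this chapter note, a gateway with monitoring disabled is always assumed to be up. The gateway names and bandwidth values are constructed; hashing each flow to a gateway is this model's choice, not a documented appliance behaviour.

```python
"""Weighted selection of an external gateway per flow, skipping failed links.
Added example, not Smoothwall code; gateway values are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Gateway:
    name: str
    bandwidth: int          # the Bandwidth value entered for the gateway
    unit: str = "kbps"      # "kbps" or "Mbps", as selected in the UI
    monitored: bool = True  # the Connection monitoring setting
    up: bool = True         # latest result of connection monitoring

    def weight_kbps(self) -> int:
        """Normalise the configured value so weights are comparable."""
        if self.unit == "Mbps":
            return self.bandwidth * 1000
        if self.unit == "kbps":
            return self.bandwidth
        raise ValueError(f"unknown unit {self.unit!r}")

    def usable(self) -> bool:
        # With monitoring disabled the gateway is always assumed to have an
        # internet connection, which is why the guide says to leave it enabled.
        return self.up or not self.monitored


def choose_gateway(gateways: List[Gateway], flow_key: str) -> Gateway:
    """Pick a gateway for one flow.

    The flow key (for example "client,server,port") is hashed so that a
    given flow sticks to one gateway, and the share of flows each gateway
    receives is proportional to its weight among the functioning gateways.
    """
    live = [g for g in gateways if g.usable()]
    if not live:
        raise RuntimeError("no functioning external connection")
    if len(live) == 1:
        return live[0]   # a single gateway: no balancing, the weight is irrelevant
    total = sum(g.weight_kbps() for g in live)
    digest = hashlib.sha256(flow_key.encode()).digest()
    point = int.from_bytes(digest[:8], "big") % total
    for g in live:
        point -= g.weight_kbps()
        if point < 0:
            return g
    return live[-1]


def distribution(gateways: List[Gateway], flows: int = 10000) -> Dict[str, int]:
    """Count how many of `flows` constructed flows land on each gateway."""
    counts = {g.name: 0 for g in gateways}
    for i in range(flows):
        counts[choose_gateway(gateways, f"flow-{i}").name] += 1
    return counts


if __name__ == "__main__":
    # Constructed: a 100 Mbps link and a 20000 kbps (20 Mbps) link.
    links = [Gateway("isp-a", 100, "Mbps"), Gateway("isp-b", 20000, "kbps")]
    print("both up:", distribution(links))          # roughly 5:1 in favour of isp-a
    links[0].up = False
    print("isp-a down:", distribution(links))       # everything moves to isp-b
```

Marking a gateway down moves every new flow to the remaining link without any change to configuration, which is the "no noticeable impact" the guide describes; the example also shows why the Bandwidth value can be left at 1 when only one gateway exists.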

Monitoring External Connections Status
You can monitor the status of all external connections configured on your appliance, using Network Guardian's Dashboard. To view the status of all external connections, do the following:
From the menu list, browse to Dashboard.
For more information about the Dashboard, refer to the Network Guardian Operations Guide.

Adding a New Interface
In addition to the NICs on your Network Guardian appliance, you can create additional interfaces to process network traffic. You do this as follows:
1. Browse to Networking > Configuration > Interfaces.
2. Click Add new interface.

3. The parameters available to configure change depending on the Type of interface you select. For more information, see:
   Bonding: Configuring Bonded Interfaces on page 30
   VLAN: Using Virtual Local Area Networks on page 33
   Bridge: Configuring Transparent Bridges on page 34
   PPPoE: Using a Point-to-Point Protocol over Ethernet Interface on page 37
4. Click Add.
Basic interfaces are added automatically when a new NIC is detected. For a detailed description of how to change a basic interface to an external interface, see Creating an External Connection on page 25.

Allocating IP Addresses to Interfaces
Typically, you assign an IP address to the interface during installation; refer to the Network Guardian Installation Guide. If required, you can assign additional IP addresses to an interface, for example:
- An extra static IP address, for later use.
- An IP address, set by DHCP, on an interface with a static IP address already assigned.
- An IP address alias on a PPPoE interface. For a detailed description of how to add an IP address alias to a PPPoE interface, see Adding Alias IP Addresses on page 39.
Note: IPv6 is not yet supported. For more information, refer to your Smoothwall representative.

Adding an IP Address
To add an IP address, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. Click the IP addresses link for the relevant interface to display the Attached addresses table.
3. Click Add new IP address.
4. Configure the following:
   Status: New IP addresses are enabled by default. Clear the check box to create a disabled IP address.
   Type: Choose whether this IP address is assigned a static IP address (Static IPv4), or an IP address assigned via DHCP (DHCP IPv4).

   Depending on the type of IP address, additional parameters may require configuration:
   Static IPv4:
     IP address: Enter the additional IP address for this interface.
     Subnet mask: Enter the subnet mask for the IP address.
     Gateway: If traffic from this IP address needs to go through a gateway, select User defined, and either enter it into the box provided, or choose it from the drop-down list. Otherwise, leave None selected.
     Bandwidth: This parameter is only displayed if a User defined Gateway is configured. If multiple gateways are configured and used, enter the minimum bandwidth used to load balance traffic between connections. If a single gateway is configured, load balancing is not used, so this parameter can be left at 1. Select whether the configured value is in kilobits per second (kbps), or in megabits per second (Mbps).
     Connection monitoring: This parameter is only displayed if a User defined Gateway is configured. Connection monitoring is enabled by default. It is not recommended that you disable connection monitoring; otherwise Network Guardian assumes the gateway always has an internet connection.
   DHCP IPv4:
     Bandwidth: If multiple gateways are configured and used, enter the minimum bandwidth used to load balance traffic between connections. If a single gateway is configured, load balancing is not used, so this parameter can be left at 1. Select whether the configured value is in kilobits per second (kbps), or in megabits per second (Mbps).
     Connection monitoring: Connection monitoring is enabled by default. It is not recommended that you disable connection monitoring; otherwise Network Guardian assumes the gateway always has an internet connection.
     DHCP client hostname: Optionally, enter the DHCP client hostname as specified by the DHCP server.
   Comment: Configure an optional comment for this IP address.

   An additional button, Show comments, is displayed on the Attached addresses table if any comments are configured. Clicking this displays configured comments under the IP address.
5. Click Add.

Editing Allocated IP Addresses
To edit an allocated IP address, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, highlight the interface, and click IP addresses.
3. From the Attached addresses table, highlight the relevant IP address and click Edit.
4. Edit the configuration as required. For a detailed description of each setting, see Using Virtual Local Area Networks on page 33.
5. Click Save changes.

Deleting Allocated IP Addresses
Note: You cannot delete IP addresses that are assigned elsewhere, for example, used as part of a port forwarding rule (see Managing Inbound Traffic with Port Forwards on page 173) or source NAT policy (see Using Source NATs and LLB Policies on page 147).
To delete an allocated IP address, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, highlight the interface, and click IP addresses.
3. From the Attached addresses table, locate and highlight the relevant IP address.
4. Click Delete.

Configuring Bonded Interfaces
Network interface card (NIC) bonding involves combining the cards in parallel, in order to increase throughput, provide high availability, and provide redundancy should one of the links fail. Network Guardian enables you to bind two or more NICs into a single bond.

Creating Bonds
You must first create the parent bonded interface, before adding the bonded interfaces. If required, a bridge member interface can also be used as a bonded interface.

To create a bond:
1. Browse to Networking > Configuration > Interfaces.
2. Click Add new interface.
3. Configure the following:
   Name: Configure a meaningful name for this bond.
   Type: Select Bonding.
   Ports: Select the relevant Network Guardian ports to be used as bonded interfaces.
   Use as: Select whether this bonded interface is an External interface, Basic interface, or a Bridge member. Depending on the usage of the interface, additional parameters may require configuration:
     External: None.
     Basic interface: Default IP address. Configure the default IP address for this bond.
     Bridge member: Bridge interface. From the drop-down list, select the parent bridge interface.
   MAC: The MAC address for this bonded interface is taken from the MAC address of the Port selected earlier. If MAC address spoofing is required, enter the new MAC address here.
   Comment: Configure an optional comment for this bond.

   An additional button, Show comments, is displayed on the Ethernet interfaces table if any comments are configured. Clicking this displays configured comments under the interface name.
4. Click Add.
Network Guardian adds a BOND interface to the Ethernet interfaces table, and changes the Role of the selected Port to Bond member.

To add additional bonded interfaces, do the following:
1. Highlight the relevant interface, and click Edit.
2. Configure the following:
   Name: Configure a meaningful name for this bonded interface.
   Use as: Select Bond member.
   Bonding interface: From the drop-down list, select the parent bonded interface.
   Spoof MAC: If MAC address spoofing is required, enter the new MAC address here.
   MTU: If required, you can set the Maximum Transmission Unit (MTU) size, in bytes, for packets using this bonded interface.
   Comment: Configure an optional comment for this bonded interface. An additional button, Show comments, is displayed on the Ethernet interfaces table if any comments are configured. Clicking this displays configured comments under the interface name.
3. Click Save changes.

Editing Bonds
To edit a bond member, or bond interface, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, highlight the relevant bond, or bonded interface, and click Edit.
3. Edit the configuration as required. For a detailed description of each setting, see Creating Bonds on page 30.
4. Click Save changes.

Deleting a Bond Interface
Note: You cannot delete a bond member, as this is a physical port on the appliance. To remove a bond member from a bond, you must change the interface's Role to Basic.
To delete a BOND interface, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, locate and highlight the relevant bond.
3. Click Delete.
4. When prompted, confirm the deletion.

Using Virtual Local Area Networks
You can create Virtual Local Area Networks (VLANs) to isolate resources, similar to creating network zones. In Network Guardian, you can create VLAN interfaces, and associate multiple VLANs to a NIC of any role. Each VLAN is treated by Network Guardian as an isolated network zone.

Creating a VLAN
The parent VLAN interface must exist before additional VLAN interfaces can be associated with it. If required, a bridge member interface can also be used as a VLAN interface.
To create a VLAN, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. Click Add new interface.
3. Configure the following:
   Name: Configure a meaningful name for this VLAN.
   Type: Select VLAN.
   Parent interface: From the drop-down list, select the interface to bind this VLAN to.
   VLAN tag: Enter the VLAN tag for this VLAN. This ensures that traffic from this VLAN is recognized and allowed through the interface. If there is no tag assigned to this VLAN, select Untagged.
   Use as: Select whether this VLAN interface is an External interface, Basic interface, or a Bridge member.

   Depending on the usage of the interface, additional parameters may require configuration:
     External: None.
     Basic interface: Default IP address. Configure the default IP address for this VLAN.
     Bridge member: Bridge interface. From the drop-down list, select the parent bridge interface.
   Spoof MAC: If MAC address spoofing is required, enter the new MAC address here.
   Comment: Configure an optional comment for this VLAN interface. An additional button, Show comments, is displayed on the Ethernet interfaces table if any comments are configured. Clicking this displays configured comments under the interface name.
4. Click Add.

Editing a VLAN
To edit a VLAN, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, highlight the relevant VLAN, and click Edit.
3. Edit the configuration as required. For a detailed description of each setting, see Creating a VLAN on page 33.
4. Click Save changes.

Deleting a VLAN
To delete a VLAN interface, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, locate and highlight the relevant VLAN.
3. Click Delete.
4. When prompted, confirm the deletion.

Configuring Transparent Bridges
It is possible to deploy Network Guardian in-line using two or more NICs to create a transparent bridge on which Deep Packet Inspection is possible.

Creating Bridges
You must first create the parent bridge interface, before adding the bridge member interfaces.

To create a bridge interface, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. Click Add new interface.
3. Configure the following:
   Name: Configure a meaningful name for this bridge.
   Type: Select Bridge.
   Ports: Select the relevant Network Guardian ports to be used as bridge members.
   Use as: Select whether this bridge is for External traffic or internal traffic (Basic interface).
   Default IP address: This option is only available if the interface is Basic. Configure the default IP address for this bridge.
   MAC: The MAC address for this bridge is taken from the MAC address of the Port selected earlier. If MAC address spoofing is required, enter the new MAC address here.
   Comment: Configure an optional comment for this bridge. An additional button, Show comments, is displayed on the Ethernet interfaces table if any comments are configured. Clicking this displays configured comments under the interface name.
4. Click Add.
Network Guardian adds a BRIDGE interface to the Ethernet interfaces table, and changes the Role of the selected Port to Bridge member.

To add additional bridge members, do the following:
1. Highlight the relevant interface, and click Edit.
2. Configure the following:
   Name: Configure a meaningful name for this bridge member.
   Use as: Select Bridge member.
   Bridge interface: From the drop-down list, select the parent bridging interface.
   Spoof MAC: If MAC address spoofing is required, enter the new MAC address here.
   MTU: If required, you can set the Maximum Transmission Unit (MTU) size, in bytes, for packets using this bridge member.
   Comment: Configure an optional comment for this bridge member. An additional button, Show comments, is displayed on the Ethernet interfaces table if any comments are configured. Clicking this displays configured comments under the interface name.
3. Click Save changes.

Editing Bridges
To edit a bridge or bridge member, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, highlight the relevant bridge or bridge member, and click Edit.
3. Edit the configuration as required. For a detailed description of each setting, see Creating Bridges on page 34.
4. Click Save changes.

Deleting Bridge Interfaces
Note: You cannot delete a bridge member as this is a physical port on the appliance. To remove a bridge member from a bridge, you must change the interface's Role to Basic.
To delete a BRIDGE interface, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, locate and highlight the relevant bridge.
3. Click Delete.
4. When prompted, confirm the deletion.
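The bond, VLAN and bridge procedures above share a small set of rules: a bond or bridge is built from two or more NICs, the parent interface must exist before its members, a port holds one role at a time, a physical port is never deleted but re-roled to Basic, and a VLAN can hang off an interface of any role (Untagged or tagged). The following added Python model encodes those rules so that a planned change can be checked before it is made in the UI. It is not Smoothwall code and does not reflect the appliance's internal representation; interface names are constructed, and the 1 to 4094 tag range is the 802.1Q limit, an assumption the guide itself does not state.

```python
"""Model of NIC roles and the ordering/deletion rules in this chapter.
Added example, not Smoothwall code; interface names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BASIC = "Basic interface"
EXTERNAL = "External"
BOND_MEMBER = "Bond member"
BRIDGE_MEMBER = "Bridge member"


@dataclass
class Nic:
    name: str
    role: str = BASIC             # new NICs are always added as BASIC
    parent: Optional[str] = None  # bond or bridge this port belongs to


@dataclass
class Appliance:
    nics: Dict[str, Nic] = field(default_factory=dict)
    bonds: Dict[str, List[str]] = field(default_factory=dict)    # name -> member ports
    bridges: Dict[str, List[str]] = field(default_factory=dict)  # name -> member ports
    vlans: Dict[str, Tuple[str, Optional[int]]] = field(default_factory=dict)  # name -> (parent, tag)

    def add_nic(self, name: str) -> None:
        self.nics[name] = Nic(name)

    def _claim_ports(self, kind: str, name: str, ports: List[str], role: str) -> None:
        # Bonds and bridges need two or more NICs, and the parent is created
        # first, so it is the parent that claims the ports and sets their role.
        if len(ports) < 2:
            raise ValueError(f"a {kind} needs two or more NICs")
        for port in ports:
            if port not in self.nics:
                raise ValueError(f"unknown NIC {port}")
            if self.nics[port].role != BASIC:
                raise ValueError(f"{port} already has role {self.nics[port].role}")
        for port in ports:
            self.nics[port].role, self.nics[port].parent = role, name

    def create_bond(self, name: str, ports: List[str]) -> None:
        self._claim_ports("bond", name, ports, BOND_MEMBER)
        self.bonds[name] = list(ports)

    def create_bridge(self, name: str, ports: List[str]) -> None:
        self._claim_ports("bridge", name, ports, BRIDGE_MEMBER)
        self.bridges[name] = list(ports)

    def create_vlan(self, name: str, parent: str, tag: Optional[int]) -> None:
        """Attach a VLAN to a NIC of any role or to a bond/bridge; tag None is Untagged."""
        if parent not in self.nics and parent not in self.bonds and parent not in self.bridges:
            raise ValueError(f"parent interface {parent} does not exist")
        if tag is not None and not 1 <= tag <= 4094:  # 802.1Q range (assumption)
            raise ValueError("VLAN tag must be 1 to 4094, or None for Untagged")
        self.vlans[name] = (parent, tag)

    def delete_nic(self, name: str) -> None:
        # A NIC is a physical port: it cannot be deleted, only given the Basic role.
        raise ValueError(f"{name} is a physical port; change its role to {BASIC} instead")

    def _release(self, members: List[str]) -> List[str]:
        # This model returns members to BASIC when their parent is deleted;
        # the guide only states that members themselves cannot be deleted.
        for port in members:
            self.nics[port].role, self.nics[port].parent = BASIC, None
        return members

    def delete_bond(self, name: str) -> List[str]:
        return self._release(self.bonds.pop(name))

    def delete_bridge(self, name: str) -> List[str]:
        return self._release(self.bridges.pop(name))


if __name__ == "__main__":
    box = Appliance()
    for nic in ("eth0", "eth1", "eth2", "eth3"):
        box.add_nic(nic)
    box.create_bond("bond0", ["eth1", "eth2"])
    box.create_vlan("vlan10", "bond0", 10)
    print({n: nic.role for n, nic in box.nics.items()})
    print("released:", box.delete_bond("bond0"))
```

Trying to reuse a port that is already a bond member for a bridge, or to build a bridge from a single port, fails at validation time rather than after a partial change, which is the point of checking the plan first.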

Using a Point-to-Point Protocol over Ethernet Interface

You can create a Point-to-Point Protocol over Ethernet (PPPoE) interface.

To create a PPPoE interface, do the following:

1. Browse to Networking > Configuration > Interfaces.
2. Click Add new interface.
3. Configure the following:
   Name: Configure a meaningful name for the PPPoE interface.
   Type: Select PPPoE.
   Parent interface: From the drop-down list, select the interface to bind the PPPoE connection to.
   Username: Enter the username supplied by your ISP for this connection.
   Password: Enter the password supplied by your ISP for this connection.
   Confirm: Re-enter the password. Do not copy and paste it from Password.
   Bandwidth: Enter the minimum bandwidth used to load balance traffic from this connection across multiple gateways. Select whether the configured value is in kilobits per second (kbps), or in megabits per second (Mbps).
   Connection monitoring: Connection monitoring is enabled by default.

   It is not recommended that you disable this option; otherwise, Network Guardian always assumes the gateway has an internet connection.
   MTU: If required, you can set the Maximum Transmission Unit (MTU) size, in bytes, for packets using this connection.
   Advanced options: If your PPPoE connection makes use of a service or concentrator, click Advanced options and configure the following:
      Service: If required, enter the service name as specified by your ISP.
      Concentrator: If required, enter the concentrator name as specified by your ISP.
   Comment: Configure an optional comment for this PPPoE interface. An additional button, Show comments, is displayed on the Ethernet interfaces table if any comments are configured. Clicking this displays configured comments under the interface name.
4. Click Add.

Editing a PPPoE Interface

To edit a PPPoE interface, do the following:

1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, highlight the relevant PPPoE interface, and click Edit.
3. Edit the configuration as required. For a detailed description of each setting, see Using a Point-to-Point Protocol over Ethernet Interface.
4. Click Save changes.

Deleting Parent PPPoE Interfaces

Note: You cannot delete a PPPoE interface, only the parent interface itself, as this is typically a port on the appliance. To remove a PPPoE interface, you must change the interface's Role to Basic.

To delete a parent PPPoE interface, do the following:

1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, locate and highlight the relevant PPPoE interface.
3. Click Delete.
4. When prompted, confirm the deletion.

Adding Alias IP Addresses

You can assign IP address aliases to the PPPoE interface for management and operational purposes.

To assign alias IP addresses, do the following:

1. Browse to Networking > Configuration > Interfaces.
2. Click the Alias IP addresses link for the relevant PPPoE interface to display the Alias IP addresses table.
3. Click Add new IP address.
4. Configure the following:
   IP address: Enter the alias IP address for this PPPoE interface.
   Status: New alias IP addresses are enabled by default. Clear the check box to create a disabled alias IP address.
   Comment: Configure an optional comment for this IP address. An additional button, Show comments, is displayed on the Alias IP addresses table if any comments are configured. Clicking this displays configured comments under the IP address.
5. Click Add.

Editing Alias IP Addresses

To edit an alias IP address, do the following:

1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, highlight the PPPoE interface, and click Alias IP addresses.
3. From the Alias IP addresses table, highlight the relevant IP address and click Edit.
4. Edit the configuration as required. For a detailed description of each setting, see Adding Alias IP Addresses.
5. Click Save changes.

Deleting an Alias IP Address

To delete an alias IP address, do the following:

1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, highlight the PPPoE interface, and click Alias IP addresses.
3. From the Alias IP addresses table, locate and highlight the relevant IP address.
4. Click Delete.

Using Domain Name System Services

You can configure domain name system (DNS) services for Network Guardian to use from the DNS page.

Configuring Global DNS Settings

A DNS resolver translates domain names back into IP addresses. You can configure Network Guardian to either use its own internal DNS proxy to resolve domain names, or specify an external server to use. Network Guardian's default behavior is to use the internal DNS server, unless one has been specified during installation; refer to the Network Guardian Installation Guide.

To change the DNS server in use, do the following:

1. Browse to Networking > Configuration > DNS.
2. From the Global panel, choose the System DNS resolver:
   System internal DNS server: You must ensure you configure the details for the DNS server that the DNS proxy uses to resolve DNS requests. For more information, see Configuring the DNS Servers on page 41.
   User defined: Further parameters are displayed:
      Primary DNS: Enter the IP address of the primary DNS server to use.

      Secondary DNS: Optionally, enter the IP address of the secondary DNS server to use.
3. Click Save changes.

Configuring the DNS Servers

The DNS proxy service is used to provide internal and external name resolution services for local network hosts. You can configure a list of DNS servers for the DNS proxy service to use when resolving requests. You can also apply a load balancing pool to a specific DNS server to ensure that connections from your Internet Service Provider (ISP) are sent to their own DNS server; this is a requirement of most ISPs, to ensure requests to their DNS servers are made over their connections.

To add DNS servers, do the following:

1. Browse to Networking > Configuration > DNS.
2. From the DNS forwarders panel, click Add new DNS forwarder.
3. Configure the following:
   Status: New DNS forwarders are enabled by default. Clear the check box to create a disabled DNS forwarder.
   Server IP address: Either enter the server IP addresses, or click the down arrow and select the relevant DNS IP addresses, or ranges. Optionally, select Save selected objects as group to create a new address object that can be re-used in other areas of Network Guardian's user interface without re-entering each individual IP address, or address range. For more information about using address objects, see Working with Address Objects on page 157.
   Link Load Balancing pool or Local IP address: To assign a load balancing pool to this DNS server, select the relevant pool from the drop-down list. If the DNS server is not globally accessible, it is recommended you assign a load balancing pool. Alternatively, leave this option as Default to use the Default LLB pool configured under Networking > Configuration > Source NAT & LLB policies (see Using Source NATs and LLB Policies on page 147).
   Comment: Configure an optional comment for this DNS server. An additional button, Show comments, is displayed on the DNS forwarders table if any comments are configured.
   Clicking this displays configured comments under the server IP address.
4. Click Add.

In order for network clients to use Network Guardian's DNS proxy service, you must ensure an external access rule for DNS, on port 53, exists for the interface they use to connect to Network Guardian. You do this as follows:

1. Browse to System > Administration > External access.

2. Add an external access rule for the following:
   Interface: Select the interface network clients use to connect to Network Guardian.
   Service: DNS proxy (53)

For a detailed description of using external access rules, including how to configure them, refer to the Network Guardian Operations Guide.

Editing DNS Servers

To edit a DNS server, do the following:

1. Browse to Networking > Configuration > DNS.
2. From the DNS forwarders table, highlight the DNS server, and click Edit.
3. Edit the configuration as required. For a detailed description of each setting, see Configuring the DNS Servers on page 41.
4. Click Save changes.

Deleting DNS Servers

To delete an existing DNS server, do the following:

1. Browse to Networking > Configuration > DNS.
2. From the DNS forwarders table, locate and highlight the relevant DNS server.
3. Click Delete.

Using Conditional DNS Forwarders

You can configure a list of additional DNS servers to override the DNS servers configured in the DNS forwarders table (see Configuring the DNS Servers on page 41) within specific domains. For example, an Active Directory domain may be required to query an internal DNS server for internal hostnames, rather than an external server.

To configure domain-specific DNS servers, do the following:

1. Browse to Networking > Configuration > DNS.
2. From the Conditional DNS forwarders table, click Add new conditional DNS forwarder.
3. Configure the following:
   Status: New DNS servers are enabled by default. Clear the check box to create a disabled DNS server.
   Server IP: From the drop-down list, select the IP address of the domain-specific DNS server.
   Domains: Enter the domains that belong to this DNS server.
   Comment: Configure an optional comment for this DNS server. An additional button, Show comments, is displayed on the Conditional DNS forwarders table if any comments are configured. Clicking this displays configured comments under the server IP address.
4. Click Add.

Editing Domain-Specific DNS Servers

To edit a domain-specific DNS server, do the following:

1. Browse to Networking > Configuration > DNS.
2. From the Conditional DNS forwarders table, highlight the DNS server, and click Edit.
3. Edit the configuration as required. For a detailed description of each setting, see Using Conditional DNS Forwarders.
4. Click Save changes.

Deleting Domain-Specific DNS Servers

To delete an existing domain-specific DNS server, do the following:

1. Browse to Networking > Configuration > DNS.
2. From the Conditional DNS forwarders table, locate and highlight the relevant DNS server.
3. Click Delete.

Note: Deleting a DNS server from the Conditional DNS forwarders table does not remove it from the DNS forwarders table. To ensure the DNS server is not used by any network client, it should be removed from both tables.

Mapping Static DNS Hosts

Adding static DNS hosts allows the DNS proxy to override, or add to, external DNS resolutions. Hostname to IP address mappings affect all hosts using the DNS proxy. However, it should be noted that your installation of Network Guardian may not be configured to use the DNS proxy. For more information, see Configuring Global DNS Settings on page 40 and Configuring the DNS Servers on page 41.

Note: Network Guardian itself resolves static hostnames regardless of whether the DNS proxy service is enabled.

To map a static DNS host, do the following:

1. Browse to Networking > Configuration > DNS.
2. Click Add new static DNS host.
3. Configure the following:
   Status: New DNS host mappings are enabled by default. Clear the check box to create a disabled DNS host mapping.
   Host IP addresses: Either enter the host IP addresses, or click the down arrow and select the relevant DNS IP addresses, or ranges.
   Optionally, select Save selected objects as group to create a new address object that can be re-used in other areas of Network Guardian's user interface without re-entering each individual IP address, or address range. For more information about using address objects, see Working with Address Objects on page 157.
   Hostnames: Enter the hostnames to resolve from the IP addresses. You can either enter a single hostname, or list multiple hosts, each on a new line.
   Comment: Configure an optional comment for this DNS host.

   An additional button, Show comments, is displayed on the Static DNS hosts table if any comments are configured. Clicking this displays configured comments under the IP address.
4. Click Add.

Editing Static DNS Hosts

To edit a static DNS host, do the following:

1. Browse to Networking > Configuration > DNS.
2. From the Static DNS hosts table, highlight the DNS host, and click Edit.
3. Edit the configuration as required. For a detailed description of each setting, see Mapping Static DNS Hosts.
4. Click Save changes.

Deleting Static DNS Hosts

To delete an existing static DNS host, do the following:

1. Browse to Networking > Configuration > DNS.
2. From the Static DNS hosts table, locate and highlight the relevant DNS host.
3. Click Delete.
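The DNS sections above describe three tables that the DNS proxy consults: static DNS hosts override external resolution, conditional forwarders override the default forwarders within their domains, and the enabled DNS forwarders handle everything else. The following is an added Python illustration of that precedence (including disabled rows, and a more specific conditional domain winning over a broader one); it is not Smoothwall's code, and the class and function names, as well as the sample addresses, are constructed for this example.

```python
"""Added example: which table answers a DNS proxy query, following the
precedence described in the guide.  Not Smoothwall's implementation;
all names and sample data here are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Forwarder:
    """One row of the DNS forwarders table."""
    server: str
    enabled: bool = True
    llb_pool: str = "Default"


@dataclass
class ConditionalForwarder:
    """One row of the Conditional DNS forwarders table."""
    server: str
    domains: List[str]
    enabled: bool = True


@dataclass
class StaticHost:
    """One row of the Static DNS hosts table (hostnames listed one per line)."""
    addresses: List[str]
    hostnames: List[str]
    enabled: bool = True


@dataclass
class DnsProxyConfig:
    forwarders: List[Forwarder] = field(default_factory=list)
    conditional: List[ConditionalForwarder] = field(default_factory=list)
    static_hosts: List[StaticHost] = field(default_factory=list)


def _normalise(name: str) -> str:
    return name.strip().rstrip(".").lower()


def _in_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it."""
    name, domain = _normalise(name), _normalise(domain)
    return name == domain or name.endswith("." + domain)


def resolve_plan(cfg: DnsProxyConfig, qname: str) -> Tuple[str, object]:
    """Return ("static", [addresses]) if an enabled static host mapping answers
    the query, ("conditional", server) if an enabled conditional forwarder
    covers the name (the most specific domain wins), otherwise
    ("forwarders", [servers]) listing the enabled default forwarders in
    table order."""
    # 1. Static DNS hosts override, or add to, external resolution.
    for entry in cfg.static_hosts:
        if entry.enabled and any(_normalise(h) == _normalise(qname)
                                 for h in entry.hostnames):
            return ("static", list(entry.addresses))
    # 2. Conditional forwarders override the default forwarders within
    #    their domains.  Pick the longest matching domain.
    best: Optional[Tuple[int, str]] = None
    for cf in cfg.conditional:
        if not cf.enabled:
            continue
        for dom in cf.domains:
            if _in_domain(qname, dom):
                depth = _normalise(dom).count(".") + 1
                if best is None or depth > best[0]:
                    best = (depth, cf.server)
    if best is not None:
        return ("conditional", best[1])
    # 3. Everything else goes to the enabled DNS forwarders.
    return ("forwarders", [f.server for f in cfg.forwarders if f.enabled])


# Constructed sample configuration; addresses are documentation ranges,
# not real servers.
SAMPLE = DnsProxyConfig(
    forwarders=[Forwarder("203.0.113.53"),
                Forwarder("198.51.100.53", enabled=False)],
    conditional=[ConditionalForwarder("192.0.2.10", ["corp.example"]),
                 ConditionalForwarder("192.0.2.11", ["lab.corp.example"])],
    static_hosts=[StaticHost(["192.0.2.20"],
                             ["intranet.corp.example", "wiki.corp.example"])],
)

if __name__ == "__main__":
    for q in ["wiki.corp.example", "dc1.corp.example",
              "host.lab.corp.example", "www.example.net"]:
        print(q, "->", resolve_plan(SAMPLE, q))
```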

3 Deploying Web Filtering

This chapter describes how to deploy Guardian's web filter, including:

Getting Up and Running on page 45
About Network Guardian's Default Policies on page 50

Getting Up and Running

By default, Network Guardian comes with a comprehensive set of web filter policies and an authentication policy which you can use immediately in order to protect your users and your organization. The following section explains how to use these policies to get web filtering up and running quickly.

Tip: Log in to our support portal and read about initial setup considerations, testing and refining filter settings and tips on content filtering.

To get up and running:

1. On users' computers, configure the web browser to use port 800 on Network Guardian as the web proxy, that is, non-transparent proxying.

2. Navigate to the Web proxy > Web proxy > Settings page.
3. Check that the Guardian option is enabled.
4. Scroll to the bottom of the page and click Save and Restart. Network Guardian starts to provide web security.
5. On a user's computer, browse to a site that the default policies block. Network Guardian blocks access to the site and displays a block page.

You can edit the default policies and create new policies to suit your organization. For more information, see Chapter 4, Working with Policies on page 51.

Blocking and Allowing Content Immediately

Network Guardian enables you to block or allow content immediately without having to create or edit a web filter policy.

To block or allow content immediately:

1. Browse to the Guardian > Quick links > Quick block/allow page.
2. Enter the URL to the content you want to block or allow.

3. Click Block or Allow depending on what you want. Network Guardian immediately blocks or allows the content and adds the URL to the appropriate custom blocked or allowed content lists.

Blocking Locations

Network Guardian enables you to block web-enabled resources at a specific location from accessing content.

To block a location:

1. Browse to the Guardian > Web filter > Location blocking page.
2. Locate the location and click Block. Network Guardian blocks any web-enabled resources at that location from accessing web content.

For more information about locations, see Chapter 4, Working with Location Objects on page 60.

Excepting Computers from Web Filtering

Network Guardian enables you to exempt specific computers from any web filtering. You can configure exceptions based on the source IP address or the destination IP address.

Configuring Source Exceptions

A source exception IP using a non-transparent connection will have unfiltered access to the Internet if configured to use port 801. A source exception IP going through an interface where transparent proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to Network Guardian. A source exception IP using a transparent connection requires no client browser configuration.

To configure a source exception:

1. Browse to the Guardian > Web filter > Exceptions page.
2. In the Manage source exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. Network Guardian exempts the computer(s) from any web filtering.

Configuring Destination Exceptions

A destination exception IP which goes through an interface where transparent proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to Network Guardian.

To configure a destination exception:

1. Browse to the Guardian > Web filter > Exceptions page.
2. In the Manage destination exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. Network Guardian exempts the computer(s) from any web filtering.

About Shortcuts

Network Guardian provides a number of shortcuts to tasks you might carry out on a daily basis.

To access the shortcuts:

1. Browse to the Guardian > Quick links > Shortcuts page.
2. Click on a link to be taken to the task's page.

About Network Guardian's Default Policies

The following sections discuss Network Guardian's default web filtering and authentication policies.

About the Default Web Filter Policies

Network Guardian's default web filtering policies are:

Web filter policies: these policies allow users access to custom specified content, access to specific web sites at lunch time and Microsoft Windows updates. They also block core and custom specified undesirable content and adverts, and enforce file security. To review this policy, browse to the Guardian > Web filter > Manage policies page. For information about customizing web filter policies, see Managing Web Filter Policies on page 64.

HTTPS inspection policies: these policies can be enabled to allow users to access online banking sites securely while inspecting encrypted traffic and checking security certificates. To review these policies, browse to the Guardian > HTTPS inspection > Manage policies page. For information about customizing HTTPS inspection policies, see Managing HTTPS Inspection Policies on page 68.

Content modification policies: these policies apply recommended security rules and force search engines to use SafeSearch functionality. To review these policies, browse to the Guardian > Content modification policies > Policy page. For information about customizing content modification policies, see Managing Content Modification Policies on page 74.

Anti-malware policy: this policy protects against malware and viruses. To review this policy, browse to the Guardian > Anti-malware > Manage policies page. For information on customizing anti-malware policies, see Managing Anti-malware Policies on page 79.

About the Default Authentication Policies

Network Guardian comes with the following authentication policy ready for use:

Non-transparent authentication policy: any user's browser configured to use Network Guardian on port 800 as its web proxy will have this authentication policy applied to it.
For information about creating more authentication policies, see Chapter 5, About Authentication Policies.

4 Working with Policies

This chapter describes how to configure, and maintain, Guardian policies, including:

An Overview of Policies on page 52
Working with Category Group Objects on page 55
Working with Time Slot Objects on page 59
Working with Location Objects on page 60
Working with Quota Objects on page 62
Managing Web Filter Policies on page 64
Managing HTTPS Inspection Policies on page 68
Managing Content Modification Policies on page 74
Managing Anti-malware Policies on page 79
Using the Policy Tester on page 83
Working with Policy Folders on page 85
Censoring Web Form Content on page 87
Configuring Organization Accounts on page 89

An Overview of Policies

Policies determine how Network Guardian handles web content to best protect your users and your organization. You can create and deploy custom policies to fit your organization. Deploying custom policies entails:

Configuring custom policies based on your organization's Acceptable Usage Policies (AUPs); for more information, see Types of Policies on page 52
Configuring authentication policies; for more information, refer to the Network Guardian Operations Guide
Configuring users' browsers or network connections to use Network Guardian as their web proxy or default gateway; for more information, see Connecting to Network Guardian on page 106.

Types of Policies

Network Guardian enables you to create the following types of policies:

Web filter policies: Web filter policies determine whether to allow, block, soft block or whitelist web content that a user has requested. For more information, see Managing Web Filter Policies on page 64.

HTTPS inspection policies: when enabled, HTTPS inspection policies determine whether to decrypt and inspect encrypted content in order to determine how to handle the content based on web filter policies. HTTPS inspection policies can also be used to validate web site certificates. For more information, see Managing HTTPS Inspection Policies on page 68.

Content modification policies: Content modification policies can be used to identify and stop malicious content embedded in web pages from being accessed. For information, see Managing Content Modification Policies on page 74.

Anti-malware policies: Anti-malware policies are used to protect against malware and viruses. For information on customizing anti-malware policies, see Managing Anti-malware Policies on page 79.

How Policies are Applied

How Network Guardian applies policies depends on the original web request from a user.
The following diagrams give a high-level view of what happens when a user makes a non-encrypted (HTTP) web request and an encrypted (HTTPS) web request.

Applying Policies to an HTTP Web Request

(Diagram: applying policies to an HTTP web request)

Guardian Getting Started

The Getting started page explains policies and policy objects.

Working with Category Group Objects

A category group object is a collection of URLs, domains, phrases, lists of file types and/or security rules. Network Guardian uses category group objects in policies to determine if a user should be allowed access to the content they have requested using their web browser.

Creating Category Group Objects

The following section explains how to create a category group object to be used in a web filter policy.

To create a category group object:

1. Browse to the Guardian > Policy objects > Category groups page.
2. In the Manage category groups area, configure the following settings:
   Name: Enter a name for the category group.
   Comment: Optionally, enter a comment to make it easier to remember what the category contains.

   Content categories: Select the content you want to include in the category group object. Click [ + ] to access and view any sub-categories available. Tip: Click the Advanced view option to access more detailed information about the content.
3. Click Save. The category group object is saved and added to the list of groups of content available.

Creating Custom Categories

You can define new categories of content for use in category group objects to suit your organization's requirements.

To create custom categories, do the following:

1. Browse to the Guardian > Policy objects > Categories page.
2. From the Manage categories panel, configure the following parameters:
   Name: The name of the category.
   Comment: Enter an optional description for this category.
   Domain/URL filtering: Enter the domains and/or URLs for this category. Only one entry is allowed per line. Note that www. is not needed for URLs.

3. Optionally, click Advanced to access the following settings:
   Search term filtering: Enter one search term, surrounded by delimiters, per line, for example: ( hardcore ) (xxx). Spaces before and after a term are not removed, thus simplifying searching for whole words. Parentheses are required. You can use the following delimiters: [] () {} <>
   URL patterns: Enter one URL pattern per line, for example: ( adultsite sexdream ). The example above looks for URLs containing either the word adultsite or the word sexdream. You can use the following delimiters: [] () {} <>
   Note: If the URL pattern you enter contains a delimiter, you must use a different delimiter to contain the whole pattern. For example: [ mysearchwith(abracket) ]
   File extensions: Enter one file extension, e.g. .doc, or MIME type, e.g. application/octet-stream, per line. You must include the dot (.) when entering file extensions.
4. Click Save. Network Guardian creates the content category and makes it available on the Guardian > Policy objects > Category groups page.

Searching for URLs in User-defined Categories

You can search in user-defined categories to determine which ones match a particular URL.

Note: A search can take up to a minute to complete.

To search for a URL in a category:

1. Browse to the Guardian > Policy objects > User defined page.
2. In the Enter URL field, enter the URL you want to search for.
3. Click Find categories. Network Guardian displays the names and components of any categories in which the URL was found.

Editing Category Group Objects

You can edit category group objects to suit your organization's requirements.

To edit a category group object:

1. Browse to the Guardian > Policy objects > Category groups page.
2. From the Category groups list, select the object you want to edit and click Edit category group. Network Guardian displays the object in the Manage category groups area. Click [ + ] to access and view any sub-categories available.

   Tip: Click the Advanced view option to access more detailed information about the content and sub-categories.
3. Select any new content you want to add to the object and de-select any content you want to remove from the object.
4. Click Save. Network Guardian saves and applies the changes.

Deleting Category Group Objects

You can delete category group objects you no longer require.

To delete a category group object:

1. Browse to the Guardian > Policy objects > Category groups page.
2. From the Category groups list, select the content category object you want to delete and click Delete category group. Network Guardian deletes the object.

Note: You cannot delete a category group object if it is in use in a policy. You must first remove the object from the policy.

Working with Time Slot Objects

You can configure Network Guardian to allow or stop users accessing the Internet during certain time periods, depending on the time and day.

Creating a Time Slot

The following section explains how to create a time slot for use in a web filter policy.

To create a time slot:

1. Navigate to the Guardian > Policy objects > Time slots page.
2. Configure the following settings:
   Name: Enter a name for the time slot.
   Comment: Optionally, enter a comment to help identify when the period is used.
3. In the time-table, click and drag to select the periods of time you want to include in the time slot.
4. Click Save. Network Guardian creates the time slot and adds it to the list of time slots. It also makes the time slot available, where applicable, on the policy wizard pages for inclusion in policies.

Editing a Time Slot

The following section explains how to edit a time slot.

To edit a time slot:

1. Navigate to the Guardian > Policy objects > Time slots page and, in the Time slots area, locate the time slot you want to edit.
2. Click the Edit time button. Network Guardian displays the time slot in the time-table.
   Tip: You can use the Clear and Edit in full-text mode options to make changes to the time slot.
3. Make the changes you require and click Save. Network Guardian makes the changes and saves the time slot.

Deleting a Time Slot

The following section explains how to delete a time slot.

To delete a time slot:

1. Navigate to the Guardian > Policy objects > Time slots page and, in the Time slots area, locate the time slot you want to delete.
2. Click the Delete time button. Network Guardian deletes the time slot.

Working with Location Objects

Network Guardian enables you to create locations into which you can place resources such as desktop and laptop computers. You can use a location to block the resources at the location from accessing external networks or the Internet.

Creating a Location Object

To create a location object:

1. Browse to the Guardian > Policy objects > Locations page.
2. In the Manage location area, configure the following settings:
   Name: Enter a name for the location object.
   Addresses: Enter an IP address, hostname, IP range or a subnet of the resource(s), for example:
      For a computer, enter:
      For a range of computers, enter:
      For content identified by a hostname, enter: roaming_laptop
3. Optionally, click Advanced and configure the following settings to define exceptions to any address ranges you specified in the previous step:
   Exceptions: Enter an individual IP, hostname, IP range or a subnet of the resource(s), for example:
      To make an exception for a computer, enter:
      To make an exception for a range of computers, enter:
4. Click Save. Network Guardian adds the resources to the location object and lists it in the Locations list.
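A location object is an address list minus an exception list, and the Manage source exceptions and Manage destination exceptions boxes on the Exceptions page (see Excepting Computers from Web Filtering) take the same kinds of entries: single IPs, ranges, and CIDR subnets. The following added Python example, which is not Smoothwall's code, shows one way to parse such entries and test whether a resource falls inside a location or an exception list; the `Location` class, the `first-last` range syntax, and the sample addresses are assumptions made for this example.

```python
"""Added example: membership test for a location object (addresses minus
exceptions) and for a source/destination exception list.  This is an
illustration of the entry types the guide describes, not Smoothwall's
own matcher; all names and sample values are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_entry(entry: str) -> Tuple:
    """Turn one line of an Addresses/Exceptions box into a matcher tuple.
    Accepts a CIDR subnet, a 'first-last' IP range (assumed syntax), a
    single IP address, or, failing all of those, a hostname."""
    entry = entry.strip()
    if "/" in entry:
        return ("net", ipaddress.ip_network(entry, strict=False))
    if "-" in entry:
        lo, _, hi = entry.partition("-")
        try:
            return ("range", ipaddress.ip_address(lo.strip()),
                    ipaddress.ip_address(hi.strip()))
        except ValueError:
            pass  # not an address range; hostnames may contain '-'
    try:
        return ("ip", ipaddress.ip_address(entry))
    except ValueError:
        return ("host", entry.lower())


def matches(matcher: Tuple, ip: Optional[str] = None,
            hostname: Optional[str] = None) -> bool:
    """True if the resource (by IP and/or hostname) matches the entry."""
    kind = matcher[0]
    if kind == "host":
        return hostname is not None and hostname.lower() == matcher[1]
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    if kind == "ip":
        return addr == matcher[1]
    if kind == "net":
        return addr in matcher[1]
    lo, hi = matcher[1], matcher[2]  # range
    return addr.version == lo.version and lo <= addr <= hi


@dataclass
class Location:
    """A location object: Addresses, with optional Advanced > Exceptions."""
    name: str
    addresses: List[str]
    exceptions: List[str] = field(default_factory=list)

    def contains(self, ip: Optional[str] = None,
                 hostname: Optional[str] = None) -> bool:
        """A resource is in the location if it matches an address entry
        and does not match any exception entry."""
        if any(matches(parse_entry(e), ip, hostname) for e in self.exceptions):
            return False
        return any(matches(parse_entry(a), ip, hostname) for a in self.addresses)


def is_exception(exception_list: List[str], ip: str) -> bool:
    """Same entry syntax as the Manage source/destination exceptions boxes."""
    return any(matches(parse_entry(e), ip=ip) for e in exception_list)


# Constructed sample data using documentation address ranges.
LAB = Location("Lab", ["192.0.2.0/24", "198.51.100.10-198.51.100.20",
                       "roaming_laptop"], exceptions=["192.0.2.99"])

if __name__ == "__main__":
    for probe in ["192.0.2.5", "192.0.2.99", "198.51.100.15", "203.0.113.1"]:
        print(probe, "in Lab:", LAB.contains(ip=probe))
    print("roaming_laptop in Lab:", LAB.contains(hostname="roaming_laptop"))
```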

Editing Location Objects

You can edit a location object.

To edit a location object:

1. On the Guardian > Policy objects > Locations page, in the Locations area, select the location and click the Edit location button. Network Guardian displays the settings.
2. Make the changes you require.
3. Click Save. Network Guardian updates the resources in the location object and lists it in the Locations list.

Deleting Location Objects

You can delete location objects you no longer require.

Note: You cannot delete a location object if it is in use in a policy. You must first remove the object from the policy.

To delete a location object:

1. Browse to the Guardian > Policy objects > Locations page.
2. In the Locations list, locate the location object you want to delete and click the Delete location button. Network Guardian deletes the location object.

Working with Quota Objects

Network Guardian's quota objects enable you to limit user access to content on a daily basis. When a quota is used in a web filter policy, users to whom the policy is applied are prompted to confirm that they want to access the content and are told how long their quota is and how much of the quota they have left.

About the Default Quota Object

Network Guardian comes with a default quota object which is ready for use in a web filtering policy. When used, the default quota limits access to the relevant content to 60 minutes per 24 hours. Users will be prompted every 10 minutes to confirm that they want to continue using their quota. Default quotas are reset daily at 04:00.

You can edit the default quota but you cannot remove it: there must always be a default in case the quota action is used in a web filtering policy. For more information about using quotas and web filtering policies, see Creating Web Filter Policies on page 65.

Creating Quota Objects

Creating a quota object entails specifying who the quota applies to, how long the quota is, how often to prompt the user to confirm that they want to continue using their quota, and when the quota is reset.

To create a quota object:

1. Browse to the Guardian > Policy objects > Quotas page.
2. Click Create a new quota and configure the following settings:
   Available users or groups: From the list, select the user(s) and/or group(s) to whom the quota will apply. Tip: Enter a name or part of a name and Network Guardian will search for names of users and groups that match. Click Add.
   Duration: Move the slider to set the duration of the quota.
   Prompt every: From the drop-down list, select how often users will be prompted to confirm that they want to use more of their quota.
   Reset at: From the drop-down list, select when to reset the quota.
   Enable quota: Select to enable the quota.
3. Click Save. Network Guardian creates the quota and lists it on the Guardian > Policy objects > Quotas page.
4. Drag and drop the quota object to the correct position.

Note: Quotas are applied in the order in which they are listed on the Guardian > Policy objects > Quotas page, so you must consider their position when using them. Take, for example, Bob. Bob is a member of the Staff group. The Staff group has a quota of 60 minutes. However, because of Bob's responsibilities, he needs a quota of 120 minutes. To ensure Bob gets the quota he needs, create a quota object that applies to Bob and, on the Guardian > Policy objects > Quotas page, list it above the Staff quota object. When Network Guardian applies the web filtering policy to the Staff group, it checks the quotas in order and allows Bob 120 minutes while other people in the Staff group get 60 minutes. If Bob's quota object is listed below the Staff group's quota object, Bob gets 60 minutes just like everyone else.

For more information about using quotas and web filtering policies, see Creating Web Filter Policies on page 65.

Editing Quota Objects

It is possible to edit a quota object's settings.

To edit a quota object:
1. On the Guardian > Policy objects > Quotas page, locate the quota you want to change and click its Edit quota button. Network Guardian displays the settings.
2. Make the changes required. See Working with Quota Objects on page 62 for more information about the settings available.
3. Click Save. Network Guardian updates the quota and lists it on the Guardian > Policy objects > Quotas page.

Deleting Quota Objects

You can delete a quota object when it is no longer required.

To delete a quota object:
1. On the Guardian > Policy objects > Quotas page, locate the quota you want to delete and click its Delete quota button. Network Guardian deletes the quota and removes it from the Guardian > Policy objects > Quotas page.

Managing Web Filter Policies

Network Guardian processes web filter policies in order of priority, from top to bottom, until it finds a policy that matches the requested content.
When it finds a match, Network Guardian applies the action configured in the policy: block, allow, whitelist, soft block or limit to quota. Because only the first matching policy is applied, a narrow exception must be listed above the broad policy it is meant to override. You can review the default web filter policies on the Guardian > Web filter > Manage policies page and you can change the order by dragging and dropping policies in the list. The following sections discuss how to create, edit and delete web filter policies.

Creating Web Filter Policies

You can create custom web filter policies to allow or block specific content, allow access to specific web sites at certain times, or apply an acceptable usage policy (AUP) to meet your organization's requirements.

To create a web filter policy:
1. Browse to the Guardian > Web filter > Policy wizard page.
2. Complete the following steps:
   Step 1: Who. From the Available users or groups list, select the user(s) and/or group(s) to whom the policy will apply. Tip: Enter a name or part of a name and Network Guardian will search for names of users and groups that match. Click Add and, when you have added all the users and/or groups, click Next to continue.
   Step 2: What. From the Available categories or category groups list, select what is to be filtered. Tip: Enter the name or part of the name and Network Guardian will search for content that matches. Click Add and, when you have selected all the content, click Next to continue.
   Step 3: Where. From the Available locations list, select where the policy will apply. Tip: Enter the name or part of the name and Network Guardian will search for locations that match. Click Add and, when you have added the location(s), click Next to continue.
   Step 4: When. From the Available time slots list, select when the policy will apply. Tip: Enter the name or part of the name and Network Guardian will search for time slots that match. Click Add and, when you have added the time slot(s), click Next to continue.
   Step 5: Action. Select one of the following actions to use when applying this policy:
      Create policy folder: Select this action when configuring a policy at a central installation where you need to create policy folders for multiple locations or groups.
      Block: Select this action to block the selected content.
      Allow: Select this action to allow the content. The content is still scanned for malware if an anti-malware policy is in place, and Network Guardian may also categorize the content and apply any content modification policies in place. You can use this option to create specific exceptions to broad blocking policies. Another possible use is to prevent over-blocking of diverse content such as news articles, which may fall under a variety of categorizations depending on the type of article.
      Whitelist: Select this action to whitelist the selected content. When content is whitelisted, Network Guardian does not examine it any further. Whitelisting is applied early, when Network Guardian is checking URLs, so whitelisted content is not subjected to outgoing filtering or dynamic content analysis. Content modification policies may still be applied, unless the categorization of the original, unmodified URL matches the whitelist. Whitelisting content may help to conserve system resources and prevent unintentional blocking when dealing with trusted content, such as online banking sites or Windows updates. Note: Whitelisted content is not scanned for potential malware, so whitelist only destinations you trust; where you want an exception that is still scanned, use Allow instead.
      Soft block: Select this action to soft block the selected content. Anyone trying to access the content is prompted by Network Guardian to confirm that they want to access it.
      Limit to quota: Select this action to apply a quota when applying the policy. When the policy is applied, Network Guardian checks the quotas defined on the Guardian > Policy objects > Quotas page and limits access to the requested content based on the quota object's settings. Note: Any content being streamed or downloaded by a user is not stopped when the user's quota runs out.
   Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information about policy folders, see Working with Policy Folders on page 85.
3. Select Enable policy to enable the policy and click Confirm.
4. Network Guardian displays the settings you have selected. Review them and click Save to create the policy. Network Guardian creates the policy and makes it available on the Guardian > Web filter > Manage policies page. You must now specify in what order Network Guardian should apply the policy.

5. Browse to the Guardian > Web filter > Manage policies page.
6. Locate the policy in the Filtering policies area. Drag and drop the policy to where you want Network Guardian to apply it. Because the first matching policy wins, an exception must sit above the broader policy it overrides. For example, if you have created a policy which allows media students to access advertising content during their lunch break, drag the policy above the default policy that blocks adverts, typically to the top of the list of policies.
7. Click Save. Network Guardian re-orders and applies the filtering policies and allows all users in the media student group to access adverts during their lunch break.

Editing Web Filter Policies

You can edit an existing web filter policy to suit your organization's requirements.

To edit a web filter policy:
1. Browse to the Guardian > Web filter > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Network Guardian displays the policy settings on the Guardian > Web filter > Policy wizard page.
3. Make the changes necessary; see Creating Web Filter Policies on page 65 for more information about working with policies.
4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Guardian > Web filter > Manage policies page.
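The two ordering rules above (quota objects are taken in list order, and web filter policies are matched top to bottom with the first match winning) are easy to get wrong when dragging policies around, so it helps to see them as code. The following Python is an added example, not part of this guide or of Network Guardian itself: it evaluates a request against ordered policy and quota lists and reproduces the Bob example, in which Bob gets 120 minutes only when his quota object is listed above the Staff quota, and the lunch-break example, in which the media students' Allow policy only works when it sits above the default Block. Every name in it (the groups, users, categories, the "Lunch" time slot and the "Everywhere" location wildcard) is constructed sample data.

```python
"""Ordered, first-match evaluation of web filter policies and quota objects.

Added example, not Smoothwall's own code. It models the ordering rules the
guide describes: policies are checked top to bottom and the first match decides
the action, and quota objects are taken in list order, so a user-specific quota
listed above a group quota wins. All names below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    category: str
    location: str
    when: datetime

@dataclass(frozen=True)
class TimeSlot:
    name: str
    start: time
    end: time

    def contains(self, when):
        return self.start <= when.time() < self.end

@dataclass(frozen=True)
class Policy:
    name: str
    who: frozenset      # user and/or group names; "Everyone" matches all
    what: frozenset     # categories
    where: frozenset    # locations; "Everywhere" is a constructed wildcard
    when: tuple         # TimeSlot objects; an empty tuple means always
    action: str         # Block, Allow, Whitelist, Soft block or Limit to quota
    enabled: bool = True

    def matches(self, req):
        if not self.enabled:
            return False
        who_ok = "Everyone" in self.who or req.user in self.who or bool(self.who & req.groups)
        what_ok = req.category in self.what
        where_ok = "Everywhere" in self.where or req.location in self.where
        when_ok = not self.when or any(slot.contains(req.when) for slot in self.when)
        return who_ok and what_ok and where_ok and when_ok

@dataclass(frozen=True)
class Quota:
    name: str
    who: frozenset      # users and/or groups the quota applies to
    minutes: int        # allowance per 24 hours

def first_match(policies, req):
    """Top-to-bottom scan; the first enabled policy that matches wins."""
    for policy in policies:
        if policy.matches(req):
            return policy
    return None

def quota_for(quotas, req):
    """Quotas are also taken in list order: the most specific must be listed first."""
    for quota in quotas:
        if req.user in quota.who or quota.who & req.groups:
            return quota
    return None

def decide(policies, quotas, req):
    """Return (action, policy name, quota minutes or None) for a request."""
    policy = first_match(policies, req)
    if policy is None:
        return ("No match", None, None)
    minutes = None
    if policy.action == "Limit to quota":
        quota = quota_for(quotas, req)
        minutes = quota.minutes if quota else None
    return (policy.action, policy.name, minutes)

# Constructed sample data: Bob from the quota example, plus the lunch-break policy.
LUNCH = TimeSlot("Lunch", time(12, 0), time(13, 0))
STAFF_QUOTA = Quota("Staff quota", frozenset({"Staff"}), 60)
BOB_QUOTA = Quota("Bob's quota", frozenset({"bob"}), 120)

POLICIES = [
    Policy("Adverts for media students at lunch", frozenset({"Media students"}),
           frozenset({"Advertising"}), frozenset({"Everywhere"}), (LUNCH,), "Allow"),
    Policy("Staff social networking on quota", frozenset({"Staff"}),
           frozenset({"Social networking"}), frozenset({"Everywhere"}), (), "Limit to quota"),
    Policy("Block adverts for everyone", frozenset({"Everyone"}),
           frozenset({"Advertising"}), frozenset({"Everywhere"}), (), "Block"),
]

BOB = Request("bob", frozenset({"Staff"}), "Social networking", "Main site",
              datetime(2015, 3, 2, 10, 0))
ALICE_AT_LUNCH = Request("alice", frozenset({"Media students"}), "Advertising", "Main site",
                         datetime(2015, 3, 2, 12, 30))
ALICE_LATER = Request("alice", frozenset({"Media students"}), "Advertising", "Main site",
                      datetime(2015, 3, 2, 14, 0))
```

Calling decide(POLICIES, [BOB_QUOTA, STAFF_QUOTA], BOB) returns 120 minutes; swapping the two quota objects returns 60, exactly the behaviour described for Bob. Moving the "Block adverts for everyone" policy above the lunch-break policy turns Alice's lunchtime Allow into a Block, which is why step 6 tells you to drag the exception to the top.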

Deleting Web Filter Policies

You can delete a web filter policy you no longer require.

To delete a web filter policy:
1. Browse to the Guardian > Web filter > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Remove. Network Guardian deletes the policy.

Managing HTTPS Inspection Policies

The following sections discuss how to create, edit and delete HTTPS inspection policies.

HTTPS inspection policies enable you to inspect and manage communication between users on your network and web sites which use HTTPS, by configuring an inspection method for different user groups, destinations and locations.

Network Guardian processes HTTPS inspection policies in order of priority as listed on the Guardian > HTTPS inspection > Manage policies page, from top to bottom, until a match is found. You can change the order by dragging and dropping policies into new positions.

Network Guardian comes with three pre-configured HTTPS inspection policies which handle the following content:
   Online banking: when enabled, this policy allows users to do online banking without their communications being decrypted and inspected.
   All encrypted content accessed by unauthenticated IPs: when enabled, this policy decrypts and inspects all encrypted content that users at unauthenticated IPs try to access.
   Certificate validation: enabled by default, this policy checks the certificates presented by web sites. Any site whose certificate is self-signed, out of date or otherwise invalid is blocked.

Enabling HTTPS Inspection Policies

The following section explains how to enable HTTPS inspection policies that are listed on the Guardian > HTTPS inspection > Manage policies page.

To enable HTTPS inspection policies:
1. Browse to the Guardian > HTTPS inspection > Manage policies page.
2. Locate the policy you want to enable, click on the Enabled button and select Enable.
3. Repeat the step above for any other policies you want to enable and then click Save. Network Guardian enables the policies.

Note: When you enable, for the first time, an HTTPS inspection policy which decrypts and inspects content, Network Guardian informs you that users' browsers must trust the Network Guardian CA certificate in order for the policy to work; until they do, every decrypted site fails certificate verification in the browser. You can click on Guardian CA certificate in the text displayed and download the certificate ready for import into browsers. See Managing Certificates on page 73 for more information about how to import the certificate.

Creating an HTTPS Inspection Policy

When an HTTPS inspection policy is in place, Network Guardian displays a warning page informing users who try to access an HTTPS web site that their communication with the site is being monitored. Users must actively accept the monitoring by clicking Yes in order to continue to the site, or click No to end the communication.

Note: You must configure HTTPS settings and certificates in order for an HTTPS inspection policy to work. For more information, see Configuring HTTPS Inspection Policy Settings on page 72.

To create an HTTPS inspection policy:
1. Browse to the Guardian > HTTPS inspection > Policy wizard page.
2. Complete the following steps:
   Step 1: Who. From the Available users or groups list, select who the policy will apply to. Tip: Enter a name or part of a name and Network Guardian will search for names of users and groups that match. Click Add and, when you have added all the users and/or groups, click Next to continue.
   Step 2: What. From the Available categories or category groups list, select what is to be inspected. Tip: Enter the name or part of the name and Network Guardian will search for content that matches. Click Add and, when you have added all the categories or category groups, click Next to continue.
   Step 3: Where. From the Available locations list, select where the policy will apply. Tip: Enter the name or part of the name and Network Guardian will search for locations that match. Click Add and, when you have added the location(s), click Next to continue.
   Step 4: When. From the Available time slots list, select when the policy will apply. Tip: Enter the name or part of the name and Network Guardian will search for time slots that match. Click Add and, when you have added the time slot(s), click Next to continue.
   Step 5: Action. Select one of the following actions to apply:
      Create policy folder: Select this action when configuring Network Guardian at a central installation where you need to create policy folders for multiple locations or groups.
      Decrypt and inspect: Select this action to decrypt and inspect the encrypted content.
      Validate certificate only: Select this action to check the certificates presented by web sites. Any site whose certificate is self-signed, out of date or otherwise invalid is blocked.
      Do not inspect: Select this action to leave the communication uninspected. An example of using this would be to exempt banking sites from interception when a blanket policy of inspecting all HTTPS communication is in place.
   Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information about policy folders, see Working with Policy Folders on page 85.
3. Select Enable policy to enable the policy and then click Confirm.
4. Network Guardian displays the settings you have selected. Review them and click Save to create the policy. Network Guardian creates the policy and makes it available on the Guardian > HTTPS inspection > Manage policies page. You must now specify in what order Network Guardian should apply the policy.
5. Browse to the Guardian > HTTPS inspection > Manage policies page.
6. Locate the policy in the HTTPS policies area. Drag and drop the policy to where you want Network Guardian to apply it. For example, if you have created a policy which does not inspect the Google HTTPS AdSense site when accessed by marketing students, drag the policy to the top of the list of policies so that it is matched before any broader Decrypt and inspect policy.
7. Click Save. Network Guardian re-orders and applies the HTTPS inspection policies and allows all users in the marketing student group to access the Google AdSense site without their traffic being decrypted.

Editing HTTPS Inspection Policies

You can edit an existing HTTPS inspection policy to suit your organization's requirements.

To edit an HTTPS inspection policy:
1. Browse to the Guardian > HTTPS inspection > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Network Guardian displays the policy settings on the Guardian > HTTPS inspection > Policy wizard page.
3. Make the changes necessary; see Creating an HTTPS Inspection Policy on page 69 for more information about working with policies.
4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Guardian > HTTPS inspection > Manage policies page.

Deleting HTTPS Inspection Policies

You can delete an HTTPS inspection policy you no longer require.

To delete an HTTPS inspection policy:
1. Browse to the Guardian > HTTPS inspection > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Remove. Network Guardian deletes the policy.

Configuring HTTPS Inspection Policy Settings

For HTTPS inspection policies to work, you must configure HTTPS inspection policy settings. Configuring these settings entails exporting the certificate authority (CA) certificate, importing it into the list of trusted CA certificates on the computers in your network, and configuring the warning and confirmation messages that are displayed to users when communications are being decrypted and inspected.

Managing Certificates

Managing certificate authority (CA) certificates entails exporting them and then installing them on users' computers. Without the certificate on users' computers, HTTPS inspection policies cannot work: browsers reject the certificates Network Guardian generates for decrypted sites because they are signed by a CA the browser does not trust.

To export a certificate:
1. Browse to the Guardian > HTTPS inspection > Settings page.
2. Click Export. Network Guardian generates the Guardian CA Cert.crt file. Save the certificate and import it into the list of trusted CA certificates on the computers in your network on which you want to implement HTTPS filtering. Refer to your browser or directory service documentation for a detailed description of how to do this. Because every computer that imports this certificate will trust anything signed by it, restrict access to the Network Guardian appliance and distribute the certificate only to managed devices.

Configuring Warning Information

When implemented, Network Guardian displays a warning page informing users who try to access HTTPS web sites that their communication with the site is being decrypted and inspected. Users must actively accept the decryption and inspection in order to continue to the site.

To configure a warning message, do the following:
1. Browse to the Guardian > HTTPS inspection > Settings page.
2. In the Manage HTTPS interception warning panel, configure the following:
   Warning message: Either accept the default message, or enter a custom message informing users that their HTTPS connections will be decrypted and filtered if they continue to the site they have requested.
   Confirmation button label: Either accept the default label, or enter new text to display on the button that users must click to confirm that they accept that their HTTPS connections will be decrypted and filtered. Once they have clicked on the button, they will be able to continue to the site they requested.
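A practical way to confirm from a client that a Decrypt and inspect policy is in effect, and to see what the Certificate validation policy and the Validate certificate only action reject, is to look at the certificate the client is actually handed. The following Python is an added example, not Smoothwall code. It applies the checks the guide lists (self-signed, out of date) to a certificate in the form returned by Python's ssl.SSLSocket.getpeercert(), and reports whether the certificate was issued by the Guardian CA, which is what an intercepted session looks like from the browser's side. The CA subject name GUARDIAN_CA_CN is an assumption; read the real name from the exported Guardian CA Cert.crt. The certificates in the block are constructed samples; peer_certificate() fetches a live one and needs network access.

```python
"""Checks on the server certificate a client sees through Network Guardian.

Added example, not Smoothwall's code. It applies the rules the guide gives for
certificate validation (self-signed, out of date) to the dictionary shape
returned by ssl.SSLSocket.getpeercert(), and reports whether the chain was
minted by the Guardian CA, i.e. the session is being decrypted and inspected.
GUARDIAN_CA_CN is an assumption: read the real subject name from the exported
"Guardian CA Cert.crt". The certificates below are constructed samples.
"""
import socket
import ssl
import time

GUARDIAN_CA_CN = "Network Guardian CA"  # assumption; check the exported certificate

def common_name(name):
    """Extract commonName from an ssl-style name: ((("commonName", "x"),), ...)."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def check_certificate(cert, now=None):
    """Classify a getpeercert()-style dict.

    Returns the subject and issuer CNs, whether the chain is signed by the
    Guardian CA (intercepted), and the reasons certificate validation would
    block the site.
    """
    now = time.time() if now is None else now
    reasons = []
    if cert["subject"] == cert["issuer"]:
        reasons.append("self-signed")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired")
    issuer = common_name(cert["issuer"])
    return {
        "subject": common_name(cert["subject"]),
        "issuer": issuer,
        "intercepted": issuer == GUARDIAN_CA_CN,
        "blocked": bool(reasons),
        "reasons": reasons,
    }

def peer_certificate(host, guardian_ca_file=None, port=443):
    """Fetch the certificate presented to this client for host (needs network).

    Loading the exported Guardian CA alongside the system roots is what
    importing "Guardian CA Cert.crt" into a browser does; without it the
    handshake fails with a verification error for every decrypted site.
    """
    ctx = ssl.create_default_context()
    if guardian_ca_file:
        ctx.load_verify_locations(guardian_ca_file)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def _sample(subject_cn, issuer_cn, not_before, not_after):
    """Build a constructed certificate dict in getpeercert() form."""
    return {
        "subject": ((("commonName", subject_cn),),),
        "issuer": ((("commonName", issuer_cn),),),
        "notBefore": not_before,
        "notAfter": not_after,
    }

# Constructed samples: a bank reached directly, the same bank through a
# Decrypt and inspect policy, and an expired self-signed intranet host.
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2015 GMT")
BANK_DIRECT = _sample("www.bank.example", "Example Public CA",
                      "Jan 10 00:00:00 2015 GMT", "Jan 10 00:00:00 2016 GMT")
BANK_INTERCEPTED = _sample("www.bank.example", GUARDIAN_CA_CN,
                           "Jun 15 00:00:00 2015 GMT", "Jun 16 00:00:00 2015 GMT")
INTRANET_SELF_SIGNED = _sample("intranet.example", "intranet.example",
                               "Jan 10 00:00:00 2013 GMT", "Jan 10 00:00:00 2014 GMT")
```

Run check_certificate(peer_certificate("www.example.com", "Guardian CA Cert.crt")) from a managed workstation: an "intercepted" result for a site covered by a Decrypt and inspect policy confirms the policy is active, while a verification error from peer_certificate() means the client has not imported the Guardian CA, which is the same failure users would see in their browsers.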

   Warning frequency: Choose how often the warning message is displayed to the user:
      Daily: Select to display the warning daily.
      Weekly: Select to display the warning weekly.
      Never: Select to never display a warning. Typically, you would not use this option; however, if you are using the Smoothwall Connect Filter for Windows client, it is recommended you disable the warning message to ensure correct operation. For more information, refer to the Smoothwall Connect Filter for Windows Installation and Administration Guide.
3. Click Save.

The URL used to present the warning page refers to the Network Guardian IP address. However, if a system redirection to hostname setting is in place, you can force the hostname to be used instead. You do this from the System > Preferences > Hostname page. For a detailed description of how to configure this page, refer to the Network Guardian Operations Guide.

Clearing the Generated Certificate Cache

It is possible to clear Network Guardian's cache of certificates generated for use with HTTPS inspection policies.

To clear the cache:
1. Browse to the Guardian > HTTPS inspection > Settings page and click Clear. Network Guardian clears the cache.

Managing Content Modification Policies

The following sections discuss how to create, edit and delete content modification policies. A content modification policy can apply recommended security rules, determine whether Internet searches should use SafeSearch functionality, warn about address spoofing, and more. It can also ignore content, thus making it possible to exempt content from modification for specific users or locations.

Creating a Content Modification Policy

You can create a content modification policy that enforces or ignores security rules and/or SafeSearch for specific users at certain locations.

To create a content modification policy:
1. Browse to the Guardian > Content modification > Policy wizard page.
2. Complete the following steps:
   Step 1: Who. From the Available users or groups list, select who the policy applies to. Tip: Enter a name or part of a name and Network Guardian will search for names of users and groups that match. Click Add and, when you have added all the users and/or groups, click Next to continue.
   Step 2: What to target. From the Available categories or category groups list, select what the policy applies to. Tip: Enter the name or part of the name and Network Guardian will search for matches. Click Add and, when you have selected the categories or category groups, click Next to continue.
   Step 3: Where. From the Available locations list, select where the policy will apply. Tip: Enter the name or part of the name and Network Guardian will search for locations that match. Click Add and, when you have selected the location(s), click Next to continue.
   Step 4: Action. Select one of the following options:
      Create policy folder: Select this action to group related rules in a policy folder. You can then use Apply or Ignore actions within this folder. For more information about policy folders, see Working with Policy Folders on page 85.
      Apply: Select this action to modify the categories and category groups selected.
      Ignore: Select this action to exempt the categories and category groups from being modified.
      Note: Usually, creating a policy which ignores content implies that there is another policy which modifies content. For example, there might be an Apply policy which enforces SafeSearch for everyone, and another Ignore policy which exempts certain users who need unrestricted search. In such a case, on the Guardian > Content modification > Manage policies page, the Ignore policy which creates the exception must be placed before the Apply policy which modifies the content.
      From the Available categories or category groups list, select the content modification to apply and click Add. Note: If you are creating a policy that ignores content, the options here are disabled.
   Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information about policy folders, see Working with Policy Folders on page 85.
3. Select Enable policy to enable the policy and click Confirm.
4. Network Guardian displays the settings you have selected. Review them and click Save to create the policy. Network Guardian creates the policy and makes it available on the Guardian > Content modification > Manage policies page.

Network Guardian applies content modification policies in the order in which they are listed. You must specify in what order Network Guardian should apply the content modification policies. You do this as follows:
1. Browse to the Guardian > Content modification > Manage policies page.

2. Using drag and drop, reorder the list of policies according to how you want Network Guardian to apply them. For example, if you have created a policy which exempts search results from modification for users in the teachers group, and another policy which exempts particular terms from allowed searches, drag the latter policy to the top of the list of policies.

Editing Content Modification Policies

You can edit an existing content modification policy to suit your organization's requirements.

To edit a content modification policy:
1. Browse to the Guardian > Content modification > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Network Guardian displays the policy settings on the Guardian > Content modification > Policy wizard page.
3. Make the changes necessary; see Creating a Content Modification Policy on page 75 for more information about working with policies.
4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Guardian > Content modification > Manage policies page.

Deleting Content Modification Policies

You can delete a content modification policy you no longer require.

To delete a content modification policy:
1. Browse to the Guardian > Content modification > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Remove. Network Guardian deletes the policy.

Creating Custom Content Modification Policies

You can define new content modifications to suit your organization's requirements.

To create a content modification, do the following:
1. Browse to Guardian > Content modification > Content modifications.
2. Configure the following parameters:
   Name: The name of the content modification.
   Comment: Enter an optional description for this content modification.
   Request headers to override: Enter the HTTP headers that Network Guardian should set on requests to the web site, one entry per line, in the form Header-Name: value. This relies on the requested web site's own support for such headers to redirect users to other content or to restrict what they can reach. For example:
      A redirect to YouTube Education would be configured as:
      X-YouTube-Edu-Filter: Abc_dEf
      where Abc_dEf is the search term or phrase which causes the redirect. Note that an account and key must be set up on YouTube for this to work.
      A restriction on available Google Apps to only allow access to Google Calendar and Google Drive would be configured as:
      X-GoogApps-Allowed-Domains:
      Note that for a Google Apps restriction, HTTPS interception is required, as Google Apps uses HTTPS throughout and Network Guardian can only add a header to a request it decrypts.
3. Click Save.
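The following Python is an added example, not Smoothwall code. It parses the one-entry-per-line header list described above and applies it to a request's headers, replacing any header of the same name the browser already sent (header names are case-insensitive, so a client-supplied x-youtube-edu-filter must not survive alongside the injected one), and it refuses to apply anything to an HTTPS request that is not being decrypted, which is the reason the Google Apps restriction needs HTTPS interception. The filter value Abc_dEf, the domain school.example and the sample request are constructed placeholders; the real values come from your YouTube and Google accounts.

```python
"""Request header overrides for a content modification.

Added example, not Smoothwall's code. parse_overrides() reads the one-entry-
per-line text the guide describes for "Request headers to override", and
apply_overrides() injects those headers into a request, replacing any header
the browser already sent. The https/decrypted handling encodes the guide's
caveat that Google Apps restrictions need HTTPS interception: on a connection
that is not decrypted the proxy never sees the request headers. The YouTube
filter value and the Google Apps domain below are constructed placeholders.
"""

def parse_overrides(spec):
    """Turn 'Header-Name: value' lines into a dict; blank and # lines are skipped."""
    overrides = {}
    for lineno, raw in enumerate(spec.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first colon only, so values containing ':' survive intact.
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value:
            raise ValueError(f"line {lineno}: expected 'Header-Name: value', got {raw!r}")
        # A header name is a single ASCII token; whitespace or non-ASCII would
        # produce a malformed request line rather than the header you intended.
        if any(c.isspace() for c in name) or not name.isascii() or not value.isascii():
            raise ValueError(f"line {lineno}: header name or value is not a valid HTTP token")
        overrides[name] = value
    return overrides

def is_valid_spec(spec):
    """True if every line of the spec parses."""
    try:
        parse_overrides(spec)
    except ValueError:
        return False
    return True

def apply_overrides(headers, overrides, scheme="http", decrypted=False):
    """Return (new_headers, applied).

    An HTTPS request that is not being decrypted by an HTTPS inspection policy
    is returned unchanged, because the proxy never sees its headers. Header
    names are compared case-insensitively so a client-sent header is replaced
    rather than duplicated.
    """
    if scheme == "https" and not decrypted:
        return dict(headers), False
    merged = dict(headers)
    for name, value in overrides.items():
        for existing in [k for k in merged if k.lower() == name.lower()]:
            del merged[existing]
        merged[name] = value
    return merged, True

# Constructed examples of the two entries the guide shows.
YOUTUBE_EDU = "X-YouTube-Edu-Filter: Abc_dEf\n"
GOOGLE_APPS = "X-GoogApps-Allowed-Domains: school.example\n"

# Constructed request, including a stale client-supplied copy of the header.
SAMPLE_REQUEST = {"Host": "www.youtube.com", "x-youtube-edu-filter": "stale-value", "Accept": "*/*"}
```

parse_overrides(YOUTUBE_EDU + GOOGLE_APPS) yields both headers; apply_overrides(SAMPLE_REQUEST, ..., "https", decrypted=True) replaces the client's stale x-youtube-edu-filter with the configured value, while the same call with decrypted=False returns the request untouched and reports that nothing was applied.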

Managing Anti-malware Policies

The following sections discuss how to create, edit and delete anti-malware policies. Anti-malware policies provide protection against many malware threats, including viruses, worms, spyware and trojans, by scanning content passing through Network Guardian.

Creating an Anti-malware Policy

An anti-malware policy provides protection by scanning content requested by users. The following section explains how to create an anti-malware policy and configure anti-malware settings.

Note: Anti-malware scanning is not enabled by default. You must enable anti-malware scanning in order to apply any anti-malware policies you have created and enabled. For more information, see Configuring Anti-malware Protection on page 81.

To create an anti-malware policy:
1. Browse to the Guardian > Anti-malware > Policy wizard page.
2. Complete the following steps:
   Step 1: Who. From the Available users or groups list, select who the policy will apply to. Tip: Enter a name or part of a name and Network Guardian will search for names of users and groups that match. To select more than one user or group, hold the CTRL key down while selecting them. Click Add and, when you have added all the users and/or groups, click Next to continue.
   Step 2: What. From the Available categories or category groups list, select what is to be scanned. Tip: Enter the name or part of the name and Network Guardian will search for content that matches. Click Add and, when you have selected the content, click Next to continue.
   Step 3: Where. From the list of locations, select where the policy will apply. Tip: Enter the name or part of the name and Network Guardian will search for locations that match. Click Add and, when you have added the location(s), click Next to continue.
   Step 4: Action. Select one of the following options:
      Create policy folder: Select this action when configuring Network Guardian at a central installation where you need to create policy folders for multiple locations or groups.
      Scan: Select this action to scan the content specified for malware.
      Do not scan: Select this action to allow the user to access the content without scanning it for malware.
   Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 85.
3. Select Enable policy to enable the policy and click Confirm.
4. Network Guardian displays the settings you have selected. Review them and click Save to create the policy. Network Guardian creates the policy and makes it available on the Guardian > Anti-malware > Manage policies page. You must now specify in what order Network Guardian should apply the policy.
5. Browse to the Guardian > Anti-malware > Manage policies page.
6. Locate the policy. Drag and drop the policy to where you want Network Guardian to apply it. For example, if you have created a policy which does not scan archives that system administrators want to download, drag the policy to the top of the list of policies. A Do not scan policy placed above a Scan policy exempts that content entirely, so keep such exceptions as narrow as possible in users, categories and locations.

Configuring Anti-malware Protection

The following section explains how to enable anti-malware scanning and set a maximum size for files to be scanned.

To configure anti-malware protection:
1. Navigate to the Guardian > Anti-malware > Settings page.
2. Configure the following settings:
   Anti-malware scanning: Select Enable to activate malware scanning.
   Max file size to scan: Enter the maximum file size to scan in megabytes. The value can be between 1 MB and 100 MB. Note: To download files larger than 100 MB with malware scanning enabled, you may need to create an anti-malware policy which never scans files from these sites. Sites which stream audio/video over HTTP may also experience problems when malware scanning is enabled.
   File uploads: Select Scan or Do not scan as required.
3. Click Save to apply the malware protection.

Configuring Anti-malware Status Information

You can configure Network Guardian to display information on files being scanned for malware.

To configure the information displayed:
1. Navigate to the Guardian > Anti-malware > Status page.
2. Configure the following settings:
   Status page title: This text displays information on the name and size of the file being downloaded. Accept the default or enter new text. The keywords %%FILENAME%% and %%FILESIZE%% can be used to provide file-specific information.
   After download: This information is displayed after the file has been downloaded and while it is being scanned. Accept the default or enter new text.
   After scan: This text is the message displayed when the file has been scanned. Users are provided with a link to save the file to their computer following a successful scan. Accept the default or enter new text.
   Auto-start downloads: Select to automatically download the file after it has been scanned and approved for download.
3. Click Save to apply any changes.

Note: If requested content fails the malware scan, Network Guardian denies the download. Before creating a policy which allows such content to be downloaded, you should first be confident that the requested content is safe.

Editing Anti-malware Policies

You can edit an existing anti-malware policy to suit your organization's requirements.

To edit an anti-malware policy:
1. Browse to the Guardian > Anti-malware > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Network Guardian displays the policy settings on the Guardian > Anti-malware > Policy wizard page.
3. Make the changes necessary; see Managing Anti-malware Policies on page 79 for more information on working with policies.
4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Guardian > Anti-malware > Manage policies page.

Deleting Anti-malware Policies

You can delete an anti-malware policy you no longer require.

To delete an anti-malware policy:
1. Browse to the Guardian > Anti-malware > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Remove. Network Guardian deletes the policy.

Using the Policy Tester

Network Guardian's policy tester enables you to determine what policy actions would apply for a given URL and, optionally, a specific user or group at a specific location and/or time. The policy tester does this by sending an impersonated request for access to the URL.

Tip: Use the policy tester to check for possible negative side effects before adding a user/group, time slot or location to a Guardian policy.

To use the policy tester:

1. Browse to the Guardian > Quick links > Policy tester page.
2. Configure the following settings:

   URL: Enter the URL to be requested. If the URL contains www, enter that too.
   Who: Optionally, select the group(s) or user who would make the request.
      Group: From the drop-down list, select the group(s) who would make the request.
      User: Enter the name of the user making the request.
   Where: Optionally, select the location(s) or IP address from which the content would be requested.
      Location: From the drop-down list, select the location(s) from which the request would be made.
      IP address: Enter the IP address from which the request would be made.
   When: Optionally, select at what time or during which time slot(s) the content would be requested.
      Time: Enter the time at which the content would be requested.
      Time slot: Specify the time slot(s) during which the content would be requested.

   Tip: It is possible to impersonate a request made in the past. For example, you can check if someone could have accessed a URL previously.

   Detailed diagnostics: Optionally, select this to determine what policy actions would apply to resources such as images, JavaScript, CSS tags, HTML5 multimedia tags and other resources at the URL. Note: Hyperlinks to other pages are not tested.

3. Click Test. For each Guardian policy enabled at that time, Network Guardian displays what action has been applied regarding the URL and the options you specified. When testing a URL which results in a redirect, the URL to which the original is redirected and its status are displayed. This enables you to policy test the redirect URL. For information about URL statuses, see:

Note: The policy tester can impersonate a user or group(s) attempting to access web content. Network Guardian does not log impersonated requests. However, an upstream proxy may capture and log the request as coming from the user or group(s) being impersonated.

Other Ways of Accessing the Policy Tester

The policy tester is also available:

On the Dashboard page. If the Web filter option is enabled on the System > Preferences > User interface page, you can run quick policy tests.
On user portals. If the policy tester has been enabled for a user portal, it will be available when users access the portal. For more information, refer to the Network Guardian Operations Guide.

Working with Policy Folders

Policy folders enable you to organize and apply policies according to whatever criteria are most appropriate to your organization. For example, by default, Network Guardian blocks all adverts for all users all the time in every location. If you want to allow some users and/or groups to access adverts sometimes, and others to access them always at specific locations, you can accomplish this by creating a policy folder which contains a general web filter policy allowing access to adverts. You can then add policies to the folder specifying which groups are allowed access, at what times and in which locations.

Using policy folders makes it easier to understand the policy table on the manage policies page and more accurately reflects how a policy is applied to specific groups.

Creating a Policy Folder

You create a policy folder by using a policy wizard. To create a policy folder:

1. When running a policy wizard, do not add a policy object for the criterion you want to use to determine the type of policy folder. For example, if you want to create a web filter policy folder to contain policies that can be applied to specific groups and/or users, do not add any users or groups to the policy.
2. When configuring the policy action, select Create policy folder. After you have completed the policy wizard, Network Guardian makes the policy folder available on the manage policies page.
3. To add a policy to a folder, browse to the relevant manage policies page, locate the policy folder and click Add policy to folder. Network Guardian opens the folder and displays it on the policy wizard page.
4. Add the policy object, for example a group to which you want to apply the policy, and click Confirm. Network Guardian displays the policy settings. Review the settings and then click Save. Network Guardian creates the policy, places it in the policy folder and makes it available on the manage policies page.

Editing Policy Folders

You can edit a policy folder by changing the policy objects it contains. To edit a policy folder:

1. On the relevant manage policies page, locate the policy folder and click Edit policy folder. Network Guardian opens the folder and displays it on the policy wizard page.
2. Make changes to the policy object(s) included in the folder by adding or removing them as required.
3. Click Confirm, review the changes and click Save to apply the changes and update the folder.

Deleting Policy Folders

You can delete policy folders you no longer require. To delete a policy folder:

1. On the relevant manage policies page, locate the policy folder and click Delete policy folder. Click Remove when prompted to confirm that you want to delete the folder. Network Guardian deletes the folder and removes it from the relevant manage policies page.

Censoring Web Form Content

The following section explains how to create and apply a censor policy for content and/or files posted using web forms. A censor policy consists of a filter, an action and a time period. To create and apply a censor policy:

1. Browse to the Services > Message censor > Policies page.
2. Configure the following settings:

   Service: From the drop-down menu, select one of the following options:
      Web filter outgoing: Select to apply the policy to content and/or files being posted in web forms, such as to message boards or Wikipedia, using HTTP.
      Web filter secure outgoing (HTTPS): Select to apply the policy to content and/or files being posted in web forms, such as to message boards or Wikipedia, using HTTPS. Note: An HTTPS inspection policy must be deployed for this to work. See Managing HTTPS Inspection Policies on page 68 for more information.
      Click Select to update the policy settings available.
   Filter: From the drop-down menu, select a filter to use. For more information about filters,.
   Time period: From the drop-down menu, select a time period to use, or accept the default setting. For more information about time settings,.
   Action: From the drop-down menu, select one of the following actions:
      Block: Content which is matched by the filter is blocked.
      Allow: Content which is matched by the filter is allowed and is not processed by any other filters.

   Log severity level: Network Guardian enables you to store all blocked content, no blocked content, or only blocked content above a certain severity level. If you want Network Guardian to store only blocked content above a certain severity level, you must assign severity levels to the content; the Log severity level option enables you to do this. From the drop-down list, select the severity level to assign to content that has been blocked by this policy. Note: You must also configure the options for storing blocked content on the Guardian > Web filter > Outgoing page. See below for more information.
   Group: From the drop-down list, select the group to which you want to apply the policy.
   Comment: Optionally, enter a description of the policy.
   Enabled: Select to enable the policy.

3. Click Add and, at the top of the page, click Restart to apply the policy.
4. Browse to the Guardian > Web filter > Outgoing page.
5. Configure the following settings:

   MessageCensor filtering and logging: Select Enable to enable censoring of content and/or files posted using web forms.
   Store blocked content: Select this option if you want Network Guardian to store content it blocks. Note: This option does not apply to content posted using HTTPS.
   Store blocked content above severity level: If you have selected to store blocked content, from the drop-down list, select one of the following options:
      Always store: Network Guardian stores all blocked content and makes it available for review in the web filter log.
      4 to 5: Select a severity level above which Network Guardian stores the blocked content and makes it available for review in the web filter log. For more information, see the Log severity level option above.
      Note: This option does not apply to content posted using HTTPS.

6. Click Save. Network Guardian applies the policy.

Configuring Organization Accounts

Before your organization can deploy Swurl, the organization account must be configured on Network Guardian. To configure the organization's account:

1. On the Swurl home page, click View account. The Organization account screen opens.
2. Make a note of the information displayed.
3. On Network Guardian, browse to the Guardian > Swurl > Settings page.
4. Configure the following settings:

   Swurl: Select Enable.
   Fetch lists when centrally managed: Select this setting if Swurl is managed centrally. See your Network Guardian Administrator's Guide for more information on centrally managed systems.
   Organization: Enter the name of your organization as shown on the Organization account screen.
   User ID: Enter your user ID as shown on the Organization account screen.
   Password: Enter your password as shown on the Organization account screen.

5. Click Save. Network Guardian saves the information and enables Swurl.

5 Managing Authentication Policies

This chapter introduces authentication policies, including:

About Authentication Policies on page 91
Creating Authentication Policies on page 92
Managing Authentication Policies on page 101
Managing Authentication Exceptions on page 103
Identification by Location on page 103
Connecting to Network Guardian on page 106
Authentication Scenarios on page 108

About Authentication Policies

Note: By default, Network Guardian comes with an authentication policy in place. To use it, you configure your users' web browsers to use Network Guardian as their web proxy. For more information, see Creating a Non-transparent Connection Manually on page 106.

Network Guardian uses authentication to:

Identify users and assign them to groups, so that Network Guardian can apply different policies to each group
Allow access to registered users or trusted workstations
Provide logging and auditing facilities in case of misuse
Show in real time which users are accessing content

An authentication policy is comprised of a connection type, an authentication method, port information and a location.

Network Guardian can use several different authentication methods to identify a user or group, with different requirements and restrictions. Authentication policies determine which method is used. They also determine which interfaces and ports Network Guardian listens on for web requests.

Creating Authentication Policies

Network Guardian enables you to create the following types of authentication policies:

Non-transparent authentication policies: this type of policy is applied to users whose web browsers are configured to connect to the Internet using Network Guardian as their web proxy. For more information, see Creating Non-transparent Authentication Policies on page 92.
Transparent authentication policies: this type of policy is applied to users whose computers' network connection uses Network Guardian. For more information, see Creating Transparent Authentication Policies on page 97.

Creating Non-transparent Authentication Policies

Non-transparent authentication policies enable you to apply a web filter policy and authentication requirements to a user or group of users. To create a non-transparent authentication policy:

1. Browse to the Web proxy > Authentication > Policy wizard page.
2. Select Non-Transparent and, from the Method drop-down list, select one of the following authentication methods:

   No authentication: Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group.
   Kerberos: Identify users by using the Kerberos keytab stored on Network Guardian. For more information, see Managing Kerberos Keytabs.

   Kerberos (Terminal Services compatibility mode): Identify users by using the Kerberos keytab stored on Network Guardian. For information about Kerberos prerequisites and troubleshooting, see Managing Kerberos Keytabs on page 198. This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server.
   Proxy authentication: Identify users by requesting a username and password from the user's browser. This authentication method prompts users to enter a username and password when they try to web browse. The username and password details are encoded in all future requests made by the user's browser.
   Proxy authentication (Terminal Services compatibility mode): Identify users by requesting a username and password from the user's browser. This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server.
   NTLM identification: Identify users according to the username logged into their Microsoft Windows workstation. Note: NTLM identification does not verify a user's credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials. Note: Network Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM should not be used with any other browser or platform, even if the platform claims to support NTLM. NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
   NTLM identification (Terminal Services compatibility mode): Identify users according to the username logged into their Microsoft Windows workstation. Can be used in conjunction with Microsoft Terminal Services. Note: NTLM identification does not verify a user's credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials. Note: Network Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM. Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames. This method works with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server.

   NTLM authentication: Identify users according to the username logged into their Microsoft Windows workstation, and validate their credentials with the domain controller. Prerequisites: There must be a computer account for Network Guardian in Active Directory. The account specified on the Services > Authentication > Settings page must have permission to join the computer to the domain. Note: Network Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM. Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
   NTLM authentication (Terminal Services compatibility mode): Identify users according to the username logged into their Microsoft Windows workstation, and validate their credentials with the domain controller. Can be used in conjunction with Microsoft Terminal Services. Prerequisites: There must be a computer account for Network Guardian in Active Directory. The account specified on the Services > Authentication > Settings page must have permission to join the computer to the domain. Note: Network Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM. Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames. This method works with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server.
   Redirect users to SSL Login page (with background tab): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The Network Guardian authentication service supports only one user per client IP address. Using this method, the SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times. Select this method if a user's browser cannot accept cookies. This method is also suitable if a user's browser plugins or applications require the authenticated session to remain active. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user's workstation and the Network Guardian system is encrypted. To log out securely, the user must click Logout on the SSL Login page; see About SSL Authentication.

   Redirect users to SSL Login page (with session cookie): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The Network Guardian authentication service supports only one user per client IP address. Using this method, Network Guardian stores a session cookie on the user's browser. The cookie removes the need for the user to reauthenticate. This method is useful for users of tablet PCs and other mobile devices which have problems keeping tabs in browsers open in the background. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user's workstation and the Network Guardian system is encrypted. To log out securely, the user must click Logout on the SSL Login page; see About SSL Authentication on page 196.
   Core authentication: Identify users with the Network Guardian authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group. The Network Guardian authentication service supports only one user per client IP address. Core authentication is typically used with the SSL Login page. For example, anonymous users can be allowed access to certain sites only, but users can optionally log in to gain a higher level of access.
   Ident: Identify users according to the username returned by an Ident server running on their workstation. Network Guardian supports Ident for compatibility with any Ident-enabled networks your organization may already be using. Networks supporting Ident authentication require an Ident server application to be installed on all workstations that can be queried by Ident-enabled systems. The user does not need to enter their username as it is automatically supplied by the Ident server application. Once a user's Ident server has identified the user, the user's web activities will be filtered according to their authentication group membership. For details of how to configure this with your choice of Ident server, please refer to the Ident server's administrator's guide. Note: Ident does not verify a user's credentials. It should only be used where all client workstations are secured and running an Ident server controlled by the network administrator. Unsecured clients can spoof their credentials.
   Identification by Location: Identify users by their IP address. Assign a group based on the identification by location policy configured for their location. Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network. For more information, see Identification by Location on page 103. For information about locations, see Working with Location Objects.

   Kerberos (via redirect): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the Kerberos login page, which obtains the username logged into their Microsoft Windows workstation. For information about Kerberos prerequisites and troubleshooting, see Managing Kerberos Keytabs on page 198. The Network Guardian authentication service supports only one user per client IP address.
   Smart redirect: Identify the user's device in order to redirect them to an NTLM authentication service, or an SSL login service. This redirect is based on the User-Agent data received in the browser's HTTP header. This is a best-guess scenario, based on pattern-matching and compatibility. Note that within the user activity screen (see Managing User Activity on page 195), smart redirected users will show the authentication method used, not Smart redirect.
   NTLM identification (via redirect): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation. The Network Guardian authentication service supports only one user per client IP address. Note: This option is for backwards compatibility with earlier versions of Guardian.
   NTLM authentication (via redirect): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller. The Network Guardian authentication service supports only one user per client IP address. Note: This option is for backwards compatibility with earlier versions of Guardian.
   Global Proxy using NTLM: Identify users using the Secure Global Proxy service. Users must be logged in using NTLM credentials. Note: Even if your Smoothwall System has multiple internal interfaces, you can only create one Global Proxy using NTLM authentication policy. Enabling this policy automatically adds firewall rules to allow external access to the proxy port. Device authentication can be implemented using client-side certificates. For a detailed description of how to configure these, see Using Global Proxy Certificates on page 104. For more information about Secure Global Proxy, refer to the Secure Global Proxy Installation and Administration Guide.

3. Configure the following settings:

   Interface: From the drop-down list, select the interface on which to apply the authentication policy.
   Port: From the drop-down list, select the port on which to apply the authentication policy.

   Enabled: Select to enable the policy.

4. Click Next and add the location at which the policy will apply.
5. Click Next and review the options for handling unauthenticated requests. When requests are permitted without requiring authentication, for example, entries on the Web proxy > Authentication > Exceptions page, Network Guardian assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.
6. Click Next, select Enabled and click Confirm. Network Guardian displays the policy settings.
7. Review the settings and click Save to make the policy available for use.

Creating Transparent Authentication Policies

Transparent authentication policies enable you to apply a web filter policy and authentication requirements to a user or group of users. To create a transparent authentication policy:

1. Browse to the Web proxy > Authentication > Policy wizard page.
2. Select Transparent and, from the Method drop-down list, select one of the following authentication methods:

   No authentication: Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group.

   Redirect users to SSL Login page (with background tab): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The Network Guardian authentication service supports only one user per client IP address. Using this method, the SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times. Select this method if a user's browser cannot accept cookies. This method is also suitable if a user's browser plugins or applications require the authenticated session to remain active. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user's workstation and the Network Guardian system is encrypted. To log out securely, the user must click Logout on the SSL Login page; see About SSL Authentication on page 196.
   Redirect users to SSL Login page (with session cookie): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The Network Guardian authentication service supports only one user per client IP address. Using this method, Network Guardian stores a session cookie on the user's browser. The cookie removes the need for the user to reauthenticate. This method is useful for users of tablet PCs and other mobile devices which have problems keeping tabs in browsers open in the background. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user's workstation and the Network Guardian system is encrypted. To log out securely, the user must click Logout on the SSL Login page; see About SSL Authentication on page 196.
   Core authentication: Identify users with the Network Guardian authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group. The Network Guardian authentication service supports only one user per client IP address. Core authentication is typically used with the SSL Login page. For example, anonymous users can be allowed access to certain sites only, but users can optionally log in to gain a higher level of access.
   Identification by location: Identify users by their IP address. Assign a group based on the identification by location policy configured for their location. Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network. For more information, see Identification by Location on page 103. For information about locations, see Working with Location Objects.

   Kerberos (via redirect): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the Kerberos login page, which obtains the username logged into their Microsoft Windows workstation. For information about Kerberos prerequisites and troubleshooting, see Managing Kerberos Keytabs on page 198. The Network Guardian authentication service supports only one user per client IP address.
   Smart redirect: Identify the user's device in order to redirect them to an NTLM authentication service, or an SSL login service. This redirect is based on the User-Agent data received in the browser's HTTP header. This is a best-guess scenario, based on pattern-matching and compatibility. Note that within the user activity screen (see Managing User Activity on page 195), smart redirected users will show the authentication method used, not Smart redirect.
   NTLM identification (via redirect): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation. The Network Guardian authentication service supports only one user per client IP address. Note: NTLM identification does not verify a user's credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.
   NTLM authentication (via redirect): Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller. The Network Guardian authentication service supports only one user per client IP address.

3. Configure the following settings:

   Interface: From the drop-down list, select the interface on which to apply the authentication policy. Note: For more information about the WCCP interface option, see Configuring WCCP.

   Filter HTTPS traffic: Select this option to transparently intercept HTTPS connections. When disabled, no filtering is performed on HTTPS requests from clients without deployed proxy settings. Note: Transparent HTTPS interception is not compatible with Internet Explorer running on Windows XP or earlier.
      Allow HTTPS traffic with no SNI header for the 'Transparent HTTPS incompatible sites' category: Select this option to allow HTTPS traffic without a server name indication (SNI) field in its header. This allows access to content in the Transparent HTTPS incompatible sites content category based on a best guess of the destination host by using DNS reverse lookup. For more information about content categories, see Working with Category Group Objects on page 55. Note: When enabled, web requests allowed by this option will bypass any deployed HTTPS policies and will not be subjected to inspection or certificate checking. Note: This option is not applicable when configuring an authentication policy folder. For more information about folders, see Working with Policy Folders on page 85.
   HTTPS Spoofing: Select this option to allow upstream services to see network traffic as coming from Network Guardian's IP address rather than the originating client's IP address. Note: This option is only available when configuring a policy which uses a bridged interface.
   Enabled: Select to enable the policy.

4. Click Next and add the location at which the policy will apply.
5. Click Next and review the options for handling unauthenticated requests. When requests are permitted without requiring authentication, for example, entries on the Web proxy > Authentication > Exceptions page, Network Guardian assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.
6. Click Next, select Enabled and click Confirm. Network Guardian displays the policy settings.
7. Review the settings and click Save to make the policy available for use.
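As an added illustration of the no-SNI option above (example code, not Smoothwall's), the Python below parses the server_name extension out of a TLS ClientHello and applies the decision the guide describes: a host name from SNI is handled by the normal HTTPS policies, while a connection with no SNI is only passed through, uninspected, when the option is on and a reverse DNS guess lands in the incompatible-sites category. The category contents, the PTR table and the "block" outcome for the remaining no-SNI cases are assumptions for this example, not taken from the guide.

```python
import struct
from typing import Callable, Optional, Tuple

# Constructed stand-in for the "Transparent HTTPS incompatible sites" category
# (assumption: the real category contents are not on the page).
INCOMPATIBLE_SITES = {"legacy-update.example.net"}

# Constructed reverse-DNS (PTR) table so the example runs offline; a real
# interceptor would call socket.gethostbyaddr() here.
PTR_TABLE = {
    "203.0.113.10": "legacy-update.example.net",
    "203.0.113.20": "cdn.example.org",
}


def extract_sni(client_hello: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension (RFC 6066),
    or None when the ClientHello carries no SNI. Raises ValueError on non-ClientHello input."""
    if len(client_hello) < 5 or client_hello[0] != 0x16:      # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", client_hello[3:5])[0]
    body = client_hello[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:                      # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                              # client_version + random
    pos += 1 + hello[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + hello[pos]                                     # compression_methods
    if pos + 2 > len(hello):
        return None                                           # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000:                                # server_name extension
            list_len = struct.unpack("!H", data[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                            # NameType host_name
                    return data[p:p + name_len].decode("ascii")
                p += name_len
    return None


def build_client_hello(server_name: Optional[str] = None) -> bytes:
    """Build a minimal ClientHello, with or without SNI (constructed test input)."""
    hello = b"\x03\x03" + b"\x11" * 32 + b"\x00"              # version, random, empty session_id
    suites = b"\x13\x01\x13\x02"                              # two TLS 1.3 suites
    hello += struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # null compression only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sni)) + sni
    hello += struct.pack("!H", len(exts)) + exts
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


def classify_connection(client_hello: bytes, dst_ip: str, allow_no_sni: bool,
                        reverse_lookup: Callable[[str], Optional[str]]) -> Tuple[str, Optional[str]]:
    """Decide how a transparently intercepted HTTPS connection is treated.
    Returns (decision, host): 'inspect' (HTTPS policies apply), 'bypass'
    (allowed, but no inspection or certificate checking), or 'block'."""
    sni = extract_sni(client_hello)
    if sni is not None:
        return "inspect", sni                  # host known: normal HTTPS policy path
    if not allow_no_sni:
        return "block", None                   # assumption: no host, so nothing to police
    guess = reverse_lookup(dst_ip)             # best guess of the host via reverse DNS
    if guess in INCOMPATIBLE_SITES:
        return "bypass", guess                 # category hit: allowed, uninspected
    return "block", guess                      # assumption: not in the category


def lookup(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


if __name__ == "__main__":
    for name, ip in ((None, "203.0.113.10"), (None, "203.0.113.20"), ("www.example.com", "203.0.113.20")):
        print(name, ip, classify_connection(build_client_hello(name), ip, True, lookup))
```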

Managing Authentication Policies

Network Guardian applies authentication policies in the order they are displayed on the Web proxy > Authentication > Manage policies page. You can change the order in which the policies are applied by dragging and dropping them into new positions.

To change the order of the authentication policies, do the following:
1. Browse to the Web proxy > Authentication > Manage policies page. Network Guardian displays the current authentication policies assigned to each interface.
2. To move an authentication policy, either:
   Click and hold the policy number and drag it to its new position; or
   Highlight the policy by clicking it, and use the Up or Down button to move it to its new position.
3. Click Save.
4. You must restart Network Guardian's proxy service if any changes are made to the authentication policies. Click Restart proxy when prompted.

Editing Authentication Policies

You can make changes to existing authentication policies, including disabling them for later use, without removing the policy.

To edit an authentication policy, do the following:
1. Browse to the Web proxy > Authentication > Manage policies page.
2. Locate the policy you want to change.
3. To enable or disable an existing policy, highlight the relevant one, and click the grey box in the Enabled column.

4. To edit the policy configuration, click the Edit policy button. Network Guardian displays the policy on the Web proxy > Authentication > Policy wizard page.
5. Adjust the policy as required. For more information, see Creating Authentication Policies on page .
6. Click Confirm.
7. Review your changes and then click Save to save and apply the changes.
8. You must restart Network Guardian's proxy service if any changes are made to the authentication policies. Click Restart proxy when prompted.

Deleting Policies

You can delete authentication policies you no longer require.

Note: If you remove all authentication policies assigned to a policy folder, but do not remove the folder assigned to an interface, the Guardian service stops responding to requests and appears as stopped on the Dashboard. To prevent an interface from using authentication policies, it is recommended that you remove the folder as well.

To delete an authentication policy, do the following:
1. On the Web proxy > Authentication > Manage policies page, locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy.
3. Click Delete.
4. You must restart Network Guardian's proxy service if any changes are made to the authentication policies. Click Restart proxy when prompted.

Managing Authentication Exceptions

You can configure Network Guardian to allow access to content without requiring authentication. For example, automatic Windows updates can be accessed without user authentication.

Tip: Log in to our support portal and read more about applications known not to support authenticated proxies and how to put an authentication exception in place for them.

To create an exception:
1. Browse to the Web proxy > Authentication > Exceptions page.
2. Select the content to be excepted from authentication and click Add.
3. Click Save to create the exception.

Identification by Location

You can configure Network Guardian to identify groups and/or users by the location in which they are situated. This ident-by-location status can be used to configure an identification by location authentication policy.

Note: The settings configured on this page are only used when Identification by Location is selected as the method in an authentication policy. See Creating Authentication Policies on page 92 for more information.

To configure identification by location:
1. Browse to the Web proxy > Authentication > Ident by location page.
2. From the Selected location drop-down list, select the location.
3. Select the groups and/or users to include in the location and click Add.
4. Click Confirm. Network Guardian lists the location in the Location to group mappings table.

Using Global Proxy Certificates

As well as using NTLM authentication to authenticate users, you can use client-side certificates to ensure that only approved devices have access to web filter policies. This provides an additional layer of security. The same certificate is used by all devices. You must download the client certificate from the Smoothwall System licenced for Secure Global Proxy, and install it on the relevant devices.

Note: The home page of the device's browser must be set to the external IP address of your Smoothwall System, on port 62444, to validate the certificate before web traffic is allowed through.

To download a client certificate, do the following:
1. On the Smoothwall System, browse to Web proxy > Global Proxy > Settings.
2. Ensure Proxy security is set to Client certificates.

3. Click Save.
4. From the Client certificate panel, click Download certificate.
5. Copy this certificate into the relevant devices' internal storage, and import it into the browsers. For a detailed description of supported browsers, and how to import the certificates, refer to the Secure Global Proxy Installation and Administration Guide.

Using Multiple, Distinct Proxies

You can configure multiple Secure Global Proxy servers in separate locations which are not part of a centrally managed solution. Each proxy server must have the same Root Certificate Authority (CA) so that it can validate the same client certificates presented to it. This allows the connecting client to use an alternative Secure Global Proxy server without having to import a new or additional certificate, with the additional advantage of load-balancing the web traffic from a large number of clients.

Note: Secure Global Proxy servers which are part of a centrally managed solution should have the Root CA bundle uploaded to them via replication. If this does not happen, the following procedure should also be used.

To download a Root CA bundle, do the following:
1. On the Smoothwall System, browse to Web proxy > Global Proxy > Settings.
2. Click Advanced.
3. From the Download Root CA Bundle panel, click Download certificate.
4. Manually upload the Root CA certificate (connect_ca.tgz) to all other Secure Global Proxy servers as detailed below.

To upload a Root CA bundle, do the following:
1. On the Smoothwall System, browse to Web proxy > Global Proxy > Settings.
2. Click Advanced.
3. From the Upload Root CA Bundle panel, click Choose File, and browse to the Root CA bundle (connect_ca.tgz).
4. Click Upload to make the Root CA available.

Note: Uploading a new Root CA bundle will overwrite the existing Root CA.

Using an Unsecured Proxy

It is not recommended that you configure an unsecured (open) proxy, as this has security implications. If you configure Secure Global Proxy as an open proxy, connecting clients do not need to present the client-side certificate, although NTLM authentication is still required. Open proxies allow all connection attempts through without authentication, and can potentially be exploited by users, such as spammers.

To remove the need for client-side certificate checking, do the following:
1. On the Smoothwall System, browse to Web proxy > Global Proxy > Settings.
2. Change Proxy security to None (Open proxy).

3. Click Save.

Viewing the Global Proxy Logs

The Secure Global Proxy log contains information about the users logged into your network via Secure Global Proxy, and the length of time left on their session.

To view the Secure Global Proxy log, from the Smoothwall System, browse to Web Proxy > Global Proxy > Certificate Activity.

Connecting to Network Guardian

The following sections explain how to connect non-transparently and transparently to Network Guardian.

About Non-transparent Connections

Non-transparent connections from users' web browsers to Network Guardian are suitable when content is accessed using HTTPS, when using NTLM or proxy authentication, or when using identification in terminal services compatibility mode. Connecting to Network Guardian non-transparently entails configuring users' web browsers to use Network Guardian as the web proxy, using one of the following methods:

Manually: Web browser LAN settings are manually configured. See Creating a Non-transparent Connection Manually on page 106 for more information.
Automatic configuration script: Web browser LAN settings are configured to receive proxy configuration settings from an automatic configuration script which is generated by Network Guardian. See Configuring Non-transparent Connections Using a PAC Script on page 107 for more information.
WPAD automatic script: Web browser LAN settings are configured to detect proxy settings automatically. See Configuring a Non-transparent Connection Using a WPAD Automatic Script on page 107 for more information.

Creating a Non-transparent Connection Manually

Note: The following instructions apply to Internet Explorer 7. For information about other browsers, see the documentation delivered with the browsers.

To create a non-transparent connection manually:
1. On users' computers, start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings.
3. In the Automatic configuration area, check that Automatically detect settings and Use automatic configuration script are not selected.
4. In the Proxy server area, select Use a proxy server for your LAN.
5. Enter Network Guardian's IP address and port number 800, and select Bypass proxy server for local addresses.

6. Click Advanced to access more settings. In the Exceptions area, enter Network Guardian's IP address and the IP addresses of any other content that you do not want filtered, for example, your intranet or local wiki.
7. Click OK and OK to save the settings.

Configuring Non-transparent Connections Using a PAC Script

A proxy auto-config (PAC) script is a file generated by Network Guardian. Once configured, any changes to connections are automatically retrieved by the user's web browser. For information about working with PAC scripts, see Using PAC Scripts on page 116.

Note: The following instructions apply to Internet Explorer 7. For information about other browsers, see the documentation delivered with the browsers.

To configure a non-transparent connection using a PAC script:
1. On the user's computer, start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings.
3. Configure the settings as follows:
   Automatically detect settings: Deselect this option.
   Use automatic configuration script: Select this option.
   Address: Enter the address of the script. Tip: To locate the address, navigate to the Web proxy > Web proxy > Settings page. The address is listed in the Automatic configuration script address area.
4. Ensure that no other proxy settings are enabled or have entries.

Note: You may need to restart the web browser for the settings to take effect.

Configuring a Non-transparent Connection Using a WPAD Automatic Script

Note: This method is only for administrators familiar with configuring web and DNS servers. End-user browsers must support WPAD; the latest versions of Microsoft Internet Explorer support this method.

The WPAD method works by the web browser prepending the hostname wpad to the front of its fully qualified domain name and looking for a web server on port 80 that can supply a wpad.dat file. The file works in the same way as the automatic configuration script and tells the browser what web security policy it should use.

To use WPAD:
1. Configure your network to use Network Guardian as the network web proxy. Consult your network documentation for more information about how to do this.

2. Using a local DNS server or Network Guardian's static DNS, add the host 'wpad.yourdomainname', substituting your own domain name. The host must resolve to Network Guardian's IP address.
3. Configure users' browsers to automatically detect LAN settings.

About Transparent Connections

You configure transparent connections from users' computers to Network Guardian by configuring the computers' network connections to use Network Guardian as the default gateway. In order for a transparent policy to work, the following must be in place:

DNS must be set up correctly on your network so that user computers can resolve the short form of Network Guardian's hostname, for example, resolve mysystem for the hostname mysystem.example.com.
User computers and Network Guardian must be within the same DNS domain.
Internet Explorer must be configured to authenticate automatically with intranet sites.

Authentication Scenarios

The following are high-level examples of how you can configure Network Guardian to suit your organization's authentication requirements.

New Content Filtering: Changing the Listening Port

Anna runs an Internet cafe. She is replacing her current content filter with Network Guardian because of its superior filtering. To avoid reconfiguring each workstation, she needs Network Guardian to listen on the same port as before, which was port . Anna goes to the Web proxy > Authentication > Policy page, which shows the default configuration of no authentication on port 800. She clicks the Edit button on the entry displayed, which takes her to the Web proxy > Authentication > Policy wizard page. On this page, all fields apart from interface and port are disabled. She changes the port to 3128 and saves her changes, and a message prompts her to restart Network Guardian.

Providing Filtered Web Access to the Public

Brian is a network administrator for a university. Staff and student web access is unfiltered, but Brian wants to provide filtered web access for a new conference centre open to the public. He does not want delegates to need to configure a proxy in their browsers. Brian configures Network Guardian to listen in transparent mode. On the Web proxy > Authentication > Policy wizard page, he selects Transparent and No authentication and leaves the other options at their defaults.

After adding this entry, on the Web proxy > Authentication > Policy page, he can see the new transparent authentication policy, so he removes the default entry for port 800. He then configures the firewall and DHCP servers on the network to route traffic through Network Guardian.

Requiring Authentication to Browse the Web

Charlotte is a hotel manager. The hotel provides Internet access to guests via their own laptops and shared PCs in the lobby. The wireless network is secured, but Charlotte needs to know which guest is responsible for web traffic in case of misuse. She wants a simple system which doesn't require guests to register their wireless devices. Charlotte creates a local user account for each room, with names like room23 and a random simple password. Guests are told the password for their room when they check in if they request Internet access, and the password is changed when they check out. Charlotte then configures Network Guardian in transparent mode on the Web proxy > Authentication > Policy page by adding a new entry for Transparent and Redirect to SSL Login, leaving the other options at their defaults. She removes the entry for port 800 before restarting Network Guardian.

Using Multiple Authentication Methods

Donald is a college system administrator. His network contains Windows PCs, Macs, and network points for student laptops. Donald wants to provide authentication across the network using single sign-on wherever possible. For Macs, Donald creates a location on the Guardian > Location > Policy wizard page, which he names Macs. This location contains the IP address ranges assigned to Macs. On the Web proxy > Authentication > Policy page, he edits the default entry for port 800, changing the authentication method to NTLM authentication. Then he adds a new entry, choosing Ident authentication for the location Macs. This is displayed above the entry for NTLM on the policy page. Finally, he adds an entry for the laptops for transparent connections and Redirect to SSL Login. Using group policy and central admin tools, he configures the Windows PCs and Macs to use Network Guardian, and installs an Ident server on the Macs. Windows and Mac users now authenticate to Network Guardian using their desktop login session, but laptop users are presented with the SSL Login screen when they browse.

Controlling an Unruly Class

Ellen is a secondary school teacher. Ellen's students are supposed to be reading about the Civil War but are inclined to waste time when her back is turned. Ellen needs to be able to ban students from accessing the Internet as a punishment for misbehavior. While the students are working, Ellen looks around the room and also monitors web usage on the Logs and reports > Realtime > Web filter page. She sees that one of her students, Fred, is watching videos on YouTube, so she goes to the Services > Authentication > User activity page, scrolls to his login entry, and selects Ban. This takes her to the temporary bans page, where she configures the ban to expire at the end of the lesson. When Fred clicks on another video, he is shown the block page.


6 Managing Web Security

This chapter includes:
Overview of the Web Proxy on page 112
Using PAC Scripts on page 116
Limiting Bandwidth Use on page 118
Configuring WCCP on page 120
Managing Upstream Proxies on page 122
Managing Blocklists on page 130
Managing Block Pages on page

Overview of the Web Proxy

The following sections provide an overview of Network Guardian's web proxy settings.

To access Network Guardian's web proxy settings:
1. Navigate to the Web proxy > Web proxy > Settings page.

Global Options

The following table lists Network Guardian's global web proxy setting:

Guardian: Select Enable to enable content filtering and Network Guardian's web proxy.

2. Click Advanced to access the advanced web proxy settings, which are documented in the following sections.

Advanced Web Proxy Settings

The following advanced web proxy settings are available.

Web Filter Options

The following optional advanced web filter settings are available:

HTTP strict mode: By default, this option is enabled. However, for certain client applications going through Network Guardian you may need to disable it in order to handle problems, for example, with the headers that the applications send.

File upload policy: The following options are available:
   Allow unlimited uploads: All file uploads are allowed.
   Block all uploads: All file uploads are blocked.
   Restrict upload size to: Files below the size specified are allowed.

Resume interrupted NTLM connections: By default, Network Guardian resumes interrupted NTLM connections caused by non-standard web browser behavior.
   Enable: This is the default setting. Select this setting to configure Network Guardian to resume interrupted NTLM connections.
   Disable: Select this setting to disable resumption of interrupted NTLM connections when restrictive Active Directory account lockout policies are in operation.

Resolve single component hostnames: By default, Network Guardian makes no attempt to interpret single component hostnames which are not fully qualified.
   Enable: Select this setting to allow Network Guardian to attempt to interpret single component hostnames which are not fully qualified, if single component hostnames are in use.
   Disable: Select this setting to stop Network Guardian from trying to interpret single component hostnames which are not fully qualified.

Allow access to web servers on these additional ports: By default, Network Guardian only allows requests to servers running on a certain subset of privileged ports, i.e. ports below 1024, such as HTTP (80), HTTPS (443) and FTP (21). If you require access to servers running on non-standard ports, enter them here.

Logging Options

The following advanced logging settings are available:

Proxy logging: We recommend that you disable this option when Filter logging mode is enabled. This is because Network Guardian proxy logs are effectively duplicated subsets of Network Guardian web filter logs. Disabling proxy logging can lead to improved performance by reducing system storage and processing requirements.

Organization name: Enter a name which can be used to identify Network Guardian in your organization. Organization names are also referenced in certain web reports.

Filter logging mode: From the drop-down list, select one of the following logging modes:
   Normal: Select this option to generate proxy logs with all recorded data.
   Anonymized: Select this option to generate filter logs with anonymous username and IP address information.
   Disabled: Select this option to disable content filter logging.

Client hostnames: Select one of the following options:
   Log: Select this option to record the hostnames of computers using Network Guardian. When enabled, filter logs and reports incorporating hostname information can be generated. If this option is enabled, it is important that DNS servers exist on the local network and are correctly configured with the reverse DNS of all machines, otherwise performance will suffer.
   Do not log: Select this option to disable the logging of hostnames of computers using Network Guardian.

Client user-agents: Select one of the following options:
   Log: Select to record the types of browsers used by users.
   Do not log: Select to disable the logging of the types of browsers used by users.

Advert blocks: Select one of the following options:
   Log: Select this option to log information about advert blocking.
   Do not log: Select to disable the logging of information about advert blocking.

Cache Options

The following advanced, optional cache settings are available:

Global cache size: The size entered here determines the amount of disk space allocated to Network Guardian for caching web content. Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached. The specified size must not exceed the amount of free disk space available. The cache size should be configured to approximately 40% of the system's total storage capacity, up to a maximum of around 1.5 gigabytes. Larger cache sizes can be specified, but may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves by retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages.

Max and min object size that can be stored in the cache: The values entered here determine the maximum and minimum sizes of objects stored in the cache.
   Max object size: Enter the largest object size that will be stored in Network Guardian's cache. Any object larger than the specified size will not be cached. This prevents large downloads filling the cache. The default of bytes (30 MB) should be adjusted to suit the needs of your users.
   Min object size: Enter the smallest object size that will be stored in Network Guardian's cache. Any object smaller than the specified size will not be cached. This can be useful for preventing large numbers of tiny objects filling the cache. The default is no minimum; this should be suitable for most purposes.

Max object size that can pass in and out of proxy: The values entered here determine the maximum sizes of objects which can pass through the web proxy.
   Max outgoing size: Enter the maximum amount of outbound data that can be sent by a browser in any one request. This can be used to prevent large uploads or form submissions. The default is no limit.
   Max incoming size: Enter the maximum amount of inbound data that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. This can be used to prevent excessive and disruptive download activity. The default is no limit.

Do not cache these domains: Used to specify domains that should be excluded from the web cache. This can be used to ensure that old content of frequently updated web sites is not cached. Enter domain names without the www prefix, one entry per line. To apply the option to any subdomains, enter a leading period, for example: .example.com

Internet Cache Protocol

The following advanced, optional Internet Cache Protocol (ICP) settings are available:

ICP server: Select one of the following options:
   Enable: Select to allow ICP-compatible proxies to query Network Guardian's cache. ICP is a technique employed by proxies to determine if an unfulfilled local cache request can be fulfilled by another proxy's cache. ICP-enabled proxies work together as cache peers to improve cache performance across a LAN. ICP is recommended for LANs with multiple Network Guardian proxy servers; non-Smoothwall proxies must use port 801 for HTTP traffic.
   Disable: Select to disable Network Guardian as an ICP server.

ICP server IP addresses: Use this area to enter the IP addresses of other ICP-enabled proxies on the LAN that Network Guardian should query. Use in conjunction with the ICP server option enabled to allow two-way cache sharing.

Load Balancing

The following load balancing option is available:

Direct Return Server Virtual IP: Enables you to use a load balancing device which uses a virtual IP with Network Guardian. Enter the IP address on which Network Guardian can accept load-balanced connections. Assuming a load balancer has been set up, Network Guardian will form part of its cluster.
Note: This IP address must not respond to ARP queries, as ARP behavior is what sets this type of virtual IP apart from a simple alias.

Using PAC Scripts

Network Guardian enables you to create and make available proxy auto-config (PAC) scripts, which determine which IP addresses and domains to access via Network Guardian and which to access directly. Network Guardian supports built-in PAC scripts and custom PAC script templates.

Using a Built-in Script

A built-in script is an auto configuration script which you can customize with additional settings such as exceptions.

To use a built-in script:
1. Browse to the Web proxy > Web proxy > Automatic configuration page.

2. Select Built-in and configure the following settings:

   Bypass proxy server for local addresses: Select this option to not use Network Guardian when connecting to local addresses. When selected, this option makes users' browsers bypass the Network Guardian proxy if the address is a hostname only, for example: myhostname. Browsers will not bypass the Network Guardian proxy if the address is a fully qualified domain name (FQDN), for example: myhostname.example.local.

   Refer to the proxy by domain name: Select this option so that the Network Guardian proxy uses its domain name instead of IP addresses in the configuration file.
   Note: Before enabling this option, ensure that you have a valid DNS configuration which resolves correctly for this hostname. This option must be enabled when using Kerberos authentication with proxy automatic configuration.

   Exception domains and IP addresses: In this text box, enter an IP address, IP address range, network address or hostname that users may access directly. For example:
   /24
   hostname.local

   Exception regular expression domains: Optionally, click Advanced to access the Exception regular expression domains area. In the text box, enter one regular expression domain per line that users may access directly. For example:
   ^(.*\.)?youtube\.com$
   ^(.*\.)?ytimg\.com$
   would disable usage of Network Guardian for youtube.com, ytimg.com and subdomains such as but not, for example, fakeyoutube.com.

3. Click Save. Network Guardian creates the script and makes it available at:

Using a Custom Script

A custom script provides advanced functionality by enabling you to use a script customized to suit your organization.

Tip: You can use the built-in template as a starting point for creating a custom script. On the Web proxy > Web proxy > Automatic configuration page, click Download and save the default script to a suitable location. Edit the file to suit your requirements and save it using a different name. See below for how to upload it.
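A custom script of this kind, written out as an added example (it is not Network Guardian's generated script or template): it implements the built-in script options described above, including the hostname-only bypass, an exception network, and the youtube.com regular expression exceptions, as a standard FindProxyForURL function. The proxy address 192.0.2.1:800, the 192.0.2.0/24 network and hostname.local are constructed values; isPlainHostName and isInNet are re-implemented locally so the script can also be exercised outside a browser, with isInNet reduced to literal IPv4 hosts because the PAC runtime's dnsResolve is not available offline.

```javascript
// Added example: a hand-written PAC script mirroring the built-in script
// options. Addresses, hostnames and the proxy below are constructed values.
var PROXY = "PROXY 192.0.2.1:800"; // constructed Network Guardian address; 800 is the default proxy port
var DIRECT = "DIRECT";

// "Exception domains and IP addresses": hosts and networks reached without the proxy.
var EXCEPTION_HOSTS = ["hostname.local"];
var EXCEPTION_NETS = [["192.0.2.0", "255.255.255.0"]]; // constructed /24 network

// "Exception regular expression domains": matches youtube.com and ytimg.com
// plus their subdomains, but not look-alikes such as fakeyoutube.com.
var EXCEPTION_REGEX = [/^(.*\.)?youtube\.com$/, /^(.*\.)?ytimg\.com$/];

// Browsers provide these helpers in the PAC runtime; they are re-implemented
// here so the script can also be run under Node for testing.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function ipToInt(ip) {
  var p = ip.split(".");
  return (((parseInt(p[0], 10) << 24) | (parseInt(p[1], 10) << 16) |
           (parseInt(p[2], 10) << 8) | parseInt(p[3], 10)) >>> 0);
}

// Only literal IPv4 hosts are compared; a browser's isInNet would first
// resolve a hostname with dnsResolve(), which is omitted to stay offline.
function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // "Bypass proxy server for local addresses": a bare hostname such as
  // myhostname goes direct; the FQDN myhostname.example.local does not.
  if (isPlainHostName(host)) return DIRECT;

  // "Exception domains and IP addresses"
  for (var i = 0; i < EXCEPTION_HOSTS.length; i++) {
    if (host === EXCEPTION_HOSTS[i]) return DIRECT;
  }
  for (var j = 0; j < EXCEPTION_NETS.length; j++) {
    if (isInNet(host, EXCEPTION_NETS[j][0], EXCEPTION_NETS[j][1])) return DIRECT;
  }

  // "Exception regular expression domains"
  for (var k = 0; k < EXCEPTION_REGEX.length; k++) {
    if (EXCEPTION_REGEX[k].test(host)) return DIRECT;
  }

  // Everything else is sent through Network Guardian.
  return PROXY;
}
```

Because every exception returns DIRECT, traffic matched here is neither filtered nor logged by Network Guardian, so the exception lists deserve the same review as the filtering policies themselves.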

To use a custom script:
1. After configuring the custom script, browse to the Web proxy > Web proxy > Automatic configuration page.
2. Select Custom script template and click Browse. Locate and select the script and click Upload. Network Guardian uploads the script and makes it available at:

Managing the Configuration Script

You define the policy for each interface by configuring which proxy address the configuration script should direct clients to.

To manage the configuration script:
1. Browse to the Web proxy > Web proxy > Automatic configuration page.
2. In the Manage configuration script area, from the Interface drop-down list, select the address the configuration script should direct clients to.
3. Click Save.

Limiting Bandwidth Use

By default, Network Guardian does not limit bandwidth use. However, it is possible to configure bandwidth limiting policies which can, for example, stop a user or group of users from overloading your Internet connection.

To create a bandwidth limiting policy:
1. Navigate to the Web proxy > Web proxy > Bandwidth limiting page.

2. Click Create a new policy. The policy wizard is displayed. Complete the following steps:

   Step 1: Who: From the Available users or groups list, select the user(s) and/or group(s) to whom the policy will apply. For information about users and groups, . Tip: Enter a name or part of a name and Network Guardian will search for names of users and groups that match. Click Add and, when you have added all the users and/or groups, click Next to continue.
   Step 2: What: From the Available categories or category groups list, select what is to be filtered. For information about categories, see Working with Category Group Objects on page 55. Tip: Enter the name or part of the name and Network Guardian will search for content that matches. Click Add and, when you have selected all the content, click Next to continue.
   Step 3: Where: From the Available locations list, select where the policy will apply. For more information about locations, see Working with Location Objects on page 60. Tip: Enter the name or part of the name and Network Guardian will search for locations that match. Click Add and, when you have added the location(s), click Next to continue.
   Step 4: When: From the Available time slots list, select when the policy will apply. For more information about time slots, see Working with Time Slot Objects on page 59. Tip: Enter the name or part of the name and Network Guardian will search for time slots that match. Click Add and, when you have added the time slot(s), click Next to continue.
   Step 5: Action:
      Limit bandwidth to: Enter the number of kilobytes per second to which bandwidth is limited when this policy is applied.
      Shared between clients: Select this option to share the bandwidth specified between all clients on the network. If this option is not selected, the limit specified applies to each client, determined by IP address, not by user or group.
   Note: A user or group may be able to draw on bandwidth from several policies.

Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information about policy folders, see Working with Policy Folders on page .

3. Select Enable policy to enable the policy and then click Confirm. Network Guardian displays the settings you have selected.
4. Review the settings and click Save to create the policy. Network Guardian creates the policy and makes it available on the Web proxy > Web proxy > Bandwidth limiting page.

Ordering Bandwidth Limiting Policies

It is possible to order bandwidth limiting policies. Ordering policies enables you, for example, to apply one policy to a user and another policy to the group the user belongs to.

To order bandwidth limiting policies:

1. Browse to the Web proxy > Web proxy > Bandwidth limiting page.

2. Drag and drop the policy you want applied first to the top of the list and click Save. Network Guardian applies the order specified when applying the policies.

Editing Bandwidth Limiting Policies

You can edit an existing bandwidth limiting policy to suit your organization's requirements.

To edit a bandwidth limiting policy:

1. Browse to the Web proxy > Web proxy > Bandwidth limiting page and locate the policy you want to edit.

2. Click the Edit policy button. Network Guardian displays the policy settings.

3. Make the changes necessary; see Limiting Bandwidth Use on page 118 for more information about working with policies.

4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Web proxy > Web proxy > Bandwidth limiting page.

Deleting Bandwidth Limiting Policies

You can delete a bandwidth limiting policy you no longer require.

To delete a bandwidth limiting policy:

1. Browse to the Web proxy > Web proxy > Bandwidth limiting page and locate the policy you want to delete.

2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Delete. Network Guardian deletes the policy.

Configuring WCCP

Network Guardian can be added to a Web Cache Communication Protocol (WCCP) cache engine cluster. When enabled, Network Guardian broadcasts its availability to a nominated WCCP-compatible router. The WCCP-compatible router can forward web traffic and perform load balancing across all the WCCP-capable proxies it is aware of.

Both HTTP and HTTPS traffic can be transparently proxied via WCCP.

120 Smoothwall Ltd

Note: WCCP-compatible routers forward web traffic in a transparent mode over a GRE tunnel, therefore you must configure a transparent authentication policy for the interface which will receive redirected traffic. For information about transparent authentication policies, see Chapter 5, Creating Transparent Authentication Policies on page 97. For more information about configuring WCCP on your router, refer to the documentation that accompanies your router.

To configure WCCP:

1. Browse to the Web proxy > Web proxy > WCCP page.

2. Select the option you require and configure its settings:

No WCCP: Select to disable WCCP.

WCCP version 1: Select this option to enable WCCP version 1. Version 1 does not require authentication for caches to join the cluster, and only supports a single coordinating router.
    WCCP router IP: Enter the WCCP router's IP address.

WCCP version 2: Select this option to enable WCCP version 2. Version 2 can be more secure than version 1, as it supports authentication for caches to join the cluster, providing a level of protection against rogue proxies on the LAN. In addition, it supports multiple coordinating routers.
    Note: Currently, WCCP version 2 in Network Guardian only supports routers configured to use the hash assignment method and GRE for both the forwarding and return methods.
    Password: Enter the password required to join the WCCP cluster. WCCP passwords can be a maximum of 8 characters.
    Cache weight: Enter a cache weight to provide a hint as to the proportion of traffic which will be forwarded to this particular cache. Caches with high weights relative to other caches in the cluster will receive more redirected requests.
    Device IP addresses: Enter the IP addresses of one or more WCCP version 2 routers.

3. Click Save. Network Guardian saves the settings.

4. On the Web proxy > Authentication > Manage policies page, create a transparent authentication policy using the authentication method you require and select WCCP as the interface. For more information, see Creating Transparent Authentication Policies on page 97. Network Guardian completes the WCCP configuration.

Managing Upstream Proxies

Network Guardian enables you to configure and deploy policies which manage access to upstream proxies. The policies can:

- Allow or deny access to upstream proxies based on network location
- Direct web requests to a specific upstream proxy depending on the type of request
- Provide load balancing and failover.

The following sections explain how to configure and deploy upstream proxy policies.

Overview

Managing upstream proxies entails:

- Configuring upstream proxy settings; for more information, see Configuring an Upstream Proxy on page 123
- Creating source and destination filters; for more information, see Configuring Source and Destination Filters on page 125
- Configuring a single upstream proxy for all web requests, see Using a Single Upstream Proxy on page 127, or deploying upstream proxy policies to combine multiple upstream proxies and use load balancing and failover; for more information, see Working with Multiple Upstream Proxies on page

Configuring an Upstream Proxy

The following section explains how to configure an upstream proxy.

To configure an upstream proxy:

1. Browse to the Web proxy > Upstream proxy > Proxies page.

2. Configure the following settings:

Name: Enter a name for the upstream proxy. Only the following characters and numbers are allowed in a proxy name: . , abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ. The name Default is invalid as it is reserved as the name of the default proxy.
IP/Hostname: Enter the IP address or the hostname of the upstream proxy.
Port: Enter the port number to use on the upstream proxy.
Comment: Optionally, enter a comment or description.

3. Click Advanced to access the following, optional settings:

Credential forwarding: Select one of the following credential forwarding options:
    Disabled: Select this option to use the static username and password entered below when logging in to the upstream proxy.
    Username only: Forward the username of the client making the request with the password entered below when logging in to the upstream proxy. This allows the upstream proxy to identify individual users without revealing their passwords.
        Note: This requires proxy authentication, NTLM authentication or NTLM identification to be enabled, otherwise usernames cannot be determined by Network Guardian.
    Username and password: Forward the username and password of the client making the request when logging in to the upstream proxy. This could be used if both Network Guardian and the upstream proxy are authenticating against the same directory server, but should be used with caution as it reveals client credentials.
        Note: This option requires proxy authentication to be used, not NTLM. Otherwise, plaintext usernames and passwords cannot be determined by Network Guardian.
    Note: Network Guardian can only log in to upstream proxies which require basic proxy authentication, not NTLM or any other authentication scheme.
Username: Enter a static username for use when credential forwarding is disabled.
Password: Enter a static password for use when credential forwarding is disabled, or when forwarding usernames only.
Load balance ratio: Enter a load balance ratio value. Values are relative. For example, if one upstream proxy has the value 2 and another upstream proxy has the value 1, and both use the round robin load balancing method, then the proxy with value 2 will receive twice as many web requests as the proxy with value 1. For more information, see Configuring Multiple Upstream Proxy Policies on page

4. Click Save. Network Guardian adds the upstream proxy to the list of current upstream proxies.

5. Repeat the steps above to add other upstream proxies.

Configuring Source and Destination Filters

Network Guardian enables you to create source and destination filters which are used when applying upstream proxy policies.

Configuring a Destination Filter

Network Guardian uses destination filters to determine which upstream proxy policy to apply based on the destination domain(s), IP(s) or destination URL regular expressions.

To create a destination filter:

1. Browse to the Web proxy > Upstream proxy > Filters page.

2. Configure the following settings:

Type: Select Destination.
Name: Enter a name for the destination filter.
Comment: Optionally, enter a description or comment.
IPs/Hostnames: Enter a destination IP address or hostname.

3. Optionally, click Advanced and configure the following setting:

Destination regular expression URLs: Enter one regular expression URL, including the protocol, per line.
    Note: The full URL is not available for HTTPS requests.

4. Click Save. Network Guardian adds the filter and lists it in the Upstream proxy filters area.

5. Repeat the steps above to add more destination filters.

Configuring a Source Filter

Network Guardian uses source filters to determine which upstream proxy policy to apply based on the source IP(s), subnet(s) or IP range(s) of the client machine(s).

To create a source filter:

1. Browse to the Web proxy > Upstream proxy > Filters page.

2. Configure the following settings:

Type: Select Source.
Name: Enter a name for the filter.
Comment: Optionally, enter a description or comment.
IPs/Hostnames: Enter a source IP address, IP address range, network address or hostname. For example: /24, hostname.local
    Note: Hostnames require reverse DNS look-ups to be performed.

3. Click Save. Network Guardian adds the filter and lists it in the Upstream proxy filters area.

4. Repeat the steps above to add more source filters.

Using a Single Upstream Proxy

After configuring upstream proxy settings (see Configuring an Upstream Proxy on page 123), you can use a single upstream proxy for all web requests.

To use a single upstream proxy:

1. Browse to the Web proxy > Upstream proxy > Manage policies page.

2. In the Global options area, configure the following settings:

Default upstream proxy: This setting determines the default proxy which is used when upstream proxies are not available, not configured or not allowed by policies. From the drop-down list, select an upstream proxy.
Allow direct connections: Select this option to allow direct connections to origin servers. If allowed, direct connections will be made as a final fall-back if the default proxy is unavailable or not configured. For more information, see Enforcing Upstream Proxy Usage on page 130.
Leak client IP with X-Forwarded-For header: Select this option to send the originating IP addresses of client requests upstream.

3. Click Save. Network Guardian starts using the single upstream proxy.

Working with Multiple Upstream Proxies

The following sections discuss general upstream proxy behavior, how to load balance using multiple upstream proxy policies and how to enforce upstream proxy usage.

About Upstream Proxy Behavior

There are three potential destinations for a web request forwarded to an upstream proxy. These are as follows, in order of precedence:

1. A pool of one or more proxies which are allowed by the upstream proxy policies to service the request.

2. The default proxy, if configured.

3. Direct forwarding of requests to their origin servers, if allowed. An origin server is defined as the target destination of a web request, i.e. the server from which a requested resource originates.

Upstream proxy policies are additive. Network Guardian checks requests against all the policies, in order. Any proxy which is allowed to service a particular request is added to the proxy pool in step 1. If the final pool for a request contains two or more proxies, load-balancing and fail-over rules decide which one will be sent the request.

Note: The rules above only apply to requests serviced by Network Guardian. If a client behind Network Guardian is able to obtain direct, unfiltered web access, the client's requests will be treated no differently from other Internet traffic.

Configuring Multiple Upstream Proxy Policies

By configuring multiple upstream proxy policies, you can balance the web request load across two or more upstream proxies.

To load balance using upstream proxy policies:

1. On the Web proxy > Upstream proxy > Proxies page, configure the upstream proxies you will be using. See Configuring an Upstream Proxy on page 123 and Configuring Source and Destination Filters on page 125 for more information.

2. Browse to the Web proxy > Upstream proxy > Manage policies page and click Advanced.

3. Configure the following settings:

Load balancing method: From the drop-down list, select the load balancing method you require. The following methods are available:
    Source IP: Based on the client's IP address, Network Guardian selects one proxy from the set of allowed proxies and uses it as long as that proxy is available. For example: three requests for example.com from one machine might all go via proxy A; three requests from the machine next to it might all go via proxy B.
    Username: Based on the client's username, Network Guardian selects one proxy from the set of allowed proxies and uses it as long as that proxy is available. For example: three requests for example.com while logged in as Alice might all go via proxy A; three requests while logged in as Bob might go via proxy B, even if Bob has the same IP as Alice.
        Note: This method requires Network Guardian to be configured for username and password based authentication. See Chapter 5, About Authentication Policies on page 91 for more information.
    Round-robin: Network Guardian cycles through the proxies one by one. Three requests for example.com, with three proxies allowed to serve the request, would send one request via each.
Upstream proxy: From the drop-down list, select the proxy for which you are configuring the policy.
Source filter: From the drop-down list, select Everything.
Destination filter: From the drop-down list, select Everything.
Action: Select Allow.
Comment: Optionally, enter a comment describing the proxy.
Enabled: Select to enable the policy.

4. Click Save. Network Guardian creates the policy and lists it in the Upstream proxy policies table.

5. Configure policies for other upstream proxies by repeating steps 2 and 3 above.

Once you have configured policies for the upstream proxies you require, Network Guardian will check any web requests against the policy table and each of the proxies will be allowed to service the request, so load balancing and failover rules will be used to pick the most suitable proxy. Network Guardian monitors availability of upstream proxies automatically and avoids forwarding requests to unavailable proxies. If none of the proxies permitted to service a request are available, Network Guardian will use the default proxy. If the default proxy is not available, or if no default proxy is configured, the request will be forwarded directly to its origin server.

Enforcing Upstream Proxy Usage

If you want to prevent web requests from being forwarded directly to their origin servers when other permissible upstream proxies are unavailable, disable the Allow direct connections option.

Note: As disabling the Allow direct connections option eliminates the last option for forwarding requests in failure scenarios, only disable it to implement strict requirements that all traffic go through an upstream proxy.

For finer-grained control of direct connection behavior, you can configure policies using the dummy upstream proxy option None. For example, to prevent only YouTube traffic from being sent directly, enable the Allow direct connections option, then create a policy with upstream proxy None, action Block, and a destination filter corresponding to the youtube.com domain. Conversely, to allow direct access only for requests to certain sites, disable Allow direct connections and create None, Allow policies matching those requests for which direct access is permissible. This may be useful for bandwidth conservation, if direct access is routed over a slower link than access to the upstream proxies.

Managing Blocklists

A blocklist is a group of pre-configured settings which is updated on a regular basis by Network Guardian. A blocklist maintains Network Guardian's list of undesirable, inappropriate or objectionable content. Network Guardian automatically checks for and installs blocklist updates. You can also check for and install blocklist updates manually.
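The upstream proxy precedence rules (pool, default proxy, direct), the three load balancing methods and the None dummy proxy described in the upstream proxy sections above, as an added Python simulation. This is not Smoothwall code: the class names, the assumption that a Block policy overrides an Allow policy for the same proxy, the hashing used to pin a client to one proxy, and the sample proxies, filters and policies are all constructed for this example.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DIRECT = "None"  # the dummy upstream proxy that stands for a direct connection

@dataclass
class Proxy:
    name: str
    ratio: int = 1          # load balance ratio (relative round-robin weight)
    available: bool = True  # as reported by the simulated availability monitor

@dataclass
class Filter:  # source or destination filter; "Everything" matches all requests
    name: str
    networks: list = field(default_factory=list)     # source: CIDR strings
    hosts: set = field(default_factory=set)          # destination: hostnames
    url_regexes: list = field(default_factory=list)  # destination: URL regexes

    def matches_source(self, client_ip):
        if self.name == "Everything":
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(n) for n in self.networks)

    def matches_destination(self, url):
        if self.name == "Everything":
            return True
        parts = urlsplit(url)
        if parts.hostname in self.hosts:
            return True
        # Guide caveat: the full URL is not available for HTTPS, only scheme://host
        seen = url if parts.scheme == "http" else f"{parts.scheme}://{parts.hostname}"
        return any(re.match(rx, seen) for rx in self.url_regexes)

@dataclass
class Policy:
    proxy: str      # a Proxy.name, or DIRECT for the dummy proxy "None"
    source: Filter
    dest: Filter
    action: str     # "Allow" or "Block"

class UpstreamSelector:
    def __init__(self, proxies, policies, default_proxy=None,
                 allow_direct=True, method="round-robin"):
        self.proxies = {p.name: p for p in proxies}
        self.policies, self.default_proxy = policies, default_proxy
        self.allow_direct, self.method, self._turn = allow_direct, method, 0

    def select(self, url, client_ip, username=""):
        """Return a proxy name, DIRECT, or None when nothing may forward it."""
        pool, denied, direct_ok = [], set(), self.allow_direct
        for pol in self.policies:  # policies are additive and checked in order
            if not (pol.source.matches_source(client_ip)
                    and pol.dest.matches_destination(url)):
                continue
            if pol.proxy == DIRECT:        # a None/Allow or None/Block policy
                direct_ok = pol.action == "Allow"
            elif pol.action == "Block":    # assumption: Block overrides Allow
                denied.add(pol.proxy)
            elif pol.proxy not in pool:
                pool.append(pol.proxy)
        # 1. an available proxy from the pool, picked by the balancing method
        live = [self.proxies[n] for n in pool
                if n not in denied and self.proxies[n].available]
        if live:
            return self._balance(live, client_ip, username)
        # 2. the default proxy, if configured and available
        dflt = self.proxies.get(self.default_proxy)
        if dflt and dflt.available:
            return dflt.name
        # 3. direct to the origin server, only if allowed
        return DIRECT if direct_ok else None

    def _balance(self, live, client_ip, username):
        if self.method == "round-robin":
            seq = [p.name for p in live for _ in range(p.ratio)]  # ratio 2 = 2 slots
            self._turn += 1
            return seq[(self._turn - 1) % len(seq)]
        # "source-ip" / "username": stick a client to one proxy while it is up
        key = client_ip if self.method == "source-ip" else username
        if not key:
            raise ValueError("username method needs an authenticated user")
        digest = hashlib.sha256(key.encode()).digest()
        return live[int.from_bytes(digest[:4], "big") % len(live)].name

def guide_example(allow_direct=True, method="round-robin"):
    """Constructed setup: LAN proxies A (ratio 2) and B, plus the guide's None/Block policy for youtube.com."""
    everything, lan = Filter("Everything"), Filter("lan", networks=["10.0.0.0/8"])
    youtube = Filter("youtube", hosts={"youtube.com"},
                     url_regexes=[r"^https?://(www\.)?youtube\.com"])
    policies = [Policy("A", lan, everything, "Allow"),
                Policy("B", lan, everything, "Allow"),
                Policy(DIRECT, everything, youtube, "Block")]
    return UpstreamSelector([Proxy("A", ratio=2), Proxy("B")], policies,
                            allow_direct=allow_direct, method=method)
```

With both sample proxies marked unavailable, a request for example.com falls through to a direct connection while a request for youtube.com is refused, which is the behavior the None/Block policy is meant to produce.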

Viewing Blocklist Information

To view blocklist information:

1. Navigate to the System > Maintenance > Licenses page.

Note: The information displayed depends on the product you are using.

Blocklist subscription status is displayed. By default, Network Guardian checks for updated blocklists hourly. When a new blocklist becomes available, Network Guardian automatically downloads and installs it.

Note: As Network Guardian complies with Internet Watch Foundation (IWF) guidelines, this mode of working is mandatory. Visit for more information.

Manually Updating Blocklists

To manually update blocklists:

1. Navigate to the System > Maintenance > Licenses page.

2. Click Update. The latest blocklists are installed and displayed in the Blocklists subscription area.

Note: In order to download blocklists, you must have a valid blocklist subscription. To obtain a blocklist subscription, please contact your Network Guardian reseller or Network Guardian directly.

Managing Block Pages

When a user's web request is blocked, Network Guardian displays a block page advising the user that they have been blocked from accessing the requested web content. A default web page is supplied, showing information such as which group the user is in, what the blocked content is categorized as, and the computer's IP address, as well as the reason for the block.

You can choose to create and display multiple block pages. Which block page Network Guardian displays is determined by the block page policies in use. You can configure Network Guardian to display the following different types of block pages:

- A block page which you have customized, see Customizing the Default Block Page on page 133
- A customized HTML page which you upload to Network Guardian, see Using a Custom HTML Template on page 135
- A block page located at a specified URL, see Using an External Block Page on page 136

About the Default Block Page

Below is an example of the default block page supplied with Network Guardian:

This block page will be shown if a user attempts to browse to a domain listed in the Web Search, Image Hosting category (for more information about categories see Working with Category Group Objects on page 55). The following controls are used in this block page:

Administrator bypass: Users with bypass privileges can temporarily bypass Guardian for the time specified
Custom allowed content: Users can choose to add the domain or URL to the Custom allowed, or Custom blocked content categories

Add URL to category: Users can choose to add the URL to a specified category
Add domain to category: Users can choose to add the domain to a specified category

For more information about Guardian content categories, see Working with Category Group Objects on page 55.

You can add more controls to the block page, or change the text and images to suit your organizational needs. For a detailed description of how to do this, see Customizing the Default Block Page on page 133.

Customizing the Default Block Page

You can choose to customize the default block page, including the reason for the block, and changing the images. The following instructions also apply if you are creating additional block pages based on the same layout as the default block page.

To customize the default block page, or create additional ones, do the following:

1. Navigate to the Guardian > Block page > Block pages page.

2. Configure the following:

Name: Enter a meaningful name for the block page
Comment: Enter an optional comment describing the block page

3. Select the Manually create contents for block page option and configure the following:

Block message: Either use the supplied text, or enter the default message explaining the reason for the block.

Quota message: Either use the supplied text, or enter the default message shown when a user tries to access content which is time limited. For more information about quotas, see Working with Quota Objects on page 142.
Quota button label: Either use the supplied text, or enter text used on the quota button which users must click to start using their quota of time to access the content.
Sub message: Either use the supplied text, or enter a custom, secondary message displayed under the red block banner.
Administrator's email address: Optionally, enter the email address of the administrator who will be contacted when a request is blocked.

4. To change the images on the block page, or add block page controls, click Advanced and configure the following:

Custom title image: To replace the Smoothwall logo on the block page, click Choose File, and browse to the location of the required file. Select the image, then click Upload. "installed" will appear under Choose File when Network Guardian successfully uploads the image. Note that the default Smoothwall logo is 218 x 35 pixels. It is recommended you do not exceed this depth, otherwise the top of the background image may need adjusting. If the supplied background image is retained, the white space at the top may also need adjusting. Ensure you select Enable custom title image from the attributes list underneath.
Custom background image: To replace the supplied red motif on the block page, click Choose File, and browse to the location of the required file. Select the image, then click Upload. "installed" will appear under Choose File when Network Guardian successfully uploads the image. Note that the outlined box around the central text is 150 pixels from the top of the page. If you are replacing the default image, you must ensure the new image has at least 150 pixels of white space at the top to ensure it appears at the top of the outlined box. It is recommended the image is 800 pixels wide, with the motif centralized within. Ensure you select Enable custom background image from the attributes list underneath.
Show unblock request: Select to display a button on the block page which allows users to request that a blocked page be unblocked. Clicking the button on the block page opens a pop-up form which, when completed, sends the request via the email server used for alerts.
Show client username: Select to display the blocked user's username, if applicable.
Show email address: Select to display the administrator's email address.
Show client IP: Select to display the IP address of the user's workstation.
Show client hostname: Select to display the workstation's hostname on the block page.
Show user group: Select to display the user's group membership, if applicable.
Show unblock controls: Select to display controls on the block page which allow administrators to add domains and URLs to the custom allowed or custom blocked content categories. For more information, see Working with Block Pages on page 138.
Show reason for block: Select to display the reason why the web request was blocked.
Show bypass controls: Select to display temporary bypass controls on the block page. These controls allow users with bypass privileges to temporarily bypass the Network Guardian. For more information, see Working with Block Pages on page 138. Note that when an HTTPS inspection policy is enabled (see About the Default Web Filter Policies on page 50) and a user visits a site with an invalid certificate, Network Guardian's temporary bypass will not work. This is because Network Guardian must check the certificate before authentication information for bypass can be detected. In this case, bypass controls will be visible on the block page if enabled, but will not work.
Show URL of blocked page: Select to display the URL of the blocked web request.
Enable custom title image: Select if you have specified a custom title image; see above for more information.
Show categories matched: Select to display the filter category that caused the page to be blocked, if applicable.
Enable custom background image: Select if you have specified a custom background image; see above for more information.

5. Click Save to save the block page and make it available for use in a block page policy.

Using a Custom HTML Template

You can create your own block page in HTML. Network Guardian provides a custom block page template for your use.

To use a custom HTML file as a block page, do the following:

1. Browse to Guardian > Block page > Block pages.

2. Download the block page template by clicking Download the custom block page example. Network Guardian downloads a zip file for your use.

3. Update the template as required, and save it in a zip file archive. Ensure all files needed by the custom block page are included in the zip file, and that the archive's location is accessible by Network Guardian.

4. Browse to Guardian > Block page > Block pages if you have navigated away.

5. Configure the following settings:

Name: Configure a meaningful name for the block page.
Comment: If required, configure a comment for the block page.

6. Select Import HTML template from zip file.

7. From Upload zip archive, click Choose file.

8. Locate and select the custom block page archive.

9. Click Upload. Network Guardian unpacks the archive, and makes it available for use in a block page policy.

10. If required, enter your system administrator's email address to receive unblock requests.

11. Click Save.

Using an External Block Page

Network Guardian enables you to specify an external page as a block page.

To use an external page as a block page:

1. Navigate to the Guardian > Block page > Block pages page and configure the following settings:

Name: Enter a name for the block page.
Comment: Enter a comment describing the block page.
Redirect to block page: Select to enable Network Guardian to use an external block page.
Block page URL: Enter the block page's URL.

2. Click Save to make it available for use in a block page policy.

Configuring a Block Page Policy

By default, Network Guardian displays a standard block page whenever it blocks a web request by users. You can configure Network Guardian to display a specific block page when a web request is blocked based on unsuitable or objectionable content, location or time.

To configure a block page policy:

1. Browse to the Guardian > Block page > Policy wizard page.

2. Complete the following steps:

Step 1: Who
    From the Available users or groups list, select who will see the block page when content is blocked. Click Next to continue.

Step 2: What
    From the Available categories or category groups list, select what categories or category groups will trigger the content being blocked. Click Next to continue. For information about categories, see Working with Category Group Objects on page 55.

Step 3: Where
    From the Available locations list, select where the policy applies. Click Next to continue. For information about locations, see Working with Location Objects on page 60.

Step 4: When
    From the Available time slots list, select when the policy applies. Click Next to continue. For information about time slots, see Working with Time Slot Objects on page 59.

Step 5: Action
    Select which block page to use. For information about the types of block pages you can use, see Managing Block Pages on page

3. Select Enable policy to enable the policy and click Confirm.

4. Network Guardian displays the settings you have specified for the policy. Review the settings and then click Save to save the policy and make it available on the manage policies page.

Managing Block Page Policies

Block page policies are managed on the manage policy page. Network Guardian processes policies in order of priority, from top to bottom, until it finds a match. You can change the order by dragging and dropping them on the page.

To manage block page policies:

1. Browse to the Guardian > Block page > Manage policies page.

2. To change the order of the policies displayed, select a policy and drag it to the position you require.

3. Click Save to save the change(s). Network Guardian re-orders the policies.

Working with Block Pages

Depending on how a block page is configured, there may be controls to add URLs and domains to user-defined blocked or allowed categories, as well as temporary bypass features to allow users with the correct privileges to access the blocked content.

Adding to User-defined Categories

Note: The availability of these options depends on how the block page is configured. For more information, see Customizing the Default Block Page on page 133.

To add to user-defined categories:

1. Configure the following settings on the block page:

Control: From the User-defined categories drop-down list, select one of the following options:
    Custom blocked content: Add the blocked URL or domain to the custom blocked category.
    Custom allowed content: Add the blocked URL or domain to the custom allowed category.
Temporary Bypass: Enables temporary bypass of the block page if the user has the necessary privileges. Select from the following options:
    5 minutes: Temporarily bypass the block page for 5 minutes.
    30 minutes: Temporarily bypass the block page for 30 minutes.
    1 hour: Temporarily bypass the block page for 1 hour.
    When prompted, enter the bypass password.

Note: The temporary bypass and control options use non-standard port 442. This is to enable administrator access controls to be used without affecting these features.

7 Managing Your Network Infrastructure

This chapter describes how to manage various aspects of your Network Guardian network, including:

- Creating Subnets on page 139
- Using the Routing Information Protocol Service on page 141
- Load Balancing Traffic on page 143
- Using Source NATs and LLB Policies on page 147

Creating Subnets

Large organizations often find it advantageous to divide their network into subnetworks, or subnets. You can group computers from different departments, floors and buildings into their own subnets, usually with network hubs and switches. You can use Network Guardian to route traffic between subnets.

Note: This functionality only applies to subnets available via an internal gateway.

To create a subnet rule, do the following:

1. Browse to Networking > Routing > Subnets.

2. Configure the following:

Network: Enter the IP address that specifies the network ID part of the subnet definition when combined with a netmask value.
Netmask: Enter a network mask that specifies the size of the subnet when combined with the network field.
Gateway: Enter the IP address of the gateway device by which the subnet can be found. This is an address on a locally recognized network zone. It is necessary for Network Guardian to be able to route to the gateway device in order for the subnet to be successfully configured. The gateway address must be on a network that Network Guardian is directly attached to.
Metric: Enter a router metric to set the order in which the route is taken. This sets the order in which the route is evaluated, with 0 being the highest priority and the default for new routes.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.

Editing and Removing Subnet Rules

To edit or remove existing subnet rules, use Edit and Remove in the Current rules area.

Using the Routing Information Protocol Service

The Routing Information Protocol (RIP) service enables network-wide convergence of routing information amongst gateways and routers. A RIP-enabled gateway passes its entire routing table to its nearest neighbor, typically every 30 seconds. Network Guardian's RIP service can:
- Operate in import, export or combined import/export mode
- Support password and MD5 authentication
- Export direct routes to the system's internal interfaces.

To configure the RIP service, do the following:

1. Navigate to the Networking > Routing > RIP page.
2. Configure the following settings:

   Enabled: Select to enable the RIP service.
   Scan interval: From the drop-down menu, select the time delay between routing table imports and exports. Select a frequent scan interval for networks with fewer hosts. For networks with greater numbers of hosts, choose a less frequent scan interval.

   Note: There is a performance trade-off between the number of RIP-enabled devices, the number of network hosts and the scan frequency of the RIP service. The periodic exchange of routing information between RIP-enabled devices increases the ambient level of traffic on the host network. Accordingly, administrators responsible for larger networks should consider increasing the RIP scan interval, or reconsider the suitability of the RIP service for propagating routing information.

   Direction: From the drop-down menu, select how to manage routing information. The following options are available:
   - Import and Export: The RIP service will add to and update its routing table from information received from other RIP-enabled gateways. The RIP service will also broadcast its routing tables for use by other RIP-enabled gateways.
   - Import: The RIP service will add to and update its routing table from information received from other RIP-enabled gateways.
   - Export: The RIP service will only broadcast its routing tables for use by other RIP-enabled gateways.
   Logging level: From the drop-down menu, select the level of logging.
   RIP interfaces: Select each interface that the RIP service should import/export routing information to/from.
   Authentication: Enabling RIP authentication ensures that routing information is only imported and exported amongst trusted RIP-enabled devices. Select one of the following options to manage authentication:
   - None: In this mode, routing information can be imported and exported between any RIP devices. We do not recommend this option from a security standpoint.
   - Password: In this mode, a plain text password is specified which must match the other RIP devices.
   - MD5: In this mode, an MD5 hashed password is specified which must match the other RIP devices.
   Password: If Password is selected as the authentication method, enter a password for RIP authentication.
   Again: If Password is selected as the authentication method, re-enter the password to confirm it.
   Direct routing interfaces: Optionally, select interfaces whose exported RIP data should also include routes to the RIP service's own interfaces. This ensures that other RIP devices are able to route directly and efficiently to each exported interface.

3. Click Save.

Load Balancing Traffic

Link load balancing (LLB) describes the process of sharing traffic originating from IP addresses across multiple interfaces to increase available bandwidth, maximise throughput, and add redundancy.

Note: This is separate from shaping traffic originating from applications. For a detailed description of how to shape traffic originating from applications, refer to the Bandwidth Installation and Administration Guide. The relevant licence is required to install the Bandwidth module. For more information, refer to your Smoothwall representative.

If Network Guardian is only configured to route Internet-bound traffic through a single gateway, you do not need to configure any load balancing pools. Additionally, if there are no specific requirements to route IP address-originated traffic to particular gateways, load balancing pools can be ignored.

Migrated Network Guardian installations, that is, those upgraded from an earlier version, have a predefined load balancing pool for each of the following:
- Forwarded: For load balanced outgoing traffic.
- Migrated primaries: For load balanced traffic originating from the previous primary interface, or interfaces.
- Web filter: For load balanced, proxied traffic. Note that this pool is only created if Guardian is installed.

Predefined pools are configured to use the maximum available bandwidth for that interface. You can change this to suit your organizational needs. For a detailed description of how to do this, see Creating Load Balancing Pools on page 143.

Creating Load Balancing Pools

An LLB pool identifies the level of bandwidth needed to avoid creating a bottleneck. You allocate to the pool those interfaces required to fulfil the targeted bandwidth. Note that the total bandwidth from all allocated interfaces can be more than the targeted bandwidth, to allow for high availability.

Network Guardian balances the traffic load according to the number of interfaces assigned, and the bandwidth allocated and available on each interface. For example, a pool with 2 interfaces assigned, where one interface has twice the allocated bandwidth of the other, balances the traffic using a 2:1 weighting ratio.

Note: Link load balancing does not limit bandwidth for that pool, nor for any allocated connection.

New installations of Network Guardian do not have predefined pools. You can create load balancing pools to suit your organizational needs.

You do this as follows:

1. Browse to Networking > Configuration > Link Load Balancing.
2. Click Add new LLB pool.
3. Configure the following:

   Name: Configure a meaningful name for this pool.
   Targeted bandwidth: Choose the minimum level of bandwidth needed to satisfy this load balancing pool. You can choose to:
   - Use maximum bandwidth: Select this option to use the maximum available bandwidth for this pool, resulting in traffic being load balanced across all available connections in the pool.
   - User defined: Select this option to define the minimum bandwidth needed to satisfy this pool. Network Guardian uses as many of the assigned interfaces, in top-down order, as are needed to meet the bandwidth target (see below). Configure the minimum level needed within Targeted bandwidth, specifying whether this is in kilobits per second (kbps) or megabits per second (Mbps). A value less than the lowest interface bandwidth results in only one connection ever being used at a time.
   Comment: Configure an optional comment for this pool. An additional button, Show comments, is displayed on the Link Load Balancing pools table if any comments are configured. Clicking this displays configured comments under the rule.

4. Click Add.

You must assign interfaces, as connections, to the LLB pool. You do this as follows:

1. Expand the load balancing pool you have created by clicking the black arrow beside the name.
2. From the Connection table, click Add new connection.
3. Configure the following:

   Status: New connections are enabled by default. Clear the check box to create a disabled connection.

   Local address: From the drop-down menu, select the relevant interface for traffic from this pool to use. You can only select one interface at a time.
   Comment: Configure an optional comment for this connection. An additional button, Show comments, is displayed in the Connections table if any comments are configured. Clicking this displays configured comments under the local address.

4. Click Add.
5. Repeat steps 2 to 4 to assign additional interfaces to this pool.

You can also choose to associate load balancing pools with source Network Address Translation (NAT) policies. For a detailed description of how to do this, see Using Source NATs and LLB Policies on page 147.

Editing a Load Balancing Pool

To edit an LLB pool, do the following:

1. Browse to Networking > Configuration > Link Load Balancing.
2. From the Link Load Balancing pools table, highlight the relevant pool, and click Edit.
3. Edit the configuration as required. For a detailed description of each setting, see Creating Load Balancing Pools on page 143.
4. Click Save changes.

Deleting Link Load Balancing Pools

To delete an existing pool, do the following:

1. Browse to Networking > Configuration > Link Load Balancing.
2. From the Link Load Balancing pools table, locate and highlight the relevant pool.
3. Click Delete.

You can also delete multiple pools at the same time. You do this as follows:

1. Browse to Networking > Configuration > Link Load Balancing.
2. From the Link Load Balancing pools table, mark each pool for deletion by selecting the check box to the left of Local address.
3. Click Delete at the bottom of the panel.

Reordering Load Balancing Pools

Connections must be listed in the order they are to be applied, so that if the first connection is not equal to or greater than the target bandwidth, the next connection is also used to fulfil the pool's targeted bandwidth, even if that results in exceeding the target.

You re-order assigned interfaces as follows:

1. From the Link Load Balancing pools table, either:
   - Click and drag the relevant pool to its new position
   - Mark the relevant pool in the first cell of the row, and use the Down and Up buttons to change its position

   A dotted blue line wraps around the moved row, to indicate it has changed position.
2. Click Save moves. Note that once Save moves is clicked, you cannot undo the changes by clicking Cancel moves.

Example Configuration

Two LLB pools are created:

Pool Name          Targeted Bandwidth
Sales Office       5 Mbps
Research Office    Use maximum bandwidth

The interfaces are assigned as follows:

Sales Office:
Local Address                Bandwidth
MyTelecom Link 1 ( /24)      5 Mbps
MyTelecom Link 2 ( /24)      5 Mbps
MyTelecom Link 3 ( /24)      10 Mbps

Research Office:
Local Address                Bandwidth
MyTelecom Link 3 ( /24)      10 Mbps
MyTelecom Link 4 ( /24)      20 Mbps

The Sales Office pool only requires 5 megabits per second of bandwidth to meet all clients' bandwidth needs. This pool can make use of 3 connections in order to fulfil this. As MyTelecom Link 1 provides the bandwidth needed, the other 2 assigned connections are only used should the first link fail, with Link 3 only used if Links 1 and 2 are unavailable.

As the Research Office pool can use the maximum available bandwidth, Network Guardian uses both connections for traffic, but balances the load using a 2:1 weighting ratio, as Link 4 has double the allocated bandwidth of Link 3.

Note that Link 3 can be used by both pools. If Link 3 is used by both pools, traffic is balanced as follows:
- All traffic from the Sales Office pool
- One third of traffic from the Research Office pool

The weighting of 2:1 is still maintained for the Research Office pool even if other pools are using the same link, as available bandwidth and link saturation are not measured.
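The selection and weighting rules of this example, modelled in Python as an added illustration; this is not Network Guardian's code. Pool names, link names and bandwidths are those of the example above; the `up` flag standing for link state is an assumption used to show the failover behaviour the text describes.

```python
"""Model of LLB pool connection selection, added to illustrate the example
above; this is not Network Guardian's code. The `up` flag is an assumed link
state used to show failover from Link 1 to Link 2 to Link 3."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional, Tuple


@dataclass
class Connection:
    name: str
    bandwidth_mbps: int
    enabled: bool = True   # the connection's Status check box
    up: bool = True        # assumed link state; False models a failed link


@dataclass
class LLBPool:
    name: str
    connections: List[Connection]      # in listed (top-down) order
    target_mbps: Optional[int] = None  # None means "Use maximum bandwidth"

    def active_connections(self) -> List[Connection]:
        """Connections that carry this pool's traffic right now."""
        usable = [c for c in self.connections if c.enabled and c.up]
        if self.target_mbps is None:
            return usable              # maximum bandwidth: every usable link
        chosen: List[Connection] = []
        total = 0
        for conn in usable:            # top-down until the target is reached,
            if total >= self.target_mbps:
                break                  # even if the last link overshoots it
            chosen.append(conn)
            total += conn.bandwidth_mbps
        return chosen

    def weights(self) -> Dict[str, Fraction]:
        """Share of the pool's traffic each active connection receives,
        proportional to allocated bandwidth (10 and 20 Mbps give 1:2)."""
        active = self.active_connections()
        total = sum(c.bandwidth_mbps for c in active)
        return {c.name: Fraction(c.bandwidth_mbps, total) for c in active}


def link_shares(pools: List[LLBPool]) -> Dict[str, Dict[str, Fraction]]:
    """Per link, the fraction of each pool's traffic it carries. Pools are
    weighted independently, so a link assigned to two pools receives both
    loads; saturation is not measured, as the guide notes."""
    shares: Dict[str, Dict[str, Fraction]] = {}
    for pool in pools:
        for link, share in pool.weights().items():
            shares.setdefault(link, {})[pool.name] = share
    return shares


def build_example_pools() -> Tuple[LLBPool, LLBPool]:
    """The Sales Office and Research Office pools from the example."""
    sales = LLBPool("Sales Office", [
        Connection("MyTelecom Link 1", 5),
        Connection("MyTelecom Link 2", 5),
        Connection("MyTelecom Link 3", 10),
    ], target_mbps=5)
    research = LLBPool("Research Office", [
        Connection("MyTelecom Link 3", 10),
        Connection("MyTelecom Link 4", 20),
    ])
    return sales, research


if __name__ == "__main__":
    sales, research = build_example_pools()
    print("Sales active:", [c.name for c in sales.active_connections()])
    print("Research weights:", research.weights())
    sales.connections[0].up = False    # Link 1 fails: Link 2 takes over
    print("Sales after Link 1 failure:",
          [c.name for c in sales.active_connections()])
    print("Shared link loads:", link_shares([sales, research]))
```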

Using Source NATs and LLB Policies

You can configure how traffic is routed out of Network Guardian, including:
- Whether it is hidden behind an IP address that Network Guardian owns (see Allocating IP Addresses to Interfaces on page 28). This is source Network Address Translation (NAT).
- Which external interface it uses.

Source NAT-ing is needed when accessing the Internet. It can either be done by Network Guardian, or by another device between Network Guardian and the Internet such as the gateway, or both. Typically, source NAT-ing is carried out by the gateway.

You can also specify the gateway device to direct traffic to, or an LLB pool of external connections to use, including a default LLB pool to use. For a detailed description of load balancing external connections, see Load Balancing Traffic on page 143.

Using LLB Pools for Local Traffic

You can choose to have local traffic, that is, traffic for installed services such as Guardian (see Chapter 1, Introducing Guardian on page 3), or Anti-Spam (refer to the Anti-Spam Installation and Administration Guide), use a load balancing pool.

To load balance local traffic, do the following:

1. Browse to Networking > Configuration > Source NAT & LLB policies. Network Guardian provides a drop-down list for every service that can be load balanced.
2. You must first configure the connections for the Default LLB pool to use. Scroll down to the Local traffic panel.
3. From the Default LLB pool drop-down list, select the relevant external connection.
4. Use the drop-down lists for the relevant services to choose the appropriate load balancing pool to use.
5. Click Save changes.

Creating a NAT Policy

Upon installation, Network Guardian defines a policy for each gateway configured, and an Automatic catch-all policy for internal networks.

Note: If Network Guardian is configured to use a single gateway, additional source NAT policies are not required beyond the predefined rules. If more than one gateway is used, you must ensure each gateway is assigned to a policy.

You can create additional source NAT policies as follows:

1. Browse to Networking > Configuration > Source NAT & LLB policies.
2. Click Add new policy.
3. Configure the following:

   Status: New policies are enabled by default. Clear the check box to create a disabled policy.
   Source IP: Choose whether this policy applies to all source IP addresses (Any), or to a specific list. To apply this policy to a specific source IP address, or range of IP addresses, select User defined. Either enter the source IP addresses, address ranges, or subnet ranges individually in the box provided, or click the down arrow and select the relevant IP addresses, or ranges. Optionally, select Save selected objects as group to create a new address object that can be re-used in other areas of Network Guardian's user interface without re-entering each individual IP address, or address range. For more information about using address objects, see Working with Address Objects on page 157.
   Destination IP: Choose whether this policy applies to all destination IP addresses (Any), or to a specific list. To apply this policy to a specific destination IP address, or range of IP addresses, select User defined. Either enter the destination IP addresses, address ranges, or subnet ranges individually in the box provided, or click the down arrow and select the relevant IP addresses, or ranges. Optionally, select Save selected objects as group to create a new address object that can be re-used in other areas of Network Guardian's user interface without re-entering each individual IP address, or address range. For more information about using address objects, see Working with Address Objects on page 157.

   Protocol: Choose Any for all protocols, or from the drop-down list, choose the relevant protocol that applies to this policy. Valid values are: Any, UDP, TCP, TCP&UDP, ICMP, GRE, ESP, AH.
   Destination port: Rules for TCP or UDP protocols can also be restricted to specific destination ports. Choose whether this policy applies to all destination ports (Any), or to a specific port. To apply this policy to a specific port, either select it from the Predefined drop-down list, or enter it into the User defined box. Note that you can specify a range of ports using the format: <lowest_port_number>:<highest_port_number>.
   SNAT: Choose whether to hide the source IP address of the network client behind the external IP address of Network Guardian (SNAT using a Link Load Balancing pool), or not to hide it (Preserve the original source IP).
   If SNAT using a Link Load Balancing pool is selected, the following additional parameter must be configured:
   - Link Load Balancing pool or Local IP address: From the drop-down list, select the relevant pool for this policy.
   If Preserve the original source IP is selected, the following additional parameter must be configured:
   - Gateway: From the drop-down list, select the gateway to route traffic to. If you have more than one gateway configured, do not select Automatic.
   Comment: Configure an optional comment for this policy. An additional button, Show comments, is displayed on the Source NAT policies table if any comments are configured. Clicking this displays configured comments under the source IP address.

4. Click Add.

Editing a NAT Policy

To edit a source NAT policy, do the following:

1. Browse to Networking > Configuration > Source NAT & LLB policies.
2. From the Source NAT policies table, highlight the policy, and click Edit.
3. Edit the configuration as required. For a detailed description of each setting, see Creating a NAT Policy on page 147.
4. Click Save changes.

Deleting a NAT Policy

To delete an existing NAT policy, do the following:

1. Browse to Networking > Configuration > Source NAT & LLB policies.
2. From the Source NAT policies table, locate and highlight the relevant policy.
3. Click Delete.

You can also delete multiple policies at the same time. You do this as follows:

1. Browse to Networking > Configuration > Source NAT & LLB policies.
2. From the Source NAT policies table, mark each policy for deletion by selecting the check box to the left of Source IP.
3. Click Delete at the bottom of the panel.

Reordering NAT Policies

Network Guardian applies source NAT policies in the order they are listed in the Source NAT policies table. To change the order in which the policies are applied, do the following:

1. From the Source NAT policies table, either:
   - Click and drag the relevant policy to its new position
   - Mark the relevant policy in the first cell of the row, and use the Down and Up buttons to change its position
   A dotted blue line wraps around the moved row, to indicate it has changed position.
2. Click Save moves. Note that once Save moves is clicked, you cannot undo the changes by clicking Cancel moves.

8 Managing Network Security

This chapter describes how to secure your Network Guardian network, including:
- Blocking by IP on page 151
- Blocking Services on the Ethernet Bridge on page 153
- Working with Port Groups on page 155
- Working with Address Objects on page 157
- Configuring Advanced Networking Features on page 160

Blocking by IP

IP block rules can be created to block network traffic originating from certain source IPs or network addresses. IP block rules are primarily intended to block hostile hosts on the external network; however, it is sometimes useful to use this feature to block internal hosts, for example, if an internal system has been infected by malware. IP block rules can also operate in an exception mode, allowing traffic from certain source IPs or network addresses to always be allowed.

Creating IP Blocking Rules

IP block rules block all traffic to/from certain network hosts, or between certain parts of distinct networks.

To create an IP block rule:

1. Navigate to the Networking > Filtering > IP block page.
2. Configure the following settings:

   Source IP or network: Enter the source IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
   - An individual network host, enter its IP address, for example:
   - A range of network hosts, enter an appropriate IP address range, for example:
   - A subnet range of network hosts, enter an appropriate subnet range, for example, / or /24.
   Destination IP or network: Enter the destination IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
   - An individual network host, enter its IP address, for example:
   - A range of network hosts, enter an appropriate IP address range, for example:
   - A subnet range of network hosts, enter an appropriate subnet range, for example, / or 19
   Drop packet: Select to ignore any request from the source IP or network. The effect is similar to disconnecting the appropriate interface from the network.
   Reject packet: Select to cause an ICMP Connection Refused message to be sent back to the originating IP; no communication will be possible.
   Exception: Select to always allow the source IPs specified in the Source IP or network field to communicate, regardless of all other IP block rules. Exception rules are typically used in conjunction with other IP block rules, for example, where one IP block rule drops traffic from a subnet range of IP addresses, and another IP block rule creates exception IP addresses against it.
   Log: Select to log all activity from this IP.
   Comment: Optionally, describe the IP block rule.

   Enabled: Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.

Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share the same subnet. Such traffic is not routed via the firewall, and therefore cannot be blocked by it.

Editing and Removing IP Block Rules

To edit or remove existing IP block rules, use Edit and Remove in the Current rules area.

Blocking Services on the Ethernet Bridge

When configured in bridging mode, Network Guardian can block certain services on its ethernet bridge. This enables you to block traffic such as BitTorrent file sharing.

To block services on the ethernet bridge:

1. Browse to the Networking > Filtering > Ethernet bridging page.
2. Select the services you want to block and click Save changes. Network Guardian blocks the selected service(s). For a detailed description of all services, refer to your Network Guardian Operations Guide.

Note: The service categories available to you in Services depend on whether you are licenced for Deep Packet Inspection. For more information, refer to your Smoothwall representative.
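The rule semantics described under Blocking by IP above (drop, reject, exception precedence over all block rules, and the note that same-subnet traffic never reaches the firewall), modelled in Python as an added illustration; this is not Network Guardian's code. The rule set, the directly attached subnets and the addresses are constructed sample data.

```python
"""IP block rule evaluation, added to illustrate the semantics described under
Blocking by IP; this is not Network Guardian's code. Rule fields follow the
settings table; rules and addresses are constructed sample data drawn from
documentation ranges (RFC 5737) and private space (RFC 1918)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple


def address_matcher(spec: str) -> Callable[[object], bool]:
    """Build a membership test for one field: 'any', a single host, a
    'first-last' range, or a subnet in CIDR or address/netmask form."""
    spec = spec.strip()
    if spec.lower() == "any":
        return lambda ip: True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lambda ip: lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ip in net


@dataclass
class IPBlockRule:
    source: str
    destination: str = "any"
    action: str = "drop"      # "drop", "reject" or "exception"
    log: bool = False
    enabled: bool = True
    comment: str = ""

    def matches(self, src, dst) -> bool:
        return (self.enabled
                and address_matcher(self.source)(src)
                and address_matcher(self.destination)(dst))


def evaluate(rules: List[IPBlockRule], src_str: str, dst_str: str,
             local_subnets: List[str]) -> Tuple[str, List[str]]:
    """Return (verdict, log lines). Verdicts: 'not-routed' (both hosts sit on
    one directly attached subnet, so the firewall never sees the packet),
    'allow', 'drop' (silently discarded) or 'reject' (sender is told)."""
    src, dst = ipaddress.ip_address(src_str), ipaddress.ip_address(dst_str)
    for subnet in local_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        if src in net and dst in net:
            return "not-routed", []
    # An exception wins over every block rule for the sources it names.
    for rule in rules:
        if rule.action == "exception" and rule.matches(src, dst):
            return "allow", []
    for rule in rules:
        if rule.action in ("drop", "reject") and rule.matches(src, dst):
            logs = ([f'ipblock {rule.action} src={src} dst={dst} '
                     f'rule="{rule.comment}"'] if rule.log else [])
            return rule.action, logs
    return "allow", []


def sample_rules() -> List[IPBlockRule]:
    """Constructed rule set: drop a hostile external range but exempt one
    host inside it, and reject traffic from an internal host suspected of
    malware infection while it is investigated."""
    return [
        IPBlockRule("203.0.113.0/24", action="drop", log=True,
                    comment="hostile external range"),
        IPBlockRule("203.0.113.10", action="exception",
                    comment="partner host inside that range"),
        IPBlockRule("10.0.5.23", action="reject", log=True,
                    comment="internal host under investigation"),
    ]


# Constructed: the network zones Network Guardian is directly attached to.
SAMPLE_LOCAL_SUBNETS = ["10.0.5.0/24", "192.0.2.0/24"]

if __name__ == "__main__":
    for src, dst in [("203.0.113.77", "192.0.2.1"), ("203.0.113.10", "192.0.2.1"),
                     ("10.0.5.23", "198.51.100.4"), ("10.0.5.23", "10.0.5.40")]:
        verdict, logs = evaluate(sample_rules(), src, dst, SAMPLE_LOCAL_SUBNETS)
        print(f"{src} -> {dst}: {verdict}", *logs, sep="\n  ")
```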

Managing Exceptions to Blocked Services

You can except one or more IP addresses, IP ranges and subnets from service blocking on the ethernet bridge.

Adding an Exception

It is possible to add exceptions to service blocking on the ethernet bridge. To add an exception:

1. On the Networking > Filtering > Ethernet bridging page, in the Exceptions area, click Add new exception. In the Add new exception dialog box, configure the following settings:

   Status: Select Enabled to enable the exception.
   Source IP: Enter the IP address, range or subnet to be excepted from service blocking on the ethernet bridge.
   Comment: Optionally, add a comment describing the exception.

2. Click Add. Network Guardian adds the exception and lists it in the Exceptions area.
3. Repeat the steps above to add more exceptions.

Editing an Exception

It is possible to edit the settings of configured blocked service exceptions. To edit an exception:

1. On the Networking > Filtering > Ethernet bridging page, in the Exceptions area, point to the exception you want to edit and click Edit. Network Guardian displays the exception's settings.
2. Make the changes you require to the exception. See Adding an Exception on page 154 for more information about the settings available.
3. Click Save changes. Network Guardian makes the changes to the exception and lists it in the Exceptions area.

Deleting an Exception

It is possible to delete an exception which is no longer required. To delete an exception:

1. On the Networking > Filtering > Ethernet bridging page, in the Exceptions area, point to the exception you want to delete.
2. Click Delete. Network Guardian deletes the exception and removes it from the Exceptions area.

Working with Port Groups

You can create and edit named groups of TCP/UDP ports for use throughout Network Guardian. Creating port groups significantly reduces the number of rules needed and makes rules more flexible. For example, you can create a port group to make a single port forward to multiple ports, and modify which ports are in the group without having to recreate the rules that use it. In this way you could easily add a new service to all your DMZ servers.

Creating a Port Group

To create a port group:

1. Browse to Networking > Settings > Port groups.
2. In the Port groups area, click New and configure the following settings:

   Group name: Enter a name for the port group and click Save.
   Name: Enter a name for the port or range of ports you want to add to the group.
   Port: Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers separated by a colon, for example: 1024:65535. For non-consecutive ports, create a separate entry for each port number.
   Comment: Optionally, add a descriptive comment for the port or port range.

3. Click Add. The port, ports or port range is added to the group.

Adding Ports to Existing Port Groups

To add a new port:

1. Navigate to the Networking > Settings > Port groups page.
2. Configure the following settings:

   Port groups: From the drop-down list, select the group you want to add a port to and click Select.
   Name: Enter a name for the port or range of ports you want to add to the group.
   Port: Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers separated by a colon, for example: 1024:65535.
   Comment: Optionally, add a descriptive comment for the port or port range.

3. Click Add. The port, ports or range are added to the group.

Editing Port Groups

To edit a port group:

1. Navigate to the Networking > Settings > Port groups page.
2. From the Port groups drop-down list, select the group you want to edit and click Select.
3. In the Current ports area, select the port you want to change and click Edit.
4. In the Add a new port area, edit the port and click Add. The edited port, ports or range is updated.

Deleting a Port Group

To delete a port group:

1. Navigate to the Networking > Settings > Port groups page.
2. From the Port groups drop-down list, select the group you want to delete and click Select.
3. Click Delete.

Note: Deleting a port group cannot be undone.

Working with Address Objects

Similar to port groups (see Working with Port Groups on page 155), you can create and edit named groups of IP addresses for use throughout Network Guardian. Where allowed, using address objects significantly reduces the amount of time taken to configure various aspects of your network infrastructure. For example, if you create multiple port forwarding rules to the same set of servers, you can reduce duplication by creating an address object made up of those server IP addresses. If required, you can also create an address object containing multiple existing objects, for example, an object for each subnet used, plus a parent object for the network zone.

You can either create address objects in supported pages, such as Add a new port forward (see Creating Port Forward Rules on page 174), or create and manage them in the dedicated Address object manager page.

The following address objects are provided by default:
- Internal networks: All individual interfaces that are not reached via an external interface, that is, basic interfaces, VLAN interfaces, and so on.
- Any DHCP/PPPoE DNS servers: Any automatically detected DNS server (using Network Guardian's configuration).
- Remote IP address of <PPPoE_interface>, where PPPoE_interface is the configured name of the PPPoE connection. If a PPPoE interface is configured, this pool is created. For more information, see Using a Point-to-Point Protocol over Ethernet Interface on page 37.
- DNS server(s) on PPPoE connection <PPPoE_interface>, where PPPoE_interface is the configured name of the PPPoE connection. If a PPPoE interface is created, this pool is available.

Default address objects are indicated by italic text in the Address object manager table. You cannot edit default address objects, but they can be used to make new, additional address objects.

Creating an Address Object

To create a simple address object, do the following:

1. Browse to Networking > Settings > Address object manager.
2. Click Add new address object.

3. Configure the following:

   Name: Configure a meaningful name for this address object.
   Address Names: Either enter the IP address, or IP address range, in the box provided, or click the down arrow and select the relevant IP addresses, or ranges. IP addresses and ranges entered in Address Names appear in Selected objects.
   Comment: Configure an optional comment for this address object. An additional button, Show comments, is displayed on the Address object manager table if any comments are configured. Clicking this displays configured comments under the rule.

4. Click Save changes.

Creating Nested Address Objects

Address object manager also allows you to create nested address objects, that is, several child address objects under a parent address object. For example, in a corporate environment, you can create an address object for each subnet or team, linked to a parent address object for each building or branch.

You can choose to create each address object separately, as described in Creating an Address Object on page 157, or create the whole structure at the same time.

To create nested address objects at the same time, do the following:

1. Browse to Networking > Settings > Address object manager.
2. Click Add new address object.
3. Configure a meaningful Name for the parent address object.
4. Configure the following:

   Address Names: Enter the IP address, or IP address range, in the box provided for one of the child address objects.
   Options: Select Save selected objects as group.
   Group name: This box is now visible. Configure a meaningful name for this child address object. Click Add. Network Guardian replaces all items in Selected objects with the name configured in Group name.

5. Remove the new address object in Selected objects by clicking the accompanying red cross.
6. Repeat steps 4 and 5 until all child address objects are created.
7. Click inside Address Names to display all configured address objects.
8. Select all relevant child address objects.
9. Remove the tick for Save selected objects as group.
10. Configure an optional Comment for this address object. An additional button, Show comments, is displayed on the Address object manager table if any comments are configured. Clicking this displays configured comments under the rule.
11. Click Save changes.

Editing Address Objects

To edit an existing address object, do the following:

1. Browse to Networking > Settings > Address object manager.
2. From the Address object manager table, highlight the relevant address object, and click Edit.
3. Edit the configuration as required. For a detailed description of each setting, see Creating an Address Object on page 157.
4. Click Save changes.

Deleting Address Objects

Note: You cannot delete address objects that are assigned elsewhere, for example, used as part of a port forwarding rule (see Managing Inbound Traffic with Port Forwards on page 173) or a source NAT policy (see Using Source NATs and LLB Policies on page 147).

To delete an existing address object, do the following:

1. Browse to Networking > Settings > Address object manager.
2. From the Address object manager table, locate and highlight the relevant address object.
3. Click Delete.
4. When prompted, confirm the deletion.

You can also delete multiple objects at the same time. You do this as follows:

1. Browse to Networking > Settings > Address object manager.
2. From the Address object manager table, mark each address object for deletion by selecting the check box to the left of Name.
3. Click Delete at the bottom of the panel.

Configuring Advanced Networking Features

You can enable additional networking features in Network Guardian to tighten network security.

To configure advanced networking features, do the following:

1. Browse to Networking > Settings > Advanced.
2. Locate the relevant feature, and configure the appropriate settings:
   - Blocking and Ignoring Traffic on page 161
   - Enabling Advanced Networking Features on page 161
   - Configuring ARP Table Size on page 162
   - Configuring Connection Tracking Table Size on page 162
   - Configuring SYN Backlog Queue Size on page 162
   - Configuring Traffic Audits on page 163
   - Dropping Direct Traffic on page 163
   - Enabling Network Application Helpers on page 163
   - Managing Bad External Traffic on page
3. Click Save changes.

Blocking and Ignoring Traffic
You can configure Network Guardian to block and ignore the following types of traffic:
ICMP ping broadcast: Internet Control Message Protocol (ICMP) ping broadcasts are used to determine the status of network devices, but a host that answers them can be abused in a denial of service (DoS) attack: every host on the segment replies to a single request, so an attacker who spoofs the source address turns the segment into a traffic amplifier aimed at the victim. Select this option to prevent Network Guardian from responding to ping broadcast messages from all network zones, including external zones.
ICMP ping: Select this option to block all ICMP ping requests sent to Network Guardian. This effectively hides Network Guardian from ICMP pings, but can also make connectivity problems harder to diagnose.
ICMP timestamps: Select this option to block all ICMP timestamp requests sent to Network Guardian. Timestamp replies disclose the system clock, which is of use to anyone fingerprinting the device.
IGMP packets: Internet Group Management Protocol (IGMP) is used to establish multicast group membership. Typically, IGMP packets are harmless, and are most commonly observed when using cable modems to provide external connectivity. Select this option to ignore all IGMP packets without generating log entries.
Multicast traffic: Select this option to block all multicast traffic, which is commonly received from ISPs, and prevent it from generating large volumes of spurious log entries.
SYN+FIN packets: A TCP segment with both the SYN and FIN flags set is not produced by a normal connection; it is used by port scanners because different systems respond to it differently. Typically SYN and FIN scans generate large numbers of log entries. Select this option to discard packets used in SYN+FIN scans automatically, without logging them.

Enabling Advanced Networking Features
You can enable the following networking features in Network Guardian:
SYN cookies: The use of SYN cookies is a standard defence against a SYN flood attack, where a large number of SYN packets (connection requests) are sent to a machine as a DoS attack in order to exhaust its queue of half-open connections. With SYN cookies enabled, the machine encodes the connection state in the sequence number of its SYN-ACK instead of queuing it, so the flood cannot exhaust the queue. Select this option to defend against SYN flood attacks.
TCP timestamps (RFC1323): Select this option to enable TCP timestamps to improve TCP performance on high speed links.
Selective ACKs (RFC2018): Select this option to enable selective ACKs (acknowledgements) to improve TCP performance on links where packet loss is high.
Window scaling: Select this option to enable TCP window scaling to improve TCP performance on high speed links.

ECN: Explicit Congestion Notification (ECN) is a mechanism for avoiding network congestion. While effective, ECN requires communicating hosts to support it, and some routers are known to drop packets marked with the ECN bits. For this reason, this feature is disabled by default. Select this option to enable ECN.
ARP filter: The Address Resolution Protocol (ARP) filter prevents ARP flux, where a multi-homed host answers ARP requests for any of its addresses on any interface. With the filter enabled, an interface only answers for addresses that the host would route through that interface. Select this option to enable the ARP filter.

Configuring ARP Table Size
You can change the maximum number of hosts remembered in the ARP table if the number of directly connected machines, or IP addresses, is more than the value shown in the drop-down box. Directly connected machines are those which are not behind an intermediate router but are instead attached directly to one of Network Guardian's network interfaces. Typically, the default value of 2048 is adequate, but in very large networks, select a larger value from the drop-down box.

Configuring Connection Tracking Table Size
Information about all connections known to the system is stored in the connection tracking table, including NAT-ed sessions and traffic passing through the firewall. During operation, the table is automatically scaled to an appropriate size within a specified limit, according to the number of active connections and their collective memory requirements. Occasionally, the default maximum number of connections to track, which is set according to the amount of memory, is insufficient. Once the table is full, new connections are dropped until existing entries time out, so a busy site, or a flood of short-lived connections, shows up as intermittent connection failures. If this happens, configure a larger table size in the space provided.

Configuring SYN Backlog Queue Size
You can change the maximum number of connection requests that can be held in the queue while waiting to be answered. Increasing the value may reduce connection problems for an extremely busy proxy service. Select one of the queue sizes listed in the drop-down box.
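The options in the two sections above are ultimately kernel settings on the Linux system underneath Network Guardian. The following script is an added example, not part of this guide or of Smoothwall's software: it audits a host's live values against the profile an administrator intends and prints the sysctl.conf lines that would correct any drift. The mapping from option names to sysctl keys (OPTIONS and SIZES) is an assumption about how the product implements each option; the options that are firewall rules rather than kernel settings (ICMP timestamps, IGMP, multicast, SYN+FIN) are deliberately omitted.

```python
"""Audit a Linux firewall host's kernel settings against the advanced
networking options described above.

Added example, not Smoothwall code. It assumes that the Network Guardian
options correspond to the standard Linux sysctls listed in OPTIONS and
SIZES. Options that are implemented as firewall rules rather than sysctls
(ICMP timestamps, IGMP, multicast, SYN+FIN) are deliberately left out.
"""
import os

# Guide option -> (sysctl key, value when the option is selected,
#                  value when it is cleared). Note that the kernel default
# for tcp_ecn is 2 (accept ECN but do not request it), which this audit
# reports as a mismatch against a cleared ECN option.
OPTIONS = {
    "ICMP ping broadcast":      ("net.ipv4.icmp_echo_ignore_broadcasts", "1", "0"),
    "ICMP ping":                ("net.ipv4.icmp_echo_ignore_all", "1", "0"),
    "SYN cookies":              ("net.ipv4.tcp_syncookies", "1", "0"),
    "TCP timestamps (RFC1323)": ("net.ipv4.tcp_timestamps", "1", "0"),
    "Selective ACKs (RFC2018)": ("net.ipv4.tcp_sack", "1", "0"),
    "Window scaling":           ("net.ipv4.tcp_window_scaling", "1", "0"),
    "ECN":                      ("net.ipv4.tcp_ecn", "1", "0"),
    "ARP filter":               ("net.ipv4.conf.all.arp_filter", "1", "0"),
}

# Guide sizing control -> sysctl key that holds the limit
SIZES = {
    "ARP table size":                 "net.ipv4.neigh.default.gc_thresh3",
    "Connection tracking table size": "net.netfilter.nf_conntrack_max",
    "SYN backlog queue size":         "net.ipv4.tcp_max_syn_backlog",
}


def read_live_sysctls():
    """Read current values from /proc/sys. Keys that do not exist on this
    host (for example nf_conntrack_max before the module is loaded) are
    simply absent from the result, and are reported as None by audit()."""
    live = {}
    keys = [key for key, _, _ in OPTIONS.values()] + list(SIZES.values())
    for key in keys:
        path = os.path.join("/proc/sys", *key.split("."))
        try:
            with open(path) as fh:
                live[key] = fh.read().strip()
        except OSError:
            pass
    return live


def audit(live, profile, sizes):
    """Compare live sysctl values with the administrator's intent.

    profile: {guide option: True if selected, False if cleared}
    sizes:   {guide sizing control: minimum acceptable value}
    Returns a list of (option, sysctl key, current value, wanted value);
    an empty list means the host matches the profile."""
    findings = []
    for option, selected in profile.items():
        key, on, off = OPTIONS[option]
        wanted = on if selected else off
        if live.get(key) != wanted:
            findings.append((option, key, live.get(key), wanted))
    for option, minimum in sizes.items():
        key = SIZES[option]
        try:
            ok = int(live[key]) >= minimum
        except (KeyError, ValueError):
            ok = False
        if not ok:
            findings.append((option, key, live.get(key), ">= %d" % minimum))
    return findings


def sysctl_conf(findings):
    """Render findings as sysctl.conf lines that would correct them; a
    minimum-size finding is rendered with the minimum itself."""
    lines = []
    for option, key, _, wanted in findings:
        value = wanted[3:] if wanted.startswith(">= ") else wanted
        lines.append("%s = %s   # %s" % (key, value, option))
    return lines


if __name__ == "__main__":
    # A cautious site's profile: ECN left off as the guide describes,
    # ping-broadcast replies suppressed and SYN flooding defended against.
    profile = {"ICMP ping broadcast": True, "SYN cookies": True,
               "ECN": False, "ARP filter": True}
    sizes = {"ARP table size": 2048, "SYN backlog queue size": 1024}
    for line in sysctl_conf(audit(read_live_sysctls(), profile, sizes)):
        print(line)
```

Run it on the firewall host as a user that can read /proc/sys; on any other machine it still runs, but reports the keys it cannot read as None. Keep the printed lines under change control rather than applying them blindly: a finding for ECN or ICMP ping may be exactly the state the guide recommends for your site.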

Configuring Traffic Audits
You can choose to create verbose traffic logs for the purpose of analyzing incoming, outgoing, and forwarded traffic:
Direct incoming traffic: Select to log all new connections, arriving on any interface, that are destined for the firewall itself.
Forwarded traffic: Select to log all new connections passing through one interface to another.
Direct outgoing traffic: Select to log all new connections originated by the firewall itself, on any interface.
Note: Typically, traffic auditing generates large amounts of data. You must ensure there is sufficient disk space in Network Guardian before enabling this; refer to your Network Guardian Operations Guide.
You can view traffic audit logs from Logs and reports > Logs > Firewall; refer to your Network Guardian Operations Guide.

Dropping Direct Traffic
This option is for internal interfaces that have hosts attached to them. Enabling this option drops all direct traffic to those interfaces, that is, traffic addressed to Network Guardian itself, but still allows hosts to reach other internal networks connected to Network Guardian.

Enabling Network Application Helpers
Network application helpers enable specified traffic to pass through the firewall correctly. The protocols listed below carry IP addresses and port numbers inside their payload and open additional connections on dynamically negotiated ports; the helper reads the payload and permits the related connections. It is recommended you enable the relevant network application helper if you use any of the following protocols:
FTP: IP information is embedded within File Transfer Protocol (FTP) traffic. This application helper ensures that FTP active mode client connections are not adversely affected by the firewall.
H.323: This application helper enables pass-through of H.323 traffic, a common protocol used in voice over IP (VoIP) applications. It is also possible to receive incoming H.323 calls through the use of a port forward on the H.323 port. This option is disabled by default because of the security risk inherent in H.323 pass-through: the helper opens ports based on addresses and port numbers found in the packet payload, so crafted traffic can cause connections to be permitted that you did not intend. It is recommended you only enable this feature if you require VoIP functionality.
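The three audit categories above correspond to the three paths a packet can take through a firewall: to it, through it, or from it. The script below is an added example, not part of this guide or of Smoothwall's software: it classifies audit log lines by direction and then picks out external hosts that have opened connections to the firewall itself on several ports, the pattern a port scan leaves behind. It assumes the audit log uses the netfilter key=value layout (IN=, OUT=, SRC=, DST=, PROTO=, DPT=); the sample lines are constructed for the example, not captured from a real Network Guardian, and use documentation address ranges.

```python
"""Classify traffic-audit log lines by direction and spot hosts probing the
firewall itself.

Added example, not Smoothwall code. It assumes that the firewall log uses
the netfilter LOG key=value layout (IN=, OUT=, SRC=, DST=, PROTO=, DPT=);
the sample lines below are constructed, not captured from a real system."""
import re
from collections import Counter, defaultdict

# Constructed sample: two direct probes of the firewall from one external
# host, one forwarded DMZ-to-database connection, one DNS query made by
# the firewall itself, and a third probe from the same external host.
SAMPLE_LOG = """\
Mar  3 10:01:02 guardian kernel: AUDIT IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22 SYN
Mar  3 10:01:05 guardian kernel: AUDIT IN=eth1 OUT=eth2 SRC=192.168.10.20 DST=192.168.20.5 PROTO=TCP SPT=40000 DPT=3306 SYN
Mar  3 10:01:07 guardian kernel: AUDIT IN= OUT=eth0 SRC=198.51.100.2 DST=203.0.113.53 PROTO=UDP SPT=5353 DPT=53
Mar  3 10:01:09 guardian kernel: AUDIT IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=23 SYN
Mar  3 10:01:11 guardian kernel: AUDIT IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=443 SYN
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_fields(line):
    """KEY=VALUE pairs as a dict; empty values such as 'OUT=' are kept as ''
    because their emptiness is what tells us the direction."""
    return dict(FIELD_RE.findall(line))


def classify(fields):
    """Map the presence of IN/OUT interfaces to the three audit categories:
    both set = forwarded; only IN = direct incoming; only OUT = direct
    outgoing (the firewall itself originated the connection)."""
    ingress, egress = fields.get("IN", ""), fields.get("OUT", "")
    if ingress and egress:
        return "forwarded"
    if ingress:
        return "direct incoming"
    if egress:
        return "direct outgoing"
    return "unknown"


def summarize(log_text):
    """Count audit lines per category."""
    counts = Counter()
    for line in log_text.splitlines():
        if "IN=" in line:
            counts[classify(parse_fields(line))] += 1
    return dict(counts)


def firewall_probers(log_text, min_ports=2):
    """Sources that opened new connections to the firewall itself on at
    least min_ports distinct ports: a simple port-scan indicator drawn
    from the 'direct incoming' audit category."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if classify(fields) == "direct incoming" and fields.get("DPT", "").isdigit():
            ports[fields["SRC"]].add(int(fields["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(firewall_probers(SAMPLE_LOG))
```

Feed it the exported Firewall log instead of SAMPLE_LOG once you have confirmed the field names match; the threshold in firewall_probers should be set above the number of ports a legitimate peer (a monitoring system, for instance) normally touches.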

IRC: IP information is embedded within Internet Relay Chat (IRC) traffic. This application helper ensures that IRC communication, such as DCC file transfers and chats, is not adversely affected by the firewall.
Advanced PPTP client support: This application helper enables Point-to-Point Tunneling Protocol (PPTP) client traffic. This is the protocol used in standard Windows VPNs. When disabled, it is still possible for PPTP clients to connect to a server on the outside, but not in all circumstances: difficulties occur if multiple clients on the local network wish to connect to the same PPTP server on the Internet, because the GRE tunnel PPTP uses carries no port numbers that NAT can use to tell the clients apart. In this case, this application helper should be used. When enabled, it is not possible to forward PPTP traffic. For this reason, this option is not enabled by default.
SIP: IP information is embedded within Session Initiation Protocol (SIP) traffic. This application helper ensures that SIP communications are not adversely affected by the firewall.

Managing Bad External Traffic
Bad external traffic, such as packets addressed to ports on which no service is listening, or packets without any content, is by default rejected and a "no one here" ICMP message is bounced back to the sender. You can choose to do the following with bad external traffic:
Reject: Network Guardian notifies the sender when bad external traffic is rejected.
Drop: Network Guardian silently drops bad external traffic, enabling you to stealth your firewall and making port scans, and so on, much harder to do. Note that a scanner can still infer that a port is filtered from the absence of any reply, and that silent drops make legitimate connectivity problems harder to diagnose.

9 Using Zone Bridging Rules
This chapter describes how to configure network bridges and bonds between network zones, including:
About Zone Bridging Rules
About Group Bridging Rules

About Zone Bridging Rules
By default, all internal network zones are isolated by Network Guardian. Zone bridging modifies this in order to allow communication to take place between a pair of network zones. A zone bridging rule defines a bridge in the following terms:
Zones: The two network zones between which the bridge exists.
Direction: Whether the bridge is accessible one-way or bi-directionally.
Source: Whether the bridge is accessible from an individual host, a range of hosts, a network, or any host.
Destination: Whether the bridge allows access to an individual host, a range of hosts, a network, or any host.
Service: What ports and services can be used across the bridge.
Protocol: What protocol can be used across the bridge.
It is possible to create a narrow bridge, for example, a one-way single-host to single-host bridge using a named port and protocol, or a wide or unrestricted bridge, for example, a bi-directional any-host to any-host bridge using any port and protocol.

It is recommended you make bridges as narrow as possible to prevent unnecessary or undesirable use.

Creating Zone Bridging Rules
Zone bridging rules enable communications between specific parts of separate internal networks. To create a zone bridging rule, do the following:
1. Browse to Networking > Filtering > Zone bridging.
2. Configure the following settings:
Source interface: From the drop-down menu, select the source network zone.
Destination interface: From the drop-down menu, select the destination network zone.
Bi-directional: Select to create a two-way bridge where communication can be initiated from either the source interface or the destination interface.
Note: To create a one-way bridge where communication can only be initiated from the source interface to the destination interface and not vice versa, ensure that this option is not selected. A one-way bridge controls which side may open a connection; replies to connections opened from the permitted side still flow back.
Protocol: From the drop-down list, select a specific protocol to allow for communication between the zones, or select All to allow all protocols.
Source IP: Enter the source IP address, IP address range or subnet from which access is permitted. To create a bridge from:
   A single network host, enter its IP address.
   A range of network hosts, enter the IP address range.
   A subnet of network hosts, enter the subnet in netmask or CIDR (/24) notation.
   Any network host in the source network, leave the field blank.

Destination IP: Enter the destination IP address, IP address range or subnet to which access is permitted. To create a bridge to:
   A single network host, enter its IP address.
   A range of network hosts, enter the IP address range.
   A subnet of network hosts, enter the subnet in netmask or CIDR (/24) notation.
   Any network host in the destination network, leave the field blank.
Service: From the drop-down list, select the service, port range or group of ports to which access is permitted. Or, select User defined and leave the Port field blank to permit access to all ports for the relevant protocol. Note: This is only applicable to TCP and UDP.
Port: If User defined is selected as the service, specify the port number. Or, leave the field blank to permit access to all ports for the relevant protocol.
Comment: Enter a description of the bridging rule.
Enabled: Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.

Editing and Removing Zone Bridge Rules
To edit or remove existing zone bridging rules, use Edit and Remove in the Current rules area.

Example Zone Bridging Rules
In this example, the following two local network zones are used:
Protected network: a /24 subnet containing local user workstations and confidential business data.
DMZ: a /24 subnet containing a web server.
Note: The DMZ network zone is a DMZ in name alone; until appropriate bridging rules are created, neither zone can see or communicate with the other.

In this example, the DMZ network zone:
   Allows restricted external access to a web server in the DMZ, from the Internet.
   Does not allow access to the protected network from the DMZ.
   Allows unrestricted access to the DMZ from the protected network.
A single zone bridging rule will satisfy the bridging requirements, while a simple port forward will forward HTTP requests from the Internet to the web server in the DMZ.

Zone Bridging Rule Configuration
For the local network zones detailed above, the zone bridging rule is configured as follows, from Networking > Filtering > Zone bridging:
Source interface: Interface assigned to the Protected network
Destination interface: Interface assigned to the DMZ network
Protocol: All
Enabled: Selected
Hosts in the Protected network will now be able to access any host or service in the DMZ, but not vice versa.

Access to External Web Server Configuration
To allow access to a web server in the DMZ network zone from the Internet, the following configuration is made, from Networking > Interfaces > Port forwarding:
Enabled: Selected
Client IPs: Any
Local IP: Interface receiving requests to the web server
Protocol: TCP
Local port: Predefined; HTTP (80) (to forward HTTP requests to the web server)
Target IP: IP address of the web server
Target port: Preserved
Log connections: Leave disabled
IPS: Leave disabled

Accessing a Database on the Protected Network
Multiple zone bridging rules can be used to further extend the communication allowed between the zones. As an extension to the previous example, a further requirement might be to allow the web server in the DMZ network to communicate with a confidential database in the Protected network. The following configuration is made, from Networking > Filtering > Zone bridging:
Source interface: Interface assigned to the DMZ network
Destination interface: Interface assigned to the Protected network
Protocol: TCP
Source IP: IP address of the web server
Destination IP: IP address of the database server
Service: User defined
Port: 3306 (the database service is accessed on port 3306)
Enabled: Selected
This is the narrowest rule that meets the requirement: only the web server, only the database server, only TCP port 3306. If the web server is compromised through its exposed port forward, this rule limits what the attacker can reach in the Protected network to the database service.

About Group Bridging Rules
By default, authenticated users may only access network resources within their current network zone, or those that are allowed by any active zone bridging rules. Group bridging is the process of modifying this default security policy in order to allow authenticated users from any network zone to access specific IP addresses, IP ranges, subnets and ports within a specified network zone. Authenticated groups of users can be bridged to a particular network by creating group bridging rules. A group bridging rule defines a bridge in the following terms:
Group: The group of users from the authentication sub-system that may access the bridge.
Zone: The destination network zone.
Destination: Whether the bridge allows access to an individual host, a range of hosts, a subnet of hosts or any host.
Service: What ports and services can be used across the bridge.
Protocol: What protocol can be used across the bridge.
Like zone bridges, group bridges can be narrow (for example, allow access to a single host, using a named port and protocol) or wide (for example, allow access to any host, using any port and protocol).
It is recommended you make bridges as narrow as possible to prevent unnecessary or undesirable use.
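To see how the three pieces of the worked example above fit together (the Protected to DMZ bridge, the port forward for the web server, and the narrow DMZ to Protected rule for the database), the following script is an added example, not part of this guide or of Smoothwall's software. It models the bridging rule fields (blank means any; ranges; subnets in CIDR or netmask form; the low:high port range format) and the port forward, and decides whether sample connection attempts would be allowed. The page does not reproduce the example addresses, so the zone subnets, the web server, database and external addresses (ZONES, WEB_SERVER, DB_SERVER, EXTERNAL_IP) are assumptions; how a bi-directional rule applies its port field in the reverse direction is also an assumption of this model.

```python
"""Evaluate the zone bridging and port forward example above against sample
connection attempts.

Added example, not Smoothwall code. The zone subnets and host addresses
are assumptions drawn from private and documentation ranges, because the
page does not reproduce the example's addresses."""
import ipaddress

ZONES = {
    "Protected": ipaddress.ip_network("192.168.10.0/24"),   # assumed subnet
    "DMZ":       ipaddress.ip_network("192.168.20.0/24"),   # assumed subnet
}
EXTERNAL_IP = "198.51.100.2"   # assumed address of the external interface
WEB_SERVER = "192.168.20.10"   # assumed DMZ web server
DB_SERVER = "192.168.10.50"    # assumed Protected database server

# Zone bridging rules as configured in the example (Networking > Filtering >
# Zone bridging). Blank address and port fields mean "any".
BRIDGES = [
    {"src_zone": "Protected", "dst_zone": "DMZ", "protocol": "all",
     "src_ip": "", "dst_ip": "", "port": "", "bidirectional": False,
     "enabled": True, "comment": "Protected -> DMZ, unrestricted"},
    {"src_zone": "DMZ", "dst_zone": "Protected", "protocol": "tcp",
     "src_ip": WEB_SERVER, "dst_ip": DB_SERVER, "port": "3306",
     "bidirectional": False, "enabled": True, "comment": "web server -> database"},
]

# Port forward as configured in the example: HTTP arriving on the external
# interface is sent to the web server on the same port.
FORWARDS = [
    {"protocol": "tcp", "local_port": "80", "target_ip": WEB_SERVER,
     "target_port": "preserve", "enabled": True},
]


def zone_of(ip):
    """Zone an address belongs to; anything outside the zones is External."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "External"


def addr_matches(spec, ip):
    """Address field semantics: blank = any host; 'a-b' = inclusive range;
    'x/y' = subnet in CIDR or netmask form; otherwise a single host."""
    if not spec:
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return low <= addr <= high
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)


def port_matches(spec, port):
    """Port field semantics: blank = all ports; 'low:high' = range; else one port."""
    if not spec:
        return True
    if ":" in spec:
        low, high = (int(p) for p in spec.split(":", 1))
        return low <= port <= high
    return port == int(spec)


def _bridge_matches(rule, src_zone, dst_zone, src_ip, dst_ip, proto, dport, reverse=False):
    if reverse:   # bi-directional rule evaluated with the two ends swapped (assumed semantics)
        src_zone, dst_zone, src_ip, dst_ip = dst_zone, src_zone, dst_ip, src_ip
    return (rule["src_zone"] == src_zone and rule["dst_zone"] == dst_zone
            and rule["protocol"] in ("all", proto)
            and addr_matches(rule["src_ip"], src_ip)
            and addr_matches(rule["dst_ip"], dst_ip)
            and port_matches(rule["port"], dport))


def decide(src_ip, dst_ip, proto, dport):
    """Return ('allow', why), ('forward', target_ip, target_port) or
    ('deny', why) for a new connection attempt."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == "External":
        # Inbound from the Internet only reaches an internal host through a
        # port forward addressed to the firewall's external interface.
        if dst_ip == EXTERNAL_IP:
            for fwd in FORWARDS:
                if (fwd["enabled"] and fwd["protocol"] == proto
                        and port_matches(fwd["local_port"], dport)):
                    target_port = dport if fwd["target_port"] == "preserve" else int(fwd["target_port"])
                    return ("forward", fwd["target_ip"], target_port)
        return ("deny", "no port forward")
    if src_zone == dst_zone:
        return ("allow", "same zone, not mediated by the firewall")
    for rule in BRIDGES:
        if not rule["enabled"]:
            continue
        if _bridge_matches(rule, src_zone, dst_zone, src_ip, dst_ip, proto, dport):
            return ("allow", rule["comment"])
        if rule["bidirectional"] and _bridge_matches(
                rule, src_zone, dst_zone, src_ip, dst_ip, proto, dport, reverse=True):
            return ("allow", rule["comment"] + " (reverse direction)")
    return ("deny", "zones are isolated and no bridging rule matches")


if __name__ == "__main__":
    for flow in [("192.168.10.5", WEB_SERVER, "tcp", 443),
                 (WEB_SERVER, DB_SERVER, "tcp", 3306),
                 (WEB_SERVER, "192.168.10.5", "tcp", 80),
                 ("203.0.113.7", EXTERNAL_IP, "tcp", 80)]:
        print(flow, "->", decide(*flow))
```

The deny results are the interesting ones: the web server cannot reach a workstation in the Protected network, nor the database on any port other than 3306, and an Internet host that addresses the web server's private address directly gets nowhere. Re-run decide() with each new rule you plan to add and check that no deny you relied on has turned into an allow.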

Group Bridging and Authentication
Group bridging uses the core authentication mechanism: users must be authenticated before group bridging rules can be enforced by Network Guardian. Users can authenticate themselves using the authentication system's login mechanism, either automatically when they try to initiate outbound web access, or manually by browsing to the secure SSL Login page. Authentication can also be provided by any other mechanism used elsewhere in the system. For more information about authentication, see Chapter 11, Authentication and User Management. Because a login session is associated with the address the user logged in from, a group bridge is in practice granted to that workstation for the life of the session; encourage users of shared workstations to log out when they leave (see Configuring Global Authentication Settings).

Creating Group Bridging Rules
Group bridging rules apply additional zone communication rules to authenticated users. To create a group bridging rule, do the following:
1. Browse to Networking > Filtering > Group bridging.
2. Configure the following settings:
Groups: From the drop-down menu, select the group of users that this rule will apply to.
Select: Click to select the group.
Destination interface: Select the interface that the group is permitted to access.

Destination IP: Enter the destination IP address, IP address range or subnet that the group is permitted to access. To create a rule to allow access to:
   A single network host in the destination network, enter its IP address.
   A range of network hosts in the destination network, enter the IP address range.
   A subnet of network hosts in the destination network, enter the subnet in netmask or CIDR (/24) notation.
   Any network host in the destination network, leave the field blank.
Protocol: From the drop-down list, select a specific protocol to allow for communication between the zones, or select All to allow all protocols.
Service: From the drop-down list, select the service, port or port range to be used. To restrict access to a custom port, select User defined and enter a port number in the Port field. To allow any service or port to be used, select User defined and leave the Port field empty.
Port: If applicable, enter a destination port or range of ports. If this field is blank, all ports for the relevant protocol are permitted.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.

Editing and Removing Group Bridges
To edit or remove existing group bridging rules, use the Edit and Remove buttons in the Current rules region.


10 Managing Inbound Traffic
This chapter describes how to manage inbound network traffic, including:
Managing Inbound Traffic with Port Forwards

Managing Inbound Traffic with Port Forwards
Typically, port forwards are used to forward requests that arrive at an external network interface to a particular network host in an internal network zone. It is common to think of such requests arriving from hosts on the Internet; however, port forwards can be used to forward any type of traffic that arrives at an interface, regardless of whether the interface connects to the Internet or some other network zone. If required, you can also create port forwarding rules for requests from internal network addresses.

About Port Forward Rules
Port forward rules can be configured to forward traffic based on the following criteria:
Local IP: Forward traffic if it arrived at a particular interface, or alias.
Local port: Forward traffic if it arrived at a particular port, or range of ports.

Protocol: Forward traffic if it uses a particular protocol. Supported protocols are: UDP, TCP, TCP & UDP, ICMP, GRE, ESP, AH. ICMP, GRE, ESP and AH carry no port numbers, so port criteria only apply to TCP and UDP.
Target IP: The destination IP address to which the port forward sends traffic.
Target port: The destination port to which the port forward sends traffic.
For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server listening on port 81 in a Demilitarized Zone (DMZ): the rule forwards all TCP port 80 traffic arriving at the interface to port 81 on the web server's IP address.
Note: It is important to consider the security implications of each new port forward rule. Any network is only as secure as the services exposed on it. Port forwards allow unknown hosts from the external network to access a particular internal host. If an attacker manages to break into a host that they have been forwarded to, they may gain access to other hosts in the network. For this reason, we recommend that all port forwards are directed towards hosts in isolated network zones that preferably contain no confidential or security-sensitive network hosts. Use the Networking > Filtering > Zone bridging page to ensure that the target host of the port forward is contained within a suitably isolated network, that is, a DMZ scenario, and that any bridge out of that zone is as narrow as the application allows.

Creating Port Forward Rules
To create a port forward rule, do the following:
1. Browse to Networking > Configuration > Port forwards.
2. Click Add new port forward.
3. Configure the following:
Status: New port forwarding rules are enabled by default. Clear the check box to create a disabled rule.

Client IPs: Choose whether to forward traffic from Any client IP address, or from a specific list. To forward traffic only from a specific IP address, or range of IP addresses, select User defined. Either enter the IP addresses, address ranges, or subnets individually in the box provided, or click the down arrow and select the relevant IP addresses, or ranges. Optionally, select Save selected objects as group to create a new address object that can be re-used in other areas of Network Guardian's user interface without re-entering each individual IP address, or address range. For more information about using address objects, see Working with Address Objects. Restricting Client IPs to the known peers of a service, for example a partner's address range, is the simplest way to shrink the exposure a port forward creates.
Local IP: From the drop-down list, select the external interface that this rule applies to.
Protocol: From the drop-down list, select the network protocol for this rule. For example, to port forward an HTTP request, which is a TCP-based protocol, select TCP.
Local port: Choose whether to forward traffic received on all ports (Any), or only on a specific port. To forward traffic arriving on a specific port, either select it from the Predefined drop-down list, or enter it into the User defined box. Note that you can specify a range of ports using the format: <lowest_port_number>:<highest_port_number>.
Target IPs: Either enter the IP addresses, address range, or subnet to forward traffic to in the box provided, or click the down arrow and select the relevant IP addresses or ranges. If multiple IP addresses or ranges have been specified, traffic forwarded to them is automatically load balanced.
Target port: Select Preserve to forward traffic to the same port number it arrived on. To use a different port number, enter it in the box provided.
Log connections: Select to log all port forwarded traffic.
Comment: Configure an optional comment for this rule. An additional button, Show comments, is displayed on the Port forwards table if any comments are configured. Clicking this displays configured comments under the rule.
4. Click Add.

Editing an Existing Port Forward Rule
To edit an existing rule, do the following:
1. Browse to Networking > Configuration > Port forwards.
2. From the Port forwards table, locate and highlight the relevant rule.
3. Click Edit.
4. Edit the configuration as required. For a detailed description of each setting, see Creating Port Forward Rules.
5. Click Save changes.

Deleting an Existing Port Forward Rule
To delete an existing rule, do the following:
1. Browse to Networking > Configuration > Port forwards.
2. From the Port forwards table, locate and highlight the relevant rule.
3. Click Delete.

You can also delete multiple rules at the same time:
1. Browse to Networking > Configuration > Port forwards.
2. From the Port forwards table, mark each rule for deletion by selecting the check box to the left of Client IPs.
3. Click Delete at the bottom of the panel.

11 Authentication and User Management
This chapter describes how to configure authentication methods, and manage users, including:
About User Authentication
Configuring Global Authentication Settings
About Directory Services
Managing Local Users
Managing Groups of Users
Mapping Groups
Managing Temporarily Banned Users
Managing User Activity
About SSL Authentication
Managing Kerberos Keytabs
Authenticating Chromebook Users

About User Authentication
User authentication determines who the user is and their group membership, if configured or received from an external source. This in turn determines the level of access available to authentication-enabled services. The majority of web filtering policies require mandatory user authentication. Typically, unauthenticated users are prevented from accessing authentication-enabled services such as the Internet.

Firewall services typically classify unauthenticated users as Unauthenticated IPs (see Managing Groups of Users). Only limited access to authentication-enabled services may be available to this group, or even no access at all. In any case, a failed authentication attempt results in either a request to retry authentication, or an error.

Configuring Global Authentication Settings
Global authentication settings determine the common behavior, irrespective of the authentication method used, such as login timeout and logging level. To configure global authentication settings, do the following:
1. Browse to Services > Authentication > Settings.
2. Configure the following:
Login timeout (minutes): Determines the inactivity period after which the user is logged out. The default timeout is 10 minutes. Setting a short login timeout increases the load on the machine for SSL login methods (see About SSL Authentication), and increases the rate of re-authentication requests. Setting a long login timeout may enable unauthorized users to access the network if users leave computers without actively logging out. The behavior of some authentication mechanisms is automatically adjusted by the timeout period. For example, the SSL Login refresh rate updates to ensure that authenticated users do not time out; see Managing Authentication Policies.
Concurrent login sessions (per user): Determines the number of simultaneous login sessions allowed per user account. You can either choose to have No limit, or enter the maximum number of sessions allowed. A limit makes it harder for one set of credentials to be shared between several workstations.
Logging level: Determines the level of authentication logging. Valid choices are:
   Normal: Logs user login and LDAP server information.
   Verbose: As Normal, but also logs request, response and result information. This is useful when troubleshooting possible authentication issues.

Normalize usernames: Determines whether all variations of username and domain are normalized into the same format. For example, Active Directory prefers DOMAIN\user, but can accept user, DOMAIN.COM\user, user@DOMAIN.COM, and so on. Network Guardian stores the user-supplied username in the configured directory server's preferred format. This reduces the number of possible forms of a username to one, preventing users from circumventing temporary bans by using a different format of username, for example, and keeping log searches and reports for one user under one name. For a detailed description of each preferred format, see About Directory Services.
If you are migrating configuration from another Network Guardian installation (refer to the Network Guardian Installation Guide), this setting is disabled by default so that existing log searches and username-based reports continue to work, and any temporary bans issued before the migration still apply. If required, this feature can then be enabled at a convenient time.
3. Click Save changes.
Tip: You should encourage users to proactively log out of the system to ensure that other users of their workstation cannot assume their privileges before the Login timeout (minutes) expires.

About Directory Services
The Network Guardian authentication service is designed to enable Network Guardian to connect to multiple directory services in order to:
   Retrieve groups configured in directories, and apply network and web filtering permissions to users based on group membership within directories.
   Verify the identity of a user who is trying to access network or Internet resources.
Once the connection to a directory service has been configured, Network Guardian retrieves a list of the groups configured in the directory and maps them to the groups available in Network Guardian. When the groups have been mapped, web filtering permissions and network access permissions in the filtering and outgoing sections can be granted on the basis of group membership.
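The Normalize usernames setting above, and the preferred formats listed for each directory type in the sections that follow, are easiest to reason about with a concrete normalizer in hand. The following script is an added example, not part of this guide or of Smoothwall's software: it accepts the username forms Active Directory tolerates (user, DOMAIN\user, domain.com\user, user@domain.com), reduces them to the DOMAIN\user form for Active Directory or to an LDAP distinguished name for LDAP directories, and shows why a temporary ban keyed on the normalized name cannot be dodged by retyping the name. The DNS-to-NetBIOS domain mapping (DNS_TO_NETBIOS), the default domain and the user search root are assumptions standing in for values a real directory connection would supply.

```python
"""Normalize user-supplied usernames to a directory's preferred format so
that temporary bans, log searches and reports key on one identity.

Added example, not Smoothwall code. The DNS-to-NetBIOS domain mapping, the
default domain and the user search root are assumptions standing in for
the values a real directory connection would supply."""
import re

# Assumed mapping of DNS domain names to NetBIOS domain names.
DNS_TO_NETBIOS = {"example.com": "EXAMPLE", "corp.example.com": "CORP"}
NETBIOS_NAMES = set(DNS_TO_NETBIOS.values())


def split_username(raw, default_domain):
    """Accept user, DOMAIN\\user, domain.com\\user or user@domain.com and
    return (NetBIOS domain, user). Unknown domains raise ValueError rather
    than being passed through, so a made-up realm cannot mint a fresh
    identity that escapes an existing ban."""
    raw = raw.strip()
    if "\\" in raw:
        domain, user = raw.split("\\", 1)
    elif "@" in raw:
        user, domain = raw.rsplit("@", 1)
    else:
        domain, user = default_domain, raw
    if not user or "\\" in user or "@" in user:
        raise ValueError("malformed username: %r" % raw)
    domain = domain.strip()
    if "." in domain:
        netbios = DNS_TO_NETBIOS.get(domain.lower())
    else:
        netbios = domain.upper() if domain.upper() in NETBIOS_NAMES else None
    if netbios is None:
        raise ValueError("unknown domain in %r" % raw)
    # sAMAccountName is case-insensitive in Active Directory, so the user
    # part is folded to lower case as part of normalization.
    return netbios, user.lower()


def normalize_ad(raw, default_domain="example.com"):
    """Active Directory preferred format: DOMAIN\\user."""
    domain, user = split_username(raw, default_domain)
    return "%s\\%s" % (domain, user)


_DN_SPECIAL = re.compile(r'([,+"\\<>;])')


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN, so a
    username containing a comma cannot inject extra RDNs."""
    value = _DN_SPECIAL.sub(r"\\\1", value)
    if value.startswith("#") or value.startswith(" "):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value


def normalize_ldap_dn(raw, user_search_root, default_domain="example.com"):
    """LDAP preferred format: the user's distinguished name under the
    configured user search root, e.g. cn=user,ou=users,dc=mydomain,dc=net."""
    _, user = split_username(raw, default_domain)
    return "cn=%s,%s" % (escape_dn_value(user), user_search_root)


class BanList:
    """Temporary bans keyed on the normalized identity, so a banned user
    cannot evade the ban by typing the name in another form."""

    def __init__(self, normalizer):
        self._normalize = normalizer
        self._banned = set()

    def ban(self, raw):
        self._banned.add(self._normalize(raw))

    def is_banned(self, raw):
        try:
            return self._normalize(raw) in self._banned
        except ValueError:
            return False


if __name__ == "__main__":
    bans = BanList(normalize_ad)
    bans.ban("EXAMPLE\\Alice")
    for attempt in ("alice", "alice@example.com", "example.com\\ALICE"):
        print(attempt, "->", normalize_ad(attempt), "banned:", bans.is_banned(attempt))
```

The migration caveat in the setting's description follows directly from this: bans and reports recorded before normalization was switched on are keyed on whatever form the user typed, so they only line up with normalized names once they have been reissued.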
Network Guardian supports the following directory services:
Microsoft Active Directory: Microsoft's directory service for Windows domain networks. Preferred format for normalized usernames: DOMAIN\user. For more information, see Configuring a Microsoft Active Directory Connection.
Microsoft Active Directory - Legacy Method: Microsoft's directory service for Windows domain networks, without the use of Samba. Preferred format for normalized usernames: LDAP distinguished name, for example, cn=user,ou=users,dc=mydomain,dc=net. For information about using the legacy method to connect to Active Directory, see Configuring an Active Directory Connection Legacy Method.

Novell eDirectory, Apple/OpenLDAP and 389 Directory: Various directories which support the LDAP protocol. Preferred format for normalized usernames: LDAP distinguished name, for example, cn=user,ou=users,dc=mydomain,dc=net. For more information, see Configuring an LDAP Connection.
RADIUS: Remote Authentication Dial In User Service. Preferred format for normalized usernames: None. For more information, see Configuring a RADIUS Connection.
Local users: A directory of Network Guardian local users. Preferred format for normalized usernames: As configured in Network Guardian. For more information, see Configuring a Local Users Directory.

Configuring a Microsoft Active Directory Connection
The following sections explain the prerequisites for Microsoft Active Directory and how to configure Network Guardian to work with Microsoft Active Directory.

Prerequisites for Active Directory
Before you configure any settings for use with Active Directory:
   On the Networking > Interfaces > Interfaces page, check that the primary, and optionally the secondary, DNS server containing the Active Directory information is specified correctly. This DNS server is used by Network Guardian for name lookups; Active Directory clients locate domain controllers through DNS SRV records, so a DNS server that does not hold the domain's records will prevent the join. For more information, see Secure Web Gateway and DNS.
   In Active Directory, choose or configure a non-privileged user account to use for joining the domain. Network Guardian stores this account's credentials, for instance when backing up and replicating settings, so anyone who obtains a backup or the appliance's configuration obtains these credentials too.
   Note: We strongly recommend that you do not use an administrator account. The account that you use needs permission to modify the Computers container, and nothing more. To delegate these permissions to a non-privileged user account, choose Delegate Control on the Computers container, create a custom task to delegate and, for Computer objects, grant the full control, create and delete privileges.
   Ensure that the times set on Network Guardian and your Active Directory server are synchronized using NTP; Kerberos rejects tickets when the clock skew between the two exceeds its tolerance (five minutes by default). For more information, refer to the Network Guardian Operations Guide.

Configuring an Active Directory Connection
The following section explains what is required to configure a connection to Active Directory. To configure the connection:
1. On the Services > Authentication > Directories page, click Add new directory.
2. In the Add new directory dialog box, select Active Directory and configure the following settings:
Status: Select Enabled to enable the connection.
Domain: Enter the full DNS domain name of the domain. Other trusted domains are accessible automatically.
Username: Enter the username of the user account.
Password: Enter the password for the user account.
Confirm: Re-enter the password to confirm it.
Cache timeout (minutes): Click Advanced. Accept the default or specify the length of time Network Guardian keeps a record of directory-authenticated users in its cache. Network Guardian will not need to query the directory server for users who log out and log back in as long as their records are still in the cache. Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords remain valid for longer, that is, until the cache timeout has passed; a user whose password was changed in the directory can still authenticate with the old password from the cache until then.
Comment: Optionally, enter a comment about the directory.
3. Click Add. Network Guardian adds the directory to its list of directories and establishes the connection.
4. You must map Active Directory groups to Network Guardian groups. For a detailed description of how to do this, see Mapping Groups.

Configuring an LDAP Connection
The following section explains what is required to configure a connection to an eDirectory, Apple/OpenLDAP or 389 directory server. To configure an LDAP connection:
1. On the Services > Authentication > Directories page, click Add new directory.
2. In the Add new directory dialog box, select one of the following: eDirectory, Apple/OpenLDAP Directory or 389 Directory, and configure the following settings:
Status: Select Enabled to enable the connection.

LDAP server: Enter the directory's IP address or hostname. Note: If using Kerberos as the bind method, you must enter the hostname.
Username: Enter the username of a valid account in LDAP notation. The format depends on the configuration of the LDAP directory. Normally it looks something like this: cn=user,ou=container,o=organization. This is what Novell eDirectory refers to as tree and context. A user that is part of the tree Organization and in the context Sales would have the LDAP notation cn=user,ou=sales,o=organization. For Apple Open Directory, when not using Kerberos, the LDAP username can be written as uid=user,cn=users,dc=example,dc=org. Consult your directory documentation for more information.
Password: Enter the password of a valid account. Note: A password is not required if using simple bind as the bind method.
Confirm: Re-enter the password to confirm it.
Bind method: Accept the default bind method, or from the drop-down list select one of the following options. TLS (with password): select to use Transport Layer Security (TLS). Kerberos: select to use Kerberos authentication. Simple bind: select to bind without encryption. This is frequently used by directory servers that do not require a password for authentication.
Kerberos realm: If using Kerberos, enter the Kerberos realm. Use capital letters.
User search root: Enter where in the directory Network Guardian should start looking for user accounts. Usually, this is the top level of the directory. For example: ou=myusers,dc=mydomain,dc=local. In LDAP form, the top level is seen in the directory as dc=mycompany,dc=local. OpenLDAP-based directories will often use the form o=myorganization. Apple Open Directory uses the form cn=users,dc=example,dc=org. A Novell eDirectory refers to this as the tree, taking the same form as the OpenLDAP-based directories, o=myorganization.
Note: In larger directories, it may be a good idea to narrow down the user search root so that Network Guardian does not have to look through the entire directory. For example, if all users that need to be authenticated have been placed in an organizational unit, the user search root can be narrowed down by adding ou=userunit in front of the domain base.
Note: When working with multi-domain environments, the user search root must be set to the top level domain.

Group search roots: Enter where in the directory Network Guardian should start looking for user groups. Usually this is the same location as configured in the user search root field. For example: ou=mygroups,dc=mydomain,dc=local. Apple Open Directory uses the form cn=groups,dc=example,dc=org. Note: With larger directories, it may be necessary to narrow down the group search root. Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured. The principle is the same as with the user search root setting. If there are multiple OUs containing groups that need to be mapped, add the other locations in the advanced section.
Cache timeout: Accept the default or specify the length of time Network Guardian keeps a record of directory-authenticated users in its cache. Network Guardian does not query the directory server for users who log out and log back in as long as their records are still in the cache.
LDAP port: Accept the default or enter the LDAP port to use. Note: LDAPS (SSL) is automatically used if you enter port number 636.
Extra user search roots: This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter one search root per line.
Extra group search roots: Optionally, enter where in the directory Network Guardian should start looking for more user groups. Enter one search root per line. For more information, see Working with Large Directories on page 16.
Extra realms: This setting enables you to configure subdomains manually rather than discovering them through DNS. Use the following format: <realm><space><kdc server>. For example: example.org kdc.example.org. Enter one realm per line.
Discover Kerberos realms through DNS: Only available if you have selected Kerberos as the authentication method. Select this advanced option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Network Guardian to try to find all the domains in the directory server by querying the DNS server that holds the directory information.
Comment: Optionally, enter a comment about the directory.

3. Click Add. Network Guardian adds the directory to its list of directories and establishes the connection.

4. You must map LDAP groups to Network Guardian groups. For a detailed description of how to do this, see Mapping Groups on page 192.

Configuring a RADIUS Connection

You can configure Network Guardian to use a Remote Authentication Dial In User Service (RADIUS) server as an authentication service.

About Normalizing Usernames in a RADIUS Configuration

Note that in a RADIUS configuration Network Guardian is unable to differentiate between an unknown user and a valid user who has entered an incorrect password, because RADIUS servers require a valid password before they will provide user information to Network Guardian. If Normalize usernames is enabled (see Configuring Global Authentication Settings on page 178), Network Guardian assumes the supplied username is valid and stores it in lower-case format.

Prerequisites

Before you configure any settings:

- Configure the RADIUS server to accept queries from Network Guardian. Consult your RADIUS server documentation for more information.

Configuring the Connection

To configure the connection:

1. On the Services > Authentication > Directories page, click Add new directory.

2. In the Add new directory dialog box, select RADIUS and configure the following settings:

Status: Select Enabled to enable the connection.
RADIUS server: Enter the hostname or IP address of the RADIUS server.
Secret: Enter the secret shared with the server.
Confirm: Re-enter the secret to confirm it.
Action on login failure: Select one of the following. Try next directory server: select this option if users in RADIUS are unrelated to users in any other directory server. Deny access: select this option if the RADIUS password should override the password set in another directory server, for example, when using an authentication token.
Identifying IP address: Enter the IP address to use to identify the caller connecting to the RADIUS server, if it must be different from the internal IP address of the system.
Obtain groups from RADIUS: If the RADIUS server can provide group information, select this option to enable Network Guardian to use the group information in the RADIUS Filter-Id attribute. When not enabled, Network Guardian will use group information from the next directory server in the list. If there are no other directories in the list, Network Guardian will place all users in the Default Users group.
Cache timeout (minutes): Accept the default or specify the length of time Network Guardian keeps a record of directory-authenticated users in its cache. Network Guardian does not query the directory server for users who log out and log back in as long as their records are still in the cache.

Port: Accept the default port or specify a UDP port to use when communicating with the RADIUS server. The default is port
Comment: Optionally, enter a comment about the directory.

3. Click Add. Network Guardian adds the directory to its list of directories and establishes the connection.

4. You must map RADIUS groups to Network Guardian groups. For a detailed description of how to do this, see Mapping Groups on page 192. Note that you must use the same RADIUS group names as configured for the group_attribute parameter in your RADIUS server. For more information, refer to your RADIUS server documentation.

Configuring an Active Directory Connection (Legacy Method)

Note: This is the legacy method of configuring an Active Directory connection. For a simpler method, we recommend that you use the latest method; see Configuring a Microsoft Active Directory Connection on page 180 for more information.

The following sections explain the prerequisites for Microsoft Active Directory and how to use the legacy method to configure Network Guardian to work with Microsoft Active Directory.

Prerequisites for Active Directory

Before you configure any settings for use with Active Directory:

- Run the Network Guardian Setup program and check that the DNS server containing the Active Directory information is specified correctly. This DNS server is used by Network Guardian for name lookups. For more information, see Secure Web Gateway and DNS on page 15 and the Network Guardian Getting Started Guide.
- Check that DNS reverse lookup is configured on the Active Directory DNS server for the Active Directory servers.
- Ensure that the times set on Network Guardian and your Active Directory server are synchronized.

Note: Do not use the administrator account as the lookup user. Often the administrator account will not have a Windows 2000 username, preventing the account from being used by the authentication service.
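Returning to the RADIUS connection described above: the following is an added example, not Smoothwall code, showing what a client does with an Access-Accept before trusting its Filter-Id group names. It verifies the Response Authenticator against the shared secret (RFC 2865), extracts Filter-Id values, applies the documented fallback to Default Users, and maps RADIUS group names to local groups by exact name. The secret, request authenticator and group names are constructed for the example.

```python
"""Verify a RADIUS Access-Accept and derive the user's groups from Filter-Id.

Added example (not Smoothwall code). Packet layout follows RFC 2865:
  Code(1) Identifier(1) Length(2) Authenticator(16) Attributes...
  Attribute: Type(1) Length(1, includes header) Value
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
FILTER_ID = 11            # RFC 2865 attribute the guide says carries group names
DEFAULT_GROUP = "Default Users"


def build_response(code, ident, request_auth, secret, attrs):
    """Build a RADIUS response carrying a valid Response Authenticator.

    attrs is a list of (type, value_bytes). Used here only to construct sample
    packets; a real deployment receives these from the RADIUS server.
    """
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """True only if the reply was produced by a party holding the shared secret."""
    if len(packet) < 20:
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Return (type, value) pairs; reject attributes whose length field lies."""
    pos, attrs = 20, []
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def groups_from_response(packet, request_auth, secret, obtain_groups=True):
    """Mirror the 'Obtain groups from RADIUS' behaviour described in the guide.

    Returns None for Access-Reject (unknown user OR wrong password: RADIUS does
    not let the client tell them apart), the Filter-Id values when the option is
    enabled, and the Default Users fallback otherwise or when none are present.
    """
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    if packet[0] != ACCESS_ACCEPT:
        return None
    if not obtain_groups:
        return [DEFAULT_GROUP]
    groups = [v.decode("utf-8", "replace")
              for t, v in parse_attributes(packet) if t == FILTER_ID]
    return groups or [DEFAULT_GROUP]


def map_to_local(radius_groups, mapping):
    """Apply group mappings (Directories > Add new group mapping).

    Names must equal the RADIUS server's group_attribute values exactly; users
    with no mapped group drop through to Default Users, as the guide states.
    """
    local = list(dict.fromkeys(mapping[g] for g in radius_groups if g in mapping))
    return local or [DEFAULT_GROUP]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample values
    req_auth = bytes(range(16))
    pkt = build_response(ACCESS_ACCEPT, 7, req_auth, secret,
                         [(FILTER_ID, b"Staff"), (FILTER_ID, b"Sixth Form")])
    groups = groups_from_response(pkt, req_auth, secret)
    print(groups, "->", map_to_local(groups, {"Staff": "Teachers"}))
```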

Configuring an Active Directory Connection

Configuring an Active Directory connection entails specifying server details and, optionally, the Kerberos realm to use, search roots and any advanced settings required.

To configure the connection:

1. Navigate to the Services > Authentication > Directories page.

2. In the Add directory server area, from the Directory server drop-down list, select Active Directory and click Next. Network Guardian displays the settings for Active Directory.

3. Configure the following settings:

Status: Select Enabled to enable the connection.
Active Directory server: Enter the directory server's full hostname. Note: For Microsoft Active Directory, Network Guardian requires DNS servers that can resolve the Active Directory server hostnames. Often, these are the same servers that hold the Active Directory. The Active Directory DNS servers will need a reverse lookup zone with pointer (PTR) records for the Active Directory servers for a successful lookup to take place. Refer to the Microsoft DNS server help if you need assistance in setting up a reverse lookup zone. See also Secure Web Gateway and DNS on page 15 for more information.
Username: Enter the username of a valid account. Enter the username without the domain; the domain is added automatically by Network Guardian. In a multi-domain environment, the username must be a user in the top level domain. For more information, see Active Directory on page 17.
Password: Enter the password of a valid account.
Confirm: Re-enter the password to confirm it.
Cache timeout (minutes): Accept the default or specify the length of time Network Guardian keeps a record of directory-authenticated users in its cache. Network Guardian will not need to query the directory server for users who log out and log back in as long as their records are still in the cache. Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords remain valid for longer, that is, until the cache timeout has passed.
Kerberos realm: Optionally, select Automatic or enter the Kerberos realm.
User search root: Optionally, to configure Network Guardian to start looking for user accounts at the top level of the directory, select Automatic. Or enter the user search root to start looking in, for example: ou=myusers,dc=mydomain,dc=local. Note: When working with multi-domain environments, the user search root must be set to the top level domain.

Group search root: Optionally, to configure Network Guardian to start looking for user groups at the top level of the directory, select Automatic. Or enter the group search root to start looking in, for example: ou=mygroups,dc=mydomain,dc=local. Note: Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured.
Comment: Optionally, enter a comment about the directory server and the settings used.
Enabled: Select this option to enable the connection to the directory server.

4. Optionally, click Advanced to access and configure the following settings:

LDAP port: Accept the default, or enter the LDAP port to use.
Discover Kerberos realms through DNS: Select this option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Network Guardian to try to find all the domains in the directory server by querying the DNS server that holds the directory information.
Use samaccountname: This setting applies when using Microsoft Windows NT4 or older installations. Enter the sAMAccountName to override the userPrincipalName.
NetBIOS workgroup: This setting applies when using NTLM authentication with Guardian. Network Guardian cannot join domains required for NTLM authentication where the workgroup, also known as the NetBIOS domain name or pre-Windows 2000 domain name, is not the same as the Active Directory domain. Select Automatic or enter the NetBIOS domain name to use when joining the workgroup.
Extra user search roots: This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter one search root per line.
Extra group search roots: Optionally, enter where in the directory Network Guardian should start looking for more user groups. Enter one search root per line. For more information, see Working with Large Directories on page 16.
Extra realms: This setting enables you to configure subdomains manually, as opposed to automatically through DNS. Use the following format: <realm><space><kdc server>. For example: example.org kdc.example.org. Enter one realm per line.

5. Click Add. Network Guardian adds the directory to its list of directories and establishes the connection.

6. You must map Active Directory groups to Network Guardian groups. For a detailed description of how to do this, see Mapping Groups on page 192.

Configuring a Local Users Directory

Network Guardian stores user account information, comprising usernames, passwords and group membership, in local user directories so as to provide a standalone authentication service for network users.

To configure a local users directory:

1. On the Services > Authentication > Directories page, click Add new directory.

2. In the Add new directory dialog box, select Local users and configure the following settings:

Status: Select Enabled to enable the connection.
Name: Accept the default name or enter a new name.
Comment: Optionally, enter a comment about the directory.

3. Click Add. Network Guardian adds the directory to its list of directories. For information about adding and managing local users, see Managing Local Users on page 189.

Reordering Directory Servers

Tip: If most of your users are in one directory, list that directory first so as to reduce the number of queries required. If user passwords are checked by a RADIUS server and group information is obtained from LDAP, list the RADIUS server first.

To reorder directory servers:

1. On the Services > Authentication > Directories page, select the directory server you want to move and click Up or Down until the server is where you want it.

2. Repeat the step above for any other directories you want to move.

3. Click Save moves. Network Guardian applies the changes.

Tip: You can also drag and drop directories to where you want them. Just remember to click Save moves.

Editing a Directory Server

To edit a directory server:

1. On the Services > Authentication > Directories page, point to the directory server and click Edit. The Edit directory dialog box opens.

2. Make the changes required; see About Directory Services on page 179 for information about the settings available.

3. Click Save changes. Network Guardian applies the changes.

Deleting a Directory Server

To delete a directory server:

1. On the Services > Authentication > Directories page, point to the directory server and click Delete. When prompted, confirm that you want to delete the directory. Network Guardian deletes the server.

Diagnosing Directories

It is possible to review a directory's status and run diagnostic tests on it.

To diagnose a directory:

1. On the Services > Authentication > Directories page, point to the directory server and click Diagnose. Network Guardian displays current directory connection, user account and status information.

Tip: You can diagnose multiple directories at the same time. Select the directories and click Diagnose.

Managing Local Users

Network Guardian stores user account information, comprising usernames, passwords and group membership, in local user directories so as to provide a standalone authentication service for network users.

Adding Users

To add a user to a local user directory:

1. On the Services > Authentication > Directories page, click on the local user directory you want to add a user to. Network Guardian displays any current local users.

2. Click Add new user. In the Add new user dialog box, configure the following settings:

Enabled: Select to enable the user account.
Username: Enter the user account name.
Password: Enter the password associated with the user account. Passwords must be a minimum of six characters long.
Repeat password: Re-enter the password to confirm it.
Select group: From the drop-down menu, select a group to assign the user account to.

3. Click Add. Network Guardian saves the information.

4. Repeat the steps above to add more users.

Editing Local Users

To edit an existing user's details:

1. On the Services > Authentication > Directories page, click on the local user directory containing the user account you want to edit. Network Guardian displays current local users.

2. Point to the user account and click Edit. In the Edit user dialog box, make the changes required. See Adding Users on page 189 for more information about the settings available.

3. Click Save changes. Network Guardian applies the changes.

Deleting Users

To delete users:

1. On the Services > Authentication > Directories page, click on the local user directory containing the user account(s) you want to delete. Network Guardian displays current local users.

2. Point to the user account and click Delete. When prompted, confirm that you want to delete the account. Network Guardian deletes the account.

3. Repeat the steps above to delete other accounts.

Managing Groups of Users

The following sections discuss groups of users and how to manage them.

About Groups

Network Guardian uses the concept of groups to provide a means of organizing and managing similar user accounts. Authentication-enabled services can associate permissions and restrictions with each group of user accounts, thus enabling them to dynamically apply rules on a per-user account basis. Local users can be added or imported to a particular group, with each group organized to mirror an organization's structure. Groups can be renamed by administrators to describe the users that they contain.

Currently, Network Guardian supports 1000 groups and by default contains the following groups:

Unauthenticated IPs: The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for unauthenticated users, that is, users that are not logged in, are currently unauthenticated or cannot be authenticated. Note: This group cannot be renamed or deleted.

Default Users: Users can be mapped to Default Users. The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for users that are not specifically mapped to a Network Guardian group, that is, users that can be authenticated but who are not mapped to a specific Network Guardian authentication group. Note: This group cannot be renamed or deleted.
Banned Users: The purpose of this group is to contain users who are banned from using an authentication-enabled service. Note: This group cannot be renamed or deleted.
Network Administrators: This group is a normal user group, configured with a preset name and set up for the purpose of granting network administrators access to an authentication-enabled service. Because the Network Administrators group is a normal group with a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of permissions or restrictions.

Adding Groups

It is possible to add groups to Network Guardian. Currently, Network Guardian supports 1000 groups.

To add a group:

1. On the Services > Authentication > Groups page, click Add new group.

2. In the Add new group dialog box, enter the following information:

Name: Enter a name for the group.
Comment: Optionally, enter a comment.

3. Click Add. Network Guardian creates the group and lists it.

Editing Groups

Note: It is not possible to rename the Unauthenticated IPs, Default Users or Banned Users groups.

To edit a group:

1. On the Services > Authentication > Groups page, point to the group and click Edit.

2. In the Edit group dialog box, enter the following information:

Name: When renaming a group, enter a new name.
Comment: Edit or enter a new comment.

3. Click Save changes. Network Guardian applies the changes.

Deleting Groups

Note: It is not possible to delete the Unauthenticated IPs, Default Users or Banned Users groups.

To delete a group or groups:

1. On the Services > Authentication > Groups page, select the group(s) and click Delete.

2. When prompted to confirm the deletion, click Delete. Network Guardian deletes the group(s).

Mapping Groups

Once you have successfully configured a connection to a directory, you can map the groups Network Guardian retrieves from the directory in order to apply permissions and restrictions to the users in those groups.

Note: These instructions apply only to directories not configured as Local users. For a detailed description of how to manage local users, see Managing Local Users on page 189.

To map directory groups to Network Guardian groups, do the following:

1. Browse to Services > Authentication > Directories.

2. Expand the relevant directory group, and click Add new group mapping.

3. Configure the following parameters:

Directory group: Depending on the directory service configured, add or select the directory group to map from.
Local group: From the drop-down menu, select the relevant Network Guardian group.
Enabled: Select this option to enable or disable the group mapping.

4. Click Add.

Remapping Groups

It is possible to change group mappings. To remap groups, do the following:

1. Browse to Services > Authentication > Directories.

2. Expand the relevant directory group, and select the relevant group mapping.

3. Click Edit.

4. Change the Directory group and/or the Local group as required.

5. Click Save changes.

Deleting Group Mappings

It is possible to delete group mappings. To delete one or more group mappings, do the following:

1. Browse to Services > Authentication > Directories.

2. Expand the relevant directory group, and select the relevant group mapping.

3. Click Delete.

4. Click Delete to confirm the deletion.

Managing Temporarily Banned Users

Network Guardian enables you to temporarily ban specific user accounts. When temporarily banned, the user is added to the Banned users group.

Note: You can apply any web filtering policy to the Banned users group.

Creating a Temporary Ban

Note: Only administrators and accounts with Temp ban access can manage banned accounts. For more information, refer to the Network Guardian Operations Guide.

To ban an account temporarily:

1. Navigate to the Services > Authentication > Temporary bans page.

2. Click Add new temporary ban. In the Add new temporary ban dialog box, configure the following settings:

Status: Select Enabled to enable the ban immediately.
Username: Enter the user name of the account you want to ban.

Ban expires: Click and select when the ban expires.
Comment: Optionally, enter a comment explaining why the account has been banned.

3. Click Add. Network Guardian enforces the ban immediately.

Tip: You can edit the block page displayed to banned users so that it gives them information about the ban in force. For more information, refer to the Network Guardian Operations Guide.

Tip: There is also a ban option on the Services > Authentication > User activity page; for more information, see Managing User Activity on page 195.

Removing Temporary Bans

To remove a ban:

1. Navigate to the Services > Authentication > Temporary bans page.

2. In the Current rules area, select the ban and click Remove. Network Guardian removes the ban.

Removing Expired Bans

To remove bans which have expired:

1. Navigate to the Services > Authentication > Temporary bans page.

2. In the Current rules area, click Remove all expired. Network Guardian removes all bans which have expired.

Managing User Activity

Network Guardian enables you to see who is logged in and who has recently logged out. You can also log users out and/or ban them.

Viewing User Activity

To view activity:

1. Navigate to the Services > Authentication > User activity page. Network Guardian displays who is logged in, who recently logged out, the group(s) the user belongs to, their source IP and the method of user authentication. Recently logged out users are listed for 15 minutes.

Logging Users Out

To log a user out:

1. On the Services > Authentication > User activity page, point to the user you want to log out and click Log user out. Network Guardian logs the user out immediately and lists them as logged out.

Note: Logging a user out is not the same as blocking a user from accessing web content. Connection-based authentication will automatically log the user back in. If the user is using SSL login, they are prompted to authenticate again.

Banning Users

To ban a user:

1. On the Services > Authentication > User activity page, point to the user you want to ban and click Ban user. Network Guardian copies the user's information and displays it on the Services > Authentication > Temporary bans page, where you can configure the ban. For more information, see Creating a Temporary Ban on page 193.

About SSL Authentication

Network Guardian provides SSL Login as a built-in authentication mechanism which can be used by authentication-enabled services to apply permissions and restrictions on a customized, per-user basis.

When SSL Login is configured, network users requesting port 80 for outbound web access are automatically redirected to a secure login page, the SSL Login page, and prompted for their user credentials. The SSL Login page can be manually accessed by users wishing to pro-actively authenticate themselves, typically where they need to use a non-web authentication-enabled service, for example, group bridging, or where only a small subset of users require authentication.

SSL Login authentication works by dynamically adding a rule for the IP address of each authenticated user, thus allowing SSL Login redirection to be bypassed for authenticated users. When an authenticated user logs out or exceeds the time-out limit, the rule is removed and future outbound requests on port 80 will again cause automatic redirection to the SSL Login.

For information about the authentication methods that can be used with SSL login, see Managing Authentication Policies on page 101.

Customizing the SSL Login Page

When using SSL as an authentication method, it is possible to customize the title image, background image and message displayed on an SSL login page.

Customizing the Title Image

It is possible to customize the title image displayed on the SSL login page.

To upload a custom title image:

1. Browse to the Services > Authentication > SSL login page.

2. Click the Title image Browse/Select file button. Using your browser's controls, locate and select the file.

3. Click Save changes. Network Guardian uploads the file and makes it available on the SSL login page.

Customizing the Background Image

It is possible to customize the background image used on an SSL login page.

To upload a background image:

1. On the Services > Authentication > SSL login page, click the Background image Browse/Select file button. Using your browser's controls, locate and select the file.

2. Click Save changes. Network Guardian uploads the file and makes it available on the SSL login page.

Removing Custom Files

To remove a custom file:

1. Browse to the Services > Authentication > SSL login page.

2. To remove the title image, adjacent to Title image, click Delete.

3. To remove the background image, adjacent to Background image, click Delete.

Customizing the Message

It is possible to provide users with a customized message.

To customize the login message:

1. Navigate to the Services > Authentication > SSL login page.

2. In the Customize SSL Login area, enter your custom message in the SSL login page text box.

3. Click Save changes to apply the new message.

Reviewing SSL Login Pages

You can review SSL Login pages.

To review the SSL Login page:

1. In the web browser of your choice, enter your Network Guardian system's IP address followed by /login. For example: or, using HTTPS, Network Guardian displays the SSL login page.

Managing Kerberos Keytabs

Note: When using Microsoft Active Directory for authentication, Kerberos keys are managed automatically. For other directory servers, it is necessary to import keytabs manually; see the following section for information about how to do this.

A Kerberos keytab is a file which contains pairs of Kerberos principals and encrypted keys. By importing and using Kerberos keytabs, Network Guardian services, such as authentication, can use the interoperability features provided by Kerberos. For information about using Kerberos as the authentication method in authentication policies, refer to the Network Guardian Operations Guide.

Prerequisites

The following are prerequisites when using Kerberos as an authentication method:

- Forward and reverse DNS must be working.
- All clocks must be in sync. More than 5 minutes of clock drift will cause authentication to fail.

Adding Keytabs

The following section explains how to add Kerberos keytabs into Network Guardian. For information about generating keytabs, consult the documentation delivered with your directory server. Also, available at the time of writing, see which discusses how to get a keytab from Active Directory.

To add a keytab:

1. Browse to the Services > Authentication > Kerberos keytabs page.

2. Click Add new keytab and configure the following settings:

Status: Accept the default setting to enable the keytab.
Name: Enter a descriptive name for the keytab.
File: Using your browser, locate and select the keytab.
Comment: Optionally, enter a comment to describe the keytab.

3. Click Add. Network Guardian adds the keytab and lists it in the Kerberos keytabs area.

4. Repeat the steps above for any other keytabs you need to import.

Managing Keytabs

The following sections explain how to enable, view, edit and delete Kerberos keytabs.

Disabling Keytabs

Kerberos keytabs are enabled by default. It is possible to disable a Kerberos keytab when required, for example, when troubleshooting.

To disable a keytab:

1. Browse to the Services > Authentication > Kerberos keytabs page.

2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.

3. In the Edit keytab dialog box, clear the Enabled option. Click Save changes to save the setting. Network Guardian disables the keytab.

Viewing Keytab Content

It is possible to view the contents of a Kerberos keytab.

To view a Kerberos keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3. In the Edit keytab dialog box, click the keytab's display arrow. Network Guardian displays the content.

Editing Keytabs

It is possible to change the name of the Kerberos keytab file.

To change the name of the Kerberos keytab file:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3. In the Edit keytab dialog box, change the name as required and click Save changes. Network Guardian changes the name and lists the Kerberos keytab in the Installed Kerberos keytabs area.

Deleting Keytabs

It is possible to delete Kerberos keytabs that are no longer required.

To delete a Kerberos keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Delete.
3. When prompted to confirm the deletion, click Delete. Network Guardian deletes the keytab.

Troubleshooting a Kerberos Service

Check the following when troubleshooting a service that uses Kerberos:
- Make sure all the prerequisites have been met, see Prerequisites on page 198
- Try another browser for fault-finding
- In a Safari browser, try the fully qualified domain name (FQDN) if the short form does not work
- Check if the user logged on before the keytab was created. Try logging off then on again.
- Check if the user logged on before Network Guardian joined the domain. Try logging off then on again.
- Double check you are logged on with a domain account

When exporting your own keytabs:
- Make sure the keytab contains keys with the same type of cryptography as that used by the client
- The HTTP in the service principal name (SPN) must be in uppercase

- The keytab should contain SPNs containing the short and fully qualified forms of each hostname.

Authenticating Chromebook Users

Network Guardian's Chromebook authentication feature allows internal Chromebook users to authenticate themselves using their Google credentials, whilst enforcing organizational web filtering policies wherever they are located.

Network Guardian must be assigned a Client ID and Client Secret, provided through the Google developer console (see Creating a Google Client ID and Client Secret (Web Application) on page 201). This allows Network Guardian, and Connect for Chromebooks, to send authorization requests to Google OAuth servers.

Note: Google Chromebooks allow multiple users to be signed into a single Chromebook device at any one time. For Network Guardian's Google App integration to work, this feature needs to be disabled. For a detailed description of how to do this, refer to the Google Admin console.

Creating a Google Client ID and Client Secret (Web Application)

Network Guardian must be assigned a Google Client ID and Client Secret to be able to communicate successfully with Google. To create and download the Client ID and Client Secret you must use the Google Developer console. For a detailed description of how to create the ID and Secret, refer to your Google documentation.

Tip: The Client ID and Client Secret are created as a web application within the OAuth module of the Google Developer console.

Uploading the Client ID and Client Secret

To assign the Client ID and Client Secret to Network Guardian, do the following:
1. Log into the Network Guardian administration user interface.

2. Browse to Services > Authentication > Chromebook.
3. Scroll down to the Google web application settings panel.
4. Copy and paste the Google Client ID into the Client ID text box.
5. Copy and paste the Google Client Secret into the Client Secret text box.
6. Scroll down to the bottom, and click Save changes.

Restricting Accepted Google Accounts by Domain

You can choose to only accept Google accounts from specified domains, that is, the domain part of the Google address. If this restriction is configured via the Google Admin console, users from restricted domains will not be able to log onto their Chromebook. Alternatively, you can configure a list of accepted domains in Network Guardian. This allows users to log onto their Chromebook devices, but their subsequent authentication request from Connect for Chromebooks is rejected, leaving them unable to connect to the Internet.
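Before continuing with the Chromebook configuration, here is a way to check a self-exported keytab against the three keytab rules in the Kerberos troubleshooting section above (matching key type, uppercase HTTP, short and fully qualified SPNs). This is an added example, not Smoothwall code; the realm, hostnames and key bytes are constructed for the example, and the parser assumes the MIT keytab file format version 0x0502.

```python
"""Check an exported Kerberos keytab against the keytab checklist above.

Added example, not Smoothwall code: parses the MIT keytab file format
(version 0x0502, big-endian fields) and reports, for the HTTP service
principals, whether the service name is uppercase, whether both the short
and the fully qualified hostname have an entry, and whether each entry
carries a key of the type the client uses. The sample keytab is built in
memory with dummy key bytes, so no real key material is involved.
"""
import struct

# IANA Kerberos encryption type numbers commonly seen in AD-exported keytabs.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(buf, pos):
    """Read a 16-bit length-prefixed byte string; return (bytes, new position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data):
    """Return a list of entry dicts (principal, service, host, enctype, kvno)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        # name type (4 bytes), timestamp (4), 8-bit key version number (1)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen               # skip the key bytes themselves
        kvno = vno8
        if end - pos >= 4:              # optional 32-bit key version number
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "service": comps[0],
                        "host": comps[1] if len(comps) > 1 else "",
                        "enctype": enctype, "kvno": kvno})
    return entries


def check_http_spns(entries, client_enctype, short_host, fqdn):
    """Apply the guide's three keytab rules; return a list of problems found."""
    problems, covered = [], {}
    for e in entries:
        if e["service"].upper() != "HTTP":
            continue                    # host/, cifs/ and so on are not checked
        if e["service"] != "HTTP":
            problems.append(f"service name must be uppercase HTTP: {e['principal']}")
            continue                    # a lowercase entry does not satisfy the client
        covered.setdefault(e["host"].lower(), set()).add(e["enctype"])
    for host in (short_host, fqdn):
        types = covered.get(host.lower())
        if types is None:
            problems.append(f"no HTTP SPN for {host}")
        elif client_enctype not in types:
            want = ENCTYPE_NAMES.get(client_enctype, str(client_enctype))
            problems.append(f"HTTP/{host} has no {want} key")
    return problems


def build_keytab(spns, realm="EXAMPLE.LOCAL"):
    """Serialise (service, host, enctype, kvno) tuples as a 0x0502 keytab.
    Constructed test data only: the 16 key bytes are a fixed dummy pattern."""
    out = bytearray(b"\x05\x02")
    for service, host, enctype, kvno in spns:
        body = bytearray(struct.pack(">H", 2))          # two name components
        for s in (realm, service, host):
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, time, vno8
        key = b"\xaa" * 16
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: the FQDN has AES and RC4 keys, the short name was
# exported with a lowercase service name, and host/ is a non-HTTP SPN.
SAMPLE = build_keytab([("HTTP", "proxy.example.local", 18, 2),
                       ("HTTP", "proxy.example.local", 23, 2),
                       ("http", "proxy", 18, 2),
                       ("host", "proxy.example.local", 18, 2)])

if __name__ == "__main__":
    for problem in check_http_spns(parse_keytab(SAMPLE), 18,
                                   "proxy", "proxy.example.local"):
        print("problem:", problem)
```

To check a real export, read the file with `open(path, "rb").read()` in place of `SAMPLE` and pass the enctype your clients negotiate.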

To configure a list of accepted domains, do the following:
1. Browse to Services > Authentication > Chromebook.
2. Scroll down to the Google web application settings panel.
3. Select Restrict logins to the following domains:.
4. Within the Domains box, list the accepted domains, with each one on a new line.
5. Scroll down to the bottom, and click Save changes.

Customizing the Client Login Page

You can customize the login page users see when they first log onto the network via a Chromebook, to suit your organizational needs. The following is an example of the expected layout of the login page:

You can change the logo, heading and main body of text. However, only static text and images can be used. You cannot use links to other HTML pages. The Google Sign in button must remain in case a manual login is required.

To customize the client login page, do the following:
1. Browse to Services > Authentication > Chromebook.
2. Scroll down to the Client login page panel.
3. Configure the following:
   Title: Enter a meaningful heading for the main body of text.
   Image: To change the logo, click Choose File. Locate the relevant image, and click Open. Click the black arrow to view the uploaded image. The Smoothwall logo is provided as the default image if none has been uploaded.
   Text: Enter the text that will appear in the main body.

4. Click Save changes.

Tip: It is recommended you include text advising that by using this Client login page, the user is granting permission for their login credentials to be sent to Google.

Managing Chromebooks

You can manage the network configuration of all your Chromebooks from the Google Admin console. Key areas needed to make Network Guardian Chromebook authentication work are as follows:
- Deploying the Connect for Chromebooks Extension on page 204
- Diagnosing Connect for Chromebooks on page 205
- Validating Network Guardian's HTTPS Certificate on page 206
- Routing Traffic to Network Guardian's Proxy Server on page 207

Deploying the Connect for Chromebooks Extension

The Connect for Chromebooks extension is a custom utility that can be deployed to all Chromebooks in your network. Once the user is logged into the Chromebook, Connect for Chromebooks performs the additional Google authentication, and handles any subsequent authentication requests.

Connect for Chromebooks places an icon in the Chrome browser taskbar. The icon shows one of the following extension and user authentication statuses:
- The user is logged into Connect for Chromebooks, and browsing is allowed.
- Connect for Chromebooks is running but has an error.
- Connect for Chromebooks has an error.

Clicking on the icon displays a pop-up window with a detailed description of the current status:
- The user credentials of the logged in user are displayed.
- Connect for Chromebooks is unable to connect to the Internet to authenticate the user.

- There is a problem with Connect for Chromebooks.
- Connect for Chromebooks is busy.

Connect for Chromebooks does not require you to install the extension on a server for deployment to all Chromebooks. Instead, you must link to it from the Google Admin console, which then includes it in the Chromebook configuration pushed out to all clients.

To deploy Connect for Chromebooks, do the following:
1. Log into the Google Admin console.
2. Under Chrome Device Management, locate Manage pre-installed apps.
3. Click Specify a Custom App.
4. Enter the following ID: ldmijmkolialklggnnlgaodhaemipjmn
5. Enter the following URL:
6. Click Add. Smoothwall Connect for Chromebooks should appear in the Total to pre-install panel.
7. Click Save.
8. Scroll down to the bottom of the page, and click Save changes.

Note: The above instructions are correct at the time of writing. Google feature names and links may change over time.

Diagnosing Connect for Chromebooks

Connect for Chromebooks provides a log of the user activity from the Chromebook it is installed on, namely which users have logged on, and the status of their login.

To view the Connect for Chromebooks log, do the following:
1. From the Chromebook, click the Connect for Chromebooks icon.
2. From the pop-up window, click Diagnostics.

Validating Network Guardian's HTTPS Certificate

Network Guardian's Client Login page is presented to the Chromebook over SSL. This requires the HTTPS certificate presented by Network Guardian to be validated by the Chromebooks. To do this, you must download the HTTPS certificate from your Network Guardian, and upload it to Google's Admin console.

Note: The Network Guardian appliance must be configured with a fully qualified hostname, for example, my.smoothwall.com. For a detailed description of how to change the hostname, refer to the Network Guardian Operations Guide.

Tip: Ensure the DNS server used by the Chromebooks maps Network Guardian's fully qualified hostname to the Network Guardian internal IP address that the Chromebooks use to connect. All references to the client login page (see Customizing the Client Login Page on page 203) must be made using the fully qualified hostname.

You must first verify that the certificate uses the correct hostname, as follows:
1. From a network machine, in a Chrome browser, browse to your Network Guardian appliance using the fully qualified hostname on port 442, for example:
   Note that HTTPS in the URL, and the SSL padlock icon, are both crossed through.
2. Click on the crossed SSL padlock icon in the URL bar.
3. From the Connection tab, click Certificate information.
4. Confirm that the hostname used in the certificate is the fully qualified hostname. This is the name listed against Issued to: and Issued By:.
5. Click OK.

If the fully qualified hostname is not used by the certificate, refer to the Network Guardian Operations Guide for a detailed description of how to change the hostname.

If the fully qualified hostname appears in the certificate, download the certificate as follows:
1. From the Network Guardian user interface, browse to Services > Authentication > Chromebook.
2. Scroll down to the HTTPS certificate panel.
3. Click Download certificate.
4. If you manage your Google directory from the same machine, click Open the Google Admin console in a new window. If not, copy the downloaded HTTPS certificate to the relevant machine, and browse to the Google Admin console.
5. Upload the certificate to the Google Admin console's Manage Certificates module to deploy it to all Chromebooks in your organization. For a detailed description of how to do this, refer to your Google documentation.

Tip: Ensure Use this certificate as an HTTPS certificate authority is selected for Network Guardian's HTTPS certificate in the Manage certificates dialog.

Routing Traffic to Network Guardian's Proxy Server

Using the Google Admin console, you can have all Chromebooks redirect internet traffic to proxy through Network Guardian's proxy servers. The following recommendations are made:
- The DHCP server used by the Chromebooks should point to the DNS server which hosts the client login page (see Customizing the Client Login Page on page 203).
- The following domains should be whitelisted in Guardian:
  gstatic.com
  ajax.googleapis.com
  accounts.google.com
  plus.google.com
  apis.google.com
  ssl.gstatic.com
  oauth.googleusercontent.com
  For a detailed description of how to configure a whitelist, see Managing Web Filter Policies on page 64.
- Within the Google Admin console, check the following:
  - The proxy server URL uses the fully qualified hostname of your Network Guardian appliance.
  - The proxy settings are locally applied for the appropriate network groups.
  - Proxy mode should be set to Always use the proxy specified below.
  - Include Network Guardian's hostname in the proxy bypass list.
  - The startup homepage should be set to Homepage is always the homepage URL, set below.
  - Set the URL for your startup homepage to: Guardian_hostname:442/modules/auth/cgibin/google/login.cgi where Network Guardian_hostname is the fully qualified hostname assigned to Network Guardian.
  - Enter the same URL for Pages to load on startup.

The above setup in the Google Admin console is for a non-transparent proxy method. Should Connect for Chromebooks be unable to determine a proxy server, or your network is configured for a transparent proxy method, the following recommendation is made:
- An additional DNS entry should be added to your local DNS settings: autodiscover.smoothwall.net mapped to the internal IP address of Network Guardian. This is because Connect for Chromebooks uses the above domain name when attempting to communicate directly with Network Guardian in the absence of a proxy setup.


12 Centrally Managing Smoothwall Systems

This chapter describes how to configure and maintain a centrally managed Smoothwall system, including:
- About Centrally Managing Smoothwall Systems on page 209
- Setting up a Centrally Managed Smoothwall System on page 210
- Managing Nodes in a Smoothwall System on page 215
- Using BYOD in a Centrally Managed System on page 219

About Centrally Managing Smoothwall Systems

Network Guardian's central management enables you to monitor and manage nodes in a Smoothwall system. A Smoothwall system is comprised of an instance of a Smoothwall product running as a parent node and one or more compatible Smoothwall products running as child nodes managed by the parent node.

Configuring and managing a Smoothwall system entails:
- Configuring a parent and the nodes in the system; for more information, see Setting up a Centrally Managed Smoothwall System on page 210
- Actively monitoring the nodes in the system; for more information, see Monitoring Node Status on page 216
- Applying updates; for more information, see Scheduling and Applying Updates to One or More Nodes on page 217
- Rebooting nodes as required; for more information, see Rebooting Nodes on page 218
- Disabling nodes as required; for more information, see Disabling Nodes on page

Pre-requirements

Before you start to set up a centrally managed Smoothwall system:
- Check that all the Smoothwall machines you intend to include in the system have the latest updates applied. For more information, refer to the Network Guardian Operations Guide
- Check that you have administrator access to all of the computers you want to include in the system
- Check that there is IP access from the computer that is the parent node to the computers that are child nodes in the system.

Setting up a Centrally Managed Smoothwall System

Setting up a centrally managed Smoothwall system entails:
- Configuring the parent node in the system
- Configuring child node settings, installing the central management key and enabling SSH on child nodes
- Adding child nodes to the system.

Configuring the Parent Node

The first step when configuring a Smoothwall system is to configure the parent node in the system.

To configure the parent node:
1. Log in to the instance of Network Guardian you want to function as the parent node.
2. Browse to the System > Central management > Local node settings page.

3. Configure the following settings:
   Local node options
   Parent node: Select this option to enable central management and configure this instance of Network Guardian as the parent node in the Smoothwall system.
4. Click Save. This instance of Network Guardian becomes the parent node and can be used to centrally manage the Smoothwall system.

Configuring Child Nodes

Every child node in a Smoothwall system must have a central management key installed and SSH enabled.

To configure a child node:
1. On the system's parent node, browse to the System > Central management > Local node settings page.
2. Configure the following settings:
   Local node options
   Parent node: Check that this option is selected so that you can generate a central management key for installation on child nodes.
   Manage central management keys
   Central management key: Click Download to download and save the central management key in a secure, accessible location for distribution to the child nodes in the system.

3. On the Smoothwall system you want to add as a child node, browse to the System > Central management > Local node settings page and configure the following settings:
   Local node options
   Child node: Select this option to configure this machine as a child node in the system. Click Save to save this setting.
   Manage central management keys
   Upload central management key: Using your browser's controls, browse to and select the key. Click Save to upload the key to the child node.
   Note: If you are reconfiguring a child node to be the child of a new parent, reboot the child node to apply the changes.
4. On the System > Administration > Admin options page, select SSH and click Save.
5. Repeat step 3 and step 4 above on any other machines you want to use as child nodes. When finished, you are ready to add them to the system. See Adding Child Nodes to the System on page 212 for more information.

Adding Child Nodes to the System

When you have installed the central management key and enabled SSH on all child nodes, you are ready to add them to the system. You can add nodes:
- Manually, by adding each node separately; see Manually Adding Child Nodes on page 212
- By importing node information from a CSV file; for more information, see Importing Nodes into the System on page 213.

Manually Adding Child Nodes

Adding child nodes manually entails entering the information for each node separately.

To add child nodes manually:
1. On the parent node, browse to the System > Central management > Child nodes page.

2. Click Add node and configure the following settings:
   Node details
   Node name: Enter a unique name to identify the node. Node names may only consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
   IP/hostname: Enter the IP address or hostname of the child node.
   Comment: Optionally, enter a comment describing the child node.
   Node settings
   Replication profile: From the drop-down list, select the replication profile to be deployed on the child node. The replication profile enables the sharing of system settings between nodes. For information about configuring a replication profile, refer to the Network Guardian Operations Guide.
   Central logging: Select to enable central logging for the child node. Note: Do not select this option if you want to access the child node's logs on the child node itself.
   Allow parent to monitor status: Select to enable central monitoring for the child node.
   Allow parent to manage resources: Select to enable the parent node in the group to manage child node resources such as quotas which limit user access to web content. When enabled and quotas have been used in a web filtering policy, the parent ensures that users cannot access content for longer than allowed by using different child nodes.
3. Select Enable node and click Confirm. When prompted, review the node details and then click Save to add the node.
4. Repeat step 2 and step 3 for each node you want to add to the system.
5. When you have added all of the nodes, browse to the System > Central management > Overview page. The parent node lists the child nodes and displays their current status. For more information, see Monitoring Node Status on page 216.

Importing Nodes into the System

If child node information is available in a comma separated (CSV) file, you can import it directly into the parent node.

About the CSV File

Each line in the CSV file must contain 8 fields. The fields must be separated by commas and ordered as follows:

Name,IP/hostname,Centrallogging,Monitorstatus,Centralresources,Replicationprofile,Enabled,Comment

The possible values for the fields are as follows:

Name: The node name. This field is required. Note: If the name is the same as that of a child node already in the system, the child node in the system is overwritten. A node name may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
IP/hostname: The IP or hostname of the node. This field is required.
Central logging: Determines if central logging is enabled or disabled. This field is required. Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0. Note: Do not enable this option if you want to access the child node's logs on the child node itself.
Monitor status: Determines if central monitoring is enabled or disabled. This field is required. Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0.
Central resources: Determines if resources are managed by the parent. This field is required. Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0.
Replication profile: The name of the replication profile used on the node. This field is optional and may be empty. For more information, refer to the Network Guardian Operations Guide.
Enabled: Determines if the node settings are enabled or disabled. This field is required. Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0.
Comment: A comment. This field is optional. It may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.

For full information about what the settings do, see Manually Adding Child Nodes on page 212.

Importing Node Information

The following steps explain how to import node information from a CSV file. For more information about CSV files, see About the CSV File on page 213.

To import node information from a CSV file:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Click Import CSV, browse to the file and select it. Click Import to import the contents of the file.
3. The parent node displays the contents of the file and notifies you of any errors in the file. Note: Importing settings from a CSV file will overwrite existing nodes with the same name.

4. Click Confirm to import the information in the file. The parent node imports the node information and displays it.

Editing Child Node Settings

When required, it is possible to edit child node settings.

To edit a child node's settings:
1. Browse to the System > Central management > Child nodes page, locate the node you want to edit and click Edit node.
2. Make the changes required; see Manually Adding Child Nodes on page 212 for full information about the settings.
3. Click Confirm, review the changes and then click Save to save and implement the changes.

Deleting Nodes in the System

It is possible to delete nodes that are no longer required in the system.

To delete a node:
1. On the System > Central management > Child nodes page, locate the node you want to delete and click Delete node. When prompted, click Delete to confirm the deletion.
2. Repeat the step above for any other nodes you want to delete.

Managing Nodes in a Smoothwall System

Managing nodes in a Smoothwall system entails:
- Monitoring node status
- Applying updates to nodes
- Scheduling updates for application at a specific time
- Rebooting nodes when necessary
- Disabling nodes when necessary
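Because a CSV import silently overwrites any existing node with the same name, it is worth checking the file against the field rules in About the CSV File above before uploading it. The following validator is an added example, not Smoothwall code; the node names, addresses and profile name in the sample lines are constructed for the example.

```python
"""Validate a child-node CSV file before importing it on the parent node.

Added example, not Smoothwall code. It applies the rules from the
"About the CSV File" section: exactly 8 comma-separated fields per line,
yes/on/1 or no/off/0 for the four boolean fields, the allowed character set
for Name and Comment, required fields present, and a flag when a name
repeats, since the import overwrites an existing node with the same name.
The sample lines at the bottom are constructed for this example.
"""
import csv
import io
import re

FIELDS = ["Name", "IP/hostname", "Centrallogging", "Monitorstatus",
          "Centralresources", "Replicationprofile", "Enabled", "Comment"]
BOOL_FIELDS = ["Centrallogging", "Monitorstatus", "Centralresources", "Enabled"]
TRUE_WORDS = {"yes", "on", "1"}
FALSE_WORDS = {"no", "off", "0"}
# Letters, numbers, spaces, underscores and full stops; Unicode is not supported.
NAME_RE = re.compile(r"^[A-Za-z0-9 _.]+$")       # required, so at least one char
COMMENT_RE = re.compile(r"^[A-Za-z0-9 _.]*$")    # optional, so may be empty


def parse_bool(value):
    """Map the accepted spellings to True/False; return None for anything else."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    return None


def validate_csv(text):
    """Return (nodes, errors): nodes are dicts for the importable lines,
    errors are 'line N: message' strings. A repeated name is reported but
    the line is still returned, because the import accepts it."""
    nodes, errors, seen = [], [], {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue                                 # blank line
        if len(row) != len(FIELDS):
            errors.append(f"line {lineno}: expected 8 fields, found {len(row)}")
            continue
        rec = dict(zip(FIELDS, (f.strip() for f in row)))
        bad = False
        if not NAME_RE.match(rec["Name"]):
            errors.append(f"line {lineno}: Name is required and may only contain "
                          "letters, numbers, spaces, underscores and full stops")
            bad = True
        if not rec["IP/hostname"]:
            errors.append(f"line {lineno}: IP/hostname is required")
            bad = True
        for field in BOOL_FIELDS:
            flag = parse_bool(rec[field])
            if flag is None:
                errors.append(f"line {lineno}: {field} must be yes/on/1 or "
                              f"no/off/0, got {rec[field]!r}")
                bad = True
            else:
                rec[field] = flag
        if not COMMENT_RE.match(rec["Comment"]):
            errors.append(f"line {lineno}: Comment contains unsupported characters")
            bad = True
        if bad:
            continue
        if rec["Name"] in seen:
            errors.append(f"line {lineno}: Name {rec['Name']!r} repeats line "
                          f"{seen[rec['Name']]}; the later node would overwrite "
                          "the earlier one on import")
        seen[rec["Name"]] = lineno
        nodes.append(rec)
    return nodes, errors


# Constructed sample: two good lines, then a bad boolean, a duplicate name,
# a line with only 7 fields, and a name containing a non-ASCII character.
SAMPLE_CSV = """\
Site A proxy,10.0.1.10,yes,yes,no,Branch profile,1,Main building
Site B proxy,proxy-b.example.local,off,on,0,,yes,
Site C proxy,10.0.3.10,maybe,yes,no,,yes,Bad boolean
Site A proxy,10.0.1.11,no,no,no,,yes,Duplicate name
Short line,10.0.5.10,no,no,no,yes,
Caf\u00e9 proxy,10.0.6.10,no,no,no,,yes,Unicode name
"""

if __name__ == "__main__":
    found, problems = validate_csv(SAMPLE_CSV)
    print(f"{len(found)} importable line(s), {len(problems)} problem(s)")
    for p in problems:
        print(" ", p)
```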

Monitoring Node Status

The central management node overview on the parent node displays a list of all of the nodes in the Smoothwall system. It also displays the nodes' current status and whether updates for the nodes are available.

To monitor node status:
1. On the parent node, browse to the System > Central management > Overview page. The parent node displays the current node status. Node information is contained in the following fields:
   Name: The Name field displays the name of the node. Click on the name to log in to the node.
   Status: The Status field displays the current state of the node. Click on the Status text to display detailed information about the node. For more information, see Accessing the Node Details Page on page 217. The following statuses are possible:
     OK: the node is functioning and does not require attention.
     Critical: the node requires immediate attention. Click on the node's status field for more information.
     Warning: the node does not require immediate attention but should be checked for problems. Click on the node's status field for more information.
   Updates: The Updates field enables you to schedule the application of available updates. For more information, see Scheduling and Applying Updates to One or More Nodes on page 217. Click on the Updates text to display detailed information about the node.

Accessing the Node Details Page

It is possible to view detailed information about a node by accessing the node details page.

To access a node details page:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate the node you want more information about and click on its Status text. Network Guardian displays the node details page.
3. Click on the displayed headings for more information.
4. Click Refresh node to refresh the information displayed.
5. Click Reboot node to reboot the node.

Working with Updates

You can review and apply updates to a node as they become available. You can also apply updates to one or more nodes immediately or at a later date.

Reviewing and Applying Available Updates to a Node

You can review and apply updates to a node as they become available.

To review and apply updates:
1. On the parent node, browse to the System > Central management > Overview page.
2. Click the Updates tab and then click the Status field of the node. The node details are displayed.
3. Click on the Updates line to review detailed information about the updates available. To apply the updates to the node, click Schedule update. The Schedule node update page is displayed.
4. In the Install updates area, select one of the following options:
   Now: Select to apply the updates to the node immediately.
   Later: From the drop-down list, select when you want the updates applied to the node.
5. Click Schedule update. The updates are applied to the node as specified in the previous step and the node is rebooted.

Scheduling and Applying Updates to One or More Nodes

You can apply updates to one or more nodes immediately or schedule them for application later.

To apply updates:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate and select the node(s) that require updates and click Schedule update. The Schedule node update page is displayed.

3. In the Install updates area, select one of the following options:
   Now: Select to apply the update(s) to the node(s) immediately.
   Later: From the drop-down list, select when you want the update(s) applied to the node(s).
4. Click Schedule update. The updates are applied to the node(s) as specified in the previous step and the node(s) are rebooted.

Clearing Scheduled Updates

It is possible to clear any scheduled updates.

To clear scheduled updates:
1. On the System > Central management > Overview page or the node details page, under Updates, click Clear schedule.
2. Network Guardian displays the updates that are currently scheduled. Click Clear schedule to clear the updates.

Rebooting Nodes

When required, you can reboot a child node from the system's parent node.

To reboot a child node:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate the node you want to reboot and click on the Status text. The node details are displayed.
3. Click Reboot node. The Schedule node reboot page opens. In the Reboot node area, select one of the following options:
   Now: Select to reboot the node immediately.
   Later: From the drop-down list, select when you want to reboot the node.
4. Click Schedule reboot. The node is rebooted.

Disabling Nodes

It is possible to disable nodes locally and system-wide.

Disabling Nodes Locally

You may need to work on a child node in a system and, for example, want to stop replication settings from being applied by the parent. You can do this by disabling the child node locally.

To disable a node locally:
1. On the node you want to disable, browse to the System > Central management > Local node settings page.
2. In the Local node options area, select Disable and click Save.
3. Repeat the steps above for any other nodes in the system that you want to disable.

Note: On the parent node, on the System > Central management > Overview page, nodes that have been disabled locally are listed as Node uncontactable.

Disabling Nodes System-wide

You may need to disable a child node in a system, for example, in the case of hardware failure. You can do this by disabling the child node system-wide.

To disable a node system-wide:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Locate the node you want to disable and, in its area, select Disable and click Save.
3. Repeat the steps above for any other nodes in the system that you want to disable system-wide.

Using BYOD in a Centrally Managed System

It is possible to provide a bring your own device (BYOD) service in a centrally managed Smoothwall system. In such a configuration, you can choose to have a single node, typically the parent node, receive RADIUS requests and forward them on to the other RADIUS servers, or have a number of nodes act as the RADIUS server for the network access server (NAS) for authentication requests, authorization requests, accounting packets, or a mixture of all three. For a detailed description of how to configure Network Guardian to support a BYOD service, including an example of a centrally managed implementation, refer to the Network Guardian Operations Guide.


Glossary

Numeric

2-factor authentication: The password to a token used with the token. In other words, 2-factor authentication is something you know, used together with something you have. Access is only granted when you use the two together.
3DES: A triple strength version of the DES cryptographic standard, usually using a 168-bit key.

A

Acceptable Use Policy: See AUP.
Access control: The process of preventing unauthorized access to computers, programs, processes, or systems.
Active Directory: Microsoft directory service for organizations. It contains information about organizational units, users and computers.
ActiveX*: A Microsoft reusable component technology used in many VPN solutions to provide VPN client access in a road warrior's web browser.
AES: Advanced Encryption Standard. A method of encryption selected by NIST as a replacement for DES and 3DES. AES supports key lengths of 128-bit, 192-bit and 256-bit. AES provides high security with fast performance across multiple platforms.
AH: Authentication Header. Forms part of the IPSec tunnelling protocol suite. AH sits between the IP header and datagram payload to maintain information integrity, but not secrecy.
Algorithm: In Smoothwall products, an algorithm is a mathematical procedure that manipulates data to encrypt and decrypt it.

Alias (or External Alias): In Smoothwall terminology, an alias is an additional public IP that operates as an alternative identifier of the red interface.
ARP: Address Resolution Protocol. A protocol that maps IP addresses to NIC MAC addresses.
ARP Cache: Used by ARP to maintain the correlation between IP addresses and MAC addresses.
AUP: Acceptable Use Policy. An AUP is an official statement on how an organization expects its employees to conduct e-mail messaging and Internet access on the organization's e-mail and Internet systems. The policy explains the organization's position on how its users should conduct communication within and outside of the organization, both for business and personal use.
Authentication: The process of verifying identity or authorization.

B

Bandwidth: Bandwidth is the rate at which data can be carried from one point to another. Measured in Bps (Bytes per second) or Kbps.
BIN: A binary certificate format, an 8-bit compatible version of PEM.
Buffer Overflow: An error caused when a program tries to store too much data in a temporary storage area. This can be exploited by hackers to execute malicious code.

C

CA: Certificate Authority. A trusted network entity, responsible for issuing and managing x509 digital certificates.
Certificate: A digital certificate is a file that uniquely identifies its owner. A certificate contains owner identity information and its owner's public key. Certificates are created by CAs.
Cipher: A cryptographic algorithm.
Ciphertext: Encrypted data which cannot be understood by unauthorized parties. Ciphertext is created from plain text using a cryptographic algorithm.
Client: Any computer or program connecting to, or requesting the services of, another computer or program.
Cracker: A malicious hacker.
Cross-Over Cable: A network cable with TX and RX (transmit and receive) reversed at either end to provide a direct peer-to-peer network connection.
Cryptography: The study and use of methods designed to make information unintelligible.

D

Default Gateway: The gateway in a network that will be used to access another network if a gateway is not specified for use.
Denial of Service: Occurs when a network host is flooded with large numbers of automatically generated data packets. The receiving host typically slows to a halt while it attempts to respond to each request.
DER: Distinguished Encoding Rules. A certificate format typically used by Windows operating systems.
DES: Data Encryption Standard. A historical 64-bit encryption algorithm still widely used today. DES is scheduled for official obsolescence by the US government agency NIST.
DHCP: Dynamic Host Control Protocol. A protocol for automatically assigning IP addresses to hosts joining a network.
Dial-Up: A telephone based, non-permanent network connection, established using a modem.
DMZ: Demilitarized Zone. An additional separate subnet, isolated as much as possible from protected networks.
DNS: Domain Name Service. A name resolution service that translates a domain name to an IP address and vice versa.
Domain Controller: A server on a Microsoft Windows network that is responsible for allowing host access to a Windows domain's resources.
Dynamic IP: A non-permanent IP address automatically assigned to a host by a DHCP server.
Dynamic token: A device which generates one-time passwords based on a challenge/response procedure.

E

Egress filtering: The control of traffic leaving your network.
Encryption: The transformation of plaintext into a less readable form (called ciphertext) through a mathematical process. A ciphertext may be read by anyone who has the key to decrypt it (undo the encryption).
ESP: Encapsulating Security Payload. A protocol within the IPSec protocol suite that provides encryption services for tunnelled data.
Exchange Server: A Microsoft messaging system including mail server, client and groupware applications (such as shared calendars).
Exploit: A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a system or service.

F

Filter: A filter is a collection of categories containing URLs, domains, phrases, lists of file types and replacement rules. Filters are used in policies to determine if a user should be allowed access to information or files he/she has requested using their web browser.
FIPS: Federal Information Processing Standards. See NIST.
Firewall: A combination of hardware and software used to prevent access to private network resources.

G

Gateway: A network point that acts as an entrance to another network.

H

Hacker: A highly proficient computer programmer who seeks to gain unauthorized access to systems without malicious intent.
Host: A computer connected to a network.
Hostname: A name used to identify a network host.
HTTP: Hypertext Transfer Protocol. The set of rules for transferring files on the World Wide Web.
HTTPS: A secure version of HTTP using SSL.
Hub: A simple network device for connecting networks and network hosts.

I

ICMP: Internet Control Message Protocol. One of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.
IDS: Intrusion Detection System.
IP: Internet Protocol.
IPS: Intrusion Prevention System.
IP Address: A 32-bit number that identifies each sender and receiver of network data.
IPtables: The Linux packet filtering tool used by Smoothwall to provide firewalling capabilities.

IPSec: Internet Protocol Security. An internationally recognized VPN protocol suite developed by the Internet Engineering Task Force (IETF).
IPSec Passthrough: A 'helper' application on NAT devices that allows IPSec VPN traffic to pass through.
ISP: An Internet Service Provider provides Internet connectivity.

K

Key: A string of bits used with an algorithm to encrypt and decrypt data. Given an algorithm, the key determines the mapping of plaintext to ciphertext.
Kernel: The core part of an operating system that provides services to all other parts of the operating system.
Key space: The name given to the range of possible values for a key. The key space is the number of bits needed to count every distinct key. The longer the key length (in bits), the greater the key space.

L

L2F: Layer 2 Forwarding. A VPN system, developed by Cisco Systems.
L2TP: Layer 2 Transport Protocol. A protocol based on IPSec which combines Microsoft PPTP and Cisco Systems L2F tunnelling protocols.
LAN: Local Area Network. A network between hosts in a similar, localized geography.
Leased Lines (or private circuits): A bespoke high-speed, high-capacity site-to-site network that is installed, leased and managed by a telephone company.
Lockout: A method to stop an unauthorized attempt to gain access to a computer. For example, a three-try limit when entering a password. After three attempts, the system locks out the user.

M

MAC Address: Media Access Control. An address which is the unique hardware identifier of a NIC.
MX Record: Mail exchange. An entry in a domain name database that specifies an e-mail server to handle a domain name's

N

NAT-T: Network Address Translation Traversal. A VPN Gateway feature that circumvents IPSec NAT-ing problems. It is a more effective solution than IPSec Passthrough.
NIC: Network Interface Card.
NIST: National Institute of Standards and Technology. NIST produces security and cryptography related standards and publishes them as FIPS documents.
NTP: Network Time Protocol. A protocol for synchronizing a computer's system clock by querying NTP Servers.

O

OU: An organizational unit (OU) is an object used to distinguish different departments, sites or teams in your organization.

P

Password: A protected/private string of characters, known only to the authorized user(s) and the system, used to authenticate a user as authorized to access a computer or data.
PEM: Privacy Enhanced Mail. A popular certificate format.
Perfect Forward Secrecy: A key-establishment protocol, used to secure previous VPN communications, should a key currently in use be compromised.
PFS: See Perfect Forward Secrecy.
Phase 1: Phase 1 of a 2 phase VPN tunnel establishment process. Phase 1 negotiates the security parameter agreement.
Phase 2: Phase 2 of a 2 phase VPN tunnel establishment process. Phase 2 uses the agreed parameters from Phase 1 to bring the tunnel up.
Ping: A program used to verify that a specific IP address can be seen from another.
PKCS#12: Public Key Cryptography Standards #12. A portable container file format for transporting certificates and private keys.
PKI: Public Key Infrastructure. A framework that provides for trusted third party vetting of, and vouching for, user identities, and binding of public keys to users. The public keys are typically in certificates.
Plaintext: Data that has not been encrypted, or ciphertext that has been decrypted.

Policy: Contains content filters and, optionally, time settings and authentication requirements, to determine how Network Guardian handles web content and downloads to best protect your users and your organization.
Port: A service connection point on a computer system, numerically identified between 0 and 65535. Port 80 is the HTTP port.
Port Forward: A firewall rule that routes traffic from a receiving interface and port combination to another interface and port combination. Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.
PPP: Point-to-Point Protocol. Used to communicate between two computers via a serial interface.
PPTP: Peer-to-Peer Tunnelling Protocol. A widely used Microsoft tunnelling standard deemed to be relatively insecure.
Private Circuits: See Leased Lines.
Private Key: A secret encryption key known only by its owner. Only the corresponding public key can decrypt messages encrypted using the private key.
Protocol: A formal specification of a means of computer communication.
Proxy: An intermediary server that mediates access to a service.
PSK: Pre-Shared Key. An authentication mechanism that uses a password exchange and matching process to determine authenticity.
Public Key: A publicly available encryption key that can decrypt messages encrypted by its owner's private key. A public key can be used to send a private message to the public key owner.
PuTTY: A free Windows Telnet / SSH client.

Q

QOS: Quality of Service. In relation to leased lines, QOS is a contractual guarantee of uptime and bandwidth.

R

RAS: Remote Access Server. A server which can be attached to a LAN to allow dial-up connectivity from other LANs or individual users. RAS has been largely superseded by VPNs.

RIP: Routing Information Protocol. A routing protocol which helps routers dynamically adapt to changes in network connections by communicating information about which networks each router can reach and how far away those networks are.
Road Warrior: An individual remote network user, typically a travelling worker 'on the road' requiring access to an organization's network via a laptop. Usually has a dynamic IP address.
Route: A path from one network point to another.
Routing Table: A table used to provide directions to other networks and hosts.
Rules: In firewall terminology, rules are used to determine what traffic is allowed to move from one network endpoint to another.

S

Security policy: A security policy is a collection of procedures, standards and guidelines that state in writing how an organization plans to protect its physical and information technology (IT) assets. It should include password, account and logging policies, administrator and user rights, and define what behavior is and is not permitted, by whom and under what circumstances.
Server: In general, a computer that provides shared resources to network users.
SIP: Session Initiation Protocol. A protocol for initiating, modifying, and terminating an interactive user session that involves multimedia elements such as video, voice, instant messaging, online games, and virtual reality. Commonly used in VOIP applications.
Single Sign-On (SSO): The ability to log in to multiple computers or servers in a single action by entering a single password.
Site-To-Site: A network connection between two LANs, typically between two business sites. Usually uses a static IP address.
Smart card: A device which contains the credentials for authentication to any device that is smart card-enabled.
Spam: Junk e-mail, usually unsolicited.
SQL Injection: A type of exploit whereby hackers are able to execute SQL statements via an Internet browser.
Squid: A high performance proxy caching server for web clients.
SSH: Secure Shell. A command line interface used to securely access a remote computer.
SSL: A cryptographic protocol which provides secure communications on the Internet.
SSL VPN: A VPN accessed via HTTPS from any browser (theoretically). SSL VPNs require minimal client configuration.
Strong encryption: A term given to describe a cryptographic system that uses a key so long that, in practice, it becomes impossible to break the system within a meaningful time frame.

Subnet: An identifiably separate part of an organization's network.
Switch: An intelligent cable junction device that links networks and network hosts together.
Syslog: A server used by other hosts to remotely record logging information.

T

Triple DES (3-DES) Encryption: A method of data encryption which uses three encryption keys and runs DES three times. Triple-DES is substantially stronger than DES.
Tunneling: The transmission of data intended for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.

U

User name / user ID: A unique name by which each user is known to the system.

V

VPN: Virtual Private Network. A network connected together via securely encrypted communication tunnels over a public network, such as the global Internet.
VPN Gateway: An endpoint used to establish, manage and control VPN connections.

X

X509: An authentication method that uses the exchange of CA issued certificates to guarantee authenticity.





More information

HP TippingPoint Security Management System User Guide

HP TippingPoint Security Management System User Guide HP TippingPoint Security Management System User Guide Version 4.0 Abstract This information describes the HP TippingPoint Security Management System (SMS) client user interface, and includes configuration

More information

McAfee SMC Installation Guide 5.7. Security Management Center

McAfee SMC Installation Guide 5.7. Security Management Center McAfee SMC Installation Guide 5.7 Security Management Center Legal Information The use of the products described in these materials is subject to the then current end-user license agreement, which can

More information

Mobile Device Management Version 8. Last updated: 17-10-14

Mobile Device Management Version 8. Last updated: 17-10-14 Mobile Device Management Version 8 Last updated: 17-10-14 Copyright 2013, 2X Ltd. http://www.2x.com E mail: [email protected] Information in this document is subject to change without notice. Companies names

More information

Installing and Configuring vcenter Support Assistant

Installing and Configuring vcenter Support Assistant Installing and Configuring vcenter Support Assistant vcenter Support Assistant 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0 Administration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2015-01-16 SWD-20150116150104141 Contents Introduction... 9 About this guide...10 What is BES12?...11 Key features of BES12...

More information

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide BlackBerry Enterprise Service 10 Version: 10.2 Configuration Guide Published: 2015-02-27 SWD-20150227164548686 Contents 1 Introduction...7 About this guide...8 What is BlackBerry Enterprise Service 10?...9

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

3.1 RS-232/422/485 Pinout:PORT1-4(RJ-45) RJ-45 RS-232 RS-422 RS-485 PIN1 TXD PIN2 RXD PIN3 GND PIN4 PIN5 T+ 485+ PIN6 T- 485- PIN7 R+ PIN8 R-

3.1 RS-232/422/485 Pinout:PORT1-4(RJ-45) RJ-45 RS-232 RS-422 RS-485 PIN1 TXD PIN2 RXD PIN3 GND PIN4 PIN5 T+ 485+ PIN6 T- 485- PIN7 R+ PIN8 R- MODEL ATC-2004 TCP/IP TO RS-232/422/485 CONVERTER User s Manual 1.1 Introduction The ATC-2004 is a 4 Port RS232/RS485 to TCP/IP converter integrated with a robust system and network management features

More information

Trend Micro Email Encryption Gateway 5

Trend Micro Email Encryption Gateway 5 Trend Micro Email Encryption Gateway 5 Secured by Private Post Quick Installation Guide m Messaging Security Trend Micro Incorporated reserves the right to make changes to this document and to the products

More information

F-SECURE MESSAGING SECURITY GATEWAY

F-SECURE MESSAGING SECURITY GATEWAY F-SECURE MESSAGING SECURITY GATEWAY DEFAULT SETUP GUIDE This guide describes how to set up and configure the F-Secure Messaging Security Gateway appliance in a basic e-mail server environment. AN EXAMPLE

More information

NetSpective Global Proxy Configuration Guide

NetSpective Global Proxy Configuration Guide NetSpective Global Proxy Configuration Guide Table of Contents NetSpective Global Proxy Deployment... 3 Configuring NetSpective for Global Proxy... 5 Restrict Admin Access... 5 Networking... 6 Apply a

More information

Installation Guide ARGUS Symphony 1.6 and Business App Toolkit. 6/13/2014 2014 ARGUS Software, Inc.

Installation Guide ARGUS Symphony 1.6 and Business App Toolkit. 6/13/2014 2014 ARGUS Software, Inc. ARGUS Symphony 1.6 and Business App Toolkit 6/13/2014 2014 ARGUS Software, Inc. Installation Guide for ARGUS Symphony 1.600.0 6/13/2014 Published by: ARGUS Software, Inc. 3050 Post Oak Boulevard Suite

More information

Broadband Router ESG-103. User s Guide

Broadband Router ESG-103. User s Guide Broadband Router ESG-103 User s Guide FCC Warning This equipment has been tested and found to comply with the limits for Class A & Class B digital device, pursuant to Part 15 of the FCC rules. These limits

More information

NEFSIS DEDICATED SERVER

NEFSIS DEDICATED SERVER NEFSIS TRAINING SERIES Nefsis Dedicated Server version 5.2.0.XXX (DRAFT Document) Requirements and Implementation Guide (Rev5-113009) REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER Nefsis

More information

User Guide. Cloud Gateway Software Device

User Guide. Cloud Gateway Software Device User Guide Cloud Gateway Software Device This document is designed to provide information about the first time configuration and administrator use of the Cloud Gateway (web filtering device software).

More information

http://www.trendmicro.com/download

http://www.trendmicro.com/download Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

BlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide

BlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide BlackBerry Enterprise Service 10 Universal Service Version: 10.2 Administration Guide Published: 2015-02-24 SWD-20150223125016631 Contents 1 Introduction...9 About this guide...10 What is BlackBerry

More information

Configuring PA Firewalls for a Layer 3 Deployment

Configuring PA Firewalls for a Layer 3 Deployment Configuring PA Firewalls for a Layer 3 Deployment Configuring PAN Firewalls for a Layer 3 Deployment Configuration Guide January 2009 Introduction The following document provides detailed step-by-step

More information

GFI Product Manual. Web security, monitoring and Internet access control. Administrator Guide

GFI Product Manual. Web security, monitoring and Internet access control. Administrator Guide GFI Product Manual Web security, monitoring and Internet access control Administrator Guide The information and content in this document is provided for informational purposes only and is provided "as

More information

Symantec Messaging Gateway 10.0 Installation Guide. powered by Brightmail

Symantec Messaging Gateway 10.0 Installation Guide. powered by Brightmail Symantec Messaging Gateway 10.0 Installation Guide powered by Brightmail The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of

More information

Meeting the Challenges of Web V2. Content Filtering. White Paper

Meeting the Challenges of Web V2. Content Filtering. White Paper Meeting the Challenges of Web Content Filtering White Paper SmoothWall, Meeting the Challenges of Web Content Filtering White Paper, March 2007 No part of this document may be reproduced or transmitted

More information

Product Manual. Administration and Configuration Manual

Product Manual. Administration and Configuration Manual Product Manual Administration and Configuration Manual http://www.gfi.com [email protected] The information and content in this document is provided for informational purposes only and is provided "as is" with

More information

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client Sophos UTM Remote Access via PPTP Configuring UTM and Client Product version: 9.000 Document date: Friday, January 11, 2013 The specifications and information in this document are subject to change without

More information

McAfee Web Gateway 7.4.1

McAfee Web Gateway 7.4.1 Release Notes Revision B McAfee Web Gateway 7.4.1 Contents About this release New features and enhancements Resolved issues Installation instructions Known issues Find product documentation About this

More information

Copyright 2013 Trend Micro Incorporated. All rights reserved.

Copyright 2013 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

How To Configure A Kiwi Ip Address On A Gbk (Networking) To Be A Static Ip Address (Network) On A Ip Address From A Ipad (Netware) On An Ipad Or Ipad 2 (

How To Configure A Kiwi Ip Address On A Gbk (Networking) To Be A Static Ip Address (Network) On A Ip Address From A Ipad (Netware) On An Ipad Or Ipad 2 ( UAG715 Support Note Revision 1.00 August, 2012 Written by CSO Scenario 1 - Trunk Interface (Dual WAN) Application Scenario The Internet has become an integral part of our lives; therefore, a smooth Internet

More information

HP IMC Firewall Manager

HP IMC Firewall Manager HP IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW102-20120420 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this

More information

LifeSize Control Installation Guide

LifeSize Control Installation Guide LifeSize Control Installation Guide April 2005 Part Number 132-00001-001, Version 1.0 Copyright Notice Copyright 2005 LifeSize Communications. All rights reserved. LifeSize Communications has made every

More information

Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: [email protected]

Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: info@3cx.com Manual Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: [email protected] Information in this document is subject to change without notice. Companies names and data used in examples herein are fictitious

More information

Introduction to Endpoint Security

Introduction to Endpoint Security Chapter Introduction to Endpoint Security 1 This chapter provides an overview of Endpoint Security features and concepts. Planning security policies is covered based on enterprise requirements and user

More information

Chapter 4 Customizing Your Network Settings

Chapter 4 Customizing Your Network Settings . Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the Wireless-G Router Model WGR614v9, including LAN, WAN, and routing settings. It

More information

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training McAfee Web Gateway Administration Intel Security Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction

More information

OnCommand Performance Manager 1.1

OnCommand Performance Manager 1.1 OnCommand Performance Manager 1.1 Installation and Setup Guide For Red Hat Enterprise Linux NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408) 822-4501

More information

Deploying F5 with Microsoft Active Directory Federation Services

Deploying F5 with Microsoft Active Directory Federation Services F5 Deployment Guide Deploying F5 with Microsoft Active Directory Federation Services This F5 deployment guide provides detailed information on how to deploy Microsoft Active Directory Federation Services

More information

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client. WatchGuard SSL v3.2 Release Notes Supported Devices SSL 100 and 560 WatchGuard SSL OS Build 355419 Revision Date January 28, 2013 Introduction WatchGuard is pleased to announce the release of WatchGuard

More information

Installing and Using the vnios Trial

Installing and Using the vnios Trial Installing and Using the vnios Trial The vnios Trial is a software package designed for efficient evaluation of the Infoblox vnios appliance platform. Providing the complete suite of DNS, DHCP and IPAM

More information

How to Configure Captive Portal

How to Configure Captive Portal How to Configure Captive Portal Captive portal is one of the user identification methods available on the Palo Alto Networks firewall. Unknown users sending HTTP or HTTPS 1 traffic will be authenticated,

More information

Web Application Firewall

Web Application Firewall Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks

More information

Nasuni Management Console Guide

Nasuni Management Console Guide Nasuni Management Console Guide Version 5.5 April 2014 2014 Nasuni Corporation All Rights Reserved Document Information Nasuni Management Console Guide Version 5.5 April 2014 Copyright Copyright 2010-2014

More information

User s Manual TCP/IP TO RS-232/422/485 CONVERTER. 1.1 Introduction. 1.2 Main features. Dynamic DNS

User s Manual TCP/IP TO RS-232/422/485 CONVERTER. 1.1 Introduction. 1.2 Main features. Dynamic DNS MODEL ATC-2000 TCP/IP TO RS-232/422/485 CONVERTER User s Manual 1.1 Introduction The ATC-2000 is a RS232/RS485 to TCP/IP converter integrated with a robust system and network management features designed

More information

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15 Product Manual MDM On Premise Installation Version 8.1 Last Updated: 06/07/15 Parallels IP Holdings GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 632 0411 Fax: + 41 52 672 2010 www.parallels.com

More information

fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé

fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé Internet Server FileXpress Internet Server Administrator s Guide Version 7.2.1 Version 7.2.2 Created on 29 May, 2014 2014 Attachmate Corporation and its licensors.

More information

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Version 7.2 November 2015 Last modified: November 3, 2015 2015 Nasuni Corporation All Rights Reserved Document Information Testing

More information

Cyberoam Virtual Security Appliance - Installation Guide for XenServer. Version 10

Cyberoam Virtual Security Appliance - Installation Guide for XenServer. Version 10 Cyberoam Virtual Security Appliance - Installation Guide for XenServer Version 10 Document Version 10.6.1-01/07/2014 Contents Preface... 4 Base Configuration... 4 Installation Procedure... 4 Cyberoam Virtual

More information

F-Secure Internet Gatekeeper

F-Secure Internet Gatekeeper F-Secure Internet Gatekeeper TOC F-Secure Internet Gatekeeper Contents Chapter 1: Welcome to F-Secure Internet Gatekeeper...5 1.1 Features...6 Chapter 2: Deployment...8 2.1 System requirements...9 2.2

More information

Trustwave SEG Cloud Customer Guide

Trustwave SEG Cloud Customer Guide Trustwave SEG Cloud Customer Guide Legal Notice Copyright 2015 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation

More information

1 You will need the following items to get started:

1 You will need the following items to get started: QUICKSTART GUIDE 1 Getting Started You will need the following items to get started: A desktop or laptop computer Two ethernet cables (one ethernet cable is shipped with the _ Blocker, and you must provide

More information

GRAVITYZONE HERE. Deployment Guide VLE Environment

GRAVITYZONE HERE. Deployment Guide VLE Environment GRAVITYZONE HERE Deployment Guide VLE Environment LEGAL NOTICE All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including

More information

Best Practices Revision A. McAfee Email Gateway 7.x Appliances

Best Practices Revision A. McAfee Email Gateway 7.x Appliances Best Practices Revision A McAfee Email Gateway 7.x Appliances COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Innominate mguard Version 6

Innominate mguard Version 6 Innominate mguard Version 6 Configuration Examples mguard smart mguard PCI mguard blade mguard industrial RS EAGLE mguard mguard delta Innominate Security Technologies AG Albert-Einstein-Str. 14 12489

More information

Acano solution. Virtualized Deployment R1.1 Installation Guide. Acano. February 2014 76-1025-03-B

Acano solution. Virtualized Deployment R1.1 Installation Guide. Acano. February 2014 76-1025-03-B Acano solution Virtualized Deployment R1.1 Installation Guide Acano February 2014 76-1025-03-B Contents Contents 1 Introduction... 3 1.1 Before You Start... 3 1.1.1 About the Acano virtualized solution...

More information

VMware vcenter Log Insight Getting Started Guide

VMware vcenter Log Insight Getting Started Guide VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

HP A-IMC Firewall Manager

HP A-IMC Firewall Manager HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805 Legal and notice information Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this

More information

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks Decryption Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Barracuda Web Filter Administrator s Guide

Barracuda Web Filter Administrator s Guide Barracuda Web Filter Administrator s Guide Version 4.x Barracuda Networks Inc. 3175 S. WInchester Blvd Campbell, CA 95008 http://www.barracuda.com 1 Copyright Notice Copyright 2004-2010, Barracuda Networks

More information

VMware Identity Manager Connector Installation and Configuration

VMware Identity Manager Connector Installation and Configuration VMware Identity Manager Connector Installation and Configuration VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until the document

More information

Quick Start Guide. Sendio Email System Protection Appliance. Sendio 5.0

Quick Start Guide. Sendio Email System Protection Appliance. Sendio 5.0 Sendio Email System Protection Appliance Quick Start Guide Sendio 0 Sendio, Inc. 4911 Birch St, Suite 150 Newport Beach, CA 92660 USA +949.274375 www.sendio.com QUICK START GUIDE SENDIO This Quick Start

More information

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise

More information

RealPresence Platform Director

RealPresence Platform Director RealPresence CloudAXIS Suite Administrators Guide Software 1.3.1 GETTING STARTED GUIDE Software 2.0 June 2015 3725-66012-001B RealPresence Platform Director Polycom, Inc. 1 RealPresence Platform Director

More information

Virtual Web Appliance Setup Guide

Virtual Web Appliance Setup Guide Virtual Web Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance This guide describes the procedures for installing a Virtual Web Appliance. If you are installing

More information

M86 Web Filter USER GUIDE for M86 Mobile Security Client. Software Version: 5.0.00 Document Version: 02.01.12

M86 Web Filter USER GUIDE for M86 Mobile Security Client. Software Version: 5.0.00 Document Version: 02.01.12 M86 Web Filter USER GUIDE for M86 Mobile Security Client Software Version: 5.0.00 Document Version: 02.01.12 M86 WEB FILTER USER GUIDE FOR M86 MOBILE SECURITY CLIENT 2012 M86 Security All rights reserved.

More information

Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide

Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide 9034968 Published April 2016 Copyright 2016 All rights reserved. Legal Notice Extreme Networks, Inc. reserves the right to

More information

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

Hosting more than one FortiOS instance on. VLANs. 1. Network topology Hosting more than one FortiOS instance on a single FortiGate unit using VDOMs and VLANs 1. Network topology Use Virtual domains (VDOMs) to divide the FortiGate unit into two or more virtual instances of

More information