Virtual Appliance for VMware Server
Getting Started Guide
Revision 2.0.2

Warning and Disclaimer

This document is designed to provide information about the configuration and installation of the CensorNet Virtual Appliance (CNVA). Every effort has been made to make this document as complete and accurate as possible, but no warranty or fitness is implied. CensorNet Ltd does not accept any liability for poorly designed or malfunctioning networks.

Copyright CensorNet Limited, 2005-2009

Table of Contents

Getting Started Guide
Introduction
Requirements
Software
Hardware
Converting to other Virtual Machine Environments
Download the Virtual Appliance
Installing the Virtual Appliance
Decompressing the 7-zip Archive
Installing the Virtual Appliance
Starting the Virtual Appliance
Configuring the Virtual Appliance
Changing the default passwords
Accessing the CensorNet Control Panel
Product Activation
Common Problems
Trial Mode
Downloading the URL database
Common Problems
Configuring your web browser
Securing the Network
Bypass List
Configuring CensorNet
Technical Support

Getting Started Guide

Introduction

The CensorNet Virtual Appliance is a fully certified VMware Virtual Appliance containing the CensorNet Professional Web Filtering & Content Control software, ready to run on VMware Server, ESX, Workstation and Player.

The Virtual Appliance eliminates the need for a dedicated server to run CensorNet, allows for rapid evaluation and deployment and reduces security implications by complying with the Just Enough OS (JeOS) methodology, which ensures that only the required software is installed as part of the Virtual Appliance.

Requirements

In order to install the CensorNet Virtual Appliance you will need the following software installed on your machine. For installation instructions, please refer to the installation guide provided with each piece of software.

Software

- VMware Server*, the free virtualisation platform available from www.vmware.com
- 7-zip, a free archive compression tool available from http://www.7-zip.org/

*Note: you can use any VMware product to host the CensorNet virtual appliance; however, this document relates to using VMware Server 2.x.

Hardware

- At least 32GB of spare disk space
- At least 1GB of free memory, though 2GB is highly recommended

Converting to other Virtual Machine Environments

Even though we provide individual downloads for each type of virtual machine, you can if you wish convert this virtual appliance to another type of virtual machine using VMware Converter (available from www.vmware.com).

Please be aware that version 3.0.3 has a known issue in how whole-disk conversions of virtual machines are handled, and in some circumstances the target VMFS3 volume may transiently need free space equal to twice the size of the virtual disk being imported. This issue was just identified, and has not yet been fully characterized; this is just for your information.

Download the Virtual Appliance

You may download the Virtual Appliance from the following location:

http://www.censornet.com/evaluate

It may take several hours to download depending upon the speed of your Internet connection. Make sure you select the correct radio button when filling in the form. If you would prefer a CD to be posted to you rather than downloading the software, there are buttons on the form that allow you to request this.

Installing the Virtual Appliance

Decompressing the 7-zip Archive

Once the appliance has downloaded, find the archive on your machine and double click on it. Assuming you have 7-zip associated with 7z archives, the 7-zip archive tool will open up and display the following window:

Figure 1 The 7-zip application window

Press the Extract icon to extract the Virtual Appliance from the archive. You will be prompted to enter a location to extract the files to. Choose a suitable location as shown below:

Figure 2 The location to extract the Virtual Appliance to

When you have selected your location, click OK. The extraction process will start automatically. This can take several minutes depending on the speed of your computer and available resources. A progress bar will be displayed, as shown in Figure 3.

Figure 3 The progress window

Installing the Virtual Appliance

In order to start the Virtual Appliance you will first need to add it to your VMware Server console window. First, log in to the VMware Server Console as shown in Figure 4.

Figure 4 The VMware Server Login

The username you use should have administrative rights on your workstation. Typically it is the username you use to log in to your PC.

Note: If you don't currently use a password with your username, you will need to use the User Manager in the Control Panel to assign a password before you can log in to the VMware Infrastructure web interface.

Once you click on the Log In button you will see something similar to Figure 5 in your browser.

Figure 5 VMware Server Console

Click on the Add Virtual Machine to Inventory link under the Commands section and a new dialogue will open as shown in Figure 6.

Figure 6 Virtual Machine Inventory dialogue

By default the only inventory you will have is the standard inventory, as shown. If you installed VMware Server and accepted the default settings, this will relate to the C:\Virtual Machines directory into which you unpacked the virtual appliance.

If the standard datastore does not map to where you unpacked the virtual appliance you can create additional datastores. Just use the Add datastore link on the main page to map the relevant directory to a new store.

We will assume you don't need that level of complexity, and so you should be able to select the Virtual Machine file and press OK to load the settings into VMware Server Console, as shown in Figure 7 below.

Figure 7 The CensorNet Appliance loaded into the VMware Console

Starting the Virtual Appliance

To start the CensorNet Virtual Appliance, press the Power On link under the Commands pane. The Virtual Appliance will start up. If you wish to keep an eye on it as it boots you should select the Console tab as shown in Figure 8 below.

Figure 8 The console tab

Click anywhere in the console tab to open a virtual console. Figure 9 shows the open console during the boot sequence; the boot will normally be well underway by the time the window opens.

Figure 9 The CensorNet Appliance is booting

Note: As you can see from the screenshot, there is a protocol error in mounting a filesystem. This is normal and is a benign error.

Figure 9a The CensorNet Appliance startup sequence

Once the Virtual Appliance has finished loading, you will be presented with the setup screen, as shown below.

Figure 9b The setup screen

Hit Enter on your keyboard, and you will be presented with the Change Password dialog box. This will allow you to set the root password for your CensorNet server.

Figure 9c The password screen

Configuring the Virtual Appliance

In order to deploy the CensorNet Virtual Appliance on your network it is necessary to configure the network settings. You will be presented with the Welcome Screen as shown in Figure 11.

Note: If at any point you need to reconfigure the network, type setup at the prompt to start the CensorNet Configuration Tool.

Figure 11 The CensorNet Configuration Tool welcome screen

Press the Enter key to view the main menu, as shown in Figure 12 below.

Figure 12 The main menu

Press the Enter key again to select 1. Network Configuration. This will display the default IP address settings of the Virtual Appliance, shown in Figure 13. If these are correct, you may choose Exit now and skip to the next section. If you need to alter the default settings, press Enter again to change the IP Address.

Figure 13 The default Virtual Appliance network settings

If the Virtual Appliance has access to more than one network card, the interface names will be presented in a list as shown in Figure 14. By default, there is only one, eth0; press Enter to configure it.

Figure 14 The network interface list

You will have the choice to use a static or dynamic (DHCP) address for the CensorNet Virtual Appliance. We strongly recommend that you configure a static IP address for your CensorNet Appliance.

Figure 15 Choose the type of IP address assignment

Press Enter to select a Static IP address. You will then need to specify the IP address and Subnet Mask, as shown in Figure 16.

Figure 16 Specify an IP address and Subnet Mask

Choose OK to save the settings and you will be returned to the Network Configuration menu, shown in Figure 13. Use the down arrow key to select 2. DNS & Gateway Settings and press Enter. You will be presented with the DNS & Gateway Settings dialog, as shown in Figure 17 below.

Figure 17 DNS & Gateway Settings

IMPORTANT: It is extremely important that you specify a valid DNS server and Gateway address. If CensorNet is unable to contact a valid DNS server then it will not function correctly. Please contact your network administrator for the correct DNS and Gateway settings on your network.

Press OK to save the changes and return to the Network Configuration menu. Choose Exit to return to the Main Menu. Choose Exit again to return to the command line.

Changing the default passwords

It is important that you change the default passwords for your CensorNet Virtual Appliance. To do this, choose Option 4 from the main menu and you will be presented with a menu similar to that shown in Figure 18 below.

Figure 18 The password menu

Note: You will always have the option to change the root password; you may or may not have a system user password entry.

Choose option 1 and heed the warning shown in Figure 19.

Figure 19 Heed the warning

Press RETURN and then fill in the fields on the following screen (Figure 20).

Figure 20 Fill in the password fields

Fill in the password in the first field and confirm it in the second. You will only see asterisks displayed.

IMPORTANT: Please choose a strong password, such as a mixture of 8 letters and numbers. Do not forget or lose the root password.

Once you have filled in the password, select OK and a new password will be set. If you have a system user you can change its password in a similar way.

Accessing the CensorNet Control Panel

Apart from initial Network Configuration, CensorNet is configured and managed using a Web based Graphical User Interface known as the Control Panel.

To access the Control Panel, you will need to use a Web browser on a machine that is on the same network as the Virtual Appliance. Open the Web browser, and in the address bar type:

http://ip.of.censornet/censornet/

where ip.of.censornet is replaced with the IP address you configured for the Virtual Appliance, e.g. http://192.168.1.1/censornet/

You will be presented with the Control Panel Login screen, as shown in Figure 21 below. The default credentials are:

Username: admin
Password: password

N.B. Case sensitivity is important.

Figure 21 The Control Panel Login screen

Product Activation

It is necessary to activate CensorNet with a valid license in order to start the proxy service and accept connections. You can activate the CensorNet software for 10 days (this can be extended if necessary) by using the activation code that was issued to you when you downloaded the software. If you have lost the activation code, please contact Technical Support.

To activate the software:

1. Enter the Activation Code which was issued to you when you downloaded the software.
2. Click the Activate for 10 days button. Activation can take up to 30 seconds.

Once activated, you will see the green dialogue box below, indicating that the 10 day license has been installed successfully.

After a few seconds you will see the CensorNet Filtering Proxy service attempting to start. As there is no local URL database installed, CensorNet will attempt to contact one of the online lookup servers.

If successful, the Filtering Proxy will change from orange to green and Trial Mode will be active. Please see the section on Trial Mode below.

Common Problems

If the activation fails, it may be for a number of reasons:

1. The CensorNet server does not have access to the Internet. Please double check DNS and gateway settings by using the setup program.
2. You have already used the Activation Code on a different machine. Once the Activation Code has been used on a particular machine, you cannot use it again on a different piece of hardware.

Activation is successful but you receive the error "Unable to establish an outbound connection to csrv.censornet.com on port 2200". Please see this Knowledge Base article.

Trial Mode

During the evaluation period CensorNet will operate in Trial Mode. This is a special mode that CensorNet uses when it does not have a locally installed copy of the URL database. When in Trial Mode, CensorNet will connect to the nearest online database server and use that instead. As a result, during Trial Mode web access may seem delayed by 1-3 seconds due to each web request being passed to one of the online servers.

It is possible to exit Trial Mode during your evaluation period by requesting to download the URL database using the link displayed on the System Overview page. You will be required to complete a short form with your contact details and then a username/password will be issued to you within 24hrs.

The database is 2.5GB and may take several hours to download depending on the speed of your Internet connection. If you require the database on DVD please contact Technical Support. At least 2GB of RAM is required (preferably 4GB for larger networks) in order for the database to run effectively.

Please see the section Downloading the URL database for instructions on how to download the database.

Downloading the URL database

Once you receive your username and password, you will need to configure CensorNet to download the database. To do this:

1. Go to the Filters menu and select URL Database Updates.
2. Set the Update Mode to Download all updates.
3. Select the closest geographical download site from the Source list.
4. Enter the username and password provided to you.
5. Select an update time for daily updates to occur. It is recommended that these updates happen outside of office hours.
6. Click Set Options and then click Update Now.

You can verify that the download has started by refreshing the System Overview page. To do this, go to the System menu and then select Overview and scroll down to the URL Database Status panel.

Whilst the database is downloading please do not switch off or reboot the CensorNet server. The Update Status will change to "Database update complete" when successful.

Common Problems

The message "Update failed" appears instead of the download status.

1. Check that the CensorNet server has Internet access; ensure DNS and gateway settings are correct. Try pinging csrv.censornet.com and if it doesn't reply, look again at the network configuration.
2. Double check the username and password entered and click Update Now again.
3. Do you have to use a parent / upstream proxy server for web access? If so, you must configure this under System -> Configuration -> Parent Proxy settings before attempting to download the database. Once configured, attempt the download again.
4. If the problem persists, try a different update Source.
5. Contact Technical Support for assistance.

The message "Download in progress" is displayed but there is no % complete.

This usually happens when a parent proxy is being used because CensorNet is unable to generate a progress counter. It is working; it just cannot tell you how much has been downloaded.

Configuring your web browser

NOTE: If you have configured CensorNet in inline mode it is not necessary to configure your web browser proxy settings. Please ignore this section.

In order to use the CensorNet proxy server you need to configure your web browser to use CensorNet. This is a straightforward step which you can do individually on each browser or automatically using Active Directory Group Policy or Web Proxy Auto Discovery (WPAD).

For the purposes of this guide, the following steps can be followed to configure Internet Explorer to use CensorNet.

1. Start Internet Explorer.
2. Select the Tools menu and then Internet Options.
3. Click the Connections tab and then LAN Settings.
4. Tick the box to Use a proxy server and enter the CensorNet IP address into the Address field. Enter port 8080 into the Port field.
5. Tick the box to Bypass proxy server for local addresses.
6. Click the Advanced button.
7. Enter the IP of CensorNet into the Exceptions box.
8. Click OK, OK and OK on each dialogue box to return to the browser window.

Example Internet Explorer proxy settings

9. Attempt to browse the web as normal.
10. Attempt to visit a site blocked by the Default filtering policy, e.g. www.porn.com. If everything is working correctly you will see the CensorNet Access Denied page.

Securing the Network

Please review this article on securing the network so that users cannot bypass the proxy:

http://wiki.censornet.com/foswiki/bin/view/main/enforceproxyuse

Bypass List

CensorNet is designed to filter any content that conforms to the HTTP protocol, whether that is through a web browser or a different kind of user agent. Depending on the size and complexity of your network there may be several applications that do not require filtering or will actually malfunction if there is a web filter in operation. The URIs (hostname/IP and port) for these services should be added to the CensorNet bypass list under Filters -> Filter Bypass -> URL Manager to avoid any issues.

The following is a non-exhaustive list of applications that should be bypassed:

- Local web servers such as Intranet sites
- Thin client servers such as Citrix
- Application servers such as Microsoft Outlook Web Access
- Trusted extranet sites
- Desktop applications that use HTTP/S, e.g. GoToMeeting, WebEx
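
The manual Internet Explorer settings from "Configuring your web browser" (proxy on port 8080, bypass for local addresses, the CensorNet IP as an exception) can also be expressed as a proxy auto-config (PAC) file, the format distributed by WPAD or Group Policy. The file below is an added example, not part of the CensorNet product or this guide; it assumes the guide's example address 192.168.1.1, and the loopback rule is an extra assumption.

```javascript
// Added example (not CensorNet's own file): PAC equivalent of the manual
// Internet Explorer settings. Written in ES5 because PAC engines are often old.
var CENSORNET_IP = "192.168.1.1"; // the guide's example address; use your own
var CENSORNET_PORT = 8080;        // proxy port given in the guide
var EXCEPTIONS = [CENSORNET_IP];  // step 7: hosts the browser reaches directly

// Convert a dotted-quad IPv4 literal to an integer, or null if it is not one.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) { return null; }
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) { return null; }
    n = n * 256 + octet;
  }
  return n;
}

// True for literal addresses in 127.0.0.0/8 (assumption: loopback is never filtered).
function isLoopback(host) {
  var n = ipv4ToInt(host);
  return n !== null && Math.floor(n / 16777216) === 127;
}

// Entry point that a PAC-aware browser calls for every request.
function FindProxyForURL(url, host) {
  host = String(host).toLowerCase().replace(/\.$/, "");
  // Step 5, "Bypass proxy server for local addresses": names without a dot.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) { return "DIRECT"; }
  if (isLoopback(host)) { return "DIRECT"; }
  for (var i = 0; i < EXCEPTIONS.length; i++) {
    if (host === EXCEPTIONS[i]) { return "DIRECT"; }
  }
  // Deliberately no "; DIRECT" fallback: if the filter is unreachable the
  // request fails instead of going out unfiltered.
  return "PROXY " + CENSORNET_IP + ":" + CENSORNET_PORT;
}
```

A PAC file only steers browsers that honour it, so the measures referred to under Securing the Network are still needed to stop users bypassing the proxy.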

Configuring CensorNet

Please click the Help Contents link from the Help menu within the CensorNet Control Panel to review the Configuration & User Guide.

Technical Support

If you require help installing, configuring or activating the CensorNet Virtual Appliance please contact our Technical Support department in the following ways.

Live Support: http://www.censornet.com/support
Telephone: +44 (0) 845 230 9592
E-mail: support@censornet.com
Knowledge Base: http://wiki.censornet.com