Getting Started Guide


CensorNet Professional

Copyright CensorNet Limited, 2007-2011

This document is designed to provide information about the first time configuration and testing of the CensorNet Professional web content filtering software. Every effort has been made to make this document as complete and accurate as possible, but no warranty or fitness is implied. CensorNet Ltd does not accept any liability for poorly designed or malfunctioning networks.

CONTENTS

Getting started
  Logging in to the web control panel
  Navigation and assistance
  Product activation
    Common problems
  Cloud mode
    Downloading the URL database (CSRV)
    Common problems
  Locale settings
    Time zone
      Common problems
    Language
  Parent proxy configuration
  Web browser configuration
  Securing the network
User authentication
  Transparent Kerberos
    Configuring Transparent Kerberos authentication
    Verify that Transparent Kerberos is working
    Common problems with Transparent Kerberos
  Transparent NTLM
    Configuring transparent NTLM authentication
    Verify that NTLM authentication is working
    Common problems with NTLM
  CensorNet Active Directory Agent
    Installing the CensorNet Active Directory Agent
    Configuring the CensorNet Active Directory Agent
    Verify that user identification is working with the Active Directory Agent
  Active Directory (Kerberos)
    Configuring Active Directory (Kerberos)
    Verify that Active Directory (Kerberos) authentication is working
    Common problems
  Windows NT or SAMBA server
    Configuring Windows NT or SAMBA server authentication
    Verify that Windows NT or SAMBA server authentication is working
  Netware NDS (eDirectory)
  LDAP server authentication
  Internal authentication
    Managing user accounts
    Managing user passwords
  No user authentication
  Global user authentication settings
Active Directory integration
  Synchronising with Active Directory
    Installing the CensorNet Synchronisation Service
    Configuring the CensorNet Synchronisation Service
    Verify that the CensorNet Synchronisation Service is working
  Replicating the Active Directory structure
    Replicating by Organisational Unit (OU)
    Replicating by Primary Group
Computer identification
  Configuring the computer identification method
  MAC Address method
    Import computers automatically
    Import computers from CSV
    Common problems
  IP Address method
    Import computers automatically
  Hostname method
    Import computers automatically
SSL Intercept mode
  Enabling SSL Intercept mode
  Installing web browser SSL certificate
  Bypassing SSL intercept mode
  Completely bypass SSL web sites
  Disabling SSL intercept mode
Filtering policies
  Default policy
    The default policy explained
  Creating new policies
  Applying policies to groups of users or computers
  Global filtering modules
  Custom URL module
    Creating a Custom URL category
    Adding Custom URLs
    Custom URL Patterns
Administrators
Bypassing non-proxy-aware sites / applications
Common error messages
  The upstream proxy did not respond in time
  Unable to retrieve MAC address of the peer
  The authenticity of the web site could not be verified
  Content length exceeded
  YOUR REQUEST COULD NOT BE PROCESSED AT THIS TIME, THIS IS PROBABLY DUE TO NETWORK CONGESTION
Troubleshooting
  Single-sign-on with Transparent Kerberos prompts me to login
  Allow or block instant messaging applications
  Web sites such as YouTube no longer stream correctly
  Web pages do not load correctly (missing styles and images)
  Problem authenticating users using Apple OS X
  Intermittent access to web sites or slow web sites
Citrix notes
Summary
Technical support

GETTING STARTED

This document is designed to guide you through the steps needed to set up and configure CensorNet Professional for the first time. It is not meant to be an exhaustive reference to all the features and functionality available; this can be found within the product documentation under the HELP menu or in our online KNOWLEDGE BASE.

LOGGING IN TO THE WEB CONTROL PANEL

The CensorNet product is administered using a Web based graphical user interface, known as the CONTROL PANEL. To access the Control Panel, you will need to use a Web browser on a machine that is on the same network as the CensorNet server.

Open the Web browser, and in the address bar type:

  http://IP.OF.CENSORNET/

where IP.OF.CENSORNET is replaced with the IP address you configured for the CensorNet server, e.g. http://192.168.1.1/

You will be presented with the CONTROL PANEL LOGIN SCREEN, as shown in the figure below. The default credentials are:

  Username: admin
  Password: password

N.B. Case sensitivity is important.

NAVIGATION AND ASSISTANCE

CensorNet has been designed to be easy to use and entirely manageable from a Web browser. Navigating to the various sections of the application is achieved via the drop down menu at the top of the browser window, as shown below.

IF YOU NAVIGATE AWAY FROM A PAGE WITHOUT SAVING THE SETTINGS, THEN THE SETTINGS WILL BE LOST. AT THE BOTTOM OF EVERY PAGE THERE IS A SET OPTIONS BUTTON WHICH CAN BE USED TO SAVE CHANGES.

The product manual is integrated into the product, and from each page you can click the help icon to be taken to the relevant page of the manual based on the current page you are viewing.

Tooltips are also available next to each option and provide a quick way to understand what should be entered in the required text box. Simply roll the mouse pointer over the field name to reveal the tooltip, as shown below.

Additional help can also be found in the HELP menu, where you can access the full product manual, visit the KNOWLEDGE BASE or access the LIVE SUPPORT DESK, where you can speak to an operator in real time for assistance. See the Technical Support section for more details.

PRODUCT ACTIVATION

It is necessary to activate CensorNet with a valid license in order to start the proxy service and accept connections. You can generate an Activation Key by logging into MY ACCOUNT at www.censornet.com and choosing MANAGE ACTIVATION KEYS.

To activate the software:

1. Enter the Activation Code you created at www.censornet.com.
2. Click ACTIVATE FOR 10 DAYS. Activation can take up to 30 seconds.

Once activated, you will see the green dialogue box below, indicating that the 10 day license has been installed successfully. After a few seconds you will see the CensorNet proxy service attempting to start. As there is no local URL database installed, CensorNet will attempt to contact one of the online lookup servers.

If successful, the Filtering Proxy will change from orange to green and CLOUD MODE will be active. Please see the section on Cloud Mode below.

COMMON PROBLEMS

If the activation fails, it may be for a number of reasons:

1. The CensorNet server does not have access to the Internet. Please double check DNS and gateway settings by using the SETUP program. Refer to the Installation Guide for network configuration.
2. You have already used the activation code on a different machine. Once the activation code has been used on a particular machine, you cannot use it again on a different piece of hardware. Contact Technical Support for a new activation code.

CLOUD MODE

During the evaluation period CensorNet will operate in CLOUD MODE. This is a special mode that CensorNet uses when it does not have a locally installed copy of the URL database. When in CLOUD MODE, CensorNet will use DNS to rate URLs on the fly for every web request. For evaluation purposes this is acceptable; however, in production it is much better to cache the most frequently visited web sites in a local URL database so that the proxy only needs to connect to the cloud when it encounters a new web site for the first time.

It is possible to exit CLOUD MODE during your evaluation period by requesting to download the URL database using the link within the green dialogue box. You will be required to complete a short form with your contact details and then a username/password will be issued to you within 24 hours. The database is approximately 1GB and may take several hours to download depending on the speed of your Internet connection.

DOWNLOADING THE URL DATABASE (CSRV)

Once you receive your username and password, you will need to configure CensorNet to download the database. To do this:

1. Go to the FILTERS menu and select URL DATABASE UPDATES.
2. Set the Update Mode to DOWNLOAD ALL UPDATES.
3. Select the closest geographical download site from the Source list.
4. Enter the username and password provided to you.
5. Select an update time for daily updates to occur. It is recommended that these updates happen outside of office hours.
6. Click SET OPTIONS and then click UPDATE NOW.

You can verify that the download has started by refreshing the System Overview page. To do this, go to the SYSTEM menu, select OVERVIEW and scroll down to the URL DATABASE UPDATE SUBSCRIPTION panel, as shown below. Whilst the database is downloading please do not switch off or reboot the CensorNet server. The update status will change to IDLE when successful.

COMMON PROBLEMS

The message "Update failed" appears instead of the download status:

1. Check that the CensorNet server has Internet access; ensure DNS and gateway settings are correct. Try pinging csrv.censornet.com and if it doesn't reply, look again at the network configuration.
2. Double check the username and password entered and click UPDATE NOW again.
3. Do you have to use a parent / upstream proxy server for web access? If so, you must configure this under System -> Configuration -> Parent Proxy settings before attempting to download the database. Once configured, attempt the download again.
4. If the problem persists, try a different update Source.
5. Contact Technical Support for assistance.

The message "Download in progress" is displayed but there is no % complete: this usually happens when a parent proxy is being used, because CensorNet is unable to generate a progress counter. It is working; it just cannot tell you how much has been downloaded.

LOCALE SETTINGS

It is important to configure the locale settings for your CensorNet server. These may have been set during installation; however, you should verify they are correct and make any changes that you need to now.

TIME ZONE

Time is very important to CensorNet. Everything relies on accurate time, therefore you should verify that the date, time and time zone are correct. To do this, go to SYSTEM -> CONFIGURATION -> TIME ZONE.

Current Timezone: this is the time zone that CensorNet is currently using and is based on the time zone selected during installation. If this is incorrect, select the correct time zone from the drop down list and press Set Options.

Current Server Local Time: this is the current time and date based on the clock in the CensorNet server. It is important to check that the date and time are correct and that they stay correct. If you need to change the time, alter it here, press Set Date & Time and then monitor it to ensure the clock stays correct.

COMMON PROBLEMS

The clock keeps drifting on a virtual machine: this is common, especially on Virtual Machines which do not have the required tools installed to synchronise the virtual clock with the host machine. Please see this Knowledge Base article: http://www.censornet.com/en/kb/clock_drift_and_ntp

The clock drifts on a physical server: on some hardware there is a problem with Linux communicating with the real time clock. Please see this Knowledge Base article: http://www.censornet.com/en/kb/repeated_license_failure

LANGUAGE

CensorNet supports viewing the Web control panel in different languages. The language can be chosen when you login to the control panel, or a default language can be set for all users. To select the default language, go to SYSTEM -> CONFIGURATION -> LANGUAGE. Click SET OPTIONS to set the default language. You will need to logout and log back in for the changes to take effect.

PARENT PROXY CONFIGURATION

If there is an existing proxy server on the network or a proxy server upstream at your ISP, and you are forced to use it, then you should configure the parent proxy server on CensorNet. To do this, go to SYSTEM -> CONFIGURATION -> PARENT PROXY SETTINGS.

WEB BROWSER CONFIGURATION

NOTE: IF YOU HAVE CONFIGURED CENSORNET IN INLINE MODE IT IS NOT NECESSARY TO CONFIGURE YOUR WEB BROWSER PROXY SETTINGS. PLEASE IGNORE THIS SECTION.

In order to use the CensorNet proxy server you need to configure your web browser to use CensorNet. This is a straightforward step which you can do individually on each browser or automatically using Active Directory Group Policy or Web Proxy Auto Discovery (WPAD). For the purposes of this guide, the following steps can be followed to configure Internet Explorer to use CensorNet:

1. Start Internet Explorer.
2. Select the TOOLS menu and then INTERNET OPTIONS.
3. Click the CONNECTIONS tab and then LAN SETTINGS.
4. Tick the box to USE A PROXY SERVER and enter the CensorNet IP address in the ADDRESS field. Enter port 8080 in the PORT field.
5. Tick the box to BYPASS PROXY SERVER FOR LOCAL ADDRESSES.
6. Click the ADVANCED button.
7. Enter the IP of CensorNet into the EXCEPTIONS box.
8. Click OK, OK and OK on each dialogue box to return to the browser window.

SECURING THE NETWORK

Please review this Knowledge Base article on securing the network so that users cannot bypass the proxy: http://www.censornet.com/en/kb/enforce_proxy_use

USER AUTHENTICATION

CensorNet can identify users browsing the web, apply different policies to them and include the usernames in reports. To achieve this, you must configure a method of user authentication for CensorNet to use. The following methods are supported:

Transparent Kerberos: for networks with Windows Server 2003 and above with clients running Internet Explorer 7 or above. Transparent Kerberos is a single sign-on authentication method compatible with the latest Windows Server and Windows desktop operating systems (Vista, Windows 7). Compatible with Citrix or Terminal Services environments and SIDEWAYS mode, where you do not want users to be prompted to login when they open a Web browser.

Transparent NTLM (pre Windows Server 2003): CensorNet creates a trust relationship with the Active Directory domain controller and transparently authenticates users using the NTLM protocol. This is particularly useful in Citrix or Terminal Services networks and in SIDEWAYS mode, where you do not want users to be prompted to login when they open a Web browser. NTLM is only supported by Internet Explorer and Firefox web browsers. This authentication method is not available when operating in INLINE mode.

CensorNet Active Directory Agent: the Agent is a small piece of software that is installed on your Active Directory domain controller(s) and provides user identification between CensorNet and Active Directory. The agent runs as a system service and must be installed on all domain controllers for the domain. The agent is ideal for providing user identification when in INLINE mode; however, it is not suitable for Citrix or Terminal Services networks. For Citrix or Terminal Services please use Transparent NTLM. For further information about the agent please visit http://www.censornet.com/adagent/

Windows NT or Samba: for use with Windows NT or Samba (Linux or Apple). CensorNet will prompt for a username/password to be entered when the web browser is opened. This authentication method is not available when operating in INLINE mode.

Netware NDS (eDirectory): for use with Novell NDS or eDirectory. CensorNet will prompt for a username/password to be entered when the web browser is opened. This authentication method is not available when operating in INLINE mode.

LDAP: for use with OpenLDAP and similar directories. CensorNet will prompt for a username/password to be entered when the web browser is opened. This authentication method is not available when operating in INLINE mode.

Internal Authentication: allows you to create a list of usernames and passwords on the CensorNet server which are used to login with when a web browser is opened. Useful if you require user identification but do not have a domain controller. This authentication method is not available when operating in INLINE mode.

No User Authentication: do not require users to authenticate to access the Web.

TRANSPARENT KERBEROS

Transparent Kerberos is a single sign-on authentication method compatible with Windows Server 2003 and above. This method supersedes NTLM Authentication and is compatible with the latest Windows desktop operating systems such as Vista and Windows 7. Transparent Kerberos allows users to authenticate with CensorNet without being prompted to re-enter network login credentials.

In order to use Transparent Kerberos authentication your network needs to meet the following requirements:

o Windows Server 2003 or above.
o Internet Explorer 7 or above, Firefox 2 or above, or Safari on Mac OS X 10.4 or above on all client machines.

CONFIGURING TRANSPARENT KERBEROS AUTHENTICATION

IMPORTANT: If you have previously configured CensorNet Professional with NTLM Authentication, it is important that you remove the CensorNet machine account in Active Directory on all domain controllers before attempting to configure Transparent Kerberos. You can do this from the Windows Server by running the Active Directory Users & Computers manager and then deleting the CensorNet machine account from the Computers folder. The machine account name will be the same as the CensorNet server's hostname. To find this, login as root and type hostname to display the hostname.

To configure Transparent Kerberos, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Transparent Kerberos radio button. You will need the following information:

Server IP Address: the IP address of your Active Directory server, or of the Primary Domain Controller if there is more than one domain controller on the network.

Server Hostname: the hostname of your Active Directory server or Primary Domain Controller. This is just the name of the server, not the fully qualified domain name.

AD Domain: the fully qualified Active Directory domain name without the hostname or computer name at the beginning.

Domain Admin Username: the username of a user account on the Active Directory server with administrator privileges (member of DOMAIN\ADMINS).

Domain Admin Password: the password of the admin username specified in Domain Admin Username. The password cannot contain any special characters (e.g. % & $, etc). If your password does contain special characters and you do not wish to change it, create a new user account for CensorNet (e.g. username: censornet) and set its password to something in standard characters. AFTER CREATING THE NEW USER ACCOUNT, RESET ITS PASSWORD AGAIN TO WORK AROUND A KNOWN ISSUE WITH LINUX AND ACTIVE DIRECTORY. The new account is only required to establish the trust relationship, after which it can be removed if necessary.

Click SET OPTIONS to enable Transparent Kerberos authentication. After a few seconds, you should receive a SUCCESS message if CensorNet was able to establish a trust relationship with the Active Directory server (see below).

UPDATE WEB BROWSER PROXY SETTINGS

Transparent Kerberos requires that the proxy server address is specified with its fully qualified domain name (FQDN) rather than its IP address in the web browser proxy settings. You can find the FQDN by logging into the CensorNet server as root and typing:

  hostname -f

You should see an output similar to this:

  censornet.ad2008r2.local

In the above example censornet.ad2008r2.local is the FQDN and this should be configured in your browser proxy server settings (see Web Browser Configuration). On a network, this can be updated using a group policy object if you use Internet Explorer.
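Where browsers are configured automatically rather than by hand, the Web Browser Configuration steps above and the FQDN requirement for Transparent Kerberos can both be expressed in one proxy auto-configuration (PAC) script, which is what WPAD or a Group Policy "automatic configuration script" setting hands to the browser. The script below is an added example, not CensorNet's own code: it uses the guide's example FQDN censornet.ad2008r2.local and IP 192.168.1.1 (replace both), sends the proxy's own address DIRECT like the Exceptions entry, and bypasses plain hostnames like the "local addresses" tick box. It goes a little further than Internet Explorer's definition of "local" by also bypassing RFC 1918 and loopback addresses, which is a design choice labelled in the code. Only plain JavaScript is used (none of the PAC helper functions such as isInNet), so the same function runs unchanged in a browser's PAC engine and under Node.

```javascript
// PAC script for a CensorNet proxy deployment (added example, not CensorNet's code).
// Assumed values, taken from the guide's examples; replace for your own site.
var CENSORNET_FQDN = "censornet.ad2008r2.local"; // output of `hostname -f` on the proxy
var CENSORNET_IP = "192.168.1.1";                 // the proxy's IP address
var PROXY_PORT = 8080;                            // the port from Web Browser Configuration

// Design choice: private (RFC 1918) and loopback ranges are also sent DIRECT.
// Internet Explorer's "local addresses" only means names without a dot.
var LOCAL_RANGES = [
  /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,
  /^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/,
  /^192\.168\.\d{1,3}\.\d{1,3}$/,
  /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/
];

// True for hosts that should never go through the filtering proxy.
function isLocalHost(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;   // plain hostname, e.g. "intranet"
  if (host === "localhost") return true;
  for (var i = 0; i < LOCAL_RANGES.length; i++) {
    if (LOCAL_RANGES[i].test(host)) return true;
  }
  return false;
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // The proxy itself is reached directly (the guide's Exceptions entry).
  if (host === CENSORNET_FQDN || host === CENSORNET_IP) return "DIRECT";
  if (isLocalHost(host)) return "DIRECT";
  // Everything else goes to CensorNet, named by FQDN: the guide states that
  // Transparent Kerberos prompts for a login if the proxy is given by IP address.
  return "PROXY " + CENSORNET_FQDN + ":" + PROXY_PORT;
}
```

Serve the file as wpad.dat from a host named wpad in the domain, or point the browsers' automatic configuration script setting at it; either way, the FQDN inside it must resolve from client machines, so the nslookup check described below still applies.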

Please ensure that the FQDN can be resolved to the IP address of the CensorNet server. You can verify this by typing NSLOOKUP CENSORNET.AD2008R2.LOCAL on a client desktop machine. If it fails to resolve to the CensorNet server IP address, you will need to create a forward facing DNS record (A) on your internal DNS server (usually the primary domain controller).

VERIFY THAT TRANSPARENT KERBEROS IS WORKING

IMPORTANT: After configuring Transparent Kerberos authentication it is important that the network user logs out and logs back into the domain. This will create a new authentication token for the user. This procedure is only required once.

You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user account from the Active Directory (the "test user") and open a Web browser that is configured to use CensorNet as a proxy server (see the section on Web Browser Configuration and, if using Internet Explorer, ensure that it is using the FQDN described in the note above). Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser should not prompt the test user to login; if this happens please see Common Problems below.

If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user by going to REPORTS -> WHO'S BROWSING within the CensorNet web control panel. This will list the currently active Internet users and the test user should appear here as shown in the example below.

Click on the test user, in this case "foo", to drill-down into the recent web site visits. Here you should see the test sites that you accessed using the web browser, e.g. www.google.co.uk. If this is correct, then you should move on to Active Directory Integration for details on how to replicate your Active Directory structure within CensorNet. If you do not see any user names in the WHO'S BROWSING report then please read the section Common Problems below.

COMMON PROBLEMS WITH TRANSPARENT KERBEROS

If the trust relationship fails you will receive a FAILURE message (see below). This can happen for a number of reasons:

o The most common cause of this problem (especially when using a Virtual Appliance) is that the clock on the CensorNet server is not in sync with the clock on the Active Directory server. The two clocks must be within 5 MINUTES of each other, otherwise the Kerberos handshake will fail. The time zone should also match on both servers. For information on how to set the clock correctly please visit the Knowledge Base: http://www.censornet.com/en/kb
o If you have previously configured NTLM on this CensorNet server, you should remove the censornet machine account from all the domain controllers on the network.
o The administrator password contains special characters, e.g. å, $, _, %, ^, etc. Please change the administrator password or create a new user account with administrator privileges that does not use these characters.
o If you have created a new administrator account for CensorNet, please ensure you reset its password TWICE to work around a known issue with Linux and Active Directory.
o Please ensure that the hostname on CensorNet does not use a reserved word, such as "internet". We recommend the CensorNet hostname stays as cnadmin to avoid any conflicts.
o Ensure that the hostname of your CensorNet server is not the same as your Windows domain name.

The BROWSER HANGS whenever you try to configure Transparent Kerberos authentication:

o This can happen if there is a user or machine account with the same name as the CensorNet server in Active Directory. Please delete or rename this account and try again.

The trust relationship is SUCCESSFUL but users are prompted to login:

o Ensure that you have specified the fully qualified domain name (FQDN) in Internet Explorer's proxy server settings (see the Important Note under Verify that Transparent Kerberos is working).
o Ensure that the FQDN can be resolved from client machines. Type nslookup <FQDN> in a Command Prompt and ensure it resolves to the CensorNet IP address. If it does not, you will need to add a forward facing A record to your internal DNS server (usually the primary domain controller).
o Ensure the user logs out of the domain and logs back in again the first time Transparent Kerberos is configured.

The web browser hangs whilst trying to set up the trust relationship:

o This can happen if there is a user account with the same name as the machine account that is created by the trust relationship. Look for the name of the CensorNet machine record, delete any user accounts with the same name, then retry creating the trust relationship.

TRANSPARENT NTLM

NTLM (NT LAN Manager) is a Microsoft authentication protocol that is supported by Internet Explorer and Mozilla Firefox as a means to transparently authenticate client browsers with a server side proxy. NTLM uses the Windows logon network credentials and encodes them within each HTTP request in a 4 way handshake with the proxy server. This provides a transparent way of identifying users without requiring them to login every time a browser window is opened.

CONFIGURING TRANSPARENT NTLM AUTHENTICATION

To configure Transparent NTLM, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Transparent NTLM radio button. You will need the following information:

Server IP Address: the IP address of your Active Directory server, or of the Primary Domain Controller if there is more than one domain controller on the network.

Server Hostname: the hostname of your Active Directory server or Primary Domain Controller. This is just the name of the server, not the fully qualified domain name.

AD Domain: the fully qualified Active Directory domain name without the hostname or computer name at the beginning.

NetBIOS Domain: the short domain name, often called the Pre-Windows 2000 or workgroup style name. This is usually the first part of the Active Directory domain name (before the first dot), written in upper case.

Domain Admin Username: the username of a user account on the Active Directory server with administrator privileges (member of DOMAIN\ADMINS).

Domain Admin Password: the password of the admin username specified in Domain Admin Username. The password cannot contain any special characters (e.g. % & $, etc). If your password does contain special characters and you do not wish to change it, create a new user account for CensorNet (e.g. username: censornet) and set its password to something in standard characters. AFTER CREATING THE NEW USER ACCOUNT, RESET ITS PASSWORD AGAIN TO WORK AROUND A KNOWN ISSUE WITH LINUX AND ACTIVE DIRECTORY. The new account is only required to establish the trust relationship, after which it can be removed if necessary.

Click SET OPTIONS to enable Transparent NTLM authentication. After a few seconds, you should receive a SUCCESS message if CensorNet was able to establish a trust relationship with the Active Directory server (see below).

VERIFY THAT NTLM AUTHENTICATION IS WORKING
You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user account from the Active Directory (the "test user") and open a Web browser that is configured to use CensorNet as a proxy server (see section Web Browser Configuration). Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser should not prompt the test user to login; if it does, please see Common Problems below.

If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user by going to REPORTS -> WHO'S BROWSING within the CensorNet web control panel. This will list the currently active Internet users and the test user should appear here as shown in the example below.

Click on the test user (in this case "foo") to drill down into the recent web site visits. Here you should see the test sites that you accessed using the web browser, e.g. www.google.co.uk. If this is correct, then you should move on to Active Directory Integration for details on how to replicate your Active Directory structure within CensorNet. If you do not see any user names in the WHO'S BROWSING report then please read the section Common Problems below.

COMMON PROBLEMS WITH NTLM
If the trust relationship fails you will receive a FAILURE message (see below). This can happen for a number of reasons:
o The most common cause of this problem (especially when using a Virtual Appliance) is that the clock on the CensorNet server is not in sync with the clock on the Active Directory server. The two clocks must be within 5 MINUTES of each other, otherwise the Kerberos handshake will fail. The time zone should also match on both servers. For information on how to set the clock correctly please see the Knowledge Base: http://www.censornet.com/en/kb
o The administrator password contains special characters, e.g. å, $, _, %, ^, etc. Please change the administrator password or create a new user account with administrator privileges that does not use these characters. If you have created a new administrator account for CensorNet, please ensure you reset its password TWICE to work around a known issue with Linux and Active Directory.
o Ensure that the hostname on CensorNet does not use a reserved word, such as "internet". We recommend the CensorNet hostname stays as "censornet" to avoid any conflicts.

o Ensure that the hostname of your CensorNet server is not the same as your Windows domain name.

If the web browser prompts you to login even though the trust was successful, it is usually due to one of the following:
o The clock has drifted more than 5 minutes apart from the Active Directory clock. Please see the Common Problems section above for more detail.
o The web browser is using NTLMv2 rather than NTLMv1. This is the default on Windows Vista and Windows 7 computers. You can roll back the version of NTLM using a group policy registry edit. For further information please see: http://www.censornet.com/en/kb/windows_7_ntlm_issue

CENSORNET ACTIVE DIRECTORY AGENT
The CensorNet Active Directory Agent is a system service that sends network login credentials to CensorNet for the purposes of identifying users and computers. The software should be installed on Windows 2000, 2003 or 2008 domain controller(s) and will run as a system service with administrator rights. Currently the software supports a single domain. The CensorNet Active Directory Agent can provide user identification when CensorNet is running in Inline mode and it can also provide a faster alternative to NTLM.

NOTE: THE SERVICE IS NOT DESIGNED TO WORK IN CITRIX / TERMINAL SERVICES ENVIRONMENTS. IN THIS CASE, PLEASE CONFIGURE TRANSPARENT KERBEROS OR TRANSPARENT NTLM AS THE USER AUTHENTICATION OPTION WITHIN CENSORNET.

INSTALLING THE CENSORNET ACTIVE DIRECTORY AGENT
Please visit http://www.censornet.com/adagent/ for download and installation instructions. Please make a note of the secret key that you set during installation.

CONFIGURING THE CENSORNET ACTIVE DIRECTORY AGENT
After installing the Active Directory Agent on each of your Windows Domain Controllers you will need to configure the secret within the CensorNet server. To do this, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and enter the secret key as shown below.
The secret keys must match exactly on both the Agent and the CensorNet server for the authentication to work.
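The conditions listed under Common Problems with NTLM above (clocks within 5 minutes, no special characters in the join password, a hostname that is neither a reserved word nor the domain name, a NetBIOS name taken from the first label of the AD domain) can all be checked before pressing SET OPTIONS, and the same clock check applies to the Active Directory (Kerberos) method later in this guide. The following Python script is an added example written for this guide, not CensorNet's own code; the reserved-word list, the reading of "standard characters" as ASCII letters and digits, and the use of Unix epoch seconds for the two clocks are assumptions.

```python
"""Pre-flight checks for the Transparent NTLM / Kerberos trust described above.
Added example for this guide, not CensorNet code.  It checks the values the
guide says cause FAILURE messages: clock skew over 5 minutes, special characters
in the join password, a reserved or domain-colliding hostname.  The reserved
word list and the definition of 'standard characters' are assumptions."""
import re
import string
import time

MAX_SKEW_SECONDS = 5 * 60              # the guide: clocks within 5 MINUTES
RESERVED_HOSTNAMES = {"internet"}      # the guide names "internet"; assumed list
# The guide asks for a password in "standard characters"; assumed here to mean
# ASCII letters and digits, so anything else is flagged.
SAFE_PASSWORD_CHARS = set(string.ascii_letters + string.digits)
HOSTNAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def clock_skew_ok(appliance_epoch, dc_epoch, max_skew=MAX_SKEW_SECONDS):
    """True when the appliance and domain controller clocks (Unix epoch seconds,
    i.e. already in UTC) are within max_skew of each other.  A wrong time zone
    on either side shows up here as a skew of whole hours."""
    return abs(appliance_epoch - dc_epoch) <= max_skew


def password_special_chars(password):
    """The characters the guide would reject, sorted; [] if the password is clean."""
    return sorted({c for c in password if c not in SAFE_PASSWORD_CHARS})


def netbios_name(ad_domain):
    """The guide's usual NetBIOS Domain: first label of the AD domain, upper case."""
    return ad_domain.strip(".").split(".")[0].upper()


def hostname_problems(hostname, ad_domain):
    """Problems with the CensorNet hostname per the Common Problems list."""
    problems = []
    if not HOSTNAME_RE.match(hostname):
        problems.append("hostname is not a valid single DNS label")
    if hostname.lower() in RESERVED_HOSTNAMES:
        problems.append("hostname is a reserved word")
    if hostname.lower() in (ad_domain.lower(), netbios_name(ad_domain).lower()):
        problems.append("hostname must not equal the Windows domain name")
    return problems


def preflight(hostname, ad_domain, password, appliance_epoch, dc_epoch):
    """Every problem found; an empty list means the trust setup can be attempted."""
    problems = hostname_problems(hostname, ad_domain)
    if not clock_skew_ok(appliance_epoch, dc_epoch):
        problems.append("clock skew exceeds 5 minutes; fix NTP before retrying")
    bad = password_special_chars(password)
    if bad:
        problems.append("password contains special characters: " + "".join(bad))
    return problems


if __name__ == "__main__":
    # Constructed values: a DC clock 20 seconds ahead of the appliance clock.
    now = time.time()
    print(preflight("censornet", "corp.example.com", "Str0ngPassw0rd", now, now + 20))
```

Run it with the values you intend to enter; an empty list means none of the guide's listed failure causes apply, a non-empty list tells you what to fix first.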

Press SET OPTIONS to enable the use of the CensorNet Active Directory Agent.

VERIFY THAT USER IDENTIFICATION IS WORKING WITH THE ACTIVE DIRECTORY AGENT
On the domain controllers, use the Start menu to find and open the CENSORNET AUTHENTICATION SERVICE MONITOR. The status should show as RUNNING, as shown below:

NOTE: THE CENSORNET ACTIVE DIRECTORY AGENT ACTS AS THE PRIMARY AUTHENTICATION METHOD FOR CENSORNET. YOU CAN ALSO CONFIGURE A SECONDARY AUTHENTICATION METHOD USING ANY OF THE OTHER SUPPORTED METHODS (E.G. NTLM, LDAP, ETC). IF THE AGENT FAILS FOR ANY REASON, CENSORNET WILL FALL BACK TO THE SECONDARY METHOD OF AUTHENTICATION. PLEASE SEE THE SECTION CONFIGURING USER AUTHENTICATION FOR THE AVAILABLE SECONDARY METHODS.

ACTIVE DIRECTORY (KERBEROS)

CensorNet supports standard Kerberos authentication with Active Directory. This is useful if you require users from Active Directory to log in with a username and password when they open a web browser.

CONFIGURING ACTIVE DIRECTORY (KERBEROS)
To configure Active Directory authentication using Kerberos, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Active Directory (Kerberos) radio button. You will need the following information:

Server IP Address - This is the IP address of the primary Active Directory server on the network.
Server Hostname - This is the computer name of the primary Active Directory server. This is just the computer name and not the fully qualified domain name.
AD Domain - The full Active Directory domain name without the computer name or hostname included at the start.

Press SET OPTIONS to enable the use of Active Directory (Kerberos) authentication.

VERIFY THAT ACTIVE DIRECTORY (KERBEROS) AUTHENTICATION IS WORKING
You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user account from the Active Directory (the "test user") and open a Web browser that is configured to use CensorNet as a proxy server (see section Web Browser Configuration). Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser should prompt the test user to login (see below) and, after you enter a valid username and password, access to the Web page should be granted.

If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user by going to REPORTS -> WHO'S BROWSING within the CensorNet web control panel. This will list the currently active Internet users and the test user should appear here as shown in the example below.

Click on the test user (in this case "FOO") to drill down into the recent web site visits. Here you should see the test sites that you accessed using the web browser, e.g. www.google.co.uk.

COMMON PROBLEMS
After entering the username and password three times you receive a LOGIN FAILED message:

o The most common cause of this problem (especially when using a Virtual Appliance) is that the clock on the CensorNet server is not in sync with the clock on the Active Directory server. The two clocks must be within 5 minutes of each other, otherwise the Kerberos handshake will fail. The time zone should also match on both servers. For information on how to set the clock correctly please see: http://www.censornet.com/en/kb/clock_drift_and_ntp
o The user account on the Active Directory server has been set to "Change password on next logon". This will cause CensorNet to fail the authentication until the password has been reset.
o The username or password provided is actually incorrect.

WINDOWS NT OR SAMBA SERVER
CensorNet supports authentication with Windows NT or Samba servers using the SMB protocol. This should be used in legacy environments where Active Directory is not yet available or Samba does not support NTLM (some Linux and Apple networks).

CONFIGURING WINDOWS NT OR SAMBA SERVER AUTHENTICATION
To configure Windows NT or Samba authentication, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Windows NT or Samba Server radio button. You will need the following information:

PDC Address - This is the IP address of the Primary Domain Controller.
BDC Address - This is the IP address of the Backup Domain Controller (optional).
Domain Name - This is the Windows Domain on your network.

Click SET OPTIONS to enable Windows NT or Samba authentication.

VERIFY THAT WINDOWS NT OR SAMBA SERVER AUTHENTICATION IS WORKING
You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user account from the domain (the "test user") and open a Web browser that is configured to use CensorNet as a proxy server (see section Web Browser Configuration). Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser should prompt the test user to login (see below) and, after you enter a valid username and password, access to the Web page should be granted.

If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user by going to REPORTS -> WHO'S BROWSING within the CensorNet web control panel. This will list the currently active Internet users and the test user should appear here as shown in the example below.

Click on the test user (in this case "FOO") to drill down into the recent web site visits. Here you should see the test sites that you accessed using the web browser, e.g. www.google.co.uk.

NETWARE NDS (E-DIRECTORY)
CensorNet supports NDS authentication against a Novell Netware directory server, such as Netware 6.5. To configure Netware NDS authentication, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Netware NDS (e-directory) radio button. You will need the following information:

Server IP address - The IP address of the main Netware server used to authenticate users on your network.

Click SET OPTIONS to enable Netware NDS authentication.

LDAP SERVER AUTHENTICATION
The LDAP Server Authentication method enables the use of a vanilla (non-Active Directory) LDAP server, such as OpenLDAP, as a source for user authentication. To configure LDAP Server Authentication, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the LDAP Server Authentication radio button.

You will need the following information:

Server IP address - The address of the server running the LDAP service.
Server Port number - The port that the LDAP server is listening on. The default is port 389.
Base DN - This is the root of the directory tree, for example dc=ldap, dc=example, dc=com. You should enter the correct values for your LDAP server. Queries from the CensorNet server to your LDAP server will start from here.
Bind DN - This is an entity authorised to query the LDAP tree. All queries from CensorNet to the LDAP server will use this entity. NOTE: Ensure the Bind DN entity has suitable rights on the LDAP server.
Bind DN Password - The password associated with the Bind DN entity.
Login Attribute - This attribute within the LDAP tree specifies the username. Most Unix installations use the uid attribute, though it is possible to configure an alternate one. Consequently, CensorNet permits a choice of which attribute is to be used to define the users. NOTE: This attribute must be correct in order for CensorNet to retrieve users from the tree.
Object Class Filter - In most installations, this field can safely be left blank. It is provided for those users who have a more complex LDAP configuration.

INTERNAL AUTHENTICATION
Internal Authentication allows CensorNet to store a list of usernames and passwords to authenticate users when they attempt to browse the web. This is useful for environments where there is no central domain controller or other suitable user authentication source. When in Internal Authentication mode, CensorNet also provides a portal for users to manage their own passwords.

To configure Internal Authentication, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Internal Authentication radio button. Click SET OPTIONS to enable Internal Authentication.
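The LDAP fields above (Base DN, Bind DN, Login Attribute, Object Class Filter) together define a single user lookup: bind as the Bind DN, then search below the Base DN for the entry whose login attribute equals the name the user typed. The Python below is an added example written for this guide, not CensorNet's own query code, which the guide does not document. What it shows is the part a defender cares about: the user-supplied login name is escaped per RFC 4515 before it is placed into the search filter, so a crafted name cannot widen the search, and the optional Object Class Filter is AND-ed with the user term. Field names follow the guide; looks_like_dn is a light syntax check, not a full RFC 4514 parser.

```python
"""User lookup built from the LDAP Server Authentication fields described above.
Added example for this guide, not CensorNet code.  The login name is escaped per
RFC 4515 before it enters the filter; the Object Class Filter is AND-ed in."""
import re

# RFC 4515: these characters must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def user_search_filter(login_attribute, username, object_class_filter=""):
    """(uid=alice), or with an Object Class Filter
    (&(objectClass=inetOrgPerson)(uid=alice))."""
    if not _ATTR_RE.match(login_attribute):
        raise ValueError("Login Attribute must be an attribute name")
    user_term = "(%s=%s)" % (login_attribute, escape_filter_value(username))
    ocf = object_class_filter.strip()
    if not ocf:
        return user_term
    if not ocf.startswith("("):
        ocf = "(%s)" % ocf          # allow the bare 'objectClass=x' spelling
    return "(&%s%s)" % (ocf, user_term)


def looks_like_dn(dn):
    """True if every comma separated component is attr=value."""
    return bool(dn.strip()) and all(_RDN_RE.match(p.strip()) for p in dn.split(","))


def ldap_auth_config(server_ip, base_dn, bind_dn, bind_password,
                     login_attribute="uid", port=389, object_class_filter=""):
    """Validate the guide's settings and return them as one config record."""
    if not 0 < port < 65536:
        raise ValueError("Server Port number out of range")
    for label, dn in (("Base DN", base_dn), ("Bind DN", bind_dn)):
        if not looks_like_dn(dn):
            raise ValueError("%s is not a distinguished name: %r" % (label, dn))
    if not bind_password:
        raise ValueError("Bind DN Password is empty")
    return {
        "url": "ldap://%s:%d" % (server_ip, port),
        "bind_dn": bind_dn,             # CensorNet binds as this entity ...
        "search_base": base_dn,         # ... and searches downward from here
        "login_attribute": login_attribute,
        "object_class_filter": object_class_filter,
    }


def lookup_for(config, username):
    """(search base, filter) for one login name, ready for a subtree search."""
    return config["search_base"], user_search_filter(
        config["login_attribute"], username, config["object_class_filter"])


if __name__ == "__main__":
    # Constructed values matching the guide's Base DN example.
    cfg = ldap_auth_config("192.0.2.5", "dc=ldap, dc=example, dc=com",
                           "cn=censornet,dc=ldap,dc=example,dc=com", "bind-secret")
    print(lookup_for(cfg, "alice"))
    print(lookup_for(cfg, "*)(uid=*"))   # escaped, so it matches nothing unusual
```

The second print shows why escaping matters: without it the name "*)(uid=*" would turn a lookup for one user into a filter that matches every entry under the Base DN.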

With Internal Authentication enabled, users will be prompted to login when they open a web browser, as shown in the following screenshot.

MANAGING USER ACCOUNTS
You must create user accounts on the CensorNet server for each of the users that require access to the Internet. To create a new user account, go to OBJECTS -> USERS -> NEW USER. You will be prompted for the following information:

Username - this is a unique username for the account.
Group - this is the group that the new user account will belong to. If there are no groups defined, you will be asked to create one.
Password - this is the password for the new account.
Confirm Password - re-enter the password for the new account.

Click ADD USER to create the new user account. You should then test that you can access the Web by entering the new username and password when prompted.

To change the password or delete the user, go to OBJECTS -> USERS -> MANAGE USERS and find the username in the list of accounts, e.g.:

To delete the account, click the tick box and click COMMIT CHANGES. To move the account, select the new group from the groups drop-down list and then click COMMIT CHANGES. To change the password, click the CHANGE PASSWORD button and enter a new password.

MANAGING USER PASSWORDS
CensorNet includes a self-service password management page, which makes managing passwords easier. To access the password page, point a web browser at:

HTTP://X.X.X.X/CENSORNET/PASSWORD.PHP

where X.X.X.X is the IP address or hostname of the CensorNet server.

The password page will be displayed:

This page can be used by a user to reset their own password without needing to contact the network administrator. Note that only users who have an existing account and know their current password can use this page.

NO USER AUTHENTICATION
It is possible to configure CensorNet without any user authentication or identification at all. In this mode, filtering policies will be applied based on the computer information. The reports will not contain any user details. To enable this mode, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION, click the No User Authentication radio button and then click SET OPTIONS.

GLOBAL USER AUTHENTICATION SETTINGS
CensorNet has two global authentication settings which are enabled by default:

Multiple Login Detection - selecting this option prevents the same username from being used to browse the Internet from more than one computer at once. There is a 5 minute timeout, so after finishing a browsing session on one computer users must wait 5 minutes before browsing from another computer.

Anonymous Browsing on Inline Intercepted Connections - applies to Inline mode only. Selecting this option allows anonymous browsing, which effectively disables all the authentication options except for the CensorNet Active Directory Agent. For further information please refer to this Knowledge Base article: http://www.censornet.com/en/kb/anonymous_browsing_on_in_line_intercepted_connections
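The Multiple Login Detection rule above is easy to misread, so here is a small model of it in Python. This is an added example written for this guide, not CensorNet's implementation; treating "finished browsing" as "no request for 5 minutes" and keying sessions on whatever Computer Identification value is in use are assumptions. Times are Unix epoch seconds.

```python
"""Model of the Multiple Login Detection setting: one username may browse from
one computer at a time, and after activity stops on that computer the user must
wait 5 minutes before browsing from another.  Added example for this guide, not
CensorNet code; 'finished' is assumed to mean 'no request for 5 minutes'."""

TIMEOUT_SECONDS = 5 * 60   # the guide's 5 minute timeout


class MultipleLoginDetector:
    def __init__(self, timeout=TIMEOUT_SECONDS):
        self.timeout = timeout
        self._sessions = {}    # username -> (computer, last_seen_epoch)

    def check(self, username, computer, now):
        """Return True and record the request if it is allowed, False if the
        same username is still active on a different computer.  'computer' is
        the Computer Identification key in use (MAC, IP or hostname)."""
        session = self._sessions.get(username)
        if session is not None:
            active_computer, last_seen = session
            if active_computer != computer and now - last_seen < self.timeout:
                return False           # credential in use elsewhere: refuse
        self._sessions[username] = (computer, now)
        return True

    def active_users(self, now):
        """Usernames seen within the timeout, as the WHO'S BROWSING report lists."""
        return sorted(user for user, (_, seen) in self._sessions.items()
                      if now - seen < self.timeout)


if __name__ == "__main__":
    # Constructed sequence: 'foo' browses from one MAC, then a second MAC tries.
    detector = MultipleLoginDetector()
    print(detector.check("foo", "00:0c:29:7f:5f:6f", 0))      # True
    print(detector.check("foo", "00:02:e3:0a:8f:72", 120))    # False, within 5 min
    print(detector.check("foo", "00:02:e3:0a:8f:72", 360))    # True, timeout elapsed
```

A refused request is worth logging with both computer identities: the same username appearing on two machines inside the timeout is either a shared password or a user who moved desks, and the report above is how you tell them apart.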

ACTIVE DIRECTORY INTEGRATION
CensorNet is compatible with Active Directory running on:
o Windows 2000 Server
o Windows 2003, 2003 R2 Server
o Windows 2008, 2008 R2 (64-bit) Server

It is possible to synchronise or replicate your Active Directory structure with CensorNet.

Synchronise (Windows Server 2003 and above) - this requires the CensorNet Synchronisation Service to be installed on your domain controller; the structure of your Active Directory will be automatically imported and then kept synchronised on CensorNet. If you create, delete or move user accounts on your Active Directory, CensorNet will automatically update with the changes.
Replicate - this does not require any software to be installed on the domain controller. Replication is a manual process of importing the Active Directory structure into CensorNet. Each time a change is made to the Active Directory, you should replicate the structure within CensorNet again.

SYNCHRONISING WITH ACTIVE DIRECTORY
The CensorNet Synchronisation Service is a system service that runs on Windows Server 2003 and above. The purpose of the service is to synchronise the Active Directory structure with the CensorNet server specified during installation. With the service running, you do not need to manually update CensorNet with changes to the Active Directory (users, groups, etc). The service can synchronise based on Organisational Unit (OU) or Primary Group.

INSTALLING THE CENSORNET SYNCHRONISATION SERVICE
Please visit http://www.censornet.com/adsync/ for download and installation instructions.

CONFIGURING THE CENSORNET SYNCHRONISATION SERVICE
After installing the CensorNet Synchronisation Service on your domain controller you will need to configure a shared secret key on the CensorNet server. To do this, go to OBJECTS -> SYNCHRONISE -> WITH ACTIVE DIRECTORY and enter a secret key as shown below. The secret keys must match exactly on both the Synchronisation Service and the CensorNet server for the synchronisation to work.

Press SET OPTIONS to enable the use of the CensorNet Synchronisation Service.

On the domain controller, go to START -> ALL PROGRAMS -> CENSORNET SYNCHRONISATION MONITOR to configure the service. Enter the IP address of the CensorNet server and the shared secret key (exactly as you set it on the CensorNet server), select the domain to synchronise and the method to group users by, then press START SERVICE. If the service fails to start, check that the IP address and shared secret are correct and try again.

VERIFY THAT THE CENSORNET SYNCHRONISATION SERVICE IS WORKING
After a few seconds, the service will synchronise CensorNet with Active Directory. Please check the user manager under OBJECTS -> USERS -> MANAGE GROUPS to verify that the Active Directory structure has been synchronised. Any changes that are made to the Active Directory server will be visible within CensorNet a few seconds later. You are now ready to apply filtering policies to the group or make changes to the group name and/or its members if required.

REPLICATING THE ACTIVE DIRECTORY STRUCTURE
It is possible to replicate your Active Directory structure within CensorNet. This makes it easy to apply policies to your existing groups. If you change the structure, move users between groups or add new users to groups, you should re-synchronise with CensorNet. For automatic synchronisation please see Synchronising with Active Directory. You should configure an appropriate User Authentication method before attempting to import user and group information from Active Directory.

You can replicate your Active Directory structure based on OU or Primary Group. Most Active Directories use OU containers, so this is the most common method.

REPLICATING BY ORGANISATIONAL UNIT (OU)
Go to OBJECTS -> IMPORT -> USERS FROM ACTIVE DIRECTORY BY OU. You will be prompted to enter the following details:

Server Address - this is the IP address of the primary Active Directory server on your network.
Active Directory Domain - this is the full Active Directory domain for the network, excluding the hostname or server name of the Active Directory server.
Admin Username - this is a username that has administrator rights on the Active Directory server.
Admin Password - this is the password for the username specified in Admin Username.

Press SYNCHRONISE USER LIST to start the replication.

If the credentials have been entered correctly, CensorNet will display a list of OU groups and the users within those groups. Review the list, ensure it is correct and then press CREATE/MOVE USERS AS ABOVE. If the list is empty, try using the Import by Primary Group method instead.

You will be prompted to confirm this action, which will create new groups and users as per the structure shown above. The replication may take several seconds depending on the size and complexity of your Active Directory server. You will receive a confirmation message, like the one below, once the replication has completed.

Click CONTINUE to view the newly imported groups and users. You are now ready to apply filtering policies to the group or make changes to the group name and/or its members if required.

REPLICATING BY PRIMARY GROUP
Go to OBJECTS -> IMPORT -> USERS FROM ACTIVE DIRECTORY BY PRIMARY GROUP. You will be prompted to enter the following details:

Server Address - this is the IP address of the primary Active Directory server on your network.
Active Directory Domain - this is the full Active Directory domain for the network, excluding the hostname or server name of the Active Directory server.
Admin Username - this is a username that has administrator rights on the Active Directory server.
Admin Password - this is the password for the username specified in Admin Username.

Press SYNCHRONISE USER LIST to start the replication.

If the credentials have been entered correctly, CensorNet will display a list of Primary Groups and the users within those groups. Review the list, ensure it is correct and then press CREATE/MOVE USERS AS ABOVE. If the list is empty, try using the Import by OU method instead.

You will be prompted to confirm this action, which will create new groups and users as per the structure shown above. The replication may take several seconds depending on the size and complexity of your Active Directory server. You will receive a confirmation message, like the one below, once the replication has completed.

Click CONTINUE to view the newly imported groups and users. You are now ready to apply filtering policies to the group or make changes to the group name and/or its members if required.

COMPUTER IDENTIFICATION
CensorNet is capable of logging and filtering based on the computer credentials as well as the user credentials. A computer can be identified in a number of ways and it is worthwhile deciding on the best method to use up front, as changing the mode later will require you to import the computers again. CensorNet can identify computers in three ways:

Method                  When to use
MAC Address (default)   On a LAN when using DHCP
IP Address              On a WAN or with multiple subnets
Hostname                On a LAN/WAN with DNS to resolve computers to hostname

The COMPUTER IDENTIFICATION methods are described in detail in this section.

CONFIGURING THE COMPUTER IDENTIFICATION METHOD
To set the Computer Identification method, go to SYSTEM -> CONFIGURATION -> COMPUTER IDENTIFICATION. Press SET OPTIONS to enable the specified Identification Method.

NOTE: CHANGING THE COMPUTER IDENTIFICATION MODE WILL REMOVE ANY EXISTING COMPUTER OBJECTS FROM CENSORNET.

MAC ADDRESS METHOD
By default, CensorNet is configured to identify computers by their MAC address. In order for computer details to appear in the reports and to apply filtering rules specifically to computers, you must tell CensorNet about the computers on your network. There are two ways you can do this. The first is an automatic PROBE LAN, which will scan the entire subnet, attempt to auto-detect any computers that are connected to the network and add their MAC address and hostname. The second way is to import the computer information from a compatible file, such as CSV.

IMPORT COMPUTERS AUTOMATICALLY
You must have at least one computer group defined. To create a new group, go to OBJECTS -> COMPUTERS -> NEW GROUP.

Group Name - this should be a plain text name for the group, e.g. Computers.
Require User Authentication - Select Yes to force authentication when accessing the Internet from computers in this group (if you have enabled User Authentication, see section User Authentication). Select No if you do not require authentication for this group of computers, for example if it is a suite of guest computers or public access computers.

Click ADD GROUP to create the new computer group.

To probe the network for computer information, go to OBJECTS -> IMPORT -> COMPUTERS FROM LAN.

Scan on interface - select the network interface to use for scanning the network. If your CensorNet server has more than one NIC then you can select which one to use for the probe.
Import into group - select the group to import computer information into. All automatically discovered computers will appear in this group. Later, you can move the computers into different groups if you require different filtering rules for different groups of machines.

Click RUN PROBE to start the automatic detection. The progress bar will be shown on the screen:

NOTE: IF YOUR SUBNET IS PARTICULARLY LARGE, THE PROBE MAY TAKE A WHILE TO RUN AND MAY CAUSE AN UNEXPECTED PEAK IN NETWORK TRAFFIC.

After the probe has completed you will be able to view the computers that have been detected. Go to the OBJECTS -> COMPUTERS -> MANAGE COMPUTER page to make changes to the hostnames, MAC address information and group membership for the imported computers.

IMPORT COMPUTERS FROM CSV
CensorNet supports a number of CSV formats for importing computer information.

HOSTNAME,MAC ADDRESS - this is a simple CSV format containing the hostname and MAC address separated by a comma, one per line, without any header. E.g.

    samurai,00:0c:29:7f:5f:6f
    sword,00:02:e3:0a:8f:72

ANGRYIP - AngryIP is a free network scanner that can probe the network for connected devices and export the contents to CSV. This CSV file can be imported directly into CensorNet.

CSVDE - CSVDE is a tool provided by Microsoft to export user and computer information from Active Directory. The exported file can be imported directly into CensorNet.

COMMON PROBLEMS
The Probe LAN option does not detect all of the computers on the network - this can happen for a number of reasons:

o Ensure that all the computers are powered on and connected to the network and re-run the probe.
o If the computers do not respond to NetBIOS requests then the Probe cannot detect them. You will need to enter the hostname and MAC address manually or import them from CSV (see Import Computers from CSV).
o If the computers have a secure firewall running this may block the NetBIOS requests.

The Probe LAN takes too long - If your subnet is larger than 255.255.252.0 then we recommend that you import computer information via CSV.

IP ADDRESS METHOD
IP address mode can be used if you have a network topology consisting of multiple routers, VLANs or VPNs, or if you identify computers based on static IP addresses rather than DHCP. In order for computer information to appear in the reports you must import all or part of the subnet into CensorNet.

IMPORT COMPUTERS AUTOMATICALLY
To automatically import computer information, go to OBJECTS -> IMPORT -> COMPUTERS FROM LAN. You can import by IP address range or by subnet. This allows you to import different ranges into different groups if required. Optionally, CensorNet can attempt to resolve the IP address to a hostname using NetBIOS. If this is selected, the import will take slightly longer.

PLEASE NOTE: IF YOU TICK TO USE NETBIOS AND THE IP ADDRESS CANNOT BE RESOLVED IT WILL NOT BE ADDED TO CENSORNET.
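Because the Common Problems above steer large or firewalled networks towards the HOSTNAME,MAC ADDRESS CSV import, it is worth validating such a file before uploading it. The Python below is an added example written for this guide, not CensorNet's importer: it parses the two-column, header-less format shown under Import Computers from CSV, normalises MAC addresses to the lower-case colon form used in the guide's sample (accepting hyphenated and bare twelve-digit spellings is an assumption), and reports malformed lines, duplicate MACs and all-zero or broadcast addresses with their line numbers. The sample file is constructed: the guide's two rows plus deliberately bad lines.

```python
"""Validator for the HOSTNAME,MAC ADDRESS import format shown above.  Added
example for this guide, not CensorNet code.  Normalises MACs, rejects bad
lines, duplicates and placeholder addresses, and reports line numbers."""
import csv
import io
import re

MAC_HEX_RE = re.compile(r"^[0-9a-f]{12}$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
BOGUS_MACS = {"000000000000", "ffffffffffff"}   # never a real interface


def normalise_mac(raw):
    """Return aa:bb:cc:dd:ee:ff for any common MAC spelling, or raise ValueError."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not MAC_HEX_RE.match(digits):
        raise ValueError("not a 48-bit MAC address: %r" % raw)
    if digits in BOGUS_MACS:
        raise ValueError("placeholder MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_computer_csv(text):
    """Parse 'hostname,mac' lines.  Returns (computers, errors): computers is a
    list of (hostname, mac), errors a list of (line_number, message)."""
    computers, errors, seen = [], [], {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue                                   # blank line
        if len(row) != 2:
            errors.append((lineno, "expected hostname,mac but got %d fields" % len(row)))
            continue
        hostname, raw_mac = (cell.strip() for cell in row)
        if not HOSTNAME_RE.match(hostname):
            errors.append((lineno, "invalid hostname %r" % hostname))
            continue
        try:
            mac = normalise_mac(raw_mac)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if mac in seen:
            errors.append((lineno, "duplicate MAC %s (first seen on line %d)" % (mac, seen[mac])))
            continue
        seen[mac] = lineno
        computers.append((hostname, mac))
    return computers, errors


# Constructed sample: the guide's two rows, a blank line, then three bad lines.
SAMPLE_CSV = """samurai,00:0c:29:7f:5f:6f
sword,00:02:e3:0a:8f:72

katana,00-0C-29-7F-5F-6F
bad host,00:11:22:33:44:55
printer,ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    ok, bad = parse_computer_csv(SAMPLE_CSV)
    for hostname, mac in ok:
        print("import", hostname, mac)
    for lineno, message in bad:
        print("line %d: %s" % (lineno, message))
```

The duplicate check matters more than it looks: with MAC Address identification a second hostname on an already-imported MAC would silently make two computer objects claim the same traffic in the reports.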

Go to the OBJECTS -> COMPUTERS -> MANAGE COMPUTER page to make changes to the hostnames, IP address information and group membership for the imported computers.

HOSTNAME METHOD
The Hostname method should be used on networks with single or multiple subnets where the internal DNS servers are configured to return a hostname for each IP address on the network. If the IP address does not resolve to a hostname, CensorNet will deny access to the Internet from this computer as a security measure. In order for computer information to appear in the reports you must import all or part of the subnet into CensorNet.

IMPORT COMPUTERS AUTOMATICALLY
To automatically import computer information, go to OBJECTS -> IMPORT -> COMPUTERS FROM LAN. You can import by IP address range or by subnet. This allows you to import different ranges into different groups if required. CensorNet will attempt to resolve all IP addresses to a hostname.

NOTE: IF CENSORNET CANNOT RESOLVE THE IP ADDRESS TO A HOSTNAME IT WILL NOT IMPORT IT, AND THE COMPUTER MAY BE DENIED ACCESS TO THE INTERNET UNTIL THERE IS A VALID PTR RECORD OR YOU MANUALLY ADD THE INFORMATION TO CENSORNET.
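The Hostname method stands or falls on reverse DNS, so before importing a range it helps to know which addresses lack a PTR record and what record name would fix each one. The Python below is an added example written for this guide, not CensorNet's import code: it expands a subnet or an inclusive start-end range, reverse-resolves each address, and splits the result into computers that would import and addresses that would be left out (and, per the note above, denied Internet access). The resolver is injected so the function runs offline against a constructed PTR table; reverse_lookup() is the live variant using the system resolver.

```python
"""Import-by-range logic for the Hostname method described above.  Added example
for this guide, not CensorNet code.  Addresses without a PTR record are listed
together with the in-addr.arpa name the DNS administrator needs to create."""
import ipaddress
import socket


def reverse_lookup(ip):
    """Live PTR lookup via the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def ptr_name(ip):
    """Owner name of the PTR record for ip, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def addresses_in(spec):
    """Expand '192.0.2.0/29' (subnet; network and broadcast excluded) or
    '192.0.2.10-192.0.2.12' (inclusive range) into a list of address strings."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        if end < start:
            raise ValueError("range end precedes start")
        return [str(ipaddress.ip_address(n)) for n in range(int(start), int(end) + 1)]
    return [str(ip) for ip in ipaddress.ip_network(spec, strict=False).hosts()]


def import_by_range(spec, resolver=reverse_lookup):
    """Returns (imported, unresolved).  imported: list of (hostname, ip).
    unresolved: list of (ip, ptr_name) that the guide says will be denied
    Internet access until a PTR exists or the computer is added manually."""
    imported, unresolved = [], []
    for ip in addresses_in(spec):
        name = resolver(ip)
        if name:
            imported.append((name, ip))
        else:
            unresolved.append((ip, ptr_name(ip)))
    return imported, unresolved


# Constructed PTR table for the offline run; not real DNS data.
SAMPLE_PTR = {"192.0.2.10": "samurai.corp.example", "192.0.2.11": "sword.corp.example"}


def sample_resolver(ip):
    return SAMPLE_PTR.get(ip)


if __name__ == "__main__":
    imported, unresolved = import_by_range("192.0.2.8/29", sample_resolver)
    print("would import:", imported)
    print("needs a PTR record:", unresolved)
```

To check a real range, call import_by_range with the default resolver from a machine that uses the same internal DNS servers as the CensorNet appliance, since that is the view the appliance will have.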

SSL INTERCEPT MODE
CensorNet has the ability to intercept, decrypt and filter secure SSL web sites. This option is off by default when CensorNet is configured in SIDEWAYS mode and on by default when CensorNet is configured in INLINE mode. SSL sites can harbour web based threats such as anonymous proxy servers and malware. They are also used legitimately to transfer confidential and secure information. You should decide whether you wish to allow SSL completely with no filtering (bypass), block it completely, or allow CensorNet to intercept and filter it regardless of the type of content on the site.

ENABLING SSL INTERCEPT MODE
To enable SSL Intercept mode, go to SYSTEM -> CONFIGURATION -> SSL INTERCEPT MODE. Select Enabled and press SET OPTIONS.

INSTALLING WEB BROWSER SSL CERTIFICATE
SSL interception replaces the requested Web server certificate with a certificate signed by the CensorNet server. This causes a browser warning to appear when viewing SSL web sites. It is necessary for you to install the CensorNet root certificate authority (CA) into each of the browsers on your network to stop the browser warning from appearing. This can be achieved in one of two ways:
o Using an Active Directory group policy update to install the certificate (see Knowledge Base article)
o Manual installation

Please refer to the guide SSL Certificate Installation for detailed information and installation instructions: http://www.censornet.com/pdf/ssl-certificate-installation.pdf

BYPASSING SSL INTERCEPT MODE
If you do not want to filter any SSL web sites you can configure CensorNet to completely ignore any SSL enabled web requests (e.g. https://). This is a global setting and will apply to all users and computers. It is also possible to allow or deny SSL sites on a per policy basis; please see the section on Policies.

COMPLETELY BYPASS SSL WEB SITES
First of all, you should disable the SSL Intercept Mode. Go to SYSTEM -> CONFIGURATION -> SSL INTERCEPT MODE, select Disabled and press SET OPTIONS.

Next, you need to create a Bypass rule to ignore SSL sites. Go to FILTERS -> FILTER BYPASS MODULE -> BYPASS CATEGORIES.

WARNING: This will allow all HTTPS/SSL enabled web sites regardless of their content, which may be legitimate or harmful.

Create a new category called SSL Bypass and click ADD. Click on the category name in the EXISTING CATEGORIES list. Add the pattern ":443" (without the quotes) to the new category and press ADD URL, as shown below:

DISABLING SSL INTERCEPT MODE
Disabling SSL Intercept mode will prevent CensorNet from intercepting and filtering SSL enabled web sites. As a result, by default, CensorNet will block all SSL web sites unless you specifically allow access to them in a filtering policy. To disable SSL Intercept, go to SYSTEM -> CONFIGURATION -> SSL INTERCEPT MODE, select Disabled and press SET OPTIONS.

NOTE: If you disable SSL Intercept Mode, SSL web sites will be blocked by default unless you bypass filtering for SSL or add explicit URLs to allow in the Custom URL module.

FILTERING POLICIES CensorNet provides a powerful and granular way of filtering Web content in the form of policies. Policies are sets of rules which instruct the filtering modules to act in a certain way (ALLOW / IGNORE / BLOCK) and these policies can be applied to user groups or computer groups. The filtering modules are plug-in components that provide a specific type of filtering, e.g. URL matching, image filtering, real time classification, streaming content, etc. By building a policy, you can control what can be accessed online, by whom and at what time. Policies can operate in one of five modes. The modes decide the base functionality of the policy and, depending on the mode, can be further customised by the administrator. The five filtering modes are: OPEN An open mode policy provides unfiltered, but logged, access to the Web. CLOSED The closed mode policy prevents access to the Web. RESTRICTED The restricted mode policy creates a walled garden and only allows access to a specified list of Web sites or web site categories. FILTERED The filtered mode policy allows you to specify granular filtering rules for each of the filter modules. ADVISORY This is the same as the filtered mode but any web site that is blocked can be overridden by the user. This is a coaching mode. A policy can be applied to more than one group of users or computers, but only one policy can be active at any one time for any particular group. Combinations of policies can be scheduled to activate and deactivate at certain times during the week for a specified group. DEFAULT POLICY At least one policy must exist on the CensorNet server. CensorNet comes pre-configured with a default policy. This policy operates in the filtered mode and contains common rules, which you should use as a basis to customise to meet your exact requirements as an organisation. The default policy is meant to be an example from which you can build rules to match your requirements. 
The default policy is applied to any user or computer that does not already have a policy assigned to their group, and to any unknown user or computer trying to use CensorNet. It is a useful catch-all policy that provides the minimum level of filtering on the network.

THE DEFAULT POLICY EXPLAINED

The default policy is a good starting point to familiarise yourself with how filtering policies work within CensorNet. Go to POLICIES -> MANAGE POLICIES and click on the Default Policy entry. After a few moments, the rules will load and you will be able to make changes to the policy if you require. Under the Policy Details section there are several important configuration options for the policy, as described below.

Name: a plain text name for the policy. It is useful to give meaningful names to the policies as it makes administering them easier.

Description: a plain text description of the policy, which is useful to tell other administrators the purpose of the policy.

Colour Label: the colour that will identify the policy when you create a policy schedule.

Mode: the filtering mode that this policy will use (please see the Filtering Policies section for a description of the five modes).

If rules conflict: Web sites can be classified into more than one category by the filtering modules. If a module has conflicting block and allow rules for the same request, CensorNet uses this option to resolve the conflict. The choices are Block rules override allow rules or Allow rules override block rules.

Dynamic sites: Web sites categorised as having highly dynamic content (e.g. Google, Wikipedia) may contain unsuitable content even though they are in a legitimate category (e.g. Search Engines, Reference). Forcing the real-time analysis will attempt to block adult, obscene or explicit pages that may exist within the dynamic site even though the category they are in has been set to allow. The choices are Force real-time content analysis or URL database categories override real-time content analysis. The latter disables any real-time analysis of dynamic web sites and allows or denies the web site based only on the rules configured in the Content Classifier module, which is explained below.

Time Quota: a policy can contain a Time Quota for categories of web site that you choose. Every time you access a web site that is in a category which is part of the time quota, the remaining time is reduced. When the time quota has reached zero, access to the web sites in those categories is blocked until the next day. The quotas are reset at midnight. NOTE: The Time Quota feature only works if User Authentication is enabled, since the quota is tracked per user.

For more information on Time Quotas please see: http://www.censornet.com/en/kb/quotas_explained

The Filter modules section provides a way to set the rules for each of the filter modules that are available to the Filtered Mode policy. With the exception of the Active Image Control, the modules use categories which can be set to trigger ALLOW, BLOCK (also referred to as DENY) or IGNORE. The categories may contain lists of URLs or represent a single entity, such as a file extension.

The three triggers, ALLOW, BLOCK (also referred to as DENY) and IGNORE, instruct CensorNet what to do when it encounters a match with a category configured in the filtering module:

Allow: allow the request. Processing of the policy stops as soon as a match is triggered.
Block: block the request. Processing of the policy stops as soon as a match is triggered.
Ignore: pass the request to the next filter module and continue running the policy.

Within a policy there are six modules which can be configured:

Custom URL: The Custom URL module allows you to maintain categories of web site yourself, which override or complement those provided in the URL database. The Custom URL module uses patterns to match URLs, so you can also use it to block keywords in the URL or to match multiple addresses with a wildcard. Categories that are set to allow can also be placed into a Time Quota. For more information on Custom URL patterns please see http://www.censornet.com/en/kb/url_patterns_explained

Content Classifier: The Content Classifier allows you to specify which categories from the URL database should be matched as part of the policy and what action should be taken. There are over 70 categories, in multiple languages, which contain over 65,000,000 individual web sites. Categories that are set to allow can also be placed into a Time Quota.

File Extension Filter: The File Extension Filter contains a list of file extensions which you can control using the policy.

MIME Type Filter: The MIME Type Filter contains a list of MIME types which you can control using the policy. Setting a MIME type to allow will also allow it to stream properly through CensorNet without being cached first.

Active Image Control: The Active Image Control uses image recognition techniques to attempt to block explicit images from being displayed in the web browser.

Upload Filter: The Upload Filter inspects any HTTP POST requests for specific file types being uploaded.

When a policy is processed, the modules are executed in order from top to bottom as they appear under the Filter Modules section. This means, for example, that if a rule in the Custom URL module blocks the request, the request will not reach any of the other modules for processing. The same is true of an ALLOW match: a category allowed in an early module exempts the request from every module below it, so keep allowed categories narrow. For further information on policy parsing please see this Knowledge Base article: http://www.censornet.com/en/kb/how_are_the_policies_parsed

Any changes that you make to the policy must be confirmed by pressing the UPDATE POLICY button at the bottom of the page.

CREATING NEW POLICIES

To create a new policy, go to POLICIES -> NEW POLICY. Alternatively, you can clone an existing policy. Go to POLICIES -> MANAGE POLICIES and click on the policy to clone. Select a new COLOUR LABEL for the new policy, otherwise it will be the same as the existing one, which could cause confusion when setting up schedules, and then scroll to the bottom of the page and click the CLONE POLICY button. You will be prompted to provide a name for the new policy. Enter the new name and press enter or click OK. The policy will be cloned and the new policy will appear in the Manage Policies list. After creating a new policy you need to apply the policy to a group of users or computers.

APPLYING POLICIES TO GROUPS OF USERS OR COMPUTERS

Policies must be applied to groups in order for them to be active, with the exception of the Default Policy, which is active for any group that does not have a policy assigned to it. Assigning policies in CensorNet is straightforward. After creating your policy, decide whether you wish to apply it to a group of users or a group of computers. The method is the same for both; however, you should note that computer policies override user policies. To apply a policy, go to OBJECTS -> USERS (OR COMPUTERS) -> MANAGE GROUP. Click the SCHEDULE POLICY button for the group that you wish to apply a policy to. This will load the SCHEDULE EDITOR.

The schedule editor allows you to specify when policies will be active for the chosen group. Each small square represents a 5 MINUTE TIME PERIOD. Along the bottom of the editor is a legend which shows the policy names and their associated colours. From the POLICY PAINT BRUSH drop-down box, select the policy to apply. You can then apply the policy in a number of ways:

Draw: draw when the policy will be active using the mouse. Hover over a time period, press and hold the left mouse button, and drag the policy until it reaches the end time. The policy will be active between each start and end point on the editor. You can increase the number of time blocks each mouse press adds by using the second drop-down list; the default is 5 MINUTE BLOCKS.

Clone: clone a schedule you have drawn for a specific day by clicking the radio button to the right of the day and clicking Clone. This replicates the day's schedule on all other days.

Fill All: to apply the policy all day every day, select the policy to apply and click the Fill All button. The policy will be active 24x7 for that group.

Fill Selected: to apply the policy to a specific day of the week, click the radio button to the right of the day and click Fill Selected.

You must click UPDATE SCHEDULE for the changes to take effect. Time periods left unpainted have no policy assigned, so the Default Policy applies to the group during them (see DEFAULT POLICY).

GLOBAL FILTERING MODULES

There are three global modules that apply to all policies, which are found under the Filters menu:

Safe Search: enforces Google, Yahoo! and Bing image safe search regardless of whether the user tries to disable it in their web browser.

On-demand Anti-Virus (optional extra): powered by AVG, the anti-virus module scans web pages in real time for threats such as viruses, Trojans, spyware, etc.

Filter Bypass: a list of trusted sites that you do not ever want to filter with CensorNet. Sites in the bypass list are not logged and are not authenticated in any way, so a bypass entry removes that destination from your audit trail as well as from filtering. This list should be kept to a minimum.
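To make the scheduling and precedence rules from the APPLYING POLICIES and schedule editor sections concrete (one policy per group per 5-minute square, computer policies overriding user policies, and the Default Policy as the fallback for anything unpainted), here is an added example written for this guide. It is not CensorNet code: the in-memory grid, the string day and time keys, the group names, and the assumption that the caller already knows which user and computer groups a request belongs to are all choices made for the illustration.

```python
"""Added example written for this guide, not CensorNet code: how a request is
matched to a policy once schedules are in place.  From the guide: a group's
weekly schedule is painted in 5-minute blocks, one policy is active per group
at any instant, computer policies override user policies, and the Default
Policy applies where nothing else is assigned.  Assumed for this example: the
in-memory grid layout, string day/time keys, and that the caller already knows
which user groups and computer groups a request belongs to."""

BLOCK_MINUTES = 5
BLOCKS_PER_DAY = 24 * 60 // BLOCK_MINUTES       # 288 squares per day row
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
DEFAULT_POLICY = "Default Policy"


def block_index(hhmm):
    """'09:03' -> index of the 5-minute square containing that time."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    return (hours * 60 + minutes) // BLOCK_MINUTES


class Schedule:
    """One group's weekly grid.  None means no policy painted in that square."""

    def __init__(self):
        self.grid = {day: [None] * BLOCKS_PER_DAY for day in DAYS}

    def paint(self, policy, day, start, end):
        """Drag the paint brush from start up to (but excluding) end."""
        first, last = block_index(start), block_index(end)
        if not 0 <= first < last <= BLOCKS_PER_DAY:
            raise ValueError("start must precede end within the same day")
        for i in range(first, last):
            self.grid[day][i] = policy      # overwriting: one policy per square

    def fill_selected(self, policy, day):
        self.paint(policy, day, "00:00", "24:00")

    def fill_all(self, policy):
        for day in DAYS:
            self.fill_selected(policy, day)

    def clone(self, day):
        """Replicate one day's row onto all other days."""
        for other in DAYS:
            if other != day:
                self.grid[other] = list(self.grid[day])

    def active(self, day, hhmm):
        return self.grid[day][block_index(hhmm)]


def resolve(user_groups, computer_groups, schedules, day, hhmm):
    """Return (policy, source).  Computer groups are checked before user
    groups because computer policies override user policies; a group whose
    schedule has nothing painted for this square contributes nothing, and the
    Default Policy is the final fallback."""
    for kind, groups in (("computer", computer_groups), ("user", user_groups)):
        for group in groups:
            schedule = schedules.get(group)
            policy = schedule.active(day, hhmm) if schedule else None
            if policy is not None:
                return policy, kind + ":" + group
    return DEFAULT_POLICY, "default"


def build_sample_schedules():
    """Constructed sample: staff are filtered in office hours and open
    otherwise; kiosk computers are restricted around the clock; contractors
    only have a Monday schedule painted."""
    staff = Schedule()
    staff.fill_all("Staff Open")
    staff.paint("Staff Filtered", "Mon", "09:00", "17:30")
    staff.clone("Mon")                          # same office hours every day
    kiosks = Schedule()
    kiosks.fill_all("Kiosk Restricted")
    contractors = Schedule()
    contractors.paint("Contractor Filtered", "Mon", "09:00", "17:00")
    return {"Staff": staff, "Kiosks": kiosks, "Contractors": contractors}


if __name__ == "__main__":
    sched = build_sample_schedules()
    print(resolve(["Staff"], [], sched, "Mon", "10:00"))          # office hours
    print(resolve(["Staff"], ["Kiosks"], sched, "Mon", "10:00"))  # computer wins
    print(resolve(["Contractors"], [], sched, "Tue", "10:00"))    # nothing painted
```

The contractors case is the one worth checking on a real deployment: a group that has a schedule but nothing painted for the current square silently receives the Default Policy, which the guide describes as the minimum level of filtering, so a partially painted schedule is a gap rather than a block.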

CUSTOM URL MODULE

The Custom URL module allows you to maintain your own categories of URLs for use within filtering policies. You can create an unlimited number of categories and they can contain an unlimited number of URLs. The Custom URL module is generally used to override the categories provided in the URL database or to control access to specific URLs from within a filtering policy.

CREATING A CUSTOM URL CATEGORY

Go to FILTERS -> CUSTOM URL MODULE -> CATEGORIES. Enter the name of the new category and press ADD. The category will appear in the EXISTING CATEGORIES list, where you can click on it to start adding URLs.

ADDING CUSTOM URLS

Go to FILTERS -> CUSTOM URL MODULE -> URL MANAGER or click on a category name from the EXISTING CATEGORIES list.

NOTE: CUSTOM URLS IN CENSORNET DO NOT USE THE HTTP:// OR HTTPS:// PREFIX

Add the new URL pattern, select a category to add the URL to and then click ADD URL. At this point, the category containing the URL is just a container for the URL and does not block or allow it. To decide how the category and its URLs will be handled, the category must be activated within a filtering policy. Go to POLICIES -> MANAGE POLICIES and select a policy to use the new URL category with, e.g. the default policy. Scroll down to the CUSTOM URL MODULE and the new category will be displayed in the list.

By default the URL category is set to IGNORE. To block the URLs in the custom category change the trigger to BLOCK, or to allow the URLs change the trigger to ALLOW. If you allow a category in the Custom URL module then all URLs within the category will be allowed and no further filtering will take place, so a broad wildcard pattern in an allowed category exempts everything it matches from every module below. Scroll to the bottom of the policy page and click UPDATE POLICY to save the changes.

CUSTOM URL PATTERNS

For more information on Custom URL patterns please see this Knowledge Base article: http://www.censornet.com/en/kb/url_patterns_explained
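The following is an added example written for this guide, not CensorNet code, showing the policy parsing described in the FILTERING POLICIES section and the way a Custom URL category interacts with it: modules run top to bottom, the first ALLOW or BLOCK ends processing, IGNORE passes the request on, and the policy's "if rules conflict" option settles a module that matches both an allow and a block category. The Custom URL pattern syntax used here (a '*' wildcard, otherwise a site/path prefix match), the sample category database, the function and module names, and the choice to ALLOW a request that no module decides on are assumptions for the illustration; CensorNet's real pattern syntax is documented in the Knowledge Base article referenced above.

```python
"""Added example written for this guide, not CensorNet code: a first-match
policy evaluator that follows the processing order described in the guide.
Module ordering, the three triggers and the 'if rules conflict' option come
from the guide.  Assumptions made here: the Custom URL pattern syntax ('*' is
a wildcard, a pattern without '*' matches a site/path prefix), the sample
category database, and that a request no module decides on falls through
to ALLOW."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

ALLOW, BLOCK, IGNORE = "ALLOW", "BLOCK", "IGNORE"
BLOCK_WINS, ALLOW_WINS = "block_overrides_allow", "allow_overrides_block"


def split(url):
    """Accept URLs with or without a scheme; custom URLs carry none."""
    return urlsplit(url if "://" in url else "http://" + url)


def normalise(url):
    """Lower-case host + path (+ query): the shape custom URL patterns are
    written in, with no http:// or https:// prefix."""
    p = split(url)
    target = (p.hostname or "").lower() + (p.path or "/")
    return target + ("?" + p.query if p.query else "")


def pattern_matches(pattern, target):
    """Assumed syntax: '*' is a wildcard (avoid '?' and '[' in patterns, which
    fnmatch treats specially); otherwise the pattern is a prefix, so
    'example.com' covers the whole site but not 'example.com.evil.test'."""
    if "*" in pattern:
        return fnmatchcase(target, pattern)
    return target == pattern or target.startswith(pattern.rstrip("/") + "/")


def custom_url_module(categories):
    """Administrator-maintained categories: {name: [pattern, ...]}."""
    def classify(url):
        target = normalise(url)
        return {name for name, pats in categories.items()
                if any(pattern_matches(p, target) for p in pats)}
    return classify


def content_classifier(database):
    """Stand-in for the URL database: {hostname: {category, ...}}."""
    def classify(url):
        return set(database.get((split(url).hostname or "").lower(), ()))
    return classify


def file_extension_filter(url):
    """Each category is a single file extension, e.g. 'exe'."""
    last = split(url).path.rsplit("/", 1)[-1]
    return {last.rsplit(".", 1)[1].lower()} if "." in last else set()


def decide_module(matched, rules, conflict):
    """A site can be in several categories, so one module may hit both an
    ALLOW and a BLOCK rule; the policy's conflict option settles that.
    Categories without a rule (or set to IGNORE) never decide."""
    verdicts = {rules.get(c, IGNORE) for c in matched} - {IGNORE}
    if not verdicts:
        return None
    if verdicts == {ALLOW, BLOCK}:
        return BLOCK if conflict == BLOCK_WINS else ALLOW
    return verdicts.pop()


def evaluate(policy, url):
    """Run the modules top to bottom; the first ALLOW or BLOCK ends processing.
    Returns (verdict, name of the deciding module or None)."""
    for name, classify, rules in policy["modules"]:
        verdict = decide_module(classify(url), rules, policy["conflict"])
        if verdict is not None:
            return verdict, name
    return ALLOW, None          # nothing matched: assumed fall-through


# Constructed sample data, not a real URL database.
SAMPLE_DB = {
    "www.example.org": {"Reference"},
    "games.example.net": {"Games", "Streaming Media"},
    "news.example.com": {"News"},
}

SAMPLE_POLICY = {
    "conflict": BLOCK_WINS,
    "modules": [
        ("Custom URL", custom_url_module({
            "Trusted": ["intranet.example.local", "*.example.org/docs/*"],
            "Banned": ["*/proxy*"],                 # keyword anywhere in the URL
        }), {"Trusted": ALLOW, "Banned": BLOCK}),
        ("Content Classifier", content_classifier(SAMPLE_DB),
         {"Games": BLOCK, "Streaming Media": ALLOW, "Reference": ALLOW}),
        ("File Extension", file_extension_filter, {"exe": BLOCK}),
    ],
}

if __name__ == "__main__":
    for u in ("http://intranet.example.local/setup.exe",
              "https://games.example.net/",
              "http://news.example.com/tools/update.exe",
              "http://free.example.org/proxy?u=news.example.com"):
        print(u, "->", evaluate(SAMPLE_POLICY, u))
```

The first sample URL is the case to notice: because the intranet host is ALLOWed in the Custom URL module, the `.exe` download never reaches the File Extension Filter, exactly as the guide describes for a BLOCK match in an early module. Swapping the policy's conflict option to ALLOW_WINS flips the verdict for the games site, which sits in both a blocked and an allowed database category.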

ADMINISTRATORS

It is possible to define multiple administrator users that can log in and administer the CensorNet system. The administrator users can have different roles and be restricted to only accessing certain parts of the system. To create a new administrator, go to OBJECTS -> ADMINISTRATORS -> NEW ADMINISTRATOR. You will be required to enter:

Username: a username for the new administrator.
Password: a password for the new administrator.
Confirm: confirmation of the password for the new administrator.
Rights: select the rights that this administrator should have over the system. At least one right must be applied to the new administrator. Grant each administrator only the rights their role requires, since policy settings and the Filter Bypass list control what is filtered and logged.

BYPASSING NON-PROXY-AWARE SITES / APPLICATIONS

CensorNet is designed to filter any content that conforms to the HTTP protocol, whether that is through a web browser or a different kind of user agent. Depending on the size and complexity of your network there may be several applications that do not require filtering or will actually malfunction if there is a web filter in operation. The URIs (hostname/IP and port) for these services should be added to the CensorNet bypass list, so it is a good idea to make a note of them now in order to avoid any issues when you deploy CensorNet. The following is a non-exhaustive list of applications that should be bypassed:

Local web servers such as Intranet sites
Thin client servers such as Citrix
Application servers such as Microsoft Outlook Web Access
Trusted extranet sites
Desktop applications that use HTTP/S, e.g. GoToMeeting, WebEx

To bypass these applications, go to FILTERS -> FILTER BYPASS -> BYPASS URL MANAGER. Bypass by specific hostname/IP and port rather than by a broad wildcard, because bypassed traffic is neither filtered nor logged. Please refer to this guide on URL patterns within CensorNet: http://www.censornet.com/en/kb/url_patterns_explained

COMMON ERROR MESSAGES

THE UPSTREAM PROXY DID NOT RESPOND IN TIME

This error can occur for a number of reasons:

The DNS server that you have specified is not responding or is running slowly. Try specifying a public DNS server as the primary DNS server for CensorNet. You can alter the DNS settings by logging into the console as root, typing setup and then choosing Option 2, Network Configuration. Refer to the Installation Guide for network configuration.

You have specified a parent proxy and the details are either incorrect or the parent proxy is offline.

The parent proxy is not responding to CensorNet in time. Try an alternative parent proxy or contact Technical Support for assistance.

UNABLE TO RETRIEVE MAC ADDRESS OF THE PEER

This error occurs if you are on a network with multiple routers and subnets: MAC addresses are not carried across routers, so CensorNet cannot see the client's MAC address. Change the Computer Identification method to IP or Hostname. See the section on Computer Identification for more information.

THE AUTHENTICITY OF THE WEB SITE COULD NOT BE VERIFIED

This error can occur when SSL INTERCEPT MODE is enabled and CensorNet encounters a web site that has an invalid certificate, or a certificate that is signed by a root authority that CensorNet does not know about, e.g. an intranet certificate. The solution is to add the URL to the Filter Bypass module by going to FILTERS -> FILTER BYPASS MODULE -> BYPASS URL MANAGER. Note that a bypassed site is no longer filtered, logged or authenticated (see Filter Bypass under GLOBAL FILTERING MODULES), so limit the entry to the affected host rather than a broad pattern. For further information please refer to this Knowledge Base article: http://www.censornet.com/en/kb/the_authenticitiy_of_the_secure_web_site_could_not_be_verified

CONTENT LENGTH EXCEEDED

For further information please refer to this Knowledge Base article: http://www.censornet.com/en/kb/content_length_exceeded

YOUR REQUEST COULD NOT BE PROCESSED AT THIS TIME, THIS IS PROBABLY DUE TO NETWORK CONGESTION.

This can happen if the proxy has no Internet access and cannot connect to the cloud database servers, or if the local URL database has become corrupt. Please see the following Knowledge Base article: http://www.censornet.com/en/kb/your_request_could_not_be_processed_at_this_time_this_is_probably_due_to_ne

TROUBLESHOOTING

SINGLE-SIGN-ON WITH TRANSPARENT KERBEROS PROMPTS ME TO LOGIN

There are a number of reasons why this can happen. Please refer to the following Knowledge Base articles for a checklist of things to check:
http://www.censornet.com/en/kb/transparent_kerberos_issues
http://www.censornet.com/en/kb/using_transparent_kerberos_and_some_but_not_all_users_are_prompted_to_login

ALLOW OR BLOCK INSTANT MESSAGING APPLICATIONS

It is possible to control any application that uses the HTTP protocol using CensorNet, for example Instant Messenger applications. Please see the following Knowledge Base article for information on blocking Instant Messaging applications: http://www.censornet.com/en/kb/allow_access_to_instant_messenging_software_and_webmail_sites

WEB SITES SUCH AS YOUTUBE NO LONGER STREAM CORRECTLY

To correctly stream media content through the CensorNet proxy server, it is necessary to allow certain MIME types and URLs related to the streaming media site. Please see this Knowledge Base article for more information: http://www.censornet.com/en/kb/problem_with_streaming_media_sites_such_as_youtube

WEB PAGES DO NOT LOAD CORRECTLY, MISSING STYLES AND IMAGES

Please see this Knowledge Base article: http://www.censornet.com/en/kb/web_pages_do_not_load_correctly_missing_images_colours_and_styles

PROBLEM AUTHENTICATING USERS USING APPLE OSX

Please see this Knowledge Base article: http://www.censornet.com/en/kb/problems_with_user_authentication_on_apple_mac

INTERMITTENT ACCESS TO WEB SITES OR SLOW WEB SITES

Please see this Knowledge Base article: http://www.censornet.com/en/kb/intermittent_access_to_web_sites_or_slow_browsing_for_certain_sites

CITRIX NOTES

CensorNet is used by many organisations, of varying sizes, that have implemented Citrix or Terminal Services. To identify users within a Citrix environment, you should configure Transparent Kerberos or Transparent NTLM authentication. In addition, to allow certain Citrix servers and applications to communicate through CensorNet, you should add rules to the FILTER BYPASS module. Please see the following Knowledge Base articles for more information:
http://www.censornet.com/en/kb/citrix_port_numbers
http://www.censornet.com/en/kb/citrix_server_connections

SUMMARY

This guide has taken you through the key elements of setting up and configuring CensorNet Professional for the first time. You should now be in a position to use, test and familiarise yourself with the product and its extensive features. For further information please consult the product documentation under HELP -> HELP CONTENTS or review the Knowledge Base.

TECHNICAL SUPPORT

Telephone: +44 (0) 845 230 9592
E-mail: support@censornet.com
Live Support Desk: http://www.censornet.com/support/
Knowledge Base: http://www.censornet.com/en/kb