User Guide. Hosted Web Security. Copyright CensorNet Limited, 2007-2012

User Guide Hosted Web Security Copyright CensorNet Limited, 2007-2012 This document is designed to provide information about the first time configuration and administrator use of the Hosted Web Security (cloud based web filtering). Every effort has been made to make this document as complete and accurate as possible, but no warranty or fitness is implied. CensorNet Ltd does not accept any liability for poorly designed or malfunctioning networks. 1

CONTENTS Basics... 3 Getting started with Cloud Link installation... 3 Getting started with web console functionality... 10 Home... 10 Account... 12 Custom Filters... 14 Policies... 16 Policy Schedule... 21 Users & Groups... 23 Reports... 27 Unblocks... 30 Status... 32 Technical support... 33 2

BASICS Hosted Web Security is a web content filtering service hosted in the cloud that enables you to quickly and effectively centrally manage web access for fixed or mobile computers (and any windows based device). You are able to define rules which allow or deny web access based on conditions such as time, user, group, domain or category. Hosted Web Security is a SaaS (Software-as-a-Service) product. This method of delivery means there is no need to install hardware on the local network. The product is hosted in data centres on the Internet and the management of the product takes place by logging into www.cloudwebfiltering.com Software Requirements: Windows XP, 2000 Windows Vista, Windows 7 32-bit or 64-bit Web Console: Internet Explorer 9 and above Firefox 10 and above Chrome 11 and above For more details about this product, please visit www.censornet.com/en/products/hostedwebsecurity GETTING STARTED WITH CLOUD LINK INSTALLATION In order to use CensorNet Hosted Web Security, you will need to download Cloud Link. Cloud Link is a small piece of software that acts as a proxy on the local PC. It captures traffic and filters it. Why do you need Cloud Link? This enables 100% ICAP compliant communication between the client and service, which delivers optimal performance to the user. The client also provides a 'single-sign-on' style authentication system which is transparent to the end-user. The client is locked down so that only administrators can change the configuration, making it ideal for remote and mobile computers. IMPORTANT: You will need access credentials from CensorNet Ltd in order to configure Cloud Link correctly. Please make sure you have this information to hand. Note for Windows 7 / Vista: You should run the setup program with administrator privileges or have an administrator account to hand during installation. Double click the setup program that you downloaded or right click and choose "Run as Administrator" if using Vista or Windows 7. To find out which system your computer is using and its bit version, click Start, right click Computer and select Properties. 3

Go to: http://www.censornet.com/en/kb/how_to_install_cloud_link_software_for_use_with_hosted_web_security Select the relevant download for your computer from the list and click to run. The Setup Wizard will start up. Press Next to continue. You will be asked to choose a path where the Cloud Link files should be installed. Unless you have a specific reason, accepting the default is fine. Press Next. 4

The next screen will ask you what mode you wish to use. For Cloud Link with Hosted Web Security you should select ICAP Mode. Now press Next. You will now be asked to enter the settings for ICAP Mode. They are: ICAP host: icap.cloudwebfiltering.com for Europe or icap.us.cloudwebfiltering.com for the US. ICAP port: 1344 5

Global/Admin Password: This is an administrator password that prevents the employee from configuring or removing Cloud Link from their PC. You should choose a secure password and keep it safe. If you are using Active Directory authentication, you must enter here the global password that you have configured in the web console under Account -> Global Settings -> Global Password. This password must be used when installing all Cloud Link clients on your network. Note: If you change the Global Password via the web console you must also change it in all of your Cloud Link installations otherwise users will receive a message stating Login Failed Due To Incorrect Credentials. This password also doubles up as the admin password for configuring Cloud Link after installation. You should choose a secure password and keep it safe. Do not forget this password! Intercepted ports: These are the ports that Cloud Link will intercept traffic on before forwarding it to the cloud. The only ports supported are 80 (HTTP) and 443 (HTTPS). You can intercept both, or just one, by specifying a comma separated list here. You can alter this later. Active Directory Authorization: If you are not planning to use Active Directory as a method of authentication or you have no email address within Active Directory to use, untick this option to revert to the standard method of authentication (See AD PDF for further advise http://www.censornet.com/en/customers/documentation/hostedwebsecurity).) Fail Open Enabled: You can chose to leave this ticked so that in the unlikely event that Cloud Link cannot connect to the Cloud servers e.g. The ICAP port is blocked by a firewall, internet routing issue or the computer running Cloud Link is using a Hot Spot environment, open internet access will be provided. When Cloud Link can reconnect to the Cloud, filtering will resume. Cloud Link is now ready to be installed. Click Back if you need to alter any settings, otherwise click Next to start the installation. Click Install. 6

Just before completion, or immediately after, you will most likely be prompted by Windows to allow "ProxyTray" to access the Internet through the firewall. Please accept this exception, by clicking "Allow Access". 7

The cloud link is now installed and running. Click Finish. After installation, you will need to enter the credentials for the user that is being filtered, unless using AD mode. User accounts are created on the www.cloudwebfiltering.com web console. You will be provided with an administrator username and password for accessing the web console. If you have not received this, please contact CensorNet Ltd. Right click the Cloud Link icon in the bottom right hand corner of your screen and select Change Credentials. Enter the credentials of the user to be filtered and press OK. You will not need to enter these credentials again. 8

Note: To make sure the changes have taken effect, shut down your web browsers and restart them. Alternatively you can restart your computer which will achieve the same result. To test if Cloud Link is working, you should try and browse to a site that is normally blocked by our Default Policy e.g. a proxy anonymizer web site etc. If all is working, you should receive the standard blocked page. 9

GETTING STARTED WITH WEB CONSOLE FUNCTIONALITY Go to www.cloudwebfiltering.com You will be prompted for administrator login details; these will be provided by CensorNet. Click login. HOME The Dashboard will now be displayed. This is an overview of web browsing activity that has taken place across all Cloud Link users. This will initially appear blank until Cloud Link is installed and you have user activity. Productivity Monitor (previous 3 hours) shows you the last 3 hours of browsing trends via a line graph. Green line: Sites that have been allowed. Amber line: Sites that have been visited with blocked and unblocked content. Red Line: Sites that have been blocked instantly by rules. Top 10 users by time online (previous 3 hours) show the email of the users and how long they have been online in minutes. Top 10 sites by time online (previous 3 hours) show the top domains and amount of visits to them. Top 10 categories visited (previous 3 hours) uses a pie chart to break down the types of sites users have been accessing. Definitions of the graph can be found on our website: http://www.censornet.com/en/products/hostedwebsecurity/urldb 10

At the bottom of the screen, you will see Message Logs and beneath that two tabs. Logs tab is an audit trail of administrator s activities on the system. News tab contains updates from CensorNet that are relevant to the product. 11

ACCOUNT Account has three tabs that sit within this page. Customer Details will show you your company information, the number of license purchased and authorised domain list. You are not able to edit these details yourself. To make changes please contact CensorNet. Global Settings allow you to view and change filtering options via policy and schedule. The Default Policy is a catch all for any user or group who does not have their own policy applied to them. Initially you will be set to Default Policy and Default Schedule no other options will appear. This can be changed once you have defined your own filtering policies and schedules. Then select your options from the drop down list and click Update. You may of course choose to keep the Default option. Schedule Time Zone. Making sure you set a Schedule Time Zone for your location, ensures that when you create a Policy Schedule, the policy is active according to your time zone. Global Password is used for authenticating all the cloud link clients automatically and transparently that were installed with Active Directory mode enabled. You should set the Global Password first and then set your administrator password for the Cloud Link client to match it. This will enable Active Directory to transparently authenticate users without them being asked for a username or password. Unblock Notifications. When a user accesses a page that is blocked and they request an unblock of that page, an email notification will be sent to the email address of the person specified here. 12

Note: Within Active Directory, the users profile must contain their email address. That email address has to match the user profile that has been set up within the web console. Cloud Link Client has been designed so that you can make changes to Ignored Apps and Bypassed Hosts for every user with Cloud Link client installed, from one central location. Ignored Apps adding applications to this section will mean that they are ignored in the filtering process. Cloud Link will intercept all HTTP or HTTPS traffic (depending on the Intercepted ports option) and filter it. Some applications use their own protocol over HTTP(s) and should not be filtered as it will cause degradation in performance. You can bypass these applications. Bypassed Hosts are domains or IP address that run web services that you do not want to filter. 13

CUSTOM FILTERS Custom URL module allows you to maintain a list of your own website address to allow or block and can be used within Policies for individual users or groups, to override the core list of URL categories. Think of this as an index of your own categorised web content. A classification of the categories can be found on our website: http://www.censornet.com/en/products/hostedwebsecurity/urldb Open up Custom Allowed Sites and Custom Blocked Sites to view your customised entries. You have the option to create unlimited new categories to store web domains in. Simply select New Category and enter a name. 14

Click New URL to add a website URL and select an option from the Category drop down list to choose what category to add the URL to. Please Note: When entering Custom URL entries into the Hosted Web Security web console, you will need to obey the following rules: You cannot enter a protocol header http:// or https://, e.g. http://www.bbc.co.uk. This is not required. You cannot enter an asterisk (*) e.g. *bbc.co.uk. This is already implied by the system. You cannot start the URL with a period (.)e.g..bbc.co.uk. To allow or block a specific path within a website you should enter it in full e.g. bbc.co.uk/sport or www.bbc.co.uk/sport To allow a particular sub-domain for domain.com, you must specify the sub domain explicitly e.g. www.your.bbc.co.uk To allow an entire domain (sub domain + path), add just the domain e.g bbc.co.uk The key to Custom URL is to be as specific as you can to avoid matching URL s that you did not intend to block or allow. www.your.bbc.co.uk/news your = Sub domain bbc = Domain co.uk = Top Level Domain /news = Path 15

POLICIES A policy is a set of rules that define a user s ability to access content on the web. Each user will have a policy assigned to them so that their access to content is within the scope of the rules applied to that policy. A policy can be set at default, group and individual user level. Note: A policy cannot be applied directly to the user or group and is instead applied through a schedule (see category on Schedule). Initially all users will have the Default Policy applied, which has been created by CensorNet. This policy is defined to block all malware, pornography, adult content and anonymizers. Everything else is set to ignore which means it will not try to filter or take any other steps after the block rule. The Default Policy is a catch all which means it is applied to any user that does not already have their own user policy or belong to a group which has a policy. You should modify the default policy to be the basic level of filtering that you want to apply to all users and then you can be more specific by defining group and user policies (see section on Groups). When you have highlighted a policy e.g. default policy, there are additional tabs to make changes. The General tab, shown above, lets you type the policy name and give a brief description of the policy. 16

Filter Mode is important and allows you to set the type of filtering action your policy will use. Filter Mode has four options: Filtered - A filtered policy has one or more filters applied. These filters determine the types of sites, or even specific URLs, which are allowed or blocked. A filtered policy is useful when you are setting up rules for general permitted surfing but where unwanted content, such as pornography, or adverts are blocked. Unfiltered - An unfiltered policy has no block rules and will allow a user to access to any site. Restricted - A restricted policy allows users to visit only the specific sites (or categorized sites of a certain type) that the administrator has set. Every other site will be completely blocked from the user. Blocked - A blocked policy is one that is totally closed. A user on this policy cannot surf to any site at all. Conflict Resolution - conflicts occur when accessed content belongs to more than one category. As a default this is set to Block Rules override Allow Rules. You should select the Conflict Resolution rule you would like applied when a conflict is detected e.g. A user tries to access a website that contains both pornographic content and news. The default policy the user is assigned to, is set to allow news and is also set to block pornography. At this point a conflict has occurred because the site belongs to both categories, how will the system react? The option you have select in Conflict Resolution will either Block Rules override Allow Rules (the blocked pornography category takes precedence over the allowed news category and access is denied to the user) or Allow Rules override Block Rules (the allowed news category takes precedence over the blocked pornography category and access is granted). Unknown Sites can either be set to Block and classify or Allow. When a user accesses content that has not been classified e.g. does not belong to a category, access to the page will be denied and you will see from the blocked page that it is noted as unclassified. If you set Unknown Sites to Allow, all unclassified sites can now be access by users who are assigned to this policy. Color is simply the color you choose to view that particular policy in from the main list and is used to identify the policy in Schedule. For any changes you make in this area, you will need to click the Update button. Please note that changes may take up to 5 minutes to take effect. 17

New Policy To create a new policy select New Policy from the bottom left of the pannel. You will be asked to fill out a policy name and description. You will need to select a filter mode, conflict resolution state, unknown site action and finally the colour to identify the policy. Once you have completed this, click Insert. You will now be able to see your created policy in the main list. Delete Policy click the policy you no longer need so that it is highlighted, now select Delete Policy from the bottom left of the screen. Take care to only highlight the policy you wish to remove. Clone - All of the settings you have applied to the original policy will be replicated into the new one. Once you have created the copy, you are free to edit to make the necessary changes, such as the name of the policy etc. 18

The Custom URL tab allows you to specify, which of your custom URL categories are set to allow or block in this policy. This action will override the setting in the Categories tab, which applies to the category the URL belongs to e.g. If facebook.com belongs to a Custom URL category that is set to Allow, this will override the social networking category that is set to Block in the Categories tab, just for the facebook.com domain, all other social networking sites will still be blocked. Allow - URL s in a category set to Allow will grant access to the web content and no further filtering will take place. Ignore will take no action on the web content and will instead pass the request to the next set of filtering rules. Block will instantly deny access to the content and the user will be shown the Access Denied screen. Click Update to save: Please note that changes may take up to 5 minutes to take effect. Categories - Content from the web is grouped into Categories. For a full list of definitions visit: http://www.censornet.com/en/products/hostedwebsecurity/urldb 19

Categories - The rules that you apply here will determin what web content the users within the policy can access. In the screen shot above, Adult Offensive is set to Block, this is a Top level category. It is useful if you wish to blanket allow, block or ignore access for an entire category. If you expand a top level, you will see the categories within it. Although you may have blocked the Top level category, you are still able to change the action within this category to Allow, Block or Ignore e.g. you can block Adult Offensive, but allow Hate and block Violence, which sits within the same category. If you expand further, you can view the sub-categories, these contain the actual websites to be allowed or blocked. These appear in the reports and on the access denied pages. You can be granular in what you wish to allow, block or ignore e.g. Block category Hate but Allow sub category Hate Speech. If you are unsure what category a website belongs to, use the Quick Site Lookup tool. Simply type in the web address, click Lookup and it will provide you with the relevant category. Click Update to save: Please note that changes may take up to 5 minutes to take effect. 20

POLICY SCHEDULE A policy schedule enables you to define when one or more policies are active during a rolling 7 day week. A policy schedule must contain at least one policy. A policy schedule can be applied to individual users or groups. Schedules are used as a method to apply policies at different times of the day e.g. I want to Allow Social Networking web content only during lunchtime for the default policy on Fridays. When your account is created by CensorNet, it will contain a Default Schedule that applies the default policy 24x7. You can modify the Default Schedule or create your own. As shown above, the General tab lets you view the name and description of the selected schedule. If you wish to make changes to the policy schedules basic details, you can do so and then click Update. To create a new Policy Schedule, click New in the bottom left of the screen. Enter the name you wish your schedule to be called and put in a brief description as to its purpose. Click Insert, you will now be able to see your newly created Policy Schedule in the main list. Delete - If you wish to delete a schedule, highlight it and then select delete from the bottom left of the screen. Take care to only highlight the schedule you wish to remove. 21

Schedule Definition Allows you to specify the times of day when policies are active. From the drop down list in the top left hand corner, select the policy that you wish to add to the schedule. Down the left hand side you will see all the days in the week, followed by AM and PM. With your cursor, click on the selected time slots you wish the policy to be active on. The time slot will change to the colour of the policy, indicating that this has been made active. Above you can see a highlighted section where a chosen policy has been applied to Monday AM and Monday PM (as an example). Build the policy schedule that you need. Note: Time slots are defaulted to increments of 5 minutes but you can change this to increments of 15, 30 or 1 hour. Fill At the end of the row is an option Fill, if you wish to apply the selected policy to the whole day click Fill. Clone at the end of the row allows you to replicate a day schedule to every day in the week. This saves you having to recreate the same schedule for each day. 22

USERS & GROUPS Users Initially the user list will only contain one user which is the administrator. This user is set up by CensorNet and there must always be at least one administrator. To apply filtering to members of your organization, you should add them as a user. The administrator will need the user s login credentials when they install the Cloud Link software onto a machine. After the first time login has been completed, authentication from this point on is transparent, the user will no longer be asked to log in as it will be automatic. From the main tree you will be able to see your user list and groups. To create a new user, click New User from the bottom left of your screen. You will be asked to enter an E-Mail address and password. You should enter the email address of the user. Please note the email domain name must match a domain found in the Account information (see section on Accounts). You are however, required to enter a unique email address for every user e.g. captain.kirk@enterprise.com / lieutenant.commander.spock@enterprise.com etc you should also specify a password. Click Insert to add the user. 23

From the main tree, highlight the user and view the details in the General tab. If you wish the user to be a member of a group e.g. The Marketing Team, from the Group drop down choose the group and click Update. In the main tree the user will now belong to the group The Marketing Team. There is an option to assign a Policy Schedule to this user. From the drop down list select the schedule you wish to apply and click Update. The chosen Policy Schedule will be applied to this user regardless of the Group Policy. If you do not need a separate policy schedule for this user, select the No Schedule option. Note: The user Policy Schedule will take precedence over the group policy, so be careful when applying these settings. The General tab lets you set whether your user is to be an Administrator or normal user. Click the box next to Administrator to set your user at Admin level. Ticking the Administrator box allows that person to view and use the Web Console. Leaving the box unticked means the user does not have access to the web console. 24

To Delete a user or reset their Password, select required option from within the General tab. You may right click on the user from the main tree and select either Delete or Reset Password according to your needs. Existing users can be dragged and dropped into a group using the cursor. CSV Uploader - If you wish to upload bulk users, rather than add them manually, you are able to upload a CSV file. Click Upload CSV (button located next to New Group and New user). The format for CSV is username,group,password. For more information visit http://www.censornet.com/en/kb/uploading_users_and_groups_via_csv Click the computer screen icon circled above and select your file. Now click Upload. 25

Groups Groups allow you to collate users so they are more manageable and so policies can be applied on Group basis. You can group by department, team, function, position etc From the main tree, if you expand a Group, below it you will find a list of the users you have assigned to that group. To create a new group, click New Group at the bottom of the main tree. Type the name you wish your Group to be called. Now select a Policy Schedule from the drop down list that you would like applied to that Group. If you do not wish to apply a Policy Schedule to the group, you can select No Schedule. Note: You should only use No Schedule if you want the Default Policy applied automatically or the individual users within the Group have their own policy. When you highlight the Group, you are able to view the name and Policy Schedule details now applied. 26

REPORTS Reports The reporting function has been designed to give the administrator full disclosure as to the web activities of any user with Cloud Link installed. Understanding the type of web browsing that takes place within your organization can lead to cost saving and greater efficiency. Within the Reports tab, you have various reporting tools available to you. Analyse The analyse tab allows you to set the type of criteria you wish to search for. You can request a search for one or multiple criteria based on Timespan, Username, Web Domain and Display action. Timespan is broken down into specific time increments of web activity. Starting at Previous 15 mins. Select the option for your search. 27

Timespan option Custom, allows you to set your own From and To timescale. This is ideal if you know the exact period you need information for. Username can be selected from the drop down list or typed in manually. You can type a partial username such as kirk, captain.kirk or the full username captain.kirk@enterprise.com the wildcard will do the rest of the work but being as specific as possible is always best for accuracy. Web Domain is the name of the website you wish to search for user activity on, for example bbc.co.uk or www.bbc.co.uk, again the key is always to be as specific as possible for the best accuracy. Display allows you to filter the report based on action. The options are Only with Blocked which means only show results where the user has been blocked from accessing a site. Only with Allowed which means only show results where the user has been allowed to access a site. Allowed & Blocked which includes both. After you have selected all of your criteria, click Run Report All matching results will be displayed to you in the right hand pane of the screen. 28

The data provided by the report can be saved in two formats, PDF and CSV. To save the data as a CSV file, select CSV (located just above your Allow Hits column) shown above. A pop up box will inform you that the data will be sent to your email address. Click OK. The subsequent email you receive will have the subject header Your cloudwebfiltering.com report. Follow the same process to have the data sent in PDF format. Report tab (located next to analyse), is a list of pre defined reports that you can view. You have the option to select a report for 5 minutes, 1 hour, 3 hours, 1 day, 1 week, 1 month or 1 year ago. 29

UNBLOCKS Unblocks If a user tries to access web content that is blocked, they may genuinely require access, when this happens; they are given the opportunity to request access to that website. The Unblock tab allows you to review these requests. This is Unblock home screen. You will be presented with a list of all the requests that have been made by users to access web content. When a user tries to access a web page that is blocked, they will be shown the Access to this page has been denied screen. On the same screen there is a Request access to this site button which they can click to request unblock. They can optionally supply a reason for access to the site. They will now need to enter their Cloud link password and then click Request Unblock. This will send an email to the Technical Contact (specified in Accounts tab) to notify them of the request. 30

Unblock requests are available to view in the console by clicking the Unblocks tab. You can select a request by clicking the check box next to it. This will highlight the whole line. You will now be given the option to add the website to a custom URL category or your own created category. Select an option from the drop down list and click Add to category to allow or deny. The web site will now be Allowed/Blocked depending on how the category is configured in Policy. If you wish to delete a request from the list, tick the box next to it so that it appears highlighted and then click Dismiss selected. That entry will now be removed. There is an option for you to send a message to the requesting user. Tick the box next to the request to highlight it, tick the box for Send a message back, type your message and when you click either, Add to category or Dismiss selected, your message will be sent to the end user automatically. 31

STATUS Status gives you full visibility of the performance of our service to you. HAproxy Is a load balancer and will choose which server to assign requests to, based on their current workload. icap001 Is a server that handles the filtering. icap002 - Is a server that handles the filtering. Portal Is a web server running the user interface console. Portal SSL Is an encrypted version of Portal. Please note: These details are liable to change over time or more details may be added. LEGEND Service is operating normally 99.90% uptime or better (less than 2 minutes of downtime). Service disruption 99.98/98.00% uptime (between 2 minutes to 29 minutes of downtime). Service outage Less than 98.00% uptime (more than 29 minutes of downtime). No data available Unmonitored. 32

By clicking on a server name e.g. HAproxy, you will be shown details specific to the server. You are able to change the server you wish to view from the drop down box at the top of the screen, shown above. Alternatively, you can go back to the main status page and select the next server you wish to see information on. TECHNICAL SUPPORT Telephone +44 (0) 845 230 9592 E-mail Live Support Desk Knowledge Base support@censornet.com http://www.censornet.com/support/ http://www.censornet.com/en/kb 33