ISA Server Plugins Setup Guide




ISA Server Plugins Setup Guide Secure Web (Webwasher) Version 1.3

Copyright 2008 Secure Computing Corporation. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Secure Computing Corporation.

Trademarks

2008 Secure Computing Corporation. All Rights Reserved. Secure Computing, SafeWord, Sidewinder, Sidewinder G2, Sidewinder G2 Firewall, SmartFilter, Type Enforcement, CipherTrust, IronMail, IronIM, SofToken, Enterprise Strong, Mobile Pass, G2 Firewall, PremierAccess, SecureSupport, SecureOS, Bess, Cyberguard, SnapGear, Total Stream Protection, Secure Web (Webwasher), Strikeback and Web Inspector are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. G2 Enterprise Manager, Secure Web Reporter, SecurityReporter, Application Defenses, Central Management Control, RemoteAccess, SecureWire, TrustedSource, On-Box, Securing connections between people, applications and networks and Access Begins with Identity are trademarks of Secure Computing Corporation.

Technical Support information

Secure Computing works closely with our reseller partners to offer the best worldwide Technical Support services. Your Secure Computing reseller is the first line of support when you have questions about our products and services; however, if you require additional assistance, contact us directly.

To contact Secure Computing Technical Support directly, telephone +1.800.700.8328 or +1.651.628.1500. To inquire about obtaining a support contract, refer to our "Contact Secure" Web page for the latest information at www.securecomputing.com.

To use our web support site, point your browser to support.securecomputing.com. This site allows you to submit support issues and to monitor, edit, and set the severity of issues 24 hours a day.

To use the Secure Knowledge Base, go to kb.securecomputing.com. Enter your company ID.

Customer Advocate information

To suggest enhancements in a product or service, or to request assistance in resolving a problem, please contact a Customer Advocate at +1.877.851.9080. If you prefer, send an e-mail to customer_advocate@securecomputing.com.

If you have comments or suggestions you would like to make regarding this document or any other Secure Computing document, please send an e-mail to techpubs@securecomputing.com.

Publishing history

Date          Part number    Software release
October 2008  86-0949094-A   Webwasher ISA Server Plugins 1.3


CONTENTS

About this guide
About ISA Server and Webwasher ISA Server Plugins
    ISA Server
    Webwasher ISA Server Plugins
Requirements
    System requirements
    License requirements
Installing the plugins
    Before you begin
    Install plugins
Configuring the plugins
    ICAP Plugin
    Configure Webwasher ICAP(S) Server
    Enable Webwasher to log REQMOD and RESPMOD
    Proxy Chaining Plugin
    Configuring ISA Server for proxy chaining


About this guide

This guide explains how to install and configure the Webwasher ISA Server Plugins. This guide is intended for administrators and assumes you have a working knowledge of:

- Secure Web (Webwasher) (hereafter referred to as "Webwasher")
- Microsoft ISA Server (hereafter referred to as "ISA Server")
- Microsoft Windows operating system on which the ISA Server and Webwasher ISA Server Plugins are installed
- ICAP and proxy chaining

The following table lists the acronyms and the corresponding full names used throughout this guide.

Table 1: Table of Acronyms

Acronym   Full Name
ISA       Internet Security and Acceleration
ICAP      Internet Content Adaptation Protocol
HTTP      Hypertext Transfer Protocol
HTTPS     Hypertext Transfer Protocol Secure
REQMOD    Request Modification
RESPMOD   Response Modification
URI       Uniform Resource Identifier
URL       Uniform Resource Locator
SSL       Secure Socket Layer

About ISA Server and Webwasher ISA Server Plugins

ISA Server

ISA Server provides an extensible enterprise firewall and a scalable Web cache server, acting as an Internet gateway for securing connections and optimizing network performance.

For more information about ISA Server, visit these Web sites:

- www.isaserver.org
- www.microsoft.com/technet/prodtechnol/isa/default.mspx

For information about authentication configuration methods for ISA Server, see www.isaserver.org/tutorials/configuring_authentication_methods_for_isa.html

Webwasher ISA Server Plugins

The Webwasher ISA Server Plugins include:

- Webwasher ISA Server ICAP Plugin (hereafter referred to as "ICAP Plugin")
- Webwasher ISA Server Proxy Chaining Plugin (hereafter referred to as "Proxy Chaining Plugin")

Tip: Secure Computing recommends running Webwasher and the ISA Server on separate machines.

ICAP Plugin

The ICAP Plugin is an ICAP client that enables an ISA Server to use a compatible ICAP server to filter Web content. When used with Webwasher, all Webwasher HTTP filters are supported except for the SSL Scanner.

ICAP is a standard Internet content filtering protocol that provides simple object-based content vectoring for HTTP services. The protocol allows ICAP clients to pass HTTP messages to ICAP servers for scanning, transformation, or other processing. An ICAP server executes its transformation service on messages and sends back responses to the ICAP client, usually with modified messages. Typically, the adapted messages are either HTTP request modifications (REQMOD) or HTTP response modifications (RESPMOD). For more information on REQMOD and RESPMOD, see "About REQMOD".

Proxy Chaining Plugin

The Proxy Chaining Plugin allows you to use Webwasher as an upstream proxy server in a proxy chaining environment. During proxy authentication, the ISA Server obtains user and group information, then forwards that information to Webwasher using the Proxy Chaining Plugin. For configuration information, see "Proxy Chaining Plugin".

The proxy chaining method allows you to forward Web proxy connections from one proxy to another, each proxy acting as a link in the chain. For example, you can forward Web proxy connections from one ISA Server to another in order to reduce bandwidth use. The chain consists of upstream and downstream proxies: proxies closer to the Internet connection are upstream, and proxies farther away from the Internet connection are downstream. Downstream proxies forward requests to upstream proxies.

Caution: When using the Proxy Chaining Plugin with caching enabled on the ISA Server, all requests may not be forwarded from ISA to Webwasher for additional filtering. Because of this, if you enable user-based policies on Webwasher, then we recommend disabling caching on the ISA Server.

Requirements

System requirements

The system requirements are listed below:

- Microsoft ISA Server 2004 Service Pack 1 for:
    - Windows 2000 Server with Service Pack 4
    - Windows Server 2003 with Service Pack 1
- Microsoft ISA Server 2006 for:
    - Windows 2000 Server with Service Pack 4
    - Windows Server 2003 with Service Pack 1
- A currently supported version of Webwasher

Please see the Webwasher Installation Guide for more information about installing Webwasher.

Note: The ICAP Plugin has been successfully tested on stand-alone and array-configured ISA servers.

License requirements

Use your existing Webwasher license to enable the Webwasher ISA Server Plugins. If you have questions regarding your Webwasher license, please contact Secure Computing Customer Service:

Online                 support.securecomputing.com
Telephone (Europe)     +49.5251.8717.660
Telephone (Americas)   +1.800.700.8328
International          +1.651.628.1500

Installing the plugins

Use the following information to download and install the Webwasher ISA Server Plugins.

Before you begin

Before you install the plugins, complete the following steps:

1. Log into the operating system as an administrator.
2. Download the Webwasher ISA Server Plugins software from the Webwasher extranet, https://extranet.webwasher.com.
3. Open Control Panel > Administrative Tools > Services.
4. Select Microsoft Firewall and click Stop the service.

You can now install the plugins.

Install plugins

Important: If you have an array environment, install the Webwasher ISA Server Plugins on each member of the array.

Use the following steps to install the plugins:

1. Run the installation program. The Welcome window appears.
2. Click Next. The License Agreement window appears.
3. Select I accept the terms of the license agreement and click Next. The Information window appears.
4. Review the information, click Next. The installer looks for an existing version of the plugin software:
    - If an older version is found, the Upgrade window appears.
    - If the same version is found, the Reinstall window appears.
    - If no previous installation is found, the Install window appears.
5. Click Next. The Summary window appears.
6. Click Install. The Installation Complete window appears.
7. Click Finish to exit the installation wizard. The plugins are installed and are disabled.
8. Restart the Microsoft Firewall service.

The Webwasher ISA Server Plugins installer automatically installs both the ICAP Plugin and the Proxy Chaining Plugin. By default, both plugins are disabled. Use the following sections to enable and configure the plugins:

- For the ICAP Plugin, see "ICAP Plugin".
- For the Proxy Chaining Plugin, see "Proxy Chaining Plugin".

Configuring the plugins

ICAP Plugin

Use the following instructions to enable and configure the ICAP Plugin.

Enable the ICAP Plugin

Follow these steps to enable the ICAP Plugin:

1. Open the ISA Server Management console, go to <server name> > Configuration > Add-ins and click on the Web Filters tab.
2. Enable the ICAP Plugin:
    a. Right-click the Webwasher ISA Server ICAP Plugin and select Enable.
    b. Click Apply. The Saving Configuration Changes window appears with a progress bar. Click OK when the changes are complete.

The ICAP Plugin is enabled.

General options

Follow these steps to configure the General options:

1. Right-click the Webwasher ISA Server ICAP Plugin and select Properties. The Webwasher ISA Server ICAP Plugin Properties window appears with the General tab open.

   Figure 1: General options

2. In the Relative Path field, verify the path is Webwasher\ISAIcapClient.dll. The path is set during installation and is relative to the ISA Server root path.

Important: The Relative Path must be relative to the ISA Server root path in order for the ICAP Plugin to function.

Config options

Follow these steps to configure the Config options:

1. Select the Config tab.

   Figure 2: Config options (callouts: Default REQMOD value, Default RESPMOD value)

2. Configure the ICAP Server URI options:
    a. REQMOD: Select the REQMOD check box to filter outgoing HTTP(S) requests and replace the default value (see Figure 2) with your Webwasher ICAP Server URI. Select the Bypass on failure check box to continue allowing user HTTP(S) requests when the Webwasher ICAP Server is unable to respond.
    b. RESPMOD: Select the RESPMOD check box to filter incoming HTTP(S) responses and replace the default value (see Figure 2) with your Webwasher ICAP Server URI. Select the Bypass on failure check box to continue allowing user HTTP(S) responses when the Webwasher ICAP Server is unable to respond.

   For more information about REQMOD and RESPMOD, see "About REQMOD".

   Important: For array environments: The ICAP Server URI entered on one member is not shared across all members of an array. You must configure the ICAP Plugin and enter the appropriate Webwasher ICAP Server URI on each member of the array. All other configuration options are shared across array members.

3. Verify that you have a valid license; see "License requirements". To import a license:
    a. Click Import and browse to the location of the text file containing your Webwasher license.
    b. Select the text file and click Open. Your Webwasher license is imported.
4. [Optional] Select the Modify cs-uri field check box to write category information to the ISA Server access log file. If you enable this option, the category information is appended to the ISA Server access log file's cs-uri field. Category information is obtained through Webwasher from the TrustedSource Web Database.

   Note: You also need to configure Webwasher to send categories to the ICAP client; see "Configure Webwasher ICAP(S) Server".

   Example modified cs-uri ISA Server log field:

       x-attr:"bu" x-filter-result:0 http://www.sampleurl.com

   where:
    - x-attr:"bu" = category information
        - bu = the category (which is Business)
    - x-filter-result:0 = the action taken
        - 0 = there was no action taken (such as block, warn, or allow)

   Note: For more information about categories, including category codes, refer to the TrustedSource Web Database Reference Guide. You can download the reference guide from www.securecomputing.com/goto/resourcecenter.

5. Configure authentication options:
    - Select the Do not attempt to get groups from Domain Controller check box to prevent retrieving the following:
        - A list of global (domain) groups from the domain controller.
        - A list of local groups from the domain controller.
    - Clear the Do not attempt to get groups from Domain Controller check box to retrieve domain groups, then complete the following:
        a. From the Select what groups to get from Domain Controller list, select Global, Local, or Both.
        b. In the Default Domain field, enter the appropriate domain to attach to user names sent without a domain.
6. Select the Send X-Request-URL on ICAP Requests check box to send the requested URL as part of the REQMOD or RESPMOD request to the ICAP server. This is required if using Webwasher policy mapping based on destination and path of the request.
7. Select Trace connections under Debugging to trace and log connection debugging information. The output directory is c:\documents and Settings\<username or NetworkService>\Local Settings\Temp\WWTraces.
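The following parser for the modified cs-uri field is an added example, not part of the original guide and not Secure Computing code. It assumes the annotations sit in front of the URL exactly as in the guide's sample line, that multiple category codes are separated by commas or spaces, and that any non-zero x-filter-result means some action was taken; "zz" and the result value 1 in the sample data are constructed placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Annotations are accepted only in the leading position shown in the guide's
# example. The URL that follows is client-controlled, so look-alike text inside
# it must never be read as a Webwasher verdict.
CS_URI = re.compile(
    r'^(?:x-attr:"(?P<cats>[^"]*)"\s+)?'
    r'(?:x-filter-result:(?P<result>\d+)\s+)?'
    r'(?P<url>\S.*)$'
)


@dataclass(frozen=True)
class CsUri:
    url: str
    categories: Tuple[str, ...]
    filter_result: Optional[int]

    @property
    def annotated(self) -> bool:
        """True when the plugin wrote category or result information."""
        return bool(self.categories) or self.filter_result is not None

    @property
    def action_taken(self) -> bool:
        # The guide documents only 0 (no action taken). Treating every other
        # value as "an action was taken" is an assumption of this example.
        return self.filter_result not in (None, 0)


def parse_cs_uri(value: str) -> CsUri:
    """Split one cs-uri log value into URL, category codes and filter result."""
    match = CS_URI.match(value.strip())
    if match is None:
        raise ValueError("empty cs-uri value")
    # Assumption: several category codes are separated by commas or spaces.
    cats = tuple(c for c in re.split(r"[,\s]+", match["cats"] or "") if c)
    result = match["result"]
    return CsUri(match["url"], cats, int(result) if result is not None else None)


def summarize(values: Iterable[str]):
    """Return (hits per category, URLs with an action, URLs without annotation)."""
    per_category = Counter()
    acted_on, unannotated = [], []
    for value in values:
        entry = parse_cs_uri(value)
        per_category.update(entry.categories)
        if entry.action_taken:
            acted_on.append(entry.url)
        if not entry.annotated:
            unannotated.append(entry.url)
    return per_category, acted_on, unannotated


# Constructed sample values; only the first one is the example from the guide.
SAMPLES = [
    'x-attr:"bu" x-filter-result:0 http://www.sampleurl.com',
    'x-attr:"bu,zz" x-filter-result:1 http://blocked.example/path',
    'http://plain.example/index.html',
    # Look-alike text inside the URL must stay part of the URL.
    'http://plain.example/?q=x-filter-result:1',
]

if __name__ == "__main__":
    categories, acted_on, unannotated = summarize(SAMPLES)
    print(dict(categories), acted_on, unannotated)
```

Entries that come back without annotation were logged without category information and are worth reviewing when the Modify cs-uri field option is expected to be on.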

Statistics

Follow these steps to view statistics and configure options:

1. Select the Statistics tab.

   Figure 3: Statistics

2. Click in the Update Interval field to change the value; click Reset to clear the statistics information. The default Update Interval is 5 seconds.

   As background information, the Statistics tab displays a variety of statistics for both REQMOD and RESPMOD requests that have been issued to the Webwasher ICAP Server. The following table provides a description for each statistic.

   Table 2: Statistics description

   Statistic Name         Description
   Requests               Number of REQMOD or RESPMOD requests made
   ICAP 200/204/400       Number of ICAP status code requests made
   Last OPTIONS request   Most recent OPTIONS request made
   Connect Failures       Number of times a connection could not be made to the ICAP server due to the server being down
   Connect Delays         Number of times a connection was delayed because of too many concurrent connections
   Connections Broken     Number of times a connection was broken during ICAP communication due to unavailable data

3. Click OK to complete the configuration.

After the ICAP Plugin is functional, you need to enable the Webwasher ICAP(S) Server and configure the ICAP(S) Server to send category information; see "Configure Webwasher ICAP(S) Server". Additionally, you can have Webwasher log REQMOD and RESPMOD requests; see "Enable Webwasher to log REQMOD and RESPMOD".

Configure Webwasher ICAP(S) Server

After the ICAP Plugin is enabled and configured, enable the Webwasher ICAP(S) Server (which will allow Webwasher to accept incoming ICAP connections from the ICAP Plugin) and configure the ICAP(S) Server to return category information and header values.

Enable the Webwasher ICAP(S) Server

Follow these steps to enable the Webwasher ICAP(S) Server:

1. Log in to the Webwasher interface.
2. Go to Proxies > ICAP(S) Server. The ICAP(S) options open.
3. On the ICAP(S) Server tab, select the Enable ICAP Server check box (if it is not already selected).
4. Click Apply Changes.

The ICAP(S) Server is enabled.

Configure the Webwasher ICAP(S) Server

Follow these steps to configure the Webwasher ICAP(S) Server to send category information and to send the range of values of the X-Attribute header:

1. Go to Proxies > ICAP(S) Server > Server Settings tab.
2. Select one of the following:
    - Send all categories to the ICAP client
    - Send only the blocked categories to the ICAP client
3. Select the Send range of values of the X-Attribute header in OPTIONS response check box.
4. Click Apply Changes.

The Webwasher ICAP(S) Server will send category information and the X-Attribute header range of values.

Enable Webwasher to log REQMOD and RESPMOD

You have the option to enable logging for REQMOD and RESPMOD requests on Webwasher. For more information about REQMOD and RESPMOD, see "About REQMOD".

To enable REQMOD and RESPMOD logging on Webwasher:

1. Log in to the Webwasher interface.
2. Go to Reporting > Log File Management > Activate Log Files tab.
3. Select the HTTP Access Denied Log check box for:
    - Web Requests REQMOD
    - Web Downloads RESPMOD
4. Click Apply Changes.

Webwasher will now log REQMOD and RESPMOD requests.

About REQMOD

REQMOD describes a client's request that is redirected to an ICAP server (Webwasher) that modifies the request before it can be fulfilled by the original server (Internet). The ICAP server sends one of the following back to the ICAP client:

- a modified version of the request;
- a valid HTTP response, like an error message stating that access to a particular URL is not allowed; or
- a 204 response (if the client indicates that it supports 204 responses) indicating that no modification is required.

REQMOD is required in order to use the following Webwasher features:

- All URL filters (URL Filter Database, Extended List, Shell Expression)
- Some of the privacy filters (Referer Filter, Cookie Filter)

About RESPMOD

RESPMOD describes a client's request that is processed by the original server (Internet); in this case, the HTTP response (if available) and the original client request that triggered that response are redirected to the ICAP server (Webwasher) for modification prior to delivery to the client. Similar to REQMOD, the response from the ICAP server can be an adapted HTTP response, an error, or a 204 response code indicating that no adaptation is required. The adapted message or error indication returned by the ICAP server should be forwarded to the client or otherwise passed to the next downstream entity (another proxy server).

RESPMOD is required in order to use the following Webwasher features:

- Anti Malware
- Content Security filters
- Some of the privacy filters (Web Bug Filter, Prefix Filter, Cookie Filter)
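The REQMOD exchange described above, together with the Bypass on failure option from the Config tab, can be sketched as follows. This is an added example, not part of the original guide and not the plugin's code: the message layout follows the ICAP specification (RFC 3507), the ICAP URI and all sample messages are constructed, and treating any status other than 200 or 204 as a failure is an assumption of the sketch.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample data (hypothetical host names and port).
ICAP_URI = "icap://webwasher.example:1344/reqmod"
HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.sampleurl.com\r\n\r\n"
HTTP_403 = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
ICAP_204 = b"ICAP/1.0 204 No modifications needed\r\n\r\n"
ICAP_200_BLOCK = (
    b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, null-body=%d\r\n\r\n"
    % len(HTTP_403)
) + HTTP_403
ICAP_200_MODIFIED = (
    b"ICAP/1.0 200 OK\r\nEncapsulated: req-hdr=0, null-body=%d\r\n\r\n"
    % len(HTTP_GET)
) + HTTP_GET


def build_reqmod(icap_uri: str, http_request_head: bytes) -> bytes:
    """Wrap a body-less HTTP request in an ICAP REQMOD message."""
    if not http_request_head.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP header block must end with an empty line")
    icap_head = (
        f"REQMOD {icap_uri} ICAP/1.0\r\n"
        f"Host: {urlsplit(icap_uri).netloc}\r\n"
        "Allow: 204\r\n"  # tells the server that a 204 answer is acceptable
        # Offsets are relative to the start of the encapsulated section.
        f"Encapsulated: req-hdr=0, null-body={len(http_request_head)}\r\n"
        "\r\n"
    ).encode("ascii")
    return icap_head + http_request_head


def parse_icap_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status code, lower-cased ICAP headers, encapsulated payload)."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)  # ValueError if malformed
    if not version.startswith("ICAP/"):
        raise ValueError("not an ICAP status line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(code), headers, payload


def reqmod_outcome(raw: Optional[bytes], bypass_on_failure: bool) -> str:
    """Decide what the ICAP client does; raw=None models an unreachable server."""
    if raw is not None:
        try:
            status, headers, _ = parse_icap_response(raw)
        except ValueError:
            status, headers = None, {}
        if status == 204:
            return "forward-original"           # no modification required
        if status == 200:
            first = headers.get("encapsulated", "").split("=", 1)[0].strip()
            if first == "req-hdr":
                return "forward-modified-request"
            if first == "res-hdr":
                return "return-http-response"   # e.g. an access-denied page
    # Server down, malformed answer or any other status: the Bypass on failure
    # setting decides between failing open and failing closed.
    return "bypass-unfiltered" if bypass_on_failure else "fail-closed"


if __name__ == "__main__":
    print(build_reqmod(ICAP_URI, HTTP_GET).decode("ascii"))
    for sample in (ICAP_204, ICAP_200_MODIFIED, ICAP_200_BLOCK, None):
        print(reqmod_outcome(sample, bypass_on_failure=False))
```

With Bypass on failure selected, the last case yields "bypass-unfiltered": traffic continues without filtering while the ICAP server is unavailable.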

Proxy Chaining Plugin

Use the following instructions to enable and configure the Proxy Chaining Plugin.

Enable the Proxy Chaining Plugin

1. Open the ISA Server Management console, go to <server name> > Configuration > Add-ins, and select the Web Filters tab.
2. To enable the Proxy Chaining Plugin:
    a. Right-click the Webwasher ISA Server Proxy Chaining Plugin and select Enable.
    b. Click Apply. The Saving Configuration Changes window appears with a progress bar. Click OK when the changes are complete.

The Proxy Chaining Plugin is enabled.

General options

Follow these steps to configure the General options:

1. Select the General tab.
2. Right-click the Webwasher ISA Server Proxy Chaining Plugin and select Properties. The Webwasher ISA Server Proxy Chaining Plugin Properties window appears with the General tab open.

   Figure 4: General options

3. In the Relative Path field, verify the path is Webwasher\ISAChain.dll. The path is set during installation and is relative to the ISA Server root path.

Important: The Relative Path must be relative to the ISA Server root path in order for the Proxy Chaining Plugin to function.

Config options

Follow these steps to configure the Config options:

1. Select the Config tab.

   Figure 5: Config options (callouts: Default user header name, Default group header name, Default forwarded for header name)

2. Select or clear the options for outbound headers and verify or enter the header name. By default, all options are selected and default header names are entered (see Figure 5).
    - Include User Header: forwards the user name of the user making the request
    - Include Group Header: forwards the groups the user belongs to
    - Include Forwarded For Header: forwards the IP address of the machine making the request

   Caution: The header names must match the Web Mappings header names configured on your Webwasher.

3. Verify that you have a valid license; see "License requirements". To import a license:
    a. Click Import and browse to the location of the text file containing your Webwasher license.
    b. Select the text file and click Open. Your Webwasher license is imported.
4. Configure authentication options:
    - Select the Do not attempt to get groups from Domain Controller check box to prevent retrieving the following:
        - A list of global (domain) groups from the domain controller
        - A list of local groups from the domain controller
    - Clear the Do not attempt to get groups from Domain Controller check box to retrieve domain groups, then complete the following:
        a. From the Select what groups to get from Domain Controller list, select Global, Local, or Both.
        b. In the Default Domain field, enter the appropriate domain you want attached to user names sent without a domain.
5. Click OK to complete setup.

Once the Proxy Chaining Plugin is functional, you must configure the ISA Server to allow proxy chaining; see "Configuring ISA Server for proxy chaining".

Configuring ISA Server for proxy chaining

Configure proxy chaining on the ISA Server by adding a Web Chaining rule. Create and configure a new Web Chaining rule by logging in to the ISA Server Management console and following the steps below:

1. Go to Arrays > <array name> > Configuration > Networks and select the Web Chaining tab.
2. Select the Tasks tab in the window on the right.
3. Select Create New Web Chaining Rule. The New Web Chaining Rule Wizard appears.
4. Enter a name in the Web chaining rule name field and click Next.
5. Click Add, select the appropriate network entities for the rule, then click Add > Close.
6. Click Next.
7. For the request action, select Redirect requests to a specified upstream server and click Next.

   Note: Leave the Allow delegation of basic authentication credentials check box cleared.

8. Configure the primary route:
    - Server: Enter the Webwasher IP address.
    - Port: Enter the HTTP port used by the Webwasher proxy; the default is 9090.
    - SSL Port: Enter the HTTPS port used by the Webwasher proxy; the default is 443.
9. Click Next, select the desired backup action, and click Next again.
10. Click Finish. The new Web Chaining rule is created.

The Proxy Chaining Plugin setup is complete.

www.securecomputing.com

Corporate Headquarters: 55 Almaden Blvd., Suite 500, San Jose, CA 95113 USA. Tel +1.800.379.4944, Tel +1.408.494.2020
European Headquarters: Berkshire, UK. Tel +44.0.1344.312.600
Japan Headquarters: Tokyo, Japan. Tel +81.3.5339.6310
Asia/Pacific Headquarters: Wan Chai, Hong Kong. Tel +852.2598.9280
Worldwide, 24/7 Support: Tel +1.800.700.8328, Tel +1.651.628.1500

2008 Secure Computing Corporation. All Rights Reserved. Secure Computing, SafeWord, Sidewinder, Sidewinder G2, Sidewinder G2 Firewall, SmartFilter, Type Enforcement, CipherTrust, IronMail, IronIM, SofToken, Enterprise Strong, Mobile Pass, G2 Firewall, PremierAccess, SecureSupport, SecureOS, Bess, Cyberguard, SnapGear, Total Stream Protection, Webwasher, Strikeback and Web Inspector are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. Secure Computing CommandCenter, G2 Enterprise Manager, SmartReporter, SecurityReporter, Application Defenses, Central Management Control, RemoteAccess, SecureWire, TrustedSource, On-Box, Securing connections between people, applications and networks and Access Begins with Identity are trademarks of Secure Computing Corporation. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form by any means without the written permission of Secure Computing Corporation.