Web Security Firewall Setup. Administrator Guide




Web Security Firewall Setup Guide
Documentation version: 1.0

Legal Notice

Copyright 2013 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com

Clients are advised to seek specialist advice to ensure that they use the Symantec services in accordance with relevant legislation and regulations. Depending on jurisdiction, this may include (but is not limited to) data protection law, privacy law, telecommunications regulations, and employment law. In many jurisdictions, it is a requirement that users of the service are informed of or required to give consent to their email being monitored or intercepted for the purpose of receiving the security services that are offered by Symantec. Due to local legislation, some features that are described in this documentation are not available in some countries.

Configuration of the Services remains your responsibility and entirely in your control. In certain countries it may be necessary to obtain the consent of individual personnel. Symantec advises you to always check local legislation prior to deploying a Symantec service. You should understand your company's requirements around electronic messaging policy and any regulatory obligations applicable to your industry and jurisdiction. Symantec can accept no liability for any civil or criminal liability that may be incurred by you as a result of the operation of the Service or the implementation of any advice that is provided hereto.

The documentation is provided "as is" and all express or implied conditions, representations, and warranties, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement, are disclaimed, except to the extent that such disclaimers are held to be legally invalid. Symantec Corporation shall not be liable for incidental or consequential damages in connection with the furnishing, performance, or use of this documentation. The information that is contained in this documentation is subject to change without notice. Symantec may at its sole option vary these conditions of use by posting such revised terms to the website.

Technical support

If you need help on an aspect of the security services that is not covered by the online Help or administrator guides, contact your IT administrator or Support team. To find your Support team's contact details in the portal, click Support > Contact us.

Contents

Technical support ... 3

Chapter 1 Introduction to firewall configuration ... 7
  Firewall rules for web browsing ... 7
  Firewall access for the CSP ... 8
  Other guidance on Web Security ... 9
  Support on firewalls ... 9

Chapter 2 Cisco firewall ... 11
  Cisco: DNS configuration ... 11
  Cisco: setting up the HTTP proxy ... 11

Chapter 3 Juniper firewall ... 13
  Juniper: configuring a custom service ... 13
  Juniper: configuring policies ... 13

Chapter 4 ISA Server ... 15
  Configuring a custom service for Microsoft ISA Server ... 15
  Configuring rules for Microsoft ISA server ... 16

Chapter 5 SonicWall ... 19
  Creating a custom service for SonicWall ... 19
  Configuring rules for SonicWall ... 19


Chapter 1 Introduction to firewall configuration

This chapter includes the following topics:
  Firewall rules for web browsing
  Firewall access for the CSP
  Other guidance on Web Security
  Support on firewalls

Firewall rules for web browsing

If you set up Web Security to route through us using the Client Site Proxy, or directly on port 3128, the rules in the following table are required for web browsing. In the table, the proxy address is shown as [Proxy Address] and the Port is shown as [Port]. Replace these entries with the proxy details included in your provisioning documentation.

Note: If you connect to Web Security using Smart Connect, you may work in an OFFLAN status. This type of connection requires communication with our NED and Web proxies on port 443 and port 80. To avoid your users bypassing our service and routing directly, we recommend one of the following methods. Either lock down outbound traffic on port 80 and port 443 to our IP ranges, or lock down your Group Policy to only use Smart Connect.

Table 1-1 Firewall rules required for web browsing

Source      Destination      Service                          Action  Notes
Client PCs  [Proxy Address]  [Port]                           Allow   All web traffic is directed to one address on the Internet: that of Web Security.
Client PCs  Internet         Web browsing (port 80)           Block   If port 80 traffic is permitted access, a user can possibly bypass the protection and control that Web Security provides.
Client PCs  Internet         Secure web browsing (port 443)   Block   This assumes that client PCs are set up to use the same proxy server as normal web browsing for these services, so the well-known ports for these services can be blocked.
                             FTP (ports 20 and 21)
Client PCs  Internet         DNS                              Allow   DNS requests are resolved in the normal way.

Firewall access for the CSP

The standalone Client Site Proxy (CSP) is simple to install and configure. Note the following:
  The CSP should be secured behind a firewall.
  The CSP needs to be a member of the domain against which the users will be authenticated.
  All workstations that want to use the CSP must be able to access the server.

The CSP server needs to have the following access to the Internet. These ports may need to be allowed on your firewall. In the table, the proxy address is shown as [Proxy Address] and the Port is shown as [Port]. Replace these entries with the proxy details included in your provisioning documentation.

Port         Service                        Destination
53/TCP,UDP   DNS (Domain Name System)       Allow to all external addresses.
[Port]/TCP   HTTP used by [Proxy Address]   Only allow Web Security IP ranges. See your provisioning documentation for this information.

The CSP server must also be able to resolve names on the Internet. Ensure that the DNS settings are correct; these can be obtained from your Internet service provider.

Other guidance on Web Security

These help topics provide further guidance on the Web Security Services.

Table 1-2 Help on Web Security

Help page (click to open the help page):
  Web Security Configuration
  Smart Connect Deployment
  Web Firewall Configuration
  Web Security Deployment

Support on firewalls

We provide help for you to configure the following firewalls:
  Cisco
  Juniper
  Microsoft ISA Server
  SonicWall

The Support team cannot assist in configuring these firewall devices. For support on these systems, contact your usual third-party vendor.
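The client rules of Table 1-1 and the CSP egress rules above, modelled as a first-match policy so that rule ordering and the port-80 bypass the table warns about can be checked before the vendor chapters are applied. This is an added example, not part of the Symantec guide; the proxy address, port, Web Security range, client LAN, CSP address and external host are constructed placeholders standing in for the values in your provisioning documentation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholders for the values your provisioning documentation supplies.
PROXY_ADDRESS = "203.0.113.10"                        # [Proxy Address]
PROXY_PORT = 3128                                     # [Port]
WEB_SECURITY_RANGES = [ip_network("203.0.113.0/24")]  # Web Security IP ranges
CLIENT_LAN = ip_network("10.0.0.0/8")                 # constructed: the client PC network
CSP_SERVER = ip_network("10.0.0.5/32")                # constructed: the CSP server address
INTERNET_HOST = "198.51.100.7"                        # constructed: an arbitrary external host


@dataclass
class Rule:
    name: str
    src: object                 # ip_network the source address must fall in
    dst: object                 # "any" or a list of ip_network objects
    proto: str                  # "tcp", "udp" or "any"
    ports: Optional[frozenset]  # destination ports; None means any port
    action: str                 # "allow" or "block"


def evaluate(rules, src, dst, proto, port):
    """First-match, top-to-bottom evaluation with an implicit default deny,
    which is how the vendor policies in this guide are expected to behave."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        dst_ok = r.dst == "any" or any(dst in net for net in r.dst)
        if (src in r.src and dst_ok and r.proto in ("any", proto)
                and (r.ports is None or port in r.ports)):
            return r.action, r.name
    return "block", "default-deny"


def client_rules(direct_http_action="block"):
    """Table 1-1.  The action of the pre-existing 'allow HTTP' rule is a
    parameter so the bypass the table warns about can be demonstrated."""
    return [
        Rule("proxy", CLIENT_LAN, [ip_network(PROXY_ADDRESS + "/32")], "tcp",
             frozenset({PROXY_PORT}), "allow"),
        Rule("dns", CLIENT_LAN, "any", "any", frozenset({53}), "allow"),
        Rule("http-direct", CLIENT_LAN, "any", "tcp", frozenset({80}), direct_http_action),
        Rule("https-ftp-direct", CLIENT_LAN, "any", "tcp", frozenset({443, 20, 21}), "block"),
    ]


def csp_rules():
    """Egress the CSP server needs: DNS to all external addresses, and the
    proxy port only towards the Web Security IP ranges."""
    return [
        Rule("csp-dns", CSP_SERVER, "any", "any", frozenset({53}), "allow"),
        Rule("csp-proxy", CSP_SERVER, WEB_SECURITY_RANGES, "tcp", frozenset({PROXY_PORT}), "allow"),
    ]


def direct_web_bypass_possible(rules, client="10.0.0.20"):
    """True if a client PC can reach an Internet host directly on port 80 or
    443, i.e. without passing through Web Security."""
    return any(evaluate(rules, client, INTERNET_HOST, "tcp", p)[0] == "allow"
               for p in (80, 443))


if __name__ == "__main__":
    for label, rules in (("legacy allow-HTTP rule kept", client_rules("allow")),
                         ("HTTP rule changed to Deny", client_rules())):
        print(f"{label}: bypass possible = {direct_web_bypass_possible(rules)}")
    print("CSP -> proxy:", evaluate(csp_rules(), "10.0.0.5", PROXY_ADDRESS, "tcp", PROXY_PORT))
    print("CSP -> other host on proxy port:",
          evaluate(csp_rules(), "10.0.0.5", INTERNET_HOST, "tcp", PROXY_PORT))
```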


Chapter 2 Cisco firewall

This chapter includes the following topics:
  Cisco: DNS configuration
  Cisco: setting up the HTTP proxy

Cisco: DNS configuration

You need to configure the Domain Name System on the Cisco Wide Area Application Engine/Content Engine for use with Web Security.

To configure DNS
1. Log on to the Content Engine in the usual way. The initial screen looks like this. The Content Engine must be able to resolve Internet names.
2. Select System > DNS.
3. Enter the addresses of your DNS servers and click Update. Optionally, enter the name of the local domain.

Note: For further support on this firewall, contact Cisco directly (http://www.cisco.com/) or your usual reseller.

Cisco: setting up the HTTP proxy

You need to define HTTP proxy settings for the Cisco Wide Area Application Engine/Content Engine.

To set up the HTTP proxy
1. Select Caching > HTTP Proxy.
2. Set Enable Incoming HTTP Proxy to On and enter the port(s) that browsers in your organization will use to connect to it in the box labeled Incoming HTTP Proxy Port List.
3. Enable the Outgoing HTTP Proxy and enter proxy.webscanningservice.com on port 3128. Click Update.
4. Enable the HTTPS Proxy and enter proxy.webscanningservice.com on port 3128. Click Update.
5. Enable the FTP Proxy and enter proxy.webscanningservice.com on port 3128. Click Update. The Content Engine configuration is complete.
6. Configure your browser to use the Content Engine as the proxy, then test correct operation.
7. Use Reporting > Performance to confirm that requests travel through the Content Engine.

Note: For further support on this firewall, contact Cisco directly (http://www.cisco.com/) or your usual reseller.

Chapter 3 Juniper firewall

This chapter includes the following topics:
  Juniper: configuring a custom service
  Juniper: configuring policies

Juniper: configuring a custom service

Before configuring the policies in Juniper, create a new custom service on the Juniper NetScreen firewall for use with Web Security.

To configure a custom service
1. On the left menu, select Objects > Services > Custom.
2. Select New (at the top right of the screen) to set up a new custom service.
3. Name it Web Security Services (or another name of your choice), and configure it on TCP Destination Port 3128.
4. Select OK and the new custom service will be listed.

Note: For further support on this firewall, contact Juniper directly (http://www.juniper.net/) or your usual reseller.

Juniper: configuring policies

Configure policies for the Juniper NetScreen firewall. Before configuring your policies, first create a new custom service for Juniper. See Juniper: configuring a custom service on page 13.

To configure policies
1. On the left menu, select Policies.
2. Select Add (at the top right of the screen) to set up a new policy.
3. Name the new policy Permit Web Access.
4. Set Source Address > Address Book Entry > Trusted Addresses.
5. Set Destination Address > Address Book Entry > 0.0.0.0/32 using the custom service Web Security Services that you have created for Juniper.
6. Select OK and the policy is shown in the list.
7. You probably already had a policy to Allow normal Web access using HTTP (on port 80). You can now select this policy and change its action to Deny that traffic. All normal Web browsing is now accessed using Web Security on port 3128. This Deny rule will now be listed.

Further policies and actions:
  Secure Web browsing (on port 443) is normally allowed using a separate rule. This rule can now be selected, and changed to Deny that traffic. All secure Web browsing will now be accessed using Web Security on port 3128.
  FTP is normally allowed using a separate rule. This rule can now be selected, and changed to Deny that traffic. All normal FTP downloads will now be accessed using Web Security on port 3128.
  Configure the Web Security service in the portal.

Note: For further support on this firewall, contact Juniper directly (http://www.juniper.net/) or your usual reseller.

Chapter 4 ISA Server

This chapter includes the following topics:
  Configuring a custom service for Microsoft ISA Server
  Configuring rules for Microsoft ISA server

Configuring a custom service for Microsoft ISA Server

To configure Microsoft ISA Server (Internet Security and Acceleration Server) for use with Web Security, first you must create a new custom service. Use the New Protocol Definition wizard to set up the new custom service.

Note: The configuration described here concerns the firewall capabilities of the Microsoft server, while setting the client PCs to proxy directly to the Web Security servers. Refer to the Client Site Proxy Administrator Guide for configuration details when using the upstream proxy capabilities of the ISA server.

To configure a custom service
1. On the left menu, select Firewall Policy.
2. In the right pane, select Toolbox > Common Protocols.
3. Select New > Protocol. This will trigger the New Protocol Definition Wizard.
4. Name the service Web Security Services (or another name of your choice) and select Next.
5. Select New to define the port range to be used for this service.
6. Set up the service on TCP port 3128. Select OK.

7. Select Next. No secondary connection will be used.
8. Select Next. The service configuration should appear as below.
9. Select Finish to complete the wizard.
10. Select Apply to save the changes. You can now configure the firewall rules.

Note: For support on this server, contact Microsoft directly (http://www.microsoft.com/) or your usual reseller.

Configuring rules for Microsoft ISA server

Before configuring your rules, first create a new custom service for Microsoft ISA server. See Configuring a custom service for Microsoft ISA Server on page 15.

To configure rules
1. On the left menu, select Firewall Policy.
2. In the right pane, select Create New Access Rule. This will trigger the New Access Rule wizard.
3. Name the access rule Permit Web Access (or another name of your choice) and select Next. This rule will be used to Allow the specified traffic.
4. Select Next. The rule will be applied to Selected Protocols only.
5. Select Add.
6. Select User-Defined > Web Security Services (i.e. the protocol set up for the new custom service you have created), and then click Add. The Web Security Services protocol will be listed.
7. Select Next.
8. Select Add to specify the source of the traffic.

9. Select Networks > Internal > Add. The 'Internal' network will be listed.
10. Select Next.
11. Set up the access rule Destination in the same way: select Add > Networks > External > Add > Next. This rule will be applied to All Users.
12. Select Next. The access rule configuration should appear as below.
13. Select Finish to complete the wizard.
14. Select Apply to save the changes. The new rule will be shown in the Firewall Policy list.

You will also need to ensure that a rule is in place to enable DNS, before being able to browse the Web.

You probably already had a rule to allow normal Web access using HTTP (on port 80). This rule can now be selected and changed to Deny that traffic. All normal Web browsing will now be accessed using Web Security on port 3128.

Further rules to consider:
  Secure Web browsing (on port 443) will normally be allowed using a separate rule. This rule can now be selected, and changed to Deny that traffic. All secure Web browsing will now be accessed using Web Security on port 3128.
  FTP will normally be allowed using a separate rule. This rule can now be selected, and changed to Deny that traffic. All normal FTP downloads will now be accessed using Web Security on port 3128.


Chapter 5 SonicWall

This chapter includes the following topics:
  Creating a custom service for SonicWall
  Configuring rules for SonicWall

Creating a custom service for SonicWall

Before configuring the rules in SonicWall, create a new custom service on the SonicWall firewall.

To configure a custom service
1. On the left menu, select Firewall > Services.
2. Under Custom Services, select Add to set up a new custom service using TCP protocol on port 3128. Name it Web Security Services (or another name of your choice).
3. Select OK and the new service will be listed under Custom Services.

Note: For support on this firewall, contact SonicWall directly (http://www.sonicwall.com/), or your usual reseller.

Configuring rules for SonicWall

Before configuring your rules, first create a new custom service for SonicWall. See Creating a custom service for SonicWall on page 19.

To configure rules
1. On the left menu, select Firewall > Access Rules.
2. Select Add, and set up a new rule to allow access from your network using the custom service (Web Security) that you have created.
3. Select OK and the rule will be shown in the list. You will also need to ensure that a rule is in place to enable DNS, before being able to browse the Web.
4. You probably already had a rule to Allow normal Web access using HTTP (on port 80). This rule can now be selected, and changed to Deny that traffic. All normal Web browsing will now be accessed using Web Security on port 3128. This Deny rule will now be listed.

Further rules to consider:
  Secure Web browsing (on port 443) will normally be allowed using a separate rule. This rule can now be selected, and changed to Deny that traffic. All secure Web browsing will now be accessed using Web Security on port 3128.
  FTP will normally be allowed using a separate rule. This rule can now be selected, and changed to Deny that traffic. All normal FTP downloads will now be accessed using Web Security on port 3128.

Note: For support on this firewall, contact SonicWall directly (http://www.sonicwall.com/), or your usual reseller.