Smoothwall Guardian Secure Web Gateway User Manual
Below you will find brief information for Guardian. It is a web content filter, which analyzes, understands and categorizes web content requested by your users. Guardian stops objectionable content, increases employee productivity, provides web security, malware protection and user authentication.
Secure Web Gateway
Guardian
Installation and Administration Guide

For future reference
Guardian serial number:
Date installed:
Smoothwall contact:

Smoothwall® Guardian, Installation and Administration Guide, March 2015

Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Guardian.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Smoothwall.

For more information, contact: [email protected]

© 2001 – 2015 Smoothwall Ltd. All rights reserved.

Trademark notice

Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd. Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation.

All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries.
Acknowledgements

Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S. Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor.

Guardian contains graphics taken from the Open Icon Library project http://openiconlibrary.sourceforge.net/

Address: Smoothwall Limited, 1 John Charles Way, Leeds. LS12 6QA, United Kingdom
Email: [email protected]
Web: www.smoothwall.net

Telephone
USA and Canada: 1 800 959 3760
United Kingdom: 0870 1 999 500
All other countries: +44 870 1 999 500

Fax
USA and Canada: 1 888 899 9164
United Kingdom: 0870 1 991 399
All other countries: +44 870 1 991 399

Contents

About This Guide
    Audience and Scope
    Organization and Use
    Conventions
    Related Documentation
Chapter 1 Introducing Guardian
    About Guardian
Chapter 2 Installing Guardian
    Before Installing
    Installing Guardian
        Getting the Latest Blocklists
        Deploying a Web Security Policy
        Trying to Access a Blocked Site
    Guardian
        Quick Links
        Web Filter Policies
        HTTPS Inspection Policies
        Content Modification Policies
        Anti-malware Policies
        Block Page Policies
        Policy Objects
    Web Proxy
        Web Proxy
        Upstream Proxy
        Authentication
        MobileProxy
        Global Proxy
Chapter 3 Deploying Web Filtering
    Getting Up and Running
        Blocking and Allowing Content Immediately
        Blocking Locations
        Excepting Computers from Web Filtering
        About Shortcuts
    About Guardian’s Default Policies
        About the Default Web Filter Policies
        About the Default Authentication Policies
Chapter 4 Managing Web Security
    Overview of the Web Proxy
        Global Options
        Advanced Web Proxy Settings
    Using PAC Scripts
        Using a Built-in Script
        Using a Custom Script
        Managing the Configuration Script
    Limiting Bandwidth Use
        Ordering Bandwidth Limiting Policies
        Editing Bandwidth Limiting Policies
        Deleting Bandwidth Limiting Policies
    Configuring WCCP
    Managing Upstream Proxies
        Overview
        Configuring an Upstream Proxy
        Configuring Source and Destination Filters
        Using a Single Upstream Proxy
        Working with Multiple Upstream Proxies
    Managing Blocklists
        Viewing Blocklist Information
        Manually Updating Blocklists
    Managing Block Pages
        About the Default Block Page
        Customizing the Default Block Page
        Using a Custom HTML Template
        Using an External Block Page
        Configuring a Block Page Policy
        Managing Block Page Policies
        Working with Block Pages
Chapter 5 Working with Policies
    An Overview of Policies
        Types of Policies
        How Policies are Applied
        Guardian Getting Started
    Working with Category Group Objects
        Creating Category Group Objects
        Creating Custom Categories
        Editing Category Group Objects
        Deleting Category Group Objects
    Working with Time Slot Objects
        Creating a Time Slot
        Editing a Time Slot
        Deleting a Time Slot
    Working with Location Objects
        Creating a Location Object
        Editing Location Objects
        Deleting Location Objects
    Working with Quota Objects
        About the Default Quota Object
        Creating Quota Objects
        Editing Quota Objects
        Deleting Quota Objects
    Managing Web Filter Policies
        Creating Web Filter Policies
        Editing Web Filter Policies
        Deleting Web Filter Policies
    Managing HTTPS Inspection Policies
        Enabling HTTPS Inspection Policies
        Creating an HTTPS Inspection Policy
        Editing HTTPS Inspection Policies
        Deleting HTTPS Inspection Policies
        Configuring HTTPS Inspection Policy Settings
        Clearing the Generated Certificate Cache
    Managing Content Modification Policies
        Creating a Content Modification Policy
        Editing Content Modification Policies
        Deleting Content Modification Policies
        Creating Custom Content Modification Policies
    Managing Anti-malware Policies
        Creating an Anti-malware Policy
        Configuring Anti-malware Protection
        Configuring Anti-malware Status Information
        Editing Anti-malware Policies
        Deleting Anti-malware Policies
    Using the Policy Tester
        Other Ways of Accessing the Policy Tester
    Working with Policy Folders
        Creating a Policy Folder
        Editing Policy Folders
        Deleting Policy Folders
    Censoring Web Form Content
Chapter 6 Managing Authentication Policies
    About Authentication Policies
    Creating Authentication Policies
        Creating Non-transparent Authentication Policies
        Creating Transparent Authentication Policies
    Managing Authentication Policies
        Editing Authentication Policies
        Deleting Policies
    Managing Authentication Exceptions
    Identification by Location
    Using Global Proxy Certificates
        Using Multiple, Distinct Proxies
        Using an Unsecured Proxy
        Viewing the Global Proxy Logs
    Connecting to Guardian
        About Non-transparent Connections
        About Transparent Connections
    Authentication Scenarios
        New Content Filtering – Changing the Listening Port
        Providing Filtered Web Access to the Public
        Requiring Authentication to Browse the Web
        Using Multiple Authentication Methods
        Controlling an Unruly Class
Chapter 7 Guardian Alerts, Logs and Reports
    About Guardian Alerts
    Web Filter Logs
        Configuring Web Filter Logs
        Monitoring Log Activity in Realtime
        Searching for and Filtering Information
        Exporting Data
    Guardian Reports
Chapter 8 Working with MobileProxy
    About MobileProxy
    Enabling and Configuring MobileProxy
        Configuring MobileProxy Servers
        Managing MobileProxy Servers
    Generating Client Keys
    Generating Server Keys
        Installing a Server Key on the MobileProxy Server
    Configuring MobileProxy User Credentials
Index

About This Guide

Smoothwall’s Guardian is a licensed feature of your Smoothwall System. This manual provides guidance for configuring Guardian.

Audience and Scope

This guide is aimed at system administrators maintaining and deploying Guardian. This guide assumes the following prerequisite knowledge:

• An overall understanding of the functionality of the Smoothwall System
• An overall understanding of networking concepts

Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, contact your Smoothwall representative.

Organization and Use

This guide is made up of the following chapters and appendices:

• Chapter 1, Introducing Guardian on page 3
• Chapter 2, Installing Guardian on page 5
• Chapter 3, Deploying Web Filtering on page 13
• Chapter 4, Managing Web Security on page 19
• Chapter 5, Working with Policies on page 47
• Chapter 6, Managing Authentication Policies on page 85
• Chapter 7, Guardian Alerts, Logs and Reports on page 105
• Chapter 8, Working with MobileProxy on page 111
• Index on page 117

Conventions

The following typographical conventions are used in this guide:

| Item | Convention | Example |
|---|---|---|
| Key product terms | Initial Capitals | Guardian, Smoothwall System |
| Menu flow, and screen objects | Bold | System > Maintenance > Shutdown; Click Save |
| Cross-references | Blue text | See Chapter 1, Introducing Guardian on page 3 |
| References to other guides | Italics | Refer to the Guardian Administration Guide |
| Filenames and paths | Courier | The portal.xml file |
| Variables that users replace | Courier Italics | http://<my_ip>/portal |
| Links to external websites | Blue text, underlined | Refer to http://www.smoothwall.net/support |
| Smoothwall System | This may be one of: Advanced Firewall, Unified Threat Management, Network Guardian, Secure Web Gateway, depending on the license purchased | |

This guide is written in such a way as to be printed on both sides of the paper.

Related Documentation

The following guides provide additional information relating to Guardian:

• Guardian Upgrade Guide, which describes how to upgrade to Guardian from SmoothGuardian
• http://www.smoothwall.net/support contains the Smoothwall support portal, knowledge base and the latest product manuals.

Chapter 1 Introducing Guardian

This chapter introduces the Guardian feature of Secure Web Gateway, including:

• About Guardian on page 3

About Guardian

Guardian is an intelligent web content filter which dynamically analyzes, understands and categorizes all web content requested by your users. Guardian:

• Dynamically stops objectionable content
• Can help increase employee productivity
• Provides web security and malware protection
• Has comprehensive reporting functionality
• Provides user authentication

Chapter 2 Installing Guardian

This chapter describes how to install Guardian, and introduces Guardian features, including:

• Before Installing on page 5
• Installing Guardian on page 5
• Guardian on page 7
• Web Proxy on page 9

Before Installing

You install Guardian by adding it to your existing Smoothwall System. Before installing, you should check your system is up-to-date.

To check for updates:

1. Start a web browser, browse to your Smoothwall System, authenticate yourself and navigate to the System > Maintenance > Updates page.
2. Click Refresh updates list to check that you have all the latest updates installed on your Smoothwall System.
3. If there are any updates available, download and install them. For more information, refer to your Smoothwall System’s Administration Guide.

Installing Guardian

After checking that you have the latest updates installed, you are ready to install Guardian.

To install Guardian:

1. Browse to System > Maintenance > Modules.
2. In the Available modules list, select Guardian and click Install. Your Smoothwall System installs Guardian.
3. Navigate to the System > Maintenance > Shutdown page.
4. Select Immediately and click Reboot.
5. After your Smoothwall System has rebooted, re-authenticate yourself and log in again.

You are now ready to start configuring and using Guardian.

Getting the Latest Blocklists

Blocklists are groups of settings which are updated on a regular basis by Smoothwall to maintain Guardian’s list of undesirable, inappropriate or objectionable content.

To update blocklists:

1. Browse to System > Maintenance > Licenses.
2. In the Blocklist subscriptions area, click Update. The latest blocklists are downloaded and installed.

Deploying a Web Security Policy

By default, Guardian comes with a comprehensive web security policy in place. There are several ways of deploying this policy on users’ workstations, all of which are described in this guide. In this section, we explain the quickest way to deploy the policy for review and testing purposes.

Note: The following steps explain how to deploy the default web security policy on a user’s workstation with Internet Explorer 10 installed as the web browser.

To deploy the policy:

1. Start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings and in the Proxy server area, select Use a proxy server for your LAN …
3. Enter your Guardian's IP address and port number 800.
4. Click Advanced to access more settings. In the Exceptions area, enter Guardian’s IP address and any other IP addresses to content that you do not want filtered, for example, your intranet or local wiki.
5. Click OK, OK and OK to save the settings.

Trying to Access a Blocked Site

As part of its default acceptable usage policy, Guardian blocks access to many popular social networking sites, including http://www.myspace.com/. By trying to access this site, you can see Guardian’s default block page.

To try and access a blocked site:

1. Deploy the default web security policy by configuring Internet Explorer to use Guardian as its proxy server.
2. In Internet Explorer, enter: http://www.myspace.com/
   Guardian blocks access to the site and displays the block page.
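
The browser settings from Deploying a Web Security Policy above (Guardian on port 800, with exceptions for Guardian's own address and unfiltered internal content) can also be written as a proxy auto-configuration (PAC) file. The following is an added example, not taken from this guide or from Guardian's built-in scripts; the IP addresses, host names and helper functions are constructed placeholders. It returns no DIRECT fallback for filtered traffic, so a client does not silently bypass filtering when the proxy is unreachable.

```javascript
// Added example PAC file. All addresses and names are constructed placeholders.
// Written with "var" and plain loops so older PAC engines can evaluate it.
var GUARDIAN_IP = "192.0.2.10";  // assumption: your Guardian's IP address
var GUARDIAN_PORT = 800;         // non-transparent proxy port used in this guide

// Assumption: internal content that should not be filtered (intranet, wiki).
var BYPASS_HOSTS = ["intranet.example.test", "wiki.example.test"];
var BYPASS_NETS = ["198.51.100.0/24"];  // IPv4 literal hosts in these ranges

// Convert a dotted-quad IPv4 string to a number, or return -1 if invalid.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// True when host is an IPv4 literal inside the given CIDR range.
function inCidr(host, cidr) {
  var parts = cidr.split("/");
  var ip = ipv4ToInt(host);
  var base = ipv4ToInt(parts[0]);
  var bits = parseInt(parts[1], 10);
  if (ip < 0 || base < 0 || isNaN(bits) || bits < 0 || bits > 32) return false;
  var size = Math.pow(2, 32 - bits);  // number of addresses in the range
  return Math.floor(ip / size) === Math.floor(base / size);
}

// Exact, case-insensitive matching only: a look-alike name such as
// "intranet.example.test.other.example" must not inherit the exception.
function isBypassed(host) {
  var h = String(host).toLowerCase();
  var i;
  if (h === GUARDIAN_IP) return true;  // Guardian's own address goes direct
  for (i = 0; i < BYPASS_HOSTS.length; i++) {
    if (h === BYPASS_HOSTS[i]) return true;
  }
  for (i = 0; i < BYPASS_NETS.length; i++) {
    if (inCidr(h, BYPASS_NETS[i])) return true;
  }
  return false;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  if (isBypassed(host)) return "DIRECT";
  // No "; DIRECT" fallback: if Guardian is down, requests fail rather than
  // leaving the network unfiltered.
  return "PROXY " + GUARDIAN_IP + ":" + GUARDIAN_PORT;
}
```

Keep the bypass list as short as the manual exceptions list would be, since every entry is traffic Guardian never sees.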

For full information on working with Guardian and how to customize a web security policy to suit your organization, see Chapter 5, Working with Policies on page 47.

3. Click Save to save the settings.

You access Guardian through your Smoothwall System’s administrative user interface. The following sections provide an overview of Guardian’s default sections and pages.

Guardian

The Guardian section contains the following sub-sections and pages:

Quick Links

The most commonly used Guardian functions are found here:

| Page | Description |
|---|---|
| Getting started | This page provides an overview of what comprises a web filter policy, a link to the default policies and an introduction to policy wizards. For more information, see Guardian Getting Started on page 50. |
| Shortcuts | This page provides direct links to tasks you might do on a daily basis, such as blocking and allowing sites and running reports. For more information, see About Shortcuts on page 17. |
| Quick block/allow | This page enables you to block or allow content immediately. For more information, see Blocking and Allowing Content Immediately on page 14. |
| Policy tester | The policy tester enables you to test whether a URL is available to a specific person at a specific location and time. For more information, see Using the Policy Tester on page 77. |

Web Filter Policies

You configure web filter policies here:

| Pages | Description |
|---|---|
| Manage policies | This is where you manage how web filtering policies are applied. For more information, see Managing Web Filter Policies on page 59. |
| Policy wizard | This is where you can configure a custom web filtering policy. For more information, see Creating Web Filter Policies on page 60. |
| Location blocking | Enables you to block computers at a specific location from accessing web content. For more information, see Blocking Locations on page 14. |
| Exceptions | Here you can exempt computers from any web filtering. For more information, see Excepting Computers from Web Filtering on page 14. |
| Outgoing | This is where you configure outgoing settings for a censor policy for content and/or files posted using web forms. For more information, see Censoring Web Form Content on page 81. |

HTTPS Inspection Policies

You can configure HTTPS inspection policies here:

| Pages | Description |
|---|---|
| Manage policies | This is where you manage HTTPS inspection policies that decrypt and inspect encrypted communications. For more information, see Managing HTTPS Inspection Policies on page 63. |
| Policy wizard | This is where you create custom policies for managing encrypted communications. For more information, see Creating an HTTPS Inspection Policy on page 64. |
| Settings | This is where you manage CA security certificates and configure HTTPS interception messages. For more information, see Configuring HTTPS Inspection Policy Settings on page 67. |

Content Modification Policies

You can configure content modification policies here:

| Pages | Description |
|---|---|
| Manage policies | This is where you manage content modification policies that apply recommended security rules and enforce SafeSearch in browsers. For more information, see Managing Content Modification Policies on page 69. |
| Policy wizard | Enables you to create custom policies for applying security rules and enforcing SafeSearch in browsers. For more information, see Creating a Content Modification Policy on page 69. |
| Content modifications | Create and manage content modification policies. For more information, see Managing Content Modification Policies on page 69. |

Anti-malware Policies

You can configure anti-malware policies here:

| Pages | Description |
|---|---|
| Manage policies | This is where you manage policies that protect against malware. For more information, see Managing Anti-malware Policies on page 73. |
| Policy wizard | This is where you can create custom policies to protect against malware. For more information, see Creating an Anti-malware Policy on page 73. |
| Status page | Enables you to customize anti-malware information shown when downloading files. For more information, see Configuring Anti-malware Status Information on page 76. |
| Settings | This is where you enable malware protection. For more information, see Creating an Anti-malware Policy on page 73. |

Block Page Policies

You can configure block page policies here:

| Pages | Description |
|---|---|
| Manage policies | This is where you manage block page policies. For more information, see Managing Block Page Policies on page 44. |
| Policy wizard | This is where you create and edit block page policies. For more information, see Configuring a Block Page Policy on page 43. |
| Block pages | This is where you create and edit block pages. For more information, see Managing Block Pages on page 39. |

Policy Objects

You can configure global policy objects to be used in any Guardian policy:

| Pages | Description |
|---|---|
| Category groups | This is where you manage content categories used when applying a web filtering policy. For more information, see Working with Category Group Objects on page 51. |
| User defined | This is where you manage custom content categories. For more information, see Creating Custom Categories on page 52. |
| Time slots | This is where you create and manage time slot policy objects for use in content filtering policies. For more information, see Working with Time Slot Objects on page 54. |
| Locations | This is where you create and manage location policy objects for use in content filtering policies. For more information, see Working with Location Objects on page 55. |
| Quotas | This is where you create and manage quota policy objects for use in content filtering policies. For more information, see Working with Quota Objects on page 57. |

Web Proxy

The Web proxy section contains the following sub-sections and pages:

Web Proxy

You can manage the web proxy service here:

| Pages | Description |
|---|---|
| Settings | This is where you configure and manage web proxy settings. For more information, see Overview of the Web Proxy on page 20. |
| Automatic configuration | This is where you create and make available proxy auto-configuration (PAC) scripts. For more information, see Using PAC Scripts on page 24. |
| Bandwidth limiting | This is where you can manage how much bandwidth is made available to clients. For more information, see Limiting Bandwidth Use on page 26. |
| WCCP | This is where you can configure Guardian to join a Web Cache Coordination Protocol (WCCP) cache engine cluster. For more information, see Configuring WCCP on page 28. |

Upstream Proxy

You can manage the upstream proxy service here:

| Pages | Description |
|---|---|
| Manage policies | This is where you manage upstream proxy policies. For more information, see Working with Multiple Upstream Proxies on page 36. |
| Proxies | This is where you configure upstream proxy settings. For more information, see Configuring an Upstream Proxy on page 31. |
| Filters | This is where you manage upstream proxy source and destination filters. For more information, see Configuring Source and Destination Filters on page 33. |

Authentication

You can manage web proxy authentications here:

| Pages | Description |
|---|---|
| Manage policies | This is where you manage authentication policies which determine which web filter policies are applied. For more information, see Chapter 6, Managing Authentication Policies on page 85. |
| Policy wizard | This is where you create and edit authentication policies. For more information, see Creating Authentication Policies on page 86. |
| Exceptions | This is where you can exempt content from authentication. For more information, see Managing Authentication Exceptions on page 97. |
| Ident by location | This is where you configure identification of groups and/or users by their location. For more information, see Identification by Location on page 97. |

MobileProxy

You can manage the MobileProxy service here:

| Pages | Description |
|---|---|
| Settings | On this page, you configure global MobileProxy server settings. For more information, see Enabling and Configuring MobileProxy on page 112. |
| Proxies | On this page, you manage MobileProxy servers for use with mobile devices. For more information, see Configuring MobileProxy Servers on page 112. |
| Exceptions | On this page, you specify proxy exceptions. For more information, see Configuring MobileProxy Servers on page 112. |

Global Proxy

The Global Proxy section contains the following sub-sections and pages:

| Pages | Description |
|---|---|
| Settings | Used to configure Secure Global Proxy. For more information, see Using Global Proxy Certificates on page 98. |
| Certificate activity | Used to view the Secure Global Proxy logs. For more information, see Viewing the Global Proxy Logs on page 100. |

Chapter 3 Deploying Web Filtering

This chapter describes how to deploy Guardian’s web filter, including:

• Getting Up and Running on page 13
• About Guardian’s Default Policies on page 17

Getting Up and Running

By default, Guardian comes with a comprehensive set of web filter policies and an authentication policy which you can use immediately in order to protect your users and your organization. The following section explains how to use these policies to get web filtering up and running quickly.

Tip: Log in to our support portal and read about initial setup considerations, testing and refining filter settings and tips on content filtering.

To get up and running:

1. On users’ computers, configure the web browser to use port 800 on Guardian as the web proxy, that is, non-transparent proxying.
2. Navigate to the Web proxy > Web proxy > Settings page.
3. Check that the Guardian option is enabled.
4. Scroll to the bottom of the page and click Save and Restart. Guardian starts to provide web security.
5. On a user’s computer, browse to http://thepiratebay.se/
   Guardian blocks access to the site and displays a block page.

You can edit the default policies and create new policies to suit your organization. For more information, see Chapter 5, Working with Policies on page 47.

Blocking and Allowing Content Immediately

Guardian enables you to block or allow content immediately without having to create or edit a web filter policy.

To block or allow content immediately:

1. Browse to the Guardian > Quick links > Quick block/allow page.
2. Enter the URL to the content you want to block or allow.
3. Click Block or Allow depending on what you want. Guardian immediately blocks or allows the content and adds the URL to the appropriate custom blocked or allowed content lists.

Blocking Locations

Guardian enables you to block web-enabled resources at a specific location from accessing content.

To block a location:

1. Browse to the Guardian > Web filter > Location blocking page.
2. Locate the location and click Block. Guardian blocks any web-enabled resources at that location from accessing web content.

For more information about locations, see Chapter 5, Working with Location Objects on page 55.

Excepting Computers from Web Filtering

Guardian enables you to exempt specific computers from any web filtering. You can configure exceptions based on the source IP address or the destination IP address.

Configuring Source Exceptions

A source exception IP using a non-transparent connection will have unfiltered access to the Internet if configured to use port 801. A source exception IP going through an interface where transparent proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to Guardian.
A source exception IP using a transparent connection requires no client browser configuration. 14 Smoothwall Ltd Guardian Installation and Administration Guide Deploying Web Filtering To configure a source exception: 1. Browse to the Guardian > Web filter > Exceptions page. 2. In the Manage source exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. Guardian exempts the computer(s) from any web filtering. 15 Guardian Installation and Administration Guide Deploying Web Filtering Configuring Destination Exceptions A destination exception IP which goes through an interface where transparent proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to Guardian. To configure a destination exception: 16 1. Browse to the Guardian > Web filter > Exceptions page. 2. In the Manage destination exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. Guardian exempts the computer(s) from any web filtering. Smoothwall Ltd Guardian Installation and Administration Guide Deploying Web Filtering About Shortcuts Guardian provides a number of shortcuts to tasks you might carry out on a daily basis. To access the shortcuts: 1. Browse to the Guardian > Quick links > Shortcuts page. 2. Click on a link to be taken to the task’s page. About Guardian’s Default Policies The following sections discuss Guardian’s default web filtering and authentication policies. About the Default Web Filter Policies Guardian’s default web filtering default policies are: • Web filter policies – these policies allow users access to custom specified content, access to specific web sites at lunch time and Microsoft Windows updates. They also block core and custom specified undesirable content and adverts and enforce file security. To review this policy, browse to the Guardian > Web filter > Manage policies page. 
For information about customizing web filter policies, see Managing Web Filter Policies on page 59. • HTTPS inspection policies – these policies can be enabled to allow users to access online banking sites securely while inspecting encrypted traffic and checking security certificates. To review these policies, browse to the Guardian > HTTPS inspection > Manage policies page. For information about customizing HTTPS inspection policies, see Managing HTTPS Inspection Policies on page 63. • Content modification policies – these policies apply recommended security rules and force search engines to use SafeSearch functionality. To review these policies, browse to the Guardian > Content modification policies > Policy page. For information about customizing content modification policies, see Managing Content Modification Policies on page 69. • Anti-malware policy – this policy protects against malware and viruses. To review this policy, browse to the Guardian > Anti-malware > Manage policies page. For information on customizing anti-malware policies, see Managing Anti-malware Policies on page 73. 17 Guardian Installation and Administration Guide Deploying Web Filtering About the Default Authentication Policies Guardian comes with the following authentication policy ready for use: • 18 Non-transparent authentication policy – any user’s browser configured to use Guardian on port 800 as its web proxy will have this authentication policy applied to it. For information about creating more authentication policies, see Chapter 6, About Authentication Policies on page 85. 
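Each source or destination exception entry described earlier in this chapter removes hosts from all web filtering, so it is worth sizing the list before saving it. The following added example (not part of Guardian) parses the three entry formats the Exceptions page accepts and flags entries that cannot be parsed or that cover more addresses than a chosen limit; the function names, the limit of 256 and the last two sample entries are constructed for illustration.

```javascript
// Added example: sizes exception entries before they are saved.
// Entry formats follow the guide: single IP, IP range, IP with CIDR notation.

// Convert dotted-quad IPv4 text to an unsigned 32-bit number.
function ipToInt(ip) {
  var parts = ip.trim().split(".");
  if (parts.length !== 4) throw new Error("not an IPv4 address: " + ip);
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) {
      throw new Error("bad octet in: " + ip);
    }
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Parse one entry into an inclusive numeric range plus its host count.
function parseEntry(entry) {
  var text = entry.trim();
  var first, last;
  if (text.indexOf("/") !== -1) {
    var cidr = text.split("/");
    if (cidr.length !== 2 || !/^\d{1,2}$/.test(cidr[1]) || Number(cidr[1]) > 32) {
      throw new Error("bad prefix length in: " + text);
    }
    var size = Math.pow(2, 32 - Number(cidr[1]));
    var base = ipToInt(cidr[0]);
    first = base - (base % size); // align to the network address
    last = first + size - 1;
  } else if (text.indexOf("-") !== -1) {
    var ends = text.split("-");
    if (ends.length !== 2) throw new Error("bad range: " + text);
    first = ipToInt(ends[0]);
    last = ipToInt(ends[1]);
    if (last < first) throw new Error("range runs backwards: " + text);
  } else {
    first = last = ipToInt(text);
  }
  return { entry: text, first: first, last: last, hosts: last - first + 1 };
}

// Report every entry; flag those that exempt more than maxHosts addresses
// and those that cannot be parsed at all.
function auditExceptions(entries, maxHosts) {
  return entries.map(function (entry) {
    try {
      var r = parseEntry(entry);
      return { entry: r.entry, hosts: r.hosts, flagged: r.hosts > maxHosts, error: null };
    } catch (e) {
      return { entry: entry, hosts: 0, flagged: true, error: e.message };
    }
  });
}

// True when ip falls inside any parsable exception entry.
function isExempt(ip, entries) {
  var n = ipToInt(ip);
  return entries.some(function (entry) {
    try {
      var r = parseEntry(entry);
      return n >= r.first && n <= r.last;
    } catch (e) {
      return false;
    }
  });
}

// Sample list: the address examples used in this guide, then two
// constructed entries (an over-broad block and a mistyped address).
var SAMPLE_EXCEPTIONS = [
  "192.168.0.1",
  "192.168.0.1-192.168.0.254",
  "192.168.0.0/24",
  "10.0.0.0/8",
  "192.168.0.300"
];
```

Run auditExceptions(SAMPLE_EXCEPTIONS, 256) and review every flagged row before entering the list on the Exceptions page.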
4 Managing Web Security
This chapter includes:
• Overview of the Web Proxy
• Using PAC Scripts
• Limiting Bandwidth Use
• Configuring WCCP
• Managing Upstream Proxies
• Managing Blocklists
• Managing Block Pages

Overview of the Web Proxy
The following sections provide an overview of Guardian’s web proxy settings.
To access Guardian’s web proxy settings:
1. Navigate to the Web proxy > Web proxy > Settings page.

Global Options
The following table lists Guardian’s global web proxy setting:
Setting – Description
Guardian – Select Enable to enable content filtering and Guardian’s web proxy.
1. Click Advanced to access advanced web proxy settings which are documented in the following sections.

Advanced Web Proxy Settings
The following advanced web proxy settings are available.

Web Filter Options
The following optional advanced web filter settings are available:
Settings – Description
HTTP strict mode – By default, this option is enabled. However, for certain client applications going through Guardian you may need to disable this so as to handle problems, for example, with headers that the applications send.
File upload policy – The following options are available:
  Allow unlimited uploads – All file uploads are allowed.
  Block all uploads – All file uploads are blocked.
  Restrict upload size to – Files below the size specified are allowed.
Resume interrupted NTLM connections – By default Guardian resumes interrupted NTLM connections caused by non-standard web browser behavior.
  Enable – This is the default setting. Select this setting to configure Guardian to resume interrupted NTLM connections.
  Disable – Select this setting to disable resumption of interrupted NTLM connections when restrictive Active Directory account lockout policies are in operation.
Resolve single component hostnames – By default, Guardian makes no attempt to interpret single component hostnames which are not fully qualified.
  Enable – Select this setting to enable Guardian to attempt to interpret single component hostnames which are not fully qualified if single component hostnames are being used.
  Disable – Select this setting to stop Guardian from trying to interpret single component hostnames which are not fully qualified.
Allow access to web servers on these additional ports – By default, Guardian only allows requests to servers running on a certain subset of privileged ports, i.e. ports below 1024, such as HTTP (80), HTTPS (443) and FTP (21). If you require access to servers running on non-standard ports, enter them here.

Logging Options
The following advanced logging settings are available:
Setting – Description
Proxy logging – We recommend that you disable this option when Filter logging mode is enabled. This is because Guardian proxy logs are effectively duplicated subsets of Guardian web filter logs. Disabling proxy logging can lead to improved performance by reducing system storage and processing requirements.
Organization name – Enter a name which can be used to identify Guardian in your organization. Organization names are also referenced in certain web reports.
Filter logging mode – From the drop-down list, select one of the following logging modes:
  Normal – Select this option to generate proxy logs with all recorded data.
  Anonymized – Select this option to generate filter logs with anonymous username and IP address information.
  Disabled – Select this option to disable content filter logging.
Client hostnames – Select one of the following options:
  Log – Select this option to record hostnames of computers using Guardian. When enabled, filter logs and reports incorporating hostname information can be generated. It is important that DNS servers exist on the local network and are correctly configured with the reverse DNS of all machines if this option is enabled, otherwise performance will suffer.
  Do not log – Select this option to disable the logging of hostnames of computers using Guardian.
Client user-agents – Select one of the following options:
  Log – Select to record the types of browsers used by users.
  Do not log – Select to disable the logging of the types of browsers used by users.
Advert blocks – Select one of the following options:
  Log – Select this option to log information about advert blocking.
  Do not log – Select to disable the logging of information about advert blocking.

Cache Options
The following advanced, optional cache settings are available:
Setting – Description
Global cache size – The size entered here determines the amount of disk space allocated to Guardian for caching web content. Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached. The specified size must not exceed the amount of free disk space available. The cache size should be configured to an approximate size of around 40% of the system’s total storage capacity, up to a maximum of around 1.5 gigabytes. Larger cache sizes can be specified, but may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages.
Max and min object size that can be stored in the cache – The values entered here determine the maximum and minimum sizes of objects stored in the cache.
  Max object size – Enter the largest object size that will be stored in Guardian’s cache. Any object larger than the specified size will not be cached. This prevents large downloads filling the cache. The default of 30720 bytes (30 MB) should be adjusted to suit the needs of your users.
  Min object size – Enter the smallest object size that will be stored in Guardian’s cache. Any object smaller than the specified size will not be cached. This can be useful for preventing large numbers of tiny objects filling the cache. The default is no minimum – this should be suitable for most purposes.
Max object size that can pass in and out of proxy – The values entered here determine the maximum sizes of objects which can pass through the web proxy.
  Max outgoing size – Enter the maximum amount of outbound data that can be sent by a browser in any one request. This can be used to prevent large uploads or form submissions. The default is no limit.
  Max incoming size – Enter the maximum amount of inbound data that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. This can be used to prevent excessive and disruptive download activity. The default is no limit.
Do not cache these domains – Used to specify domains that should be excluded from the web cache. This can be used to ensure that old content of frequently updated web sites is not cached. Enter domain names without the www prefix, one entry per line. To apply the option to any subdomains, enter a leading period, for example: .example.com

Internet Cache Protocol
The following advanced, optional Internet Cache Protocol (ICP) settings are available:
Setting – Description
ICP server – Select one of the following options:
  Enable – Select to allow ICP compatible proxies to query Guardian's cache. ICP is a technique employed by proxies to determine if an unfulfilled local cache request can be fulfilled by another proxy’s cache. ICP-enabled proxies work together as cache peers to improve cache performance across a LAN. ICP is recommended for LANs with multiple Guardian proxy servers; non-Smoothwall proxies must use port 801 for HTTP traffic.
  Disable – Select to disable Guardian as an ICP server.
ICP server IP addresses – Use this area to enter the IP addresses of other ICP-enabled proxies on the LAN that Guardian should query. Use in conjunction with the ICP server option enabled to allow two-way cache sharing.

Load Balancing
The following load balancing option is available:
Setting – Description
Direct Return Server Virtual IP – Enables you to use a load balancing device which uses a virtual IP with Guardian. Enter the IP address on which Guardian can accept load balanced connections. Assuming a load balancer has been set up, Guardian will form part of its cluster.
Note: This IP address must not respond to ARP queries, as ARP-ing behavior is what sets this type of Virtual IP apart from a simple alias.

Using PAC Scripts
Guardian enables you to create and make available proxy auto-config (PAC) scripts which determine which IP addresses and domains to access via Guardian and which to access directly. Guardian supports built-in PAC scripts and custom PAC script templates.

Using a Built-in Script
A built-in script is an auto configuration script which you can customize with additional settings such as exceptions.
To use a built-in script:
1. Browse to the Web proxy > Web proxy > Automatic configuration page.
2. Select Built-in and configure the following settings:
Setting – Description
Bypass proxy server for local addresses – Select this option to not use Guardian when connecting to local addresses. When selected, this option makes users’ browsers bypass the Guardian proxy if the address is a hostname only, for example: myhostname. Browsers will not bypass the Guardian proxy if the address is a fully qualified domain name (FQDN), for example: myhostname.example.local.
Refer to the proxy by domain name – Select this option so that the Guardian proxy uses its domain name instead of IP addresses in the configuration file.
  Note: Before enabling this option, ensure that you have a valid DNS configuration which resolves correctly for this hostname. This option must be enabled when using Kerberos authentication to use proxy automatic configuration.
Exception domains and IP addresses – In this text box, enter an IP address, IP address range, network address or hostname that users may access directly. For example:
  192.168.0.1
  192.168.0.1-192.168.0.254
  192.168.0.0/24
  hostname.local
Exception regular expression domains – Optionally, click Advanced to access the Exception regular expression domains area. In the text box, enter one regular expression domain per line that users may access directly. For example:
  ^(.*\.)?youtube\.com$
  ^(.*\.)?ytimg\.com$
  would disable usage of Guardian for youtube.com, ytimg.com and subdomains such as www.youtube.com; but not, for example, fakeyoutube.com.
3. Click Save. Guardian creates the script and makes it available at: http://Your_System_IP_address/proxy.pac

Using a Custom Script
A custom script provides advanced functionality by enabling you to use a script customized to suit your organization.
Tip: You can use the built-in template as a starting point for creating a custom script.
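A custom script that reproduces the built-in options described above, as an added example that is not Smoothwall's generated proxy.pac: it applies the local-address bypass, an exception hostname and the anchored exception regular expressions, and patternProblems checks a pattern before upload, because an unanchored pattern sends lookalike names such as fakeyoutube.com direct and unfiltered. The proxy host guardian.example.local and every function name other than FindProxyForURL are assumptions.

```javascript
// Added example of a custom PAC script; not Smoothwall's generated proxy.pac.
// Assumption: guardian.example.local is a placeholder for your Guardian host.
// Port 800 is the non-transparent proxy port used in this guide.
var GUARDIAN = "PROXY guardian.example.local:800";

// Exception regular expression domains, one per entry (from the guide).
var EXCEPTION_PATTERNS = [
  "^(.*\\.)?youtube\\.com$",
  "^(.*\\.)?ytimg\\.com$"
];

// Exception hostnames reached directly (hostname.local is the guide's example).
var EXCEPTION_HOSTS = ["hostname.local"];

// Equivalent of "Bypass proxy server for local addresses": a hostname-only
// address such as myhostname bypasses the proxy; an FQDN does not.
function isHostnameOnly(host) {
  return host.indexOf(".") === -1;
}

// True when host matches at least one regular expression in patterns.
function matchesAny(patterns, host) {
  for (var i = 0; i < patterns.length; i++) {
    if (new RegExp(patterns[i], "i").test(host)) return true;
  }
  return false;
}

// Called by the browser for every request; returns where to send it.
function FindProxyForURL(url, host) {
  var name = host.toLowerCase();
  if (isHostnameOnly(name)) return "DIRECT";
  if (EXCEPTION_HOSTS.indexOf(name) !== -1) return "DIRECT";
  if (matchesAny(EXCEPTION_PATTERNS, name)) return "DIRECT";
  return GUARDIAN;
}

// Pre-upload check for one exception pattern. Every problem listed widens
// the set of hosts that bypass Guardian beyond the intended domain.
function patternProblems(pattern) {
  var problems = [];
  if (pattern.charAt(0) !== "^") {
    problems.push("no ^ anchor: also matches inside longer names");
  }
  if (pattern.charAt(pattern.length - 1) !== "$") {
    problems.push("no $ anchor: also matches names with extra suffixes");
  }
  // A dot that is neither escaped nor followed by a quantifier.
  if (/(^|[^\\])\.(?![*+?])/.test(pattern)) {
    problems.push("unescaped dot: matches any character");
  }
  return problems;
}
```

Run patternProblems over each line of the Exception regular expression domains box as well as over custom scripts; the check is the same in both places.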
On the Web proxy > Web proxy > Automatic configuration page, click Download and save the default script to a suitable location. Edit the file to suit your requirements and save it using a different name. See below for how to upload it.
To use a custom script:
1. After configuring the custom script, browse to the Web proxy > Web proxy > Automatic configuration page.
2. Select Custom script template and click Browse. Locate and select the script and click Upload. Guardian uploads the script and makes it available at: http://Your_System_IP_address/proxy.pac

Managing the Configuration Script
You define the policy for each interface by configuring which proxy address the configuration script should direct clients to.
To manage the configuration script:
1. Browse to the Web proxy > Web proxy > Automatic configuration page.
2. In the Manage configuration script area, from the Interface drop-down list, select the address the configuration script should direct clients to.
3. Click Save.

Limiting Bandwidth Use
By default, Guardian does not limit bandwidth use. However, it is possible to configure bandwidth limiting policies which can, for example, stop a user or group of users from overloading your Internet connection.
To create a bandwidth limiting policy:
1. Navigate to the Web proxy > Web proxy > Bandwidth limiting page.
2. Click Create a new policy. The policy wizard is displayed. Complete the following steps:
Step – Description
Step 1: Who – From the Available users or groups list, select the user(s) and/or group(s) to whom the policy will apply. For information about users and groups, refer to your Smoothwall System’s Administration Guide.
  Tip: Enter a name or part of a name and Guardian will search for names of users and groups that match.
  Click Add and, when you have added all the users and/or groups, click Next to continue.
Step 2: What – From the Available categories or category groups list, select what is to be filtered. For information about categories, see Working with Category Group Objects on page 51.
  Tip: Enter the name or part of the name and Guardian will search for content that matches.
  Click Add and, when you have selected all the content, click Next to continue.
Step 3: Where – From the Available locations list, select where the policy will apply. For more information about locations, see Working with Location Objects on page 55.
  Tip: Enter the name or part of the name and Guardian will search for locations that match.
  Click Add and, when you have added the location(s), click Next to continue.
Step 4: When – From the Available time slots list, select when the policy will apply. For more information about time slots, see Working with Time Slot Objects on page 54.
  Tip: Enter the name or part of the name and Guardian will search for time slots that match.
  Click Add and, when you have added the time slot(s), click Next to continue.
Step 5: Action –
  Limit bandwidth to – Enter the number of kilobytes per second to which bandwidth is limited when this policy is applied.
  Shared between clients – Select this option to share the bandwidth specified between all clients on the network. If this option is not selected then the limit specified applies to each client, determined by IP, not by user or group.
  Note: A user or group may be able to draw on bandwidth from several policies.
Note: Each step must be completed in order to create the policy. If you skip a step, Guardian creates a policy folder in which you can store policies. For more information about policy folders, see Working with Policy Folders on page 79.
3. Select Enable policy to enable the policy and then click Confirm. Guardian displays the settings you have selected.
4. Review the settings and click Save to create the policy. Guardian creates the policy and makes it available on the Web proxy > Web proxy > Bandwidth limiting page.

Ordering Bandwidth Limiting Policies
It is possible to order bandwidth limiting policies. Ordering policies enables you, for example, to apply one policy to a user and another policy to the group the user belongs to.
To order bandwidth limiting policies:
1. Browse to the Web proxy > Web proxy > Bandwidth limiting page.
2. Drag and drop the policy you want applied first to the top of the list and click Save. Guardian applies the order specified when applying the policies.

Editing Bandwidth Limiting Policies
You can edit an existing bandwidth limiting policy to suit your organization’s requirements.
To edit a bandwidth limiting policy:
1. Browse to the Web proxy > Web proxy > Bandwidth limiting page and locate the policy you want to edit.
2. Click the Edit policy button. Guardian displays the policy settings.
3. Make the changes necessary. See Limiting Bandwidth Use on page 26 for more information about working with policies.
4. Click Confirm. Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Guardian updates the policy and makes it available on the Web proxy > Web proxy > Bandwidth limiting page.

Deleting Bandwidth Limiting Policies
You can delete a bandwidth limiting policy you no longer require.
To delete a bandwidth limiting policy:
1. Browse to the Web proxy > Web proxy > Bandwidth limiting page and locate the policy you want to delete.
2. Click the Delete policy button. Guardian prompts you to confirm that you want to delete the policy. Click Delete. Guardian deletes the policy.

Configuring WCCP
Guardian can be added to a Web Cache Communication Protocol (WCCP) cache engine cluster. When enabled, Guardian broadcasts its availability to a nominated WCCP-compatible router. The WCCP-compatible router can forward web traffic and perform load balancing across all the WCCP capable proxies it is aware of. Both HTTP and HTTPS traffic can be transparently proxied via WCCP.
Note: WCCP-compatible routers forward web traffic in a transparent mode over a GRE tunnel, therefore you must configure a transparent authentication policy for the interface which will receive redirected traffic. For information about transparent authentication policies, see Chapter 6, Creating Transparent Authentication Policies on page 91.
For more information about configuring WCCP on your router, refer to the documentation that accompanies your router.
To configure WCCP:
1. Browse to the Web proxy > Web proxy > WCCP page.
2. Select the option you require and configure its settings:
Option – Description
No WCCP – Select to disable WCCP.
WCCP version 1 – Select this option to enable WCCP version 1. Version 1 does not require authentication for caches to join the cluster, and only supports a single coordinating router.
  WCCP router IP – Enter the WCCP router’s IP address.
WCCP version 2 – Select this option to enable WCCP version 2. Version 2 can be more secure than version 1, as it supports authentication for caches to join the cluster, providing a level of protection against rogue proxies on the LAN. In addition, it supports multiple coordinating routers.
  Note: Currently, WCCP version 2 in Guardian only supports routers configured to use the hash assignment method and GRE for both the forwarding and return methods.
  Password – Enter the password required to join the WCCP cluster. WCCP passwords can be a maximum of 8 characters.
  Cache weight – Enter a cache weight to provide a hint as to the proportion of traffic which will be forwarded to this particular cache. Caches with high weights relative to other caches in the cluster will receive more redirected requests.
  Device IP addresses – Enter the IP addresses of one or more WCCP version 2 routers.
3. Click Save. Guardian saves the settings.
4. On the Web proxy > Authentication > Manage policies page, create a transparent authentication policy using the authentication method you require and select WCCP as the interface. For more information, see Creating Transparent Authentication Policies on page 91. Guardian completes the WCCP configuration.

Managing Upstream Proxies
Guardian enables you to configure and deploy policies which manage access to upstream proxies. The policies can:
• Allow or deny access to upstream proxies based on network location
• Direct web requests to a specific upstream proxy depending on the type of request
• Provide load balancing and failover.
The following sections explain how to configure and deploy upstream proxy policies.

Overview
Managing upstream proxies entails:
• Configuring upstream proxy settings, for more information see Configuring an Upstream Proxy on page 31
• Creating source and destination filters, for more information see Configuring Source and Destination Filters on page 33
• Configuring a single upstream proxy for all web requests, see Using a Single Upstream Proxy on page 35, or deploying upstream proxy policies to combine multiple upstream proxies and use load balancing and failover, for more information, see Working with Multiple Upstream Proxies on page 36.

Configuring an Upstream Proxy
The following section explains how to configure an upstream proxy.
To configure an upstream proxy:
1. Browse to the Web proxy > Upstream proxy > Proxies page.
2. Configure the following settings:
Setting – Description
Name – Enter a name for the upstream proxy. Only the following characters and numbers are allowed in a proxy name: ., abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789
  The name Default is invalid as it is reserved as the name of the default proxy.
IP/Hostname – Enter the IP address or the hostname of the upstream proxy.
Port – Enter the port number to use on the upstream proxy.
Comment – Optionally, enter a comment or description.
3. Click Advanced to access the following, optional settings:
Setting – Description
Credential forwarding – Select one of the following credential forwarding options:
  Disabled – Select this option to use the static username and password entered below when logging in to the upstream proxy.
  Username only – Forward the username of the client making the request with the password entered below when logging in to the upstream proxy. This allows the upstream proxy to identify individual users without revealing their passwords.
  Note: This requires proxy authentication, NTLM authentication or NTLM identification to be enabled, otherwise usernames cannot be determined by Guardian.
  Username and password – Forward the username and password of the client making the request when logging in to the upstream proxy. This could be used if both Guardian and the upstream proxy are authenticating against the same directory server, but should be used with caution as it reveals client credentials.
  Note: This option requires proxy authentication to be used, not NTLM. Otherwise, plaintext usernames and passwords cannot be determined by Guardian.
  Note: Guardian can only log in to upstream proxies which require basic proxy authentication, not NTLM or any other authentication scheme.
Username – Enter a static username for use when credential forwarding is disabled.
Password – Enter a static password for use when credential forwarding is disabled, or when forwarding usernames only.
Load balance ratio – Enter a load balance ratio value. Values are relative. For example, if one upstream proxy has the value 2 and another upstream proxy has the value 1 and both use the round robin load balancing method, then the proxy with value 2 will receive twice as many web requests as the proxy with value 1. For more information, see Configuring Multiple Upstream Proxy Policies on page 36.
4. Click Save. Guardian adds the upstream proxy to the list of current upstream proxies.
5. Repeat the steps above to add other upstream proxies.

Configuring Source and Destination Filters
Guardian enables you to create source and destination filters which are used when applying upstream proxy policies.

Configuring a Destination Filter
Guardian uses destination filters to determine which upstream proxy policy to apply based on the destination domain(s), IP(s) or destination URL regular expressions.
To create a destination filter:
1. Browse to the Web proxy > Upstream proxy > Filters page.
2. Configure the following settings:
Setting – Description
Type – Select Destination.
Name – Enter a name for the destination filter.
Comment – Optionally, enter a description or comment.
IPs/Hostnames – Enter a destination IP address or hostname.
3. Optionally, click Advanced and configure the following setting:
Setting – Description
Destination regular expression URLs – Optionally, click Advanced. Enter one regular expression URL, including the protocol, per line.
  Note: The full URL is not available for HTTPS requests.
4. Click Save. Guardian adds the filter and lists it in the Upstream proxy filters.
5. Repeat the steps above to add more destination filters.

Configuring a Source Filter
Guardian uses source filters to determine which upstream proxy policy to apply based on the source IP(s), subnet(s) or IP range(s) of the client machine(s).
To create a source filter:
1. Browse to the Web proxy > Upstream proxy > Filters page.
2. Configure the following settings:
Setting – Description
Type – Select Source.
Name – Enter a name for the filter.
Comment – Optionally, enter a description or comment.
IPs/Hostnames – Enter a source IP address, IP address range, network address or hostname. For example:
  192.168.0.1
  192.168.0.1-192.168.0.254
  192.168.0.0/24
  hostname.local
  Note: Hostnames require reverse DNS look-ups to be performed.
3. Click Save. Guardian adds the filter and lists it in the Upstream proxy filters area.
4. Repeat the steps above to add more source filters.

Using a Single Upstream Proxy
After configuring upstream proxy settings, see Configuring an Upstream Proxy on page 31, you can use a single upstream proxy for all web requests.
To use a single upstream proxy:
1. Browse to the Web proxy > Upstream proxy > Manage policies page.
2. In the Global options area, configure the following settings:
Setting – Description
Default upstream proxy – This setting determines the default proxy which is used when upstream proxies are not available, not configured or not allowed by policies. From the drop-down list, select an upstream proxy.
Allow direct connections – Select this option to allow direct connections to origin servers. If allowed, direct connections will be made as a final fall-back if the default proxy is unavailable or not configured. For more information, see Enforcing Upstream Proxy Usage on page 38.
Leak client IP with X-Forwarded-For header – Select this option to send the originating IP addresses of client requests upstream.
3. Click Save. Guardian starts using the single upstream proxy.
Working with Multiple Upstream Proxies

The following sections discuss general upstream proxy behavior, how to load balance using multiple upstream proxy policies and how to enforce upstream proxy usage.

About Upstream Proxy Behavior

There are three potential destinations for a web request forwarded to an upstream proxy. These are as follows, in order of precedence:

1. A pool of one or more proxies which are allowed by the upstream proxy policies to service the request.
2. The default proxy, if configured.
3. Direct forwarding of requests to their origin servers, if allowed. An origin server is defined as the target destination of a web request, i.e. the server from which a requested resource originates.

Upstream proxy policies are additive. Guardian checks requests against all the policies, in order. Any proxy which is allowed to service a particular request is added to the proxy pool in step 1. If the final pool for a request contains two or more proxies, load-balancing and fail-over rules decide which one will be sent the request.

Note: The rules above only apply to requests serviced by Guardian. If a client behind Guardian is able to obtain direct, unfiltered web access, the client’s requests will be treated no differently from other Internet traffic.

Configuring Multiple Upstream Proxy Policies

By configuring multiple upstream proxy policies, you can balance the web request load across two or more upstream proxies.

To load balance using upstream proxy policies:

1. On the Web proxy > Upstream proxy > Proxies page, configure the upstream proxies you will be using. See Configuring an Upstream Proxy on page 31 and Configuring Source and Destination Filters on page 33 for more information.
2. Browse to the Web proxy > Upstream proxy > Manage policies page and click Advanced.
3. Configure the following settings:

   Setting | Description
   Load balancing method | From the drop-down list, select the load balancing method you require. The following methods are available:
       • Source IP – Based on the client’s IP address, Guardian selects one proxy from the set of allowed proxies and uses it as long as that proxy is available. For example: three requests for example.com from one machine might all go via proxy A; three requests from the machine next to it might all go via proxy B.
       • Username – Based on the client’s username, Guardian selects one proxy from the set of allowed proxies and uses it as long as that proxy is available. For example: three requests for example.com while logged in as Alice might all go via proxy A; three requests while logged in as Bob might go via proxy B, even if Bob has the same IP as Alice.
       • Round-robin – Guardian cycles through the proxies one by one. Three requests for example.com, with three proxies allowed to serve the request, would send one request via each.
     Note: This method requires Guardian to be configured for username and password based authentication. See Chapter 6, About Authentication Policies on page 85 for more information.
   Upstream proxy | From the drop-down list, select the proxy for which you are configuring the policy.
   Source filter | From the drop-down list, select Everything.
   Destination filter | From the drop-down list, select Everything.
   Action | Select Allow.
   Comment | Optionally, enter a comment describing the proxy.
   Enabled | Select to enable the policy.

4. Click Save. Guardian creates the policy and lists it in the Upstream proxy policies table.
5. Configure policies for other upstream proxies by repeating steps 2 and 3 above.
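The order of precedence, the additive policy table and the load balancing methods described above can be modelled in a few lines to see where a request ends up when proxies fail. This is an added example, not Smoothwall's implementation: the class and field names are hypothetical, and the hash used for the Source IP and Username methods and the rule that the last matching None policy decides direct access are assumptions.

```python
"""Model of the upstream proxy selection rules described in this guide.

All names are hypothetical. The hashing used for the sticky methods and the
"last matching None policy wins" rule are assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional

DIRECT = "DIRECT"          # forward straight to the origin server


@dataclass
class Policy:
    proxy: str             # upstream proxy name, or "None" (the dummy proxy)
    action: str            # "Allow" or "Block"
    matches: Callable      # source and destination filters, as one predicate


@dataclass
class Gateway:
    weights: dict          # proxy name -> relative load balancing value
    policies: list
    default_proxy: Optional[str] = None
    allow_direct: bool = True
    method: str = "round-robin"                  # or "source-ip" / "username"
    down: set = field(default_factory=set)       # proxies currently unavailable
    counters: dict = field(default_factory=dict)

    def route(self, req):
        """Return a proxy name, DIRECT, or None if nothing may carry req."""
        pool, direct_ok = [], self.allow_direct
        for pol in self.policies:                # additive: every policy is checked
            if not pol.matches(req):
                continue
            if pol.proxy == "None":              # governs direct access only
                direct_ok = pol.action == "Allow"
            elif pol.action == "Allow" and pol.proxy not in pool:
                pool.append(pol.proxy)
        live = [p for p in pool if p not in self.down]
        if live:                                 # 1. the pool of allowed proxies
            return self.balance(live, req)
        if self.default_proxy and self.default_proxy not in self.down:
            return self.default_proxy            # 2. the default proxy
        return DIRECT if direct_ok else None     # 3. direct, only if allowed

    def balance(self, live, req):
        # A proxy with value 2 occupies two slots, so it gets twice the share.
        slots = [p for p in live for _ in range(self.weights.get(p, 1))]
        if self.method == "round-robin":
            key = tuple(slots)
            n = self.counters.get(key, 0)
            self.counters[key] = n + 1
            return slots[n % len(slots)]
        ident = req["client_ip"] if self.method == "source-ip" else req["username"]
        digest = hashlib.sha256(ident.encode()).digest()
        return slots[int.from_bytes(digest[:4], "big") % len(slots)]


def demo():
    """Run constructed requests through a constructed policy table."""
    everything = lambda r: True
    youtube = lambda r: r["host"] == "youtube.com" or r["host"].endswith(".youtube.com")
    updates = lambda r: r["host"] == "updates.example.org"
    gw = Gateway(weights={"A": 2, "B": 1}, default_proxy="D",
                 policies=[Policy("A", "Allow", everything),
                           Policy("B", "Allow", everything),
                           Policy("None", "Block", youtube),
                           Policy("None", "Allow", updates)])
    req = {"client_ip": "192.168.0.10", "username": "alice", "host": "example.com"}
    out = {"round_robin": [gw.route(req) for _ in range(6)]}
    gw.method = "source-ip"
    out["sticky"] = {gw.route(req) for _ in range(3)}     # one proxy per client
    gw.down = {"A", "B"}
    out["pool_down"] = gw.route(req)
    gw.down = {"A", "B", "D"}
    out["all_down"] = gw.route(req)                       # falls back to direct
    out["all_down_youtube"] = gw.route({**req, "host": "www.youtube.com"})
    gw.allow_direct = False                               # enforce upstream usage
    out["enforced"] = gw.route(req)
    out["enforced_exception"] = gw.route({**req, "host": "updates.example.org"})
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

With Allow direct connections enabled, a request that no proxy can carry still leaves the network directly; a result of None is the model's way of showing that the request is not forwarded at all.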
Once you have configured policies for the upstream proxies you require, Guardian will check any web requests against the policy table and each of the proxies will be allowed to service the request, so load balancing and failover rules will be used to pick the most suitable proxy.

Guardian monitors availability of upstream proxies automatically and avoids forwarding requests to unavailable proxies. If none of the proxies permitted to service a request are available, Guardian will use the default proxy. If the default proxy is not available, or if no default proxy is configured, the request will be forwarded directly to its origin server.

Enforcing Upstream Proxy Usage

If you want to prevent web requests from being forwarded directly to their origin servers when other permissible upstream proxies are unavailable, disable the Allow direct connections option.

Note: As disabling the Allow direct connections option eliminates the last option for forwarding requests in failure scenarios, only do so to implement strict requirements that all traffic go through an upstream proxy.

For finer-grained control of direct connection behavior, you can configure policies using the dummy upstream proxy option None. For example, to prevent only YouTube traffic from being sent directly, enable the Allow direct connections option, then create a policy with upstream proxy None, action Block, and a destination filter corresponding to the youtube.com domain.

Conversely, to allow direct access only for requests to certain sites, disable Allow direct connections and create None, Allow policies matching those requests for which direct access is permissible. This may be useful for bandwidth conservation, if direct access is routed over a slower link than access to the upstream proxies.

Managing Blocklists

A blocklist is a group of pre-configured settings which is updated on a regular basis by Guardian.
A blocklist maintains Guardian’s list of undesirable, inappropriate or objectionable content. Guardian automatically checks for and installs blocklist updates. You can also check for and install blocklist updates manually.

Viewing Blocklist Information

To view blocklist information:

1. Navigate to the System > Maintenance > Licenses page.

Note: The information displayed depends on the product you are using.

Blocklist subscription status is displayed. By default, Guardian checks for updated blocklists hourly. When a new blocklist becomes available, Guardian automatically downloads and installs it.

Note: As Guardian complies with Internet Watch Foundation (IWF) guidelines, this mode of working is mandatory. Visit http://www.iwf.org.uk/ for more information.

Manually Updating Blocklists

To manually update blocklists:

1. Navigate to the System > Maintenance > Licenses page.
2. Click Update. The latest blocklists are installed and displayed in the Blocklists subscription area.

Note: In order to download blocklists, you must have a valid blocklist subscription. To obtain a blocklist subscription, please contact your Guardian reseller or Guardian directly.

Managing Block Pages

When a user’s web request is blocked, Guardian displays a block page advising the user that they have been blocked from accessing the requested web content. A default web page is supplied, showing information such as which group the user is in, what the blocked content is categorized as, and the computer’s IP address, as well as the reason for the block.

You can choose to create and display multiple block pages. Which block page Guardian displays is determined by the block page policies in use.
You can configure Guardian to display the following different types of block pages:

• A block page which you have customized — see Customizing the Default Block Page on page 40
• A customized HTML page which you upload to Guardian — see Using a Custom HTML Template on page 42
• A block page located at a specified URL — see Using an External Block Page on page 43

About the Default Block Page

Below is an example of the default block page supplied with Guardian:

This block page will be shown if a user attempts to browse to a domain listed in the Web Search, Image Hosting category (for more information about categories see Working with Category Group Objects on page 51).

The following controls are used in this block page:

• Administrator bypass — Users with bypass privileges can temporarily bypass Guardian for the time specified
• Custom allowed content — Users can choose to add the domain or URL to the Custom allowed, or Custom blocked content categories
• Add URL to category — Users can choose to add the URL to a specified category
• Add domain to category — Users can choose to add the domain to a specified category

For more information about Guardian content categories, see Working with Category Group Objects on page 51.

You can add more controls to the block page, or change the text and images to suit your organizational needs. For a detailed description of how to do this, see Customizing the Default Block Page on page 40.

Customizing the Default Block Page

You can choose to customize the default block page, including the reason for the block, and changing the images. The following instructions also apply if you are creating additional block pages based on the same layout as the default block page.

To customize the default block page, or create additional ones, do the following:

1. Navigate to the Guardian > Block page > Block pages page.
2. Configure the following:
   Name — Enter a meaningful name for the block page
   Comment — Enter an optional comment describing the block page
3. Select the Manually create contents for block page option and configure the following:
   Block message — Either use the supplied text, or enter the default message explaining the reason for the block.
   Quota message — Either use the supplied text, or enter the default message shown when a user tries to access content which is time limited. For more information about quotas, see “Working with Quota Objects” on page 142.
   Quota button label — Either use the supplied text, or enter text used on the quota button which users must click to start using their quota of time to access the content.
   Sub message — Either use the supplied text, or enter a custom, secondary message displayed under the red block banner.
   Administrator’s email address — Optionally, enter the administrator’s email address who will be contacted when a request is blocked.
4. To change the images on the block page, or add block page controls, click Advanced and configure the following:
   Custom title image — To replace the Smoothwall logo on the block page, click Choose File, and browse to the location of the required file. Select the image, then click Upload. "installed" will appear under Choose File when Guardian successfully uploads the image. Note that the default Smoothwall logo is 218 x 35 pixels. It is recommended you do not exceed this depth otherwise the top of the background image may need adjusting. If the supplied background image is retained, the white space at the top may also need adjusting. Ensure you select Enable custom title image from the attributes list underneath.
   Custom background image — To replace the supplied red motif on the block page, click Choose File, and browse to the location of the required file. Select the image, then click Upload.
   "installed" will appear under Choose File when Guardian successfully uploads the image. Note that the outlined box around the central text is 150 pixels from the top of the page. If you are replacing the default image, you must ensure the new image has at least 150 pixels of white space at the top to ensure it appears at the top of the outlined box. It is recommended the image is 800 pixels wide, with the motif centralized within. Ensure you select Enable custom background image from the attributes list underneath.
   Show unblock request — Select to display a button on the block page which allows users to request that a blocked page be unblocked. Clicking the button on the block page opens a pop up form which when completed sends the request via the email server used for alerts.
   Show client username — Select to display the blocked user’s username, if applicable.
   Show email address — Select to display the administrator’s email address.
   Show client IP — Select to display the IP address of the user’s workstation.
   Show client hostname — Select to display the workstation’s hostname on the block page.
   Show user group — Select to display the user’s group membership, if applicable.
   Show unblock controls — Select to display controls on the block page which allow administrators to add domains and URLs to the custom allowed or custom blocked content categories. For more information, see Working with Block Pages on page 45.
   Show reason for block — Select to display the reason why the web request was blocked.
   Show bypass controls — Select to display temporary bypass controls on the block page. These controls allow users with bypass privileges to temporarily bypass the Guardian. For more information, see Working with Block Pages on page 45.
   Note that when an HTTPS inspection policy is enabled (see About the Default Web Filter Policies on page 17) and a user visits a site with an invalid certificate, Guardian’s temporary bypass will not work. This is because Guardian must check the certificate before authentication information for bypass can be detected. In this case, bypass controls will be visible on the block page if enabled, but will not work.
   Show URL of blocked page — Select to display the URL of the blocked web request.
   Enable custom title image — Select if you have specified a custom title image, see above for more information.
   Show categories matched — Select to display the filter category that caused the page to be blocked, if applicable.
   Enable custom background image — Select if you have specified a custom background image, see above for more information.
5. Click Save to save the block page and make it available for use in a block page policy.

Using a Custom HTML Template

You can create your own block page in HTML. Guardian provides a custom block page template for your use.

To use a custom HTML file as a block page, do the following:

1. Browse to Guardian > Block page > Block pages.
2. Download the block page template by clicking Download the custom block page example. Guardian downloads a zip file for your use.
3. Update the template as required, and save it in a zip file archive. Ensure all files needed by the custom block page are included in the zip file, and that the archive’s location is accessible by Guardian.
4. Browse to Guardian > Block page > Block pages if you have navigated away.
5. Configure the following settings:
   Name — Configure a meaningful name for the block page.
   Comment — If required, configure a comment for the block page.
6. Select Import HTML template from zip file.
7. From Upload zip archive, click Choose file.
8. Locate and select the custom block page archive.
9. Click Upload.
   Guardian unpacks the archive, and makes it available for use in a block page policy.
10. If required, enter your system administrator’s email address to receive unblock requests.
11. Click Save.

Using an External Block Page

Guardian enables you to specify an external page as a block page.

To use an external page as a block page:

1. Navigate to the Guardian > Block page > Block pages page and configure the following settings:

   Setting | Description
   Name | Enter a name for the block page.
   Comment | Enter a comment describing the block page.
   Redirect to block page | Select to enable Guardian to use an external block page.
   Block page URL | Enter the block page’s URL.

2. Click Save to make it available for use in a block page policy.

Configuring a Block Page Policy

By default, Guardian displays a standard block page whenever it blocks a web request by users. You can configure Guardian to display a specific block page when a web request is blocked based on unsuitable or objectionable content, location or time.

To configure a block page policy:

1. Browse to the Guardian > Block page > Policy wizard page.
2. Complete the following steps:

   Step | Description
   Step 1: Who | From the Available users or groups list, select who will see the block page when content is blocked. Click Next to continue.
   Step 2: What | From the Available categories or category groups list, select what categories or category groups will trigger the content being blocked. Click Next to continue. For information about categories, see Working with Category Group Objects on page 51.
   Step 3: Where | From the Available locations list, select where the policy applies. Click Next to continue. For information about locations, see Working with Location Objects on page 55.
   Step 4: When | From the Available time slots list, select when the policy applies. Click Next to continue.
     For information about time slots, see Working with Time Slot Objects on page 54.
   Step 5: Action | Select which block page to use. For information about the types of block pages you can use, see Managing Block Pages on page 39.

3. Select Enable policy to enable the policy and click Confirm.
4. Guardian displays the settings you have specified for the policy. Review the settings and then click Save to save the policy and make it available on the manage policies page.

Managing Block Page Policies

Block page policies are managed on the manage policy page. Guardian processes policies in order of priority, from top to bottom, until it finds a match. You can change the order by dragging and dropping them on the page.

To manage block page policies:

1. Browse to the Guardian > Block page > Manage policies page.
2. To change the order of the policies displayed, select a policy and drag it to the position you require.
3. Click Save to save the change(s). Guardian re-orders the policies.

Working with Block Pages

Depending on how a block page is configured, there may be controls to add URLs and domains to user-defined blocked or allowed categories as well as temporary bypass features to allow users with the correct privileges to access the blocked content.

Adding to User-defined Categories

Note: The availability of these options depends on how the block page is configured. For more information, see Customizing the Default Block Page on page 40.

To add to user-defined categories:

1. Configure the following settings on the block page:

   Setting | Description
   Control | From the User-defined categories drop-down list, select one of the following options:
       • Custom blocked content – Add the blocked URL or domain to the custom blocked category.
       • Custom allowed content – Add the blocked URL or domain to the custom allowed category.
   Temporary Bypass | Enables temporary bypass of the block page if the user has the necessary privileges. Select from the following options:
       • 5 minutes – Temporarily bypass the block page for 5 minutes.
       • 30 minutes – Temporarily bypass the block page for 30 minutes.
       • 1 hour – Temporarily bypass the block page for 1 hour.
     When prompted, enter the bypass password.

Note: The temporary bypass and control options use non-standard port 442. This is to enable administrator access controls to be used without affecting these features.

5 Working with Policies

This chapter describes how to configure, and maintain, Guardian policies, including:

• An Overview of Policies
• Working with Category Group Objects
• Working with Time Slot Objects
• Working with Location Objects
• Working with Quota Objects
• Managing Web Filter Policies
• Managing HTTPS Inspection Policies
• Managing Content Modification Policies
• Using the Policy Tester
• Working with Policy Folders
• Censoring Web Form Content

An Overview of Policies

Policies determine how Guardian handles web content to best protect your users and your organization. You can create and deploy custom policies to fit your organization. Deploying custom policies entails:

• Configuring custom policies based on your organization’s Acceptable Usage Policies (AUPs); for more information, see Types of Policies on page 48
• Configuring authentication policies; for more information, refer to your Smoothwall System’s Administration Guide
• Configuring users’ browsers or network connections to use Guardian as their web proxy or default gateway; for more information, see Connecting to Guardian on page 100.
Types of Policies

Guardian enables you to create the following types of policies:

• Web filter policies – Web filter policies determine whether to allow, block, soft block or whitelist web content that a user has requested. For more information, see Managing Web Filter Policies on page 59
• HTTPS inspection policies – when enabled, HTTPS inspection policies determine whether to decrypt and inspect encrypted content in order to determine how to handle the content based on web filter policies. HTTPS inspection policies can also be used to validate web site certificates. For more information, see Managing HTTPS Inspection Policies on page 63
• Content modification policies – Content modification policies can be used to identify and stop malicious content embedded in web pages from being accessed. For information, see Managing Content Modification Policies on page 69.
• Anti-malware policies – Anti-malware policies are used to protect against malware and viruses. For information on customizing anti-malware policies, see Managing Anti-malware Policies on page 73.

How Policies are Applied

How Guardian applies policies depends on the original web request from a user. The following diagrams give a high-level view of what happens when a user makes a non-encrypted (HTTP) web request and an encrypted (HTTPS) web request.

Applying Policies to a HTTP Web Request

Guardian Getting Started

The Getting started page explains policies and policy objects.

Working with Category Group Objects

A category group object is a collection of URLs, domains, phrases, lists of file types and/or security rules.
Guardian uses category group objects in policies to determine if a user should be allowed access to the content they have requested using their web browser.

Creating Category Group Objects

The following section explains how to create a category group object to be used in a web filter policy.

To create a category group object:

1. Browse to the Guardian > Policy objects > Category groups page.
2. In the Manage category groups area, configure the following settings:

   Setting | Description
   Name | Enter a name for the category group.
   Comment | Optionally, enter a comment to make it easier to remember what the category contains.
   Content categories | Select the content you want to include in the category group object. Click [ + ] to access and view any sub-categories available.
     Tip: Click the Advanced view option to access more detailed information about the content.

3. Click Save. The category group object is saved and added to the list of groups of content available.

Creating Custom Categories

You can define new categories of content for use in category group objects to suit your organization’s requirements.

To create custom categories, do the following:

1. Browse to the Guardian > Policy objects > Categories page.
2. From the Manage categories panel, configure the following parameters:
   Name — The name of the category.
   Comment — Enter an optional description for this category.
   Domain/URL filtering — Enter the domains and or URLs for this category. Only one entry is allowed per line. Note that www. is not needed for URLs.
3. Optionally, click Advanced to access the following settings:

   Setting | Description
   Search term filtering | Enter one search term, surrounded by delimiters, per line, for example:
       ( hardcore )
       (xxx)
     Spaces before and after a term are not removed, thus simplifying searching for whole words. Parentheses are required. You can use the following delimiters: [] () {} <> ||
   URL patterns | Enter a URL pattern per line, for example:
       ( adultsite|sexdream )
     The example above looks for URLs containing either the word adultsite or the word sexdream. You can use the following delimiters: [] () {} <> ||
     Note: If the URL pattern you enter contains a delimiter, you must use a different delimiter to contain the whole pattern. For example:
       [ mysearchwith(abracket) ]
   File extensions | Enter one file extension, e.g. .doc, or MIME type, e.g. application/octet-stream per line. You must include the dot (.) when entering file extensions.

4. Click Save. Guardian creates the content category and makes it available on the Guardian > Policy objects > Category groups page.

Searching for URLs in User-defined Categories

You can search in user-defined categories to determine which ones match a particular URL.

Note: A search can take up to a minute to complete.

To search for a URL in a category:

1. Browse to the Guardian > Policy objects > User defined page.
2. In the Enter URL field, enter the URL you want to search for.
3. Click Find categories. Guardian displays the names and components of any categories in which the URL was found.

Editing Category Group Objects

You can edit category group objects to suit your organization’s requirements.

To edit a category group object:

1. Browse to the Guardian > Policy objects > Category groups page.
2. From the Category groups list, select the object you want to edit and click Edit category group. Guardian displays the object in the Manage category groups area. Click [ + ] to access and view any sub-categories available.
   Tip: Click the advanced view option to access more detailed information about the content and sub-categories.
3. Select any new content you want to add to the object and de-select any content you want to remove from the object.
4. Click Save. Guardian saves and applies the changes.
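The delimiter rules given under Creating Custom Categories are easy to get wrong when a category is prepared in bulk, so the entries can be checked before they are pasted into the Advanced settings. The following is an added example, not part of Guardian: the function names and the sample category are constructed, and treating a URL pattern as a regular expression with the space around it trimmed is an assumption based on the adultsite|sexdream example.

```python
"""Pre-flight checks for custom category entries (hypothetical helper names)."""
import re

# The delimiter pairs listed in the guide: [] () {} <> ||
DELIMS = {"[": "]", "(": ")", "{": "}", "<": ">", "|": "|"}


def unwrap(line):
    """Split a delimited entry into (opening delimiter, body).

    Whitespace inside the delimiters is kept, because the guide states that
    spaces before and after a search term are not removed.
    """
    line = line.strip()                      # whitespace outside the delimiters
    if len(line) < 2 or line[0] not in DELIMS or line[-1] != DELIMS[line[0]]:
        raise ValueError("entry must be wrapped in one of [] () {} <> ||")
    return line[0], line[1:-1]


def check_pattern(line):
    """Return the body of an entry, rejecting one that contains its own delimiter."""
    opener, body = unwrap(line)
    if opener in body or DELIMS[opener] in body:
        free = [o + c for o, c in DELIMS.items() if o not in body and c not in body]
        raise ValueError(f"pattern contains its own delimiter; use one of {free}")
    return body


def check_url_pattern(line):
    """Assumption: a URL pattern is a regular expression, trimmed of outer spaces."""
    body = check_pattern(line).strip()
    try:
        re.compile(body)
    except re.error as exc:
        raise ValueError(f"not a valid expression: {exc}") from None
    return body


def check_file_type(line):
    """Accept '.ext' or 'type/subtype'; the dot is mandatory for extensions."""
    entry = line.strip()
    if entry.startswith(".") and len(entry) > 1 and "/" not in entry:
        return ("extension", entry)
    if re.fullmatch(r"[\w.+-]+/[\w.+-]+", entry):
        return ("mime", entry)
    raise ValueError("expected a file extension with its dot, or a MIME type")


def term_matches(line, query):
    """Literal search-term match that keeps the spaces inside the delimiters.

    The guide does not say how the start and end of a query are treated, so
    no padding is applied here.
    """
    return check_pattern(line).lower() in query.lower()


def lint_category(category):
    """Return (field, entry, problem) tuples for every entry that fails a check."""
    checks = {"search_terms": check_pattern, "url_patterns": check_url_pattern,
              "file_types": check_file_type}
    problems = []
    for field_name, check in checks.items():
        for entry in category.get(field_name, []):
            try:
                check(entry)
            except ValueError as exc:
                problems.append((field_name, entry, str(exc)))
    return problems


# Constructed sample category; four entries are deliberately wrong.
SAMPLE = {
    "search_terms": ["( hardcore )", "(xxx)", "hardcore"],
    "url_patterns": ["( adultsite|sexdream )", "( mysearchwith(abracket) )",
                     "[ mysearchwith(abracket) ]", "| a|b |"],
    "file_types": [".doc", "application/octet-stream", "doc"],
}

if __name__ == "__main__":
    for problem in lint_category(SAMPLE):
        print(problem)
    print(term_matches("( hardcore )", "free hardcore videos"),
          term_matches("( hardcore )", "hardcoreness quiz"),
          term_matches("(xxx)", "xxxl shirts"))
```

The last line of output shows the effect of the spaces: ( hardcore ) only matches the whole word, while (xxx) also matches inside a longer word and is therefore more likely to overblock.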
Deleting Category Group Objects

You can delete category group objects you no longer require.

To delete a category group object:

1. Browse to the Guardian > Policy objects > Category groups page.
2. From the Category groups list, select the content category object you want to delete and click Delete category group. Guardian deletes the object.

Note: You cannot delete a category group object if it is in use in a policy. You must first remove the object from the policy.

Working with Time Slot Objects

You can configure Guardian to allow or stop users accessing the Internet during certain time periods depending on the time and day.

Creating a Time Slot

The following section explains how to create a time slot for use in a web filter policy.

To create a time slot:

1. Navigate to the Guardian > Policy objects > Time slots page.
2. Configure the following settings:

   Setting | Description
   Name | Enter a name for the time slot.
   Comment | Optionally, enter a comment to help identify when the period is used

3. In the time-table, click and drag to select the periods of time you want to include in the time slot.
4. Click Save. Guardian creates the time slot and adds it to the list of time slots. It also makes the time slot available where applicable on the policy wizard pages for inclusion in policies.

Editing a Time Slot

The following section explains how to edit a time slot.

To edit a time slot:

1. Navigate to the Guardian > Policy objects > Time slots page and, in the Time slots area, locate the time slot you want to edit.
2. Click the Edit time button. Guardian displays the time slot in the time-table.
   Tip: You can use the Clear and Edit in full-text mode options to make changes to the time slot.
3. Make the changes you require and click Save. Guardian makes the changes and saves the time slot.
Deleting a Time Slot

The following section explains how to delete a time slot.

To delete a time slot:

1. Navigate to the Guardian > Policy objects > Time slots page and, in the Time slots area, locate the time slot you want to delete.
2. Click the Delete time button. Guardian deletes the time slot.

Working with Location Objects

Guardian enables you to create locations into which you can place resources such as desktop and laptop computers. You can use a location to block the resources at the location from accessing external networks or the Internet.

Creating a Location Object

To create a location object:

1. Browse to the Guardian > Policy objects > Locations page.
2. In the Manage location area, configure the following settings:

   Setting | Description
   Name | Enter a name for the location object.
   Addresses | Enter an IP address, hostname, IP range or a subnet of the resource(s), for example:
       For a computer, enter: 192.168.0.58
       For a range of computers, enter: 192.168.0.61-192.168.0.71
       For content identified by a hostname, enter: roaming_laptop

3. Optionally, click Advanced and configure the following settings to define exceptions to any address ranges you specified in the previous step:

   Setting | Description
   Exceptions | Enter an individual IP, hostname, IP range or a subnet of the resource(s), for example:
       To make an exception for a computer, enter: 192.168.0.53
       To make an exception for a range of computers, enter: 192.168.0.65-192.168.0.67

4. Click Save. Guardian adds the resources to the location object and lists it in the Locations list.

Editing Location Objects

You can edit a location object.

To edit a location object:

1. On the Guardian > Policy objects > Locations page, in the Locations area, select the location and click the Edit location button.
2. Make the changes you require and click Save. Guardian displays the settings.
3. Click Save. Guardian updates the resources in the location object and lists it in the Locations list.

Deleting Location Objects

You can delete location objects you no longer require.

Note: You cannot delete a location object if it is in use in a policy. You must first remove the object from the policy.

To delete a location object:

1. Browse to the Guardian > Policy objects > Locations page.
2. In the Locations list, locate the location object you want to delete and click the Delete location button. Guardian deletes the location object.

Working with Quota Objects

Guardian’s quota objects enable you to limit user access to content on a daily basis. When a quota is used in a web filter policy, users to whom the policy is applied are prompted to confirm that they want to access the content and are told how long their quota is and how much of the quota they have left.

About the Default Quota Object

Guardian comes with a default quota object which is ready for use in a web filtering policy. When used, the default quota limits access to the relevant content to 60 minutes per 24 hours. Users will be prompted every 10 minutes to confirm that they want to continue using their quota. Default quotas are reset daily at 04:00.

You can edit the default quota but you cannot remove it – there must always be a default in case the quota action is used in a web filtering policy. For more information about using quotas and web filtering policies, see Creating Web Filter Policies on page 60.

Creating Quota Objects

Creating a quota object entails specifying who the quota applies to, how long the quota is, how often to prompt the user to confirm that they want to continue using their quota and when the quota is reset.

To create a quota object:

1. Browse to the Guardian > Policy objects > Quotas page.
2. Click Create a new quota and configure the following settings:

   Setting | Description
   Available users or groups | From the list, select the user(s) and/or group(s) to whom the quota will apply.
     Tip: Enter a name or part of a name and Guardian will search for names of users and groups that match.
     Click Add.
   Duration | Move the slider to set the duration of the quota.
   Prompt every | From the drop-down list, select how often users will be prompted to confirm that they want to use more of their quota.
   Reset at | From the drop-down list, select when to reset the quota.
   Enable quota | Select to enable the quota.

3. Click Save. Guardian creates the quota and lists it on the Guardian > Policy objects > Quotas page.
4. Drag and drop the quota object to the correct position.

Note: Quotas are applied as listed on the Guardian > Policy objects > Quotas page. You must consider their position when using them. Take, for example, Bob. Bob is a member of the Staff group. The Staff group has a quota of 60 minutes. However, because of Bob’s responsibilities, he needs a quota of 120 minutes. To ensure Bob gets the quota he needs, create a quota object that applies to Bob and, on the Guardian > Policy objects > Quotas page, list it above the Staff quota object. When Guardian applies the web filtering policy to the Staff group, it will check for quotas and allow Bob 120 minutes while other people in the Staff group will get 60 minutes. If Bob’s quota object is listed below the Staff group’s quota object, Bob will get 60 minutes just like everyone else.

For more information about using quotas and web filtering policies, see Creating Web Filter Policies on page 60.

Editing Quota Objects

It is possible to edit a quota object’s settings.

To edit a quota object:

1. On the Guardian > Policy objects > Quotas page, locate the quota you want to change and click its Edit quota button. Guardian displays the settings.
2. Make the changes required. See Working with Quota Objects on page 57 for more information about the settings available.
3. Click Save. Guardian edits and updates the quota and lists it on the Guardian > Policy objects > Quotas page.

Deleting Quota Objects

You can delete a quota object when it is no longer required.

To delete a quota object:

1. On the Guardian > Policy objects > Quotas page, locate the quota you want to delete and click its Delete quota button. Guardian deletes the quota and removes it from the Guardian > Policy objects > Quotas page.

Managing Web Filter Policies

Guardian processes web filter policies in order of priority, from top to bottom, until it finds content that matches. When it finds a match, Guardian applies the action (block, allow, whitelist, soft block or limit to quota) configured in the policy.

You can review the default web filter policies on the Guardian > Web filter > Manage policies page and you can change the order by dragging and dropping policies in the list. The following sections discuss how to create, edit and delete web filter policies.

Creating Web Filter Policies

You can create custom web filter policies to allow or block specific content, allow access to specific web sites at certain times or apply an acceptable usage policy (AUP) to meet your organization’s requirements.

To create a web filter policy:

1. Browse to the Guardian > Web filter > Policy wizard page.
2. Complete the following steps:

   Step | Description
   Step 1: Who | From the Available users or groups list, select the user(s) and/or group(s) to whom the policy will apply.
     Tip: Enter a name or part of a name and Guardian will search for names of users and groups that match.
     Click Add and, when you have added all the users and/or groups, click Next to continue.
   Step 2: What | From the Available categories or category groups list, select what is to be filtered.
Tip: Enter the name or part of the name and Guardian will search for content that matches. Click Add and, when you have selected all the content, click Next to continue. Step 3: Where From the Available locations list, select where the policy will apply. Tip: Enter the name or part of the name and Guardian will search for locations that match. Click Add and, when you have added the location(s), click Next to continue. 60 Smoothwall Ltd Guardian Installation and Administration Guide Working with Policies Step Description Step 4: When From the Available time slots list, select when the policy will apply. Tip: Enter the name or part of the name and Guardian will search for time slots that match. Click Add and, when you have added the time slot(s), click Next to continue. Step 5: Action Select one of the following actions to use when applying this policy: Create policy folder – Select this action when configuring a policy at a central installation where you need to create policy folders for multiple locations or groups. Block – Select this action to block the selected content. Allow – Select this action to allow the content. Guardian may also categorize the content and apply any content modification policies in place. You can use this option to create specific exceptions to broad blocking policies. Another possible use is to prevent over-blocking of diverse content such as news articles, which may fall under a variety of categorizations depending on the type of news article. Whitelist – Select this action to whitelist the selected content. When content is whitelisted, Guardian does not examine it any further. Whitelisting is applied early on when Guardian is checking URLs. Content which is whitelisted will not be subjected to outgoing filtering or dynamic content analysis. Content modification policies may still be applied, unless the categorization of the original, unmodified URL matches the whitelist. 
Whitelisting content may help to conserve system resources and prevent unintentional blocking when dealing with trusted content, such as online banking sites or Windows updates. Soft block – Select this action to soft block the selected content. Anyone trying to access the content will be prompted by Guardian to confirm that they want to access content. Limit to quota – Select this action to apply a quota when applying the policy. When the policy is applied, Guardian will check the quotas defined on the Guardian > Policy objects > Quotas page and limit access to the requested content based on the quota object’s settings. Note: Any content being streamed or downloaded by a user will not be stopped when the user’s quota runs out. Note: Each step must be completed in order to create the policy. If you skip a step, Guardian creates a policy folder in which you can store policies. For more information about policy folders, see Working with Policy Folders on page 79. 3. Select Enable policy to enable the policy and click Confirm. 4. Guardian displays the settings you have selected. Review them and click Save to create the policy. Guardian creates the policy and makes it available on the Guardian > Web filter > Manage policies page. You must now specify in what order Guardian should apply the policy. 61 Guardian Installation and Administration Guide Working with Policies 5. Browse to the Guardian > Web filter > Manage policies page. 6. Locate the policy in the Filtering policies area. Drag and drop the policy to where you want Guardian to apply it. For example, if you have created a policy which allows media students to access advertising content during their lunch break, drag the policy to the top of the list of policies. 7. Click Save. Guardian re-orders and applies the filtering policies and allows all users in the media student group to access adverts during their lunch break. 
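The top-to-bottom, first-match rule decides whether a narrow exception such as the media students policy ever takes effect, and it is the same rule that requires Bob's quota object to sit above the Staff quota. The Python model below is an added example, not Guardian's code: the class and function names, the "Media lab" location and the lunch time slot are constructed, hostnames are not resolved, and an empty Who, Where or When is assumed to mean everyone, everywhere and always. It evaluates a request against an ordered list and reports policies that an earlier entry makes unreachable.

```python
"""First-match policy evaluation: a model for illustration, not Guardian's code."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


def _covers(entry, ip):
    """True if one location entry (single IP, 'a-b' range or subnet) contains ip."""
    try:
        if "-" in entry:
            low, high = (ip_address(part.strip()) for part in entry.split("-", 1))
            return low <= ip <= high
        return ip in ip_network(entry, strict=False)  # a bare IP parses as a /32
    except ValueError:
        return False  # hostnames such as roaming_laptop are not resolved in this model


@dataclass(frozen=True)
class Location:
    name: str
    addresses: tuple
    exceptions: tuple = ()

    def contains(self, client_ip):
        """Exceptions are checked first, so they carve holes out of the address ranges."""
        ip = ip_address(client_ip)
        if any(_covers(entry, ip) for entry in self.exceptions):
            return False
        return any(_covers(entry, ip) for entry in self.addresses)


@dataclass(frozen=True)
class Policy:
    name: str
    who: frozenset                     # groups; empty = everyone (model assumption)
    what: frozenset                    # content categories
    where: Optional[Location]          # None = everywhere (model assumption)
    when: Optional[Tuple[time, time]]  # (start, end); None = always (model assumption)
    action: str


def evaluate(policies, groups, category, client_ip, now):
    """Return (policy name, action) of the first policy, top to bottom, that matches."""
    for policy in policies:
        if policy.who and not (policy.who & set(groups)):
            continue
        if category not in policy.what:
            continue
        if policy.where is not None and not policy.where.contains(client_ip):
            continue
        if policy.when is not None and not (policy.when[0] <= now < policy.when[1]):
            continue
        return policy.name, policy.action
    return None, "no match"


def shadowed(policies):
    """Names of policies that can never match because an earlier policy covers them."""
    hidden = []
    for index, later in enumerate(policies):
        for earlier in policies[:index]:
            who_ok = not earlier.who or (bool(later.who) and later.who <= earlier.who)
            what_ok = later.what <= earlier.what
            where_ok = earlier.where is None or earlier.where == later.where
            when_ok = earlier.when is None or (
                later.when is not None
                and earlier.when[0] <= later.when[0]
                and later.when[1] <= earlier.when[1])
            if who_ok and what_ok and where_ok and when_ok:
                hidden.append(later.name)
                break
    return hidden


# Constructed sample objects; the address ranges are the manual's own examples.
MEDIA_LAB = Location("Media lab", ("192.168.0.61-192.168.0.71",),
                     ("192.168.0.65-192.168.0.67",))
LUNCH = (time(12, 0), time(13, 0))
ALLOW_ADS = Policy("Media students: adverts at lunch", frozenset({"Media students"}),
                   frozenset({"Adverts"}), MEDIA_LAB, LUNCH, "allow")
BLOCK_ADS = Policy("Block adverts", frozenset(), frozenset({"Adverts"}), None, None, "block")

if __name__ == "__main__":
    for order in ([ALLOW_ADS, BLOCK_ADS], [BLOCK_ADS, ALLOW_ADS]):
        print([p.name for p in order], "->",
              evaluate(order, {"Media students"}, "Adverts", "192.168.0.62", time(12, 30)),
              "shadowed:", shadowed(order))
```

Running `shadowed()` over an exported policy order before saving it catches exceptions that were dropped below the broad rule they were meant to override.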
Editing Web Filter Policies

You can edit an existing web filter policy to suit your organization’s requirements.

To edit a web filter policy:

1. Browse to the Guardian > Web filter > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Guardian displays the policy settings on the Guardian > Web filter > Policy wizard page.
3. Make the changes necessary. See Creating Web Filter Policies on page 60 for more information about working with policies.
4. Click Confirm. Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Guardian updates the policy and makes it available on the Guardian > Web filter > Manage policies page.

Deleting Web Filter Policies

You can delete a web filter policy you no longer require.

To delete a web filter policy:

1. Browse to the Guardian > Web filter > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Guardian prompts you to confirm that you want to delete the policy. Click Remove. Guardian deletes the policy.

Managing HTTPS Inspection Policies

The following sections discuss how to create, edit and delete HTTPS inspection policies.

HTTPS inspection policies enable you to inspect and manage communication between users on your network and web sites which use HTTPS by configuring an inspection method for different user groups, destinations and locations.

Guardian processes HTTPS inspection policies in order of priority as listed on the Guardian > HTTPS inspection > Manage policies page, from top to bottom, until a match is found. You can change the order by dragging and dropping policies in new positions.
Guardian comes with three pre-configured HTTPS inspection policies which handle the following content:

• Online banking – when enabled, this policy allows users to do online banking without communications being decrypted and inspected.
• All encrypted content accessed by unauthenticated IPs – when enabled, this policy decrypts and inspects all encrypted content that users at unauthenticated IPs try to access.
• Certificate validation – enabled by default, this policy checks secure certificates on web sites. Any sites whose certificates are self-signed, out of date or otherwise invalid will be blocked.

Enabling HTTPS Inspection Policies

The following section explains how to enable HTTPS inspection policies that are listed on the Guardian > HTTPS inspection > Manage policies page.

To enable HTTPS inspection policies:

1. Browse to the Guardian > HTTPS inspection > Manage policies page.
2. Locate the policy you want to enable, click on the Enabled button and select Enable.
3. Repeat the step above for any other policies you want to enable and then click Save. Guardian enables the policies.

Note: When you enable, for the first time, an HTTPS inspection policy which decrypts and inspects content, Guardian informs you that users’ browsers must have the Guardian CA certificate in order for the policy to work. You can click on Guardian CA certificate in the text displayed and download the certificate ready for import into browsers. See Managing Certificates on page 67 for more information about how to import the certificate.

Creating an HTTPS Inspection Policy

When an HTTPS inspection policy is in place, Guardian displays a warning page informing users who try to access an HTTPS web site that their communication with the site is being monitored. Users must actively accept the monitoring by clicking Yes in order to continue to the site, or click No to end the communication.
Note: You must configure HTTPS settings and certificates in order for an HTTPS inspection policy to work. For more information, see Configuring HTTPS Inspection Policy Settings on page 67.

To create an HTTPS inspection policy:

1. Browse to the Guardian > HTTPS inspection > Policy wizard page.
2. Complete the following steps:

Step – Description
Step 1: Who – From the Available users or groups list, select who the policy will apply to. Tip: Enter a name or part of a name and Guardian will search for names of users and groups that match. Click Add and, when you have added all the users and/or groups, click Next to continue.
Step 2: What – From the Available categories or category groups list, select what is to be inspected. Tip: Enter the name or part of the name and Guardian will search for content that matches. Click Add and, when you have added all the categories or category groups, click Next to continue.
Step 3: Where – From the Available locations list, select where the policy will apply. Tip: Enter the name or part of the name and Guardian will search for locations that match. Click Add and, when you have added the location(s), click Next to continue.
Step 4: When – From the Available time slots list, select when the policy will apply. Tip: Enter the name or part of the name and Guardian will search for time slots that match. Click Add and, when you have added the time slot(s), click Next to continue.
Step 5: Action – Select one of the following actions to apply:
• Create policy folder – Select this action when configuring Guardian at a central installation where you need to create policy folders for multiple locations or groups.
• Decrypt and inspect – Select this action to decrypt and inspect the encrypted content.
• Validate certificate only – Select this action to check secure certificates on web sites. Any sites whose certificates are self-signed, out of date or otherwise invalid will be blocked.
• Do not inspect – Select this action to not inspect the communication. An example of using this would be to not intercept communication with banking sites if a blanket policy of inspecting all HTTPS communication was in place.

Note: Each step must be completed in order to create the policy. If you skip a step, Guardian creates a policy folder in which you can store policies. For more information about policy folders, see Working with Policy Folders on page 79.

3. Select Enable policy to enable the policy and then click Confirm.
4. Guardian displays the settings you have selected. Review them and click Save to create the policy. Guardian creates the policy and makes it available on the Guardian > HTTPS Inspection > Manage policies page. You must now specify in what order Guardian should apply the policy.
5. Browse to the Guardian > HTTPS Inspection > Manage policies page.
6. Locate the policy in the HTTPS policies area. Drag and drop the policy to where you want Guardian to apply it. For example, if you have created a policy which does not inspect the Google HTTPS AdSense site when accessed by marketing students, drag the policy to the top of the list of policies.
7. Click Save. Guardian re-orders and applies the HTTPS inspection policies and allows all users in the marketing student group to access the Google AdSense site.

Editing HTTPS Inspection Policies

You can edit an existing HTTPS inspection policy to suit your organization’s requirements.

To edit an HTTPS inspection policy:

1. Browse to the Guardian > HTTPS inspection > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Guardian displays the policy settings on the Guardian > HTTPS inspection > Policy wizard page.
3. Make the changes necessary. See Creating an HTTPS Inspection Policy on page 64 for more information about working with policies.
4. Click Confirm. Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Guardian updates the policy and makes it available on the Guardian > HTTPS inspection policies > Manage policies page.

Deleting HTTPS Inspection Policies

You can delete an HTTPS inspection policy you no longer require.

To delete an HTTPS inspection policy:

1. Browse to the Guardian > HTTPS inspection > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Guardian prompts you to confirm that you want to delete the policy. Click Remove. Guardian deletes the policy.

Configuring HTTPS Inspection Policy Settings

For HTTPS inspection policies to work, you must configure HTTPS inspection policy settings. Configuring these settings entails exporting certificate authority certificates, importing them into the list of trusted CA certificates on the computers in your network and configuring warning and confirmation messages that are displayed to users when communications are being decrypted and inspected.

Managing Certificates

Managing certificate authority (CA) certificates entails exporting them and then installing them on users’ computers. Without certificates on users’ computers, HTTPS inspection policies cannot work.

To export a certificate:

1. Browse to the Guardian > HTTPS inspection > Settings page.
2. Click Export. Guardian generates the Guardian CA Cert.crt file. Save the certificate and import it into the list of trusted CA certificates on the computers in your network on which you want to implement HTTPS filtering. Refer to your browser or directory service documentation for a detailed description of how to do this.
Configuring Warning Information

When implemented, Guardian displays a warning page informing users who try to access HTTPS web sites that their communication with the site is being decrypted and inspected. Users must actively accept the decryption and inspection in order to continue to the site.

To configure a warning message, do the following:

1. Browse to the Guardian > HTTPS inspection > Settings page.
2. In the Manage HTTPS interception warning panel, configure the following:
• Warning message — Either accept the default message, or enter a custom message informing users that their HTTPS connections will be decrypted and filtered if they continue to the site they have requested.
• Confirmation button label — Either accept the default label, or enter new text to display on the button that users must click to confirm that they accept that their HTTPS connections will be decrypted and filtered. Once they have clicked on the button, they will be able to continue to the site they requested.
• Warning frequency — Choose how often the warning message is displayed to the user:

Warning Frequency – Description
Daily – Select to display the warning daily.
Weekly – Select to display the warning weekly.
Never – Select to never display a warning. Typically, you would not use this option. However, if you are using the Smoothwall Connect Filter for Windows client, it is recommended you disable the warning message to ensure correct operations. For more information, refer to the Smoothwall Connect Filter for Windows Installation and Administration Guide.

3. Click Save.

The URL used to present the warning page refers to the Guardian IP address. However, if a system redirection to hostname setting is in place, you can force the hostname to be used instead. You do this from the System > Preferences > Hostname page. For a detailed description of how to configure this page, .
Clearing the Generated Certificate Cache

It is possible to clear Guardian’s cache of certificates generated for use with HTTPS inspection policies.

To clear the cache:

1. Browse to the Guardian > HTTPS inspection > Settings page and click Clear. Guardian clears the cache.

Managing Content Modification Policies

The following sections discuss how to create, edit and delete content modification policies.

A content modification policy can apply recommended security rules, determine if Internet searches should use SafeSearch functionality, warn about address spoofing and more. It can also ignore content, thus making it possible to exempt content from modification for specific users or locations.

Creating a Content Modification Policy

You can create a content modification policy that enforces or ignores security rules and/or SafeSearch for specific users at certain locations.

To create a content modification policy:

1. Browse to the Guardian > Content modification > Policy wizard page.
2. Complete the following steps:

Step – Description
Step 1: Who – From the Available users or groups list, select who the policy applies to. Tip: Enter a name or part of a name and Guardian will search for names of users and groups that match. Click Add and, when you have added all the users and/or groups, click Next to continue.
Step 2: What to target – From the Available categories or category groups list, select what the policy applies to. Tip: Enter the name or part of the name and Guardian will search for matches. Click Add and, when you have selected the categories or category groups, click Next to continue.
Step 3: Where – From the Available locations list, select where the policy will apply. Tip: Enter the name or part of the name and Guardian will search for locations that match. Click Add and, when you have selected the location(s), click Next to continue.
Step 4: Action – Select one of the following options:
• Create policy folder – Select this action to group related rules in a policy folder. You can then use Apply or Ignore actions within this folder. For more information about policy folders, see Working with Policy Folders on page 79.
• Apply – Select this action to modify the categories and category groups selected.
• Ignore – Select this action to exempt the categories and category groups from being modified. Note: Usually creating a policy which ignores content implies that there is another policy which modifies content. For example, there might be an Apply policy which enforces SafeSearch for everyone, and another Ignore policy which exempts certain users who need unrestricted search. In such a case, on the Guardian > Content modification > Manage policies page, the Ignore policy which creates the exception must be placed before the Apply policy which modifies the content.
From the Available categories or category groups list, select the content modification to apply and click Add. Note: If you are creating a policy that ignores content, the options here are disabled.

Note: Each step must be completed in order to create the policy. If you skip a step, Guardian creates a policy folder in which you can store policies. For more information about policy folders, see Working with Policy Folders on page 79.

3. Select Enable policy to enable the policy and click Confirm.
4. Guardian displays the settings you have selected. Review them and click Save to create the policy. Guardian creates the policy and makes it available on the Guardian > Content modification > Manage policies page.

Guardian applies all content modification policies in the order found. You must specify in what order Guardian should apply the content modification policies. You do this as follows:

1. Browse to the Guardian > Content modification > Manage policies page.
2. Using the drag and drop method, reorder the list of policies according to how you want Guardian to apply them. For example, if you have created a policy which exempts search results from modification for users in the teachers group, and another policy which exempts particular terms from allowed searches, drag the latter policy to the top of the list of policies.

Editing Content Modification Policies

You can edit an existing content modification policy to suit your organization’s requirements.

To edit a content modification policy:

1. Browse to the Guardian > Content modification > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Guardian displays the policy settings on the Guardian > Content modification > policy wizard page.
3. Make the changes necessary. See Creating a Content Modification Policy on page 69 for more information about working with policies.
4. Click Confirm. Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Guardian updates the policy and makes it available on the Guardian > Content modification > Manage policies page.

Deleting Content Modification Policies

You can delete a content modification policy you no longer require.

To delete a content modification policy:

1. Browse to the Guardian > Content modification > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Guardian prompts you to confirm that you want to delete the policy. Click Remove. Guardian deletes the policy.

Creating Custom Content Modification Policies

You can define new content modification policies to suit your organization’s requirements.

To create a content modification policy, do the following:

1. Browse to Guardian > Content modification > Content modifications.
2. Configure the following parameters:
• Name — The name of the content modification policy.
• Comment — Enter an optional description for this policy.
• Request headers to override — Enter the algorithm to use the requested website’s capability to override HTTP headers sent to it, and redirect users to other content. Only one entry is allowed per line. For example:

A redirect to YouTube Education would be configured as:

X-YouTube-Edu-Filter: Abc_dEf

where Abc_dEf is the search term or phrase which causes the redirect. Note that an account and key must be set up on YouTube for this to work — for more information, refer to http://www.youtube.com/schools.

A restriction on available Google Apps to only allow access to Google Calendar and Google Drive would be configured as:

X-GoogApps-Allowed-Domains: https://www.google.com/calendar/render, https://drive.google.com

Note that for a Google Apps restriction, HTTPS interception is required as Google Apps uses HTTPS throughout.

3. Click Save.

Managing Anti-malware Policies

The following sections discuss how to create, edit and delete anti-malware policies.

Anti-malware policies provide protection against many malware threats, including viruses, worms, spyware and trojans, by scanning content passing through Guardian.

Creating an Anti-malware Policy

An anti-malware policy provides protection by scanning content requested by users. The following section explains how to create an anti-malware policy and configure anti-malware settings.

Note: Anti-malware scanning is not enabled by default. You must enable anti-malware scanning in order to apply any anti-malware policies you have created and enabled. For more information, see Configuring Anti-malware Protection on page 75.

To create an anti-malware policy:

1. Browse to the Guardian > Anti-malware > Policy wizard page.
2. Complete the following steps:

Step – Description
Step 1: Who – Guardian
Step 2: What – From the Available categories or category groups list, select what is to be scanned. Tip: Enter the name or part of the name and Guardian will search for content that matches.
Step 3: Where – From the list of locations, select where the policy will apply. Tip: Enter the name or part of the name and Guardian will search for locations that match. Click Add and, when you have added the location(s), click Next to continue.
Step 4: Action – Select one of the following options:
• Create policy folder – Select this action when configuring Guardian at a central installation where you need to create policy folders for multiple locations or groups.
• Scan – Select this action to scan the content specified for malware.
• Do not scan – Select this action to allow the user to access the content without scanning it for malware.

Note: Each step must be completed in order to create the policy. If you skip a step, Guardian creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 79.

3. Select Enable policy to enable the policy and click Confirm.
4. Guardian displays the settings you have selected. Review them and click Save to create the policy. Guardian creates the policy and makes it available on the Guardian > Anti-malware > Manage policies page. You must now specify in what order Guardian should apply the policy.
5. Browse to the Guardian > Anti-malware > Manage policies page.
6. Locate the policy. Drag and drop the policy to where you want Guardian to apply it. For example, if you have created a policy which does not scan archives that system administrators want to download, drag the policy to the top of the list of policies.
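The Request headers to override setting described under Creating Custom Content Modification Policies takes one header per line. The Python model below is an added example, not Guardian's code: the function names are hypothetical, the client header value is constructed, and replacing rather than appending a header is an assumption based on the word "override". It parses such a list and shows that a configured header has to displace any copy the client sent, and that nothing can be rewritten on an HTTPS connection that is not being decrypted.

```python
"""Model of a 'Request headers to override' list: illustration only, not Guardian's code."""
import re

# Characters allowed in an HTTP header field name (the RFC 7230 "token" set).
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

# The two entries given as examples in the manual, one per line.
CONFIG = """\
X-YouTube-Edu-Filter: Abc_dEf
X-GoogApps-Allowed-Domains: https://www.google.com/calendar/render, https://drive.google.com
"""


def parse_overrides(text):
    """Parse 'Name: value' entries, one per line, into {lower-case name: (name, value)}."""
    overrides = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition(":")  # only the first colon separates the name
        name, value = name.strip(), value.strip()
        if not sep or not _TOKEN.match(name):
            raise ValueError(f"line {lineno}: expected 'Header-Name: value'")
        if not value or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            raise ValueError(f"line {lineno}: empty value or control character")
        if name.lower() in overrides:
            raise ValueError(f"line {lineno}: {name} is configured twice")
        overrides[name.lower()] = (name, value)
    return overrides


def apply_overrides(headers, overrides, scheme, inspected):
    """Return the (name, value) list forwarded upstream for one request.

    headers   -- list of (name, value) pairs as sent by the client
    scheme    -- "http" or "https"
    inspected -- True when an HTTPS inspection policy decrypts this connection
    """
    if scheme == "https" and not inspected:
        return list(headers)  # the tunnel is opaque, so no header can be changed
    # Header names are case-insensitive: drop every client copy before adding ours,
    # otherwise the client could send its own value alongside the configured one.
    kept = [(name, value) for name, value in headers if name.lower() not in overrides]
    return kept + list(overrides.values())


if __name__ == "__main__":
    client = [("Host", "www.google.com"),
              ("x-googapps-allowed-domains", "personal.example")]  # constructed request
    for inspected in (True, False):
        print(inspected, apply_overrides(client, parse_overrides(CONFIG), "https", inspected))
```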
Configuring Anti-malware Protection

The following section explains how to enable anti-malware scanning and set a maximum size for files to be scanned.

To configure anti-malware protection:

1. Navigate to the Guardian > Anti-malware > Settings page.
2. Configure the following settings:

Setting – Description
Anti-malware scanning – Select Enable to activate malware scanning.
Max file size to scan – Enter the maximum file size to scan in megabytes. The value can be between 1 MB and 100 MB. Note: To download files larger than 100 MB with malware scanning enabled, you may need to create an anti-malware policy which never scans files from these sites. Sites which stream audio/video over HTTP may also experience problems when malware scanning is enabled.
File uploads – Select Scan or Do not scan as required.

3. Click Save to apply the malware protection.

Configuring Anti-malware Status Information

You can configure Guardian to display information on files being scanned for malware.

To configure the information displayed:

1. Navigate to the Guardian > Anti-malware > Status page.
2. Configure the following settings:

Setting – Description
Status page title – This text displays information on the name and size of the file being downloaded. Accept the default or enter new text. The keywords %%FILENAME%% and %%FILESIZE%% can be used to provide file-specific information.
After download – This information is displayed after the file has been downloaded and while it is being scanned. Accept the default or enter new text.
After scan – This text is a message displayed when the file has been scanned. Users are provided with a link to save the file to their computer following a successful scan. Accept the default or enter new text.
Auto-start downloads – Select to automatically download the file after it has been scanned and approved for download.

3. Click Save to apply any changes.

Note: If requested content fails the malware scan, Guardian will deny the download. To allow such downloads, you should first be confident that the requested content is safe before creating a policy which allows the content to be downloaded.

Editing Anti-malware Policies

You can edit an existing anti-malware policy to suit your organization’s requirements.

To edit an anti-malware policy:

1. Browse to the Guardian > Anti-malware > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Guardian displays the policy settings on the Guardian > Anti-malware > Policy wizard page.
3. Make the changes necessary. See Managing Anti-malware Policies on page 73 for more information on working with policies.
4. Click Confirm. Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Guardian updates the policy and makes it available on the Guardian > Anti-malware > Manage policies page.

Deleting Anti-malware Policies

You can delete an anti-malware policy you no longer require.

To delete an anti-malware policy:

1. Browse to the Guardian > Anti-malware > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Guardian prompts you to confirm that you want to delete the policy. Click Remove. Guardian deletes the policy.

Using the Policy Tester

Guardian’s policy tester enables you to determine what policy actions would apply for a given URL and, optionally, a specific user or group at a specific location and/or time. This is done by the policy tester sending an impersonated request for access to a URL.

Tip: Use the policy tester to check possible negative side effects of adding a user/group, time slot or location to a Guardian policy.
To use the policy tester:

1. Browse to the Guardian > Quick links > Policy tester page.
2. Configure the following settings:

   Setting – Description
   URL – Enter the URL to be requested. If the URL contains www, enter that too.
   Who – Optionally, select the group(s) or user who would make the request.
      • Group – From the drop-down list, select the group(s) who would make the request.
      • User – Enter the name of the user making the request.
   Where – Optionally, select the location(s) or IP address from which the content would be requested.
      • Location – From the drop-down list, select the location(s) from which the request would be made.
      • IP address – Enter the IP address from which the request would be made.
   When – Optionally, select at what time or during which time slot(s) the content would be requested.
      • Time – Enter the time at which the content would be requested.
      • Time slot – Specify the time slot(s) during which the content would be requested.
      Tip: It is possible to impersonate a request made in the past. For example, you can check if someone could have accessed a URL previously.
   Detailed diagnostics – Optionally, select this to determine what policy actions would apply to resources such as images, JavaScript, CSS tags, HTML5 multimedia tags and other resources at the URL.
      Note: Hyperlinks to other pages are not tested.

3. Click Test. For each Guardian policy enabled at that time, Guardian displays what action has been applied regarding the URL and the options you specified.

When testing a URL which results in a redirect, the URL to which the original is redirected and its status are displayed. This enables you to policy test the redirect URL. For information about URL statuses, see: http://www.w3.org/Protocols/rfc2616/rfc2616-sec6.html#sec6.1.1.
Note: The policy tester can impersonate a user or group(s) attempting to access web content. Guardian does not log impersonated requests. However, an upstream proxy may capture and log the request as coming from the user or group(s) being impersonated.

Other Ways of Accessing the Policy Tester

The policy tester is also available:

• On the Dashboard page. If the Web filter option is enabled on the System > Preferences > User interface page, you can run quick policy tests.
• On user portals. If the policy tester has been enabled for a user portal, it will be available when users access the portal. For more information, refer to your Smoothwall System’s Administration Guide.

Working with Policy Folders

Policy folders enable you to organize and apply policies according to whatever criteria are most appropriate to your organization.

For example, by default, Guardian blocks all adverts for all users all the time in every location. If you want to allow some users and/or groups to access adverts sometimes and others to access them always at specific locations, you can accomplish this by creating a policy folder which contains a general web filter policy allowing access to adverts. You can then add policies to the folder specifying which groups are allowed access, at what times and in which locations.

Using policy folders makes it easier to understand the policy table on the manage policies page and more accurately reflects how a policy is applied to specific groups.

Creating a Policy Folder

You create a policy folder by using a policy wizard.

To create a policy folder:

1. When running a policy wizard, do not add a policy object for the criterion you want to use to determine the type of policy folder. For example, if you want to create a web filter policy folder to contain policies that can be applied to specific groups and/or users, do not add any users or groups to the policy.
2. When configuring the policy action, select Create policy folder. After you have completed the policy wizard, Guardian makes the policy folder available on the manage policies page.
3. To add a policy to a folder, browse to the relevant manage policies page, locate the policies folder and click Add policy to folder. Guardian opens the folder and displays it on the policy wizard page.
4. Add the policy object, for example a group to which you want to apply the policy, and click Confirm. Guardian displays the policy settings. Review the settings and then click Save. Guardian creates the policy, places it in the policy folder and makes it available on the manage policies page.

Editing Policy Folders

You can edit policy folders by changing the policy objects they contain.

To edit a policy folder:

1. On the relevant manage policies page, locate the policy folder and click Edit policy folder. Guardian opens the folder and displays it on the policy wizard page.
2. Make changes to the policy object(s) included in the folder by adding or removing them as required.
3. Click Confirm, review the changes and click Save to apply the changes and update the folder.

Deleting Policy Folders

You can delete policy folders you no longer require.

To delete a policy folder:

1. On the relevant manage policies page, locate the policy folder and click Delete policy folder. Click Remove when prompted to confirm that you want to delete the folder. Guardian deletes the folder and removes it from the relevant manage policies page.

Censoring Web Form Content

The following section explains how to create and apply a censor policy for content and/or files posted using web forms. A censor policy consists of a filter, an action and a time period.

To create and apply a censor policy:

1. Browse to the Services > Message censor > Policies page.
2. Configure the following settings:

   Setting – Description
   Service – From the drop-down menu, select one of the following options:
      • Web filter outgoing – Select to apply the policy to content and/or files being posted in web forms, such as to message boards or Wikipedia, using HTTP.
      • Web filter secure outgoing (HTTPS) – Select to apply the policy to content and/or files being posted in web forms, such as to message boards or Wikipedia, using HTTPS.
        Note: An HTTPS inspection policy must be deployed for this to work. See Managing HTTPS Inspection Policies on page 63 for more information.
      Click Select to update the policy settings available.
   Filter – From the drop-down menu, select a filter to use. For more information about filters, refer to your Smoothwall System’s Operations Guide.
   Time period – From the drop-down menu, select a time period to use, or accept the default setting. For more information about time settings, refer to your Smoothwall System’s Operations Guide.
   Action – From the drop-down menu, select one of the following actions:
      • Block – Content which is matched by the filter is blocked.
      • Allow – Content which is matched by the filter is allowed and is not processed by any other filters.
   Log severity level – Guardian enables you to store all blocked content, no blocked content or only blocked content above a certain severity level. If you want Guardian to only store blocked content above a certain severity level, you must assign severity levels to the content. The Log severity level option enables you to do this. From the drop-down list, select the severity level to assign to content that has been blocked by this policy.
      Note: You must also configure the options for storing blocked content on the Guardian > Web filter > Outgoing page. See below for more information.
   Group – From the drop-down list, select the group to which you want to apply the policy.
   Comment – Optionally, enter a description of the policy.
   Enabled – Select to enable the policy.

3. Click Add and, at the top of the page, click Restart to apply the policy.
4. Browse to the Guardian > Web filter > Outgoing page.
5. Configure the following settings:

   Setting – Description
   MessageCensor filtering and logging – Select Enable to enable censoring of content and/or files posted using web forms.
   Store blocked content – Select this option if you want Guardian to store content it blocks.
      Note: This option does not apply to content posted using HTTPS.
   Store blocked content above severity level – If you have selected to store blocked content, from the drop-down list, select one of the following options:
      • Always store – Guardian stores all blocked content and makes it available for review in the web filter log.
      • –4 to 5 – Select a severity level above which Guardian stores the blocked content and makes it available for review in the web filter log.
      For more information, see the Log severity option above.
      Note: This option does not apply to content posted using HTTPS.

6. Click Save. Guardian applies the policy.

6 Managing Authentication Policies

This chapter introduces authentication policies, including:

• About Authentication Policies
• Creating Authentication Policies
• Managing Authentication Policies
• Managing Authentication Exceptions
• Identification by Location
• Using Global Proxy Certificates
• Connecting to Guardian
• Authentication Scenarios

About Authentication Policies

Note: By default, Guardian comes with an authentication policy in place. To use it, you configure your users’ web browsers to use Guardian as their web proxy. For more information, see Creating a Non-transparent Connection Manually on page 100.
Guardian uses authentication to:

• Identify users and assign them to groups, so that Guardian can apply different policies to each group
• Allow access to registered users or trusted workstations
• Provide logging and auditing facilities in case of misuse
• Show in real time which users are accessing content

An authentication policy is comprised of a connection type, an authentication method, port information and a location.

Guardian can use several different authentication methods to identify a user or group, with different requirements and restrictions. Authentication policies determine which method is used. They also determine which interfaces and ports Guardian listens on for web requests.

Creating Authentication Policies

Guardian enables you to create the following types of authentication policies:

• Non-transparent authentication policies – this type of policy is applied to users whose web browsers are configured to connect to the Internet using Guardian as their web proxy. For more information, see Creating Non-transparent Authentication Policies on page 86.
• Transparent authentication policies – this type of policy is applied to users whose computers’ network connection uses Guardian. For more information, see Creating Transparent Authentication Policies on page 91.

Creating Non-transparent Authentication Policies

Non-transparent authentication policies enable you to apply a web filter policy and authentication requirements to a user or group of users.

To create a non-transparent authentication policy:

1. Browse to the Web proxy > Authentication > Policy wizard page.
2. Select Non-Transparent and from the Method drop-down list, select one of the following authentication methods:

   Method – Setting
   No authentication – Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group.
   Kerberos – Identify users by using the Kerberos keytab stored on Guardian. For more information, refer to your Smoothwall System’s Administration Guide.
   Kerberos (Terminal Services compatibility mode) – Identify users by using the Kerberos keytab stored on Guardian. For information about Kerberos pre-requisites and troubleshooting, refer to your Smoothwall System’s Administration Guide. This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.
   Proxy authentication – Identify users by requesting a username and password from the user’s browser. This authentication method prompts users to enter a username and password when they try to web browse. The username and password details are encoded in all future requests made by the user’s browser.
   Proxy authentication (Terminal Services compatibility mode) – Identify users by requesting a username and password from the user’s browser.
   NTLM identification – Identify users according to the username logged into their Microsoft Windows workstation. This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.
      Note: NTLM identification does not verify a user's credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.
      Note: Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM should not be used with any other browser or platform, even if the platform claims to support NTLM.
      NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
   NTLM identification (Terminal Services compatibility mode) – Identify users according to the username logged into their Microsoft Windows workstation. Can be used in conjunction with Microsoft Terminal Services.
      Note: NTLM identification does not verify a user’s credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.
      Note: Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.
      Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
      This method works with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.
   NTLM authentication – Identify users according to the username logged into their Microsoft Windows workstation, and validate their credentials with the domain controller.
      Prerequisites:
      • There must be a computer account for Guardian in Active Directory
      • The account specified on the Services > Authentication > Settings page must have permission to join the computer to the domain.
      Note: Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.
      Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
   NTLM authentication (Terminal Services compatibility mode) – Identify users according to the username logged into their Microsoft Windows workstation, and validate their credentials with the domain controller. Can be used in conjunction with Microsoft Terminal Services.
      Prerequisites:
      • There must be a computer account for Guardian in Active Directory
      • The account specified on the Services > Authentication > Settings page must have permission to join the computer to the domain.
      Note: Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.
      Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
      This method works with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.
   Redirect users to SSL Login page (with background tab) – Identify users with the Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page which checks their username and password. The Guardian authentication service supports only one user per client IP address. Using this method, the SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times. Select this method if a user’s browser cannot accept cookies. This method is also suitable if a user’s browser plugins or applications require the authenticated session to remain active.
      SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s workstation and the Guardian system is encrypted. To securely logout, the user must click Logout on the SSL Login page. For information on SSL Login, refer to your Smoothwall System’s Administration Guide.
   Redirect users to SSL Login page (with session cookie) – Identify users with the Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page which checks their username and password. The Guardian authentication service supports only one user per client IP address. Using this method, Guardian stores a session cookie on the user’s browser. The cookie removes the need for the user to reauthenticate. This method is useful for users of tablet PCs and other mobile devices which have problems keeping tabs in browsers open in the background. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s workstation and the Guardian system is encrypted. To securely logout, the user must click Logout from the SSL Login page. For information on SSL Login, see your Smoothwall System Administration Guide.
   Core authentication – Identify users with the Guardian authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group. The Guardian authentication service supports only one user per client IP address. Core authentication is typically used with the SSL Login page. For example, anonymous users can be allowed to certain sites only, but users can optionally log in to gain a higher level of access.
   Ident – Identify users according to the username returned by an Ident server running on their workstation.
      Guardian supports Ident for compatibility with any Ident-enabled networks your organization may already be using. Networks supporting Ident authentication require an Ident server application to be installed on all workstations that can be queried by Ident-enabled systems. The user does not need to enter their username as it is automatically supplied by the Ident server application. Once a user’s Ident server has identified the user, the user’s web activities will be filtered according to their authentication group membership. For details of how to configure this with your choice of Ident server, please refer to the Ident server’s administrator's guide.
      Note: Ident does not verify a user’s credentials. It should only be used where all client workstations are secured and running an Ident server controlled by the network administrator. Unsecured clients can spoof their credentials.
   Identification by Location – Identify users by their IP address. Assign a group based on the identification by location policy configured for their location. Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network. For more information, see Identification by Location on page 97. For information about locations, see Working with Location Objects on page 55.
   Kerberos (via redirect) – Identify users with the Guardian authentication service. If no user is logged in, redirect Web requests to the Kerberos login page, which obtains the username logged into their Microsoft Windows workstation. For information about Kerberos pre-requisites and troubleshooting, refer to your Smoothwall System’s Administration Guide. The Guardian authentication service supports only one user per client IP address.
   Smart redirect – Identify the user’s device in order to redirect them to an NTLM authentication service, or an SSL login service.
      This redirect is based on the User-Agent data received in the browser’s HTTP header packet. This is a best-guess scenario, based on pattern-matching and compatibility. Note that within the user activity screen (refer to your Smoothwall System’s Administration Guide), smart redirected users will show the authentication method used, not Smart redirect.
   NTLM identification (via redirect) – Identify users with the Guardian authentication service. If no user is logged in, redirect Web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation. The Guardian authentication service supports only one user per client IP address.
      Note: This option is for backwards compatibility with earlier versions of Guardian.
   NTLM authentication (via redirect) – Identify users with the Guardian authentication service. If no user is logged in, redirect Web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller. The Guardian authentication service supports only one user per client IP address.
      Note: This option is for backwards compatibility with earlier versions of Guardian.
   Global Proxy using NTLM – Identify users using the Secure Global Proxy service. Users must be logged in using NTLM credentials.
      Note: Even if your Smoothwall System has multiple internal interfaces, you can only create one Global Proxy using NTLM authentication policy.
      Enabling this policy automatically adds firewall rules to allow external access to the proxy port. Device authentication can be implemented using client-side certificates. For a detailed description of how to configure these, see Using Global Proxy Certificates on page 98. For more information about Secure Global Proxy, refer to the Secure Global Proxy Installation and Administration Guide.

3. Configure the following settings:

   Setting – Description
   Interface – From the drop-down list, select the interface on which to apply the authentication policy.
   Port – From the drop-down list, select the port on which to apply the authentication policy.
   Enabled – Select to enable the policy.

4. Click Next and add the location at which the policy will apply.
5. Click Next and review the options for handling unauthenticated requests. When requests are permitted without requiring authentication, for example, entries on the Web proxy > Authentication > Exceptions page, Guardian assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.
6. Click Next, select Enabled and click Confirm. Guardian displays the policy settings.
7. Review the settings and click Save to make the policy available for use.

Creating Transparent Authentication Policies

Transparent authentication policies enable you to apply a web filter policy and authentication requirements to a user or group of users.

To create a transparent authentication policy:

1. Browse to the Web proxy > Authentication > Policy wizard page.
2. Select Transparent and, from the Method drop-down list, select one of the following authentication methods:

   Method – Setting
   No authentication – Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group.
   Redirect users to SSL Login page (with background tab) – Identify users with the Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page which checks their username and password. The Guardian authentication service supports only one user per client IP address.
      Using this method, the SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times. Select this method if a user’s browser cannot accept cookies. This method is also suitable if a user’s browser plugins or applications require the authenticated session to remain active. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s workstation and the Guardian system is encrypted. To securely logout, the user must click Logout on the SSL Login page. For information on SSL Login, refer to your Smoothwall System’s Administration Guide.
   Redirect users to SSL Login page (with session cookie) – Identify users with the Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page which checks their username and password. The Guardian authentication service supports only one user per client IP address. Using this method, Guardian stores a session cookie on the user’s browser. The cookie removes the need for the user to reauthenticate. This method is useful for users of tablet PCs and other mobile devices which have problems keeping tabs in browsers open in the background. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s workstation and the Guardian system is encrypted. To securely logout, the user must click Logout from the SSL Login page. For information on SSL Login, refer to your Smoothwall System’s Administration Guide.
   Core authentication – Identify users with the Guardian authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group. The Guardian authentication service supports only one user per client IP address. Core authentication is typically used with the SSL Login page.
      For example, anonymous users can be allowed to certain sites only, but users can optionally log in to gain a higher level of access.
   Identification by location – Identify users by their IP address. Assign a group based on the identification by location policy configured for their location. Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network. For more information, see Identification by Location on page 97. For information about locations, see Working with Location Objects on page 55.
   Kerberos (via redirect) – Identify users with the Guardian authentication service. If no user is logged in, redirect Web requests to the Kerberos login page, which obtains the username logged into their Microsoft Windows workstation. For information about Kerberos pre-requisites and troubleshooting, refer to your Smoothwall System’s Administration Guide. The Guardian authentication service supports only one user per client IP address.
   Smart redirect – Identify the user’s device in order to redirect them to an NTLM authentication service, or an SSL login service. This redirect is based on the User-Agent data received in the browser’s HTTP header packet. This is a best-guess scenario, based on pattern-matching and compatibility. Note that within the user activity screen (refer to your Smoothwall System’s Administration Guide), smart redirected users will show the authentication method used, not Smart redirect.
   NTLM identification (via redirect) – Identify users with the Guardian authentication service. If no user is logged in, redirect Web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation. The Guardian authentication service supports only one user per client IP address.
      Note: NTLM identification does not verify a user's credentials.
      It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.
   NTLM authentication (via redirect) – Identify users with the Guardian authentication service. If no user is logged in, redirect Web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller. The Guardian authentication service supports only one user per client IP address.

3. Configure the following settings:

   Setting – Description
   Interface – From the drop-down list, select the interface on which to apply the authentication policy.
      Note: For more information about the WCCP interface option, see Configuring WCCP on page 28.
   HTTPS –
      • Filter HTTPS traffic – Select this option to transparently intercept HTTPS connections.
      • Allow HTTPS traffic with no SNI header for the 'Transparent HTTPS incompatible sites' category – Select this option to allow HTTPS traffic without a server name indication (SNI) field in its header. This allows access to content in the Transparent HTTPS incompatible sites content category based on a best-guess of the destination host by using DNS reverse lookup. For more information about content categories, see Working with Category Group Objects on page 51.
      Note: When enabled, web requests allowed by this option will bypass any deployed HTTPS policies and will not be subjected to inspection or certificate checking.
      Note: This option is not applicable when configuring an authentication policy folder. For more information about folders, see Working with Policy Folders on page 79.
   Spoofing – Select this option to allow upstream services to see network traffic as coming from Network Guardian’s IP address rather than the originating client’s IP address.
      Note: This option is only available when configuring a policy which uses a bridged interface.
   Enabled – Select to enable the policy. When disabled, no filtering is performed on HTTPS requests from clients without deployed proxy settings.
      Note: Transparent HTTPS interception is not compatible with Internet Explorer running on Windows XP or earlier.

4. Click Next and add the location at which the policy will apply.
5. Click Next and review the options for handling unauthenticated requests. When requests are permitted without requiring authentication, for example, entries on the Web proxy > Authentication > Exceptions page, Guardian assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.
6. Click Next, select Enabled and click Confirm. Guardian displays the policy settings.
7. Review the settings and click Save to make the policy available for use.

Managing Authentication Policies

Guardian applies authentication policies in the order they are displayed on the Web proxy > Authentication > Manage policies page. You can change the order the policies are applied by dragging and dropping them in new positions.

To change the order of the authentication policies, do the following:

1. Browse to the Web proxy > Authentication > Manage policies page. Guardian displays the current authentication policies assigned to each interface.
2. To move an authentication policy, either:
   • Click and hold the policy number and drag it to its new position; or
   • Highlight the policy by clicking it, and use the Up or Down button to move it to its new position.
3. Click Save.
4. You must restart Guardian’s proxy service if any changes are made to the authentication policies. Click Restart proxy when prompted.
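The "Allow HTTPS traffic with no SNI header" option in the transparent policy settings above depends on whether a client's TLS ClientHello carries a server_name extension. The Python below is an added illustration, not Smoothwall code: it extracts the SNI host name from a ClientHello and labels flows that have none, which are the ones that option can admit without inspection or certificate checking. The function names, verdict labels and sample flows are constructed for this example, and it assumes the whole ClientHello arrives in a single TLS record.

```python
import struct


class NotClientHello(ValueError):
    """The first bytes of the flow are not one complete TLS ClientHello record."""


def build_client_hello(server_name=None):
    """Build a minimal ClientHello record for the demo (constructed, not a capture)."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry              # server_name_list
        extensions += struct.pack("!HH", 0x0000, len(sni)) + sni
    groups = struct.pack("!HH", 2, 0x001D)                       # supported_groups: x25519
    extensions += struct.pack("!HH", 0x000A, len(groups)) + groups
    body = (b"\x03\x03" + bytes(32) + b"\x00"                    # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                 # one cipher suite
            + b"\x01\x00"                                        # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # msg_type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _host_name(ext):
    """Return the first host_name entry of a server_name extension body, or None."""
    (list_len,) = struct.unpack_from("!H", ext, 0)
    pos, end = 2, 2 + list_len
    if end > len(ext):
        raise NotClientHello("server_name list overruns its extension")
    while pos + 3 <= end:
        name_type = ext[pos]
        (name_len,) = struct.unpack_from("!H", ext, pos + 1)
        pos += 3
        if pos + name_len > end:
            raise NotClientHello("host_name overruns the list")
        if name_type == 0:
            return ext[pos:pos + name_len].decode("ascii", "replace").lower()
        pos += name_len
    return None


def extract_sni(record):
    """Return the SNI host name, or None when the ClientHello has no SNI extension."""
    try:
        if record[0] != 0x16:                                    # content type: handshake
            raise NotClientHello("not a TLS handshake record")
        (rec_len,) = struct.unpack_from("!H", record, 3)
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:
            raise NotClientHello("truncated record or not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            raise NotClientHello("ClientHello continues in another record")
        pos = 2 + 32                                             # client_version + random
        pos += 1 + body[pos]                                     # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]        # cipher_suites
        pos += 1 + body[pos]                                     # compression_methods
        if pos == len(body):
            return None                                          # no extensions block at all
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_total
        if end > len(body):
            raise NotClientHello("extensions overrun the handshake body")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if pos + ext_len > end:
                raise NotClientHello("extension overruns the block")
            if ext_type == 0x0000:                               # server_name
                return _host_name(body[pos:pos + ext_len])
            pos += ext_len
        return None
    except (IndexError, struct.error) as exc:
        raise NotClientHello("truncated ClientHello") from exc


def triage(flows):
    """Label each (client, dst, first_bytes) flow as sni, no-sni or unparsed.

    no-sni flows have no host name to filter on; they are the candidates for
    the reverse-DNS best guess and for skipping HTTPS inspection.
    """
    results = []
    for client, dst, first_bytes in flows:
        try:
            host = extract_sni(first_bytes)
            verdict = "sni" if host else "no-sni"
        except NotClientHello:
            host, verdict = None, "unparsed"
        results.append({"client": client, "dst": dst, "host": host, "verdict": verdict})
    return results


# Constructed sample flows; addresses come from the documentation ranges.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7", build_client_hello("www.example.com")),
    ("192.0.2.11", "198.51.100.8", build_client_hello(None)),
    ("192.0.2.12", "198.51.100.9", build_client_hello("intranet.example.org")[:40]),
    ("192.0.2.13", "198.51.100.9", b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FLOWS):
        print(row)
```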
Editing Authentication Policies

You can make changes to existing authentication policies, including disabling them for later use, without removing the policy.

To edit an authentication policy, do the following:
1. Browse to the Web proxy > Authentication > Manage policies page.
2. Locate the policy you want to change.
3. To enable or disable an existing policy, highlight the relevant one, and click the grey box in the Enabled column.
4. To edit the policy configuration, click the Edit policy button. Guardian displays the policy on the Web proxy > Authentication > Policy wizard page.
5. Adjust the policy as required. For more information, see Creating Authentication Policies on page 86.
6. Click Confirm.
7. Review your changes and then click Save to save and apply the changes.
8. You must restart Guardian’s proxy service if any changes are made to the authentication policies. Click Restart proxy when prompted.

Deleting Policies

You can delete authentication policies you no longer require.

Note: If you remove all authentication policies assigned to a policy folder, but do not remove the folder assigned to an interface, the Guardian service stops responding to requests and appears as stopped on the Dashboard. To prevent an interface from using authentication policies, it is recommended you remove the folder as well.

To delete an authentication policy, do the following:
1. On the Web proxy > Authentication > Manage policies page, locate the policy you want to delete.
2. Click the Delete policy button. Guardian prompts you to confirm that you want to delete the policy.
3. Click Delete.
4. You must restart Guardian’s proxy service if any changes are made to the authentication policies. Click Restart proxy when prompted.
Managing Authentication Exceptions

You can configure Guardian to allow access to content without requiring authentication. For example, automatic Windows updates can be accessed without user authentication.

Tip: Log in to our support portal and read more about applications known not to support authenticated proxies and how to put an authentication exception in place for them.

To create an exception:
1. Browse to the Web proxy > Authentication > Exceptions page.
2. Select the content to be excepted from authentication and click Add.
3. Click Save to create the exception.

Identification by Location

You can configure Guardian to identify groups and/or users by the location in which they are situated. This ident by location status can be used to configure an identification by location authentication policy.

Note: The settings configured on this page are only used when Identification by Location is selected as the method in an authentication policy. See Creating Authentication Policies on page 86 for more information.

To configure identification by location:
1. Browse to the Web proxy > Authentication > Ident by location page.
2. From the Selected location drop-down list, select the location.
3. Select the groups and/or users to include in the location and click Add.
4. Click Confirm. Guardian lists the location in the Location to group mappings table.

Using Global Proxy Certificates

As well as utilizing NTLM authentication to authenticate users, you can use client-side certificates to ensure only approved devices have access to web filter policies. This provides an additional layer of security. The same certificate is used by all devices.
You must download the client certificate from the Smoothwall System licensed for Secure Global Proxy, and install it on the relevant devices.

Note: The home page of the device’s browser must be set to the external IP address of your Smoothwall System, and port 62444, to validate the certificate before web traffic is allowed through.

To download a client certificate, do the following:
1. On the Smoothwall System, browse to Web proxy > Global Proxy > Settings.
2. Ensure Proxy security is ticked as Client certificates.
3. Click Save.
4. From the Client certificate panel, click Download certificate.
5. Copy this certificate into the relevant device’s internal storage, and import it into the browsers.

For a detailed description of supported browsers, and how to import the certificates, refer to the Secure Global Proxy Installation and Administration Guide.

Using Multiple, Distinct Proxies

You can configure multiple Secure Global Proxy servers in separate locations, which are not part of a centrally managed solution. Each proxy server must have the same Root Certificate Authority (CA) to validate the same client certificates presented to them. This allows the connecting client to use an alternative Secure Global Proxy server without having to import new or additional certificates, with the additional advantage of load-balancing the web traffic from a large number of clients.

Note: Secure Global Proxy servers which are part of a centrally managed solution should have the Root CA bundle uploaded to them via replication. If this does not happen, the following procedure should also be used.

To download a Root CA bundle, do the following:
1. On the Smoothwall System, browse to Web proxy > Global Proxy > Settings.
2. Click Advanced.
3. From the Download Root CA Bundle panel, click Download certificate.
4. Manually upload the Root CA certificate (connect_ca.tgz) to all other Secure Global Proxy servers as detailed below.

To upload a Root CA bundle, do the following:
1. On the Smoothwall System, browse to Web proxy > Global Proxy > Settings.
2. Click Advanced.
3. From the Upload Root CA Bundle panel, click Choose File, and browse to the Root CA bundle (connect_ca.tgz).
4. Click Upload to make the Root CA available.

Note: Uploading a new Root CA bundle will overwrite the existing Root CA.

Using an Unsecured Proxy

It is not recommended you configure an unsecured (open) proxy as this has security implications.

If you configure Secure Global Proxy as an open proxy, connecting clients do not need to present the client-side certificate, although NTLM authentication is still required. Open proxies allow all connection attempts through without authentication, and can potentially be exploited by users, such as spammers.

To remove the need for client-side certificate checking, do the following:
1. On the Smoothwall System, browse to Web proxy > Global Proxy > Settings.
2. Change Proxy security to None (Open proxy).
3. Click Save.

Viewing the Global Proxy Logs

The Secure Global Proxy log contains information about the users logged into your network via Secure Global Proxy, and the length of time left on their session.

To view the Secure Global Proxy log, do the following:
• From the Smoothwall System, browse to Web Proxy > Global Proxy > Certificate Activity.

Connecting to Guardian

The following sections explain how to connect non-transparently and transparently to Guardian.

About Non-transparent Connections

Non-transparent connections from users’ web browsers to Guardian are suitable when content is accessed using HTTPS or when using NTLM or proxy authentication or identification in terminal services compatibility mode.
Connecting to Guardian non-transparently entails configuring users’ web browsers to use Guardian as the web proxy using one of the following methods:
• Manually – Web browser LAN settings are manually configured, see Creating a Non-transparent Connection Manually on page 100 for more information
• Automatic configuration script – Web browser LAN settings are configured to receive proxy configuration settings from an automatic configuration script which is generated by Guardian, see Configuring Non-transparent Connections Using a PAC Script on page 101 for more information
• WPAD automatic script – Web browser LAN settings are configured to detect proxy settings, see Configuring a Non-transparent Connection Using a WPAD Automatic Script on page 101 for more information.

Creating a Non-transparent Connection Manually

Note: The following instructions apply to Internet Explorer 7. For information about other browsers, see the documentation delivered with the browsers.

To create a non-transparent connection manually:
1. On users’ computers, start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings.
3. In the Automatic configuration area, check that Automatically detect settings and Use automatic configuration script are not selected.
4. In the Proxy server area, select Use a proxy server for your LAN …
5. Enter Guardian's IP address and port number 800 and select Bypass proxy server for local addresses.
6. Click Advanced to access more settings. In the Exceptions area, enter Guardian’s IP address and any other IP addresses to content that you do not want filtered, for example, your intranet or local wiki.
7. Click OK and OK to save the settings.

Configuring Non-transparent Connections Using a PAC Script

A proxy auto-config (PAC) script is a file generated by Guardian.
Once configured, any changes to connections are automatically retrieved by the user’s web browser. For information about working with PAC scripts, see Using PAC Scripts on page 24.

Note: The following instructions apply to Internet Explorer 7. For information about other browsers, see the documentation delivered with the browsers.

To configure a non-transparent connection using a PAC script:
1. On the user’s computer, start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings.
3. Configure the settings as follows:
   • Automatically detect settings – Deselect this option.
   • Use automatic configuration script – Select this option.
   • Address – Enter the address of the script.
     Tip: To locate the address, navigate to the Web proxy > Web proxy > Settings page. The address is listed in the Automatic configuration script address area.
4. Ensure that no other proxy settings are enabled or have entries.

Note: You may need to restart the web browser for the settings to take effect.

Configuring a Non-transparent Connection Using a WPAD Automatic Script

Note: This method is only for administrators familiar with configuring web and DNS servers. End-user browsers must support WPAD – the latest versions of Microsoft Internet Explorer support this method.

The WPAD method works by the web browser prepending the hostname wpad to the front of its fully qualified domain name and looking for a web server on port 80 that can supply a wpad.dat file. The file works in the same way as the automatic configuration script and tells the browser what web security policy it should use.

To use WPAD:
1. Configure your network to use Guardian as the network web proxy. Consult your network documentation for more information about how to do this.
2. Using a local DNS server or Guardian’s static DNS, add the host 'wpad.YOURDOMAINNAME' substituting your own domain name. The host must resolve to Guardian’s IP address.
3. Configure users’ browsers to automatically detect LAN settings.

About Transparent Connections

You configure transparent connections from users’ computers to Guardian by configuring computers’ network connections to use Guardian as the default gateway.

In order for a transparent policy to work, the following must be in place:
• DNS must be set up correctly on your network so that user computers can resolve the short form of Guardian’s hostname, for example: resolve mysystem for the hostname mysystem.example.com
• User computers and Guardian must be within the same DNS domain
• Internet Explorer must be configured to authenticate automatically with intranet sites.

Authentication Scenarios

The following are high level examples of how you can configure Guardian to suit your organization’s authentication requirements.

New Content Filtering – Changing the Listening Port

Anna runs an Internet cafe. She is replacing her current content filter with Guardian because of its superior filtering. To avoid reconfiguring each workstation, she needs Guardian to listen on the same port as before, which was port 3128.

Anna goes to the Web proxy > Authentication > Policy page which shows the default configuration of no authentication on port 800. She clicks the Edit button on the entry displayed which takes her to the Web proxy > Authentication > Policy wizard page. On this page, all fields apart from interface and port are disabled. She changes the port to 3128 and saves her changes, and a message prompts her to restart Guardian.

Providing Filtered Web Access to the Public

Brian is a network administrator for a university. Staff and student web access is unfiltered, but Brian wants to provide filtered web access for a new conference centre open to the public.
He does not want delegates to need to configure a proxy in their browsers.

Brian configures Guardian to listen in transparent mode. On the Web proxy > Authentication > Policy wizard page, he selects Transparent and No authentication and leaves the other options at their defaults. After adding this entry, on the Web proxy > Authentication > Policy page, he can see the new transparent authentication policy so he removes the default entry for port 800. He then configures the firewall and DHCP servers on the network to route traffic through Guardian.

Requiring Authentication to Browse the Web

Charlotte is a hotel manager. The hotel provides Internet access to guests via their own laptops and shared PCs in the lobby. The wireless network is secured but Charlotte needs to know which guest is responsible for web traffic in case of misuse. She wants a simple system which doesn’t require guests to register their wireless devices.

Charlotte creates a local user account for each room, with names like ‘room23’ and a random simple password. Guests are told the password for their room when they check in if they request Internet access, and the password is changed when they check out. Charlotte then configures Guardian in transparent mode on the Web proxy > Authentication > Policy page by adding a new entry for Transparent and Redirect to SSL Login, leaving the other options at their defaults. She removes the entry for port 800 before restarting Guardian.

Using Multiple Authentication Methods

Donald is a college system administrator. His network contains Windows PCs, Macs, and network points for student laptops. Donald wants to provide authentication across the network using single sign on wherever possible.

For Macs, Donald creates a location on the Guardian > Location > Policy wizard page, which he names ‘Macs’. This location contains the IP address ranges assigned to Macs.
On the Web proxy > Authentication > Policy page, he edits the default entry for port 800, changing the authentication method to NTLM authentication. Then he adds a new entry, choosing Ident authentication for the location ‘Macs’. This is displayed above the entry for NTLM on the policy page. Finally he adds an entry for the laptops for transparent connections and Redirect to SSL Login.

Using group policy and central admin tools, he configures the Windows PCs and Macs to use Guardian, and installs an Ident server on the Macs. Windows and Mac users now authenticate to Guardian using their desktop login session, but laptop users are presented with the SSL Login screen when they browse.

Controlling an Unruly Class

Ellen is a secondary school teacher. Ellen’s students are supposed to be reading about the Civil War but are inclined to waste time when her back is turned. Ellen needs to be able to ban students from accessing the Internet as a punishment for misbehavior.

While the students are working, Ellen looks around the room and also monitors web usage on the Logs and reports > Realtime > Web filter page. She sees that one of her students, Fred, is watching videos on YouTube, so she goes to the Services > Authentication > User activity page, scrolls to his login entry, and selects Ban. This takes her to the temporary bans page where she configures the ban to expire at the end of the lesson. When Fred clicks on another video, he is shown the block page.

7 Guardian Alerts, Logs and Reports

This chapter describes the alerts, log files, and reports that are available in Guardian, including:
• About Guardian Alerts
• Web Filter Logs
• Guardian Reports

About Guardian Alerts

You access the Guardian alerts and their settings on the Logs and reports > Alerts > Alerts page.

• Guardian Violations – Constantly monitors Guardian activity and generates warnings about suspicious or blocked web access.
• Guardian upstream proxy status – Web proxy failover status notifications occur when the web proxy either fails over, or fails back. Monitored once every five minutes.
• Guardian URL violations – Monitors URL activity once every five minutes.
• Guardian Web Proxy Failover Status – Web proxy failover status notifications occur when the web proxy either fails over, or fails back. Monitored once every five minutes.

Configuring the Guardian Violations Alert

When configured and enabled, Guardian generates warnings about suspicious or blocked web accesses.

To set the alert:
1. On the Logs and reports > Alerts > Alert settings page, configure the following settings:
   • Forbidden user accesses
     Monitor for blocked accesses – Select to alert when the warning and caution thresholds are exceeded.
     Warning threshold – Accept the default threshold, or enter a threshold above which a warning alert is generated.
     Caution threshold – Accept the default threshold, or enter a threshold above which a caution alert is generated.
     Exclude adverts – Select to exclude adverts when monitoring the number of accesses.
     Note: The alert will be triggered only if the method used to authenticate users supplies a username. For more information on authentication methods, see Chapter 6, Managing Authentication Policies on page 85.
   • Forbidden IP address accesses
     Monitor for blocked accesses – Select to alert when the warning and caution thresholds are exceeded.
     Warning threshold – Accept the default threshold, or enter a threshold above which a warning alert is generated.
     Caution threshold – Accept the default threshold, or enter a threshold above which a caution alert is generated.
     Exclude adverts – Select to exclude adverts when monitoring the number of accesses.
2. Click Save to save and apply the settings.
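The per-user and per-IP counting that the Guardian Violations alert settings describe can also be applied to a log of web requests held as CSV. This added example is not Smoothwall code: the column names, the "Denied" and "Adverts" values, and the thresholds are constructed assumptions. It shows the effect of the note above, where requests that carry no username only surface in the per-IP count.

```python
import csv
import io
from collections import Counter

# Constructed sample data. The column names and the status/category values
# are assumptions; map them to the fields of your own log export.
SAMPLE_CSV = """username,source_ip,url,category,status
alice,10.0.0.5,http://ads.example.net/banner.gif,Adverts,Denied
alice,10.0.0.5,http://games.example.org/,Games,Denied
alice,10.0.0.5,http://games.example.org/play,Games,Denied
alice,10.0.0.5,http://games.example.org/score,Games,Denied
,10.0.0.9,http://video.example.org/a,Video,Denied
,10.0.0.9,http://video.example.org/b,Video,Denied
,10.0.0.9,http://video.example.org/c,Video,Denied
bob,10.0.0.7,http://www.example.com/,News,Allowed
bob,10.0.0.7,http://games.example.org/,Games,Denied
bob,10.0.0.7,http://games.example.org/play,Games,Denied
"""

# Constructed thresholds; each level is checked independently.
LIMITS = {"warning": 1, "caution": 2}

def load_rows(text):
    """Parse CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def blocked_access_alerts(rows, user_limits, ip_limits, exclude_adverts=True):
    """Count denied requests per username and per source IP, then report
    every count that is strictly above a threshold."""
    by_user, by_ip = Counter(), Counter()
    for row in rows:
        if row["status"] != "Denied":
            continue
        if exclude_adverts and row["category"] == "Adverts":
            continue
        by_ip[row["source_ip"]] += 1
        if row["username"]:          # no username: invisible to the per-user alert
            by_user[row["username"]] += 1

    def over(counter, limits):
        found = {}
        for key, count in counter.items():
            levels = [lvl for lvl, limit in limits.items() if count > limit]
            if levels:
                found[key] = {"count": count, "levels": levels}
        return found

    return {"users": over(by_user, user_limits), "ips": over(by_ip, ip_limits)}

if __name__ == "__main__":
    print(blocked_access_alerts(load_rows(SAMPLE_CSV), LIMITS, LIMITS))
```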
Configuring the Guardian URL Violations Alert

When configured and enabled, Guardian generates warnings about suspicious URL activity.

To set the alert:
1. On the Logs and reports > Alerts > Alert settings page, configure the following settings:
   • URLs to monitor – Enter a URL or part of a URL to monitor. Guardian will search for each entry exactly as entered. For example, any of the following entries:
       http://www.example.com
       example.com
       real
     would match:
       http://www.example.com/we%20are%20not%20real
   • Warning threshold – Enter the number of URL matches above which a warning alert is generated.
   • Caution threshold – Enter the number of URL matches above which a caution alert is generated.
2. Click Save to save and apply the settings.

Web Filter Logs

Web filter logs provide detailed, configurable and searchable information on web filtering activity regarding user and group activity, source IPs, requested URLs, categories of web content requested and domains recorded.

Configuring Web Filter Logs

To access and configure the web filter log:
1. Navigate to the Logs and reports > Logs > Web filter page. Guardian displays the currently configured log entries.
2. Click Advanced. The following options are displayed:
   • Username – Select to display the usernames of users making web requests.
   • Source IP – Select to display source IP addresses that web requests are coming from.
   • Group – Select to display the logs for groups of users.
   • Code – Select to display the HTTP response status code.
   • URL – Select to display the URLs of the requested web resources.
     Note: When content matches a web filter policy, Guardian displays a link to the policy.
     To exclude certain types of URLs:
     1. Click Exclude to display the drop-down menu.
     2. Select which URLs to exclude from the viewer. The options are:
        • Images – Select to exclude all images.
        • Javascript – Select to exclude Javascript resource requests.
        • CSS – Select to exclude CSS resource requests.
        • User defined – Enter a regular expression to find and exclude a web resource.
     3. Close the drop-down menu. Guardian excludes the web resource(s) specified and refreshes the displayed log entries.
   • Category – Select to display the categories a request was categorized as being in. Depending on how the request was categorized, Guardian may also display the following status information:
     Infected – malware was found in the content. The name of the malware found is displayed.
     Denied – access to the content was denied. The name(s) of the category/categories which caused the request to be denied is displayed.
   • Policy – Select to display which web filtering policy has been applied to the content. For more information on policies, see Chapter 5, Working with Policies on page 47.
   • Domain – Select to display log entries recorded against domains.
   • SNI – Select to display when an HTTPS request has not included a server name indication (SNI) field in its header. For more information on SNI, see Chapter 6, Creating Transparent Authentication Policies on page 91.
     Note: If an HTTPS request with no SNI field fails, the Code field will display 0.
3. Select the options you want to display. Guardian updates what is displayed.

Monitoring Log Activity in Realtime

It is possible to monitor web filter log activity in realtime.

To monitor activity in realtime:
1. On the Logs and reports > Logs > Web filter page, click Realtime. Guardian displays the currently configured log options in realtime in a table of log entries and in the web filter graph. The results are updated automatically.
   Tip: To get a closer look at what is happening at a specific time, locate and click on that time in the graph. Guardian stops the realtime display and shows what has been logged at the time you clicked on.
2. To stop realtime monitoring, click Realtime. Guardian stops displaying realtime data.

Searching for and Filtering Information

Guardian enables you to search for/filter information in a number of ways.

To search for/filter information:
1. On the Logs and reports > Logs > Web filter page, use one or more of the following methods:
   • Graph – On the graph, locate and click on the time you are interested in. Guardian displays what was logged at the time you clicked on.
   • Time – Click in the date and time picker and specify when to search from. Click Apply. Guardian displays search results from the time specified and two hours forward.
   • Free search term – In the Username, Source IP, Code, URL or Domain column(s), enter one or more search terms. Guardian displays the search results.
   • Group – From the Group column drop-down menu, select the group you want to search for.
2. Depending on your search criteria, Guardian updates the information displayed.

Exporting Data

It is possible to export logged data in comma-separated (CSV) format.

To export data:
1. On the Logs and reports > Logs > Web filter page, configure or search for the data you want to export. For more information, see Configuring Web Filter Logs on page 107 and Searching for and Filtering Information on page 109.
2. Click Export. Follow your browser’s prompts to save and export the data.

Guardian Reports

Guardian provides a number of Guardian reports which supply information on IP activity, sites visited and much more.

• Blogs – Contains reports on bloggers, blogs and WordPress activity.
• Category analysis – Contains reports on categories by hits and bandwidth and categories and the users who viewed sites within them.
• Image and video sharing – Contains reports on Dailymotion, Flickr, Fotolog, ImageShack, ImageVenue and YouTube.
• News – Contains reports on BBC News, CNet, CNN, general news and Slashdot.
• Reference and educational – Contains reports on IMDB and Wikipedia.
• Shopping and online auctions – Contains reports on Amazon, Craigslist, EBay and shopping and online auctions.
• Social bookmarking – Contains reports on Delicious, Digg, Reddit and StumbleUpon.
• Social networking – Contains reports on Bebo, Facebook, Friendster, Hi5, Linkedin, MySpace, Orkut, general social networking and Twitter.
• Sport – Contains reports on BBC Sport, ESPN and general sport.
• Web portals and search engines – Contains reports on AOL, Google, search engines, Windows Live and MSN and Yahoo.

For information on working with reports, refer to your Smoothwall System’s Administration Guide.

8 Working with MobileProxy

This chapter introduces the MobileProxy feature, including:
• About MobileProxy
• Enabling and Configuring MobileProxy
• Generating Client Keys
• Generating Server Keys
• Configuring MobileProxy User Credentials

Note: If running a Network Guardian system, configure a port forward rule from your firewall to Network Guardian.

About MobileProxy

Guardian’s MobileProxy enables you to enforce your web filtering policy on mobile devices owned by your organization, wherever they are located. You can use Smoothwall Connect Filter on your devices to act as a web redirector for web traffic, to MobileProxy. For a detailed description of how to install and use Smoothwall Connect Filter, refer to the Smoothwall Connect Filter Installation and Administration Guides.

Enabling and Configuring MobileProxy

You must enable MobileProxy on your Smoothwall System before installing Guardian on your devices. This enables proxy authentication for Guardian users.
To enable MobileProxy, do the following:
1. From Guardian, browse to Web proxy > Mobileproxy > Settings.
2. From the Global options panel, select Enable and click Save.
3. Ensure you click Restart Proxy when prompted.
4. Browse to System > Administration > External access.
5. From the Interface drop-down menu, select External.
6. From the Service drop-down list, select MobileProxy server (61001).
7. Click Add. Guardian makes MobileProxy available as an external service.

Note: You will need to open port 61001 on your firewall to allow Guardian into the proxy from outside the network.

Configuring MobileProxy Servers

You must configure the Guardian proxy servers for MobileProxy-protected devices to proxy through.

To specify the IP address or hostname, do the following:
1. From Guardian, browse to Web proxy > Mobileproxy > Proxies.
2. Within the Manage MobileProxy server panel, configure the following parameters:
   • Server name – The name to identify the proxy server.
   • Server address – The IP address or hostname of the proxy server. Typically, this is the external IP address of your Smoothwall System. You can also use the IP address that forwards through to your Smoothwall System instead.
   • Comment – You can choose to enter optional text about the proxy server.
3. Click Save to save your settings.
4. Repeat steps 2 and 3 to add additional proxy servers.

Note: Any additional proxy servers added here must have the server key of the original proxy server installed. For a detailed description of how to do this, see Generating Server Keys on page 114.

Guardian also supports proxy exceptions when running in a remote location. Proxy exceptions are URLs or IP addresses that do not need to be redirected through the tunnel to the remote Smoothwall proxy server.

To specify a proxy exception, do the following:
1. From Guardian, browse to Web proxy > Mobileproxy > Exceptions.
2. Enter a valid IP address or hostname for each exception.
3. Click Save to save your settings.

Managing MobileProxy Servers

All configured proxy servers will appear in the MobileProxy servers panel. The order they are listed determines the order of priority, from top to bottom. Guardian will try each proxy server until an available proxy responds to requests.

You can change the priority order by dragging and dropping the servers in the MobileProxy servers panel into the required order. You can also edit and delete servers as required.

To edit a MobileProxy server, do the following:
1. From Guardian, browse to Web proxy > Mobileproxy > Proxies.
2. Click the Edit button for the configured MobileProxy server. The configured parameters will appear in the Manage MobileProxy server panel.
3. Change the parameters as required, and click Save.

To delete a MobileProxy server, do the following:
1. From Guardian, browse to Web proxy > Mobileproxy > Proxies.
2. Click the Delete button for the configured MobileProxy server.
3. Confirm the correct MobileProxy server, and click Delete.

Generating Client Keys

Each MobileProxy-protected device must have a client key installed. MobileProxy requires the client key to authenticate the device requesting web traffic redirection.

To generate a client key, do the following:
1. From Guardian, browse to Web proxy > Mobileproxy > Settings.
2. From the Manage MobileProxy keys pane, click Download.
3. Make the client key accessible to the device on a secure server or download it to the device.

Generating Server Keys

All MobileProxy servers listed in the MobileProxy servers panel must have the same MobileProxy server key installed. This forces Guardian to only use a limited number of MobileProxy servers. This has the advantage of load-balancing the web traffic from a large number of MobileProxy-protected devices across a number of MobileProxy servers.
To generate a server key, do the following:
1. From the Guardian which supplied the client key (see Generating Client Keys on page 113), browse to Web proxy > Mobileproxy > Settings.
2. From the Manage MobileProxy keys pane, click Advanced >>. Two Download button options are available:
   • Download MobileProxy client key
   • Download MobileProxy server key
3. Click the bottom Download button to download the server key.
4. Make the server key accessible to other MobileProxy servers or manually upload it. For more information, see Installing a Server Key on the MobileProxy Server on page 114.

Installing a Server Key on the MobileProxy Server

You can install the server key using one of two methods:
• By downloading it from the Guardian which supplied the MobileProxy client key, then manually uploading it to each MobileProxy server. For a detailed description of how to do this, see below.
• Replicating it from the Guardian which supplied the MobileProxy client key. Your Guardian must be part of a centrally managed solution for the replication to be successful. For a detailed description of how to set up and manage a centrally managed Guardian, refer to the Guardian’s Administration Guide.

To manually upload a server key to the MobileProxy server, do the following:
1. Log into the other Guardian, browse to Web proxy > Mobileproxy > Settings.
2. From the Manage MobileProxy keys panel, click Advanced >>.
3. Click Choose File and browse to the server key.
4. Click Upload and the server key will be made available. MobileProxy-protected devices will now be able to connect to the proxy server.

Configuring MobileProxy User Credentials

MobileProxy-protected devices require user authentication for both local and remote internet access. Usernames and passwords for users of MobileProxy-protected devices must be set up in your Guardian first, via your configured directory services, or as local users.
To configure MobileProxy Local User credentials, do the following:
1. From Guardian, browse to Services > Authentication > Directories.
2. Expand the Local users directory tree.
3. Configure your MobileProxy user accounts as required. For a detailed description of how to configure local users, and other directory services, refer to the Guardian’s Administration Guide.

For a detailed description of authentication and how to configure it, refer to the Guardian’s Administration Guide.

Note: MobileProxy also supports user authentication from account directories, such as Active Directory.
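The requirement in Generating Server Keys above, that every MobileProxy server carries the same server key, can be checked before the manual upload. The following Python is an added example, not part of the Smoothwall manual or product: it treats the downloaded key as an opaque file (the manual does not describe its format), and the file names are hypothetical.

```python
import hashlib
import os
import stat
import tempfile

def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_key_copies(reference, copies):
    """Compare staged server-key copies with the reference download.

    Returns a list of (path, problem) tuples; an empty list means every
    copy matches the reference and is accessible to its owner only.
    """
    findings = []
    if os.path.getsize(reference) == 0:
        return [(reference, "reference key file is empty")]
    expected = sha256_file(reference)
    for path in [reference] + list(copies):
        if not os.path.isfile(path):
            findings.append((path, "missing"))
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((path, "group/other access bits set: %o" % mode))
        if sha256_file(path) != expected:
            findings.append((path, "differs from reference key"))
    return findings

def demo():
    """Constructed sample: one good copy, one truncated and over-permissive."""
    workdir = tempfile.mkdtemp()
    names = ("reference.key", "proxy-a.key", "proxy-b.key")  # hypothetical names
    ref, good, bad = (os.path.join(workdir, n) for n in names)
    for path, data in ((ref, b"K" * 64), (good, b"K" * 64), (bad, b"K" * 32)):
        with open(path, "wb") as handle:
            handle.write(data)
        os.chmod(path, 0o600)
    os.chmod(bad, 0o644)
    return audit_key_copies(ref, [good, bad]), bad

if __name__ == "__main__":
    for path, problem in demo()[0]:
        print(path, "->", problem)
```

An empty result means each staged copy is byte-identical to the reference download and has no group or other permission bits set.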
Key features
Web content filtering
Malware protection
User authentication
HTTPS inspection
Content modification policies
Bandwidth limiting
Frequently asked questions
Guardian is Smoothwall's intelligent web content filter, which dynamically analyzes, understands and categorizes all web content requested by your users.
Guardian dynamically stops objectionable content, can help increase employee productivity, provides web security and malware protection, has comprehensive reporting functionality and provides user authentication.
Install Guardian by adding it to your existing Smoothwall System via System > Maintenance > Modules.