user guide - ContentWatch
QUICK START GUIDE
USER GUIDE
Copyright Notice
Copyright © 2004-2008 ContentWatch
All rights reserved. Licensed software and documentation. Use, copy, and disclosure
restricted by license agreement.
DISCLAIMER
Every effort has been made to ensure the accuracy of the features and techniques
presented in this publication. However, ContentWatch accepts no responsibility, and offers
no warranty whether expressed or implied, for the accuracy of this publication.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted,
in any form or by any means, electronic, mechanical, recording, or otherwise, without the
express written permission of ContentWatch.
The information in this document is subject to change without notice. ContentWatch makes
no warranty of any kind in regard to the contents of this document, including, but not
limited to, any implied warranties of merchantability, quality, or fitness for any particular
purpose. ContentWatch shall not be liable for errors contained in it or for incidental or
consequential damages concerning the furnishing, performance or use of this document.
FCC TESTING DECLARATION
This equipment has been tested and verified to comply with the limits for a Class B digital
device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide
reasonable protection against harmful interference in a residential installation. This
equipment generates, uses, and can radiate radio frequency energy and, if not installed and
used in accordance with the instructions, may cause harmful interference to radio
communications. However, there is no guarantee that interference will not occur in a
particular installation. If this equipment does cause harmful interference to radio or
television reception, which can be determined by turning the equipment off and on, the user
is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the
  receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
ContentWatch
2369 West Orton Circle
Salt Lake City, Utah 84119
801-977-7777
www.ContentWatch.com
DOC-USR-0842-5
ContentProtect Security Appliance User Guide
Table of Contents
Chapter 1: Introducing ContentProtect Security Appliance
Chapter 2: Installing ContentProtect Security Appliance
  Gathering Initial Information
  Connecting to ContentProtect Security Appliance
  Running the Setup Wizard
  Cutting-Over
  Accessing ContentProtect Security Appliance
    Manual Configuration
    Management/Auxiliary Interface
    Text Menu Interface
    Proxy Mode
  Configuring Port Settings
  Configuring Cabling
  Testing Fail to Wire or No Failover
    Fail to Wire
    Bypass Mode
    No Failover
Chapter 3: Navigating ContentProtect Security Appliance
  General Navigation
  Tasks Pane
  Help Pane
Chapter 4: Generating Reports
  Home Page
    The Message Center
    System Notifications
    Getting Started
    Hardware Settings
    System
  General Reporting Options
    Selected Date
    Search
    Correlated by
    Result Type
    Group
    Network Node
    Directory User
    Encryption Type
    Application Set
    Right-Click Options
    Drop-Down Arrows
    Bar-Pie Graph Drop-Down
    Snapshot-Real Time Drop-Down
    Report Recommendations
  Users tab
    Dashboard Reports
  Applications tab
  Threats tab
  Internet Usage tab
  System Reports tab
  Dashboards tab
Chapter 5: Managing ContentProtect Security Appliance
  General Manage Options
  Policies & Rules tab
    Groups
    Time-of-Day Rules
    Traffic Flow Rule Sets
    Content Filtering
    Advanced Filtering
    Internet Usage Rules
    Shaping Rules
    Policy Manager
  Directory Users & Nodes
    Network Nodes
    Directory Users
    Directory Agent
  Broadcasts tab
  System Access tab
  Applications tab
    Traffic Flow Rule Sets
    Application Sets
    Applications
Chapter 6: Administrating ContentProtect Security Appliance
  Setup Wizard
  Configuration tab
    Setup
    Advanced Setup
    Ethernet Settings
    Company Settings
    Registration Settings
    Miscellaneous (Misc.) Settings
    Update Settings
    Custom Category Rules
    Custom Category Options
    Remote Subnets
    User Preferences
    Static Routes
    SSL Certificate Settings
    License Settings
    Special Domains
    LDAP Settings
    Backup
    Proxy Settings
  Diagnostic Tools tab
    Device Status
    Directory Agent Diagnostics
    Directory Agent Users
    Display ARP Table
    Ethernet Status
    Group IP List
    IP Address Map
    No LDAP Network Nodes
    PING
    Test DNS Settings
    Traceroute
    IP Traffic Monitor
  Downloads tab
  Logs tab
    Activity Log
    Kernel Log
  Redirection Pages
    Blocked URL
    Directory Agent Login Page
  Utilities
    System Resets
    Support Link
    Spyware Removal Tool
Chapter 7: Integrating Directory Users with ContentProtect Security Appliance
  Directory Overview
  Directory Options
    Directory Option 1: Directory Agent with Directory Client (cymdir.exe)
    Directory Option 2: Directory Agent with IP Lookup
    Directory Option 3: Directory Agent with NTLM
    Directory Option 4: Directory Agent with Login Page
    Directory Option 5: LDAP Settings with LDAP Client (cymldap.exe)
  Directory Configurations
    Install Directory Agents
    Create Directory Agents
    Create ContentProtect Security Appliance Groups
    Create Directory Agent Group
    Deploy Directory Client/LDAP Client
    Create Directory Internet Usage Rules
    Enable LDAP Settings
    Create LDAP Groups
  Directory Troubleshooting
    Using Diagnostic Tools
    Troubleshooting GPO Issues
    Troubleshooting Directory/LDAP Client
    Troubleshooting LDAP Settings
Chapter 8: Implementing HTTPS/SSL Filtering with ContentProtect Security Appliance
  Certificate Authorities
  SSL Anonymous Proxies
    SSL CGI Proxy
    SSL Full Proxy
    SOCKS4/5 Proxy
    TorPark Network
  HTTPS/SSL Filtering
    Disable SSL Inspection and Filtering
    Enable SSL Certificate-Based Content Filtering
    Enable Denied Access Page for SSL Certificate-Based Content Filtering
    Enable Full SSL Content Filtering
    Only Allow Trusted Certificate Authorities and Non-Expired Certificates
    HTTPS/SSL Filter Exemption List
    Content Filtering Rules
  HTTPS/SSL Blocking
  HTTPS/SSL Filtering Requirements
  Enabling SSL Certificate-Based Filtering
    Web Filter + Deny IM + Anonymous Proxy Guard + SSL Filter
    Web Filter + Anonymous Proxy Guard + SSL Filter
    Web Filter + SSL Filter
  ContentProtect Security Appliance’s Digital Certificate
  Installing ContentProtect Security Appliance’s Digital Certificate
    Deploying ContentProtect Security Appliance’s Certificate via Web Browsers
    Deploying ContentProtect Security Appliance’s Certificate via Active Directory
  Enabling Full SSL Content Filtering
  Confirming ContentProtect Security Appliance’s Digital Certificate
  Viewing Sensitive Content on HTTPS/SSL Web Sites
Customer Support and Feedback
  Getting Help
Appendix A: Web Filtering Categories
Appendix B: MIME Types
Appendix C: File Types
Appendix D: ContentWatch CIDR Cheat Sheet
Appendix E: ContentWatch License Agreement and Warranty
Chapter 1: Introducing ContentProtect Security Appliance
Welcome to ContentProtect Security Appliance. ContentProtect Security Appliance is a
smart gateway appliance from ContentWatch that offers network administrators an in-depth
view of network traffic and resources. With ContentProtect Security Appliance, you can
monitor and manage traffic generated by specific applications within the network as well as
traffic generated by specific users or computers. Not only can you manage traffic from
users and devices, you can also control which web sites or categories can be visited. In
addition to this, ContentProtect Security Appliance offers protection against spyware and
virus web applications so that your network is running optimally.
ContentProtect Security Appliance helps manage network traffic by reporting which types of
traffic are being utilized on the network. The device also provides tools to help control the
traffic and identify potentially dangerous users or applications. By monitoring all Internet
traffic, ContentProtect Security Appliance will report on how much bandwidth is being used
for browsing the Web, downloading files via File Transfer Protocol (FTP) or Peer-to-Peer
(P2P) applications. This information is valuable as you will begin to see how your network
resources are being used. With this information, you can then use ContentProtect Security
Appliance to optimize traffic, identify high-priority traffic, and restrict unwanted types of
traffic or web sites. In essence, ContentProtect Security Appliance will allow you to receive
the most benefit from your network and users.
ContentProtect Security Appliance provides three essential facets for traffic reporting and
control:
• Filter content—ContentProtect Security Appliance will monitor and report on web
  sites visited. ContentProtect Security Appliance will allow you to block unauthorized
  web sites or web categories.
• Shape traffic—ContentProtect Security Appliance can prioritize applications or users
  within the network, allowing you to limit or restrict bandwidth and specific types of
  traffic. For example, P2P file sharing can consume large amounts of bandwidth.
  ContentProtect Security Appliance can restrict this traffic, allocating more bandwidth
  to higher priority traffic.
• Block spyware and web viruses—ContentProtect Security Appliance will also identify
  and block spyware or viral web sites and applications that can potentially harm your
  network and consume bandwidth.
ContentProtect Security Appliance can quickly increase bandwidth for high priority traffic,
ensure employee productivity, provide appropriate web content, add an additional layer of
security, and prevent users from compromising your network. This user guide will instruct
you on how to utilize and deploy the various functions of ContentProtect Security Appliance.
Chapter 2: Installing ContentProtect Security Appliance
In this chapter, you learn how to perform an initial installation of ContentProtect Security
Appliance. The following topics will be covered:
• Gathering Initial Information
• Connecting to ContentProtect Security Appliance
• Running the Setup Wizard
• Cutting-Over
• Accessing ContentProtect Security Appliance
• Using Alternative Configuration Methods
• Configuring Port Settings
• Configuring Cabling
• Testing Fail to Wire or No Failover
ContentProtect Security Appliance is a powerful network device that is relatively easy to set
up in any network environment using the instructions in this document and the Setup
Wizard. Please read and understand all configuration and installation considerations before
proceeding.
If you have questions or are unsure about the installation of ContentProtect Security
Appliance, please contact your Authorized ContentWatch Reseller and/or the person
responsible for the service of your network.
Gathering Initial Information
This section lists the information, along with basic definitions of terms, that you will
need before installing ContentProtect Security Appliance. Begin by reviewing the
information and filling out the following tables for your documentation. You will need the
following information:
License Key
Licenses that have been purchased with your system will ship as a license key on a card in the
Documentation & Accessories box. Locate this card to enable the licenses on your system during the
setup process.
License Key:
Model Number:
Serial Number:
Licensed Network Nodes:
Licensing—licensing with ContentProtect Security Appliance is based on network
connections. One hundred connections on your network constitute a 100 Network Node
license. Please make sure that the number of licenses purchased is sufficient for the active
connections present on your network.
Model Number and Serial Number—these numbers are associated with your ContentProtect
Security Appliance for device identification and are used in conjunction with the License Key
for verification of the number of licenses purchased.
IP Configuration
If you are unsure of the following fields, the Setup Wizard will detect available addresses and settings
within your network via DHCP. You may copy over these settings during the Setup Wizard.
ContentProtect Security Appliance (Bridge)
IP address:
Subnet Mask:
Default Gateway (WAN Side) IP address:
DNS Server IP address:
Management/Auxiliary Port IP address:
The Management/Auxiliary Port IP address cannot be in any active subnet in your network.
Management/Auxiliary Port Subnet Mask:
Total Download Bandwidth (in Kbps):
Total Upload Bandwidth (in Kbps):
Time Zone:
Amounts used in the Total Download Bandwidth and Total Upload Bandwidth will
restrict total throughput through ContentProtect Security Appliance. Please make
sure the amounts you enter in these fields are correct.
If you would like to receive email alerts when users attempt to access viral web sites, you
must fill out the Email Settings. If you are not interested in this option, you may leave the
following fields blank.
Email Settings
In order for ContentProtect Security Appliance to send email alerts, the email server listed below must
be configured to relay messages from ContentProtect Security Appliance.
System Alerts & Broadcasts email address
(System Administrator):
Email Server Hostname or IP address
(optional):
Remote Subnets
ContentProtect Security Appliance will identify and monitor all network traffic native to its local subnet.
If you have a routed network (VLANs, different network addresses, etc.), please note the network
addresses outside ContentProtect Security Appliance’s local subnet with the appropriate CIDR
notation. See Appendix E for CIDR Cheat Sheet.
Subnet Address (CIDR notation):
Subnet Address (CIDR notation):
Subnet Address (CIDR notation):
Once you have this information, you’re ready to make your initial connections to
ContentProtect Security Appliance.
Connecting to ContentProtect Security Appliance
The next step is to power on and establish a connection to ContentProtect Security
Appliance from a local management workstation/laptop. You will also need to connect
ContentProtect Security Appliance to your network.
Running the Setup Wizard requires an active Internet connection from the
network where ContentProtect Security Appliance will be installed. If you do not
have an active Internet connection available, or you do not wish to use the Setup Wizard,
please consult the section Using Alternative Configuration Methods.
1. Connect a cross-over cable (included in your Accessories Kit) from ContentProtect
Security Appliance’s LAN port to the network port on your workstation/laptop.
2. Connect a straight-through cable from ContentProtect Security Appliance’s WAN port
to an empty port on your local network switch.
Figure 2.1 ContentProtect Security Appliance Configuration Connectivity
3. Write down the existing IP settings of your local workstation/laptop so that you can
easily change them back when configuration is complete.
4. Change your local workstation/laptop IP settings. You will need to change the IP
settings on your local workstation/laptop to communicate with the default settings of
ContentProtect Security Appliance:
a. Default IP Address—192.168.1.80
b. Default Subnet Mask—255.255.255.0
The suggested settings for the local workstation/laptop are the following:
c. IP Address—192.168.1.81
d. Subnet Mask—255.255.255.0
Running the Setup Wizard
1. To access the Setup Wizard, open Microsoft’s Internet Explorer (IE) 6 or higher and
enter http://192.168.1.80 in the address bar.
2. Log in to the system using:
a. Default User Name: admin (all lowercase)
b. Default Password: contentprotect (all lowercase)
3. Please read and accept the EULA.
4. The Welcome Screen is then displayed automatically on new systems, as well as on
systems that have been reset to factory defaults. Read the following information
displayed in the Welcome Screen and select Next>>.
5. Using the information you collected in the section Gathering Initial Information,
complete the steps within the Setup Wizard. Select Next>> when the page fields
are complete. ContentProtect Security Appliance will test the settings of each step
and if successful, will allow you to proceed.
6. The final step in the Setup Wizard allows you to confirm and, if necessary, edit your
configuration. This step will also check for updates and will automatically retrieve
and install them. Major firmware upgrades will result in a reboot of your system
when complete.
Please note that advanced configuration options such as Directory Integration or Ethernet
Settings require additional steps that are not covered in the Setup Wizard. For additional
information, please review their corresponding chapters.
Cutting-Over
Only perform these next steps when network traffic can be momentarily
interrupted.
Now that you have finished the Setup Wizard, you are ready to place ContentProtect
Security Appliance inline with Internet traffic. ContentProtect Security Appliance requires all
Internet traffic to pass through its bridge interface, unless the device is configured in Proxy
Mode. If you are planning to configure ContentProtect Security Appliance in Proxy Mode,
you can skip the current section and proceed to the section Using Alternative Configuration
Methods.
For typical installations you will need to follow the next steps and physically place
ContentProtect Security Appliance inline with your network’s traffic. In general this location
is between the Firewall/WAN Router and the Core Network Switch.
1. Remove the cables connected to ContentProtect Security Appliance’s WAN and LAN
ports.
2. If you modified your local workstation/laptop IP settings, you will need to change
your local workstation/laptop settings back to their original IP settings.
3. Locate the connection between the Core Network Switch and the Firewall/WAN
Router. Unplug the cable from the Firewall/WAN Router and connect it to the LAN
port on ContentProtect Security Appliance.
4. Using the cross-over cable, connect the WAN port of ContentProtect Security
Appliance to the now open port on the Firewall/WAN Router that was previously used
by the Core Network Switch.
5. Verify that the cross-over cable is plugged into ContentProtect Security Appliance’s
WAN port and the Firewall/WAN Router.
6. Verify that the straight-through cable is plugged into ContentProtect Security
Appliance’s LAN port and the Core Network Switch. ContentProtect Security
Appliance should now be sitting inline with your Internet traffic.
7. Confirm the Light Emitting Diodes (LEDs) for both the WAN and LAN ports are
posting solid green (link) lights and blinking amber (speed) lights.
8. Verify that local workstations can access the Internet by opening a web browser and
navigating to several web sites.
Figure 2.3 ContentProtect Security Appliance Installation Connectivity
If you are able to browse to the Internet, you have completed the installation of
ContentProtect Security Appliance. The device should now be sitting inline with your
Internet traffic and monitoring web requests.
Accessing ContentProtect Security Appliance
After completing the configuration and installation processes, you can access ContentProtect
Security Appliance by using the IP address you assigned to the device during the Setup
Wizard.
1. Open Microsoft’s IE 6 or higher and navigate to http://IP address assigned.
2. Log in using the default credentials (listed under the section Running the Setup Wizard)
or with the newly created administrative login.
3. When you log in to ContentProtect Security Appliance, the Home Page will display.
This page provides a snapshot of system health, filtering effectiveness, current
firmware versions, subscription settings, as well as links to administration of your
new system.
We strongly recommend that you create a new administrative login, and change the
default login password to limit access to ContentProtect Security Appliance. Select the
Manage -> System Access -> Logins link to make these changes.
Using Alternative Configuration Methods
The previous sections discuss the most common steps for installing ContentProtect Security
Appliance. However, there are alternative methods that can be used for initial configuration
of the device as well as different modes that ContentProtect Security Appliance can
accommodate. In this section the topics of installing ContentProtect Security Appliance
without the assistance of the Setup Wizard as well as Proxy Mode will be discussed.
Manual Configuration
Physical connectivity for manual configuration of ContentProtect Security Appliance can be
accomplished using a cross-over cable from a local machine (such as a laptop) to either the
LAN, WAN, or Management/Auxiliary (AUX) ports on ContentProtect Security Appliance.
See the instructions in Connecting to ContentProtect Security Appliance on modifying your
local machine IP settings to connect to ContentProtect Security Appliance.
If you wish to configure ContentProtect Security Appliance without the assistance of the
Setup Wizard, or if you are pre-configuring the system for installation, the Manual
Configuration settings can be accessed through Admin -> Configuration settings screens.
Simply cancel the Setup Wizard and access the settings listed in the table below.
The following table shows where the network configuration information collected in
Gathering Initial Information can be manually entered into ContentProtect Security
Appliance’s configuration pages.
Quick Start Guide Table Name | Admin -> Configuration -> Page Name
License Key | License
IP Settings | Setup
Total Upload/Download Bandwidth | Misc. Settings
Email Settings | Company Settings
Remote Subnets | Remote Subnets
Management/Auxiliary Interface
ContentProtect Security Appliance can be accessed via the Management/Auxiliary port for
the initial configuration. However, the IP settings for the port will need to be different than
those for the bridge interfaces (WAN and LAN ports) and cannot be an IP address found
under the Remote Subnets listings.
1. Connect a cross-over cable (included in your Accessories Kit) from ContentProtect
Security Appliance’s Management/Auxiliary port to the network port on your
workstation/laptop.
2. Write down the existing IP settings of your local workstation/laptop so that you can
easily change them back when configuration is complete.
3. Change your local workstation/laptop IP settings. You will need to change the IP
settings on your local workstation/laptop to communicate with the default settings of
ContentProtect Security Appliance:
e. Default Management/Auxiliary IP address—10.1.1.1
f. Default Subnet Mask—255.255.255.0
The suggested settings on the local workstation/laptop are the following:
g. IP address—10.1.1.2
h. Subnet Mask—255.255.255.0
4. From the Management/Auxiliary port, you can access ContentProtect Security
Appliance via the GUI or Text Menu (covered in the following section). If you choose
to configure ContentProtect Security Appliance via the GUI, please follow the steps
listed under the section Setup Wizard. If you choose to configure ContentProtect
Security Appliance via the Text Menu, please follow the steps listed under the next
section.
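The following is an added example, not ContentWatch code: a pre-flight check of the Gathering Initial Information worksheet against the constraints stated there and in this section (the Management/Auxiliary address must differ from the bridge settings and must not fall in the local subnet or in any Remote Subnet; bandwidth totals are in Kbps). The field names, the sample addresses and the 1000 Kbps plausibility threshold are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption: a total below this is more likely a figure typed in Mbps than in Kbps.
SUSPICIOUS_KBPS = 1000


@dataclass
class Worksheet:
    """Rows of the installation worksheet; the field names are hypothetical."""
    bridge_ip: str
    bridge_mask: str
    gateway_ip: str
    dns_ip: str
    mgmt_ip: str
    mgmt_mask: str
    download_kbps: int
    upload_kbps: int
    remote_subnets: list = field(default_factory=list)


def validate(ws):
    """Return a list of problems; an empty list means the worksheet is consistent."""
    try:
        bridge = ipaddress.ip_interface(f"{ws.bridge_ip}/{ws.bridge_mask}")
        mgmt = ipaddress.ip_interface(f"{ws.mgmt_ip}/{ws.mgmt_mask}")
        gateway = ipaddress.ip_address(ws.gateway_ip)
        ipaddress.ip_address(ws.dns_ip)
    except ValueError as exc:
        return [f"unparseable address or mask: {exc}"]

    problems = []
    local = bridge.network
    if bridge.ip in (local.network_address, local.broadcast_address):
        problems.append(f"bridge IP {bridge.ip} is the network or broadcast address")
    if gateway not in local:
        problems.append(f"gateway {gateway} is outside the bridge subnet {local}")
    elif gateway == bridge.ip:
        problems.append("gateway and bridge IP are the same address")

    # The Management/Auxiliary port must not sit in any active subnet:
    # neither the bridge's local subnet nor any listed remote subnet.
    if mgmt.network.overlaps(local):
        problems.append(f"management subnet {mgmt.network} overlaps bridge subnet {local}")

    for text in ws.remote_subnets:
        if "/" not in text:
            problems.append(f"remote subnet {text!r} has no CIDR prefix length")
            continue
        try:
            net = ipaddress.ip_network(text, strict=True)  # rejects host bits
        except ValueError:
            problems.append(f"remote subnet {text!r} is not a valid network address")
            continue
        if net.overlaps(local):
            problems.append(f"remote subnet {net} overlaps the local bridge subnet")
        if net.overlaps(mgmt.network):
            problems.append(f"remote subnet {net} overlaps the management subnet {mgmt.network}")

    # These totals cap throughput through the appliance, so a unit slip matters.
    for label, kbps in (("download", ws.download_kbps), ("upload", ws.upload_kbps)):
        if kbps <= 0:
            problems.append(f"total {label} bandwidth must be a positive Kbps value")
        elif kbps < SUSPICIOUS_KBPS:
            problems.append(f"total {label} bandwidth {kbps} Kbps looks like an Mbps figure")
    return problems


# Constructed sample worksheets (not values from the guide).
GOOD = Worksheet("192.168.10.5", "255.255.255.0", "192.168.10.1", "192.168.10.2",
                 "172.31.255.1", "255.255.255.0", 20000, 5000,
                 ["192.168.20.0/24", "10.50.0.0/16"])
BAD = Worksheet("192.168.10.5", "255.255.255.0", "192.168.11.1", "192.168.10.2",
                "10.50.3.1", "255.255.255.0", 20, 5000,
                ["10.50.0.0/16", "192.168.20.7/24", "192.168.10.0/24"])

if __name__ == "__main__":
    for name, ws in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate(ws) or "ok")
```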
Text Menu Interface
ContentProtect Security Appliance’s Text Menu allows installers, system administrators, and
other trained technical personnel to access the device via a text interface, similar to a
Command Line Interface (CLI). While some of the basic features and options available
within ContentProtect Security Appliance’s web interface are also available here, most
advanced technical options are only available through the GUI menus. The one exception is
IP Traffic Monitor (Option 2—Utilities, Option 3—IP Traffic Monitor), which is discussed
under Chapter 6: Administrating ContentProtect Security Appliance, section Diagnostic Tools
tab. Below are the supported options for accessing ContentProtect Security Appliance’s Text
Menu:
• Secure Shell (SSH)
• HyperTerminal (via serial connection)
The default login for all these menus is the following:
• Default User Name: menu (all lowercase)
• Default Password: contentprotect (all lowercase)
Secure Shell Access
Secure Shell (SSH) access allows administrators to access ContentProtect Security
Appliance’s Text Menu through a secure connection. SSH applications such as PuTTY (a
freeware application available from the installation CD) make it easy to use this secure
method of accessing systems remotely.
1. Download PuTTY.exe from the CD.
2. Double click on the program.
3. Enter in the IP address of ContentProtect Security Appliance.
4. Leave all other settings at default.
5. Click the Open button.
Figure 2.4 PuTTY Configuration
6. Login with the default credentials.
7. Type 1 to access Configure IP addresses submenu.
Figure 2.5 Text Menu Interface
8. Enter in the information collected in the IP Settings table under Gathering Initial
Information.
Serial Access
The following section lists steps on how to connect to ContentProtect Security Appliance’s
Text Menu using HyperTerminal. Although there are other terminal simulators that can
work with the ContentProtect Security Appliance’s serial connection, the steps listed below
are for a workstation/laptop with Windows XP and HyperTerminal.
Ensure that you have a null modem cable (included with shipping materials) connected to a
communication port of your local workstation/laptop and to ContentProtect Security
Appliance’s serial port (38.4 8N1).
1. Set up a connection using HyperTerminal (Start -> All Programs -> Accessories ->
Communications -> HyperTerminal).
2. In the New Connection Description dialog, enter a name for the connection in the
Name field and select an icon if you want.
3. Click the OK button.
4. In the Connect To dialog, select the COM port for the connection.
5. Click the OK button.
6. In the COM Port Properties window, select the settings that correspond to:
   • Bits per second: 38,400
   • Data bits: 8
   • Parity: None
   • Stop bits: 1
   • Flow control: None
7. Click the OK button.
8. When the main HyperTerminal screen appears, press the Enter key to confirm a
connection.
9. Log in with the default credentials:
a. Default User Name: menu (all lowercase)
b. Default Password: contentprotect (all lowercase)
10. Type 1 to access the Configure IP addresses submenu.
11. Type the information collected in the IP Settings table under Gathering Initial
Information.
Once ContentProtect Security Appliance has been configured using an alternative method
described above, you can perform the steps listed under Cutting-Over of this chapter.
We strongly recommend that you change the default password for the menu account
to limit access to the Text Menu. Select Option 3—Change Menu Password under the
main menu to make this change.
Proxy Mode
For full functionality of ContentProtect Security Appliance, the recommended placement of the
device is inline with traffic. However, if you do not want to place the device inline with
network traffic, or if you have users on the WAN side of ContentProtect Security Appliance
that you want to filter, you can configure ContentProtect Security Appliance as a web proxy.
A web proxy is normally a server that carries out web requests for users. Typically, web
traffic is routed to the server which requests the web sites for the intended users.
ContentProtect Security Appliance does likewise with a configuration called Proxy Mode.
This configuration does not require ContentProtect Security Appliance to be inline with
network traffic.
To use ContentProtect Security Appliance as a proxy, the device must have a network
connection to the users and the Internet via the WAN or LAN port (only one has to be
active). With this connection, you can then use either the Setup Wizard or an alternative
method to assign the device the required IP settings. Afterwards, you must alter the
connection settings of the users’ web browsers to use the IP address of ContentProtect
Security Appliance as a proxy and port 8888 for browsing. (Port 8888 is the assigned port
utilized by ContentProtect Security Appliance’s filtering engine). If ContentProtect Security
Appliance has a private IP address and you want external users to use ContentProtect
Security Appliance as a proxy, you may need to create a Network Address Translation (NAT)
rule for ContentProtect Security Appliance.
Below are the steps on how to alter the LAN connections using IE 7 and Firefox 2. You can
also alter LAN connections via Group Policy Objects (GPOs), VPN connections, or other
network devices; however, these steps are not covered in the User Guide and will need to
be researched independently.
Internet Explorer (IE) 7
1. Open up IE 7 web browser.
2. Click on Tools -> Internet Options.
3. Click on the Connections tab.
4. Click the LAN Settings button.
5. Under Proxy Server section, select the checkbox for Use a proxy server for your LAN.
6. Under the Address field, enter in ContentProtect Security Appliance’s IP address.
7. Under the Port field, enter in the number 8888.
8. Click OK until the settings are applied.
Firefox 2
1. Open up Firefox 2 web browser.
2. Click on Tools -> Options.
3. Click on the Advanced menu.
4. Select the Network tab.
5. Under the Connection section, click the Settings button.
6. Select the radio button next to Manual proxy connection.
7. Enter in the IP address of ContentProtect Security Appliance in the HTTP Proxy field.
8. Enter in the number 8888 in the Port field.
9. You may also select the checkbox Use this proxy server for all protocols if you
like.
10. Click OK until the settings are applied.
Once users’ web browsers have been configured to use ContentProtect Security Appliance as
a proxy, you will then need to configure ContentProtect Security Appliance to accept web
requests. This setting is found under Admin -> Configuration -> Advanced Setup. Select
the check box next to Allow HTTP Connections on port 8888. Don’t forget to apply the
changes.
ContentProtect Security Appliance will then begin to create profiles for users as they begin
to send web requests to ContentProtect Security Appliance. You can confirm this under
Manage -> Directory Users & Nodes -> Network Nodes. If you have enabled Directory
settings, ContentProtect Security Appliance will also create Directory Profiles as well
(Manage -> Directory Users & Nodes -> Directory Users). You can then create groups
based on the profiles for content filtering and reporting. Please see Chapter 5: Managing
ContentProtect Security Appliance for steps on how to create groups.
Please note that Proxy Mode does not offer all of the functions over network traffic normally
associated with the default inline mode, in particular bandwidth control and full reporting.
Because network traffic is not physically passing through ContentProtect Security
Appliance’s bridge interface, the device can no longer confirm which applications are passing
nor control bandwidth. In addition to this, you cannot use all of the Advanced Filtering
options and HTTPS/SSL Filtering settings to ensure content filtering.
With Proxy Mode you will only be able to filter web content and report on web sites visited.
As such, you will not be able to apply all Shaping Rules, nor will there be data posted
under the applications reports (Report -> Applications) or users reports (Report -> Users).
There will, however, be data under Internet Usage and Threats.
Below is a table of all supported reports and menus with Proxy Mode (Report and Manage
Tabs). If a specific feature is not listed in this table, then it is not supported in Proxy Mode.
Proxy Mode Support

Report
Threats
Spyware Overview
Spyware Infected Users
Spyware Threat Names
Virus Overview
Virus Infected Users
Virus Threat Names
Internet Usage
Web Hits Overview
Web Bandwidth Overview
Web Hits by Network Node
Web Bandwidth by Network Node
Web Time Online
System Reports
Active Users
CPU Utilization
IP Connections
Latency
Packets per Second
RAM Usage
Dashboard
Real Time URL Monitor

Manage
Policies & Rules
Groups
Time of Day Rules
Internet Usage Rules
  o TFRS (HTTP Traffic Only) Deny Access, No Filters, Web Filter Only, Web Logging, SSL Block, and SSL Filter, Content Filtering, Advanced Filtering, HTTPS/SSL Filtering (SSL Certificate Based Content Filtering), Web Authentication
Shaping Rules
  o Web Content
Policy Manager
Directory Users & Nodes
Directory Users
Directory Agent
Network Nodes
Broadcast Manager
Applications
Traffic Flow Rule Sets (HTTP Traffic Only) Deny Access, No Filters, Web Filter Only, Web Logging, SSL Block, and SSL Filter
One final note is you can configure ContentProtect Security Appliance inline with traffic and
use the device as a proxy for a combination of functionality. For example, you can install
ContentProtect Security Appliance inline with network traffic for internal users, and then
alter web browser settings for VPN or external users to use ContentProtect Security
Appliance as a proxy. This way, you gain full functionality for internal users and web
filtering functionality for external users.
Configuring Port Settings
ContentProtect Security Appliance’s bridge ports (WAN and LAN) are set by default to
auto-negotiate both speed and duplex settings. This means that ContentProtect Security
Appliance will negotiate with the devices that are plugged into these ports to verify their
speeds and duplex mode. Normally, auto-negotiation will allow ContentProtect Security
Appliance to operate at 100 Mbps or above and Full-Duplex.
However, you should confirm that ContentProtect Security Appliance is operating at
100 Mbps or above, Full-Duplex, and is not generating any interface errors. You can do this
under Admin -> Diagnostic Tools -> Ethernet Status.
Review both WAN Port and LAN Port tabs to confirm that ContentProtect Security Appliance
is operating at the correct speed and duplex. Also verify that no errors are listed under the
Errors field.
If auto-negotiation results in a speed under 100 Mbps or a duplex mode that is not Full,
or if the interfaces are generating errors, you may need to hard set these settings on the
interfaces. You can do this under Admin -> Configuration -> Ethernet Settings.
Hard setting the Ethernet settings can cause network interruptions. Only perform these
next steps when network traffic can be momentarily interrupted.
Select the speed and duplex settings you would like to hard set for the desired port(s) and
press the Apply button. In addition to this, you may need to hard set the interface settings
on the devices connected to ContentProtect Security Appliance. This will allow Fail to Wire
and No Failover to work correctly. The next section will explain these options.
Configuring Cabling
In addition to confirming the port and duplex settings, you should also confirm cables
connected to ContentProtect Security Appliance. Typically, layer 3 devices connected to
ContentProtect Security Appliance require a cross-over cable while layer 2 devices
connected to ContentProtect Security Appliance require straight-through cables.
In a standard installation, ContentProtect Security Appliance’s WAN port will connect to the
firewall via a cross-over cable while ContentProtect Security Appliance’s LAN port will
connect to the core network switch via a straight-through cable.
However, if you are installing ContentProtect Security Appliance in between a firewall and
the core network router, you may need cross-over cables for each port. Also, if the devices
connecting to ContentProtect Security Appliance offer Medium Dependent Interface
Crossover (MDIX), which can compensate for switching transmit and receiving signals, you
may be able to use straight-through cables for each port.
In any case, you will want to confirm the cabling for proper negotiation for Fail to Wire or No
Failover. You can confirm negotiation by reviewing the section Ethernet Status. If after
hard setting the ports, ContentProtect Security Appliance is still generating errors, you may
need to change the cabling. After confirming negotiation, you should confirm Fail to Wire or
No Failover by following the steps listed in the next section.
Testing Fail to Wire or No Failover
ContentProtect Security Appliance offers two options for network connectivity in case of a
device failure or power loss: Fail to Wire and No Failover. Unless specified before purchase,
the model of ContentProtect Security Appliance you receive will be designed for Fail to Wire.
Fail to Wire allows network traffic to pass in case ContentProtect Security Appliance fails or
is powered down, while No Failover stops all network traffic in the event of failure or power
loss. Your preference must be specified before purchasing the device as the implementation
is done via hardware. After confirming your preference and the installation of
ContentProtect Security Appliance, you should perform some tests to confirm the
functionality.
Only perform this test when network traffic can be momentarily interrupted and
you are physically next to ContentProtect Security Appliance.
Fail to Wire
Fail to Wire allows network traffic to pass in case of failure by closing a circuit in between
the WAN and LAN ports. However, for this to work properly, the devices connected to
ContentProtect Security Appliance must be able to negotiate correctly.
1. Power off ContentProtect Security Appliance under Admin -> Utilities -> System
Resets -> Hardware Shutdown.
Do not power down ContentProtect Security Appliance by pulling the power cord
or pressing the power button on the front bezel. These procedures should only be
used when there is no other alternative for powering down the device.
2. Depending upon the devices that are connected to ContentProtect Security
Appliance, the duplex settings and cabling, it may take up to 5 minutes for Fail to
Wire to complete. As such, please wait up to 5 minutes after powering down
ContentProtect Security Appliance completely before performing the next step.
3. Confirm that the firewall/WAN router and the core network switch are still
communicating by the interface LEDs.
   • Confirm that all network options are available, i.e., browse the Web, log into
     a remote site, etc.
   • If the test is not successful, check the compatibility of port speed/duplex and
     cabling used on ContentProtect Security Appliance and the other devices.
4. Power on ContentProtect Security Appliance using the power button on the front
bezel.
5. After waiting 5 minutes for the device to power up, log into ContentProtect Security
Appliance and verify that the unit is functional.
Bypass Mode
Besides powering down ContentProtect Security Appliance, there are other scenarios that
can cause ContentProtect Security Appliance to fail, i.e., running the device out of specs,
hardware failure, etc. Once a failure is detected, ContentProtect Security Appliance will
initiate the supported Bypass Mode (Fail to Wire or No Failover). This is indicated by the
LEDs on all ports, which will blink and scroll in unison.
If this happens, please contact your Authorized ContentWatch Reseller and/or ContentWatch
Technical support. Diagnosing and troubleshooting the problem may require that you
physically remove ContentProtect Security Appliance from the network.
No Failover
No Failover works by simply grounding the circuit in between the WAN and LAN ports of
ContentProtect Security Appliance. As such, when a failure is detected, no traffic will be
passed from the LAN port to the WAN port, thereby denying Internet access.
1. Power off ContentProtect Security Appliance under Admin -> Utilities -> System
Resets -> Hardware Shutdown.
Do not power down ContentProtect Security Appliance by pulling the power cord
or pressing the power button on the front bezel. These procedures should only be
used when there is no other alternative for powering down the device.
2. Depending upon the devices that are connected to ContentProtect Security
Appliance, duplex settings, and cabling, it may take up to 5 minutes for No Failover
to complete. As such, please wait up to 5 minutes after powering down
ContentProtect Security Appliance completely before performing the next step.
3. Confirm that the firewall/WAN router and the core network switch are not
communicating by the interface lights.
• Confirm that all network options are not available, i.e., attempt to browse the
Web, log into a remote site, etc.
• If the test is not successful, check the compatibility of port speed/duplex and
cabling used on ContentProtect Security Appliance and the other devices.
4. Power on ContentProtect Security Appliance using the power button on the front
bezel.
5. After waiting 5 minutes for the device to power up, log into ContentProtect Security
Appliance and verify that the unit is functional.
As with Fail to Wire, there are other scenarios that can cause ContentProtect Security
Appliance to fail besides powering down the device. If ContentProtect Security Appliance is
entering No Failover unintentionally, please contact your Authorized ContentWatch Reseller
and/or ContentWatch Technical support for diagnosis and troubleshooting.
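Step 3 of the Fail to Wire and No Failover tests can be scripted from a host on the LAN side. The following is an added example, not ContentWatch code; the mode keys, function names, and target addresses are assumptions chosen for illustration. It records which WAN-side targets answer before the shutdown, so that a target that was already down cannot make a No Failover test look successful.

```python
"""Check step 3 of the bypass-mode test from a host on the LAN side.

Added example: mode keys, function names and targets are assumptions.
"""
import socket
from dataclasses import dataclass, field

# Expected result of step 3 while the appliance is powered down.
EXPECT_REACHABLE = {
    "fail-to-wire": True,   # traffic keeps flowing past the appliance
    "no-failover": False,   # nothing crosses from the LAN port to the WAN port
}


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def usable_targets(targets, probe=tcp_probe):
    """Run BEFORE the Hardware Shutdown: keep only targets that answer now.

    A target that is already unreachable proves nothing in either mode.
    """
    return [t for t in targets if probe(*t)]


@dataclass
class BypassResult:
    mode: str
    passed: bool
    mismatches: list = field(default_factory=list)  # targets that behaved wrongly
    hint: str = ""


def check_bypass(mode, baseline, probe=tcp_probe):
    """Run AFTER the shutdown and the wait of up to 5 minutes."""
    if mode not in EXPECT_REACHABLE:
        raise ValueError(f"unknown bypass mode: {mode!r}")
    if not baseline:
        raise ValueError("no target was reachable before shutdown; test is inconclusive")
    expected = EXPECT_REACHABLE[mode]
    mismatches = [t for t in baseline if probe(*t) != expected]
    hint = ""
    if mismatches:
        # Second bullet of step 3 in the guide.
        hint = "check port speed/duplex and cabling on the appliance and attached devices"
    return BypassResult(mode, not mismatches, mismatches, hint)


if __name__ == "__main__":
    # Constructed targets (documentation address range) and a simulated probe,
    # so the demonstration runs offline. Use tcp_probe on a real network.
    targets = [("192.0.2.10", 443), ("192.0.2.20", 22)]
    before = usable_targets(targets, probe=lambda h, p: True)
    after = check_bypass("no-failover", before, probe=lambda h, p: p == 22)
    print(after)  # fails: 192.0.2.20:22 is still reachable during No Failover
```

Use IP addresses rather than host names as targets so that a cached DNS answer does not mask a broken path.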
Now that you have confirmed Fail to Wire or No Failover, let’s discuss how to navigate
through ContentProtect Security Appliance’s GUI.
Chapter 3: Navigating ContentProtect Security Appliance
This section contains guides and tips on how best to navigate through ContentProtect
Security Appliance’s Graphical User Interface (GUI). The chapter is divided into three
sections:
• General Navigation
• Task Pane
• Help Pane
To access ContentProtect Security Appliance, open up Microsoft’s Internet Explorer (IE) 6 or
higher and enter in the IP address assigned to ContentProtect Security Appliance in the
address bar (ContentProtect Security Appliance only supports IE 6 and above). You should
receive the login menu.
General Navigation
Once you log in to ContentProtect Security Appliance, you will be presented with the Home
Page. The Home Page provides a snapshot of system health, filtering effectiveness, current
firmware versions, subscription settings, as well as links to guide the administration of your
system.
ContentProtect Security Appliance’s navigation is divided into three tabs: Report, Manage,
and Admin. Each tab presents you with different functions for ContentProtect Security
Appliance. When you click on one of the tabs, the expanded menus for those tabs will
appear. You can then select a sub-menu under the corresponding tabs for more options
which will appear as expandable selections.
In general, the Report tab will be used for generating reports and viewing network traffic.
The Manage tab will be used to create groups, content filtering rules, and shaping rules.
The Admin tab is used for basic and advanced configuration of the device, as well as
troubleshooting and disaster recovery.
You can navigate back between tabs and reports by using the back arrow button located
next to the Admin tab. Do not use the back arrow button available on your web browser
as this will take you back to ContentProtect Security Appliance’s login page. You can have
multiple tabs open for ease of use by right-clicking a selection and choosing Open in new
tab. Each tab color will correspond to the main menu tab color.
Figure 3.1 ContentProtect Security Appliance Navigation tabs
For large reports, group membership, or application menus, ContentProtect Security
Appliance has a pagination menu that can be used to navigate to specific pages or towards
the end or beginning of a series. The open box in the pagination menu allows you to view a
certain page after entering the page number and clicking the Go button (the available pages
are listed above the open box).
You can also navigate to the next (Next) or previous (Prev) page by clicking the single
arrow or to the very end or beginning of the series by clicking the double arrows. Where
available, the pagination menu will post towards the bottom of the report, membership box,
or application menu.
Figure 3.2 ContentProtect Security Appliance Pagination arrows
Finally, depending upon which tasks are being performed, you may receive a
communication error from ContentProtect Security Appliance. This is usually a result of
services being restarted. If you are presented with the below dialog box, select the OK
button, wait 30 seconds, and attempt to access a menu. If the problem persists, you may
need to re-login to ContentProtect Security Appliance.
Figure 3.3 Communication Error Dialog Box
Now that you have become familiar with general navigation, let’s explain the Tasks Pane,
Help pane, and the different navigation options available.
Tasks Pane
The Tasks Pane is located in the upper-right corner of any of ContentProtect Security
Appliance’s screens. The Tasks Pane lists actions or options that can be selected for the
active page. Because of this, the contents displayed in the Tasks Pane will change
depending on the screen currently displayed. The Tasks Pane is a helpful feature that
lists commonly used actions.
For example, if you select a report, the Tasks Pane will list options on how to present the
report, i.e., Email, Print, Export, etc. These actions are available by clicking on the Tasks
Pane icons located in the Tasks Pane.
Below are listed all options presented in the Tasks Pane with the corresponding action.
Please review Chapter 4: Generating Reports for more information on some of the options.
Actions
—Directory User Dashboard: Displays Directory User Overview
—Directory User Detail: Displays Directory User Detail for selected Directory User profiles
—Network Node Overview: Display the Network Nodes Overview report
—Network Node Detail: Display all details for the Network Node selected
Re-scan Port: This will re-scan profiles under Network Node Manager (Manage -> Directory
Users & Nodes -> Network Nodes). Use this action when a device needs to be re-scanned
due to configuration changes, i.e., new NetBIOS name, new IP address, etc.
Re-scan Directory User Name: This will re-scan profiles under Directory Users (Manage ->
Directory Users & Nodes -> Directory Users). Use this action when Directory Users need to
be re-scanned due to configuration changes, i.e., new domain, new groups, changed name,
etc.
Actions
—Download Certificate: Download the SSL Certificate
Correlate by
—Category: Correlate report by Web categories visited
—Directory User: Correlate report by Directory User profiles
—File Type: Correlate report by File Types downloaded
—Group: Correlate report by Group profiles
—Host: Correlate report by Web sites (hosts) visited
—MIME Type: Correlate report by MIME Types downloaded
—Network Node: Correlate report by Network Node profiles
—None: No correlation
—Service: Correlate IM reports by IM Client service
Export
—Email: Send the report in an email
—Excel Document: Export the report or policies into a Comma Separated Value (CSV)
format
—Print: Print the report or policies currently displayed on screen
—XML Document: Export the report or policies into an Extensible Markup Language
(XML) document
Getting Started
—Getting Started Videos: Watch tutorial videos on the corresponding topic
Related Dashboards
—Directory User Dashboard: Display all traffic reported for the Directory User selected
—Group Dashboard: Display all traffic reported for the group selected
—Network Nodes Dashboard: Display all traffic reported for the Network Node selected
Related Tasks
—View Bandwidth Report: View amount of bandwidth consumed for selected Web
category, Web site, or profile
—View Hits Report: View amount of URL hits for selected Web category, Web site, or
profile
System Information
System Information will post current system time. If your device does not post the correct
time, you may need to adjust the Time Zone settings or the Network Time Protocol (NTP)
server. Please review the sections Setup and Advanced Setup in Chapter 6: Administrating
ContentProtect Security Appliance.
Help Pane
The Help Pane lists topics from the User Guide that are related to the page currently posted.
For example, if you select the Application Overview report, the Help Pane will list Related
Topics for the Application Overview. You can then select the link which will display the first
page within the User Guide dealing with the Application Overview. You must have Adobe
Reader installed to use the Help Pane.
The Help Pane also posts information regarding the Product Enhancement Program. The
Product Enhancement Program allows ContentWatch to upload a small file containing
anonymous configuration and system usage details as part of the scheduled update routine.
This file will not contain personally identifiable information, will not be used for direct
marketing, and will not impact system performance. The product details collected as part of
the Product Enhancement Program may change from time to time as new features and
capabilities are added to or changed in the product, but they will never include personally
identifiable information. You can stop participating at any time by disabling the checkbox
located in the Product Enhancement Program.
One last item under the Help Pane is ContentWatch ContentProtect Security Appliance
Privacy Policy. The privacy policy covers how ContentWatch will handle personal
information collected and received with ContentProtect Security Appliance. For full details
on this information, you can select the link for ContentWatch ContentProtect Security
Appliance Privacy Policy under the Help Pane.
Lastly, the Tasks Pane and Help Pane are collapsible by selecting the collapse icon located to
the right of the Tasks Pane.
Chapter 4: Generating Reports
The Report tab will present information concerning network traffic, web sites visited, and
system health. This chapter is divided into each report available and also general reporting
rules that will apply to each different report.
• Home Page
• General Reporting Options
• Users Tab
• Applications Tab
• Threats Tab
• Internet Usage Tab
• System Reports
• Dashboards Tab
Home Page
The first page presented under the Report tab is the Home Page. The Home Page is divided
into 5 sections: Message Center, System Notifications, Getting Started, Hardware Settings,
and System. The top display will be the Message Center.
The Message Center
The Message Center posts messages about firmware and software releases. The Message
Center will also post important suggestions such as changing default passwords and
company communications. These messages are posted by date and can be read by
selecting the individual messages. Afterwards, you may delete the messages by either
selecting the trash icon next to the message or by clicking the delete button inside the
messages.
System Notifications
System Notifications will post messages from ContentProtect Security Appliance. These
messages are intended to alert the administrator of ContentProtect Security Appliance of
critical configuration or incompatibility issues that may impede proper ContentProtect
Security Appliance functionality. Messages such as incorrect installation, exceeded license
count, or network scenarios such as asymmetrical routing that require advanced
configuration will be posted here. These messages will be posted in their entirety on the
System Notifications area. You may delete the messages by selecting the trash icon next to
the message; however, the message may return if the problem is not resolved.
Getting Started
The Getting Started area provides you with access to tutorial videos that give you a hands-on
demonstration on some of the main components of ContentProtect Security Appliance.
Select the appropriate link to view a tutorial that will walk you through the selected topic.
The videos cover topics such as Group Management, Time-of-Day Rules, and Policy
Management.
Hardware Settings
The Hardware Settings area provides you with a summary of your ContentProtect Security
Appliance’s hardware settings, i.e., Model, Serial number, and Device ID. This area also
posts the device’s Licensed Nodes, Software Version, Last Known Updates, System Time,
and expiration date of Annual Software Maintenance (ASM).
ASM is used for support on your device and provides ContentProtect Security Appliance with
continued updates on firmware, spyware, anti-virus, and content filtering. ASM also grants
you access to ContentWatch Technical support if needed. If your ASM is not current,
ContentProtect Security Appliance will not be able to update firmware, software, content
filtering, spyware or anti-virus nor will ContentWatch Technical support be available. To
renew your ASM please contact your Authorized ContentWatch Reseller or ContentWatch
Sales at 1 (866) 765-7233.
System
The System area provides you with a summary of ContentProtect Security Appliance
monitoring statistics and system information such as blocked spyware, blocked viruses,
blocked web requests, and average CPU load. Totals for each parameter are displayed for
the last 24 hours.
General Reporting Options
There are several options available that are universal under the Report Tab. These options
are Selected Date, Search, Correlated by, Result Type, Group, Network Node, Directory
User, and Encryption Type. These options allow you to customize reports on any device,
user, or application.
Figure 4.1 Reporting Options
For example, click on the Application Overview report (Report -> Applications -> Application
Overview). This will post the top applications passing traffic through the network within the
last 24 hours. However, if you would like to search for traffic from a specific device within
the last 30 days, you may adjust the Selected Date and search for the device under Network
Node. The report will then update to display the last 30 days for the specific device. These
same options can be used for a wide variety of reports.
Below are listed all available adjustments with reporting. You may also click on the different
settings contained within the specific reports for a list of available options.
Selected Date
Selected Date allows you to adjust the time frame for the generated report. The options
available are Last Hour, Last 24 Hours, Last 7 Days, Last Week, Last 30 Days, Last Month,
Last Year, and Custom.
If you select Custom, you will be presented with a calendar that will allow you to adjust the
time and days accordingly.
Search
This field will allow you to search for different sections in reports, i.e., specific web sites,
categories, applications, etc. Enter in the search criteria and click the Search button (or
press the Enter key) for results.
Correlated by
This field allows you to link traffic reports to the most bandwidth consuming users (Group,
Directory User, and Network Nodes) for specific applications. You can also use the field to
link Internet Usage reports by the most browsed web Categories, Hosts, File types, and
MIME Types.
Result Type
This field is available under Web Content reporting. This option allows you to customize
web reports based on the four general areas of web sites: No Filter (All web sites
requested), Allowed (web sites that have been accessed), Blocked (web sites that have
been blocked), and Bypassed (web sites that were bypassed using the Bypass Password).
Group
This field will allow you to search for specific Groups. Clicking this field will populate the
Select Filter Group box. Search the Available Groups list for the desired Group profile,
select the profile and click the Add button. Then click the OK button to run the report.
Network Node
This field will allow you to search for specific Network Nodes (devices on the network).
Clicking this field will populate the Select Filter Network Node box. Search the Available
Network Node list for the desired Network Node Profile, select the profile and click the Add
button. Then click the OK button to run the report.
Directory User
This field will allow you to search for specific Directory Users. Clicking this field will populate
the Select Filter Directory box. Search the Available Directory Users list for the desired
profile, select the profile and click the Add button. Then click the OK button to run the
report.
Encryption Type
This field is available under Web Content reporting. This option allows you to customize
web reports to display all web requests (No Filter), typical web requests that use Hypertext
Transfer Protocol-HTTP (No Encryption), or web requests that use Secure Hypertext
Transfer Protocol—HTTPS (Secure Socket Layer-SSL). Chapter 8: Implementing HTTPS/SSL
Filtering with ContentProtect Security Appliance discusses this topic in more detail.
Application Set
This field is available under Application Overview and some detail reports. This option will
allow you to filter reports by Application Sets. For more information on Application Sets
please see the section Applications Tab in this chapter.
Right-Click Options
Right-click options allow you to customize reports using specific time, users, or devices. For
example, to view specific applications under Application Set reports you can use right-click
options to post the report. Go to Report -> Application -> Application Set Overview. This
report will display all application sets passing through the network within the last 24 hours.
Select an application set, and right-click on the title. You will be presented with several
options that will allow you to correlate the report. Select Correlate by Application to view
the exact applications within the Application set.
Figure 4.2 Right-click Options
Selecting this option will post the specific applications being used under the application set.
Using right-click options will allow you to quickly access different correlations under all
reports. If you are not sure how to retrieve detailed information within a specific report,
right-clicking will present you with the most common options for the report. Other
right-click options available are correlations by Groups, Network Node, Directory User, etc.
Drop-Down Arrows
Another option that allows you to customize reports is the Drop-Down Arrows. Any of the
reports available can be collapsed by using the Up arrow icon on the right side of the
corresponding menu bar. You can also expand an area in the Report tab using the Down
arrow icon.
Bar-Pie Graph Drop-Down
Some reports allow you to choose the graph types of either Bar Graphs or Pie Graphs.
Where this is available, you will be presented with a Drop-Down Box located in the Graph
title that will make available a bar graph or pie graph for the report.
Figure 4.3 Bar-Pie Graph Drop-Down
Snapshot-Real Time Drop-Down
The Snapshot-Real Time Drop-Down Menu allows you to view selected information
historically or in real time.
For example, if you are reviewing the report of Web Hits by Category (Report -> Internet
Usage -> Allowed) the default settings will post the results by Snapshot within the last 24
hours (historically). If you select the option of Real Time, the report will change and display
actual web hits as they pass through the device at the moment.
This option is found under Internet Usage reports (Report -> Internet Usage) and is a great
tool for troubleshooting and identifying problematic users or web sites as they occur.
Figure 4.4 Snapshot-Real Time Drop-Down
Real Time options also allow you to correlate reports by Network Node, Directory User,
Groups, and other criteria. This is useful for confirming problems immediately and
preventing them with less response time. For example, if a user is attempting to visit a
prohibited site, you can verify the web sites he or she is visiting right now by correlating
these reports by Network Node or Directory User.
Report Recommendations
ContentProtect Security Appliance is capable of reporting on a tremendous amount of
information. Active users, web sites visited, and general overviews of applications are
examples of the most readily available reports. Please keep in mind that while
ContentProtect Security Appliance is recording information for reporting, the device is also
filtering web traffic and shaping network applications. This requires that ContentProtect
Security Appliance share resources between the different operations being performed.
Because of this, priority is given to filtering and shaping so that reporting does not consume
resources that may impact network performance. ContentProtect Security Appliance has a
default timeout limit of five minutes for reports to complete. This is done to ensure
reporting will not consume needed resources for other operations. If a report cannot
complete within the five minutes, you will receive a timeout message.
If you receive a timeout message, you may alter the time limit under the Advanced Setup
menu (Admin -> Configuration -> Advanced Setup -> Database Timeout). You can allocate
up to 15 minutes for reports to complete. Don’t forget to Apply the changes. This will allow
the database to dedicate more time to complete the report and post the results.
Nonetheless, detailed reports that span large amounts of time and cover multiple users or
applications may better be executed during non-peak traffic times; thus allowing more
resources for ContentProtect Security Appliance to complete the report without running the
risk of affecting network traffic or filtering and shaping rules.
In addition to running detailed reports during non-peak traffic times, you can also use
Summary Tables to expedite reporting results. Summary Tables allow ContentProtect
Security Appliance to summarize or condense large web reports, allowing for a faster
response time with Internet Usage reports. This utility will index web reports and
correlations for all reports once the option is selected. Summary Tables also decrease
dependency on shared resources.
To enable Summary Tables go to Admin -> Configuration -> Advanced Setup and select the
checkbox next to Enable Summary Tables. This will begin indexing web requests to allow
for faster Internet Usage reporting. Please note that the Enable Summary Tables option will
only begin summarizing from that point forward. If you would like to summarize previous
data gathered before Enabling Summary Tables, you will need to run the Conversion Utility.
The Conversion Utility will take previous data that has not been summarized and create a
summary table for that information. There are three options for converting previous data:
Web Request Summary Table, Level 1 Summary, and Level 2 Summary. Web Request
Summary Table will summarize all Web requests data. Level 1 Summary Table will
summarize the first correlation for those reports, i.e., first correlation by Category, Host,
File Type, MIME Type, Group, Directory User, and Network Node. Level 2 Summary Table
will summarize the second correlation for those reports, i.e., second correlation by
Category, Host, File Type, MIME Type, Group, Directory User, and Network Node.
The Conversion Utility is located under Admin -> Configuration -> Advanced Setup -> Run
Conversion Utility Now. Once selected, you will be presented with the three different levels
of conversion: Web Request Summary Table, Level 1 Summary Table, and Level 2
Summary Table. You can then select the Start Conversion Now button next to each level to
activate the conversion.
The Conversion Utility places additional load on ContentProtect Security Appliance and may
consume a large amount of processes. Because of this, we strongly recommend that you
run the Conversion Utility during non-peak hours to avoid unnecessary interruptions in
network traffic. Also note that you can only run one conversion at a time, and they must be
done in order.
This concludes the section on general reporting options. In the next sections we will discuss
the different reports for application and web traffic.
Users tab
The Users tab gives you an overview of the Internet traffic generated on your network by
users. This report will display the top 25 users, devices, or groups on your network within
the last 24 hours. However, this time frame is customizable, as are the sorting features.
This report will display total network traffic as well as total download and upload for the
corresponding criteria. The reports available are Directory User Overview, Group Overview,
and Network Node Overview. Also available under this report are Directory User Detail,
Group Detail, and Network Node Detail reports. These reports are often referred to as
Dashboard reports.
Dashboard Reports
Dashboard Reports are detailed reports about individual users, devices, or groups. They
present all information available about the selected device, user, or group. For example, go
to Report -> Users -> Network Node Overview. Under the Network Node Details legend,
select any profile and click on the name. This will populate the Network Node Detail report
for the particular device.
Dashboard Reports display all recorded information for the profile selected. The reports
available are listed below:
• Total Traffic—this traffic is the combined amount of upload and download traffic.
• Application Traffic—this traffic is the amount of bandwidth consumed for all
applications.
• Uncategorized Traffic—this is traffic that ContentProtect Security Appliance does not
recognize.
• Web Requests by Host—these are the host names of Web sites visited by the user,
device, or group.
• Web Request by Category—these are categories of Web sites visited by the user,
device, or group.
• Possibly Infected Spyware—these are Web sites visited or applications used by the
user, device, or group that are possibly infected with spyware.
• Possibly Infected Virus—these are Web sites visited by the user, device, or group
that are possibly infected with Web viruses.
• Open ports—these are all ports active by the user, device, or group and their
corresponding service.
• Network Node Information—this report will post the Operating System (OS) as well
as the assigned group for the device.
If you need more detail on the individual reporting aspect, simply select the title of the
report for a more comprehensive representation.
To display dashboards for different users, devices, or groups, select the profile name located
in the upper right-hand corner of the original dashboard.
Applications tab
The Applications tab displays the amount of bandwidth used by applications and application
sets. These reports are presented in total downloads and uploads according to colors and
amounts. When data is presented as a bar graph, the corresponding Network Node,
Directory User, Group or application will be posted next to a colored bar. When data is
presented as a column graph, the most recent data is presented at the right end of the
graph with the green column representing download traffic and the blue column
representing upload traffic.
ContentProtect Security Appliance identifies traffic based on application signatures.
Applications can then be grouped into application sets (signature sets) of programs that
perform a comparable purpose. For example, the signature set of Remote Desktop/Remote
Control/X Traffic comprises the applications of PC Anywhere, Citrix, GoToMyPC, Microsoft’s
Remote Desktop, and many more. For a complete list of application sets, please see
Chapter 5: Managing ContentProtect Security Appliance.
Also available in this tab are Custom Application Sets and Uncategorized Reports. Custom
Application Sets report on traffic for which ContentProtect Security Appliance administrators
have defined a custom signature. Uncategorized Reports presents specific stats of
applications for which ContentProtect Security Appliance does not have an explicit signature.
Although ContentProtect Security Appliance may not have a signature for this traffic, the
device will record the protocol used, the destination port and the percent of bandwidth used.
These topics are covered in more detail as a tutorial document entitled How to Create a
Custom Signature. This document can be found on ContentWatch Knowledge Base
(http://www.contentwatch.com/kb).
The application sets are listed below as bulleted items.
• Application Overview—this is a summary of bandwidth consumed by individual
applications.
• Application Set Overview—this is a summary of bandwidth consumed by application
sets.
• Total Traffic—this is the amount of total bandwidth consumed.
• Chat and IM—this is the amount of bandwidth consumed by Chat and IM
applications.
• Databases—this is the amount of bandwidth consumed by Database applications.
• DNS/Naming/Locators—this is the amount of bandwidth consumed by DNS and other
network naming applications.
• Email/Collaboration—this is the amount of bandwidth consumed by Email and
services used to send email.
• FTP/File Transfer—this is the amount of bandwidth consumed by File Transfer
Protocol applications.
• ICMP Traffic—this is the amount of bandwidth consumed by Internet Control Message
Protocol applications.
• Games—this is the amount of bandwidth consumed by online gaming applications.
• HTTP—this is the amount of bandwidth consumed by Hypertext Transfer Protocol
(Web) applications.
• NetBIOS/MS File Service—this is the amount of bandwidth consumed by Network
Basic Input/Output and other Microsoft File Service applications.
• Network Mgt/Monitoring—this is the amount of bandwidth consumed by network
management applications (SNMP, NMS, etc.).
• Network Routing—this is the amount of bandwidth consumed by network routing
applications (RIP, NCP, etc.).
• Network Utility—this is the amount of bandwidth consumed by network utility
applications (DHCP, NSW, etc.).
• Peer 2 Peer—this is the amount of bandwidth consumed by Peer 2 Peer applications.
• Printing and Reporting—this is the amount of bandwidth consumed by printing and
reporting applications.
• Proxy and Cache—this is the amount of bandwidth consumed by Proxy and cached
applications.
• RPC/Remote Execution—this is the amount of bandwidth consumed by remote
execution applications.
• Remote Desktop/Remote Control/X Traffic—this is the amount of bandwidth
consumed by remote desktop and control applications.
• Security/Authentication—this is the amount of bandwidth consumed by security
applications.
• Streaming Media—this is the amount of bandwidth consumed by streaming media
(music and video) applications.
• Telnet/SSH—this is the amount of bandwidth consumed by Telnet and SSH
applications.
• Uncategorized Traffic—this is the amount of bandwidth consumed by traffic that has
no explicit signature set.
• VoIP and Voice Chat—this is the amount of bandwidth consumed by Voice over
Internet Protocol (VoIP) and Voice Chat applications.
• VPN and Tunnel—this is the amount of bandwidth consumed by VPN and Tunneling
applications.
Threats tab
The Threats tab will report and provide a detailed view of all activity in your network
relating to Spyware and web viruses. These reports will present information on Spyware
and Web viruses and possibly infected devices in your network. You can then use
ContentProtect Security Appliance to identify possible threats before they become
problematic.
•
Spyware Overview—this is a summary of spyware threats that have been blocked.
•
Spyware Infected Users—these are devices that may be infected with spyware.
•
Spyware Threat Names—these are the names of spyware threats present on the
network.
•
Virus Overview—this is a summary of web viruses that have been blocked.
•
Virus Infected Users—these are devices that may be infected with web viruses.
•
Virus Threat Names—these are names of web virus threats present on the network.
Internet Usage tab
The Internet Usage tab reports on all web sites requested by users. This is a great report to
give a general indication of which web sites and categories users are visiting or attempting
to visit.
One of the reports, Web Time Online, is a report based on estimated values and generated
by counting the number of hits per page multiplied by the value entered in Miscellaneous
Settings (Admin -> Configuration -> Misc. Settings).
As with most online timers, there is no definite method for determining whether a user is
actively surfing the Web or merely has a program in the background generating hits, e.g., a
weather report, stock ticker, or Internet radio. As such, these are estimates and not exact
values.
•
Web Hits Overview—this report is presented in three categories: Allowed, Blocked,
and Bypassed. Allowed refers to web hits on sites that users have been allowed to
visit. Blocked refers to blocked web hits on sites that users have not been allowed to
visit. Bypassed refers to web hits on sites that were originally blocked but were later allowed
after users entered the Bypass Password (for more information on this setting see
Chapter 5: Managing ContentProtect Security Appliance). Clicking on each category
will present all information pertinent to that category. For example, clicking on Allowed
will show you all hits for Web categories that users were allowed to visit. This will
also post the percentage in comparison to the total number of hits for the Allowed
category. You can correlate this report by Host, File Type, MIME Type, Group,
Directory User, and Network Node.
•
Web Bandwidth Overview—this report displays how much bandwidth is being
consumed by web requests. The report is presented in a format similar to Web Hits
Overview (Allowed, Blocked, and Bypassed) with a column graph showing the
amount of bandwidth for Web requests. This report can be modified for specific
dates, correlations, result types, and other features.
•
Web Hits by Network Node—this report shows the top users of web traffic in terms of
hits. This report displays a bar graph which shows the top users followed by a detail
view of the corresponding profiles, number of hits, and percentage of the users’ Web
hits compared to total web hits.
•
Web Bandwidth by Network Node—this report shows the top users of Web traffic in
terms of bandwidth. This report shows you the Hardware Profile (Network Node) and
its corresponding download total, upload total, total bytes, and percentage of
bandwidth consumed for web traffic.
•
Web Time Online—this report displays the amount of time users have spent browsing
the Internet. Please remember that this report is an estimation of time spent
browsing the Internet and is not an exact value.
System Reports tab
The System Reports tab reports on the actual system health of ContentProtect Security
Appliance. This report posts the CPU and RAM utilization of the device. The report will also
post the active connections in the network as well as requests for Directory Users.
Understanding this report will allow you to schedule maintenance, plan for upgrades, and
prevent problems on the network or with ContentProtect Security Appliance.
•
Active Users—this report refers to active devices present on the network.
•
CPU Utilization—this report refers to how much of the Central Processing Unit (CPU)
ContentProtect Security Appliance is utilizing.
•
Directory Agent Requests—this report lists how many requests ContentProtect
Security Appliance has sent to the Directory Agent installed on your directory server.
For this report to post information, Directory Users must be integrated with
ContentProtect Security Appliance. Please see Chapter 7: Integrating Directory
Users with ContentProtect Security Appliance for more information.
•
IP Connections—this report refers to live IP flows traversing through ContentProtect
Security Appliance.
•
Latency—this report shows in milliseconds the response time for PING requests sent
from ContentProtect Security Appliance to the network’s default gateway.
•
HTTP Connections—this report shows the number of connections per second to Web
sites being filtered by ContentProtect Security Appliance.
•
HTTP Requests—this report shows the number of Web requests per second
ContentProtect Security Appliance has filtered.
•
Packets per Second—this report displays the number of Internet packets per second
passing through ContentProtect Security Appliance.
•
RAM Usage—this report shows the amount of Random Access Memory (RAM)
ContentProtect Security Appliance is using.
•
SSL Connections—this report shows the number of HTTP Connections that have been
established with SSL. For this report to function, ContentProtect Security Appliance
must be configured for HTTPS/SSL Filtering. For more information on this feature,
please see Chapter 8: Implementing HTTPS/SSL Filtering with ContentProtect
Security Appliance.
Dashboards tab
The Dashboards tab presents two tools that display traffic and Web requests in real
time. These tools are Real Time Monitor (RTM) and Real Time URL Monitor (RTUM).
RTM displays traffic amounts as they happen. This can be helpful in troubleshooting
network problems or resolving bandwidth issues in real time. RTM will post total application
traffic, both upload and download, with a legend representing distinct applications. RTM
parses traffic in three-second intervals and displays the amounts accordingly.
Figure 4.5 Real Time Monitor
Figure 4.6 Real Time Monitor Legend
Another capability of RTM is the ability to correlate within the last hour to display the most
bandwidth consuming users. For example, in the above diagram RTM has HTTP as the
highest amount of traffic. If you right-click on this traffic, you will be presented with the
options to correlate by Directory User, Group, or Network Node.
Figure 4.7 Real Time Monitor Right-Click Options
You can then select Correlate by Network Node to confirm what devices within the last hour
have consumed the highest amount of HTTP traffic. RTM can be used to diagnose a
problem in real time, allowing you to resolve the issue as soon as possible.
RTUM displays web requests as they pass through ContentProtect Security Appliance. This
tool, in addition to RTM, can be used to confirm instantaneously the web sites that are being
accessed, blocked, or bypassed. You can also use the different options to display the web
requests for a specific Network Node, Directory User, and Group as well as the Date, Web
category and Encryption Type of the request.
Figure 4.8 Real Time URL Monitor
This concludes the chapter on generating reports. The next chapter will guide you on how
to manage ContentProtect Security Appliance in regards to creating groups, implementing
policies, and managing devices and traffic.
Chapter 5: Managing ContentProtect Security Appliance
ContentProtect Security Appliance allows you to control and identify network traffic based
on applications and users. ContentProtect Security Appliance also allows you to separate
problematic users from general traffic or problematic applications based on different criteria,
time of day, and priority. The device can also block web sites or categories protecting users
and your network from improper content. ContentProtect Security Appliance can also
allocate resources to identify proprietary traffic within your network, thus customizing the
device to your specific needs. Most of these options are available under the Manage tab and
are covered in this chapter:
•
General Manage Options
•
Policies & Rules tab
•
Directory Users & Nodes
•
System Access tab
•
Application tab
General Manage Options
The Manage tab is where policies and organization of users will be enforced. Under this tab,
you will create groups, time of day rules, content filtering rules, and shaping rules. This tab
also allows you to customize traffic identification and select which devices or users will or
will not be monitored.
The basic principles behind the Manage tab are “Who, When, What, and How.” “Who” will
define which users will be assigned to which groups. “When” will define what time during
the day the rules take effect, e.g., all day or 9am to 5pm. “What” will define the allowed
content and applications, and “How” will deal with correlating specific policies to the
corresponding groups. Each menu under the Policies & Rules tab addresses these
principles:
•
Groups—who will be in the group?
•
Time of Day Rules—when will the rules take effect?
•
Internet Usage Rules—what web sites can group members visit?
•
Shaping Rules—what applications can group members access?
•
Policy Manager—how to correlate rules to groups?
As a general rule, these principles are applied in the order of these steps. For example, once you
create a group, you will then want to define a Time of Day Rule (TDR) and an Internet
Usage Rule (IUR). After those steps, you will create a shaping rule and tie all pieces
together with the Policy Manager.
In addition to these steps, please note that the more information you have about network
traffic, the better prepared you will be to implement policies. Because of this, it is highly
recommended that you first install and run ContentProtect Security Appliance in the network
for at least 24 hours before implementing any policies. Afterwards, you can review the
information collected and make a more precise decision on which web sites should be
blocked, which applications should be shaped, and what threats are present on the network.
The more information you have, the more adept you’ll be at deciding on policies and
controlling the network and users.
Policies & Rules tab
You will want to become very familiar with the Policies & Rules tab. This tab is used for
creating Groups, Time of Day Rules (TDRs), Internet Usage Rules (IURs), and Shaping
Rules. This is the main management tab used for almost all user organization and policy
implementation with ContentProtect Security Appliance. First let’s define Groups.
Groups
ContentProtect Security Appliance has 8 groups by default for your convenience. These Groups are
called ContentProtect Security Appliance Groups. All users and devices are placed in the
Default Group until assigned to another group. You can assign users to ContentProtect
Security Appliance Groups based on several different identifiers.
First let’s discuss the default ContentProtect Security Appliance Groups and their
accompanying policies. Then we’ll discuss how to add members to ContentProtect
Security Appliance groups and how to create new ContentProtect Security Appliance Groups.
Each group is assigned a default policy for Internet use. These policies are called Internet
Usage Rules (IURs) and are covered in more detail under that section. Also, none of the
default ContentProtect Security Appliance Groups has any shaping rules.
•
Default Group—all users and devices are in this group by default. As such you will
not be able to add users or devices to this group but rather you will be able to
remove them from this group. This is done by creating new groups and adding users
or devices to the group or adding them to one of the other groups. The Default
Group by default uses the Default Usage Rules.
•
Deny Access Group—members of this group will not be able to access any Internet
traffic. All web sites and application traffic will be denied for this group. Users in
this group will be assigned the Deny Access Usage Rules.
•
Filter Bypass Group—members in this group will not be monitored or filtered by
ContentProtect Security Appliance. Only bandwidth and application reporting will be
recorded for members in this group. This group uses the Filter Bypass Usage Rules.
•
Moderate Group—members in this group will have their web pages monitored and
filtered with typical restrictions on web categories such as Adult, Shopping,
Tasteless, and Obscene. Users will be prohibited from passing web traffic through
proxies and visiting proxy web sites. This group uses the Moderate Policy Rules.
•
Monitor Only—members of this group will have their web pages monitored but not
filtered or blocked. This group uses the Monitor Only Policy Rules.
•
Monitor Only with Threat Protect Group—members in this group will have their web
pages monitored but not filtered or blocked except in the case of Spyware and web
viruses. This group uses the Monitor Only with Threat Protect Policy Rules.
•
Permissive Group—members in this group will have their web pages monitored and
filtered based on light restrictions and a limited amount of blocked categories. Users
will not be able to visit proxy web sites. This group uses the Permissive Policy Rules.
•
Strict Group—members in this group will have their web (HTTP) traffic monitored and
filtered and secure web pages (HTTPS) blocked. A broad range of categories will be
blocked as well as proxy web sites. In addition to this, users will not be able to pass
web traffic through Open or Secure Proxies. Lastly users will not be able to view
blocked content via search engines or search engine cached pages. This group uses
the Strict Policy Rules.
Now that we have described the pre-defined ContentProtect Security Appliance Groups, let’s
discuss how to add members to these groups. Go to Manage -> Policies & Rules -> Groups.
Select one of the ContentProtect Security Appliance Groups to which you want to add
members. Once you select a group, you will be presented with the Add/Edit Group Detail
field. In this field, you can change the name of the group as well as add devices, network
addresses, or specific MAC addresses to the group.
Before adding members to ContentProtect Security Appliance Groups, you need to
understand how ContentProtect Security Appliance identifies devices on the network.
Devices can be identified by several different criteria, i.e., by MAC address, by IP address,
by VLAN, while users can be identified by Directory or user names. Because of this,
ContentProtect Security Appliance allows you to configure how users will be identified
depending on your network. This option is called Member Type.
When you first access the Add/Edit Group Detail field, the default Member Type of Network
Node will be selected. Network Node represents devices on the network that ContentProtect
Security Appliance has already discovered. These devices will be listed by their NetBIOS
name (if available) or by their IP address. If you would like to add devices to
ContentProtect Security Appliance Groups by Network Node, simply click the open check box
next to the profiles under the Member Name column and select Add>.
However, if you would like to add users to the group by different criteria, click the Select a
Member Type Drop-Down Box. This will present you with fourteen different member types
listed below that allow you to identify users based on distinctive criteria.
Please note that the member type Network Node will post devices already discovered by
ContentProtect Security Appliance. If you have integrated LDAP with ContentProtect
Security Appliance, LDAP User will post LDAP Profiles already discovered by ContentProtect
Security Appliance. All other fields will present you an Enter New field that will allow you to
manually add a user.
•
Network Node—this member type represents devices discovered by ContentProtect
Security Appliance.
•
LDAP User—this member type represents LDAP profiles discovered by ContentProtect
Security Appliance.
•
MAC Source—this member type represents profiles using the Media Access Control
(MAC) source address of devices.
•
MAC Destination—this member type represents profiles using the MAC destination
address of devices.
•
CIDR Block Source—this member type represents profiles using an IP source address
or IP source address range listed in Classless Inter-Domain Routing (CIDR) notation.
•
CIDR Block Destination—this member type represents profiles using an IP destination
address or IP destination address listed in CIDR notation.
•
CIDR Block Source and Destination—this member type represents profiles using an
IP source and destination address or IP source and destination address range listed
in CIDR notation.
•
VLAN—this member type represents profiles using Virtual Local Area Network (VLAN)
tags.
•
Protocol—this member type represents profiles using different protocols, i.e., TCP,
UDP, etc.
•
TOS—this member type represents Type of Service (TOS) profiles. TOS is a single-byte
field in an IP packet header that specifies the service level required for the
packet.
•
DSCP—this member type represents Differentiated Services Code Point (DSCP)
profiles. DSCP is an integer value encoded in the DS field of an IP header.
•
TTL—this member type represents Time to Live (TTL) profiles. TTL values exist in
each IP packet header and determine how long the packet can traverse the network
before being dropped.
•
Length—this member type represents the Ethernet Length profiles. Ethernet length
actually specifies the size of the frame used within the network interface.
•
CIDR Block Override—this member type represents IP addresses that you want to
take precedence over any other group assignment. This member type is normally
used in the Filter Bypass Group to ensure specific IP addresses or ranges of
addresses are not filtered.
Once you have added members to the pre-defined ContentProtect Security Appliance
Groups, you can confirm the assignments by pressing the Save button. The pre-defined
groups and any new groups you create based on the different member types are called
ContentProtect Security Appliance Groups.
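Before saving group assignments, it helps to check which addresses a planned configuration leaves unfiltered. The following Python model is an added example, not ContentWatch code: it applies only what the guide states (CIDR Block Override takes precedence over any other assignment, and unassigned devices stay in the Default Group) and reports an address matched by more than one group as a conflict, because the guide does not say which group wins. The group contents and host list are constructed.

```python
import ipaddress

DEFAULT_GROUP = "Default Group"
# Groups whose members are not monitored or filtered, per the guide.
BYPASS_GROUPS = {"Filter Bypass Group"}

# Constructed sample configuration: group name -> entries by member type.
GROUPS = {
    "Filter Bypass Group": {"CIDR Block Override": ["10.0.5.0/28"]},
    "Strict Group": {"CIDR Block Source": ["10.0.5.0/24"]},
    "Moderate Group": {"CIDR Block Source": ["10.0.0.0/16"]},
}

# Constructed inventory of source addresses to review.
HOSTS = ["10.0.5.3", "10.0.5.200", "10.0.9.9", "192.168.1.1"]


def _groups_matching(addr, groups, member_type):
    """Names of groups holding a CIDR entry of member_type that contains addr."""
    return sorted(
        name
        for name, members in groups.items()
        if any(addr in ipaddress.ip_network(cidr)
               for cidr in members.get(member_type, []))
    )


def resolve(ip, groups=GROUPS):
    """Return (group_names, status) for a source address.

    status is 'override', 'member', 'conflict' or 'default'. Overrides are
    checked first because the guide gives them precedence over any other
    group assignment.
    """
    addr = ipaddress.ip_address(ip)
    for member_type, status in (("CIDR Block Override", "override"),
                                ("CIDR Block Source", "member")):
        hits = _groups_matching(addr, groups, member_type)
        if len(hits) == 1:
            return hits, status
        if hits:
            # More than one group claims this address; flag it for review.
            return hits, "conflict"
    return [DEFAULT_GROUP], "default"


def review(hosts, groups=GROUPS):
    """Summarise which hosts end up unfiltered and which are ambiguous."""
    result = {"unfiltered": [], "conflicts": []}
    for ip in hosts:
        names, status = resolve(ip, groups)
        if status == "conflict":
            result["conflicts"].append(ip)
        elif names[0] in BYPASS_GROUPS:
            result["unfiltered"].append(ip)
    return result


if __name__ == "__main__":
    for ip in HOSTS:
        print(ip, *resolve(ip))
    print(review(HOSTS))
```
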
To create groups, you can click the Create button under the Group Manager. This will post
the Choose a Group Type dialog box. You can use the previous steps to create a
ContentProtect Security Appliance Group. If you would like to create groups based on
Directory Users, please see Chapter 7: Integrating Directory Users with ContentProtect
Security Appliance.
If you want to create groups based on the different member types, you can then add
members to the newly created ContentProtect Security Appliance Group following the same
steps listed beforehand. If you need to delete groups you may do so with the Delete
Selected button also located under the Group Manager. If you delete groups, all members
from the deleted groups will fall into the Default Group again. Now that we have defined
ContentProtect Security Appliance Groups, we’ll discuss Time of Day Rules.
Time-of-Day Rules
ContentProtect Security Appliance provides the ability to configure policies based on specific
times of the day. For example, if you want to block access to certain web sites during
business hours but allow access to those web sites during non-business hours, you can
create a Time of Day Rule (TDR). Another scenario is if you want E-mail traffic to have
priority during the day, but VPN traffic to have priority during the night, a TDR can allow
you to distinguish accordingly.
Unless otherwise specified all rules created will be in effect 24 hours a day, seven days a
week. TDRs allow you to create different rules for different times of the day or different
days of the week. The first step in creating TDRs is to define the blocks of time that will
separate the different policies. Afterwards, you will assign an IUR to each block of time.
This latter step will be covered in the section Policy Manager.
Select Manage -> Policies & Rules -> Time of Day Rules. ContentProtect Security Appliance
ships with two default TDRs: All Day and Business Work Week. All Day (the default TDR)
enforces policies 24 hours a day, seven days a week. Business Work Week enforces policies
Monday through Friday, 9am to 5pm. If you would like to alter these blocks you may select
them individually or create your own by selecting the Create button.
Once you select or create a TDR, you will be presented with the Add/Edit Time of Day Detail
field. Here you will give the TDR a name, a description, and define the blocks of time for
the different policies.
The blocks of time (presented in military time) can be separated by 15 minutes. Select the
Start Time and End Time for each day and click the Add> button. ContentProtect Security
Appliance will automatically separate the blocks from the rest of the day (24 hours) and
post the time after saving the changes.
Also, you can copy the blocks of time from one day to another by using the Copy From
Drop-Down Box. Once you have selected the blocks of time for the individual days of the
week, click the Save button.
The second step in creating TDRs is to assign different policies to the time blocks. This is
covered under the section Policy Manager. Also, you can edit and delete any TDR by
selecting them under Time of Day Rule Manager.
Now that you have created groups and TDRs, we will discuss Internet Usage Rules (IURs)
and how to manage them. Internet Usage Rules (IURs) are the main content filtering
components of ContentProtect Security Appliance. IURs are used to block web sites, web
categories, File Types, MIME Types, and even common tactics used to bypass content
filtering.
First, we’ll define general options available in all IURs, including Traffic Flow Rule Sets
(TFRS). Second, we’ll list the default IURs and the associated policies. Third, we’ll give an
example on how to customize IURs and other advanced policies.
Traffic Flow Rule Sets
Click on Manage -> Policies & Rules -> Internet Usage Rules -> Default Usage Rules. This
screen will present the options available under Add/Edit Internet Usage Rule Sets. Towards
the top will be posted the Rule Set Name and Rule Set Description followed by the Traffic
Flow Rule Set Drop-Down Box. For you to correctly control and filter web traffic, you will
need to understand Traffic Flow Rule Sets.
Traffic Flow Rule Sets (TFRS) are the basic traffic identification and control engine within
ContentProtect Security Appliance. TFRS allow you to dictate how traffic will be identified,
controlled, reported, filtered, and shaped. TFRS define the content rules and implement
restrictions on identified traffic for users on the network. In essence, TFRS are the
controlling mechanisms that decide what types of traffic are allowed and what types are
not. TFRS will be your tool in managing network traffic and reporting on such.
Select the Traffic Flow Rule Sets Drop-Down Box to view the default TFRS. They are also
listed below with their corresponding targets.
•
Deny Access—this TFRS restricts all traffic that passes through ContentProtect
Security Appliance.
•
No Filters—this TFRS performs no content filtering, no Web logging, no IM client
logging, no Spyware scanning and no virus scanning.
•
Web Filter + Anonymous Proxy Guard—this TFRS performs content filtering, web
logging, Spyware scanning, virus scanning for HTTP traffic (Web Filter), and prohibits
HTTP traffic on any port other than port 80 or a designated proxy port (Anonymous
Proxy Guard).
•
Web Filter + Deny IM—this TFRS performs content filtering, web logging, Spyware
scanning, virus scanning (Web Filter), and denies all IM Client conversations (Deny
IM).
•
Web Filter + Deny IM + Anonymous Proxy Guard—this TFRS performs content
filtering, web logging, Spyware scanning, virus scanning for HTTP traffic (Web Filter),
denies all IM Client conversations (Deny IM), and prohibits HTTP traffic on any port
other than port 80 or a designated proxy port (Anonymous Proxy Guard).
•
Web Filter + Deny IM + Anonymous Proxy Guard + SSL Filter—this TFRS performs
content filtering, web logging, spyware scanning, virus scanning for both HTTP traffic
(Web Filter) and HTTPS traffic (SSL Filter), denies all IM Client conversations (Deny
IM), prohibits HTTP traffic on any port other than port 80 or a designated Proxy port,
and prohibits HTTPS traffic on any port other than port 443 or a designated Proxy
port (Anonymous Proxy Guard).
•
Web Filter—this TFRS performs content filtering, web logging, spyware scanning,
virus scanning for HTTP traffic (Web Filter). This is the default TFRS for users and
newly created IURs.
•
Web Filter + Anonymous Proxy Guard + SSL Block—this TFRS performs content
filtering, web logging, spyware scanning, virus scanning for HTTP traffic (Web Filter),
prohibits HTTP traffic on any port other than port 80 or a designated proxy port
(Anonymous Proxy Guard), and prohibits all HTTPS traffic from passing through
ContentProtect Security Appliance (SSL Block).
•
Web Filter + Anonymous Proxy Guard + SSL Filter—this TFRS performs content
filtering, web logging, spyware scanning, virus scanning for both HTTP traffic (Web
Filter) and HTTPS traffic (SSL Filter), prohibits HTTP traffic on any port other than
port 80 or a designated proxy port, and prohibits HTTPS traffic on any port other
than port 443 or a designated proxy port (Anonymous Proxy Guard).
•
Web Filter + SSL Filter—this TFRS performs content filtering, web logging, spyware
scanning, virus scanning for both HTTP traffic (Web Filter) and HTTPS traffic (SSL
Filter).
•
Web Logging—this TFRS only logs web requested URLs. No other actions will be
taken as far as content filtering, spyware scanning, and virus scanning.
The most important factor in configuring TFRS is deciding on what needs to happen to
traffic. For example, do you want to block certain web sites or categories? If so, the TFRS
of Web Filter needs to be selected. Do you want to deny IM Client conversations? If so, the
TFRS of Deny IM must be selected. These factors will help determine the active TFRS.
Content Filtering
Now that we have defined TFRS, let’s discuss the other components of the Add/Edit Internet
Usage Rule set. Below the TFRS Drop-Down Box, you will see four tabs: Content Filtering,
Advanced Filtering, HTTPS/SSL Filtering, and Web Authentication. In this section we will
discuss the Content Filtering and Advanced Filtering tabs. HTTPS/SSL Filtering will be
covered in Chapter 8: Implementing HTTPS/SSL Filtering with ContentProtect Security
Appliance. Web Authentication is covered in Chapter 7: Integrating Directory Users with
ContentProtect Security Appliance.
Content Filtering provides general choices for filtering web traffic. For example, this tab
displays Blocked Categories, Blocked URLs, White List URLs, Blocked File Types, Blocked
MIME Types, and Web Authentication White List. If you would like to block a web category,
e.g. Porn, you can select the sub-tab of Blocked Categories, click Edit Blocked Categories,
and search for the Porn category under Allowed Categories. Once found, select the
category, click the Add> button to move it to the Blocked Category List, and click Ok. Once
you save your changes, this category will be blocked for that particular Internet Usage Rule.
Below are general explanations of the options on the Content Filtering tab. Appendix A through
Appendix C list all options for web categories, File, and MIME types.
•
Blocked Categories—this sub-tab lists all selected web categories for preventing
access. They range from Adult and Porn to Online Communities and Shopping. To
add categories to the Blocked Category list select the Blocked Category sub-tab and
click Edit Blocked Categories button.
•
Blocked URLs—this sub-tab allows you to enter a specific Uniform Resource
Locator (URL) address to be blocked. There are three compare strings that can be
used to enter Blocked URLs: URL-Regular Expression, URL, and Domain.
o
URL-Regular Expression—this compare string utilizes regular expressions to
block web sites. Regular expression (regex) is a method used to describe a
string of text using metacharacters or wildcard symbols. To use URL-Regular
Expression, you will need to understand the functions of regular expression
metacharacters. URL-Regular Expression supports POSIX Basic and Extended
Regular Expressions. A full explanation of the
syntax for a Regular Expression Rule is beyond the scope of this document.
To add a URL-Regular Expression to the Blocked URL list, select the Blocked
URLs sub-tab, click on the Edit the Blocked URLs button, and choose the
URL-Regular Expression setting from the Compare String drop-down box.
Enter the URL-Regular Expression, click the Update button and then the Ok
button.
o
URL—this compare string looks for an exact URL match. Use this compare
string to block specific web pages where an exact match is necessary. For
example, an entry of myspace.com/forums will block MySpace’s forum web
page, but not necessarily other MySpace web pages. However, you can use
an asterisk symbol (*) as a wildcard with the compare string of URL. For
instance, an entry of http://www.myspace.com* will block any web page
that begins with http://www.myspace.com. To add a URL to the Blocked
URL list, select the Blocked URLs sub-tab, click on the Edit the Blocked URLs
button, and choose the URL setting from the Compare String drop-down box.
Enter the URL, click the Update button and then the Ok button.
o
Domain—this compare string looks for any web page that begins with the
domain name of the web site. Use this compare string to block web sites
where the domain name is constant in the URL. For example, an entry of
myspace.com will block all of MySpace’s web pages. You can also use an
asterisk symbol (*) as a wildcard with the compare string of Domain. For
instance, an entry of *myspace.com will block any web page that has
myspace.com in the domain name regardless of http, https, or www. To add
a Domain to the Blocked URL list, select the Blocked URLs sub-tab, click on
the Edit the Blocked URLs button, and choose the Domain setting from the
Compare String drop-down box. Enter the Domain name, click the Update
button and then the Ok button.
o
Legacy Keyword Mode—this keyword string was used as a general match
string under firmware releases 8.3.4 and earlier. It has now been replaced
by the stronger compare strings above. This compare string should only be
used to accommodate upgrades from earlier releases until they can be
reclassified using the above compare strings.
•
White List URLs—this sub-tab allows you to “whitelist” or allow users to access
specific web sites. These fields are mostly used when there is a conflict with another
rule. For example, if you choose to block the web category of Search Engines and
Portals but want to allow Google searches, you would add Google into the White List,
which will override the blocked category. White List URLs will override blocks from
all policies except for web sites under the Blocked URLs and Non-HTTP traffic. White
List URLs follow the same compare strings as Blocked URLs.
•
Other settings available in the Content Filtering tab are the Import and Export options,
Remove Selected Rows, Remove All Rows, and Edit Selected Rows under Blocked
URLs and White List URLs. The Import and Export options allow you to import or export a
plain text (.txt) version of your Blocked URLs and White List URLs, allowing you to
back up your lists or share lists with multiple IURs. By selecting either option, you
will be presented with a Browse utility, where you can direct ContentProtect Security
Appliance to import or export the plain text file. Remove Selected Rows and
Remove All Rows allow you to remove selected or all entries in the Blocked URLs and
White List URLs. Edit Selected Rows permits manual editing of selected entries.
•
Blocked File Types—this sub-tab lists all File types that can be blocked for download.
To add File Types to the Blocked File Type list, select the Blocked File Type sub-tab
and click Edit File Types button.
•
Blocked MIME Types—this sub-tab lists all Multipurpose Internet Mail Extensions
(MIME) types available that can be blocked for download. To add MIME Types to the
Blocked MIME Types list, select the Blocked MIME Type sub-tab and click the Edit
MIME Types button.
•
Web Authentication White List—this sub-tab is defined in Chapter 7: Integrating
Directory Users with ContentProtect Security Appliance.
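The following added example (not part of the guide and not the appliance's own code) models the URL and Domain compare strings and the White List precedence described above, so a planned list can be checked before it is entered. It assumes a URL entry is compared against the whole URL and a Domain entry against the host name only, that * matches any run of characters, that a URL entry without a wildcard must match exactly, and that a Domain entry without a wildcard is a host-name prefix; the function names, sample policy, and category assignments are constructed.

```python
import re
from urllib.parse import urlsplit


def glob_to_regex(entry):
    """Turn an entry with '*' wildcards into a regex; all other characters are literal."""
    return re.compile(".*".join(re.escape(part) for part in entry.split("*")),
                      re.IGNORECASE)


def entry_matches(kind, entry, url):
    """Return True if a list entry of the given compare-string kind matches url."""
    if kind == "URL":
        subject = url                            # compared against the whole URL
        if "*" not in entry:                     # assumption: no wildcard = exact match
            return subject.lower() == entry.lower()
    elif kind == "Domain":
        subject = urlsplit(url).hostname or ""   # scheme, port and path are ignored
        if "*" not in entry:                     # assumption: prefix of the host name
            return subject.startswith(entry.lower())
    else:
        raise ValueError(f"unsupported compare string: {kind}")
    return glob_to_regex(entry).fullmatch(subject) is not None


def decide(url, policy):
    """Apply the stated precedence: Blocked URLs, then White List, then category."""
    if any(entry_matches(k, e, url) for k, e in policy["blocked_urls"]):
        return "block: Blocked URLs"
    if any(entry_matches(k, e, url) for k, e in policy["white_list"]):
        return "allow: White List"
    host = urlsplit(url).hostname or ""
    category = policy["site_categories"].get(host)
    if category in policy["blocked_categories"]:
        return f"block: category {category}"
    return "allow: no rule"


# Constructed sample policy. The category map stands in for the appliance's
# own categorisation, which this sketch does not reproduce.
SAMPLE_POLICY = {
    "blocked_urls": [("URL", "http://www.myspace.com*")],
    "white_list": [("Domain", "*google.com"), ("Domain", "*myspace.com")],
    "blocked_categories": {"Search Engines and Portals"},
    "site_categories": {
        "www.google.com": "Search Engines and Portals",
        "search.example": "Search Engines and Portals",
    },
}

if __name__ == "__main__":
    for sample_url in (
        "http://www.google.com/search?q=weather",  # white-listed, category blocked
        "http://search.example/",                  # category blocked, not white-listed
        "http://www.myspace.com/home",             # Blocked URLs beats the White List
        "https://www.myspace.com/home",            # URL entry is scheme-specific
    ):
        print(f"{sample_url:45} -> {decide(sample_url, SAMPLE_POLICY)}")
```

The last sample shows why the guide's Domain form (*myspace.com) is the broader choice for a block: the URL entry http://www.myspace.com* does not cover the https variant, so the White List entry decides it instead.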
Advanced Filtering
Click on Manage -> Policies & Rules -> Internet Usage Rules -> Default Usage Rules. Once
this populates the Add/Edit Internet Usage Rule Set, click the Advanced Filtering tab. The
Advanced Filtering tab presents complex selections that offer more stringent policy control
for content filtering. Some options are selected by default for security reasons; however,
you can enable or disable any of these options depending upon your requirements.
Spyware
•
Enable Spyware URL Blocking—this setting scans web requests for URLs known to
host spyware.
•
Enable Spyware MD5 Blocking—this setting scans web traffic for known Message-Digest algorithm 5 (MD5) matches utilized for spyware downloads.
•
Enable Spyware ClassID Blocking—this setting scans HTML pages for Class IDs
(identification tags associated with ActiveX or OLE objects) known to host spyware.
Anti-Virus
•
Enable Anti-Virus Blocking—this setting scans web traffic for web pages that are
infected with viruses.
•
Enable Anti-Virus Email Alert Email Address—this setting allows the administrator of
ContentProtect Security Appliance to receive an email alert if a user attempts to
download a web virus. For this setting to work, the Technical Admin Name and
Technical Admin E-mail fields under the Miscellaneous tab must be completed
(Admin -> Configuration -> Misc. Settings).
Filter Avoidance
•
Enable Filter Avoidance IP Lookup—this setting associates proxy web sites with their
IP addresses and prevents users from entering them into web browsers.
•
Enable Filter Avoidance Real-Time Filter—this setting performs a real-time scan on
web sites to validate if the web page is hosting proxy services.
•
Enable Filter Avoidance Deep HTTP Inspection—this setting scans content for the
retrieved web pages from a proxy web site.
Filter Bypass
•
Enable Bypass—this setting allows users to bypass a blocked web site if he/she
knows the Bypass Password.
•
Enable Bypass—this setting allows users to access a web site that is
normally blocked by entering the correct password set in the Bypass Password setting.
•
Bypass Password—this setting is for the password that will be used with the Enable
Bypass setting.
•
Bypass Timeout (in minutes)—this setting specifies how long a user
can access a blocked web site using the Enable Bypass setting.
•
Enable Filter Bypass on a Per-IP Address Basis—this setting allows users to bypass
all web sites that are normally blocked instead of just a single blocked web site.
Enable Filter Bypass on a Per-IP Address Basis will use the same password and
timeout as the Enable Bypass setting.
Web Policy
•
Enable Anonymous Browse Mode—this setting continues to block users from
prohibited web sites; however, browsing history for these users will be reported.
•
Enable Safe Search Protection for Search Engines—this setting forces search engines
to use “safe search”, which prevents search engines from posting inappropriate results.
The supported search engines for this setting are Google, Yahoo!, Ask, MSN, Hotbot,
AOL, AlltheWeb, AltaVista, Lycos, and Netscape.
•
Block Search Engine Cached Pages—this setting allows you to block cached pages
from search engines, i.e., binoculars, Google Image search, etc.
•
Allow ONLY White List URLs—this setting prohibits users from visiting web sites that
are not specifically listed in the White List.
•
Apply White List to Referring URLs—this setting allows white listed web sites to post
all page objects, i.e., banners, images, etc., that are referred within the web site
regardless of the original hosting site.
•
Add X-Forwarded-For to HTTP header—this setting instructs ContentProtect Security
Appliance to forward original host information when Enhanced Bridging Mode
(EBM) is disabled. See Chapter 6: Administrating ContentProtect Security Appliance
for more information.
•
Real-Time Filter—this setting instructs ContentProtect Security Appliance to analyze
content on web pages in real time for better categorization and identification.
•
Enable Reverse DNS Lookups—this setting prohibits users from browsing blocked
web sites via IP addresses instead of domain names.
•
Block IP Address URLs—this setting prohibits users from browsing any web sites via
IP addresses instead of domain names.
•
Allow Non-HTTP Traffic Through the Web Filter—this setting allows Non-HTTP traffic
to pass through port 80 or the designated parent proxy port for web traffic.
•
Non-HTTP Traffic Socket Timeout (in minutes)—this setting allows you to set a time
limit in minutes for how long Non-HTTP traffic can pass through port 80 or the
designated parent proxy port for web traffic.
•
Force HTTP v1.0—this setting allows you to force web browsers to use HTTP version
1. HTTP v1.0 is the first protocol revision for HTTP traffic and is still in wide use,
especially by proxy servers.
Again you can disable or enable any of these options by selecting the sub-tab of each
selection, and then checking the check box next to the settings. Again, don’t forget to Save
your changes. If you create a new IUR, the following table lists the default settings. All
other options will be disabled.
New IUR Default Settings
TFRS: Web Filter
Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)
Anti-Virus: Enable Anti-Virus Blocking
Now that you are familiar with both the Content Filtering and Advanced Filtering tabs, let’s
discuss the default Internet Usage Rules and how to create a new one.
Internet Usage Rules
ContentProtect Security Appliance has 8 default Internet Usage Rules (IURs). These IURs
correspond to the default groups available with ContentProtect Security Appliance.
Remember that the method is to create a group and then assign that group an IUR.
Because ContentProtect Security Appliance has 8 default groups, their IURs are also
available. The following are the pre-defined IURs and their settings.
Default Usage Rules are the default settings for all users unless configured otherwise. By
default this IUR will log and filter only HTTP traffic. This IUR will not block any Web sites,
File Types, or MIME Types except spyware and viral web sites. The following table lists all
filtering options for the Default Usage Rules.
Default Usage Rules
TFRS: Web Filter
Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)
Anti-Virus: Enable Anti-Virus Blocking
Deny Access Policy Rules denies all Web traffic and cannot be altered.
Filter Bypass Policy Rules allows all network traffic to pass and only reports on bandwidth
and applications used. This IUR cannot be altered.
Moderate Policy Rules provides typical restrictions on common web categories and also
blocks several file types. In addition to this, this IUR has some advanced filter avoidance
options selected as well as a TFRS that blocks anonymous web surfing for HTTP traffic. The
following table lists all filtering options for this IUR.
Moderate Policy Rules
TFRS: Web Filter + Anonymous Proxy Guard
Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Blocked Categories: Adult, Cheating and Plagiarism, Crime, Criminal Related, Cults, Dating, Filter Avoidance, Gambling, Hacking, Hate Speech, Illegal Drugs, Job Search, Lingerie, Non-sexual nudity, Online Communities, Peer File Transfer, Porn, Shopping, Tasteless or Obscene, Vice, Violence, and Weapons
Anti-Virus: Enable Anti-Virus Blocking
Blocked File Types: bat, cab, cmd, com, dll, ed2k, emo, exe, ini, iso, lnk, torrent, wmf
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Enable Safe Search Protection for Search Engines, Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Socket Timeout (60 minutes)
Monitor Only Policy Rules are intended for users that will only be monitored and not filtered
for web traffic. The following table lists all filtering options for this IUR.
Monitor Only Policy Rules
TFRS: Web Filter
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Socket Timeout (60 Minutes)
Monitor Only with Threat Protection Policy Rules are intended for users that will only be
monitored and not blocked except for in the case of spyware and web viruses. The
following table lists all filtering options for this IUR.
Monitor Only with Threat Protection Policy Rules
TFRS: Web Filter
Spyware: Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Anti-Virus: Enable Anti-Virus Blocking
Web Policy: Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Socket Timeout (60 Minutes)
Permissive Policy Rules are designed for users that will have more leniency with regard to
the web sites they can visit and what file extensions can be downloaded. Web traffic will be
monitored and filtered. The following table lists all filtering options for this IUR.
Permissive Policy Rules
TFRS: Web Filter
Blocked Categories: Adult, Filter Avoidance, Hacking, Hate Speech, Illegal Drugs, Lingerie, Porn, Tasteless or Obscene, Vice, Violence, and Weapons
Spyware: Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Anti-Virus: Enable Anti-Virus Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)
Strict Policy Rules are intended for users who will have stringent rules applied to Web
browsing as well as file downloads. Users in this group will have HTTP monitored and
filtered and HTTPS traffic blocked. Below is the table with all filtering options.
Strict Policy Rules
TFRS: Web Filter + Anonymous Proxy Guard + SSL Block
Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Blocked Categories: Adult, Alcohol and Tobacco, Cars and Motorcycles, Cheating and Plagiarism, Crime, Criminal Related, Cults, Dating, Filter Avoidance, FYI, Gambling, Games, Hacking, Hate Speech, Illegal Drugs, Instant Messaging, Job Search, Lingerie, Lottery and Sweepstakes, Non-mainstream, Non-sexual Nudity, Online Communities, Online Trading, Peer File Transfer, Porn, Real Estate, Sex Ed and Abortion, Shopping, Sports and Recreation, Streaming Media, Tasteless or Obscene, Tattoos, Vice, Violence, Weapons, Web Messaging, Web-based Chat, Web-based Email
Blocked File Types: aac, adp, aiff, asx, avi, bat, cab, cmd, com, dll, dmg, ed2k, emo, exe, flac, flv, fpt, ini, iso, kmz, lit, lnk, log, m3u, m4a, mid, midi, moov, mov, mp3, mp4, mpeg, mpg, mpu, msi, mst, ogg, ogm, pab, pls, qt, ra, ram, rm, torrent, wav, wma, wmf, wmv
Anti-Virus: Enable Anti-Virus Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Enable Safe Search Protection for Search Engines, Block Search Engine Cached Pages, Real-Time Filter, Enable Reverse DNS Lookups, Block IP Address URLs
Again, these are the default IURs available for ease of use. You may simply add users to
these groups for the policy to apply. You can also alter all default IURs except for Deny
Access Usage Rules and Filter Bypass Usage Rules by selecting the individual IURs under
Internet Usage Rule Manager. If you would like to create your own IUR, select the Create
button under Internet Usage Rule Manager.
Shaping Rules
Shaping Rules allow you to “shape” network bandwidth for applications, users, and web
sites. In essence, Shaping Rules allow you to cap or restrict bandwidth for specific users or
applications on the network. These rules also allow you to shape bandwidth to Web sites as
well as assign priority levels for all traffic. Through Shaping Rules, you can control and
manage network traffic to ensure that critical users and applications have complete access
to the Internet and network resources.
ContentProtect Security Appliance has no default shaping rules. As such, you will need to
create them under the Shaping Rule Manager (Manage -> Policies & Rules -> Shaping
Rules). Here you will be presented with three tabs: Group, Application, and Web Content.
Group shaping rules manage total bandwidth for users and groups. Application shaping
rules administer bandwidth for specific application sets, i.e., P2P, Streaming Media, VoIP,
etc. Web Content shaping rules control bandwidth for specific web sites, web categories, File
Types, and MIME Types.
To create shaping rules, you must first enter a name for Shaping Rule Detail. Afterwards,
you can select the different tabs for each corresponding shaping rule.
Please remember that shaping rules are restrictions. This means that ContentProtect
Security Appliance will not allow a group, application, or web content to exceed the
bandwidth assigned. These rules do not ensure that traffic will meet a certain amount, but
rather will not go beyond the restriction. Think of shaping rules as a ceiling and not a floor.
Because of this, many users and applications may not need a shaping rule unless they pose
a threat to the network or are known consumers of bandwidth. A good practice is to install
ContentProtect Security Appliance in the network and have it report on users and
applications before implementing shaping rules. Knowing what types of traffic are passing in
the network and the amounts will help in creating a better shaping rule.
When you decide to implement a shaping rule, keep in mind several things (listed below).
•
All shaping rules will have three settings: Max Upload, Max Download, and Priority
Level. The Max Upload refers to traffic passing from the LAN port to the WAN port of
ContentProtect Security Appliance. Max Download refers to traffic passing from the
WAN port to the LAN port of ContentProtect Security Appliance. Priority refers to the
precedence level assigned to the traffic. The options are Highest, Higher, High,
Default, Low, Lower, and Lowest.
•
Group shaping rules restrict total bandwidth for all users within groups. This means
that if you apply Application shaping rules as well as Web content shaping rules for
the same group, these amounts must not exceed the Group shaping rule.
•
Group shaping rules are divided dynamically between active members. For example,
if only one group member is active within a group that has a shaping rule of 1Mbps,
then that one member will have total access of the bandwidth up to 1Mbps.
However, if another group member becomes active, ContentProtect Security
Appliance will dynamically divide the restriction and cap each member to 500 Kbps
and so on depending on the amount of active group members.
•
The percentages of traffic shown in the Drop-Down Boxes for all tabs are calculated
from the Available Upload Bandwidth and Available Download Bandwidth listed under
Miscellaneous Settings. The default settings are set to 5000Kbps and will restrict
traffic to that amount. If you have not adjusted this amount for your bandwidth,
please do so during the Setup Wizard or under the Miscellaneous settings (Admin ->
Configuration -> Misc. Settings).
Please note that the amounts listed in the available upload and download under
Miscellaneous Settings will restrict total traffic through ContentProtect Security
Appliance. Make sure that the amounts entered in these fields are the correct amounts for
your network (Admin -> Configuration -> Misc. Settings).
•
If you choose to enter a custom amount for the upload and download restrictions,
remember that this amount is presented in kilobits per second (Kbps). You will need
to compute your bandwidth into this amount (1024Kbps = 1 Mbps).
•
There are two application sets that you probably should not restrict: HTTP and
Uncategorized. The application set of HTTP correlates to all web-based traffic,
including regular web browsing. Because this application set is commonly used more
than any other application set, we recommend that you do not set a highly stringent
shaping rule for HTTP. The application set of Uncategorized correlates to network
traffic for which ContentProtect Security Appliance does not have an explicit
signature. These applications could be proprietary, recent, or uncommon. In
addition to this, this application set could also include traffic that is very important,
such as a custom accounting application, or an unrecognized VoIP system, etc.
Because of this, we strongly recommend that you do not disable this traffic or create
a strict shaping rule for this traffic.
•
Priority levels are only used when there is not enough bandwidth to complete
requests for active users or applications. For example, if you have two shaping
rules: 1Mbps for VPN with a High priority level and 1Mbps for P2P with a Low priority
level and there is not enough bandwidth to complete the requests for both
applications, ContentProtect Security Appliance will restrict P2P even more than
1Mbps to allocate more bandwidth for VPN.
•
There can be some variance between shaping rules and reporting, especially with
P2P and Streaming Media, because of how initial communications for these
applications take place. For example, Bit Torrent will negotiate on random ports and
may be considered Uncategorized until data begins to pass. After data is passed
ContentProtect Security Appliance can identify Bit Torrent as P2P and will then report
on all traffic passed beginning with the initial connections. However, shaping rules
for Bit Torrent will not take effect until the data is confirmed as P2P, normally after
the initial connections. Below are some general expectations for the variance:
o
Shaping rules under 256K can have up to 20% difference in reporting
o
Shaping rules under 1M can have up to 10% difference in reporting
o
Shaping rules under 5M can have up to 5% difference in reporting
•
If you choose to shape a web URL, use general phrases. For instance, if you want to
shape traffic to the Web site YouTube, enter the phrase youtube instead of
http://www.youtube.com.
•
Web Content shaping rules take precedence over Application shaping rules and will
be recorded jointly for shared applications. For example, if you have an Application
shaping rule for Streaming Media at 1Mbps and a Web Content shaping rule for
YouTube at 1Mbps, the Web Content shaping rule will take precedence while the
Application shaping rule will not apply. Reporting for the Streaming Media
Application Set will then report traffic for Streaming Media combined with traffic for
YouTube (2Mbps). To assure that Streaming Media does not exceed a specific
amount, balance the amount with Web Content shaping rules designated for
Streaming Media Web sites.
•
All changes to shaping rules will flush ContentProtect Security Appliance’s forwarding
plane. The forwarding plane is the architecture that decides how to handle packets
arriving on the LAN interface, i.e., applying shaping rules, denying traffic, etc.
Flushing ContentProtect Security Appliance’s forwarding plane will drop all
connections and reassign traffic accordingly. Because of this, we recommend that
you only make changes to shaping rules during off peak hours.
Once you have created a shaping rule, don’t forget to Save the changes. Also remember
that shaping rules are not active until you assign them to a group in the Policy Manager.
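The following added example (not part of the guide and not appliance code) checks a planned set of shaping rules against the points listed above before they are entered in the Shaping Rule Manager. It assumes one traffic direction, caps given in Kbps, and the reading that each Application or Web Content cap individually must not exceed the Group cap; the function names and the sample plan are constructed.

```python
AVAILABLE_KBPS_DEFAULT = 5000            # default Available Upload/Download Bandwidth
REVIEW_SETS = ("HTTP", "Uncategorized")  # sets the guide advises against restricting


def per_member_ceiling(group_kbps, active_members):
    """Group caps are divided dynamically between the currently active members."""
    if active_members < 1:
        raise ValueError("at least one active member is required")
    return group_kbps / active_members


def reporting_variance(cap_kbps):
    """Largest shaping-versus-reporting difference the guide quotes for a cap."""
    if cap_kbps < 256:
        return 0.20
    if cap_kbps < 1024:          # "under 1M", using the guide's 1024 Kbps = 1 Mbps
        return 0.10
    if cap_kbps < 5 * 1024:      # "under 5M"
        return 0.05
    return None                  # the guide gives no figure above 5M


def lint_plan(plan, available_kbps=AVAILABLE_KBPS_DEFAULT):
    """Return a list of findings for one group's planned shaping rules."""
    findings = []
    group = plan["group_kbps"]
    if group > available_kbps:
        findings.append(
            f"group cap {group} Kbps is above the {available_kbps} Kbps "
            "available bandwidth, which already limits total traffic")
    inner_rules = {**plan["application_kbps"], **plan["web_content_kbps"]}
    for name, cap in inner_rules.items():
        if cap > group:
            findings.append(
                f"{name} cap {cap} Kbps exceeds the {group} Kbps group cap")
    for name in REVIEW_SETS:
        if name in plan["application_kbps"]:
            findings.append(
                f"{name} is shaped at {plan['application_kbps'][name]} Kbps; "
                "the guide recommends not restricting this application set")
    return findings


# Constructed sample plan for one group (values in Kbps, one direction).
SAMPLE_PLAN = {
    "group_kbps": 2048,
    "application_kbps": {"P2P": 512, "Streaming Media": 3072, "HTTP": 1024},
    "web_content_kbps": {"youtube": 512},
}

if __name__ == "__main__":
    for finding in lint_plan(SAMPLE_PLAN):
        print("finding:", finding)
    for members in (1, 2, 4):
        print(members, "active ->", per_member_ceiling(SAMPLE_PLAN["group_kbps"], members), "Kbps each")
    for name, cap in SAMPLE_PLAN["application_kbps"].items():
        print(name, cap, "Kbps, reporting variance up to", reporting_variance(cap))
```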
Policy Manager
The Policy Manager correlates all policies to groups. That is to say, all the rules you have
created under Time-of-Day Rules, Internet Usage Rules, and Shaping Rules will need to be
assigned to groups using the Policy Manager.
The default groups ContentProtect Security Appliance offers have already been assigned
their corresponding Internet Usage Rules under the Policy Manager. In addition to this, the
default groups use the default Time-of-Day Rule (TDR) of 24 hours a day, 7 days a week.
However, if you would like to change their Internet Usage Rule or TDR, you can do so for all
groups except for the Deny Access Group and the Filter Bypass Group with the Policy
Manager. Also the Policy Manager allows you to assign shaping rules to groups.
Click on Manage -> Policies & Rules -> Policy Manager -> Default Group. This will post the
Add/Edit Policy. Presented here are two tabs: Single Rule Set and Multiple Rule Set. The
Single Rule Set is used for Internet Usage Rules that will apply 24 hours a day, 7 days a
week. The Multiple Rule Set is used for Internet Usage Rules that will use different blocks of
time from TDRs.
Under the Single Rule Set tab, select the Drop-Down Box for Internet Usage Rule Set. This
will present you with all available IURs created under Internet Usage Rules. You may do the
same for shaping rules under the Drop-Down Box for Shaping Rule Set. Once you have
chosen an IUR and Shaping Rule for the group, select Save.
The Multiple Rule Sets are used for assigning different IURs and Shaping Rules for time
blocks created under TDRs. Click on Manage -> Policies & Rules -> Policy Manager ->
Default Group -> Multiple Rule Sets. This tab will post a weekly calendar.
Select the day of the week you will be assigning the time blocks. Towards the bottom will
be a Time-of-Day Rule Set Drop-Down Box. Select this box and choose the TDR you have
created. This will populate the time blocks created. Next, for each time block assign an
Internet Usage Rule Set and a Shaping Rule that will be active for the time specified.
Repeat these steps for each day of the week (you may use the Copy button) and select the
Save button. Once you complete these steps, Group membership, Time-of-day Rules,
Internet Usage Rules, and Shaping Rules will be active for devices and users. Remember to
always use this method when creating groups and policies: create Groups, create Time-of-Day Rules, create Internet Usage Rules, create Shaping Rules, and tie them all together
with the Policy Manager.
Next we’ll discuss the other options available under the Manage tab.
Directory Users & Nodes
ContentProtect Security Appliance can track Internet traffic by devices (Network Nodes) and
by username (if Directory integration has been enabled). Once a device or user is
discovered, ContentProtect Security Appliance will create a profile and list it accordingly
under Directory Users & Nodes. These profiles (devices or users) will then be available for
group membership assignment under the Group menu (Manage -> Policies & Rules ->
Groups).
Directory Users & Nodes lists three separate options: Network Nodes, Directory Users, and
Directory Agent. Network Nodes will list devices discovered by ContentProtect Security
Appliance, while Directory Users will list Directory profiles. Directory Agent will list agents
you have created for your directory servers. These topics are covered in more detail under
Chapter 7: Integrating Directory Users with ContentProtect Security Appliance.
Network Nodes
Click Manage -> Directory Users & Nodes -> Network Nodes. This will post the Network
Node Manager, which lists all devices (Network Nodes) discovered by ContentProtect
Security Appliance. ContentProtect Security Appliance discovers these devices by
examining network traffic as it passes through the bridge interface. Once a unique device is
discovered, ContentProtect Security Appliance will send a port scan to retrieve several
pieces of information to create a profile, i.e., NetBIOS name, Internet Protocol (IP) address,
Operating System (OS), Media Access Control (MAC) address, and open ports.
ContentProtect Security Appliance will also list the scan status and the date the profile was
created.
ContentProtect Security Appliance accomplishes this scan via a utility called Network Mapper
(Nmap). For Nmap to retrieve these pieces of information successfully, some options may
need to be permitted on the network (listed below):
•
UDP port 137
•
Client for Microsoft Network
•
NetBIOS over TCP/IP
•
Samba to respond to NetBIOS queries
•
DNS entries for Macintosh computers
•
Simple Network Management Protocol (SNMP) for Macintosh computers
If after enabling these settings, you need to rescan profiles for missing or changed
information, you can select the profiles under Network Node Manager and click Re-scan port
under the Tasks pane. The Scan Status for the selected profiles will then list Pending. After
several minutes, the profile will be updated with the missing or changed information. If
after rescanning a profile ContentProtect Security Appliance still cannot retrieve the missing
or changed information, you can select profiles and manually enter changes for the profile
name. Don’t forget to Save your changes afterwards.
If you have profiles listed under the Network Node Manager, click on one to see the
information gathered for each device on the network. The first information posted is the
Scan Name (NetBIOS name if available accompanied by the current IP address), Operating
System (OS), Detected OS, and MAC address. Below that are posted two settings: Ignore
multiple IP Addresses from this Network Node and Treat IPs as Remote Subnets from this
Network Node.
Ignore multiple IP Addresses from this Network Node can be used when ContentProtect
Security Appliance identifies a single unique MAC address being used by multiple IP
addresses. This behavior is typical in an asymmetrical network. Because profiles are
created by MAC addresses, ContentProtect Security Appliance can sometimes incorrectly
associate traffic to the wrong Network Node with asymmetrical networks.
If you have an asymmetrical network, you can select Ignore Multiple IP Addresses from this
Network Node, which will permanently associate the IP address to the MAC address listed.
Thus if ContentProtect Security Appliance sees the MAC address being used by another IP
address, ContentProtect Security Appliance will assume this is due to asymmetrical routing
and group the traffic based on the IP address and attempt to discover the true MAC address
of the original sending device.
The next option is Treat IPs as Remote Subnets from this Network Node. By default
ContentProtect Security Appliance will create profiles for network devices in the local subnet
based on MAC addresses. With routed networks, on the other hand, ContentProtect
Security Appliance will create profiles for network devices based on IP addresses. These
profiles will have the MAC addresses listed as all 0s while local profiles will post true MAC
addresses.
There are rare scenarios where profiles based on MAC addresses within the local subnet
should be treated as remote profiles because of unique network architectures, e.g., network
segments separated by layer three devices that use the same broadcast range or physical
connections, asymmetrical networks, etc. In these cases, you may need to regard local
profiles as remote. For more information on configuring ContentProtect Security Appliance
in an asymmetrical or MAC alternating network, please review the tutorial document entitled
How to Configure ContentProtect Security Appliance with Asymmetrical Routing
(http://www.ContentWatch.com/Tutorials.html).
Also listed under the Add/Edit Network Node Detail are the IP addresses used by this
Network Node as well as the open ports, protocols, state and services utilized by the device.
These settings can be sorted by selecting the Column title of each setting.
Another option available under Network Node Manager is the Search box. You can search
for profiles based on IP address, Profile Name (normally the NetBIOS name or IP address),
MAC address, and OS. Simply select the search criteria from the Search Drop-Down Menu,
enter the corresponding value, and hit Enter. For example, to search for a specific MAC
address, select MAC address from the Search Drop-Down Menu, enter the MAC address you
are searching for, and click the Search icon (or press the Enter key).
Use the format presented in the Network Node Manager, i.e., IP addresses are separated by
dots (.) and MAC addresses are not separated by colons (:) to search according to the
values. You can also sort the profiles by Name, IP address, OS, MAC address, Scan Status,
and date profiles were created by clicking on the column titles.
Please note that when ContentProtect Security Appliance is first installed or if new devices
are installed on the network, you may see a profile entitled Unknown Network Node (mostly
under the Report tab). Unknown Network Node simply represents profiles that have not
been completely scanned. In essence, ContentProtect Security Appliance has identified new
devices on the network but has not had sufficient time to complete the profile scan or is in
the process of doing so. With time, this profile will disappear as ContentProtect Security
Appliance is able to complete the profile scan and identify the new profiles.
Lastly, Network Node Manager allows you to license and unlicense devices. Licensing with
ContentProtect Security Appliance is based on network connections or active IP addresses
on the network. That is to say, one hundred connections on your network will constitute
100 Network Node licenses.
For example, in a flat network where all devices are connected via switches or hubs,
ContentProtect Security Appliance can normally discover MAC addresses for individual
devices. With this scenario, licensing and profile creation will be based on unique MAC
addresses. You can verify whether ContentProtect Security Appliance is licensing based on
MAC addresses by reviewing the column of MAC Address under Network Node Manager. If
individual MAC addresses are listed, then ContentProtect Security Appliance is essentially
issuing a license to those MAC addresses.
However, if an entry of all zeros is listed under the column of MAC address, then
ContentProtect Security Appliance is licensing based on IP addresses (typical of routed
networks, as MAC addresses remain in local subnets). This means that individual IP addresses
will consume licenses, and profiles will be based on such. You may review Chapter 6:
Administrating ContentProtect Security Appliance for more information on installing
ContentProtect Security Appliance in a routed network.
Knowing how ContentProtect Security Appliance is issuing licenses will help you better
manage your license count as exceeding the license count can cause inconsistencies with
content filtering and reporting.
For example, devices that are unlicensed are handled quite differently than licensed devices.
Reporting for unlicensed devices will not list individual statistics. Traffic from Unlicensed
Network Nodes will be aggregated into one profile entitled Unlicensed Network Nodes.
Another drawback for Unlicensed Network Nodes is the inability to add these devices to a
group via the Network Node Manager. If a device is unlicensed, you will not be able to
select it when adding members to groups. Lastly, filtering will be handled differently with
Unlicensed Network Nodes.
Filtering for Unlicensed Network Nodes will still be in effect for these devices but depending
upon your group configuration, traffic from Unlicensed Network Nodes can be in different
groups. More than likely traffic from Unlicensed Network Nodes will fall into the Default
Group, but different configurations can change this. For more information on how
ContentProtect Security Appliance handles traffic from Unlicensed Network Nodes, please
see the tutorial document entitled How to Manage Licensing with ContentProtect Security
Appliance (http://www.ContentWatch.com/Tutorials.html).
Other scenarios to be aware of with licensing are devices such as printers, scanners,
network cameras, plotters, or any other “non-user” specific devices that have Internet
connections. Because these devices are configured with a MAC or IP address, they can
potentially consume licenses unless configured otherwise. Also, a device with multiple
Internet connections can possibly take up two licenses, e.g. a laptop with a wireless card
and an Ethernet port.
In addition to multiple Internet connections being a problem, large Dynamic Host
Configuration Protocol (DHCP) ranges or short DHCP lease times can possibly pose an issue
as well with licensing. If licensing is based on IP addresses, for example, a device will be
assigned an IP address via DHCP. ContentProtect Security Appliance will issue a license to
that IP address. If that same device is assigned a different IP address via DHCP,
ContentProtect Security Appliance will again issue an additional license but now to the new
IP address.
Hence, in this scenario a device could possibly consume several licenses depending on how
DHCP is configured. Also please note that historical data and grouping based on IP
addresses will follow IP addresses as well and not the devices per se.
Because of this, it is highly recommended that you purchase sufficient licenses to filter and
report on all connections present in the network. Also, you will want to closely watch your
license count and confirm that you do not exceed the license amount. This can be
accomplished with Network Node Manager.
Click Manage -> Directory Users & Nodes -> Network Nodes. Towards the bottom of the
page you will see a listing of how many licenses have been issued (Showing 1—25 of 100).
The last number listed is the complete number of profiles that have consumed licenses. You
will want to periodically compare this number to your license count to confirm that you have
sufficient licenses to report and filter correctly. Also, the total license count is posted on the
Home Page under Hardware Settings, and System Message Alerts will be sent when the
license count is nearing 80%, 90%, and 100%.
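The following Python sketch is an added example, not part of the ContentWatch guide or the appliance's software. It replays a constructed DHCP lease history to compare how many licenses the same three devices consume under MAC-based and IP-based licensing, and which of the 80%, 90%, and 100% alert levels a given count reaches. The hostnames, addresses, and the assumption that an issued license is not released during the observed period are illustrative.

```python
from collections import defaultdict

# Constructed DHCP lease events (not from a real network): (hostname, MAC, leased IP).
# MACs are written without separators, the format the Network Node Manager uses.
# The hostname is an assumption; it only ties records to one physical device.
LEASE_EVENTS = [
    ("front-desk", "0011AA000001", "10.0.0.21"),
    ("front-desk", "0011AA000001", "10.0.0.57"),  # lease expired, new address
    ("front-desk", "0011AA000001", "10.0.0.83"),  # and again
    ("laptop-7", "0011AA000002", "10.0.0.22"),    # Ethernet port
    ("laptop-7", "0011AA000003", "10.0.0.40"),    # wireless card
    ("printer-2", "0011AA000004", "10.0.0.30"),
    ("printer-2", "0011AA000004", "10.0.0.30"),   # renewal, same address
]

# Percentages at which the guide says System Message Alerts are sent.
ALERT_LEVELS = (100, 90, 80)


def _license_key(event, mode):
    """Return the value a license is tied to: the MAC or the IP address."""
    _host, mac, ip = event
    if mode == "mac":
        return mac
    if mode == "ip":
        return ip
    raise ValueError("mode must be 'mac' or 'ip'")


def licenses_issued(events, mode):
    """Distinct license keys seen, assuming an issued license is never released."""
    return {_license_key(event, mode) for event in events}


def licenses_per_device(events, mode):
    """Map each hostname to the number of licenses it ended up consuming."""
    keys = defaultdict(set)
    for event in events:
        keys[event[0]].add(_license_key(event, mode))
    return {host: len(found) for host, found in keys.items()}


def multi_license_devices(events, mode):
    """Hostnames that consumed more than one license, sorted by name."""
    counts = licenses_per_device(events, mode)
    return sorted(host for host, count in counts.items() if count > 1)


def alert_level(consumed, purchased):
    """Highest alert percentage reached by the consumed count, or None."""
    if purchased <= 0:
        raise ValueError("purchased license count must be positive")
    for level in ALERT_LEVELS:
        # Integer comparison avoids floating-point rounding at the boundary.
        if consumed * 100 >= level * purchased:
            return level
    return None


if __name__ == "__main__":
    purchased = 7  # constructed license count for the illustration
    for mode in ("mac", "ip"):
        used = len(licenses_issued(LEASE_EVENTS, mode))
        print(f"{mode.upper()}-based licensing: {used} of {purchased} licenses, "
              f"alert level {alert_level(used, purchased)}, "
              f"multi-license devices {multi_license_devices(LEASE_EVENTS, mode)}")
```

Under IP-based licensing the desktop whose address changes twice accounts for three licenses on its own, while under MAC-based licensing only the dual-interface laptop consumes more than one.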
Network Node Manager also allows you to license and unlicense selected nodes. For
example, if you have several printers that you do not want to consume licenses, you can
select those profiles and click the Unlicense Selected Nodes button located at the bottom of
the Network Node Manager page (Manage -> Directory Users & Nodes -> Network
Nodes -> Unlicense Selected Nodes). This will flag those profiles as unlicensed, and
ContentProtect Security Appliance will not count those devices towards the total license
count.
Again, unlicensed nodes are handled quite differently than licensed nodes; however, devices
such as printers, network cameras, etc., normally do not need content filtering and shaping.
You can also license profiles that have been unlicensed by changing the License Status to
Unlicensed (located in the top right corner of Network Node Manager). This will post all
devices that have not been issued a license. You may select the profiles that you want to be
licensed and select License Selected Nodes. These profiles will now be issued a license and
counted towards the total license count.
If you need to purchase additional licenses, you may do so from ContentWatch or your
Authorized ContentWatch Reseller. Additional licenses are issued in the form of a license
key and may be entered during the Setup Wizard (Step 1) or under Admin -> Configuration
-> License.
Directory Users
Directory User Manager is similar to Network Node Manager in the sense that this manager
keeps track of all reported profiles. The difference is that Directory User Manager tracks
all Directory Users and not Network Node Profiles. If you have implemented Directory Users
with ContentProtect Security Appliance, the Directory User Manager will post all Directory
User Profiles discovered by ContentProtect Security Appliance.
Directory User Manager will list all user names that ContentProtect Security Appliance has
discovered. Please review Chapter 7: Integrating Directory Users with ContentProtect
Security Appliance for more information. The Directory User Manager will also list the
domain names associated with the profiles, as well as the Directory Agent (if applicable) and
username used to access the directory.
Another option available with the Directory Users Manager is Re-scan Directory User Name
(located under the Tasks pane). This option allows you to update a profile by selecting the
checkbox next to the user profile(s) you want to rescan. After selecting the profiles, select
Re-scan Directory User Name and any changes made to the profiles, i.e., changed name,
new directory group, etc., will be posted under the Directory Users Manager.
Again, Chapter 7 covers these topics in more detail. One last important detail to note is
that Directory Users have no effect on licensing.
Directory Agent
The Directory Agent Manager lists all created Directory Agents used for synchronization of
Directory Users. For more information on this menu, please refer to Chapter 7: Integrating
Directory Users with ContentProtect Security Appliance.
Broadcasts tab
The Broadcast tab grants access to the Broadcast Manager, which displays all email reports
that have been created for automated reporting. Email reports must first be created by
selecting the report you want to email. Once you have done this, you may select the Email
icon under the Tasks pane.
For example, click on Report -> Application -> Application Overview. As a practice, you can
set up this report for a weekly email. Under the Tasks pane select the Email icon, which will
populate the Add/Edit Broadcast field. Fill out the required information such as Name,
Description, Send To:, Send From:, Reply To:, Subject Line, Send Format, and Schedule.
If you need to send the email to multiple recipients, separate the email addresses with a
semicolon (;). Also, the recommended Send Format is PDF as this format is more presentable;
however, other formats available are HTML, XML, and CSV.
The schedule will depend on how frequent you want the automated report sent. For
example, if you choose Weekly, several new fields will appear that will allow you to select
the day of the week you want the report to run. The same is true with Monthly and Yearly.
Once you have created the report and filled out the necessary fields, you will need to select
an Activation mode for the email.
Run Now will send the email report as soon as it is created. Send Once and Delete will send
the report at the scheduled time and will then automatically delete the report once it has
been sent. Activate Broadcast must be selected for any action to occur. Once you have
selected all settings, don’t forget to select the Save button.
Now that you have created the email report, it will be saved under the Broadcast Manager
(unless you have selected Send Once and Delete). If you need to alter or delete the report
in the future, you may do so under the Broadcast Manager by selecting the individual Email
Broadcast or selecting the checkbox next to the report and clicking the Delete Selected
button.
All Email Broadcasts are handled by ContentWatch’s in-house Report Server. After you have
created and activated an Email Broadcast, the data is encrypted using Secure Socket Layer
(SSL) and sent to ContentWatch’s Report Server. The Report Server processes the
encrypted data and creates the desired report in the selected format. The Report Server
then sends the completed report to the requested email address(es) for retrieval. The
process creates performance advantages for ContentProtect Security Appliance while still
allowing automatic delivery of important reports and information.
Also, after the finalized Email Broadcast has been sent, the data is immediately deleted from
the Report Server. The entire process normally takes less than 5 seconds. Physical access
at ContentWatch’s Report Server is permitted through a minimum of two biometric
authentication systems. On-site staff is notified of all building access in real time and
environmental systems are maintained with N+1 redundancy.
Because the data is leaving ContentProtect Security Appliance, some technical
considerations may need to be implemented in order for the recipients to receive email
reports. For example, if a spam filter is present on the network, you may need to allow
email transmissions from ContentWatch’s Internet Service Provider (IP.XMISSION.COM).
In addition to this, you may need to use different email addresses for the sender and the
receiver of the email, as identical sender and receiver addresses are commonly flagged as
spoofing techniques. Also note that when the data leaves ContentProtect Security Appliance
for ContentWatch’s Report Server, all data is encrypted. However, the transmission from
ContentWatch’s Report Server to the recipients is not encrypted. Nevertheless, this is the
same level of security as most common email messages sent over the Internet.
System Access tab
ContentProtect Security Appliance allows you to create multiple login accounts used to
access the system. All accounts are listed under the Manage -> System Access -> Logins
menu. By default only one account is present on the device (the admin account with a
password of contentprotect).
Administrative login accounts can do anything that the default admin account can do. They
can view any report and can make any configuration changes. Another access level exists
(Read-Only) which allows users to view reports and configuration settings. However, users
with Read-Only access cannot make configuration or administrative changes to the device.
The Add/Edit Login Detail field (Manage -> System Access -> Logins -> Admin) allows you
to customize all logins with User Name, Password, First Name, Last Name, Email Address,
Admin Level (if you would like to create a login that does not have Admin Level, uncheck
the box), and Activate Login (the login will not be accessible until this option is checked).
Don’t forget to Save your changes after creating or modifying a login.
We strongly recommend that you create a new administrative login, and change the
default login password to limit access to the management interface. Select the Manage
-> System Access -> Logins link to make these changes.
Applications tab
The Applications tab is designed for expert use. This menu and submenus allow you to
customize applications and redefine default signature sets for a more tailored environment.
The default application sets provided should be sufficient for most environments.
Nonetheless, if you would like to customize signature definitions as well as Traffic Flow Rule
Sets (TFRS), you can do so under the Applications tab. The three options available under
the Applications tab are Traffic Flow Rule Sets, Applications Sets, and Applications. A more
detailed explanation on how to customize TFRS and Application Sets is available on
ContentWatch Knowledge Base entitled How to Create Custom Signatures
(http://www.ContentWatch.com/Tutorials.html).
Traffic Flow Rule Sets
Traffic Flow Rule Sets (TFRS) are the basic traffic identification and control engine within
ContentProtect Security Appliance. By default, TFRS define content rules and implement
restrictions on identified traffic. ContentProtect Security Appliance ships with 12 default
TFRS (for more information see previous section on Traffic Flow Rules Sets); however, you
can customize TFRS using the Traffic Flow Rule Set Manager.
For example, suppose you had a group of users that needed a variety of functions not
available in the default TFRS. Case in point would be the need to filter Web traffic (Web
Filter), deny IM Client communications (Deny IM), and block HTTPS traffic (SSL Block).
There are several default TFRS that can do some of these options; however, there is no one
TFRS that has all components (Web Filter + Deny IM + SSL Block). Nevertheless, the
Traffic Flow Rule Set Manager allows you to combine or delete components of the TFRS to
tailor how traffic will be handled.
Select Manage -> Applications -> Traffic Flow Rule Sets. Rather than editing the default
TFRS, you can copy them and make the necessary changes to create a custom TFRS.
Although you can select the default TFRS and edit them, it is highly recommended that
you do not edit default TFRS. Doing so can cause severe problems if the TFRS are
configured incorrectly. You are better served by copying default TFRS and editing the
copies.
The key factor in creating a custom TFRS is to choose a default one that closely represents
the end result. For this example, we will select to copy the TFRS of Web Filter + Deny IM
and afterwards add the component of SSL Block. Copying TFRS is quite simple: select the
checkbox next to the TFRS that is going to be copied and select the Copy Selected button.
This will bring up the Add/Edit Traffic Flow Rule Set field. Here, you can create a distinct
name and description for the custom TFRS. This field also allows you to remove certain
applications for the TFRS. For example, if you didn’t want this TFRS to identify ICMP traffic,
you could remove this application using the < Remove button. More often than not, you will
only want to customize the name and description in this field as removing applications can
cause unexpected effects. Another suggestion is to name the TFRS according to the
targets. In our example, we would name the TFRS Web Filter + Deny IM + SSL Block.
Again, don’t forget to Save your changes.
Once you have created a custom TFRS, you will alter the targets according to the desired
modifications. This is done under the Application Signature Manager (covered later under
the Applications section). In our example, we have created a custom TFRS to block SSL
traffic, so we will need to alter the SSL targets to block this traffic. The steps to alter
targets are covered under the next sections.
Other options available under the Traffic Flow Rule Set Manager are deleting and creating.
There is also a search box to search available TFRS. Now let’s continue our example of a
custom TFRS by discussing the Application Sets and Applications menus. The following
sections will give a brief explanation of the options available and a common example of
configuration changes.
Application Sets
Application sets, or simply signature sets, are groups of signatures for similar applications
that perform a comparable purpose. For example, the signature set of Remote
Desktop/Remote Control/X comprises the applications of PC Anywhere, Citrix, GoToMyPC,
Microsoft’s Remote Desktop, and many more. Because these applications use similar
signatures and perform an equivalent purpose (connecting users remotely to computers)
the different applications are grouped together in an Application set.
The Application Signature Set Manager (Manage -> Applications -> Application Sets) lists all
sets of applications that ContentProtect Security Appliance can identify and shape.
Currently there are 23 Application Sets that ContentProtect Security Appliance identifies.
• Chat and IM—this application set comprises signature definitions for chat and IM
  applications, e.g., Windows Live Messenger, Yahoo! Messenger, etc.
• Databases—this application set comprises signature definitions for database
  applications, e.g., SQL, Oracle, etc.
• DNS/Naming/Locators and Information—this application set comprises signature
  definitions for services that identify domains, users, and devices on a network, e.g.,
  Domain Name Service (DNS), Lightweight Directory Access Protocol (LDAP), etc.
• Email, Paging, and Collaboration—this application set comprises signature definitions
  for email services and protocols used to transmit emails, e.g., Simple Mail Transfer
  Protocol (SMTP), Internet Message Access Protocol (IMAP), etc.
• FTP/File Transfer—this application set comprises signature definitions for File
  Transfer Protocol (FTP).
• Games—this application set comprises signature definitions for online games or
  network games, e.g., XBOX Live, World of Warcraft, etc.
• HTTP—this application set comprises signature definitions for Web traffic or
  Hypertext Transfer Protocol (HTTP).
• ICMP—this application set comprises signature definitions for Internet Control
  Message Protocol (ICMP), e.g., PING.
• NetBIOS/Microsoft File Services—this application set comprises signature definitions
  for Network Basic Input/Output Service (NetBIOS) and Server Message Block (SMB
  or Samba) protocol.
• Network Management and Monitoring—this application set comprises signature
  definitions for services that manage and monitor networks, e.g., Simple Network
  Management Protocol (SNMP), Network Management Service (NMS), etc.
• Network Routing—this application set comprises signature definitions for networking
  protocols, e.g., Routing Information Protocol (RIP), Network Control Program (NCP),
  etc.
• Network Utility—this application set comprises signature definitions for protocols
  used to manage networking devices, e.g., Dynamic Host Configuration Protocol
  (DHCP), NSW under System FE.
• Peer to Peer—this application set comprises signature definitions for programs that
  share files via a direct (peer to peer) connection, e.g., BitTorrent, Gnutella, etc.
• Printing and Reporting—this application set comprises signature definitions for
  printing and reporting services, e.g., Network Printing, Internet Printing, etc.
• Proxy and Cache—this application set comprises signature definitions for Proxy and
  cache servers, e.g., Squid, Sockets Server (SOCKS), etc.
• Remote Desktop/Remote Control/X—this application set comprises signature
  definitions for programs used for remote management and administration, e.g., PC
  Anywhere, Citrix, etc.
• RPC/Remote Execution and Message—this application set comprises signature
  definitions for programs that execute other programs or routines remotely, e.g.,
  Remote Procedure Call (RPC), IBM’s Tivoli, etc.
• Security, Auditing, and Auth—this application set comprises signature definitions for
  network protocols that authenticate and secure users or devices, e.g., Kerberos,
  Pretty Good Privacy (PGP), etc.
• Streaming Media—this application set comprises signature definitions for programs
  that stream audio and video content, e.g., Windows Media Player, Flash, etc.
• Telnet and SSH—this application set comprises signature definitions for applications
  that use Telecommunication Network (Telnet) and Secure Shell (SSH) protocols.
• Uncategorized—this application set comprises all traffic that does not meet a specific
  application set.
• VOIP and Voice Chat—this application set comprises signature definitions for Voice
  over Internet Protocol (VoIP) and programs that facilitate voice conversations over
  the Internet, e.g., Ventrilo, Buddy Phone, etc.
• VPN and Tunnel—this application set comprises signature definitions for protocols
  used for Virtual Private Network (VPN) and for tunneling, e.g., Internet Protocol
  Security (IPSec), Secure Socket Layer (SSL), etc.
The Application Signature Set Manager also allows you to select Application Sets to review
all applications present within the set. In addition to reviewing the applications within the
set, you may add or remove individual applications. For example, if you wanted to separate
Citrix traffic from Remote Desktop/Remote Control/X application set for individual shaping
and reporting, you could create a new application set or custom TFRS to do so.
Once more, this menu is intended for expert use. As such, you may want to review the
Tutorial Document on how to create a custom signature located at ContentWatch Knowledge
Base (http://www.ContentWatch.com/Tutorials.html). Still, following the example in the
previous section of creating a custom TFRS of Web Filter + Deny IM + SSL Block, we will
create a custom Application Set. In this example, we will separate SMTP traffic from the
Email, Paging, and Collaboration Application Set.
Click Manage -> Applications -> Application Sets -> Create. This will populate the Add/Edit
Application Set Details field. Here you will give the custom application set a Name and
Description. In our example, we will call the Application Set SMTP. Don’t forget to Save the
changes.
Once a custom TFRS and Application Set have been created, you will need to alter the
individual applications under the Application Manager. These final steps are covered in the
next section.
Two other options available under the Application Signature Set Manager are the ability to
search for Application Sets using the Search box (located in the upper-left corner) and the
ability to delete a custom Application Set using the Delete Selected button (located at the
bottom of the page).
Applications
Now that we have detailed the applications listed under each Application Set, we can now
look at the individual applications that ContentProtect Security Appliance can shape. This
can be accomplished under the Applications Menu.
Like other menus under the Applications menu, this menu is intended for expert use. The
Applications menu will allow you to finish creating the custom TFRS. You can also finish
altering the Application Set to add or remove specific applications for an Application Set.
Lastly, this menu allows you to search for individual applications, values (ports), and
application sets to see how traffic is being categorized.
Click Manage -> Applications -> Applications. This will bring up the Application Signature
Manager. The Application Signature manager lists each individual application alphabetically
according to the Traffic Flow Rule Set listed in the top right-hand corner. You can also
search for a particular application based on the Name, Application Set, or Value and sort the
different applications by the column titles. Below are the column titles and corresponding
definitions:
• Name—this is the name of the application.
• Application Set—this will list which application set the application belongs under.
• Type—this will list the type of signature identification used to recognize the traffic.
  The different types are the following:
    o Destination Port—this type is the target port of the application.
    o Diff Serv—this type is the Differentiated Services (DiffServ) of the application.
      DiffServ is a networking architecture that specifies a simple, scalable and
      coarse-grained mechanism for classifying and managing network traffic and
      providing Quality of Service (QoS).
    o Type of Service—this type is the Type of Service (TOS) of the application.
      TOS is a single-byte field in an IP packet header that specifies the service
      level required for the packet.
    o Length—this type is the Ethernet Length of the application. Ethernet length
      specifies the size of the frame used within the network interface.
    o VLAN—this type is the Virtual Local Area Network (VLAN) used for the
      application.
    o Protocol Only—this type is the protocol used for the application, i.e., TCP,
      UDP, etc.
    o Layer7—this type is ContentProtect Security Appliance’s Layer 7 signature
      used for the application.
    o Source and Destination Port—this type is the sending and target port of the
      application.
    o Source Port—this type is the sending port of the application.
    o XLi Engine—this type is the Cross Layer Intelligence (XLi) Engine used for the
      application. XLi is the component of ContentProtect Security Appliance that
      scans and identifies packet payload using 6 layers of the OSI model.
    o Web Request MIME Type—this type is the Multipurpose Internet Mail
      Extensions (MIME) for the application.
    o Web Request File Type—this type is the File Type for the application.
• Value—this will list the corresponding measures from the Type field. For example,
  under the application of HTTP, the Type is listed as Destination Port; hence, the
  Value is listed as 80, as this is the destination port number for HTTP traffic.
  Other entries listed here will be the XLi values, File Type values, MIME values, and all
  other associated values for Types.
• Target—this will list what actions will be taken with the corresponding application.
  For example, if the target is set to Pass Thru the application will be allowed. Other
  options available are Deny (block traffic), None (no action taken), Web Filter
  (content filtering, web logging, spyware scanning, and virus scanning) and Web
  Logging (only logs web request URLs).
To review the different options for each application, you will need to create a custom TFRS.
Let’s continue with the example of the custom TFRS created in the previous section. In the
top right-hand corner, select the link for the TFRS of IM Only. This will then list all TFRS
available. Choose Web Filter + Deny IM + SSL Block.
Notice how the individual applications are now clickable. By creating a custom TFRS and
application set, you can adjust each application and change settings such as Protocol, Type,
and Value. Remember that we need to change the target of the custom TFRS to deny SSL
traffic. You can do this by changing the Target field under the SSL applications.
Click on the drop-down search box and select Value as the search criteria. Enter in the
value of SSL and hit the Enter key. The Application Signatures Manager will post the
associated applications for SSL traffic. Select the application of SSL CONNECT L7. This will
show the Add/Edit Application Detail page.
The Add/Edit Application Detail field allows you to change the Name of the application as
well as other options, i.e., the Description, Application Set, Traffic Flow Rule Set, Type,
Value, Protocol, and Target. Again, changing options can cause serious errors if you are
unsure of the settings. More often than not you will only need to change the Application
Set, Traffic Flow Rule Set, and Value. In general only use Destination Port, Source Port, and
Source and Destination Port for the Type field. Finally, for Protocol you will probably only
need to use TCP and UDP, and Target with Pass Thru or Deny.
To block all SSL connections, change the targets from Pass Thru to Deny. Once you
save the changes, all SSL connections will be blocked. You will need to do this for all other
applications that use SSL (search for HTTPS applications as well).
Once you have set all SSL applications to Deny, you only need to apply the custom TFRS.
This is done by creating an Internet Usage Rule and applying it to a group under the Policy
Manager. Please review the sections Internet Usage Rules and Policy Manager for more
information.
Before leaving the Application Signature Manager, we can continue with the example of
separating an application from an application set. Again, click on Manage -> Applications ->
Applications. Make sure the custom TFRS is selected as the Traffic Flow Rule Set in the
top right-hand corner.
Now, let’s search for the application that we’re going to separate. Select Name as the
Search criteria and enter the name of the application. In our example we will search for
SMTP traffic. This will post all applications that use SMTP as a signature. Because we have
created a custom TFRS and application set, we can select the applications to separate or
modify them. In this example, we will separate SMTP from the application set of Email,
Paging, and Collaboration and tie it to the custom Application Set of SMTP (created in the
previous section).
Click on the first SMTP application (On Demand SMTP Relay). This will post the Add/Edit
Application Detail. Here, change the Application Set from Email, Paging, and
Collaboration to SMTP. Don’t forget to Save your changes. Repeat the previous steps for all
applications listed after the search.
Again, these changes will take final effect once they are initiated under Internet Usage Rules
and Policy Manager.
One last option available under the Applications Set Manager is deleting custom
applications. You may follow the general instructions listed above to create custom TFRS or
Applications Set or review a more complete tutorial of these steps entitled How to Create
Custom Signatures (http://www.ContentWatch.com/Tutorials.html).
This concludes Chapter 5: Managing ContentProtect Security Appliance. The next chapters
describe advanced configuration methods and options with ContentProtect Security
Appliance followed by chapters dedicated to Directory Users and HTTPS/SSL Filtering.
Chapter 6: Administrating ContentProtect Security Appliance
The Admin tab of ContentProtect Security Appliance provides you with administration
functions for initial configuration of the device. Also available are maintenance options such
as backup settings and diagnostic tools that allow you to prevent failures or down time.
Lastly, the Admin tab has advanced configuration options for Directory Users, SSL
Certificate, custom redirection pages, and Spyware Removal. This chapter is divided into 6
sections.
• Setup Wizard
• Configuration tab
• Diagnostic Tools tab
• Downloads tab
• Logs tab
• Redirection Pages tab
• Utilities tab
Setup Wizard
The Setup Wizard is available during the first login to ContentProtect Security Appliance and
if the device has been reset back to factory defaults. If you would like to run the Setup
Wizard again after the initial setup, you may do so with this tab. Remember that the Setup
Wizard does require a live Internet connection to the network and will reboot if a firmware
upgrade is downloaded. For more information, please review Chapter 2: Installing
ContentProtect Security Appliance.
Configuration tab
The Configuration tab provides you with a variety of tools that can help manage the
installation and maintenance of ContentProtect Security Appliance. The options available
under this tab allow you to optimize and customize your ContentProtect Security Appliance
to meet the organization’s needs. Among these settings are basic and advanced settings,
license settings, LDAP, remote subnets, backup settings and static routes. This menu is
intended for manual configurations of ContentProtect Security Appliance if you are unable to
run the Setup Wizard or need to customize settings. Below are all the options available
under the Configuration tab.
Setup
Use this menu to manually assign an IP address and Subnet Mask to the Bridge (WAN/LAN)
interface. You can also assign a default gateway, DNS Server, and an IP address and
Subnet Mask to the Management/Auxiliary Port. Remember that the IP address assigned to
the Management/Auxiliary Port cannot be in any active subnet in your network. You can
also use this menu to enter in the name or IP address of the Email server (if you would like
to receive email alerts for viral web downloads). Lastly, you can specify the time zone for
ContentProtect Security Appliance. Don’t forget to Apply any changes made.
Advanced Setup
The Advanced Setup provides you with enhanced configuration settings that are used for
customization of ContentProtect Security Appliance within the network. Most of the below
options are enabled by default; however, if ContentProtect Security Appliance is installed in
a more complex or uncommon network topology, you may need to disable or adjust some of
the settings.
• Domain—this allows you to identify the domain name in which ContentProtect
Security Appliance is installed.
• Enable Port Scanning / OS Detection—this refers to the Nmap scan that is performed
when a unique profile is discovered. This setting allows ContentProtect Security
Appliance to post unique information about each device present on the network.
However, some security settings may identify Nmap scans as intrusions; as such,
you can disable this feature by unchecking this setting. For more information see
section Network Nodes in Chapter 5: Managing ContentProtect Security Appliance.
• Enable TCP Window Scaling—this allows ContentProtect Security Appliance to send a
larger window size to improve TCP performance in networks with large bandwidth.
However, some routers or web sites do not support this feature and can cause
latency. If you are experiencing latency with ContentProtect Security Appliance or
connection failure to web sites, you may need to disable this option to improve
performance.
• Disable MAC based Network Node Discovery—this is used when you do not want
ContentProtect Security Appliance to create profiles based on MAC addresses. As
previously mentioned in Chapter 5, devices located in ContentProtect Security
Appliance’s local subnet will be profiled based on MAC addresses. If you would
prefer ContentProtect Security Appliance to profile these devices based on IP
addresses, you will need to check this option.
• NTP Server—this is used to specify a Network Time Protocol (NTP) server used to
sync time for ContentProtect Security Appliance. The default setting is pool.ntp.org;
however, if you have an NTP server or an Active Directory server and would prefer to
use those devices instead, you may enter in either the IP address or domain name
for the device in this field. Also, for NTP to function properly UDP port 123 must be
open for ContentProtect Security Appliance.
• HTTP Keep-Alive Mode HTTP—this allows ContentProtect Security Appliance to use
the same connection to send and receive multiple HTTP requests and responses, as
opposed to opening new connections for every single HTTP request or response. This
option can improve performance on frequently visited web sites and should be
checked. This option is also necessary if you want to enable HTTPS/SSL Filtering.
• Enhanced Bridging Mode (EBM)—this allows ContentProtect Security Appliance to act
as a transparent bridge. As a transparent bridge, ContentProtect Security Appliance
does not modify the web request or response beyond what is required for content
filtering and identification.
EBM facilitates an easier installation, especially in a routed network, without
requiring static routes or running the risk of dropping network traffic. Because EBM
does not alter web requests, ContentProtect Security Appliance can rely on
networking devices already present to route traffic correctly.
We highly recommend that EBM is enabled to avoid interrupting network traffic.
Lastly, EBM can improve performance with ContentProtect Security Appliance and is
necessary for HTTPS/SSL Filtering.
• Allow HTTP Connections on port 8888—this allows ContentProtect Security Appliance
to act as a proxy for web traffic. This option must be selected if you would like to
install ContentProtect Security Appliance in Proxy Mode or use NTLM Web
Authentication. Please see sections Proxy Mode in Chapter 2 and NTLM Web
Authentication in Chapter 7 for more information.
• Enable Summary Tables—this allows ContentProtect Security Appliance to summarize
or condense large web reports, allowing for faster response times for Internet Usage
reports. This utility will index web reports and correlations for all reports. For more
information please see the section Report Recommendations in Chapter 3:
Generating Reports.
• Summary Table Conversion Utility—this utility will take previous data that has not
been summarized and create summary tables. Selecting the link will present three
options for converting previous data: Web Request Summary Table, Level 1
Summary, and Level 2 Summary. Web Request Summary Table will summarize all
Web requests data. Level 1 Summary Table will summarize the first correlation for
those reports, i.e., first correlation by Category, Host, File Type, MIME Type, Group,
Directory User, and Network Node. Level 2 Summary Table will summarize the
second correlation for those reports, i.e., second correlation by Category, Host, File
Type, MIME Type, Group, Directory User, and Network Node. For more information
please see the section Report Recommendations in Chapter 3: Generating Reports.
• Network Normalization Mode—this setting enables ContentProtect Security Appliance
to discover MAC addresses in an asymmetrical network or where MAC addresses are
alternating. For example, if MAC addresses change during data transmission,
ContentProtect Security Appliance can encounter a problem with group assignments
and reporting. However, by enabling Network Normalization Mode, ContentProtect
Security Appliance can send Address Resolution Protocol (ARP) requests and discover
MAC addresses of devices, and therefore group and report correctly. The
recommended setting for this option is to be enabled (checked). For more
information on this setting, please review the tutorial document entitled How to
Configure ContentProtect Security Appliance with Asymmetrical Routing
(http://www.ContentWatch.com/Tutorials.html).
• Allow DNS and HTTP block page for Deny Access Traffic Flow Rule Set—this will
present group members of the Deny Access Group a blocked redirection page if they
attempt to access the Internet. Please note that for this page to post, DNS and
HTTP traffic will be allowed to pass for the Deny Access Group for initial connections.
• Database Timeout—this setting places a limit (in minutes) of how much time
ContentProtect Security Appliance has to complete a report. Because ContentProtect
Security Appliance runs several different functions simultaneously (filtering, shaping,
reporting, etc.), priority is given to filtering and shaping so that reporting does not
consume resources that may impact network performance. ContentProtect Security
Appliance has a default timeout of five minutes for reports to complete. If a report
cannot complete within the five minutes, you will receive a timeout message stating
accordingly.
If needed, you may alter the time limit with this setting. You can allocate up to 15
minutes for reports to complete. Please see the section Report Recommendations in
Chapter 4: Generating Reports for more information.
• Group Member Type Precedence (GMTP)—this option is critical for assigning devices
and users to correct groups. Because ContentProtect Security Appliance allows for
multiple groups, a problem can arise when a device or a user can possibly be in
multiple groups at the same time. For example, if a user begins to access the
Internet, ContentProtect Security Appliance can identify the user and place him/her
in a group by MAC address, IP address, or the Directory User account. The scenario
can become even more complex if ContentProtect Security Appliance is configured to
identify multiple groups based on VLANs, specific IP addresses, or Classless Inter-Domain
Routing (CIDR) Blocks. The default list should be sufficient; nonetheless, if
you are experiencing problems with users being assigned to incorrect groups, please
review the Tutorial Document entitled How to Configure Group Member Type
Precedence on ContentWatch Knowledge Base
(http://www.ContentWatch.com/Tutorials.html).
Ethernet Settings
This menu allows you to hard code speed and duplex settings for the WAN, LAN, and
Management/Auxiliary ports. As mentioned in Chapter 2: Installing ContentProtect Security
Appliance, normally ContentProtect Security Appliance will auto-negotiate correctly with the
devices directly connected into the ports. However, if ContentProtect Security Appliance is
unable to auto-negotiate correctly, you may need to hard set the speed and duplex settings.
This can be done under the Ethernet Settings menu. Please note that if you make changes
under this menu, more than likely you will need to hard code the interface settings of the
devices connected to ContentProtect Security Appliance’s ports. Also note that you may
experience some network interruption while ContentProtect Security Appliance makes the
necessary changes.
Company Settings
Company Settings allows you to customize ContentProtect Security Appliance and the GUI
with information pertinent to the organization. This menu allows you to enter in the
Company Name, Company Address, Company City, Company State, Company ZIP Code,
Technical Admin Name, and Technical Admin E-mail. Once done, these settings will be reflected
in other menus as well (Anti-Virus Email Alert, ContentProtect Security Appliance’s Menu
Bar, etc.).
Registration Settings
The Registration Settings menu presents the information that is used to register
ContentProtect Security Appliance. The settings are the same as the Company Settings
with two differences: Company Address 2 and Technical Admin Phone.
Miscellaneous (Misc.) Settings
Miscellaneous Settings displays five important options that are used in a variety of menus.
The first two settings (Available Upload Bandwidth and Available Download Bandwidth) are
used to calculate percentage for both shaping rules and reporting values and will cap total
bandwidth available within the network. The default settings are set to 5000 Kbps and will
restrict traffic to that amount. If you have not adjusted this amount for your bandwidth,
please do so during the Setup Wizard or under this menu.
Please note that the amounts listed in the available upload and download under
Miscellaneous Settings will restrict total traffic through ContentProtect Security
Appliance. Make sure that the amounts entered in these fields are the correct amounts for
your network.
The next option, Web Time Online seconds per hit, is used to calculate the amount of time
for the Web Time Online Report (Report -> Internet Usage -> Web Time Online). Please
note that the Web Time Online report is an estimated value generated by counting the
number of hits per page, and then multiplying the number of hits by the number listed
under this setting.
The default setting of 20 seconds is an approximation based on typical business usage.
However, in other circumstances the values may need to be altered.
Simple Network Management Protocol (SNMP) can be used to monitor the state of
ContentProtect Security Appliance and poll the device to verify its CPU, hard drive usage,
and other pertinent information. SNMP works through a software component called an agent that
runs on ContentProtect Security Appliance and reports information via SNMP to the
managing systems. The managing system can retrieve the information through the GET
and WALK protocol operations. Although you will have to supply the SNMP managing
system to retrieve the information, the following fields will allow you to interact with
ContentProtect Security Appliance’s SNMP agent.
The first field, SNMP Read Only Community, is the password used for the GET requests and
allows access to ContentProtect Security Appliance’s SNMP agent. The default setting for
this field is public, but the Read Only Community password can be changed to the desired
password with this menu. Don’t forget to Apply the changes after altering the field.
Afterwards, you can use the SNMP GET command to poll the following values from
ContentProtect Security Appliance.
ContentProtect Security Appliance SNMP Values
Value   Result
1       CPU Percent
2       Hard Drive Usage Percent
3       Web Hits
4       Web Hits by Category ID
5       Web Category Name by ID
6       Application Set Name by ID
7       Application Set Upload by ID
8       Application Set Download by ID
9       Total Traffic Upload/Download
10      Number of Possibly Infected Spyware
11      Number of Possibly Infected Virus
Also, please note that the Object Identifier (OID) for ContentProtect Security Appliance is
1.3.6.1.4.1.31010. With the above listed values and ContentProtect Security Appliance’s
OID, you should be able to use the SNMP Get command:
snmpget -v 2c -c public localhost 1.3.6.1.4.1.31010.1.
The WALK command allows you to use the SNMP GETNEXT request to query ContentProtect
Security Appliance for several pieces of information. SNMPWALK will search all SNMP
values for ContentProtect Security Appliance and post the corresponding values. Again,
with ContentProtect Security Appliance’s OID, you can query ContentProtect Security
Appliance’s SNMP agent for all values present:
snmpwalk -v 2c -c public localhost 1.3.6.1.4.1.31010.1
The next setting is the SNMP Read Write Community. This setting is used to set SNMP MIB
variables to a specified value. These writes are protected by the write community string,
which is set to private by default. However, this field allows you to alter the
password for the SNMP Read Write Community. Any changes made to these two fields will
not take effect until you Apply the changes.
Update Settings
The Update Settings menu lists the available updates for ContentProtect Security Appliance.
These updates are divided into five categories: Firmware, Software, Content Filter,
Spyware, and Anti-Virus. Firmware updates deal with new features, ContentProtect
Security Appliance OS upgrades, and signature updates. Software updates deal with
component changes, maintenance patches, and code resolutions. Content Filter updates
are for updating web categories, web sites, and file types. Spyware updates are for new
definitions on spyware, while Anti-Virus handles new definitions for web viruses.
All updates can be configured to execute automatically via the Enable check boxes and Daily
Schedule Drop-Down Boxes, except for Firmware updates. Firmware updates require a reboot,
so you will need to manually update the
firmware using the Update Now button. You will be notified via the Message Center on the
Home Page when a new firmware version is offered.
For updates to be successful, ContentProtect Security Appliance will need access to port 80
as well as authorization to download MD5 checksums. Also, you should schedule updates
during non-peak traffic times as some services may need to restart after the updates have
completed. Default settings for Update Settings are 1am for Software, 2am for Content
Filter, 3am for Spyware, and 4am for Anti-Virus.
Custom Category Rules
The Custom Category Rules menu allows you to modify or create web site categorization.
This menu allows you to categorize web sites that have been miscategorized, that do not have
an explicit categorization, or for which your organization needs a distinct categorization.
For example, by default the web site YouTube is categorized as Online Communities.
However, for your organization YouTube may be considered more of a streaming media web
site than an online community. The Custom Category Rules allow you to enter the URL of
YouTube and “re-categorize” the site as Streaming Media instead of Online Communities.
This rule will then take effect for both reporting and Internet Usage Rules (IURs).
To categorize a web site with the Custom Category Rules, enter the URL in the Match String
field. Afterwards, choose a Compare String for the entry. There are three distinct compare
strings that can be used to categorize web sites: URL-Regular Expression, URL, and Domain.
• URL-Regular Expression—this compare string utilizes regular expressions to
categorize web sites. A regular expression (regex) is a method used to describe a
string of text using metacharacters or wildcard symbols. To use URL-Regular
Expression, you will need to understand the functions of regular expression
metacharacters. URL-Regular Expression supports POSIX
Basic and Extended Regular Expressions. A complete discussion of regular
expression capabilities is beyond the scope of this document.
• URL—this compare string looks for an exact URL match. Use this compare string to
categorize specific web pages where an exact match is necessary. For example, an
entry of youtube.com/forums will categorize YouTube’s forum web page, but not
necessarily other YouTube web pages. However, you can use an asterisk symbol (*)
as a wildcard with the compare string of URL. For instance, an entry of
http://www.youtube.com* will categorize any web page that begins with
http://www.youtube.com.
• Domain—this compare string looks for any web page that begins with the domain
name of the web site. Use this compare string to categorize web sites where the
domain name is constant in the URL. For example, an entry of youtube.com will
categorize all of YouTube’s web pages. You can also use an asterisk symbol (*) as a
wildcard with the compare string of Domain. For instance, an entry of *youtube.com
will categorize any web page that has youtube.com in the domain name regardless
of http, https, or www.
After you make your entry in the Match String field and choose a Compare String, select
the category to which the web site will be assigned. You can also create your own category by
selecting the **Add a Custom Category** selection. Once selected, you can enter the
name of the custom category.
Afterwards, you can choose which priority level will be assigned to the entry. Priority levels
are only used when there are conflicts with other custom categorizations. For example,
if you choose to categorize the web site youtube.com as Streaming Media but the web page
of youtube.com/forums as Online Communities, you would select the URL of
youtube.com/forums as a high priority. This indicates to ContentProtect Security Appliance
to always categorize youtube.com/forums as Online Communities while other web sites
under youtube.com will be categorized as Streaming Media. If there is any site with
conflicting criteria, the higher priority rule will direct the categorization.
To finalize your entry, click the Update button followed by the Apply button. Other options
available in this menu are Reset (clear current entries under the Add/Edit Custom Category
Rules), Remove Selected Rows (clear selected custom category entry), Edit Selected Rows
(modify selected custom category entry), Export List and Import List (export or import a
plain text file of entries from the custom category list), and Cancel button.
Custom Category Options
The Custom Category Options menu works in conjunction with the Custom Category Rules and has
two tabs: Categories and Precedence. The Categories tab allows you to create or modify
categories listed in ContentProtect Security Appliance’s current category list.
For example, the category of Computers and Internet covers web sites that post information
about computers and software but also covers web sites with information about the Web
and the Internet in general. If you wanted to separate this category into two separate
categories, i.e., one category called Internet and another called Computers, you could
create two new categories with the Custom Category Options menu.
As you add web sites to these new categories, the names of these categories will appear in
the new category list under Admin -> Configuration -> Custom Category Rules -> Assign a
Category as well as under the Edit Blocked Categories list. To add a new category, enter
the name of the category in the Add/Edit Category Name field and click the Update button.
Other options available are Edit Selected Row, Apply, and Cancel.
The Precedence tab allows you to modify the order in which the Compare String is examined
for classification of web sites. The Custom Category Rules use three compare strings to
classify web sites: URL-Regular Expression, URL, and Domain. The default order should be
sufficient, but you can alter the order by clicking and dragging an entry and then selecting
the Apply button. The Cancel button is also available under this menu.
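The following added example (not ContentWatch code) models how the three compare strings, priority levels, and compare-string precedence described above can combine, so that a rule list can be checked before it is imported. The numeric priority scale, the precedence order, the scheme handling for URL entries, and the use of Python's re module in place of POSIX regular expressions are assumptions; the rules and URLs are constructed from this guide's YouTube example.

```python
import re
from dataclasses import dataclass

# Compare strings named in this guide. The order is used as the tie-break when
# two matching rules share a priority. The guide does not state the default
# order, so this order is an assumption.
PRECEDENCE = ("URL-Regular Expression", "URL", "Domain")


@dataclass(frozen=True)
class Rule:
    match_string: str
    compare: str       # one of PRECEDENCE
    category: str
    priority: int = 0  # hypothetical numeric scale: larger wins a conflict


def strip_scheme(url):
    """Drop a leading 'http://' or 'https://' and any trailing slash."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I).rstrip("/")


def host_of(url):
    """Host part of a URL, lower-cased, without a port."""
    return strip_scheme(url).split("/", 1)[0].split(":", 1)[0].lower()


def glob(pattern):
    """Compile a match string in which '*' is the only wildcard."""
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile(body + r"\Z", re.I)


def rule_matches(rule, url):
    if rule.compare == "URL-Regular Expression":
        # Python's re stands in for POSIX ERE; simple patterns behave alike.
        return re.search(rule.match_string, url) is not None
    if rule.compare == "URL":
        # Assumption: entries written with a scheme are compared against the
        # full URL, entries without one against the scheme-less form.
        if "://" in rule.match_string:
            return glob(rule.match_string.rstrip("/")).match(url.rstrip("/")) is not None
        return glob(rule.match_string).match(strip_scheme(url)) is not None
    if rule.compare == "Domain":
        return glob(rule.match_string.lower()).match(host_of(url)) is not None
    raise ValueError(f"unknown compare string: {rule.compare}")


def classify(url, rules):
    """Return the category of the winning custom rule, or None if none match."""
    hits = [r for r in rules if rule_matches(r, url)]
    if not hits:
        return None  # the built-in categorization would apply
    best = max(hits, key=lambda r: (r.priority, -PRECEDENCE.index(r.compare)))
    return best.category


# Constructed rule lists based on the guide's YouTube example.
RULES = [
    Rule("youtube.com", "Domain", "Streaming Media", priority=1),
    Rule("youtube.com/forums", "URL", "Online Communities", priority=2),
]
# A leading '*' covers www.youtube.com, but it also covers any other host
# whose name merely ends in youtube.com.
WILDCARD_RULES = [Rule("*youtube.com", "Domain", "Streaming Media")]
# A regular expression anchored on a label boundary avoids that over-match.
REGEX_RULES = [
    Rule(r"^https?://([^/]*\.)?youtube\.com(/|$)",
         "URL-Regular Expression", "Streaming Media"),
]

if __name__ == "__main__":
    for sample in ("http://youtube.com/forums", "https://youtube.com/watch",
                   "http://www.youtube.com/watch", "http://notyoutube.com/"):
        print(sample, classify(sample, RULES),
              classify(sample, WILDCARD_RULES), classify(sample, REGEX_RULES))
```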
Remote Subnets
By default, ContentProtect Security Appliance will monitor all traffic within the local subnet.
However, ContentProtect Security Appliance can also monitor subnets outside the local
subnet. These subnets are called Remote Subnets because they are not within
ContentProtect Security Appliance’s local subnet.
Review the following topology. This is an example of a flat network. The characteristics of a
flat network are that all devices are connected via switches or hubs, there are no layer three
devices (routers or layer 3 switches), and the network is not segmented logically by
different IP address ranges (VLANs or remote subnets). If you have a flat network, all
devices will fall into the local subnet, and you will not need to add entries to the Remote
Subnets menu as ContentProtect Security Appliance will be able to track by MAC addresses.
Figure 6.1 Flat Network Topology
Now review the following topology. This is an example of a routed network. Notice how
there are different logical segments separated by the IP address ranges within the network,
i.e., 192.168.255.0, 172.16.0.0, and 10.0.0.0. Also notice how there is a layer three device
present in the network (Router 1). These are characteristics of a routed network.
Figure 6.2 Routed Network Topology
In this example, the network subnets of 10.0.0.0 and 172.16.0.0 will be identified as
remote subnets. ContentProtect Security Appliance can track Internet traffic by IP
addresses once these networks are identified as remote subnets. ContentProtect Security
Appliance will not be able to track by MAC addresses for remote subnets as layer three
devices maintain MAC addresses within their corresponding subnets. For more information
on this you can review Chapter 5: Managing ContentProtect Security Appliance, section
Directory Users & Nodes or the Tutorial Document called How to Install ContentProtect
Security Appliance in a Routed Network (http://www.ContentWatch.com/Tutorials.html).
To add network segments to the Remote Subnet menu, enter in the network address with
the subnet mask in Classless Inter-Domain Routing (CIDR) notation. For example, a
network address of 172.16.1.0 with a subnet mask of 255.255.255.0 would be entered in as
172.16.1.0/24. For more information on CIDR notation, please see Appendix D: CIDR
Cheat Sheet. Once you have entered in the network address, select the Add> button and
Apply.
Please note that you may at any time add network addresses to remote subnets for
monitoring and filtering. If you remove network addresses from remote subnets, this will
require a Reset on Telemetry and Profile Data because of how ContentProtect Security
Appliance profiles devices. Please review section System Utilities for more information on
resetting the database.
Once you have added the remote subnets, you can create static routes for those subnets.
This topic is covered in the section Static Routes.
User Preferences
The User Preferences menu allows you to customize how reports and filters will be displayed by
ContentProtect Security Appliance. This menu also allows you to automatically accept
downloads from ContentProtect Security Appliance’s GUI.
Default Rows per Page indicates how many results will be posted for each report. For
example, if you want to see how many users have passed Peer to Peer traffic, you can
access this information under Report -> Applications -> Peer to Peer -> Correlate by
Network Node. This report will post by default the top 25 users of Peer to Peer traffic.
However, if you wanted the report to post the top 30 users of Peer to Peer traffic, you will
need to change the amount of Default Rows per Page to 30. Afterwards, all reports by
default will post 30 results instead of 25.
Report Filter Per Page is for Group, Network Node, and Directory User filters. These filters
are available under individual reports and allow you to search for specific Groups, Network
Nodes, or Directory Users for the specified reports. Clicking these fields will populate the
Select Filter Group, Network Node, or Directory User box. You can then search the
Available profiles listed for the desired Group, Network Node, or Directory User profile. By
default these filters will post 10 profiles per page. You can change this amount by altering
the Report Filter Per Page. Once the amount has been altered, all report filters will post the
number specified on every filter page accordingly. Lastly, the lowest amount for both
fields is 5 and the highest is 500.
The last setting in the User Preferences menu is Enable Automatic Downloads.
ContentProtect Security Appliance has several downloads for different features, i.e., SSL
Certificate, Directory Clients, etc. Selecting these downloads will post a file download dialog
box with an additional link for the download. If you would like to skip the additional dialog
box and have files from ContentProtect Security Appliance be downloaded automatically,
you will need to enable this option. Please note that you may also need to add the IP address of
ContentProtect Security Appliance to the “Local Internet” security zone on your web browser
as well as select Medium-Low security settings for downloads. Once you make changes to
the User Preferences menu, don’t forget to Apply the changes. Default setting for Enable
Automatic Downloads is unchecked.
Static Routes
The Static Routes menu is used in conjunction with the Remote Subnets menu. For
example, if you have entries in the Remote Subnet menu, you may need to create static
routes for those subnets. However, if you do not have entries in that menu, more than
likely you will not need to add static routes.
In addition to this, static routes are only necessary under certain circumstances. One
circumstance is remote administration. For instance, if you had a network entry in the
Remote Subnet menu and wanted to allow users on that remote subnet administrative
access to ContentProtect Security Appliance, you would need to create a static route for that
network.
Other scenarios that require static routes are disabling Enhanced Bridging Mode (EBM),
using Redirect blocked pages, and installing Directory Agents outside ContentProtect
Security Appliance’s local subnet. If you meet some of these requirements, you will need to
create static routes.
Static routes are created by identifying the next hop for ContentProtect Security Appliance
to the remote subnets. Review the following topology. Notice how ContentProtect Security
Appliance is installed on a network with a schema of 192.168.255.0. However, most users
are located on 10.0.0.0.
For ContentProtect Security Appliance to communicate properly with the users on the
10.0.0.0 network, the device will need to know the next hop to this network. The next hop
is referred to as the gateway or destination gateway for the remote subnets. In this
example, the remote subnet will be 10.0.0.0/8 with a gateway of 192.168.255.3.
Figure 6.3 Static Routes Diagram
Please take special notice of the different gateways. The 10.0.0.0 has a default gateway of
10.0.0.1. This is not the gateway for ContentProtect Security Appliance’s static route as
this address is not the next hop for the remote subnet. The gateway will be 192.168.255.3
as this is the next hop for ContentProtect Security Appliance to communicate to users on
the 10.0.0.0 network. Essentially, the static route will indicate to ContentProtect Security
Appliance the routing path to take when direct communication is required to a host on the
10.0.0.0 network.
Also, do not confuse the static route with ContentProtect Security Appliance’s default
gateway. ContentProtect Security Appliance uses the default gateway to access the
Internet for updates while static route gateways are used to communicate with users on the
remote subnet. Things that can help you to identify proper static gateways for
ContentProtect Security Appliance are the following:
• Static route gateways will always be in the same local subnet as ContentProtect
Security Appliance’s Bridge IP address.
• Static route gateways will always be on the LAN side of ContentProtect Security
Appliance.
• Static route gateways will never be the same IP address as ContentProtect Security
Appliance’s default gateway.
• Static route gateways will never be the default gateway for the remote subnets.
After you have identified the correct static route with the corresponding remote subnet, you
can enter them by entering in the network address of the remote subnet and the route
gateway. Again, network addresses will be entered in CIDR notation. Once you have
correctly entered in the settings, you can select the Add button and then Apply. For more
information on static routes, you can review the Tutorial Document How to Install
ContentProtect Security Appliance in Routed Networks
(http://www.ContentWatch.com/Tutorials.html).
Remember that static routes are only necessary for remote subnets. Do not add a static
route that will encompass the local subnet as this may cause routing problems with the
default gateway for ContentProtect Security Appliance.
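The following added example (not ContentWatch code) converts a network address and subnet mask to the CIDR form used by the Remote Subnets and Static Routes menus, and checks a proposed static route against the address-based rules listed above. The function names and problem codes are hypothetical, and the Bridge IP address 192.168.255.2/24 and default gateway 192.168.255.1 are constructed values; the remote subnet and gateways come from the static routes example in this section.

```python
import ipaddress


def to_cidr(network_address, subnet_mask):
    """Convert a network address and dotted subnet mask to CIDR notation.

    Raises ValueError if the address is not the network address for that mask.
    """
    return str(ipaddress.ip_network(f"{network_address}/{subnet_mask}", strict=True))


def check_static_route(remote_subnet, gateway, bridge_cidr, default_gateway):
    """Return a list of problem codes for a proposed static route.

    An empty list means the route passes every check that can be made from
    addresses alone. Whether the gateway sits on the LAN side of the appliance
    depends on cabling and cannot be checked here.
    """
    problems = []
    local = ipaddress.ip_interface(bridge_cidr).network  # appliance's local subnet
    remote = ipaddress.ip_network(remote_subnet, strict=True)
    gw = ipaddress.ip_address(gateway)

    # The gateway must be in the same local subnet as the Bridge IP address.
    if gw not in local:
        problems.append("gateway-not-in-local-subnet")
    # The gateway must not be the appliance's own default gateway.
    if gw == ipaddress.ip_address(default_gateway):
        problems.append("gateway-is-default-gateway")
    # An address inside the remote subnet (such as that subnet's default
    # gateway) is not the next hop as seen from the appliance.
    if gw in remote:
        problems.append("gateway-inside-remote-subnet")
    # A route that encompasses the local subnet can disturb default routing.
    if local.subnet_of(remote):
        problems.append("route-encompasses-local-subnet")
    return problems


# Constructed appliance settings; the guide gives only the 192.168.255.0 network.
BRIDGE = "192.168.255.2/24"
DEFAULT_GW = "192.168.255.1"

if __name__ == "__main__":
    print(to_cidr("172.16.1.0", "255.255.255.0"))
    for subnet, gw in (("10.0.0.0/8", "192.168.255.3"),
                       ("10.0.0.0/8", "10.0.0.1"),
                       ("10.0.0.0/8", "192.168.255.1"),
                       ("192.168.0.0/16", "192.168.255.3")):
        print(subnet, "via", gw, check_static_route(subnet, gw, BRIDGE, DEFAULT_GW))
```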
SSL Certificate Settings
This menu is covered in Chapter 8: Implementing HTTPS/SSL Filtering with ContentProtect
Security Appliance.
License Settings
The License Settings menu allows you to enter a license key to increase the amount of
devices ContentProtect Security Appliance will profile. Licensing with ContentProtect
Security Appliance is based on network connections. That is to say, one hundred
connections on your network will constitute 100 licenses.
For full functionality of ContentProtect Security Appliance, you will need to have sufficient
licenses for all active connections on your network. You can purchase the license key from
ContentWatch or your Authorized ContentWatch Reseller. Once purchased, you can enter in
the License Key by selecting the Update button. ContentProtect Security Appliance will then
confirm that License Key, and if correct will alter the Licensed Network Nodes to the correct
amount. Don’t forget to Apply the changes. This option is also available during the Setup
Wizard.
Information pertinent to the device, such as Model Number, Serial Number, and Annual
Software Maintenance (ASM) Expiration Date, is posted on this menu as well. ASM is used
for support on your device and provides ContentProtect Security Appliance with continued
updates on Web content, Spyware, Web viruses, and application signatures. ASM also
allows you to utilize ContentWatch Technical support if needed.
If ASM is not current, ContentProtect Security Appliance will not be able to update
firmware, software, content filtering, Spyware, or virus definitions, nor will ContentWatch
Technical support be available. To renew your ASM please contact your Authorized
ContentWatch Reseller or ContentWatch Sales at 1 (866) 765-7233.
Other stats available on this menu are Current Software Version, Available Software
Version, Last Software Update Date, Last Anti-Virus Update Date, and Last Spyware
Definition Update Date.
Special Domains
The Special Domains menu offers two settings to assist in troubleshooting group
membership as well as Directory User integration. The first setting is Web Authentication
Logout Domain. Web Authentication allows ContentProtect Security Appliance to identify
Directory Users without using the Directory/LDAP Client. ContentProtect Security Appliance
does this by associating initial web connections to Directory Users. However, Web
Authentication does not identify when Directory Users have logged out unless an inactivity
or session timeout has been met.
By using the URL in Web Authentication Logout Domain, Directory Users can immediately
notify ContentProtect Security Appliance when they have logged out. The default setting is
logout.ContentWatch.com, but you can use this menu to change the URL. Once users enter
this URL into their web browser, ContentProtect Security Appliance will present them with a
logout page. After logging out, ContentProtect Security Appliance will disassociate the web
connections to the Directory Users.
For this setting to work properly, you must have some form of Web Authentication enabled
for users. For more information on Web Authentication, please see Chapter 7: Integrating
Directory Users with ContentProtect Security Appliance.
The next setting is Web Filter Info Domain. Web Filter Info Domain allows you to confirm
group membership, Internet Usage Rules, and HTTPS/SSL Filtering rules. By entering in the
URL into a web browser, you can confirm how ContentProtect Security Appliance is
identifying the user, to which group the user is being assigned, and if the correct rules are
being applied. To use Web Filter Info, enter the URL into a web browser (default setting is
info.ContentWatch.com), and the Web Filter Status Report will post the results.
Please note that any changes to these two settings will require correct Domain Name
Service (DNS) resolution. If you alter the URLs under the Special Domains menu, you will
need to make specific entries for these web sites in users’ DNS records.
LDAP Settings
LDAP Settings are defined in Chapter 7: Integrating Directory Users with ContentProtect
Security Appliance.
Backup
ContentProtect Security Appliance allows you to back up configuration data and telemetry
data. These backups can be completed via FTP or HTTP manual backups. The submenus
available here are Backup File Settings, FTP Automated Backup, FTP Manual
Backup/Restore, and HTTP Manual Backup.
The options available under Backup are Backup File Name, Add Timestamp to File Name,
Backup Configuration Data (device configuration, groups, IUR, shaping rules, etc.), and
Backup Telemetry Data (Web logs, application reports, etc.). Once these settings are
configured, you will need to create the backup file using the Create File button. Afterwards,
you can manually push the backup file to a FTP server or use HTTP to place the backup file
in a folder accessible to ContentProtect Security Appliance.
The FTP Automatic Backup menu allows you to automate backups via File Transfer Protocol.
For this to work, ContentProtect Security Appliance needs write access to a FTP server. You
can select Enable Automatic Backups and select the day and time for the backup to execute.
In addition to this, ContentProtect Security Appliance will need to have listed the hostname
or IP address of the FTP server as well as the Server User Name, Server Password, and path
for the backup directory. Lastly, you can specify that ContentProtect Security Appliance
only create a backup file automatically and not download it to an FTP server. This option is
available as the check box for Create Backup File Only.
You can also restore backups to ContentProtect Security Appliance in the case of device
failure. For example, if you need to replace your current ContentProtect Security Appliance
with another device, you can use a stored backup file to restore device settings on the
replacement device. Although easy to execute, the restore options can only be
accomplished with an FTP server. Also, please note that restores are only possible between
the same ContentProtect Security Appliance models. In other words, you cannot restore a DC10
backup file to a DC30.
Again, ContentProtect Security Appliance will need specifics related to the FTP server, i.e.,
Hostname or IP address, Server User Name, Server Password, Path, and File Name. The
options available under this submenu are Restore From FTP Server and Backup To FTP
Server. If you are intending to restore information to ContentProtect Security Appliance,
you will need to select Restore from FTP Server. The Backup To FTP Server is for manual
backups to a FTP server as opposed to automated backups available in the previous
submenu.
Finally, you can back up manually via HTTP if you do not have access to an FTP server.
Again, you will need to create the backup file using the submenu Backup File Settings.
Afterwards, you can select the Download button and browse to a network drive, network
directory, or even to your desktop to place the backup file. When you are finished
modifying the backup settings, remember to Apply the changes.
Proxy Settings
The Proxy Settings menu allows you to configure ContentProtect Security Appliance to work with
your network’s proxy server. The most important factor in configuring ContentProtect
Security Appliance with your network’s proxy server is the placement of the device
relative to the proxy server.
If the proxy server is an inline device, the recommended placement for ContentProtect
Security Appliance will be in between the proxy server and users to allow for correct
identification of users and devices. In addition to this, if the proxy server requires users to
enter a username and password for Internet connectivity, ContentProtect Security Appliance
likewise will need such information to access the Internet for updates. These settings are
entitled Parent Proxy Username and Parent Proxy Password. We recommend that you
create a user specific account on the proxy server for ContentProtect Security Appliance.
ContentProtect Security Appliance will also need access to the Web for updates and TCP port
22 for the Support Link utility to work. For correct reporting, ContentProtect Security
Appliance will need to know the IP address and port used (other than port 80 and 8080) for
the proxy server.
If your network’s Proxy Server is not an inline device, please contact your
Authorized Reseller or ContentWatch support before installing ContentProtect
Security Appliance.
If the network’s proxy server is not an inline device, you will not be able to place
ContentProtect Security Appliance in between users and the proxy server as web requests
will be traversing the proxy server’s connection twice; once for the initial request and once
for the response. As such, you will need to contact ContentWatch Support or your
Authorized ContentWatch Reseller for assistance with installing ContentProtect Security
Appliance with this scenario.
If ContentProtect Security Appliance cannot be placed in between the users and your
network’s proxy server, you will need to configure ContentProtect Security Appliance
differently. First, you will not need to enter any information in the Proxy Settings menu as
your network’s proxy server will be on the LAN side of ContentProtect Security Appliance.
Second, some advanced options are specifically designed for interoperability with current
proxy servers, in particular Enhanced Bridging Mode (EBM) and HTTP Keep-Alive Mode.
With the proxy server on the LAN side of ContentProtect Security Appliance, the device no
longer needs these options enabled as the proxy server will perform similar functions. You
may need to disable these options (Admin -> Configuration -> Advanced Setup).
Finally, most proxy servers execute web requests via Network Address Translation (NAT).
NAT is a technique of routing network traffic that involves re-writing or masquerading IP
addresses. ContentProtect Security Appliance will only see the IP address of the proxy
server passing web traffic instead of unique users. If the proxy server is located on
ContentProtect Security Appliance’s LAN side, individual filtering and reporting may be
impossible because ContentProtect Security Appliance will not receive the users’ IP
addresses. If your network’s proxy server allows you to disable NAT, this may be an option
for individual reporting and filtering.
Diagnostic Tools tab
The Diagnostic Tools tab provides you with a variety of tools that you can use to test the
functionality of your network as well as ContentProtect Security Appliance. The Diagnostic
Tools tab includes utilities to test network connectivity and device status. This menu is a
great place to start the troubleshooting process to confirm device settings and status.
Device Status
Device Status posts the condition of ContentProtect Security Appliance and several key
components of the device. Here you can confirm that the IP address for the bridge interface
is correctly assigned. You can also verify the status of all Ethernet ports, WAN, LAN, and
Management/Auxiliary. Lastly, you can validate device settings (Device Key, Serial
Number) and device status in regards to uptime (how long the device has been up), CPU
load, and Used Disk Space.
Directory Agent Diagnostics
This menu is covered in more detail under Chapter 7: Integrating Directory Users with
ContentProtect Security Appliance.
Directory Agent Users
This menu is covered in more detail under Chapter 7: Integrating Directory Users with
ContentProtect Security Appliance.
Display ARP Table
The Display ARP Table lets you view current entries in ContentProtect Security Appliance’s
Address Resolution Protocol (ARP) table. ARP provides dynamic address mapping between
an IP address and a hardware or MAC address. ContentProtect Security Appliance’s ARP
table displays the IP or MAC address of devices that have directly communicated with
ContentProtect Security Appliance within the last 5 minutes. The columns listed in the ARP
table are Address (IP address), HW Types (Ethernet), MAC Address, Flags (C—reachable),
and Interface (bro—Bridge, eth0—WAN, eth1—LAN).
Ethernet Status
The Ethernet Status menu lists the state of ContentProtect Security Appliance’s ports, WAN,
LAN, Management/Auxiliary. The tabs are divided by each port and list the status,
auto-negotiate, speed, duplex, packets, and errors. Use this tab to confirm that each active port
is operating at correct speeds and duplex settings and not generating any errors.
Auto-Negotiation is recommended, but not necessary.
Group IP List
Group IP List is a great tool that can be used to verify group membership for individual
users. For example, if you have a device or user that is not being assigned to a group
correctly, you can confirm which group is being assigned within the past five minutes for
that user or device.
Group IP List will list the Group, MAC address (where available), and IP address of the
devices currently passing traffic through ContentProtect Security Appliance. Also available
is a drop-down list that allows you to search entries based on Group name, MAC address, or
IP address.
You can then verify this group assignment against the member type and assigned group
(Manage -> Policies & Rules -> Groups). If users or devices are being assigned to incorrect
groups, you can use this tool as well as Group Member Type Precedence to resolve the issue
and better configure ContentProtect Security Appliance.
IP Address Map
This menu is covered in more detail under Chapter 7: Integrating Directory Users with
ContentProtect Security Appliance.
No LDAP Network Nodes
This menu is covered in more detail under Chapter 7: Integrating Directory Users with
ContentProtect Security Appliance.
PING
Packet Internet Groups (PING) is a useful troubleshooting tool for computer networks. This
tool is used to test whether or not network hosts are reachable by sending an ICMP Echo
Request packet. When the destination system receives the packet, it responds with an
ICMP Echo Response packet.
ContentProtect Security Appliance includes PING as a troubleshooting tool in the event that
a device or web site cannot communicate with ContentProtect Security Appliance. You can
enter in the hostname or IP address to run the PING test. You can also alter the number of
attempts. If the test results in a failure, you may want to review the network topology and
the Static Routes menu.
Please note that many host-based software firewalls, such as those that ship with Microsoft
Windows XP and Vista, deny PING traffic by default. You may need to enable ICMP traffic
through firewall systems for this utility to be successful.
Test DNS Settings
The Test Domain Name System (DNS) Settings menu allows you to test the DNS settings for
ContentProtect Security Appliance, e.g., whether ContentProtect Security Appliance can resolve
web sites or NetBIOS names to their corresponding IP addresses correctly. Enter the
URL of the web site, e.g., www.google.com, or the NetBIOS name of the computer, e.g.,
computername.mydomain.com, and select Run for a test. You can also change the DNS
server for the test by entering a different IP address for the DNS server. A positive result
will reply with a host name and an IP address.
Traceroute
Traceroute is a computer networking tool used to determine the route taken by packets
across an IP network. ContentProtect Security Appliance’s Traceroute menu allows you to
confirm the path taken by ContentProtect Security Appliance to reach individual computers,
routers, or web sites that respond to traceroute. Similar to Test DNS Settings, enter in the
hostname or IP address for the Traceroute and select the Run button. You can also alter
the Timeout in seconds.
If the test is successful, the menu will list how many hops are taken for the packet to reach
the destination. The menu will also list the time spent in reaching each individual hop.
IP Traffic Monitor
IP Traffic Monitor is a console-based network statistics utility that gathers a variety of data
such as TCP connection packet and byte counts, interface statistics and activity indicators.
IP Traffic Monitor shows information on network traffic as it passes in real-time through
ContentProtect Security Appliance. Some of the information posted can be used to diagnose
network connectivity problems as well as confirm highest bandwidth consuming IP
addresses within the network. The difference with this diagnostic tool is that it is not
accessible from the Diagnostic tab or any other menu in ContentProtect Security Appliance’s
GUI. Instead, you can access this utility via the Text Menu Interface (Option 2—Utilities,
Option 3—IP Traffic Monitor). Please see Chapter 1: Configuring ContentProtect Security
Appliance, Section Text Menu Interface for more information.
Downloads tab
The Downloads tab stores the Directory Agent, Directory Client, LDAP Client, and SSL
Certificate necessary for Directory Users integration and SSL Filtering respectively. These
topics are covered in Chapter 7: Integrating Directory Users with ContentProtect Security
Appliance and Chapter 8: Implementing HTTPS/SSL Filtering with ContentProtect Security
Appliance.
Logs tab
As ContentProtect Security Appliance completes its day-to-day tasks, the device will track
important events, activities, and errors in log files. You can use the Activity Logs and Kernel
logs to view these files for troubleshooting purposes.
Activity Log
The Activity Log records information about programmed events and their status, i.e.,
backups, updates, etc. If some of these functions are not working properly, you can use the
Activity Log to troubleshoot the process. Also, the Activity Log is useful in troubleshooting
Directory Users, which will be covered in Chapter 7: Integrating Directory Users with
ContentProtect Security Appliance.
By default, the Activity Log shows all types of messages for the last 24 hours. However, you can
use the Selected Date option to browse for messages during different times, e.g., Last Hour,
Last 24 Hours, Last 7 Days, Last Week, Last Month, Last Year, and custom dates.
Also available are message type filters that can be used to post only the messages relevant to
the problem. The message type options are No Filter, Verbose, Informational, Status, Warning,
Error, Comment, and Invalid. Comment, Informational, and Verbose are debug-level
messages. These messages will give information regarding normal operation of processes
and events.
Warnings are non-fatal process errors or unexpected conditions, while Errors are fatal
process faults that can affect device functionality. Invalid messages denote invalid or
unexpected conditions that might prevent future code execution or cause future Warnings or
Errors. Status messages give information regarding the current status of processes and/or
programmed events.
The other option available under logs is Context. Context describes which components of
ContentProtect Security Appliance have delivered the message. For example, if an error
happens with the backup utility of ContentProtect Security Appliance, the Context will be
backup and the message will be error. The options available under Context are No Filter,
System, Initialization, Updates, Backup, Broadcast, and Alert.
System Context means the error came from the forwarding plane. The forwarding plane is
the ContentProtect Security Appliance architecture that decides how to handle packets
arriving on the LAN interface, i.e., applying shaping rules, denying traffic, etc.
Initialization messages are from boot-up or process launchers. Updates Context indicates
the messages were generated by the update system, e.g., Firmware, Software, Content
Filter, etc. Backup messages come from the backup system (automated and forced), and
Broadcast messages come from the e-mail broadcast system. Alert messages are not
currently used.
Kernel Log
The Kernel is the central component of ContentProtect Security Appliance’s Operating
System (OS). The Kernel’s responsibilities include managing communication between the
hardware and software components. As the Kernel does this, it keeps several key entries in
a log file that can be reviewed. This is an excellent place to begin troubleshooting hardware
or software problems. Some of the entries are common markers or steps that are routinely
run by ContentProtect Security Appliance. However, pay close attention to messages that
concern the hard drive and messages that repeat several times in a row.
Redirection Pages
ContentProtect Security Appliance offers two customizable pages for blocking web sites and
authenticating Directory Users. The Directory Agent Login Page is defined in Chapter 7:
Integrating Directory Users with ContentProtect Security Appliance.
Blocked URL
When ContentProtect Security Appliance blocks web sites based on Internet Usage Rules
(IURs), users will be presented a Block Redirection or Block Uniform Resource Locator (URL)
page. The Redirection Pages menu allows you to customize the Block URL page to display
company messages, customized phrases, etc.
The first option available under Block URL Redirection Page is Display Blocked Reason. This
will post the reason to users why the page has been blocked, i.e., because of a Blocked
Category, Blocked URL, etc. The next option is the Blocked Phrase. Blocked Phrase allows
you to customize the message posted to users. The default message is “Your access to the
website %blockedURL% was blocked for the following reason:”. The Blocked Reason will
then post underneath the message.
The Bypass Message is for those users who have the password for the Enable Bypass
(setting that allows users to bypass a blocked web site if he/she knows the Bypass
Password). The default message for the Bypass Message is “Click here to bypass the filter
for this website”. Please note that if you have not enabled the Enable Bypass, this message
will not post.
Contact Message allows users to contact the ContentProtect Security Appliance
administrator in case a web site needs to be re-categorized or allowed. For example if a
user is blocked from http://www.myspace.com.com, but believes that the web site should
be allowed or re-categorized, he/she can send an email by clicking on the link posted in the
Blocked URL page. For this setting to be active, the Contact Email needs to have the email
address of the ContentProtect Security Appliance administrator. Also note that the URL will
not be automatically posted in the email. You should alter the Contact Message asking
users to place the URL in the email.
For ContentProtect Security Appliance to send the Blocked URL Page, the device needs to
know the route taken by the initial request for redirection. Normally this is handled by a
200 HTTP response, indicating that the request was received and that the result is the
Blocked URL Page. However, by selecting Redirect blocked pages, you can change the
response to a 302 HTTP response, which redirects the response to another page. The
difference with these options is that the 302 HTTP response posts an image of a stop sign
located in the top right-hand corner of the Blocked URL Page. Also the IP address of
ContentProtect Security Appliance will be displayed in the URL of the web browser
requesting the page. To activate the 302 HTTP response, select the checkbox next to
Redirect blocked pages.
Please note that the option of Redirect blocked pages requires static routes for remote
subnets to issue the Blocked URL Page. Please see the previous section of Static Routes for
more information.
The last checkbox available is Reset to Defaults. This option allows you to erase any
alterations to the Blocked URL Redirection Page and default back to the original settings.
The box below the Reset to Defaults is the actual Hypertext Markup Language (HTML) code
used for the Blocked URL Redirection Page. If you are familiar with HTML, you can alter the
text, color, and format of the Blocked URL Redirection Page manually using the code
present on the page.
The following are some suggestions on which lines of code handle the different format
options within the page; however, again, you should be familiar with HTML code to make
any alterations.
| Name | Syntax | Function |
|---|---|---|
| Bypass URL | %bypassURL% | Posts a link to the Enable Bypass Password |
| Spyware Removal Tool | %spywareCleaner% | Posts a link to the Spyware Removal tool |
| ContentProtect Security Appliance Trademark | %productName% | Posts the trademark on ContentProtect Security Appliance |
| Blocked URL | %blockedURL% | Posts the original URL requested by users that has been blocked |
| Blocked Reason | %blockedReason% | Posts the reason for the Block URL Redirection Page, e.g., Category, URL. |
| Blocked Message | %blockedMessage% | Posts an explanation why the page has been blocked, i.e., access to this URL is restricted because… |
| Bypass Message | %bypassHTML% | Posts a link to bypass the Blocked Web site, i.e., Click here to bypass… |
| Contact Message | %contactMessage% | Allows users to send an email to the ContentProtect Security Appliance administrator for re-categorization of a blocked Web site, etc. |
| Contact Email | %contactAddr% | Posts the email address of the ContentProtect Security Appliance administrator. |
Once you have completed the alterations, don’t forget to Apply the changes.
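A customized template can be checked for mistyped placeholders before it is applied. This Python example is added here and is not part of the appliance or its HTML; it assumes placeholders are matched exactly as spelled in the table above, and the template and sample values are constructed.

```python
import html
import re

# Placeholders listed in this guide for the Blocked URL Redirection Page.
KNOWN_TOKENS = {
    "bypassURL", "spywareCleaner", "productName", "blockedURL",
    "blockedReason", "blockedMessage", "bypassHTML",
    "contactMessage", "contactAddr",
}

# A placeholder is a run of letters between two percent signs. Plain CSS
# percentages such as width="100%" do not match because of the digits/quotes.
TOKEN_RE = re.compile(r"%([A-Za-z]+)%")


def lint_template(template):
    """Return (unknown, unused) placeholder names for a customized template.

    unknown: names used in the template that the guide does not list
             (typically a typo such as %blockedUrl%).
    unused:  listed names the template no longer contains, e.g. a block
             reason or contact link that was deleted by accident.
    """
    found = set(TOKEN_RE.findall(template))
    return sorted(found - KNOWN_TOKENS), sorted(KNOWN_TOKENS - found)


def preview(template, values):
    """Fill known placeholders with sample values for a local preview.

    Values are HTML-escaped because %blockedURL% carries text taken from
    the user's original request. Unknown or unset placeholders are left
    in place so they stand out in the preview.
    """
    def substitute(match):
        name = match.group(1)
        if name in KNOWN_TOKENS and name in values:
            return html.escape(values[name], quote=True)
        return match.group(0)

    return TOKEN_RE.sub(substitute, template)


if __name__ == "__main__":
    # Constructed template with one deliberate typo (%blockedUrl%).
    sample = ('<table width="100%"><tr><td><h1>%productName%</h1>'
              '<p>%blockedMessage% %blockedUrl%</p>'
              '<p>%blockedReason%</p></td></tr></table>')
    unknown, unused = lint_template(sample)
    print("unknown placeholders:", unknown)
    print("placeholders not used:", unused)
    print(preview(sample, {"productName": "ContentProtect Security Appliance",
                           "blockedReason": "Blocked Category"}))
```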
Directory Agent Login Page
This menu is covered in more detail under Chapter 7: Integrating Directory Users with
ContentProtect Security Appliance.
Utilities
The Utilities menu offers several functions that are used for troubleshooting and also
deletion of information. Also available are the menus of Support Link (allows ContentWatch
Technicians to access your device for remote assistance) and Spyware Removal Tool (utility
that allows you to remotely scan and delete Spyware present on infected devices). Each
utility should be used with caution as some of the options can drastically erase data and
configuration of ContentProtect Security Appliance.
System Resets
System Resets is divided into four subsections: Restart Services, Filter Resets, Database
Resets, and Device Power Resets.
Restart Services
Restart All Services will stop and reinitialize all system processes such as content filtering,
application shaping, and report generating. Normally, you will not need to select this
option; however, for troubleshooting you may need to select this option if a service is not
responding correctly.
For example, if you are unable to run a report, you may need to restart all services to
terminate an orphan process and enable the particular report to run again. Restart All
Services may cause a temporary drop in traffic, but should allow you to continue a service if
it was not functioning correctly before.
Filter Resets
The first option under Filter Resets is Clear SSL Certificate. This option is covered in
Chapter 8: Implementing HTTPS/SSL Filtering with ContentProtect Security Appliance.
After that come Force cymdir.exe Session Timeouts and Flush Web Auth Cache. These
utilities are covered in Chapter 7: Integrating Directory Users with ContentProtect Security
Appliance.
Database Resets
Reset to Factory Defaults sets ContentProtect Security Appliance back to the factory
settings. This means that all information is erased as well as configuration data. Basically
the device will be reset to the original settings as the device was received.
Use this option with care, as Reset to Factory Defaults completely wipes the entire
system. You will lose your configuration parameters, accounts, rules, telemetry data,
licensing information, and annual support contract information. Access to the device is
reset to the username of admin and a password of contentprotect. If you select this option,
you must connect a system to ContentProtect Security Appliance’s LAN port and run the
initial configuration of the device.
The next option is Reset the Database. Reset the Database erases the database used by
ContentProtect Security Appliance for group configuration, device profiling, Internet Usage
Rules, and Shaping Rules. This option also erases all historical data on the device. This
utility is almost as drastic as Reset to Factory Defaults except that basic configuration
settings, such as the bridge IP address, subnet mask, default gateway, and DNS server will
remain intact. Licensing and ASM information will still remain.
The following table lists all settings lost with Reset the Database. It is followed by a
table that lists which options will be enabled or disabled after resetting the database. If an
item is not mentioned, then it will be retained accordingly.
Lost Settings after Resetting the Database

| Report | Manage | Admin |
|---|---|---|
| All information | Groups | Mail server |
| | Time of Day Rules | Backup Settings |
| | Custom IURs | Update Settings (dates erased) |
| | Shaping Rules | Logs (erased) |
| | Network Nodes | |
| | Directory Users | |
| | Broadcasts | |
| | Custom Logins | |
| | Custom TFRS | |
| | Custom Application Sets | |
| | Custom Applications | |
Default Settings after Resetting the Database

| Manage | Admin |
|---|---|
| All users assigned to Default Group | Domain set to ContentWatch.com |
| Default IUR set to Web Filter + IM | Enable Port Scanning/OS Detection selected |
| System Access: admin; contentprotect | Enable TCP Window Scaling selected |
| | NTP Server set to pool.ntp.org |
| | HTTP-Keep Alive Mode Selected |
| | Allow DNS and HTTP Block page for Deny Access Traffic Flow Rule Set not selected |
| | Enable Summary Tables selected |
| | Database Timeout set to 5 minutes |
| | Default Settings for Group Member Type Precedence |
| | Default Settings for Special Domains |
| | Web Time Online set to 20 seconds |
| | Default Times for Update Settings |
| | SSL Certificate Settings set to default |
| | Blocked URL Redirection Page set to default |
| | Directory Agent Login Page set to default |
Although resetting the database can be drastic, this option is necessary in many scenarios.
For example, if you have made extensive changes to your network such as IP address
schemes or new hardware, you will want to reset the database to avoid invalid licenses,
incorrect device profiles, or inconsistent grouping.
Another scenario that may require resetting the database is if you move ContentProtect
Security Appliance within the network or from one network to another. Also, at any time
that you remove subnets from the Remote Subnets settings, you will need to reset the
database.
Reset Telemetry Data is the least drastic of the reset options. This utility only erases the
historical data from ContentProtect Security Appliance. For example, web logs, Application
reports, Device Status reports will be erased with this option; but groups, IURs, Shaping
Rules, and other settings will be retained. This utility is mostly used when a particular web
log needs to be erased while rules and groups will remain.
The final database reset option is Reset Telemetry and Profile Data (Preserves IURs,
Shapers, and the Filter Bypass Group). This option is similar to Resetting the Database
except that Internet Usage Rules, Shaping Rules, and members of the Filter Bypass Group
by CIDR Block Override will be retained. If you need to reset the database but would like to
retain these settings, you can select this option instead.
Device Power Resets
The last two options are for the actual power for ContentProtect Security Appliance.
Hardware Shutdown will physically shut down the device and should be used when the
device needs to be powered down. Hardware Reboot powers down the device and
automatically powers it back up. All these options will require confirmation via a dialog box.
Do not power down ContentProtect Security Appliance by pulling the power cord
or pressing the power button on the front bezel. These procedures should only be
used when there is no other alternative for powering down the device.
Support Link
Support Link is a utility that allows a ContentWatch technician to access your ContentProtect
Security Appliance remotely and assist in troubleshooting or configuring the device. To
activate a support link, you must first call ContentWatch Technical Support for a port
number. This port number is only relevant to the technician and used on his/her side.
ContentProtect Security Appliance will require outbound access to the Internet on port 22
(both TCP and UDP) for the support link to work. Once the technician issues you the port,
enter in the number and select Connect.
Spyware Removal Tool
ContentProtect Security Appliance has several tools that can identify applications and
devices that are infected with spyware. Once a device has been identified as infected,
ContentProtect Security Appliance offers a removal tool that allows you to scan the hard
drive of the infected device and remove or quarantine the infected program. This tool is
powered by Counter Spy and is called Spyware Removal Tool.
This tool can be activated by accessing the GUI of ContentProtect Security Appliance from
the infected device or having the user browse to http://spyware.ContentWatch.com. Once
activated, the Spyware Removal Tool will prompt the user to download and install a
program called WebDeploy.cab. This program is used to push the latest spyware definitions
to the computer. You may also need to install an ActiveX control for browsing capabilities.
Once the Spyware Removal Tool has been installed properly, you can then select to perform
a Quick Scan, Full Scan, or Cookies. After you choose which scan to perform, the Spyware
Removal Tool will begin to scan the hard drive for infected applications. You can pause or
stop this scan at any time. As soon as the scan is completed, you will be presented with the
results of the scan, i.e., which applications were infected, which applications were
quarantined, etc.
Please note that the Spyware Removal Tool can only be used on computers using Windows
OS, and users must have administrative rights to the hard drive as the Spyware Removal
Tool will scan the entire drive.
This concludes the chapter on administering ContentProtect Security Appliance. The next
chapters deal with additional options that allow you to use ContentProtect Security
Appliance with an existing directory on the network to track traffic by Directory Users, and
to filter secure web traffic via HTTPS/SSL Filtering.
Chapter 7: Integrating Directory Users with ContentProtect Security Appliance
ContentProtect Security Appliance by default tracks all web and application traffic based on
device addresses (MAC addresses or IP addresses). That is to say, by default
ContentProtect Security Appliance will report traffic by each individual device located on the
network and list the traffic by Network Nodes.
However, reporting by these criteria may be daunting or insufficient as IP addresses can
change constantly or users will move from one machine to another on the network. In
these cases, reporting by Directory Users may be more useful as ContentProtect Security
Appliance can monitor and report based on Directory User Names as well as by Network
Nodes. This chapter will explain how to integrate Directory Users with ContentProtect
Security Appliance. The following topics will be explained.
• Directory Overview
• Directory Options
• Directory Configurations
• Directory Troubleshooting
Directory Overview
Integrating Directory Users with the ContentProtect Security Appliance consists of two
steps: (1) allowing ContentProtect Security Appliance access to your directory server, and
(2) identifying when users are accessing the network. The first step can be accomplished
through either the Directory Agent or LDAP settings while the second step is done via the
Directory Client, LDAP Client, or Web Authentication. Which option you choose depends upon
the architecture of your network and how you are going to identify Directory Users on your
network.
The Directory Client, LDAP Client, and Web Authentication are processes that signal to
ContentProtect Security Appliance when users are logging onto the network. These
processes correlate the Directory User profile to the corresponding Network Node in use.
Review the following diagram.
Figure 7.1 Directory Integration with ContentProtect Security Appliance
ContentProtect Security Appliance uses both processes to identify Directory Users and filter
accordingly. For example, when a user logs into a computer, the Directory Client, the LDAP
Client, or Web Authentication will signal to ContentProtect Security Appliance where the
user is located and what credentials were used to access the network.
When ContentProtect Security Appliance receives this traffic, it then queries the directory
server either through the Directory Agent or LDAP Settings to find the user with his/her
associated group, Organizational Unit (OU), attribute, or other settings from your directory
structure.
Once the user has been identified, ContentProtect Security Appliance will then apply any
filtering or shaping rules to the user and begin reporting traffic by the Directory User profile.
When the user logs out or logs into another computer, the Directory Client, LDAP Client, or
Web Authentication again will send an appropriate signal to ContentProtect Security
Appliance that the user has logged out or started using a new workstation. Using these
processes, ContentProtect Security Appliance can monitor all web traffic by Directory User
regardless of where in the network he/she is located and apply appropriate rules to the
traffic.
The first step in integrating Directory Users with ContentProtect Security Appliance is
deciding on which option will fit best for your network. Each option is designed for specific
scenarios and has inherent advantages as well as disadvantages.
Directory Options
Use the following Directory User Decision Tree to help you decide which Directory Option is
correct for your environment. Again, each Directory Option is designed for specific
scenarios or networks to facilitate Directory User integration. In essence, you will need to
decide which level of Directory User integration is right for your organization and which
requirements can be met by your network.
Following the Directory Decision Tree are descriptions of each Directory Option with a
Directory Matrix listing advantages and disadvantages of each Directory Option.
Figure 7.2 Directory User Decision Tree
Directory Option 1: Directory Agent with Directory Client (cymdir.exe)
This is the recommended option for most networks. This option allows ContentProtect
Security Appliance to immediately identify when users are accessing the network while
synchronizing with the already defined directory groups, OUs, or user attributes. This
method involves installing the Directory Agent on your directory server and deploying a
Directory Client through the login process to identify when users access the network.
The advantages to this option are immediate identification of users when they access the
network and more accurate application reporting based on Directory Users. Because users
will be executing the Directory Client as they login to the network, ContentProtect Security
Appliance will be instantly notified of the user and will be able to associate all traffic to the
corresponding Directory User. The Directory Client supports Windows 64-bit, 32-bit (2000
SP4 or above), and Macintosh OSX (10.3 or above) Operating Systems (OS).
Some of the disadvantages with this option are that it only supports Microsoft Active
Directory and computers that are members of the Active Directory domain. In addition to
this, this option will not report on individual users through Terminal Services sessions or
Citrix sessions.
Directory Option 2: Directory Agent with IP Lookup
This option is designed for networks that cannot deploy the Directory Client because no
login process is initiated, login credentials are cached on devices locally, or company policies
restrict pushing end client processes. With this option, ContentProtect Security Appliance
identifies Directory Users when they initiate web (HTTP) traffic. After ContentProtect
Security Appliance intercepts initial web requests from users, ContentProtect Security
Appliance (through the Directory Agent) will petition the directory server to find the
credentials used to login to the device.
This option involves installing the Directory Agent on your directory server and creating an
Internet Usage Rule to use IP Lookup. Because IP Lookup will petition the directory server
to find login credentials, the Directory Agent must be installed on the Directory server with
administrator rights (Log on as Administrator). In addition to this, the Operating System
(OS) of users will need to be Windows 2000 (SP4) or above, and their computers must be
joined to the domain.
For computers to successfully communicate login credentials to the directory server, File
and Print share rights must be enabled and their primary DNS server must be set to the IP
address of the Active Directory server. Also, these computers must be joined to the domain
and use Windows (2000 SP4 or above) OS. Lastly, you will need to create two groups with
this feature; one for the devices used by the users (Network Node Group) and another for
the Directory Users (Directory Group). Both these groups will need to use the same
Internet Usage Rule (IUR) configured to use Web Based Authentication-IP Lookup.
The main advantage to this option is that you do not have to execute the Directory Client
during the login process. Also, if successfully executed, IP Lookup will seamlessly identify
users without presenting them a secondary login page. One disadvantage is that users will
not be correctly identified until ContentProtect Security Appliance first receives web (HTTP)
traffic from users. As such, there may be some discrepancy with application control and
reporting for users.
Directory Option 3: Directory Agent with NTLM
This option is intended for networks that use Terminal Server and Citrix Server sessions.
Please note that Citrix Servers offer a feature called Virtual IPs (VIPs), which will allow you
to use Directory Option 1: Directory Agent with Directory Client. If you can enable VIPs
with your Citrix Servers, using Directory Option 1 is recommended.
Directory Option 3 allows ContentProtect Security Appliance to identify individual users
through devices or applications that use one single IP address for several users. With this
option, you will be able to identify and filter individual users that access the Internet from
the same device.
This option requires that you install the Directory Agent on your directory server and then
deploy proxy settings to users’ web browsers. Essentially, users will send web traffic to
ContentProtect Security Appliance, acting as a proxy. This allows ContentProtect Security
Appliance to identify users based on web sessions rather than by IP addresses (method
used by all other directory options).
In addition to this, you will need to create two groups; one Network Node Group that will
include the Terminal Services servers or Citrix Servers, and one Directory User Group that
will include the Directory Users. Both groups will use the same Internet Usage Rule set to
Web Authentication-NTLM.
The main advantage to this option is the ability to individually identify and filter users
through Terminal Server or Citrix Server sessions. Although users will be using identical
devices to browse the Web, you can enforce different filtering policies based on Directory
Users. The main disadvantage is that all application reporting and control are global for
these users. Essentially, you will be able to control application and bandwidth traffic for the
Terminal Services server or Citrix server, but you will not be able to control application and
bandwidth traffic for specific users. Also, you will need to configure proxy settings
accordingly. This option will only support Windows (2000 SP4 or above) devices.
Directory Option 4: Directory Agent with Login Page
This option is designed as a failsafe in the event that Directory Option 2 or Directory Option
3 does not succeed, or if users have directory accounts but their devices are not members
of the domain. This option allows you to present users with a login page, where they can
enter in their username and password. ContentProtect Security Appliance will then verify
the credentials and enforce any filtering or shaping rules to the devices used to access the
network.
This option requires that the Directory Agent is installed on your directory server and that
you create an IUR set to Require Web based authentication. This allows ContentProtect
Security Appliance to identify users on initial web (HTTP) requests and then query the
directory server to confirm the user. You can also edit the login page presented to users
under Admin -> Redirection Pages -> Login Page. This menu allows you to name the Login
Page, add a description, and a username hint. You can also completely alter the page by
using HTML code present on the page.
The main advantage to this scenario is you can confirm Directory Users regardless of the
device in use. Whether users access the network via Microsoft PC, Macintosh computers,
Linux devices, or even hand held PDAs, ContentProtect Security Appliance will present all
users with a login page before accessing the Web.
The main disadvantage to this scenario is (depending upon your network) users may be
presented with two login processes; one for the computer or network and one for Internet
access. Also, users must have a login for the directory to use this feature. You cannot
create a ContentProtect Security Appliance login specific for this feature. If you are
attempting to use this feature for guest users, we recommend you create a guest account
on your directory server and inform guest users of the credentials or alter the login page to
present this information.
Another disadvantage is that users will not be correctly identified until ContentProtect
Security Appliance first receives web (HTTP) traffic from users. As such, there may be some
discrepancy with application control and reporting for users.
In addition to this, as with all Web Authentication options, you will need to create two
groups for users, one for their devices (Network Node Group) and one for Directory Users
(Directory Group). Both groups will need to use the same Internet Usage Rule set to Web
Authentication.
Directory Option 5: LDAP Settings with LDAP Client (cymldap.exe)
The last directory option is mainly designed for networks that do not use Microsoft’s Active
Directory. This option supports eDirectory, True Open LDAP, and also Microsoft AD if you
cannot install the Directory Client on the directory server.
This option allows ContentProtect Security Appliance to identify users based on user names
and manual creation of groups for these users. This option requires that you create an
account for ContentProtect Security Appliance on your directory server and that you deploy
the LDAP Client during the login process. Directory Option 5 will support both Windows
(2000 SP4 or above) devices as well as Macintosh OSX (10.3 or above) computers.
The main advantage with this option is support for networks that do not use Microsoft’s AD.
The main disadvantage to this option is that you will have to manually create groups on
ContentProtect Security Appliance for these users. In other words, you will not be able to
synchronize already created directory groups, OUs, or attributes from your directory server.
Lastly, this option only supports integration with one directory.
Below is a Directory Matrix listing all Directory Options with their accompanied advantages
and disadvantages. Although each Directory Option is targeted for a distinct network, you
can use a combination of options. For example, you could use Directory Option 1 for your
static directory users, and for roaming users you could use Directory Option 4. Also, Web
Authentication (which encompasses Directory Options 2 through 4) can be used in
conjunction with all other options.
By identifying which option is best for which set of users, you can create Directory Groups
designed around each option. Once you decide which option is best for your groups, you
can proceed by following the configuration steps for the Directory Options.
Figure 7.3 Directory User Matrix
Directory Configurations
After deciding which Directory Option to use, you will need to follow the individual steps for
the corresponding option. Below are listed the instructions on how to configure the various
Directory Options.
Directory Instructions
Directory Option 1
• Install Directory Agent
• Create Directory Agent
• Create Directory Agent Group
• Deploy Directory Client
• Create Directory IURs
Directory Option 2
• Install Directory Agent
• Create Directory Agent
• Create ContentProtect Security Appliance Group
• Create Directory Agent Group
• Create Directory IURs
Directory Option 3
• Install Directory Agent
• Create Directory Agent
• Create ContentProtect Security Appliance Group
• Create Directory Agent Group
• Create Directory IURs
Directory Option 4
• Install Directory Agent
• Create Directory Agent
• Create ContentProtect Security Appliance Group
• Create Directory Agent Group
• Create Directory IURs
Directory Option 5
• Enable LDAP Settings
• Deploy LDAP Client
• Create LDAP Groups
• Create Directory IURs
Install Directory Agents
The Directory Agent will allow ContentProtect Security Appliance to synchronize your
Directory groups, OUs, or user attributes with ContentProtect Security Appliance’s Directory
Groups. The Directory Agent will also indicate how to display user names under Reports.
You can download the Directory Agent under Admin -> Downloads -> Directory/LDAP
Software -> Download 32-bit Active Directory Agent. The Directory Agent must be installed
on a Windows (2000 or above) Server that has access to the directory, e.g., Active
Directory server, domain controller, etc.
Once downloaded, double-click on the Directory Agent installation package. This will
present you with the Directory Agent Installation Wizard. Follow the steps of the Wizard by
accepting the License Agreement, selecting a destination folder (C:\Program
Files\ContentWatch Directory Agent\ is the recommended placement), and Directory Agent
Settings.
Figure 7.4 Directory Agent Settings
The Directory Agent Settings allow you to specify how ContentProtect Security Appliance will
communicate with the Directory Agent. In this step, you can adjust the port used to
communicate (we recommend you use the default setting of TCP 3462), and the password
for authentication to and from the Directory Agent. Remember these settings in this step as
you will need to use the same settings for creating the Directory Agent on ContentProtect
Security Appliance.
Once complete, select Finish as the last step for installing the Directory Agent. If you need
to support multiple directories, perform the same steps on the additional directory servers.
There are certain events that can cause the Directory Agent to fail. To avoid this, you can
configure the Directory Agent to restart after failures. Access the Services on your directory
server (Start -> Administrative Tools -> Services) and search for the service called
ContentWatch Directory Agent. Right-click on the ContentWatch Directory Agent service
and select Properties. On the Recovery Tab, you can select Restart the Service under First
Failure, Second Failure, and Subsequent Failures.
Figure 7.5 ContentWatch Directory Agent Properties
One final note is that the Directory Agent needs domain user access with all Directory
Options except for Directory Option 2: Directory Agent with IP Lookup. This option requires
that the Directory Agent has administrative access (Log on as Administrator) to the
directory server. This allows the Directory Agent to force the directory server to retrieve
user credentials. Please make sure you select Log On as Administrator with this option.
Figure 7.6 ContentWatch Directory Agent Properties
Create Directory Agents
The second part to using the Directory Agent is to establish an association with
ContentProtect Security Appliance. This is done by creating the Directory Agent on
ContentProtect Security Appliance, which will allow the device to synchronize directory
groups, OUs, and user attributes.
Under Manage -> Directory Users & Nodes -> Directory Agent -> Click the Create button.
This will bring up the Add/Edit Directory Agent menu. In this menu you can create a name
for the Directory Agent, but more importantly you will specify the IP address of the AD
server where the Directory Agent is installed.
Also, indicate the Directory Agent settings from the previous section, i.e., TCP port
(recommended port 3462), and the Directory Agent Password. Once you have entered
these settings, click Save and ContentProtect Security Appliance will attempt to contact the
Directory Agent confirming it can communicate with the Directory Agent. If any errors are
returned, verify that you have entered the correct IP address, TCP port number, and
password. If you have installed multiple Directory Agents, you will need to create multiple
Directory Agents as a result.
Create ContentProtect Security Appliance Groups
Directory Options 2, 3, and 4 differ in that the Directory Client is not used to
indicate when Directory Users access the network. Rather, ContentProtect Security
Appliance identifies Directory Users by initial web (HTTP) requests. Because of this, there is
a potential that non-web (HTTP) traffic coming from users will not be handled or grouped
correctly until they access the Web. To compensate for this, you will need to create
Network Node Groups for the devices that will be used by Directory Users to ensure that all
their traffic is handled correctly.
To do this, follow the steps under the section Groups in Chapter 5: Managing ContentProtect
Security Appliance. Add the devices that the Directory Users will be using to access the
network. For example, if you are using Directory Option 3: Directory Agent with NTLM, you
will place the Citrix servers or Terminal Services servers into this group. Later, you will
create a single Internet Usage Rule that will be used by both the Network Node Group as
well as the Directory Users Group.
If you are unaware of the exact devices that will be in use by the Directory Users, you can
create a ContentProtect Security Appliance Group based on the IP address range assigned
to their devices. Again, see the section Groups in Chapter 5: Managing ContentProtect
Security Appliance for information on how to create ContentProtect Security Appliance
Groups with different member types. An additional option is to have the Default Group (all
unassigned devices) use the same Internet Usage Rule as your Directory Users.
Create Directory Agent Group
Directory Agent Groups are created under the same menu as ContentProtect Security
Appliance Groups. The difference with Directory Agent Groups is that these groups will use
the Directory Agent and your directory server to identify Directory Users. You must first
install and create a Directory Agent before you can create Directory Agent Groups.
Click on Manage -> Policies & Rules -> Groups -> Create -> Create a Directory Agent
Group. This will post the Add/Edit Directory Agent Group Detail. In this menu, you will
need to assign a name for the Directory Agent Group as well as a description. Afterwards,
select which Directory Agent you will use to synchronize the Directory Agent Group with the
Directory Agent drop-down box. Once you have selected your Directory Agent, click the
Add Members button.
ContentProtect Security Appliance will now communicate with the Directory Agent and query
your directory server for Distribution Groups or Security Groups. To add these groups
select the empty checkboxes next to the groups and then click the Ok button. If you need
to select multiple profiles, you can use the Shift + Click or CTRL + Click accordingly.
Distribution or Security Groups are just one of four member types you can synchronize with
the Directory Agent. You can also synchronize Organizational Units (OUs) and user
attributes. To select these different member types, click on the Choose a Member Type
drop-down box under the Add Directory Group Members menu.
If you select OUs, again, ContentProtect Security Appliance will communicate with the
Directory Agent and query your directory server for OUs. You can then select the profiles
for the OUs with the empty checkboxes and select Add. If you choose Attribute or Custom,
you will be prompted to define the user attribute of the Directory Users you want to
synchronize to the Directory Agent Group.
Attributes are characteristics or distinguishing features that are applied to users. You can
use the Directory Agent to query the directory server and find distinguishing attributes and
group users accordingly.
The two menus (Attributes and Custom) require advanced knowledge of your directory and
user attributes. With Attribute you will need to specifically identify which user attributes
will identify members of the Directory Agent Group, i.e., phone numbers, names, locations,
etc. With Custom, you can use a combination of Attributes.
Below is a table of some common examples used in directory servers and how to
synchronize groups based on attributes. Use this guide or your own directory attributes to
assist in synchronizing Directory Agent Groups with ContentProtect Security Appliance.
Common Directory Attributes
CN (Common Name)      CN=John Doe
displayName           displayName=John Doe
givenName             givenName=Joe
objectCategory        objectClass=user
sAMAccountName        sAMAccountName=jdoe
userPrincipalName     [email protected]
mail                  [email protected]
c (Country)           c=usa
company               company=mycompany
department            department=IT
location              location=remote site
manager               manager=boss
postalCode            postalCode=11111
st (State)            st=New York
streetAddress         streetAddress=123 Main
telephoneNumber       telephoneNumber=111-111-1111
An example of how to synchronize Directory Agent Groups based on Attributes would be
creating a Directory Agent Group for all users that are upper level managers. The Attribute
would read “manager” followed by “is exactly” and then “upper level”.
Figure 7.7 Attribute Example
This Directory Agent would then query the directory server for any user that has an
Attribute of manager set to upper level. Accordingly, every time upper level managers
access the network, ContentProtect Security Appliance will group the users as a result.
Again, the member type of Attribute requires a high level of understanding on how to
identify specific characteristics with Directory Users. The examples listed above are
common directory attributes, but keep in mind that your directory server may have its own
attributes specific to your organization. Because of this, you may need to perform some
independent research on how to use the Attribute feature.
The drop down options for the Attribute member type are is exactly, is approximately, is
not, is less than or equal to, is greater than or equal to, contains, does not contain, starts
with, and ends with. The Attribute and Value fields allow you to enter case sensitive options
from your directory server.
The member type of Attribute allows you to specifically identify how to synchronize Directory
Agent Groups based on a single attribute. However, if you want to synchronize Directory
Agent Groups based on multiple Attributes, you will need to select the member type of
Custom.
Custom allows you to synchronize Directory Agent Groups based on combined attributes.
Using the example above we could create a group based on all upper level managers that
didn’t include those from a remote site.
The custom attribute would read “manager” followed by “= upper level”. Towards the end
would be the attribute for the stipulation to not include the remote site “! location=remote
site”. The Custom member type would require that you separate the different Attributes as
well as enclose the entire string with parentheses to identify these Directory Users correctly,
e.g., ((manager=upperlevel)!(location=remote site)).
Figure 7.8 Custom Example
The following table lists common operators with Directory Custom Attributes.
Common Directory Operators
&     And
|     Or
!     Not
=     Equals
~=    Approximately
>     Greater than
<     Less than
>=    Greater than or equals
<=    Less than or equals
Once more, using Custom member type requires advanced knowledge of how to define
Directory Attributes. If you are having difficulty creating Directory Agent Groups based on
Attributes or Custom, please contact your Authorized ContentWatch Reseller or
ContentWatch Support at 1 (800) 485-4008. One last note is that you can also combine
Directory Users into one group using a combination of the different member types.
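The Custom example above (upper level managers who are not at the remote site), evaluated against constructed user records so a filter can be checked before it is used to build a group. This is an added example, not part of the guide or of ContentWatch's software; it assumes standard LDAP prefix notation (RFC 4515) with exact, case sensitive value matching, and the names parse, matches and select are illustrative.

```python
import re

# Constructed sample directory entries (not from the guide); attribute names
# follow the guide's "Common Directory Attributes" table.
USERS = [
    {"sAMAccountName": "jdoe", "manager": "upper level", "location": "head office"},
    {"sAMAccountName": "asmith", "manager": "upper level", "location": "remote site"},
    {"sAMAccountName": "bjones", "manager": "upper level"},  # location not set
    {"sAMAccountName": "cwu", "manager": "team lead", "location": "head office"},
]

# attribute, operator, value. RFC 4515 defines =, ~=, >= and <=; bare > and <
# are accepted here only because the guide's operator table lists them.
_ITEM = re.compile(r"^\s*([A-Za-z][\w;-]*)\s*(~=|>=|<=|=|>|<)(.*)$", re.S)


def parse(text):
    """Parse a prefix-notation filter into nested tuples; ValueError if malformed."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":          # And / Or / Not over sub-filters
        op, i = s[i], i + 1
        kids = []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"'{op}' has the wrong number of operands")
        return (op, kids), i + 1
    end = s.find(")", i)                       # a single attribute comparison
    if end == -1:
        raise ValueError("unbalanced parentheses")
    m = _ITEM.match(s[i:end])
    if not m:
        raise ValueError(f"bad comparison {s[i:end]!r}")
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), end + 1


def _unescape(value):
    # RFC 4515 writes special characters as \XX hex pairs, e.g. \28 for "(".
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _compare(have, op, value):
    if op == "=":
        # "*" is a wildcard: "upper*" is starts-with, a lone "*" means "is set".
        pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
        return re.fullmatch(pattern, have, re.S) is not None
    want = _unescape(value)
    if op == "~=":
        # Approximate matching is server-defined; this model ignores case and spaces.
        squash = lambda t: "".join(t.lower().split())
        return squash(have) == squash(want)
    try:
        a, b = float(have), float(want)        # numeric when both sides are numbers
    except ValueError:
        a, b = have, want                      # otherwise compare as text
    return {">=": a >= b, "<=": a <= b, ">": a > b, "<": a < b}[op]


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, op, value = node
    have = {k.lower(): v for k, v in entry.items()}.get(attr)
    # An attribute that is not set never matches, so a Not around it does match.
    return have is not None and _compare(have, op, value)


def select(filter_text, users=USERS):
    """Return the account names of the users the filter would place in the group."""
    tree = parse(filter_text)
    return [u["sAMAccountName"] for u in users if matches(tree, u)]


if __name__ == "__main__":
    print(select("(&(manager=upper level)(!(location=remote site)))"))
```

In this model bjones, who has no location attribute, is selected by the Not clause, so review accounts with unset attributes before relying on a Not condition to keep users out of a group.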
After you have added members to the Directory Agent Group, you can also review the
Directory Members by selecting Show User List. This menu is available under the Add/Edit
Directory Agent Group Detail. Select the checkbox next to each Directory Member and click
the Show User List button. You can also remove Directory Members with the Remove
Members button. The Edit Member button is only available with Directory Members based
on Attributes or Custom member types.
The last option available with the Add/Edit Directory Agent Group Detail is the Edit
Precedence. This setting is used when you have created multiple Directory Agent Groups
and may have conflicting user membership. For example, if you have two Directory Agent
Groups based on OUs and some users of the Directory Agent Groups are members of both
OUs, you can use the Edit Precedence to specify which Directory Agent Group assignment
will take priority. The Edit Precedence allows you to drag and drop Directory Agent Group
names to adjust group precedence. After you have synchronized your Directory Agent
Groups, make sure to Save your changes.
Deploy Directory Client/LDAP Client
The Directory and LDAP Client are small executable files that send user information to
ContentProtect Security Appliance. These transmissions are called heartbeats. They allow
ContentProtect Security Appliance to identify the specific user that is generating network
traffic from a particular computer. In essence, the Directory and LDAP Client identify the
traffic by user name and associate it with the current computer’s IP address.
While the Directory and LDAP Client continue to send heartbeats, ContentProtect Security
Appliance watches traffic from that IP address and associates it with the user. Once the
user logs out, the Directory and LDAP Client stop sending heartbeats, and ContentProtect
Security Appliance disassociates the IP address from the user name. Thus, the Directory
and LDAP Client allow ContentProtect Security Appliance to identify user traffic for
monitoring, shaping, and blocking. The steps to deploy these two clients are similar.
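A minimal model of the heartbeat association described above, added here as an illustration; it is not ContentWatch code and does not reproduce the clients' actual protocol. The 90-second timeout, the class and function names, and the event list are assumptions constructed for the example.

```python
HEARTBEAT_TIMEOUT = 90  # seconds; assumed value, the guide does not give the interval


class PresenceTable:
    """Tracks which users have sent a recent heartbeat from each IP address."""

    def __init__(self, timeout=HEARTBEAT_TIMEOUT):
        self.timeout = timeout
        self.last_seen = {}  # ip -> {user: time of last heartbeat}

    def heartbeat(self, ip, user, now):
        self.last_seen.setdefault(ip, {})[user] = now

    def attribute(self, ip, now):
        """Decide how traffic from `ip` at time `now` would be reported."""
        live = {u: t for u, t in self.last_seen.get(ip, {}).items()
                if now - t <= self.timeout}
        if live:
            self.last_seen[ip] = live
        else:
            self.last_seen.pop(ip, None)      # heartbeats stopped: drop the association
        if not live:
            return ("node", ip)               # fall back to Network Node reporting
        if len(live) == 1:
            return ("user", next(iter(live)))
        return ("ambiguous", ",".join(sorted(live)))  # several users behind one IP


# Constructed events: (time in seconds, kind, ip[, user])
EVENTS = [
    (0, "hb", "10.0.0.21", "jdoe"),
    (10, "traffic", "10.0.0.21"),
    (60, "hb", "10.0.0.21", "jdoe"),
    (100, "hb", "10.0.0.30", "jdoe"),         # jdoe logs in at another workstation
    (120, "traffic", "10.0.0.21"),            # old address, still inside the timeout
    (200, "traffic", "10.0.0.21"),            # timeout passed, association dropped
    (205, "hb", "10.0.0.50", "asmith"),       # two sessions on one shared server
    (206, "hb", "10.0.0.50", "bjones"),
    (210, "traffic", "10.0.0.50"),
]


def replay(events, timeout=HEARTBEAT_TIMEOUT):
    """Feed the events through a PresenceTable and return one result per traffic event."""
    table = PresenceTable(timeout)
    results = []
    for now, kind, ip, *rest in events:
        if kind == "hb":
            table.heartbeat(ip, rest[0], now)
        else:
            results.append(table.attribute(ip, now))
    return results


if __name__ == "__main__":
    for result in replay(EVENTS):
        print(result)
```

The second result shows traffic from 10.0.0.21 still reported under jdoe after that user has moved, and the last shows why users behind one shared address, such as a Terminal Services or Citrix server, cannot be separated by IP address alone.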
Directory Client/LDAP Client Versions
There are three versions of the Directory and LDAP Client. The three versions of the
Directory Client are cymdir.exe (Directory Client for 32-bit Windows OS), cymdir_64.exe
(Directory Client for 64-bit Windows OS), and cymdir_MAC (Directory Client for Macintosh
computers).
The three versions of the LDAP Client are cymldap.exe (LDAP Client for 32-bit Windows OS),
cymldap_64.exe (LDAP Client for 64-bit Windows OS), and cymldap_MAC (LDAP Client for
Macintosh computers).
Please note that both the Directory and LDAP Client are compatible with Windows 2000 SP4
and above platforms as well as Macintosh OSX 10.3 and above platforms. This next section
details how to deploy the Directory and LDAP Client for 32-bit Windows XP. The Macintosh
clients have read me files that instruct on how to deploy cymdir_MAC and cymldap_MAC
clients. You can download the Macintosh client to access the read me files under Admin ->
Configuration -> Downloads -> Directory/LDAP Software.
The other Directory Clients are also available under Admin -> Downloads -> Directory/LDAP
Software. The LDAP Clients are available under Admin -> Downloads -> Directory/LDAP
Software -> Click here for legacy executables.
Once you download the Directory or LDAP Client, you will want to execute the file locally to
present some of the help features that the Clients offer. You can also test how user names
will be posted with ContentProtect Security Appliance. You will need to be logged into a
Windows PC that is a member of the domain for these steps to work.
Executing the Directory/LDAP Client
Place the Directory or LDAP Client on your desktop. Now, double-click the executable.
Although the Clients are signed applications, your security settings may trigger a warning
about running executables.
Without any parameters set for the Clients, you should receive a help dialog box. This help
dialog box will post when the Clients are unable to send heartbeats to ContentProtect
Security Appliance or have other communication errors. This box will also appear if there
are syntax errors or if ContentProtect Security Appliance’s IP address is not provided.
The Help Dialog will provide several useful pieces of information:
• Error Messages—this message will post when a connection failure is present for the
Clients. Causes of connection failures are invalid IP addresses assigned as
parameter values, ContentProtect Security Appliance is powered off, computers
running the Clients are unable to connect to the network, bad command line
parameters, etc. You can use the Error Message to diagnose problems with the
Clients if they occur.
• Authentication Type—this message will post which type of authentication appears to
be on the network, such as Windows authentication or Novell authentication. If both
are available, you can choose which you prefer by using the /AD switch (please see
section Usage below).
• Authentication Information—this option displays the current user logged into the
computer as well as the Domain (Windows) or Context (eDirectory). If the computer
is not part of a Domain, the Clients will return the name of the Windows workstation.
• Usage—this is intended to show the proper syntax for command line options given to
the Clients. Please note that ContentProtect Security Appliance’s IP address is
always required and should always come last.
o /ad switch—this option is only necessary under either of the following
conditions:
▪ Some of your workstations have the Novell Client installed.
▪ You want to use Active Directory even though eDirectory is present.
This option will force the Clients to send Windows Active Directory user
information and not eDirectory user information.
o /tcp switch—this option is used to force the Clients to use TCP connections
instead of UDP. UDP connections are preferred as they do not require static
routes; however, this option is available for backwards compatibility and
troubleshooting. If you enable this option, you will need to create static
routes accordingly. Please see the section Static Routes in Chapter 6:
Administrating ContentProtect Security Appliance.
• /silent switch—this option will prevent the help dialog from coming up under any
circumstances. This setting is not recommended for troubleshooting and testing
purposes; however, under normal usage this option is recommended. This option
should be used when you deploy the Clients in your production environment. By
doing so, you will prevent end users from seeing this dialog box and possibly
disabling it or causing other problems.
• /sleep switch—this option allows you to change the number of minutes the Clients
will allow to pass before sending heartbeats and becoming dormant. The default
setting is 5 minutes. The value must be 1 minute or greater, and with the LDAP
Client (cymldap.exe) should be less than the LDAP Client Heartbeat Timeout (Admin
-> Configuration -> LDAP Settings).
• IP address—this option is necessary to direct the Client to ContentProtect Security
Appliance for heartbeats. You will need to use the IP address of ContentProtect
Security Appliance.
• Complete Usage Information—this option lists further reference information for
assistance on deploying the Clients.
Once you have reviewed the options available on the help dialog box for the Clients, you
may exit the dialog box and properly execute the client locally for testing. Please follow
these steps:
1. Open a Windows Run Prompt (Start -> Run).
2. Type “cmd” in the open dialog box.
3. Click OK.
4. Drag cymdir.exe or cymldap.exe to the Command Prompt, and drop it (this will paste
the full path).
5. After “cymdir.exe” or “cymldap.exe” type in the IP address of the ContentProtect
Security Appliance (in this example, we will use 192.168.255.2).
Figure 7.10 Command Line Syntax for Directory Client
6. Execute the command by pressing ENTER.
a. If the help dialog is raised, then there were communication errors. Please
review the syntax and correct any possible errors, i.e., IP address, switches,
etc.
b. If the help dialog is not raised, then the command executed properly. You
can verify this by looking at the process list of the Windows Task Manager. A
process called cymdir.exe or cymldap.exe should be listed.
Now that you have properly executed the Client locally, let’s confirm that ContentProtect
Security Appliance received the heartbeat and posted the correct username. Click Manage ->
Directory Users & Nodes -> Directory Users. Verify that a new profile is listed under the
username used to log in to the computer.
Deploying the Directory/LDAP Client
Now that you have confirmed that the Client can communicate to ContentProtect Security
Appliance, you are ready to deploy the Client in your network.
Because each network is unique, the User Guide and ContentWatch cannot make specific
recommendations as to how you should integrate Directory/LDAP Client into your network
and directory server. This section will provide the best information; however, please note
that this information is provided “AS-IS” and without warranty of any kind.
There are a variety of ways to deploy Directory/LDAP in your network that will execute
when users login to the domain. The most common ways are the following:
• Batch file
• Registry Setting
• Domain Group Policy Object (GPO)
• Netware Login Script
• VB Script
• Registry Key
• Shortcut in Startup folder
All of these methods employ different means for executing Directory/LDAP Client. However,
this chapter will only cover how to deploy Directory/LDAP Clients via a batch file, registry
settings, Domain GPO, and Netware Login Script. Other methods presented will need to be
researched and deployed at your discretion. Again, because each network is different, this
User Guide will not advise which method is better. This guide will merely present the most
common techniques used. The examples below are for the Directory Client. If you are
using the LDAP Client, simply substitute cymldap.exe for cymdir.exe.
Creating a Batch File for Directory/LDAP Client
1. Pick a file directory on your directory server that will store both the batch file and
Client (for example \\server\share\folder).
2. Copy Directory/LDAP Client to this folder.
3. Create a Windows batch/command file in this folder (you can do this from notepad
and change the file extension to .bat).
4. Enter the following text into the file: start /d "\\server\share\folder" cymdir.exe
/silent IP address of ContentProtect Security Appliance (in this example we will use
the path of \\mydomain.tld\netlogon\ContentWatch and the IP address of
192.168.255.2).
a. Using Windows shell environment variables can add power and flexibility to
the batch file. For example, by using the syntax: start /d
"\\%directoryserver%\netlogin\" cymdir.exe /silent 192.168.255.2 you can
deploy Directory/LDAP Client over multiple directory servers. However, this
may require additional troubleshooting if the variables do not resolve
correctly. If this is the case, use the full syntax as displayed below.
Figure 7.11 Batch File for Client
5. Verify that the newly created batch file executes when users login to the domain by
loading the Windows Task Manager and confirming Directory/LDAP Client is in the
process list.
Deploying the Directory/LDAP Client in a Group Policy Object
1. Log on to your Domain or Active Directory server.
2. Open a Windows Run Prompt (Start -> Run).
3. In the Open field type “mmc” (Microsoft Management Console).
4. Click OK.
5. In the File menu select Add/Remove Snap-in.
Figure 7.12 Console Prompt
6. Click the Add button.
7. Scroll down and select Group Policy Object Editor.
Figure 7.13 Add Standalone Snap In
8. Click the Add button (this will launch the Group Policy Object Wizard).
9. Press the Browse button.
10. Select Default Domain Policy.
11. Click OK.
Figure 7.14 Browse for Group Policy Object
12. Click Finish on the Add Group Policy Wizard.
13. Close the Add Standalone Snap-in dialog box.
14. Click OK on the Add/Remove Snap-in dialog box (you should now be looking at the
MMC screen with the Console Root Folder above the new Default Domain Policy you
have just added).
Figure 7.15 Console Root
15. Expand the Default Domain Policy.
16. Expand the User Configuration option.
17. Expand the Windows Settings option.
Figure 7.16 Scripts Logon
18. Select Scripts (Logon/Logoff).
19. Right-click the Logon option for the Logon Properties dialog box (depending on your
current configuration you may already have several scripts running).
20. In order to place Directory/LDAP Client in the correct folder for your Domain Policy
select Show Files button (this will open a new window displaying the current files for
the Domain Policy).
21. Copy Directory/LDAP Client and paste it into the logon scripts folder (please confirm
that you copied the entire file into the folder and not just a shortcut to the file or the
file path).
22. Close the logon scripts folder to return to the Logon Properties dialog box.
23. Click Add to open the Add a Script dialog box.
24. Click Browse to open the Logon Script Folder.
25. Select Directory/LDAP Client and click Open (you should now be in the Add a Script
Dialog box; Directory/LDAP Client should appear in the Script Name box).
26. Enter ContentProtect Security Appliance’s IP address in the Script Parameters box (in
this example we will use 192.168.255.2).
Figure 7.17 Script Parameters
27. Click OK to close the Add a Script dialog box.
28. Click OK again to close the Logon Properties dialog box.
29. Confirm any other changes to the Console Root settings that you have edited.
Directory/LDAP Client is now ready to run the next time users login to the Active Directory
domain. Again, you can confirm this by reviewing the Directory User tab in ContentProtect
Security Appliance to verify that ContentProtect Security Appliance is receiving heartbeats
from users.
Deploying Directory/LDAP Client in a Registry Entry
This method requires additional administrative effort as Directory/LDAP Client must be
deployed to each work station in question and a registry key imported. Directory/LDAP
Client also may require multiple running instances in some circumstances; however, this will
not impact performance or reporting.
1. Create a Windows registry file (you can do this from notepad and change the file
extension to .reg).
2. Insert the following text. (You may need to adjust the path depending on your
settings. Also the last line requires the IP address of ContentProtect Security
Appliance. In this example, we will use 192.168.255.2)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ContentWatch"="cymdir.exe /silent 192.168.255.2"
3. Save and exit the registry file
4. Place a copy of Directory/LDAP Client on each workstation’s Windows folder. (You
can also choose any location in PATH).
5. Import the registry file into each workstation’s registry.
Deploying the LDAP Client in a Netware Login Script
Because the Directory Client cannot be used in an eDirectory environment, the following
steps are just for the LDAP Client.
Please note that the screen shots presented here are represented in ConsoleOne for Novell
eDirectory. Similar functionality is available from iManager. We will use an Organizational
Unit to set a common login script for all users. The LDAP Client will be executed with
“/silent” and the IP address of ContentProtect Security Appliance.
1. Run ConsoleOne (this is usually located at Z:\mgmt\ConsoleOne\1.2\bin\ConsoleOne.exe
if your Netware “Public” share is mapped or
C:\novell\consoleone\1.2\bin if you have installed it locally).
Figure 7.18 ConsoleOne
2. Copy the cymldap.exe to an accessible location (this could be on a Netware Server
with a mapped drive, network attached storage, or the local workstation).
3. Navigate to an Organizational Unit containing users.
4. Edit the properties of the OU to add a login script similar to the following.
Figure 7.19 Login Script Properties
Depending on your LDAP settings, eDirectory may require TLS for simple binds.
However, TLS can prevent ContentProtect Security Appliance from retrieving user data. To
allow ContentProtect Security Appliance to retrieve LDAP User data, you will need to disable
TLS for simple binds. With this requirement turned off, simple binds, including the
password of the LDAP Server User Name account, cross the network unencrypted.
5. Open the properties of the LDAP group.
6. Verify the Require TLS for simple binds with password is unchecked.
Figure 7.20 Properties of LDAP group
This concludes the section on how to deploy Directory/LDAP Client. Again, because each
network is unique, you may need to determine the best method (or perhaps combination of
methods) to deploy the Directory and LDAP Client.
Create Directory Internet Usage Rules
Creating Internet Usage Rules (IURs) for Directory Groups is quite similar to creating IURs
for ContentProtect Security Appliance Groups. If you have chosen Directory Option 1 and
Directory Option 5 for integrating Directory Users, you will follow the same steps listed in
Chapter 5: Managing ContentProtect Security Appliance for your IURs.
If you have chosen Directory Options 2, 3, and 4, you will need to enable the different
features tailored for each option under the Internet Usage Rule Manager. This is done
under the Web Authentication tab. There are several options that are universal for
Directory Options 2, 3, 4 that are listed under Web Authentication.
Web Authentication
Remember that Web Authentication identifies users by web (HTTP) requests. Because of
this, non-web traffic, e.g., IM, P2P, etc., may not at first be correctly reported or controlled
until ContentProtect Security Appliance receives a web request from Directory Users.
For the same reason, the IUR you assign to the Directory Users needs to be the same IUR you
assign to the devices in use by Directory Users. Directory Options 2, 3, and 4 require you to make
two groups, ContentProtect Security Appliance Groups for Directory Users’ devices and
Directory Groups for Directory Users. Both these groups will need to use the exact same
IUR.
Also, remember that Directory Option 4 is the safeguard for Directory Option 2 and 3. If for
some reason, these two Web Authentication pieces fail (IP Lookup or NTLM) ContentProtect
Security Appliance will present a login page for members of the Directory Group. Below are
settings that can be used with all Web Authentication rules.
• Web Authentication White List—these are web sites for which ContentProtect
Security Appliance will not require Directory credentials to access.
• Inactivity Timeout—this setting allows you to identify how much inactive time can
pass before ContentProtect Security Appliance re-confirms Directory Users. For
example, if you use Directory Option 4: Directory Agent with Login Page,
ContentProtect Security Appliance will present a user with a login page on his/her
first web (HTTP) request. If after logging in, the user does not pass any
more web traffic within a certain amount of time, ContentProtect Security
Appliance will again present the login page to the user. The default time for this
setting is 5 minutes.
• Session Timeout—this setting allows you to identify how much time can pass,
regardless of activity, before ContentProtect Security Appliance re-confirms
Directory Users. With Directory Option 2: Directory Agent with IP Lookup,
ContentProtect Security Appliance will again (via the Directory Agent) have the
Directory Server re-confirm the credentials of the Directory Users. With Directory
Option 3: Directory Agent with NTLM, ContentProtect Security Appliance will
review the Proxy connections of the users and re-confirm their credentials.
Lastly, with Directory Option 4: Directory Agent with Login Page, ContentProtect
Security Appliance will present users with a Login page. The default time for this
setting is 30 minutes.
Directory Option 2: Directory Agent with IP Lookup
For Directory Option 2, go to Manage -> Policies & Rules -> Internet Usage Rule -> Create.
Name the Internet Usage Rule after its corresponding Directory Group. You can also select
web categories, URLs, and other settings to block for the Directory Group by following the
instructions listed under Internet Usage Rules in Chapter 5: Managing ContentProtect
Security Appliance for your IURs.
Afterwards, click on the Web Authentication tab and select Require Web Based
Authentication. Once you have selected this, the checkbox next to Directory Agent IP
Lookup will be available. Check the box next to the option and Save your changes. Don’t
forget to apply the IUR to the Directory Group and its corresponding ContentProtect
Security Appliance Group using the Policy Manager.
Directory Option 3: Directory Agent with NTLM
For Directory Option 3, go to Manage -> Policies & Rules -> Internet Usage Rule -> Create.
Name the Internet Usage Rule after its corresponding Directory Agent Group. You can also
select Web categories, URLs, and other settings to block for the Directory Agent Group by
following the instructions listed under Internet Usage Rules in Chapter 5: Managing
ContentProtect Security Appliance for your IURs.
Afterwards, click on the Web Authentication tab and select Require Web Based
Authentication. Once you have selected this, the checkbox next to Directory Agent NTLM
Handshake will be available. Check the box next to the option and Save your changes.
Don’t forget to apply the IUR to the Directory Group and ContentProtect Security Appliance
Group using the Policy Manager.
Because the NTLM handshake will be issued via a proxy connection, make sure that
ContentProtect Security Appliance is configured in Proxy mode (Admin -> Configuration ->
Advanced Setup -> Allow HTTP Connections on Port 8888). For more information on this
setting please see Chapter 2: Installing ContentProtect Security Appliance.
Directory Option 4: Directory Agent with Login Page
For Directory Option 4, go to Manage -> Policies & Rules -> Internet Usage Rule -> Create.
Name the Internet Usage Rule after its corresponding Directory Group. You can select
which web categories, URLs, and other settings to block for the Directory Group by following
the instructions listed under Internet Usage Rules in Chapter 5: Managing ContentProtect
Security Appliance for your IURs.
Afterwards, click on the Web Authentication tab and select Require Web Based
Authentication. Users will now be presented with a Login Page as soon as they initiate a web
(HTTP) request. Remember to Save your changes and apply the IUR to the Directory Group
as well as the ContentProtect Security Appliance Group using the Policy Manager.
Enable LDAP Settings
To enable LDAP settings on ContentProtect Security Appliance, you will need the information
listed below. If you are unaware of some of these settings, ContentProtect Security
Appliance offers utilities that can scan your network for the appropriate information. In
addition to this, a brief explanation follows the terms for clarification.
• LDAP Server IP/Hostname—this is the IP address or hostname of the LDAP Server,
e.g., 192.168.255.2 or ldap.mycompany.com. If you are unsure of the IP address
assigned to the LDAP Server, you may select Scan My Network during the Setup
Wizard or under Admin -> Configuration -> LDAP Settings for possible LDAP Servers.
• LDAP Server Query Port—TCP port 389 is registered with the Internet Assigned
Numbers Authority (IANA) for LDAP Traffic. Do not change this value unless your
LDAP Server uses a port other than 389.
• LDAP Server Base Distinguished Name (DN)—the LDAP Server Base Distinguished
Name tells ContentProtect Security Appliance where to begin searching for user
information. For example, if users are located in different directories, you will want
to select a common directory where all users can be found. Usually the root
directory is the preferred setting for the LDAP Server Base DN as all users can be
found from the root directory. If you are unsure of the LDAP Server Base DN, you
may select Query My LDAP Server during the Setup Wizard or under Admin ->
Configuration -> LDAP Settings for possible options.
o Windows Active Directory example—DC=mydomain,DC=com
o Novell eDirectory example—O=MyOrganization
• LDAP Profile Default Name Mask—this value controls which LDAP attributes are used
for the names associated with each LDAP User. The default Given Name
%givenName% and Surname %sn% use standard LDAP attributes that should work
for all LDAP Servers. This default name mask will display a name such as
“John Doe” for a user. However, some LDAP deployments do not populate these
attributes and should instead use %displayName%, %cn%, or
%sAMAccountName%.
• LDAP Server User Name—this represents an LDAP account with sufficient access in
the directory to perform searches associated with the network users and groups. In
Windows, this means a user with “Domain User” privileges. This field must use the
User Principal Name with Active Directory and the Fully Qualified Distinguished Name
(FQDN) for eDirectory. Also, we recommend that you create an account on your
LDAP Server that is specific to ContentProtect Security Appliance and no other user.
o Windows Active Directory example—[email protected]
o Novell eDirectory example—CN=username,O=MyOrganization
o mycompany\jdoe may not work as expected because some LDAP Servers
don’t accept this setting by default.
• LDAP Server Password—this is the password associated with the LDAP Server User
Name. Please remember that the password is case sensitive and will need to be
updated if you change the password on the LDAP Server.
• LDAP Client Heartbeat Timeout (in minutes)—this setting indicates to ContentProtect
Security Appliance how many minutes must pass with no heartbeat before a user is
considered to be gone. Because CymLDAP tracks when a user logs in or out and
sends heartbeats at regular intervals, a timeout is most likely under two
circumstances:
o The LDAP Client, CymLDAP, has terminated (likely by user intervention)
o The user disconnects his/her computer from the network
The default value is 15 minutes. When a timeout occurs, network traffic associated
with that particular network node is not associated with the former user.
With the previous information provided, you are now ready to enable ContentProtect
Security Appliance LDAP settings. You can enable LDAP under Admin -> Configuration ->
LDAP Settings. Remember to Apply the changes once you enter in the information.
Once you have enabled LDAP Settings within ContentProtect Security Appliance, you will
need to deploy the LDAP Client for user reporting and filtering.
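A pre-flight check for the LDAP values listed above, as an added example rather than ContentWatch code. It checks the Base DN syntax, the bind-name form the guide requires (User Principal Name for Active Directory, distinguished name for eDirectory), the /sleep-versus-timeout rule, and whether the name mask renders for sample directory entries. The configuration keys, function names, finding codes and sample entries are assumptions made for the illustration.

```python
import re

MASK_TOKEN = re.compile(r"%([A-Za-z][A-Za-z0-9-]*)%")
RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*([^,=]+?)\s*$")
# Name masks mentioned in the guide, tried in this order.
CANDIDATE_MASKS = ["%givenName% %sn%", "%displayName%", "%cn%", "%sAMAccountName%"]
# Bind-name form the guide asks for per directory type (keys are hypothetical).
WANTED_BIND_FORM = {"ad": "upn", "edirectory": "dn"}


def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs. Escaped commas are not handled."""
    if not dn.strip():
        raise ValueError("empty DN")
    pairs = []
    for part in dn.split(","):
        match = RDN.match(part)
        if not match:
            raise ValueError(f"malformed RDN {part!r}")
        pairs.append((match.group(1).upper(), match.group(2)))
    return pairs


def classify_bind_name(name):
    """Return 'upn', 'dn', 'downlevel' (DOMAIN\\user) or 'unknown'."""
    if "=" in name:
        try:
            parse_dn(name)
        except ValueError:
            return "unknown"
        return "dn"
    if "\\" in name:
        return "downlevel"
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name):
        return "upn"
    return "unknown"


def render_name(mask, entry):
    """Expand %attr% tokens from an entry; return (name, missing_attributes)."""
    lowered = {key.lower(): value for key, value in entry.items()}
    missing = []

    def substitute(match):
        value = lowered.get(match.group(1).lower(), "")
        if not value:
            missing.append(match.group(1))
        return value

    rendered = " ".join(MASK_TOKEN.sub(substitute, mask).split())
    return rendered, missing


def suggest_mask(entries):
    """First candidate mask whose attributes are populated in every entry."""
    for mask in CANDIDATE_MASKS:
        if all(not render_name(mask, entry)[1] for entry in entries):
            return mask
    return None


def check_settings(cfg, entries):
    """Return a list of (code, detail) findings; an empty list means no issue."""
    findings = []
    try:
        parse_dn(cfg["base_dn"])
    except ValueError as exc:
        findings.append(("base-dn-malformed", str(exc)))
    form = classify_bind_name(cfg["bind_name"])
    wanted = WANTED_BIND_FORM[cfg["directory"]]
    if form != wanted:
        findings.append(("bind-name-format", f"got {form}, guide asks for {wanted}"))
    if cfg["port"] != 389:
        findings.append(("non-default-port", str(cfg["port"])))
    if not 1 <= cfg["client_sleep_min"] < cfg["heartbeat_timeout_min"]:
        findings.append(("sleep-vs-timeout", "/sleep must be >= 1 and below the timeout"))
    unnamed = [e for e in entries if render_name(cfg["name_mask"], e)[1]]
    if unnamed:
        findings.append(("name-mask-unpopulated",
                         f"{len(unnamed)} entries; try {suggest_mask(entries)}"))
    return findings


# Constructed sample data: one full user entry, one account without name fields.
SAMPLE_ENTRIES = [
    {"givenName": "John", "sn": "Doe", "displayName": "John Doe",
     "cn": "John Doe", "sAMAccountName": "jdoe"},
    {"cn": "Lab Kiosk", "sAMAccountName": "kiosk01"},
]
SAMPLE_CFG = {
    "directory": "ad", "port": 389, "base_dn": "DC=mydomain,DC=com",
    "bind_name": "mycompany\\jdoe", "name_mask": "%givenName% %sn%",
    "client_sleep_min": 5, "heartbeat_timeout_min": 15,
}

if __name__ == "__main__":
    for code, detail in check_settings(SAMPLE_CFG, SAMPLE_ENTRIES):
        print(code, "-", detail)
```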
Create LDAP Groups
LDAP Groups are created the same as ContentProtect Security Appliance groups; however,
you will use the member type of LDAP instead of Network Node, MAC address, CIDR Block
Source and Destination or any other member types. Please see Chapter 5: Managing
ContentProtect Security Appliance for more information.
Directory Troubleshooting
There are several variables that can cause Directory integration to not work properly with
ContentProtect Security Appliance. Identifying which components of Directory integration
are not working properly will help you find a solution. We’ll first discuss using
ContentProtect Security Appliance to diagnose the problem. We then discuss
troubleshooting Group Policy Objects with the Directory and LDAP Client, scripting issues,
and other possible problems.
Using Diagnostic Tools
There are five ContentProtect Security Appliance diagnostic tools that can be used to
confirm if Directory is working properly. The first four tools are located under Admin ->
Configuration -> Diagnostic Tools. The last is listed under Admin -> Logs. All the tools are
listed below as bulleted items:
• Directory Agent Diagnostics—this menu allows you to confirm Directory group
synchronization, Directory User assignment, and current devices in use by Directory
Users. This menu has several options to confirm that the Directory Agent is
operating correctly, and that ContentProtect Security Appliance is able to associate
network traffic with the correct Directory User.
The first option is User Lookup. User Lookup can determine where users are located
on the Directory Server to ensure they are synchronized correctly to Directory
Groups on ContentProtect Security Appliance. Select Test Type User Lookup and the
Directory Agent that is installed on the Directory Server for the corresponding user.
Enter in the Username and click the Run Diagnostic button.
If the Directory Agent can successfully find the Username, the user’s Common Name,
Directory Agent Group (the synchronized group for ContentProtect Security
Appliance), the Directory Agent Group (the actual user group from the Directory
Server), the Distinguished Name, and the time taken to run the test will be posted.
If this information is not posted or is incorrect, verify that the Directory Agent is
running correctly and can communicate to ContentProtect Security Appliance. Also,
confirm that the user’s account is present on the Directory Server where the
Directory Agent is installed.
The next option is IP Lookup. This option allows you to query a workstation and
confirm the user present on the workstation. This option is used in conjunction
with Directory Option 2: Directory Agent with IP Lookup and will (via the Directory
Agent) petition the Directory Server to confirm user credentials for specific IP
addresses.
Select the IP Lookup from the Test Type drop-down box and the Directory Agent for
the specific Directory User. Enter in the IP address of the device you want to query,
and click the Run Diagnostic button. If the Directory Server can successfully
communicate with the IP address, the Directory Agent will post the Username, the user’s
Common Name, Directory Agent Group (the synchronized group for ContentProtect
Security Appliance), the Directory Agent Group (the actual user group from the
Directory Server), the Distinguished Name, and the time taken to run the test.
If the test is unsuccessful, confirm that File and Print share rights are enabled on the
end user’s device. Also, verify that the user’s DNS server is set to use the Directory
server where the Directory Agent is installed. Lastly, confirm that the user’s account
is present on the Directory Server where the Directory Agent is installed.
The last option available in the Directory Agent Diagnostics menu is Validate
Username/Password. This option will query the Directory Server to verify the
username and password of the user. If users are having trouble accessing their
Directory account, you can use this tool to confirm credentials.
Select the Validate Username/Password selection from the Test Type drop-down box.
Then, select the corresponding Directory Agent from the Directory Agent drop-down
box. You can then enter the Username and Password and click the Run Diagnostic
button.
Again, if the test is successful, the Results will post the Username, the user’s
Common Name, Directory Agent Group (the synchronized group for ContentProtect
Security Appliance), the Directory Agent Group (the actual user group from the
Directory Server), the Distinguished Name, and the time taken to run the test. One
additional line will post with this test confirming if the password is valid or not.
If this test is unsuccessful, confirm the Username and Password (case sensitive) for
the user on the Directory Server. You will also want to verify that ContentProtect
Security Appliance can communicate to the Directory Server and that the user’s
account is present on the Directory Server where the Directory Agent is installed.
• Directory Agent Users—this menu allows you to confirm how ContentProtect Security
Appliance is identifying Directory Users, which Directory Group users are being
assigned, and their associated IP addresses. The columns of Username, Common
Name, IP Address, Directory Agent Group, Mode, and Status will list current
conditions for the selected Directory Users.
The first option (Username) allows you to enter a Username and confirm the user’s
Username and Common Name from the Directory. Also listed are the IP
address currently in use by the user, the Directory Agent Group to which
ContentProtect Security Appliance is assigning the user, and the Mode (Directory
Option 1, 2, 3, 4, or 5) being used to identify the Directory User. Lastly, the Status
column shows the current state of the user, i.e., active, inactive, etc.
Other search options available are Common Name, IP Address, and Directory Agent
Group. Simply select the searchable option you want to use as criteria, enter in the
parameters for the search, and click the Search icon (or hit the Enter key).
ContentProtect Security Appliance will then query the Directory Agent Users menu
and post the results. If Directory Users are being assigned to incorrect groups or by
incorrect modes, you should confirm how you have created your Directory Groups or
what particular attributes have been assigned to your users on your Directory
Server.
• IP Address Map—IP Address Map shows the association between Directory Users and
IP addresses. You can use this tool to confirm that an active IP Address is being
assigned to the correct Directory User. If, after a user logs in, the IP address is
not posting the correct Directory User profile, this indicates that the
Directory/LDAP Client is not executing correctly. Review your deployment of the
Directory/LDAP Client as a possible culprit for this problem.
• No LDAP Network Nodes—this menu lists all devices currently passing traffic that do
not have an associated Directory/LDAP heartbeat. This is a great tool to use to
confirm if a computer on the network is sending Directory/LDAP heartbeats.
Please keep in mind that there will inevitably be some devices on the network that
do not execute the Directory/LDAP Client upon login (such as network printers,
wireless access points, network appliances, etc). You can use IP Address Map and
No LDAP Network Nodes to confirm if a user is executing the Directory/LDAP Client
upon login.
• Activity Logs—this log keeps track of all processes running from ContentProtect
Security Appliance. If ContentProtect Security Appliance cannot communicate with
the Directory Agent or cannot query the Directory Server, the Activity log will post an
error or alert accordingly. Verify that the Directory Agent is running or that the LDAP
settings are correct as this log normally indicates a failed communication between
ContentProtect Security Appliance and the Directory server. If after using these
tools, you are still experiencing problems with LDAP, continue with the following
suggestions.
• Force cymdir.exe Session Timeouts—this utility forces all cymdir.exe sessions to time
out immediately. Use this tool if cymdir.exe users are not being correctly grouped
and you need to verify the deployment process. If the Directory Client has been
deployed correctly, ContentProtect Security Appliance should receive new heartbeats
after forcing session timeouts and begin to regroup users according to their Directory
Agent Group assignment.
• Flush Web Auth Cache—this utility forces all Web Authentication sessions to time out
immediately. Use this tool if Web Authentication users are not being correctly
grouped and you need to verify the Web Authentication process. If Web
Authentication is working properly, ContentProtect Security Appliance should identify
users after forcing session timeouts and begin to regroup users according to their
Directory Agent Group assignment.
Troubleshooting GPO Issues
To troubleshoot potential GPO issues, replace the text in cymdir or cymldap Login Script.bat
with the following, replacing the bold, italicized text with the pertinent information.
These steps are written for the Directory Client (cymdir.exe). If you are using the LDAP
Client, replace cymdir.exe with cymldap.exe.
@ECHO OFF
REM This part runs the login client for troubleshooting and testing
REM add /tcp if you suspect network/routing problems
start /d \\server\share\ cymdir.exe /log %tmp% 192.168.1.80
REM This part runs the version 8 login client for production use
REM start /d \\server\share\ cymdir.exe /silent 192.168.1.80
REM This part verifies that this Login Script is being run by calling standard Windows routines.
time /t > %TMP%\login.txt
date /t >> %TMP%\login.txt
echo %USERNAME% >> %TMP%\login.txt
REM Browse to "%tmp%" in Windows Explorer by typing %TMP% in the address bar (use Internet Explorer if necessary)
REM There should be BOTH a cymdir.log and also a login.txt file in %TMP% folder.
REM If both are missing, this script is not being run
REM if both are present, send cymdir.log to [email protected]
The purpose of this script is to put the date, time, and username of the last login in a text
file called login.txt located in the user’s %TMP% directory. As these are all standard
Windows Shell Functions, this part of the script makes no reference to cymdir or cymldap.
Figure 7.21 %TMP% Folder
After logging in with this policy, browse to the temporary folder %TMP%. %TMP% is a
Windows Shell Variable that corresponds to each user’s Temporary Files Folder. You can
navigate to it directly by putting %TMP% in the Address Line of Windows Explorer.
Open login.txt if it exists. If login.txt is in the Temporary Directory, verify the login time,
date, and username are correct. If so, then Group Policies seem to be working properly,
and you should try some of the other troubleshooting methods mentioned below. If
login.txt does not exist or does not contain the correct information, you will more than likely
need to perform some troubleshooting and verify your GPO settings. Once your
Group Policy Object Login scripts are performing as expected, cymdir.exe can be deployed
in your network.
Troubleshooting Directory/LDAP Client
If the Directory/LDAP Client Help Dialog Box keeps popping up, look for an error message.
The top portion of the cymdir.exe or cymldap.exe dialog will display a relevant error
message (connection failure, unrecognized option, bad or misspelled command name,
Invalid IP address, etc).
Double check the login script. If there are no error messages, it implies that no command
line arguments were given to Directory/LDAP Client (Similar to double clicking cymdir.exe or
cymldap.exe). Some scripting languages require enclosing the parameters in quotes.
If there are no Directory User profiles under Manage -> Directory Users & Nodes ->
Directory Users, ContentProtect Security Appliance is not receiving heartbeats from the
Directory/LDAP Client. Verify that Admin > Configuration > LDAP > Use LDAP is checked
for the LDAP Client. Also confirm that cymdir.exe and cymldap.exe are being loaded at
login by checking the Process list in the Windows Task Manager. If not, there may be a
script problem.
If one or more users are not sending heartbeats, network routing issues can prevent
packets from reaching ContentProtect Security Appliance. Use the /tcp switch to test for
connection failures. Please note that you will not be able to use the /silent option for this
test.
Another scenario that will impede ContentProtect Security Appliance from posting the
Directory User profile for a user is if the computer has not sent Internet traffic through
ContentProtect Security Appliance. If the workstation has not sent traffic to the Internet,
then ContentProtect Security Appliance has no Network Node profile (IP address or MAC
address) with which to attach the Directory User. This will correct itself as soon as the
workstation sends traffic to the Internet through ContentProtect Security Appliance.
(Checking the Admin -> Logs -> Activity Log can be used to identify this issue).
By default, the Directory/LDAP Client uses port 3642 to communicate with ContentProtect
Security Appliance. You can verify that this port is open by using telnet and attempting to
connect to ContentProtect Security Appliance on port 3642 from an affected workstation.
The syntax for the Windows command line telnet client is this:
C:\>telnet 192.168.1.80 3642
Remember to use the IP address of your ContentProtect Security Appliance.
If you are able to connect and receive an error message about needing to authenticate then
there are no network issues. If you are not able to connect, then please review your
firewall or settings on the network as they may be blocking access on port 3642. Also, you
may need to restart services to ensure that the LDAP service is working properly (Admin ->
Utilities -> System Resets -> Restart All Services).
If the Directory/LDAP Client causes long login times, this could be due to the syntax in the
batch file. Make sure that the batch file line begins with “start”. Start is required to detach
programs from the Windows shell. If it is omitted, Windows may not detach the referenced
program as an independent process, and may wait 10 minutes before terminating the process.
Occasionally, some traffic is not associated with a Directory User. Cymdir.exe and
cymldap.exe run when a user logs in, and stop running when a user logs off. If traffic
occurs when no user is logged into a Network Node, it will not be associated with any user.
This commonly occurs when a user reboots, which logs the user off and then generates
network traffic, or when Windows updates are downloaded and installed.
In some circumstances (particularly involving laptop computers) a user will not run the login
script or Group Policy Object from the network as they log in. This could be because they
are not connected to any network, they are connected to a network that is not their home
network, or they have somehow bypassed their network login script. Consider using an
alternate method like Web Authentication for these users instead of using the
Directory/LDAP Client.
Also, users can potentially terminate the cymdir.exe or cymldap.exe process from the Task
Manager in an attempt to escalate their network privileges. If this happens, their
workstation will be added to the next appropriate group (typically the Default Group). To
prevent privilege escalation, simply make the Default Group (or other group as appropriate)
have the fewest network privileges available. This way, users will only deescalate their
access by terminating the Directory/LDAP Client.
Some security settings may impede the Directory/LDAP Client from executing correctly. If
you are unable to execute the client after following the deployment steps, you may need to
unblock the executable from running. You can do this by right-clicking on cymdir.exe
or cymldap.exe and selecting Properties. Under the General tab, click the Unblock button
and then apply the changes.
Lastly, make sure that you use the correct Directory/LDAP Client for your Operating System.
Remember that the Directory/LDAP Clients have three versions (32-bit, 64-bit, and
Macintosh) and should be deployed accordingly.
Troubleshooting LDAP Settings
ContentProtect Security Appliance must be able to query the LDAP Server in order to gather
accurate user information. However, if a user is located in a directory path not included in
the LDAP Server Base DN, ContentProtect Security Appliance may not be able to retrieve
that user’s information. A good practice is to use the root or base of the directory for the
LDAP Server Base DN. For example, instead of using ou=IT,dc=mydomain,dc=com, use
dc=mydomain,dc=com. Thus, ContentProtect Security Appliance will be able to query
the entire directory.
Also remember that ContentProtect Security Appliance is compatible with Windows Active
Directory and Novell’s eDirectory. If you are using a different directory service, i.e.,
Windows NT4 or NetWare 3, ContentProtect Security Appliance may not be able to post the
information correctly. In such scenarios, you may have to use the Fully Qualified Username
or User Principal Name for tracking.
Verify that your LDAP Default Name Mask (Admin -> Configuration -> LDAP Settings) is
asking for the LDAP Attributes you want posted. For example, for Active Directory users,
use a mask built from the appropriate LDAP attributes (%givenName% = First Name, %sn% =
Last Name). If you prefer to use different attributes, %displayName%, %cn%, or
%sAMAccountName% may be good alternatives.
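The following added example (not ContentWatch code) illustrates the two points above: which users fall outside a narrow Base DN, and which entries lack an attribute that the Default Name Mask asks for. The directory entries are constructed, and the case-insensitive DN comparison and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample entries (not from any real directory).
DIRECTORY = [
    {"dn": "CN=Ann Lee,OU=IT,DC=mydomain,DC=com",
     "givenName": "Ann", "sn": "Lee", "sAMAccountName": "alee"},
    {"dn": "cn=Bob Ray, ou=Sales, dc=mydomain, dc=com",
     "givenName": "Bob", "sn": "Ray", "sAMAccountName": "bray"},
    {"dn": "cn=Smith\\, Jo,ou=IT,dc=mydomain,dc=com",
     "sn": "Smith", "sAMAccountName": "jsmith"},  # givenName not set
]


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honoring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    rdns = []
    for part in parts:
        if part.strip():
            attr, _, value = part.partition("=")
            # Assumption: attribute types and values compare case-insensitively.
            rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_scope(user_dn, base_dn):
    """True when user_dn sits at or below base_dn (subtree search scope)."""
    user, base = split_dn(user_dn), split_dn(base_dn)
    return len(user) >= len(base) and user[len(user) - len(base):] == base


def apply_name_mask(mask, entry):
    """Expand %attribute% tokens; return (display name, attributes the entry lacks)."""
    missing = []

    def expand(match):
        value = entry.get(match.group(1))
        if not value:
            missing.append(match.group(1))
            return ""
        return value

    rendered = re.sub(r"%(\w+)%", expand, mask)
    return " ".join(rendered.split()), missing


def audit(base_dn, mask):
    """Return (display names in scope, accounts out of scope, accounts with gaps)."""
    visible, out_of_scope, incomplete = [], [], []
    for entry in DIRECTORY:
        account = entry["sAMAccountName"]
        if not in_scope(entry["dn"], base_dn):
            out_of_scope.append(account)
            continue
        name, missing = apply_name_mask(mask, entry)
        visible.append(name)
        if missing:
            incomplete.append((account, missing))
    return visible, out_of_scope, incomplete


if __name__ == "__main__":
    for base in ("ou=IT,dc=mydomain,dc=com", "dc=mydomain,dc=com"):
        print(base, audit(base, "%givenName% %sn%"))
```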
Lastly, make sure that the Username and Password used for LDAP Settings are current. If
you have changed the password or have deleted the account, ContentProtect Security
Appliance will not be able to query the directory for LDAP Profiles.
This concludes the chapter on implementing LDAP with ContentProtect Security Appliance.
There is an additional Tutorial Document entitled How to Implement LDAP posted on
ContentWatch Knowledge Base (http://www.ContentWatch.com/Tutorials.html). That
document complements the information presented here. The next chapter will deal with
filtering HTTPS/SSL traffic.
Chapter 8: Implementing HTTPS/SSL Filtering with ContentProtect Security Appliance
Secure Socket Layer (SSL) is a technology that is used to encrypt data sent over the
network. (Newer versions of SSL are called Transport Layer Security or TLS. Statements in
this User Guide regarding SSL also apply to TLS.) This encryption is done to ensure that the
data transmission is secure and only readable by the intended recipients. This technology is
most commonly associated with Secure Hypertext Transfer Protocol (HTTPS) sent over the
Internet.
For example, web pages such as banking or ecommerce sites post information that is very
sensitive for users, i.e., credit card numbers, social security numbers, etc. Because this
information is important, the web site must take some special precautions to make sure
that this information is not viewed by the wrong person. Also, the Web site needs to
confirm the identity of the site visitor and make sure that the transmission of data across
the Internet is not intercepted by anyone.
However, SSL can also be used to conceal web traffic and visit prohibited sites. The most
common practice of this is with proxy web sites or proxy web servers. ContentProtect
Security Appliance utilizes HTTPS/SSL Filtering to allow you to view and restrict Web traffic
for secure web sites and also prohibit users from viewing unauthorized content. This
chapter can be used to enable HTTPS/SSL Filtering. The following topics will be covered.
• Certificate Authorities
• SSL Anonymous Proxies
• HTTPS/SSL Filtering
• HTTPS/SSL Blocking
• HTTPS/SSL Filtering Requirements
• Enabling SSL Certificate-Based Filtering
• ContentProtect Security Appliance’s Digital Certificate
• Installing ContentProtect Security Appliance’s Digital Certificate
• Enabling Full SSL Content Filtering
• Confirming ContentProtect Security Appliance’s Digital Certificate
• Reporting on HTTPS/SSL Web Sites
• Viewing Sensitive Content on HTTPS/SSL Web Sites
Certificate Authorities
For Web sites to use SSL to post secure data, they employ a digital certificate signed by
a Certificate Authority (CA), like VeriSign or Thawte. A CA issues and signs a digital
certificate which confirms the identity of the Web site and that the page is secure. The CA
also attests that the certificate belongs to the organization, server, or other entity noted in
the certificate. Users know that a web site is secure through the digital certificate
presented on the web site.
Normally, web browsers have a list of trustworthy CAs. When users connect to a secure
web site, the web browser will check the name of the web site with the corresponding
certificate. If the certificate name matches the name of the web site, is not expired, and is
signed by a trusted CA, the web browser will display the web site. If any of these checks
fail, a warning is displayed indicating the error. Thus web sites and users depend on digital
certificates to confirm identities and information.
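The three browser checks described above, written out as an added example (not ContentWatch code and not any browser's implementation). The certificates are constructed dictionaries in the layout returned by Python's ssl.SSLSocket.getpeercert(); comparing the issuer's common name against a trusted set is a stand-in for real chain validation, which verifies signatures up to a trusted root.

```python
import ssl
import time

# Constructed certificates (getpeercert() layout); all names are illustrative.
GOOD_CERT = {
    "subject": ((("commonName", "www.shop.example"),),),
    "issuer": ((("organizationName", "Example Trust Services"),),
               (("commonName", "Example Trusted Root CA"),)),
    "subjectAltName": (("DNS", "www.shop.example"),
                       ("DNS", "*.cdn.shop.example")),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Jan  1 00:00:00 2009 GMT",
}
EXPIRED_CERT = dict(GOOD_CERT, notAfter="Mar  1 00:00:00 2008 GMT")
SELF_SIGNED_CERT = dict(GOOD_CERT, issuer=GOOD_CERT["subject"])

TRUSTED_ISSUERS = {"Example Trusted Root CA"}  # stand-in for the browser's CA list
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2008 GMT")  # fixed clock for the demo


def cert_names(cert):
    """DNS names the certificate is valid for; fall back to the CN if no SAN exists."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # e.g. ".cdn.shop.example"
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]
    return bool(label) and "." not in label


def issuer_common_name(cert):
    """Common name of the issuer, or None when the issuer has no CN."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_certificate(cert, host, trusted_issuers, now=None):
    """Return the list of failed checks; an empty list means no warning is shown."""
    now = time.time() if now is None else now
    problems = []
    if not any(name_matches(name, host) for name in cert_names(cert)):
        problems.append("name mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if issuer_common_name(cert) not in trusted_issuers:
        problems.append("untrusted issuer")
    return problems


if __name__ == "__main__":
    cases = [(GOOD_CERT, "www.shop.example"), (GOOD_CERT, "shop.example"),
             (EXPIRED_CERT, "www.shop.example"), (SELF_SIGNED_CERT, "www.shop.example")]
    for cert, host in cases:
        print(host, check_certificate(cert, host, TRUSTED_ISSUERS, NOW) or "ok")
```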
SSL Anonymous Proxies
In addition to using SSL for securing web traffic, SSL can also be used to conceal web
traffic. The purpose of ContentProtect Security Appliance’s HTTPS/SSL Filtering is to
prohibit users from concealing their web traffic and from viewing unauthorized content.
One of the ways users can conceal web traffic with SSL is by using SSL Anonymous Proxies.
SSL Anonymous Proxies, available to anyone with Internet access, instruct users on how to
direct their web traffic to a specific web site or service. Like traditional anonymous proxies,
they allow a user to put in a URL, which the proxy then fetches and returns to the user.
From a web filter’s perspective, it is as if all the content was from the proxy site. An SSL
Anonymous Proxy takes this one step further by encrypting this data, thereby concealing
the user’s traffic and visits to prohibited web sites. The most common tactic of SSL
Anonymous Proxy Servers is using Common Gateway Interface (CGI) web sites that create
tunnels to web sites.
However, there are many forms of proxy servers that are designed to make web surfing
anonymous and bypass content filtering. Below are listed the most common Anonymous
Proxy Services and how they conceal web traffic.
SSL CGI Proxy
This type of proxy has users enter the Universal Resource Locator (URL) of the web site
they want to browse to into a web form. The proxy web site then processes the request and
retrieves the page on behalf of the user. The proxy web site changes the links and images
within the page so that the requests are actually hosted by the proxy web site and not the
original web site.
SSL Full Proxy
This type of proxy requires users to modify their web browser settings to use a proxy
server. Some of these sites will also use non-standard ports to conceal web traffic.
SOCKS4/5 Proxy
This type of proxy also has users modify web browser settings to use a proxy server.
TorPark Network
This type of proxy is an SSL-based network that allows users to hide web browsing. TorPark
normally uses non-standard port numbers to avoid detection and uses SSL to conceal the
content of web sites.
ContentProtect Security Appliance has several options that allow you to block Anonymous
SSL web surfing and prevent users from concealing their traffic. These options are
discussed in the next section.
HTTPS/SSL Filtering
ContentProtect Security Appliance offers you several tools to filter HTTPS/SSL traffic, and to
block proxy web sites that allow users to cover their web traffic. Depending upon the type
of control you want over SSL traffic, you will need to configure HTTPS/SSL Filtering
accordingly. All HTTPS/SSL filtering options are handled by Traffic Flow Rule Sets (TFRS).
TFRS are the basic traffic identification and control engine within ContentProtect Security
Appliance. TFRS allow you to dictate how traffic will be identified, controlled, reported,
filtered and shaped. In the case of HTTPS/SSL traffic, ContentProtect Security Appliance
has several TFRS that will handle HTTPS/SSL traffic according to the settings listed below.
The component of TFRS that handles HTTPS/SSL Filtering is called SSL Filter. SSL Filter can
perform content filtering, web logging, spyware scanning, and virus scanning on all HTTPS
web sites. However, there are several options with SSL Filtering. Below are all available
options.
Disable SSL Inspection and Filtering
This option will not perform any HTTPS/SSL Filtering or Inspection. This is the default
option and will not filter, report, or inspect any HTTPS/SSL traffic.
Enable SSL Certificate-Based Content Filtering
This option allows you to filter HTTPS web sites based only on the certificate name present.
In addition to this, this option will only log and filter the first web page accessed for the site.
No other pages on the web site will be scanned. Also, if the certificate name does not
match the URL of the web site, some miscategorization can happen. Finally, if users
attempt to access an HTTPS web site that has been prohibited, they will not receive a
redirection page alerting them that the site has been blocked by ContentProtect Security
Appliance. This is the level of protection provided by almost all Secure Net Gateway devices
that support SSL features.
Enable Denied Access Page for SSL Certificate-Based Content Filtering
This option allows you to filter HTTPS web sites based only on the certificate name present.
In addition to this, this option will only log and filter the first web page accessed for the site.
No other pages on the web site will be scanned. Also, if the certificate name does not
match the URL of the web site, some miscategorization can happen. However, this option
will present users with a blocked redirection page if the web site has been prohibited and
can be used in conjunction with SSL Certificate-Based Content Filtering.
Enable Full SSL Content Filtering
This option allows you to filter HTTPS web sites based on the certificate name present,
the name of the web site, and the site’s content. This option is the most robust and
complete of all SSL Filter options as it allows for better categorization of HTTPS web sites,
continued filtering of all pages within the web site, and blocked redirection pages for
prohibited secure sites. Also, this is the only SSL Filter option that offers full scanning of
HTTPS web sites for spyware and viruses.
Because of the additional steps required to enable Full SSL Content Filtering, you will not be
able to turn on this option without first contacting a ContentWatch Support Technician. If
you are interested in enabling Full SSL Content Filtering, please call ContentWatch Technical
Support at 1 (800) 485-4008.
Do not enable Full SSL Content Filtering without deploying ContentProtect Security
Appliance’s Digital Certificate beforehand. Doing so will cause interruption with HTTPS
web sites. Please read the section on Installing ContentProtect Security Appliance’s
Certificate before enabling this option.
Only Allow Trusted Certificate Authorities and Non-Expired Certificates
This option will increase security for web traffic as it will not allow users to visit HTTPS sites
that have expired certificates or certificates issued from non-trusted CAs. This option can
be used in conjunction with SSL Certificate-Based Content Filtering and Full SSL Content
Filtering.
HTTPS/SSL Filter Exemption List
This option allows you to enter URLs of secure web sites that will be exempt from SSL
Filtering. For sensitive web sites, such as banking and ecommerce, you may want to enter
the URLs of these sites to avoid content filtering on specific web sites. This option can be
used in conjunction with all SSL filtering options.
Content Filtering Rules
Once you have enabled any of the HTTPS/SSL Filtering options, all your Content Filtering
Rules will now apply to HTTPS web sites. For example, if you have entered myspace in the
Blocked URL list under the Content Filtering tab and enabled HTTPS/SSL Filtering, users will
not be able to access http://www.myspace.com or https://www.myspace.com.
As such, if you want to block a specific web category or web site that is using HTTPS, enter
the web site as blocked in the Content Filtering tab, select a TFRS that has SSL Filtering, and
choose one of the HTTPS/SSL Filtering options.
HTTPS/SSL Blocking
There is an additional TFRS component for SSL traffic entitled SSL Block. SSL Block does not
perform any content filtering, web logging, spyware scanning, or virus scanning on HTTPS web
sites. It only prohibits all HTTPS/SSL traffic from passing through ContentProtect
Security Appliance. By default there is only one TFRS that is set to block HTTPS traffic.
This TFRS is called Web Filter + Anonymous Proxy Guard + SSL Block.
This TFRS performs content filtering, web logging, spyware scanning, virus scanning for
HTTP traffic (Web Filter). This TFRS also prohibits HTTP traffic on any port other than port
80 or a designated proxy port (Anonymous Proxy Guard). Finally this TFRS prohibits all
HTTPS/SSL traffic from passing through ContentProtect Security Appliance (SSL Block).
HTTPS/SSL Filtering Requirements
HTTPS/SSL Filtering does place additional processing load on ContentProtect Security
Appliance. As such, HTTPS traffic cannot be more than 25% of bandwidth specs (see following
table). Before enabling any form of HTTPS/SSL Filtering, please confirm that your HTTPS
traffic does not exceed the specified amount listed below.
Model    Max Throughput    Max HTTPS Throughput
CP100    1.5 Mbps          400 Kbps
CP200    5 Mbps            1.25 Mbps
CP300    8 Mbps            2 Mbps
CP350    20 Mbps           5 Mbps
CP450    45 Mbps           12 Mbps
CP550    100 Mbps          25 Mbps
CP650    200 Mbps          50 Mbps
If the amount of HTTPS traffic exceeds 25% of maximum bandwidth, ContentProtect
Security Appliance will be outside of operating specification. In this case, you may either
purchase a more powerful ContentProtect Security Appliance or an SSL Acceleration
ContentProtect Security Appliance model.
SSL Acceleration ContentProtect Security Appliance models come equipped with Peripheral
Component Interconnect (PCI) expansion cards that contain co-processors. These
co-processors perform part of the HTTPS/SSL Filtering, relieving the load on ContentProtect
Security Appliance. These models are called the CP350S, CP450S, CP550S, and CP650S.
Model     Max Throughput    Max SSL Throughput
CP350S    20 Mbps           20 Mbps
CP450S    45 Mbps           45 Mbps
CP550S    100 Mbps          100 Mbps
CP650S    200 Mbps          200 Mbps
If you are interested in purchasing a more powerful ContentProtect Security Appliance or an
SSL Acceleration ContentProtect Security Appliance, please contact your reseller or
ContentWatch sales at 1 (866) 765-7233.
Also, HTTPS/SSL Filtering does require a live Internet connection preferably active for at
least 24 hours. A good practice is to install ContentProtect Security Appliance and let the
device collect data for at least 24 hours. This way you can verify via Report -> Application
Overview -> HTTPS if the amount of traffic is below 25% of ContentProtect Security
Appliance’s maximum bandwidth specification and afterwards enable HTTPS/SSL Filtering.
Lastly, ContentProtect Security Appliance only supports HTTPS/SSL Filtering for web
browsers that use SSL v2.0, SSL v3.0, and Transport Layer Security (TLS) v1.0. Current
web browsers use these versions by default, but you may want to verify that your network’s
web browsers are updated.
In addition to bandwidth and connections requirements, HTTPS/SSL Filtering requires that
you enable two options under the Advanced Setup tab (Admin -> Configuration ->
Advanced Setup) that will allow ContentProtect Security Appliance to support HTTPS/SSL
filtering. These two options are HTTP Keep-Alive Mode and Enhanced Bridging Mode (EBM).
HTTP Keep-Alive Mode allows ContentProtect Security Appliance to use the same connection
to send and receive multiple HTTP requests and responses, as opposed to opening a new
connection for every single HTTP request or response. Using HTTP Keep-Alive Mode is
essential for improving Web performance with HTTPS/SSL Filtering.
EBM allows ContentProtect Security Appliance to act as a transparent filter. As a
transparent filter, ContentProtect Security Appliance does not modify the Web request or
response beyond what is required for authentication and identification. EBM also improves
the quality of service delivering content at higher bandwidth and reducing transmission
latency. If either of these options is not enabled, HTTPS/SSL Filtering is not possible.
One last requirement before enabling HTTPS/SSL Filtering is deciding on what options to
use. All HTTPS/SSL filtering is handled by TFRS. However, some of the different
HTTPS/SSL Filtering options will determine what steps need to be performed first. For
example, Full SSL Content Filtering requires additional steps for configuration before
enabling HTTPS/SSL Filtering.
This option utilizes a digital certificate from ContentProtect Security Appliance similar to
ones used by CAs. If you plan on utilizing Full SSL Content Filtering, you will need to deploy
the certificate before enabling HTTPS/SSL Filtering. Please review the section entitled
Installing ContentProtect Security Appliance’s Digital Certificate.
Enabling SSL Certificate-Based Filtering
Enabling SSL Certificate-Based Content Filtering allows you to filter HTTPS web sites based
only on the certificate name present. You can also select Denied Access Page for SSL
Certificate-Based Content Filtering to present users a redirection page for blocked HTTPS
Web sites as well as Only Allow Trusted Certificate Authorities and Non-expired Certificates.
To do this, you will first select an Internet Usage Rule (IUR).
Click Manage -> Policies & Rules -> Internet Usage Rules -> Default Usage Rules (or
another group’s usage rules). The first step is to alter an IUR for HTTPS/SSL Filtering by
choosing a TFRS that can identify and filter HTTPS traffic. Select the Drop-Down Box for
TFRS and choose a rule set that has SSL Filter as a component. This will then allow you to
access the HTTPS/SSL Filtering tab.
ContentProtect Security Appliance has three default TFRS that filter HTTPS/SSL traffic.
These TFRS are listed below with their corresponding targets. Please note that these are
the default settings for the TFRS and can be changed or customized based on your needs.
Please see the Tutorial Document entitled How to Manage Traffic Flow Rule Sets for more
information (http://www.ContentWatch.com/Tutorials.html).
Web Filter + Deny IM + Anonymous Proxy Guard + SSL Filter
This TFRS performs content filtering, web logging, spyware scanning, virus scanning for
both HTTP (Web Filter) and HTTPS traffic (SSL Filter). This TFRS also denies all IM Client
conversations (Deny IM) and prohibits HTTP traffic on any port other than port 80 or the
designated proxy ports and SSL traffic on any port other than port 443 (Anonymous Proxy
Guard).
Web Filter + Anonymous Proxy Guard + SSL Filter
This TFRS performs content filtering, web logging, spyware scanning, virus scanning for
both HTTP (Web Filter) and HTTPS traffic (SSL Filter). This TFRS also prohibits HTTP traffic
on any port other than port 80 or a designated proxy port and SSL traffic on any port other
than port 443 (Anonymous Proxy Guard).
Web Filter + SSL Filter
This TFRS performs content filtering, web logging, spyware scanning, virus scanning for
both HTTP (Web Filter) and HTTPS traffic (SSL Filter).
Depending upon how you would like to filter HTTPS traffic, you can choose the TFRS
accordingly. Again, once you have selected a TFRS of SSL Filter, you can now select options
under the HTTPS/SSL Filtering tab. In this section, we will only be detailing the options of
SSL Certificate-Based Filtering. Click on the HTTPS/SSL Filtering tab, and select the radio
button for Enable SSL Certificate-Based Content Filtering. Also, if you like you can select
the check box for the Enable “Denied Access” page and Only Allow for Trusted Certificate
Authorities and Non-expired Certificates. You can also enter in any URLs for the Filter
Exemption List. Once modified, don’t forget to save your changes.
Once the IUR has been saved, make sure that the new rules are being applied to the group
under the Policy Manager. You can review how to do this under Chapter 5: Managing
ContentProtect Security Appliance.
You have now finished creating an Internet Usage Rule that will filter certificates for HTTPS
Web sites and assigned it to the corresponding group. You can follow the previously
mentioned steps to assign additional IURs that will filter certificates for HTTPS web sites or
groups as well.
ContentProtect Security Appliance’s Digital Certificate
For ContentProtect Security Appliance to fully scan HTTPS web sites, the device will need to
inspect the data traversing the SSL connection between the user and the Web site.
Consequently, deploying a third party certificate to act as the “middle man” for the user and
the secure Web site is the most effective method to allow the secure connection while
examining the content.
By deploying a third party certificate from ContentProtect Security Appliance to the user, a
secure connection between the two is established. ContentProtect Security Appliance then
issues a separate secure connection between itself and the secure Web site or server. In
this fashion, ContentProtect Security Appliance acts as an SSL proxy, allowing the two
connections to be fully inspected without dropping the connection (see the following
diagram).
Figure 8.1 ContentProtect Security Appliance Certificate
In essence, ContentProtect Security Appliance establishes two SSL connections, one to the
user and one to the web site. After these connections are established, the user sends the
SSL request to ContentProtect Security Appliance. ContentProtect Security Appliance
reviews the SSL request, verifies filtering rules, and then sends an SSL request on behalf of
the user to the web site. This process allows ContentProtect Security Appliance to fully
inspect the SSL traffic from both the user and the responding web server.
Again for this option to work correctly, users will need ContentProtect Security Appliance’s
digital certificate installed in their individual Web browsers. This certificate can be
downloaded from ContentProtect Security Appliance under Admin -> Configuration ->
Downloads -> SSL Authority Certificate or at http://IP address of ContentProtect Security
Appliance/downloads/cacert.cer. Although you can install the certificate individually for
each user, this chapter has several options on how to deploy the certificate on a wider scale.
Lastly, you can also customize the certificate used for Full SSL Content Filtering. If you
would prefer the certificate to display your company information, your company’s
organizational unit, or your contact information, you may modify these settings under
Admin -> Configuration -> SSL Certificate Settings.
If you make any errors or need to change the SSL Certificate Settings, you can select
Clear SSL Certificates (Admin -> Utilities -> System Resets -> Clear SSL Certificates). This
will set the SSL Certificate Settings back to default settings. However, if you alter the SSL
certificate in any form, make sure that users have the new finalized certificate before
enabling Full SSL Filtering.
Installing ContentProtect Security Appliance’s Digital Certificate
ContentProtect Security Appliance’s certificate can be deployed individually on each
computer’s Web browser or it can be deployed as a Group Policy Object (GPO) by Active
Directory. The following sections describe how to perform each accordingly.
Deploying ContentProtect Security Appliance’s Certificate via Web Browsers
ContentProtect Security Appliance’s certificate can be downloaded and installed directly by
your users into their Web browsers. A good practice is to download the certificate to a
network share and have users install the certificate directly from the shared
drive. Another option is to send an email to users with an attached zipped file of the
certificate or with the URL of the certificate (http://IP address of ContentProtect Security
Appliance/downloads/cacert.cer). Once you have distributed the certificate, simply have
users import the certificate.
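Because the file will be installed as a trusted root and the download URL is plain HTTP, the copy you distribute can be compared with a fingerprint taken from a copy fetched directly from the appliance. The following Python script is an added example, not part of the ContentWatch guide; the script name, the source of the reference fingerprint and the sample bytes are assumptions.

```python
"""Compare a downloaded cacert.cer with a reference fingerprint before import.

Added example (not ContentWatch code). Assumption: the administrator has a
SHA-1 or SHA-256 fingerprint taken from a copy fetched over a trusted path.
"""
import hashlib
import hmac
import re
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
ALGO_BY_HEX_LENGTH = {40: "sha1", 64: "sha256"}

# Constructed stand-in for certificate bytes (NOT a real certificate); only the
# leading 0x30 SEQUENCE tag matters to the checks in this file.
SAMPLE_DER = bytes.fromhex("30820010") + bytes(range(16))


def to_der(raw: bytes) -> bytes:
    """Return DER bytes for a .cer file that is DER or Base64 (PEM) encoded."""
    stripped = raw.strip()
    if stripped.startswith(PEM_HEADER):
        if stripped.count(PEM_HEADER) != 1:
            raise ValueError("expected exactly one certificate in the file")
        return ssl.PEM_cert_to_DER_cert(stripped.decode("ascii"))
    if raw[:1] != b"\x30":
        # e.g. an HTML error page or a truncated download saved as cacert.cer
        raise ValueError("file is neither PEM nor DER certificate data")
    return raw


def normalize_fingerprint(text: str) -> str:
    """Drop colons, spaces and dashes; lower-case; insist on hex digits."""
    digits = re.sub(r"[\s:\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError("fingerprint must contain only hex digits")
    return digits


def matches_reference(cert_bytes: bytes, reference: str) -> bool:
    """True when the certificate hashes to the reference fingerprint.

    A 40-digit reference is treated as SHA-1 (the "Thumbprint" value shown by
    the Windows certificate dialog), a 64-digit reference as SHA-256.
    """
    ref = normalize_fingerprint(reference)
    algo = ALGO_BY_HEX_LENGTH.get(len(ref))
    if algo is None:
        raise ValueError("expected a 40-digit SHA-1 or 64-digit SHA-256 value")
    actual = hashlib.new(algo, to_der(cert_bytes)).hexdigest()
    return hmac.compare_digest(actual, ref)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_cacert.py cacert.cer REFERENCE_FINGERPRINT")
    with open(sys.argv[1], "rb") as handle:
        ok = matches_reference(handle.read(), sys.argv[2])
    print("fingerprint matches" if ok else "MISMATCH: do not import this file")
    sys.exit(0 if ok else 1)
```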
Depending upon the user's OS and default web browser, the steps to install the certificate
will differ. Below are email templates you can copy and use to instruct users
how to install the certificate on Windows PCs with Internet Explorer and Firefox. Areas
where you need to add information before sending the template are italicized and bold.
For other Web browsers or operating systems, you will need to research how to import digital
certificates.
Email Template for Windows XP and Internet Explorer 6
As part of our efforts to better provide a secure work environment and offer users reliable
Web access, we have decided to employ content filtering for Secure Hypertext Transfer
Protocol (HTTPS). Although you may be unfamiliar with the term HTTPS, this protocol is
used by web sites to secure information.
However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to
users and the network. Filtering HTTPS web sites will improve our ability to protect the
network and ensure safe web browsing.
You will need to import a digital certificate into your web browser that will allow you to
access legitimate web sites that use HTTPS. Please click on the following link and save
the certificate (cacert.cer) to your desktop: http://IP address of your
ContentProtect Security Appliance/downloads/cacert.cer. Or please download the
following zipped attachment (cacert.cer) to your desktop.
Then follow the instructions listed below to import the certificate. Thanks and have a nice
day.
1. Open up Internet Explorer 6.
2. Click on Tools -> Internet Options
3. Select the Content tab and click the Certificates button (this will bring up the
Certificate dialog box)
4. Select the Trusted Root Certification Authorities tab and then click the Import button
(this will bring up the Certificate Import Wizard)
5. Begin the Wizard by selecting Next and when prompted browse to the certificate you
downloaded to your desktop
6. If asked, allow Windows to automatically select the certificate store.
7. Complete the Certificate Import Wizard by selecting Next when prompted.
8. After you have completed the Certificate Import Wizard click the Finish button (you
may receive a security warning about installing the certificate; select Yes to allow the
import).
You have now completed the Certificate Import Wizard for Internet Explorer 6. You can
delete the certificate file on your desktop.
Email Template for Windows XP and Internet Explorer 7
As part of our efforts to better provide a secure work environment and offer users reliable
web access, we have decided to employ content filtering for Secure Hypertext Transfer
Protocol (HTTPS). Although you may be unfamiliar with the term HTTPS, this protocol is
used by web sites to secure information.
However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to
users and the network. Filtering HTTPS web sites will improve our ability to protect the
network and ensure safe web browsing.
You will need to import a digital certificate into your Web browser that will allow you to
access legitimate web sites that use HTTPS. Please click on the following link and save
the certificate (cacert.cer) to your desktop: http://IP address of your
ContentProtect Security Appliance/downloads/cacert.cer. Or please download the
following zipped attachment (cacert.cer) to your desktop.
Then follow the instructions listed below to import the certificate. Thanks and have a nice
day.
1. Open up Internet Explorer 7.
2. Click on Tools -> Internet Options
3. Select the Content tab and click the Certificates button (this will bring up the
Certificate dialog box)
4. Select the Trusted Root Certification Authorities tab and then click the Import button
(this will bring up the Certificate Import Wizard)
5. Begin the Wizard by selecting Next and when prompted browse to the certificate you
downloaded to your desktop
6. If asked, allow Windows to automatically select the certificate store.
7. Complete the Certificate Import Wizard by selecting Next when prompted.
8. After you have completed the Certificate Import Wizard click the Finish button (you
may receive a security warning about installing the certificate; select Yes to allow the
import).
You have now completed the Certificate Import Wizard for Internet Explorer 7. You can
delete the certificate file on your desktop.
Email Template for Windows Vista and Internet Explorer 7
As part of our efforts to better provide a secure work environment and offer users reliable
web access, we have decided to employ content filtering for Secure Hypertext Transfer
Protocol (HTTPS). Although you may be unfamiliar with the term HTTPS, this protocol is
used by web sites to secure information.
However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to
users and the network. Filtering HTTPS web sites will improve our ability to protect the
network and ensure safe web browsing.
You will need to import a digital certificate into your web browser that will allow you to
access legitimate web sites that use HTTPS. Please click on the following link and save
the certificate (cacert.cer) to your desktop: http://IP address of your
ContentProtect Security Appliance/downloads/cacert.cer. Or please download the
following zipped attachment (cacert.cer) to your desktop.
Then follow the instructions listed below to import the certificate. Thanks and have a nice
day.
1. Open up Internet Explorer 7.
2. Click on Tools -> Internet Options
3. Select the Content tab and click the Certificates button (this will bring up the
Certificate dialog box)
4. Select the Trusted Root Certification Authorities tab and then click the Import button
(this will bring up the Certificate Import Wizard)
5. Begin the Wizard by selecting Next and when prompted browse to the certificate you
downloaded to your desktop
6. When asked, place the certificate in the Trusted Root Certification Authorities store.
7. Complete the Certificate Import Wizard by selecting Next when prompted.
8. After you have completed the Certificate Import Wizard click the Finish button (you
may receive a security warning about installing the certificate; select Yes to allow the
import).
You have now completed the Certificate Import Wizard for Internet Explorer 7. You can
delete the certificate file on your desktop.
Email Template for Windows XP/Vista and Firefox 2
As part of our efforts to better provide a secure work environment and offer users reliable
web access, we have decided to employ content filtering for Secure Hypertext Transfer
Protocol (HTTPS). Although you may be unfamiliar with the term HTTPS, this protocol is
used by web sites to secure sensitive information.
However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to
users and the network. Filtering HTTPS web sites will improve our ability to protect the
network and ensure safe web browsing.
You will need to import a digital certificate into your web browser that will allow you to
access legitimate web sites that use HTTPS. Please click on the following link and save
the certificate (cacert.cer) to your desktop: http://IP address of your
ContentProtect Security Appliance/downloads/cacert.cer. Or please download the
following zipped attachment (cacert.cer) to your desktop.
Then follow the instructions listed below to import the certificate. Thanks and have a nice
day.
1. Open up Firefox 2.
2. Click on Tools -> Options
3. Select the Encryption tab and click the View Certificates button (this will bring up the
Certificate Manager box)
4. Select the Authorities tab and then click the Import button
5. Browse to your desktop and select the certificate you just downloaded.
6. Select Trust this CA to identify web sites.
7. Click OK twice to complete the import.
You have now completed the Certificate Import Wizard for Firefox. You can delete the
certificate file on your desktop.
Deploying ContentProtect Security Appliance’s Certificate via Active Directory
Again, follow the previous steps to download the certificate and place it on the local drive of
the Active Directory server. Once you have done that, follow the subsequent steps.
1. Log on to your Domain or Active Directory server.
2. Open a Windows Run Prompt (Start -> Run).
3. In the Open field type "mmc" (Microsoft Management Console).
4. Click OK.
5. In the File menu select Add/Remove Snap-in.
Figure 8.2 Console Prompt
6. Click the Add button.
7. Scroll down and select Group Policy Object Editor.
Figure 8.3 Add Standalone Snap-in
8. Click the Add button (this will launch the Group Policy Object Wizard).
9. Press the Browse button.
10. Select Default Domain Policy.
11. Click OK.
Figure 8.4 Group Policy Object
12. Click Finish on the Add Group Policy Wizard.
13. Close the Add Standalone Snap-in dialog box.
14. Click OK on the Add/Remove Snap-in dialog box (you should now be looking at the
MMC screen with the Console Root Folder above the new Default Domain Policy you
have just added).
Figure 8.5 Console Root
15. Expand the Default Domain Policy.
16. Expand the Computer Configuration option.
17. Expand the Windows Settings option.
18. Expand the Security Settings option.
19. Expand the Public Key Policies.
20. Select the Trusted Root Certification Authorities.
21. In the Action menu, select Import (this will launch the Import Wizard).
Figure 8.6 Group Policy Object Editor
22. Click the Next button.
23. Browse to where you downloaded ContentProtect Security Appliance’s certificate
(unless you have changed the title, the certificate is entitled cacert.cer).
24. Click the Next button.
25. Make sure the Place All Certificates in the Following Store radio button is selected.
26. Make sure the Certificate Store is Trusted Root Certification Authorities.
27. Click the Next button (the Import Wizard will now display a summary of the import
process).
28. Click the Finish button.
29. The Import Wizard will inform you if the import was successful.
You have now finished deploying ContentProtect Security Appliance’s certificate either via a
direct import or Active Directory’s GPO. Now that you have completed these steps, you are
ready to enable Full SSL Content Filtering. You can also enable Only Allow Trusted
Certificate Authorities and Non-Expired Certificates.
Enabling Full SSL Content Filtering
Now that you have installed ContentProtect Security Appliance’s certificate, you will need to
contact ContentWatch Technical Support to enable Full SSL Filtering. Because Full SSL
Filtering requires additional steps, this option is only available after a certified ContentWatch
Technician reviews the device settings. This precaution has been taken to avoid
unnecessary interruption with secure Web sites. You can contact ContentWatch Technical
Support at 1 (800) 485-4008.
Once approved by a support technician, he/she will ask you which Internet Usage Rules will
have Full SSL Content Filtering. Afterwards, you can review the settings under Manage ->
Policy & Rules -> Internet Usage Rules -> Default Usage Rules (or another group’s usage
rules). Select the Traffic Flow Rule Set (TFRS) drop-down box and choose a TFRS that lists
the SSL Filter component. After a TFRS with SSL Filter has been selected, the HTTPS/SSL
Filtering tab is accessible. Click on the tab, and confirm that the radio button of Enable Full
SSL Content Filtering is selected.
If you like, you can also select the check box next to Only Allow Trusted Certificate
Authorities and Non-Expired Certificates. In addition to this, you can enter the URLs for
the Filter Exemption list. Again, don’t forget to Save your changes and apply the IUR to the
correct groups under Policy Manager.
Please note that if you clear the SSL Certificate under Admin -> Utilities -> System Resets
or alter the certificate under Admin -> Configuration -> SSL Certificate Settings, you will
need to deploy the new certificate to users’ Web browsers.
Confirming ContentProtect Security Appliance’s Digital Certificate
Now that you have deployed ContentProtect Security Appliance’s certificate, and you have
finished configuring ContentProtect Security Appliance for Full SSL Content Filtering, the last
item to verify is that ContentProtect Security Appliance’s digital certificate is working
correctly. You can do this by browsing to a secure Web site (https) and viewing the digital
certificate on the page. You can click on the padlock icon located at the end of the URL of
the web site and select View certificates. Once selected, make sure that the digital
certificate is issued by the Certificate Common Name from ContentProtect Security
Appliance (Admin -> Configuration -> SSL Certificate Settings).
Reporting on HTTPS/SSL Web Sites
After you have enabled HTTPS/SSL Filtering, you can report on HTTPS/SSL web sites. Click
on Report -> Internet Usage -> Web Hits Overview -> Allowed. This will post all allowed
Web hits within the past 24 hours. In the top right-hand corner of the report is a reporting
option entitled Encryption Type. By default this option is set to No Filter, which will post all
Web hits. Select that option and choose SSL. The report will then display all HTTPS/SSL
Web site hits within the last 24 hours. You can then adjust the report to correlate and filter
for specific users, time frames, etc. Wherever the option of Encryption Type is displayed,
you can adjust reporting to display HTTPS/SSL Web sites.
Viewing Sensitive Content on HTTPS/SSL Web Sites
SSL operates by opening a tunnel session and passing information using a public and
private key for transmission. Although Web sites that use SSL can be monitored and
filtered using ContentProtect Security Appliance, items such as passwords, bank account
numbers, and social security numbers are normally encrypted at an additional layer within
the SSL tunnel. As such, ContentProtect Security Appliance normally cannot decipher these
items. Typically ContentProtect Security Appliance will only capture the URL and Hypertext
Markup Language (HTML) of the web site accessed and not the additional encrypted items.
However, if you are concerned about sensitive content being captured by ContentProtect
Security Appliance, you can list Web sites in the HTTPS/SSL Filter Exemption List. Web
sites listed in the HTTPS/SSL Exemption List will not be filtered, monitored, or decrypted in
any form. For more information, please review the section HTTPS/SSL Filter Exemption List.
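One way to repeat the issuer check from "Confirming ContentProtect Security Appliance’s Digital Certificate" across many sites, and to confirm that hosts on the HTTPS/SSL Filter Exemption List are not re-signed, is to compare each site's certificate issuer with the appliance's Certificate Common Name. This Python script is an added example, not part of the ContentWatch guide; the common name, host names and sample certificates are constructed placeholders.

```python
"""Audit which HTTPS sites are re-signed by the filtering appliance.

Added example (not ContentWatch code). APPLIANCE_CN and the host names are
constructed placeholders; use the Certificate Common Name configured under
Admin -> Configuration -> SSL Certificate Settings and your own site lists.
"Exempt" below means "not issued by the appliance's certificate".
"""
import socket
import ssl

APPLIANCE_CN = "Example Appliance CA"  # placeholder value

# Constructed getpeercert()-style results used by demo(); no network needed.
SAMPLE_CERTS = {
    "webmail.example": {"issuer": ((("organizationName", "Example Org"),),
                                   (("commonName", APPLIANCE_CN),))},
    "bank.example": {"issuer": ((("commonName", "Some Public CA"),),)},
    "payroll.example": {"issuer": ((("commonName", APPLIANCE_CN),),)},
}


def issuer_common_name(peercert):
    """Return the issuer commonName from an ssl getpeercert() dictionary."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def fetch_peercert(host, port=443, timeout=10):
    """Connect from a filtered workstation and return the validated leaf cert."""
    context = ssl.create_default_context()  # loads the OS trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(expectations, appliance_cn, fetch=fetch_peercert):
    """Compare expected state ("inspected" or "exempt") with the observed issuer.

    Returns (host, expected, actual, detail) tuples. A TLS failure is reported
    as "error"; on an inspected site it usually means the appliance certificate
    is not trusted on the machine running the audit.
    """
    findings = []
    for host, expected in sorted(expectations.items()):
        try:
            issuer = issuer_common_name(fetch(host))
        except (ssl.SSLError, OSError) as exc:
            findings.append((host, expected, "error", str(exc)))
            continue
        actual = "inspected" if issuer == appliance_cn else "exempt"
        findings.append((host, expected, actual, issuer))
    return findings


def mismatches(findings):
    """Keep only the hosts whose observed state differs from the expected one."""
    return [f for f in findings if f[1] != f[2]]


def demo():
    """Run the audit over the constructed sample certificates."""
    expectations = {"webmail.example": "inspected",
                    "bank.example": "exempt",
                    "payroll.example": "exempt"}  # meant to be exempt
    return mismatches(audit(expectations, APPLIANCE_CN,
                            fetch=SAMPLE_CERTS.__getitem__))


if __name__ == "__main__":
    for host, expected, actual, detail in demo():
        print(f"{host}: expected {expected}, found {actual} ({detail})")
```

Run against real hosts, `audit()` must be executed from a workstation whose traffic passes through the appliance, since the issuer is only rewritten on that path.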
This concludes the chapter for HTTPS/SSL Filtering. If you need further assistance with this
or any other component of ContentProtect Security Appliance, please read the following
section on getting help.
Customer Support and Feedback
Getting Help
For additional help, please consult ContentWatch's Knowledge Base
(http://ContentWatch.com/kb). Additionally, contact your Authorized ContentWatch
Reseller for additional support.
ContentWatch Premium Support Services are also available for:
• Configuration & Installation Guidance
• ContentProtect Security Appliance Training
• Technical Support Services
For more information or to purchase ContentWatch Premium Support Services, contact
ContentWatch at [email protected] or by phone at 1 (800) 485-4008.
Please have the following information ready:
• Total bandwidth
• Total # of network nodes and Directory Users
• ContentProtect Security Appliance model & serial number
• ContentProtect Security Appliance firmware version
• A network topology diagram
• Presence of VLANs, proxy servers, remote subnets
• What symptoms or issues you are experiencing
We Welcome Your Feedback
We welcome your comments on ContentProtect Security Appliance and your ideas for
modifications or feature requests. Contact us at [email protected]. Please identify
the ContentProtect Security Appliance model you are using and tell us how we can reach
you.
Appendix A: Web Filtering Categories
ContentProtect Security Appliance has several distinct layers to identify and filter web sites
depending upon the settings you employ on the device. Among the most distinct layers are
URL checks against database entries, key-word searches, real-time analysis on web page
context, digital certificate scans, and full payload decryption on HTTPS/SSL traffic. These
distinct layers allow ContentProtect Security Appliance to quickly categorize well-known web
sites while providing a more in-depth identification for new, indistinct and constantly
changing Web sites.
If you would like to confirm the categorization of a web site, you can use the diagnostic tool
of /?webFilterCategory. To use this tool, go to any computer that is being filtered by
ContentProtect Security Appliance and open a web browser.
Enter the URL of the web site you want to confirm categorization, and append to it the
phrase /?webFilterCategory, i.e., http://www.google.com/?webFilterCategory. This will post
the Web Filter Category Report and list the categorization of the web page and which
component (URL database, key-word search, or content analysis) categorized the site.
If you would like to re-categorize a web site, you can use the Custom Category Rules menu
(Admin -> Configuration -> Custom Category Rules) or submit the URL to
http://www.ContentWatch.com/category.
The following table lists the available categories, together with the filtering level typically
applied to each. These categories are followed with a brief description of the type of
content contained by each and some web site examples.
Category: Adult
Filtering (Typical): Unacceptable
Description: These are sites directed to adults, not necessarily pornographic sites. Adult
clubs: strip clubs, swingers clubs, escort services, strippers; general information about
sex, non-pornographic in nature; genital piercing; adult products, adult greeting cards;
information about sex not in the context of health or disease.
Examples: fhm.com, cybereroticanews.com

Category: Alcohol and Tobacco
Filtering (Typical): Non-business
Description: Beer, wine, spirits: beer and wine making, cocktail recipes, liquor sellers,
wineries, vineyards, breweries; mixed drinks, drinking establishments; tobacco; pipes and
smoking products. Also Tobacco.
Examples: budweiser.com, philipmorrisusa.com

Category: Arts and Entertainment
Filtering (Typical): Non-business
Description: Galleries and exhibitions; artists and art; photography; literature and books,
publishing; movies; performing arts and theater; music and radio; television; celebrities
and fan sites; design; architecture; entertainment news, venues; humor. Also Entertainment.
Examples: disney.com, mgm.com

Category: Automatic Updating
Filtering (Typical): Non-business
Description: Web pages that monitor activities and automatically update page content on a
regular basis, such as stock tickers or weather reports.
Examples: ticker.nasdaq.com, pub.weatherbug.com

Category: Business and Industry
Filtering (Typical): Business
Description: Sites involved in business-to-business transactions of all kinds. Advertising,
marketing, commerce, corporations, business practices, workforce, human resources,
transportation, payroll, security, venture capital, etc; office supplies; industrial
equipment (process equipment), machines and mechanical systems; heating equipment, cooling
equipment; materials handling equipment; packaging equipment; manufacturing: solids
handling, metal fabrication construction and building; passenger transportation; commerce;
industrial design; construction, building materials; industrial design; shipping and
freight: freight services, trucking, freight forwarders, truckload carriers,
freight/transportation brokers, expedited services, load & freight matching, track & trace,
NVOCC, railroad shipping, ocean shipping, road feeder services, moving & storage. Also
Industry.
Examples: dow.com, ussteel.com

Category: Cars and Motorcycles
Filtering (Typical): Non-business
Description: Sites about personal transportation; information about cars and motorcycles;
shopping for new and used cars and motorcycles; car clubs; boats, RVs, etc. (Note: auto and
motorcycle racing is categorized as Sports and Recreation). Also Motorcycles.
Examples: autobytel.com, autos.msn.com

Category: Cheating and Plagiarism
Filtering (Typical): Non-business
Description: Sites promoting cheating and selling written work (e.g. term papers) for
plagiarism. Also Plagiarism.
Examples: cheathouse.com, bestpapers.com
Category: Computers and Internet
Filtering (Typical): Business
Description: Information about computers and software such as: hardware, software, software
support sites; information for software engineers, programming and networking; website
design, and the web and Internet in general; computer science; computer graphics and
clipart. Also Internet.
Examples: dell.com, update.microsoft.com

Category: Crime
Filtering (Typical): Business
Description: Sites related to crime, crime reporting, law enforcement, crime statistics, etc.
Examples: crime.com, terrorism.com

Category: Criminal Related
Filtering (Typical): Non-business
Description: Pages that promote crime such as stealing, fraud, phreaking and cracking; warez
and pirated software; computer viruses; terrorism, bombs, and anarchy; sites depicting
murder and suicide as well as explaining ways to commit them.
Examples: illegalworld.com, anarchistcookbook.com

Category: Cults
Filtering (Typical): Non-business
Description: Cults and cult behavior.
Examples: kimmillerconcernedchristians.com, heavensgate.com

Category: Dating
Filtering (Typical): Unacceptable
Description: Dating sites, online personals, matrimonial agencies, etc., for adults.
Examples: eharmony.com, friendfinder.com

Category: Dining and Drinking
Filtering (Typical): Non-business
Description: Eating and drinking establishments; restaurants, bars, taverns, brewpubs,
restaurant guides and reviews
Examples: pizzahut.com, mortons.com

Category: Education
Filtering (Typical): Business
Description: Education-related sites and web pages such as schools, colleges, universities,
teaching materials, teachers resources; technical and vocational training; online training;
education issues and policy; financial aid; school funding; standards and testing.
Examples: usc.edu, nyu.edu

Category: Filter Avoidance
Filtering (Typical): Unacceptable
Description: Web pages that promote and aid undetectable and anonymous surfing
Examples: proxify.com, proxyblind.org

Category: Finance
Filtering (Typical): Business
Description: Sites and information that are primarily financial in nature such as:
accounting practices and accountants; taxation; banking; insurance; investing: information
relating to the stock market, stocks, bonds, mutual funds, brokers, stock analysis and
commentary, stock screens, stock charts, IPOs, stock splits; the national economy; personal
finance involving insurance of all types; credit cards; retirement and estate planning;
loans; mortgages; taxes.
Examples: nasdaq.com, wellsfargo.com

Category: FYI
Filtering (Typical): Business
Description: City and state guides; maps, weather, time; reference sources; dictionaries;
libraries; museums; ski conditions; personal information; mass transportation: consumer
mass transit information (bus, commuter train, subway, airport), maps, schedules.
Examples: maps.google.com, weather.com

Category: Gambling
Filtering (Typical): Non-business
Description: Casinos and online gambling sites; bookmakers and odds; gambling advice; horse
and dog racing in a gambling context; sports book; sports gambling.
Examples: partypoker.com, bodog.com

Category: Games
Filtering (Typical): Non-business
Description: Various card games, board games, word games, video games; computer games,
Internet games (RPGs and D&D); combat games; sports games; downloadable games; game
reviews; cheat sheets.
Examples: games.yahoo.com, worldofwarcraft.com
Category: Gay and Lesbian
Filtering (Typical): Non-business
Description: Gay, lesbian, bisexual, transgender: gay family, gay parenting, coming out, gay
pride sites; gay civil rights, politics, sports, clubs and events, travel and
accommodations, leisure activities; gay bars
Examples: gay.com, gayamerica.com

Category: Government and Law
Filtering (Typical): Business
Description: Foreign relations; news and information relating to politics and elections such
as: politics, political parties, election news and voting; sites and information relating
the field of law such as: attorneys, law firms, law publications, legal reference material,
courts, dockets, legal associations; legislation and court decisions; civil rights issues;
immigration; patents and copyrights; sites and information relating to law enforcement and
correctional systems; sites relating to the military such as: the armed forces, military
bases, military organizations, and military equipment; anti-terrorism. Also Law.
Examples: foreignaffairs.org, firstgov.gov

Category: Hacking
Filtering (Typical): Non-business
Description: Sites discussing ways to hack into web sites, software, and computers.
Examples: elitehackers.com, hackerstuff.com

Category: Hate Speech
Filtering (Typical): Unacceptable
Description: Hate-related sites, involving racism, sexism, racist theology; hate music;
Christian identity religions; World Church of the Creator; Neo-Nazi organizations: Aryan
Nations, American Nazi parties, Neo-Nazis, Ku Klux Klan, National Alliance, White Aryan
Resistance, white supremacists; National Socialist Movement; Holocaust denial.
Examples: kkk.com, blacksandjews.com

Category: Health and Nutrition
Filtering (Typical): Non-business
Description: Health care; disease and disabilities; medical care; hospitals; doctors;
medicinal drugs; mental health; psychiatry; pharmacology; exercise and fitness; physical
disabilities; vitamins and supplements; sex in a context of health (disease and health
care); tobacco use, alcohol use, drug use, and gambling in a context of health (disease and
health care); food in general; food and beverage; cooking and recipes; food and nutrition,
health, dieting.
Examples: efitness.com, emedicine.com

Category: Illegal Drugs
Filtering (Typical): Non-business
Description: Information about recreational drugs, drug paraphernalia, marijuana seeds;
advice on how to grow marijuana.
Examples: weedcity.com, cannabis.com

Category: Instant Messaging
Filtering (Typical): Non-business
Description: Web-based instant messaging.
Examples: messenger.yahoo.com, meebo.com

Category: Job Search
Filtering (Typical): Non-business
Description: Career advice; advice on resume writing and interviewing skills; job placement
services; job databanks; employment and temp agencies; employer sites.
Examples: dice.com, monster.com

Category: Lingerie
Filtering (Typical): Unacceptable
Description: Intimate apparel, especially when modeled.
Examples: victoriasecret.com, pamperedpassions.com

Category: Lottery and Sweepstakes
Filtering (Typical): Non-business
Description: Sweepstakes, contests and lotteries.
Examples: powerball.com, calottery.com

Category: Miscellaneous
Filtering (Typical): Non-business
Description: Cannot be categorized—often because the web page is secured from outside
visibility or there’s either no text or too little text to access it.
Category: Nature
Filtering (Typical): Non-business
Description: Natural resources; ecology and conservation; forests; wilderness; plants;
flowers; forest conservation; forest, wilderness, forestry practices; forest management
(re-forestation, forest protection, conservation, harvesting, forest health, thinning,
prescribed burning); agricultural practices: agriculture, gardening, horticulture,
landscaping, planting, weed control, irrigation, pruning, harvesting; pollution issues: air
quality, hazardous waste, pollution prevention, recycling, waste management, water quality,
environmental clean-up industry; animals, pets, livestock, zoology; biology; botany.
Examples: peta.org, nature.org

Category: News
Filtering (Typical): Non-business
Description: News, headlines, newspapers; TV station wireless
Examples: nytimes.com, msnbc.com

Category: Non-mainstream
Filtering (Typical): Non-business
Description: Non-mainstream approaches to life. Occult practices: esoteric magic, voodoo,
witchcraft, casting spells; fortune telling practices: I Ching, numerology, psychic advice,
Tarot; paranormal: out of body, astral travel, séances; astrology, horoscopes; UFOs and
aliens; gay, lesbian and bisexual: gay family, gay parenting, coming out, gay pride sites,
civil rights issues, politics, sports, clubs and events, travel and accommodations, leisure
activities; gay bars.
Examples: tarot.com, psychic.com

Category: Non-sexual nudity
Filtering (Typical): Unacceptable
Description: Nudism/nudity; nudist camps; artistic nudes
Examples: barenakedgallery.com, fineartnude.com

Category: Online Communities
Filtering (Typical): Non-business
Description: Personal web pages; affinity groups; special interest groups; professional
organizations for social purposes; personal photo collections; web newsgroups.
Examples: myspace.com, facebook.com

Category: Online Trading
Filtering (Typical): Non-business
Description: Online brokerages, sites which afford the user the ability to trade stocks
online.
Examples: franklintrading.com, ameritrade.com

Category: Peer File Transfer
Filtering (Typical): Non-business
Description: Peer-to-peer file request sites. This does not track the file transfers
themselves.
Examples: torrentz.com, piratebay.com

Category: Porn
Filtering (Typical): Non-business
Description: Sexually explicit text or depictions. Includes the following: nude celebrities;
anime and XXX cartoons; general XXX depictions; material of a sexually violent nature
(bondage, domination, sadomasochism, torture, rape, spanking, snuff, fantasy death,
necrophilia); other fetish material (foot/legs, infantilism, balloon sex, latex gloves,
enema, pregnant women, pony-play, BBW, bestiality); XXX chat rooms; sex simulators; gay
pornography; sites that offer strip poker; adult movies; lewd art; web-based pornographic
e-mail.
Examples: hustler.com, penthouse.com

Category: Real Estate
Filtering (Typical): Non-business
Description: Information that would support the search for real estate. This includes:
office and commercial space; real estate listings: rentals, apartments, homes; house
building; roommates, etc.
Examples: remax.com, century21.com
Category: Science and Technology
Filtering (Typical): Non-business
Description: Sites involving science and technology: aerospace, electronics, engineering,
mathematics, etc.; space exploration; meteorology; geography; environment; energy: oil,
nuclear, wind, sun; communications: telephones, telecomm. Also Technology.
Examples: space.com, ieee.org

Category: Search Engines and Portals
Filtering (Typical): Business
Description: Web directories and search engines that often serve as home pages such as
Excite, MSN, Alta Vista, and Google.
Examples: google.com, msn.com

Category: Sex Education and Abortion
Filtering (Typical): Unacceptable
Description: Sexual health, information about, or descriptions of, abortions procedures such
as: abortion pills, medical abortions, surgical abortions; abortion clinics and abortion
providers.
Examples: abortion.com, prolife.com

Category: Shopping
Filtering (Typical): Non-business
Description: Auctions; bartering; online purchasing; coupons and free offers; yellow pages;
classified ads; general office supplies; online catalogs; online malls.
Examples: ebay.com, amazon.com

Category: Social Science
Filtering (Typical): Non-business
Description: Sites related to: archaeology; anthropology; cultural studies; economics;
history; linguistics; philosophy; political science; psychology; theology; women's studies.
Examples: civilwar.com, ssrc.org

Category: Society and Culture
Filtering (Typical): Non-business
Description: Family and relationships; religions, ethnicity and race, social organizations;
genealogy; seniors, clothing and fashion; spas; hair salons; cosmetics (skin care for
diseases or conditions may be categorized as Health and Nutrition); hobbies;
do-it-yourself; toys for kids; model and remote control cars; toy soldiers.
Examples: unitedway.org, goodhousekeeping.com

Category: Spiritual Healing
Filtering (Typical): Non-business
Description: Spiritual healing; alternative approaches to health, both physical and mental.
Examples: aetherius.org, enhancedhealing.com

Category: Sports and Recreation
Filtering (Typical): Non-business
Description: All sports, professional and amateur; recreational activities; hunting;
fishing; fantasy sports; gun and hunting clubs; public parks; amusement parks; water parks;
theme parks; zoos and aquariums.
Examples: espn.com, si.com

Category: Streaming Media
Filtering (Typical): Non-business
Description: Sites that involve: net radio; net TV; web casts; streaming audio; streaming
video.
Examples: xmradio.com, sirius.com

Category: Tasteless or Obscene
Filtering (Typical): Unacceptable
Description: Sites that offer tasteless, often gory photographs such as autopsy photos,
photos of crime scenes, crime or accident victims; sites displaying excessive obscene
material.
Examples: facesofdeath.com, torture-museum.com

Category: Tattoos
Filtering (Typical): Non-business
Description: Pictures and text relating to body modification; tattoos and piercing venues;
articles and information about tattoos and piercing; body painting.
Examples: tatoo.com, tattoofinder.com

Category: Travel
Filtering (Typical): Non-business
Description: Business and personal travel: travel information; travel resources; travel
agents; vacation packages; cruises; lodging and accommodations; travel transportation:
flight booking, airfares, renting cars; vacation homes.
Examples: travelocity.com, hotels.com

Category: Uncategorized
Filtering (Typical): Non-business
Description: Cannot be categorized—often because the web page is secured from outside
visibility or there’s either no text or too little text to access it.

Category: Vice
Filtering (Typical): Non-business
Description: Sites involving illegal drugs, alcohol, tobacco, and gambling.
Examples: viceland.com, vbs.tv
151
ContentProtect Security Appliance User Guide
Category
Filtering (Typical)
Violence
Unacceptable
Weapons
Business
Web Hosting
Business
Web Messaging
Non-business
Web-based Chat
Non-business
Web-based Email
Non-business
Young Child
Non-business
Description
Sites related to violence and violent behavior.
Sites or information relating to the purchase or use
of conventional weapons such as: gun sellers; gun
auctions; gun classified ads; gun accessories; gun
shows; gun training; general information about
guns; other weapons (e.g., knives, brass knuckles)
may be included.
Sites that provide web site hosting services.
General use of the web for messages: e-cards, online meetings, message boards, etc.
Web-based chat sites.
Email portals and email messages ported through
the web.
Sites directed toward and specifically approved for
young children
Examples
psfights.com
realfights.com
nrahq.org
remington.com
webmasters.com
rackspace.com
bluemountain.com
ecards.com
chatango.com
boldchat.com
hotmail.com
webmail.aol.com
groovygirls.com
pbskids.org
Appendix B: MIME Types
The following lists contain the MIME types you can block on your network.
MIME type
application/EDI-Consent
application/EDI-X12
application/EDIFACT
application/activemessage
application/andrew-inset
application/applefile
application/atomicmail
application/batch-SMTP
application/beep+xml
application/cals-1840
application/cnrp+xml
application/commonground
application/cpl+xml
application/cybercash
application/dca-rft
application/dec-dx
application/dicom
application/dns
application/dvcs
application/epp+xml
application/eshop
application/fits
application/font-tdpfr
application/http
application/hyperstudio
application/iges
application/im-iscomposing+xml
application/index
application/index.cmd
application/index.obj
application/index.response
application/index.vnd
application/iotp
application/ipp
application/isup
application/mac-binhex40
application/macwriteii
application/marc
application/mathematica
application/mikey
application/mpeg4-generic
application/msword
application/news-message-id
application/news-transmission
application/ocsp-request
application/ocsp-response
application/octet-stream
application/oda
application/ogg
application/parityfec
application/pdf
application/pgp-encrypted
application/pgp-keys
application/pgp-signature
application/pidf+xml
application/pkcs10
application/pkcs7-mime
application/pkcs7-signature
application/pkix-cert
application/pkix-crl
application/pkix-pkipath
application/pkixcmp
application/postscript
application/prs.alvestrand.titrax-sheet
application/prs.cww
application/prs.nprend
application/prs.plucker
application/qsig
application/rdf+xml
application/reginfo+xml
application/remote-printing
application/riscos
application/rtf
application/samlassertion+xml
application/samlmetadata+xml
application/sbml+xml
application/sdp
application/set-payment
application/set-payment-initiation
application/set-registration
application/set-registration-initiation
application/sgml
application/sgml-open-catalog
application/sieve
application/simple-message-summary
application/slate
application/soap+xml
application/spirits-event+xml
application/timestamp-query
application/timestamp-reply
application/tve-trigger
application/vemmi
application/watcherinfo+xml
application/whoispp-query
application/whoispp-response
application/wita
application/wordperfect5.1
application/x400-bp
application/xhtml+xml
application/xml
application/xml-dtd
application/xml-external-parsed-entity
application/xmpp+xml
application/xop+xml
application/zip
audio/32kadpcm
audio/3gpp
audio/AMR
audio/AMR-WB
audio/CN
audio/DAT12
audio/DVI4
audio/EVRC
audio/EVRC-QCP
audio/EVRC0
audio/G.722.1
audio/G722
audio/G723
audio/G726-16
audio/G726-24
audio/G726-32
audio/G726-40
audio/G728
audio/G729
audio/G729D
audio/G729E
audio/GSM
audio/GSM-EFR
audio/L16
audio/L20
audio/L24
audio/L8
audio/LPC
audio/MP4A-LATM
audio/MPA
audio/PCMA
audio/PCMU
audio/QCELP
audio/RED
audio/SMV
audio/SMV-QCP
audio/SMV0
audio/VDVI
audio/basic
audio/clearmode
audio/dsr-es201108
audio/dsr-es202050
audio/dsr-es202211
audio/dsr-es202212
audio/iLBC
audio/mpa-robust
audio/mpeg
audio/mpeg4-generic
audio/parityfec
audio/prs.sid
audio/telephone-event
audio/tone
image/cgm
image/fits
image/g3fax
image/gif
image/ief
image/jp2
image/jpeg
image/jpm
image/jpx
image/naplps
image/png
image/prs.btif
image/prs.pti
image/t38
image/tiff
image/tiff-fx
message/CPIM
message/delivery-status
message/disposition-notification
message/external-body
message/http
message/news
message/partial
message/rfc822
message/s-http
message/sip
message/sipfrag
message/tracking-status
model/iges
model/mesh
model/vrml
multipart/alternative
multipart/appledouble
multipart/byteranges
multipart/digest
multipart/encrypted
multipart/form-data
multipart/header-set
multipart/mixed
multipart/parallel
multipart/related
multipart/report
multipart/signed
multipart/voice-message
text/calendar
text/css
text/directory
text/dns
text/enriched
text/html
text/parityfec
text/plain
text/prs.fallenstein.rst
text/prs.lines.tag
text/rfc822-headers
text/richtext
text/rtf
text/sgml
text/t140
text/tab-separated-values
text/uri-list
text/xml
text/xml-external-parsed-entity
video/3gpp
video/BMPEG
video/BT656
video/CelB
video/DV
video/H261
video/H263
video/H263-1998
video/H263-2000
video/H264
video/JPEG
video/MJ2
video/MP1S
video/MP2P
video/MP2T
video/MP4V-ES
video/MPV
video/SMPTE292M
video/mpeg
video/mpeg4-generic
video/nv
video/parityfec
video/pointer
video/quicktime
Appendix C: File Types
The following lists contain the file types you can block on your network.
| File type | File extension |
|---|---|
| Active Server Page | .asmx, .asp, .aspx |
| ActiveX Control | .ocx |
| Address Book | .pab |
| Audio | .aiff, .m4a, .mid, .midi, .mp3, .mpu, .ra, .ram, .wav, .wma, .aac |
| CGI Script | .cgi |
| Cascading Style Sheet | .css |
| Comma Separated Value | .csv |
| Compressed | .arc, .gz, .gzip, .hqx, .rar, .sea, .sit, .z, .zip |
| DOS Batch | .bat |
| Database | .db, .mdb |
| Disk Image | .dmg, .img |
| Document | .pdf, .rtf, .wpd, .wpt |
| Dynamic Link Library | .dll |
| eBook | .lit |
| Executable | .exe |
| File Shortcut | .lnk |
| Filemaker Pro | .fpt |
| Flash | .swf |
| FoxPro | .dbx |
| HTML | .html |
| Icon | .ico |
| Image | .bmp, .gif, .jpe, .jpeg, .jpg, .pct, .png, .tga, .tiff |
| Initialization | .ini |
| Internet Certificate | .cer |
| Java Archive | .jar |
| JavaScript | .js |
| Log | .log |
| Lotus | .wk1 |
| Lotus Database | .ns2, .ns3, .ns4 |
| MIME | .mim, .mime |
| Macro | .wpm |
| Metafile | .wmf |
| Microsoft Project | .mpp |
| Microsoft Publisher | .pub |
| Outlook | .pst |
| PHP | .php, .php3, .php4 |
| PageMaker | .p65 |
| Perl Script | .pl |
| Photoshop | .psd |
| Postscript | .ps |
| PowerPoint | .pps, .ppt |
| Quark Express | .qxd |
| SQL | .sql |
| Spreadsheet | .xls, .xlt, .xlw |
| Swap | .sqp |
| Tar | .tar |
| Text | .txt |
| Uuencoded | .uu, .uue |
| Video | .avi, .moov, .mov, .mp4, .mpeg, .mpg, .qt, .rm, .wmv |
| Visio | .vsd |
| Windows Help | .hlp |
| Word Document | .doc |
| Word Template | .dot |
| XML | .xml |
Appendix D: ContentWatch CIDR Cheat Sheet
Classless Inter-Domain Routing (CIDR) is the latest refinement on how to present IP
addresses and subnet masks. CIDR replaces the previous generation of IP address syntax,
classful networks. Rather than allocating address blocks on 8-bit (octet) boundaries, it uses
a variable-length subnet mask to allow finer-grained allocation. With ContentProtect
Security Appliance all IP addresses are presented in CIDR notation; for example, the network
address 192.168.255.0 with a subnet mask of 255.255.255.0 is presented as 192.168.255.0/24.
Below is a CIDR Cheat Sheet that will help you enter IP addresses in CIDR notation.
CIDR Cheat Sheet

| CIDR Notation | Class | Hosts | Mask |
|---|---|---|---|
| /32 | 1/256 C | 1 | 255.255.255.255 |
| /31 | 1/128 C | 2 | 255.255.255.254 |
| /30 | 1/64 C | 4 | 255.255.255.252 |
| /29 | 1/32 C | 8 | 255.255.255.248 |
| /28 | 1/16 C | 16 | 255.255.255.240 |
| /27 | 1/8 C | 32 | 255.255.255.224 |
| /26 | 1/4 C | 64 | 255.255.255.192 |
| /25 | 1/2 C | 128 | 255.255.255.128 |
| /24 | 1 C | 256 | 255.255.255.0 |
| /23 | 2 C | 512 | 255.255.254.0 |
| /22 | 4 C | 1024 | 255.255.252.0 |
| /21 | 8 C | 2048 | 255.255.248.0 |
| /20 | 16 C | 4096 | 255.255.240.0 |
| /19 | 32 C | 8192 | 255.255.224.0 |
| /18 | 64 C | 16384 | 255.255.192.0 |
| /17 | 128 C | 32768 | 255.255.128.0 |
| /16 | 256 C, 1 B | 65536 | 255.255.0.0 |
| /15 | 512 C, 2 B | 131072 | 255.254.0.0 |
| /14 | 1024 C, 4 B | 262144 | 255.252.0.0 |
| /13 | 2048 C, 8 B | 524288 | 255.248.0.0 |
| /12 | 4096 C, 16 B | 1048576 | 255.240.0.0 |
| /11 | 8192 C, 32 B | 2097152 | 255.224.0.0 |
| /10 | 16384 C, 64 B | 4194304 | 255.192.0.0 |
| /9 | 32768 C, 128 B | 8388608 | 255.128.0.0 |
| /8 | 65536 C, 256 B, 1 A | 16777216 | 255.0.0.0 |
| /7 | 131072 C, 512 B, 2 A | 33554432 | 254.0.0.0 |
| /6 | 262144 C, 1024 B, 4 A | 67108864 | 252.0.0.0 |
| /5 | 524288 C, 2048 B, 8 A | 134217728 | 248.0.0.0 |
| /4 | 1048576 C, 4096 B, 16 A | 268435456 | 240.0.0.0 |
| /3 | 2097152 C, 8192 B, 32 A | 536870912 | 224.0.0.0 |
| /2 | 4194304 C, 16384 B, 64 A | 1073741824 | 192.0.0.0 |
| /1 | 8388608 C, 32768 B, 128 A | 2147483648 | 128.0.0.0 |
| /0 | 1677216 C, 65536 B, 256 A | 4294967296 | 0.0.0.0 |
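The conversion this appendix describes, from a network address and dotted subnet mask to CIDR notation, can be checked before an entry is typed into the appliance. The Python sketch below is an added example, not part of the ContentWatch guide or product; the function names are hypothetical and the sample entries are constructed. It rejects masks that have no CIDR equivalent and addresses with host bits set, since either would make a rule cover a different range than intended.

```python
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Return the CIDR prefix length for a dotted-decimal subnet mask.

    Raises ValueError for masks that are not a run of 1-bits followed by
    0-bits (for example 255.255.0.255), which have no CIDR equivalent.
    """
    value = int(ipaddress.IPv4Address(mask))
    host_bits = value ^ 0xFFFFFFFF  # invert: host portion becomes 1-bits
    # A contiguous mask inverts to 2**n - 1, so (x & (x + 1)) must be 0.
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return 32 - host_bits.bit_length()


def to_cidr(address: str, mask: str, strict: bool = True) -> str:
    """Convert a network address and subnet mask to CIDR notation.

    With strict=True an address that has host bits set (192.168.255.17
    with 255.255.255.0) is rejected instead of being silently widened to
    the whole containing network.
    """
    prefix = mask_to_prefix(mask)
    network = ipaddress.IPv4Network((address, prefix), strict=strict)
    return str(network)


def cheat_sheet_row(prefix: int) -> tuple:
    """Recompute the Hosts and Mask columns of the cheat sheet for a prefix."""
    network = ipaddress.IPv4Network((0, prefix))
    return (f"/{prefix}", network.num_addresses, str(network.netmask))


if __name__ == "__main__":
    # Constructed sample entries: (address, mask) pairs as an administrator
    # might have them written down before entering them in CIDR form.
    samples = [
        ("192.168.255.0", "255.255.255.0"),   # the guide's own example
        ("10.20.0.0", "255.255.252.0"),
        ("192.168.255.17", "255.255.255.0"),  # host bits set
        ("172.16.0.0", "255.255.0.255"),      # non-contiguous mask
    ]
    for address, mask in samples:
        try:
            print(f"{address} {mask} -> {to_cidr(address, mask)}")
        except ValueError as err:
            print(f"{address} {mask} -> rejected: {err}")
    print(cheat_sheet_row(23))
```

Passing strict=False returns the containing network for an address with host bits set, which is useful for seeing how wide the resulting entry would be.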
Appendix E: ContentWatch License Agreement and Warranty
PLEASE READ THE FOLLOWING BEFORE USING THE ACCOMPANYING PRODUCT. YOU SHOULD
CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING THE ACCOMPANYING
SOFTWARE AND HARDWARE (“APPLIANCE”). THE USE OF THE PRODUCT IS LICENSED FOR USE ONLY AS
SET FORTH BELOW. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO
NOT USE THE PRODUCT. IF YOU USE ANY PART OF THE SOFTWARE AND HARDWARE, SUCH USE WILL
INDICATE THAT YOU ACCEPT.
License Grant
Subject to the terms and conditions of this License, ContentWatch grants you a nonexclusive right and license to use
the Software on the Appliance. In addition, (1) you may not reverse engineer, decompile, disassemble or modify the
Software or Appliance, except and only to the extent that such activity is expressly permitted by applicable law
notwithstanding this limitation; and (2) you may not transfer rights under this License unless such transfer is part of a
permanent sale or transfer of the Product, and you transfer at the same time the Appliance and Software to the same
party or destroy such materials not transferred, and the recipient agrees to this License. No license is granted in any
of the Software’s proprietary source code.
You may make a reasonable number of copies of the electronic documentation accompanying the Software for each
Software license you acquire, provided that, you must reproduce and include all copyright notices and any other
proprietary rights notices appearing on the electronic documentation.
ContentWatch reserves all rights not expressly granted herein.
Intellectual Property Rights
The Software and Appliance are protected by copyright laws, international copyright treaties, and other intellectual
property laws and treaties. This license does not grant you any rights to patents, copyright, trade secrets, trademarks
or any other rights with respect to the Software and Appliance. ContentWatch and its suppliers retain all ownership of,
and intellectual property rights in (including copyright), the Software and Appliance. However, certain components of
the Software are components licensed under the GNU General Public License (version 2), which ContentWatch
supports. You may obtain a copy of the GNU General Public License at http://www.fsf.org/copyleft/gpl.html.
ContentWatch will provide source code for any of the components of the Software licensed under the GNU General
Public License upon request. Additionally this product includes software developed by the OpenSSL Project for use
in the OpenSSL Toolkit (http://www.openssl.org).
Export Restrictions
You agree that you will not export or re-export the Appliance, Software, any part thereof, or any process or service
that is the direct product of the Appliance or Software in violation of any applicable laws or regulations of the United
States or the country in which you obtained them.
U.S. Government Restricted Rights. The Software and related documentation are provided with Restricted Rights.
Use, duplication, or disclosure by the Government is subject to restrictions set forth in subparagraph (c) (1) (ii) of the
Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c) (1) and (2) of
the Commercial Computer Software–Restricted Rights at 48 C.F.R. 52.227-19, as applicable, or any successor
regulations.
Term and Termination
This License is effective until terminated. The License terminates immediately if you fail to comply with any term or
condition. In such an event, you must destroy all copies of the Software. You may also terminate this License at any
time by destroying the Product.
Governing Law and Attorney’s Fees
This License is governed by the laws of the State of Utah, USA, excluding its conflict of law rules. You agree that the
United Nations Convention on Contracts for the International Sale of Goods is hereby excluded in its entirety and
does not apply to this License. In any action or suit to enforce any right or remedy under this License or to interpret
any provision of this License, the prevailing party will be entitled to recover its costs, including reasonable attorneys’
fees.
Entire Agreement
This License constitutes the entire agreement between you and ContentWatch with respect to the Software, and
supersedes all other agreements or representations, whether written or oral. The terms of this License can only be
modified by express written consent of both parties. If any part of this License is held to be unenforceable as written,
it will be enforced to the maximum extent allowed by applicable law, and will not affect the enforceability of any other
part.
CONTENTWATCH DISCLAIMS ANY AND ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE. OTHER THAN AS STATED HEREIN, THE ENTIRE RISK AS TO SATISFACTORY
QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU. ALSO, THERE IS NO WARRANTY
AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE SOFTWARE OR AGAINST INFRINGEMENT. IF
YOU HAVE RECEIVED ANY WARRANTIES REGARDING THE DEVICE OR THE SOFTWARE, THOSE
WARRANTIES DO NOT ORIGINATE FROM, AND ARE NOT BINDING ON, CONTENTWATCH.
NO LIABILITY FOR CERTAIN DAMAGES. EXCEPT AS PROHIBITED BY LAW, CONTENTWATCH SHALL HAVE
NO LIABILITY FOR COSTS, LOSS, DAMAGES OR LOST OPPORTUNITY OF ANY TYPE WHATSOEVER,
INCLUDING BUT NOT LIMITED TO, LOST OR ANTICIPATED PROFITS, LOSS OF USE, LOSS OF DATA, OR ANY
INCIDENTAL, EXEMPLARY, SPECIAL OR CONSEQUENTIAL DAMAGES, WHETHER UNDER CONTRACT, TORT,
WARRANTY OR OTHERWISE ARISING FROM OR IN CONNECTION WITH THIS LICENSE OR THE USE OR
PERFORMANCE OF THE SOFTWARE. IN NO EVENT SHALL CONTENTWATCH BE LIABLE FOR ANY AMOUNT
IN EXCESS OF THE PURCHASE PRICE AND/OR ANY LICENSE FEES PAID TO CONTENTWATCH UNDER THIS
LICENSE. SOME STATES AND COUNTRIES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY
FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY TO YOU.
Hardware Warranty
ContentWatch Corp. warrants your ContentWatch product to be in good working order and to be free from defects in
workmanship and material (except in those cases where materials are supplied by the Purchaser) under normal and
proper use and service for the period of one (1) year from the date of purchase from an Authorized ContentWatch
Reseller. In the event that this product fails to meet this warranty within the applicable warranty period, and provided
that ContentWatch confirms the specified defects, Purchaser’s sole remedy is to have ContentWatch, at
ContentWatch’s sole discretion, repair or replace such product at the place of manufacture, at no additional charge
other than the cost of freight of the defective product to and from the Purchaser. Repair costs and replacement
products will be provided on an exchange basis and will be either new or reconditioned. ContentWatch will retain, as
its property, all replaced parts and products. Notwithstanding the foregoing, this hardware warranty does not include
service to replace or repair damage to the product resulting from accident, disaster, abuse, misuse, electrical stress,
negligence, any non-ContentWatch modification of the product except as provided or explicitly recommended by
ContentWatch, or other cause not arising out of defects in material or workmanship. This hardware warranty also
does not include service to replace or repair damage to the product if the serial number or seal or any part thereof
has been altered, defaced, or removed. If ContentWatch does not find the product to be defective, the Purchaser will
be invoiced for said inspection and testing at ContentWatch’s then current rates, regardless of whether the product is
under warranty.