advertisement
SonicWall™
Content
Filtering
Client
3.1
Getting Started Guide
Copyright © 2017 SonicWall Inc.
All rights reserved.
SonicWall is a trademark or registered trademark of SonicWall Inc.
and/or its affiliates in the U.S.A.
and/or other countries.
All other trademarks and registered trademarks are property of their respective owners
The information in this document is provided in connection with SonicWall Inc.
and/or its affiliates’ products.
No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of SonicWall products.
EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR
ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS
PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON ‐ INFRINGEMENT.
IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL,
PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR
ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice.
SonicWall Inc.
and/or its affiliates do not make any commitment to update the information contained in this document.
For more information, visit https://www.sonicwall.com/legal/ .
Legend
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
Content Filtering Client Getting Started Guide
Updated ‐ March 2017
Software Version ‐ 3.1
232 ‐ 003389 ‐ 00 Rev A
Contents
Content Filtering Client Overview .
Content Filtering Client Prerequisites .
Network Security Appliance Registration .
Licensing Content Filtering Client with a Network Security Appliance .
Licensing Content Filtering Client without a Network Security Appliance .
Installing & Uninstalling CFC .
Installing MSI File with the Wizard .
Windows Command Line Uninstall .
Installation via Blocked Page .
Cloning a New Enforcement Policy .
Content Filtering Client Reports .
Enabling Client CFS in Network Zones .
Configuring Client CF Enforcement .
SonicWall Content Filtering Client 3.1
Getting Started Guide
Contents
3
Auto Detection of Content Filtering Client .
Configuring the Network Security Appliance .
SonicWall Content Filtering Client 3.1
Getting Started Guide
Contents
4
1
Overview
SonicWall™ offers comprehensive web content security that blocks selected web content and enforces protection and productivity policies.
The main components are Content Filtering Service (CFS), SonicWall
Content Filtering Client (CFC), and EPRS (Enforced Policy & Reporting System).
CFS runs on the firewall and protects the devices behind the firewall.
Content Filtering Client runs on the client devices—like a laptop, for example—and protects devices regardless of where the device is located, even if it is connected outside the firewall.
EPRS provides administrators with the means to manage Content Filtering Client from a central web interface.
Topics:
•
Content Filtering Client Overview
•
•
•
Content Filtering Client Overview
The SonicWall Content Filtering Client (CFC) provides protection and productivity policy enforcement for businesses, schools, libraries and government agencies.
Content Filtering Client has a revolutionary content filtering architecture that utilizes a scalable, dynamic database to block objectionable and unproductive Web content.
Content Filtering Client combines control and flexibility to ensure protection and productivity.
It prevents individual users from accessing inappropriate content while reducing organizational liability and increasing productivity.
Web sites are rated according to the type of content they contain.
Content Filtering Client filters access to these web sites based upon their ratings and based on the policy settings for that user or group.
Businesses can typically control web surfing behavior and web content when the browsing is initiated on a device within the perimeter of the network security appliance by setting filter policies on the appliance.
But when the same device, a laptop for example, exits the perimeter, the control is lost.
The Content Filtering Client addresses this gap by blocking objectionable and unproductive web content outside the network security appliance perimeter.
SonicWall network security appliances work in conjunction with SonicWall Content Filtering Client automatically.
The client is designed to work with Windows, Mac OS and Chrome devices.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Overview
5
The three main functions of the SonicWall Content Filtering Client solution are:
Network running
security
SonicOS
Automatic
appliance triggering
Facilitates and verifies licensing of the Content Filtering Client.
Also used to configure, enable and disable enforcement, exclusions, and other settings.
Installs the SonicWall Content Filtering Client on any user system attempting to access the Internet without Content Filtering Client installed.
The user is blocked from accessing Websites until it is installed.
EPRS on the cloud ‐ based server Can be used to administer user and group policies.
It is accessed from MySonicWall or from SonicOS running on the appliance.
Platform Compatibility
SonicWall Content Filtering Client is supported on the Windows, MacOS and Chrome OS.
Windows Clients
SonicWall Content Filtering Client is supported on 32 ‐ bit and 64 ‐ bit versions of Microsoft Windows.
• Windows 10
• Windows 8.1
• Windows 8
• Windows 7
The following specifies the minimum hardware requirements for Windows clients:
• Processor: 2 GHz or higher (32 ‐ bit / 64 ‐ bit)
• 2 GB RAM or higher
Mac OS Clients
SonicWall Content Filtering Client is supported on Mac OS X 10.9
and above.
However, 32 ‐ bit Mac OS X is not supported.
Chrome OS Clients
SonicWall Content Filtering Client is supported on Chrome OS versions 1.0.154
and above.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Overview
6
Guide Contents
This document describes how to configure and deploy the SonicWall Content Filtering Client.
It includes:
• This chapter,
, provides an overview of the SonicWall Content Filtering Client and describes the conventions used within this guide.
• Chapter 2,
Content Filtering Client Prerequisites
, reviews the tasks that need to be done before SonicWall
Content Filtering Client can be installed on the client systems.
• Chapter 3,
Installing & Uninstalling CFC ,
describes how to install and uninstall the SonicWall Content
Filtering Client.
• Chapter 4,
, describes how to perform some basic EPRS administration tasks.
• Chapter 5,
describes some content filtering configuration steps that can be performed on the network security appliance, using the SonicOS interface.
• Appendix A,
Auto Detection of Content Filtering Client
, provides information on how to set up auto detection of the firewall when an IP address change is detected.
• Appendix B,
provides additional information on blocked processes and how to allow them.
Go to https://support.sonicwall.com/technical ‐ documents for the latest version of this guide as well as other
SonicWall products and services documentation.
Guide Conventions
The following conventions are used in this guide:
Text conventions
Convention
Bold text
Computer code
<Computer code italic>
Italic
Menu item > Menu item
Use
Used in procedures to identify elements in the user interface like dialog boxes, windows, screen names, and buttons.
Also used for file names and text or values you are being instructed to select or type into the interface.
Indicates sample code or text to be typed at a command line.
Represents a variable name when used in command line instructions within the angle brackets.
The variable name and angle brackets need to be replaced with an actual value.
For example in the segment serialnumber=< your serial number > , replace the variable with the serial number from your device: serialnumber=C0AEA0000011.
Indicates the name of a technical manual.
Also indicates emphasis on certain words in a sentence.
Sometimes indicates the first instance of a significant term or concept.
Indicates a multiple step Management Interface menu choice.
For example,
System > Status means select System option first and then select Status .
SonicWall Content Filtering Client 3.1
Getting Started Guide
Overview
7
2
Content
Filtering
Client
Prerequisites
Prior to configuring and deploying the SonicWall Content Filtering Client, several activities need to be completed to receive the benefits of SonicWall security services, firmware updates, and technical support:
• Create or validate your MySonicWall account.
• Verify the network security appliance is registered.
• License or activate the Content Filtering Client software.
This chapter reviews these activities and provides guidance for ensuring their completion.
Topics:
•
•
Network Security Appliance Registration
•
MySonicWall
SonicWall requires a MySonicWall account prior to configuring your network security appliance and security services.
MySonicWall is used to register your SonicWall appliance and to activate or purchase licenses for security services, support, or software specific to your security solution.
If you haven’t already done so, create a
MySonicWall account; otherwise, you can skip to
Network Security Appliance Registration .
To create a new MySonicWall account from any computer:
1 Navigate to https://www.mysonicwall.com
.
2 In the login screen, click the Register Now link.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Content Filtering Client Prerequisites
8
3 Complete the Registration form.
The fields with an asterisk (*) are required.
4 Click on Register .
5 Verify that the information is correct, and then click Submit .
6 To confirm your account was created, click Continue .
Network Security Appliance Registration
The network security appliance that is part of the SonicWall Content Filtering Client solution needs to be registered before you can configure and implement any security services.
Registering your appliance can be done in different ways, but SonicWall recommends registering your appliance through the SonicOS
Management Interface.
To verify registration of your SonicWall appliance:
1 Log into the network security appliance.
2 Select System > Status .
• If the appliance is not registered yet, a message displays at the top of the screen stating that your
SonicWall appliance is not registered.
You can click on the Register link.
Refer to the Getting
Started Guide for your particular network security appliance for detailed information on how to register your device.
• If the appliance is registered, you see system information similar to the following:
NOTE: You can also validate the license status for SonicWall Content Filtering Client on the
System > Status window (see above).
Look in the Security Services section to see if
SonicWall Content Filtering Client is either Licensed or Not Licensed.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Content Filtering Client Prerequisites
9
Licensing
SonicWall Content Filtering Client can be licensed as a security service associated with a SonicWall network security appliance or as a standalone service without an associated appliance.
Topics:
•
Licensing Content Filtering Client with a Network Security Appliance
•
Licensing Content Filtering Client without a Network Security Appliance
Licensing Content Filtering Client with a Network
Security Appliance
To license SonicWall Content Filtering Client with a network security appliance:
1 Log into your network security appliance as an admin.
2 Navigate to the System > Licenses page.
3 Under Manage Security Services Online , select click here in the line To Activate, Upgrade, or Renew services .
4 Enter your MySonicWall account credentials to log into MySonicWall.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Content Filtering Client Prerequisites
10
5 Find Content Filtering Client in the Managed Services Online list and check the options under Manage
Service:
Manage Service Options
Try or Activate
Upgrade
Renew
Definition
If Content Filtering Client is already licensed, these options do not show.
If Content Filtering Client is not licensed, select Try or
Activate .
Try enables a 30 ‐ day free trial.
Activate enables the
Content Filtering Client service if you have the key.
You have additional licenses that you want to associate with
Content Filtering Client; select Upgrade and provide the activation keys when requested.
You can renew your Content Filtering Client licenses before they expire by selecting this option.
6 Depending on your choice in
, type or paste the activation key into the license key field and click
Submit .
Licensing Content Filtering Client without a Network
Security Appliance
To license SonicWall Content Filtering Client without an associated network security appliance:
1 Log into MySonicWall.
2 Select the link in the Free Trial Software section.
3 Go to the Anti ‐ Virus/SonicWall Content Filtering Client section and type a descriptive name for Content
Filtering Client in the Friendly Name field.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Content Filtering Client Prerequisites
11
4 Click Try Now .
5 In the Manage Client Distribution Group Services page, scroll down to the Applicable Services section.
6 In the row for Content Filtering Client, click one of the following buttons in the Action column:
• To buy the service, click on the shopping cart icon.
• To get a free 30 ‐ day trial, click on the try icon.
• To activate the service, click on the key icon.
To use this option, you should already have a license key from a previous purchase of the service.
7 Follow the on ‐ screen instructions to complete the purchase or activation.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Content Filtering Client Prerequisites
12
3
Installing
&
Uninstalling
CFC
This section describes the process for installing the SonicWall Content Filtering Client on end user systems.
Refer to the section that applies to the operating system for your end user system.
Topics:
•
•
•
•
Content Filtering Client can be installed on groups of systems by using standard tools like group policies.
Those processes are not included in this document.
Windows Options
SonicWall Content Filtering Client can be easily installed on a Windows system, and there are several different ways of doing it.
You need the login information for your MySonicWall account and the serial number for the network security appliance this client should be associated with.
If you are configuring Content Filtering Client without a firewall appliance, refer to
Licensing Content Filtering Client without a Network Security Appliance
for more information.
Topics:
•
Installing MSI File with the Wizard
•
•
•
Windows Command Line Uninstall
SonicWall Content Filtering Client 3.1
Getting Started Guide
Installing & Uninstalling CFC
13
Installing MSI File with the Wizard
To install the Content Filtering Client on a Windows device using the CFC.msi:
1 Log in to your MySonicWall account.
2 Navigate to the Downloads > Download Center page.
3 In the Software Type field, select Content Filtering Client from the drop ‐ down list to sort on that product.
4 Click on Content Filtering Client and save the CFC ‐ < versionNum >.msi
file to your local system, where
<versionNum> is the current version number available.
5 Double ‐ click the CFC ‐ < versionNum >.msi
file to start the installation setup wizard.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Installing & Uninstalling CFC
14
NOTE: If you are behind the SonicWall firewall, you do not need to enter a serial number.
During the install process the firewall is configured for enforcement and the firewall serial number is detected automatically.
6 In the next screen, input the serial number of the network security appliance associated with this system.
NOTE: The serial number is required.
If you are installing Content Filtering Client without a network security appliance you need virtual appliance number.
Refer to
Licensing Content Filtering Client without a Network Security Appliance
for more information.
7 After the Setup Wizard completes the installation, click on Finish to complete the installation.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Installing & Uninstalling CFC
15
After a successful installation, the SonicWall Content Filtering Client program displays in the Control Panel
Programs and Features window on the end user system.
To verify, go to Start > Control Panel and click on
Programs and Features .
Look for Content Filtering Client in the list.
NOTE: Content Filtering Client cannot be uninstalled through the Windows Control Panel Programs and
Features.
It must be uninstalled using the command line.
Refer to
Windows Command Line Uninstall
for more information.
Command Line Installation
To install the Content Filtering Client .msi
file from the command line:
1 Open a command line window.
2 Login in Admin mode.
3 Navigate to where the .msi
file is located.
4 Type in the following command (bold text): msiexec /i CFC <versionNum> .msi
/l*v < cfcsetup.log
> /qn serialnumber=< your serial number > where:
/i Installs the file listed immediately after the /i option.
In this example the file being installed is CFC <versionNum> .msi
, where <versionNum> is the version number of the software.
/l*v
/qn
Log verbose and log all information in the file name specified by the variable
< cfcsetup.log
>.
Performs a silent installation.
NOTE: If you use the /qn option, you must open the DOS prompt as an administrator and specify the serial number of the appliance.
Ghost Installation
The SonicWall Content Filtering Client also supports a ghost installation.
To perform a ghost install:
1 Open a command line window.
2 Login in Admin mode.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Installing & Uninstalling CFC
16
3 Type in the following command: msiexec /i CFC-<versionNum>.msi /l*v cfcsetup.log /qn serialnumber=<your serial number> ghost=1 where <versionNum> represents the version number of the CFC package and <your serial number> represents the serial number of your network appliance.
NOTE: This must be the last application installed on your system.
Do not reboot the system after completing the install until a ghost is created, otherwise the image from the ghost has the same GUID across multiple installs.
Windows Command Line Uninstall
Content Filtering Client does not have an uninstall option in Add/Remove Control Panel.
Content Filtering Client uninstall requires admin privileges.
To uninstall Content Filtering Client version 3.x:
1 Open a command line window in Admin mode.
2 Run the following command to get uninstall information about the CFC application:
• On Windows 64 bit system:
“C:\Program Files (x86)\SonicWall\Content Filtering Client” cfcservice -show install
• On Windows 32 bit system:
“C:\Program Files\SonicWall\Content Filtering Client” cfcservice show install
A sample of the output is shown below.
Values vary, based on your installation.
Product Name: Content Filtering Client
Version: 3.1.55.0314
Publisher: SonicWall
Upgrade Code: {55159624-54cb-4ba1-82bc-1993614361a6}
Product Code: {BAD36ED1-9083-4C36-974D-3941DE2432DD}
Uninstall Command: msiexec.exe /X{BAD36ED1-9083-4C36-974D-
3941DE2432DD} PASSWORD=<password>
Help Link: https://support.soniwall.com
Install Date: 20170315
Installed Language: 1033
Install Location: C:\Program files (x86)\SonicWall\Content Filtering
Client\
Install Source: C:\Users\lsmirnov\Desktop\3.1.55.0314\
Local Package: C:\WINDOWS\Installer\2f673029.msi
3 Find the uninstall command in the output from
and run it from the command line.
msiexec.exe /X{BAD36ED1-9083-4C36-974D-3941DE2432DD}
PASSWORD=<password>
You can also find the uninstall password for this client from EPRS.
Refer to the SonicWall Enforced Client
Policy and Reporting Server Administration Guide for more information.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Installing & Uninstalling CFC
17
Mac Options
SonicWall Content Filtering Client can be easily installed the on a Mac system.
You need the login information for your MySonicWall account and the serial number for the network security appliance this client should be associated with.
Topics:
•
•
Mac OS Installation
To install the SonicWall Content Filtering Client for a system running Mac OS:
1 Log in to your MySonicWall account.
2 Navigate to the Downloads > Download Center page.
3 In the Software Type field, select Content Filtering Client from the drop ‐ down list to sort on that product.
4 Click on SonicWall Content Filtering Client Mac and save the CFCSetup_<versionNum>.pkg
to your local system.
5 Double ‐ click the CFCSetup.pkg
to start the installation setup wizard.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Installing & Uninstalling CFC
18
6 Enter the serial number associated with the client when prompted.
7 Enter your system admin password when prompted.
Once validated, the installation continues.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Installing & Uninstalling CFC
19
After the client is successfully installed, a notification displays.
Mac OS Uninstall
To uninstall the SonicWall Content Filtering Client from a Mac OS system, run the following script from the terminal:
/Library/SonicWALL/CFC/UninstallCFC
NOTE: You may have to enter the admin password to complete the uninstallation process.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Installing & Uninstalling CFC
20
Chrome OS Installation
The most effective way to set up the installation for Chrome systems is for the domain administrator to configure everything in the Google Admin Console.
Then all users associated with this specific domain have CFC installed automatically.
Users not belonging to any domain can follow these instructions to install CFC.
They have to work with their local system administrator to get linked to the EPRS policy.
To install the SonicWall Content Filtering Client on a Chrome device:
1 Open a Chrome browser and navigate to the Chrome web store.
2 Search on content filter ing to narrow the options.
3 Browse the application list and select SonicWall Content Filtering Server and SonicWall Content
Filtering Extension .
4 Click on Install .
NOTE: For more information on configuring Chrome see the Enforced Client Policy & Reporting
Server Administration Guide.
Installation via Blocked Page
NOTE: Blocked page installation is only available on Windows and Mac OS X.
A blocked page installation cannot be performed on Chrome OS.
Blocked Page installation is enforced when a series of conditions in the SonicWall Content Filtering Client configuration are met:
• Client CF Enforcement is enabled.
(
Configuring Client CF Enforcement
has more information on how to configure that.)
• The client tries to communicate with an untrusted network zone using a browser via HTTP.
• The network security appliance has determined that the client system does not have SonicWall Content
Filtering Client installed.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Installing & Uninstalling CFC
21
If all these conditions are met, the network security appliance redirects the end user to a Block Page that has a link for installing SonicWall Content Filtering Client.
To install the client:
1 Click Install Content Filtering Client on the block page.
2 Click the Download button.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Installing & Uninstalling CFC
22
3 After the installer file is downloaded, click Run .
4 When asked if you want the following program to make changes to this computer, say Yes .
NOTE: If you are installing the client while connected behind the network security appliance, you do not need to enter a serial number.
If you are outside the firewall, you need the serial number for the network security appliance.
Contact your system administrator for the appliance for that information.
When installation via Blocked Page is complete, CF Client Enforcement needs to be configured for that user.
Refer to
for details.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Installing & Uninstalling CFC
23
4
Basic
Administration
The administration tool for the Content Filtering Service is EPRS (Enforced Policy & Reporting System).
It provides a common interface to manage the Content Filtering Client policies for clients on the network.
The client pulls its policies from one of the registered policy servers that make up the solution.
This chapter describes how to use some of the EPRS features so you can get started.
For more detailed information regarding administration with EPRS, refer to Enforced Client Policy & Reporting Server
Administration Guide or browse https://support.sonicwall.com/product ‐ support ‐ forums .
Topics:
•
•
•
•
Cloning a New Enforcement Policy
•
•
Content Filtering Client Reports
Accessing EPRS
The easiest way to access EPRS is to login to your MySonicWall account.
You can also access it through links in the SonicOS interface, but that path also leads to MySonicWall.
Topics
•
•
Using MySonicWall
To access EPRS from MySonicWall:
1 Go to MySonicWall: https://www.mysonicwall.com/ .
2 Login in using your account information.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Basic Administration
24
3 Navigate to My Products > CFC Management .
4 On the next screen, select the network security appliance and administer it as needed.
Using SonicOS Interface
To access EPRS from the SonicOS interface:
1 Log into your firewall using administrator privileges.
2 Navigate to the Security Services > Client CF Enforcement page.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Basic Administration
25
3 Follow the link to Create client policies and generate reporting using the Policy & Reporting Service by clicking here .
4 Login to EPRS using either your MySonicWall account or your firewall Authentication Code, which can be found on the System > Status page.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Basic Administration
26
Viewing Status
Under the Policies tab, the System > Status page displays the status information for the appliance from which you accessed EPRS.
Status information similar to the following displays:
• General —Displays the appliance serial number.
• Services —Displays the services licenced to the appliance including:
• Name of the service
• License status ( Current or Expired )
• Expiration date of the license
• Nodes or client machines currently in use with the installed service
• Total number of nodes available to be licenced
• LDAP Settings —Identifies the LDAP Domain Alias, if available.
You can also synchronize the client license of the unit with the license manager on this page by clicking
Synchronize with mySonicWALL.com
.
Schedules
Select System > Schedules to view or change schedule groups.
Topics:
•
•
SonicWall Content Filtering Client 3.1
Getting Started Guide
Basic Administration
27
Viewing Schedules
The System > Schedules page allows you to view and edit schedule objects configured in EPRS.
Click on the arrowhead to expand a specific schedule group for more details.
Click on the edit icon of a particular schedule to change the values of the schedule object.
Adding a Schedule Group
You can create a Schedule Group with various times in which the schedule is enforced.
To add a Schedule Group:
1 Navigate to the System > Schedules page.
2 Click the Add Schedule Group link.
3 Enter the Name of the Schedule Group.
4 Select the Day(s) for the schedule to be enforced.
5 Specify the Start Time for the schedule to begin.
Use a 24 ‐ hour format.
6 Specify the Stop Time for the schedule to end.
Use a 24 ‐ hour format.
7 Click Add .
This saves the newly created schedule, displaying the Day(s) and Time, in the text field.
You can continue to create other schedules for this group by specifying the parameters, then clicking Add .
You can also delete a schedule in the text field by selecting the schedule and clicking Delete , or clicking
Delete All to delete all schedules listed.
8 Click OK to save a Schedule Group.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Basic Administration
28
Cloning a New Enforcement Policy
EPRS uses policies to define what content to block and what content to allow.
SonicWall provides two default policies that can be used immediately: one for desktops and one for mobile devices.
If you wish to develop a customized policy, SonicWall recommends cloning one of the default policies and then editing it to meet your needs.
NOTE: The default policies cannot be edited or deleted.
To clone and edit a policy:
1 Navigate to the Enforcement > Policies page.
2 Click the clone icon for the policy that you want to clone.
3 On the Add Policy window, edit the Name and Comment fields.
NOTE: For a cloned policy, the fields are already populated with text, but these fields are editable.
4 On the Agent Version Settings section, select the desired Agent Version from the drop ‐ down list.
This allows the policy to be configured for a specific Agent version.
You can select General Release , Early
Release , Alpha , Beta or a specific version of the release.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Basic Administration
29
5 Navigate to the Content Filter tab.
6 Select the Default Local Policy from the drop ‐ down list.
7 Select a Scheduled Local Policy from the drop ‐ down list.
This value determines when the policy is enforced.
8 Click OK .
NOTE: For more information regarding Policies, refer to Enforced Client Policy & Reporting Server
Administration Guide .
Adding a New Client Group
You can configure client groups on the Enforcement > Client Groups page.
You can create new client groups or edit existing client groups.
The Default Client Group can be edited, but not deleted.
All clients requesting a policy for the first time are automatically added to the Default Client Group and are served with the policy defined for the group.
The administrator can move a client to a different client group after initially being added.
To add a new client group:
1 Navigate to the Enforcement > Client Groups page on the Polices tab.
2 On the Enforcement > Client Groups page, click Add New Client Group .
SonicWall Content Filtering Client 3.1
Getting Started Guide
Basic Administration
30
3 Type a descriptive name into the Group Name field.
4 In the Comment field, enter a descriptive comment.
5 Select a policy for the group from the Desktop Policy drop ‐ down list.
All existing policies are available for selection.
6 Select a policy for the group from the Mobile Policy drop ‐ down list.
All existing polices are available for selection.
7 Click OK to complete.
Content Filtering Client Reports
The report section of the Content Filtering Client provides different reports summarizing the various events being tracked.
The following illustrations are example of what they can show.
This report shows the different categories that were blocked by the CFC installed on the client systems.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Basic Administration
31
This report shows the actual web sites that were blocked by the CFC under various categories.
This report shows the various systems, as well as the users logged into those systems, that are generating the blocked events.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Basic Administration
32
These reports shows the detailed view of Blocked Events, which contains listing of Categories, Initiators, and
Sites that generated Blocked events.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Basic Administration
33
5
Client
CF
Enforcement
Client CF Enforcement is a service running on the network security appliance that enables the automatic deployment of the SonicWall Content Filtering Client to endpoints (laptops and so forth) within the appliance perimeter.
The SonicWall Content Filtering Client protects the users from accessing harmful and objectionable web sites when the endpoint goes outside the firewall perimeter.
Client CF Enforcement must be enabled on the SonicWall Inc.
network security appliance before you can install the SonicWall Content Filtering Client.
NOTE: If the SonicWall Content Filtering Client is not activated on MySonicWall, you must activate it to enforce client content filtering polices on client systems.
For more information, see
Topics:
•
Enabling Client CFS in Network Zones
•
Configuring Client CF Enforcement
Enabling Client CFS in Network Zones
If you have end users that work both in the office and outside the office, you can configure the content filtering services so that the client manages the filtering when the system is outside the firewall, and the network security appliance manages the filtering when the user is inside the firewall.
The SonicWall Content Filtering
Client detects the zone the user is in and suspends or engages the client accordingly.
To set up this feature, you need to set up network zones on the network security appliance and enable the
Suspend check box in EPRS.
NOTE: The network security appliance needs at least one CF Client license.
To enforce the SonicWall Content Filtering Client on a per ‐ zone basis:
1 Log into the network security appliance using administrator credentials.
2 Navigate to Security Services > Client CFS Enforcement .
SonicWall Content Filtering Client 3.1
Getting Started Guide
Client CF Enforcement
34
3 Click the Network > Zones link in the Note.
NOTE: You can also choose Network > Zones from the left menu.
4 Find the zone on which you want to enforce the SonicWall Content Filtering Client.
5 Click on the edit icon.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Client CF Enforcement
35
6 In the configuration window, check the box for Enable Client CFS Enforcement Service .
7 Click OK .
Configuring Client CF Enforcement
If you want your network security appliance to enforce the installation of the Content Filtering Client on client endpoints, you need to configure that option using the SonicOS management interface.
During this process, you need to decide which items should be included in the Client CF Enforcement List and which should be excluded from enforcement.
To configure Client CF Enforcement on your network security appliance:
1 Log in to your network security appliance.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Client CF Enforcement
36
2 Navigate to Security Services > Client CF Enforcement .
3 Under the Client CF Enforcement Policies section, use the drop ‐ down list to choose the Grace Period during which CF enforcement policies remain valid.
The grace period is the amount of time you allow for an endpoint to get the most current policy.
the default is 5 days ; the options range from 0 days to 5 days .
4 To configure the Client CF Enforcement List (item 1 in the Client CF Enforcement figure above): a Click on the edit icon.
b Highlight the item in the left column that you want added to the Client CF Enforcement List and click on the right arrow.
That item now appears in the right column.
c Repeat the process until you’ve selected all the items you want included.
d Click OK .
SonicWall Content Filtering Client 3.1
Getting Started Guide
Client CF Enforcement
37
5 To configure the Excluded from Client CF Enforcement List (item 2 in the Client CF Enforcement figure above): a Click on the edit icon.
b Highlight the item in the left column that you want added to the Excluded from Client CF
Enforcement List and click on the right arrow.
That item now appears in the right column.
c Repeat the process until you’ve selected all the items you want excluded.
d Click OK .
6 In the drop ‐ down list at the bottom of the page, select Client CFS Enforcement which sets the default enforcement For computers whose addresses do not fall in any of the above lists.
This option prompts all other computers connecting to the Internet through the appliance to install the client.
If you select None from the drop ‐ down list, the service is only enforced on computers that you have configured.
7 As a best practice the Client CF Enforcement cache should be reset.
To perform those steps: a Navigate to System > Status on the interface for your firewall.
b Go to the diagnostics page by changing “ main.html
” to “ diag.html
” in the website address and pressing return.
c Select the Internal Settings button.
d Scroll down to the Security Services Settings.
e Find and select Reset Client CF Enforcement Cache.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Client CF Enforcement
38
8 Click Accept .
9 Click Close to leave the diagnostics page.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Client CF Enforcement
39
A
Auto
Detection
of
Content
Filtering
Client
SonicWall Content Filtering Client (CFC) performs firewall discovery any time the Content Filtering Client is behind an Enforced UTM.
Auto detection is supported on SonicWall Content Filtering Client version 3.0
and above.
Firmware version for the network security appliances is 5.9.x.x, 6.2.x.x
and above.
NOTE: Firmware version 6.1.x.x
will NOT be able to auto detect behind the firewall.
Topics: :
•
Configuring the Network Security Appliance
•
Configuring the Network Security Appliance
To configure the network security appliance for auto detection:
1 Determine the zone where Content Filtering Client will be located.
For example, if Content Filtering
Client is located on the LAN, DMZ and WLAN zone, then Content Filtering and Client CF options for the three zones MUST be enabled as shown below.
2 To enable the above options on a zone, go to Network ‐ >Zones on the interface for the network security appliance.
3 Select the zone to configure.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Auto Detection of Content Filtering Client
40
4 Check the two boxes as shown below:
• Enforce Content Filtering Service
• Enable Client CF Service
SonicWall Content Filtering Client 3.1
Getting Started Guide
Auto Detection of Content Filtering Client
41
5 For systems running SonicOS 6.2.6
or later that support CFS 4.0
(Content Filtering Service), enable the
CFS option: a Navigate to Security Services > Content Filtering .
b Check the box to Enable Content Filtering Service .
Configuring EPRS
EPRS configuration required.
1 Log into MySonicWALL.
2 Navigate to CFC Management and select the network security appliance that you want to update.
3 Select Content Filter > Settings .
4 Enable Suspend CF Client when behind Firewall with Active Gateway CFS .
NOTE: If the CF Client is licensed using the Client Distribution Group, you need to list the serial number of the physical network security appliance the CFC will be behind.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Auto Detection of Content Filtering Client
42
NOTE: In the case of a Firewall Sandwich (FWS), list all the firewall serial numbers in the FWS.
It is recommended that in a FWS deployment, license CFC using the Client Distribution Group.
As shown below on the CFC dashboard, when CFC detects a firewall, the Active Policy is disabled and the
Suspend Behind Firewall option is On .
When working remotely and the system is not behind a firewall, note that the Active Policy is defined and the
Suspend behind FW option is Off .
NOTE: CFC logs when a firewall is NOT detected.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Auto Detection of Content Filtering Client
43
B
Enabling
a
Blocked
Process
When you run diagnostics from your Client dashboard menu it generates an output.
The output includes additional data so the system administrator can determine if the blocked item is actually a valid process and add the exception to the blocked process.
In the screen shot below, you can see an example of blocked data.
Getting process subject names Pass
C:\Users\test\Downloads\curl.exe
C:\Users\test\AppData\Local\Temp\psiphon-tunnel-core.exe
C:\Users\test\Downloads\psiphon3.exe
Psiphon Inc.
Psiphon Inc.
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdg eCP.exe
Microsoft
Corporation
In the output above there were 4 processes blocked.
• Curl.exe
is an application downloaded to perform a local test, and it is blocked because it is an application (a.k.a: process) running from a non ‐ privileged location.
Also, notice that it does not have a
Certificate Subject Name (CN) because this application is not digitally signed.
If you MUST allow this application then in EPRS you must specify the path c:\users\test\downloads\curl.exe
to the application.
• Psiphon ‐ tunnel ‐ core.exe
and Psiphon3.exe
are blocked because they are running from a non ‐ privileged location.
This application is digitally signed and hence has a CN=Psiphon Inc.
But this application is a proxy application and it helps to bypass Content Filtering solutions.
Do not add such applications if they are deemed rogue .
• C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
is a valid application and is blocked because it is invoked by psiphon3.exe.
Since CN=Microsoft Corporation is already in the allowed list, you do not have to do anything to allow it.
If you disconnect psiphon3.exe
then Edge browser starts working again.
An EPRS policy change is required to add either the CN or the path to an application for it to be allowed.
Login to
EPRS and select the policy that needs to allow the process.
This is available on the advanced tab as shown below.
SonicWall Content Filtering Client 3.1
Getting Started Guide
Enabling a Blocked Process
44
If the application is digitally signed then the diagnostics report of the CF Client shows the value of CN.
Add the
CN value under “Authorized Processes – Certificate Subject Name” on the advanced tab of the policy in EPRS.
If the application is NOT digitally signed then the diagnostics report of the CF Client shows the path (location) of the application.
Add the full path including the application name under “Authorized Processes – Process Name” on the advanced tab of the policy in EPRS.
NOTE: In earlier versions of the CF Client, you can find the path and CN by digging thru the logs in the filter.txt
file.
For digitally signed applications, you find the following log with attribute cn= <some value> .
For example:
07/15/16 08:47:57 AMFLT[15720:9844]Debugcfe_proc_cache::Find: EXE is trusted, sn='Cisco Systems,
Inc.'
Add the value of attribute cn= in the EPRS policy.
For applications that are not digitally signed, you find the following log contains the path to the application.
You can use wild card when you specify the path in EPRS policy.
07/15/16 07:44:40 PMFLT[2604:3716]Debugcfe_proc_cache::Find: EXE is not trusted
07/15/16 07:44:40 PMFLT[2604:3716]Debugcfe_proc_cache::Find: fell through ‐ not authorized
07/15/16 07:44:40 PMFLT[2604:3716]DebugProcess
'C:\Users\Ramesh\AppData\Local\CiscoSparkLauncher\2.0.2466.0_3719b98b
‐ b0f6 ‐ 46f4 ‐ ae41 ‐
3abedfbff45b\SparkWindows.exe' is not authorized
SonicWall Content Filtering Client 3.1
Getting Started Guide
Enabling a Blocked Process
45
For example, the path:
'C:\Users\Ramesh\AppData\Local\CiscoSparkLauncher\2.0.2466.0_3719b98b
‐ b0f6 ‐ 46f4 ‐ ae41 ‐
3abedfbff45b\SparkWindows.exe'
Can be specified in EPRS as:
'C:\Users\*\AppData\Local\CiscoSparkLauncher\*\SparkWindows.exe'
SonicWall Content Filtering Client 3.1
Getting Started Guide
Enabling a Blocked Process
46
C
SonicWall
Support
Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract and to customers who have trial versions.
The Support Portal provides self ‐ help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year.
To access the Support Portal, go to https://support.sonicwall.com
.
The Support Portal provides self ‐ help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year.
In addition, the Support Portal provides direct access to product support engineers through an online Service Request system.
The Support Portal enables you to:
• View knowledge base articles and technical documentation
• Download software
• View video tutorials
• Collaborate with peers and experts in user forums
• Get licensing assistance
• Access MySonicWall
• Learn about SonicWall professional services
• Register for training and certification
To contact SonicWall Support, refer to https://support.sonicwall.com/contact ‐ support .
To view the SonicWall End User Product Agreement (EUPA), see https://www.sonicwall.com/legal/eupa.aspx
.
Select the language based on your geographic location to see the EUPA that applies to your region.
SonicWall Content Filtering Client 3.1
Getting Started Guide
SonicWall Support
47
advertisement
Key Features
- Dynamic content filtering database
- Policy enforcement for user groups
- Windows, Mac OS, Chrome OS support
- Blocked page installation
- Integration with SonicWall network security appliance
- EPRS administration interface
- Centralized reporting