4.6.1.HTTP. Novell Security Manager Powered by Astaro


4.6.1. HTTP

Using the Security System

The HTTP menu allows you to configure the security system as an HTTP caching proxy. In addition to plain proxying, the proxy can cache content, which can improve performance considerably: the system keeps a local copy of frequently visited pages, so they do not have to be fetched across the Internet again.

Note:

WebAdmin should not be used through a proxy. Configure your browser so that connections to the security system’s IP address do not use a proxy server.

Disabling Proxy Use with Netscape Communicator:

1. In Netscape, open the Edit/Settings/Advanced/Proxies menu.

2. Under Manual Proxy Configuration, click Show.

3. In the No Proxy for this address field, enter the IP address of your security system.

4. Click OK to save your changes.


Disabling Proxy Use with Microsoft Internet Explorer:

1. In Internet Explorer, open the Extras/Internet Options menu.

2. Choose the Connections tab.

3. Open the LAN Settings/Advanced menu.

4. Under Exceptions, enter the IP address of your security system.

5. Click OK to save your settings.
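Both browser procedures above express the same rule: traffic to the security system goes direct, everything else goes to the proxy. A proxy auto-configuration (PAC) script can enforce that rule for every browser from one place. The following script is an added example, not from the manual; it assumes the security system is at 192.168.1.1 and that its HTTP proxy listens on port 8080 (the default port named later in this chapter). Only plain string tests are used so the function also runs outside a browser, where the PAC helper functions such as isPlainHostName are not available.

```javascript
// Added example, not from the manual.  Assumed values: the security system is
// 192.168.1.1 and the Standard-mode HTTP proxy listens on port 8080.
var SECURITY_SYSTEM_IP = "192.168.1.1";
var PROXY_PORT = 8080;

// Browsers call this function for every URL.  Returning "DIRECT" bypasses the
// proxy, which is what WebAdmin on the security system requires; everything
// else is sent to the HTTP proxy.  Host names are compared case-insensitively.
function FindProxyForURL(url, host) {
  var h = host.toLowerCase();

  // WebAdmin: never proxy connections to the security system itself.
  if (h === SECURITY_SYSTEM_IP) {
    return "DIRECT";
  }

  // Loopback and unqualified (intranet) host names gain nothing from the
  // proxy either; this rule is a common PAC convention, not a manual rule.
  if (h === "localhost" || h === "127.0.0.1" || h.indexOf(".") === -1) {
    return "DIRECT";
  }

  return "PROXY " + SECURITY_SYSTEM_IP + ":" + PROXY_PORT;
}
```

If the script returns "DIRECT" for the security system's address but WebAdmin still fails, check that the browser is actually loading the PAC file rather than a manually entered proxy, since manual settings take precedence in most browsers.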

The HTTP proxy controls web transactions using the HTTP protocol (usually TCP/IP port 80). Note that some web servers transmit some data, in particular streaming video and audio, over a port other than 80. The proxy does not see these requests when it is in Transparent mode: to support them, you must either use a different mode or enter an explicit rule in Packet Filter/Rules allowing them.

Example:

Source: a local network

Service: service with target address (the service must first be defined in the Definitions/Services menu)

Destination: IP address of the web server (or Any)

Action: Allow

HTTPS (TCP/IP Port 443) data is passed directly through the security system without processing.

Note:

To use the proxy in Standard mode, the client browser must be configured with the TCP/IP address of the security system and the proxy port configured in the Proxies/HTTP menu. In addition, the HTTP proxy service requires a valid name server (DNS). Without configuring the client browser, the proxy can only be used in Transparent mode.


Global Settings

Operation Modes:

Standard: In this mode, you must select all networks which should be allowed to use the HTTP proxy service. If a browser on a network that is not selected is configured to use the proxy, it will have no access to HTTP services.

If a browser on a network that is not selected is not configured to use the proxy, an appropriate packet filter rule can allow (un-proxied) access to HTTP services.

Example:

Source: IP address of a local client

Service: HTTP

Destination: IP address of the web server or Any

Action: Allow

To use the proxy, configure the client browser proxy settings to use the IP address of the security system and port 8080.

Transparent: In this mode, the system intercepts HTTP requests from the internal network, processes them automatically, and forwards them to the remote server. The client browser is entirely unaware of the proxy server. The advantage of this mode is that no additional administration or configuration is required on the client; the disadvantage is that only pure HTTP (port 80) requests can be forwarded.

All networks allowed to use the transparent proxy must be explicitly listed in the Allowed Networks menu. When Transparent mode is used, the client browser settings cannot be used to control proxy settings. Moreover, no data can be downloaded from an FTP server in this mode. HTTPS connections (SSL) must be permitted by a packet filter rule.

User Authentication: This mode offers the same functions as Standard mode. In addition, users may use the HTTP proxy only after they have authenticated.


Active Directory/NT Domain Membership: This mode is only available if you have selected the Active Directory/NT Domain Membership authentication method in the Settings/User Authentication menu.

If this operation mode is set, only those users who belong to a corresponding group (e.g. http_access) on the domain controller are allowed to access the HTTP proxy.

In this mode the Content Filter window also shows the Profile Order/Activation function.

To give a user Internet access, the user must be assigned to a specific profile in the Profiles table. If you have already defined the group in your Active Directory (AD), give the profile the same name as the group (e.g. http_access). That way you only need to define profiles for those user groups whose access to specific websites is to be restricted.

Configuring Surf Protection Profiles is described in the chapter on page 229.

Note:

Changes in Proxies become effective immediately, without further notice.

Enabling the HTTP Proxy:

1. In the Proxies tab, open the HTTP menu.

2. Enable the proxy by clicking the Enable button in the Global Settings window.

Another entry window will open.

3. In the Operation mode drop-down menu, select the mode to use.

Note again that some modes require client-side configuration.

The modes are described in the chapter "Operation Modes".


Having set the Standard or Transparent mode, continue with step .

4. If you have selected the User Authentication mode from the Operation mode drop-down menu, define the authentication method to use here in the User Authentication window.

Authentication Methods: Only those authentication methods that you have configured in the Settings/User Authentication menu are available here.

If you have configured the Local Users method, use the Allowed users selection menu to choose users allowed to use the proxy. Local users are defined in the Definitions/Users menu.

5. In the Log level drop-down menu, choose the appropriate level of logging.

Full: All relevant information is recorded.

Access Log only: The log only records access information, for example the URL accessed and the username/IP address of the client.

None: No information about the proxy use is recorded.

6. The Anonymity drop-down menu allows you to choose how much information about the client is passed on to the remote server in HTTP request headers.

Standard: The following headers are blocked: Accept-Encoding, From, Referer, Server, WWW-Authenticate and Link.

None: Client headers are not changed at all.

Paranoid: All headers except those listed below are blocked. Additionally, the User-Agent field is changed so that no information about the internal client is available.

Allow, Authorization, Cache-Control, Content-Encoding, Content-Length, Content-Type, Date, Expires, Host, If-Modified-Since, Last-Modified, Location, Pragma, Accept, Accept-Language, Content-Language, Mime-Version, Retry-After, Title, Connection, Proxy-Connection and User-Agent.


Note:

In Standard and Paranoid modes, the proxy blocks all cookies. If you wish to use cookies, select None.

7. Use the Allowed networks selection menu to select which networks should be allowed to use the proxy.

A description of how to use the selection field tool can be found in the chapter on page 31.

All settings take effect immediately and are saved when you leave this menu. The Allowed networks setting grants access to the HTTP proxy only; it does not open any other service to those networks.

See also the functions in the Advanced window.
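The Anonymity step above describes three filtering levels for outgoing request headers: None passes everything, Standard removes a short blocklist, and Paranoid keeps only an allowlist and rewrites User-Agent, with cookies dropped in both filtering levels. The code below is an added example, not the product's own implementation, that applies those rules to a constructed set of request headers so the effect of each level can be compared. The header lists are the ones the manual gives; the replacement User-Agent string and the sample headers are assumptions made for this example.

```javascript
// Added example, not the product's code: the three Anonymity levels applied to
// a request's headers.  Header names are compared case-insensitively.

// Standard: these headers are removed, everything else passes.  The on-the-wire
// spelling of the referrer header is "Referer".
const STANDARD_BLOCKED = new Set([
  "accept-encoding", "from", "referer", "server", "www-authenticate", "link",
]);

// Paranoid: only these headers pass; User-Agent is additionally replaced.
const PARANOID_ALLOWED = new Set([
  "allow", "authorization", "cache-control", "content-encoding", "content-length",
  "content-type", "date", "expires", "host", "if-modified-since", "last-modified",
  "location", "pragma", "accept", "accept-language", "content-language",
  "mime-version", "retry-after", "title", "connection", "proxy-connection",
  "user-agent",
]);

// Assumed generic value; the manual only says the field is changed.
const GENERIC_USER_AGENT = "Mozilla/4.0 (compatible)";

// headers: object keyed by header name (any case).
// level: "none" | "standard" | "paranoid".
// Returns a new object holding only the headers the proxy would forward.
function anonymizeHeaders(headers, level) {
  if (level !== "none" && level !== "standard" && level !== "paranoid") {
    throw new Error("unknown anonymity level: " + level);
  }
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (level === "none") {             // pass everything unchanged
      out[name] = value;
      continue;
    }
    if (key === "cookie") continue;     // Standard and Paranoid both drop cookies
    if (level === "standard") {
      if (!STANDARD_BLOCKED.has(key)) out[name] = value;
      continue;
    }
    // paranoid: allowlist only, and a generic User-Agent
    if (!PARANOID_ALLOWED.has(key)) continue;
    out[name] = key === "user-agent" ? GENERIC_USER_AGENT : value;
  }
  return out;
}

// Constructed sample request headers, including ones that leak internal details
// (an internal referrer, a cookie, a From address, an internal client address).
function sampleHeaders() {
  return {
    "Host": "www.example.com",
    "User-Agent": "Mozilla/5.0 (Windows NT 5.1) Gecko/20060101 Firefox/1.5",
    "Accept": "text/html",
    "Accept-Language": "en",
    "Accept-Encoding": "gzip",
    "Referer": "http://intranet.example.com/internal/report",
    "Cookie": "session=abc123",
    "From": "user@example.com",
    "X-Forwarded-For": "10.0.0.5",
  };
}
```

Running the sample through each level shows the practical difference: Standard still forwards the original User-Agent and the X-Forwarded-For header with the internal client address, because neither is on its blocklist, whereas Paranoid drops X-Forwarded-For and replaces User-Agent. Only Paranoid prevents an outside server from learning the internal address and browser version.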

Parent Proxy

The Parent Proxy function is required in countries where Internet access is only permitted through a state-controlled proxy, which applies to many countries in Africa and Asia. Once a parent proxy has been defined in this window, HTTP requests are first sent to that proxy's IP address.

Defining a Parent Proxy:

1. In the Proxies tab, open the HTTP menu.

2. Enable the function by clicking the Enable button in the Parent Proxy window.

An advanced entry window will open.

3. Define the Parent Proxy.


Host: Select the parent proxy server from the drop-down menu. Prior to this, the server must be defined in the Definitions/Networks menu.

Service: Select the service from the drop-down menu. Prior to this, the service must be defined in the Definitions/Services menu.

4. Save your settings by clicking on the Save button.

5. If authentication is required for the parent proxy, click on the Enable button.

Username: Enter the user name in the entry field.

Password: Enter the password in this entry field.

6. Save your settings by clicking on the Save button.

Advanced

Caching: This function buffers often-used websites in the HTTP proxy cache. It is enabled by default (status light shows green). Clicking on the Disable button disables this function.

Block CONNECT Method on HTTP Proxy: All HTTP CONNECT requests will be blocked by the HTTP proxy. Only the HTTP methods GET and PUT will be allowed through the proxy. This means that no HTTPS connections can be established through the proxy!

Each client request begins with the request method. The method defines the action to be performed on the requested resource. The current HTTP specification (HTTP/1.1) defines eight methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT. Only the GET and PUT methods are explained in this section.

The GET method is used to request a document or another resource. The resource is identified by the request URL.

There are two variants: conditional GET and partial GET. With a conditional GET, whether the data is transferred depends on certain conditions, which are given in conditional header fields such as If-Modified-Since, If-Unmodified-Since or If-Match. This considerably reduces network utilization, since only data that is actually needed is transferred. In practice, proxy servers use this mechanism to avoid transferring data they already hold in their cache a second time. A partial GET serves the same purpose: it uses the Range header field to request only those parts of the data that the client does not yet have. This technique is used to resume an interrupted transfer.

The PUT method allows existing resources to be modified and new data to be created on the server. In contrast to the POST method, the URL in a PUT request identifies the data sent with the request rather than the resource that will process it.

Clicking on the Enable button enables Block CONNECT Method (status light is green).
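The Block CONNECT Method option and the description of conditional and partial GET above both concern how the proxy decides what to do with a request before it touches the network. The following code is an added example, not the product's implementation: a method gate that refuses CONNECT when the option is set and refuses methods outside the eight listed, and a minimal handler that serves a cached resource the way a caching proxy does, returning 304 for a satisfied If-Modified-Since, 206 with Content-Range for a satisfiable Range, 416 for an unsatisfiable one, and 200 otherwise. The cache entry is constructed sample data; the body is ASCII so that string length equals byte length.

```javascript
// Added example, not the product's code.  Models the "Block CONNECT Method"
// gate and the conditional / partial GET logic of a caching proxy.

const KNOWN_METHODS = new Set([
  "OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT",
]);

// Returns true when the proxy should forward the request and false when it
// must refuse it.  With blockConnect set, CONNECT (used for HTTPS tunnels) is
// refused; methods outside the HTTP/1.1 list are always refused.
function methodAllowed(method, blockConnect) {
  if (!KNOWN_METHODS.has(method)) return false;
  if (blockConnect && method === "CONNECT") return false;
  return true;
}

// Constructed sample cache entry (not real data).  ASCII body, so the string
// length is the byte length.
const CACHED = {
  url: "http://www.example.com/report.txt",
  lastModified: "Sat, 01 Jan 2005 12:00:00 GMT",
  body: "0123456789abcdef",
};

// Serve a GET for a cached entry, honouring If-Modified-Since and Range.
// headers: object with lower-case header names.  Returns {status, headers, body}.
function serveGet(entry, headers) {
  const len = entry.body.length;

  // Conditional GET: if the client's copy is at least as new as ours, send
  // nothing but a 304.  A malformed date is ignored, as RFC 2616 requires.
  const ims = headers["if-modified-since"];
  if (ims !== undefined) {
    const since = Date.parse(ims);
    const modified = Date.parse(entry.lastModified);
    if (!Number.isNaN(since) && modified <= since) {
      return { status: 304, headers: { "last-modified": entry.lastModified }, body: "" };
    }
  }

  // Partial GET: a single byte range "bytes=start-end", "bytes=start-" or
  // the suffix form "bytes=-n" (last n bytes).  Anything else is ignored and
  // the whole resource is sent, which is what the specification allows.
  const range = headers["range"];
  if (range !== undefined) {
    const m = /^bytes=(\d*)-(\d*)$/.exec(range);
    if (m !== null && !(m[1] === "" && m[2] === "")) {
      let start, end;
      if (m[1] === "") {                       // suffix range
        start = Math.max(0, len - Number(m[2]));
        end = len - 1;
      } else {
        start = Number(m[1]);
        end = m[2] === "" ? len - 1 : Math.min(Number(m[2]), len - 1);
      }
      if (start >= len || start > end) {     // nothing satisfiable
        return { status: 416, headers: { "content-range": "bytes */" + len }, body: "" };
      }
      return {
        status: 206,
        headers: {
          "content-range": "bytes " + start + "-" + end + "/" + len,
          "last-modified": entry.lastModified,
        },
        body: entry.body.slice(start, end + 1),
      };
    }
  }

  return {
    status: 200,
    headers: { "content-length": String(len), "last-modified": entry.lastModified },
    body: entry.body,
  };
}
```

The ordering matters: the conditional check runs before the range check, so a client resuming a download whose cached copy is still current gets a 304 rather than a partial body. Real proxies also have to apply the same conditional logic upstream, revalidating their own cached copy with the origin server before answering from it.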

Allowed Target Services: Use the Allowed target services selection menu to choose the services (target ports) that the HTTP proxy is allowed to connect to. By default, the list already contains the services whose ports are considered safe to connect to.

TCP Port: Enter the TCP/IP-Port in the entry field. By default, this is set to the TCP/IP-Port 8080.

Clear HTTP Proxy Cache: The HTTP proxy cache stores a copy of often-visited pages locally, reducing load times. Clicking the Start button clears the cache; subsequent accesses are loaded from the remote Internet site again.
