8e6 Technologies R3000 User Manual

R3000 | Internet Filter®
USER GUIDE for Authentication
R3000IR Model: R3000
Release 2.2.10 • Manual Version 1.01

Summary of Contents for 8e6 Technologies R3000

  • Page 1 R3000 | Internet Filter ® USER GUIDE for Authentication R3000IR Model: R3000 Release 2.2.10 • Manual Version 1.01...
  • Page 2 8e6 Technologies, R3000 Internet Filter Authentication Guide
  • Page 3 8e6 Technologies shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein.
  • Page 5: Table Of Contents

    Minimum Filtering Level (p. 19); Filter Settings (p. 20); Filtering Rules (p. 21); Authentication Solutions (p. 24); R3000 Authentication Protocols (p. 24); R3000 Authentication Tiers and Options (p. 24); R3000 authentication tiers (p. 24)
  • Page 6 R3000 authentication options (p. 25); Authentication Solution Compatibility (p. 26); Authentication System Deployment Options (p. 27); Ports for Authentication System Access (p. 28); Configuring the R3000 for Authentication (p. 29); Configuration procedures (p. 29); System section (p. 29); Group section (p. 32); 2: N ........
  • Page 7 Add the LDAP domain (p. 95); Refresh the LDAP branch (p. 96); View, modify, enter LDAP domain details (p. 97); LDAP Server Type (p. 98); Group Objects (p. 99); User Objects (p. 101)
  • Page 8 ByPass URL frame (p. 143); Apply settings (p. 143); Create a Time Profile for the entity (p. 144); Add a Time Profile (p. 144); Remove an entity’s profile from the tree (p. 149)
  • Page 9 Step 1: Modify the 3-try login script (p. 191); Step 2: Modify the Global Group Profile (p. 192); Chapter 7: Technical Support (p. 194); Hours (p. 194); Contact Information (p. 194); Domestic (United States) (p. 194); International (p. 194)
  • Page 10 Tier 3: Session-based, Web Authentication (p. 212); 8e6 Authenticator (p. 213); Environment requirements (p. 214); Windows minimum system requirements (p. 214); Recommended system requirements (p. 214); Macintosh minimum system requirements (p. 215); Workstation requirements (p. 215)
  • Page 11 Work flow in a Windows environment (p. 229); Set up AD Agent (p. 230); Step 1: AD Agent settings on the R3000 (p. 230); Step 2: Configure the domain, service account (p. 232); Step 3: AD Agent installation on Windows server (p. 233); Step 3A: Download DCAgent.msi ........
  • Page 12 LDAP Group List Format and Rules (p. 285); LDAP Quota Format and Rules (p. 286); Appendix E: Override Pop-up Blockers (p. 287); Yahoo! Toolbar Pop-up Blocker (p. 288); If pop-up blocking is enabled (p. 288)
  • Page 13 Use the Information Bar (p. 296); Set up the Information Bar (p. 296); Access your override account (p. 296); Appendix F: Glossary (p. 298); Definitions (p. 298); Index (p. 305)
  • Page 14 Contents
  • Page 15: About This User Guide

    NOTE: Refer to the R3000IR Quick Start Guide for information on installing the R3000 on the network. This document also provides information on how to access the R3000 console to perform the initial installation setup defined in Chapter 2: Network Setup.
  • Page 16: How To Use This User Guide

    WARNING: The “warning” icon is followed by italicized text cautioning you about making entries in the application, executing certain processes or procedures, or the outcome of specified actions.
  • Page 17: Terminology

    • field - an area in a dialog box, window, or screen that either accommodates your data...
  • Page 18 This data can be reorganized in the R3000 console, by changing the order of the columns. • list box - an area in a dialog box, window, or screen that accommodates and/or displays entries of items that can be added or removed.
  • Page 19 • screen - a main object of an application that displays across your monitor. A screen can contain panels, windows, frames, fields, tables, text boxes, list boxes, icons, buttons, and radio buttons.
  • Page 20 By clicking the link for a topic, the window for that topic displays in the right panel of the screen, or a menu of sub-topics opens.
  • Page 21 Other types of windows include pop-up windows, login windows, or ones from the system such as the Save As or Choose file windows.
  • Page 22: Filtering Elements

    • LDAP domain groups NOTES: If authentication is enabled, the global administrator—who has all rights and permissions on the R3000 server—will see all branches of the tree: Global Group, IP, NT, and LDAP. If authentication is disabled, only the Global Group and IP branches will be seen.
  • Page 23: IP Groups

    IP members, override account and time profiles, and maintains filtering profiles of all members in the master IP group. Fig. 1-1 IP diagram with a sample master IP group and its members
  • Page 24: NT Domain Groups

    If users belong to more than one group, the global administrator sets the priority for group filtering. Fig. 1-2 NT domain diagram, with sample groups and members
  • Page 25: LDAP Domain Groups

    If users belong to more than one group, the global administrator sets the priority for group filtering. Fig. 1-3 LDAP domain diagram, with sample groups and members
  • Page 26: Filtering Profile Types

    Authentication filtering profiles • NT/LDAP group filtering profile - used by an NT or LDAP group. • NT/LDAP member filtering profile - used by an NT or LDAP group member.
  • Page 27 R3000 and the Radius authentication feature enabled. • TAR profile - used if a Threat Analysis Reporter (TAR) server is connected to the R3000 and an end user is locked out by TAR when attempting to access blocked content in a library category.
  • Page 28: Static Filtering Profiles

    IP sub-group and is customized for sub-group members. Individual IP Member Filtering Profile An individual IP member filtering profile is created by the group administrator. This filtering profile applies to a specified end user in a master IP group.
  • Page 29: Active Filtering Profiles

    URLs, or warn a user about accessing specified URLs, to redirect the user to another URL instead of the standard block page, to specify usage of appropriate filter options.
  • Page 30: LDAP Container Filtering Profile

    Strikes Blocking filter option enabled and he/she has received the maximum number of strikes for inappropriate Internet usage. NOTE: Refer to the R3000 User Guide for additional information on the Override Account Profile, Time Profile, and Lock Profile.
  • Page 31: Filtering Profile Components

    (default) filtering profile • filter settings - used by service ports, filtering profiles, rules, and the minimum filtering level to indicate whether users should be granted or denied access to specified Internet content
  • Page 32: Library Categories

    However, unlike 8e6 supplied categories, a custom category can be deleted. NOTE: 8e6 cannot provide updates to custom categories. Maintaining the list of URLs and keywords is the responsibility of the global or group administrator.
  • Page 33: Service Ports

    Service ports are used when setting up filter segments on the network (the range of IP addresses/netmasks to be detected by the R3000), the global (default) filtering profile, and the minimum filtering level. When setting up the range of IP addresses/netmasks to be detected, service ports can be set up to be open (ignored).
  • Page 34: Filter Settings

    • ignore - if the filter segment detected on the network has a service port set up to be ignored, that service port will be bypassed
  • Page 35: Filtering Rules

    5. For individual IP members: a. An individual IP member filtering profile takes precedence over the IP sub-group’s time profile. b. An individual IP member time profile takes precedence over the individual IP member profile.
  • Page 36 NOTE: An override account set up in the master IP group section of the R3000 console takes precedence over an override account set up in the global group section of the console.
  • Page 37 X Strikes Blocking feature. NOTE: A Threat Analysis Reporter (TAR) profile is another type of lock profile that is weighted the same as a lock profile in the precedence hierarchy. Fig. 1-4 Sample filtering hierarchy diagram
  • Page 38: Authentication Solutions

    The R3000 authentication architecture for NT and LDAP authentication protocols is comprised of three tiers. When using NT and/or LDAP authentication with the R3000, one of these three tiers is selected for use on the network, depending on the server(s) used on the network and the preferred authentication method(s) to be employed.
  • Page 39: R3000 Authentication Options

    R3000 authentication options Depending on the setup of your network, any of the following authentication options can be enabled to ensure the end user is authenticated when logging into his/her workstation: 8e6 Authenticator, Active Directory Agent, and Novell eDirectory Agent.
  • Page 40: Authentication Solution Compatibility

    Compatibility table covering Tier 1, Tier 2, Tier 3, Authenticator, eDirectory Agent, and Active Directory Agent. KEY: • N/A = Not Applicable • N/R = Not Recommended
  • Page 41: Authentication System Deployment Options

    Windows 2000/2003 Server 8e6 Authenticator for Windows Tier 2 or Tier 3 and Novell eDirectory Mixed Novell eDirectory Agent environment AD Agent Open Directory 8e6 Authenticator for Apple Tier 2 or Tier 3
  • Page 42: Ports For Authentication System Access

    Used between the R3000’s transmitting interface and the SSL block page for Tier 2 or Tier 3 authentication. Used between the R3000’s Virtual IP address and Java applet for Tier 3 authentication. Used between the R3000 and workstations requiring Tier 1 or Tier 3 authentication.
  • Page 43: Configuring The R3000 For Authentication

    System and Group windows in the Administrator console. NOTES: If the network has more than one domain, the first you add should be the domain on which the R3000 resides. The entries described in this section represent entries to be made on a typical network.
  • Page 44 If you wish to use the tier you specified as a fallback authentication solution, you have the option to enable any of the following authentication solutions as appropriate to your environment: 8e6 Authenticator, Active Directory Agent, Novell eDirectory Agent.
  • Page 45 Options page, accessible from the standard block page. If the “Re-authentication” (NET USE) option is selected, enter the login script path to be used by the R3000 for re-authentication purposes.
  • Page 46: Group Section

    R3000. NOTE: If the network has more than one domain, the first one you add should be the domain on which the R3000 resides. 2. Do either of the following as necessary: • Assign a group administrator to oversee the newly-...
  • Page 47: Chapter 2: Network Setup

    Firefox 3.0 • JavaScript enabled • Java Virtual Machine • Java Plug-in (use the version specified for the R3000 software version) • Java Runtime Environment, if using Tier 3 authentication NOTE: R3000 administrators must be set up with software installation privileges in order to install Java used for accessing the interface.
  • Page 48: End User

    • Java Runtime Environment, if using Tier 3 authentication • Pop-up blocking software, if installed, must be disabled Network Requirements • High speed connection from the R3000 server to the client workstations • HTTPS connection to 8e6’s software update server •...
  • Page 49: Set Up The Network For Authentication

    (for troubleshooting authentication setup), and Block Page Authentication. Entries for customizing the block page and/or authentication request form are made in the Common Customization, Authentication Form Customization, and Block Page Customization windows.
  • Page 50: Specify The Operation Mode

    1. In the Mode frame, select the mode to be used: “Invisible”, “Router”, or “Firewall”. 2. In the Listening Device frame, set the Device to “LAN1”.
  • Page 51 • “Send Block Page via ARP Table” - this option uses the Address Resolution Protocol method to find the best possible destination MAC address of a specified host, usually the R3000 gateway. • “Send Block to Specified Host MAC Address” - using this preferred method, the block page will always be sent to the MAC address of a specified host, usually the R3000 gateway.
  • Page 52: Specify The Subnet Mask, Ip Address(Es)

    NOTE: If the gateway IP address on the network changes, be sure to update the Gateway IP address in this window. Invisible mode For the LAN1 IP address, select 255.255.255.255 for the subnet mask, and click Apply.
  • Page 53: Router Or Firewall Mode

    IP address of the default router to be used for the entire network segment. 2. Click Apply to apply your settings. NOTE: Whenever modifications are made in this window, the server must be restarted in order for the changes to take effect.
  • Page 54: Enable Authentication, Specify Criteria

    See Appendix A: Authentication Operations for more information about each tier and for configuring various authentication options.
  • Page 55 Active Directory Agent option can be used for capturing end user logon and logoff events and sending a session table to the R3000 so end users receive the correct filtering profile. To use this feature, turn “On” the AD Agent, and then specify settings for administrator computers authorized to configure the AD Agent via the Active Directory Agent console.
  • Page 56: Net Use Based Authentication

    In the Inactive session lifetime (in minutes) field, enter the number of minutes the end user’s session will be kept alive. 3. Click Apply to open the alert box that confirms your selection.
  • Page 57: Web-Based Authentication

    5000 users, slowness may be experienced during the authentication process. In this scenario, 8e6 recommends using an R3000 Filter with an SSL accelerator card installed. Please contact 8e6 for more information. Tier 2: Use time-based profiles, with time-out (in minutes) –...
  • Page 58 Runtime Environment (JRE) on end-users' PCs. In some cases, a JRE will need to be downloaded and installed on workstations and the R3000 will allow the JRE download at the time of login. However, some operating systems may require this action to be performed manually.
  • Page 59 “8e6 automatically distributes JRE during user login” or the default selection, “Administrator manually distributes JRE to user workstations”. 4. Click Continue to open the alert box that confirms your selection.
  • Page 60: Enter Network Settings For Authentication

    2. In the IP Address of WINS Server field, if using a WINS server for name resolution, enter the IP address of each Windows DNS server to be filtered by this R3000, with a space between each IP address.
  • Page 61 IP address that from now on will be used for communicating authentication information between the R3000 and the PDC. This must be an IP address that is not being used, on the same segment of the network as the R3000.
  • Page 62: Create An Ssl Certificate

    R3000 server. Using this feature, a Secured Sockets Layer (SSL) self-signed certificate is created and placed on client machines so that the R3000 will be recognized as a valid server with which they can communicate. Click Authentication and select Authentication SSL Certifi-...
  • Page 63: Create, Download A Self-Signed Certificate

    Authentication Request Form, when prompted by the Security Alert warning message to add the certificate to the trusted certificate store.
  • Page 64: Create, Upload A Third Party Certificate

    1. Click the Third Party Certificate tab: Fig. 2-9 Third Party Certificate tab NOTE: If a third party certificate has not yet been created, the Create CSR button is the only button activated on this tab.
  • Page 65 9. Click Create to generate the Certificate Signing Request. NOTE: Once the third party certificate has been created, the Create CSR button displays greyed-out and the Download/View CSR, Upload Certificate, Delete CSR buttons are now activated.
  • Page 66: Upload A Third Party Certificate

    Browse to open the Choose file window. 3. Select the file to be uploaded. 4. Click Upload File to upload this file to the R3000. 5. Click OK in the Message dialog box to confirm the upload and to close the dialog box.
  • Page 67: Download A Third Party Certificate

    Fig. 2-12 Download CSR pop-up window 2. Click the “X” in the upper right corner of the window to close it. TIP: Click Delete CSR to remove the certificate from the server.
  • Page 68: View Log Results

    View Log File window: Fig. 2-13 View Log File window NOTE: In this user guide, only authentication-related options will be addressed. For information about all other options, see the View Log File window in the R3000 User Guide.
  • Page 69 • “Authentication Module Log (authmodule.log)” - used for viewing information about SEVERE error messages pertaining to LDAP authentication connection attempts. 3. Choose the Last Number of Lines to view (100-500) from that file.
  • Page 70 4. Click View to display results in the Result pop-up window: Fig. 2-14 View Log File Result pop-up window 5. Click the “X” in the upper right corner of the pop-up window to close it.
  • Page 71: Specify Block Page Settings

    Specify block page settings Click Control and select Block Page Authentication from the pop-up menu to display the Block Page Authentication window: Fig. 2-15 Block Page Authentication window
  • Page 72: Block Page Authentication

    TIP: Multiple options can be selected by clicking each option while pressing the Ctrl key on your keyboard. NOTE: See the R3000 User Guide for information about the Override Account feature. 2. If the “Re-authentication” option was selected, in the Logon Script Path field, \\PDCSHARE\scripts displays by default.
  • Page 73: Block Page

    NOTES: See Block Page Customization for information on adding free form text and a hyperlink at the top of the block page. See Appendix C: Create a Custom Block Page from the R3000 User Guide for information on creating a customized block page using your own design.
  • Page 74: User/Machine Frame

    • HELP - Clicking this link takes the user to 8e6’s Technical Support page that explains why access to the site or service may have been denied. • 8e6 Technologies - Clicking this link takes the user to 8e6’s Web site.
  • Page 75: Optional Links

    In the composition window, the email address from the Submission Email Address field populates the “To” field. The user’s message is submitted to the global administrator.
  • Page 76: Options Page

    • BACK and HELP links • User/Machine frame contents The frame beneath the User/Machine frame includes information for options (1, 2, and/or 3) based on settings made in the Block Page Authentication window.
  • Page 77: Option 1

    When the user clicks the link, the Authentication Request Form opens: Fig. 2-18 Authentication Request Form NOTE: See Authentication Form Customization for information on adding free form text and a hyperlink at the top of the Authentication Request Form.
  • Page 78: Option 2

    Logon Script Path field. When the user clicks this link, a window opens: Fig. 2-19 Re-authentication option The user should click the logon.bat icon to run a script that will re-authenticate his/her profile on the network.
  • Page 79: Option 3

    NOTES: See Appendix E: Override Pop-up Blockers for information on how a user with an override account can authenticate if a pop-up blocker is installed on his/her workstation. See the R3000 User Guide for information about the Override Account feature.
  • Page 80: Common Customization

    HTML pages, the Help link points to the FAQs page on 8e6's public site that explains why access was denied, and a sample email address is included for administrator contact information. These details can be modified, as necessary.
  • Page 81: Enable, Disable Features

    • Blocked URL Display - if enabled, displays “Blocked URL” followed by the blocked URL in block pages • Copyright Display - if enabled, displays 8e6 R3000 copyright information at the footer of block pages and the authentication request form •...
  • Page 82 Enter the global administrator's email address. 2. Click Apply to save your entries. TIP: Click Restore Default and then Apply to revert to the default settings.
  • Page 83: Authentication Form Customization

    TIP: An entry in any of the fields in this window is optional, but if an entry is made in the Link Text field, a corresponding entry must also be made in the Link URL field.
  • Page 84 Any entries made in these fields will display centered in the Authentication Request Form, using the Arial font type. 2. Click Apply. TIP: Click Restore Default and then Apply to revert to the default text in this window.
  • Page 85: Preview Sample Authentication Request Form

    • Password field - The user’s IP address displays. • Domain field - All LDAP domain names set up on the R3000 display in the pull-down menu. • Alias field (optional) - All alias names associated with the LDAP domain specified in the field above display in the pull-down menu, if the account names were entered for that LDAP domain.
  • Page 86 Support page that explains why access to the site or service may have been denied. • 8e6 Technologies - Clicking this link takes the user to 8e6’s Web site. 2. Click the “X” in the upper right corner of the window to close the sample Authentication Request Form.
  • Page 87: Block Page Customization

    Fig. 2-23 Block Page Customization window NOTE: See Appendix C: Create a Custom Block Page from the R3000 User Guide for information on creating a customized block page using your own design. TIP: An entry in any of the fields in this window is optional, but if an entry is made in the Link Text field, a corresponding entry must also be made in the Link URL field.
  • Page 88 Any entries made in these fields will display centered in the customized block page, using the Arial font type. 2. Click Apply. TIP: Click Restore Default and then Apply to revert to the default text in this window.
  • Page 89: Preview Sample Block Page

    Exception URL, “Exception” displays instead of the library category name. • Blocked URL field - The URL the user attempted to access displays.
  • Page 90 Support page that explains why access to the site or service may have been denied. • 8e6 Technologies - Clicking this link takes the user to 8e6’s Web site. By default, these links are included in the block page under the following conditions: •...
  • Page 91: Set Up Group Administrator Accounts

    Group tree when new IP groups are created. See Chapter 2: Group screen from the Global Administrator Section of the R3000 User Guide for information on creating IP groups. Add Sub Admins to manage groups, users Click Administrator to display the Administrator window: Fig.
  • Page 92: Add A Group Administrator Account

    The password is case sensitive. 3. Enter the same new password again in the Confirm Password field. 4. Click Modify to apply your settings.
  • Page 93: Delete A Group Administrator Account

    NT/LDAP entity and another group administrator set up for assignment to manage that entity. See Chapter 5: Assign/Set up Groups, Members for information on assigning and re-assigning an entity for management.
  • Page 94: Chapter 3: NT Authentication Setup

    Fig. 3-1 Create Domain Controller 2. In the Domain Name field, enter the name of the domain on which the R3000 resides, using capital letters. NOTES: The Domain Name must be the same name entered in the Authentication Settings window’s Name of Domain field.
  • Page 95: Refresh The NT Branch

    7. Click Apply to add the domain to the tree. Refresh the NT branch Click NT in the navigation panel to open the pop-up menu, and select Refresh whenever changes have been made in this branch of the tree.
  • Page 96: View Or Modify NT Domain Details

    Domain Details window: Fig. 3-2 NT Domain Details window, Settings tab NOTE: To enter profile information for NT groups and users once domain settings are established, see Set up NT Domain Groups, Members.
  • Page 97 Password. Whenever criteria on this tab is modified: a. The password from the Password field must be entered in the Confirm Password field for verification. b. Click Modify to apply your settings.
  • Page 98: Default Rule

    NT domain without a filtering profile established. If “Custom URL” is selected, a URL must be entered in the corresponding text box.
  • Page 99: Delete An NT Domain

    Whenever criteria on this tab is modified, click Modify to apply your settings. Delete an NT domain To delete a domain profile, choose Delete from the NT domain menu. This action removes the domain from the tree.
  • Page 100: Set Up NT Domain Groups, Members

    Before you can create filtering profiles for groups and/or members in a domain, you must first add the groups and/or members to the tree list for that domain. Fig. 3-4 Select Groups/Members from Domain window
  • Page 101 NOTE: See Add or maintain an entity’s profile under Create and Maintain Filtering Profiles in Chapter 5 for information on defining the filtering profile for the group.
  • Page 102: Specify A Group's Filtering Profile Priority

    Filtering Level window. If you have just established the minimum filtering level, filter settings will not be effective until the group member/user logs off and back on the server. Refer to the R3000 User Guide for more information on the minimum filtering level.
  • Page 103 Domain window. An entry for the Group Priority list is added to the end of the list when the group profile for that group is added to the R3000, and is removed automatically when you delete the profile. 2. To change the filtering priority of groups: a.
  • Page 104: Manually Add A User's Name To The Tree

    3. Click OK to add the username to the domain’s section of the tree. NOTE: See Add or maintain an entity’s profile under Create and Maintain Filtering Profiles in Chapter 5 for information on defining the filtering profile for the user.
  • Page 105: Manually Add A Group's Name To The Tree

    3. Click OK to add the group name to the domain’s section of the tree. NOTE: See Add or maintain an entity’s profile under Create and Maintain Filtering Profiles in Chapter 5 for information on defining the filtering profile for the group.
  • Page 106: Upload A File Of Filtering Profiles To The Tree

    This window is used for uploading a file to the tree with user or group names and their associated filtering profiles. 2. Click Upload to open the Upload Member Profile File pop-up window:
  • Page 107 URLs in that category. NOTE: See Appendix D: User/Group File Format and Rules for examples of valid filtering profile formats to use when creating a list of profiles to be uploaded to the server.
  • Page 108 If you have just established the minimum filtering level, filter settings will not be effective until the user logs off and back on the server. Refer to the R3000 User Guide for more information on the minimum filtering level.
  • Page 109: Hapter 4: Ldap Authentication Etup

    NOTE: The alphanumeric LDAP domain name must be at least two characters but less than 64 characters in length, and can contain a hyphen (-) and underscore (_), though the hyphen cannot be the first or last character of the name. , R3000 I ECHNOLOGIES NTERNET ILTER...
  • Page 110: Refresh The Ldap Branch

    View, modify, enter LDAP domain details). Refresh the LDAP branch Click LDAP in the navigation panel to open the pop-up menu, and select Refresh whenever changes have been made in this branch of the tree. , R3000 I ECHNOLOGIES NTERNET ILTER UTHENTICATION...
  • Page 111: View, Modify, Enter Ldap Domain Details

    LDAP domain, preparing the LDAP domain for group and user filtering profile setup. After all entries are made on the wizard tabs, the domain can be activated. , R3000 I ECHNOLOGIES NTERNET ILTER...
  • Page 112: Ldap Server Type

    LDAP Server Type Based on the entries made when creating the LDAP domain, the R3000 will attempt to auto-detect the type of server being used, and if successfully detected, the appropriate LDAP Server Type radio button will be pre-selected on the Type tab.
  • Page 113: Group Objects

    Next button at the bottom of the window, until you reach the Address tab. Group Objects The Group tab is used for including or excluding group objects in the LDAP domain. Fig. 4-3 Domain Details window, Group tab
  • Page 114 3. If any modifications were made on this tab, click Save. 4. Click Next to go to the User tab.
  • Page 115: User Objects

    Include or Exclude button. • A user object name can be edited by selecting the user object from the appropriate list box, editing the name in the field, and then clicking the Edit button.
  • Page 116: Address Info

    2. If any modifications were made on this tab, click Save. 3. Click Next to go to the Address tab. Address Info The LDAP domain address information populates the Address tab: Fig. 4-5 Domain Details window, Address tab
  • Page 117 SSL certificate that will be uploaded to the server. • If necessary, the NETBIOS Domain Name can be entered. • By default, 636 displays in the Server LDAPS Port field.
  • Page 118 If this field is not populated, enter the LDAP query base. 2. If any modifications were made on this tab, click Save. 3. Click Next to go to the Account tab.
  • Page 119: Account Info

    • If you know the authorized user's full LDAP Distinguished Name, enter it in the LDAP Account Name field. For example, enter the entire string in a format such as:
  • Page 120 NOTE: Once the Distinguished Name and password are successfully saved on this tab, the Distinguished Name Auto Discovery frame will no longer display at the bottom of this tab.
  • Page 121: Ssl Settings

    Sun ONE server’s SSL certificate, or how to export an Active Directory or Novell server’s SSL certificate to your desktop and then upload it to the R3000. 1. If applicable, click in the “Enable Secure LDAP over SSL”...
  • Page 122 Certificate for LDAPS pop-up window: Fig. 4-9 Upload SSL Certificate for LDAPS b. Click Browse to open the Choose file window and select the R3000 server’s SSL certificate. c. Click Upload File to upload the SSL certificate to the R3000 server.
  • Page 123: Alias List

    Fig. 4-10 Domain Details window, Alias List tab However, if there are many alias names to be loaded, the tab initially displays without any data and the Search in Progress box opens: Fig. 4-11 Search in Progress box
  • Page 124 Enable/Disable All button. This button lets you toggle between these two operations. 2. If any modifications were made on this tab, click Save. 3. Click Next to go to the Default Rule tab.
  • Page 125: Default Rule

    “Default Block Page”, or “Custom URL”. If Custom URL is selected, enter the redirect URL in the text box.
  • Page 126 Activate must be clicked again to re-activate the domain. NOTE: To enter profile information for LDAP groups and users, see Create and Maintain Filtering Profiles in Chapter 5.
  • Page 127: Ldap Backup Server Configuration

    NOTES: If your LDAP server’s name is not a resolvable, fully qualified DNS name, you may be able to enter the domain name. Be sure the Server DNS Name exactly matches the name on the SSL certificate that will be uploaded to the server.
  • Page 128 • LDAP Query Base - root of the LDAP database to query using the LDAP Syntax, e.g. DC=domain,DC=com or o=server-org. TIP: The entry in this field is case sensitive. 3. Click Save. 4. Click Next to go to the Account tab:
  • Page 129 • If you know the authorized user's full LDAP Distinguished Name: a. Enter the authorized user's full LDAP Distinguished Name in the LDAP Account Name field. For example: cn=Administrator,cn=Users,dc=qc2domain,dc=local cn=admin,o=logo-org
  • Page 130 Distinguished Name Auto Discovery frame will no longer display at the bottom of this tab. 6. Click Save to save your entries. 7. Click Next to go to the SSL tab:
  • Page 131 Fig. 4-15 Backup Server Configuration, SSL Settings SSL settings should be made if your network requires a secure connection from the R3000 to the LDAP server. NOTE: See Appendix B: Obtain, Export an SSL Certificate for information on how to export a server’s SSL certificate to your desktop and then upload it to the R3000.
  • Page 132: Modify A Backup Server's Configuration

    • Click the Upload button to open the Upload SSL Certificate for LDAPS pop-up window (see Fig. 4- • Click Browse to open the Choose file window and select the R3000 server’s SSL certificate. • Click Upload File to upload the SSL certificate to the R3000 server.
  • Page 133: Delete A Domain

    Delete a domain To delete a domain profile, choose Delete from the LDAP domain menu. This action removes the domain from the tree.
  • Page 134: Set Up Ldap Domain Groups, Members

    Fig. 4-16 LDAP User/Group/Container Browser window Select the LDAP domain, and choose Select Group/Member from Domain from the pop-up menu to display the...
  • Page 135: Perform A Basic Search

    5. Click Search to display rows of results in the grid below. The following information is included for each entity: Type (USR, GRP, CTR), Name (as entered on the LDAP server), DN string, Profile (Rule number, if assigned), View button, and Mark checkbox.
  • Page 136: Options For Search Results

    1. Go to the Mark column and click the checkbox for that entity. 2. Select a filtering rule from the drop-down menu. 3. Click Add Rule to display the selected Rule number in the Profile column.
  • Page 137: Delete A Rule

    To delete a rule from a profile, the entity must currently display in the grid and have a rule assigned to the profile. 1. Click the Mark checkbox for the entity. 2. Click Delete Rule to remove the entity’s profile from the tree.
  • Page 138: Specify A Group's Filtering Profile Priority

    Domain window. An entry for the Group Priority list is added to the end of the list when the group profile for that group is added to the R3000, and is removed automatically when you delete the profile. 2. To change the order of groups in the list:...
  • Page 139: Manually Add A User's Name To The Tree

    3. Click OK to add the username to the domain’s section of the tree. NOTE: See Add or maintain an entity’s profile under Create and Maintain Filtering Profiles in Chapter 5 for information on defining the filtering profile for the user.
  • Page 140: Manually Add A Group's Name To The Tree

    3. Click OK to add the group name to the domain’s section of the tree. NOTE: See Add or maintain the entity’s profile under Create and Maintain Filtering Profiles in Chapter 5 for information on defining the filtering profile for the group.
  • Page 141: Upload A File Of Filtering Profiles To The Tree

    This window is used for uploading a file to the tree with user or group names and their associated filtering profiles. 2. Click Upload to open the Upload Member Profile File pop-up window:
  • Page 142 URLs in that category. NOTE: See Appendix D: User/Group File Format and Rules for examples of valid filtering profile formats to use when creating a list of profiles to be uploaded to the server.
  • Page 143 Upload Successful pop-up window informs you to click Reload in order for these changes to be effective. 6. Click Reload. 7. Go to the LDAP branch of the tree, and choose Refresh from the LDAP group menu.
  • Page 144: Chapter 5: Assign /Set Up Groups , Members

    Assignable status. If the node has already been assigned to a group manager, the username for the Assigned User displays. 2. From the Assign to user field, choose from the list of available Sub Admins:
  • Page 145 Fig. 5-1 Assign Access window 3. To preview the access view for the proposed Sub Admin, click Preview Assign to open the Assign Access View pop-up window: Fig. 5-2 Assign Access View window
  • Page 146 Sub Admin, click the Unassigned Access checkbox again to remove the check mark from the checkbox. A different Sub Admin can now be selected from the Assign to user pull-down menu.
  • Page 147: Create And Maintain Filtering Profiles

    Domain Groups, Members for information on setting up groups in an NT or LDAP domain. NOTE: To eliminate the redundancy of like-images in this sub-section, LDAP images are used and NT images are not included.
  • Page 148: Add A Group Member To The Tree List

    Group name, Full Name (Distinguished Name) of the group if this is an LDAP domain, Domain name, and Domain Type. Members that belong to the group display in the Members list box in the Add Member to Profile frame.
  • Page 149: Add Or Maintain An Entity's Profile

    (NT group or LDAP static or dynamic group, user member, or LDAP container). Entries made in the Category, Redirect URL, and Filter Options tabs comprise the profile string for the entity.
  • Page 150: Category Profile

    The minimum filtering level is set up in the Minimum Filtering Level window, accessible from the Global Group options. See the R3000 User Guide for more information about these windows. By default, “Rule0 Minimum Filtering Level” displays in the Available Filter Levels pull-down menu, and the Minimum Filtering Level box displays “Child Pornography”...
  • Page 151 URL that has not yet been categorized: “Pass”, “Warn”, or “Block”. 4. To use the quota feature to restrict the end user’s access to a passed library group/category, do the following:
  • Page 152 NOTE: See the Quota Settings window in Chapter 1: System screen of the R3000 User Guide for more information on configuring quota settings and resetting quotas for end users currently blocked by quotas.
  • Page 153: Redirect Url

    If “Custom URL” is selected, enter the redirect URL in the corresponding text box. Users will be redirected to the designated page at this URL instead of the block page. 2. Click Apply to apply your settings.
  • Page 154: Filter Options

    “Google/Yahoo!/Ask.com/AOL Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL Keyword Filter Control”, and “Extend URL Keyword Filter Control”. NOTE: See the R3000 User Guide for information about Filter Options. 2. Click Apply to apply your settings.
  • Page 155: Add An Exception Url To The Profile

    NOTE: Settings in this window work in conjunction with those made in the Minimum Filtering Level window maintained by the global administrator. See the R3000 User Guide for information on configuring and using the minimum filtering level.
  • Page 156: Url Entries

    (.) and then the URL, such as: *.coors.com TIP: The minimum number of levels that can be entered for a wildcard entry is three (e.g. *.yahoo.com) and the maximum number of levels is six (e.g. *.mail.attachments.message.yahoo.com).
  • Page 157: Block Url Frame

    To block the entity’s access to the URL again: 1. Select the URL from the ByPass URLs list box. 2. Click Remove. Apply settings Click Apply to apply your settings after adding or removing a URL.
  • Page 158: Create A Time Profile For The Entity

    Description of any time profiles previously set up for the entity that are currently active. Add a Time Profile To create a time profile: 1. Click Add to open the Adding Time Profile pop-up box:
  • Page 159 Time Profile pop-up window that displays the name of this profile at the top of the Time Profile frame: Fig. 5-11 Time Profile window Recurrence tab 4. In the Recurrence duration time frame, specify Start and End time range criteria:
  • Page 160 • Daily - If this selection is made, enter the interval for the number of days this time profile will be used. By default, “1” displays, indicating this profile will be used each day during the specified time period.
  • Page 161 Monday (May 5th in this example). • Yearly - If this selection is made, the year(s), month, and day for this time profile’s interval must be specified:
  • Page 162 Exception) and specify criteria to complete the time profile. (See Category Profile, Redirect URL, Filter Options, and Exception URL in this sub-section for information on the Rule, Redirect, Filter Options, and Exception tabs.)
  • Page 163: Remove An Entity's Profile From The Tree

    View/Modify to make any necessary corrections. Remove an entity’s profile from the tree To remove a group, container, or user member’s profile from the tree, select the profile in order to open the pop-up menu, and choose Remove.
  • Page 164: Test Authentication Settings

    Internet content. This form allows the user to authenticate him/herself in order to access Web content permitted by his/her filtering profile. Fig. 6-1 Authentication Request Form
  • Page 165 Internet. See Usage Graphs from the Reporting screen section of the R3000 User Guide for more information about this reporting tool.
  • Page 166: Test Web-Based Authentication Settings

    Fig. 6-2 Create New Group box 3. Enter test as the Group Name. 4. Enter the password in the Password and Confirm Password fields. 5. Click OK to add the group to the tree.
  • Page 167: Step 2: Create A Sub-Group, "Workstation

    2. Click Add Sub Group in the pop-up menu to open the Create Sub Group dialog box: Fig. 6-3 Create Sub Group box 3. Enter workstation as the Group Name. 4. Click OK to add the Sub-Group to the IP Group.
  • Page 168: Step 3: Set Up "Test" With A 32-Bit Net Mask

    3. Click the radio button corresponding to “Source IP”. 4. Enter the Source IP address of the workstation, and select 255.255.255.255 as the subnet mask. 5. Click Add to include the IP address in the Current Members list box.
  • Page 169: Step 4: Give "Workstation" A 32-Bit Net Mask

    3. Click the radio button corresponding to “Member IP”. 4. In the Member IP fields, enter the IP address of the workstation, and select 255.255.255.255 as the subnet mask. 5. Click Modify.
  • Page 170: Step 5: Block Everything For The Sub-Group

    Shift key on your keyboard while clicking the last category group, and then clicking in the Block column. 4. For Uncategorized Sites, select “Block”. 5. Click Apply.
  • Page 171: Step 6: Use Authentication Request Page For Redirect Url

    Fig. 6-7 Sub Group Profile window, Redirect URL tab 2. Select “Authentication Request Form”. NOTE: The host name of the R3000 will be used in the redirect URL of the Authentication Request Form, not the IP address. Be sure a forward/reverse DNS entry for the R3000 is made on the DNS server.
  • Page 172: Step 7: Disable Filter Options

    Fig. 6-8 Sub Group Profile window, Filter Options tab 2. Uncheck all the checkboxes: “X Strikes Blocking”, “Google/Yahoo!/Ask.com/AOL Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL Keyword Filter Control”, and “Extend URL Keyword Filter Control”. 3. Click Apply.
  • Page 173: Step 8: Attempt To Access Web Content

    2. Enter a URL in the Address field of the browser window. NOTE: The URL should be one that begins with “http”—not “https”. 3. After clicking Go, the Authentication Request Form should open:
  • Page 174 5. Click Log In to authenticate or re-authenticate yourself on the network. The test process has been completed successfully if you are now able to access the content for the URL you entered at step 2 in this section.
  • Page 175: Test Net Use Based Authentication Settings

    1. From the test workstation, go to the NET USE command line and enter the NET USE command using the following format: NET USE \\virtualip\R3000$ For example: NET USE \\192.168.0.20\R3000$ The entry you make should initiate a connection with Tier...
  • Page 176: Activate Authentication On The Network

    • If Tier 1 net use based authentication will be used: Go to the Activate net use based authentication sub-section for instructions on testing the login script and modifying the Global Group Profile for authenticating users.
  • Page 177: Activate Web-Based Authentication For An Ip Group

    Fig. 6-11 Create New Group box 3. Enter webauth as the Group Name. 4. Enter the password in the Password and Confirm Password fields. 5. Click OK to add the group to the tree.
  • Page 178: Step 2: Set "Webauth" To Cover Users In Range

    4. Enter the Source IP address of the workstation and specify the subnet mask for the range of user IP addresses of users to be authenticated. 5. Click Add to include the IP address range in the Current Members list box.
  • Page 179: Step 3: Create An Ip Sub-Group

    3. Enter the Group Name of your choice. 4. Click OK to add the Sub-Group to the IP Group. 5. Select the IP Sub-Group from the tree. 6. Click Members in the pop-up menu to display the Members window:
  • Page 180 7. Click the radio button corresponding to “Member IP”. 8. In the Member IP fields, enter the IP address range for members of the Sub-Group, and specify the subnet mask. 9. Click Modify.
  • Page 181: Step 4: Block Everything For The Sub-Group

    Shift key on your keyboard while clicking the last category group, and then clicking in the Block column. 4. For Uncategorized Sites, select “Block”. 5. Click Apply.
  • Page 182: Step 5: Use Authentication Request Page For Redirect Url

    Authentication Request Form if he/she attempts to access content on the Internet. After filling out this form and being authenticated, the user will be able to access Internet content based on his/her filtering profile.
  • Page 183: Step 6: Disable Filter Options

    Fig. 6-17 Sub Group Profile window, Filter Options tab 2. Uncheck all the checkboxes: “X Strikes Blocking”, “Google/Yahoo!/Ask.com/AOL Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL Keyword Filter Control”, and “Extend URL Keyword Filter Control”. 3. Click Apply.
  • Page 184: Step 7: Set Global Group To Filter Unknown Traffic

    Click Apply. 3. Click the Port tab to display the Port page:
  • Page 185 In the Port page, enter the Port number to be blocked. b. Click Add to include the port number in the Block Port(s) list box. c. After entering all port numbers to be blocked, click Apply.
  • Page 186 4. Click the Default Redirect URL tab to display the Default Redirect URL page: Fig. 6-20 Global Group Profile window, Default Redirect URL tab a. Select “Default Block Page”. b. Click Apply.
  • Page 187 5. Click the Filter Options tab to display the Filter Options page: Fig. 6-21 Global Group Profile window, Filter Options tab a. Select filter options to be enabled. b. Click Apply.
  • Page 188 As a result of these entries, the standard block page will display—instead of the Authentication Request Form— when any user in this Sub-Group is blocked from accessing Internet content. Fig. 6-22 Default Block Page
  • Page 189: Activate Web-Based Authentication For The Global Group

    Activate Web-based authentication for the Global Group This selection of Web-based authentication creates more of a load on the R3000 than the IP Group selection, and should only be used as an alternative to IP Group authentication. Step 1: Exclude filtering critical equipment This step involves the identification of equipment—such as...
  • Page 190: Step 1A: Block Web Access, Logging Via Range To Detect

    2. Select Range to Detect to display the Range to Detect Settings window: Fig. 6-23 Range to Detect Settings window, main window 3. In the Current Ranges frame, click Add to go to the next Settings page:
  • Page 191 Fig. 6-24 Range to Detect Settings window, main window 4. Click Start the Setup Wizard to display Step 1 of the Range to Detect Setup Wizard:
  • Page 192: Range To Detect Setup Wizard

    1. Enter the IP address and specify the Netmask, or enter the Individual IP address of the source IP address(es) to be filtered. 2. Click Next to go to Step 2 of the Wizard:
  • Page 193 3. An entry for this step of the Wizard is optional. If there are destination IP address(es) to be filtered, enter the IP address and specify the Netmask, or enter the Individual IP address. 4. Click Next to go to Step 3 of the Wizard:
  • Page 194 5. An entry for this step of the Wizard is optional. If there are source IP address(es) to be ignored, enter the IP address and specify the Netmask, or enter the Individual IP address. 6. Click Next to go to Step 4 of the Wizard:
  • Page 195 7. An entry for this step of the Wizard is optional. If there are destination IP address(es) to be ignored, enter the IP address and specify the Netmask, or enter the Individual IP address. 8. Click Next to go to Step 5 of the Wizard:
  • Page 196 9. An entry for this step of the Wizard is optional. If there are ports to be excluded from filtering, enter each port number in the Individual Port field, and click Add. 10. Click Next to go to the final step of the Wizard:
  • Page 197 As a result of these entries, the IP address(es) specified to be excluded will not be logged or filtered on the network. Bypass Step 1B and go on to Step 2 to complete this process.
  • Page 198: Step 1B: Block Web Access Via Ip Sub-Group Profile

    4. Click Apply. 5. Click the Redirect URL tab to display the Redirect URL page:
  • Page 199 Fig. 6-32 Sub Group Profile window, Redirect URL tab 6. Select “Default Block Page”, and then click Apply.
  • Page 200 As a result of these entries, the machine will not be served the Authentication Request Form, and will use the default block page instead. Go on to Step 2 to complete this process.
  • Page 201: Step 2: Modify The Global Group Profile

    2. Select Global Group Profile to display the Category tab of the Profile window: Fig. 6-34 Global Group Profile window, Category tab a. Block all categories and specify that uncategorized sites should be blocked. b. Click Apply.
  • Page 202 Enter the Port number to be blocked, and then click Add to include the port number in the Block Port(s) list box. b. After entering all port numbers to be blocked, click Apply.
  • Page 203 NOTE: Since the Authentication Request Form radio button selection uses the host name of the server—not the IP address— be sure there is a DNS resolution for the host name. b. Click Apply.
  • Page 204 Select filter options to be enabled. b. Click Apply. As a result of these entries, a user who does not have a filtering profile will be served the Authentication Request Form so he/she can be authenticated.
  • Page 205: Activate Nt Authentication

    The script is as follows: echo off :start net use \\192.168.0.20\r3000$ /delete :try1 echo "Running net use..." net use \\192.168.0.20\r3000$ if errorlevel 1 goto :try2...
  • Page 206: Step 2: Modify The Global Group Profile

    Once this updated login script has been added to the domain, each time users log in to Windows they will also log in to the R3000. Users will be blocked according to the profiles set up on the domain. Step 2: Modify the Global Group Profile...
  • Page 207 Web-based and net use based authentication. 9. Click the Filter Options tab to display the Filter Options page. If necessary, select appropriate filter options to be enabled, and click Apply.
  • Page 208: Chapter 7: Technical Support

    For technical support, visit 8e6 Technologies’s Technical Support Web page at http://www.marshal8e6.com/Support/ or contact us by phone, by e-mail, or in writing. Hours Regular office hours are from Monday through Friday, 8 a.m. to 5 p.m. PST.
  • Page 209: Office Locations And Phone Numbers

    Local 714.282.6111 714.282.6116 Domestic US 1.888.786.7999 International +1.714.282.6111 8e6 Taiwan 7 Fl., No. 1, Sec. 2, Ren-Ai Rd. Taipei 10055 Taiwan, R.O.C. Taipei Local 2397-0300 2397-0306 Domestic Taiwan : 02-2397-0300 International 886-2-2397-0300
  • Page 210: Support Procedures

    • Your trouble ticket will not be closed until your permission is confirmed.
  • Page 211: Appendix A: Authentication Operations

    Authentication Tier Selections R3000 authentication is designed to support the following server types for the specified tier(s): Tier 1: Net use based authentication NOTE: Login scripts must be used for net use based authentication.
  • Page 212: Tier 2, Tier 3: Web-Based Authentication

    • Windows 2000 or 2003 Server in mixed/legacy mode NOTE: SMB Signing must not be required. Using an LDAP domain: • Windows Active Directory 2002 and 2003 • Novell eDirectory • SunONE directory server • Open Directory server
  • Page 213: Tier 1: Single Sign-On Authentication

    3. The execution of this net use command causes the Windows workstation to create an “IPC share” (command exchange) with the R3000 filter box as a shared network device. NOTE: When the IPC share is created, no drives are mapped in this share.
  • Page 214 5. Once the user is successfully authenticated, the R3000 matches the user’s login name or group name with a stored list of profile settings in the R3000. As a result of this process, the user is assigned the appropriate level of filtering.
  • Page 215: Re-Authentication Process

    While Microsoft has made this feature available since Windows NT 4.0, it was not a default setting. However, in Windows 2003, this feature is enabled by default.
  • Page 216: Ldap Protocol

    R3000 instead of the Windows 2003 Server. NOTE: For information on SMB Signing compatibility with the R3000, refer to the chart in Appendix B: Disable SMB Signing Requirements. LDAP protocol LDAP is a directory service protocol that stores entries (Distinguished Names) in a domain’s directory using a hier-...
  • Page 217: Name Resolution Methods

    R3000 hosts file. NOTE: If LDAP is used, client machines will still use the SMB authentication method to communicate with the R3000 server for Tier 1 authentication. LDAP communication only occurs between the R3000 server and the LDAP server.
  • Page 218: Configuring The Authentication Server

    • usernames and passwords • user groups • login scripts Login scripts Login (or logon) scripts are used by the R3000 server for reauthenticating users on the network. The following syntax must be entered in the appropriate directory on the authentication server console:...
  • Page 219: View Login Script On The Server Console

    In addition to the use of login scripts in the console of the authentication server, a login script path must be entered in the Block Page window of the R3000 Administrator console. This script is used for reauthenticating users on the network.
  • Page 220: Ldap Server Setup Rules

    • The administrator in charge of the LDAP server should create a user for the R3000 in order to give that user full read access to the groups and users in the directory. • Since the LDAP directory is structured as a tree, data needs to be retrieved the same way.
  • Page 221: Tier 2: Time-Based, Web Authentication

    1. The user makes a Web request by entering a URL in his/her browser window. 2. The R3000 intercepts this request and sends the user the Authentication Request Form, requesting the user to log in with his/her login ID and password.
  • Page 222: Tier 2 Implementation In An Environment

    Since both sets of scripts use the NET USE command, the client machine must already have the ability to connect to the R3000 via NET USE in order for the profile to be removed in either environment.
  • Page 223: Tier 2 Script

    :end :try3 NET USE \\10.10.10.10\LOGOFF$ if errorlevel 1 goto :error if errorlevel 0 echo code 0: Success goto :end :error if errorlevel 1 echo code 1: Failed! :end net use \\10.10.10.10\LOGOFF$ /delete
  • Page 224: Tier 1 And Tier 2 Script

    NET USE \\10.10.10.10\LOGOFF$
    if errorlevel 1 goto :removalerror
    if errorlevel 0 echo code 0: Success
    goto :endremove
    :removalerror
    if errorlevel 1 echo code 1: Failed to send removal request!
    :endremove
    net use \\10.10.10.10\LOGOFF$ /delete
  • Page 225

    :try1
    NET USE \\10.10.10.10\R3000$
    if errorlevel 1 goto :try2
    if errorlevel 0 echo code 0: Success
    goto :end
    :try2
    NET USE \\10.10.10.10\R3000$
    if errorlevel 1 goto :try3
    if errorlevel 0 echo code 0: Success...
  • Page 226: Tier 3: Session-Based, Web Authentication

    1. The user makes a Web request by entering a URL in his/her browser window. 2. The R3000 intercepts this request and sends the user the Authentication Request Form, requesting the user to log in with his/her login ID and password.
  • Page 227: 8E6 Authenticator

    Macintosh and contains the Authenticator executable, along with some support files. When installing the Marshal8e6 Authenticator Deployment Kit on a Macintosh, the informational Authenticator Basics.pdf document launches. Please review this document before installing the Authenticator.
  • Page 228: Environment Requirements

    • VESA compliant 1.2 or higher display adapter • DOS partition with 1 GB of available space • 4 GB of available, unpartitioned disk space outside the DOS partition for volume sys: • One or more network boards
  • Page 229: Macintosh Minimum System Requirements

    NOTE: Windows XP Home and Vista Home Editions will not work with the 8e6 Authenticator unless the Novell eDirectory client is installed for login and deployment of the 8e6 Authenticator client using a Novell server.
  • Page 230: Work Flow In Environments

    Windows or Novell APIs, and sends this information (LOGON event) to the R3000. 5. The R3000 looks up the groups to which the end user belongs (Windows AD, PDC, or eDirectory through LDAP or NT), and determines the profile assignment.
  • Page 231: Macintosh Environment

    (LOGON event) to the R3000. 5. The R3000 looks up the groups to which the end user belongs, and determines the profile assignment. 6. The R3000 sets the profile for the end user with user- name (including the group name, if it is available) and IP.
  • Page 232: 8E6 Authenticator Configuration Priority

    The source and order in which parameters are received and override one another are described below. NOTES: The RA[] parameter for the R3000 IP address is the only parameter that must be configured. Any parameter set at the end of the list will override any parameter that was previously set.
  • Page 233: Macintosh

    8e6Authenticator.conf file in the path containing the Authenticator executable, if present 3. Command Line (optional): Options on the command line will override compiled defaults and the configuration file. The command line can be left blank.
  • Page 234: 8E6 Authenticator Configuration Syntax

    Sample command line parameters
    authenticat.exe LF[c:\] ra[192.168.0.43]Rr[40000]
    Sample configuration file
    RA[100.10.101.30] { R3000 Virtual IP address }
    RP[139] { R3000 Port }
    RH[30000] { Heartbeat timer (30 seconds) }
    RR[30000] { Reconnect time (before connecting again) }...
  • Page 235: Sample R3000 Configuration Update Packet 'Pcfg

    RH[30000]RC[1000]LE[1] You only need to change the options you do not wish to remain as default. Often the IP address of the R3000 (RA) and the log file (LF) are the most desired options to change. Note that full network paths are allowed.
  • Page 236: Table Of Parameters

    Values Meaning Default Default User’s Logon 1-256 (0 = Win32, 1 = Nov- 255 (auto) Environment ell) (auto) RA # * R3000 Virtual IP 255.255.255.255:PORT;… 0.0.0.0 0.0.0.0 Address RV # R3000 VPN Sup- (IP-IP;IP:PORT;…),… port Table R3000 Port 1-65535 R3000 Heartbeat...
  • Page 237 + If UT[0] is set, then the Novell environment will be ignored, if present, and only the Windows environment information will be retrieved and sent to the R3000. If UT[1] is set and the Novell environment is invalid or the...
  • Page 238 Reconnect time. After any disconnection, the logic will always begin with the main IP address as its first attempt. • For RV[], sets of R3000 addresses are specified based on an IP range that matches the client’s IP address; multiple destination R3000 addresses may be used in each set and will have the same functionality as multiple destinations specified in the RA[] parameter.
  • Page 239: Novell Edirectory Agent

    Novell eDirectory Agent Novell eDirectory Agent provides Single Sign-On (SSO) authentication for an R3000 set up in a Novell eDirectory environment. Using Novell eDirectory Agent, the R3000 is notified by the eDirectory server when an end user logs on or off the network, and adds/removes his/her network IP address, thus setting the end user’s filtering profile accord-...
  • Page 240: Client Workstations

    • Macintosh: Prosoft NetWare client Version 2.0 Novell eDirectory setup The eDirectory Agent uses the LDAP eDirectory domain configuration setup in the R3000 Administrator console. The eDirectory Agent receives notification from the eDirectory server regarding logon and logoff events by end users. The Novell client must be installed on each end user’s worksta-...
  • Page 241: R3000 Setup And Event Logs

    R3000 setup and event logs When using a Novell eDirectory server and choosing to use the Novell eDirectory Agent option in the R3000: • Enable Novell eDirectory Agent in the Enable/Disable Authentication window. NOTES: If using an SSO authentication solution, Tier 2 or Tier 3 should be selected as a fallback authentication operation.
  • Page 242: Active Directory Agent

    This session table is forwarded to the R3000 so the end user is given the appropriate filtering profile. The AD Agent can be installed on any Windows 2000 or 2003 server on the domain, and does not have to be installed on a domain controller.
  • Page 243: Windows Server Requirements

    (login name, domain name, IP address of machine). 4. AD Agent sends information with the event indicator to the R3000 Authentication Module. 5. R3000 assigns or removes a profile based on the user information and event indicator.
  • Page 244: Set Up Ad Agent

    Set up AD Agent Step 1: AD Agent settings on the R3000 To set up Active Directory Agent on the R3000, go to System > Authentication > Enable/Disable Authentication window in the R3000 interface, and specify the following criteria: Fig.
  • Page 245 Name and then click Delete. 6. After making your entries, click the “X” in the upper right corner of the pop-up window to close it. 7. Click Apply in the Enable/Disable Authentication window to save your settings.
  • Page 246: Step 2: Configure The Domain, Service Account

    Expand the Local Policies > User Rights Assignment node of the tree. b. Double-click the Manage auditing and security log policy. c. Check the “Define these policy settings” checkbox.
  • Page 247: Step 3: Ad Agent Installation On Windows Server

    The steps in this section provide instructions for setting up and running AD Agent on a simple, single-domain network. Step 3A: Download DCAgent.msi 1. In the R3000 interface, go to System > Authentication > Enable/Disable Authentication window. 2. In the AD Agent frame, click Download 8e6 AD Agent Installer to download the AD Agent (DCAgent.msi) to the...
  • Page 248 (EULA) in the 8e6 AD Agent installation setup wizard: Fig. A-6 AD Agent EULA 3. After reading the EULA, click Accept to proceed with specifying the destination folder for installing the AD Agent: Fig. A-7 Specify installation setup destination
  • Page 249 Click Close to close the installation setup window and to open the AD Agent configuration wizard window (see Fig. A-10). The configuration wizard can be completed now or at a later point in time.
  • Page 250: Step 3C: Run Ad Agent Configuration Wizard

    1. Review the contents of the first wizard page that explains how to configure the domain and service account, as described in Step 2: Fig. A-10 AD Agent configuration wizard, preliminary instructions Click Next to go to the account and password page:
  • Page 251 “Do not update service account settings” checkbox to bypass this option. c. Click Next to display the page that lets you specify the role of AD Agent on this machine being configured:
  • Page 252 • If the role of this AD Agent is “Primary” - Do the following: a. Make sure “Primary” is selected. b. Click Next to display the page for specifying R3000 criteria (see Fig. A-13). • If the role of this AD Agent is “Satellite” - Do the following: a.
  • Page 253 Appliance address - Enter the IP address of the R3000 that will receive AD Agent logon/logoff event information. c. Port - By default, “26267” displays for the R3000’s port. This port number should only be changed if the R3000 is using a different port number.
  • Page 254 (Repeat passphrase) - Re-enter the passphrase entered in the previous field. f. Descriptive name - By default “Filter #1” displays. A descriptive name for the R3000 can be entered in this field. 5. After configuring the AD Agent in either a primary or...
  • Page 255: Use The Active Directory Agent Console

    AD Agent was configured as a satellite, and also whenever the Activity tab is clicked in the Active Directory Agent console of a primary AD Agent: Fig. A-15 Primary AD Agent console, Activity tab
  • Page 256 NOTE: Any record that displays in red text indicates an error on the server. All errors reported in this log will be sent in a daily email message to the designated administrator (see the Notifications page Active Directory Agent Configuration window).
  • Page 257 • View/modify primary AD Agent configuration, stop/start AD Agent service - Click the Configuration button to open a pop-up window containing AD Agent configuration tools and configured settings (see Active Directory Agent Configuration window).
  • Page 258: Sessions Tab

    Windows server, or machine icon and no user name if a user was not detected at the designated workstation. • IP Address - IP address of the workstation. • Workstation - Network name of the workstation.
  • Page 259 • Probe a workstation - The Workstation Interactive Probe window provides tools to probe a workstation on demand, and is accessible by clicking the Probe workstation button, or right-clicking the end user’s record (see Workstation Interactive Probe window).
  • Page 260: Session Table Spreadsheet

    “Unknown” if the end user is not logged in or is undetected by the probe); Last update date and Verified time (each using the YYYY-MM-DD HH:MM:SS military time format), Update source (type of probe used), and Quality of the data source (percentage).
  • Page 261: Session Properties Window

    D/YYYY H:M:SS AM/PM format); Login type ("Interactive" if the user is logged in and detected by the probe, "Unknown" if the user is not logged in or is undetected by the probe); Update source (type of probe used);
  • Page 262: Workstation Interactive Probe Window

    The IP Address of the workstation displays above the blank screen, along with the following buttons: Nwksta Probe, WMI Probe, Clear log, X Close. Beneath the blank screen, the following information displays: User domain name and username, Workstation name.
  • Page 263 TIP: Click Clear log to clear the screen of probe results. 3. After performing the necessary actions in this window, click X Close to close the window.
  • Page 264: Active Directory Agent Configuration Window

    The Active Directory Agent Configuration window lets you modify settings for the AD Agent team, if there are changes to the AD Agent setup or to the R3000 on your network. For satellite hosts, most of this information can only be viewed...
  • Page 265 Active Directory Agent Configuration window, and to restart the AD Agent. NOTE: For existing satellites, changes made to the Agent team are automatically distributed, and satellite services automatically restarted.
  • Page 266: Service Page

    • Refresh work assignments - This button is activated if the AD Agent service is running on the primary host. Clicking this button forces the primary Agent to recalculate the delegation of work assignments to all satellite hosts.
  • Page 267: Appliance Page

    2. If necessary, click the following objects on a primary host to perform the specified actions: • “Enable transmissions to this appliance” - De-select this option if the R3000 should not be receiving data from the primary host. • Resend all data - Click this button to resend the entire session table from the primary host to the R3000.
  • Page 268: Agent Hosts Page

    • Remove - On a primary host server, selecting a satellite in the AD Agent servers list box and clicking this activated button removes the satellite from the list box.
  • Page 269: Add A Satellite

    AD Agent servers list box. Remove a satellite On a primary host server: 1. Select the satellite Machine in the AD Agent servers list box. 2. Click Remove to remove the satellite from the list box.
  • Page 270: Configure A Satellite

    • If the satellite will be manually assigned one or more specific servers to scan, enter the name(s) in the Assigned servers field, leaving a space between each server name.
  • Page 271 IP Address Filters list box of the Satellite Agent Configuration dialog box. • To specify an IP address range to scan, choose “Range” and make the following entries: Fig. A-26 IP Filter Properties dialog box, Range
  • Page 272: Check The Status Of A Satellite

    Role of the server (“Primary” or “Satellite”), and the Last status update (using the M/D/YYYY H:M:S AM/PM format). The following columns of information display for each record in the table:
  • Page 273 • Sources - a list of the modules that reported during the specified time period in which data was obtained. 3. Click Close to close this window.
  • Page 274: Options Page

    Reset Team State option in the Service page). • “Enable WMI workstation probes”: By default, this probe process is not selected to run. NOTE: In order to use this probe, the dcagent_service account must be a Domain Admins group member.
  • Page 275 Satellite Agent Configuration dialog box, accessible via the Agent hosts page. NOTE: Domain controllers should not be added to the Other servers list.
  • Page 276: Notifications Page

    • Port - By default, 25 displays as the port number used for sending email. This port number should be changed if the sending mail connection fails. • Sender email address - Enter the email address of the server sending the email message.
  • Page 277 NOTE: The primary AD Agent sends an alert email message each day to the administrator’s email address designated in this page. This email message includes all alert messages for that day.
  • Page 278: Appendix B: Obtain, Export An Ssl Certificate

    When using Web-based authentication, the LDAP server’s SSL certificate needs to be exported and saved to the hard drive, then uploaded to the R3000 so that the R3000 will recognize LDAP server as a trusted source. This appendix provides steps on exporting an SSL certificate from a Microsoft Active Directory or Novell server—the...
  • Page 279: Locate Certificates Folder

    Open field, type in mmc.exe to specify that you wish to access the Microsoft Management Console: Fig. B-2 Run dialog box 2. Click OK to open the Console window: Fig. B-3 Microsoft Console window
  • Page 280 Fig. B-4 Add/Remove Snap-in 4. Click Add to open the Add Standalone Snap-in dialog box: Fig. B-5 Add Standalone Snap-in 5. Select Certificates, and click Add to open the Certificates snap-in wizard dialog box:
  • Page 281 7. Choose “Local computer: (the computer this console is running on)”, and click Finish to close the wizard dialog box. 8. Click Close to close the Add Standalone Snap-in dialog box. Click OK to close the Add/Remove Snap-in dialog box.
  • Page 282: Export The Master Certificate For The Domain

    1. Go to the right panel of the Console and select the master certificate for the domain that you just added. 2. Right-click the certificate to open the pop-up menu, and select All Tasks > Export: Fig. B-9 Select the certificate to be exported
  • Page 283 3. Click Next to go to the Export Private Key page of the wizard: Fig. B-11 Export Private Key 4. Select “No, do not export the private key”, and click Next to go to the Export File Format page of the wizard:
  • Page 284 File to Export page of the wizard: Fig. B-13 File to Export 6. Enter the File name of the file to be exported, followed by the .cer extension. Click Next to go to the final page of the wizard:
  • Page 285 Click Finish to close the wizard dialog box. 8. Close the Console. The certificate can now be uploaded to the R3000.
  • Page 286: Export A Novell Ssl Certificate

    Console View (right panel): Fig. B-15 Novell Console window 2. Find the tree’s folder and right-click it to open the pop-up menu. Select Properties to open the Properties dialog box: Fig. B-16 Properties dialog box
  • Page 287 The path of the certificate displays in the Filename field. 6. Click Export to open another pop-up window that asks where you would like to save the certificate—the most convenient place would be your desktop. The certificate can now be uploaded to the R3000.
  • Page 288: Obtain A Sun One Ssl Certificate

    Therefore, a copy of the root certificate—in the .cer or .der format—that was used to sign the LDAP server’s certificate must be uploaded to the R3000. This certificate can be an internally generated root certificate (if you have a certificate authority to generate the certificate), or can be the root certificate used by the external signing authority.
  • Page 289: Appendix C: Ldap Server Customizations

    The R3000 has been tested on common types of standard LDAP servers with default settings. However, due to the number of LDAP servers available, and the limitless ways in which any type of LDAP server can be configured, customi-...
  • Page 290: Appendix D: User/Group File Format And Rules

    An NT/LDAP quota filtering profile is set up in the following format: 1. Enter the username, group name, or LDAP container name. 2. Press the Tab key on your keyboard to leave a space. 3. Enter the quota string.
  • Page 291: Username Formats

    80 = HTTP (Hyper Text Transfer Protocol) 119 = NNTP (Network News Transfer Protocol) 443 = HTTPS (Secured HTTP Transmission) Other • Filter Mode Values: 1 = Default, Block Mode 2 = Monitoring Mode 4 = Bypassing Mode
  • Page 292: Category Codes

    NOTE: The list of library category codes and corresponding descriptions is subject to change due to the addition of new categories and modification of current categories. For explanations and examples of category items, go to http://www.8e6.com/database-categories.html
  • Page 293: Filter Option Codes

    NOTE: See http://www.marshal8e6.com/software/8e6/hlp/r3000help/files/2group_textfile_format_nt.html for examples of NT filtering profile entries, and http://www.marshal8e6.com/software/8e6/hlp/r3000help/files/2group_textfile_format_ldap.html for examples of LDAP filtering profile entries. Quota profile entries are included in these pages.
  • Page 294: File Format: Rules And Examples

    • The string must end with “0x1” if no filter options will be enabled. • If quotas are to be used in filtering profiles, these must be entered in a separate file from the NT or LDAP profile file.
  • Page 295: Nt User List Format And Rules

    Search Engine Keyword filter options enabled. • NT profile for a user with ID “Doe-Jane”: Bypass all categories, use standard block page, X Strikes Blocking and URL Keyword filter options enabled.
  • Page 296: Nt Group List Format And Rules

    • NT profile for a group with ID “Tech”: Filter all ports, Always Allow Business/Investments categories, and let all other categories Pass, use filter mode 1, use standard block page, X Strikes Blocking and Google/Yahoo!/Ask.com/AOL Safe Search Enforcement filter options enabled.
  • Page 297: Nt Quota Format And Rules

    • NT quota profile for “Tech”: 15 Overall Quota minutes; 15 quota minutes for the first category listed, 5 quota minutes for the second category, and 10 quota minutes for the third category.
  • Page 298: Ldap User List Format And Rules

    Pornography/Adult Content, Warn on Uncategorized URLs, and Pass all other categories, use filter mode 1, use redirect URL http://www.cnn.com in place of the standard block page, no filter options enabled.
  • Page 299: Ldap Group List Format And Rules

    • LDAP profile for group with ID “Sales”, user group “Users”, domain “qc”, DNS suffix “.local”: Bypass all categories, use filter mode 1, use redirect URL http://www.cnn.com in place of the standard block page, no filter options enabled.
  • Page 300: Ldap Quota Format And Rules

    • LDAP quota profile for “Sales”, user group “Reps”, domain “tc”, DNS suffix “.local”: 10 Overall Quota minutes, 5 quota minutes for the first two categories listed, and 10 quota minutes for the last category listed.
  • Page 301: Appendix E: Override Pop Up Blockers

    This appendix provides instructions on how to use an override account if typical pop-up blocking software is installed, as in the following products: Yahoo! Toolbar, Google Toolbar, AdwareSafe, Mozilla Firefox, and Windows XP Service Pack 2 (SP2).
  • Page 302: Yahoo! Toolbar Pop-Up Blocker

    1. Go to the Yahoo! Toolbar and click the pop-up icon to open the pop-up menu: Fig. E-2 Select menu option Always Allow Pop-Ups From 2. Choose Always Allow Pop-Ups From to open the Yahoo! Pop-Up Blocker dialog box:
  • Page 303 Pop-Ups list box to activate the Allow button. 4. Click Allow to move the selected source to the Always Allow Pop-Ups From These Sources list box. 5. Click Close to save your changes and to close the dialog box.
  • Page 304: Google Toolbar Pop-Up Blocker

    # blocked icon: Fig. E-4 # blocked icon enabled Clicking this icon toggles to the Site pop-ups allowed icon, adding the override account window to your white list: Fig. E-5 Site pop-ups allowed icon enabled
  • Page 305: Adwaresafe Pop-Up Blocker

    3. Click the Override button to open the override account pop-up window. 4. Go back to the SearchSafe toolbar and click the icon for Popup protection off to toggle back to # popups blocked. This action turns on pop-up blocking again.
  • Page 306: Mozilla Firefox Pop-Up Blocker

    3. With the “Block unrequested popup windows” checkbox checked, click Allowed Sites and enter the URL to allow the override account window to pass. 4. Click OK to save your changes and to close the dialog box.
  • Page 307: Windows Xp Sp2 Pop-Up Blocker

    Internet Options to open the Internet Options dialog box. 2. Click the Privacy tab: Fig. E-7 Enable pop-up blocking 3. In the Pop-up Blocker frame, check “Block pop-ups”. 4. Click Apply and then click OK to close the dialog box.
  • Page 308: Use The Ie Toolbar

    1. In the Options page (see Fig. E-1), enter your Username and Password. 2. Press and hold the Ctrl key on your keyboard while simultaneously clicking the Override button—this action opens the override account pop-up window.
  • Page 309: Add Override Account To The White List

    3. In the Options page (see Fig. E-1), enter your Username and Password. 4. Click the Override button to open the override account pop-up window.
  • Page 310: Use The Information Bar

    2. Click the Override button. This action displays the following message in the Information Bar: “Pop-up blocked. To see this pop-up or additional options click here...”: Fig. E-10 Information Bar showing blocked pop-up status
  • Page 311 NOTE: To view your white list, go to the Pop-up Blocker Settings dialog box (see Fig. E-9) and see the entries in the Allowed sites list box. 6. Go back to the Options page and click Override to open the override account window.
  • Page 312: Appendix F: Glossary

    Container objects can also "contain" other objects, such as user objects, group objects, and computer objects. directory - This information source on a server contains attribute-based data relevant to a DN entry.
  • Page 313 Name (DN). Each attribute type of the Distinguished Name has a type and one or more values. These types are mnemonic strings, such as "cn" for common name, "dc" for domain component, or “ou” for organizational unit.
  • Page 314 - An R3000 set up in the firewall mode will filter all requests. If the request is appropriate, the original packet will pass unchanged. If the request is inappropriate, the original packet will be blocked from being routed through.
  • Page 315 - A process that occurs when the R3000 attempts to resolve the IP address of the authentication server with the machine name of that server. This continuous and regulated automated procedure ensures the connection between the two servers is maintained.
  • Page 316 Web page, the proxy server accesses the page from the Internet and sends it to the client. A proxy server may be used for security reasons or in conjunction with caching for bandwidth and performance reasons.
  • Page 317 URLs for a specified time before being blocked from further access to that category. router mode - An R3000 set up in the router mode will act as an Ethernet router, filtering IP packets as they pass from one card to another. While all original packets from client...
  • Page 318 URL from that library category or an uncategorized URL is requested. Web-based - An authentication method that uses time-based profiles or persistent login connections. white list - A list of approved library categories for a specified entity’s filtering profile.
  • Page 319: Index

    199 servlet 43 setup procedures 197 specifications and requirements 201 test net use settings 161 test settings 150 test Web-based settings 152 Authentication Form Customization 69 authentication method, definition 298
  • Page 320 3 category custom categories 18 library 18 category codes 278 Category Profile domain 136 Category tab domain 136 checkbox, terminology 3 Common Customization 66 common name (cn), definition 298 container 11
  • Page 321 55 eDirectory 216 edirEvent.log 55 Enable/Disable Authentication window 40 entry, definition 299 environment requirements 33 eth0, eth1 36 Exception URL window 141 field, terminology 3 file formats 280 filter option codes 279
  • Page 322 8 IP 9 LDAP 11 NT 10 types of 8 group administrator, definition 300 group name, definition 300 group objects 100 Group tab 99 Group/Member Details window 134 HTTPS 34 IANA 202
  • Page 323 LDAP domain add 95 add groups, users 120 LDAP domain window 97 LDAP host, definition 301 LDAP Query Base 104 LDAP Server Type 98 LDAP User/Group Browser window 121 library categories 18
  • Page 324 201 name resolution 203 Microsoft Active Directory Mixed Mode 98 Native Mode 98 minimum filtering level 19 definition 301 name resolution definition 301 methods 203 WINS Server 203 definition 302
  • Page 325 275 Operation Mode window 36 Options page 62 organizational unit (ou), definition 302 override account AdwareSafe popup blocking 291 block page authentication 58 definition 302 Google Toolbar popup blocking 290
  • Page 326 5 quota 93 definition 303 format 279 radio button, terminology 5 Radius profile 13 re-authentication block page authentication 58 net use based process 201 Redirect URL tab domain 139 requirements
  • Page 327 Signing 201 SMB/NT name resolution method 203 SSL certificate 49 Active Directory 264 Novell 272 obtain, export from LDAP server 264 Sun ONE 274 SSL settings 107 SSL tab 107 SSO 225
  • Page 328 304 Web-based authentication 162 time profile add 144 definition 304 profile type 16 time-based authentication (Tier 2) 24 time-based profile 43 topic, terminology 6 tree, terminology 7 Type tab 97
  • Page 329 58 SSL certificate 31 Web-based, definition 304 white list, definition 304 window, terminology 7 Windows 2003 SMB Signing 201 WINS Server 46 name resolution usage 203 workstation requirements 33
