Sophos Web Appliance | Contents
Chapter 1: About Your Appliance .... 8
1.1 Sophos Web Appliance Features .... 8
1.2 Sophos Management Appliance Features .... 9
1.3 Common Features .... 9
Chapter 2: Getting Started .... 11
2.1 Appliance Hardware .... 11
2.1.1 Replacing an SM5000 or WS5000 Hard Drive .... 15
2.1.2 Replacing an SM5000 Power Supply .... 18
...
2.10 Product Documentation .... 56
Chapter 3: Dashboard .... 57
Chapter 4: Configuration .... 60
4.1 Accounts .... 61
4.1.1 Administrators .... 61
4.1.2 Notification Page Options .... 65
4.2 Group Policy .... 74
4.2.1 Default Policy .... 75
4.2.2 Default Groups .... 84
4.2.3 Special Hours .... 87
4.2.4 Additional Policies .... 89
4.2.5 Configuring the Local Site List .... 97
4.2.6 Testing Policy Applied to a URL .... 100
...
4.4.9 Time Zone .... 141
4.4.10 Central Management .... 141
4.4.11 Certificates .... 144
4.4.12 Endpoint Web Control .... 144
4.5 Network .... 146
4.5.1 Configuring the Network Interface .... 147
4.5.2 Hostname and Other Network Settings .... 150
4.5.3 Configuring WCCP .... 153
4.5.4 Load Balancing with the Management Appliance .... 155
4.5.5 Testing Network Connectivity .... 155
...
Appendix A: Configuring Ports .... 196
Appendix B: Configuring Your Browser .... 198
B.1 Adding the Sophos Root Certificate .... 198
B.1.1 Adding the Sophos Root Certificate in Internet Explorer .... 198
B.1.2 Adding the Sophos Root Certificate in Firefox .... 199
B.2 Configuring Proxy Settings .... 199
B.2.1 Internet Explorer Proxy Configuration .... 200
B.2.2 Firefox Proxy Configuration .... 200
...
C.2.15 Server error .... 207
C.2.16 Subdomain failed to authenticate .... 208
C.2.17 Could not join the Secondary Domain Controller .... 208
C.3 eDirectory Troubleshooting .... 208
C.3.1 Invalid credentials .... 209
C.3.2 Could not connect to server .... 209
C.3.3 Unable to establish Secure LDAP connection .... 209
C.3.4 No users or groups returned from LDAP server .... 209
...
Special Hours web access policies. The Web Appliances use the proven Sophos Anti-Virus engine, regularly updated with the latest internet threats every 5 to 30 minutes by SophosLabs™, our global threat detection network.
5 minutes. Remote "heartbeat" monitoring that proactively ensures up-to-date protection and optimal hardware and software performance. Industry-leading 24/7/365 live support directly from Sophos. On-demand remote assistance that provides easy, direct access to Sophos Technical Support.
Sophos specifications. A hardened Linux operating system optimized for Sophos software.
URLs is recorded. Also, as the administrator, you can extend or override the Sophos site list by adding URLs to a local site list. In the case of sites already in the Sophos site list, you can override the default handling by changing the risk class or site category.
Indicators on the front of each appliance provide status information and warnings. The arrangement of the front panel LEDs is the same for the WS100, WS500, WS1000, WS1100, and SM2000. The indicators on the front of the SM5000 are slightly different, as are those on the front of the WS5000.
(and to the right of the Unit ID button on the SM5000). Important: Sophos strongly suggests that you use the software shutdown and restart options documented on the System Status page (page 188). A quick press and release of the appliance's power button performs a graceful shutdown, but holding the power button down for four seconds or more forces an immediate, unclean shutdown.
There is always a bridge card in a WS1000. Bridge cards are optional for the WS500 and WS1100. There is never a bridge card in a WS100, SM2000, or SM5000. For appliances with no bridge card:...
Depending on the severity of the issue, the appliances will raise an alert in the administrative web interface or via email, or both. Alerts advise that devices are not working normally or draw attention to potential problems. In most cases, the alert will instruct you to contact Sophos Technical Support.
SM5000, front view showing the four hard disk drive bays. Hardware Configuration: On the SM5000 and WS5000, the disks are mirrored using RAID 10, so only one disk at a time may be failed or removed for replacement.
1. Press the colored release button beside the failed drive's LEDs to unlatch the handle. 2. Swing the handle fully out to disengage the drive. 3. Slide the drive halfway out of the drive bay and wait for it to spin down. Allow 10-20 seconds before removing the drive from the drive bay.
6. Press firmly on both the left and right edges of the drive with both thumbs. Applying this pressure ensures that the drive is fully engaged, even if no movement of the drive is felt.
Failure Identification. Case 1: If either of the two power supplies completely fails, the "Power Indicator" LED on the front panel turns yellow, and an alarm sounds until the power supply is replaced. On the back of the unit, the "Power Supply Status"...
3. Carefully push the replacement power supply module straight into the appliance until you hear the release tab click into place. 4. Plug the AC power cord back into the new power supply module. The "Power Supply Status"...
Case 2: If either of the two power supplies partially fails, the "Power Indicator" LED on the front panel is green and no alarm sounds. On the back of the unit, the "Power Supply Status" LED for the unit that has partially failed is yellow.
“Grouping Web Appliances” and “Central Management”. Virtual appliances integrate seamlessly with hardware-based appliances as well as other virtual appliances. Replacing a Stand-Alone Web Appliance If you have a single hardware-based Sophos Web Appliance that you want to replace with a virtual Web Appliance:...
4. When restoration is complete, power off and decommission the hardware-based appliance. Replacing a Management Appliance If you have a hardware-based Sophos Management Appliance that you want to replace with a virtual Management Appliance: 1. Configure the virtual appliance according to the instructions in the Virtual Management Appliance Setup Guide.
This means that it could allow people from outside of your organization to use your Web Appliance as a proxy, consuming your bandwidth and creating traffic that appears to come from your organization. Sophos strongly advises that you take the following steps to prevent this: 1.
Configure your firewall to allow email with attachments from the Web Appliance to wsasupport@sophos.com. Sophos needs this because it uses the system status snapshots that your appliance submits as email attachments to ensure that your Web Appliance is operating within acceptable thresholds.
Users' HTTP, HTTPS, and FTP-over-HTTP requests are passed to the Web Appliance. The Web Appliance assesses URLs, blocks disallowed requests, checks if allowed URL requests are currently cached, and passes URL requests that are not cached through the...
ISA or TMG server, then clients (users) can be seen as usernames. Allows you to use multiple Web Appliances in a simple load-balancing deployment. If the Sophos ISA/TMG plug-in is not installed, all traffic will be identified as coming from one user: the ISA/TMG server.
Users' HTTP and HTTPS requests are passed through an ISA/TMG server that uses NTLM or IWA authentication. The ISA/TMG server passes URL requests to the Web Appliance. The Web Appliance assesses the URL.
Follow the configuration instructions for the Explicit Deployment scenario, but with the following differences: Ensure that your ISA/TMG server is between the clients and your Web Appliance. Ensure that your ISA/TMG server is configured to pass traffic through the Web Appliance if it is configured in an Explicit Deployment.
Users make HTTP/HTTPS requests from their clients that are sent out to the LAN. The router receives all network traffic and redirects all HTTP/HTTPS requests to the Web Appliance. The Web Appliance assesses URLs, blocks disallowed requests, checks if allowed URL requests are currently cached, and passes URL requests that are not cached out to the LAN.
Note: Configuring all users' browsers to use the Web Appliance as a web proxy can be done centrally in Windows networks by using one of several methods. See the Sophos Knowledgebase pages for instructions on how to do this by: Creating, Testing, and Deploying a proxy.pac File...
There are two ports on the bridge card in the upper-right corner of the back of the appliance. Immediately to the left of these is a small group of six LEDs that indicate LAN connection status, as described in the "Appliance Hardware"...
Note: Configuring all users' browsers to use the Web Appliance as a web proxy can be done centrally in Windows networks by using one of several methods. See the Sophos Knowledgebase pages for instructions on how to do this by: Creating, Testing, and Deploying a proxy.pac File...
If it fails, all clients must be reconfigured, although clients can be configured to bypass the Web Appliance should it fail. Operation: Users' HTTP, HTTPS, and FTP requests are examined by the...
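The proxy.pac mentioned in the notes above is ordinary JavaScript evaluated by the browser. The file below is an added example, not the one from the Sophos Knowledgebase article, of an Explicit Deployment PAC that sends web traffic to the appliance and gives browsers the fail-over bypass described above. The appliance address wsa.example.com:8080, the internal zone example.com and the RFC 1918 ranges are assumed values. The PAC helper functions (isPlainHostName, dnsDomainIs, shExpMatch, isInNet) are supplied by the browser; the shims at the top are defined only when the file is loaded outside a browser, so that it can be checked under Node before it is deployed.

```javascript
// proxy.pac for an Explicit Deployment. Added example, not Sophos's own file.
// Assumed values: the appliance listening at wsa.example.com:8080, the
// internal DNS zone example.com, and RFC 1918 ranges for direct access.

// Browsers provide the PAC helper functions. These shims exist only so the
// file can be exercised outside a browser (for example under Node).
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length && host.slice(-domain.length) === domain;
  };
  globalThis.shExpMatch = function (str, pattern) {
    var re = "^" + pattern.replace(/[.+^${}()|\[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
  globalThis.isInNet = function (ip, net, mask) {
    function toInt(a) {
      return a.split(".").reduce(function (n, o) { return (n << 8) + Number(o); }, 0) >>> 0;
    }
    return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
  };
}

var APPLIANCE = "PROXY wsa.example.com:8080";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Local names, the internal zone and loopback never go through the appliance.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.com") ||
      host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }

  // Private address literals stay inside the LAN.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }

  // The appliance handles HTTP, HTTPS and FTP; anything else goes direct.
  if (!shExpMatch(url, "http:*") && !shExpMatch(url, "https:*") && !shExpMatch(url, "ftp:*")) {
    return "DIRECT";
  }

  // "; DIRECT" is the fail-open bypass: the browser uses it only when the
  // appliance does not answer. Return APPLIANCE alone to fail closed.
  return APPLIANCE + "; DIRECT";
}
```

Deploy the file through Group Policy or WPAD as the Knowledgebase pages describe. Be deliberate about the trailing "; DIRECT": it is exactly the bypass the paragraph above describes, so while the appliance is down users browse with no filtering at all. Sites that lose availability when the appliance fails are preferable to unfiltered browsing in many environments; in that case return the PROXY entry on its own.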
Related information: Disabling Automatic Proxy Caching. 2.3.5 Existing Cache Deployment. This option allows the Web Appliance to work in conjunction with an existing web-caching server. Operation: The operation will vary according to the deployment scenario that you choose. As an example, the deployment shown in the diagram above and described in the points below is based on a Bridged Deployment.
Follow the configuration instructions for the basic network deployment scenario that you want to use (Explicit Deployment, Transparent Deployment, or Bridged Deployment), but with the following differences: Ensure that your existing cache server is between your Web Appliance and your firewall.
Microsoft Forefront TMG Deployment. 2.3.7 Integrating with Sophos Email Products. The appliance can be configured to work with Sophos's email products, such as the Sophos Email Appliances or PureMessage for UNIX. The instructions for doing so are listed below.
Hostname page, enter the IP address of your PureMessage server in the Outgoing SMTP mail server text box. b) On your Sophos PureMessage server, on the Policy > Internal Hosts page, enter the IP address of your Web or Management Appliance.
Sophos Email Security and Control site. 2.3.8 Grouping Web Appliances. The Sophos Web Appliance is available in a variety of models, each capable of providing web browsing security and control features for different numbers of end users. As indicated in the table below, appliances differ in their processing capacity and memory.
There is also the option of the Management Appliance extracting configuration and policy data from the first Web Appliance to join. Scenario 1: Your growing organization now requires more than one appliance...
Appliances to the Management Appliance, providing centralized reporting (red smooth lines). Appliance Mode and Model Differences Sophos Web Appliances can operate in standalone or joined mode. You can also join a Sophos Management Appliance to one or more Web Appliances for centralized management.
Appliance-generated email Background: The Web Appliance provides a managed appliance experience that is enabled in part by sending system status snapshots as email attachments to Sophos to ensure that your Web Appliance is operating within acceptable thresholds. Problem: Firewalls can strip attachments from Web Appliance-generated email.
2.4 Understanding Mode and Model Differences. The Sophos Web Appliance is available in a variety of models, each capable of providing web browsing security and control features for different numbers of end users.
Table columns: administrative web interface page(s); Standalone Web Appliance; Joined Web Appliance; Sophos Management Appliance. Dashboard: Yes, but no report links; Yes; additional Select View option to see only information for a specific appliance; for All appliances option,...
System > Central Management: Join; Revert to standalone; Set "Join" options; Management Appliance (each unique). Network > ...: Yes; no Deployment mode menu, no Configure button...
2.5 Platforms and User Interface
Supported Platforms
End-User Browser: Internet Explorer 8.0 and newer, recent versions of Chrome and Firefox
Administrator Browser: Internet Explorer 8.0 and newer, recent versions of Firefox
Directory Services...
Remote Assistance session established is displayed while an outbound SSH connection to Sophos Technical Support is open. Sophos proactive monitoring is off is displayed when the Activate appliance support alerts are turned off on the System: Alerts page. v#.#.# shows the version number of the current appliance software. Click the version number to open the release notes in a new window.
Trojans, worms, other malware, and potentially unwanted applications (PUAs). The Web Appliance does this by using site lists. Sophos provides a basic and an enhanced list of URLs—the Sophos Basic Categorization Data and the Sophos Enhanced Categorization Data—each of which assigns a risk classification (high, medium, low, or trusted) and a site category...
reclassification or re-categorization of the site. The message that users see on these pages can also be modified. Default actions are as follows: Content from sites classified as being high-risk is always blocked...
Policies, you can set what action is taken in response to a tag. Dynamic Categorization Sophos provides the ability to block attempts by your users to evade policy controls through anonymizing proxies and caching websites by automatically detecting such sites with the Dynamic Categorization feature.
When a web control policy is configured and enabled solely through Enterprise Console, rules for 14 essential categories are applied for each user through Sophos Endpoint Security and Control. The policy, defined on Enterprise Console as “Potentially Unwanted Website Control,”...
Method 2: Enterprise Console and Appliance. When a full web control policy is applied using either a Sophos Web Appliance or Sophos Management Appliance, Enterprise Console supplies the hostname of the corresponding appliance so that endpoints can communicate with it.
With the combination of Sophos Enterprise Console and a Sophos Web Appliance it is possible to extend your Full Web Policy to endpoint machines, providing more than 50 site categories, highly flexible policy configuration, and detailed reporting on threats and usage.
24 hours a day, seven days a week. The appliance constantly updates anti-virus definitions and Sophos website categorization data throughout the day. It also downloads "Critical" and "Maintenance" software updates. Critical updates are security-related and protect against anything that can compromise the appliance.
If a hardware component or entire appliance requires replacement at any time during the first three years, Sophos will cover the costs of the new appliance and delivery. The customer is responsible for returned unit delivery charges.
Knowledge Base is a collection of articles that address the following issues: Common questions received by Sophos Support about the appliance. Technical issues that are not commonly encountered by appliance administrators. Technical issues that involve third-party hardware or software products that affect Web...
You must use Sophos Enterprise Console together with an appliance to deploy web filtering by way of Endpoint Security and Control. Click to view details of any connected endpoints. If you are not filtering at the endpoints, the number shown is always zero.
URL of a file, and click Submit. To view the progress of the test, click Search and go to Sandstorm > Sandbox Activity. Note: This option is available only to licensed users of Sophos Sandstorm. Advanced Threat Protection Information on the number of machines on your network that are potentially infected. If no threats have been detected for a given time interval, a green checkmark will be displayed.
Depending on how you have configured Sandstorm, some of these may not be sent to the Sophos Active Sandbox for analysis. Sent for Analysis: The total number of downloaded items sent to the Sophos Active Sandbox today. Awaiting result: The number of downloaded items that were sent to the Sophos Active Sandbox, and that are currently waiting to be analyzed.
4 Configuration. The Configuration tab provides an interface for setting web security and browsing policy options, and for performing appliance network configuration and administrative tasks. Note: The post-installation tasks do not appear on a Web Appliance that is joined to a Management Appliance, and the only item on the Quick Tasks sidebar is Configure Central Management. The Configuration tab sidebar lists all of the available configuration pages.
malware, blocked sites, when they download large files that take a long time to scan, or warning pages that are displayed when users attempt to access a URL that violates policy. When the above changes are made, or if no changes are desired, these items can be removed by clicking the Remove button to the right of each link.
Note: To reset the default administrator's password, you will need the product activation code that you received when you purchased your appliance. This allows you to enable Sophos Remote Assistance, after which Sophos Technical Support is able to reset the password.
4.1.1.1.1 Administrator Access Rights. Access rights for Full Access and Limited Access Administrators: Administrators may have different access rights, depending on what Roles they have been granted. The following table provides a summary of what each role is able to access.
Note: If there are scheduled reports that have been created by a Limited Access Administrator account, that role cannot be removed from that account until any associated reports have first been deleted. The Reporting Groups page is enabled only for Limited Access Administrators with one or both of the Reporting or User Activity roles selected.
Browse to find the graphic on your local system, and then copy it to the appliance by clicking Upload. If you do not upload your own graphic, the default Sophos logo will be used. Note: It is suggested that you use .jpeg files because the appliance assigns the graphic a default name of image.jpg.
4.1.2.3 Advanced Notification Page Options. Use the Advanced tab to download, edit, and upload notification page templates that allow you to extensively customize the notification pages displayed to your users. There are three different...
The selected notification page template is deleted from the appliance and the appliance reverts to using the relevant default notification pages. c) Click Apply. To upload an image for use in a template: a) Click Browse in the Images section of the Advanced tab.
Important: If you plan to use a custom template, it is strongly recommended that you download the Sophos template, available from the preceding link rather than using a template from another source. Sophos cannot be held responsible for any malicious or problematic code included in other templates or introduced in added code.
(FQDN) of the Web Appliance. It is an essential initial part of the URL for any of the Sophos-supplied graphics, but the use of these is optional. If you continue to use any of these graphics, you must retain this page element key, as well as the rest of the URL for the graphic, /resources/images/[filename.ext].
Important: If you plan to use a custom template, it is strongly recommended that you download the Sophos template, available from the preceding link, rather than using a template from another source. It is required that the patience page use CSS that includes all of the elements from the sample patience template CSS for the page to be rendered properly.
%%server_address%%: This page element key provides the fully qualified domain name (FQDN) of the Web Appliance. It is an essential initial part of the URL for any of the Sophos-supplied graphics, but the use of these is optional. If you continue to use any of these...
... </div> tags of the template. It gets replaced with a string in the form <p id="error_text">the error text is here</p> that displays the explanatory text for the appropriate server error provided by Sophos, and it appends any additional text sent by the server that originates the error.
Use the Local Site List page to view all of the URLs that have been added to the list and to manage that list. URLs are added to the list to extend the filtering provided by the Web Appliance to URLs not included in the Sophos site list or to override the default filtering specified in the Sophos site list.
Do not send suspicious files for analysis: do not send any downloaded items for analysis, even if they are suspicious. Note: The Sandstorm option is not available if you do not have a Sophos Sandstorm license. 5. Block PUA Downloads from being downloaded by users by selecting this check box, or allow PUA downloads by clearing it.
URL. In blocking these pages, the content that is behind them is also blocked. Note: Sophos's advanced categorization data uses the most current technical definition for Adware, and thus recognizes the difference between non-malicious adware, such as "cookies"...
4.2.1.1.1.8 Computing and Internet: This category includes sites of reviews, information, buyer's guides of computers, computer parts and accessories, computer software and internet companies, industry news and magazines, and pay-to-surf sites.
4.2.1.1.1.9 Criminal Activity: This category includes sites for advocating, instructing, or giving advice on performing illegal acts;...
4.2.1.1.1.17 Gambling: This category includes sites of online gambling or lottery web sites that invite the use of real or virtual money; information or advice for placing wagers, participating in lotteries, gambling, or running numbers;...
This category includes sites for content delivery networks, XML reference schemas, web analytics and statistics services, transaction servers, and corporate image servers. Note: Sophos recommends that this category of its enhanced categorization data be used for monitoring and reporting purposes only.
4.2.1.1.1.31 News: This category includes online newspapers, headline news sites, newswire services, personalized news services, and weather sites.
4.2.1.1.1.32 Peer-to-Peer: This category includes peer-to-peer file sharing clients and peer-to-peer file sharing servers.
4.2.1.1.1.33 Personals and Dating: This category includes singles listings, matchmaking and dating services, advice for dating or relationships, and romance tips and suggestions sites.
Note: The technical definition of Spyware used for this category may not exactly match the definition used elsewhere by Sophos. This category focuses on filtering malicious and tracking content, not simply adware and cookies. For non-malicious adware filtering, please block the Advertisements and Pop-ups category.
4.2.1.1.1.52 Travel: This category includes sites of airlines and flight booking agencies, accommodation information, travel package listings, city guides and tourist information, and car rentals.
4.2.1.1.1.53 Uncategorized: This category includes all sites that have not been categorized. This means that these sites have not come to the attention of SophosLabs.
3. For web applications that are set to Allow you can also configure Enabled features: a) Click on the row for an application. b) Ensure that only the features you want enabled are selected.
1. Click the name of the custom group that you want to edit. Note: Custom groups, which can be edited, are indicated by a Sophos icon ( ); Active Directory and eDirectory groups, which cannot be edited, are indicated by a directory icon ( ).
The custom group that you want to delete must not be in the Selected Entries list. Note: Custom groups, which can be deleted, are indicated by a Sophos icon ( ); Active Directory and eDirectory groups, which cannot be deleted, are indicated by a directory icon ( ).
Only the users/groups selected below: This will apply the default policy for internet access for users in the selected groups and block access to all others. 2. In the Available Groups list, select the groups that will be blocked (if you chose the first option in step 1) or that will have the default policy applied to their browsing (if you chose the second option in step 1).
Do not send suspicious files for analysis: do not send any downloaded items for analysis, even if they are suspicious. Note: The Sandstorm option is not available if you do not have a Sophos Sandstorm license. c) Allow user feedback from the notification pages by selecting this check box or remove this option by clearing it.
Related tasks: Configuring Tags on page 94; Configuring Sandstorm on page 103. 4.2.3.2 Disabling a Special Hours Policy: 1. Ensure that the Daily from, And from, and And all day on weekends check boxes are all cleared.
Name and Schedule page of the Additional Policy Wizard. Note: Sophos Endpoint Web Control cannot enforce quota time. If you use Endpoint Web control you can configure an alternate action on the Configuration > System > Endpoint Web Control page.
Related tasks: Controlling Web Applications on page 93; Endpoint Web Control on page 144. 4.2.4.2 Selecting Users. On the Select Users page of the Additional Policy wizard, set the users or groups to which you want the additional policy to apply: In the Groups list, select the groups that you want, and click the right arrow button to move them to the Selected groups list.
Note: The current option, whether it is Allow, Warn, or Block, is shown as Use default, indicating the state as set in the default or special hours policy at the time that the additional policy is first created.
4.2.4.4 Configuring Download Types. On the Download Types page of the Additional Policy wizard, you can modify any of the default policy settings or leave them unchanged to accept the default. Modify the settings or accept the default settings for any of the Download Types that you want to change by selecting: —...
3. Click Next or Save. Related concepts: Quota Time on page 90; Default Policy on page 75. Related tasks: Configuring Site Categories on page 91; Configuring Tags on page 94; Configuring the Local Site List on page 97. 4.2.4.6 Configuring Tags...
6. Move to the next page of the wizard by clicking either the Name and Schedule icon or the Next button. Related concepts: Using Tags on page 95; Quota Time on page 90...
Do not send suspicious files for analysis: do not send any downloaded items for analysis, even if they are suspicious. Note: The Sandstorm option is not available if you do not have a Sophos Sandstorm license. 2. Under Quotas select the number of quota minutes allowed for this policy.
URLs are added to the list to extend the filtering provided by the Web Appliance to URLs not included in the Sophos site list or to override the default filtering specified in the Sophos site list. The URLs listed in the Local Site List can be edited to change their Tags, Risk class, or Site category, or they can be deleted from the list.
Page 98
98 | Configuration | Sophos Web Appliance The default display of the list, if you accessed it by clicking Local Site List on the Configuration tab s sidebar, is to show all Local Site List entries. If you accessed this page from the Security Filter page, the list is limited to showing only entries that match the Risk class option from which you accessed this page.
Page 99
Sophos Web Appliance | Configuration | 99 4.2.5.1 Using the Local Site List Editor 1. On the Configuration > Group Policy > Local Site List page, click Add Site. 2. In the Specify the site to add text box, enter the URL, domain, top-level domain (TLD), IP...
100 | Configuration | Sophos Web Appliance wizard you can apply one or more tags to a URL. For tags to work, you must perform the configuration steps in both places. There are, however, three system tags: Globally allowed sites, Globally blocked sites, and Never send to Sandstorm.
Sophos Web Appliance | Configuration | 101 This option allows you to check the time periods that a time-specific Additional Policy will affect the specified site for the specified user. 4. Click Test. The security risk level, category, and the policy rules for the default, special hours, and additional policies that are applied to that URL or user, as well as any tags that are applied to it, are displayed in the Results section.
102 | Configuration | Sophos Web Appliance Use the Certificate Validation page to set whether HTTPS certificates are automatically validated, and to add certificates not in the Sophos certificate list to the Custom certificate list for automatic validation. Use the Download Options page to allow or block access to specific types of downloads.
If medium risk sites are set to Scan, all files on unclassified sites are scanned, regardless of file type. Sophos recommends setting unclassified sties to Low risk to ensure an optimal balance between scanning and user experience.
You can override the default behavior by selecting a data center in the Sandstorm data center list. Note: Changing data centers may affect any analysis that is currently in progress. Related concepts Default Policy...
Sophos-generated certificate authority. This replaces the original certificate, which requires that you download and install the Sophos-generated certificate authority into your users' browsers, which can be done as a centralized system administration operation using Active Directory Group Policy...
Apply. To create and manage a list of sites exempted from scanning, see the "Managing HTTPS Scanning Exemptions" page. To download a copy of the Sophos certificate authority, see the "Downloading the Certificate Authority" page. Related concepts...
— a specific URL, such as host.example.com/page.html
Optionally, you can append a port number (for example, example.com:443). If a port number is not appended, a port number of 443 is assumed. Note: The sites that typically require exemption are software activation and update sites, software that validates the site certificate (such as some instant messaging clients and banking software), and any specific HTTPS sites you do not want scanned.
If Certificate Validation is enabled, your users will only be able to access HTTPS sites that use a certificate listed in the Sophos certificate list or the Custom certificate list. If your users attempt to access HTTPS sites that use certificates from sources that are not in these lists, the Invalid certificate page is displayed and access to the requested site is blocked.
Delete, and then click Apply. To view Sophos root authorities, at the bottom of the custom certificates list, click View Sophos root authorities, and browse the list of the root certificate authorities supplied by Sophos in the Root Authorities pop-up dialog box.
to download any certificate other than the Sophos-generated certificate. Be sure to turn HTTPS scanning back on once you are done.
1. Click Browse, and navigate to the certificate file that you want to add.
Web Appliance.
SophosLabs
To share data with Sophos that will help improve the protection provided by your Web Appliance, select the SophosLabs check box, and click Apply. Note: No data shared with Sophos will contain information in which user identities are shown or can be deduced.
Note: If the Logging mode check box is cleared, several reports will always show "No Data": Reports > Policy & Content > Suspect Machines and reports in the Reports > Users section. All searches will show "No Data" as well.
Use the Time Zone page to set the local time that is used to indicate the time in appliance transaction log files and reports. Use the Central Management page to join this Web Appliance to a Sophos Management Appliance for centralized configuration, centralized policy control, and consolidated reporting.
Important: Sophos recommends you select Enable automatic updates. If you choose to only update manually, you should still apply updates in a timely manner. If Enable automatic updates...
Related tasks Restore on page 122
4.4.1.2 Checking Update Status
Read the information in the Threat definitions and the Software engine tables. The Last updated column shows the date and time of the most recent update.
Set the contact information for the person in your organization who administers the appliance. This information is added to any system status alerts that are submitted to Sophos as part of the managed Web Appliance and Management Appliance support program.
4.4.2.3 Adding a Search Term Alerts Recipient
You can create a list of recipients who receive an email notification any time that a user query contains a term that has been specified in the Search Terms list.
4.4.2.5 Turning Off/On Sophos Support Alerts
You can turn the alerts that are sent to Sophos Technical Support off or back on. This option is disabled by default, although the current setting is preserved during upgrades. Turning Sophos support alerts off is typically done during testing to avoid unnecessary contact from Sophos Technical Support.
6. Click Apply.
4.4.2.7 Setting a Support Contact
You can set the contact information for the person Sophos should contact if your appliance experiences a problem. This information is added to any system status alerts that are submitted to Sophos as part of the managed Web Appliance and Management Appliance support program.
United Arab Emirates 97143754332
United Kingdom 441235465818
United States and Canada 17814945800
For other countries' phone number formats, see International Telecommunication Union - Dialing Procedures.
4.4.3 Backup
On the Configuration > System > Backup page, you can set the appliance to automatically upload system configuration data and log data to an FTP site at regular intervals as backup.
Hostname, Connection Status, Referrer, and User-agent to help Sophos Technical Support troubleshoot potential issues. Sophos format logs may be viewed using a text editor. Squid format logs may be viewed using third party Squid log analysis tools, such as Kraken Reports. Sophos makes no guarantees, no warranties, accepts no responsibility, and offers no technical support for such third party programs.
If you select this option, you can also save the data to a different location on your FTP server by selecting Use alternative FTP path and, in the adjacent text box, entering the path to the directory where you want the report data to be backed up.
We suggest that you use the network time protocol on your Active Directory server with 0.sophos.pool.ntp.org as the NTP server, which is the NTP server pool used by the appliance. If you use a different NTP server for your Active Directory server, you must...
445 (raw SMB) and 139 (NetBIOS over TCP/IP) are open for TCP on that firewall in order to perform Active Directory authentication. Requirements for an Active Directory Forest: Sophos supports the integration of an Active Directory forest with the appliance only if the following conditions apply: Integrate with only a single Active Directory forest containing a single Active Directory tree.
synchronize: your users may complain about authentication pop-ups that repeatedly fail, and the subdomain groups may disappear from the Configuration > Group Policy > Default Groups page. Although this situation may resolve itself automatically in certain circumstances, it will likely recur.
global catalog of an Active Directory forest with a single Active Directory tree, the user account must have permissions to authenticate users in multiple subdomains. Be sure to use an Active Directory account with only the privileges that are required.
If you chose the Auto-detect advanced settings option, the remaining fields of the Active Directory settings are automatically filled. The appliance will first look for an Active Directory global catalog at port 3268. If it can't find that, it defaults to a single-domain Active Directory configuration using port 389.
relationship with another domain, another.local. On Configuration > System > Active Directory, enter the following:
Active Directory domain: Enter the FQDN and not the NetBIOS domain name of the root parent domain.
Username: Enter the username without any domain information.
On a joined Web Appliance, you must select Configure eDirectory settings locally to make these text boxes editable. If you do not, your joined Web Appliance's LDAP information is synchronized from your Management Appliance.
7. To set which IP addresses and CIDR ranges are available for unauthenticated browsing:
a) In the eDirectory Options section, select Do not associate eDirectory usernames with the following IP addresses.
b) Click Add.
improve performance of eDirectory identification on the Appliance.
Reduce Root Server Load
Properly configured connections to local replicas can greatly reduce the load on your root server. The Web Appliance regularly pulls identification information. Communicating with a local replica for the given organizational unit will reduce the load on your root eDirectory server.
4.4.7.1 About Authentication
When configuring authentication, you have two main choices: bypass authentication or authenticate using selected options. If you choose to bypass authentication, web traffic is filtered by the appliance's Default Policy rules, or Additional Policies that are based on IP addresses and IP ranges.
Related tasks
Configuring Active Directory Access on page 124
Additional Policies on page 89
Configuring Active Directory to support Kerberos for Mac OS X on page 134
Adding a Connection Profile on page 139
4.4.7.2 Configuring Authentication...
failure (see the next step), users can gain entry to the network through a guest link on the portal page.
— Enforce a timeout: Specify the number of hours and minutes for which the users will remain authenticated.
4.4.7.3 Configuring an Authentication Profile
Select Configuration > System > Authentication > Profiles to configure an authentication profile based on a connection profile that you have created. You can also create authentication profiles that apply to specific destination sites.
Note: There is an "and" relationship between selected connections and destinations.
5. Click Next.
6. Choose an authentication method. Select Bypass authentication (Web traffic is filtered according to IP-based policy rules.) Select Authenticate using (Depending on the options selected, authentication can be performed for both Active Directory users and guest users.)
To change the priority of a profile, click the up or down arrow next to the profile name to increase or decrease its ranking. Click Save Order to preserve the re-arranged profile ranking, or click Reset Order to revert to the last saved order.
6. Click Save. The “Mobile Devices” profile is displayed in the Connection Profiles list. The In use status is No.
Creating an Authentication Profile
1. Select Configuration > System > Authentication.
2. Select the Profiles tab.
Related tasks Adding a Connection Profile on page 139 Configuring an Authentication Profile on page 135
4.4.8 Connection Profiles
Use the Configuration > System > Connection Profiles page to configure profiles based on IP address, device type, client application, or any combination of these.
Select Include only the following IPs in this profile
1. In the IP Addresses or IP ranges text box, enter an address or range, and click Add. The new entry is displayed in the list below.
Joining a Web Appliance to a Sophos Management Appliance will interrupt web browsing through that Web Appliance while LDAP user and group information is copied to the Sophos Management Appliance. You should plan to join during periods of low usage for your Web...
In order to join a Web Appliance to a Sophos Management Appliance, both appliances must be running the same software engine versions. Check Configuration > System > Updates, and perform any necessary updates before joining.
The Configuration pages are increased in number, and some have expanded content.
4.4.10.3 On a Management Appliance: Configuring Joining Options
Use the Configuration > System > Central Management page on a Sophos Management Appliance to configure central management options. To allow Web Appliances to join this Management Appliance, select Allow Web Appliances to join this Management Appliance, and click Apply.
Certificates and Certificate Authorities
4.4.12 Endpoint Web Control
If you want to use an appliance together with Sophos Enterprise Console, you must provide Enterprise Console with an appliance hostname and an authentication key. Once this is configured, a web control policy can be applied to the endpoint machines by the designated appliance.
Quota Time on page 90
4.4.12.1 Viewing Connected Endpoints
If you are using an appliance together with Sophos Enterprise Console, you can view details of all connected user machines, or specific user machines, that are running Sophos Endpoint Security and Control.
Since this list of endpoints can be very large, you can click Show Filters, and use the available search features to narrow the endpoints that are displayed. On the Dashboard, click Connected endpoints.
Note: The appliance uses 172.24.24.173 as the network address to access its initial configuration. This may cause routing conflicts if your local network also uses addresses in the range of 172.24.24.0-255. Contact Sophos Technical Support for a solution if this applies to your deployment.
[Optional] From the Deployment Mode drop-down list, select the mode that you want to use. The options are:
— Explicit proxy: Select this option if you have elected to use the explicit network deployment.
4.5.1.1 Configuring Advanced Settings
Additional IP routes enable the Sophos Web Appliance to process requests from client machines with IP addresses that reside outside of the appliance's subnet by re-routing the requests from those IP ranges.
The Hostname to IP Address map feature allows you to map a hostname to an IP address. This feature is used to resolve hostnames or sites (for example, Active Directory servers) that the configured DNS server is not aware of.
Important: Setting the outgoing SMTP mail server is essential if you want to receive emailed alerts or reports, or if you want the Sophos Managed Appliance Service. If you do not want these features or this service, do not configure the Outgoing SMTP mail server, and be sure to turn Sophos Technical Support alerts off on the Configuration >...
ISA/TMG servers section.
2. Install the ISA/TMG server plug-in.
a) Click Download the Sophos ISA/TMG plug-in to download the plug-in for installation on your ISA/TMG server. The ISA/TMG plug-in is compatible with Microsoft ISA Server 2004 and 2006, and Microsoft Forefront TMG 2010.
3. Click Apply.
4.5.3 Configuring WCCP
To enable integration between your Sophos Web Appliance and WCCP routers, use the Configuration > Network > WCCP page. Your deployment can be in either Transparent Mode...
4. Enter the IP addresses for your routers. For routers using a multicast IP address, enter one IP address, and click Add. For a router with unicast IP addresses, enter one IP address, and click Add. Do the same for each router.
Use the Configuration > Network > Network Connectivity page to test the appliance's ability to access the Sophos site via the internet, which is required to receive regular security data and software updates, as well as to provide users with filtered access to the internet.
4.5.6 Running the Diagnostic Tools
The appliance offers a set of diagnostic tools that you can use to diagnose problems connecting to remote websites. Before trying these tools, you should ensure that you have checked the connection, using the Configuration > Group Policy > Policy Test page to confirm that access to the site is allowed by the policy.
5 Reports
The Reports tab provides graphical and textual data on a variety of aspects of Web Appliance activity and performance. On the left side of the tab is a navigation sidebar with links to the individual reports pages.
5.1.5 Users: Sandstorm Users
By default, this report displays a pie chart of the top five users who have had the most files referred to Sophos Sandstorm, plus all others, each shown as a percentage of the total number of files flagged as suspicious today since midnight.
Excluded: files that were not sent for analysis due to policy settings.
Total: the total number of files that were flagged as suspicious.
Click on a username or IP address to view a Search > By User of all URLs blocked by the policy.
5.1.8 Users: Policy Violators
By default, this report displays a pie chart of the top five policy violators, plus all others, each shown as a percentage of the total number of policy violations today since midnight. The data table shows the following: a full list of users who violated policy during the reporting period.
Total bytes for each user, or bytes for the specified direction.
Total bytes for each of the top 5 destinations for each user listed.
Note: The Top Bandwidth Users report may not match Browse Summary By User reports, as the former includes all data, while the latter include only data from initial page hits and do not include any content, such as images or CSS.
Note: Usernames are specified in the format DOMAIN\User in the text box to the right of the report. Alternatively, if Active Directory integration is not enabled, an IP address may be specified. Usernames for eDirectory are specified in the form user.context. This report may also be generated for a specified user by clicking the username in the Top Users By Browse Time report.
Click on a username to drill down to an Activity Search By User to view all the URL requests, filtered for the user you clicked on and the time period that you are currently viewing.
5.1.17 Users: Users By Search Queries
A data table is displayed showing user queries that match keywords and phrases you have specified in the Search Terms list. No data is shown in this report unless you have added one or more entries to a Search Terms list that is turned on.
Clicking on a site in the list performs a Recent Activity Search: By Site. You can sort the results according to site visits, unique users, or the number of bytes consumed. The available search parameters vary from one report to another. See “Modifying Reports” for a description of each parameter.
Clean: files that have been analyzed and that exhibit no malicious behavior. Malicious: files that Sophos Sandstorm has determined are malicious. Analysis unsuccessful: files that could not be analyzed. Excluded by policy: files that were not sent for analysis due to policy settings.
Details: The name or names of any detected threats. Clicking the name of a threat will open the webpage with the corresponding Sophos threat analysis. To block or unblock all listed machines, use the Block All or Unblock All buttons at the bottom of the page.
Last: From the drop-down list, select a time increment for the report. Then, in the text box, enter a number specifying the time period (for example, 7 days). Partial minutes, hours, weeks, days, and months count toward the total number specified. Time frames are defined as follows: —...
— Hits: Ranks the results according to the number of times a site was accessed, broken down by domain (for example, yahoo.com).
— Matched terms: Ranks the results according to the number of times a string or substring is included in a user query.
5.4 Exporting Reports
Report data is exported in comma separated value (CSV) format.
1. On the Reports sidebar, click the name of the report that you want to export. The report is displayed.
Top Bandwidth Users
Top Users By Browse Time
Top Users By Category
Users By Search Queries
Allowed Sites
Warned Sites
Blocked Sites
Categories
Downloads
Note: Reporting data is restricted based on choices made when creating reporting groups. A full administrator has access to all information.
1. Click the name of the custom group that you want to edit. Note: Custom groups, which can be edited, are indicated by a Sophos icon; Active Directory and eDirectory groups, which cannot be edited, are indicated by a directory icon.
The custom group or groups that you want to delete must not be in the Reporting groups list. Note: Custom groups, which can be deleted, are indicated by a Sophos icon; Active Directory and eDirectory groups, which cannot be deleted, are indicated by a directory icon.
5.5.2.1 Creating a Scheduled Report
1. At the top of the Scheduled reports table on the Reports > Options > Report Scheduler page, click Add. The Report Package page of the Report Scheduler wizard is displayed.
The example report may include only a fraction of the specified reporting period, depending on the day that you request the preview.
12. Click Save. Before saving, you can click Previous to return to the preceding pages of the wizard to review or change the settings in those pages.
sent to the recipients. The report will cover the one-month period prior to the selected reporting day.
7. Optionally, in the Report scheduler name text box, change the name for the scheduled report.
5.5.3 Report Exemptions
The Reports > Options > Report Exemptions page allows you to exempt selected report categories and specified domains from report data. If report exemptions are enabled, and they apply to the report you are running, this is indicated in both the Reports status bar and the bottom left corner of the report.
To exempt a domain:
1. On the Reports > Options > Report Exemptions page, select Exempt Domains.
2. Enter a single domain, and click Add. Or click Enter multiple domains, type each domain name on a new line, and click Add.
4. [Optional] Select Include substring matches if you want your listed terms to also match within words and phrases in search queries. For example, if you specify the term “drug,” and enable substring matches, the appliance will report on queries that include the word “drug,” along with variants such as “drugs”...
1. In the Search terms list, click the name of the list that contains the term you want to remove. The Search Terms List dialog box is displayed.
2. Select the check box next to the term, and click Delete. To remove multiple terms at once, select the appropriate check boxes, and click Delete.
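The Include substring matches option above changes what counts as a hit for a term in a Search Terms list. The Python below is an added example, not the appliance's own code: it runs a constructed set of user queries against a term list with and without substring matching and tallies the results per user and per term in the shape of the Users By Search Queries report and its Matched terms ranking; whole-word matching via word boundaries, case-insensitive comparison, and literal phrase matching are assumptions about the appliance's behaviour.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of (user, query) pairs; not real appliance log data.
# Users are given in the DOMAIN\User form, or as an IP address when no
# directory identity is available, as the report text describes.
SAMPLE_QUERIES = [
    ("CORP\\alice", "cheap drugs online"),
    ("CORP\\alice", "drug interaction checker"),
    ("CORP\\bob", "drugstore near me"),
    ("CORP\\bob", "weather tomorrow"),
    ("10.0.0.7", "DRUG policy at work"),
    ("CORP\\carol", "gambling odds"),
]


def compile_terms(terms, substring_matches):
    """Build one case-insensitive regex per term.

    With substring matching enabled, 'drug' also matches inside 'drugs' or
    'drugstore'; without it, the term must appear as a whole word (or whole
    phrase).  Word-boundary semantics and case folding are assumptions.
    """
    compiled = {}
    for term in terms:
        pattern = re.escape(term.strip())
        if not substring_matches:
            # Reject a letter/digit/underscore on either side of the term.
            pattern = r"(?<!\w)" + pattern + r"(?!\w)"
        compiled[term] = re.compile(pattern, re.IGNORECASE)
    return compiled


def match_queries(queries, terms, substring_matches=False):
    """Return [(user, query, [matched terms])] for queries hitting any term."""
    compiled = compile_terms(terms, substring_matches)
    hits = []
    for user, query in queries:
        matched = [t for t, rx in compiled.items() if rx.search(query)]
        if matched:
            hits.append((user, query, matched))
    return hits


def matched_terms_ranking(hits):
    """Count how many queries each term matched, most frequent first."""
    counter = Counter()
    for _, _, matched in hits:
        counter.update(matched)
    return counter.most_common()


def users_by_search_queries(hits):
    """Group matching queries per user, as the Users By Search Queries report does."""
    per_user = defaultdict(list)
    for user, query, _ in hits:
        per_user[user].append(query)
    return dict(per_user)


if __name__ == "__main__":
    terms = ["drug", "gambling"]
    for substring in (False, True):
        hits = match_queries(SAMPLE_QUERIES, terms, substring_matches=substring)
        print(f"substring matches = {substring}: {len(hits)} matching queries")
        for term, count in matched_terms_ranking(hits):
            print(f"  {term}: {count}")
        for user, queries in users_by_search_queries(hits).items():
            print(f"  {user}: {queries}")
```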
6 Search
Use the search functionality to search user activity, sandbox activity, and user requests. The Search tab allows you to: Perform a Recent Activity Search (of users' activity) By User (username or IP address), or By Site requested.
— hours: Any complete hours within the specified span, plus the elapsed portion of the current hour.
— days: Any complete days within the specified span, plus the elapsed portion of the current day.
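Under the "Last N" time-frame rule described above and in Modifying Reports, the elapsed portion of the current period counts as one of the N, so "last 7 days" reaches back to midnight six days ago rather than 7 x 24 hours. The Python below is an added example, not the appliance's implementation, that computes the start of such a span for each unit; Monday as the first day of a week and calendar months are assumptions not stated in the manual.

```python
from datetime import datetime, timedelta


def reporting_window_start(now, count, unit):
    """Start of a 'Last <count> <unit>' span.

    The partial current period counts as one of <count>, so the span covers
    (count - 1) complete periods before the current one.  Week start on
    Monday and calendar-month boundaries are assumptions.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    complete = count - 1  # complete periods preceding the current partial one
    if unit == "minutes":
        current = now.replace(second=0, microsecond=0)
        return current - timedelta(minutes=complete)
    if unit == "hours":
        current = now.replace(minute=0, second=0, microsecond=0)
        return current - timedelta(hours=complete)
    if unit == "days":
        current = now.replace(hour=0, minute=0, second=0, microsecond=0)
        return current - timedelta(days=complete)
    if unit == "weeks":
        midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
        current = midnight - timedelta(days=midnight.weekday())  # Monday (assumed)
        return current - timedelta(weeks=complete)
    if unit == "months":
        # Step back `complete` calendar months, carrying across year ends.
        month_index = (now.year * 12 + now.month - 1) - complete
        return datetime(month_index // 12, month_index % 12 + 1, 1)
    raise ValueError(f"unknown unit: {unit}")


def in_window(timestamp, now, count, unit):
    """True if a log timestamp falls inside the 'Last <count> <unit>' span."""
    return reporting_window_start(now, count, unit) <= timestamp <= now


def window_start_iso(now_iso, count, unit):
    """Convenience wrapper: ISO 8601 string in, ISO 8601 string out."""
    start = reporting_window_start(datetime.fromisoformat(now_iso), count, unit)
    return start.isoformat()


def in_window_iso(ts_iso, now_iso, count, unit):
    """String form of in_window for quick checks against log timestamps."""
    return in_window(datetime.fromisoformat(ts_iso),
                     datetime.fromisoformat(now_iso), count, unit)


if __name__ == "__main__":
    # Constructed "now": a Wednesday afternoon.
    now = "2024-03-13T14:35:20"
    for count, unit in [(5, "minutes"), (1, "hours"), (7, "days"),
                        (2, "weeks"), (3, "months")]:
        print(f"Last {count} {unit}: from {window_start_iso(now, count, unit)}")
```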
requests under Requests. Clicking a site will open the By User search for the user, using that site for the Filter by site option.
c) Click Search. The results are displayed in the content pane.
Use the File Type filter to select downloads by their file type.
d) Use the Status filter to select downloads using their Sophos Sandstorm analysis result.
e) Use the Released filter to select whether you want to filter for released files, unreleased files, or all files.
6.3.1 Viewing a User Submission Search
There are three user submission searches available for you to view:
Sites: Lists the user requests for unblocking or recategorizing sites.
PUAs: Lists the user requests for unblocking or recategorizing potentially unwanted applications.
The User Submissions: Sites dialog box is displayed.
b) See Managing User Site Submissions on page 186 for instructions on the use of this dialog box.
To allow a user's request for access to a PUA:
a) Click the URL of the PUA that the user wants to access.
2. If you chose the Add this URL to the Local Site List option, set one or more of the following by selecting the check box beside the option and taking the described action:
Apply a tag to this URL: Select an available tag from the drop-down list or enter a new tag.
Click Shutdown to restart or shut down the Web Appliance. A confirmation prompt is displayed. Click Shutdown or Restart to perform the operation of your choice. Note: Sophos strongly suggests that you use these software shutdown and restart options, as using the appliance's power button or reset button, as described in Appliance Hardware on page 11, may lead to file corruption and data loss.
Message: Provides details of the latest alert.
Potential remedies: Describes possible solutions for the latest alert. For most warning and critical alerts, you are advised to contact Sophos Technical Support.
Last exception at: Shows the date in MM/DD/YYYY format and the time in 12-hour, AM/PM format for the latest unacknowledged alert.
Sophos site to receive threat definitions or software updates. A critical alert is issued if the appliance is unable to connect to the Sophos site after six hours. — System updates: A critical alert is triggered when a system software update fails or if the software is out of date.
Appliance will no longer be downloaded to the Joined Appliance. License: — Sophos license: A warning alert is triggered when there are less than 30 days left on a trial license, and it continues until 10 days after a trial license expires. A critical alert is triggered 10 days after a trial license expires, and the appliance stops categorizing sites.
The Web Appliances section contains six columns of information:
— Web Appliances: The name of the Web Appliance. Click the hostname or IP address of the Web Appliance to view the system status of that system.
— Last contact: The time that has elapsed since the last contact with this appliance.
—...
Lists the appliance license information. Sophos Support: Provides a form for quick submission of a Sophos Technical Support request, as well as a mechanism for establishing a remote assistance session for Sophos support engineers. Online Help PDF: Opens an Adobe Acrobat version of the appliance help in US Letter page size.
Help window titlebar provides two options for getting help from Sophos Support Services. You can either submit a support request via email, or you can enable remote assistance to your system via an outbound SSH (Secure SHell) connection to Sophos Support Services.
8.4 About
The About page displays the appliance license information. To display the "About" page information:
1. On the Help window sidebar, click About. The following information is displayed: number of users licensed to use the appliance...
A Configuring Ports
To ensure the functionality of the Sophos Web Appliance, configure your network to allow access on the ports listed below. Some ports are required only for specific situations, such as when you enable FTP backups or central management.
Port Function Service Protocol Connection
DNS queries: Outbound from Appliance to LAN
administrative web interface: HTTP; Inbound from LAN to appliance
Kerberos authentication: KERBEROS, TCP/UDP; Inbound/outbound between appliance and AD server
MS NetBIOS session...
This section contains information on adding the Sophos root certificate in different web browsers.
B.1.1 Adding the Sophos Root Certificate in Internet Explorer
The Install Root Certificate page of the setup wizard prompts you to install the Sophos root certificate. This page provides instructions for adding that root certificate in Internet Explorer.
Users Browsers
B.1.2 Adding the Sophos Root Certificate in Firefox
The Install Root Certificate page of the setup wizard prompts you to install the Sophos root certificate. This page provides instructions for adding that root certificate in Firefox. To install the Sophos root certificate in Firefox:
1.
B.2.1 Internet Explorer Proxy Configuration
1. Select Tools > Internet Options. The Internet Options dialog box is displayed.
2. On the Connections tab, click LAN Settings. The Local Area Network (LAN) Settings dialog box is displayed.
4. Select the Use this proxy server for all protocols check box.
5. In the No Proxy for text box, enter "localhost, 127.0.0.1".
6. Click OK. Your settings are saved and the Connection Settings dialog box closes.
Internet Explorer (version 7 and earlier) limits the number of concurrent connections to a server to 2. This creates a performance bottleneck for the Sophos Web Appliance. In order to improve performance, you will need to increase the number of concurrent connections on your users' systems to 10.
Related concepts Active Directory on page 123 Related tasks Transparent Deployment on page 29...
Appliance-generated email
Background: The Web Appliance provides a managed appliance experience that is enabled in part by sending system status snapshots as email attachments to Sophos to ensure that your Web Appliance is operating within acceptable thresholds.
Problem: Firewalls can strip attachments from Web Appliance-generated email.
RealPlayer Content Appears to be Blocked
Problem: RealPlayer content fails to play. This is typically a firewall configuration issue and not a Web Appliance problem. RealPlayer uses port 554, which is typically blocked in default firewall configurations.
C.2.5 Could not join the domain
The appliance could not join the specified Active Directory domain, possibly due to insufficient privileges for the given Username and Password. Check the Active Directory Domain Controller, update the required fields on the System: Active Directory page, and click Verify Settings again.
C.2.12 No IPC share found
The appliance could not detect an IPC share on your Active Directory Domain Controller. Check the Active Directory Domain Controller, update the required fields on the System: Active Directory page, and click Verify Settings again.
Controller on the Configuration > System > Time Zone page. The network connection between the appliance and the Domain Controller is working. If the above checks fail to identify the problem, please contact Sophos Technical Support.
C.2.16 Subdomain failed to authenticate
The configuration detection for one or more of your subdomains did not complete successfully.
C.3.1 Invalid credentials

The appliance could not authenticate with the given Authentication DN and Password. Update these fields on the Configuration > System > eDirectory page with the correct information, and click Verify Settings again.
The network connection between the appliance and the eDirectory server is working. The eDirectory server's logs indicate that it is operating correctly. If the above checks fail to identify the problem, please contact Sophos Technical Support.

C.3.9 Network is unreachable

The appliance could not authenticate with the server because the network is unreachable.
Solution: After the replacement Management Appliance has had configuration data restored to it, and you have ensured that its fully qualified domain name and IP address are correct, each Web Appliance that was joined to the previous Management Appliance must be reverted to standalone mode, then re-joined to the replacement Management Appliance.
Port table (columns: Port, Function, Service, Protocol, Connection; the port numbers are not recoverable from this page):

Central configuration, status and reporting: Outbound from Web Appliance to Management Appliance (if collocated)
DNS queries: Outbound from Appliance to LAN
Administrative web interface: HTTP...
To overcome this problem, the Web Appliance includes most reliable certificate authorities, and it can automatically validate certificate authorities against the Sophos certificate authority list. You can also add custom certificate authorities. This allows you to prevent users from accepting certificate authorities on their own.
However, because the traffic has been decrypted, the original site certificate cannot be used by the browser to authenticate the connection, so the original certificate is replaced by one generated automatically on the appliance using a Sophos-generated certificate authority. Because this replaces the original certificate, you must download and install the Sophos-generated certificate authority into your users' browsers.
The Web Appliance creates a certificate for its secure session with the user. The returned page goes through the following process:

The secure site sends an HTTPS page to the Web Appliance.
Some web services are incompatible with proxies that scan HTTPS content, and, therefore, it is recommended that you exempt them from HTTPS scanning. Of these, the Webex service webex.com is exempted from HTTPS scanning by default. Some software applications use HTTPS for registration and expect specific certificates from the systems that are registering.
Backup page, if you have the Transaction log files at least once daily at midnight option selected, and you have chosen to back up the logs in the Sophos format. If you have chosen to back up the logs in the Squid format, see the Squid log format page.
Data Fields

The following table explains the keys used in the sophos_log file.

Field: ep
Description: This setting is optional and is only displayed if you are using Endpoint Web Control. A value of ep=1 means the browsing occurred on the endpoint computer, and that this entry was then uploaded to the appliance.
Field: cat
Description: Matched URI category ID (e.g. 0x2n00000034). The n indicates the risk level: 0=unclassified, 1=trusted, 2=low, 3=medium, and 4=high. For a full listing of the values used with the cat key,...
Field: (name not recovered)
Description: HTTP request string (including request method, URL requested, and request protocol).

Field: (name not recovered)
Description: Domain portion of the request URI.

Field: filetype
Description: Sophos filetype category (e.g. both 'application/x-gzip' and 'application/x-bzip2' belong to the category 'archive.compress').

Field: rule
Description: Policy rule ID matched for this request. Local Site List categorization rules are prefixed with 'LSL-'.
This is configured in the Naming & Scheduling tab of the Additional Policy wizard: Configuration > Group Policy > Additional Policies.

Field: sandbox
Description: Identifies whether a download should be sent to the sandbox component of Sophos Sandstorm.

Special Notes

The basic format is [key]=[value], with no whitespace between the key, the equals character and the value.
n: U+006E, Latin Small Letter N
é: U+00E9, Latin Small Letter E with Acute
s: U+0073, Latin Small Letter S

The list of supported fields will change. Implementers are encouraged to silently ignore fields containing an unrecognized key.
Category ID / User-visible category name:

0x2n0000000E  Finance & Investment
0x2n0000000F  Food & Dining
0x2n00000010  Gambling
0x2n00000011  Games
0x2n0000002A  Search Engines
0x2n0000002B  Sex Education
0x2n0000002C  Shopping
0x2n0000002D  Society &...
Sophos log value / Description:

sandbox=3   Sandbox fast response: file is clean.
sandbox=4   Sandbox cloud response: file is clean.
sandbox=-1  Sandbox fast response: file is malicious.
sandbox=-2  Sandbox fast response: error occurred.
sandbox=-3  Sandbox cloud response: file is malicious.
sandbox=-4  Sandbox cloud response: error occurred.
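The following parser is an added example, not code from the Sophos manual or product. It applies the rules above to a sophos_log line: key=value fields with no whitespace around "=", unknown keys silently ignored, the risk nibble of cat decoded against the category table, the LSL- rule prefix recognized, and sandbox codes mapped to their meaning. It assumes fields are whitespace-separated and that values may be double-quoted; the sample line is constructed.

```python
import re

# Category IDs from the manual's table; the "n" risk nibble is handled separately.
CATEGORY_NAMES = {
    0x0E: "Finance & Investment", 0x0F: "Food & Dining", 0x10: "Gambling",
    0x11: "Games", 0x2A: "Search Engines", 0x2B: "Sex Education", 0x2C: "Shopping",
}
RISK_LEVELS = {0: "unclassified", 1: "trusted", 2: "low", 3: "medium", 4: "high"}
SANDBOX_CODES = {
    3: "Sandbox fast response: file is clean",
    4: "Sandbox cloud response: file is clean",
    -1: "Sandbox fast response: file is malicious",
    -2: "Sandbox fast response: error occurred",
    -3: "Sandbox cloud response: file is malicious",
    -4: "Sandbox cloud response: error occurred",
}
KNOWN_KEYS = {"ep", "cat", "filetype", "rule", "sandbox"}

# Assumption: fields are whitespace-separated; a value may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
# cat is "0x2" + one risk digit (0-4) + eight hex digits of category ID.
CAT_RE = re.compile(r"^0x2([0-4])([0-9A-Fa-f]{8})$")


def parse_line(line):
    """Return the recognised key=value fields; unrecognised keys are ignored."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line) if k in KNOWN_KEYS}


def decode_cat(cat):
    """Split a cat value such as 0x2300000010 into (risk level, category name)."""
    m = CAT_RE.match(cat)
    if not m:
        return None
    risk = RISK_LEVELS[int(m.group(1))]
    name = CATEGORY_NAMES.get(int(m.group(2), 16), "unknown category")
    return risk, name


def triage(line):
    """Summarise one log line: origin, Local Site List hit, category and sandbox verdict."""
    f = parse_line(line)
    out = {"endpoint": f.get("ep") == "1",
           "local_site_list": f.get("rule", "").startswith("LSL-")}
    if "cat" in f:
        out["category"] = decode_cat(f["cat"])
    if f.get("sandbox", "").lstrip("-").isdigit():
        out["sandbox"] = SANDBOX_CODES.get(int(f["sandbox"]), "unknown sandbox code")
    return out


# Constructed sample line; "zzz" is an unrecognised key that must be ignored.
SAMPLE = 'ep=1 cat=0x2300000010 filetype=archive.compress rule=LSL-7 sandbox=-1 zzz=ignored'
```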
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited. The Sophos Web Appliance and Management Appliance are licensed in accordance with the terms of the Sophos Appliance License Agreement. A copy of this license agreement can be found at http://www.sophos.com/legal.
For any such software covered under the GPL, the source code is available via mail order by submitting a request to Sophos; via email to wsasupport@sophos.com...
A copy of the license agreement for any such included software can be found at http://www.gnu.org/licenses/lgpl.html. Other software programs whose copyright notices are included within the source code for such programs in accordance with their license terms.
OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.
F Contacting Sophos

Sophos Support

If you encounter a problem with your Sophos product, or if it does not function as described in the documentation, contact Sophos Technical Support: http://www.sophos.com/support/

Corporate Contact Information

To contact your local Sophos office, see: http://sophos.com/companyinfo/contacting/...
G Glossary

G.1 Active Directory

Microsoft's implementation of LDAP (Lightweight Directory Access Protocol) on Windows. Active Directory provides LDAP-like directory services for managing identities and permissions of users throughout a network. Active Directory is a hierarchical, object-oriented database in which each object represents a single entity (for example, a user or group).
G.4 certificate authority

Certificate authorities are trusted third parties. They can be root authorities (i.e. explicitly trusted). They can have identities that can be verified by checking with other trusted certificate authorities (such as the root authorities). Or you can choose to designate a CA as trusted (such as an authority within your organization).
The settings stored in Group Policy Objects reference Active Directory units such as sites and domains.

G.10 group

List of users to which differentiated policy settings can be applied. Lists of users that the Sophos email and URL filtering products use as a basis for the policy settings that determine which filtering actions are performed for which users.
The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords. Sophos email and URL filtering products are configured by default to detect phishing schemes.
Sophos is an active member of the Anti Spyware Coalition (ASC). When classifying PUAs, SophosLabs uses the following broad definitions, which are derived from the ASC risk model.
Usually installed and used with user interaction. Occasionally used legitimately in small businesses. Include Remote Control Software as defined by ASC that is not classified as malware.

Dialers

Any application whose primary function is to dial a premium rate phone number.
SophosLabs provides both proactive and rapid solutions for all Sophos customers. Our global network of threat analysis centers ensures Sophos is able to respond to new threats without compromise, achieving the highest levels of customer satisfaction and protection in the industry.
G.25 Web Cache Communication Protocol

WCCP provides a way to redirect web traffic in real time on networks that use Cisco routers and switches. WCCP allows for clustering, failover, load balancing and the transparent deployment of web proxy and security products without additional network configuration or hardware.