8e6 Technologies Enterprise Filter Authentication R3000 User Manual

8e6 R3000 | Enterprise Filter
USER GUIDE for Authentication
Model: R3000
Release 1.10.20 / Version No.: 1.01

Summary of Contents for 8e6 Technologies Enterprise Filter Authentication R3000

  • Page 1: User Guide

    R3000 | Enterprise Filter USER GUIDE for Authentication Model: R3000 Release 1.10.20 / Version No.: 1.01...
  • Page 2: 8e6 Technologies, R3000 Enterprise Filter Authentication User Guide...
  • Page 3: 8e6 Technologies shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein.
  • Page 5: Table Of Contents

    CONTENTS CHAPTER 1: INTRODUCTION About this User Guide ... 1 How to Use this User Guide ... 2 Conventions ... 2 Terminology ... 3 Filtering Elements ... 8 Group Types ... 8 Global Group ... 8 IP Groups ... 9 NT Domain Groups ...
  • Page 6 R3000 Authentication Tiers ... 23 Tier 1: Single Sign-On Authentication ... 25 Net use based authentication process ... 25 Authentication methods ... 27 Name resolution methods ... 29 Authentication setup procedures ... 30 Configuring the authentication server ... 31 LDAP server setup rules ...
  • Page 7 Authentication Solution Compatibility ... 53 Configuring the R3000 for Authentication ... 54 Configuration procedures ... 54 System section ... 54 Group section ... 57 CHAPTER 2: NETWORK SETUP Environment Requirements ... 58 Workstation Requirements ... 58 Administrator ... 58 End User ... 58 Network Requirements ...
  • Page 8 Authentication Form Customization ... 93 Block Page Customization ... 97 CHAPTER 3: NT AUTHENTICATION Join the NT Domain ... 101 Create an NT Domain ... 103 Add an NT domain ... 103 Refresh the NT branch ... 104 View or modify NT domain details ... 105 Domain Settings ...
  • Page 9 User Objects ... 130 Address Info ... 131 Account Info ... 134 SSL Settings ... 135 Alias List ... 137 Default Rule ... 139 Default Rule for Novell eDirectory ... 141 Configure a backup server ... 141 Modify a backup server’s configuration ...
  • Page 10 Step 7: Disable filter options ... 170 Step 8: Attempt to access Web content ... 171 Test net use based authentication settings ... 173 Activate Authentication on the Network ... 174 Activate Web-based authentication for an IP Group ... 175 Step 1: Create a new IP Group, “webauth” ...
  • Page 11 User/Group File Format and Rules ... 209 Username Formats ... 209 Rule Criteria ... 210 File Format: Rules and Examples ... 212 NT User List Format and Rules ... 213 NT Group List Format and Rules ... 214 LDAP User List Format and Rules ... 215 LDAP Group List Format and Rules ...
  • Page 12 If pop-up blocking is enabled ... 237 Add override account to the white list ... 237 Google Toolbar Pop-up Blocker ... 239 If pop-up blocking is enabled ... 239 Add override account to the white list ... 239 AdwareSafe Pop-up Blocker ... 240 If pop-up blocking is enabled ...
  • Page 13: Chapter 1: Introduction

    The R3000 Authentication User Guide contains information about setting up authentication on the network. About this User Guide This user guide addresses the network administrator designated to configure and manage the R3000 server on the network. Chapter 1 provides information on how to use this user guide, and also includes an overview of filtering components and authentication operations.
  • Page 14: How To Use This User Guide

    ...blocker software installed; a glossary on authentication terms, and an index. How to Use this User Guide Conventions The following icons are used throughout this user guide: NOTE: The “note” icon is followed by italicized text providing additional information about the current subject.
  • Page 15: Terminology

    Terminology The following terms are used throughout this user guide. Sample images (not to scale) are included for each item. • alert box - a message box that opens in response to an entry you made in a dialog box, window, or screen.
  • Page 16 • dialog box - a box that opens in response to a... • field - an area in a dialog box, ... • frame - a boxed-in area in a dialog ... • grid - an area in ... • list box - an area in a dialog box, ...
  • Page 17 • pop-up box or pop-up window - a box or window that opens after you click a button in a dialog box, window, or screen. This box or window may display information, or may require you to make one or more entries. Unlike a dialog box, you do not need to choose between options.
  • Page 18: Control Panel

    • sub-topic - a subset of a main topic that displays as a menu item for the topic. • text box - an area in a dialog box, window, or screen that ... • topic - a topic ...
  • Page 19 • tree - a tree displays in the control panel of a screen, and is comprised of a hierarchical list of items. An entity associated with a branch of the tree is preceded by a plus (+) sign when the branch is collapsed. By double-clicking the item, a minus (-) sign replaces the plus sign, and any entity within that branch of the tree...
  • Page 20: Filtering Elements

    Filtering Elements Filtering operations include the following elements: groups, filtering profiles and their components, and rules for filtering. Group Types In the Group section of the Administrator console, group types are structured in a tree format in the control panel. There are four group types in the tree list: •...
  • Page 21: Ip Groups

    IP Groups The IP group type is represented in the tree by the IP icon. A master IP group is comprised of sub-group members and/or individual IP members. The global administrator adds master IP groups, adds and maintains override accounts at the global level, and establishes and maintains the minimum filtering level.
  • Page 22: Nt Domain Groups

    NT Domain Groups An NT domain on a network server is comprised of Windows NT groups and their associated members (users), derived from profiles on the network’s domain controller. The NT group type is represented in the tree by the NT icon...
  • Page 23: Ldap Domain Groups

    LDAP Domain Groups An LDAP (Lightweight Directory Access Protocol) domain on a network server is comprised of LDAP groups and their associated members (users), derived from profiles on the network’s authentication server. The LDAP group type is represented in the tree by the LDAP icon.
  • Page 24: Filtering Profile Types

    Filtering Profile Types A filtering profile is used by all users who are set up to be filtered on the network. This profile consists of rules that dictate whether a user has access to a specified Web site or service on the Internet.
  • Page 25: Static Filtering Profiles

    Other filtering profiles • override account profile - set up in either the global group section or the master group section of the console. NOTE: An override account set up in the master IP group section of the R3000 console takes precedence over an override account set up in the global group section of the console.
  • Page 26: Active Filtering Profiles

    Active Filtering Profiles Active filtering profiles include the global group profile, NT/LDAP authentication profile, override account profile, time profile, and lock profile. Global Filtering Profile The global filtering profile is created by the global administrator.
  • Page 27: Override Account Profile

    Override Account Profile If any user needs access to a specified URL that is set up to be blocked, the global administrator or group administrator can create an override account for that user. This account grants the user access to areas set up to be blocked on the Internet.
  • Page 28: Filtering Profile Components

    Filtering Profile Components Filtering profiles are comprised of the following components: • library categories - used when creating a rule, minimum ... • service ports - used when setting up filter segments on ... • rules - specify which library categories should be ... •...
  • Page 29: Library Categories

    Library Categories A library category contains a list of Web site addresses and keywords for search engines and URLs that have been set up to be blocked or white listed. Library categories are used when creating a rule, the minimum filtering level, or a filtering profile.
  • Page 30: Service Ports

    Service Ports Service ports are used when setting up filter segments on the network (the range of IP addresses/netmasks to be detected by the R3000), the global (default) filtering profile, and the minimum filtering level. When setting up the range of IP addresses/netmasks to be detected, service ports can be set up to be open (ignored).
  • Page 31: Filter Settings

    NOTE: If the minimum filtering level is not set up, global (default) filtering settings will apply instead. Filter Settings Categories and service ports use the following settings to specify how filtering will be executed: • block - if a category or a service port is given a block setting, users will be denied access to the item set up as “blocked”...
  • Page 32: Filtering Rules

    Filtering Rules Individual User Profiles - A user in an NT or LDAP domain can have only one individual profile set up per domain. Filtering Levels Applied: 1. The global (default) filtering profile applies to any user ... 2.
  • Page 33 6. For NT/LDAP users, if a user is authenticated, settings for the user’s group or individual profile from the NT/LDAP domain are applied and take precedence over any IP profile. a. If the user belongs to more than one group in an authentication domain, the profile for the user is determined by the order in which the groups are listed in the Group Priority list set by the global administrator.
  • Page 34 Fig. 1-4 Sample filtering hierarchy diagram
  • Page 35: Authentication Operations

    Authentication Operations R3000 Authentication Protocols The R3000 supports two types of authentication protocols: Windows NT LAN Manager (NTLM), and Lightweight Directory Access Protocol (LDAP). • NTLM authentication supports NTLM authentication running on any of the following servers: Windows NT 4.0, Windows 2000 Mixed Mode, and Windows 2003 Mixed Mode.
  • Page 36 ...tory server, the Novell eDirectory Agent can be used instead to authenticate end users. NOTE: See 8e6 Authenticator and Novell eDirectory Agent for information on setting up these types of authentication on the network.
  • Page 37: Tier 1: Single Sign-On Authentication

    Tier 1: Single Sign-On Authentication Net use based authentication process The following diagram and steps describe the operations of the net use based user authentication process: Fig. 1-5 Net use based authentication module diagram 1. The user logs on the network from a Windows workstation (also known as “client”...
  • Page 38: Re-Authentication Process

    4. Upon creating the IPC share, the software in the R3000 ... 5. Once the user is successfully authenticated, the R3000 ... 6. The matched profile is set for the user's IP address. The ... 7. When the user logs off, changes IP addresses, loses the ... WARNING: Authentication will fail if a Network Address Translation (NAT) device is set up between the authentication server and end user clients.
  • Page 39: Authentication Methods

    Authentication methods Tier 1 supports two server authentication methods: Server Message Block (SMB) and LDAP. SMB protocol SMB is a client/server protocol that requires the client to send a request to the server and receive an authentication response from the server, in order for the client to access resources on the network.
  • Page 40: Ldap Protocol

    NOTE: For information on SMB Signing compatibility with the R3000, refer to the chart in Appendix D: Disable SMB Signing Requirements. LDAP protocol LDAP is a directory service protocol that stores entries (Distinguished Names) in a domain’s directory using a hierarchical tree structure.
  • Page 41: Name Resolution Methods

    Name resolution methods The name resolution process occurs when the R3000 attempts to resolve the IP address of the authentication server with the machine name of that server. This continuous and regulated automated procedure ensures the connection between the two servers is maintained.
  • Page 42: Authentication Setup Procedures

    Authentication setup procedures Server setup types R3000 authentication is designed to support the following server types for the specified tier(s): Tier 1: Net use based authentication NOTE: Login scripts must be used for net use based authentication.
  • Page 43: Configuring The Authentication Server

    Configuring the authentication server When configuring authentication, you must first go to the authentication server and make all necessary entries before configuring the R3000. The following authentication components must be set up or entered on the console of the authentication server: •...
  • Page 44: Login Scripts

    Login scripts Login (or logon) scripts are used by the R3000 server for reauthenticating users on the network. The following syntax must be entered in the appropriate directory on the authentication server console: Enter net use syntax in the login script The virtual IP address is used by the R3000 to communicate with all users who log on to that server.
  • Page 45: View Login Script On The Server Console

    View login script on the server console The login script can be viewed on the authentication server console. This script resides in a different location on the server, depending on the version of the server: • Windows 2000 or Windows 2003 Server \\servername.suffix\sysvol\domainname.suffix\ policies\{guid}\user\scripts\logon c:\winnt\sysvol\sysvol\domainname.suffix\scripts...
  • Page 46: Block Page Authentication Login Scripts

    Block page authentication login scripts In addition to the use of login scripts in the console of the authentication server, a login script path must be entered in the Block Page window of the R3000 Administrator console. This script is used for reauthenticating users on the network.
  • Page 47: Ldap Server Setup Rules

    LDAP server setup rules WARNING: The instructions in this user guide have been documented based on standard default settings in LDAP for Microsoft Active Directory Services. The use of other server types, or any changes made to these default settings, must be considered when configuring the R3000 server for authentication.
  • Page 48: Tier 2: Time-Based, Web Authentication

    Tier 2: Time-based, Web Authentication The following diagram and steps describe the operations of the time-based authentication process: Fig. 1-6 Web-based authentication module diagram 1. The user makes a Web request by entering a URL in his/... 2.
  • Page 49: Tier 2 Implementation In An Environment

    Tier 2 implementation in an environment In an environment where Tier 2 time-based profiles have been implemented, end users receive filtering profiles after correctly entering their credentials into a Web-based Authentication Request Form. A profile remains active for a configurable amount of time even if the user logs out of the workstation, changes IP addresses, etc.
  • Page 50: Tier 2 Script

    Tier 2 Script If using Tier 2 only, this script should be inserted into the network’s login script. If the network also uses a logoff script, 8e6’s script should be inserted there as well. The inclusion of this script ensures that the previous end user’s profile is completely removed, in the event the end user did not log out successfully.
  • Page 51: Tier 1 And Tier 2 Script

    Tier 1 and Tier 2 Script In an environment in which both Tier 1 and Tier 2 are used, this version of 8e6’s script should be inserted into the network’s login script. 8e6’s script attempts to remove the previous end user’s profile, and then lets the new user log in with his/her assigned profile.
  • Page 52 ...in environments that use both Tier 1 and Tier 2, if a logoff script is used on the network, the Tier 2 Script should be inserted into the network’s logoff script. :try1 NET USE \\10.10.10.10\R3000$ if errorlevel 1 goto :try2 if errorlevel 0 echo code 0: Success goto :end...
  • Page 53: Tier 3: Session-Based, Web Authentication

    Tier 3: Session-based, Web Authentication The diagram on the previous page (Fig. 1-6) and steps below describe the operations of the session-based authentication process: 1. The user makes a Web request by entering a URL in his/her browser window. 2.
  • Page 54: 8E6 Authenticator

    8e6 Authenticator The 8e6 Authenticator ensures the end user is authenticated on his/her workstation, via an executable file that launches during the login process. To use this option, the 8e6 Authenticator client (authenticat.exe) should be placed in a network share accessible by the domain controller or a Novell eDirectory server such as NetWare eDirectory server 6.5.
  • Page 55: Recommended System Requirements

    Recommended system requirements The following server components are recommended for optimal performance when using NetWare eDirectory server 6.5: • Server-class PC with two-way Pentium III, IV, or Xeon 700 MHz or higher processors • 1 GB of RAM • VESA compliant 1.2 or higher display adapter •...
  • Page 56: Work Flow In A Windows Environment

    Work flow in a Windows environment 1. The administrator stores the 8e6 Authenticator client ... 2. Using a Windows machine, an end user logs on the ... 3. The end user’s login script evokes authenticat.exe. 4. The 8e6 Authenticator client determines the authentica-... 5.
  • Page 57: 8E6 Authenticator Configuration Priority

    8e6 Authenticator configuration priority The source and order in which parameters are received and override one another are described below. NOTE: Any parameter set at the end of the list will override any parameter that was previously set. 1. Compiled Defaults: Given no parameters at all, the client will try to execute using the default compilation.
  • Page 58: 8E6 Authenticator Configuration Syntax

    8e6 Authenticator configuration syntax All configuration parameters, regardless of their source, will use the following format/syntax: Sample command line parameters Sample configuration file Sample R3000 configuration update packet ‘PCFG’ After decryption, with protocol headers removed: wAA[B]w{C}w {Parameter ‘AA’...
  • Page 59: Table Of Parameters

    You only need to change the options you do not wish to remain as default. Often the IP address of the R3000 (RA) and the log file (LF) are the most desired options to change. Note that full network paths are allowed. Table of parameters The following table contains the different parameters, their meanings, and possible values.
  • Page 60 + If UT[0] is set, then the Novell environment will be ignored, if present, and only the Windows environment information will be retrieved and sent to the R3000. * Special Interest. Values most likely to change during ... ++ Alternate configuration file is only valid when specified on ... • For each IP address where “:PORT” is omitted from the ...
  • Page 61 RP[] affects port-less addresses specified in the RV[] command as well. • For RA[], each IP address is separated by a semi-colon ‘;’ and the first IP address will be tried for each new connection attempt. When the main IP address fails to respond, the next IP address in the list will be tried, and so on, if it fails.
  • Page 62: Novell Edirectory Agent

    Novell eDirectory Agent Novell eDirectory Agent provides Single Sign-On (SSO) authentication for an R3000 set up in a Novell eDirectory environment. Using Novell eDirectory Agent, the R3000 is notified by the eDirectory server when an end user logs on or off the network, and adds/removes his/her network IP address, thus setting the end user’s filtering profile accordingly.
  • Page 63: Client Workstations

    Client workstations To use this option, all end users must log in to the network. The following OS have been tested: • Windows 2000 Professional • Windows XP • Macintosh Novell clients The following Novell clients have been tested: • Windows: Version 4.91 SP2 •...
  • Page 64: R3000 Setup And Event Logs

    R3000 setup and event logs When using a Novell eDirectory server and choosing to use the Novell eDirectory Agent option in the R3000: • Enable Novell eDirectory Agent in the Enable/Disable ... NOTES: If using an SSO authentication solution, Tier 2 or Tier 3 should be selected as a fallback authentication operation.
  • Page 65: Authentication Solution Compatibility

    Authentication Solution Compatibility Below is a chart representing the authentication solution compatibility for a single user (chart headings: Tier 1, Tier 2, Tier 3, Authenticator, eDirectory Agent). KEY: • N/A = Not Applicable • N/R = Not Recommended
  • Page 66: Configuring The R3000 For Authentication

    Configuring the R3000 for Authentication Configuration procedures When configuring the R3000 server for authentication, settings must be made in System and Group windows in the Administrator console. NOTES: If the network has more than one domain, the first you add should be the domain on which the R3000 resides.
  • Page 67 The entries made in this window will vary depending on whether you are using the invisible mode, or the router or firewall mode. The LAN 1 and LAN 2 IP addresses should usually be in a different subnet. • If using the invisible mode: For the LAN1 IP (eth0) address, select 255.255.255.255 for the subnet mask.
  • Page 68 5. Select “Authentication” from the control panel, and then ... 6. Select “Control” from the control panel, and then select ... In the Settings frame, enter general configuration settings for the R3000 server such as IP address entries. In the NIC Device to Use for Authentication field: •...
  • Page 69: Group Section

    Group section In the Group section of the Administrator console, choose NT or LDAP, and then do the following: 1. Add a domain from the network to the list of domains that will have users authenticated by the R3000. NOTE: If the network has more than one domain, the first one you add should be the domain on which the R3000 resides.
  • Page 70: Chapter 2: Network Setup

    Environment Requirements Workstation Requirements Administrator Minimum system requirements for the administrator include the following: • Windows 98 or later operating system (not compatible ... • Internet Explorer (IE) 5.5 or later • JavaScript enabled • Java Virtual Machine •...
  • Page 71: Network Requirements

    Network Requirements • High speed connection from the R3000 server to the client workstations • FTP or HTTPS connection to 8e6’s patch server • Internet connectivity for downloading Java Virtual Machine—and Java Runtime Environment, if necessary—if not already installed
  • Page 72: Set Up The Network For Authentication

    Set up the Network for Authentication The first settings for authentication must be made in the System section of the console in the following windows: Operation Mode, LAN Settings, Enable/Disable Authentication, Authentication Settings, Authentication SSL Certificate (if Web-based authentication will be used), View Log File (for troubleshooting authentication setup), and Block Page Authentication.
  • Page 73 The entries made in this window will vary depending on whether you will be using the invisible mode, or the router or firewall mode. 1. In the Mode frame, select the mode to be used: “Invisible”, “Router”, or “Firewall”. 2.
  • Page 74: Specify The Subnet Mask, Ip Address(Es)

    Specify the subnet mask, IP address(es) Click Network and select LAN Settings from the pop-up menu to display the LAN Settings window: Fig. 2-2 LAN Settings window The entries made in this window will vary depending on whether you are using the invisible mode, or the router or firewall mode.
  • Page 75: Invisible Mode

    Invisible mode For the LAN1 IP (eth0) address, select 255.255.255.255 for the subnet mask, and click Apply. Router or firewall mode 1. Enter the following information: • In the LAN1 IP (eth0) field of the IP/Mask Setting frame, enter the IP address and specify the corresponding subnet of the “eth0”...
  • Page 76: Enable Authentication, Specify Criteria

    Enable authentication, specify criteria 1. Click Authentication and select Enable/Disable Authentication ... 2. Click Enable to enable authentication. 3. Select one of three tiers in the Web-based Authentication ... NOTE: See the information on the next pages for details about each of the tiers, and for the steps that must be executed to enable your tier selection.
  • Page 77 4. In the 8e6 Authenticator frame, be sure the 8e6 Authenticator is “On”—unless the Novell eDirectory Agent option will be used instead. When enabling the 8e6 Authenticator option, and then downloading and installing the 8e6 Authenticator (authenticat.exe) on a network share accessible by the domain controller or a Novell eDirectory server, the 8e6 Authenticator automatically authenticates the end user when he/she logs into...
  • Page 78: Net Use Based Authentication

    Net use based authentication Tier 1: Web-based Authentication disabled (Net Use enabled) – Choose this option if you will be using net use based authentication for NT or Active Directory. 1. Click “Tier 1”. 2. In the Sending Keep Alive frame, click the radio button ... 3.
  • Page 79: Web-Based Authentication

    Web-based authentication Choose either Tier 2 or Tier 3 if Web-based authentication will be used. NOTE: If selecting either Tier 2 or Tier 3, please be informed that in an organization with more than 5000 users, slowness may be experienced during the authentication process.
  • Page 80 Tier 3: Use persistent logins via a Java Applet – Choose this option if using NT and/or LDAP authentication, and you want the user to maintain a persistent network connection. This option—the preferred method for NT authentication—opens a profile window that uses a Java applet: Fig.
  • Page 81 Fig. 2-5 Tier 3 dialog box 3. To ensure that end-users are using the most current version of JRE, choose the method for distributing the current version to their workstations: “8e6 automatically distributes JRE during user login” or the default selection, “Administrator manually distributes JRE to user workstations”.
  • Page 82: Enter Network Settings For Authentication

    Enter network settings for authentication 1. Click Authentication and select Authentication Settings from the pop-up menu to display the Authentication Settings window: Fig. 2. In the IP Address of WINS Server field, if using a WINS ...
  • Page 83 3. In the Virtual IP Address to Use for Authentication field, 1.2.3.5 displays by default. If using Tier 1 or Tier 3, enter the IP address that from now on will be used for communicating authentication information between the R3000 and the PDC. This must be an IP address that is not being used, on the same segment of the network as the R3000.
  • Page 84: Create An Ssl Certificate

    Create an SSL certificate Authentication SSL Certificate should be used if Web-based authentication will be deployed on the R3000 server. Using this feature, a Secured Sockets Layer (SSL) self-signed certificate is created and placed on client machines so that the R3000 will be recognized as a valid server with which they can communicate.
  • Page 85: Create, Download A Self-Signed Certificate

    Create, Download a Self-Signed Certificate 1. On the Self Signed Certificate tab, click Create Self Signed Certificate to generate the SSL certificate. 2. Click the Download/View/Delete Certificate tab: Fig. 2-8 Download/View/Delete Certificate tab 3. Click Download/View Certificate to open the File Download dialog box where you indicate whether you wish to Open and view the file, or open the Save As window so that you can Save the SSL certificate to a specified folder...
  • Page 86: Create, Upload A Third Party Certificate

    TIP: Click Delete Certificate to remove the certificate from the server. Create, Upload a Third Party Certificate Create a Third Party Certificate 1. Click the Third Party Certificate tab: NOTE: If a third party certificate has not yet been created, the Create CSR button is the only button activated on this tab.
  • Page 87 2. Click Create CSR to open the Create CSR pop-up window: Fig. 2-10 Create CSR pop-up window The Common Name (Host Name) field should automatically be populated with the host name. This field can be edited, if necessary. 3.
  • Page 88: Upload A Third Party Certificate

    Upload a Third Party Certificate 1. Click Upload Certificate to open the Upload Signed SSL ... TIP: Click Cancel in the dialog box to cancel the procedure. 2. In the Upload Signed SSL Certificate for R3000 pop-up ... 3.
  • Page 89: Download A Third Party Certificate

    Download a Third Party Certificate 1. In the Authentication SSL Certificate window, click Download/View CSR to open a pop-up window containing the contents of the certificate request: Fig. 2-12 Download CSR pop-up window 2. Click the “X” in the upper right corner of the window to close it.
  • Page 90: View Log Results

    View log results Use the View Log File window if you need to troubleshoot any problems with the authentication setup process. 1. Click Diagnostics and select View Log File from the pop-up ... NOTE: In this user guide, only authentication options will be addressed.
  • Page 91 • “Wbwatch Log (wbwatch.log)” - used for viewing messages on attempts to join the domain via the Authentication Settings window. • “Authentication Log (AuthenticationServer.log)” - used for viewing information about the authentication process for users, including SEVERE and WARNING error messages.
  • Page 92 4. Click View to display results in the Result pop-up window: Fig. 2-14 View Log File Result pop-up window 5. Click the “X” in the upper right corner of the pop-up window to close it.
  • Page 93: Specify Block Page Settings

    Specify block page settings. Click Control and select Block Page Authentication from the pop-up menu to display the Block Page Authentication window: Fig. 2-15 Block Page Authentication window
  • Page 94: Block Page Authentication

    Block Page Authentication. TIP: Multiple options can be selected by clicking each option while pressing the Ctrl key on your keyboard. NOTE: See the R3000 User Guide for information about the Override Account feature. 2. If the “Re-authentication” option was selected, in the
  • Page 95: Block Page

    Block page. When a user attempts to access Internet content set up to be blocked, the block page displays on the user’s screen: Fig. 2-16 Block page NOTES: See Block Page Customization for information on adding free form text and a hyperlink at the top of the block page.
  • Page 96: User/Machine Frame

    By default, the following standard links are included in the block page: • HELP - Clicking this link takes the user to 8e6’s Technical Support page that explains why access to the site or service may have been denied. • 8e6 Technologies - Clicking this link takes the user to 8e6’s Web site.
  • Page 97: Optional Links

    Optional Links. By default, these links are included in the block page under the following conditions: • For further options, click here. - This phrase and link is included if any option was selected at the Re-authentication Options field in the Block Page Authentication window.
  • Page 98: Options Page

    Options page. The Options page displays when the user clicks the following link in the block page: For further options, click here. Fig. 2-17 Options page The following items previously described for the Block page display in the upper half of the Options page: •...
  • Page 99: Option 1

    Option 1. Option 1 is included in the Options page if “Web-based Authentication” was selected at the Re-authentication Options field in the Block Page Authentication window. The following phrase/link displays: Click here for secure Web-based authentication.
  • Page 100: Option 2

    Option 2. The following phrase/link displays, based on options selected at the Re-authentication Options field in the Block Page Authentication window: • Re-start your system and re-login - This phrase • Try re-authenticating your user profile - This link
  • Page 101: Option 3

    Option 3. Option 3 is included in the Options page, if “Override Account” was selected at the Re-authentication Options field in the Block Page Authentication window. This option is used by any user who has an override account set up for him/her by the global group administrator or the group administrator.
  • Page 102: Common Customization

    Common Customization. Common Customization lets you specify elements to be included in block pages and/or the authentication request form end users will see. Click Customization and then select Common Customization from the pop-up menu to display the Common Customization window: Fig. 2-20 Common Customization window By default, in the Details frame all elements are selected to display in the HTML pages, the Help link points to the FAQs page on 8e6's public site that explains why access was...
  • Page 103

    Enable, Disable Features 1. Click “On” or “Off” to enable or disable the following elements in the HTML pages, and make entries in fields to display customized text, if necessary: • Username Display - if enabled, displays “User/ Machine” followed by the end user’s username in block pages •...
  • Page 104 NOTE: If enabling the Submission Review Display feature, an email address entry of the designated administrator in your organization must be made in the Submission Email Address field. 2. Click Apply to save your entries. TIP: Click Restore Default to revert to the default settings.
  • Page 105: Authentication Form Customization

    Authentication Form Customization. To customize the Authentication Request Form, click Customization and select Authentication Form from the pop-up menu: Fig. 2-21 Authentication Form Customization window NOTE: This window is activated only if Authentication is enabled via System >
  • Page 106 1. Make an entry in any of the following fields: • In the Header field, enter a static header to be displayed at the top of the Authentication Request Form. 2. Click Apply. TIP: Click Restore Default to revert to the default text in this window.
  • Page 107: Preview Sample Authentication Request Form

    Preview Sample Authentication Request Form 1. Click Preview to launch a separate browser window containing a sample Authentication Request Form, based on entries saved in this window and in the Common Customization window: Fig. 2-22 Sample Customized Authentication Request Form By default, the following data displays in the frame: •...
  • Page 108 • HELP - Clicking this link takes the user to 8e6’s Technical Support page that explains why access to the site or service may have been denied. • 8e6 Technologies - Clicking this link takes the user to 8e6’s Web site. close the sample Authentication Request Form.
  • Page 109: Block Page Customization

    Block Page Customization. To customize the block page, click Customization and select Block Page from the pop-up menu: Fig. 2-23 Block Page Customization window NOTE: See Appendix D: Create a Custom Block Page from the R3000 User Guide for information on creating a customized block page using your own design.
  • Page 110 1. Make an entry in any of the following fields: • In the Header field, enter a static header to be displayed at the top of the block page. 2. Click Apply. TIP: Click Restore Default to revert to the default text in this window.
  • Page 111: Preview Sample Block Page

    Preview Sample Block Page 1. Click Preview to launch a separate browser window containing a sample customized block page, based on entries saved in this window and in the Common Customization window: Fig. 2-24 Sample Customized Block Page By default, the following data displays in the User/ Machine frame: •...
  • Page 112 Support page that explains why access to the site or service may have been denied. • 8e6 Technologies - Clicking this link takes the user to 8e6’s Web site. By default, these links are included in the block page under the following conditions: •...
  • Page 113: Chapter 3: Nt Authentication Setup

    Chapter 3: NT Authentication Setup. NOTE: If you are running a Windows 2000 or Windows 2003 Server and are using the NTLM authentication protocol, then you need to make SMB Signing “not required.” See Appendix D: Disable SMB Signing Requirements for steps on how to disable SMB Signing restrictions. SMB signing protects SMB sessions against tampering and relay, so scope this change to the domain controller(s) the R3000 authenticates against rather than relaxing it domain-wide.
  • Page 114 Information should only be entered in the NT Authentication Server Details frame if the R3000 will use the NT Authentication method to authenticate users. NOTE: The following Windows servers are supported by the current version of authentication: NT 4.0 SP4 or later, Mixed Mode 2000, and 2003.
  • Page 115: Create An Nt Domain

    Create an NT Domain After joining the domain, go to the Group section of the console and add an NT domain that contains entities to be authenticated. Add an NT domain 1. Click NT in the control panel to open the pop-up menu, and select Add Domain to open the Create Domain Controller dialog box: Fig.
  • Page 116: Refresh The Nt Branch

    7. Click Apply to add the domain to the tree. Refresh the NT branch. Click NT in the control panel to open the pop-up menu, and select Refresh whenever changes have been made in this branch of the tree.
  • Page 117: View Or Modify Nt Domain Details

    View or modify NT domain details Domain Settings 1. Double-click NT in the control panel to open the NT branch of the Group tree. Select the NT domain you added, and choose Domain Details from the pop-up menu to display the default Settings tab of the NT Domain Details window: Fig.
  • Page 118 2. For the Domain Settings: • The Domain Name entered in the Create Domain Controller dialog box displays greyed-out and cannot be modified. • The following fields can be modified: name of the domain Controller, IP Address, User Name, Password, and Confirm Password.
  • Page 119: Default Rule

    Default Rule 1. Click the Default Rule tab to display the Default Rule settings of the NT Domain Details window: Fig. 3-4 NT Domain Details window, Default Rule tab 2. For the Default Rule: • “Rule0, the Minimum Filtering Level” displays by default as the Default Rule.
  • Page 120: Delete An Nt Domain

    Delete an NT domain. To delete a domain profile, choose Delete from the NT domain menu. This action removes the domain from the tree. • Filter Options that have been selected display check marks in corresponding checkboxes for “X Strikes Blocking”, “Google/Yahoo! Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL...
  • Page 121: Set Up Nt Domain Groups, Members

    Set up NT Domain Groups, Members. In the control panel, the NT domain branch of the tree menu includes options for setting up groups and/or members in the domain so that filtering profiles can later be created.
  • Page 122 Select the NT domain, and choose Select Group/Member from Domain from the pop-up menu to display the Select Groups/Members from Domain window (see Figure 3-5). To add groups—that need filtering profiles—to the tree list: 1. Choose a group from the Available Groups list box. 2.
  • Page 123: Specify A Group's Filtering Profile Priority

    WARNING: When adding an NT group or member to the tree list, the group/member will be blocked from Internet access if the minimum filtering level has not been defined via the Minimum Filtering Level window. If you have just established the minimum filtering level, filter settings will not be effective until the group member/user logs off and back on the server.
  • Page 124 NOTES: Groups automatically populate the Profile Group(s) list box, if these groups have one or more identical users and were added to the tree list via the Select Groups/Members from Domain window. An entry for the Group Priority list is added to the end of the list when the group profile for that group is added to the R3000, and is removed automatically when you delete the profile.
  • Page 125: Manually Add A User's Name To The Tree

    Manually add a user’s name to the tree 1. Select the NT domain, and choose Manually Add Member from the pop-up menu to open the Manually Add Member dialog box: Fig. 3-7 Manually Add Member box This dialog box is used for adding a username to the tree list, so that a filtering profile can be defined for that user.
  • Page 126: Manually Add A Group's Name To The Tree

    Manually add a group’s name to the tree 1. Select the NT domain, and choose Manually Add Group 2. Enter the group’s name in the text box. 3. Click OK to add the group name to the domain’s section NOTE: See Add or maintain an entity’s profile under Create and Maintain NT Profiles for information on defining the filtering profile for the group.
  • Page 127: Upload A File Of Filtering Profiles To The Tree

    Upload a file of filtering profiles to the tree 1. Select the NT domain, and choose Upload User/Group Profile from the pop-up menu to display the Upload User/ Group Profile window: Fig. 3-9 Upload User/Group Profile window This window is used for uploading a file to the tree with user or group names and their associated filtering profiles.
  • Page 128 3. Click Browse to open the Choose file window. 4. Select the file to be uploaded. WARNING: Any file uploaded to the server will overwrite the existing user/group profile file. NOTE: See Appendix A: User/Group File Format and Rules for examples of valid filtering profile formats to use when creating a list of profiles to be uploaded to the server.
  • Page 129 5. Click Upload File to upload this file to the server. The Upload Successful pop-up window informs you to click Reload in order for these changes to be effective. 6. Click Reload. 7. Go to the NT branch of the tree, and choose Refresh from the NT group menu.
  • Page 130: Create And Maintain Nt Profiles

    Create and Maintain NT Profiles. Once an NT group or member has been added to the tree, a filtering profile can be created and maintained for that entity. For groups, the following options are available for filtering profile creation and maintenance: Group Member Details, Profile, and Remove.
  • Page 131 This window is used for viewing profile information about a group, and for adding members to a group. In the Group Details frame, the following details display: Group name, Domain name, and Domain Type. Members that belong to the group display in the Members list box in the Add Member to Profile frame.
  • Page 132: Add Or Maintain An Entity's Profile

    Add or maintain an entity’s profile. Select the NT domain, and choose Profile from the pop-up menu to display the default Category tab of the Profile window: Fig. 3-12 Group Profile window, Category tab The Profile window is used for viewing/creating the filtering profile of the defined entity (group or member).
  • Page 133: Category Profile

    Category Profile. Category Profile is used for creating the categories portion of the filtering profile for the entity. NOTE: In order to use this tab, filtering rules should already have been set up via the Rules window, accessible from the Global Group options, and the minimum filtering level should already be established.
  • Page 134: Redirect Url

    TIP: Multiple categories can be selected by clicking each category while pressing the Ctrl key on your keyboard. Blocks of categories can be selected by clicking the first category, and then pressing the Shift key on your keyboard while clicking the last category.
  • Page 135: Filter Options

    Redirect URL is used for specifying the URL to be used for redirecting users who attempt to access a site or service set up to be blocked. 1. Specify the type of redirect URL to be used: “Default Block Page”, or “Custom URL”. If “Custom URL”...
  • Page 136: Remove An Entity's Profile From The Tree

    Filter Options is used for specifying which filter option(s) will be applied to the entity’s filtering profile. 1. Click the checkbox(es) corresponding to the option(s) to be applied to the filtering profile. NOTE: See the R3000 User Guide for information about Filter Options.
  • Page 137: Chapter 4: Ldap Authentication Setup

    Chapter 4: LDAP Authentication Setup. Create an LDAP Domain. In the Group section of the console, add an LDAP domain that contains entities to be authenticated. Add the LDAP domain 1. Click LDAP in the control panel to open the pop-up menu, and select Add Domain to open the Create LDAP Domain dialog box: Fig.
  • Page 138: Refresh The Ldap Branch

    Refresh the LDAP branch. Click LDAP in the control panel to open the pop-up menu, and select Refresh whenever changes have been made in this branch of the tree. View, modify, enter LDAP domain details. Double-click LDAP in the control panel to open the LDAP branch of the Group tree.
  • Page 139: Ldap Server Type

    The LDAP domain window is comprised of the following wizard tabs: Type, Group, User, Address, Account, SSL, Alias List, and Default Rule. By going through the entire wizard, domain details are established for the LDAP domain, preparing the LDAP domain for group and user filtering profile setup.
  • Page 140: Group Objects

    • Click Next to go to the Group tab. WARNING: The contents of the tabs for User and Group do not normally need to be changed. The settings on these tabs are made automatically when you select the server type at the beginning of the setup process.
  • Page 141 By default, the Include List will be populated with appro- priate group objects, based on the server type. • Generally, no action needs to be performed on this tab. However, under special circumstances, a group object can be added or excluded by making an entry in the appropriate field, and then clicking the Include or Exclude button.
  • Page 142: User Objects

    User Objects. The User tab is used for including or excluding user objects in the LDAP domain. Fig. 4-4 Domain Details window, User tab By default, the Include List and Exclude List will be populated with appropriate user objects, based on the server type.
  • Page 143: Address Info

    • A user object name can be edited by selecting the user object from the appropriate list box, editing the name in the field, and then clicking the Edit button. • A user object can be removed by selecting the user object and then clicking Remove.
  • Page 144 NOTE: If the DNS settings are not published in the LDAP directory, the Server DNS Name, DNS Domain Name, and LDAP Query Base fields will not be populated automatically. Functioning forward and reverse DNS name resolution is one of the requirements for LDAP authentication.
  • Page 145 • By default, the LDAP Query Base displays the root of the LDAP database to query using the LDAP Syntax, i.e. DC=domain,DC=com. The entry in this field is case sensitive and should be edited, if necessary. If this field is not populated, enter the LDAP query base. Click Next to go to the Account tab.
  • Page 146: Account Info

    Account Info Fig. 4-6 Domain Details window, Account tab 1. If your LDAP database does not require a username to be provided in order to bind to the LDAP database, click the “Use Anonymous Bind”... 2. Click Next to go to the SSL tab.
  • Page 147: Ssl Settings

    SSL Settings. SSL settings should be made if your network requires a secure connection from the R3000 to the LDAP server. Fig. 4-7 Domain Details window, SSL tab NOTE: See Appendix E: Obtain or Export an SSL Certificate for information on how to obtain a Sun ONE server’s SSL certificate, or how to export an Active Directory or Novell server’s SSL certificate to your desktop and then upload it to the R3000.
  • Page 148 3. Click Browse to open the Choose file window and select the SSL certificate. 4. Click Upload File to upload the SSL certificate to the R3000 server. WARNING: If using a Novell server, be sure the name on the SSL certificate (to be uploaded to the server) matches the Server DNS Name entered in the Address Info tab.
  • Page 149: Alias List

    Alias List. The Alias List will be automatically populated if the Account Name was entered in the Account tab. This list includes all alias names for the domain that will be included in the Alias pull-down menu in the Authentication Request Form.
  • Page 150 After the search is completed, the Search in Progress box closes, and each alias name displays with its corresponding LDAP Container Name. NOTE: If the alias list does not display, double-check the settings on the other tabs and verify that all of your settings are correct. The following actions can be performed on this tab: •...
  • Page 151: Default Rule

    Default Rule The Default Rule applies to any authenticated user in the LDAP domain who does not have a filtering profile. Fig. 4-11 Domain Details window, Default Rule tab NOTE: If using Novell eDirectory, see Default Rule for Novell eDirectory. The tab is comprised of the following components that can be modified: •...
  • Page 152 • Click the checkbox(es) corresponding to the option(s) to be applied. After all entries have been made in the tabs, click Activate to activate the domain. NOTE: To enter profile information for LDAP groups and users, see Create, Maintain LDAP Profiles.
  • Page 153: Default Rule For Novell Edirectory

    Default Rule for Novell eDirectory. If “Novell eDirectory” was selected for the LDAP Server Type, and the Novell eDirectory Agent option was enabled in the Enable/Disable Authentication window in the System section of the console, the Default Rule tab includes buttons for configuring a backup server to be used in the event the primary server cannot be accessed.
  • Page 154 NOTE: The Back and Save buttons can be clicked at any time during the wizard setup process. Click Close to close the wizard pop-up window. 2. Enter, edit, or verify the following criteria: NOTES: If your LDAP server’s name is not a resolvable, fully qualified DNS name, you may be able to enter the domain name.
  • Page 155 • NETBIOS Domain Name - an entry in this field is optional • Server LDAPS Port - by default, 636 displays in this field • Server LDAP Port - by default, the value that was entered in the LDAP Server Port field of the Create LDAP Domain dialog box displays in the field •...
  • Page 156 5. Click Next to go to the SSL tab: NOTE: See Appendix E: Obtain or Export an SSL Certificate for information on how to export a Novell server’s SSL certificate to your desktop and then upload it to the R3000.
  • Page 157: Modify A Backup Server's Configuration

    c. Click Browse to open the Choose file window and select the R3000 server’s SSL certificate. d. Click Upload File to upload the SSL certificate to the R3000 server. WARNING: Be sure the name on the SSL certificate (to be uploaded to the server) matches the Server DNS Name entered in the Address Info tab.
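Both the SSL tab warning for Novell servers and the backup-server step above make the same demand: the name on the uploaded certificate must match the Server DNS Name entered in the Address Info tab. The following Python is an added example of that check, not code from the manual or from 8e6. It works on certificates in the dict shape Python's `ssl.getpeercert()` returns; the two certificates, their names and the IP address are constructed for the example.

```python
import ipaddress

# Certificates in the dict shape Python's ssl.getpeercert() returns.
# Both are constructed for this example; no real host uses these names.
SAN_CERT = {
    "subject": ((("commonName", "old-name.qc.local"),),),
    "subjectAltName": (("DNS", "ldap.qc.local"), ("DNS", "*.backup.qc.local")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "ldap.qc.local"),)),
}


def certificate_dns_names(cert):
    """DNS names a certificate is valid for: the SAN list, or the CN only if no SAN exists."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def name_matches(pattern, host):
    """Exact or single-label wildcard match, case-insensitive, ignoring a trailing dot."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p == h:
        return True
    # A wildcard may only replace the whole leftmost label and needs two more labels.
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def server_name_matches(cert, server_dns_name):
    """True if the Server DNS Name is covered by the certificate's DNS names."""
    try:
        ipaddress.ip_address(server_dns_name)
        return False  # an IP address never satisfies a DNS name on the certificate
    except ValueError:
        pass
    return any(name_matches(n, server_dns_name) for n in certificate_dns_names(cert))


if __name__ == "__main__":
    for host in ("ldap.qc.local", "old-name.qc.local", "dc2.backup.qc.local", "192.168.0.20"):
        print(f"{host:22} -> {server_name_matches(SAN_CERT, host)}")
```

Two points the check makes explicit: once a certificate carries a SAN extension, its CN is ignored, and an IP address in the Server DNS Name field can never match a DNS name on the certificate, which is one reason the Address Info tab wants a resolvable name.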
  • Page 158: Set Up Ldap Domain Groups, Members

    Set up LDAP Domain Groups, Members. In the control panel, the LDAP domain branch of the tree menu includes options for setting up groups and/or members in the domain so that filtering profiles can later be created.
  • Page 159: Perform A Basic Search

    Select the LDAP domain, and choose Select Group/ Member from Domain from the pop-up menu to display the LDAP User/Group Browser window (see Figure 4-12). This window is used for retrieving the names of groups or users from an LDAP domain so that a filtering profile can be assigned.
  • Page 160: Apply A Filtering Rule To A Profile

    • Search within existing results – To search within the list of The View button in the Members column is used for either querying the list of groups in which a user is a member, or the list of users who are members of a Group Record.
  • Page 161: Delete A Rule

    Delete a rule. To delete a rule from a profile, the entity must currently display in the grid and have a rule assigned to the profile. 1. Click the Mark checkbox for the entity. 2. Click Delete Rule to remove the entity’s profile from the tree.
  • Page 162: Manually Add A User's Name To The Tree

    NOTES: Groups automatically populate the Profile Group(s) list box, if these groups have one or more identical users and were added to the tree list via the Select Groups/Members from Domain window. An entry for the Group Priority list is added to the end of the list when the group profile for that group is added to the R3000, and is removed automatically when you delete the profile.
  • Page 163: Manually Add A Group's Name To The Tree

    TIP: LDAP usernames should be input exactly as entered for the LDAP Distinguished Name. Examples: CN=Jane Doe, CN=Users, DC=qc, DC=local CN=Public\, Joe Q., OU=Users, OU=Sales, DC=qc, DC=local CN=Doe\, John, CN=Users, DC=qc, DC=local 3. Click OK to add the username to the domain’s section of the tree.
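The examples above show why DNs have to be entered exactly: a comma inside a name (Public\, Joe Q.) is escaped with a backslash so it is not read as an RDN separator, and the Address Info tab derives the default LDAP Query Base (DC=domain,DC=com) from the DNS domain name in the same notation. The following Python is an added example, not code from the manual or from 8e6, showing the RFC 4514 escaping and splitting rules behind both of those fields; `same_entry` and `query_base_from_domain` are names chosen for this example, and the DNs in it are the manual's own examples plus constructed variants.

```python
# RFC 4514 characters that must be backslash-escaped inside an attribute value.
SPECIAL = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(raw):
    """Reverse escape_rdn_value, also accepting \\XX hex escapes (e.g. \\2c for a comma)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt in SPECIAL or nxt in " #=":
                out.append(nxt)
                i += 2
                continue
            hexpair = raw[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in "0123456789abcdefABCDEF" for c in hexpair):
                out.append(chr(int(hexpair, 16)))
                i += 3
                continue
        out.append(raw[i])
        i += 1
    return "".join(out)


def split_dn(dn):
    """Split a DN on unescaped commas only; spaces after a separator are dropped."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).lstrip(" "))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).lstrip(" "))
    return rdns


def parse_dn(dn):
    """Return [(ATTR, value), ...] with attribute types upper-cased and values unescaped."""
    pairs = []
    for rdn in split_dn(dn):
        attr, sep, raw = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        pairs.append((attr.strip().upper(), unescape_rdn_value(raw)))
    return pairs


def build_dn(pairs):
    """Assemble a DN from (attr, value) pairs, escaping each value."""
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in pairs)


def same_entry(dn_a, dn_b):
    """Compare two DN strings ignoring separator spacing, attribute-type case and escape form."""
    return parse_dn(dn_a) == parse_dn(dn_b)


def query_base_from_domain(dns_domain):
    """Derive the default LDAP Query Base (DC=..., DC=...) from a DNS domain name."""
    labels = [label for label in dns_domain.strip(".").split(".") if label]
    return ",".join(f"DC={label}" for label in labels)


if __name__ == "__main__":
    print(query_base_from_domain("qc.local"))
    print(parse_dn("CN=Public\\, Joe Q., OU=Users, OU=Sales, DC=qc, DC=local"))
```

`same_entry` normalises only spacing, attribute-type case and escape form; it leaves attribute values as typed, which matches the manual's note that the LDAP Query Base field is case sensitive.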
  • Page 164: Upload A File Of Filtering Profiles To The Tree

    NOTE: See Add or maintain the entity’s profile under Create, Maintain LDAP Profiles for information on defining the filtering profile for the group. Upload a file of filtering profiles to the tree 1. Select the LDAP domain, and choose Upload User/Group Profile from the pop-up menu 2.
  • Page 165 Fig. 4-21 Upload Member Profile File window 3. Click Browse to open the Choose file window. 4. Select the file to be uploaded. WARNING: Any file uploaded to the server will overwrite the existing user/group profile file. Each user/group profile in the file uploaded to the server must be set up in a specified format in order for the profile to be activated on the server.
  • Page 166 5. Click Upload File to upload this file to the server. The Upload Successful pop-up window informs you to click Reload in order for these changes to be effective. 6. Click Reload. 7. Go to the LDAP branch of the tree, and choose Refresh
  • Page 167: Create, Maintain Ldap Profiles

    Create, Maintain LDAP Profiles. Once an LDAP group or member has been added to the tree, a filtering profile can be created and maintained for that entity. For groups, the following options are available for filtering profile creation and maintenance: Group Member Details, Profile, and Remove.
  • Page 168 This window is used for viewing profile information about a group, and for adding members to a group. In the Group Details frame, the following details display: Group name, Full Name (Distinguished Name) of the group, Domain name, and Domain Type.
  • Page 169: Add Or Maintain An Entity's Profile

    Add or maintain an entity’s profile. Select the LDAP domain, and choose Profile from the pop-up menu to display the default Category tab of the Profile window: Fig. 4-23 Group Profile window, Category tab The Profile option is used for viewing/creating the filtering profile of the defined entity (group or member).
  • Page 170: Category Profile

    Category Profile. Category Profile is used for creating the categories portion of the filtering profile for the entity. NOTE: In order to use this tab, filtering rules should already have been set up via the Rules window, accessible from the Global Group options, and the minimum filtering level should already be established.
  • Page 171: Redirect Url

    TIP: Multiple categories can be selected by clicking each category while pressing the Ctrl key on your keyboard. Blocks of categories can be selected by clicking the first category, and then pressing the Shift key on your keyboard while clicking the last category.
  • Page 172: Filter Options

    Redirect URL is used for specifying the URL to be used for redirecting users who attempt to access a site or service set up to be blocked. 1. Specify the type of redirect URL to be used: “Default Block Page”, or “Custom URL”. 2.
  • Page 173: Remove An Entity's Profile From The Tree

    Filter Options is used for specifying which filter option(s) will be applied to the entity’s filtering profile. 1. Click the checkbox(es) corresponding to the option(s) to be applied to the filtering profile: “X Strikes Blocking”, “Google/Yahoo! Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL Keyword Filter Control”, and “Extend URL Keyword Filter Control”.
  • Page 174: Chapter 5: Authentication Deployment

    Chapter 5: Authentication Deployment. This final step of the authentication setup process includes testing authentication settings and activating authentication on the network. Test Authentication Settings. Before deploying authentication on the network, you should test your settings to be sure the Authentication Request Form login page can be accessed.
  • Page 175 NOTE: In order to complete the test process, you should be sure you have your own filtering profile set up. To verify that authentication is working, do either of the following, based on the Tier you selected: • If Tier 2 or Tier 3 Web-based authentication will be used: Go to the Test Web-based authentication settings sub-section for instructions on testing the Authentication Request Form login page from a single workstation.
  • Page 176: Test Web-Based Authentication Settings

    Test Web-based authentication settings. To verify that authentication is working properly, make the following settings in the Group section of the console: Step 1: Create an IP Group, “test” 1. Click the IP branch of the tree. 2.
  • Page 177: Step 2: Create A Sub-Group, "Workstation

    Step 2: Create a Sub-Group, “workstation” 1. Select the IP Group from the tree. 2. Click Add Sub Group in the pop-up menu to open the Create Sub Group dialog box: Fig. 5-3 Create Sub Group box 3. Enter workstation as the Group Name. 4.
  • Page 178: Step 3: Set Up "Test" With A 32-Bit Net Mask

    Step 3: Set up “test” with a 32-bit net mask 1. Select the IP Group named “test” from the tree. 2. Click Members in the pop-up menu to display the 3. Click the radio button corresponding to “Source IP”. 4.
  • Page 179: Step 4: Give "Workstation" A 32-Bit Net Mask

    Step 4: Give “workstation” a 32-bit net mask 1. Select the IP Sub-Group “workstation” from the tree. 2. Click Members in the pop-up menu to display the Members window: Fig. 5-5 Sub Group Members window 3. Click the radio button corresponding to “Member”. 4.
  • Page 180: Step 5: Block Everything For The Sub-Group

    Step 5: Block everything for the Sub-Group 1. Select the IP Sub-Group “workstation” from the tree. 2. Click Sub Group Profile in the pop-up menu to display the 3. In the Category Profile page, move all categories to the TIP: Blocks of categories can be selected by clicking the first category, and then pressing the Shift key on your keyboard while clicking the last category.
  • Page 181: Step 6: Use Authentication Request Page For Redirect Url

    5. Click Apply. Step 6: Use Authentication Request Page for redirect URL 1. Click the Redirect URL tab to display the Redirect URL page: Fig. 5-7 Sub Group Profile window, Redirect URL tab 2. Select “Authentication Request Form”. NOTE: The host name of the R3000 will be used in the redirect URL of the Authentication Request Form, not the IP address.
  • Page 182: Step 7: Disable Filter Options

    Step 7: Disable filter options 1. Click the Filter Options tab to display the Filter Options page: Fig. 5-8 Sub Group Profile window, Filter Options tab 2. Uncheck all the checkboxes: “X Strikes Blocking”, “Google/Yahoo! Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL Keyword Filter Control”, and “Extend URL Keyword Filter Control”. 3. Click Apply.
  • Page 183: Step 8: Attempt To Access Web Content

    Step 8: Attempt to access Web content NOTE: For this step, you must have your own profile set up in order to complete the test process. 1. Launch Internet Explorer: Fig. 5-9 Internet Explorer browser 2. Enter a URL in the Address field of the browser window. NOTE: The URL should be one that begins with “http”—not “https”.
  • Page 184 4. Enter the following information: 5. Click Log In to authenticate or re-authenticate yourself. The test process has been completed successfully if you are now able to access the content for the URL you entered at step 2 in this section. Fig.
  • Page 185: Test Net Use Based Authentication Settings

    Test net use based authentication settings. 1. From the test workstation, open a command prompt and enter the NET USE command using the following format: NET USE \\virtualip\R3000$ (for example: NET USE \\192.168.0.20\R3000$). The entry you make should initiate a connection with Tier TIP: The virtual IP address should be the same as the one entered in the Virtual IP Address to Use for Authentication field in the Authentication Settings window (see Chapter 2: Network...
  • Page 186: Activate Authentication On The Network

    Activate Authentication on the Network. After successfully testing authentication settings, you are now ready to activate authentication on the network. To verify that authentication is ready to be activated on the network, do either of the following, based on the Tier you selected: •...
  • Page 187: Activate Web-Based Authentication For An Ip Group

    Activate Web-based authentication for an IP Group. IP Group authentication is the preferred selection for Web-based authentication, over the Global Group Profile authentication option, as it decreases the load on the R3000. Step 1: Create a new IP Group, “webauth”. 1.
  • Page 188: Step 2: Set "Webauth" To Cover Users In Range

    Step 2: Set “webauth” to cover users in range. 1. Select the IP group “webauth” from the tree. 2. Click Members in the pop-up menu to display the Members window. 3. Click the radio button corresponding to “Source IP”. 4.
  • Page 189: Step 3: Create An Ip Sub-Group

    Step 3: Create an IP Sub-Group. 1. Select the IP Group “webauth” from the tree. 2. Click Add Sub Group in the pop-up menu to open the Create Sub Group dialog box (Fig. 5-13 Create Sub Group box). 3.
  • Page 190: 7. Click the radio button corresponding to “Member”. 8. In the Member fields, enter the IP address range for members of the Sub-Group, and specify the subnet mask (Fig. 5-14 Sub Group Members window). 9. Click Modify.
  • Page 191: Step 4: Block Everything For The Sub-Group

    Step 4: Block everything for the Sub-Group. 1. Select the IP Sub-Group from the tree. 2. Click Sub Group Profile in the pop-up menu to display the Sub Group Profile window (Fig. 5-15 Sub Group Profile window, Category tab). 3.
  • Page 192: Step 5: Use Authentication Request Page For Redirect Url

    5. Click Apply. Step 5: Use Authentication Request Page for redirect URL. 1. Click the Redirect URL tab to display the Redirect URL page. 2. Select “Authentication Request Form”. NOTE: Since the Authentication Request Form radio button selection uses the host name of the server, not the IP address,...
  • Page 193: Step 6: Disable Filter Options

    sent to the Authentication Request Form if he/she attempts to access content on the Internet. After filling out this form and being authenticated, the user will be able to access Internet content based on his/her filtering profile. Step 6: Disable filter options. 1.
  • Page 194: Step 7: Set Global Group To Filter Unknown Traffic

    Step 7: Set Global Group to filter unknown traffic. 1. Click Global Group in the tree to open the pop-up menu. 2. Select Global Group Profile to display the Category tab of the Profile window. 3. Click the Port tab to display the Port page:
  • Page 195: (Fig. 5-19 Global Group Profile window, Port tab) a. In the Port page, enter the Port number to be blocked. b. Click Add to include the port number in the Block Port(s) list box. c. After entering all port numbers to be blocked, click Apply.
  • Page 196: 4. Click the Default Redirect URL tab to display the Default Redirect URL page (Fig. 5-20 Global Group Profile window, Default Redirect URL tab). a. Select “Default Block Page”. b. Click Apply.
  • Page 197: 5. Click the Filter Options tab to display the Filter Options page (Fig. 5-21 Global Group Profile window, Filter Options tab). a. Select filter options to be enabled. b. Click Apply.
  • Page 198: As a result of these entries, the standard block page (Fig. 5-22 Default Block Page), rather than the Authentication Request Form, is displayed when any user in this Sub-Group is blocked from accessing Internet content.
  • Page 199: Activate Web-Based Authentication For The Global Group

    Activate Web-based authentication for the Global Group. This selection of Web-based authentication creates more load on the R3000 than the IP Group selection, and should only be used as an alternative to IP Group authentication.
  • Page 200: Step 1A: Block Web Access, Logging Via Range To Detect

    Step 1A: Block Web access, logging via Range to Detect. NOTE: Segments of network traffic should not be defined if the R3000 is set up in the firewall mode. Range to Detect Settings: 1. Click Global Group in the tree to open the pop-up menu. 2.
  • Page 201: (Fig. 5-24 Range to Detect Settings window, main window) 4. Click Start the Setup Wizard to display Step 1 of the Range to Detect Setup Wizard:
  • Page 202: Range To Detect Setup Wizard

    Range to Detect Setup Wizard. 1. Enter the IP address and specify the Netmask, or enter the Individual IP address of the source IP address(es) to be filtered (Fig. 5-25 Range to Detect Setup Wizard, Step 1). 2. Click Next to go to Step 2 of the Wizard:
  • Page 203: (Fig. 5-26 Range to Detect Setup Wizard, Step 2) 3. An entry for this step of the Wizard is optional. If there are destination IP address(es) to be filtered, enter the IP address and specify the Netmask, or enter the Individual IP address.
  • Page 204: 5. An entry for this step of the Wizard is optional. If there are source IP address(es) to be ignored, enter the IP address and specify the Netmask, or enter the Individual IP address (Fig. 5-27 Range to Detect Setup Wizard, Step 3). 6. Click Next to go to Step 4 of the Wizard:
  • Page 205: (Fig. 5-28 Range to Detect Setup Wizard, Step 4) 7. An entry for this step of the Wizard is optional. If there are destination IP address(es) to be ignored, enter the IP address and specify the Netmask, or enter the Individual IP address.
  • Page 206: 9. An entry for this step of the Wizard is optional. If there are ports to be excluded from filtering, enter each port number in the Individual Port field, and click Add (Fig. 5-29 Range to Detect Setup Wizard, Step 5). 10. Click Next to go to the final step of the Wizard:
  • Page 207: (Fig. 5-30 Range to Detect Setup Wizard, Step 6) 11. After reviewing the contents in all list boxes, click Finish to accept all your entries. As a result of these entries, the IP address(es) specified to be excluded will not be logged or filtered on the network. Because excluded addresses and ports bypass filtering and logging entirely, keep the ignore lists as short as possible and review them whenever the network changes.
  • Page 208: Step 1B: Block Web Access Via Ip Sub-Group Profile

    Step 1B: Block Web access via IP Sub-Group profile. NOTE: This step assumes that the IP Group and Sub-Group have already been created. 1. Select the IP Sub-Group from the tree. 2. Click Sub Group Profile in the pop-up menu to display the Sub Group Profile window. 3.
  • Page 209: 5. Click the Redirect URL tab to display the Redirect URL page (Fig. 5-32 Sub Group Profile window, Redirect URL tab). 6. Select “Default Block Page”, and then click Apply.
  • Page 210: 7. Click the Filter Options tab to display the Filter Options page. 8. Select filter options to be enabled, and click Apply. As a result of these entries, the machine will not be served the Authentication Request Form, and will use the default block page instead.
  • Page 211: Step 2: Modify The Global Group Profile

    Step 2: Modify the Global Group Profile. 1. Click Global Group in the tree to open the pop-up menu. 2. Select Global Group Profile to display the Category tab of the Profile window (Fig. 5-34 Global Group Profile window, Category tab). a.
  • Page 212: 3. Click the Port tab to display the Port page (Fig. 5-35 Global Group Profile window, Port tab). a. Enter the Port number to be blocked, and then click Add to include the port number in the Block Port(s) list box.
  • Page 213: 4. Click the Default Redirect URL tab to display the Default Redirect URL page (Fig. 5-36 Global Group Profile window, Redirect URL tab). a. Select “Authentication Request Form”. NOTE: Since the Authentication Request Form radio button selection uses the host name of the server, not the IP address,...
  • Page 214: 5. Click the Filter Options tab to display the Filter Options page. As a result of these entries, a user who does not have a filtering profile will be served the Authentication Request Form so he/she can be authenticated.
  • Page 215: Activate Nt Authentication

    Activate NT authentication. After testing the NET USE command, the next step is to add the NET USE command to users’ login scripts. We recommend that you add the 3-try login script to the existing domain login script.
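    A three-try logon script of the kind recommended above, written here as an added example (PowerShell, not 8e6’s supplied script; a batch file that loops over the same NET USE line does the same job). It assumes the authentication virtual IP is 192.168.0.20, as in the NET USE test earlier in this chapter, and that it runs in the user’s logon context so the connection is made with the user’s own domain credentials; the parameter names are this example’s own.

```powershell
# Three-try NET USE logon script for Tier 1 (net use based) authentication.
# Added example, not 8e6's own script. The virtual IP must match the
# "Virtual IP Address to Use for Authentication" field in the Authentication Settings window.
param(
    [string]$VirtualIp    = '192.168.0.20',   # assumption: site-specific value
    [int]   $Attempts     = 3,
    [int]   $RetrySeconds = 5
)

$share     = '\\' + $VirtualIp + '\R3000$'
$connected = $false

for ($try = 1; $try -le $Attempts; $try++) {
    # NET USE against the R3000's share presents the logged-on user's credentials;
    # a successful connection is what ties this workstation's IP to the user on the filter.
    $output = & net.exe use $share 2>&1
    if ($LASTEXITCODE -eq 0) {
        $connected = $true
        break
    }
    Write-Output ("NET USE attempt {0} of {1} to {2} failed: {3}" -f $try, $Attempts, $share, ($output -join ' '))
    if ($try -lt $Attempts) { Start-Sleep -Seconds $RetrySeconds }
}

if ($connected) {
    Write-Output "Connected to $share; the user is now identified to the R3000."
    exit 0
}
Write-Output "Could not connect to $share after $Attempts attempts; the user keeps the Global Group profile until authenticated."
exit 1
```

    A non-zero exit code lets the rest of the domain logon script, or a monitoring tool, notice workstations that never reached the filter; those users are the ones who fall back to the Global Group Profile described in Step 2 below.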
  • Page 216: Step 2: Modify The Global Group Profile

    Once this updated login script has been added to the domain, each time in to the R3000. Users will be blocked according to the profiles set up on the domain. Step 2: Modify the Global Group Profile. The last step of the activation process is to adjust the Global Group Profile to set the policy for members of an IP-based profile, or for users who are not authenticated.
  • Page 217: 1. Click Global Group in the tree to open the pop-up menu. 2. Select Global Group Profile to display the Category tab of the Profile window. 3. In the Category Profile page, select categories to block, pass, or white list, and indicate whether uncategorized sites should pass or be blocked. Because this is the profile an unauthenticated user receives, treat it as the fallback policy and keep it at least as restrictive as the group profiles.
  • Page 218: Chapter 6: Technical Support

    Chapter 6: Technical Support. For technical support, visit 8e6 Technologies’ Technical Support Web page at http://www.8e6.com/support/index.htm, or contact us by phone, by e-mail, or in writing. Hours: Regular office hours are from Monday through Friday, 8 a.m. to 5 p.m. PST.
  • Page 219: Office Locations And Phone Numbers

    Office Locations and Phone Numbers. 8e6 Corporate Headquarters (USA): 828 West Taft Avenue, Orange, CA 92865-4232 (Local, Domestic US, International). 8e6 Taiwan: RM B2, 13F, No. 49, Sec. 3, Minsheng E. Rd., Taipei 104, Taiwan, R.O.C. (Taipei Local, Domestic Taiwan, International). 8e6 China Beijing: Room 909, 9 Floor...
  • Page 220: Support Procedures

    Support Procedures. When you contact our technical support department: • You will be greeted by a technical professional who will • If your issue needs to be escalated, you will be given a • If your issue requires immediate attention, such as your •...
  • Page 221: Appendix A

    Appendix A: User/Group File Format and Rules. The file with user/group profiles you upload to the server must be set up in a specified format, with one complete user/group profile per line. The format for the file will differ depending on whether the file contains a list of user or group profiles for an NT or LDAP server.
  • Page 222: Rule Criteria

    Rule Criteria. Rule criteria consists of selections made from the following lists of codes that are used in profile strings: • Port command codes (Filter all ports; Filter the defined port number(s); Open all ports...) • Port Numbers • Filter Mode Values • Category command codes
  • Page 223: Filter Option Codes

    • Category Codes: For the list of category codes (short names) and their corresponding descriptions (long names), go to http://www.8e6.com/r3000help/files/2group_textfile_cat.html#cat NOTE: The list of library category codes and corresponding descriptions is subject to change due to the addition of new categories and modification of current categories.
  • Page 224: File Format: Rules And Examples

    File Format: Rules and Examples. When setting up the file to upload to the server, the following items must be considered: • Each profile must be entered on a separate line in the • Category Codes must be entered in capital letters. •...
  • Page 225: Nt User List Format And Rules

    NT User List Format and Rules. When setting up the “ntuserprofile.conf” file, each entry must consist of the username, and either a rule number or rule criteria (port, category, and filter mode specifications). A redirect URL can be included, if a specific URL should be used in place of the standard block page.
  • Page 226: Nt Group List Format And Rules

    NT Group List Format and Rules. When setting up the “ntgroupprofile.conf” file, each entry must consist of the group name, and either a rule number or rule criteria (port, category, and filter mode specifications). A redirect URL can be included, if a specific URL should be used in place of the standard block page.
  • Page 227: Ldap User List Format And Rules

    LDAP User List Format and Rules. When setting up the “ldapuserprofile.conf” file, each entry must consist of the Distinguished Name (DN), with each part of the DN separated by commas (,). The DN should be followed by a semicolon (;), and then a rule number or rule criteria (port, category, and filter mode specifications).
  • Page 228: • LDAP profile for a user with username “Public\, Joe Q.”, organizational units “Users” and “Sales”, domain “qc”, DNS suffix “.local”: Block all ports, Block Automobile and Entertainment categories, use filter mode 1, use standard block page, Google/Yahoo! Safe Search filter option enabled. Note the backslash before the comma in the username: a comma that is part of a DN value must be escaped so it is not read as the separator between DN parts.
  • Page 229: Ldap Group List Format And Rules

    LDAP Group List Format and Rules. When setting up the “ldapgroupprofile.conf” file, each entry must consist of the Distinguished Name (DN), with each part of the DN separated by commas (,). The DN should be followed by a semicolon (;), and then a rule number or rule criteria (port, category, and filter mode specifications).
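    The escaping rule matters when these files are generated or checked by script: a DN such as cn=Public\, Joe Q.,... contains a comma that belongs to the name, so splitting the line on every comma yields the wrong DN parts. The following parser is an added example (PowerShell, not 8e6’s tooling) that reads one line of ntuserprofile.conf, ntgroupprofile.conf, ldapuserprofile.conf or ldapgroupprofile.conf into its name/DN part and its rule part while honouring backslash escapes. Only the name-or-DN, semicolon, rule layout and the file names come from this appendix; the function names, the constructed sample line and its rule number are this example’s own, and the rule part is returned as text because the port, category and filter mode codes are defined in the Rule Criteria tables rather than interpreted here.

```powershell
# Added example, not 8e6 code: parse one profile line of the form
#   <DN or NT name>;<rule number or rule criteria>
# honouring "\," inside DN values (e.g. cn=Public\, Joe Q.).

function Split-Unescaped {
    # Split $Text on $Separator, ignoring separators preceded by a backslash.
    # $MaxParts greater than 0 limits the number of pieces; the remainder is left unsplit.
    param([string]$Text, [char]$Separator, [int]$MaxParts = 0)
    $parts = @(); $current = ''; $escaped = $false
    foreach ($ch in $Text.ToCharArray()) {
        if ($escaped)    { $current += $ch; $escaped = $false; continue }
        if ($ch -eq '\') { $current += $ch; $escaped = $true;  continue }
        if ($ch -eq $Separator -and ($MaxParts -le 0 -or ($parts.Count + 1) -lt $MaxParts)) {
            $parts += $current; $current = ''; continue
        }
        $current += $ch
    }
    $parts += $current
    return ,$parts
}

function ConvertFrom-R3000ProfileLine {
    # -Ldap: the part before ';' is a DN and is broken into RDNs; otherwise it is an NT user/group name.
    param([Parameter(Mandatory = $true)][string]$Line, [switch]$Ldap)
    $fields = Split-Unescaped -Text $Line.Trim() -Separator ';' -MaxParts 2
    if ($fields.Count -lt 2 -or $fields[1].Trim() -eq '') {
        throw "Profile line has no rule after the ';': $Line"
    }
    $subject = $fields[0].Trim()
    $parsed  = New-Object PSObject -Property @{ Subject = $subject; Rule = $fields[1].Trim(); Rdns = @() }
    if ($Ldap) {
        $rdns = foreach ($rdn in (Split-Unescaped -Text $subject -Separator ',')) {
            $kv = $rdn.Trim() -split '=', 2
            if ($kv.Count -ne 2 -or $kv[0].Trim() -eq '') { throw "Malformed RDN '$rdn' in DN: $subject" }
            # Unescape "\," only; any other escape sequence is left as written.
            New-Object PSObject -Property @{ Type = $kv[0].Trim().ToLower(); Value = $kv[1].Trim().Replace('\,', ',') }
        }
        $parsed.Rdns = @($rdns)
    }
    return $parsed
}

# Constructed sample: the user from the Appendix A example, assigned rule number 1 (a placeholder).
$sample = 'cn=Public\, Joe Q.,ou=Sales,ou=Users,dc=qc,dc=local;1'
$entry  = ConvertFrom-R3000ProfileLine -Line $sample -Ldap
$entry.Rdns | Format-Table Type, Value -AutoSize    # the cn value keeps its comma; five RDNs in total
"Rule: " + $entry.Rule
```

    Run the same function with -Ldap omitted over ntuserprofile.conf lines, and wrap the call in a loop over Get-Content to validate a whole file before uploading it; a line that throws is one the R3000 would not have accepted either.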
  • Page 230: Appendix B

    Appendix B: Ports for Authentication System Access. The following ports should be used for authentication system access:
    Type | Port | Function
    TCP  | 8081 | Used between the R3000’s transmitting interface and the SSL block page for Tier 2 or Tier 3 authentication.
    LDAP |      |
    LDAPS |     |
  • Page 231: Appendix C

    Appendix C: LDAP Server Customizations. The R3000 has been tested on common types of standard LDAP servers with default settings. However, due to the number of LDAP servers available, and the limitless ways in which any type of LDAP server can be configured, customizations may need to be made on such an LDAP fits either description.
  • Page 232: Appendix D

    Appendix D: Disable SMB Signing Requirements. SMB Signing is a Windows security feature that is not currently supported by the R3000. If you are running a Windows 2000 or Windows 2003 server and are using NTLM, then you need to make SMB Signing “not required.” Be aware of what this costs: SMB signing is the mechanism by which SMB peers detect tampered or relayed sessions, so making it not required weakens every SMB connection to that server, not only the R3000’s. Apply the change to the narrowest set of systems the R3000 actually authenticates against, and restore the requirement if the R3000 is removed. SMB Signing Compatibility: To find out whether SMB Signing on your Windows server is compatible with the R3000, refer to the chart below:...
  • Page 233: Disable Smb Signing Requirements In Windows 2003

    Disable SMB Signing Requirements in Windows 2003. By default, the SMB protocol in Windows 2003 is set to “Not Defined = On”. To disable (turn “Off”) SMB Signing, do the following: 1. From your Windows 2003 workstation, go to Start > All Programs >...
  • Page 234: 3. Select Properties to open the Domain Controllers Properties dialog box (Fig. D-2 Select Properties in the Domain Controllers pop-up menu; Fig. D-3 Domain Controllers Properties). 4. Click the Group Policy tab, choose the Default Domain Controllers Policy, and then click Edit to open the Group Policy Object Editor window:
  • Page 235: (Fig. D-4 Group Policy Object Editor window) 5. In the left panel, go to the Computer Configuration branch of the tree and select the Windows Settings folder to display the Windows Settings contents in the right panel (Fig. D-5 Group Policy Object Editor window, Windows Settings). 6.
  • Page 236: 7. Select Local Policies to display the contents of this folder in the right panel (Fig. D-6 Group Policy Object Editor window, Security Settings). 8. Select Security Options to display the contents of this folder (Fig.
  • Page 237: Scroll down and find “Microsoft network client: Digitally sign communications (always)”. 9. Right-click this item to open the pop-up menu, and select Properties to open the dialog box with the Security Policy Setting tab (Fig. D-9 Define this policy setting). Click in the “Define this policy setting”...
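    Before and after changing the policy, confirm what the server actually enforces: Group Policy writes these settings into the registry, and the registry is what the SMB service reads, so a policy edit that has not yet applied (or is overridden by another GPO) shows up here. The following check is an added example (PowerShell, not 8e6’s procedure). The registry paths and the RequireSecuritySignature and EnableSecuritySignature value names are the documented Windows ones; the output labels and the R3000Compatible column are this example’s own and encode the requirement stated above, that signing must not be required.

```powershell
# Added example, not 8e6 code: report the SMB signing settings enforced on this host.
# "Microsoft network client: Digitally sign communications (always)" is stored under
# LanmanWorkstation\RequireSecuritySignature; the matching "server" policy under LanmanServer.
$sides = @(
    @{ Role   = 'SMB client (LanmanWorkstation)'
       Policy = 'Microsoft network client: Digitally sign communications (always)'
       Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' },
    @{ Role   = 'SMB server (LanmanServer)'
       Policy = 'Microsoft network server: Digitally sign communications (always)'
       Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' }
)

foreach ($side in $sides) {
    $p = Get-ItemProperty -Path $side.Key -ErrorAction SilentlyContinue
    # An absent value means the policy is "Not Defined" and the operating system default applies.
    $require = if ($p -and $null -ne $p.RequireSecuritySignature) { [int]$p.RequireSecuritySignature } else { 'not set' }
    $enable  = if ($p -and $null -ne $p.EnableSecuritySignature)  { [int]$p.EnableSecuritySignature }  else { 'not set' }
    New-Object PSObject -Property @{
        Role                     = $side.Role
        Policy                   = $side.Policy
        RequireSecuritySignature = $require          # 1 = "always" (required); 0 = not required
        EnableSecuritySignature  = $enable           # 1 = sign when the peer agrees
        R3000Compatible          = ($require -ne 1)  # the R3000 needs signing to be not required
    } | Select-Object Role, RequireSecuritySignature, EnableSecuritySignature, R3000Compatible, Policy
}
```

    Run it on the domain controller after a gpupdate /force. A RequireSecuritySignature of 1 on the side the R3000 talks to means the policy edit above has not taken effect; a 0 on a domain controller is the weakened state the caveat in this appendix refers to, and is worth recording in the change log so it can be reverted.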
  • Page 238: Appendix E

    Appendix E: Obtain or Export an SSL Certificate. When using Web-based authentication, the LDAP server’s SSL certificate needs to be exported and saved to the hard drive, then uploaded to the R3000 so that the R3000 will recognize the LDAP server as a trusted source.
  • Page 239: Locate Certificates Folder

    2. Verify that the certificate authority has been installed on this server and is up and running, indicated by a green check mark on the server icon (see circled item in Fig. E-). Locate Certificates folder: 1. Go to Start > Run to open the Run dialog box. In the Open field, type in mmc.exe to specify that you wish to access the Microsoft Management Console (Fig.
  • Page 240: 3. From the toolbar, click Console to open the pop-up menu. Select Add/Remove Snap-in to open the Add/Remove Snap-in dialog box. 4. Click Add to open the Add Standalone Snap-in dialog box. 5. Select Certificates, and click Add to open the Certificates (Fig.
  • Page 241: (Fig. E-6 Certificates snap-in dialog box) 6. Choose “Computer account”, and click Next to go to the Select Computer wizard page (Fig. E-7 Select Computer dialog box). 7. Choose “Local computer: (the computer this console is running on)”, and click Finish to close the wizard dialog box.
  • Page 242: Export The Master Certificate For The Domain

    Export the master certificate for the domain. Notice that the snap-in has now been added to the Console Root folder (Fig. 1. Go to the right panel of the Console and select the 2. Right-click the certificate to open the pop-up menu, and
  • Page 243: This action launches the Certificate Export Wizard (Fig. E-10 Certificate Export Wizard). 3. Click Next to go to the Export Private Key page of the wizard (Fig. E-11 Export Private Key). 4. Select “No, do not export the private key”, and click Next to go to the Export File Format page of the wizard. The R3000 only needs the public certificate in order to trust the LDAP server; the CA’s private key must stay on the CA, and a file that contained it would be a serious exposure if it were copied around or uploaded.
  • Page 244: 5. Select “Base-64 encoded X.509 (.CER)” and click Next to go to the File to Export page of the wizard (Fig. E-12 Export File Format). 6. Enter the File name of the file to be exported, followed by (Fig.
  • Page 245: (Fig. E-14 Settings) 7. Notice that the specified settings display in the list box, indicating the certificate has been successfully copied from the console to your disk. Click Finish to close the wizard dialog box. 8. Close the Console. The certificate can now be uploaded to the R3000.
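    The wizard steps above (Computer account, no private key, Base-64 encoded X.509) can be reproduced from a script, which is useful when the export has to be repeated after a CA certificate renewal. The following is an added example (PowerShell, not 8e6’s procedure) that pulls the CA certificate from the local machine store and writes it in the same Base-64 .CER form. The subject text, the store name and the output path are assumptions to be replaced with your own values; the .NET X509Store and X509Certificate2 members used are standard.

```powershell
# Added example, not 8e6 code: scripted equivalent of the Certificate Export Wizard steps
# (Computer account store, no private key, Base-64 encoded X.509 .CER).
param(
    [string]$SubjectMatch = 'CN=qc-CA',                               # assumption: text found in the CA certificate's Subject
    [string]$StoreName    = 'Root',                                    # assumption: Trusted Root CAs; use 'CA' or 'My' if it lives elsewhere
    [string]$OutFile      = "$env:USERPROFILE\Desktop\ldap-ca.cer"     # assumption: where the wizard would have saved the file
)

$store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    $matches = @($store.Certificates | Where-Object { $_.Subject -like "*$SubjectMatch*" })
} finally {
    $store.Close()
}
if ($matches.Count -eq 0) { throw "No certificate whose Subject contains '$SubjectMatch' in LocalMachine\$StoreName" }
if ($matches.Count -gt 1) { throw "Subject filter '$SubjectMatch' matched $($matches.Count) certificates; make it more specific" }
$cert = $matches[0]

# X509ContentType.Cert emits only the public certificate (DER), the same as answering
# "No, do not export the private key" in the wizard; the CA's private key never leaves the CA.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

# Base-64 in 64-character lines between PEM markers is the "Base-64 encoded X.509 (.CER)" format.
$b64   = [Convert]::ToBase64String($der)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
$pem   = "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----`r`n"
[System.IO.File]::WriteAllText($OutFile, $pem, [System.Text.Encoding]::ASCII)

# Record what was exported so the thumbprint can be compared against what the R3000 shows after upload.
"{0}`nSubject: {1}`nThumbprint: {2}`nValid until: {3}" -f $OutFile, $cert.Subject, $cert.Thumbprint, $cert.NotAfter
```

    Compare the printed thumbprint with the certificate the R3000 reports after the upload; a mismatch means the wrong certificate (for example an expired predecessor with the same subject) was exported.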
  • Page 246: Export A Novell Ssl Certificate

    Export a Novell SSL Certificate. 1. From the console of the LDAP server, go to the tree in the left panel and open the Security folder to display the contents in the Console View (right panel) (Fig. 2. Find the tree’s folder and right-click it to open the pop-up
  • Page 247: Obtain A Sun One Ssl Certificate

    3. Click the Certificates tab to go to the Self Signed Certificate page. 4. Click Export to open the Export A Certificate pop-up window (Fig. E-17 Export A Certificate pop-up window). 5. Select “File in binary DER format” for the Output format. The path of the certificate displays in the Filename field.
  • Page 248: Appendix F

    Appendix F: Override Pop-up Blockers. An override account user with pop-up blocking software installed on his/her workstation will need to temporarily disable pop-up blocking in order to authenticate him/herself via the Options page (Fig. F-1 Options page). This appendix provides instructions on how to use an override account if typical pop-up blocking software is installed, as in the following products: Yahoo! Toolbar, Google Toolbar, AdwareSafe, Mozilla Firefox, and Windows XP...
  • Page 249: Yahoo! Toolbar Pop-Up Blocker

    Yahoo! Toolbar Pop-up Blocker. If pop-up blocking is enabled: 1. In the Options page (see Fig. F-1), enter your Username and Password. 2. Press and hold the Ctrl key on your keyboard while simultaneously clicking the Override button; this action opens the override account pop-up window. Add override account to the white list: If the override account window was previously blocked by the Yahoo! Toolbar, it can be moved from the black list and...
  • Page 250: 3. Select the source from the Sources of Recently Blocked Pop-Ups list box to activate the Allow button. 4. Click Allow to move the selected source to the Always Allow list (Fig. F-3 Allow pop-ups from source). 5. Click Close to save your changes and to close the dialog box.
  • Page 251: Google Toolbar Pop-Up Blocker

    Google Toolbar Pop-up Blocker. If pop-up blocking is enabled: 1. In the Options page (see Fig. F-1), enter your Username and Password. 2. Press and hold the Ctrl key on your keyboard while simultaneously clicking the Override button; this action opens the override account pop-up window. Add override account to the white list: To add the override account window to the white list so that it will always be allowed to pass, go to the Google Toolbar...
  • Page 252: Adwaresafe Pop-Up Blocker

    AdwareSafe Pop-up Blocker. If pop-up blocking is enabled: 1. In the Options page (see Fig. F-1), enter your Username 2. Press and hold the Ctrl key on your keyboard while Temporarily disable pop-up blocking: AdwareSafe’s SearchSafe toolbar lets you toggle between enabling pop-up blocking (# popups blocked) and disabling pop-up blocking (Popup protection off) by clicking the pop-up icon.
  • Page 253: Mozilla Firefox Pop-Up Blocker

    Mozilla Firefox Pop-up Blocker. Add override account to the white list: 1. From the browser, open the Preferences dialog box. 2. Go to the Category list box and select Privacy & Security > Popup Windows to display the Popup Windows page (Fig.
  • Page 254: Windows Xp Sp2 Pop-Up Blocker

    Windows XP SP2 Pop-up Blocker. Set up pop-up blocking: There are two ways to enable the pop-up blocking feature in the IE browser. Use the Internet Options dialog box: 1. From the IE browser, go to the toolbar and select Tools > 2.
  • Page 255: Use The Ie Toolbar

    Use the IE toolbar. In the IE browser, go to the toolbar and select Tools > Pop-up Blocker > Turn On Pop-up Blocker (Fig. F-8 Toolbar setup). When you click Turn On Pop-up Blocker, this menu selection changes to Turn Off Pop-up Blocker and activates the Pop-up Blocker Settings menu item.
  • Page 256: Add Override Account To The White List

    Add override account to the white list. There are two ways to disable pop-up blocking for the override account and to add the override account to your white list. Use the IE toolbar: 1. With pop-up blocking enabled, go to the toolbar and 2.
  • Page 257: Use The Information Bar

    Use the Information Bar. With pop-up blocking enabled, the Information Bar can be set up and used for viewing information about blocked pop-ups or allowing pop-ups from a specified site. Set up the Information Bar: 1. Go to the toolbar and select Tools > Pop-up Blocker > Pop-up Blocker Settings to open the Pop-up Blocker Settings dialog box (see Fig.
  • Page 258: 3. Click the Information Bar for settings options: 4. Select Always Allow Pop-ups from This Site; this action 5. Click Yes to add the override account to your white list NOTE: To view your white list, go to the Pop-up Blocker Settings dialog box (see Fig.
  • Page 259: Appendix G

    Appendix G: Glossary. This glossary includes definitions for terminology used in this user guide. ADS - Active Directory Services is a Windows 2000 directory service that acts as the central authority for network security, by letting the operating system validate a user's identity and control his or her access to network resources.
  • Page 260: directory service - Uses a directory on a server to automate administrative tasks for storing and managing objects on a network (such as users, passwords, and network resources users can access). ADS, DNS, and NDS (Novell Directory Services) are types of directory services. Distinguished Name (DN) - A string of “cn”...
  • Page 261: firewall mode - An R3000 set up in the firewall mode will filter all requests. If the request is appropriate, the original packet will pass unchanged. If the request is inappropriate, the original packet will be blocked from being routed through.
  • Page 262: minimum filtering level - A set of library categories and service ports defined at the global level to be blocked or opened. If the minimum filtering level is established, it is applied in conjunction with a user’s filtering profile. If a user does not belong to a group, or the user’s group does not have a filtering profile, the default (global) filtering profile is used, and the minimum filtering level does not apply to that...
  • Page 263: organizational unit (ou) - An attribute type that can be entered in the LDAP Distinguished Name for a user group. override account - An account created by the global group administrator or the group administrator to give an authorized user the ability to access Internet content blocked at the global level or the group level.
  • Page 264: search engine - A program that searches Web pages for specified keywords and returns a list of the pages or services where the keywords were found. service port - Service ports can be set up to be blocked. Examples of these ports include File Transfer Protocol (FTP), Hyper Text Transfer Protocol (HTTP), Network News Transfer Protocol (NNTP), Secured HTTP Transmission (HTTPS), and Other ports such as Secure Shell (SSH).
  • Page 265: Web-based - An authentication method that uses time-based profiles or persistent login connections. white list - A list of approved library categories for a specified entity’s filtering profile.
  • Page 267: Index

    Index. Numerics: 3-try login script 203; 8e6 Authenticator 23; 8e6 supplied category 17. A: Account tab 134; Address tab 131; ADS, definition 247; alert box, terminology 3; Alias List tab 137; Alias Name 138; always allowed 19; Anonymous Bind 134; attribute, definition 247; authentication: activate NT 203, activate on network 174...
  • Page 268: function in net use based process 25, login scripts 32; Authentication Settings window 70, join the domain 101; authentication solution, single user compatibility chart 53; Authentication SSL Certificate window 72; authmodule.log 79; Backup Domain Controller (BDC) 248; backup server, Novell eDirectory 141; Backup Server Configuration wizard 141; Block page 83...
  • Page 269: Create LDAP Domain dialog box 125; custom categories 17; Default Rule tab 139; dialog box, terminology 4; directory service, definition 248; directory, definition 247; Distinguished Name (DN): definition 248, LDAP protocol 28; DNS, definition 248; domain: definition 248, delete profile 145; domain component (dc), definition 248; domain controller, definition 248; Domain Name Service (DNS) 248...
  • Page 270: profile components 16, profile types 12, rules 20, static profiles 13, user, machine 14; firewall mode 61, definition 249; frame, terminology 4; FTP 59; gateway IP address 62; global administrator, definition 249; global filtering profile 14; global group 8; grid, terminology 4; group: global 8...
  • Page 271: definition 249; IP group 9, diagram 9; IPC share 25; Java applet 68; Java Plug-in 58; Java Runtime Environment 58; Java Virtual Machine 58; JavaScript 58; join the domain 102; LAN Settings window 62; LDAP: Active Directory Service usage 35, authentication protocol 23, definition 249, domain diagram 11...
  • Page 272: view files 78; login (or logon) script: definition 249, examples 32, usage 25; machine name, definition 249; Manually Add Group dialog box: LDAP 151, NT domain 114; Manually Add Member dialog box: LDAP 150, NT domain 113; master IP group 9, filtering profile 13; methods, authentication 27...
  • Page 273: name lookup, definition 250; NetBIOS Domain Name 132; NetBIOS name 70; Netscape Directory Server 127; Network Address Translation (NAT), definition 250; network requirements 59; NIC device 71; Novell 23; Novell eDirectory Agent 50, domain diagram 10, domain groups 10, profile file format 116; NT domain: add 103, Default Rule 107...
  • Page 274: PDC 102, definition 251; pop-up blocking, disable 236; pop-up box/window, terminology 5; primary IP address 63; Primary Domain Controller (PDC) 248; profile string: definition 251, elements 210; Profile window 120, LDAP domain 157; protocol: definition 251, LDAP 28, SMB 27; proxy server, definition 251; pull-down menu, terminology 5...
  • Page 275: screen, terminology 5; search engine, definition 252; secondary IP address 63; Select Groups/Members from Domain window 110; Server Message Block (SMB), definition 252; service port 18, definition 252; session-based authentication (Tier 3) 23; Set Group Priority window: LDAP domain 149, NT domain 111; Single Sign-On, Novell eDirectory authentication 50...
  • Page 276: technical support 206; text box, terminology 6; Tier 1 net use based authentication 25; Tier 1 and Tier 2 Script 39; Tier 2 time-based, Web-based authentication 36; Tier 2 Script 38; Tier 2, Tier 3 Web-based authentication 55; Tier 3 session-based, Web-based authentication 41; tiers, definition 252...
  • Page 277: wbwatch.log 79; Web-based authentication 54: block page authentication 82, SSL certificate 56; Web-based, definition 253; white list, definition 253; window, terminology 7; Windows 2003 SMB Signing 27; WINS Server 70, name resolution usage 29; workstation requirements 58.