SWG User Guide

Table of Contents (partial; page numbers refer to the printed guide)
About This Guide ......... 8
PART 1: Initial Management Console Tasks
Editing a Message Template ...... 26
Chapter 4.
Defining a Caching Policy ...... 52
Defining a Rule in a Caching Policy
Chapter 15. Implementing ICAP ...... 77
Configuring SWG To Provide ICAP Services ...... 77
Configuring SWG To Use External ICAP Services
Configuring A Device To Use An NTP Server ...... 105
Configuring Administrative Settings ...... 106
Importing Digital Certificates
About This Guide

The SWG User Guide provides the procedures that you perform on the Management Console to implement, use, and maintain Secure Web Gateway (SWG) in your organization. The Management Console is your interface to SWG.

It is important to note that this guide is not a reference guide. It does not provide a detailed description of all screens and fields, nor does it provide a detailed description of the concepts that apply to SWG and the Management Console. For that information, see the Management Console Reference Guide.

This guide assumes that:
• you have already installed the Secure Web Gateway in your organization. For installation instructions, see the Secure Web Gateway Installation Guide.
• you have set up the SWG using the Limited Shell. For setup instructions, see the Secure Web Gateway Setup Guide.
• you have already planned out your security needs.

This guide is divided into Parts and Chapters, organized in the sequence in which you are likely to use them when first implementing SWG. You can, of course, use any procedure at any time that you need.

SWG Documentation Set
The SWG documentation set includes the following guides:
• Secure Web Gateway Installation Guide
• Secure Web Gateway Setup Guide
• Management Console Reference Guide
• Management Console User Guide
• Secure Web Gateway User Security Policies In-Depth Guide
• Secure Web Gateway User Identification Guide
PART 1: Initial Management Console Tasks

This part contains the following chapters and procedures:
• Chapter 1: Getting Started
  • Performing Preliminary Tasks
    • Performing First Time Login, Password Change, and License Installation
    • Configuring The Mail Server
  • Performing Basic Tasks in the Management Console
    • Logging In and Logging Out
    • Changing Your Password
    • Committing Changes
    • Working in Multiple Windows
    • Relocating an Item in a Tree
    • ...
Chapter 1: Getting Started

This chapter contains the following topics:
• Performing Preliminary Tasks
• Performing Basic Tasks in the Management Console

Performing Preliminary Tasks

NOTES: This guide provides instructions for procedures that you perform on the Management Console. It does not provide detailed descriptions of Management Console concepts, screens, or fields. For that information, refer to the Management Console Reference Guide.

Before performing the preliminary tasks listed here, ensure that:
• SWG has been installed. For installation instructions, see the Secure Web Gateway Installation Guide.
• Limited Shell setup has been performed. For setup instructions, see the Secure Web Gateway Setup Guide.
• You have the License key for SWG.
• You have added the Policy Server IP to the Proxy Server Exceptions in your internet settings. Adding the Policy Server IP is optional, but it ensures optimum performance.

This section contains the following topics:
• Performing First Time Login, Password Change, and License Installation
• Configuring The Mail Server

Performing First Time Login, Password Change, and License Installation

When logging onto the Management Console for the first time: ...
3. Enter the administrator user name (default: admin) and password (default: finjan).
   NOTE: When logon to SWG is performed for the first time, the Change Password window is displayed; the password must be changed.
4. In the displayed Change Password window, do the following:
   a. Enter the current password for this administrator user.
   b. Enter a new password. Then re-enter the new password in the Confirm Password field.
   c. Click Change Password.
5. In the displayed License window, enter the License key, and then click Continue.
   The Management Console GUI is displayed.

Configuring The Mail Server

The Mail Server controls the sending of emails for system events, application events, and software updates. The server uses Simple Mail Transfer Protocol (SMTP). You need to define the settings for the Mail Server. You do this in the Mail Server Setting screen.

To configure the Mail Server
1. Select Administration > System Settings > Mail Server.
Performing Basic Tasks in the Management Console

This section describes the following tasks:
• Logging In and Logging Out
• Changing Your Password
• Committing Changes
• Working in Multiple Windows
• Relocating an Item in a Tree
• Customizing the Management Console Toolbar
• Using Keyboard Shortcuts

Logging In and Logging Out

To log into the Management Console
1.
you can wait and then click the icon only when it is convenient to distribute and implement the changes.

Working in Multiple Windows

If you are working in a window and need to access another window, you do not need to close your current window. You can open multiple tabs, each acting as a self-contained window.

To open and work in multiple windows
1. To open a tab that contains a window, click the icon. Another tab containing a window opens. By default, it says Management Wizard.
2. Navigate to the desired location in the new window.
3. To move to a different window, click the tab of that window.
4. To close a tab, click in the right corner of the tab.

Relocating an Item in a Tree

Depending on the item and tree, you can sometimes move an item to a different location in a tree.
Using Keyboard Shortcuts

Table 1 indicates the keyboard shortcuts that you can use to perform various actions in the Management Console.

Table 1: Keyboard Shortcuts

  Keyboard Shortcut    What it does
  -----------------    ------------
  (key not legible)    Activates (same as clicking) Edit
  (key not legible)    Activates (same as clicking) Cancel
  Alt+u                Opens the Users menu
  Alt+p                Opens the Policies menu
  Alt+s                Opens the Logs and Reports menu
  Alt+n                Opens the Administration menu
  Alt+l                Opens the Help menu
  Keyboard arrows      • When used in a menu, navigates inside the menu
                       • When used in a tree, navigates inside the tree
Chapter 2: Configuring/Adding Scanning Servers

SWG comes with default device settings. You can modify these defaults. Default settings are automatically applied to all new devices that you add. You can then modify the values for specific devices.

IMPORTANT: To ensure that optimal default values are applied to new devices, modify the default values before adding new devices.

SWG also comes with a default Scanning Server device group, Default Devices Group. You can create other device groups, and add scanning servers to any scanning server device group. For each Scanning Server device group, you can define schedules for automatic configuration and update of the devices in the group. You can also move devices from one group to another.

This chapter contains the following procedures:
• Configuring Device General Settings
• Adding Devices and Device Groups
• Moving Scanning Servers To a Different Group

Configuring Device General Settings

Use this procedure to modify default settings and, later, after you have added devices, to configure settings for specific devices.

NOTE: You can also:
• configure default and device-specific access lists, which can limit access to specific IPs or IP ranges. For instructions, see Configuring Default and Device-Specific Access Lists.
• select Scanning Servers for automatic update. For instructions, see ...

If you are ready to distribute and implement the changes in your system devices, click the icon.

To configure Device General settings
1.
   • To configure the settings for a specific Scanning Server, select <device_group> > <device_ip> > Scanning Server > General.
   The main window displays tabs for configuring the following: Downloads, Timeout, Transparent Proxy Mode, and Device Policy.
3. Click Edit.
4. In the Downloads tab, specify in megabytes the maximum scannable sizes for files downloaded or uploaded via the proxy.
5. In the Timeout tab, you can specify the following timeout values:
   IMPORTANT: It is highly recommended that you NOT modify the default timeout values in the Timeout tab.
   • Client Side Timeout — maximum lapse time between consecutive requests within the client-proxy connection before a timeout is declared.
   • Server Side Timeout — maximum lapse time between reception of consecutive pieces of data from the server before a timeout is declared.
   To enable and configure Transparent Proxy Mode, follow the instructions in Configuring Transparent Proxy Mode.
7. In the Device Policies tab, you can assign existing Identification, Device Logging, Upstream Proxy, and Caching policies, as defaults or to the specific device. If the needed policies are not yet defined, you can perform the policy assignments later. For instructions, see Chapter 9: ...
Adding Devices and Device Groups

SWG comes with a default group, Default Devices Group, for adding Scanning Servers, but you can add additional groups for holding scanning servers.

This section contains the following procedures:
• To add a Scanning Server Device Group
• To add a Scanning Server Device

To add a Scanning Server Device Group
1. Select Administration > System Settings > M86 Devices.
2. In the Device tree that is displayed in the left pane, right-click the Devices root and click Add Group. The New Group window displays two tabs for defining the group.
3. Specify a mandatory group name and optionally add a description.
To add a Scanning Server Device

Perform this procedure when you add devices for either local Scanning Servers or cloud Scanning Servers. You can identify the device by a specific IP or a range of IPs.

NOTE: Before you can add a scanner, you must ensure that the device is accessible and that you have its IP address.

1. Select Administration > System Settings > M86 Devices.
2. In the Device tree, right-click the Scanning Server Device Group to which the device should be added, and choose either of the following:
   a. If you will associate the device with a specific IP, choose Add Device.
   b. If you will add multiple devices within a specific IP range, choose Add Device By Range.
   The New Device screen is displayed in the main window. It contains several fields and tabs for configuring the device. The Status tab is informational; you do not define any values in this tab.
3. Specify the device IP or device IP range. For a range, after specifying the initial IP in the range, specify the last 3-digit set of the range in the field on the right.
4. Select the Device type. You can choose between Scanning Server (local) and Cloud Scanning Server. The All in One option is not available because the Policy Server is on a different device.
PART 2: Implementing Security Policies

This part contains the following chapters and procedures:
• Chapter 3: Defining and Customizing Security Policies
  • Editing a Pre-supplied Security Policy in Simplified Mode
  • Defining a Security Policy in Advanced Mode
  • Defining a Rule in a Security Policy
  • Defining Conditions in a Security Policy Rule
  • Creating a Block/Warn Message
  • Editing a Message Template
• Chapter 4: Defining and Managing Users
  • Setting Default User Policy Assignments
  • Defining and Managing LDAP Users
    • Adding and Configuring LDAP Directories
    • ...
Chapter 3: Defining and Customizing Security Policies

NOTE: The process of implementing security for users at your site involves performing the following tasks:
• Defining Security Policy, as described in this chapter.
• Defining User Groups and Users, and assigning them security policies. For instructions, see Chapter 4: Defining and Managing Users.
• Defining Identification policy. For instructions, see Chapter 5: Implementing Identification Policy.

SWG provides a number of pre-defined policies for different purposes. A main purpose is setting security, that is, determining how content is handled. Policies consist of three basic components: the Policy itself, rules which determine how to handle the content (for example, block or allow), and conditions which determine whether a particular rule is activated (for example, if a particular type of content is detected).

NOTE: Because of the order in which security policies are implemented, some policies might not be implemented due to the nature of a preceding policy, which can affect subsequent policies.

SWG provides two modes for defining and customizing Security Policy:
• Simplified — in Simplified mode, you can check or uncheck pre-supplied, customizable content items appearing in lists, to set whether those items, if detected, should activate the policy rule.
• Advanced — in Advanced mode, you edit actual policies, rules and conditions. Note that you cannot directly edit pre-supplied policies, but you can duplicate policies and edit the duplicates, or you can create policies from scratch.

Pre-supplied security policies come in three security levels — Basic, Medium, and Strict. M86 also provides special purpose advanced Security policies for different users and situations. These include:
• X-ray policy — allows the potential effect of the policy on the system to be evaluated without implementing its security actions. For non-X-ray policies, you can define rules as X-ray rules, also for purposes of evaluation. You can make a policy an X-ray policy by selecting the X-ray checkbox in the policy definition.
• M86 Emergency Policy — allows immediate site-wide implementation of special emergency measures.

You can also create Block/Warn messages for use in Conditions, and edit Message templates.

This chapter contains the following procedures:
• Editing a Pre-supplied Security Policy in Simplified Mode
• Defining a Security Policy in Advanced Mode
• Defining a Rule in a Security Policy
• Defining Conditions in a Security Policy Rule
• Creating a Block/Warn Message
• Editing a Message Template

Editing a Pre-supplied Security Policy in Simplified Mode

To edit a Security policy in Simplified mode
1.
6. Click Save.
7. If you are ready to distribute and implement the changes in your system devices, click the icon.

Defining a Security Policy in Advanced Mode

NOTE: This procedure does not apply to edits that you can perform on the actual predefined M86 Basic, Medium, and Strict Security Policies. For instructions on directly editing those predefined policies, see Editing a Pre-supplied Security Policy in Simplified Mode.

You cannot edit a pre-supplied Advanced Security Policy. However, you can duplicate a pre-supplied Advanced Security Policy and edit the duplicate; you can also create an Advanced Security policy from scratch.

To define a Security Policy in Advanced mode
1. Select Policies > Security > Advanced.
2.
2. Do any of the following:
   NOTE: Rules in a policy are checked sequentially from the top, and the first rule to be activated in a policy determines the handling of the content. Therefore, the sequential placement of rules in a policy is significant. For instructions on moving a rule within a policy, see Relocating an Item in a Tree.
   • To edit an existing rule, click the rule in the tree, and then in the main pane, click Edit.
   • To add a rule to a policy that has no rules, or to add a rule to the bottom of the rule list in the policy, right-click the policy and choose Add Rule.
   • To add a rule directly above an existing rule, right-click the existing rule, and select Insert Rule.
   The main window displays the Rule Definition screen. The screen contains three tabs: General, Applies, and Except.
3. Fill in the General tab as follows.
   a. Enter a name for the rule.
   b. Provide a description of the rule. The description is optional.
   c. For a rule that has an Enable Rule checkbox: ensure that the checkbox is appropriately selected or cleared depending on whether or not the rule should be enabled after being committed.
   d. If the rule should be an X-ray rule, but the policy is not an X-ray policy, select the X-ray checkbox.
   e.
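The note above (first matching rule wins, so rule order matters) and the policy/rule/condition model and X-ray option described at the start of this chapter are easy to misjudge when editing a policy in Advanced mode. The following Python model is an added example written for this edit; it is not M86 code and does not reproduce how SWG evaluates policies internally. It assumes a request is a dict with url, content_type and client_ip keys, that conditions are plain predicates, and that actions are strings; the rule names, policy names, URL and sample request are constructed. It shows the same two rules in two orders producing opposite outcomes, and an X-ray rule being recorded without changing the enforced action.

```python
"""Added example (not M86 code): first-match evaluation of a security policy
with optional X-ray rules, modelled on the behaviour the guide describes."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]          # assumed shape: url, content_type, client_ip
Condition = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    action: str                   # e.g. "Block", "Allow", "Coach"
    conditions: List[Condition] = field(default_factory=list)
    enabled: bool = True          # the Enable Rule checkbox
    xray: bool = False            # evaluate and record only; never enforce

    def matches(self, request: Request) -> bool:
        # A rule is activated only when every one of its conditions holds.
        return all(cond(request) for cond in self.conditions)


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    xray: bool = False            # an X-ray policy makes every rule X-ray
    default_action: str = "Allow" # assumed fallthrough when no rule fires


def evaluate(policy: Policy, request: Request) -> Tuple[str, List[str]]:
    """Return (enforced action, names of X-ray rules that would have fired).

    Rules are checked sequentially from the top; the first enabled, non-X-ray
    rule that matches decides the outcome. Matching X-ray rules are recorded
    but neither stop evaluation nor change the outcome.
    """
    would_fire: List[str] = []
    for rule in policy.rules:
        if not rule.enabled or not rule.matches(request):
            continue
        if policy.xray or rule.xray:
            would_fire.append(rule.name)
            continue
        return rule.action, would_fire
    return policy.default_action, would_fire


# Constructed conditions (stand-ins for SWG's built-in condition types).
def is_executable(req: Request) -> bool:
    return req["content_type"] == "application/x-msdownload"


def is_internal_tools_site(req: Request) -> bool:
    return req["url"].startswith("https://tools.example.internal/")


ALLOW_TOOLS = Rule("Allow internal tools", "Allow", [is_internal_tools_site])
BLOCK_EXE = Rule("Block executables", "Block", [is_executable])

# Same two rules, two orders: the outcome for an .exe from the tools site flips.
PERMISSIVE = Policy("Tools first", [ALLOW_TOOLS, BLOCK_EXE])
STRICT = Policy("Executables first", [BLOCK_EXE, ALLOW_TOOLS])
# Trialling the strict order without enforcing it: the block rule as X-ray.
TRIAL = Policy("Trial", [Rule("Block executables", "Block", [is_executable], xray=True),
                         ALLOW_TOOLS])

# Constructed sample request.
SAMPLE: Request = {"url": "https://tools.example.internal/setup.exe",
                   "content_type": "application/x-msdownload",
                   "client_ip": "10.0.0.5"}

if __name__ == "__main__":
    for p in (PERMISSIVE, STRICT, TRIAL):
        action, xray_hits = evaluate(p, SAMPLE)
        print(f"{p.name}: {action}; X-ray rules that would have fired: {xray_hits}")
```

Moving a rule is therefore a policy change in its own right, not a cosmetic one; evaluating a tightening as an X-ray rule first lets you see what it would have caught before it starts blocking users.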
Defining Conditions in a Security Policy Rule

To define conditions in a Security Policy Rule
1. In the Policy tree, expand the relevant policy and rule. For instructions on displaying the Policy tree, see Step 1 in the procedure To define a Security Policy in Advanced mode.
2. Do either of the following:
   • To edit an existing condition, click the condition in the tree, and then in the main pane, click Edit.
   • To add a new condition to a rule, right-click the rule and choose Add Condition.
   The main window displays the Condition Definition screen.
3. In the Condition Name field, select the type of condition in the drop-down list. For any selected condition type, the window displays an appropriate checkbox list. For detailed ...
Creating a Block/Warn Message

Block/Warn messages are sent to end users when the URL site they are surfing to has been blocked by the Secure Web Gateway or designated as a site requiring user approval or coaching action. User approval and coaching messages are referred to collectively as Warn Messages. The messages include placeholders which are replaced with real values when displayed to the end user. These messages are then selected for each Block/Coach/User Approval rule in the Security/HTTPS Policies as required.

To create a new Block/Warn message
1. Select Policies > End User Messages > Block/Warn Messages.
2. Right-click the top level heading and select Add Message.
3. Type in the Message Name. This field is mandatory.
4. In the Message section, enter the required message text.
5. Use the Placeholders drop-down menu to provide the end user with more information. For example, select Client IP, Malware Entrapment Profile Names, and Domain; be sure to click ...
Editing a Message Template

WARNING: It is recommended that you do not change message templates. Editing the Block/Warn pages may result in security vulnerabilities. If you do make changes, make them carefully and preview them before applying them. Also, do not use non-M86 form elements or JavaScript commands.

To edit a Message page
1. Select Policies > End User Messages > Message Template.
2. In the main window, click Edit.
3. In the Rule Action drop-down list, which displays the Select Rule Action to Edit instruction, select one of the listed block or warn rule actions. The Preview window displays the actual message as it will appear on the end user's computer.
4. To add elements to the message display:
   a. Place the cursor at the location in the preview where you want the element added.
   b. Select the element in the drop-down list. Element options include:
      • ...
Chapter 4: Defining and Managing Users

NOTE: The process of implementing security for users at your site involves performing the following tasks:
• Defining Security Policy. For instructions, see Chapter 3: Defining and Customizing Security Policies.
• Defining User Groups and Users, and assigning them security policies, as described in this chapter.
• Defining Identification policy. For instructions, see Chapter 5: Implementing Identification Policy.

The process for bringing users into the system and assigning them policies depends on the category to which users belong:
• LDAP Users
• M86 non-LDAP Users

Before bringing users into the system and assigning policies, you can alter which policies are set as the user defaults.

The rules of certain policies (Security, Logging, and HTTPS policies) allow you to specify to which users the rule should apply, and which users should be excluded from the application of the rule. One of the methods for identifying these users is by defining User Lists, which can then be specified in the rule definitions.

This chapter contains procedures for the following tasks:
• Setting Default User Policy Assignments
• Defining and Managing LDAP Users
• Defining and Managing M86 (Non-LDAP) Users
• Defining User Lists
Setting Default User Policy Assignments

To change which policies are set as the User defaults

NOTE: You can set default user policies for the following types of policies: Emergency, Master, Security, Logging, and HTTPS. Note the following points:
• Security, Logging and HTTPS policies automatically apply to all User Groups, LDAP Groups, and Unknown Users, except where you assign different policies of those types to specific groups or users.
• HTTPS and HTTPS Emergency policies are relevant only if HTTPS is licensed.
• Master Policy applies to Super Administrators. Most sites do not use this feature or policy. For information on Super Administrators, see Chapter 18: Defining Administrators.
• Emergency Policies — Emergency, and HTTPS Emergency when licensed, apply across the board. You cannot assign a different Emergency policy to different user groups or users.
Defining and Managing LDAP Users

This section contains the following topics:
• Adding and Configuring LDAP Directories
• Importing LDAP Groups
• Configuring LDAP Group Settings
• Importing LDAP Users
• Setting a Schedule For LDAP Directory Update
• Assigning Policies to Unassigned LDAP Users

Adding and Configuring LDAP Directories

To add and configure an LDAP Directory
1.
9. To enable the import of LDAP groups over SSL, select the Use secure connection checkbox. If you selected this checkbox:
   • If the Policy Server should not perform certificate validation before starting the SSL session, select the Ignore Certificate Validation checkbox.
   • If the Policy Server should validate the certificate on each connection, leave the Ignore Certificate Validation checkbox cleared. In this case, if the certificate is invalid, user import fails and an event such as a log, trap, or email is created.
10. To use Kerberos Authentication:
   NOTE: You cannot use Kerberos authentication if you use SSL authentication. To use Kerberos authentication:
   • A DNS server must be present, and all directory servers must be resolvable via the M86 SWG Appliance.
   • The times on the Policy Server and the directory machine must be synchronized.
   • You must have or create a Kerberos keytab file.
   a. Select the Do not check configuration settings on next save checkbox.
   b. Click Save and exit this window.
   c. Create the needed Kerberos keytab file if it is not already created.
   d. Import the keytab file as follows:
      i. Right-click this LDAP directory node in the LDAP directory configuration tree, and select Import Keytab. This displays the Kerberos Keytab Upload screen.
      ii. Upload the keytab file.
   e. Reopen this LDAP directory definition.
   f. Select the Use Kerberos Authentication checkbox.
   g. Clear the Do not check configuration settings on next save checkbox.
Importing LDAP Groups

NOTE: This procedure assumes that the required LDAP directories are defined.

To import LDAP Groups
1. Display the list of LDAP directories by selecting Users > Authentication Directories > LDAP.
2. If multiple LDAP directories have the same Base DN, to import the users from an LDAP directory in the set that was not created first, right-click that directory and select Set Importable.
3. Right-click the LDAP directory and choose Add Group.
4. In the main pane:
   a. If the list of LDAP Groups in the directory is not displayed, retrieve the list by clicking Retrieve LDAP Groups.
   b. Select the Select checkbox.
   c. In the list of LDAP Groups, click each group that should be imported.
   d. When done, click OK.
5.
Importing LDAP Users

LDAP users can only be imported into LDAP directories that you have already created. This section describes how to manually import LDAP users. You can also define a schedule for automatically updating LDAP directories with users. For more information, see Setting a Schedule For LDAP Directory Update.

NOTE: It is highly recommended that you import and configure relevant LDAP Groups before LDAP users are imported. When LDAP users are imported, those users belonging to groups that are already imported are placed in, and assigned the policies of, those groups. LDAP users whose groups are not already imported are treated as Unassigned LDAP users.

You can import LDAP users at any of several levels.

To import LDAP Users
1. Select Users > Authentication Directories > LDAP.
2. Do any of the following:
   • To import all LDAP Users into all LDAP directories, right-click the Directories root node, and select Import Users.
   • To import LDAP Users into a specific LDAP directory, right-click the LDAP directory and select Import Users.
   ...
6. Click Save.
7. If you are ready to distribute and implement the changes in your system devices, click the icon.

Defining and Managing M86 (Non-LDAP) Users

This section contains the following topics:
• Creating/Configuring User Groups
• Adding and Defining Users
• Moving Users To a Different Group

Creating/Configuring User Groups

SWG comes with a number of predefined User Groups. However, you can create additional user groups according to need.

This section contains the following tasks:
• Defining and Assigning Policies to User-Defined User Groups
• Assigning Policies to M86-Predefined User Groups

Defining and Assigning Policies to User-Defined User Groups

NOTE: Several user-defined User Group parameters are relevant only if your site supports a Cloud in Internal mode. In this case, you must configure the cloud (for instructions, see Configuring Cloud Settings in Internal Mode) before you configure the relevant user-defined User Group parameters.
...
3. Specify or edit a name for the group.
4. To assign the group different Security, Logging, and/or HTTPS policies, select the desired policies in the drop-down lists.
5. If in Internal mode, to enable certification of new users in the group and to prevent disabling of the Mobile Security Client, see To enable automatic certification of all new users in a group, and to prevent disabling of the Mobile Security Client.
6. In the IP Ranges section, displayed for all groups except the Unknown Users group, specify the IP address ranges (from/to values) for the group. Click the icon to add a row.
7. Click Save.
8. If you are ready to distribute and implement the changes in your system devices, click the icon.

Assigning Policies to M86-Predefined User Groups

SWG comes with the following predefined User Groups:
• Cloud User Groups: the Blocked Cloud Users group and Revoked Cloud Users group do not hold users, but the policies you assign to these groups are applied to users whose certificates are blocked or revoked.
• Independent Users group — this is where you create users who do not belong to a User Group. You can therefore assign Security, Logging, and HTTPS policies to each independent user.
• Unknown Users group — used for assigning appropriate Security, Logging and HTTPS policies to unidentified users who are browsing through SWG.

To assign policies to M86-predefined User Groups
1.
5. For the predefined Unknown Users group only: if you want unidentified User IDs or IP addresses added to the Unknown Users group, select the checkbox in the New Users area.
   NOTE: In the Blocked Cloud Users and Revoked Cloud Users groups, the IP Ranges section is not relevant and should be ignored.
6. Click Save.
7. If you are ready to distribute and implement the changes in your system devices, click the icon.

Adding and Defining Users

You can create users in the relevant user-defined User Groups, or in the pre-supplied Independent Users group if the user should not belong to a group.

Users in user-defined User Groups are automatically assigned the group's Security, Logging, and HTTPS policies; these assignments cannot be changed at the user level. Users in the Independent Users group are automatically assigned the site-default Security, Logging, and/or HTTPS policies. You can, however, change these assignments individually for each user.

To add/define a user
1. Select Users > Users/User Groups.
2. In the tree, do either of the following:
   • ...
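The IP Ranges entered per user group (step 6 of the user-defined group procedure) and the Unknown Users group described above together decide which group, and so which Security, Logging and HTTPS policies, a client that is identified only by its source IP ends up with. The Python below is an added example written for this edit, not M86 code and not a description of SWG's internal lookup; it assumes from/to ranges are written as "first-last", that the guide-supplied group name "Unknown Users" is the fallback, and that overlapping ranges should be reported rather than resolved silently, since the guide does not say how SWG resolves them. The group names, policy names, ranges and client addresses are constructed.

```python
"""Added example (not M86 code): resolve a client's source IP to a user group
from per-group from/to IP ranges, with Unknown Users as the fallback."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

UNKNOWN_USERS = "Unknown Users"   # predefined group name from the guide


@dataclass(frozen=True)
class IpRange:
    start: IPv4Address
    end: IPv4Address

    def __post_init__(self) -> None:
        if self.start > self.end:
            raise ValueError(f"range start {self.start} is after end {self.end}")

    def contains(self, addr: IPv4Address) -> bool:
        return self.start <= addr <= self.end

    def overlaps(self, other: "IpRange") -> bool:
        return self.start <= other.end and other.start <= self.end


@dataclass
class UserGroup:
    name: str
    security_policy: str          # assumed: one policy name per group
    ip_ranges: Tuple[IpRange, ...] = ()


def parse_range(text: str) -> IpRange:
    """Parse a constructed 'from-to' string such as '10.1.0.1-10.1.0.254'."""
    lo, sep, hi = text.partition("-")
    if not sep:
        raise ValueError(f"expected a from-to range, got {text!r}")
    return IpRange(IPv4Address(lo.strip()), IPv4Address(hi.strip()))


def find_overlaps(groups: List[UserGroup]) -> List[Tuple[str, str]]:
    """Report pairs of groups whose IP ranges overlap (a configuration smell)."""
    found: List[Tuple[str, str]] = []
    for i, a in enumerate(groups):
        for b in groups[i + 1:]:
            if any(ra.overlaps(rb) for ra in a.ip_ranges for rb in b.ip_ranges):
                found.append((a.name, b.name))
    return found


def resolve_group(groups: List[UserGroup], client_ip: str) -> UserGroup:
    """Return the single group whose range covers client_ip, else Unknown Users."""
    addr = IPv4Address(client_ip)          # raises on malformed input
    hits = [g for g in groups if any(r.contains(addr) for r in g.ip_ranges)]
    if len(hits) > 1:
        names = [g.name for g in hits]
        raise ValueError(f"{client_ip} matches more than one group: {names}")
    if hits:
        return hits[0]
    # No configured range covers this address: treat the user as unidentified.
    return next(g for g in groups if g.name == UNKNOWN_USERS)


# Constructed sample configuration.
SAMPLE_GROUPS: List[UserGroup] = [
    UserGroup("Finance", "M86 Strict Security Policy", (parse_range("10.1.0.1-10.1.0.254"),)),
    UserGroup("Engineering", "M86 Medium Security Policy", (parse_range("10.2.0.0-10.2.255.255"),)),
    UserGroup(UNKNOWN_USERS, "M86 Strict Security Policy"),   # no IP ranges, by design
]


def identify(client_ip: str) -> Tuple[str, str]:
    """Convenience wrapper over SAMPLE_GROUPS: (group name, security policy)."""
    group = resolve_group(SAMPLE_GROUPS, client_ip)
    return group.name, group.security_policy


if __name__ == "__main__":
    for ip in ("10.1.0.77", "10.2.14.9", "192.168.1.1"):
        print(ip, "->", identify(ip))
    print("overlaps:", find_overlaps(SAMPLE_GROUPS))
```

Two points follow from the model: an address outside every configured range silently lands in Unknown Users, so that group's policies are the effective default for any unexpected client; and overlapping ranges between groups make the outcome depend on resolution order, which is why the example refuses them rather than guessing.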
Moving Users To a Different Group

To move a user from one Group to another
1. If the User Group is not displayed, select Users > Users/User Groups.
2. In the tree, right-click the node of the source User Group from which you want to move users, and select Move Users. In the main window, the Move Users screen displays the Users in the selected group.
3. Select the checkbox of the users that should be moved. Note the following:
   • To select all the users, select the checkbox in the gray Name header line.
   • If the user list spans multiple pages, you can page through using the Next/Previous buttons.
   • ...
   • If useful, you can select/clear the Select checkbox to select/clear all items in the list, and then adjust the selected items as needed.
5. When done, click Save.
6. If you are ready to distribute and implement the changes in your system devices, click the icon.
PART 3: Configuring Advanced Network Settings

This part contains the following chapters and procedures:
• Chapter 5: Implementing Identification Policy
  • Defining and Customizing Identification Policy
  • Defining an Active Directory
• Chapter 6: Implementing Authentication
  • Configuring Default and Scanning Server Authentication
• Chapter 7: Defining and Customizing Upstream Proxy Policy
  • Defining an Upstream Proxy Policy
  • Defining a Rule in an Upstream Proxy Policy
  • Defining Conditions in an Upstream Proxy Rule
• Chapter 8: Enabling and Customizing Caching
  • ...
Chapter 5: Implementing Identification Policy

NOTE: The process of implementing security for users at your site involves performing the following tasks:
• Defining Security Policy. For instructions, see Chapter 3: Defining and Customizing Security Policies.
• Defining User Groups and Users, and assigning them security policies. For instructions, see Chapter 4: Defining and Managing Users.
• Defining Identification policy, as described in this chapter.

Identification policies define whether and how Scanning Servers will identify end users who are browsing via the Secure Web Gateway system. SWG has a number of pre-supplied Identification policies that use different mechanisms to perform Identification. If you choose an Authentication-type Identification policy, you must also define an Active Directory.

Regardless of the type of Identification policy, as soon as the Secure Web Gateway identifies a user by confirming a matching identifier, the assigned Security policy is enforced.

This chapter includes the following procedures:
• Defining and Customizing Identification Policy
• Defining an Active Directory

Defining and Customizing Identification Policy

M86 Security provides several predefined Identification Policies.

NOTE: Unlike with other pre-supplied policies, you can directly edit a pre-supplied Identification Policy.

To set and customize Identification Policy
1.
   • Read Headers — identifies users based on pre-authenticated HTTP headers, for regular scanners only.
   • Source IP only — identifies users by Source IP. This is the default policy.
   For more information, see the SWG User Identification Guide.
2. If you are choosing Authentication as the policy, before proceeding with the rest of the steps in this procedure, define the Active Directory. For instructions, see Defining an Active Directory.
3. Select Policies > Identification.
4. In the tree, expand the Policies root, and select and expand the policy that you are implementing.
5. To edit the rules in the policy, do the following:
   NOTE: Rules in a policy are checked sequentially from the top, and the first rule to be activated in a policy determines the handling of the content. Therefore, the sequential placement of rules in a policy is significant. For instructions on moving a rule within a policy, see Relocating an Item in a Tree.
   a. Select the rule and click Edit.
   b. Choose the Action, and fill in the accompanying fields, which vary according to the chosen action. The following instructions will help you choose the appropriate action and fill in the accompanying fields. For more information, see the Management Console Reference Guide.
      • ...
...Edit.
• To add a new condition to a rule:
i. Right-click the rule and choose Add Condition. The main window displays the Condition Definition screen.
ii. In the Condition Name field, select the type of condition in the drop-down list. The list contains the following Condition types:
• Destination Port Range — distinguishes the client application connecting to M86 SWG by the target destination port. The default rule allows the administrator to exclude a list of port ranges.
• Header Fields — limits direct internet access according to header name and value.
• IP Range — limits direct internet access according to IP ranges.
• Location — limits direct internet access according to the location of the scanning server, either Cloud or Local.
• URL Lists — limits direct internet access according to the target URL.
For any selected condition type, the window displays an appropriate checkbox list. For detailed information on condition types and the particular items in a condition list, see the Management Console Reference Guide.
b. Click Save.
8. Set the defined policy as the Identification Policy, as follows:
a.
b. Ensure that the Active checkbox is selected, unless there is a reason why you would not want it active.
c. Specify the Domain Name.
d. In the Domain Controller Selection Method field, select the appropriate value: Primary-Backup or Load Balancer.
e. For each Domain Controller, do the following:
i. Click the icon.
ii. Fill in the Controller Name.
iii. If the Authentication Server requires it, select the Force NTLM v2 checkbox.
f. For each Trusted Domain, do the following:
i. Click the icon.
ii. Fill in the domain name.
4. Click Save.
5. If you are ready to distribute and implement the changes in your system devices, click .
Chapter 6: Implementing Authentication

This chapter contains the following procedure:
• Configuring Default and Scanning Server Authentication

NOTE: Before performing the following procedures, ensure that you:
• Created an Active Directory. For instructions, see Defining an Active Directory.
• Defined/customized an Authentication-type Identification Policy. For instructions, see Defining and Customizing Identification Policy.

Configuring Default and Scanning Server Authentication

NOTE: For instructions on configuring NTLM Authentication on Windows 7, 2008 Server, and Vista, see the SWG Identification Guide.

To configure Authentication Settings
1. Select Administration → System Settings → M86 Devices.
2. Do either of the following in the configuration tree at the right:
• To configure Default Authentication settings, choose Devices → Default Values → Device Settings → Authentication.
• To configure Authentication settings for a specific Scanning Server, choose <device_group> → <device_ip> → Scanning Server → Authentication.
...
• If during the session the Scanning server should perform authentication for different Web sites:
i. Click Cookie.
ii. If the cookie should be encrypted, select the Use Encryption checkbox.
iii. If the cookie should be retained for the duration of the time-out interval, select the Persistent checkbox and set the time-out interval.
iv. Continue with Step 5.
5. In the Advanced tab, configure the Advanced Authentication Settings, as follows:
a. To enable token reuse:
i. Select the Enabled Challenge Token Reuse (NTLM Settings) checkbox.
ii. In the Random Challenge Token Reuse Number field, specify the number of times a Challenge Token can be reused.
iii. In the Challenge Token Lifetime field, specify the time in seconds before SWG generates a new Challenge Token.
NOTE: Using this option, and increasing the token usage number and time interval, saves authentication time and proxy resources, but decreases the system security level.
b. In the Active Directory Connection to Authentication Servers area, set the time-out and retry values for situations where the Active Directory does not respond to the Scanning Server requests for authentication:
i. In the Connection Timeout field, set the time-out, in seconds, before the Scanning Server considers the Active Directory as not in service.
ii. In the Try Reconnect After field, set the time-out, in seconds, before the Scanning Server retries connecting to the Active Directory.
c. If the Secure Web Gateway should work in Transparent Proxy mode, do the following in the Transparent Authentication area:
i. In the Virtual Redirection Hostname field, specify the host name to which browsers in ...
d. In the Replace Domain With field, specify the correct domain that should be used to replace erroneously specified "domains" entered by the user (for example, if the user specified a computer name instead of a domain name).
e. If an upstream proxy can and should authenticate users through the Secure Web Gateway system, select the Forward Upstream Proxy Authentication checkbox. In this case, Secure Web Gateway will not perform authentication, but will instead forward proxy authentication from the downstream client.
6. Click Save.
7. If you are ready to distribute and implement the changes in your system devices, click .
Chapter 7: Defining and Customizing Upstream Proxy Policy

By default, that is, when using the only pre-supplied Upstream Proxy policy, Scanning servers are allowed direct access to the internet in every situation. To limit Scanning server direct access in certain situations, and instead direct the Scanning server to an Upstream Proxy, you need to define an appropriate Upstream Proxy policy and assign it.

This chapter contains the following procedures:
• Defining an Upstream Proxy Policy
• Defining a Rule in an Upstream Proxy Policy
• Defining Conditions in an Upstream Proxy Rule

Defining an Upstream Proxy Policy

NOTE: You cannot edit a pre-supplied Upstream Proxy Policy. However, you can duplicate such a policy and edit the duplicate; you can also create an Upstream Proxy policy from scratch.

To define an Upstream Proxy Policy
1. Select Policies → Upstream Proxy.
2. Do one of the following:
• To create a policy from scratch, right-click the Policies root node in the tree, and choose Add Policy.
...
6. Continue with Defining a Rule in an Upstream Proxy Policy.
Defining a Rule in an Upstream Proxy Policy

If you duplicated a policy, it already has the same rules as were found in the original policy. You can edit these rules. You can also create new rules from scratch.

NOTE: Rules in a policy are checked sequentially from the top, and the first rule to be activated in a policy determines the handling of the content. Therefore, the sequential placement of rules in a policy is significant. For instructions on moving a rule within a policy, see Relocating an Item in a Tree.

To define a rule in an Upstream Proxy policy
1. In the Policy tree, expand the policy so that you display its existing rules. For instructions on displaying the Policy tree, see Step 1 in the procedure Defining an Upstream Proxy Policy.
2. Do any of the following:
•...
Defining Conditions in an Upstream Proxy Rule

To define conditions in an Upstream Proxy Rule
1. In the Policy tree, expand the relevant policy and rule. For instructions on displaying the Policy tree, see Step 1 in the procedure To define an Upstream Proxy Policy.
2. Do either of the following:
• To edit an existing condition, click the condition in the tree, and in the main pane, click Edit.
• To add a new condition to a rule:
a. Right-click the rule and choose Add Condition. The main window displays the Condition Definition screen.
b. In the Condition Name field, select the type of condition in the drop-down list. The list contains the following Condition types:
•...
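The first-match rule semantics stated in the NOTEs above (rules are checked sequentially from the top and the first rule activated decides the handling) together with the condition types listed for Identification policy conditions (Destination Port Range, Header Fields, IP Range, Location, URL Lists), shown as an added Python illustration that is not SWG or M86 code: the Request/Rule model, the condition helpers, the sample rules and the action labels Direct and Upstream Proxy are all constructed here as assumptions.

```python
"""First-match evaluation of an ordered policy rule list.

Added illustration modelled on the guide's description of policy rules;
not M86/SWG code. Data model and sample values are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable
from urllib.parse import urlsplit


@dataclass
class Request:
    """Constructed stand-in for what a Scanning Server would match on."""
    client_ip: str
    url: str
    headers: dict
    dest_port: int
    location: str  # "Cloud" or "Local", as in the Location condition


Condition = Callable[[Request], bool]


# One helper per condition type named in the guide (constructed semantics).
def ip_range(*cidrs: str) -> Condition:
    nets = [ip_network(c) for c in cidrs]
    return lambda r: any(ip_address(r.client_ip) in n for n in nets)


def url_list(*hosts: str) -> Condition:
    wanted = {h.lower() for h in hosts}
    return lambda r: (urlsplit(r.url).hostname or "").lower() in wanted


def header_field(name: str, value: str) -> Condition:
    return lambda r: r.headers.get(name, "").lower() == value.lower()


def dest_port_range(lo: int, hi: int) -> Condition:
    return lambda r: lo <= r.dest_port <= hi


def location(where: str) -> Condition:
    return lambda r: r.location == where


@dataclass
class Rule:
    name: str
    action: str                    # assumed labels: "Direct" / "Upstream Proxy"
    conditions: list = field(default_factory=list)  # all must hold (AND)
    enabled: bool = True           # the Enable Rule checkbox

    def matches(self, req: Request) -> bool:
        return self.enabled and all(c(req) for c in self.conditions)


def evaluate(rules, req, default="Direct"):
    """Walk rules top-down; the first enabled rule whose conditions all hold
    determines the action. Returns (rule name or None, action)."""
    for rule in rules:
        if rule.matches(req):
            return rule.name, rule.action
    return None, default


# Constructed sample policy: a narrow exception and a broad catch-all.
INTERNAL_BYPASS = Rule("Internal sites go direct", "Direct",
                       [url_list("intranet.example.test")])
FORCE_PROXY = Rule("All client traffic via upstream proxy", "Upstream Proxy",
                   [ip_range("10.0.0.0/8"), dest_port_range(80, 443)])

SAMPLE = Request(client_ip="10.20.30.40", url="http://intranet.example.test/",
                 headers={"User-Agent": "Mozilla/5.0"}, dest_port=80,
                 location="Local")


def ordering_demo(req=SAMPLE):
    """Same two rules in two orders: the placement of a rule changes the outcome,
    because the broad rule also matches the request meant for the exception."""
    exception_first = evaluate([INTERNAL_BYPASS, FORCE_PROXY], req)
    broad_first = evaluate([FORCE_PROXY, INTERNAL_BYPASS], req)
    return exception_first, broad_first


if __name__ == "__main__":
    for label, outcome in zip(("exception first", "broad rule first"),
                              ordering_demo()):
        print(f"{label}: matched {outcome[0]!r} -> {outcome[1]}")
```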
Chapter 8: Enabling and Customizing Caching

You can enable caching as the device default or enable caching for specific Scanning Servers. When caching is enabled, content is stored on the Server for future use, thereby speeding up response time. Before enabling caching, the prerequisite of installing the Caching Kit with the relevant licenses must be completed.

NOTE: Only HTTP responses are cached.

If you do enable caching, you must then ensure that an appropriate caching policy is set. By default, when caching is enabled, all content is cached. But you can use Caching policies to bypass caching or to determine which URLs or file extensions are cached.

This chapter contains the following procedures:
• Enabling Caching
• Defining a Caching Policy
• Defining a Rule in a Caching Policy
• Defining Conditions in a Caching Rule

Enabling Caching

To enable caching
1. Select Administration → System Settings → M86 Devices.
2. In the Device configuration tree, do either of the following:
• To configure caching as the device default, select Devices → Default Values → Device Settings → Cache.
•...
6. If you are ready to distribute and implement the changes in your system devices, click .
Defining a Caching Policy

NOTE: You cannot edit a pre-supplied Caching Policy. However, you can duplicate such a policy and edit the duplicate; you can also create a Caching policy from scratch.

To define, or duplicate and edit, a Caching Policy
1. Select Policies → Caching.
2. Do one of the following:
• To create a policy from scratch, right-click the Policies root node in the tree, and choose Add Policy.
• To duplicate a Caching policy, right-click the policy in the tree that you want to duplicate, and choose Duplicate Policy.
• To edit a policy that you previously created from scratch or by duplicating, select the policy in the tree, and then in the main window, click the Edit button.
5. If the rule has an Enable Rule checkbox, ensure that the checkbox is appropriately selected or cleared, depending on whether or not the rule should be enabled after being committed.
6. Choose the Rule Action, as follows:
• If web content should be cached, choose Cache.
• If web content should not be cached, choose Bypass Cache.
7. Click Save.
8. To make triggering of the rule conditional, continue with Defining Conditions in a Caching Rule.
9. To define additional rules in this policy, repeat this procedure.
10. If you are ready to distribute and implement the changes in your system devices, click .

Defining Conditions in a Caching Rule

To define conditions in a Caching Rule
1.
Chapter 9: Assigning Policies To Devices

The following types of policies are relevant at the device level: Identification, Device Logging (described in Chapter 19), Upstream Proxy, Caching, and ICAP clients.

NOTE: Some policy types (for example, Caching) require that the relevant functionality be enabled and defined. For details, see the Management Console Reference Guide.

SWG comes with specific policies of the above types assigned as the device defaults. You can set different policies of the above types as defaults, and you can assign other policies of the above types to specific devices.

This chapter contains the following procedures:
• Setting Device Policy Defaults
• Assigning Policies to Specific Devices

Setting Device Policy Defaults

To assign device default policies
1. Select Administration → System Settings → M86 Devices.
2. In the M86 Devices tree, expand the Devices root node, and select Devices → Default Values → Device Settings → General.
3. In the main window, click Edit.
4. In the Device Policies tab, set which policy will be the default for each of the particular policy types.
Assigning Policies to Specific Devices

To assign policies for specific devices
1. Select Administration → System Settings → M86 Devices.
2. In the M86 Devices tree, expand the Devices root node, and select <devices_group> → <device_ip> → Scanning Server → General.
3. In the main window, click Edit.
4. In the Device Policies tab, set which policy will be the default for each of the particular policy types.
5. When done, click Save.
6. If you are ready to distribute and implement the changes in your system devices, click .
PART 4: Configuring Logging and Alert Settings

This part contains the following chapters and procedures:
• Chapter 10: Defining and Customizing Logging Policy
  • Defining a Logging Policy
  • Defining a Rule in a Logging Policy
  • Defining Conditions in a Logging Rule
• Chapter 11: Configuring the Log Server
  • Configuring Log Server Settings
• Chapter 12: Configuring Alerts
  • Assigning Alert Channels to Event Types
  • Configuring SNMP Settings
  • Setting Thresholds For Security Alert Notification
Chapter 10: Defining and Customizing Logging Policy

Logging policy determines, at the user level, what types of user transaction events (blocked, allowed, or all) will be logged, and where the information is sent (logs, archives, reports, etc.). The only action that a Logging Policy rule can perform is to log the transaction or not log it. You can set different logging policies for different user groups and independent users.

This chapter contains the following procedures:
• Defining a Logging Policy
• Defining a Rule in a Logging Policy
• Defining Conditions in a Logging Rule

Defining a Logging Policy

NOTE: You cannot edit a pre-supplied Logging Policy. However, you can duplicate such a policy and edit the duplicate; you can also create a Logging policy from scratch.

To define a Logging Policy
1. Select Policies → Logging.
2. Do one of the following:
• To create a policy from scratch, right-click the Policies root node in the tree, and choose Add Policy.
• To duplicate a Logging policy, right-click the policy in the tree that you want to duplicate, and choose Duplicate Policy.
•...
Defining a Rule in a Logging Policy

If you duplicated a policy, it already has the same rules as were found in the original policy. You can edit these rules. You can also create new rules from scratch.

You can specify whether the rule should be applied to specific users and/or whether specific users should be excluded. One method is to specify User Lists to which the rule should or should not apply.

NOTE: If you will be using User Lists to identify the users to which the rule should or should not apply, be sure to define those lists. For instructions, see Defining User Lists.

To define a rule in a Logging policy
1. In the Policy tree, expand the policy so that you display its existing rules. For instructions on displaying the Policy tree, see Step 1 in the procedure Defining a Logging Policy.
2. Do any of the following:
NOTE: Rules in a policy are checked sequentially from the top, and the first rule to be activated in a policy determines the handling of the content. Therefore, the sequential placement of rules in a policy is significant.
...
• If you chose Select User Lists, select the checkboxes of the User Lists that contain the users to which the rule should apply.
5. To exclude specific users from application of the rule, select the Except tab, and select the checkboxes of the User Lists that contain the users who should be excluded.
6. Click Save.
7. To make triggering of the rule conditional, continue with Defining Conditions in a Logging Rule.
8. To define additional rules in this policy, repeat this procedure.
9. If you are ready to distribute and implement the changes in your system devices, click .

Defining Conditions in a Logging Rule

To define conditions in a Logging Rule
1. In the Policy tree, expand the relevant policy and rule. For instructions on displaying the Policy tree, see Step 1 in the procedure To define a Logging Policy.
7. Perform this step only if the condition name is Malware Entrapment Profile. The window displays a Security level setting line with the default setting, None. Depending on the policy type, it might also display an HTML Repair checkbox. Do the following:
a. To change the Security level setting, slide the sliding button to the appropriate value (for example, Basic or Strict). For information about the level, click the relevant level link (for example, Medium). The Secure Web Gateway Rule Updates window opens; this window gives you access to the relevant information.
b. If HTML pages should be repaired when needed, and the HTML Repair checkbox is displayed, select the checkbox.
8. Click Save.
9. If you are ready to distribute and implement the changes in your system devices, click .
Chapter 11: Configuring the Log Server

A lone Log Server always resides on the Policy Server machine. Log Relays resident on each device receive the following types of information, which is then collected from the relays by the Log Server and routed to the appropriate locations: Web transaction information from the Scanner, system message information from the System log, and Audit message information.

By default, the Log Server sends this information to the Log file and the Reports file, both of which are internal files. However, depending on the Logging Policy definition, the Log Server can also:
• send Scanner, System log and/or Audit information to the Syslog file
• and/or send Scanner information to an Archive (zip) file.

This chapter contains the following topic:
• Configuring Log Server Settings

Configuring Log Server Settings

This task consists of the following procedures:
• Configuring the Log Server
• Configuring Log Relays and their schedules
• Having log messages sent to the Syslog
• Configuring Scanner Messages sent to a Syslog
• Having Web Log messages sent to Archive
• Enabling and configuring log retention

Configuring the Log Server
1.
4. Do either of the following:
• To configure the Log Server, fill in the relevant tabs in sequence, as described below:
  • If your site has multiple scanners, configure their Log Relays and their schedules in the Collect Logs From tab. For instructions, see Configuring Log Relays and their schedules.
  • To have log messages sent to the Syslog, configure the target Syslog files in the Syslog Target tab. For instructions, see Having log messages sent to the Syslog.
  • If you are sending Scanning Server messages to a Syslog, define the configuration options for those messages in the Syslog Fields tab. For instructions, see Configuring Scanner Messages sent to a Syslog.
  • To have Scanner Web Log messages sent to the Archive, define the Archiving configuration in the Log Archiving tab. For instructions, see Having Web Log messages sent to Archive.
  • To enable log retention and configure how many weeks logs should be retained, define the configuration in the Log Retention tab. For instructions, see Enabling and configuring log retention.
• To disable the Log server, clear the Enable Log checkbox. Then click Save. If you are ready to distribute and implement the changes in your system devices, click .

Configuring Log Relays and their schedules

NOTE: This procedure is relevant only if your site is using multiple scanning servers.
In the Syslog Fields tab of the Log Properties screen, do the following:
1. In the Syslog format field, select the format that will be used to present information to the user:
• Legacy — Empty fields will not be shown in Syslog messages.
• Standard — Empty fields will be shown in Syslog messages.
• ArcSight — For sites using the external ArcSight server. If you choose this option, you must configure the IP and Port fields in the Syslog Targets tab with the IP and Port of the ArcSight server.
2. Select the syslog transaction fields that should be logged.
3. Do either of the following:
• To have log messages sent to Archive, continue with Having Web Log messages sent to Archive.
• If you have completed Log Configuration, click Save, and then, if you are ready to distribute and implement the changes in your system devices, click .

Having Web Log messages sent to Archive

NOTE: Ensure that the Send To: Archive checkbox is selected in the Logging Policy rules for logging information to be sent to Archive, and that the logging policy is assigned to users. If a rule's Archive checkbox is not selected, its logging information will not be sent to archive. To verify that Send To: Syslog is selected, see To define a rule in a Logging policy.

An additional archiving option is to integrate SWG with Security Reporter (SR). For more information on integrating SWG with SR, see How to connect SWG to Security Reporter via archiving.
In the Log Archiving tab of the Log Properties screen, do the following:
1. Specify the Log Archiving Locations as follows. Repeat these steps for each Archive location:
a. Click the icon.
b. If archiving should be enabled to this Archive, select the Enable checkbox.
c. In the Connection Method field, select the method that the Log Server uses to connect to the Archive location:
• FTP — connect using regular File Transfer Protocol.
• FTP Passive — connect using File Transfer Protocol in passive mode. Use this when there is a firewall located between the Policy Server and the remote FTP site.
• Samba — connect using the Server Message Block (SMB) communication protocol.
• SFTP — connect using Secure File Transfer Protocol.
d. Specify the Archive file Location, the User Name, and the Password. The format of the values that you specify depends on the connection method:

Connection Method         | Archive Location Format, User Name and Password
FTP, FTP Passive, or SFTP | Archive Location format is: •...
• If you have completed Log Configuration, click Save, and then, if you are ready to distribute and implement the changes in your system devices, click .

How to connect SWG to Security Reporter via archiving

In addition to the SWG Internal Reporting Tool, M86 Security provides support for integration with the Security Reporter. The Security Reporter (SR) is an advanced external reporter offering organizational, security, and productivity reports.

To connect SWG to SR via archiving:
1. Select Administration → System Settings → M86 Devices.
2. In the tree, under Devices, select Management Devices Group, then the default IP node, then Log Server, and then Log Properties.
3. Click Edit. The main window is opened for editing.
4. Click the Log Archiving tab.
5. In the Log Archiving Location area, click ...
Chapter 12: Configuring Alerts

Through the Alerts mechanism, SWG can notify you of system events, application events, update events, and security events. Besides System Log messages, SWG can send alerts through two different communication channels: Email messages and SNMP notification. If alert notification will go through SNMP, you must configure SNMP settings.

NOTE: Administrators can view Alerts sent via SNMP in the Dashboard, accessed via the icon. For more information, see the Management Console Reference Guide.

You can also enable and configure alert notifications if certain security thresholds are passed by incoming or outgoing traffic.

The task of configuring Alerts consists of the following procedures:
• Assigning Alert Channels to Event Types
• Configuring SNMP Settings
• Setting Thresholds For Security Alert Notification

Assigning Alert Channels to Event Types

To assign Alert Channels to Event Types
1. Select Administration → Alerts → Alert Settings. The Alert Settings window is displayed.
2. Click Edit.
3. For each type of Event, check the type of alert notification, either SNMP or Email, that should be ...
5. Click Save.
6. To distribute and implement the changes in your system devices, click .

Configuring SNMP Settings

If you are sending SNMP alerts, you must configure SNMP settings.

To configure the SNMP settings
1. Select Administration → Alerts → SNMP Settings. The General tab of the SNMP Settings window is displayed. In this tab, you configure the SNMP protocol for MIB Monitoring/Trap sending, as well as the ports. You also configure the Hostname/IP destination servers for receiving the SNMP traps.
2. Click Edit.
3. To enable SWG to perform MIB monitoring:
a. Ensure that the Enable MIB monitoring checkbox is selected.
b. In the Listening Port (input) field, specify the port on which SWG listens for SNMP queries. The default port is 161.
4. To enable SWG to send traps:
a. Ensure that the Enable Trap Sending checkbox is selected.
b. In the Trap Port (output) field, specify the corresponding Trap Port. The default port is 162.
5. If the Policy server should be the Trap Destination Server, select the Set Policy server as Trap Destination Server checkbox.
6. In the three entry fields to the right of the associated checkboxes, optionally specify up to three ...
... SNMP MIB Monitoring area, as instructed in the following substeps.
iv. In the Authentication Protocol field, select the Authentication Protocol: either the MD5 or the SHA verification checksum.
v. In the Authentication Key field, specify the user's authentication key, which signs the message being sent. There is a minimum 8-character requirement.
vi. In the Encryption Key field, specify the user's encryption key, which encrypts the data portion of the message being sent. There is a minimum 8-character requirement.
NOTE: The encryption mode (privacy protocol) used is the DES encryption algorithm.
b. Define the SNMP Traps parameters by doing either of the following:
NOTE: SNMPv3 mandates that trap messages are rejected unless the SNMPv3 user sending the trap already exists in the user database. The user database in an SNMPv3 application is referenced by a combination of the user's name (Security Name) and an automatically supplied identifier for the given SNMP application (engineID).
• To supply the same Security parameters (name, level, etc.) for SNMP Traps that you used for MIB Monitoring, select the Use SNMP MIB Monitoring Information checkbox.
• Otherwise, fill in a Security name, Security level, Authentication Protocol, Authentication key and Encryption key for SNMP Traps, the same as for MIB Monitoring in Step 8a.
9. To test that the traps are successfully sent to the SNMP servers, click the Test button. A test message will be sent to the defined server with the SNMP name, IP and SWG Software Version.
10. Click Save.
11. If you are ready to distribute and implement the changes in your system devices, click .
Setting Thresholds For Security Alert Notification

You can have administrators alerted when blocked incoming events (such as Malicious Activities, Viruses, Scripts, and Binary Content) and/or blocked outgoing events (such as URL Categorization, URL Lists, and Blocked Files according to file types) reach certain thresholds.

NOTE: An average percentage of blocked incoming events would be approximately 1%-5%. Above 7% of blocked data might indicate that there is some kind of security breach.

To set security thresholds for Alert Notification
1. Select Administration → Alerts → Security Settings.
2. In the Security Settings screen, click Edit.
3. Select the Enable Security Alerts When checkbox.
4. To enable alerts based on incoming traffic, select the checkbox dealing with incoming traffic notification and specify the following blocked incoming traffic figures:
•...
PART 5: Performing Monitoring and Maintenance

This part contains the following chapters and procedures:
• Chapter 13: Viewing Security and Component Statuses at a Glance
  • Viewing Security Status Information (Dashboard)
  • Viewing Dynamic Component Information
• Chapter 14: Viewing Logs
  • Viewing Logs
  • Creating, Editing, and Managing Log Profiles
  • Viewing Transaction Details (Web Log only)
• Chapter 16: Viewing and Working With Reports
  • Running and Viewing Reports
  • Creating or Modifying Report Definitions
  • Managing Reports
•...
Chapter 13: Viewing Security and Component Statuses at a Glance

To View Security Status Information At a Glance
1. Click the icon in the Management Console toolbar to display the Dashboard.
NOTE: If the Updates Available icon is lit, there are Security or other updates for your system. You should download them from Administration → Updates → Updates Management. For more information, see Viewing and Installing Updates.
2. In the title bar of the Performance area, select the device and time period for which you want to display the information. The values you select affect the other graphs displayed in the window. Alternatively, you can adjust the time period by moving the period slider that appears in a number of graphs. The time period can range from as far back as the last 12 months to as recently as the last 12 hours.
3. To display the details concerning the threat level, click the Threat Level link under the threat level gauge.
4. To display additional utilization details for a device, click the device in the Device Utilization area.
NOTE: The button is red if alert messages are available for the device; otherwise, the button is green.
For information about the gauges and graphs in the Dashboard, see the SWG Management Console Reference Guide.
Viewing Dynamic Component Information

Table 1 lists the components for which you can view dynamic information, what information is displayed, and where and how to access it. For descriptions of the displayed information, see the SWG Management Console Reference Guide.

Table 1: Dynamic Component Information
Component                   | Information Displayed                                                                                | How to Access
Device — status             | Sync status, Connection Status, Committing Status, Last connection time, and Device Role and Activity Status | Select Administration → System Settings → M86 Devices. In the configuration tree, click the device. Information is displayed in the Status tab.
Logs — Web, System and Audit | See Viewing Logs.                                                                                   | See Viewing Logs.
Scanning Engine             |                                                                                                      | Select Administration → System Settings → ...
Chapter 14: Viewing Logs

When viewing a log, you can perform a search for relevant IDs. You can also create filters, and create, edit, and manage log profiles, for each log type.

This chapter contains the following topics:
• Viewing Logs
• Creating, Editing, and Managing Log Profiles
• Viewing Transaction Details (Web Log only)

Viewing Logs

To view a log
1. Choose Logs and Reports → View <logtype>. The log is displayed with the default profile. The information displayed in each column for the log entries is generally self-explanatory. For a detailed description of the data, see the SWG Management Console Reference Guide.
2. Optionally, choose a different profile, which will adjust the columns displayed and the filtering of the display.
3. To edit the current profile, click ; to create a new profile, click . Then see Creating, Editing, and Managing Log Profiles for instructions.
4. To find a specific log entry, enter the ID in the Find <type> ID field and click . For System and Audit logs, specify a Log ID; for Web logs, specify a transaction ID.
5. To re-display the full display, click .
To delete all current log entries in the Log table, click .
NOTE: You cannot stop or reverse Log cleanup once you request it.
d. To add a URL that appears in a Web log entry to the URL list, right-click the icon for the particular entry, and choose Add to URL List. This will enable it to be blocked or allowed in the User policy.
To display the details of a Web Log transaction, see Viewing Transaction Details (Web Log only).

Creating, Editing, and Managing Log Profiles

A Profile is a definition of which columns to display in the Log view, and of the filtering specifications applied to each log entry. Each log type (Web, System, and Audit) comes with a default profile, and several have other profiles pre-supplied with the SWG application, but you can define additional profiles.

To create or edit a log profile
1. Select Logs and Reports → Log Profiles → View <logtype> Profiles.
NOTE: If you are displaying a log, to create a profile, click Manage Profiles, and continue with the next step. To edit the profile being used in the log display, click Edit Profile and skip the next step.
2. Do either of the following:
• To create a profile, right-click the Profiles root in the tree and choose Add Profile.
• To edit an existing profile, select the profile in the tree, and in the main panel, click Edit.
SWG User Guide

5. In the Filter tab, define filtering criteria as follows:
NOTE: At the bottom of the Filter tab is a toggle button Switch To Advanced Mode | Switch To Simple Mode.
• Simple Mode, which is the default mode, is useful when you define either a single filter, or when you define multiple filters that all have an AND relationship. This mode:
  • allows only AND relational operators; it does not allow OR operators.
  • does not display parentheses columns for defining complex relationships.
  • displays a Delete icon to the left of the Filter definition.
• Advanced Mode is useful when you are defining multiple filters having at least one OR relationship. This mode:
  • allows specification of AND and OR operators.
  • displays parentheses columns for defining complex relationships.
The procedures for defining filters for Logs and for Reports are very similar.
a. To add a new row, click . If a popup menu appears, select Add Filter.
b. In the Field drop-down list, select the required filter type.
c. In the Operator drop-down list that appears, select the relevant parameter (for example, Equals). Note that the Operator drop-down list varies according to the selected filter type.
...
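As an added example (not code from the guide or from M86), the following Python models the Simple/Advanced Mode rules above, which apply equally to Log profile filters and to the Report Parameters filters described later in this document: rows with AND/OR relations and parentheses columns, a check of whether a filter can still be shown in Simple Mode, and evaluation of the rows against constructed Web log entries. Operator names other than Equals, and the AND-over-OR precedence, are assumptions.

```python
"""Added example (not code from the SWG guide): models the filter rows of a
Log profile or Report definition. Each row is Field / Operator / Value; in
Advanced Mode a row may also carry "(" and ")" columns and an AND/OR relation
to the next row. Operator names other than Equals are assumptions."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "Equals": lambda actual, wanted: actual == wanted,
    "Not Equals": lambda actual, wanted: actual != wanted,
    "Contains": lambda actual, wanted: str(wanted) in str(actual),
}


@dataclass
class FilterRow:
    field: str
    operator: str
    value: Any
    open_paren: bool = False   # "(" column, Advanced Mode only
    close_paren: bool = False  # ")" column, Advanced Mode only
    relation: str = "AND"      # relation to the NEXT row: "AND" or "OR"


def can_switch_to_simple_mode(rows: List[FilterRow]) -> bool:
    """Simple Mode allows only AND relations and no parentheses; a filter
    that uses parentheses cannot be switched back (the guide's NOTE)."""
    if any(r.open_paren or r.close_paren for r in rows):
        return False
    return all(r.relation == "AND" for r in rows[:-1])


def _tokens(entry: Dict[str, Any], rows: List[FilterRow]) -> list:
    """Expand the rows into a token stream: bool, "(", ")", "AND", "OR"."""
    toks: list = []
    for i, r in enumerate(rows):
        if r.open_paren:
            toks.append("(")
        toks.append(OPERATORS[r.operator](entry.get(r.field), r.value))
        if r.close_paren:
            toks.append(")")
        if i < len(rows) - 1:
            toks.append(r.relation)
    return toks


def matches(entry: Dict[str, Any], rows: List[FilterRow]) -> bool:
    """Evaluate the rows against one log entry. AND binds tighter than OR
    (assumption; the guide does not state precedence, so use parentheses)."""
    toks = _tokens(entry, rows)
    pos = 0

    def parse_or() -> bool:
        nonlocal pos
        result = parse_and()
        while pos < len(toks) and toks[pos] == "OR":
            pos += 1
            result = parse_and() or result   # both sides are evaluated
        return result

    def parse_and() -> bool:
        nonlocal pos
        result = parse_atom()
        while pos < len(toks) and toks[pos] == "AND":
            pos += 1
            result = parse_atom() and result
        return result

    def parse_atom() -> bool:
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("filter ends unexpectedly")
        tok = toks[pos]
        pos += 1
        if tok == "(":
            inner = parse_or()
            if pos >= len(toks) or toks[pos] != ")":
                raise ValueError("missing closing parenthesis")
            pos += 1
            return inner
        if not isinstance(tok, bool):
            raise ValueError(f"unexpected token {tok!r}")
        return tok

    result = parse_or()
    if pos != len(toks):
        raise ValueError("unbalanced parentheses")
    return result


def filter_log(entries: List[Dict[str, Any]], rows: List[FilterRow]) -> List[int]:
    """Return the IDs of the entries the profile would display."""
    return [e["ID"] for e in entries if matches(e, rows)]


# Constructed Web log entries (a subset of the Web log columns).
WEB_LOG = [
    {"ID": 1, "User": "alice", "Action": "Block", "Category": "Gambling"},
    {"ID": 2, "User": "bob", "Action": "Allow", "Category": "Malware"},
    {"ID": 3, "User": "bob", "Action": "Allow", "Category": "News"},
]

# Advanced Mode filter: (User Equals alice AND Action Equals Block) OR Category Equals Malware
ADVANCED_FILTER = [
    FilterRow("User", "Equals", "alice", open_paren=True, relation="AND"),
    FilterRow("Action", "Equals", "Block", close_paren=True, relation="OR"),
    FilterRow("Category", "Equals", "Malware"),
]
```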
Viewing Transaction Details (Web Log only)

You can view the transaction details of any displayed Web Log entry.

To view the transaction details of an entry in the Web log
1. In the Web Logs display, click the icon or double-click the selected transaction for the particular entry, and choose Details or Open in a new window. The Transaction Entry Details window is displayed.
The Transaction Entry Details window contains a number of tabs (Transaction, User, Policy, and so on) that display information related to the transaction. For an explanation of the information displayed in the tabs, see the SWG Management Console Reference Guide.
The transaction is automatically scanned for Request and Response details, and if found, the Request and/or Response types are displayed in the tree under the Details root.
2. To display the details of a request or response, click the Request or Response entry in the tree.
3. If you opened the Details display in the same window as the Web log, to return to the log click Back.
Chapter 15: Implementing ICAP

Beginning with SWG release 10.2.0, SWG can provide ICAP Services and can use external ICAP Services. Prior to this release, SWG could only provide ICAP Services.

This chapter contains the following main topics:
• Configuring SWG To Provide ICAP Services
• Configuring SWG To Use External ICAP Services

Configuring SWG To Provide ICAP Services

To enable SWG to provide ICAP Services, you need to configure the ICAP Service module, previously called just “ICAP”, on the relevant scanning servers.
NOTE: Cloud scanning servers do NOT have or need an ICAP Service module.

To configure the ICAP Service module
1. Select Administration > System Settings > M86 Devices.
2. Do either of the following:
• To configure ICAP Service module defaults, choose Devices > Default Values > Device Settings > ICAP Service.
• To configure ICAP Service settings for a specific non-cloud scanning server, choose ...
• Blue Coat
• NetApp
• Generic
c. Specify the Source IP — the IP from which the ICAP client can use this scanner for the ICAP Services. Mandatory.
d. In the Weight field, specify the percentage of resources allowed to this client. The weighted range is 1 to 100.
NOTE: The sum of all weights specified for all clients must add up to 100. This is mandatory, as the weighting is calculated as a percentage of 100.
7. Click Save.
8. If you are ready to distribute and implement the changes in your system devices, click

Configuring SWG To Use External ICAP Services

To configure SWG to use external ICAP Services, that is, for SWG to act as an ICAP client, you must configure the ICAP Client module on the relevant scanning servers, and define an ICAP Forward Policy. However, before you can define an ICAP Forward Policy, you must define the ICAP Service Groups and their ICAP Services that will be identified in the ICAP Forward Policy rules.

This section contains the following topics:
• Configuring the ICAP Client
• Defining ICAP Service Groups
• Defining ICAP Services
• Defining an ICAP Forward Policy

Configuring the ICAP Client

To enable SWG to receive ICAP Services, you need to configure the ICAP Client module.
• I/O Timeout — Maximum number of seconds to wait for completion of a message transmission. Default: 120.
• Connection Reuse Timeout — Maximum number of seconds that the connection will be kept alive while idle after its previous use. Default: 300.
6. In the Keep Alive tab, specify the number of seconds between each health check of ICAP Services. The health check determines if the service is up and running. The default is 180 seconds.
7. Click Save.
8. If you are ready to distribute and implement the changes in your system devices, click

Defining ICAP Service Groups

You must identify/define the ICAP Services that SWG, as an ICAP client, can request. However, each ICAP Service must belong to an ICAP Service Group; therefore, before you can define an ICAP Service, you must define the group to which it will belong.

To define an ICAP Service Group
1. Select Policies > Condition Settings > ICAP Service Groups.
2. Do either of the following:
• To create an ICAP Service Group, right-click the ICAP Service Groups (root) node, and choose Add Group. The main window for defining the group is displayed.
• To edit an existing group, select the group node, and in the main window click Edit.
The ICAP Service Group window is displayed. This window contains two tabs:
•...
d. In the Health Check URL field, specify the URL to which the SWG scanner sends health check requests through the ICAP Service to ensure that the ICAP Service server is alive, or up and running.
NOTE: These requests are sent at the interval defined in the Keep Alive tab in the ICAP Client module.
e. In the Expected Return Code field, specify the return code expected from the Health Check URL. If this return code is received, it is an indication that the ICAP Service is alive.
4. Fill in the Advanced tab, as follows:
a. In the Connection Timeout field, specify the maximum number of seconds to wait for a health check connection to be established. Default: 60.
b. In the I/O Timeout field, specify the maximum number of seconds to wait for completion of a health check transmission. Default: 30.
5. When done, click Save.
6. If you are ready to distribute and implement the changes in your system devices, click
NOTE: You do NOT have to commit the ICAP Service Group before using it in an ICAP Forward policy rule.

Defining ICAP Services

To define an ICAP Service
1.
Preview Window — number of bytes the ICAP Service will preview, when supported. The default is 4096 bytes.
NOTES:
• The values returned by discovery replace the current values, and if the returned values differ from the ones they replace, the field is marked with a green asterisk.
• You can return the defaults by pressing the Cancel button, and you can override the returned values with your own.
• The ICAP client and ICAP Discovery can even work through a scanner that is not enabled as an ICAP client. This means that you can perform discovery through a scanner before defining the scanner's ICAP Client module, and use the results to determine if you want the scanner to be an ICAP client.

Defining an ICAP Forward Policy

ICAP Forward Policy identifies the ICAP Service Groups from which SWG can request ICAP Services, and defines behavior in case of an error.
NOTE: You cannot edit the pre-supplied ICAP Forward policy or Default ICAP Forward policy. However, you can duplicate the policy and edit the duplicate; you can also create an ICAP Forward policy from scratch.

To define an ICAP Forward Policy
1. Select Policies > ICAP Forward.
2. Do one of the following:
• To create a policy from scratch, right-click the Policies root node in the tree, and choose Add Policy.
• To duplicate an ICAP Forward policy, right-click the policy to be duplicated, and choose Dupli...
• To add a rule directly above an existing rule, right-click the existing rule, and select Insert Rule.
The main window displays the Rule Definition screen.
3. Enter a name for the rule.
4. Provide a description of the rule. The description is optional.
5. Ensure that the checkbox is appropriately selected or cleared, depending on whether or not the rule should be enabled after being committed.
6. Select the ICAP Service Group that will provide the ICAP Services.
7. Select the action that SWG should take in case of error. Possible actions:
• Fail open — In case of TCP failure, continue as if nothing happened.
• Fail close — In case of any ICAP conversation failure, fail the HTTP transaction.
8. Click Save.
9. To make rule triggering conditional, continue with Defining Conditions in an ICAP Forward Rule.
10. To define additional rules in this policy, repeat this procedure.
11. If you are ready to distribute and implement the changes in your system devices, click

Defining Conditions in an ICAP Forward Rule

To define conditions in an ICAP Forward Rule
1.
a. Right-click the rule and choose Add Condition. The main window displays the Condition Definition screen.
b. In the Condition Name field, select the type of condition in the drop-down list. For any selected condition type, the window displays an appropriate checkbox list. For detailed information on condition types and the particular items in a condition list, see the Management Console Reference Guide.
3. If the condition has any other special fields or requirements to fill in, fill them in appropriately.
4. Click Save.
5. If you are ready to distribute and implement the changes in your system devices, click
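The ICAP behaviour this chapter configures (service discovery and the Preview Window, the health check against an Expected Return Code with the Connection and I/O timeouts, the client weights that must sum to 100, and the Fail open / Fail close error action), as an added Python example that is not code from the guide or from M86. The OPTIONS response is constructed in the RFC 3507 layout; the client names and the treatment of an ICAP-level failure under Fail open are assumptions.

```python
"""Added example (not code from the SWG guide or from M86): models the ICAP
Service discovery, health check, client weighting and error-action behaviour
described in this chapter. The OPTIONS response format follows RFC 3507; the
sample response and all names below are constructed."""
import socket
from typing import Dict, Optional, Set, Tuple

DEFAULT_PREVIEW_WINDOW = 4096   # Preview Window default from the guide
CONNECTION_TIMEOUT = 60         # health check connection timeout default
IO_TIMEOUT = 30                 # health check I/O timeout default

# Constructed OPTIONS response from an ICAP service (RFC 3507 layout).
SAMPLE_OPTIONS_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD\r\n"
    b"Service: Example scanner (constructed)\r\n"
    b'ISTag: "ABC123"\r\n'
    b"Preview: 1024\r\n"
    b"Max-Connections: 50\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)


def parse_icap_options(raw: bytes) -> dict:
    """Parse the status line and headers of an ICAP OPTIONS response."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    version, code, *reason = lines[0].split(" ", 2)
    if not version.startswith("ICAP/"):
        raise ValueError("not an ICAP response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(code), "reason": " ".join(reason), "headers": headers}


def fetch_options(host: str, port: int, service_path: str,
                  connect_timeout: float = CONNECTION_TIMEOUT,
                  io_timeout: float = IO_TIMEOUT) -> bytes:
    """Live OPTIONS request using the two timeouts the Advanced tab sets.
    Not used by the offline checks below."""
    request = (f"OPTIONS icap://{host}:{port}{service_path} ICAP/1.0\r\n"
               f"Host: {host}\r\n\r\n").encode("ascii")
    with socket.create_connection((host, port), timeout=connect_timeout) as s:
        s.settimeout(io_timeout)
        s.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf:      # OPTIONS replies carry no body
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


def discover_service(raw: bytes, current: dict) -> Tuple[dict, Set[str]]:
    """Discovery: returned values replace the current ones; fields whose
    value changed are reported (the guide marks them with a green asterisk)."""
    h = parse_icap_options(raw)["headers"]
    discovered = dict(current)
    if "methods" in h:
        discovered["methods"] = [m.strip() for m in h["methods"].split(",")]
    if "preview" in h:
        discovered["preview_window"] = int(h["preview"])
    if "max-connections" in h:
        discovered["max_connections"] = int(h["max-connections"])
    changed = {k for k, v in discovered.items() if v != current.get(k)}
    return discovered, changed


def health_check_passed(raw: bytes, expected_return_code: int) -> bool:
    """The service counts as alive when the Expected Return Code comes back."""
    return parse_icap_options(raw)["status"] == expected_return_code


def validate_client_weights(weights: Dict[str, int]) -> bool:
    """ICAP client weights: each 1..100 and all weights sum to exactly 100."""
    values = list(weights.values())
    return all(1 <= w <= 100 for w in values) and sum(values) == 100


def http_transaction_allowed(action: str, failure: Optional[str]) -> bool:
    """ICAP Forward rule error action.
    Fail open: on TCP failure, continue as if nothing happened.
    Fail close: on any ICAP conversation failure, fail the HTTP transaction.
    failure is None (no error), "tcp" or "icap" (protocol-level failure)."""
    if failure is None:
        return True
    if action == "fail_close":
        return False
    if action == "fail_open":
        # The guide only states the TCP case for fail open; an ICAP-level
        # failure is treated as failing the transaction here (assumption).
        return failure == "tcp"
    raise ValueError(f"unknown error action {action!r}")
```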
Chapter 16: Viewing and Working With Reports

The M86 Security Reporting Tool comes with a number of predefined reports, that is, report definitions, that enable enterprises to analyze the activity and performance of the SWG system based on data stored in the Reports database.

This chapter contains the following topics:
• Running and Viewing Reports
• Creating or Modifying Report Definitions
• Managing Reports

Running and Viewing Reports

You can run reports on demand, that is, at any time, as needed. You can also define regular schedules for running reports. For details, see Defining Report Schedules.

To run a report on demand
1. Select Logs and Reports > Reporting Tool > Reports.
2. Expand the tree of report types as needed and display the report name in the tree; if you previously added it to your Favorites folder in the tree, you can find it there. For instructions on adding a report to the Favorites folder, see Adding Report Shortcuts to the Favorites Folder.
3. Right-click the report in the tree or Favorites folder, and choose Run Report.
4. In the main window, modify any parameters as needed. Pay special attention to the following:
5.
• If the Run in Background checkbox was selected, to view the report you must access the Report History. For instructions, see Viewing a Report's History.

Creating or Modifying Report Definitions

SWG comes with a number of predefined reports, listed by category in the Report tree. You can, of course, run a report as is. But you can also edit the definition of any report before running it, or duplicate a report and edit the definition of the duplicate, enabling you to define as many versions of the report as will be useful.

To create a report or modify an existing report
1. Select Logs and Reports > Reporting Tool > Reports. The reports tree displays the list of report categories. Under each category are the currently existing reports of that type.
2. Do either of the following:
•...
Depending on your selections, the Value field displays either a drop-down list or a blank field.
d. Select or specify a value in the Value field to complete your initial filter selection.
e. To define multiple filter criteria:
i. If an Or relationship is needed between any of the filters, click Switch to Advanced Mode.
ii. Repeat Step a through Step d for each filter. If you are in Advanced mode, be sure to select the appropriate relationship operators, and add any needed parentheses.
NOTE: A filter with parentheses cannot be switched back to Simple mode.
f. To delete a filtering row, click the icon if it is displayed. Otherwise, right-click the icon of the row, and choose Delete Filter.
6. Click Save.

Managing Reports

This topic includes procedures for the following:
• Defining Report Schedules
• Adding Report Shortcuts to the Favorites Folder
• Viewing a Report's History
•...
• run the report once at a specified date and time
• run the report daily, weekly, and/or monthly, at the specified times.
5. In the Report Target tab, which allows you to send the report to one or more targets, specify the following target information:
a. If the report should be stored on the appliance and appear in the Available Reports screen, select the Enable Available Reports checkbox. Note that there is a space limitation of 1 GB for locally saved reports and that older reports will be erased once this limit is reached.
b. If the report should be exported to the network location defined in Exported Reports Location, select the Export report checkbox.
c. To email the report to specific addresses, select the Email to checkbox, and for each address, click the icon, and specify the email address.
IMPORTANT: The icon is inactive, and emails cannot be sent, until mail server configuration is complete. You can navigate to Administration > System Settings > Mail Server to complete the configuration.
6. In the Columns tab, ensure that only the data items that should be in the report are selected.
7. In the Report Parameters tab, define the filtering criteria as follows. Note that this tab is very similar to the Filters tab in the Report definition, and works essentially the same:
NOTE: At the bottom of the Filter tab is a toggle button Switch To Advanced Mode | Switch ...
f. To delete a filtering row, click the icon if it is displayed. Otherwise, right-click the icon of the row, and choose Delete Filter.
8. Click Save.

Adding Report Shortcuts to the Favorites Folder

The Favorites folder serves as a repository for a selected group of reports created per Policy Server. It is designed to enable the administrator to view, schedule, or delete frequently used reports without scrolling through all Report Categories.

To add a report shortcut to the Favorites folder
1. If you are not already there, navigate to Logs and Reports > Reporting Tool > Reports.
2.
You can also define that scheduled reports be automatically exported. As part of this definition process, you must first define the Exported Reports Location. This requires that you choose a connection method. The chosen connection method, in turn, determines the content used to define your Report Location, User to connect with, and Password fields.

This section contains the following procedures:
• To manually export a currently-opened HTML report
• To define automatic export of a scheduled report
• To define the Exported Reports Location

To manually export a currently-opened HTML report
1. Place the cursor in the report area. A toolbar providing additional options is displayed.
2. Click . A standard Windows Explorer window opens.
3. Save the file as needed.

To define automatic export of a scheduled report
1.
Connection Method: Samba
User Name and Password Format:
• Report Location must include the server IP address and directory for your selected location, in the following format: //<server_ip_address>/dir (for example, //192.168.1.10/backup).
• User to connect with must include the workgroup name and the user name used when connecting to the Report Location, in the following format: workgroup/user (for example, marketing/nicole).
• Password should be the password used by the above user.
6. Click the Test button to verify the connection.
7. If it works, click Save.
8. If you are ready to distribute and implement the changes in your system devices, click
Chapter 17: Maintaining System

This section contains the following topics and procedures:
• Performing Manual Backup and Restore
• Viewing and Installing Updates
• Importing From and Exporting Policy Databases

Performing Manual Backup and Restore

This section contains the following procedures:
• To manually back up your system
• To restore a System backup
• To manually back up your Reports database
• To restore a Reports database backup

To manually back up your system
NOTE: Before performing backup, ensure that the backup settings have been configured. For instructions, see Configuring Backup Settings.
1. Select Administration > Rollback > Backup Now.
2. In the Backup Now window, specify a name or description for the backup file.
3. Click Backup.

To restore a System backup
NOTE: If you have implemented the High Availability Policy Server feature, you must disable ...
To manually back up your Reports database
1. Select Administration > Reports DB Backup > Backup Settings.
2. Ensure that the backup configuration parameters are set. For instructions, see Configuring Backup Settings.
3. Click Backup Now.

To restore a Reports database backup
1. Select Administration > Reports DB Backup > Backup Restore.
2. In the Restore window, click Edit.
3. Click the icon adjacent to the backup that should be restored, and select Restore from the drop-down menu.
...
To upload and/or install an update
1. Select Administration > Updates > Updates Management. The Updates Management window displays the list of available updates in the Available Updates tab. The following icons in the Status column indicate the retrieval status of the available updates:
— indicates that an available update has been retrieved successfully.
— indicates that an available update is in the process of being uploaded/installed.
— indicates that an upload/install has failed.
2. To upload an update, do either of the following as appropriate:
• If you are working remotely, click the Retrieve Updates button. It might take some time for the updates to be retrieved.
• To upload local updates, do the following:
i. Click Import Updates.
ii. In the displayed Import Local Update dialog box, click Browse and browse to the local location containing the updates provided by M86.
iii.
Importing From and Exporting Policy Databases

Administrators can export Security, HTTPS, Identification and Logging policy databases on a Policy Server to a file. They can then import policies, rules, conditions, and condition options from the exported database file into another Policy Server. This only refers to administrator-created Policies, Rules and Conditions, not to M86 default Policies, Rules and Conditions.
When exporting, the exported files are encrypted and saved to a location specified by the administrator, such as the local disk or a network drive.
NOTE: Items for which the administrator does not have write permissions will not be exported.
When importing items that have the same name as existing items, to avoid potential conflicts, you can choose to leave the existing items in place, overwrite existing items, or save the imported items under different names.

This task contains the following procedures:
• To export a policy database to a file
• To import policies, rules, and conditions from an exported database file
• To import condition options from an exported database file

To export a policy database to a file
1.
c. For individual conditions that are displayed in the Conditions table, select the desired actions; the same actions available for the policy in Step b are available for conditions.
d. If you chose to rename conditions, specify their new names in the New Component Name column.
e. Click OK.
NOTE: After importing any policy, be sure to check that it reflects the new licensed engine.
4. If you are ready to distribute and implement the changes in your system devices, click

To import condition options from an exported database file
This procedure is used to import sets of condition options, such as those that appear under Policies > Condition Settings (for example, File Extension Lists, URL Lists), from an exported database file.
1. Select Administration > Export/Import > Import. The Import window is displayed.
2.
• Scheduling Configuration And Security Updates for Scanning Server Device Groups
• Implementing High Availability
• Modifying LDAP Directory Advanced Settings
• Chapter 21: Implementing Cloud Security
  • Configuring Cloud Settings in PKI Mode
  • Configuring Cloud Settings in Internal Mode
  • Certifying and Managing Cloud Users
  • Defining a Private Cloud Scanner
• Chapter 20: Enabling HTTPS Scanning
  • Defining an HTTPS Policy
  • Defining a Rule in an HTTPS Policy
  • Defining Conditions in an HTTPS Rule
  • Configuring and Certifying HTTPS
• Chapter 15: Implementing ICAP
  • Configuring SWG To Provide ICAP Services
  • Configuring SWG To Use External ICAP Services
  • Configuring the ICAP Client
  • Defining ICAP Service Groups
PART 6: Performing Advanced Configuration...
  • Defining an ICAP Forward Policy
Chapter 18: Defining Administrators

SWG supports multiple administrators and administrator groups. All Administrator groups are characterized by the permissions that they are granted to access different items (for example, Alert Settings, or Block and Warn messages). All administrators are automatically assigned the permissions of the group to which they belong.
At least one administrator must be designated a Super Administrator. A Super Administrator is authenticated locally in the system even when RADIUS authentication is enabled, and has maximum allowable permissions. Super Administrators must belong to a predefined Super Administrators group.
If you are connected to a RADIUS Server, that server authenticates all administrators except Super Administrators. In this case, new administrators, that is, those not assigned to another group, are automatically placed in a group called the RADIUS Default Group.
If your site has implemented Master Policy usage, you can also assign a Master Policy to the Administrator Group.

This chapter contains the following sections:
• Creating/Editing an Administrator Group
• Creating/Editing an Administrator
• Setting Access Permissions
• Configuring RADIUS Server Authentication

Creating/Editing an Administrator Group

To create or edit an Administrator Group
1. Select Administration > Administrators.
4. Select the appropriate checkboxes for any desired password requirements and, for expiration, set the number of days. Note that enforcing a secure password means that the password will have to satisfy at least 3 of the following criteria:
• contains at least one uppercase alphabetic character (A-Z).
• contains at least one lowercase alphabetic character (a-z).
• contains at least one numeric character (0-9).
• contains at least one of the following characters: !@#$%^&*().
5. Edit the Permissions Definitions. For instructions, see Setting Access Permissions.
6. Click Save.
7. If you are ready to distribute and implement the changes in your system devices, click

Creating/Editing an Administrator

To create or edit an administrator
NOTE: If you plan to assign privileges higher than View Only to a new administrator who ...
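An added Python example (not code from the guide or from M86) that checks a proposed administrator password against the secure-password rule in step 4 above, that is, at least 3 of the 4 listed character classes, and applies the group's expiration-in-days setting. Characters outside the four listed classes count toward none of them; whether a password is treated as expired on the boundary day itself is an assumption.

```python
"""Added example (not code from the SWG guide or from M86): checks a
proposed administrator password against the secure-password rule (at least
3 of the 4 character classes the guide lists) and the expiration in days."""
from datetime import date, timedelta
import string

CLASS_SETS = {
    "uppercase": set(string.ascii_uppercase),   # A-Z
    "lowercase": set(string.ascii_lowercase),   # a-z
    "numeric": set(string.digits),              # 0-9
    "special": set("!@#$%^&*()"),               # exactly the characters listed
}
MIN_CLASSES = 3


def character_classes(password: str) -> set:
    """Names of the classes that occur at least once. Characters outside
    all four sets (for example '-' or a space) count toward no class."""
    return {name for name, chars in CLASS_SETS.items()
            if any(c in chars for c in password)}


def meets_secure_password_rule(password: str) -> bool:
    return len(character_classes(password)) >= MIN_CLASSES


def password_report(password: str) -> dict:
    """What an administrator would want to see when a password is rejected."""
    present = character_classes(password)
    return {
        "accepted": len(present) >= MIN_CLASSES,
        "classes_present": sorted(present),
        "classes_missing": sorted(set(CLASS_SETS) - present),
        "still_needed": max(0, MIN_CLASSES - len(present)),
    }


def password_expired(last_changed: date, expiration_days: int, today: date) -> bool:
    """Expiration is configured in days in the group definition. The password
    is treated as expired from the day the period ends (assumption)."""
    if expiration_days <= 0:
        raise ValueError("expiration must be a positive number of days")
    return today >= last_changed + timedelta(days=expiration_days)
```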
Setting Access Permissions

You can assign access permissions using either the Categories View tab or the Grid View tab. The procedure is the same for both Administrator Group definitions and Administrator definitions.
• Assigning permissions using the Categories View tab
• Assigning permissions using the Grid View tab

Assigning permissions using the Categories View tab
IMPORTANT: It is recommended that the RADIUS Default Group be assigned View Only permissions, so that higher permissions are not granted to every administrator authenticated by the RADIUS server.
1. If the Administration Group or Administrator definition screen is not displayed:
a. Select Administration > Administrators.
b. In the tree pane, select the Administrator or Group for which you want to define access permissions.
c. In the main window, click Edit.
2.
4. Where necessary, adjust the permission value, beginning with the highest data level and then moving down the data levels, by selecting the desired level in the Access column.
5. Repeat as necessary.
NOTE: To allow Administrator Groups to view Web Logs for users belonging to other Administrator Groups, set View Access permission for those groups that should be granted permission, under the Class: Web Log Admin Group / Sub Class: Others.
6. Click Save.
7. If you are ready to distribute and implement the changes in your system devices, click

Configuring RADIUS Server Authentication

You configure RADIUS Server Authentication on the Policy Server.
NOTE: To ensure that the process runs efficiently, it is highly recommended that your SWG use NTP synchronization. For more information, refer to the Limited Shell commands in the SWG Setup Guide.

To configure the RADIUS Server connection and authentication
1. Select Administration > System Settings > M86 Devices.
2. In the Device configuration tree, select Management Devices Group > <device_ip> > Policy Server > RADIUS Authentication.
3. In the RADIUS Authentication window, click Edit.
7. In the accompanying Port field, enter the RADIUS authentication port. This is the port on which the servers will communicate.
8. Optionally, enter Secondary Authentication host and port values.
9. In the Shared Secret field, enter a password to define a shared string that authenticates the client and the server.
10. Select a number from the Retry Limit drop-down menu (for example, a retry limit of 6 times).
11. Select a number from the Retry Interval drop-down menu to define the interval, in seconds, between each attempt.
NOTE: If your browser, specifically IE6, freezes during login, you should try solving the problem by reducing the number of seconds set in the Retry Interval field.
12. Click Save.
13. If you are ready to distribute and implement the changes in your system devices, click
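How a RADIUS client actually uses the Shared Secret, Retry Limit and Retry Interval configured in steps 9 to 11, as an added Python example that is not code from the guide or from M86. The User-Password attribute of an Access-Request is hidden with MD5 keyed by the shared secret (RFC 2865 section 5.2), so the secret is the only protection for the administrator password on the wire and should be long and random; the user, secret and authenticator values below are constructed, and reading Retry Limit as the number of attempts is an assumption.

```python
"""Added example (not code from the SWG guide or from M86): a minimal RADIUS
client showing how the Shared Secret hides the User-Password attribute
(RFC 2865 section 5.2) and how Retry Limit / Retry Interval drive retries.
All values used (user, secret, authenticator) are constructed."""
import hashlib
import os
import struct
import time
from typing import Callable, Optional

ACCESS_REQUEST = 1          # RADIUS Code for Access-Request
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each 16-byte block with
    MD5(secret + previous ciphertext block); block 1 uses the authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does). The NUL
    padding is stripped, so trailing NULs in a password would be lost."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2 header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)   # fresh random per request
    attrs = attribute(ATTR_USER_NAME, username.encode("utf-8"))
    attrs += attribute(ATTR_USER_PASSWORD,
                       hide_password(password.encode("utf-8"), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def send_with_retries(send: Callable[[bytes], Optional[bytes]], packet: bytes,
                      retry_limit: int = 6, retry_interval: float = 1.0,
                      sleep: Callable[[float], None] = time.sleep) -> Optional[bytes]:
    """Retry Limit is taken as the number of attempts (assumption) and Retry
    Interval as the pause between them, so a login can block for up to
    retry_limit * retry_interval seconds when the server is unreachable;
    that is the wait the guide's IE6 note suggests shortening."""
    for attempt in range(retry_limit):
        reply = send(packet)           # None models a timeout / no answer
        if reply is not None:
            return reply
        if attempt < retry_limit - 1:
            sleep(retry_interval)
    return None
```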
Chapter 19: Performing Additional Configuration Tasks

This chapter includes the following configuration tasks and procedures:
• Adjusting Network Settings For a Device
• Configuring A Device To Use An NTP Server
• Configuring Administrative Settings
• Importing Digital Certificates
• Configuring Backup Settings
• Configuring Automatic Update Handling
• Defining and Customizing Device Logging Policy
  • Defining a Device Logging Policy
  • Defining a Rule in a Device Logging Policy
• Configuring Default and Device-Specific Access Lists
• Configuring Transparent Proxy Mode
• Scheduling Configuration And Security Updates for Scanning Server Device Groups
• Implementing High Availability
• Modifying LDAP Directory Advanced Settings

Adjusting Network Settings For a Device

This procedure explains how to use the config_network Limited Shell command to modify a ...
The Limited Shell works by prompting you to enter a value, often in response to displayed information. For example, it might display a numbered list and ask you to enter the number of the item you want to choose; or it might request that you enter specific information.
2. At the prompt, enter the config_network command. The current network configuration is displayed. The following data is displayed:
• interfaces, and the status (Enabled or Disabled) of each.
• DNS cache status, DNS Search Domain, nameserver (a nameserver is a network server that provides a naming or directory service), and Hostname configuration.
A prompt asks if you would like to change the configuration.
3. Enter y to change the network configuration. The Limited Shell then displays several numbered options. Table 1 lists these options, and describes the edits that each of the options allows you to perform.

Table 1: Main options of config_network
Option | Edits you can perform from this option
1. View | none
2. Interface | Choose a particular interface, and then:
  • Change, Add, or Remove its IP Address
  • Add, Remove, or change its route. Format: <ip_address>/[<netmask>|<prefix>] via <prefix_ip>. For example: 1.1.1.1/32 via 10.0.3.
  •...
Configuring A Device To Use An NTP Server

This procedure explains how to use the Limited Shell to configure the device to use an NTP server.

To configure a device to use an NTP Server
1. Log in to the Limited Shell. You can connect using an SSH client, a serial cable, a directly connected keyboard and monitor, or, in the case of a VM, the vSphere client.
2. Enter the config_time command. A prompt is displayed asking you if you would like to change the time configuration.
3. Enter y to change the time configuration. The screen displays a number of Time and Date configuration options.
4. Enter 3, the option for NTP server.
5.
Configuring Administrative Settings

This procedure explains how the administrator can:
• Set the amount of idle time, in minutes, after which the current session times out and requires the user to log in again.
• Force the administrator to provide a relevant comment to be sent to the Audit log whenever a configuration change is committed.
• Enable the automatic sending of blocked transaction and browsing habit data to the M86 Security Labs Malware team, according to a specified schedule.
• Determine which icons to show in the Management Console toolbar.

To configure Administrative Settings
1. Select Administration > System Settings > Administrative Settings.
2. Click Edit.
3. In the Administrative Settings screen, ensure the General tab is displayed.
4. In the Console Timeout field, set the number of idle minutes that will result in the current session timing out.
...
Importing Digital Certificates

This section explains how to import digital certificates, how to edit their details, and how to check to which rules and policies the certificates are applied.
The M86 Certificate Store is used to maintain imported digital certificates. Managing the M86 Certificate Store includes adding root CAs, adding Certificate Revocation Lists (CRLs), adding untrusted CAs, and then applying them to specified rules.

This section contains the following procedures:
• To import and edit a digital certificate

To import and edit a digital certificate
1. Select Administration > System Settings > Digital Certificates.
2. In the tree pane, right-click Digital Certificate, and select Import Certificate from the drop-down menu. The Import Digital Certificate screen is displayed in the main window.
3. Browse to the required file location and then import the file, making sure that the file has the correct PEM extension. The imported certificate appears in the Digital Certificate list.
4.
• Reports DB backups — these backups save, to an external location, data in the Reports database.
As part of configuration, you can enable automatic backup. Once backup is configured, you can also run backups manually as the need arises (for example, before applying updates, or before performing major configuration or setting changes to your system).

To configure backup settings
1. Do either of the following:
• To configure System Backup, select Administration > Rollback > Rollback Settings.
• To configure Reports DB Backup, select Administration > Reports DB Backup > Backup Settings.
2. In the main window, click Edit.
3. In the Connection Method field, select the method that SWG should use to connect to the Backup file storage location:
• FTP — connect using regular File Transfer Protocol.
• FTP Passive — connect using File Transfer Protocol where there is a firewall located between the Policy Server and the remote FTP site.
• Samba — connect using the Server Message Block (SMB) communication protocol.
• SFTP — connect using Secure File Transfer Protocol. This is available for System backups only.
4. Specify the Backup file location, User name and Password. The format of these values depends on the connection method:
Connection Method | User Name and Password Format
FTP, FTP Passive, or ...
Configuring Automatic Update Handling

Using the Updates Configuration window, you can define:
• When and how often the updates should be downloaded
• Which types of updates should be automatically installed

Note that if the Internet connection is blocked for the SWG appliance, you can still receive updates by routing them through a proxy.

To configure automatic Update Handling
1. Select Administration > Updates > Updates Configuration.
2. Click Edit.
3. To automatically install any of the following types of updates (Security, Critical OS Update, OS Version Update), select the accompanying checkboxes.
4. To route the update information through a proxy (useful if SWG is blocked from Internet connections), fill in the following details about the Next Proxy Server in the Proxy Configuration area:
• IP of the next proxy server
• Port of the next proxy server
• User Name and Password required to access that proxy server
5. To enable and schedule the download of updates, fill in the following details in the Retrieve Updates Automatically area:
a. Select the Retrieve Updates Automatically checkbox.
b. Specify the Start Date and Start Time of the download.
c. In the Download Every fields, specify the frequency, in days, hours, and minutes, that down-...
Defining and Customizing Device Logging Policy

Device Logging policy determines, at the device level, what types of transactions carried out by the Identification and Upstream Proxy Policies will be logged. M86 Security provides a single, predefined Device Logging Policy having several rules. You can set different device logging policies for different devices.

This task consists of the following procedures:
• Defining a Device Logging Policy
• Defining a Rule in a Device Logging Policy

Defining a Device Logging Policy

NOTE: You cannot edit a presupplied Device Logging Policy. However, you can duplicate such a policy and edit the duplicate; you can also create a Device Logging policy from scratch.

To define a Device Logging Policy
1.
To define a rule in a Device Logging policy
1. In the Policy tree, expand the policy so that you display its existing rules. For instructions on displaying the Policy tree, see Step 1 in the procedure Defining a Device Logging Policy.
2. Do any of the following:
• To edit an existing rule, click the rule in the tree, and then in the main pane, click Edit.
• To add a rule to a policy that has no rules, or to add a rule to the bottom of the rule list in the policy, right-click the policy and choose Add Rule.
• To add a rule directly above an existing rule, right-click the existing rule, and select Insert Rule.
The main window displays the Rule Definition screen.
3. Enter a name for the rule.
4. Provide a description of the rule. The description is optional.
5. If the rule has an Enable Rule checkbox, ensure that the checkbox is appropriately selected or cleared, depending on whether or not the rule should be enabled after being committed.
7. If you are ready to distribute and implement the changes in your system devices, click

Configuring Default and Device-Specific Access Lists

The Access List feature enables you to limit access to an SWG device. The following Access List definitions provide three access limitation options:
• Management Access List — Used for specifying the IPs of administrators who can access the Management Console, SSH, and SNMP. For example, to block access to the Management Console for certain administrators, specify only the IP addresses of authorized administrators. If Access Lists are enabled, that is, the User Access List checkbox is selected, at least one IP must be specified in this list, preferably the IP of the machine accessing the Management Console. This ensures that access to the Management appliances is not totally blocked.
• Users Access List — Used for controlling which Scanning Servers end users can browse through. You specify the IP ranges that are allowed to use the SWG Scanning Server. Users whose IPs are in the allowed range can browse; other users are blocked.
• Access to M86 SWG system ports — Used for controlling which device IPs have access to the SWG system.

It is recommended that you use the procedure first to modify the default settings, and later, after you have added devices, to configure settings for specific devices.

To limit IP access by defining Access Lists
1.
Configuring Transparent Proxy Mode

By default, Explicit Proxy Mode is used. However, to enable FTP, HTTPS, and HTTP requests to be intercepted, you should enable and configure Transparent Proxy Mode. Working in transparent mode requires a network environment that can support it, for example an external switch/router that redirects the traffic to SWG, or setting SWG in bridge mode or as the default gateway.

To configure Transparent Proxy Mode
1. Select Administration > System Settings > M86 Devices.
2. In the Device configuration tree, do either of the following:
• To configure Default settings, select Devices > Default Values > Device Settings > General. Values you define here will apply to all new devices that you create.
• To configure the settings for a specific Scanning Server, select <device_group> > <device_ip>...
Scheduling Configuration and Security Updates for Scanning Server Device Groups

You can define schedules to apply configuration and security updates to the devices in Scanning Server Device Groups.

NOTE: The schedules that you define go according to the time of the Policy Server, not the local client time.

To define configuration and security update schedules for the devices in a Scanning Server Device Group
1.
Passive Policy Server.

NOTE: Implementation of High Availability requires that:
• Your Active primary and secondary Policy Server be on its own device, NOT on an All-In-One device.
• The device that will house the secondary Passive Policy Server is accessible and that you know its IP address.
To be able to use a virtual IP address that will automatically route to the Active Policy Server (see Step 5), both Policy Servers must be on the same network.

In the event of failure of the Active Policy Server, SWG automatically fails over to the secondary Policy Server, making it the primary Active Policy Server. When the failed server can again be used, SWG designates it as the Passive Policy Server. To switch it back to being the Active Policy Server, you must manually perform the change using the Limited Shell command failover. For more information on Limited Shell commands, see the Management Console Reference Guide.

To implement High Availability
1. Select Administration > System Settings > M86 Devices.
2. In the Device tree that is displayed in the left pane, right-click the Management Devices Group node and choose Add HA Device.
3. In the main window, fill in the mandatory Device IP, and optionally fill in a description. Note that ...
4. In the User Identifier Attribute field, specify the attribute that is used to indicate a user's unique identifier. The value of this attribute will be compared to the user name provided by the proxy authentication. If left blank, users will be identified by their DNs.
5. In the Email Attribute field, specify the attribute that is used to indicate a user's email.
6. In the User Object Filter field, define, in LDAP query syntax, the filter that can optionally be used to identify user objects.
7. In the Group Identifier Attribute field, specify the attribute that is used to indicate a group's unique identifier. The Management Console will use the value of this attribute when displaying group names and assigning policies. If left blank, users will be identified by their DNs.
8. In the Group Object Filters field, define, in LDAP query syntax, the filter that will be used to identify group objects.
9. In the Connection Timeout field, set the maximum number of seconds to wait for an unanswered LDAP query, after which users will not be imported. If set to 0, the system default of 120 seconds is used.
10. In the Group User Hierarchy Method area, select how the group-user relationship is implemented in the LDAP directory. The attribute types are as follows:
• memberOf Attribute — Means that each user has zero or more memberOf attributes, each specifying a group to which the user belongs.
•...
CHAPTER 20: ENABLING HTTPS SCANNING

If your site will be using HTTPS scanning, you must perform the following tasks:

IMPORTANT: HTTPS must be licensed at your site in order for you to enable HTTPS scanning.

• Defining an HTTPS Policy
• Defining a Rule in an HTTPS Policy
• Defining Conditions in an HTTPS Rule
• Configuring and Certifying HTTPS

Defining an HTTPS Policy

HTTPS Policies define which HTTPS sites are fully bypassed, which are inspected, which request user approval to continue, and which are blocked. The blocking mechanism is based on Black Lists, URL categorization, and checking whether Certificates have errors or comply with validation criteria. You can customize both a regular HTTPS policy and an HTTPS Emergency policy.

NOTE: You cannot edit a presupplied HTTPS Policy. However, you can duplicate such a policy and edit the duplicate; you can also create an HTTPS policy from scratch.

To define an HTTPS Policy
1. Select Policies > HTTPS.
2. Do one of the following:
• To create a policy from scratch, right-click the Policies root node in the tree, and choose Add Policy.
•...
5. When done, click Save.
6. Continue with Defining a Rule in an HTTPS Policy.

Defining a Rule in an HTTPS Policy

If you duplicated a policy, it already has the same rules as were found in the original policy. You can edit these rules. You can also create new rules from scratch.

You can specify whether the rule should be applied to specific users and/or whether specific users should be excluded. One method is by specifying User Lists to which the rule should or should not apply.

NOTE: If you will be using User Lists to identify users to which the rule should or should not apply, be sure to define those lists. For instructions, see Defining User Lists.

To define a rule in an HTTPS policy
1. In the Policy tree, expand the policy so that you display its existing rules. For instructions on displaying the Policy tree, see Step 1 in the procedure Defining an HTTPS Policy.
2.
f. For the Block HTTPS rule action only: If the blocked page message should not be displayed to the end user, select the Do Not Display End User Message checkbox.
4. To apply the rule to specific users, select the Applies tab, and click the radio button for the category of users to which the rule should apply. Note the following:
• All Users is the default.
• All Recognized Users: all users identified by the system.
• All Unrecognized Users: Unknown users and/or Unassigned LDAP users. For more information, see the Management Console Reference Guide.
• If you chose Select User Lists, select the checkboxes of the User Lists that contain the users to which the rule should apply.
5. To exclude specific users from application of the rule, select the Except tab, and select the checkboxes of the User Lists that contain the users who should be excluded.
6. Click Save.
7. To make triggering of the rule conditional, continue with Defining Conditions in an HTTPS Rule.
8. To define additional rules in this policy, repeat this procedure.
9. If you are ready to distribute and implement the changes in your system devices, click

Defining Conditions in an HTTPS Rule

To define conditions in an HTTPS Rule
1.
Configuring and Certifying HTTPS

Before an HTTPS policy can be effective, you must:
• ensure that HTTPS is enabled in the HTTPS module,
• obtain a certificate, and ensure that it is propagated to the scanners and users.

Scanning server devices have an HTTPS module with pre-configured settings. You should also make any desired adjustments to the settings in the HTTPS module. It is recommended that you perform these HTTPS-related tasks for the Device Default settings, and then propagate them to the HTTPS modules in all Scanning servers.

This section contains the following procedures:
• To configure device HTTPS settings
• To obtain and propagate an HTTPS certificate

To configure device HTTPS settings
1. Select Administration > System Settings > M86 Devices.
2. Choose Devices > Default Values > Device Settings > HTTPS. To alter settings for a specific device, choose <device_group> ...
d. In the remaining fields, fill in all relevant data as needed.
e. Click OK.
f. Copy the entire certificate request, including the BEGIN ... and END ... lines, and provide it to the CA.
g. When the CA provides the certificate, copy the certificate details.
h. Right-click Devices > Default Values > Device Settings > HTTPS and choose Import Certificate.
i. In the Certificate Type field, select CSR.
j. In the Certificate field, paste the certificate details.
k. Click OK. Then continue with Step 3.
• To import a Root CA certificate from an external CA without issuing a CSR, do the following:
a. Right-click Devices > Default Values > Device Settings > HTTPS and choose Import Certificate.
CHAPTER 21: IMPLEMENTING CLOUD SECURITY

This chapter is relevant only if implementing a Hybrid SWG deployment.

Hybrid deployment is an SWG feature providing web security for users when working off-site, that is, connecting to the internet from hotels, airports, internet cafes, working from home, or even working from remote offices. An SWG Hybrid deployment combines normal SWG Scanning Servers to protect internal network users, SWG Cloud Scanners to protect roaming/mobile/remote users, and M86 Mobile Security Client software. The client software directs web traffic to the appropriate and optimal scanner, on-premise or cloud, depending on the user location and available scanners. The client also provides mutual certificate authentication between the user and the target Cloud Scanner. Multiple Cloud Scanners can be deployed to cover the geographic locations from which users work.

Cloud Scanners are virtualized SWG Scanning Servers configured to support connections only from user computers running the M86 Mobile Security Client, or from specifically defined proxy servers, for example in remote offices. Cloud Scanners can be run on a number of different platforms, and although the platform set-up varies, the Management Console configuration is the same for each server. Setup details for the different platforms are as follows:

Table 1: Cloud Scanner Platform Setup Procedures
Cloud Scanner Platform | Type | Setup Procedure
M86 Hardware Appliance | Private Cloud | This document
M86 Virtual Appliance | Private Cloud | This document
M86 Secure-Web Services-Hybrid | M86 managed platform | See Hybrid Deployment Guide
Amazon Web Services EC2 | Infrastructure as a Service | See Hybrid Deployment Guide

When one or more Cloud Scanners are deployed in a customer's own data centre, or a business partner's data centres, using the M86 Hardware Appliance or M86 Virtual Appliance platform types, this is termed a Private Cloud. Typically a Private Cloud is linked to the customer network by ...
Implementing Cloud Security Outline

This is to be read in conjunction with the overall hybrid deployment process. Outlining a Hybrid deployment requires the following:
• Deployment decisions:
  • Certificate management method: PKI Mode or Internal Mode?
  • Number of Cloud Scanners per region?
  • Client types to be used: PC and/or Mac?
• Cloud Scanner Platform set-up:
  • Private Cloud Scanner set-up
  • Other Cloud Scanner set-up
• SWG Policy Service Configuration:
  • Configure Cloud Settings in Internal Mode, or
  • Configure Cloud Settings in PKI Mode
• Client Deployment
• Certification and Management of Hybrid Users

Cloud Scanning Servers can be implemented in either of two modes:
• Internal Certification Mode — In this mode, the policy server acts as the Certificate Authority for all certificate management, creation and signing. In Internal mode, you designate which users are cloud users, and manage users' certificates and certification status. You can also designate specific User Groups and LDAP Groups as dedicated Cloud groups, that is, all users in such a group are cloud users, and configure how certain cloud/certification activities should be handled for the group.
•...
Configuring Cloud Settings in Internal Mode

NOTE: Before configuring cloud settings, ensure that you have:
• added the needed cloud scanning servers. For instructions, see Chapter 2: Configuring / Adding Scanning Servers.
• configured the Mail Server. For instructions, see Configuring The Mail Server. You can also configure a provisioning Email Template. For more information, see the Management Console Reference Guide.

To configure Cloud Settings in Internal Mode
1. Select Administration > Cloud Configuration.
2. Click Edit.
3. If the Cloud Configuration title bar does NOT end with (Internal Mode), change the mode as follows:
WARNING: If you change the Certificate Management mode, your existing Certificate ...
location.
c) In the Address field, specify the IP Address or Hostname of the scanner/load balancer.
d) In the Local Client HTTP Port field, specify the client-side port number used to uniquely identify a specific cloud proxy or cloud-based load balancer for HTTP.
e) In the Local Client HTTPS Port field, specify the client-side port number used to uniquely identify a specific cloud proxy or cloud-based load balancer for HTTPS.
5. Configure On-premise Proxies and On-premise/Off-premise indicators in the Proxies (On premise) tab, as follows:
a. In the On-premise Proxy Details area, for each explicit proxy server to which roaming users can connect while on premise, configure the details as follows:
i. Click the icon.
ii. In the Address field, specify the IP or Hostname of the on-premise proxy server.
iii. In the Proxy HTTP Port field, specify the HTTP port to which roaming users will connect when on-premise.
iv. In the Proxy HTTPS Port field, specify the HTTPS port to which roaming users will connect when on-premise.
b. In the On-Premise/Off-Premise Indicator area, do the following:
i.
i. Click the Generate CSR link that is under the Import CSR-based CA button. The window displays fields for defining the Certificate Authority.
ii. In the Common Name field, specify a name for the CA. It is mandatory to specify a CA name.
iii. Optionally, fill in relevant data in the other fields.
iv. Click OK. A CA Certificate request is generated and displayed.
v. Copy the Certificate request to provide to the trusted CA for signing.
vi. Click OK.
vii. Have the trusted CA sign the Certificate Request.
viii. Click the Import CSR-based CA button.
ix. In the displayed Certificate field, paste the signed Certificate and click OK.
• To import a CA:
i. Click the Import CA button.
ii. Paste the certificate information into the appropriate entry fields in the window. Then click OK.
Regardless of the method you chose to define the system CA, the CA Management tab is re-displayed, and all information provided is displayed in the appropriate column and fields.
9. Configure Provisioning parameters, and perform downloads, in the Provisioning tab, as follows:
a. In the Agent Installer URL field, specify the address chosen by the administrator where the Agent Installation Package is saved.
b. If the Policy Server should automatically send emails with the needed enabling instructions to new cloud users, select the Automatically send an email with provision instructions to new cloud members checkbox.
c. If the Policy Server should automatically send emails to existing cloud users notifying them that configuration changes have been committed, select the Send an email update upon configuration changes checkbox.
d. In the Mobile User Private Key Password field, specify the password that the end user will use when installing the certificate. Specifying the password is mandatory.
e. Confirm the password.
f. Click Save.
g. Click
h. Download the appropriate Agent Installer, for Windows or Mac, so that you can later distribute it for installation. If you cleared the Enforce PAC file usage via the Mobile Security Client checkbox in the Client Configuration tab, you can optionally download and modify the PAC file for later distribution.
NOTE: Before you can download these files, you must ensure that you have saved and ...
4. Configure Cloud Proxies in the Proxies (Cloud) tab, as follows:
a. In the Server Side area, define the following details:
i. In the Cloud Proxy HTTP Port field, specify the server-side HTTP port number on which all cloud proxies and cloud-based load balancers will listen, and to which all clients will connect.
ii. In the Cloud Proxy HTTPS Port field, specify the server-side HTTPS port number on which all cloud proxies and cloud-based load balancers will listen, and to which all clients will connect.
b. In the Client Side area, do the following:
NOTE: Be sure not to confuse the Local Client ports and the Listening Server ports.
i. In the Local Control Port field, specify the port that the client uses to perform "control" activities, such as configuration updates. Note: It is recommended that you not change the port value from the default unless you use the default for a different application.
ii. In the Client Side table under the Local Control Port field, for each Cloud Scanner or Load Balancer that the client can use, define the identifying details, as follows:
a) Click the icon.
b) In the Comment field, specify an internal label for this scanner/load balancer; for example, a suggested name could include the scanner type, and/or the scanner's ...
hostname and display the results in the Internal Hostname IP field.
• Manually specify the Internal Hostname IP.
NOTE: Note the following points about the On-Premise Proxy:
• If the Corporate Hostname is resolvable, the PAC file will include instructions to use the local, on-premise proxy, since it recognizes that you are within the local network.
• If the Corporate Hostname is not resolvable, it will use the nearest available Cloud proxy region.
• The On-premise Proxy Details area can be left empty in a situation where the administrator determines for users which proxy to use.
6. Import Certificates in the Certificate Management tab, as follows:
a. Import the CA Certificate as follows:
i. Request a CA Certificate from the CA, and open the certificate in a text editor (for example, Notepad).
ii. Copy the public Certificate Key, including the Begin Certificate and End Certificate lines.
iii. Click the Import Enterprise CA Certificate button.
iv. In the displayed Certificate field, paste the Certificate key and click OK.
The Certificate Management tab is re-displayed, and all information provided by the CA is displayed in the appropriate fields under the CA Certificate column. Note that only the Common Name field is mandatory, that is, the CA must provide the information ...
7. According to need, define Non-Routable Network Bypass and Trusted URL Bypass settings in the Bypass tab, as follows:
a. For each network or domain to be bypassed while the Mobile Security Client agent is browsing via a Cloud proxy or local proxy, add it to the bypass list, as follows:
i. Click the icon.
ii. In the opened detail line, edit the Network Address and Network Mask.
iii. To delete a network bypass, right-click the icon and choose Delete Row.
b. To enable security to bypass the URLs appearing in a particular type of URL list (for example, Customer Defined White List), select the URL type in the Trusted URLs drop-down list.
8. Set Client Configuration in the Client Configuration tab, as follows:
a. By default, users can only browse using an M86 client and PAC file. To eliminate either or both of these restrictions, do the following:
i. To allow the user to disable the client and browse using a non-M86 agent, clear the Prevent user from disabling client checkbox.
WARNING: Disabling the Mobile Security Client agent might contravene your site's Acceptable Use Policy. Therefore, consider carefully before clearing this checkbox, which gives users the ability to disable the agent.
ii.
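Added example, not part of this guide and not M86's own PAC file: a PAC-style FindProxyForURL in JavaScript that models the routing described for the PAC file in the On-Premise Proxy note (on-premise proxy when the Corporate Hostname resolves, Cloud proxy otherwise) together with the Non-Routable Network Bypass and Trusted URL Bypass settings of Step 7. Every hostname, address and port is a constructed sample; the browser-supplied PAC helpers are replaced by small stand-ins so the file runs under Node.js, and it is assumed that off-premise traffic is handed to the Mobile Security Client on the Local Client port, which then forwards to the Cloud Proxy port.

```javascript
// Constructed DNS table standing in for the roaming machine's resolver.
// The Corporate Hostname resolves only while the machine is on the corporate
// network; setOnPremise() below flips that for testing.
const DNS = {
  "intranet.corp.example": null,          // Corporate Hostname (null = not resolvable)
  "payroll.corp.example": "10.20.30.40",  // internal host, non-routable from outside
  "www.example.com": "93.184.216.34",     // matches the trusted URL list below
  "news.example.org": "203.0.113.7",      // ordinary external site
};

// --- stand-ins for the PAC helper functions a browser normally provides ----
function dnsResolve(host) { return DNS[host] || null; }
function isResolvable(host) { return dnsResolve(host) !== null; }
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}
function shExpMatch(str, pattern) {        // shell glob: * and ? wildcards
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// --- values an administrator enters in the Cloud Configuration tabs ---------
const SETTINGS = {
  // Proxies (On premise) tab: indicator hostname plus an explicit on-premise proxy.
  corporateHostname: "intranet.corp.example",
  onPremiseProxy: { address: "proxy.corp.example", httpPort: 8080, httpsPort: 8443 },
  // Proxies (Cloud) tab. Server-side ports are what the cloud scanner listens on;
  // Local Client ports are what the browser on the roaming machine talks to.
  // Assumption: the Mobile Security Client listens on the local ports and forwards.
  cloudProxy: { address: "eu-west.cloud.example",
                serverHttpPort: 8080, serverHttpsPort: 8443,
                localClientHttpPort: 3128, localClientHttpsPort: 3129 },
  // Bypass tab: Non-Routable Network Bypass entries (Network Address / Mask)
  // and the selected Trusted URL list (a constructed Customer Defined White List).
  bypassNetworks: [
    { address: "10.0.0.0", mask: "255.0.0.0" },
    { address: "192.168.0.0", mask: "255.255.0.0" },
  ],
  trustedUrlPatterns: ["*.example.com"],
};

function FindProxyForURL(url, host) {
  const isHttps = url.toLowerCase().startsWith("https:");

  // 1. Non-Routable Network Bypass: destinations inside a bypassed network go
  //    direct, whether given as an IP literal or resolved from a hostname.
  const ip = /^\d+\.\d+\.\d+\.\d+$/.test(host) ? host : dnsResolve(host);
  if (ip !== null) {
    for (const net of SETTINGS.bypassNetworks) {
      if (isInNet(ip, net.address, net.mask)) return "DIRECT";
    }
  }

  // 2. Trusted URL Bypass: hosts on the selected URL list skip scanning.
  for (const pattern of SETTINGS.trustedUrlPatterns) {
    if (shExpMatch(host, pattern)) return "DIRECT";
  }

  // 3. On-Premise/Off-Premise Indicator: if the Corporate Hostname resolves,
  //    the machine is inside the network and uses the on-premise proxy.
  if (isResolvable(SETTINGS.corporateHostname)) {
    const p = SETTINGS.onPremiseProxy;
    return "PROXY " + p.address + ":" + (isHttps ? p.httpsPort : p.httpPort);
  }

  // 4. Otherwise the request goes to the cloud scanner through the client's
  //    Local Client port (the client connects onward to the Cloud Proxy port).
  const c = SETTINGS.cloudProxy;
  return "PROXY 127.0.0.1:" + (isHttps ? c.localClientHttpsPort : c.localClientHttpPort);
}

// Simulates the Corporate Hostname becoming resolvable (on premise) or not.
function setOnPremise(onPremise) {
  DNS[SETTINGS.corporateHostname] = onPremise ? "10.0.0.5" : null;
}
```

Note that an internal hostname that still resolves to a bypassed network while off premise is sent DIRECT rather than to the cloud scanner, which is why the bypass list should contain only genuinely non-routable ranges.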
Certifying and Managing Cloud Users

NOTE: This section is relevant only when the cloud is configured to work in Internal mode. In PKI mode, cloud users are certified and managed externally. Furthermore, many of the options and features described in this section are non-operational if the cloud is not configured to work in Internal mode.

Cloud users must be properly certified. When the cloud is configured to work in Internal mode, it is the administrator who must ensure the issuance of certificates to cloud users. They must also manage cloud users — for example, if there are problems with specific users or certificates, the administrator must take appropriate action such as blocking or revoking a certificate. These actions are generally performed in the Cloud User Certificate Management screen, accessed under the Users main menu option.

To simplify certificate issuance, administrators can dedicate specific User Groups and LDAP Groups to cloud use, and configure those groups so that certificates are automatically issued to all new users added to the group. This eliminates the need to issue certificates individually to each new user in the group. Such configuration, however, will not apply to any user who belonged to such a group before it was so configured. For these users, as an alternative to individual, manual requests for certification, you can make a group-level request to issue certificates to all non-provisioned users in the group. You can also, at the group level, download all certificates issued to provisioned users, and request that needed instructions be sent by email to all users.

This section contains the following procedures:
• To certify and manage cloud users
•...
Note that Pending status displays cloud users who will get certificates after you click , as opposed to Non-issued status, which displays cloud users who have not been issued a certificate.
b. Click the Filter button. The list of users, as filtered, is displayed below the filter row.
3. To manually issue a certificate to an uncertified user, which makes the user a cloud user, click the icon for the user and choose Issue New Certificate.
NOTE: This step is not necessary for new users added to a User Group or LDAP Group that automatically ensures issuance of certificates to new users. For more information, see To enable automatic certification of all new users in a group, and to prevent disabling of the Mobile Security Client. This step is necessary, however, for users who belonged to the group before it was so configured, and for users in such a group whose certification has been revoked.
4. To manage the certificates of a particular user, click the icon for the user and choose the action to perform. Note the following points about possible actions:
• Block certificate temporarily blocks, but does not revoke, a certificate. It is intended for use where a certificate is suspected of being compromised. If the certificate proves not to be compromised, you can unblock it via the Allow certificate option; if the certificate has been compromised, you can permanently revoke it via the Revoke certificate option.
• Revoke certificate is permanent; it cannot be reversed. Instead, a new certificate would have to be issued via the Issue new certificate option, as described in Step 3.
•...
5. To ensure that new users cannot disable the Mobile Security Client agent installed on their machines, ensure that the Prevent user from disabling Mobile Security Client checkbox is selected. The selected checkbox is the default.
NOTE: This option is only relevant if you selected the checkbox in Step 4.
NOTE: The Prevent user from disabling Mobile Security Client option is only relevant if the site supports a Cloud in Internal mode. For more information, see Configuring Cloud Settings in Internal Mode.
6. Click Save.
7. If you are ready to distribute and implement the changes in your system devices, click

To manually issue or download certificates or emails at the Group level

You can use a single operation to perform any of the following operations:
• manually issue certificates to all unprovisioned users in a User Group/LDAP group.
• download the certificates for all provisioned users in a group.
•...
Defining a Private Cloud Scanner

NOTE: Before defining a private cloud scanner, ensure that you have added and set up the needed device.

To define a Private cloud scanner
1. Using the Limited Shell commands, define the device as a private cloud, as follows:
a. Log in to the Limited Shell on the device that will be used for the private cloud. The default user name and password for the shell command line are admin and finjan respectively.
b. Enter the setup command. The current configuration is displayed.
c. Enter the line command config_cloud.
d. When prompted whether to enable the cloud, enter Y. You will then get a completed message.
2. If the device that you are defining as a private cloud scanner is already defined in the system as a cloud scanner, skip the remaining steps.
3.