M86 Web Filter User Guide for Authentication
Software Version: 4.0.10
Document Version: 06.08.10...
M86 Security shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein.
Contents

Chapter 1: Introduction (p. 1)
About this User Guide (p. 1)
How to Use this User Guide (p. 2)
Conventions (p. 2)
Terminology (p. 3)
Filtering Elements (p. 8)
Group Types (p. 8)
Global Group (p. 8)
IP Groups (p. 9)
LDAP Domain Groups ...

Web Filter authentication options (p. 25)
Authentication Solution Compatibility (p. 26)
Authentication System Deployment Options (p. 27)
Ports for Authentication System Access (p. 28)
Configuring Web Filter for Authentication (p. 29)
Configuration procedures (p. 29)
System section (p. 29)
Policy section ...

Option 3 (p. 62)
Common Customization (p. 63)
Enable, disable features (p. 64)
Authentication Form Customization (p. 66)
Preview sample Authentication Request Form (p. 68)
Block Page Customization (p. 70)
Preview sample block page (p. 72)
Set up Group Administrator Accounts (p. 74)
Add Sub Admins to manage nodes ...

Apply a filtering rule to a profile (p. 104)
Delete a rule (p. 105)
Specify a group’s filtering profile priority (p. 106)
Manually add a workstation name to the tree (p. 107)
Manually add a user’s name to the tree (p. 108)
Manually add a group’s name to the tree ...

Step 8: Attempt to access Web content (p. 149)
Test net use based authentication settings (p. 151)
Activate Authentication on the Network (p. 152)
Activate Web-based authentication for an IP Group (p. 153)
Step 1: Create a new IP Group, “webauth” (p. 153)
Step 2: Set “webauth” ...

Tier 2, Tier 3: Web-based authentication (p. 183)
Tier 1: Single Sign-On Authentication (p. 184)
Net use based authentication process (p. 184)
Re-authentication process (p. 185)
Tier 1 authentication method (p. 186)
Name resolution methods (p. 186)
Configuring the authentication server (p. 187)
Login scripts ...

Novell eDirectory servers (p. 208)
Client workstations (p. 209)
Novell clients (p. 209)
Novell eDirectory setup (p. 209)
Web Filter setup and event logs (p. 210)
Active Directory Agent (p. 211)
Product feature overview (p. 211)
Windows server requirements (p. 212)
Work flow in a Windows environment ...

Export a Novell SSL Certificate (p. 255)
Obtain a Sun One SSL Certificate (p. 257)
Appendix C: LDAP Server Customizations (p. 258)
OpenLDAP Server Scenario (p. 258)
Not all users returned in LDAP Browser window (p. 258)
Appendix D: P...

Set up pop-up blocking (p. 275)
Use the Internet Options dialog box (p. 275)
Use the IE toolbar (p. 276)
Temporarily disable pop-up blocking (p. 276)
Add override account to the white list (p. 277)
Use the IE toolbar (p. 277)
Use the Information Bar ...
LDAP domains.

NOTE: Refer to the M86 Web Filter Installation Guide, M86 IR Web Filter Installation Guide, or M86 WFR Installation Guide for information on installing the unit on the network.

Chapter 1: Introduction

...izations to make on specified LDAP servers; filtering profile file components and setup; tips on how to override pop-up windows with pop-up blocker software installed; a glossary on authentication terms, and an index.

How to Use this User Guide

Conventions

The following icons are used throughout this user guide:...

Terminology

The following terms are used throughout this user guide. Sample images (not to scale) are included for each item.

• alert box - a message box that opens in response to an entry you made in a dialog box, window, or screen.
• frame - a boxed-in area in a dialog box, window, or screen that includes a group of objects such as fields, text boxes, list boxes, buttons, radio buttons, checkboxes, and/or tables. Objects within a frame belong to a specific function or group.

• pop-up box or pop-up window - a box or window that opens after you click a button in a dialog box, window, or screen. This box or window may display information, or may require you to make one or more entries.

• sub-topic - a subset of a main topic that displays as a menu item for the topic. The menu of sub-topics opens when a pertinent topic link in the left panel—the navigation panel—of a screen is clicked.

• tree - a tree displays in the navigation panel of a screen, and is comprised of a hierarchical list of items. An entity associated with a branch of the tree is preceded by a plus (+) sign when the branch is collapsed.
Filtering Elements

Filtering operations include the following elements: groups, filtering profiles and their components, and rules for filtering.

Group Types

In the Policy section of the Administrator console, group types are structured in a tree format in the navigation panel. There are four group types in the tree list:
•...

IP Groups

The IP group type is represented in the tree by the IP icon. A master IP group is comprised of sub-group members and/or individual IP members. The global administrator adds master IP groups, adds and maintains override accounts at the global level, and establishes and maintains the minimum filtering level.

LDAP Domain Groups

An LDAP (Lightweight Directory Access Protocol) domain on a network server is comprised of LDAP groups and their associated members (users), derived from profiles on the network’s authentication server. The LDAP group type is represented in the tree by the LDAP icon.

Filtering Profile Types

A filtering profile is used by all users who are set up to be filtered on the network. This profile consists of rules that dictate whether a user has access to a specified Web site or service on the Internet.
• LDAP member filtering profile - used by an LDAP group member.
• LDAP container filtering profile - used by an LDAP container in an LDAP domain.
• LDAP time profile - used by an LDAP entity at a specified time.
Static Filtering Profiles

Static filtering profiles are based on fixed IP addresses and include profiles for master IP groups and their members.

Master IP Group Filtering Profile

The master IP group filtering profile is created by the global administrator and is maintained by the group administrator.

Active Filtering Profiles

Active filtering profiles include the global group profile, LDAP authentication profile, override account profile, time profile, and lock profile.

Global Filtering Profile

The global filtering profile is created by the global administrator.

...Internet usage.

NOTE: Refer to the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for additional information on the Override Account Profile, Time Profile, and Lock Profile.

Filtering Profile Components

Filtering profiles are comprised of the following components:
• library categories - used when creating a rule, minimum filtering level, or filtering profile for the global group or any entity
•...

Library Categories

A library category contains a list of Web site addresses and keywords for search engines and URLs that have been set up to be blocked or white listed. Library categories are used when creating a rule, the minimum filtering level, or a filtering profile.

Service Ports

Service ports are used when setting up filter segments on the network (the range of IP addresses/netmasks to be detected by the Web Filter), the global (default) filtering profile, and the minimum filtering level. When setting up the range of IP addresses/netmasks to be detected, service ports can be set up to be open (ignored).

NOTE: If the minimum filtering level is not set up, global (default) filtering settings will apply instead. If an override account is established at the IP group level for a member of a master IP group, filtering settings made for that end user will override the minimum filtering level if the global administrator sets the option to allow the minimum filtering level to be bypassed.
• filter - if a service port is given a filter setting, that port will use filter settings created for library categories (block or open settings) to determine whether users should be denied or allowed access to that port
•...

Filtering Rules

Individual User Profiles - A user in an LDAP domain can have only one individual profile set up per domain.

Filtering Levels Applied:

1. The global (default) filtering profile applies to any user under the following circumstances:
•...
6. For LDAP users, if a user is authenticated, settings for the user’s group or individual profile from the LDAP domain are applied and take precedence over any IP profile.
   a. If the user belongs to more than one group in an authentication domain, the profile for the user is determined by the order in which the groups are listed in the Group Priority list set by the global administrator.

8. An override account profile takes precedence over a TAR lockout profile. This account may override the minimum filtering level—if the override account was set up in the master IP group tree, and the global administrator allows override accounts to bypass the minimum filtering level, or if the override account was set up in the global group tree.
Authentication Solutions

LDAP Authentication Protocol

The Web Filter supports the Lightweight Directory Access Protocol (LDAP) for authentication. LDAP authentication supports all LDAP server types, such as Microsoft Active Directory, Novell eDirectory, Sun One, OpenLDAP, and Open Directory.
Web Filter authentication options

Depending on the setup of your network, any of the following authentication options can be enabled to ensure the end user is authenticated when logging into his/her workstation: M86 Authenticator, Active Directory Agent, and Novell eDirectory Agent.

Authentication Solution Compatibility

Below is a chart representing the authentication solution compatibility for a single user:

[Compatibility chart; row and column headings: Tier 1, Tier 2 (time based), Tier 3 (session based), Authenticator, eDirectory Agent, Active Directory Agent]

Authentication System Deployment Options

Below is a chart representing authentication system deployment options on a network:

Authentication System                        | Single Sign-On (SSO) | Force Authentication
Sun One, OpenLDAP, CommuniGate Pro (Stalker) | None                 | Tier 2 or Tier 3
Windows 2000/2003 Server                     | Tier 1 “net use”...  |

Ports for Authentication System Access

The following ports should be used for authentication system access:

Type | Function
8081 | Used between the Web Filter’s transmitting interface and the SSL block page for Tier 2 or Tier 3 authentication.
Configuring Web Filter for Authentication

Configuration procedures

When configuring the Web Filter for authentication, settings must be made in System and Policy windows in the Administrator console.

NOTES: If the network has more than one domain, the first one you add should be the domain on which the Web Filter resides.

The entries made in this window will vary depending on whether you are using the invisible mode, or the router or firewall mode. The LAN1 and LAN2 IP addresses should usually be in different subnets.
•...

4. Select “Authentication” from the navigation panel, and then select “Authentication Settings” from the pop-up menu. In the Settings frame, enter general configuration settings for the Web Filter such as IP address entries. From the NIC Device to Use for Authentication pull-down menu:
•...

...group administrators will later be assigned to manage entities (nodes) in the LDAP branch of the Policy tree.

Policy section

In the Policy section of the Administrator console, choose LDAP, and then do the following:
1.
Chapter 2: Network Setup

Environment Requirements

Workstation Requirements

Administrator

System requirements for the administrator include the following:
• Windows XP, Vista, or 7 operating system running:
  • Internet Explorer (IE) 7.0 or 8.0
  •...

End User

System requirements for the end user include the following:
• Windows XP, Vista, or 7 operating system running:
  • Internet Explorer (IE) 7.0 or 8.0
  • Firefox 3.5
• Macintosh OS X Version 10.5 or 10.6 running:
  •...
Set up the Network for Authentication

The first settings for authentication must be made in the System section of the console in the following windows: Operation Mode, LAN Settings, Enable/Disable Authentication, Authentication Settings, Authentication SSL Certificate (if Web-based authentication will be used), and Block Page Authentication.

1. In the Mode frame, select the mode to be used: “Invisible”, “Router”, or “Firewall”.

NOTE: See the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information about configuring and using the mobile mode options.

3. In the Block Page Device frame:
• If using the invisible mode, select “LAN2”.
• If using the router or firewall mode, select “LAN1”.
If using the invisible mode, the Block Page Delivery Method frame displays.
Specify the subnet mask, IP address(es)

Click Network and select LAN Settings from the pop-up menu to display the LAN Settings window:

Fig. 2-2 LAN Settings window

The entries made in this window will vary depending on whether you are using the invisible mode, or the router or firewall mode.

Router or firewall mode

1. Enter the following information:
• In the LAN1 IP field of the IP/Mask Setting frame, enter the IP address and specify the corresponding subnet of the “LAN1”...
Enable authentication, specify criteria

1. Click Authentication and select Enable/Disable Authentication from the pop-up menu to display the Enable/Disable Authentication window:
2. Click Enable to enable authentication.
3.

4. Enable any of the following authentication options, as pertinent to your environment:
• If using LDAP authentication and workstation profiles, click “On” in the Map Workstation Name Across All Domain Labels frame to enable the Web Filter to search other domain labels if it can’t find the workstation’s NetBIOS name under a specified domain label,...

...feature, turn “On” the AD Agent, and then specify settings for administrator computers authorized to configure the AD Agent via the Active Directory Agent console. Download and install the AD Agent (DCAgent.msi) on the administrator workstation.
Web-based authentication

Choose either Tier 2 or Tier 3 if Web-based authentication will be used.

NOTE: If selecting either Tier 2 or Tier 3, please be informed that in an organization with more than 5000 users, slowness may be experienced during the authentication process.

Tier 3: Use persistent logins via a Java Applet – Choose this option if using LDAP authentication, and you want the user to maintain a persistent network connection. This option opens a profile window that uses a Java applet:

Fig.

3. To ensure that end-users are using the most current version of JRE, choose the method for distributing the current version to their workstations: “M86 automatically distributes JRE during user login” or the default selection, “Administrator manually distributes JRE to user workstations”.

Enter network settings for authentication

1. Click Authentication and select Authentication Settings from the pop-up menu to display the Authentication Settings window:

Fig. 2-6 Authentication Settings window

In the Settings frame, at the Web Filter NetBIOS Name field the NetBIOS name of the Web Filter displays.
WARNING: If the IP address entered here is not in the same subnet as this Web Filter, the net use connection will fail.

4. From the NIC Device to Use for Authentication pull-down menu:
•...
Create an SSL certificate

Authentication SSL Certificate should be used if Web-based authentication will be deployed on the Web Filter. Using this feature, a Secure Sockets Layer (SSL) self-signed certificate is created and placed on client machines so that the Web Filter will be recognized as a valid server with which they can communicate.

Create, Download a Self-Signed Certificate

1. On the Self Signed Certificate tab, click Create Self Signed Certificate to generate the SSL certificate.
2. Click the Download/View/Delete Certificate tab:

Fig. 2-8 Download/View/Delete Certificate tab

3.

Once the certificate is saved to your workstation, it can be distributed to client workstations for users who need to be authenticated.

TIP: Click Delete Certificate to remove the certificate from the server.
Fig. 2-10 Create CSR pop-up window

The Common Name (Host Name) field should automatically be populated with the host name. This field can be edited, if necessary.
3. Enter your Email Address.
4.

Upload a Third Party Certificate

1. In the Third Party Certificate tab, click Upload Certificate to open the Upload Signed SSL Certificate for Web Filter pop-up window:

Fig. 2-11 Upload Signed SSL Certificate box

The Message dialog box also opens with the message: "Click OK when upload completes."...

3. Select the file to be uploaded.
4. Click Upload File to upload this file to the Web Filter.
5. Click OK in the Message dialog box to confirm the upload and to close the dialog box.

Specify block page settings

Click Control and select Block Page Authentication from the pop-up menu to display the Block Page Authentication window:

Fig. 2-13 Block Page Authentication window

Block Page Authentication

In the Re-authentication Options field of the Details frame, all block page options are selected by default, except for Web-based Authentication.
TIP: Multiple options can be selected by clicking each option while pressing the Ctrl key on your keyboard.

NOTE: See the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information about the Override Account feature.

Block page

When a user attempts to access Internet content set up to be blocked, the block page displays on the user’s screen:

Fig. 2-14 Block page

NOTES: See Block Page Customization for information on adding free form text and a hyperlink at the top of the block page.

• HELP - Clicking this link takes the user to M86’s Technical Support page that explains why access to the site or service may have been denied.
• M86 Security - Clicking this link takes the user to M86’s Web site.

Optional Links

By default, these links are included in the block page under the following conditions:
• For further options, click here. - This phrase and link is included if any option was selected at the Re-authentication Options field in the Block Page Authentication window.

Options page

The Options page displays when the user clicks the following link in the block page: For further options, click here.

Fig. 2-15 Options page

The following items previously described for the Block page display in the upper half of the Options page:
•...
Option 1

Option 1 is included in the Options page if “Web-based Authentication” was selected at the Re-authentication Options field in the Block Page Authentication window. The following phrase/link displays: Click here for secure Web-based authentication.

Option 2

The following phrase/link displays, based on options selected at the Re-authentication Options field in the Block Page Authentication window:
• Re-start your system and re-login - This phrase displays for Option 1, whether or not either of the Re-authentication Options (Re-authentication, or Web-based Authentication) was selected in the Block Page...

See the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information about the Override Account feature.

Common Customization

Common Customization lets you specify elements to be included in block pages and/or the authentication request form end users will see.

Click Customization and then select Common Customization from the pop-up menu to display the Common Customization window:...

• Blocked URL Display - if enabled, displays “Blocked URL” followed by the blocked URL in block pages
• Copyright Display - if enabled, displays M86 Web Filter copyright information at the footer of block pages and the authentication request form
•...
• Help Link URL - By default, http://www.m86security.com/support/r3000/accessdenied.asp displays as the help link URL. Enter the URL to be used when the end user clicks the help link text (specified in the Help Link Text field).

Authentication Form Customization

To customize the Authentication Request Form, click Customization and select Authentication Form from the pop-up menu:

Fig. 2-19 Authentication Form Customization window

NOTE: This window is activated only if Authentication is enabled via System >...
1. Make an entry in any of the following fields:
• In the Header field, enter a static header to be displayed at the top of the Authentication Request Form.

Preview sample Authentication Request Form

1. Click Preview to launch a separate browser window containing a sample Authentication Request Form, based on entries saved in this window and in the Common Customization window:

Fig.

...Support page that explains why access to the site or service may have been denied.
• M86 Security - Clicking this link takes the user to M86’s Web site.
2. Click the “X” in the upper right corner of the window to close the sample Authentication Request Form.

Fig. 2-21 Block Page Customization window

NOTE: See Appendix B: Create a Custom Block Page from the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information on creating a customized block page using your own design.
1. Make an entry in any of the following fields:
• In the Header field, enter a static header to be displayed at the top of the block page.
•...

Preview sample block page

1. Click Preview to launch a separate browser window containing a sample customized block page, based on entries saved in this window and in the Common Customization window:

Fig.

...Support page that explains why access to the site or service may have been denied.
• M86 Security - Clicking this link takes the user to M86’s Web site.
By default, these links are included in the block page under the following conditions:
•...

...Policy tree when new IP groups are created. See Chapter 2: Policy screen from the Global Administrator Section of the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information on creating IP groups.
Set up Group Administrator Accounts

Add a group administrator account

To add an LDAP group administrator (Sub Admin) account:
1. In the Account Details frame, enter the username in the Username field.
2. In the Password field, enter eight to 20 characters—including at least one alpha character, one numeric character, and one special character.

Delete a group administrator account

To delete an administrator account:
1. Select the username from the Current User list box.
2. Click Delete to remove the account.

NOTE: If a group administrator assigned to an LDAP node is deleted, that group administrator must be removed from assignment to that node and another group administrator set up for assignment to manage that node.

NOTE: In this user guide, only authentication-related options will be addressed. For information about all other options, see the View Log File window in the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide.

• “Admin GUI Server Log (AdminGUIServer.log)” - used for viewing information on entries made by the administrator in the console.
• “eDirectory Agent Debug Log (edirAgent.log)” - used for viewing the debug log, if using eDirectory LDAP authentication.
Chapter 3: LDAP Authentication Setup

Create an LDAP Domain

In the Policy section of the console, add an LDAP domain that contains entities to be authenticated.

Add the LDAP domain

1.

Refresh the LDAP branch

Click LDAP in the navigation panel to open the pop-up menu, and select Refresh whenever changes have been made in this branch of the tree.

View, modify, enter LDAP domain details

Double-click LDAP in the navigation panel to open the LDAP...

WARNING: The instructions in this user guide have been documented based on standard default settings in LDAP for Microsoft Active Directory Services. The suggested entries and examples may not be applicable to all other server types, or if any changes have been made to default settings on the LDAP Active Directory server.

WARNING: The contents of the tabs for User and Group do not normally need to be changed. The settings on these tabs are made automatically when you select the server type at the beginning of the setup process.
1. Generally, no action needs to be performed on this tab. However, under special circumstances, the following actions can be performed:
• A group object can be added or excluded by making an entry in the appropriate field, and then clicking the Include or Exclude button.

3. If any modifications were made on this tab, click Save.
4. Click Next to go to the User tab.

User Objects

The User tab is used for including or excluding user objects in the LDAP domain.

• A user object can be removed by selecting the user object and then clicking Remove.
• If the user DN cannot be auto-detected during the profile setup process, click “Use Case-Sensitive Comparison”...

• A workstation object can be added or excluded by making an entry in the appropriate field, and then clicking the Include or Exclude button.
• A workstation object name can be edited by selecting the workstation object from the appropriate list box, editing the name in the field, and then clicking the Edit button.
...requirements for LDAP authentication. Please ensure the correct DNS settings are set.

1. This tab includes the following fields, some pre-populated by default, and some that you may wish to edit:
•...

• By default, the LDAP Query Base displays the root of the LDAP database to query using the LDAP Syntax, e.g. DC=domain,DC=com, or o=server-org. The entry in this field is case sensitive and should be edited, if necessary.

• If your LDAP database does not require a username to be provided in order to bind to the LDAP database, click the “Use Anonymous Bind” checkbox to grey out the fields—and Find Distinguished Name button, if it displays—in this tab.

Click Find Distinguished Name to perform the search for the LDAP Distinguished Name. If the administrator’s user name and password are successfully retrieved, the pop-up box closes and the fields on this tab become populated with appropriate data.
1. If applicable, click in the “Enable Secure LDAP over SSL” checkbox. This action activates the Upload buttons in the Manually Upload SSL Certificate for LDAPS frame and the Automatically Upload SSL Certificate for LDAPS frame.

WARNING: If using a Novell server, be sure the name on the SSL certificate (to be uploaded to the server) matches the Server DNS Name entered in the Address Info tab.

3.
After the search is completed, the Search in Progress box closes, and the list displays the Alias Name and the corresponding LDAP Container Name.

NOTE: If the alias list does not display, double-check the settings on the other tabs and verify that all of your settings are correct.

Default Rule

The Default Rule applies to any authenticated user in the LDAP domain who does not have a filtering profile.

Fig. 3-13 Domain Details window, Default Rule tab

1.

• Click the checkbox(es) corresponding to the option(s) to be applied to the filtering profile: “X Strikes Blocking”, “Google/Bing/Yahoo!/Youtube/Ask/AOL Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL Keyword Filter Control”. If URL Keyword Filter Control is selected, the “Extend URL Keyword Filter Control”...

LDAP Backup Server Configuration

Configure a backup server

To add a backup server’s settings:
1. Click Add to open the Backup Server Configuration wizard pop-up window:

Fig. 3-14 Backup Server Configuration, Address Info

NOTE: The Back and Save buttons can be clicked at any time during the wizard setup process.
Page 109
3: LDAP A LDAP D HAPTER UTHENTICATION ETUP REATE AN OMAIN • DNS Domain Name - DNS name of the LDAP domain, such as logo.local NOTES: If your LDAP server’s name is not a resolvable, fully qualified DNS name, you may be able to enter the domain name. Be sure the DNS Domain Name exactly matches the name on the SSL certificate that will be uploaded to the server.
Page 110
3: LDAP A LDAP D HAPTER UTHENTICATION ETUP REATE AN OMAIN NOTE: The Distinguished Name Auto Discovery frame only displays if the type of LDAP server is Microsoft Active Directory. 5. Enter, edit, or verify the following criteria: • “Use Anonymous Bind” - click this checkbox to grey out the fields in this tab, if your LDAP database does not require a username to be provided in order to bind to the LDAP database...
Page 111
3: LDAP A LDAP D HAPTER UTHENTICATION ETUP REATE AN OMAIN search for the LDAP Distinguished Name. If the administrator’s user name and password are successfully retrieved, the pop-up box closes and the fields on this tab become populated with appropriate data.
3: LDAP A LDAP D HAPTER UTHENTICATION ETUP REATE AN OMAIN b. To automatically upload an SSL certificate, go to the Automatically Upload SSL Certificate for LDAPS frame and do the following: • In the Wait __ seconds for certificate field, by default 3 displays.
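The two name-matching warnings above (the Server DNS Name in the Address Info tab, and the DNS Domain Name of a backup server, must match the name on the SSL certificate) come down to the hostname check a TLS client performs before trusting an LDAPS server. The following Python is an added example written for this page, not code from the Web Filter or from M86; it runs that check against a constructed certificate in the dictionary form Python's ssl.getpeercert() returns, and it assumes RFC 6125 rules: subjectAltName DNS entries are consulted first, the subject CN only as a fallback, a wildcard covers exactly one label, and an IP literal is satisfied only by an IP Address SAN. The host names used are illustrative.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the names are illustrative and are not taken from the page.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.logo.local"),),),
    "subjectAltName": (("DNS", "ldap.logo.local"), ("DNS", "*.logo.local")),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive exact match, or a '*' that
    stands for exactly one leftmost label, so '*.logo.local' covers
    'dc2.logo.local' but neither 'logo.local' nor 'a.b.logo.local'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def certificate_matches(cert, server_name):
    """Return True if cert is valid for server_name, the value an administrator
    would enter as Server DNS Name / DNS Domain Name in the Web Filter."""
    sans = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in sans if kind == "DNS"]
    ip_names = [value for kind, value in sans if kind == "IP Address"]
    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only satisfied by an IP Address SAN; a DNS name in
        # the certificate never matches it, so entering an IP address where a
        # DNS name is expected fails verification against a host-name certificate.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if not dns_names:
        # Legacy fallback: the subject CN is consulted only when no DNS SAN exists.
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(p, server_name) for p in dns_names)


def check_ldaps_name(cert, server_name):
    """Short verdict string for an administrator's pre-deployment checklist."""
    if certificate_matches(cert, server_name):
        return "ok: certificate is valid for " + server_name
    return "mismatch: certificate does not name " + server_name + "; LDAPS verification will fail"


if __name__ == "__main__":
    for name in ("ldap.logo.local", "dc2.logo.local", "logo.local", "192.168.0.20"):
        print(name, "->", check_ldaps_name(SAMPLE_CERT, name))
```

Run the module directly to see which of the four sample names the constructed certificate covers; to test a real server, replace SAMPLE_CERT with the dictionary returned by ssl.SSLSocket.getpeercert() on a connection to port 636.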
Delete a backup server's configuration

On the Default Rule tab, click Delete to remove the backup server's configuration.

Delete a domain

To delete a domain profile, choose Delete from the LDAP domain menu.

Set up LDAP Domain Nodes

In the navigation panel, the LDAP domain branch of the tree menu includes options for setting up entities (nodes) in the domain so that filtering profiles can later be created. The following options are used in this setup process: Manage Profile Objects, Set Group Priority, Manually Add Workstation, Manually Add Member, Manually Add Group, and ...

NOTES: If the "Use Dynamic Group" option was specified in the Group tab of Domain Details, "Dynamic Group Enabled" displays towards the bottom left of this window. If the "Use Nested Group" option was available in the Group tab of Domain Details, "Nested Group Enabled" ...

Options for search results

The following actions can be performed on search results:

• To narrow the number of records returned by your initial query, click the "Within Results" checkbox, modify your search criteria in the input field, and then click Search.

When the LDAP branch of the tree is refreshed, all nodes with rules applied to them appear in the tree.

Delete a rule

To delete a rule from a profile, the entity must currently display in the grid and have a rule assigned to the profile.

Specify a group's filtering profile priority

1. Select the LDAP domain, and choose Set Group Priority from the pop-up menu to display the Set Group Priority window:

Fig. 3-18 Set Group Priority window

This window is used for designating which group's profile is assigned to a user who is a member of more than one group when he/she logs in.

Manually add a workstation name to the tree

1. Select the LDAP domain, and choose Manually Add Workstation from the pop-up menu to open the Manually Add Workstation dialog box: Fig. ...

Manually add a user's name to the tree

1. Select the LDAP domain, and choose Manually Add Member from the pop-up menu to open the Manually Add Member dialog box: Fig. ...

Manually add a group's name to the tree

1. Select the LDAP domain, and choose Manually Add Group from the pop-up menu to open the Manually Add Group dialog box: Fig. ...

Upload a file of filtering profiles to the tree

1. Select the LDAP domain, and choose Upload Profile from the pop-up menu to open the Upload User/Group Profile window: Fig. ...

NOTE: Leave the refresh page open until the file containing the profile has been uploaded.

3. Click Browse... to open the Choose file window.

4. Select the file to be uploaded.

WARNING: Any file uploaded to the server will overwrite the existing profile file. Keep a copy of the current profile file before uploading so that the previous state can be restored.

WARNING: When uploading a list of profiles to the tree, users will be blocked from Internet access if the minimum filtering level has not been defined via the Minimum Filtering Level window. If you have just established the minimum filtering level, the filter settings will not take effect until the user logs off and back on to the server.
Chapter 4: Manage Nodes

Once LDAP domains are set up in the Policy tree, the global administrator assigns Sub Admin group administrators the following entities (nodes) to manage: domain, group(s), workstations, members, and/or containers.

NOTE: See Set up Group Administrator Accounts in Chapter 2: Network Setup for information on creating and managing Sub Admin group administrator accounts.

Assign Sub Admin to an LDAP Node

A group administrator assigned to an LDAP node (domain, group, workstation, member, or container) has the privileges to add, edit, or delete entities in the node to which he/she is assigned. Assign the narrowest node that covers the administrator's responsibilities; a Sub Admin assigned at the domain level can change every group and member beneath it.

Fig. 4-2 Assign Access View window

4. Click the Policy, Library, and Help tabs to view the menu topics, sub-topics, and tree nodes currently available to that Sub Admin.

5. ...

Fig. 4-3 Assign Access window with node assigned

7. Click the "X" in the upper right corner of the Assign Access pop-up window to close it.

TIP: To unassign the Sub Admin from that node, click the Unassigned Access checkbox and then click Apply.

Create and Maintain Filtering Profiles

If a Sub Admin group administrator is assigned to an LDAP domain, he/she can add groups and members to that domain. A Sub Admin group administrator assigned to an LDAP group can add members and filtering profiles for all nodes he/she oversees.

Add a group member to the tree list

From the domain, select the group and choose Group Member Details from the pop-up menu to display the Group/Member Details window: Fig. ..., LDAP group

View Container Details

From the Policy tree, select the domain and choose Container Details from the pop-up menu to display the Container Details window:

Fig. 4-5 Container Details window

This view-only window provides the following information about the container: • ...

Add or maintain a node's profile

From the domain, select the node and choose Profile from the pop-up menu to display the default Category tab of the Profile window:

Fig. 4-6 Group Profile window, Category tab, LDAP group

The Profile option is used for viewing/creating the filtering profile of the defined node (LDAP static or dynamic group, workstation, user member, or container).

The minimum filtering level is set up in the Minimum Filtering Level window, accessible from the Global Group options. See the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for more information about these windows.

NOTE: If a category group does not display any filter setting (i.e. the check mark does not display in any column for the category group), one or more library categories within that group has a setting in a column other than the filter setting designated for all collective library categories within that group.

NOTE: See the Quota Settings window in Chapter 1: System screen of the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for more information on configuring quota settings and resetting quotas for end users currently blocked by quotas.

Redirect URL

Click the Redirect URL tab to display the Redirect URL page of the Profile window:

Fig. 4-7 Group Profile window, Redirect URL tab, LDAP group

Redirect URL is used for specifying the URL to which users are redirected when they attempt to access a site or service set up to be blocked.

... "URL Keyword Filter Control", and "Extend URL Keyword Filter Control".

NOTE: See the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information about Filter Options.

NOTE: Settings in this window work in conjunction with those made in the Minimum Filtering Level window maintained by the global administrator. See the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information on configuring and using the minimum filtering level.

Valid URL entries

The following types of URL entries are accepted in this window:

• formats such as: http://www.coors.com, www.coors.com, or coors.com

• IP address - e.g. "209.247.228.221" in http://209.247.228.221

• ...

Add URLs to Block URL or ByPass URL frame

To block or bypass specified URLs, in the Block URL or the ByPass URL frame:

1. Type the URL to be blocked in the Block URLs field, or the URL to be bypassed in the ByPass URLs field.

The message "URL can be added, but conflicting URLs will be removed" applies to any URL that the query found in the opposite frame of the Exception URL window. When this scenario occurs, a yellow warning triangle icon displays in the Status column of the pop-up window for each conflicting URL. Review these conflicts before confirming: adding a URL to the ByPass frame silently removes the same URL from the Block frame.

Remove URLs from Block URL or ByPass URL frame

To remove URLs from the Block URL or the ByPass URL frame:

1. Select a URL to be removed from the Block URL / ByPass URL list box; ...

TIP: Click Cancel to close this pop-up window without making any selections.

3. Click Remove Selected to close the pop-up window and to remove your selection(s) from the appropriate URL list box.
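The Exception URL behaviour described above (several spellings of one site are accepted, and an entry added to one frame removes the same entry from the opposite frame) depends on the entries being reduced to a comparable form before they are compared. The following Python is an added example written for this page and not the Web Filter's own logic: it normalises the entry formats the window accepts and models the two frames with the conflict rule the page states. The status strings, the decision to keep the host exactly as typed (so www.coors.com and coors.com remain distinct) and the ignoring of scheme, host case and trailing slash are this example's assumptions.

```python
from urllib.parse import urlsplit


def normalize_entry(entry):
    """Map the entry formats the window accepts (http://www.coors.com,
    www.coors.com, coors.com, http://209.247.228.221) to a comparable key.
    Scheme, host case, port and a trailing slash are ignored; the host is kept
    as typed (assumption about the product's comparison, see the lead-in)."""
    text = entry.strip()
    if not text:
        raise ValueError("empty URL entry")
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    host = parts.hostname  # lower-cased, port removed, None if absent
    if not host:
        raise ValueError(f"not a valid URL entry: {entry!r}")
    return (host, parts.path.rstrip("/"))


class ExceptionURLs:
    """Block URL and ByPass URL frames with the conflict rule from the page:
    a URL found in the opposite frame is removed when the new one is added."""

    def __init__(self):
        self.frames = {"block": {}, "bypass": {}}  # key -> entry as typed

    def add(self, entry, frame):
        if frame not in self.frames:
            raise ValueError("frame must be 'block' or 'bypass'")
        key = normalize_entry(entry)
        other = "bypass" if frame == "block" else "block"
        if key in self.frames[frame]:
            return "already in list"  # status text is constructed for this example
        removed = self.frames[other].pop(key, None)
        self.frames[frame][key] = entry
        if removed is not None:
            return f"added; conflicting {other} entry {removed!r} removed"
        return "added"

    def remove(self, entry, frame):
        """Return True if an entry was removed, False if it was not listed."""
        return self.frames[frame].pop(normalize_entry(entry), None) is not None

    def decision(self, url):
        """Exception entries take precedence over category rules; add() keeps a
        key out of both frames at once, so the order of these checks is moot."""
        key = normalize_entry(url)
        if key in self.frames["block"]:
            return "block"
        if key in self.frames["bypass"]:
            return "bypass"
        return "category rules apply"


if __name__ == "__main__":
    lists = ExceptionURLs()
    print(lists.add("http://www.coors.com", "block"))
    print(lists.add("WWW.COORS.COM/", "block"))      # same site, different spelling
    print(lists.add("www.coors.com", "bypass"))      # conflicts with the block entry
    print(lists.decision("http://www.coors.com/"))   # now bypassed
```

The conflict case is the one worth checking on a real box: the second add of a bypass entry is what quietly removes the block entry, and nothing in the URL lists afterwards records that the removal happened.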
Add a Time Profile

To create a time profile:

1. Click Add to open the Adding Time Profile pop-up box:

Fig. 4-14 Adding Time Profile

2. Type in three to 20 alphanumeric characters (the underscore character can be used) for the profile name.

a. Select from a list of time slots incremented by 15 minutes: "12:00" to "11:45". By default, the Start field displays the closest 15-minute future time, and the End field displays a time that is one hour ahead of that time. For example, if the time is currently 11:12, "11:15" ...

• Weekly - If this selection is made, enter the interval for the weeks this time profile will be used, and specify the day(s) of the week ("Sunday" - "Saturday"). By default, "1" ...

Next, choose from one of two options to specify the day of the month for the interval:

• The first option lets you choose a specific month ("January" - "December") and day ("1" - "31"). By default the current month and day are selected.

9. Click Close to close the Adding Time Profile pop-up window and to return to the Time Profile window. In this window, the Current Time Profiles list box now shows the Name and Description of the time profile that was just added.

Fig. 4-16 Active Profile Lookup window

NOTE: Only filtering profile lookups for LDAP nodes are addressed in this sub-section. Please refer to the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information about looking up other types of filtering profiles.

Verify that an LDAP Profile is Active

If an LDAP filtering profile is active, a pop-up box opens containing the Result frame that displays the settings applied to the profile:

Fig. 4-17 Active Profile Lookup results

The default Login Summary tab displays the following information: • ...

TIP: In the Category Groups tree, double-click the group envelope to open that segment of the tree and to view library categories belonging to that group. A check mark inside a green circle displays in the Pass, Allow, Warn, Block column for the filter setting assigned to the category group/library category for the ...

At the bottom of the Rule Details frame, Uncategorized Sites are set to "Pass", "Warn", or "Block", indicating that the selected setting applies to any non-classified URL. If the Overall Quota field is enabled, the user is restricted to the number of minutes shown here for visiting URLs in all groups/categories collectively in which a quota is specified.
Chapter 5: Authentication Deployment

This final step of the authentication setup process includes testing authentication settings and activating authentication on the network.

Test Authentication Settings

Before deploying authentication on the network, test your settings to be sure the Authentication Request Form login page can be accessed.

NOTE: In order to complete the test process, be sure you have your own filtering profile set up.

To verify that authentication is working, do either of the following, based on the Tier you selected: • ...

Test Web-based authentication settings

To verify that authentication is working properly, make the following settings in the Policy section of the console:

Step 1: Create an IP Group, "test"

1. Click the IP branch of the tree.

2. ...

3. Enter workstation as the Group Name.

4. Click OK to add the Sub-Group to the IP Group.

Step 3: Set up "test" with a 32-bit net mask

1. Select the IP Group named "test" from the tree.

2. ...

Step 4: Give "workstation" a 32-bit net mask

1. Select the IP Sub-Group "workstation" from the tree.

2. Click Members in the pop-up menu to display the Members window:

Fig. 5-5 Sub Group Members window

3. ...

The 32-bit mask confines the test group and sub-group to the single test workstation, so no other host is affected while you test.

Step 5: Block everything for the Sub-Group

1. Select the IP Sub-Group "workstation" from the tree.

2. Click Sub Group Profile in the pop-up menu to display the Sub Group Profile window:

Fig. 5-6 Sub Group Profile window, Category tab

3. ...

Step 6: Use Authentication Request Page for redirect URL

1. Click the Redirect URL tab to display the Redirect URL page:

Fig. 5-7 Sub Group Profile window, Redirect URL tab

2. Select "Authentication Request Form".

NOTE: The host name of the Web Filter, not its IP address, is used in the redirect URL of the Authentication Request Form, so the test workstation must be able to resolve that host name.

Step 8: Attempt to access Web content

NOTE: For this step, you must have your own profile set up in order to complete the test process.

1. Launch an Internet browser window supported by the Web Filter: Fig. ...

Fig. 5-10 Authentication Request Form

4. Enter the following information:

• Username

• Password

If the Domain and Alias fields display, select the following information:

• Domain you are using

• Alias name for that domain (unless "Disabled" displays and the field is greyed out)

5. ...

Test net use based authentication settings

1. From the test workstation, open a command prompt and enter the NET USE command using the following format:

NET USE \\virtualip\R3000$

For example: NET USE \\192.168.0.20\R3000$

The entry you make should initiate a connection with Tier ...

TIP: The virtual IP address should be the same as the one entered in the Virtual IP Address to Use for Authentication field in ...

Activate Authentication on the Network

After successfully testing authentication settings, you are ready to activate authentication on the network. To verify that authentication is ready to be activated on the network, do either of the following, based on the Tier you selected: • ...

Activate Web-based authentication for an IP Group

IP Group authentication is the preferred selection for Web-based authentication, over the Global Group Profile authentication option, because it decreases the load on the Web Filter.

Step 2: Set "webauth" to cover users in range

1. Select the IP group "webauth" from the tree.

2. Click Members in the pop-up menu to display the Members window: Fig. ...

Step 3: Create an IP Sub-Group

1. Select the IP Group "webauth" from the tree.

2. Click Add Sub Group in the pop-up menu to open the Create Sub Group dialog box: Fig. ...

8. In the Member IP fields, enter the IP address range for members of the Sub-Group, and specify the subnet mask.

9. Click Modify.

Step 4: Block everything for the Sub-Group

1. ...

Step 5: Use Authentication Request Page for redirect URL

1. Click the Redirect URL tab to display the Redirect URL page:

Fig. 5-16 Sub Group Profile window, Redirect URL tab

2. ...

Step 7: Set Global Group to filter unknown traffic

1. Click Global Group in the tree to open the pop-up menu.

2. Select Global Group Profile to display the Category tab of the Profile window: Fig. ...

Fig. 5-19 Global Group Profile window, Port tab

a. In the Port page, enter the Port number to be blocked.

b. Click Add to include the port number in the Block Port(s) list box.

a. Select "Default Block Page".

b. Click Apply.

5. Click the Filter Options tab to display the Filter Options page:

Fig. 5-21 Global Group Profile window, Filter Options tab

a. Select filter options to be enabled.

b. ...

As a result of these entries, the standard block page displays, instead of the Authentication Request Form, when any user in this Sub-Group is blocked from accessing Internet content.

Fig. 5-22 Default Block Page

Activate Web-based authentication for the Global Group

This selection of Web-based authentication creates more of a load on the Web Filter than the IP Group selection, and should only be used as an alternative to IP Group authentication.

Step 1A: Block Web access, logging via Range to Detect

NOTE: Segments of network traffic should not be defined if using the firewall mode.

Range to Detect Settings

1. Click Global Group in the tree to open the pop-up menu.

2. ...

Fig. 5-24 Range to Detect Settings window, main window

4. Click Start the Setup Wizard to display Step 1 of the Range to Detect Setup Wizard:

Range to Detect Setup Wizard

Fig. ...

2. Click Next to go to Step 2 of the Wizard:

Fig. 5-26 Range to Detect Setup Wizard, Step 2

3. An entry for this step of the Wizard is optional. If there are destination IP address(es) to be filtered, enter the IP address and specify the Netmask, or enter the Individual IP address.

5. An entry for this step of the Wizard is optional. If there are source IP address(es) to be ignored, enter the IP address and specify the Netmask, or enter the Individual IP address.

Fig. 5-29 Range to Detect Setup Wizard, Step 5

9. An entry for this step of the Wizard is optional. If there are ports to be excluded from filtering, enter each port number in the Individual Port field, and click Add.

As a result of these entries, the IP address(es) specified to be excluded will not be logged or filtered on the network. Bypass Step 1B and go on to Step 2 to complete this process.
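The Range to Detect wizard steps shown above (source addresses to filter, optional destination addresses to filter, optional source addresses to ignore, and optional ports to exclude) together decide whether a given connection is filtered and logged at all. The following Python is an added example written for this page, not code from the Web Filter: it models those four inputs in the address/netmask and individual-address forms the wizard accepts and evaluates a connection against them in the order the page implies (an ignored source or an excluded port is neither logged nor filtered). The wizard step the page does not show is not modelled, and the addresses in the sample configuration are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


def _networks(entries):
    """Accept the wizard's input forms: 'address/netmask', 'address/prefix', or an
    individual address (which becomes a /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


@dataclass
class RangeToDetect:
    source_filter: list = field(default_factory=list)       # Step 1: sources to filter
    destination_filter: list = field(default_factory=list)  # Step 2 (optional): destinations to filter
    source_ignore: list = field(default_factory=list)       # Step 3 (optional): sources to ignore
    excluded_ports: set = field(default_factory=set)        # Step 5 (optional): ports not filtered

    def decide(self, src, dst, dport):
        """Return 'filter' if the connection is filtered and logged, otherwise a
        short reason why it passes untouched."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(s in n for n in _networks(self.source_filter)):
            return "pass: source outside Range to Detect"
        if self.destination_filter and not any(d in n for n in _networks(self.destination_filter)):
            return "pass: destination not selected for filtering"
        if any(s in n for n in _networks(self.source_ignore)):
            return "pass: source is excluded (not logged or filtered)"
        if dport in self.excluded_ports:
            return f"pass: port {dport} is excluded from filtering"
        return "filter"

    def is_filtered(self, src, dst, dport):
        return self.decide(src, dst, dport) == "filter"


# Constructed sample: one LAN segment to filter, one server excluded, and port 443
# excluded. The addresses are illustrative, not taken from a real deployment.
EXAMPLE = RangeToDetect(
    source_filter=["192.168.0.0/255.255.255.0"],
    source_ignore=["192.168.0.20"],
    excluded_ports={443},
)


if __name__ == "__main__":
    for src, dst, port in (("192.168.0.50", "209.247.228.221", 80),
                           ("192.168.0.20", "209.247.228.221", 80),
                           ("192.168.0.50", "209.247.228.221", 443),
                           ("10.1.1.1", "209.247.228.221", 80)):
        print(f"{src} -> {dst}:{port}: {EXAMPLE.decide(src, dst, port)}")
```

The point worth taking from the evaluation order is that an exclusion is absolute: any source in the ignore list, and any port in the exclusion list, passes for every host in the range without being logged, so both lists deserve the same review as a firewall exception.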
Step 1B: Block Web access via IP Sub-Group profile

NOTE: This step assumes that the IP Group and Sub-Group have already been created.

1. Select the IP Sub-Group from the tree.

2. ...

Fig. 5-32 Sub Group Profile window, Redirect URL tab

6. Select "Default Block Page", and then click Apply.

7. Click the Filter Options tab to display the Filter Options page: Fig. ...

As a result of these entries, the machine will not be served the Authentication Request Form, and will use the default block page instead. Go on to Step 2 to complete this process.

Step 2: Modify the Global Group Profile

1. ...

3. Click the Port tab to display the Port page:

Fig. 5-35 Global Group Profile window, Port tab

a. Enter the Port number to be blocked, and then click Add to include the port number in the Block Port(s) list box.

4. Click the Default Redirect URL tab to display the Default Redirect URL page:

Fig. 5-36 Global Group Profile window, Redirect URL tab

a. Select "Authentication Request Form".

NOTE: Since the Authentication Request Form radio button selection uses the host name of the server, not the IP address, ...

5. Click the Filter Options tab to display the Filter Options page:

Fig. 5-37 Global Group Profile window, Filter Options tab

a. Select filter options to be enabled.

b. Click Apply.

As a result of these entries, a user who does not have a filtering profile will be served the Authentication Request Form so he/she can be authenticated.

Add Net Use command to Login Scripts

After testing the NET USE command, the next step is to add the NET USE command to users' login scripts. We recommend that you add the 3-try login script to the existing domain login script. The script runs under the logging-on user's own credentials, so no user name or password is written into it.
5: A HAPTER UTHENTICATION EPLOYMENT CTIVATE UTHENTICATION ON THE ETWORK if errorlevel 0 echo code 0: Success goto :end :try3 echo Running net use... net use \\192.168.0.20\r3000$ if errorlevel 1 goto :error if errorlevel 0 echo code 0: Success goto :end :error if errorlevel 1 echo code 1: Failed! :end...
1. Click Global Group in the tree to open the pop-up menu.

2. Select Global Group Profile to display the Category tab of the Profile window.

3. In the Category Profile page, select categories to block, pass, white list, or assign a warn setting, and indicate whether uncategorized sites should pass, trigger a warn message for the end user, or be blocked.
Chapter 6: Technical Support

For technical support, visit M86 Security's Technical Support Web page at http://www.m86security.com/support/ or contact us by phone, by e-mail, or in writing. For troubleshooting tips, visit http://www.m86security.com/software/8e6/ts/wf.html

Hours

Regular office hours are from Monday through Friday, 8 a.m. ...

Support Procedures

When you contact our technical support department:

• You will be greeted by a technical professional who will request the details of the problem and attempt to resolve the issue directly.

• ...

Appendix A: Authentication Operations

When enabling authentication in the interface, there are three tiers from which to select based on the type of server(s) used on the network, and various authentication options can be used with each of these tiers.

Authentication Tier Selections

Web Filter authentication is designed to support the following server types for the specified tier(s): ...

Tier 1: Single Sign-On Authentication

Net use based authentication process

The following diagram and steps describe the operations of the net use based user authentication process:

Fig. A-1 Net use based authentication module diagram

1. ...

4. Upon creating the IPC share, the software in the Web Filter queries the network authentication server with the user's login name and password sent by the workstation.

5. Once the user is successfully authenticated, the Web Filter matches the user's login name or group name with a stored list of profile settings in the Web Filter.

Tier 1 authentication method

Tier 1 supports the LDAP authentication method. LDAP is a directory access protocol: the directory it exposes stores entries, each identified by a Distinguished Name, in a hierarchical tree structure. The LDAP directory service is based on a client/server model to give the client access to resources on the network.

... must have a valid DNS entry or the IP address must be added to the Web Filter hosts file.

Configuring the authentication server

When configuring authentication, you must first go to the authentication server and make all necessary entries before configuring the Web Filter.

Example: NET USE \\192.168.0.20\R3000$ /user:LOGO\jsmith xyz579

Use the /user: form with an explicit password only for an interactive test from a console; a password typed on the command line is visible in the shell history and to other processes on the workstation, and must never be placed in a login script.

• The command to disconnect a session is: NET USE \\virtualip\R3000$ /delete

View login script on the server console

The login script can be viewed on the authentication server console.

LDAP server setup rules

WARNING: The instructions in this user guide have been documented based on standard default settings in LDAP for Microsoft Active Directory Services. The use of other server types, or any changes made to these default settings, must be considered when configuring the Web Filter for authentication.

Tier 2: Time-based, Web Authentication

The following diagram and steps describe the operations of the time-based authentication process:

Fig. A-2 Web-based authentication module diagram

1. The user makes a Web request by entering a URL in his/her browser window.

Tier 2 implementation in an environment

In an environment where Tier 2 time-based profiles have been implemented, end users receive filtering profiles after correctly entering their credentials into a Web-based Authentication Request Form. A profile remains active for a configurable amount of time even if the user logs out of the workstation, changes IP addresses, etc. On a shared workstation this means the next person to sit down inherits the previous user's profile until it expires, which is why the logoff script described next matters.

Tier 2 Script

If using Tier 2 only, this script should be inserted into the network's login script. If the network also uses a logoff script, M86's script should be inserted there as well. The inclusion of this script ensures that the previous end user's profile is completely removed, in the event the end user did not log out successfully.

Tier 1 and Tier 2 Script

In an environment in which both Tier 1 and Tier 2 are used, this version of M86's script should be inserted into the network's login script. M86's script attempts to remove the previous end user's profile, and then lets the new user log in with his/her assigned profile.
A: A 2: T PPENDIX UTHENTICATION PERATIONS BASED UTHENTICATION :try1 NET USE \\10.10.10.10\R3000$ if errorlevel 1 goto :try2 if errorlevel 0 echo code 0: Success goto :end :try2 NET USE \\10.10.10.10\R3000$ if errorlevel 1 goto :try3 if errorlevel 0 echo code 0: Success goto :end :try3 NET USE \\10.10.10.10\R3000$...
A: A 3: S PPENDIX UTHENTICATION PERATIONS ESSION BASED UTHENTICATION Tier 3: Session-based, Web Authentication The diagram on the previous page (Fig. A-2) and steps below describe the operations of the session-based authen- tication process: 1. The user makes a Web request by entering a URL in his/ her browser window.
M86 Authenticator

The M86 Authenticator ensures the end user is authenticated on his/her workstation, via an executable file that launches during the login process. To use this option, the M86 Authenticator client (authenticat.exe) should be placed in a network share accessible by the domain controller or a Novell eDirectory server, such as NetWare eDirectory server 6.5.

Environment requirements

Windows minimum system requirements

The following minimum server components are required when using NetWare eDirectory server 6.5:
• Server-class PC with a Pentium II or AMD K7 processor
• 512 MB of RAM
• ...
• Bootable CD drive that supports the El Torito specification
• USB or PS/2* mouse

Macintosh minimum system requirements

The following minimum server components are required when using a Macintosh:
• OS X 10.5
• ...

Work flow in environments

Windows environment

1. The administrator stores the M86 Authenticator client (authenticat.exe) in a network-shared location that a login script can access.
2. Using a Windows machine, an end user logs on to the domain, or logs on to the eDirectory tree via a Novell client.

Macintosh environment

1. The administrator installs a LaunchAgent on the client machine.
2. Using a Macintosh machine, an end user logs on to the domain and launches the LaunchAgent.
3. The end user's launchd process invokes the Authenticator on login.

M86 Authenticator configuration priority

The source and order in which parameters are received and override one another are described below.

NOTE: The RA[] parameter for the Web Filter IP address is the only parameter that must be configured.

Macintosh

1. Compiled Defaults: Given no parameters at all, the client will try to execute using the default compilation.
2. Configuration File (optional): The default configuration file name is "8e6Authenticator.conf". The path can be specified on the command line with the CF[] parameter.

M86 Authenticator configuration syntax

All configuration parameters, regardless of their source, use the following format/syntax:

    wAA[B]w{C}w      {Parameter 'AA' with Data 'B'; Comment 'C' is ignored.}
    w;DD[E]w{C}w     {The semicolon causes 'DD[E]' to be ignored; 'C' is also ignored.}

Whereas 'AA'...

Sample configuration update packet 'PCFG'

After decryption, with protocol headers removed:

    RH[30000]RC[1000]LE[1]

You only need to change the options you do not wish to leave at their defaults. Often the IP address of the Web Filter (RA) and the log file (LF) are the options most worth changing.

Table of parameters

The following table contains the different parameters, their meanings, and possible values.

    Param | Parameter Meaning        | Release | Values                         | Default
    UT    | User's Logon Environment |         | 1-256 (0 = Win32, 1 = Novell)  | 255 (auto)

+ If UT[0] is set, the Novell environment is ignored, if present, and only the Windows environment information is retrieved and sent to the Web Filter. If UT[1] is set and the Novell environment is invalid, or the user is not authenticated with its Novell server, then the results sent to the Web Filter are invalid (probably empty values).

RP[] affects port-less addresses specified in the RV[] command as well.
• For RA[], each IP address is separated by a semi-colon ';', and the first IP address will be tried for each new connection attempt.
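The following parser is an added example, not code from M86 or from the Authenticator client. It implements the AA[B] {C} entry syntax and the ';' disabler described above, merges parameter sources so that a later source overrides an earlier one (the configuration priority section), and expands RA[] into the ordered list of endpoints using RP[] for port-less addresses. The set and order of sources, the sample values, and the "host:port" spelling of a per-address port are assumptions made for this example.

```python
"""Parser and precedence resolver for M86 Authenticator parameters.

Added illustration, not M86's client code. It follows the syntax on this page:
an entry is  AA[B] {C}  where AA is the two-letter parameter name, B its data and
{C} an ignored comment, and an entry written ;AA[B] is ignored. Sources are
merged lowest priority first so that a later source overrides an earlier one.
The set and order of sources, every sample value, and the 'host:port' spelling
of a per-address port in RA[] are assumptions made for this example.
"""
import re
from typing import Dict, List, Tuple

# One entry: optional ';' disabler, two-letter name, [data], optional {comment}.
_ENTRY = re.compile(r"\s*(;?)\s*([A-Za-z]{2})\[([^\]]*)\]\s*(?:\{[^}]*\})?")
_COMMENT = re.compile(r"\s*\{[^}]*\}")


def parse_config(text: str) -> Dict[str, str]:
    """Parse one source (config file body, command line, or decrypted PCFG body)
    into {NAME: data}. Entries prefixed with ';' are skipped; within one source
    a repeated name keeps its last value. Unparsable text raises ValueError."""
    params: Dict[str, str] = {}
    pos = 0
    while text[pos:].strip():
        m = _COMMENT.match(text, pos)          # stand-alone {comment}
        if m:
            pos = m.end()
            continue
        m = _ENTRY.match(text, pos)
        if not m:
            raise ValueError(f"unparsable Authenticator config at offset {pos}: "
                             f"{text[pos:pos + 20]!r}")
        disabled, name, data = m.group(1), m.group(2).upper(), m.group(3)
        if not disabled:
            params[name] = data
        pos = m.end()
    return params


def merge_sources(sources: List[Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Merge (label, text) sources listed lowest priority first. Each parameter
    maps to (data, label of the source that set it), which answers the usual
    support question of where an unexpected RA[] or LF[] value came from."""
    effective: Dict[str, Tuple[str, str]] = {}
    for label, text in sources:
        for name, data in parse_config(text).items():
            effective[name] = (data, label)
    return effective


def web_filter_endpoints(effective: Dict[str, Tuple[str, str]]) -> List[str]:
    """Expand RA[] into the ordered endpoints the client tries, first entry first
    on every new connection. RP[] supplies the port for any address written
    without one; an address with no port and no RP[] is a configuration error."""
    if "RA" not in effective:
        raise ValueError("RA[] is the one mandatory parameter and it is missing")
    default_port = effective.get("RP", (None, None))[0]
    endpoints: List[str] = []
    for addr in effective["RA"][0].split(";"):
        addr = addr.strip()
        if not addr:
            continue
        if ":" in addr:                         # assumed per-address port form
            endpoints.append(addr)
        elif default_port is None:
            raise ValueError(f"{addr} has no port and RP[] is not set")
        else:
            endpoints.append(f"{addr}:{default_port}")
    return endpoints


# Constructed sample sources (no real deployment values).
COMPILED_DEFAULTS = "UT[255] {auto-detect Windows or Novell logon environment}"
CONFIG_FILE = """
{8e6Authenticator.conf, constructed sample}
RA[10.10.10.10;10.10.10.11:8080] {first address is tried first}
RP[5000] {sample port for addresses written without one}
LF[C:\\auth.log]
;UT[0] {disabled by the leading semicolon}
"""
PCFG_PACKET = "RH[30000]RC[1000]LE[1]"   # decrypted body as shown on this page


def effective_config() -> Dict[str, Tuple[str, str]]:
    """Merge the sample sources in assumed ascending priority."""
    return merge_sources([
        ("compiled defaults", COMPILED_DEFAULTS),
        ("8e6Authenticator.conf", CONFIG_FILE),
        ("PCFG packet", PCFG_PACKET),
    ])


if __name__ == "__main__":
    cfg = effective_config()
    for name, (data, source) in sorted(cfg.items()):
        print(f"{name}[{data}]  <- {source}")
    print("endpoints:", web_filter_endpoints(cfg))
```

Recording the source label next to each effective value is the useful part when troubleshooting: a client that ignores the RA[] in its configuration file is usually being overridden by a later source, and the merged view shows that directly.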
Novell eDirectory Agent

Novell eDirectory Agent provides Single Sign-On (SSO) authentication for a Web Filter set up in a Novell eDirectory environment. Using Novell eDirectory Agent, the Web Filter is notified by the eDirectory server when an end user logs on or off the network, and adds/removes his/her network IP address, thus setting the end user's filtering profile accordingly.

Client workstations

To use this option, all end users must log in to the network. The following OSes have been tested:
• Windows 2000 Professional
• Windows XP
• Macintosh

Novell clients

The following Novell clients have been tested:
• ...

Web Filter setup and event logs

When using a Novell eDirectory server and choosing to use the Novell eDirectory Agent option in the Web Filter:
• Enable Novell eDirectory Agent in the Enable/Disable Authentication window.
Active Directory Agent

Active Directory Agent is a Windows service that provides transparent user identification for Windows Active Directory-based networks. The Active Directory Agent (also called "AD Agent") collects information from several sources simultaneously and populates a single session table that identifies the current user for each active workstation on the network.

Windows server requirements
• Windows 2000 or Windows 2003 server running on a 32-bit platform
• Latest Microsoft patches/service packs applied
• At least 512 MB RAM
• 100 MB disk space
• ...

Set up AD Agent

Step 1: AD Agent settings on the Web Filter

To set up Active Directory Agent on the Web Filter, go to the System > Authentication > Enable/Disable Authentication window in the Web Filter user interface, and specify the following criteria:

Fig.

Fig. A-4 AD Agent Settings pop-up window

3. In the Computer Name field, enter the name of the primary AD Agent machine.
4. Enter from seven to 20 alphanumeric characters in the Passphrase field, and enter the same characters again in the Confirm field. This passphrase is the shared secret the AD Agent presents to the Web Filter (it is entered again as the Appliance passphrase in the AD Agent configuration wizard), so generate it like a password and do not reuse it elsewhere.

Step 2: Configure the domain, service account

1. Create a new group on the domain named dcagent_services.
2. Create a new domain user account named dcagent_service and make it a member of the dcagent_services group.

d. Add the dcagent_services and Domain Admins groups to the list of permitted users.

If installing the AD Agent on a domain controller only:
• Double-click the "Allow Logon Locally" setting.
• Add the dcagent_service account to the list of permitted users.

NOTE: If prompted, install Microsoft .NET Framework 2.0. The Framework may require updating other Windows components before installing the AD Agent.

2. Click Run to open the End User License Agreement (EULA) in the M86 AD Agent installation setup wizard:

Fig.

4. After specifying the destination folder for installing the AD Agent, click Next to begin the installation setup process:

Fig. A-8 AD Agent installation

5. When the AD Agent installation setup process has successfully finished, completion information displays:

Fig.
Step 3C: Run AD Agent configuration wizard

The AD Agent configuration wizard should be run when setting up AD Agent for the first time, and whenever the role of the AD Agent on the current machine changes (from primary to satellite, or vice versa).

Fig. A-11 Account and password information

2. By default, the Account field is populated with the path of the dcagent_service account.
   a. Enter the Password for this account, specified during Step 2.
   b.

Fig. A-12 Specify role of AD Agent on current machine

3. By default, the Role of the AD Agent on the current machine being configured is "Primary", indicating that this is either the only machine running AD Agent, or this is the central machine among a team comprised of one or more "Satellite"...

   b. Enter the Primary agent computer name that will delegate to this machine the areas of the network to scan for end user logon/logoff events. This satellite machine running the AD Agent will send its logon/logoff event data to the primary machine running the AD Agent.

   d. Appliance passphrase - Enter the passphrase that was entered in the Passphrase field in the AD Agent Settings pop-up window (accessible via the Enable/Disable Authentication window).
   e. (Repeat passphrase) - Re-enter the passphrase entered in the previous field.

NOTE: Information about how to view and use the Activity log is explained in the Activity tab section of Use the Active Directory Agent console.

Use the Active Directory Agent console

The Active Directory Agent console is used for displaying results of workstation probe searches, for running or stopping the AD Agent service, and for configuring a primary AD Agent or Agent team.
In this tab the activity log displays, comprised of rows of records for the most recent activity on the current machine running the AD Agent. The most recent activity displays at the bottom of the log.

TIP: To stop the activity log from automatically scrolling, right-click in the table and de-select the "Auto-scroll"...

The following actions can be performed via the Activity tab:
• View/download the activity log in text file format - Click the View as text button to launch a Notepad file containing the contents of the activity log.

Sessions tab

Sessions displays by default when the Active Directory Agent console is launched on a machine running the AD Agent in the primary role, or whenever the Sessions tab is clicked in the console of a primary AD Agent:

Fig.

• Login - Date and time the end user last logged in (using the MM/YY HH:MM military time format). If 01/01 00:00 displays, the end user has not logged on at that workstation since the AD Agent service was installed on the network.

• View/modify primary AD Agent configuration, stop/start AD Agent service - Click the Configuration button to open a pop-up window containing AD Agent configuration tools and configured settings (see Active Directory Agent Configuration window).

Session Properties window

1. To view detailed information about a record in the session table, do one of the following:
   • Double-click the record in the session table to open the Session Properties pop-up window
   • ...

Last error (an error code displays if the probe failed to successfully identify the end user); Last updated (shows the time the data last changed for the end user's workstation, using the M/D/YYYY H:M:SS AM/PM format).

2. Click either of the probe buttons to activate the probe search on demand:
   • Nwksta Probe - this is the default probe used for identifying workstations. This probe requires the user's domain account to have administrator permissions on the workstation if it is running the Windows 2000 Professional operating system.

Active Directory Agent Configuration window

The Active Directory Agent Configuration window lets you modify settings for the AD Agent team, if there are changes to the AD Agent setup or to the Web Filter on your network. For satellite hosts, most of this information can only be viewed on the pages in this window, but the role of the AD Agent can be changed from satellite to primary, and the...
• Agent hosts - used for specifying the role (primary or satellite) the AD Agent will play on the current machine being configured.
• Options - used for specifying configuration options for the primary host, or for viewing this information on a satellite host.

Service page

1. Click Service to display the Service page:

Fig. A-20 Primary host Configuration, Service

The Server status displays to indicate the status of AD Agent on the current machine: Running, StopPending, Stop, StartPending.

• Reset Team State - This button is activated if the AD Agent service is running on the primary host. Clicking this button flushes all accumulated session data for the entire team (primary and satellite hosts), except the configuration file, and rebuilds all data from scratch.

Agent hosts page

1. Click Agent Hosts to display the Agent hosts page:

Fig. A-22 Primary host Configuration, Agent hosts

By default, the fields in this page are populated with entries made during the configuration wizard setup process.

• Configuration - On a primary host server, selecting a satellite in the AD Agent servers list box and clicking this activated button opens a dialog box in which the servers and/or workstations to be scanned by the satellite are specified.

Configure a satellite

On a primary host server:
1. Select the satellite Machine in the AD Agent servers list box.
2. Click Configuration to open the Satellite Agent Configuration dialog box:

Fig.

If the satellite will not be manually assigned any machines on the network to scan, click OK to close the dialog box and to display any entries (if made) in the Assigned servers field of the Satellite Agent Configuration dialog box.

   a. Enter the Lowest IP address in the range.
   b. Enter the Highest IP address in the range.
   c. Click OK to close the dialog box and to display your entries in the IP Address Filters list box of the Satellite Agent Configuration dialog box.

• Period end - the time period (using the HH:MM military time format) of each 10-minute interval in which servers/machines were scanned. The most recent 10-minute interval displays as the first record among the rows of records.

Options page

On a primary host server:
1. Click Options to display the Options page:

Fig. A-28 Primary host Configuration, Options

2. Modify entries or make selections in this page as pertinent to your AD Agent setup:
   • ...
   • "Enable NetWkstaUserEnum workstation probes": By default, this probe process is selected to run.
   • Minimum probe interval: By default, 5 minutes displays as the interval of time at which the selected probe type(s) will probe workstations.

Notifications page

On a primary host server:
1. Click Notifications to display the Notifications page:

Fig. A-29 Primary host Configuration, Notifications

2. If using an SMTP server, enter the following criteria to specify the email address to be used in the event of a critical system error:
   • ...

3. Click Send test message to test the email setup connection. Make any necessary modifications to your entries if the sending mail connection fails.

NOTE: The primary AD Agent sends an alert email message each day to the administrator's email address designated in this page.
Appendix B: Obtain, Export an SSL Certificate

When using Web-based authentication, the LDAP server's SSL certificate needs to be exported and saved to the hard drive, then uploaded to the Web Filter so that the Web Filter will recognize the LDAP server as a trusted source.

Export an Active Directory SSL Certificate

2. Verify that the certificate authority has been installed on this server and is up and running, indicated by a green check mark on the server icon (see circled item in Fig. B-).

Locate Certificates folder

1.

3. From the toolbar, click Console to open the pop-up menu. Select Add/Remove Snap-in to open the Add/Remove Snap-in dialog box:

Fig. B-4 Add/Remove Snap-in

4.

Fig. B-6 Certificates snap-in dialog box

6. Choose "Computer account", and click Next to go to the Select Computer wizard page:

Fig. B-7 Select Computer dialog box

7.

Notice that the snap-in has now been added to the Console Root folder:

Fig. B-8 Console Root with snap-in

Export the master certificate for the domain

1.

This action launches the Certificate Export Wizard:

Fig. B-10 Certificate Export Wizard

3. Click Next to go to the Export Private Key page of the wizard. The Web Filter needs only the public certificate, so the private key must not be exported; the Base-64 X.509 (.CER) format selected in the next step cannot carry one in any case.

Fig.

Fig. B-12 Export File Format

5. Select "Base-64 encoded X.509 (.CER)" and click Next to go to the File to Export page of the wizard:

Fig.

Fig. B-14 Settings

7. Notice that the specified settings display in the list box, indicating the certificate has been successfully copied from the console to your disk. Click Finish to close the wizard dialog box.
Export a Novell SSL Certificate

1. From the console of the LDAP server, go to the tree in the left panel and open the Security folder to display the contents in the Console View (right panel):

Fig.

3. Click the Certificates tab to go to the Self Signed Certificate page.
4. Click Export to open the Export A Certificate pop-up window:

Fig.

Obtain a Sun One SSL Certificate

Unlike Microsoft or Novell, the Sun One LDAP directory does not have a tool for exporting an SSL certificate once it has been imported to the LDAP server.
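Where the directory offers no export tool, the certificate the LDAPS listener presents can be read off a TLS handshake and written in the same Base-64 encoded X.509 (.CER) format the Active Directory wizard produces. The script below is an added example, not an M86 procedure; the host name "ldap.example.local", port 636 and the output file name are assumptions. It also shows the check a practitioner wants before uploading: the fetch itself validates nothing, so the SHA-256 fingerprint it prints must be compared out of band (for example with the value the directory console shows), and if the server's certificate was issued by a CA, that CA certificate, not the leaf fetched here, is what the Web Filter should trust.

```python
"""Retrieve an LDAP server's TLS certificate and write it as Base-64 X.509 (.CER).

Added example, not an M86 procedure. Where the directory offers no export tool
(this page names Sun One), the certificate the LDAPS listener presents can be
read off a TLS handshake with the standard library and saved in the same
Base-64 encoded X.509 format the Active Directory wizard produces. The host
name, port 636 and output file name are assumptions for this example.
Caveat: get_server_certificate() validates nothing, so fetch over a path you
trust and compare the fingerprint out of band before uploading the file to the
Web Filter as a trust anchor. If the server's certificate was issued by a CA,
that CA's certificate is the one to upload, not the leaf fetched here.
"""
import hashlib
import ssl
from typing import Tuple


def fetch_ldaps_certificate(host: str, port: int = 636) -> str:
    """Return the PEM text of the certificate presented on host:port (network)."""
    return ssl.get_server_certificate((host, port))


def der_sanity_check(der: bytes) -> Tuple[bool, int]:
    """Confirm the bytes are one DER SEQUENCE whose declared length matches the
    data, the outer shape of every X.509 certificate. Returns (ok, declared
    length). The certificate body itself is not parsed."""
    if len(der) < 2 or der[0] != 0x30:
        return False, 0
    first = der[1]
    if first < 0x80:                            # short-form length
        length, header = first, 2
    else:                                       # long form: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False, 0
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der), length


def der_to_pem(der: bytes) -> str:
    """Base-64 X.509 text with the BEGIN/END CERTIFICATE markers."""
    return ssl.DER_cert_to_PEM_cert(der)


def der_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER form, the value you compare out of band."""
    return hashlib.sha256(der).hexdigest()


def normalise_pem(pem: str) -> Tuple[str, str]:
    """Decode PEM, sanity-check the DER, and return (re-encoded Base-64 X.509
    text with 64-column lines, SHA-256 fingerprint as hex)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    ok, _ = der_sanity_check(der)
    if not ok:
        raise ValueError("PEM does not decode to a well-formed DER SEQUENCE")
    return der_to_pem(der), der_fingerprint(der)


def save_as_base64_cer(pem: str, path: str) -> str:
    """Write the normalised certificate to path and return its fingerprint."""
    text, fingerprint = normalise_pem(pem)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(text)
    return fingerprint


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.local"  # assumed
    print("sha256:", save_as_base64_cer(fetch_ldaps_certificate(host),
                                        "ldap-server.cer"))
```

The DER sanity check is deliberately shallow: it catches a file that is HTML, an error page, or a truncated download saved under a .cer name, which is the common failure when the fetch goes through a proxy, without pretending to validate the certificate.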
Appendix C: LDAP Server Customizations

The Web Filter has been tested on common types of standard LDAP servers with default settings. However, due to the number of LDAP servers available, and the limitless ways in which any type of LDAP server can be configured, customizations may need to be made on an LDAP server that fits either description.
Appendix D: Profile Format and Rules

The file with filtering profiles you upload to the server must be set up in a specified format, with one complete profile per line.

Username Formats

NOTE: For examples of valid username entries, see File Format: Rules and Examples in this appendix, or go to http://www.m86security.com/software/8e6/hlp/r3000/files/2group_textfile_user.html

Rule Criteria

Rule criteria consist of selections made from the following lists of codes that are used in profile strings:
• ...

• Category command codes: Category command codes must be entered in the following order: J, R, M, I. "PASSED" should be entered either directly after J, R, or M, or after the string of category codes that follows J, R, or M.

File Format: Rules and Examples

When setting up the file to upload to the server, the following items must be considered:
• Each profile must be entered on a separate line in the file.

LDAP Profile List Format and Rules

When setting up the "ldapwrkstnprofile.conf" file, "ldapuserprofile.conf" file, "ldapgroupprofile.conf" file, or "ldapcontainerprofile.conf" file, each entry must consist of the Distinguished Name (DN), with each part of the DN separated by commas (,).

Pornography and Pornography/Adult Content, Warn on Uncategorized URLs, and Pass all other categories, use filter mode 1, use redirect URL http://www.cnn.com in place of the standard block page, no filter options enabled.

• profile for a user with username "Public\, Joe Q.", organizational units "Users" and "Sales", domain "qc", DNS suffix ".local": Block all ports, use minimum filtering level, use filter mode 1, use standard block page, enable all filter options.

LDAP Quota Format and Rules

When setting up the "quota.conf" file, each entry must consist of the Distinguished Name (DN), a Tab space, and quota criteria. A zero (0) should be used if no Overall Quota minutes are included.
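A validator for profile and quota entries, added here as an example (not M86 code), that checks the rules stated above before a file is uploaded: the DN is split on commas while honouring an escaped comma such as "Public\, Joe Q.", the category command codes must appear in the order J, R, M, I, and PASSED may only follow J, R or M or the category codes after one of them. The tab between the DN and the category block, the category codes used in the constructed samples, and the assumption that the Overall Quota minutes lead the quota criteria are not specified on this page and are assumptions of the example; the remaining profile fields are passed through unchecked.

```python
r"""Validator for the per-line LDAP profile entries described in Appendix D.

Added example, not M86 code. Rules taken from this page: the entry starts with
a Distinguished Name whose parts are comma-separated (a comma inside a value is
escaped as "\," as in "Public\, Joe Q."); category command codes appear in the
order J, R, M, I; PASSED is written directly after J, R or M or after the
category codes that follow one of them. Assumptions for this example: a tab
separates the DN from the category block, the category codes in the samples,
and the Overall Quota minutes leading the quota.conf criteria.
"""
from typing import Dict, List, Tuple

COMMANDS = ("J", "R", "M", "I")


def split_dn(dn: str) -> List[Tuple[str, str]]:
    r"""Split 'CN=Public\, Joe Q.,OU=Sales,DC=qc,DC=local' into (attr, value)
    pairs, treating a backslash-escaped comma as part of the value."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])           # escaped character kept literally
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"DN component without '=': {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_category_block(block: str) -> List[Tuple[str, List[str], bool]]:
    """Return [(command, category_codes, passed)] sections, raising ValueError
    when J, R, M, I are out of order or repeated, when PASSED is misplaced, or
    when a category code precedes the first command code."""
    sections: List[list] = []
    current = None
    for tok in block.split():
        if tok in COMMANDS:
            if current is not None:
                if COMMANDS.index(tok) <= COMMANDS.index(current[0]):
                    raise ValueError(f"command {tok} must not follow {current[0]}")
                sections.append(current)
            current = [tok, [], False]
        elif tok == "PASSED":
            if current is None or current[0] == "I":
                raise ValueError("PASSED is only valid after J, R or M")
            if current[2]:
                raise ValueError(f"PASSED repeated after {current[0]}")
            current[2] = True
        elif current is None:
            raise ValueError(f"category code {tok} before any command code")
        elif current[2]:
            raise ValueError(f"category code {tok} after PASSED in {current[0]}")
        else:
            current[1].append(tok)
    if current is not None:
        sections.append(current)
    return [(c, codes, passed) for c, codes, passed in sections]


def parse_profile_line(line: str) -> Dict[str, object]:
    """DN<TAB>category block<TAB>other fields (assumed layout)."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 2:
        raise ValueError("expected DN and category block separated by a tab")
    return {"dn": split_dn(fields[0]),
            "sections": check_category_block(fields[1]), "rest": fields[2:]}


def parse_quota_line(line: str) -> Tuple[List[Tuple[str, str]], int, List[str]]:
    """quota.conf: DN<TAB>criteria, Overall Quota minutes (0 if none) assumed
    first; the remaining criteria tokens are returned unparsed."""
    dn, _, criteria = line.rstrip("\r\n").partition("\t")
    if not criteria.strip():
        raise ValueError("quota entry needs a tab and criteria after the DN")
    overall, *rest = criteria.split()
    return split_dn(dn), int(overall), rest


def validate_profile_file(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, message) for each rejected line; [] means clean."""
    problems = []
    for n, line in enumerate(lines, 1):
        if line.strip():
            try:
                parse_profile_line(line)
            except ValueError as exc:
                problems.append((n, str(exc)))
    return problems


# Constructed sample file: the second line has R before J, which the rules forbid.
SAMPLE_PROFILES = [
    "CN=Public\\, Joe Q.,OU=Sales,OU=Users,DC=qc,DC=local\tJ PORN GPORN R PASSED M PASSED I CHAT\t1",
    "CN=Sales Group,OU=Sales,DC=qc,DC=local\tR PORN J PASSED\t1",
]

if __name__ == "__main__":
    for n, msg in validate_profile_file(SAMPLE_PROFILES) or [(0, "all lines valid")]:
        print(n, msg)
```

Running the validator over the whole file before upload is cheaper than discovering a malformed DN from the Web Filter side, where a mis-parsed entry silently leaves the user on a different profile than intended.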
Appendix E: Override Pop-up Blockers

An override account user with pop-up blocking software installed on his/her workstation will need to temporarily disable pop-up blocking in order to authenticate him/herself via the Options page. The procedures below add only the Web Filter's address to each blocker's allow list rather than turning blocking off altogether:

Fig.

Yahoo! Toolbar Pop-up Blocker

If pop-up blocking is enabled

1. In the Options page (see Fig. E-1), enter your Username and Password.
2. Press and hold the Ctrl key on your keyboard while clicking the Override button. This action opens the override account pop-up window.

Fig. E-3 Allow pop-ups from source

3. Select the source from the Sources of Recently Blocked Pop-Ups list box to activate the Allow button.
4. Click Allow to move the selected source to the Always Allow Pop-Ups From These Sources list box.

Google Toolbar Pop-up Blocker

If pop-up blocking is enabled

1. In the Options page (see Fig. E-1), enter your Username and Password.
2. Press and hold the Ctrl key on your keyboard while clicking the Override button. This action opens the override account pop-up window.

AdwareSafe Pop-up Blocker

If pop-up blocking is enabled

1. In the Options page (see Fig. E-1), enter your Username and Password.
2. Press and hold the Ctrl key on your keyboard while clicking the Override button. This action opens the override account pop-up window.

Mozilla Firefox Pop-up Blocker

Add override account to the white list

1. From the Firefox browser, go to the toolbar and select Tools > Options to open the Options dialog box.
2. Click the Content tab at the top of this box to open the Content section:

Fig.
Fig. E-7 Mozilla Firefox Pop-up Window Exceptions

4. Enter the Address of the web site to let the override account window pass.
5. Click Allow to add the URL to the list box section below.
6.

Windows XP SP2 Pop-up Blocker

Set up pop-up blocking

There are two ways to enable the pop-up blocking feature in the IE browser.

Use the Internet Options dialog box

1. From the IE browser, go to the toolbar and select Tools > Internet Options to open the Internet Options dialog box.

Use the IE toolbar

In the IE browser, go to the toolbar and select Tools > Pop-up Blocker > Turn On Pop-up Blocker:

Fig. E-9 Toolbar setup

When you click Turn On Pop-up Blocker, this menu selection changes to Turn Off Pop-up Blocker and activates the Pop-up Blocker Settings menu item.

Add override account to the white list

There are two ways to disable pop-up blocking for the override account and to add the override account to your white list.

Use the IE toolbar

1.

Use the Information Bar

With pop-up blocking enabled, the Information Bar can be set up and used for viewing information about blocked pop-ups or for allowing pop-ups from a specified site.

Set up the Information Bar

1.

3. Click the Information Bar for settings options:

Fig. E-12 Information Bar menu options

4. Select Always Allow Pop-ups from This Site. This action opens the Allow pop-ups from this site? dialog box:

Fig.
Appendix F: Glossary

Definitions

This glossary includes definitions for terminology used in this user guide.

ADS - Active Directory Services is a Windows 2000 directory service that acts as the central authority for network security, by letting the operating system validate a user's identity and control his or her access to network resources.

directory service - Uses a directory on a server to automate administrative tasks for storing and managing objects on a network (such as users, passwords, and network resources users can access). ADS, DNS, and NDS (Novell Directory Services) are types of directory services.

filter setting - A setting made for a service port. A service port with a filter setting uses the filter settings created for library categories (block, open, or always allow settings) to determine whether users should be denied or allowed access to that port.

LDAP host - The LDAP domain name and DNS suffix. For example: "yahoo.com" or "server.local".

login (or logon) script - Consists of syntax that is used for re-authenticating a user if the network connection between the user's machine and the server is lost.

NetBIOS name lookup - An authentication method used for validating a client (machine) by its machine name.

Network Address Translation (NAT) - Allows a single real IP address to be used by multiple PCs or servers. This is accomplished via a creative translation of inside "fake"...

quota - The number of minutes configured for a passed library category in an end user's profile that lets him/her access URLs for a specified time before being blocked from further access to that category.

router mode - A Web Filter set up in router mode will act as an Ethernet router, filtering IP packets as they pass from one card to another.

time profile - A customized filtering profile set up to be effective at a specified time period for designated users.

tiers - Levels of authentication methods. Tier 1 uses net use based authentication for LDAP. Tier 2 uses time-based profiles for the LDAP authentication method, and Tier 3 uses persistent login connections for the LDAP authentication