M86 Web Filter

USER GUIDE

for Authentication
Software Version: 4.0.10
Document Version: 06.08.10

Summary of Contents for M86 Security M86 Web Filter

  • Page 1: User Guide

    M86 Web Filter USER GUIDE for Authentication Software Version: 4.0.10 Document Version: 06.08.10...
  • Page 2 M86 Security shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein.
  • Page 3: Table Of Contents

    Contents: Chapter 1: Introduction; About this User Guide; How to Use this User Guide; Conventions; Terminology; Filtering Elements; Group Types; Global Group; IP Groups; LDAP Domain Groups
  • Page 4 Contents: Web Filter authentication options; Authentication Solution Compatibility; Authentication System Deployment Options; Ports for Authentication System Access; Configuring Web Filter for Authentication; Configuration procedures; System section; Policy section
  • Page 5 Contents: Option 3; Common Customization; Enable, disable features; Authentication Form Customization; Preview sample Authentication Request Form; Block Page Customization; Preview sample block page; Set up Group Administrator Accounts; Add Sub Admins to manage nodes
  • Page 6 Contents: Apply a filtering rule to a profile; Delete a rule; Specify a group’s filtering profile priority; Manually add a workstation name to the tree; Manually add a user’s name to the tree; Manually add a group’s name to the tree
  • Page 7 Contents: Step 8: Attempt to access Web content; Test net use based authentication settings; Activate Authentication on the Network; Activate Web-based authentication for an IP Group; Step 1: Create a new IP Group, “webauth”; Step 2: Set “webauth”...
  • Page 8 Contents: Tier 2, Tier 3: Web-based authentication; Tier 1: Single Sign-On Authentication; Net use based authentication process; Re-authentication process; Tier 1 authentication method; Name resolution methods; Configuring the authentication server; Login scripts
  • Page 9 Contents: Novell eDirectory servers; Client workstations; Novell clients; Novell eDirectory setup; Web Filter setup and event logs; Active Directory Agent; Product feature overview; Windows server requirements; Work flow in a Windows environment
  • Page 10 Contents: Export a Novell SSL Certificate; Obtain a Sun One SSL Certificate; Appendix C: LDAP Server Customizations; OpenLDAP Server Scenario; Not all users returned in LDAP Browser window; D: P ....
  • Page 11 Contents: Set up pop-up blocking; Use the Internet Options dialog box; Use the IE toolbar; Temporarily disable pop-up blocking; Add override account to the white list; Use the IE toolbar; Use the Information Bar
  • Page 12 Contents: M86 Security User Guide...
  • Page 13: Chapter 1: Introduction

    LDAP domains. NOTE: Refer to the M86 Web Filter Installation Guide, M86 IR Web Filter Installation Guide, or M86 WFR Installation Guide for information on installing the unit on the network.
  • Page 14: How To Use This User Guide

    izations to make on specified LDAP servers; filtering profile file components and setup; tips on how to override pop-up windows with pop-up blocker software installed; a glossary on authentication terms, and an index. How to Use this User Guide Conventions The following icons are used throughout this user guide:...
  • Page 15: Terminology

    Terminology The following terms are used throughout this user guide. Sample images (not to scale) are included for each item. • alert box - a message box that opens in response to an entry you made in a dialog box, window, or screen.
  • Page 16 • frame - a boxed-in area in a dialog box, window, or screen that includes a group of objects such as fields, text boxes, list boxes, buttons, radio buttons, checkboxes, and/or tables. Objects within a frame belong to a specific function or group.
  • Page 17 • pop-up box or pop-up window - a box or window that opens after you click a button in a dialog box, window, or screen. This box or window may display information, or may require you to make one or more entries.
  • Page 18 • sub-topic - a subset of a main topic that displays as a menu item for the topic. The menu of sub-topics opens when a pertinent topic link in the left panel—the navigation panel—of a screen is clicked.
  • Page 19 • tree - a tree displays in the navigation panel of a screen, and is comprised of a hierarchical list of items. An entity associated with a branch of the tree is preceded by a plus (+) sign when the branch is collapsed.
  • Page 20: Filtering Elements

    Filtering Elements Filtering operations include the following elements: groups, filtering profiles and their components, and rules for filtering. Group Types In the Policy section of the Administrator console, group types are structured in a tree format in the navigation panel. There are four group types in the tree list: •...
  • Page 21: IP Groups

    IP Groups The IP group type is represented in the tree by the IP icon. A master IP group is comprised of sub-group members and/or individual IP members. The global administrator adds master IP groups, adds and maintains override accounts at the global level, and establishes and maintains the minimum filtering level.
  • Page 22: LDAP Domain Groups

    LDAP Domain Groups An LDAP (Lightweight Directory Access Protocol) domain on a network server is comprised of LDAP groups and their associated members (users), derived from profiles on the network’s authentication server. The LDAP group type is represented in the tree by the LDAP icon.
  • Page 23: Filtering Profile Types

    Filtering Profile Types A filtering profile is used by all users who are set up to be filtered on the network. This profile consists of rules that dictate whether a user has access to a specified Web site or service on the Internet.
  • Page 24 • LDAP member filtering profile - used by an LDAP group member. • LDAP container filtering profile - used by an LDAP container in an LDAP domain. • LDAP time profile - used by an LDAP entity at a specified time.
  • Page 25: Static Filtering Profiles

    Static Filtering Profiles Static filtering profiles are based on fixed IP addresses and include profiles for master IP groups and their members. Master IP Group Filtering Profile The master IP group filtering profile is created by the global administrator and is maintained by the group administrator.
  • Page 26: Active Filtering Profiles

    Active Filtering Profiles Active filtering profiles include the global group profile, LDAP authentication profile, override account profile, time profile, and lock profile. Global Filtering Profile The global filtering profile is created by the global administrator.
  • Page 27: Override Account Profile

    Internet usage. NOTE: Refer to the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for additional information on the Override Account Profile, Time Profile, and Lock Profile.
  • Page 28: Filtering Profile Components

    Filtering Profile Components Filtering profiles are comprised of the following components: • library categories - used when creating a rule, minimum filtering level, or filtering profile for the global group or any entity •...
  • Page 29: Library Categories

    Library Categories A library category contains a list of Web site addresses and keywords for search engines and URLs that have been set up to be blocked or white listed. Library categories are used when creating a rule, the minimum filtering level, or a filtering profile.
  • Page 30: Service Ports

    Service Ports Service ports are used when setting up filter segments on the network (the range of IP addresses/netmasks to be detected by the Web Filter), the global (default) filtering profile, and the minimum filtering level. When setting up the range of IP addresses/netmasks to be detected, service ports can be set up to be open (ignored).
  • Page 31: Filter Settings

    NOTE: If the minimum filtering level is not set up, global (default) filtering settings will apply instead. If an override account is established at the IP group level for a member of a master IP group, filtering settings made for that end user will override the minimum filtering level if the global administrator sets the option to allow the minimum filtering level to be bypassed.
  • Page 32 • filter - if a service port is given a filter setting, that port will use filter settings created for library categories (block or open settings) to determine whether users should be denied or allowed access to that port •...
  • Page 33: Filtering Rules

    Filtering Rules Individual User Profiles - A user in an LDAP domain can have only one individual profile set up per domain. Filtering Levels Applied: 1. The global (default) filtering profile applies to any user under the following circumstances: •...
  • Page 34 6. For LDAP users, if a user is authenticated, settings for the user’s group or individual profile from the LDAP domain are applied and take precedence over any IP profile. a. If the user belongs to more than one group in an authentication domain, the profile for the user is determined by the order in which the groups are listed in the Group Priority list set by the global administrator.
  • Page 35 8. An override account profile takes precedence over a TAR lockout profile. This account may override the minimum filtering level—if the override account was set up in the master IP group tree, and the global administrator allows override accounts to bypass the minimum filtering level, or if the override account was set up in the global group tree.
  • Page 36: Authentication Solutions

    Authentication Solutions LDAP Authentication Protocol The Web Filter supports the authentication protocol Lightweight Directory Access Protocol (LDAP). LDAP authentication supports all versions of LDAP, such as Microsoft Active Directory, Novell eDirectory, Sun One, OpenLDAP, and Open Directory.
  • Page 37: Web Filter Authentication Options

    Web Filter authentication options Depending on the setup of your network, any of the following authentication options can be enabled to ensure the end user is authenticated when logging into his/her workstation: M86 Authenticator, Active Directory Agent, and Novell eDirectory Agent.
  • Page 38: Authentication Solution Compatibility

    Authentication Solution Compatibility Below is a chart representing the authentication solution compatibility for a single user: [Chart columns: Tier 1, Tier 2 time based, Tier 3 session based, Authenticator, eDirectory Agent, Active Directory Agent; rows: Tier 1, Tier 2, Tier 3, Authen-...]
  • Page 39: Authentication System Deployment Options

    Authentication System Deployment Options Below is a chart representing authentication system deployment options on a network: [Chart columns: Authentication System, Single Sign-On (SSO), Force Authentication] Sun One None Tier 2 or Tier 3 OpenLDAP CommuniGate Pro (Stalker) Windows 2000/2003 Server Tier 1 “net use”...
  • Page 40: Ports For Authentication System Access

    Ports for Authentication System Access The following ports should be used for authentication system access: Type Function 8081 Used between the Web Filter’s transmitting interface and the SSL block page for Tier 2 or Tier 3 authentication.
  • Page 41: Configuring Web Filter For Authentication

    Configuring Web Filter for Authentication Configuration procedures When configuring the Web Filter for authentication, settings must be made in System and Policy windows in the Administrator console. NOTES: If the network has more than one domain, the first you add should be the domain on which the Web Filter resides.
  • Page 42 The entries made in this window will vary depending on whether you are using the invisible mode, or the router or firewall mode. The LAN1 and LAN2 IP addresses usually should be in a different subnet. •...
  • Page 43 4. Select “Authentication” from the navigation panel, and then select “Authentication Settings” from the pop-up menu. In the Settings frame, enter general configuration settings for the Web Filter such as IP address entries. From the NIC Device to Use for Authentication pull-down menu: •...
  • Page 44: Policy Section

    group administrators will later be assigned to manage entities (nodes) in the LDAP branch of the Policy tree. Policy section In the Policy section of the Administrator console, choose LDAP, and then do the following: 1.
  • Page 45: Chapter 2: Network Setup

    Chapter 2: Network Setup Environment Requirements Workstation Requirements Administrator System requirements for the administrator include the following: • Windows XP, Vista, or 7 operating system running: • Internet Explorer (IE) 7.0 or 8.0 •...
  • Page 46: End User

    End User System requirements for the end user include the following: • Windows XP, Vista, or 7 operating system running: • Internet Explorer (IE) 7.0 or 8.0 • Firefox 3.5 • Macintosh OS X Version 10.5 or 10.6 running: •...
  • Page 47: Set Up The Network For Authentication

    Set up the Network for Authentication The first settings for authentication must be made in the System section of the console in the following windows: Operation Mode, LAN Settings, Enable/Disable Authentication, Authentication Settings, Authentication SSL Certificate (if Web-based authentication will be used), and Block Page Authentication.
  • Page 48: Specify The Operation Mode

    1. In the Mode frame, select the mode to be used: “Invisible”, “Router”, or “Firewall”. NOTE: See the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information about configuring and using the mobile mode options.
  • Page 49 3. In the Block Page Device frame: • If using the invisible mode, select “LAN2”. • If using the router or firewall mode, select “LAN1”. If using the invisible mode, the Block Page Delivery Method frame displays.
  • Page 50: Specify The Subnet Mask, IP Address(es)

    Specify the subnet mask, IP address(es) Click Network and select LAN Settings from the pop-up menu to display the LAN Settings window: Fig. 2-2 LAN Settings window The entries made in this window will vary depending on whether you are using the invisible mode, or the router or firewall mode.
  • Page 51: Router Or Firewall Mode

    Router or firewall mode 1. Enter the following information: • In the LAN1 IP field of the IP/Mask Setting frame, enter the IP address and specify the corresponding subnet of the “LAN1”...
  • Page 52: Enable Authentication, Specify Criteria

    Enable authentication, specify criteria 1. Click Authentication and select Enable/Disable Authentication from the pop-up menu to display the Enable/Disable Authentication window: 2. Click Enable to enable authentication. 3.
  • Page 53 4. Enable any of the following authentication options, as pertinent to your environment: • If using LDAP authentication and workstation profiles, click “On” in the Map Workstation Name Across All Domain Labels frame to enable the Web Filter to search other domain labels if it can’t find the workstation’s NetBIOS name under a specified domain label,...
  • Page 54: Net Use Based Authentication

    feature, turn “On” the AD Agent, and then specify settings for administrator computers authorized to configure the AD Agent via the Active Directory Agent console. Download and install the AD Agent (DCAgent.msi) on the administrator workstation.
  • Page 55: Web-Based Authentication

    Web-based authentication Choose either Tier 2 or Tier 3 if Web-based authentication will be used. NOTE: If selecting either Tier 2 or Tier 3, please be informed that in an organization with more than 5000 users, slowness may be experienced during the authentication process.
  • Page 56 Tier 3: Use persistent logins via a Java Applet – Choose this option if using LDAP authentication, and you want the user to maintain a persistent network connection. This option opens a profile window that uses a Java applet: Fig.
  • Page 57 3. To ensure that end-users are using the most current version of JRE, choose the method for distributing the current version to their workstations: “M86 automatically distributes JRE during user login” or the default selection, “Administrator manually distributes JRE to user workstations”.
  • Page 58: Enter Network Settings For Authentication

    Enter network settings for authentication 1. Click Authentication and select Authentication Settings from the pop-up menu to display the Authentication Settings window: Fig. 2-6 Authentication Settings window In the Settings frame, at the Web Filter NetBIOS Name field the NetBIOS name of the Web Filter displays.
  • Page 59 WARNING: If the IP address entered here is not in the same subnet as this Web Filter, the net use connection will fail. 4. From the NIC Device to Use for Authentication pull-down menu: •...
  • Page 60: Create An Ssl Certificate

    Create an SSL certificate Authentication SSL Certificate should be used if Web-based authentication will be deployed on the Web Filter. Using this feature, a Secure Sockets Layer (SSL) self-signed certificate is created and placed on client machines so that the Web Filter will be recognized as a valid server with which they can communicate.
  • Page 61: Create, Download A Self-Signed Certificate

    Create, Download a Self-Signed Certificate 1. On the Self Signed Certificate tab, click Create Self Signed Certificate to generate the SSL certificate. 2. Click the Download/View/Delete Certificate tab: Fig. 2-8 Download/View/Delete Certificate tab 3.
  • Page 62: Create, Upload A Third Party Certificate

    Once the certificate is saved to your workstation, it can be distributed to client workstations for users who need to be authenticated. TIP: Click Delete Certificate to remove the certificate from the server.
  • Page 63 Fig. 2-10 Create CSR pop-up window The Common Name (Host Name) field should automatically be populated with the host name. This field can be edited, if necessary. 3. Enter your Email Address. 4.
  • Page 64: Upload A Third Party Certificate

    Upload a Third Party Certificate 1. In the Third Party Certificate tab, click Upload Certificate to open the Upload Signed SSL Certificate for Web Filter pop-up window: Fig. 2-11 Upload Signed SSL Certificate box The Message dialog box also opens with the message: "Click OK when upload completes."...
  • Page 65: Download A Third Party Certificate

    3. Select the file to be uploaded. 4. Click Upload File to upload this file to the Web Filter. 5. Click OK in the Message dialog box to confirm the upload and to close the dialog box.
  • Page 66: Specify Block Page Settings

    Specify block page settings Click Control and select Block Page Authentication from the pop-up menu to display the Block Page Authentication window: Fig. 2-13 Block Page Authentication window Block Page Authentication In the Re-authentication Options field of the Details frame, all block page options are selected by default, except for Web-based Authentication.
  • Page 67 TIP: Multiple options can be selected by clicking each option while pressing the Ctrl key on your keyboard. NOTE: See the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information about the Override Account feature.
  • Page 68: Block Page

    Block page When a user attempts to access Internet content set up to be blocked, the block page displays on the user’s screen: Fig. 2-14 Block page NOTES: See Block Page Customization for information on adding free form text and a hyperlink at the top of the block page.
  • Page 69: User/Machine Frame

    • HELP - Clicking this link takes the user to M86’s Technical Support page that explains why access to the site or service may have been denied. • M86 Security - Clicking this link takes the user to M86’s Web site.
  • Page 70: Optional Links

    Optional Links By default, these links are included in the block page under the following conditions: • For further options, click here. - This phrase and link is included if any option was selected at the Re-authentication Options field in the Block Page Authentication window.
  • Page 71: Options Page

    Options page The Options page displays when the user clicks the following link in the block page: For further options, click here. Fig. 2-15 Options page The following items previously described for the Block page display in the upper half of the Options page: •...
  • Page 72: Option 1

    Option 1 Option 1 is included in the Options page if “Web-based Authentication” was selected at the Re-authentication Options field in the Block Page Authentication window. The following phrase/link displays: Click here for secure Web-based authentication.
  • Page 73: Option 2

    Option 2 The following phrase/link displays, based on options selected at the Re-authentication Options field in the Block Page Authentication window: • Re-start your system and re-login - This phrase displays for Option 1, whether or not either of the Re-authentication Options (Re-authentication, or Web-based Authentication) was selected in the Block Page...
  • Page 74: Option 3

    See the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information about the Override Account feature.
  • Page 75: Common Customization

    Common Customization Common Customization lets you specify elements to be included in block pages and/or the authentication request form end users will see. Click Customization and then select Common Customization from the pop-up menu to display the Common Customization window:...
  • Page 76: Enable, Disable Features

    • Blocked URL Display - if enabled, displays “Blocked URL” followed by the blocked URL in block pages • Copyright Display - if enabled, displays M86 Web Filter copyright information at the footer of block pages and the authentication request form •...
  • Page 77 • Help Link URL - By default, http://www.m86security.com/support/r3000/accessdenied.asp displays as the help link URL. Enter the URL to be used when the end user clicks the help link text (specified in the Help Link Text field).
  • Page 78: Authentication Form Customization

    Authentication Form Customization To customize the Authentication Request Form, click Customization and select Authentication Form from the pop-up menu: Fig. 2-19 Authentication Form Customization window NOTE: This window is activated only if Authentication is enabled via System >...
  • Page 79 1. Make an entry in any of the following fields: • In the Header field, enter a static header to be displayed at the top of the Authentication Request Form.
  • Page 80: Preview Sample Authentication Request Form

    Preview sample Authentication Request Form 1. Click Preview to launch a separate browser window containing a sample Authentication Request Form, based on entries saved in this window and in the Common Customization window: Fig.
  • Page 81 Support page that explains why access to the site or service may have been denied. • M86 Security - Clicking this link takes the user to M86’s Web site. 2. Click the “X” in the upper right corner of the window to close the sample Authentication Request Form.
  • Page 82: Block Page Customization

    Fig. 2-21 Block Page Customization window NOTE: See Appendix B: Create a Custom Block Page from the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information on creating a customized block page using your own design.
  • Page 83 1. Make an entry in any of the following fields: • In the Header field, enter a static header to be displayed at the top of the block page. •...
  • Page 84: Preview Sample Block Page

    Preview sample block page 1. Click Preview to launch a separate browser window containing a sample customized block page, based on entries saved in this window and in the Common Customization window: Fig.
  • Page 85 Support page that explains why access to the site or service may have been denied. • M86 Security - Clicking this link takes the user to M86’s Web site. By default, these links are included in the block page under the following conditions: •...
  • Page 86: Set Up Group Administrator Accounts

    Policy tree when new IP groups are created. See Chapter 2: Policy screen from the Global Administrator Section of the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information on creating IP groups.
  • Page 87: Add A Group Administrator Account

    Add a group administrator account To add an LDAP group administrator (Sub Admin) account: 1. In the Account Details frame, enter the username in the Username field. 2. In the Password field, enter eight to 20 characters—including at least one alpha character, one numeric character, and one special character.
  • Page 88: Delete A Group Administrator Account

    Delete a group administrator account To delete an administrator account: 1. Select the username from the Current User list box. 2. Click Delete to remove the account. NOTE: If a group administrator assigned to an LDAP node is deleted, that group administrator must be removed from assignment to that node and another group administrator set up for assignment to manage that node.
  • Page 89: View Log Results

    NOTE: In this user guide, only authentication-related options will be addressed. For information about all other options, see the View Log File window in the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide.
  • Page 90 • “Admin GUI Server Log (AdminGUIServer.log)” - used for viewing information on entries made by the administrator in the console. • “eDirectory Agent Debug Log (edirAgent.log)” - used for viewing the debug log, if using eDirectory LDAP authentication.
  • Page 91: Chapter 3: LDAP Authentication Setup

    Chapter 3: LDAP Authentication Setup Create an LDAP Domain In the Policy section of the console, add an LDAP domain that contains entities to be authenticated. Add the LDAP domain 1.
  • Page 92: Refresh The LDAP Branch

    Refresh the LDAP branch Click LDAP in the navigation panel to open the pop-up menu, and select Refresh whenever changes have been made in this branch of the tree. View, modify, enter LDAP domain details Double-click LDAP in the navigation panel to open the LDAP...
  • Page 93: LDAP Server Type

    WARNING: The instructions in this user guide have been documented based on standard default settings in LDAP for Microsoft Active Directory Services. The suggested entries and examples may not be applicable to all other server types, or if any changes have been made to default settings on the LDAP Active Directory server.
  • Page 94: Group Objects

    WARNING: The contents of the tabs for User and Group do not normally need to be changed. The settings on these tabs are made automatically when you select the server type at the beginning of the setup process.
  • Page 95 1. Generally, no action needs to be performed on this tab. However, under special circumstances, the following actions can be performed: • A group object can be added or excluded by making an entry in the appropriate field, and then clicking the Include or Exclude button.
  • Page 96: User Objects

    3. If any modifications were made on this tab, click Save. 4. Click Next to go to the User tab. User Objects The User tab is used for including or excluding user objects in the LDAP domain.
  • Page 97: Workstation Objects

    • A user object can be removed by selecting the user object and then clicking Remove. • If the user DN cannot be auto-detected during the profile setup process, click “Use Case-Sensitive Comparison”...
  • Page 98: Address Info

    • A workstation object can be added or excluded by making an entry in the appropriate field, and then clicking the Include or Exclude button. • A workstation object name can be edited by selecting the workstation object from the appropriate list box, editing the name in the field, and then clicking the Edit button.
  • Page 99 requirements for LDAP authentication. Please ensure the correct DNS settings are set. 1. This tab includes the following fields, some pre-populated by default, and some that you may wish to edit: •...
  • Page 100: Account Info

    • By default, the LDAP Query Base displays the root of the LDAP database to query using the LDAP Syntax, e.g. DC=domain,DC=com, or o=server-org. The entry in this field is case sensitive and should be edited, if necessary.
  • Page 101 • If your LDAP database does not require a username to be provided in order to bind to the LDAP database, click the “Use Anonymous Bind” checkbox to grey out the fields—and Find Distinguished Name button, if it displays—in this tab.
  • Page 102: Ssl Settings

    Click Find Distinguished Name to perform the search for the LDAP Distinguished Name. If the administrator’s user name and password are successfully retrieved, the pop-up box closes and the fields on this tab become populated with appropriate data.
  • Page 103 1. If applicable, click in the “Enable Secure LDAP over SSL” checkbox. This action activates the Upload buttons in the Manually Upload SSL Certificate for LDAPS frame and the Automatically Upload SSL Certificate for LDAPS frame.
  • Page 104: Alias List

    WARNING: If using a Novell server, be sure the name on the SSL certificate (to be uploaded to the server) matches the Server DNS Name entered in the Address Info tab. 3.
  • Page 105 After the search is completed, the Search in Progress box closes, and the list displays the Alias Name and the corresponding LDAP Container Name. NOTE: If the alias list does not display, double-check the settings on the other tabs and verify that all of your settings are correct.
  • Page 106: Default Rule

    Default Rule The Default Rule applies to any authenticated user in the LDAP domain who does not have a filtering profile. Fig. 3-13 Domain Details window, Default Rule tab 1.
  • Page 107 • Click the checkbox(es) corresponding to the option(s) to be applied to the filtering profile: “X Strikes Blocking”, “Google/Bing/Yahoo!/Youtube/Ask/AOL Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL Keyword Filter Control”. If URL Keyword Filter Control is selected, the “Extend URL Keyword Filter Control”...
  • Page 108: Ldap Backup Server Configuration

    LDAP Backup Server Configuration Configure a backup server To add a backup server’s settings: 1. Click Add to open the Backup Server Configuration wizard pop-up window: Fig. 3-14 Backup Server Configuration, Address Info NOTE: The Back and Save buttons can be clicked at any time during the wizard setup process.
  • Page 109 • DNS Domain Name - DNS name of the LDAP domain, such as logo.local NOTES: If your LDAP server’s name is not a resolvable, fully qualified DNS name, you may be able to enter the domain name. Be sure the DNS Domain Name exactly matches the name on the SSL certificate that will be uploaded to the server.
  • Page 110 NOTE: The Distinguished Name Auto Discovery frame only displays if the type of LDAP server is Microsoft Active Directory. 5. Enter, edit, or verify the following criteria: • “Use Anonymous Bind” - click this checkbox to grey out the fields in this tab, if your LDAP database does not require a username to be provided in order to bind to the LDAP database...
  • Page 111 search for the LDAP Distinguished Name. If the administrator’s user name and password are successfully retrieved, the pop-up box closes and the fields on this tab become populated with appropriate data.
  • Page 112: Modify A Backup Server's Configuration

    b. To automatically upload an SSL certificate, go to the Automatically Upload SSL Certificate for LDAPS frame and do the following: • In the Wait __ seconds for certificate field, by default 3 displays.
  • Page 113: Delete A Backup Server's Configuration

    Delete a backup server’s configuration On the Default Rule tab, click Delete to remove the backup server’s configuration. Delete a domain To delete a domain profile, choose Delete from the LDAP domain menu.
  • Page 114: Set Up Ldap Domain Nodes

    Set up LDAP Domain Nodes In the navigation panel, the LDAP domain branch of the tree menu includes options for setting up entities (nodes) in the domain so that filtering profiles can later be created. The following options are used in this setup process: Manage Profile Objects, Set Group Priority, Manually Add Workstation, Manually Add Member, Manually Add Group, and...
  • Page 115: Perform A Basic Search

    NOTES: If the “Use Dynamic Group” option was specified in the Group tab of Domain Details, “Dynamic Group Enabled” displays towards the bottom left of this window. If the “Use Nested Group” option was available in the Group tab of Domain Details, “Nested Group Enabled”...
  • Page 116: Options For Search Results

    Options for search results The following actions can be performed on search results: • To narrow the number of records returned by your initial query, click the “Within Results” checkbox, modify your search criteria in the input field, and then click Search.
  • Page 117: Delete A Rule

    When the LDAP branch of the tree is refreshed, all nodes with rules applied to them appear in the tree. Delete a rule To delete a rule from a profile, the entity must currently display in the grid and have a rule assigned to the profile.
  • Page 118: Specify A Group's Filtering Profile Priority

    Specify a group’s filtering profile priority 1. Select the LDAP domain, and choose Set Group Priority from the pop-up menu to display the Set Group Priority window: Fig. 3-18 Set Group Priority window This window is used for designating which group profile will be assigned to a user when he/she logs in.
  • Page 119: Manually Add A Workstation Name To The Tree

    Manually add a workstation name to the tree 1. Select the LDAP domain, and choose Manually Add Workstation from the pop-up menu to open the Manually Add Workstation dialog box: Fig.
  • Page 120: Manually Add A User's Name To The Tree

    Manually add a user’s name to the tree 1. Select the LDAP domain, and choose Manually Add Member from the pop-up menu to open the Manually Add Member dialog box: Fig.
  • Page 121: Manually Add A Group's Name To The Tree

    Manually add a group’s name to the tree 1. Select the LDAP domain, and choose Manually Add Group from the pop-up menu to open the Manually Add Group dialog box: Fig.
  • Page 122: Upload A File Of Filtering Profiles To The Tree

    Upload a file of filtering profiles to the tree 1. Select the LDAP domain, and choose Upload Profile from the pop-up menu to open the Upload User/Group Profile window: Fig.
  • Page 123 NOTE: Leave the refresh page open until the file containing the profile has been uploaded. 3. Click Browse... to open the Choose file window. 4. Select the file to be uploaded. WARNING: Any file uploaded to the server will overwrite the existing profile file.
  • Page 124 WARNING: When uploading a list of profiles to the tree, the user will be blocked from Internet access if the minimum filtering level has not been defined via the Minimum Filtering Level window. If you have just established the minimum filtering level, filter settings will not be effective until the user logs off and back on the server.
  • Page 125: Chapter 4: Manage Nodes

    Chapter 4: Manage Nodes Once LDAP domains are set up in the Policy tree, the global administrator assigns Sub Admin group administrators the following entities (nodes) to manage: domain, group(s), workstations, members, and/or containers. NOTE: See Set up Group Administrator Accounts in Chapter 2: Network Setup for information on creating and managing Sub Admin group administrator accounts.
  • Page 126: Assign Sub Admin To An Ldap Node

    Assign Sub Admin to an LDAP Node A group administrator assigned to an LDAP node (domain, group, workstation, member, or container) has the privileges to add, edit, or delete entities to/from that node to which he/she is assigned.
  • Page 127 Fig. 4-2 Assign Access View window 4. Click the Policy, Library, and Help tabs to view the menu topics, sub-topics, and tree nodes currently available to that Sub Admin. 5.
  • Page 128 Fig. 4-3 Assign Access window with node assigned 7. Click the “X” in the upper right corner of the Assign Access pop-up window to close it. TIP: To unassign the Sub Admin from that node, click the Unassigned Access checkbox and then click Apply.
  • Page 129: Create And Maintain Filtering Profiles

    Create and Maintain Filtering Profiles If a Sub Admin group administrator is assigned to an LDAP domain, he/she can add groups and members to that domain. A Sub Admin group administrator assigned to an LDAP group can add members and filtering profiles for all nodes he/she oversees.
  • Page 130: Add A Group Member To The Tree List

    Add a group member to the tree list From the domain, select the group and choose Group Member Details from the pop-up menu to display the Group/Member Details window: , LDAP group Fig....
  • Page 131: View Container Details

    View Container Details From the Policy tree, select the domain and choose Container Details from the pop-up menu to display the Container Details window: Fig. 4-5 Container Details window This view only window provides the following information about the container: •...
  • Page 132: Add Or Maintain A Node's Profile

    Add or maintain a node’s profile From the domain, select the node and choose Profile from the pop-up menu to display the default Category tab of the Profile window: Fig. 4-6 Group Profile window, Category tab, LDAP group The Profile option is used for viewing/creating the filtering profile of the defined node (LDAP static or dynamic group, workstation, user member, or container).
  • Page 133: Category Profile

    The minimum filtering level is set up in the Minimum Filtering Level window, accessible from the Global Group options. See the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for more information about these windows.
  • Page 134 NOTE: If a category group does not display any filter setting (i.e. the check mark does not display in any column for the category group), one or more library categories within that group has a setting in a column other than the filter setting designated for all collective library categories within that group.
  • Page 135 NOTE: See the Quota Settings window in Chapter 1: System screen of the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for more information on configuring quota settings and resetting quotas for end users currently blocked by quotas.
  • Page 136: Redirect Url

    Redirect URL Click the Redirect URL tab to display the Redirect URL page of the Profile window: Fig. 4-7 Group Profile window, Redirect URL tab, LDAP group Redirect URL is used for specifying the URL to be used for redirecting users who attempt to access a site or service set up to be blocked.
  • Page 137: Filter Options

    “URL Keyword Filter Control”, and “Extend URL Keyword Filter Control”. NOTE: See the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information about Filter Options.
  • Page 138: Add An Exception Url To The Profile

    NOTE: Settings in this window work in conjunction with those made in the Minimum Filtering Level window maintained by the global administrator. See the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information on configuring and using the minimum filtering level.
  • Page 139: Valid Url Entries

    Valid URL entries The following types of URL entries are accepted in this window: • formats such as: http://www.coors.com, www.coors.com, or coors.com • IP address - e.g. "209.247.228.221" in http://209.247.228.221 •...
  • Page 140: Add Urls To Block Url Or Bypass Url Frame

    Add URLs to Block URL or ByPass URL frame To block or bypass specified URLs, in the Block URL or the ByPass URL frame: 1. Type the URL to be blocked in the Block URLs field, or the URL to be bypassed in the ByPass URLs field.
  • Page 141 The message “URL can be added, but conflicting URLs will be removed” applies to any URL that the query found included in the opposite frame of the Exception URL window. When this scenario occurs, for each conflicting URL a yellow warning triangle icon displays in the Status column of the pop-up window.
  • Page 142: Remove Urls From Block Url Or Bypass Url Frame

    Remove URLs from Block URL or ByPass URL frame To remove URLs from the Block URL or the ByPass URL frame: 1. Select a URL to be removed from the Block URL / ByPass URL list box;...
  • Page 143: Apply Settings

    TIP: Click Cancel to close this pop-up window without making any selections. 3. Click Remove Selected to close the pop-up window and to remove your selection(s) from the appropriate URL list box.
  • Page 144: Add A Time Profile

    Add a Time Profile To create a time profile: 1. Click Add to open the Adding Time Profile pop-up box: Fig. 4-14 Adding Time Profile 2. Type in three to 20 alphanumeric characters—the underscore ( _ ) character can be used—for the profile name.
  • Page 145 a. Select from a list of time slots incremented by 15 minutes: “12:00” to “11:45”. By default, the Start field displays the closest 15-minute future time, and the End field displays a time that is one hour ahead of that time. For example, if the time is currently 11:12, “11:15”...
  • Page 146 • Weekly - If this selection is made, enter the interval for the weeks this time profile will be used, and specify the day(s) of the week (“Sunday” - “Saturday”). By default, “1”...
  • Page 147 Next, choose from one of two options to specify the day of the month for the interval: • The first option lets you choose a specific month (“January” - “December”) and day (“1” - “31”). By default the current month and day are selected.
  • Page 148: Remove A Node's Profile From The Tree

    9. Click Close to close the Adding Time Profile pop-up window and to return to the Time Profile window. In this window, the Current Time Profiles list box now shows the Name and Description of the time profile that was just added.
  • Page 149: Verify That An Ldap Profile Is Active

    Fig. 4-16 Active Profile Lookup window NOTE: Only filtering profile lookups for LDAP nodes will be addressed in this sub-section. Please refer to the M86 Web Filter User Guide, M86 IR Web Filter User Guide, or the Web Filter portion of the M86 WFR User Guide for information about looking up other types of filtering profiles.
  • Page 150 If an LDAP filtering profile is active, a pop-up box opens containing the Result frame that displays profile settings applied to the profile: Fig. 4-17 Active Profile Lookup results The default Login Summary tab displays the following information: •...
  • Page 151 TIP: In the Category Groups tree, double-click the group envelope to open that segment of the tree and to view library categories belonging to that group. A check mark inside a green circle displays in the Pass, Allow, Warn, Block column for the filter setting assigned to the category group/library category for the...
  • Page 152 At the bottom of the Rule Details frame, Uncategorized Sites are set to “Pass”, “Warn”, or “Block”, indicating that the selected setting applies to any non-classified URL. If the Overall Quota field is enabled, the user is restricted to the number of minutes shown here for visiting URLs in all groups/categories collectively in which a quota is specified.
  • Page 153: Chapter 5: Authentication Deployment

    Chapter 5: Authentication Deployment This final step of the authentication setup process includes testing authentication settings and activating authentication on the network. Test Authentication Settings Before deploying authentication on the network, you should test your settings to be sure the Authentication Request Form login page can be accessed.
  • Page 154 NOTE: In order to complete the test process, you should be sure you have your own filtering profile set up. To verify that authentication is working, do either of the following, based on the Tier you selected: •...
  • Page 155: Test Web-Based Authentication Settings

    Test Web-based authentication settings To verify that authentication is working properly, make the following settings in the Policy section of the console: Step 1: Create an IP Group, “test” 1. Click the IP branch of the tree. 2.
  • Page 156: Step 3: Set Up "Test" With A 32-Bit Net Mask

    3. Enter workstation as the Group Name. 4. Click OK to add the Sub-Group to the IP Group. Step 3: Set up “test” with a 32-bit net mask 1. Select the IP Group named “test” from the tree. 2.
  • Page 157: Step 4: Give "Workstation" A 32-Bit Net Mask

    Step 4: Give “workstation” a 32-bit net mask 1. Select the IP Sub-Group “workstation” from the tree. 2. Click Members in the pop-up menu to display the Members window: Fig. 5-5 Sub Group Members window 3.
  • Page 158: Step 5: Block Everything For The Sub-Group

    Step 5: Block everything for the Sub-Group 1. Select the IP Sub-Group “workstation” from the tree. 2. Click Sub Group Profile in the pop-up menu to display the Sub Group Profile window: Fig. 5-6 Sub Group Profile window, Category tab 3.
  • Page 159: Step 6: Use Authentication Request Page For Redirect Url

    Step 6: Use Authentication Request Page for redirect URL 1. Click the Redirect URL tab to display the Redirect URL page: Fig. 5-7 Sub Group Profile window, Redirect URL tab 2. Select “Authentication Request Form”. NOTE: The host name of the Web Filter will be used in the redirect URL of the Authentication Request Form, not the IP address.
  • Page 160: Step 7: Disable Filter Options

    Step 7: Disable filter options 1. Click the Filter Options tab to display the Filter options page: Fig. 5-8 Sub Group Profile window, Filter Options tab 2. Uncheck all the checkboxes: “X Strikes Blocking”, “Google/Bing/Yahoo!/Youtube/Ask/AOL Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL Keyword Filter Control”, and “Extend URL Keyword...
  • Page 161: Step 8: Attempt To Access Web Content

    Step 8: Attempt to access Web content NOTE: For this step, you must have your own profile set up in order to complete the test process. 1. Launch an Internet browser window supported by the Web Filter: Fig.
  • Page 162 Fig. 5-10 Authentication Request Form 4. Enter the following information: • Username • Password If the Domain and Alias fields display, select the following information: • Domain you are using • Alias name for that domain (unless “Disabled” displays and the field is greyed-out) 5.
  • Page 163: Test Net Use Based Authentication Settings

    Test net use based authentication settings 1. From the test workstation, go to the NET USE command line and enter the NET USE command using the following format: NET USE \\virtualip\R3000$ For example: NET USE \\192.168.0.20\R3000$ The entry you make should initiate a connection with Tier TIP: The virtual IP address should be the same as the one entered in the Virtual IP Address to Use for Authentication field in...
  • Page 164: Activate Authentication On The Network

    Activate Authentication on the Network After successfully testing authentication settings, you are now ready to activate authentication on the network. To verify that authentication is ready to be activated on the network, do either of the following, based on the Tier you selected: •...
  • Page 165: Activate Web-Based Authentication For An Ip Group

    Activate Web-based authentication for an IP Group IP Group authentication is the preferred selection for Web-based authentication—over the Global Group Profile authentication option—as it decreases the load on the Web Filter.
  • Page 166: Step 2: Set "Webauth" To Cover Users In Range

    Step 2: Set “webauth” to cover users in range 1. Select the IP group “webauth” from the tree. 2. Click Members in the pop-up menu to display the Members window: Fig.
  • Page 167: Step 3: Create An Ip Sub-Group

    Step 3: Create an IP Sub-Group 1. Select the IP Group “webauth” from the tree. 2. Click Add Sub Group in the pop-up menu to open the Create Sub Group dialog box: Fig.
  • Page 168: Step 4: Block Everything For The Sub-Group

    8. In the Member IP fields, enter the IP address range for members of the Sub-Group, and specify the subnet mask. 9. Click Modify. Step 4: Block everything for the Sub-Group 1.
  • Page 169: Step 5: Use Authentication Request Page For Redirect Url

    Step 5: Use Authentication Request Page for redirect URL 1. Click the Redirect URL tab to display the Redirect URL page: Fig. 5-16 Sub Group Profile window, Redirect URL tab 2.
  • Page 170: Step 6: Disable Filter Options

    Step 6: Disable filter options 1. Click the Filter Options tab to display the Filter options page: Fig. 5-17 Sub Group Profile window, Filter Options tab 2. Uncheck all the checkboxes: “X Strikes Blocking”, “Google/Bing/Yahoo!/Youtube/Ask/AOL Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL Keyword Filter Control”, and “Extend URL Keyword...
  • Page 171: Step 7: Set Global Group To Filter Unknown Traffic

    Step 7: Set Global Group to filter unknown traffic 1. Click Global Group in the tree to open the pop-up menu. 2. Select Global Group Profile to display the Category tab of the Profile window: Fig.
  • Page 172 Fig. 5-19 Global Group Profile window, Port tab a. In the Port page, enter the Port number to be blocked. b. Click Add to include the port number in the Block Port(s) list box.
  • Page 173 a. Select “Default Block Page”. b. Click Apply. 5. Click the Filter Options tab to display the Filter Options page: Fig. 5-21 Global Group Profile window, Filter Options tab a. Select filter options to be enabled. b.
  • Page 174 As a result of these entries, the standard block page will display—instead of the Authentication Request Form— when any user in this Sub-Group is blocked from accessing Internet content. Fig. 5-22 Default Block Page...
  • Page 175: Activate Web-Based Authentication For The Global Group

    Activate Web-based authentication for the Global Group This selection of Web-based authentication creates more of a load on the Web Filter than the IP Group selection, and should only be used as an alternative to IP Group authentication.
  • Page 176: Step 1A: Block Web Access, Logging Via Range To Detect

    Step 1A: Block Web access, logging via Range to Detect NOTE: Segments of network traffic should not be defined if using the firewall mode. Range to Detect Settings 1. Click Global Group in the tree to open the pop-up menu. 2.
  • Page 177: Range To Detect Setup Wizard

    Fig. 5-24 Range to Detect Settings window, main window 4. Click Start the Setup Wizard to display Step 1 of the Range to Detect Setup Wizard: Range to Detect Setup Wizard Fig.
  • Page 178 2. Click Next to go to Step 2 of the Wizard: Fig. 5-26 Range to Detect Setup Wizard, Step 2 3. An entry for this step of the Wizard is optional. If there are destination IP address(es) to be filtered, enter the IP address and specify the Netmask, or enter the Individual IP address.
  • Page 179 5. An entry for this step of the Wizard is optional. If there are source IP address(es) to be ignored, enter the IP address and specify the Netmask, or enter the Individual IP address.
  • Page 180 Fig. 5-29 Range to Detect Setup Wizard, Step 5 9. An entry for this step of the Wizard is optional. If there are ports to be excluded from filtering, enter each port number in the Individual Port field, and click Add.
  • Page 181 As a result of these entries, the IP address(es) specified to be excluded will not be logged or filtered on the network. Bypass Step 1B and go on to Step 2 to complete this process.
  • Page 182: Step 1B: Block Web Access Via Ip Sub-Group Profile

    Step 1B: Block Web access via IP Sub-Group profile NOTE: This step assumes that the IP Group and Sub-Group have already been created. 1. Select the IP Sub-Group from the tree. 2.
  • Page 183 Fig. 5-32 Sub Group Profile window, Redirect URL tab 6. Select “Default Block Page”, and then click Apply. 7. Click the Filter Options tab to display the Filter Options page: Fig.
  • Page 184: Step 2: Modify The Global Group Profile

    As a result of these entries, the machine will not be served the Authentication Request Form, and will use the default block page instead. Go on to Step 2 to complete this process. Step 2: Modify the Global Group Profile 1.
  • Page 185 3. Click the Port tab to display the Port page: Fig. 5-35 Global Group Profile window, Port tab a. Enter the Port number to be blocked, and then click Add to include the port number in the Block Port(s) list box.
  • Page 186 4. Click the Default Redirect URL tab to display the Default Redirect URL page: Fig. 5-36 Global Group Profile window, Redirect URL tab a. Select “Authentication Request Form”. NOTE: Since the Authentication Request Form radio button selection uses the host name of the server—not the IP address—...
  • Page 187 5. Click the Filter Options tab to display the Filter Options page: Fig. 5-37 Global Group Profile window, Filter Options tab a. Select filter options to be enabled. b. Click Apply. As a result of these entries, a user who does not have a filtering profile will be served the Authentication Request Form so he/she can be authenticated.
  • Page 188: Add Net Use Command To Login Scripts

    Add Net Use command to Login Scripts After testing the NET USE command, the next step is to add the NET USE command to users’ login scripts. We recommend that you add the 3-try login script to the existing domain login script.
  • Page 189: Step 2: Modify The Global Group Profile

    if errorlevel 0 echo code 0: Success
    goto :end
    :try3
    echo Running net use...
    net use \\192.168.0.20\r3000$
    if errorlevel 1 goto :error
    if errorlevel 0 echo code 0: Success
    goto :end
    :error
    if errorlevel 1 echo code 1: Failed!
    :end...
  • Page 190 1. Click Global Group in the tree to open the pop-up menu. 2. Select Global Group Profile to display the Category tab of the Profile window. 3. In the Category Profile page, select categories to block, pass, white list, or assign a warn setting, and indicate whether uncategorized sites should pass, trigger a warn message for the end user, or be blocked.
  • Page 191: Chapter 6: Technical Support

    For technical support, visit M86 Security’s Technical Support Web page at http://www.m86security.com/support/ or contact us by phone, by e-mail, or in writing. For troubleshooting tips, visit http://www.m86security.com/software/8e6/ts/wf.html Hours Regular office hours are from Monday through Friday, 8 a.m.
  • Page 192: Contact Information

    Contact Information Domestic (United States) 1. Call 1-888-786-7999 2. Select option 3 International 1. Call +1-714-282-6111 2. Select option 3 E-Mail For non-emergency assistance, e-mail us at support@m86security.com ...
  • Page 193: Office Locations And Phone Numbers

    Office Locations and Phone Numbers M86 Corporate Headquarters (USA) 828 West Taft Avenue Orange, CA 92865-4232 Local 714.282.6111 714.282.6116 Domestic US 1.888.786.7999 International +1.714.282.6111 M86 Taiwan 7 Fl., No. 1, Sec. 2, Ren-Ai Rd. Taipei 10055 Taiwan, R.O.C.
  • Page 194: Support Procedures

    Support Procedures When you contact our technical support department: • You will be greeted by a technical professional who will request the details of the problem and attempt to resolve the issue directly. •...
  • Page 195: Appendix A: Authentication Operations

    When enabling authentication in the interface, there are three tiers from which to select based on the type of server(s) used on the network, and various authentication options can be used with each of these tiers. Authentication Tier Selections Web Filter authentication is designed to support the following server types for the specified tier(s):...
  • Page 196: Tier 1: Single Sign-On Authentication

    Tier 1: Single Sign-On Authentication Net use based authentication process The following diagram and steps describe the operations of the net use based user authentication process: Fig. A-1 Net use based authentication module diagram 1.
  • Page 197: Re-Authentication Process

    4. Upon creating the IPC share, the software in the Web Filter queries the network authentication server with the user's login name and password sent by the workstation. 5. Once the user is successfully authenticated, the Web Filter matches the user’s login name or group name with a stored list of profile settings in the Web Filter.
  • Page 198: Tier 1 Authentication Method

    Tier 1 authentication method Tier 1 supports the LDAP authentication method. LDAP is a directory service protocol that stores entries (Distinguished Names) in a domain’s directory using a hierarchical tree structure. The LDAP directory service is based on a client/server model protocol to give the client access to resources on the network.
  • Page 199: Configuring The Authentication Server

    must have a valid DNS entry or the IP address must be added to the Web Filter hosts file. Configuring the authentication server When configuring authentication, you must first go to the authentication server and make all necessary entries before configuring the Web Filter.
  • Page 200: View Login Script On The Server Console

    Example: NET USE \\192.168.0.20\R3000$ /user:LOGO\jsmith xyz579 • The command to disconnect a session is: NET USE \\virtualip\R3000$ /delete View login script on the server console The login script can be viewed on the authentication server console.
  • Page 201: Ldap Server Setup Rules

    LDAP server setup rules WARNING: The instructions in this user guide have been documented based on standard default settings in LDAP for Microsoft Active Directory Services. The use of other server types, or any changes made to these default settings, must be considered when configuring the Web Filter for authentication.
  • Page 202: Tier 2: Time-Based, Web Authentication

    Tier 2: Time-based, Web Authentication The following diagram and steps describe the operations of the time-based authentication process: Fig. A-2 Web-based authentication module diagram 1. The user makes a Web request by entering a URL in his/her browser window.
  • Page 203: Tier 2 Implementation In An Environment

    Tier 2 implementation in an environment In an environment where Tier 2 time-based profiles have been implemented, end users receive filtering profiles after correctly entering their credentials into a Web-based Authentication Request Form. A profile remains active for a configurable amount of time even if the user logs out of the workstation, changes IP addresses, etc.
  • Page 204: Tier 2 Script

    Tier 2 Script If using Tier 2 only, this script should be inserted into the network’s login script. If the network also uses a logoff script, M86’s script should be inserted there as well. The inclusion of this script ensures that the previous end user’s profile is completely removed, in the event the end user did not log out successfully.
  • Page 205: Tier 1 And Tier 2 Script

    Tier 1 and Tier 2 Script In an environment in which both Tier 1 and Tier 2 are used, this version of M86’s script should be inserted into the network’s login script. M86’s script attempts to remove the previous end user’s profile, and then lets the new user log in with his/her assigned profile.
  • Page 206
    :try1
    NET USE \\10.10.10.10\R3000$
    if errorlevel 1 goto :try2
    if errorlevel 0 echo code 0: Success
    goto :end
    :try2
    NET USE \\10.10.10.10\R3000$
    if errorlevel 1 goto :try3
    if errorlevel 0 echo code 0: Success
    goto :end
    :try3
    NET USE \\10.10.10.10\R3000$...
  • Page 207: Tier 3: Session-Based, Web Authentication

    Tier 3: Session-based, Web Authentication The diagram on the previous page (Fig. A-2) and steps below describe the operations of the session-based authentication process: 1. The user makes a Web request by entering a URL in his/her browser window.
  • Page 208: M86 Authenticator

    M86 Authenticator The M86 Authenticator ensures the end user is authenticated on his/her workstation, via an executable file that launches during the login process. To use this option, the M86 Authenticator client (authenticat.exe) should be placed in a network share accessible by the domain controller or a Novell eDirectory server such as NetWare eDirectory server 6.5.
  • Page 209: Environment Requirements

    Environment requirements Windows minimum system requirements The following minimum server components are required when using NetWare eDirectory server 6.5: • Server-class PC with a Pentium II or AMD K7 processor • 512 MB of RAM •...
  • Page 210: Macintosh Minimum System Requirements

    • Bootable CD drive that supports the El Torito specification • USB or PS/2* mouse Macintosh minimum system requirements The following minimum server components are required when using a Macintosh: • OS X 10.5 •...
  • Page 211: Work Flow In Environments

    Work flow in environments Windows environment 1. The administrator stores the M86 Authenticator client (authenticat.exe) in a network-shared location that a login script can access. 2. Using a Windows machine, an end user logs on the domain, or logs on the eDirectory tree via a Novell client.
  • Page 212: Macintosh Environment

    Macintosh environment 1. The administrator installs a LaunchAgent on the client machine. 2. Using a Macintosh machine, an end user logs on the domain and launches the LaunchAgent. 3. The end user’s launchd process invokes Authenticator on login.
  • Page 213: M86 Authenticator Configuration Priority

    M86 Authenticator configuration priority The source and order in which parameters are received and override one another are described below. NOTES: The RA[] parameter for the Web Filter IP address is the only parameter that must be configured.
  • Page 214: Macintosh

    Macintosh 1. Compiled Defaults: Given no parameters at all, the client will try to execute using the default compilation. 2. Configuration File (optional): The default configuration file name is “8e6Authenticator.conf”. The path can be specified on the command line with the CF[] parameter.
  • Page 215: M86 Authenticator Configuration Syntax

    M86 Authenticator configuration syntax All configuration parameters, regardless of their source, will use the following format/syntax: wAA[B]w{C}w {Parameter ‘AA’ with Data ‘B’, and Comment ‘C’ ignored.} w;DD[E]w{C}w {The semicolon causes ‘DD[E]’ to be ignored, ‘C’ is also ignored.} Whereas ‘AA’...
  • Page 216: Sample Configuration Update Packet 'Pcfg

    Sample configuration update packet ‘PCFG’ After decryption, with protocol headers removed: RH[30000]RC[1000]LE[1] You only need to change the options you do not wish to remain as default. Often the IP address of the Web Filter (RA) and the log file (LF) are the most desired options to change.
  • Page 217: Table Of Parameters

    Table of parameters The following table contains the different parameters, their meanings, and possible values. Param Parameter Release Values Meaning Default Default User’s Logon Environment 1-256 (0 = Win32, 1 = Novell) 255 (auto) (auto)
  • Page 218 + If UT[0] is set, then the Novell environment will be ignored, if present, and only the Windows environment information will be retrieved and sent to the Web Filter. If UT[1] is set and the Novell environment is invalid or the user is not authenticated with its Novell server, then the results sent to the Web Filter are invalid (probably empty values).
  • Page 219 RP[] affects port-less addresses specified in the RV[] command as well. • For RA[], each IP address is separated by a semi-colon ‘;’ and the first IP address will be tried for each new connection attempt.
  • Page 220: Novell Edirectory Agent

    Novell eDirectory Agent Novell eDirectory Agent provides Single Sign-On (SSO) authentication for a Web Filter set up in a Novell eDirectory environment. Using Novell eDirectory Agent, the Web Filter is notified by the eDirectory server when an end user logs on or off the network, and adds/removes his/her network IP address, thus setting the end user’s filtering profile accordingly.
  • Page 221: Client Workstations

    Client workstations To use this option, all end users must log in the network. The following OS have been tested: • Windows 2000 Professional • Windows XP • Macintosh Novell clients The following Novell clients have been tested: •...
  • Page 222: Web Filter Setup And Event Logs

    Web Filter setup and event logs When using a Novell eDirectory server and choosing to use the Novell eDirectory Agent option in the Web Filter: • Enable Novell eDirectory Agent in the Enable/Disable Authentication window.
  • Page 223: Active Directory Agent

    Active Directory Agent Active Directory Agent is a Windows service that provides transparent user identification for Windows Active Directory-based networks. The Active Directory Agent (also called “AD Agent”) collects information from several sources simultaneously and populates a single session table that identifies the current user for each active workstation on the network.
  • Page 224: Windows Server Requirements

    Windows server requirements • Windows 2000 or Windows 2003 server running on a 32-bit platform • Latest Microsoft patches/service packs applied • At least 512 MB RAM • 100 MB disk space •...
  • Page 225: Set Up Ad Agent

    Set up AD Agent Step 1: AD Agent settings on the Web Filter To set up Active Directory Agent on the Web Filter, go to System > Authentication > Enable/Disable Authentication window in the Web Filter user interface, and specify the following criteria: Fig.
  • Page 226 Fig. A-4 AD Agent Settings pop-up window 3. In the Computer Name field, enter the name of the primary AD Agent machine. 4. Enter from seven to 20 alphanumeric characters in the Passphrase field, and enter the same characters again in the Confirm field.
  • Page 227: Step 2: Configure The Domain, Service Account

    Step 2: Configure the domain, service account 1. Create a new group on the domain named dcagent_services. 2. Create a new domain user account named dcagent_service and make it a member of the dcagent_services group.
  • Page 228: Step 3: Ad Agent Installation On Windows Server

    d. Add the dcagent_services and Domain Admins groups to the list of permitted users. If installing the AD Agent on a domain controller only: • Double-click the “Allow Logon Locally” setting. • Add the dcagent_service account to the list of permitted users.
  • Page 229 NOTE: If prompted, install Microsoft .NET Framework 2.0. Framework may require updating other Windows components before installing the AD Agent. 2. Click Run to open the End User License Agreement (EULA) in the M86 AD Agent installation setup wizard: Fig.
  • Page 230 4. After specifying the destination folder for installing the AD Agent, click Next to begin the installation setup process: Fig. A-8 AD Agent installation 5. When the AD Agent installation setup process has successfully finished, completion information displays: Fig.
  • Page 231: Step 3C: Run Ad Agent Configuration Wizard

    Step 3C: Run AD Agent configuration wizard The AD Agent configuration wizard should be run when setting up AD Agent for the first time, and if the role of the AD Agent on the current machine changes (from primary to satellite, or vice versa).
  • Page 232 Fig. A-11 Account and password information 2. By default, the Account field is populated with the path of the dcagent_service account. a. Enter the Password for this account, specified during Step 2. b.
  • Page 233 Fig. A-12 Specify role of AD Agent on current machine 3. By default, the Role of the AD Agent on the current machine being configured is “Primary”—indicating that this is either the only machine running AD Agent, or this is the central machine among a team comprised of one or more “Satellite”...
  • Page 234 b. Enter the Primary agent computer name that will delegate to this machine the areas of the network to scan for end user logon/logoff events. This satellite machine running the AD Agent will send its logon/logoff event data to the primary machine running the AD Agent.
  • Page 235 d. Appliance passphrase - Enter the passphrase that was entered in the Passphrase field in the AD Agent Settings pop-up window (accessible via the Enable/Disable Authentication window). e. (Repeat passphrase) - Re-enter the passphrase entered in the previous field.
  • Page 236: Use The Active Directory Agent Console

    NOTE: Information about how to view and use the Activity log is explained in the Activity tab section of Use the Active Directory Agent console. Use the Active Directory Agent console The Active Directory Agent console is used for displaying results of workstation probe searches, for running or stopping the AD Agent service, and for configuring a primary AD Agent or Agent team.
  • Page 237 In this tab the activity log displays, comprised of rows of records for the most recent activity on the current machine running the AD Agent. The most recent activity displays at the bottom of the log. TIP: To stop the activity log from automatically scrolling, right-click in the table and de-select the “Auto-scroll”...
  • Page 238 The following actions can be performed via the Activity tab: • View/download the activity log in the text file format - Click the View as text button to launch a Notepad file containing the contents of the activity log.
  • Page 239: Sessions Tab

    Sessions tab Sessions displays by default when the Active Directory Agent console is launched on a machine running the AD Agent in the primary role, or whenever the Sessions tab is clicked in the console of a primary AD Agent: Fig.
  • Page 240 • Login - Date and time the end user last logged in (using the MM/YY HH:MM military time format). If 01/01 00:00 displays, the end user has not logged on at that workstation since the AD Agent service was installed on the network.
  • Page 241: Session Table Spreadsheet

    • View/modify primary AD Agent configuration, stop/start AD Agent service - Click the Configuration button to open a pop-up window containing AD Agent configuration tools and configured settings (see Active Directory Agent Configuration window).
  • Page 242: Session Properties Window

    Session Properties window 1. To view detailed information about a record in the session table, do one of the following: • Double-click the record in the session table to open the Session Properties pop-up window •...
  • Page 243: Workstation Interactive Probe Window

    Last error (an error code displays if the probe failed to successfully identify the end user); Last updated (shows the time data last changed for the end user’s workstation, using the M/D/YYYY H:M:SS AM/PM format).
  • Page 244 2. Click either of the probe buttons to activate the probe search on demand: • Nwksta Probe - this is the default probe used for identifying workstations. This probe requires the user’s domain account to have administrator permissions on the workstation if running on a Windows 2000 Professional operating system.
  • Page 245: Active Directory Agent Configuration Window

    Active Directory Agent Configuration window The Active Directory Agent Configuration window lets you modify settings for the AD Agent team, if there are changes to the AD Agent setup or to the Web Filter on your network. For satellite hosts, most of this information can only be viewed on the pages in this window, but the role of the AD Agent can be changed from satellite to primary, and the...
  • Page 246 • Agent hosts - used for specifying the role (primary or satellite) the AD Agent will play on the current machine being configured. • Options - used for specifying configuration options for the primary host, or for viewing this information on a satellite host.
  • Page 247: Service Page

    Service page 1. Click Service to display the Service page: Fig. A-20 Primary host Configuration, Service The Server status displays to indicate the status of AD Agent on the current machine: Running, StopPending, Stop, StartPending.
  • Page 248: Appliance Page

    • Reset Team State - This button is activated if the AD Agent service is running on the primary host. Clicking this button flushes all accumulated session data for the entire team (primary and satellite hosts), except the configuration file, and newly rebuilds all data.
  • Page 249: Agent Hosts Page

    Agent hosts page 1. Click Agent Hosts to display the Agent hosts page: Fig. A-22 Primary host Configuration, Agent hosts By default, the fields in this page are populated with entries made during the configuration wizard setup process.
  • Page 250: Add A Satellite

    • Configuration - On a primary host server, selecting a satellite in the AD Agent servers list box and clicking this activated button opens a dialog box in which servers and/or workstations to be scanned by the satellite are specified.
  • Page 251: Configure A Satellite

    Configure a satellite On a primary host server: 1. Select the satellite Machine in the AD Agent servers list box. 2. Click Configuration to open the Satellite Agent Configuration dialog box: Fig.
  • Page 252 If the satellite will not be manually assigned any machines on the network to scan, click OK to close the dialog box and to display any entries (if made) in the Assigned servers field of the Satellite Agent Configuration dialog box.
  • Page 253: Check The Status Of A Satellite

    a. Enter the Lowest IP address in the range. b. Enter the Highest IP address in the range. c. Click OK to close the dialog box and to display your entries in the IP Address Filters list box of the Satellite Agent Configuration dialog box.
  • Page 254 • Period end - the time period (using the HH:MM military time format) of each 10-minute interval in which servers/machines were scanned. The most recent 10-minute interval displays as the first record among the rows of records.
  • Page 255: Options Page

    Options page On a primary host server: 1. Click Options to display the Options page: Fig. A-28 Primary host Configuration, Options 2. Modify entries or make selections in this page as pertinent to your AD Agent setup: •...
  • Page 256 • “Enable NetWkstaUserEnum workstation probes”: By default, this probe process is selected to run. • Minimum probe interval: By default, 5 minutes displays as the interval of time in which the selected probe type(s) will probe workstations.
  • Page 257: Notifications Page

    Notifications page On a primary host server: 1. Click Notifications to display the Notifications page: Fig. A-29 Primary host Configuration, Notifications 2. If using an SMTP server, enter the following criteria to specify the email address to be used in the event of a critical system error: •...
  • Page 258 3. Click Send test message to test the email setup connection. Make any necessary modifications to your entries if the sending mail connection fails. NOTE: The primary AD Agent sends an alert email message each day to the administrator’s email address designated in this page.
  • Page 259: Appendix B: Obtain , Export An Ssl Certificate

    When using Web-based authentication, the LDAP server’s SSL certificate needs to be exported and saved to the hard drive, then uploaded to the Web Filter so that the Web Filter will recognize the LDAP server as a trusted source.
  • Page 260: Locate Certificates Folder

    2. Verify that the certificate authority has been installed on this server and is up and running—indicated by a green check mark on the server icon (see circled item in Fig. B- Locate Certificates folder 1.
  • Page 261 3. From the toolbar, click Console to open the pop-up menu. Select Add/Remove Snap-in to open the Add/Remove Snap-in dialog box: Fig. B-4 Add/Remove Snap-in 4.
  • Page 262 Fig. B-6 Certificates snap-in dialog box 6. Choose “Computer account”, and click Next to go to the Select Computer wizard page: Fig. B-7 Select Computer dialog box 7.
  • Page 263: Export The Master Certificate For The Domain

    Notice that the snap-in has now been added to the Console Root folder: Fig. B-8 Console Root with snap-in Export the master certificate for the domain 1.
  • Page 264 This action launches the Certificate Export Wizard: Fig. B-10 Certificate Export Wizard 3. Click Next to go to the Export Private Key page of the wizard: Fig.
  • Page 265 Fig. B-12 Export File Format 5. Select “Base-64 encoded X.509 (.CER)” and click Next to go to the File to Export page of the wizard: Fig.
  • Page 266 Fig. B-14 Settings 7. Notice that the specified settings display in the list box, indicating the certificate has been successfully copied from the console to your disk. Click Finish to close the wizard dialog box.
  • Page 267: Export A Novell Ssl Certificate

    Export a Novell SSL Certificate 1. From the console of the LDAP server, go to the tree in the left panel and open the Security folder to display the contents in the Console View (right panel): Fig.
  • Page 268 3. Click the Certificates tab to go to the Self Signed Certificate page. 4. Click Export to open the Export A Certificate pop-up window: Fig.
  • Page 269: Obtain A Sun One Ssl Certificate

    Obtain a Sun One SSL Certificate Unlike Microsoft or Novell, the Sun One LDAP directory does not have a tool for exporting an SSL certificate once it has been imported to the LDAP server.
  • Page 270: Appendix C: Ldap Server Customizations

    The Web Filter has been tested on common types of standard LDAP servers with default settings. However, due to the number of LDAP servers available, and the limitless ways in which any type of LDAP server can be configured, customizations may need to be made on such an LDAP server that fits either description.
  • Page 271: Appendix D: Profile Format And Rules

    The file with filtering profiles you upload to the server must be set up in a specified format, with one complete profile per line.
  • Page 272: Username Formats

    Username Formats NOTE: For examples of valid username entries, see File Format: Rules and Examples in this appendix, or go to http://www.m86security.com/software/8e6/hlp/r3000/files/2group_textfile_user.html Rule Criteria Rule criteria consists of selections made from the following lists of codes that are used in profile strings: •...
  • Page 273: Category Codes

    • Category command codes: Category command codes must be entered in the following order: J, R, M, I. “PASSED” should either be entered after J, R, or M, or after a string of category codes following J, R, or M.
  • Page 274 • Filter Option codes: • 0x1 = Exception URL Query (always enabled) • 0x2 = X Strikes Blocking • 0x4 = Google/Bing/Yahoo!/Youtube/Ask/AOL Safe Search Enforcement • 0x100 = Search Engine Keyword • 0x200 = URL Keyword •...
  • Page 275: File Format: Rules And Examples

    File Format: Rules and Examples When setting up the file to upload to the server, the following items must be considered: • Each profile must be entered on a separate line in the file.
  • Page 276: Ldap Profile List Format And Rules

    LDAP Profile List Format and Rules When setting up the “ldapwrkstnprofile.conf” file, “ldapuserprofile.conf” file, “ldapgroupprofile.conf” file, or “ldapcontainerprofile.conf” file, each entry must consist of the Distinguished Name (DN), with each part of the DN separated by commas (,).
  • Page 277: User Profile List Format

    Pornography and Pornography/Adult Content, Warn on Uncategorized URLs, and Pass all other categories, use filter mode 1, use redirect URL http://www.cnn.com in place of the standard block page, no filter options enabled.
  • Page 278: Group Profile List Format

    • profile for a user with username “Public\, Joe Q.”, organizational units “Users” and “Sales”, domain “qc”, DNS suffix “.local”: Block all ports, use minimum filtering level, use filter mode 1, use standard block page, enable all filter options.
  • Page 279: Ldap Quota Format And Rules

    LDAP Quota Format and Rules When setting up the “quota.conf” file, each entry must consist of the Distinguished Name (DN), a Tab space, and quota criteria. A zero (0) should be used if no Overall Quota minutes are included.
  • Page 280: Appendix E: Override Pop - Up Blockers

    An override account user with pop-up blocking software installed on his/her workstation will need to temporarily disable pop-up blocking in order to authenticate him/herself via the Options page: Fig.
  • Page 281: Yahoo! Toolbar Pop-Up Blocker

    Yahoo! Toolbar Pop-up Blocker If pop-up blocking is enabled 1. In the Options page (see Fig. E-1), enter your Username and Password. 2. Press and hold the Ctrl key on your keyboard while simultaneously clicking the Override button—this action opens the override account pop-up window.
  • Page 282 Fig. E-3 Allow pop-ups from source 3. Select the source from the Sources of Recently Blocked Pop-Ups list box to activate the Allow button. 4. Click Allow to move the selected source to the Always Allow Pop-Ups From These Sources list box.
  • Page 283: Google Toolbar Pop-Up Blocker

    Google Toolbar Pop-up Blocker If pop-up blocking is enabled 1. In the Options page (see Fig. E-1), enter your Username and Password. 2. Press and hold the Ctrl key on your keyboard while simultaneously clicking the Override button—this action opens the override account pop-up window.
  • Page 284: Adwaresafe Pop-Up Blocker

    AdwareSafe Pop-up Blocker If pop-up blocking is enabled 1. In the Options page (see Fig. E-1), enter your Username and Password. 2. Press and hold the Ctrl key on your keyboard while simultaneously clicking the Override button—this action opens the override account pop-up window.
  • Page 285: Mozilla Firefox Pop-Up Blocker

    Mozilla Firefox Pop-up Blocker Add override account to the white list 1. From the Firefox browser, go to the toolbar and select Tools > Options to open the Options dialog box. 2. Click the Content tab at the top of this box to open the Content section: Fig.
  • Page 286 Fig. E-7 Mozilla Firefox Pop-up Window Exceptions 4. Enter the Address of the web site to let the override account window pass. 5. Click Allow to add the URL to the list box section below. 6.
  • Page 287: Windows Xp Sp2 Pop-Up Blocker

    Windows XP SP2 Pop-up Blocker Set up pop-up blocking There are two ways to enable the pop-up blocking feature in the IE browser. Use the Internet Options dialog box 1. From the IE browser, go to the toolbar and select Tools > Internet Options to open the Internet Options dialog box.
  • Page 288: Use The Ie Toolbar

    Use the IE toolbar In the IE browser, go to the toolbar and select Tools > Pop-up Blocker > Turn On Pop-up Blocker: Fig. E-9 Toolbar setup When you click Turn On Pop-up Blocker, this menu selection changes to Turn Off Pop-up Blocker and activates the Pop-up Blocker Settings menu item.
  • Page 289: Add Override Account To The White List

    Add override account to the white list There are two ways to disable pop-up blocking for the override account and to add the override account to your white list. Use the IE toolbar 1.
  • Page 290: Use The Information Bar

    Use the Information Bar With pop-up blocking enabled, the Information Bar can be set up and used for viewing information about blocked pop-ups or allowing pop-ups from a specified site. Set up the Information Bar 1.
  • Page 291 3. Click the Information Bar for settings options: Fig. E-12 Information Bar menu options 4. Select Always Allow Pop-ups from This Site—this action opens the Allow pop-ups from this site? dialog box: Fig.
  • Page 292: Appendix F: Glossary

    Definitions This glossary includes definitions for terminology used in this user guide. ADS - Active Directory Services is a Windows 2000 directory service that acts as the central authority for network security, by letting the operating system validate a user's identity and control his or her access to network resources.
  • Page 293 directory service - Uses a directory on a server to automate administrative tasks for storing and managing objects on a network (such as users, passwords, and network resources users can access). ADS, DNS, and NDS (Novell Directory Services) are types of directory services.
  • Page 294 filter setting - A setting made for a service port. A service port with a filter setting uses filter settings created for library categories (block, open, or always allow settings) to determine whether users should be denied or allowed access to that port.
  • Page 295 LDAP host - The LDAP domain name and DNS suffix. For example: “yahoo.com” or “server.local”. login (or logon) script - Consists of syntax that is used for re-authenticating a user if the network connection between the user’s machine and the server is lost.
  • Page 296 NetBIOS name lookup - An authentication method used for validating a client (machine) by its machine name. Network Address Translation (NAT) - Allows a single real IP address to be used by multiple PCs or servers. This is accomplished via a creative translation of inside “fake”...
  • Page 297 quota - The number of minutes configured for a passed library category in an end user’s profile that lets him/her access URLs for a specified time before being blocked from further access to that category. router mode - A Web Filter set up in the router mode will act as an Ethernet router, filtering IP packets as they pass from one card to another.
  • Page 298 time profile - A customized filtering profile set up to be effective at a specified time period for designated users. tiers - Levels of authentication methods. Tier 1 uses net use based authentication for LDAP. Tier 2 uses time-based profiles for the LDAP authentication method, and Tier 3 uses persistent login connections for the LDAP authentica-...
  • Page 299: Index

    Numerics 3-try login script 176 Account tab 88 Active Directory Agent 25 active filtering profiles 14 Address tab 86 Administrator window 74 ADS, definition 280 alert box, terminology 3 Alias List tab 92 Alias Name 93 always allowed 19 Anonymous Bind 89 Assign to user 114 attribute, definition 280...
  • Page 300 login scripts 187 Authentication Settings window 46 authentication solution single user compatibility chart 26 system deployment options on a network 27 Authentication SSL Certificate window 48 authmodule.log 78 Backup Domain Controller (BDC) 281 backup server configuration 95 Backup Server Configuration wizard 96 Block page 56 block page 13 Block Page Authentication 54...
  • Page 301 Default Rule tab 94 dialog box, terminology 3 directory service, definition 281 directory, definition 280 Distinguished Name (DN) definition 281 LDAP protocol 186 Distinguished Name Auto Discovery 89 DNS, definition 281 domain definition 281 delete profile 101 domain component (dc), definition 281 domain controller, definition 281 Domain Name Service (DNS) 281 dynamic group 10...
  • Page 302 profile components 16 profile types 11 rules 21 static profiles 13 user, machine 14 Firefox 33 firewall mode 36 definition 282 frame, terminology 4 gateway IP address 38 global administrator, definition 282 global filtering profile 14 global group 8 grid, terminology 4 group global 8...
  • Page 303 IPC share 184 Java applet 44 Java Plug-in 33 Java Runtime Environment 33 Java Virtual Machine 33 JavaScript 33 LAN Settings window 38 LAN1, LAN2 38 LDAP Active Directory Service usage 189 authentication protocol 24 definition 282 domain diagram 10 domain groups 10 name resolution method 186 server customizations 258...
  • Page 304 examples 187 usage 184 M86 Authenticator 25 M86 supplied category 17 machine name, definition 283 Macintosh 33 Manually Add Group dialog box LDAP 109 Manually Add Member dialog box LDAP 108 Manually Add Workstation dialog box LDAP 107 master IP group 9 filtering profile 13 methods name resolution 186...
  • Page 305 name lookup, definition 284 NetBIOS Domain Name 87 NetBIOS name 46 Netscape Directory Server 81 Network Address Translation (NAT), definition 284 network requirements 34 NIC device 47 Novell 24 Novell eDirectory Agent 25 Open Directory 10 open setting 19 definition 284 OpenLDAP 24 server customizations 258...
  • Page 306 elements 260 Profile window 120 protocol definition 284 proxy server definition 284 pull-down menu, terminology 5 quota 111 definition 285 format 262 radio button, terminology 5 Radius profile 12 re-authentication block page authentication 54 net use based process 185 Redirect URL tab domain 124 requirements...
  • Page 307 Set Group Priority window LDAP domain 106 Single Sign-On Novell eDirectory authentication 208 Tier 1 authentication 184 single sign-on authentication (Tier 1) 24 SSL certificate 49 Active Directory 247 Novell 255 obtain, export from LDAP server 247 Sun One 257 SSL settings 90 SSL tab 90 SSO 208...
  • Page 308 session-based, Web-based authentication 195 tiers definition 286 Web-based authentication 152 time profile add 132 definition 286 profile type 15 time-based authentication (Tier 2) 24 time-based profile 43 topic terminology 6 tree terminology 7 troubleshooting tips 179 Type tab 80 Upload User/Group Profile window LDAP domain 110 URL, definition 286...
  • Page 309 white list, definition 286 window, terminology 7 WINS Server 46 workstation objects 85 workstation requirements 33 Workstation tab 85
