Administration - Smoothwall: Product Documentation

Secure Web Gateway
Network Guardian Administration Guide
For future reference
Network Guardian serial number:
Date installed:
Smoothwall contact:
Smoothwall® Network Guardian, Administration Guide, February 2015
Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other
guides delivered with earlier versions of Network Guardian.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or
mechanical, for any purpose, without the express written permission of Smoothwall.
For more information, contact: [email protected]
© 2001 – 2015 Smoothwall Ltd. All rights reserved.
Trademark notice
Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd.
Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC.
DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Windows 95,
Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered
trademark of Netscape Communications Corporation in the United States and other countries. Apple and
Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation.
Core is a trademark of Intel Corporation.
All other products, services, companies, events and publications mentioned in this document, associated
documents and in Smoothwall software may be trademarks, registered trademarks or service marks of
their respective owners in the UK, US and/or other countries.
Acknowledgements
Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team:
Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley,
Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan
Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S.
Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves
Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul
Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez
Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc
Wormgoor.
Network Guardian contains graphics taken from the Open Icon Library project
http://openiconlibrary.sourceforge.net/
Address
Smoothwall Limited
1 John Charles Way
Leeds. LS12 6QA
United Kingdom
Email
[email protected]
Web
www.smoothwall.net
Telephone
USA and Canada: 1 800 959 3760
United Kingdom: 0870 1 999 500
All other countries: +44 870 1 999 500
Fax
USA and Canada: 1 888 899 9164
United Kingdom: 0870 1 991 399
All other countries: +44 870 1 991 399
Contents
About This Guide ...................................................... 1
Audience and Scope ......................................................................... 1
Organization and Use ....................................................................... 1
Conventions....................................................................................... 2
Related Documentation.................................................................... 2
Chapter 1
Introduction ............................................................... 3
Overview of Network Guardian........................................................ 3
Annual Renewal................................................................................. 3
Chapter 2
Network Guardian Overview .................................... 5
Accessing Network Guardian .......................................................... 5
Dashboard ......................................................................................... 6
Logs and reports ............................................................................... 6
Reports ..................................................................................... 7
Alerts......................................................................................... 7
Realtime.................................................................................... 8
Logs .......................................................................................... 8
Settings..................................................................................... 9
Networking ........................................................................................ 9
Filtering ..................................................................................... 9
Routing ..................................................................................... 9
Interfaces................................................................................ 10
Settings................................................................................... 10
Services............................................................................................ 10
Authentication........................................................................ 11
User Portal.............................................................................. 11
Proxies ................................................................................... 12
SNMP ...................................................................................... 12
Message Censor .................................................................... 12
System ............................................................................................. 13
Maintenance........................................................................... 13
Central Management............................................................. 13
Preferences ............................................................................ 14
Administration........................................................................ 14
Hardware ................................................................................ 14
Diagnostics............................................................................. 15
Certificates ............................................................................. 15
Guardian........................................................................................... 15
Quick Links............................................................................. 16
Web Filter Policies ................................................................. 16
HTTPS Inspection Policies.................................................... 17
Content Modification Policies .............................................. 17
Anti-malware Policies ........................................................... 18
Block Page Policies ............................................................... 18
Policy Objects ........................................................................ 18
Swurl ................................................................................................ 19
Web Proxy........................................................................................ 19
Web Proxy .............................................................................. 19
Upstream Proxy ..................................................................... 19
Authentication........................................................................ 20
MobileProxy............................................................................ 20
Configuration Guidelines................................................................ 20
Specifying Networks, Hosts and Ports ................................ 20
Using Comments ................................................................... 21
Creating, Editing and Removing Rules ................................ 21
Connecting via the Console ........................................................... 22
Connecting Using a Client .................................................... 22
Secure Communication .................................................................. 23
Unknown Entity Warning....................................................... 23
Inconsistent Site Address ..................................................... 24
Chapter 3
Working with Interfaces ......................................... 25
Configuring Global Settings for Interfaces ................................... 26
Working with Bridges ..................................................................... 27
Creating Bridges .................................................................... 27
Editing Bridges....................................................................... 27
Deleting Bridges .................................................................... 27
Working with Bonded Interfaces ................................................... 28
Creating Bonds ...................................................................... 28
Editing Bonds ......................................................................... 28
Deleting Bonds....................................................................... 28
Configuring IP Addresses .............................................................. 29
Adding an IP Address ............................................................ 29
Editing an IP Address ............................................................ 29
Deleting an IP Address.......................................................... 29
Chapter 4
Deploying Web Filtering ......................................... 31
Getting Up and Running ................................................................. 31
Blocking and Allowing Content Immediately ...................... 32
Blocking Locations ................................................................ 33
Excepting Computers from Web Filtering ........................... 33
About Shortcuts ..................................................................... 35
About Network Guardian’s Default Policies ................................. 36
About the Default Web Filter Policies .................................. 36
About the Default Authentication Policies .......................... 36
Chapter 5
Working with Policies ............................................. 37
An Overview of Policies.................................................................. 38
Types of Policies.................................................................... 38
How Policies are Applied ...................................................... 38
Guardian Getting Started ...................................................... 40
Working with Category Group Objects ......................................... 41
Creating Category Group Objects ....................................... 41
Creating Custom Categories ................................................ 42
Editing Category Group Objects .......................................... 43
Deleting Category Group Objects ........................................ 44
Working with Time Slot Objects .................................................... 45
Creating a Time Slot .............................................................. 45
Editing a Time Slot................................................................. 46
Deleting a Time Slot .............................................................. 46
Working with Location Objects ..................................................... 46
Creating a Location Object................................................... 47
Editing Location Objects....................................................... 48
Deleting Location Objects .................................................... 48
Working with Quota Objects.......................................................... 48
About the Default Quota Object ........................................... 48
Creating Quota Objects ........................................................ 49
Editing Quota Objects ........................................................... 50
Deleting Quota Objects......................................................... 50
Managing Web Filter Policies ........................................................ 50
Creating Web Filter Policies ................................................. 51
Editing Web Filter Policies .................................................... 53
Deleting Web Filter Policies.................................................. 54
Managing HTTPS Inspection Policies ........................................... 54
Enabling HTTPS Inspection Policies.................................... 55
Creating an HTTPS Inspection Policy.................................. 55
Editing HTTPS Inspection Policies....................................... 58
Deleting HTTPS Inspection Policies .................................... 58
Configuring HTTPS Inspection Policy Settings .................. 58
Clearing the Generated Certificate Cache .......................... 60
Managing Content Modification Policies...................................... 60
Creating a Content Modification Policy............................... 61
Editing Content Modification Policies ................................. 63
Deleting Content Modification Policies ............................... 63
Creating Custom Content Modification Policies ................ 64
Managing Anti-malware Policies................................................... 65
Creating an Anti-malware Policy.......................................... 65
Configuring Anti-malware Protection .................................. 67
Configuring Anti-malware Status Information .................... 68
Editing Anti-malware Policies............................................... 69
Deleting Anti-malware Policies ............................................ 69
Using the Policy Tester................................................................... 69
Other Ways of Accessing the Policy Tester ........................ 71
Working with Policy Folders .......................................................... 71
Creating a Policy Folder........................................................ 72
Editing Policy Folders............................................................ 72
Deleting Policy Folders ......................................................... 72
Censoring Web Form Content ....................................................... 73
Configuring Organization Accounts.............................................. 75
Chapter 6
Managing Authentication Policies......................... 77
About Authentication Policies ....................................................... 77
Creating Authentication Policies ................................................... 78
Creating Non-transparent Authentication Policies ............ 78
Creating Transparent Authentication Policies.................... 83
Managing Authentication Policies................................................. 87
Editing Authentication Policies ............................................ 87
Deleting Policies .................................................................... 88
Managing Authentication Exceptions ........................................... 89
Identification by Location............................................................... 89
Connecting to Network Guardian.................................................. 90
About Non-transparent Connections................................... 90
About Transparent Connections .......................................... 92
Authentication Scenarios ............................................................... 93
New Content Filtering – Changing the Listening Port........ 93
Providing Filtered Web Access to the Public ...................... 93
Requiring Authentication to Browse the Web..................... 93
Using Multiple Authentication Methods .............................. 94
Controlling an Unruly Class .................................................. 94
Chapter 7
Managing Web Security ......................................... 95
Overview of the Web Proxy ............................................................ 96
Global Options ....................................................................... 96
Advanced Web Proxy Settings ............................................. 96
Using PAC Scripts......................................................................... 100
Using a Built-in Script ......................................................... 100
Using a Custom Script ........................................................ 101
Managing the Configuration Script.................................... 102
Limiting Bandwidth Use ............................................................... 102
Ordering Bandwidth Limiting Policies ............................... 104
Editing Bandwidth Limiting Policies .................................. 104
Deleting Bandwidth Limiting Policies ................................ 104
Configuring WCCP ........................................................................ 104
Managing Upstream Proxies ....................................................... 106
Overview ............................................................................... 106
Configuring an Upstream Proxy ......................................... 107
Configuring Source and Destination Filters ...................... 109
Using a Single Upstream Proxy.......................................... 111
Working with Multiple Upstream Proxies .......................... 112
Managing Blocklists ..................................................................... 114
Viewing Blocklist Information............................................. 115
Manually Updating Blocklists ............................................. 115
Managing Block Pages................................................................. 116
About the Default Block Page ............................................ 116
Customizing the Default Block Page ................................. 117
Using a Custom HTML Template ....................................... 119
Using an External Block Page ............................................ 120
Configuring a Block Page Policy........................................ 120
Managing Block Page Policies ........................................... 121
Working with Block Pages.................................................. 122
Chapter 8
Managing Your Network Infrastructure .............. 123
Creating Subnets .......................................................................... 123
Editing and Removing Subnet Rules ................................. 124
Using RIP ....................................................................................... 124
Chapter 9
General Network Security Settings ..................... 127
Blocking by IP................................................................................ 127
Creating IP Blocking Rules ................................................. 127
Editing and Removing IP Block Rules ............................... 129
Configuring Advanced Networking Features ............................. 129
Working with Port Groups............................................................ 132
Creating a Port Group ......................................................... 132
Adding Ports to Existing Port Groups................................ 133
Editing Port Groups ............................................................. 133
Deleting a Port Group.......................................................... 133
Chapter 10
Configuring Inter-Zone Security.......................... 135
About Zone Bridging Rules .......................................................... 135
Creating a Zone Bridging Rule .................................................... 136
Editing and Removing Zone Bridge Rules .................................. 138
A Zone Bridging Tutorial .............................................................. 138
Creating the Zone Bridging Rule........................................ 138
Allowing Access to the Web Server ................................... 139
Accessing a Database on the Protected Network ........... 139
Group Bridging .............................................................................. 140
Group Bridging and Authentication ................................... 140
Creating Group Bridging Rules .......................................... 141
Editing and Removing Group Bridges ............................... 142
Chapter 11
Authentication and User Management ............... 143
About User Authentication........................................................... 143
Configuring Global Authentication Settings............................... 144
About Directory Services ............................................................. 145
Configuring a Microsoft Active Directory Connection ..... 146
Configuring an LDAP Connection ...................................... 147
Configuring a RADIUS Connection .................................... 150
Configuring an Active Directory Connection – Legacy Method .......................................................................................... 151
Configuring a Local Users Directory ................................. 154
Reordering Directory Servers............................................. 154
Editing a Directory Server................................................... 154
Deleting a Directory Server................................................. 155
Diagnosing Directories........................................................ 155
Managing Local Users.................................................................. 155
Adding Users........................................................................ 155
Editing Local Users.............................................................. 156
Deleting Users...................................................................... 156
Managing Groups of Users .......................................................... 156
About Groups ....................................................................... 156
Adding Groups ..................................................................... 157
Editing Groups ..................................................................... 157
Deleting Groups ................................................................... 158
Mapping Groups............................................................................ 158
Remapping Groups.............................................................. 158
Deleting Group Mappings ................................................... 159
Managing Temporarily Banned Users......................................... 159
Creating a Temporary Ban.................................................. 159
Removing Temporary Bans ................................................ 160
Removing Expired Bans ...................................................... 160
Managing User Activity ................................................................ 161
Viewing User Activity........................................................... 161
Logging Users Out............................................................... 161
Banning Users...................................................................... 161
About SSL Authentication ............................................................ 162
Customizing the SSL Login Page....................................... 162
Reviewing SSL Login Pages ............................................... 164
Managing Kerberos Keytabs ....................................................... 164
Prerequisites ........................................................................ 164
Adding Keytabs.................................................................... 164
Managing Keytabs ............................................................... 165
Troubleshooting a Kerberos Service ................................. 166
Authenticating Chromebook Users............................................. 167
Creating a Google Client ID and Client Secret (Web Application) ....................................................................................... 167
Restricting Accepted Google Accounts by Domain......... 168
Customizing the Client Login Page.................................... 169
Managing Chromebooks..................................................... 170
Chapter 12
Centrally Managing Smoothwall Systems .......... 175
About Centrally Managing Smoothwall Systems....................... 175
Pre-requirements................................................................. 176
Setting up a Centrally Managed Smoothwall System ............... 176
Configuring the Parent Node.............................................. 176
Configuring Child Nodes ..................................................... 177
Adding Child Nodes to the System .................................... 178
Editing Child Node Settings................................................ 181
Deleting Nodes in the System ............................................ 181
Managing Nodes in a Smoothwall System ................................. 181
Monitoring Node Status ...................................................... 182
Accessing the Node Details Page ...................................... 183
Working with Updates ......................................................... 183
Rebooting Nodes ................................................................. 184
Disabling Nodes................................................................... 185
Using BYOD in a Centrally Managed System............................. 185
Glossary ................................................................. 187
Index....................................................................... 197
About This Guide
Smoothwall’s Network Guardian is a licenced feature of your Smoothwall System.
This supplement provides guidance for configuring Network Guardian.
Audience and Scope
This guide is aimed at system administrators maintaining and deploying Network Guardian.
This guide assumes the following prerequisite knowledge:
• An overall understanding of the functionality of the Smoothwall System
• An overall understanding of networking concepts
Note: We strongly recommend that everyone working with Smoothwall products attend
Smoothwall training. For information on our current training courses, contact your Smoothwall
representative.
Organization and Use
This guide is made up of the following chapters and appendices:
• Chapter 1, Introduction on page 3
• Chapter 2, Network Guardian Overview on page 5
• Chapter 3, Working with Interfaces on page 25
• Chapter 4, Deploying Web Filtering on page 31
• Chapter 5, Working with Policies on page 37
• Chapter 6, Managing Authentication Policies on page 77
• Chapter 7, Managing Web Security on page 95
• Chapter 8, Managing Your Network Infrastructure on page 123
• Chapter 9, General Network Security Settings on page 127
• Chapter 10, Configuring Inter-Zone Security on page 135
• Chapter 11, Authentication and User Management on page 143
• Chapter 12, Centrally Managing Smoothwall Systems on page 175
• Appendix 3: User Authentication on page 13
• Glossary on page 187
• Index on page 197
Conventions
The following typographical conventions are used in this guide:

Item                          | Convention            | Example
------------------------------|-----------------------|------------------------------------------------
Key product terms             | Initial Capitals      | Network Guardian; Smoothwall System
Menu flow, and screen objects | Bold                  | System > Maintenance > Shutdown; Click Save
Cross-references              | Blue text             | See Chapter 1, Introduction on page 3
References to other guides    | Italics               | Refer to the Network Guardian Administration Guide
Filenames and paths           | Courier               | The portal.xml file
Variables that users replace  | Courier Italics       | http://<my_ip>/portal
Links to external websites    | Blue text, underlined | Refer to http://www.smoothwall.net/support
This guide is written in such a way as to be printed on both sides of the paper.
Related Documentation
The following guides provide additional information relating to Network Guardian:
• Network Guardian Installation Guide, which describes how to install Network Guardian
• Network Guardian Operations Guide, which describes how to maintain Network Guardian
• Network Guardian Upgrade Guide, which describes how to upgrade Network Guardian
• Network Guardian User Portal Guide, which describes how to use the Network Guardian user portal
• http://www.smoothwall.net/support contains the Smoothwall support portal, knowledge base and the latest product manuals.
1 Introduction
This chapter introduces Network Guardian, including:
• Overview of Network Guardian on page 3
• Annual Renewal on page 3
Overview of Network Guardian
Welcome to Network Guardian, the intelligent web content filter that dynamically analyses,
understands and categorizes all web content requested by your users.
Network Guardian provides:
• Protection from pornography and objectionable content
• Controlled access to non work-related sites, such as news, sport, travel and auctions
• Protection from web-borne spyware, malware and browser exploits
• Reporting on Internet behavior and resource utilization
• Email security: anti-spam, anti-malware, mail relay and control
Annual Renewal
To ensure that you have all the functionality documented in this guide, we recommend that you
purchase annual renewal. For more information, contact your Smoothwall representative.
2 Network Guardian
Overview
In this chapter:
• How to access Network Guardian
• An overview of the pages used to configure and manage Network Guardian
Accessing Network Guardian
To access Network Guardian:
1. In a web browser, enter the address of your Network Guardian, for example:
   https://192.168.72.141:441
   Note: The example address above uses HTTPS to ensure secure communication with your
   Network Guardian. It is possible to use HTTP on port 81 if you are satisfied with less security.
   Note: The following sections assume that you have registered and configured Network Guardian as
   described in the Network Guardian Installation and Setup Guide.
2. Accept Network Guardian’s certificate. The login screen is displayed.
3. Enter the following information:
   Username: Enter admin. This is the default Network Guardian administrator account.
   Password: Enter the password you specified for the admin account when installing Network Guardian.
4. Click Login. The Dashboard opens.
The following sections give an overview of Network Guardian’s default sections and pages.
Dashboard
The dashboard is the default home page of your Network Guardian system. It displays service
information and customizable summary reports.
Logs and reports
The Logs and reports section contains the following sub-sections and pages:
Reports
Summary: Displays a number of generated reports. For more information, refer to the Network Guardian Operations Guide.
Reports: Where you generate and organize reports. For more information, refer to the Network Guardian Operations Guide.
Recent and saved: Lists recently-generated and previously saved reports. For more information, refer to the Network Guardian Operations Guide.
Scheduled: Sets which reports are automatically generated and delivered. For more information, refer to the Network Guardian Operations Guide.
Custom: Enables you to create and view custom reports. For more information, refer to the Network Guardian Operations Guide.
Alerts
Pages – Description
Alerts – Determine which alerts are sent to which groups of users and in what format. For more information, refer to the Network Guardian Operations Guide.
Alert settings – Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, refer to the Network Guardian Operations Guide.
Realtime
Pages – Description
System – A real time view of the system log with some filtering options. For more information, refer to the Network Guardian Operations Guide.
Firewall – A real time view of the firewall log with some filtering options. For more information, refer to the Network Guardian Operations Guide.
Email – Displays the email log viewer running in real time mode. For more information, see Email Logs.
Portal – A real time view of activity on user portals. For more information, refer to the Network Guardian Operations Guide.
IM proxy – A real time view of recent instant messaging conversations. For more information, see Realtime Instant Messaging on page 370.
Web filter – Displays the web filter log viewer running in real time mode. For more information, see Web Filter Logs on page 209.
Traffic graphs – Displays a real time bar graph of the bandwidth being used. For more information, refer to the Network Guardian Operations Guide.
Logs
Pages – Description
System – Simple logging information for the internal system services. For more information, refer to the Network Guardian Operations Guide.
Firewall – Displays all data packets that have been dropped or rejected by the firewall. For more information, refer to the Network Guardian Operations Guide.
Email – Displays sender, recipient, subject and other email message information. For more information, see Email Logs.
IM proxy – Displays information on instant messaging conversations. For more information, see IM Proxy Logs on page 378.
Web filter – Displays time, username, source IP and other web filtering information. For more information, see Web Filter Logs on page 209.
Log settings – Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, refer to the Network Guardian Operations Guide.
Settings
Pages – Description
Datastore settings – Contains settings to manage the storing of log files. For more information, refer to the Network Guardian Operations Guide.
Groups – Where you create groups of users which can be configured to receive automated alerts and reports. For more information, refer to the Network Guardian Operations Guide.
Output settings – Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, refer to the Network Guardian Operations Guide.
Networking
The Networking section contains the following sub-sections and pages:
Filtering
Pages – Description
Zone bridging – Used to define permissible communication between pairs of network zones. For more information, see About Zone Bridging Rules on page 135.
Group bridging – Used to define the network zones that are accessible to authenticated groups of users. For more information, see Group Bridging on page 140.
IP block – Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Creating IP Blocking Rules on page 127.
Routing
Pages – Description
Subnets – Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Creating Subnets on page 123.
RIP – Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Using RIP on page 124.
Interfaces
Pages – Description
Interfaces – Configure and display information on your Network Guardian’s internal interfaces. For more information, see Configuring Global Settings for Interfaces on page 26.
Internal aliases – Used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a virtual subnet – without the need for physical switches. For more information, see on page 126.
Settings
Pages – Description
Port groups – Create and edit groups of ports for use throughout Network Guardian. For more information, see Working with Port Groups on page 132.
Advanced – Used to configure advanced network and traffic auditing parameters. For more information, see Configuring Advanced Networking Features on page 129.
Services
The Services section contains the following sub-sections and pages:
Authentication
Pages – Description
Settings – Used to set global login time settings. For more information, see Configuring Global Authentication Settings on page 144.
Directories – Used to connect to directory servers in order to retrieve groups and apply network and web filtering permissions and verify the identity of users trying to access network or Internet resources. For more information, see About Directory Services on page 145.
Groups – Used to customize group names. For more information, see Managing Groups of Users on page 156.
Temporary bans – Enables you to manage temporarily banned user accounts. For more information, see Managing Temporarily Banned Users on page 159.
User activity – Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Managing User Activity on page 161.
SSL login – Used to customize the end-user SSL login page. For more information, see About SSL Authentication on page 162.
Kerberos keytabs – This is where Kerberos keytabs are imported and managed. For more information, see Managing Kerberos Keytabs on page 164.
BYOD – Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, refer to the Network Guardian Operations Guide.
User Portal
Pages – Description
Portals – This page enables you to configure and manage user portals. For more information, refer to the Network Guardian Operations Guide.
Group access – This page enables you to assign groups of users to portals. For more information, refer to the Network Guardian Operations Guide.
User access – This page enables you to override group settings and assign a user directly to a portal. For more information, refer to the Network Guardian Operations Guide.
Proxies
Pages – Description
Instant messenger – Used to configure and enable instant messaging proxying. For more information, refer to the Network Guardian Operations Guide.
FTP – Used to configure and enable a proxy to manage FTP traffic. For more information, refer to the Network Guardian Operations Guide.
SNMP
Pages – Description
SNMP – Used to activate Network Guardian’s Simple Network Management Protocol (SNMP) agent. For more information, refer to the Network Guardian Operations Guide.
Message Censor
Pages – Description
Policies – Enables you to create and manage filtering policies by assigning actions to matched content. For more information, refer to the Network Guardian Operations Guide.
Filters – This is where you create and manage filters for matching particular types of message content. For more information, refer to the Network Guardian Operations Guide.
Time – This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, refer to the Network Guardian Operations Guide.
Custom categories – Enables you to create and manage custom content categories for inclusion in filters. For more information, refer to the Network Guardian Operations Guide.
System
The System section contains the following sub-sections and pages:
Maintenance
Pages – Description
Updates – Used to display and install available product updates, in addition to listing currently installed updates. For more information, refer to the Network Guardian Operations Guide.
Modules – Used to upload, view, check, install and remove Network Guardian modules. For more information, refer to the Network Guardian Operations Guide.
Licenses – Used to display and update license information for the licensable components of the system. For more information, refer to the Network Guardian Operations Guide.
Archives – Used to create and restore archives of system configuration information. For more information, refer to the Network Guardian Operations Guide.
Scheduler – Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, refer to the Network Guardian Operations Guide.
Shutdown – Used to shut down or reboot the system. For more information, refer to the Network Guardian Operations Guide.
Central Management
Pages – Description
Overview – This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Managing Nodes in a Smoothwall System on page 181.
Child nodes – This is where you add and configure nodes in a Smoothwall system. For more information, see Configuring Child Nodes on page 177.
Local node settings – This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Setting up a Centrally Managed Smoothwall System on page 176.
Preferences
Pages – Description
User interface – Used to manage Network Guardian’s dashboard settings. For more information, refer to the Network Guardian Operations Guide.
Time – Used to manage Network Guardian’s time zone, date and time settings. For more information, refer to the Network Guardian Operations Guide.
Registration options – Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, refer to the Network Guardian Operations Guide.
Hostname – Used to configure Network Guardian’s hostname. For more information, refer to the Network Guardian Operations Guide.
Administration
Pages – Description
Admin options – Used to enable secure access to Network Guardian using SSH, and to enable referral checking. For more information, refer to the Network Guardian Operations Guide.
External access – Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Network Guardian. For more information, refer to the Network Guardian Operations Guide.
Administrative users – Used to manage user accounts and set or edit user passwords on the system. For more information, refer to the Network Guardian Operations Guide.
Hardware
Pages – Description
UPS – Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, refer to the Network Guardian Operations Guide.
Modem – Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, refer to the Network Guardian Operations Guide.
Diagnostics
Pages – Description
Functionality tests – Used to ensure that your current Network Guardian settings are not likely to cause problems. For more information, refer to the Network Guardian Operations Guide.
Configuration report – Used to create diagnostic files for support purposes. For more information, refer to the Network Guardian Operations Guide.
IP tools – Contains the ping and trace route IP tools. For more information, refer to the Network Guardian Operations Guide.
Whois – Used to find and display ownership information for a specified IP address or domain name. For more information, refer to the Network Guardian Operations Guide.
Traffic analysis – Used to generate and display detailed information on current traffic. For more information, refer to the Network Guardian Operations Guide.
Certificates
Page – Description
Certificate authorities – Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, refer to the Network Guardian Operations Guide.
Guardian
The Guardian section contains the following sub-sections and pages:
Quick Links
Page – Description
Getting started – This page provides an overview of what comprises a web filter policy, a link to the default policies and an introduction to policy wizards. For more information, see Guardian Getting Started on page 40.
Shortcuts – This page provides direct links to tasks you might do on a daily basis, such as blocking and allowing sites and running reports. For more information, see About Shortcuts on page 35.
Quick block/allow – This page enables you to block or allow content immediately. For more information, see Blocking and Allowing Content Immediately on page 32.
Policy tester – The policy tester enables you to test whether a URL is available to a specific person at a specific location and time. For more information, see Using the Policy Tester on page 69.
Web Filter Policies
Pages – Description
Manage policies – This is where you manage how web filtering policies are applied. For more information, see Managing Web Filter Policies on page 50.
Policy wizard – This is where you can configure a custom web filtering policy. For more information, see Creating Web Filter Policies on page 51.
Location blocking – Enables you to block computers at a specific location from accessing web content. For more information, see Blocking Locations on page 33.
Exceptions – Here you can exempt computers from any web filtering. For more information, see Excepting Computers from Web Filtering on page 33.
Outgoing – This is where you configure outgoing settings for a censor policy for content and/or files posted using web forms. For more information, see Censoring Web Form Content on page 73.
HTTPS Inspection Policies
Pages – Description
Manage policies – This is where you manage HTTPS inspection policies that decrypt and inspect encrypted communications. For more information, see Managing HTTPS Inspection Policies on page 54.
Policy wizard – This is where you create custom policies for managing encrypted communications. For more information, see Creating an HTTPS Inspection Policy on page 55.
Settings – This is where you manage CA security certificates and configure HTTPS interception messages. For more information, see Configuring HTTPS Inspection Policy Settings on page 58.
Content Modification Policies
Pages – Description
Manage policies – This is where you manage content modification policies that apply recommended security rules and enforce SafeSearch in browsers. For more information, see Managing Content Modification Policies on page 60.
Policy wizard – Enables you to create custom policies for applying security rules and enforcing SafeSearch in browsers. For more information, see Creating a Content Modification Policy on page 61.
Anti-malware Policies
Pages – Description
Manage policies – This is where you manage policies that protect against malware. For more information, see Managing Anti-malware Policies on page 65.
Policy wizard – This is where you can create custom policies to protect against malware. For more information, see Creating an Anti-malware Policy on page 65.
Status page – Enables you to customize anti-malware information shown when downloading files. For more information, see Configuring Anti-malware Status Information on page 68.
Settings – This is where you enable malware protection. For more information, see Creating an Anti-malware Policy on page 65.
Block Page Policies
Pages – Description
Manage policies – This is where you manage block page policies. For more information, see Managing Block Page Policies on page 121.
Policy wizard – This is where you create and edit block page policies. For more information, see Configuring a Block Page Policy on page 120.
Block pages – This is where you create and edit block pages. For more information, see Managing Block Pages on page 116.
Policy Objects
Pages – Description
Category groups – This is where you manage content categories used when applying a web filtering policy. For more information, see Working with Category Group Objects on page 41.
User defined – This is where you manage custom content categories. For more information, see Creating Custom Categories on page 42.
Time slots – This is where you create and manage time slot policy objects for use in content filtering policies. For more information, see Working with Time Slot Objects on page 45.
Locations – This is where you create and manage location policy objects for use in content filtering policies. For more information, see Working with Location Objects on page 46.
Quotas – This is where you create and manage quota policy objects for use in content filtering policies. For more information, see Working with Quota Objects on page 48.
Swurl
Pages – Description
Settings – This is where you configure your organization’s Swurl account. For more information, see Configuring Organization Accounts on page 75.
Web Proxy
The Web proxy section contains the following sub-sections and pages:
Web Proxy
Pages – Description
Settings – This is where you configure and manage web proxy settings. For more information, see Overview of the Web Proxy on page 96.
Automatic configuration – This is where you create and make available proxy auto-configuration (PAC) scripts. For more information, see Using PAC Scripts on page 100.
Bandwidth limiting – This is where you can manage how much bandwidth is made available to clients. For more information, see Limiting Bandwidth Use on page 102.
WCCP – This is where you can configure Network Guardian to join a Web Cache Coordination Protocol (WCCP) cache engine cluster. For more information, see Configuring WCCP on page 104.
Upstream Proxy
Pages – Description
Manage policies – This is where you manage upstream proxy policies. For more information, see Working with Multiple Upstream Proxies on page 112.
Proxies – This is where you configure upstream proxy settings. For more information, see Configuring an Upstream Proxy on page 107.
Filters – This is where you manage upstream proxy source and destination filters. For more information, see Configuring Source and Destination Filters on page 109.
Authentication
Pages – Description
Manage policies – This is where you manage authentication policies, which determine which web filter policies are applied. For more information, see Chapter 6, Managing Authentication Policies on page 77.
Policy wizard – This is where you create and edit authentication policies. For more information, see Creating Authentication Policies on page 78.
Exceptions – This is where you can exempt content from authentication. For more information, see Managing Authentication Exceptions on page 89.
Ident by location – This is where you configure identification of groups and/or users by their location. For more information, see Identification by Location on page 89.
MobileProxy
Pages – Description
Settings – On this page, you configure global MobileProxy server settings. For more information, refer to the Network Guardian Operations Guide.
Proxies – On this page, you manage MobileProxy servers for use with mobile devices. For more information, refer to the Network Guardian Operations Guide.
Exceptions – On this page, you specify proxy exceptions. For more information, refer to the Network Guardian Operations Guide.
Configuration Guidelines
This section provides guidance about how to enter suitable values for frequently required configuration settings.
Specifying Networks, Hosts and Ports
IP Address
An IP address defines the network location of a single network host. The following format is used:
192.168.10.1
IP Address Range
An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. For example:
192.168.10.1-192.168.10.20
192.168.10.1-192.168.12.255
Subnet Addresses
A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways:
192.168.10.0/255.255.255.0
192.168.10.0/24
Netmasks
A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use. Examples:
255.255.255.0
255.255.0.0
255.255.248.0
Service and Ports
A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples:
21
7070
Port Range
A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used:
137:139
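The notations above (single IP, low-high range, subnet as IP/mask or IP/prefix, a separate netmask, a port or a low:high port range) are exactly what an administrator types into rule forms, so validating them before they reach a firewall or access rule is worth doing. The following is an added example, not code from the Smoothwall guide: the function names, the Parsed record and the error wording are my own, and the stricter checks (contiguous masks, low before high, ports 1 to 65535) are assumptions the guide does not spell out.

```python
"""Validators for the network, host and port notations described above.

Added example, not code from the Smoothwall guide: the function names, the
Parsed record and the error wording are my own. Standard library only.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Shape check only; ipaddress does the real per-octet validation.
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_RANGE_RE = re.compile(rf"^({_IPV4})-({_IPV4})$")
_SUBNET_RE = re.compile(rf"^({_IPV4})/(\d{{1,2}}|{_IPV4})$")


@dataclass(frozen=True)
class Parsed:
    kind: str    # "ip", "ip_range" or "subnet"
    value: str   # canonical text, e.g. "192.168.10.0/24"


def netmask_prefix(mask: str) -> int:
    """Prefix length of a dotted netmask, e.g. 255.255.248.0 -> 21.

    Rejects non-contiguous masks (255.0.255.0) and hostmasks (0.0.0.255);
    ipaddress.IPv4Network would quietly accept the latter as a mask.
    """
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    # A valid mask is exactly `prefix` leading ones followed by zeros.
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"netmask bits are not contiguous: {mask}")
    return prefix


def parse_address(text: str) -> Parsed:
    """Parse a single IP, a low-high IP range, or a subnet in either notation."""
    text = text.strip()
    m = _RANGE_RE.match(text)
    if m:
        low, high = (ipaddress.IPv4Address(p) for p in m.groups())
        if low > high:
            raise ValueError(f"range must run from low to high: {text}")
        return Parsed("ip_range", f"{low}-{high}")   # ranges may span subnets
    m = _SUBNET_RE.match(text)
    if m:
        addr, mask = m.groups()
        prefix = netmask_prefix(mask) if "." in mask else int(mask)
        # The guide allows an arbitrary address with the mask, so normalise
        # to the network base (strict=False) instead of rejecting host bits.
        net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
        return Parsed("subnet", net.with_prefixlen)
    return Parsed("ip", str(ipaddress.IPv4Address(text)))


def parse_port_field(text: str) -> Tuple[int, int]:
    """Parse a User defined port field: a port such as 7070 or a low:high
    range such as 137:139. Returns an inclusive (low, high) pair."""
    parts = text.strip().split(":")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"port must be a number or a low:high range: {text}")
    low, high = int(parts[0]), int(parts[-1])
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"ports must be 1-65535 and run low to high: {text}")
    return low, high


def validate_rule_fields(address: str, port: str) -> List[str]:
    """Check an address field and a port field as a rule form would, returning
    every problem found; an empty list means both values are acceptable."""
    problems = []
    for label, parser, value in (("address", parse_address, address),
                                 ("port", parse_port_field, port)):
        try:
            parser(value)
        except ValueError as exc:        # AddressValueError is a ValueError
            problems.append(f"{label}: {exc}")
    return problems


if __name__ == "__main__":
    # The guide's own examples, followed by two values a form should refuse.
    for sample in ("192.168.10.1", "192.168.10.1-192.168.12.255",
                   "192.168.10.0/255.255.255.0", "192.168.10.0/24"):
        print(sample, "->", parse_address(sample))
    for mask in ("255.255.255.0", "255.255.0.0", "255.255.248.0"):
        print(mask, "->", f"/{netmask_prefix(mask)}")
    for port in ("21", "7070", "137:139"):
        print(port, "->", parse_port_field(port))
    print(validate_rule_fields("192.168.10.20-192.168.10.1", "139:137"))
```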
Using Comments
Almost every configurable aspect of Network Guardian can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against the configuration settings they implement.
Comments are entered in the Comment fields and displayed alongside saved configuration information.
Creating, Editing and Removing Rules
Much of Network Guardian is configured by creating rules – for example, IP block rules and administration access rules.
Creating a Rule
To create a rule:
1. Enter configuration details in the Add a new rule area.
2. Click Add to create the rule and add it to the appropriate Current rules area.
Editing a Rule
To edit a rule:
1. Find the rule in the Current rules area and select its adjacent Mark option.
2. Click Edit to populate the configuration controls in the Add a new rule area with the rule’s current configuration values.
3. Change the configuration values as necessary.
4. Click Add to re-create the edited rule and add it to the Current rules area.
Removing a Rule
To remove one or more rules:
1. Select the rule(s) to be removed in the Current rules area.
2. Click Remove to remove the selected rule(s).
Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created. On such pages, the Add a new rule and Current rules areas will be Add a new host and Current users, etc.
Connecting via the Console
You can access Network Guardian via a console using the Secure Shell (SSH) protocol.
Note: By default, Network Guardian only allows SSH access if it has been specifically configured. See Configuring Administration Access Options on page 328 for more information.
Connecting Using a Client
When SSH access is enabled, you can connect to Network Guardian via a secure shell application, such as PuTTY.
To connect using an SSH client:
1. Check SSH access is enabled on Network Guardian. See Configuring Administration Access Options on page 328 for more information.
2. Start PuTTY or an equivalent client.
3. Enter the following information:
Field – Description
Host Name (or IP address) – Enter Network Guardian’s host name or IP address.
Port – Enter 222.
Protocol – Select SSH.
4. Click Open. When prompted, enter root and the password associated with it. You are given access to the Network Guardian command line.
Secure Communication
When you connect your web browser to Network Guardian’s web-based interface on an HTTPS port for the first time, your browser will display a warning that Network Guardian’s certificate is invalid. The reason given is usually either that the certificate was signed by an unknown entity or that you appear to be connecting to a site pretending to be another site.
Unknown Entity Warning
This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, Network Guardian’s certificate is a self-signed certificate.
Note: The data traveling between your browser and Network Guardian is secure and encrypted.
To remove this warning, your web browser needs to be told to trust certificates generated by Network Guardian.
To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser’s documentation for information on how to import the certificate.
Inconsistent Site Address
Your browser will generate a warning if Network Guardian’s certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address.
A certificate can only contain a single site name, and in Network Guardian’s case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match.
To remove this warning, access Network Guardian using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated.
In most cases, browsers have an option you can select to ignore this warning and which will ignore these security checks in the future.
Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.
3 Working with Interfaces
This chapter describes how to configure the interfaces (network interface cards) on your Network Guardian, including:
• Configuring Global Settings for Interfaces on page 26
• Working with Bridges on page 27
• Working with Bonded Interfaces on page 28
• Configuring IP Addresses on page 29
Configuring Global Settings for Interfaces
Global settings determine Network Guardian’s primary and secondary DNS addresses.
To configure global settings:
1. Browse to the Networking > Interfaces > Interfaces page.
The following global interface settings are available:
Setting – Description
Default gateway – A drop-down list of the current gateways available.
Primary DNS – If Network Guardian is to be integrated as part of an existing DNS infrastructure, enter the appropriate DNS server information within the existing infrastructure. For more information, see Secure Web Gateway and DNS on page 15.
Secondary DNS – Enter the IP address of the secondary DNS server, if one is available.
Working with Bridges
It is possible to deploy Network Guardian in-line using two or more NICs to create a transparent bridge on which Deep Packet Inspection is possible.
The following sections explain how to create, edit and delete bridges.
Creating Bridges
To create a bridge:
1. On the Networking > Interfaces > Interfaces page, click Add new interface.
2. In the Add new interface dialog box, configure the following settings:
Setting – Description
Name – Enter a name for the bridge.
Type – Select Bridge.
Ports – From the ports listed as available, select the ports to be used as bridge members.
Use as – Select one of the following:
External – Select to use the bridge as an external interface.
Basic interface – Select to use the bridge as an interface with one or more IP addresses on it.
MAC – Accept the displayed MAC address or enter a new one.
3. Click Add. Network Guardian adds the bridge to the list on the Networking > Interfaces > Interfaces page.
Editing Bridges
To edit a bridge:
1. On the Networking > Interfaces > Interfaces page, point to the bridge and click Edit.
2. In the Edit interface dialog box, make the changes needed. See Creating Bridges on page 27 for information on the settings available.
3. Click Save changes. Network Guardian applies the changes.
Deleting Bridges
To delete a bridge:
1. On the Networking > Interfaces > Interfaces page, point to the bridge and click Delete.
2. When prompted, click Delete to confirm you want to delete the bridge. Network Guardian deletes the bridge.
Working with Bonded Interfaces
Network Guardian enables you to bind two or more NICs into a single bond. Bonding enables the NICs to act as one, thus providing high availability.
Creating Bonds
To create a bond:
1. On the Networking > Interfaces > Interfaces page, click Add new interface.
2. In the Add new interface dialog box, configure the following settings:
Setting – Description
Name – Enter a name for the bond.
Type – Select Bonding.
Ports – From the ports listed as available, select the ports to be used as bond members.
Use as – Select one of the following:
External – Select to use the bond as an external interface.
Basic interface – Select to use the bond as an interface with one or more IP addresses on it.
Bridge member – Select to use the bond as a member of a bridge. For more information, see Working with Bridges on page 27.
MAC – Accept the displayed MAC address or enter a new one.
3. Click Add. Network Guardian adds the bond to the list on the Networking > Interfaces > Interfaces page.
Editing Bonds
To edit a bond:
1. On the Networking > Interfaces > Interfaces page, point to the bond and click Edit.
2. In the Edit interface dialog box, make the changes needed. See Creating Bonds on page 28 for information on the settings available.
3. Click Save changes. Network Guardian applies the changes.
Deleting Bonds
To delete a bond:
1. On the Networking > Interfaces > Interfaces page, point to the bond and click Delete.
2. When prompted, click Delete to confirm you want to delete the bond. Network Guardian deletes the bond.
Configuring IP Addresses
The following sections explain how to add, edit and delete IP addresses used by interfaces.
Adding an IP Address
To add an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface you want to add an IP address to.
2. In the IP addresses dialog box, click Add new address. In the Add new address dialog box, configure the following settings:
Setting – Description
Status – Select Enabled to enable the IP address for the NIC.
IP address – Enter an IP address.
Subnet mask – Enter the subnet mask.
Gateway – Optionally, enter a gateway.
3. Click Add. Network Guardian adds the IP address to the interface.
Editing an IP Address
To edit an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to edit.
2. In the IP addresses dialog box, point to the address and click Edit.
3. In the Edit address dialog box, make the changes needed and click Save changes. Network Guardian applies the changes.
Deleting an IP Address
To delete an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to delete.
2. In the IP addresses dialog box, point to the address and click Delete.
3. When prompted, click Delete. Network Guardian deletes the address.
29
4 Deploying Web Filtering
This chapter describes how to deploy Guardian’s web filter, including:
• Getting Up and Running on page 31
• About Network Guardian’s Default Policies on page 36
Getting Up and Running
By default, Network Guardian comes with a comprehensive set of web filter policies and an
authentication policy which you can use immediately in order to protect your users and your
organization.
The following section explains how to use these policies to get web filtering up and running quickly.
Tip: Log in to our support portal and read about initial setup considerations, testing and refining filter
settings and tips on content filtering.
To get up and running:
1. On users’ computers, configure the web browser to use port 800 on Network Guardian as the web proxy, that is, non-transparent proxying.
2. Navigate to the Web proxy > Web proxy > Settings page.
3. Check that the Guardian option is enabled.
4. Scroll to the bottom of the page and click Save and Restart. Network Guardian starts to provide web security.
5. On a user’s computer, browse to http://thepiratebay.se/. Network Guardian blocks access to the site and displays a block page.
You can edit the default policies and create new policies to suit your organization. For more information, see Chapter 5, Working with Policies on page 37.
Blocking and Allowing Content Immediately
Network Guardian enables you to block or allow content immediately without having to create or edit
a web filter policy.
To block or allow content immediately:
1. Browse to the Guardian > Quick links > Quick block/allow page.
2. Enter the URL to the content you want to block or allow.
3. Click Block or Allow depending on what you want. Network Guardian immediately blocks or allows the content and adds the URL to the appropriate custom blocked or allowed content list.
Blocking Locations
Network Guardian enables you to block web-enabled resources at a specific location from accessing
content.
To block a location:
1. Browse to the Guardian > Web filter > Location blocking page.
2. Locate the location and click Block. Network Guardian blocks any web-enabled resources at that location from accessing web content. For more information on locations, see Chapter 5, Working with Location Objects on page 46.
Excepting Computers from Web Filtering
Network Guardian enables you to exempt specific computers from any web filtering. You can
configure exceptions based on the source IP address or the destination IP address.
Configuring Source Exceptions
A source exception IP using a non-transparent connection will have unfiltered access to the Internet
if configured to use port 801. A source exception IP going through an interface where transparent
proxy is enabled will not have outgoing HTTP or HTTPS traffic redirected to Network Guardian.
A source exception IP using a transparent connection requires no client browser configuration.
To configure a source exception:
1. Browse to the Guardian > Web filter > Exceptions page.
2. In the Manage source exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. Network Guardian exempts the computer(s) from any web filtering.
Configuring Destination Exceptions
A destination exception IP which goes through an interface where transparent proxy is enabled will
not have outgoing HTTP or HTTPS traffic redirected to Network Guardian.
To configure a destination exception:
1. Browse to the Guardian > Web filter > Exceptions page.
2. In the Manage destination exceptions area, enter the IP addresses, IP ranges or IP addresses with CIDR notation of the computers to be exempted and click Save. Network Guardian exempts the computer(s) from any web filtering.
About Shortcuts
Network Guardian provides a number of shortcuts to tasks you might carry out on a daily basis.
To access the shortcuts:
1. Browse to the Guardian > Quick links > Shortcuts page.
2. Click on a link to be taken to the task’s page.
About Network Guardian’s Default Policies
The following sections discuss Network Guardian’s default web filtering and authentication policies.
About the Default Web Filter Policies
Network Guardian’s default web filter policies are:
• Web filter policies – these policies allow users access to custom specified content, access to specific web sites at lunch time and Microsoft Windows updates. They also block core and custom specified undesirable content and adverts and enforce file security. To review these policies, browse to the Guardian > Web filter > Manage policies page. For information on customizing web filter policies, see Managing Web Filter Policies on page 50.
• HTTPS inspection policies – these policies can be enabled to allow users to access online banking sites securely while inspecting encrypted traffic and checking security certificates. To review these policies, browse to the Guardian > HTTPS inspection > Manage policies page. For information on customizing HTTPS inspection policies, see Managing HTTPS Inspection Policies on page 54.
• Content modification policies – these policies apply recommended security rules and force search engines to use SafeSearch functionality. To review these policies, browse to the Guardian > Content modification policies > Policy page. For information on customizing content modification policies, see Managing Content Modification Policies on page 60.
• Anti-malware policy – this policy protects against malware and viruses. To review this policy, browse to the Guardian > Anti-malware > Manage policies page. For information on customizing anti-malware policies, see Managing Anti-malware Policies on page 65.
About the Default Authentication Policies
Network Guardian comes with the following authentication policy ready for use:
• Non-transparent authentication policy – any user’s browser configured to use Network Guardian on port 800 as its web proxy will have this authentication policy applied to it. For information on creating more authentication policies, see Chapter 6, About Authentication Policies on page 77.
5 Working with Policies
This chapter describes how to configure, and maintain, Guardian policies, including:
• An Overview of Policies on page 38
• Working with Category Group Objects on page 41
• Working with Time Slot Objects on page 45
• Working with Location Objects on page 46
• Working with Quota Objects on page 48
• Managing Web Filter Policies on page 50
• Managing HTTPS Inspection Policies on page 54
• Managing Content Modification Policies on page 60
• Managing Anti-malware Policies on page 65
• Using the Policy Tester on page 69
• Working with Policy Folders on page 71
• Censoring Web Form Content on page 73
• Configuring Organization Accounts on page 75
An Overview of Policies
Policies determine how Network Guardian handles web content to best protect your users and your
organization. You can create and deploy custom policies to fit your organization. Deploying custom
policies entails:
• Configuring custom policies based on your organization’s Acceptable Usage Policies (AUPs); for more information, see Types of Policies on page 38
• Configuring authentication policies; for more information, refer to the Network Guardian Operations Guide
• Configuring users’ browsers or network connections to use Network Guardian as their web proxy or default gateway; for more information, see Connecting to Network Guardian on page 90.
Types of Policies
Network Guardian enables you to create the following types of policies:
• Web filter policies – Web filter policies determine whether to allow, block, soft block or whitelist web content that a user has requested. For more information, see Managing Web Filter Policies on page 50.
• HTTPS inspection policies – when enabled, HTTPS inspection policies determine whether to decrypt and inspect encrypted content so that it can be handled according to the web filter policies. HTTPS inspection policies can also be used to validate web site certificates. For more information, see Managing HTTPS Inspection Policies on page 54.
• Content modification policies – Content modification policies can be used to identify and stop malicious content embedded in web pages from being accessed. For information, see Managing Content Modification Policies on page 60.
• Anti-malware policies – Anti-malware policies are used to protect against malware and viruses. For information on customizing anti-malware policies, see Managing Anti-malware Policies on page 65.
How Policies are Applied
How Network Guardian applies policies depends on the original web request from a user. The
following diagrams give a high-level view of what happens when a user makes a non-encrypted
(HTTP) web request and an encrypted (HTTPS) web request.
Figure: Applying Policies to a HTTP Web Request (diagram not reproduced in this transcription)
Guardian Getting Started
The Getting started page explains policies and policy objects.
Working with Category Group Objects
A category group object is a collection of URLs, domains, phrases, lists of file types and/or security
rules. Network Guardian uses category group objects in policies to determine if a user should be
allowed access to the content they have requested using their web browser.
Creating Category Group Objects
The following section explains how to create a category group object to be used in a web filter policy.
To create a category group object:
1. Browse to the Guardian > Policy objects > Category groups page.
2. In the Manage category groups area, configure the following settings:
Name – Enter a name for the category group.
Comment – Optionally, enter a comment to make it easier to remember what the category contains.
Content categories – Select the content you want to include in the category group object. Click [ + ] to access and view any sub-categories available.
Tip: Click the Advanced view option to access more detailed information on the content.
3. Click Save. The category group object is saved and added to the list of groups of content available.
Creating Custom Categories
You can define new categories of content for use in category group objects to suit your organization’s requirements.
To create custom categories, do the following:
1. Browse to the Guardian > Policy objects > Categories page.
2. From the Manage categories panel, configure the following parameters:
• Name — The name of the category.
• Comment — Enter an optional description for this category.
• Domain/URL filtering — Enter the domains and/or URLs for this category. Only one entry is allowed per line. Note that www. is not needed for URLs.
3. Optionally, click Advanced to access the following settings:
Search term filtering — Enter one search term, surrounded by delimiters, per line, for example:
( hardcore )
(xxx)
Spaces before and after a term are not removed, thus simplifying searching for whole words. Parentheses (or another delimiter pair) are required. You can use the following delimiters: [] () {} <> ||
URL patterns — Enter one URL pattern per line, for example:
( adultsite|sexdream )
The example above looks for URLs containing either the word adultsite or the word sexdream. You can use the following delimiters: [] () {} <> ||
Note: If the URL pattern you enter contains a delimiter, you must use a different delimiter to contain the whole pattern. For example:
[ mysearchwith(abracket) ]
File extensions — Enter one file extension, e.g. .doc, or MIME type, e.g. application/octet-stream, per line. You must include the dot (.) when entering file extensions.
4. Click Save. Network Guardian creates the content category and makes it available on the Guardian > Policy objects > Category groups page.
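As an added example (not Smoothwall's code), the following Python parses custom category entries in the formats described above and reports, as the User defined search page does, which components of a category a URL falls under. It assumes URL patterns are case-insensitive regular expressions with the spaces just inside the delimiters trimmed; the sample categories are constructed.

```python
"""Parser and matcher for the custom category entry formats described above.

Added example, not Smoothwall code. It follows the conventions the guide
documents (one entry per line; delimiter pairs [] () {} <> ||; spaces around
a search term are kept; www. is not needed; extensions carry a dot) and
assumes URL patterns are case-insensitive regular expressions with the spaces
just inside the delimiters trimmed. The sample categories are constructed.
"""
import re

DELIMITERS = {"[": "]", "(": ")", "{": "}", "<": ">", "|": "|"}


def strip_delimiters(line):
    """Return the text inside the outer delimiter pair, inner spaces intact.

    A pattern that itself contains a delimiter must be wrapped in a different
    pair, as in [ mysearchwith(abracket) ].
    """
    line = line.strip()
    if len(line) < 2 or line[0] not in DELIMITERS or line[-1] != DELIMITERS[line[0]]:
        raise ValueError("entry must be enclosed in one of [] () {} <> ||: %r" % line)
    return line[1:-1]


def is_valid_extension(entry):
    """A MIME type (contains a slash) or a file extension with its leading dot."""
    return "/" in entry or entry.startswith(".")


def _normalize_url(url):
    """Lower-case and drop the scheme and a leading www. so entries compare alike."""
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())
    return url[4:] if url.startswith("www.") else url


def parse_category(name, domains="", search_terms="", url_patterns="", extensions=""):
    """Build a category from the four text boxes, one entry per line."""
    cat = {"name": name, "domains": [], "search_terms": [], "url_patterns": [], "extensions": []}
    for line in filter(str.strip, domains.splitlines()):
        cat["domains"].append(_normalize_url(line))
    for line in filter(str.strip, search_terms.splitlines()):
        cat["search_terms"].append(strip_delimiters(line).lower())
    for line in filter(str.strip, url_patterns.splitlines()):
        cat["url_patterns"].append(re.compile(strip_delimiters(line).strip(), re.IGNORECASE))
    for line in filter(str.strip, extensions.splitlines()):
        ext = line.strip().lower()
        if not is_valid_extension(ext):
            raise ValueError("file extension must include the leading dot: %r" % ext)
        cat["extensions"].append(ext)
    return cat


def search_term_hit(query, terms):
    """Whole-word behaviour as the guide describes: the spaces around a term are
    part of it, so the query is padded with one space on each side first."""
    padded = " %s " % query.lower()
    return any(term in padded for term in terms)


def _domain_hit(url, host, entries):
    for entry in entries:
        if "/" in entry:                  # a URL entry matches as a prefix
            if url.startswith(entry):
                return True
        elif host == entry or host.endswith("." + entry):   # a domain covers its subdomains
            return True
    return False


def match_components(url, cat, mime_type=None):
    """Return the components of one category that the URL falls under, which is
    what the User defined search page reports for each matching category."""
    url = _normalize_url(url)
    host = url.split("/", 1)[0].split(":", 1)[0]
    path = url.split("?", 1)[0]
    mime = (mime_type or "").lower()
    hits = []
    if _domain_hit(url, host, cat["domains"]):
        hits.append("domain/url")
    if any(p.search(url) for p in cat["url_patterns"]):
        hits.append("url pattern")
    if any(path.endswith(e) if e.startswith(".") else e == mime for e in cat["extensions"]):
        hits.append("file extension")
    return hits


def find_categories(url, categories, mime_type=None):
    """List (category name, matching components) for every category that matches."""
    found = []
    for cat in categories:
        hits = match_components(url, cat, mime_type)
        if hits:
            found.append((cat["name"], hits))
    return found


# Constructed sample categories using the entry forms shown on the page.
SAMPLE_CATEGORIES = [
    parse_category("Constructed adult category",
                   domains="www.adult-example.test\n",
                   search_terms="( hardcore )\n(xxx)\n",
                   url_patterns="( adultsite|sexdream )\n"),
    parse_category("Constructed downloads category",
                   domains="downloads.example.test/files\n",
                   extensions=".doc\napplication/octet-stream\n"),
]
```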
Searching for URLs in User-defined Categories
You can search in user-defined categories to determine which ones match a particular URL.
Note: A search can take up to a minute to complete.
To search for a URL in a category:
1. Browse to the Guardian > Policy objects > User defined page.
2. In the Enter URL field, enter the URL you want to search for.
3. Click Find categories. Network Guardian displays the names and components of any categories in which the URL was found.
Editing Category Group Objects
You can edit category group objects to suit your organization’s requirements.
To edit a category group object:
1. Browse to the Guardian > Policy objects > Category groups page.
2. From the Category groups list, select the object you want to edit and click Edit category group. Network Guardian displays the object in the Manage category groups area. Click [ + ] to access and view any sub-categories available.
Tip: Click the Advanced view option to access more detailed information on the content and sub-categories.
3. Select any new content you want to add to the object and de-select any content you want to remove from the object.
4. Click Save. Network Guardian saves and applies the changes.
Deleting Category Group Objects
You can delete category group objects you no longer require.
To delete a category group object:
1. Browse to the Guardian > Policy objects > Category groups page.
2. From the Category groups list, select the category group object you want to delete and click Delete category group. Network Guardian deletes the object.
Note: You cannot delete a category group object if it is in use in a policy. You must first remove the object from the policy.
Working with Time Slot Objects
You can configure Network Guardian to allow or stop users accessing the Internet during certain time
periods depending on the time and day.
Creating a Time Slot
The following section explains how to create a time slot for use in a web filter policy.
To create a time slot:
1. Navigate to the Guardian > Policy objects > Time slots page.
2. Configure the following settings:
Name – Enter a name for the time slot.
Comment – Optionally, enter a comment to help identify when the period is used.
3. In the time-table, click and drag to select the periods of time you want to include in the time slot.
4. Click Save. Network Guardian creates the time slot and adds it to the list of time slots. It also makes the time slot available where applicable on the policy wizard pages for inclusion in policies.
Editing a Time Slot
The following section explains how to edit a time slot.
To edit a time slot:
1. Navigate to the Guardian > Policy objects > Time slots page and, in the Time slots area, locate the time slot you want to edit.
2. Click the Edit time button. Network Guardian displays the time slot in the time-table.
Tip: You can use the Clear and Edit in full-text mode options to make changes to the time slot.
3. Make the changes you require and click Save. Network Guardian makes the changes and saves the time slot.
Deleting a Time Slot
The following section explains how to delete a time slot.
To delete a time slot:
1. Navigate to the Guardian > Policy objects > Time slots page and, in the Time slots area, locate the time slot you want to delete.
2. Click the Delete time button. Network Guardian deletes the time slot.
Working with Location Objects
Network Guardian enables you to create locations into which you can place resources such as
desktop and laptop computers. You can use a location to block the resources at the location from
accessing external networks or the Internet.
Creating a Location Object
To create a location object:
1. Browse to the Guardian > Policy objects > Locations page.
2. In the Manage location area, configure the following settings:
Name – Enter a name for the location object.
Addresses – Enter an IP address, hostname, IP range or a subnet of the resource(s), for example:
For a computer, enter: 192.168.0.58
For a range of computers, enter: 192.168.0.61-192.168.0.71
For content identified by a hostname, enter: roaming_laptop
3. Optionally, click Advanced and configure the following settings to define exceptions to any address ranges you specified in the previous step:
Exceptions – Enter an individual IP, hostname, IP range or a subnet of the resource(s), for example:
To make an exception for a computer, enter: 192.168.0.53
To make an exception for a range of computers, enter: 192.168.0.65-192.168.0.67
4. Click Save. Network Guardian adds the resources to the location object and lists it in the Locations list.
Editing Location Objects
You can edit a location object.
To edit a location object:
1. On the Guardian > Policy objects > Locations page, in the Locations area, select the location and click the Edit location button.
2. Make the changes you require and click Save. Network Guardian displays the settings.
3. Click Save. Network Guardian updates the resources in the location object and lists it in the Locations list.
Deleting Location Objects
You can delete location objects you no longer require.
Note: You cannot delete a location object if it is in use in a policy. You must first remove the object from the policy.
To delete a location object:
1. Browse to the Guardian > Policy objects > Locations page.
2. In the Locations list, locate the location object you want to delete and click the Delete location button. Network Guardian deletes the location object.
Working with Quota Objects
Network Guardian’s quota objects enable you to limit user access to content on a daily basis. When
a quota is used in a web filter policy, users to whom the policy is applied are prompted to confirm
that they want to access the content and are told how long their quota is and how much of the quota
they have left.
About the Default Quota Object
Network Guardian comes with a default quota object which is ready for use in a web filtering policy.
When used, the default quota limits access to the relevant content to 60 minutes per 24 hours. Users
will be prompted every 10 minutes to confirm that they want to continue using their quota. Default
quotas are reset daily at 04:00. You can edit the default quota but you cannot remove it – there must
always be a default in case the quota action is used in a web filtering policy.
For more information on using quotas and web filtering policies, see Creating Web Filter Policies on
page 51.
Creating Quota Objects
Creating a quota object entails specifying who the quota applies to, how long the quota is, how often
to prompt the user to confirm that they want to continue using their quota and when the quota is
reset.
To create a quota object:
1. Browse to the Guardian > Policy objects > Quotas page.
2. Click Create a new quota and configure the following settings:
Available users or groups – From the list, select the user(s) and/or group(s) to whom the quota will apply.
Tip: Enter a name or part of a name and Network Guardian will search for names of users and groups that match.
Click Add.
Duration – Move the slider to set the duration of the quota.
Prompt every – From the drop-down list, select how often users will be prompted to confirm that they want to use more of their quota.
Reset at – From the drop-down list, select when to reset the quota.
Enable quota – Select to enable the quota.
3. Click Save. Network Guardian creates the quota and lists it on the Guardian > Policy objects > Quotas page.
4. Drag and drop the quota object to the correct position.
Note: Quotas are applied in the order listed on the Guardian > Policy objects > Quotas page. You must consider their position when using them. Take, for example, Bob. Bob is a member of the Staff group. The Staff group has a quota of 60 minutes. However, because of Bob’s responsibilities, he needs a quota of 120 minutes.
To ensure Bob gets the quota he needs, create a quota object that applies to Bob and, on the
Guardian > Policy objects > Quotas page, list it above the Staff quota object. When Network
Guardian applies the web filtering policy to the Staff group, it will check for quotas and allow Bob 120
minutes while other people in the Staff group will get 60 minutes. If Bob’s quota object is listed below
the Staff group’s quota object, Bob will get 60 minutes just like everyone else.
For more information on using quotas and web filtering policies, see Creating Web Filter Policies on
page 51.
Editing Quota Objects
It is possible to edit a quota object’s settings.
To edit a quota object:
1. On the Guardian > Policy objects > Quotas page, locate the quota you want to change and click its Edit quota button. Network Guardian displays the settings.
2. Make the changes required. See Working with Quota Objects on page 48 for more information on the settings available.
3. Click Save. Network Guardian updates the quota and lists it on the Guardian > Policy objects > Quotas page.
Deleting Quota Objects
You can delete a quota object when it is no longer required.
To delete a quota object:
1. On the Guardian > Policy objects > Quotas page, locate the quota you want to delete and click its Delete quota button. Network Guardian deletes the quota and removes it from the Guardian > Policy objects > Quotas page.
Managing Web Filter Policies
Network Guardian processes web filter policies in order of priority, from top to bottom, until it finds content that matches. When it finds a match, Network Guardian applies the action configured in the policy: block, allow, whitelist, soft block or limit to quota.
You can review the default web filter policies on the Guardian > Web filter > Manage policies page
and you can change the order by dragging and dropping policies in the list.
The following sections discuss how to create, edit and delete web filter policies.
Creating Web Filter Policies
You can create custom web filter policies to allow or block specific content, allow access to specific
web sites at certain times or apply an acceptable usage policy (AUP) to meet your organization’s
requirements.
To create a web filter policy:
1. Browse to the Guardian > Web filter > Policy wizard page.
2. Complete the following steps:
Step 1: Who – From the Available users or groups list, select the user(s) and/or group(s) to whom the policy will apply.
Tip: Enter a name or part of a name and Network Guardian will search for names of users and groups that match.
Click Add and, when you have added all the users and/or groups, click Next to continue.
Step 2: What – From the Available categories or category groups list, select what is to be filtered.
Tip: Enter the name or part of the name and Network Guardian will search for content that matches.
Click Add and, when you have selected all the content, click Next to continue.
Step 3: Where – From the Available locations list, select where the policy will apply.
Tip: Enter the name or part of the name and Network Guardian will search for locations that match.
Click Add and, when you have added the location(s), click Next to continue.
Step 4: When – From the Available time slots list, select when the policy will apply.
Tip: Enter the name or part of the name and Network Guardian will search for time slots that match.
Click Add and, when you have added the time slot(s), click Next to continue.
Step 5: Action – Select one of the following actions to use when applying this policy:
Create policy folder – Select this action when configuring a policy at a central installation where you need to create policy folders for multiple locations or groups.
Block – Select this action to block the selected content.
Allow – Select this action to allow the content. Content will be scanned for anti-malware if an anti-malware policy is in place. Network Guardian may also categorize the content and apply any content modification policies in place. You can use this option to create specific exceptions to broad blocking policies. Another possible use is to prevent over-blocking of diverse content such as news articles, which may fall under a variety of categorizations depending on the type of news article.
Whitelist – Select this action to whitelist the selected content. When content is whitelisted, Network Guardian does not examine it any further. Whitelisting is applied early on when Network Guardian is checking URLs. Content which is whitelisted will not be subjected to outgoing filtering or dynamic content analysis. Content modification policies may still be applied, unless the categorization of the original, unmodified URL matches the whitelist. Whitelisting content may help to conserve system resources and prevent unintentional blocking when dealing with trusted content, such as online banking sites or Windows updates.
Note: Whitelisted content will not be scanned for potential malware.
Soft block – Select this action to soft block the selected content. Anyone trying to access the content will be prompted by Network Guardian to confirm that they want to access the content.
Limit to quota – Select this action to apply a quota when applying the policy. When the policy is applied, Network Guardian will check the quotas defined on the Guardian > Policy objects > Quotas page and limit access to the requested content based on the quota object’s settings.
Note: Any content being streamed or downloaded by a user will not be stopped when the user’s quota runs out.
Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 71.
3. Select Enable policy to enable the policy and click Confirm.
4. Network Guardian displays the settings you have selected. Review them and click Save to create the policy. Network Guardian creates the policy and makes it available on the Guardian > Web filter > Manage policies page. You must now specify in what order Network Guardian should apply the policy.
5. Browse to the Guardian > Web filter > Manage policies page.
6. Locate the policy in the Filtering policies area. Drag and drop the policy to where you want Network Guardian to apply it. For example, if you have created a policy which allows media students to access advertising content during their lunch break, drag the policy to the top of the list of policies.
7. Click Save. Network Guardian re-orders and applies the filtering policies and allows all users in the media student group to access adverts during their lunch break.
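As an added example (not Smoothwall's code), the following Python models the first-match ordering rules the guide states for web filter policies (the media students case above) and, within the Limit to quota action, for quota objects (the Bob and Staff case under Working with Quota Objects). All user, group, policy, category, location and time slot names are constructed.

```python
"""Ordered, first-match evaluation of web filter policies and quota objects.

Added example, not Smoothwall code. It models only the ordering rules the
guide states: policies are processed top to bottom until content matches and
that policy's action is applied; quota objects are applied as listed, so a
user-specific quota placed above a group quota takes precedence. Names,
categories, locations and time slots below are constructed sample values.
"""
from dataclasses import dataclass

ACTIONS = ("block", "allow", "whitelist", "soft block", "limit to quota")


@dataclass
class Quota:
    name: str
    applies_to: frozenset        # user and/or group names
    minutes: int
    prompt_every: int = 10       # minutes between confirmation prompts
    reset_at: str = "04:00"
    enabled: bool = True


# The built-in default quota: 60 minutes per 24 hours, prompt every 10 minutes,
# reset at 04:00. It cannot be removed, so it is the fallback here.
DEFAULT_QUOTA = Quota("Default", frozenset(), 60)


@dataclass
class Policy:
    name: str
    who: frozenset       # users or groups (Step 1)
    what: frozenset      # categories or category groups (Step 2)
    where: frozenset     # locations (Step 3)
    when: frozenset      # time slots (Step 4)
    action: str          # one of ACTIONS (Step 5)
    enabled: bool = True


@dataclass
class Request:
    """A web request after authentication and categorization."""
    user: str
    groups: frozenset          # groups the user belongs to
    categories: frozenset      # categories the requested content fell under
    locations: frozenset       # location objects containing the client
    active_slots: frozenset    # time slot objects covering the current time


def resolve_quota(user, groups, quotas):
    """Return the first enabled quota, in list order, naming the user or one of
    the user's groups; fall back to the default quota object."""
    for quota in quotas:
        if quota.enabled and (user in quota.applies_to or groups & quota.applies_to):
            return quota
    return DEFAULT_QUOTA


def evaluate(request, policies, quotas):
    """Walk the policy list top to bottom and return (action, detail) for the
    first enabled policy whose who/what/where/when all match the request."""
    principals = request.groups | {request.user}
    for policy in policies:
        if not policy.enabled:
            continue
        if not (policy.who & principals and policy.what & request.categories
                and policy.where & request.locations
                and policy.when & request.active_slots):
            continue
        if policy.action == "limit to quota":
            quota = resolve_quota(request.user, request.groups, quotas)
            return ("limit to quota", "%s: %d minutes" % (quota.name, quota.minutes))
        return (policy.action, policy.name)
    # The guide does not state what happens when no policy matches; report it.
    return ("no match", None)


# Constructed sample objects (assumed names, not from a real installation).
EVERYONE = "Everyone"
QUOTAS = [
    Quota("Bob extended", frozenset({"bob"}), 120),   # listed above the group quota
    Quota("Staff", frozenset({"Staff"}), 60),
]
POLICIES = [
    Policy("Media students adverts at lunch", frozenset({"Media students"}),
           frozenset({"Adverts"}), frozenset({"Main site"}),
           frozenset({"Lunchtime"}), "allow"),
    Policy("Block adverts", frozenset({EVERYONE}), frozenset({"Adverts"}),
           frozenset({"Main site"}), frozenset({"Always"}), "block"),
    Policy("Social media on quota", frozenset({"Staff"}), frozenset({"Social networking"}),
           frozenset({"Main site"}), frozenset({"Always"}), "limit to quota"),
]
LUNCH_ADVERT = Request("alice", frozenset({"Media students", EVERYONE}), frozenset({"Adverts"}),
                       frozenset({"Main site"}), frozenset({"Always", "Lunchtime"}))
AFTERNOON_ADVERT = Request("alice", frozenset({"Media students", EVERYONE}), frozenset({"Adverts"}),
                           frozenset({"Main site"}), frozenset({"Always"}))
BOB_SOCIAL = Request("bob", frozenset({"Staff", EVERYONE}), frozenset({"Social networking"}),
                     frozenset({"Main site"}), frozenset({"Always"}))

if __name__ == "__main__":
    for req in (LUNCH_ADVERT, AFTERNOON_ADVERT, BOB_SOCIAL):
        print(req.user, sorted(req.categories), "->", evaluate(req, POLICIES, QUOTAS))
```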
Editing Web Filter Policies
You can edit an existing web filter policy to suit your organization’s requirements.
To edit a web filter policy:
1. Browse to the Guardian > Web filter > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Network Guardian displays the policy settings on the Guardian > Web filter > Policy wizard page.
3. Make the changes necessary; see Creating Web Filter Policies on page 51 for more information on working with policies.
4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Guardian > Web filter > Manage policies page.
Deleting Web Filter Policies
You can delete a web filter policy you no longer require.
To delete a web filter policy:
1. Browse to the Guardian > Web filter > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Remove. Network Guardian deletes the policy.
Managing HTTPS Inspection Policies
The following sections discuss how to create, edit and delete HTTPS inspection policies.
HTTPS inspection policies enable you to inspect and manage communication between users on your
network and web sites which use HTTPS by configuring an inspection method for different user
groups, destinations and locations.
Network Guardian processes HTTPS inspection policies in order of priority as listed on the Guardian
> HTTPS inspection > Manage policies page, from top to bottom, until a match is found. You can
change the order by dragging and dropping policies in new positions.
Network Guardian comes with three pre-configured HTTPS inspection policies which handle the following content:
• Online banking – when enabled, this policy allows users to do online banking without communications being decrypted and inspected.
• All encrypted content accessed by unauthenticated IPs – when enabled, this policy decrypts and inspects all encrypted content that users at unauthenticated IPs try to access.
• Certificate validation – enabled by default, this policy checks secure certificates on web sites. Any sites whose certificates are self-signed, out of date or otherwise invalid will be blocked.
Enabling HTTPS Inspection Policies
The following section explains how to enable HTTPS inspection policies that are listed on the
Guardian > HTTPS inspection > Manage policies page.
To enable HTTPS inspection policies:
1. Browse to the Guardian > HTTPS inspection > Manage policies page.
2. Locate the policy you want to enable, click on the Enabled button and select Enable.
3. Repeat the step above for any other policies you want to enable and then click Save. Network Guardian enables the policies.
Note: When you enable, for the first time, an HTTPS inspection policy which decrypts and inspects content, Network Guardian informs you that users’ browsers must have the Network Guardian CA certificate in order for the policy to work.
You can click on Guardian CA certificate in the text displayed and download the certificate ready for import into browsers. See Managing Certificates on page 59 for more information on how to import the certificate.
Creating an HTTPS Inspection Policy
When an HTTPS inspection policy is in place, Network Guardian displays a warning page informing users who try to access an HTTPS web site that their communication with the site is being monitored. Users must actively accept the monitoring by clicking Yes in order to continue to the site, or click No to end the communication.
Note: You must configure HTTPS settings and certificates in order for an HTTPS inspection policy
to work. For more information, see Configuring HTTPS Inspection Policy Settings on page 58.
To create an HTTPS inspection policy:
1. Browse to the Guardian > HTTPS inspection > Policy wizard page.
2. Complete the following steps:
Step 1: Who – From the Available users or groups list, select who the policy will apply to.
Tip: Enter a name or part of a name and Network Guardian will search for names of users and groups that match.
Click Add and, when you have added all the users and/or groups, click Next to continue.
Step 2: What – From the Available categories or category groups list, select what is to be inspected.
Tip: Enter the name or part of the name and Network Guardian will search for content that matches.
Click Add and, when you have added all the categories or category groups, click Next to continue.
Step 3: Where – From the Available locations list, select where the policy will apply.
Tip: Enter the name or part of the name and Network Guardian will search for locations that match.
Click Add and, when you have added the location(s), click Next to continue.
Step 4: When – From the Available time slots list, select when the policy will apply.
Tip: Enter the name or part of the name and Network Guardian will search for time slots that match.
Click Add and, when you have added the time slot(s), click Next to continue.
Step 5: Action – Select one of the following actions to apply:
Create policy folder – Select this action when configuring Network Guardian at a central installation where you need to create policy folders for multiple locations or groups.
Decrypt and inspect – Select this action to decrypt and inspect the encrypted content.
Validate certificate only – Select this action to check secure certificates on web sites. Any sites whose certificates are self-signed, out of date or otherwise invalid will be blocked.
Do not inspect – Select this action to not inspect the communication. An example of using this would be to not intercept communication with banking sites if a blanket policy of inspecting all HTTPS communication was in place.
Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 71.
3. Select Enable policy to enable the policy and then click Confirm.
4. Network Guardian displays the settings you have selected. Review them and click Save to create the policy. Network Guardian creates the policy and makes it available on the Guardian > HTTPS Inspection > Manage policies page. You must now specify in what order Network Guardian should apply the policy.
5. Browse to the Guardian > HTTPS Inspection > Manage policies page.
6. Locate the policy in the HTTPS policies area. Drag and drop the policy to where you want Network Guardian to apply it. For example, if you have created a policy which does not inspect the Google HTTPS AdSense site when accessed by marketing students, drag the policy to the top of the list of policies.
7. Click Save. Network Guardian re-orders and applies the HTTPS inspection policies and allows all users in the marketing student group to access the Google AdSense site.
Editing HTTPS Inspection Policies
You can edit an existing HTTPS inspection policy to suit your organization’s requirements.
To edit an HTTPS inspection policy:
1. Browse to the Guardian > HTTPS inspection > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Network Guardian displays the policy settings on the Guardian > HTTPS inspection > Policy wizard page.
3. Make the changes necessary; see Creating an HTTPS Inspection Policy on page 55 for more information on working with policies.
4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Guardian > HTTPS inspection > Manage policies page.
Deleting HTTPS Inspection Policies
You can delete an HTTPS inspection policy you no longer require.
To delete an HTTPS inspection policy:
1. Browse to the Guardian > HTTPS inspection > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Remove. Network Guardian deletes the policy.
Configuring HTTPS Inspection Policy Settings
For HTTPS inspection policies to work, you must configure HTTPS inspection policy settings. Configuring these settings entails exporting certificate authority certificates, importing them into the list of trusted CA certificates on the computers in your network, and configuring the warning and confirmation messages that are displayed to users when communications are being decrypted and inspected.
Managing Certificates
Managing certificate authority (CA) certificates entails exporting them and then installing them on users’ computers. Without certificates on users’ computers, HTTPS inspection policies cannot work.
To export a certificate:
1. Browse to the Guardian > HTTPS inspection > Settings page.
2. Click Export. Network Guardian generates the Guardian CA Cert.crt file. Save the certificate and import it into the list of trusted CA certificates on the computers in your network on which you want to implement HTTPS filtering. Refer to your browser or directory service documentation for a detailed description of how to do this.
Configuring Warning Information
When implemented, Network Guardian displays a warning page informing users who try to access HTTPS web sites that their communication with the site is being decrypted and inspected. Users must actively accept the decryption and inspection in order to continue to the site.
To configure a warning message, do the following:
1. Browse to the Guardian > HTTPS inspection > Settings page.
2. In the Manage HTTPS interception warning panel, configure the following:
• Warning message — Either accept the default message, or enter a custom message informing users that their HTTPS connections will be decrypted and filtered if they continue to the site they have requested.
• Confirmation button label — Either accept the default label, or enter new text to display on the button that users must click to confirm that they accept that their HTTPS connections will be decrypted and filtered. Once they have clicked on the button, they will be able to continue to the site they requested.
• Warning frequency — Choose how often the warning message is displayed to the user:
Daily – Select to display the warning daily.
Weekly – Select to display the warning weekly.
Never – Select to never display a warning. Typically, you would not use this option. However, if you are using the Smoothwall Connect Filter for Windows client, it is recommended you disable the warning message to ensure correct operation. For more information, refer to the Smoothwall Connect Filter for Windows Installation and Administration Guide.
3. Click Save.
The URL used to present the warning page refers to the Network Guardian IP address. However, if a system redirection to hostname setting is in place, you can force the hostname to be used instead. You do this as follows:
1. Using the command line interface (CLI) of Network Guardian, log in and change directory to: /settings/main
2. Using a text editor, edit the settings file. You may want to create a backup of this file first.
3. Add the following line: USE_HOSTNAME_IN_REDIRECTS=on
4. Save the file, and exit your text editor.
5. Reboot Network Guardian.
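The settings-file edit in steps 2 to 4 above, as an added example written for this guide and not code from Smoothwall: a Python helper that backs up the file first, then sets USE_HOSTNAME_IN_REDIRECTS=on exactly once, replacing any existing definition and leaving every other line alone. The file name (settings) under /settings/main and the one-KEY=value-per-line format with # comment lines are assumptions; the caller passes the real path.

```python
"""Added example (not Smoothwall code): set one KEY=value line in a settings
file of the kind edited in /settings/main, keeping a backup first.
Assumptions: one KEY=value per line, '#' starts a comment line, and the file
is named 'settings' (the caller passes the actual path)."""
import os
import re
import shutil
import time
from pathlib import Path

KEY_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")   # shape of keys such as USE_HOSTNAME_IN_REDIRECTS


def set_setting(lines, key, value):
    """Return a new list of lines with `key=value` present exactly once.

    An existing, uncommented `key=...` line is replaced in place so ordering is
    kept; further duplicates of that key are dropped; if the key is absent the
    line is appended. Comment lines and other keys are returned unchanged.
    """
    if not KEY_RE.match(key):
        raise ValueError(f"invalid settings key: {key!r}")
    if "\n" in value or "\r" in value:
        raise ValueError("value must be a single line")
    new_line = f"{key}={value}"
    out, replaced = [], False
    for raw in lines:
        line = raw.rstrip("\r\n")
        is_comment = line.lstrip().startswith("#")
        if not is_comment and line.split("=", 1)[0].strip() == key:
            if not replaced:
                out.append(new_line)
                replaced = True
            continue            # drop any further definition of the same key
        out.append(line)
    if not replaced:
        out.append(new_line)
    return out


def apply_setting(settings_path, key, value, backup=True):
    """Rewrite the file on disk with the setting applied; return the backup path.

    The backup (step 2 of the procedure) is a timestamped copy beside the file.
    The rewrite goes through a temporary file and os.replace, so an interrupted
    edit never leaves a half-written settings file for the next reboot to read.
    """
    path = Path(settings_path)
    existing = path.read_text(encoding="utf-8").splitlines() if path.exists() else []
    backup_path = None
    if backup and path.exists():
        stamp = time.strftime("%Y%m%d%H%M%S")
        backup_path = path.with_name(f"{path.name}.bak-{stamp}")
        shutil.copy2(path, backup_path)
    updated = set_setting(existing, key, value)
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text("\n".join(updated) + "\n", encoding="utf-8")
    os.replace(tmp, path)
    return backup_path


def demo_edit():
    """Run apply_setting on a constructed temporary file.

    Returns (resulting lines, whether a backup file was written).
    """
    import tempfile
    with tempfile.TemporaryDirectory() as tmpdir:
        sample = Path(tmpdir, "settings")
        # Constructed sample; EXAMPLE_KEY is a placeholder, not a real Network Guardian setting.
        sample.write_text("# constructed sample\nEXAMPLE_KEY=1\nUSE_HOSTNAME_IN_REDIRECTS=off\n",
                          encoding="utf-8")
        backup = apply_setting(sample, "USE_HOSTNAME_IN_REDIRECTS", "on")
        return sample.read_text(encoding="utf-8").splitlines(), backup is not None and backup.exists()


if __name__ == "__main__":
    lines, had_backup = demo_edit()
    print("\n".join(lines))
    print("backup written:", had_backup)
```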
Clearing the Generated Certificate Cache
It is possible to clear Network Guardian’s cache of certificates generated for use with HTTPS inspection policies.
To clear the cache:
1. Browse to the Guardian > HTTPS inspection > Settings page and click Clear. Network Guardian clears the cache.
Managing Content Modification Policies
The following sections discuss how to create, edit and delete content modification policies.
A content modification policy can apply recommended security rules, determine if Internet searches should use SafeSearch functionality, warn about address spoofing and more. It can also ignore content, thus making it possible to exempt content from modification for specific users or locations.
Creating a Content Modification Policy
You can create a content modification policy that enforces or ignores security rules and/or SafeSearch for specific users at certain locations.
To create a content modification policy:
1. Browse to the Guardian > Content modification > Policy wizard page.
2. Complete the following steps:
Step 1: Who – From the Available users or groups list, select who the policy applies to.
Tip: Enter a name or part of a name and Network Guardian will search for names of users and groups that match.
Click Add and, when you have added all the users and/or groups, click Next to continue.
Step 2: What to target – From the Available categories or category groups list, select what the policy applies to.
Tip: Enter the name or part of the name and Network Guardian will search for matches.
Click Add and, when you have selected the categories or category groups, click Next to continue.
Step 3: Where – From the Available locations list, select where the policy will apply.
Tip: Enter the name or part of the name and Network Guardian will search for locations that match.
Click Add and, when you have selected the location(s), click Next to continue.
Step 4: Action – Select one of the following options:
Create policy folder – Select this action to group related rules in a policy folder. You can then use Apply or Ignore actions within this folder. For more information on policy folders, see Working with Policy Folders on page 71.
Apply – Select this action to modify the categories and category groups selected.
Ignore – Select this action to exempt the categories and category groups from being modified.
Note: Usually, creating a policy which ignores content implies that there is another policy which modifies content. For example, there might be an Apply policy which enforces SafeSearch for everyone, and another Ignore policy which exempts certain users who need unrestricted search. In such a case, on the Guardian > Content modification > Manage policies page, the Ignore policy which creates the exception must be placed before the Apply policy which modifies the content.
From the Available categories or category groups list, select the content modification to apply and click Add.
Note: If you are creating a policy that ignores content, the options here are disabled.
Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 71.
3. Select Enable policy to enable the policy and click Confirm.
4. Network Guardian displays the settings you have selected. Review them and click Save to create the policy. Network Guardian creates the policy and makes it available on the Guardian > Content modification > Manage policies page.
Network Guardian applies all content modification policies in the order found. You must specify in what order Network Guardian should apply the content modification policies. You do this as follows:
1. Browse to the Guardian > Content modification > Manage policies page.
2. Using the drag and drop method, reorder the list of policies according to how you want Network Guardian to apply them.
For example, if you have created a policy which exempts search results from modification for users in the teachers group, and another policy which exempts particular terms from allowed searches, drag the latter policy to the top of the list of policies.
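The ordering rule above (an Ignore exception must sit above the Apply policy it exempts users from, just as a "Do not inspect" banking exception must sit above a blanket HTTPS inspection policy), as an added example that is not Network Guardian's code: a first-match model of a who/what/where/when policy table in Python, run in both orders to show the exception being shadowed. The first-match rule, the field model and the policies and requests are assumptions consistent with the examples in this guide, not the product's implementation.

```python
"""Added example (not Network Guardian code): a first-match model of an ordered
policy table, to show why an Ignore exception must be placed above the Apply
policy it exempts users from (and likewise a 'Do not inspect' exception above
a blanket HTTPS inspection policy). The who/what/where/when fields and the
first-match rule are assumptions consistent with the examples in this guide."""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                       # e.g. "Apply", "Ignore", "Decrypt and inspect"
    who: frozenset = frozenset()      # groups; empty means everyone
    what: frozenset = frozenset()     # categories; empty means any content
    where: frozenset = frozenset()    # locations; empty means anywhere
    when: tuple = None                # (start, end) times; None means always
    enabled: bool = True

    def matches(self, req):
        """True when every populated criterion matches the request."""
        if not self.enabled:
            return False
        if self.who and not (self.who & req["groups"]):
            return False
        if self.what and req["category"] not in self.what:
            return False
        if self.where and req["location"] not in self.where:
            return False
        if self.when is not None:
            start, end = self.when
            if not (start <= req["time"] <= end):
                return False
        return True


def evaluate(policies, req):
    """Walk the table top to bottom; the first enabled matching policy decides.

    Returns (policy name, action), or (None, None) when nothing matches.
    """
    for policy in policies:
        if policy.matches(req):
            return policy.name, policy.action
    return None, None


# Constructed policies mirroring the SafeSearch example in the guide.
ENFORCE = Policy("Enforce SafeSearch for everyone", "Apply",
                 what=frozenset({"Search engines"}))
EXEMPT = Policy("Exempt teachers from SafeSearch", "Ignore",
                who=frozenset({"teachers"}), what=frozenset({"Search engines"}),
                when=(time(8, 0), time(18, 0)))

# Constructed requests: a teacher and a student both searching during the day,
# plus the same teacher outside the exception's time window.
TEACHER_SEARCH = {"groups": frozenset({"teachers", "staff"}), "category": "Search engines",
                  "location": "Main site", "time": time(10, 30)}
STUDENT_SEARCH = {"groups": frozenset({"students"}), "category": "Search engines",
                  "location": "Main site", "time": time(10, 30)}
TEACHER_EVENING = dict(TEACHER_SEARCH, time=time(20, 0))


def wrong_order():
    """Apply listed above Ignore: the exception is shadowed and never fires."""
    return evaluate([ENFORCE, EXEMPT], TEACHER_SEARCH)


def right_order():
    """Ignore above Apply: teachers are exempt in hours, everyone else is still modified."""
    table = [EXEMPT, ENFORCE]
    return (evaluate(table, TEACHER_SEARCH),
            evaluate(table, STUDENT_SEARCH),
            evaluate(table, TEACHER_EVENING))


if __name__ == "__main__":
    print("wrong order :", wrong_order())
    print("right order :", right_order())
```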
Editing Content Modification Policies
You can edit an existing content modification policy to suit your organization’s requirements.
To edit a content modification policy:
1. Browse to the Guardian > Content modification > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Network Guardian displays the policy settings on the Guardian > Content modification > Policy wizard page.
3. Make the changes necessary; see Creating a Content Modification Policy on page 61 for more information on working with policies.
4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Guardian > Content modification > Manage policies page.
Deleting Content Modification Policies
You can delete a content modification policy you no longer require.
To delete a content modification policy:
1. Browse to the Guardian > Content modification > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Remove. Network Guardian deletes the policy.
Creating Custom Content Modification Policies
You can define new content modification policies to suit your organization’s requirements.
To create a custom content modification policy, do the following:
1. Browse to Guardian > Content modification > Content modifications.
2. Configure the following parameters:
• Name — The name of the content modification policy.
• Comment — Enter an optional description for this policy.
• Request headers to override — Enter the request headers that use the requested website’s own capability to override the HTTP headers sent to it, and so redirect users to other content. Only one entry is allowed per line.
For example:
A redirect to YouTube Education would be configured as:
X-YouTube-Edu-Filter: Abc_dEf
where Abc_dEf is the search term or phrase which causes the redirect. Note that an account and key must be set up on YouTube for this to work — for more information, refer to http://www.youtube.com/schools.
A restriction on available Google Apps to only allow access to Google Calendar and Google Drive would be configured as:
X-GoogApps-Allowed-Domains: https://www.google.com/calendar/render, https://drive.google.com
Note that for a Google Apps restriction, HTTPS interception is required as Google Apps uses HTTPS throughout.
3. Click Save.
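The header-override entries above, as an added example that is not Smoothwall's code: a Python parser for the one-entry-per-line block, and the header replacement a filtering proxy would perform on the outgoing request before forwarding it. The header names are the two quoted above; treating names case-insensitively and replacing (never keeping alongside) a client-supplied header of the same name is an assumption about the feature, chosen so the client cannot carry its own permitted-domain list through the proxy.

```python
"""Added example (not Smoothwall code): parse the 'Request headers to override'
block (one 'Header-Name: value' entry per line) and apply it to an outgoing
request's headers the way a filtering proxy would before forwarding.
The header names are the ones quoted in the guide; replacing a client-supplied
header of the same name (case-insensitively) is an assumption about the feature."""
import re

# Field-name token characters from RFC 7230 section 3.2.6.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_override_block(text):
    """Turn the textarea contents into an ordered list of (name, value) pairs.

    Blank lines are skipped. A line with no ':' or an invalid field name raises
    ValueError so a typo is reported rather than silently ignored. Because each
    line is exactly one entry, a value may contain commas (the Google Apps
    example lists two URLs in one header). splitlines() also guarantees that no
    CR or LF survives inside a value, so no header injection is possible here.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition(":")   # first colon only; URLs keep theirs
        name, value = name.strip(), value.strip()
        if not sep or not _TOKEN_RE.match(name):
            raise ValueError(f"line {lineno}: expected 'Header-Name: value', got {raw!r}")
        entries.append((name, value))
    return entries


def apply_overrides(request_headers, entries):
    """Return a copy of request_headers with every override entry applied.

    Header names are case-insensitive, so a client header spelled differently
    (e.g. 'x-googapps-allowed-domains') is removed and replaced, never kept
    alongside the policy value; otherwise the client could supply its own
    permitted-domain list and the upstream site might honour either one.
    """
    result = dict(request_headers)
    by_lower = {k.lower(): k for k in result}
    for name, value in entries:
        old = by_lower.get(name.lower())
        if old is not None:
            del result[old]
        result[name] = value
        by_lower[name.lower()] = name
    return result


# Constructed block containing the two entries the guide quotes.
GUIDE_EXAMPLE_BLOCK = """
X-YouTube-Edu-Filter: Abc_dEf
X-GoogApps-Allowed-Domains: https://www.google.com/calendar/render, https://drive.google.com
"""


def demo():
    """Apply the guide's entries to a constructed client request."""
    entries = parse_override_block(GUIDE_EXAMPLE_BLOCK)
    client_headers = {
        "Host": "drive.google.com",
        "User-Agent": "constructed-browser/1.0",
        # the client tried to set its own list; the policy value must win
        "x-googapps-allowed-domains": "https://mail.google.com",
    }
    return apply_overrides(client_headers, entries)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```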
Managing Anti-malware Policies
The following sections discuss how to create, edit and delete anti-malware policies.
Anti-malware policies provide protection against many malware threats, including viruses, worms, spyware and trojans, by scanning content passing through Network Guardian.
Creating an Anti-malware Policy
An anti-malware policy provides protection by scanning content requested by users. The following section explains how to create an anti-malware policy and configure anti-malware settings.
Note: Anti-malware scanning is not enabled by default. You must enable anti-malware scanning in order to apply any anti-malware policies you have created and enabled. For more information, see Configuring Anti-malware Protection on page 67.
To create an anti-malware policy:
1. Browse to the Guardian > Anti-malware > Policy wizard page.
2. Complete the following steps:
Step 1: Who – From the Available users or groups list, select who the policy will apply to.
Tip: Enter a name or part of a name and Network Guardian will search for names of users and groups that match. To select more than one user or group, hold the CTRL button down while selecting them.
Click Add and, when you have added all the users and/or groups, click Next to continue.
Step 2: What – From the Available categories or category groups list, select what is to be scanned.
Tip: Enter the name or part of the name and Network Guardian will search for content that matches.
Step 3: Where – From the list of locations, select where the policy will apply.
Tip: Enter the name or part of the name and Network Guardian will search for locations that match.
Click Add and, when you have added the location(s), click Next to continue.
Step 4: Action – Select one of the following options:
Create policy folder – Select this action when configuring Network Guardian at a central installation where you need to create policy folders for multiple locations or groups.
Scan – Select this action to scan the content specified for malware.
Do not scan – Select this action to allow the user to access the content without scanning it for malware.
Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information on policy folders, see Working with Policy Folders on page 71.
3. Select Enable policy to enable the policy and click Confirm.
4. Network Guardian displays the settings you have selected. Review them and click Save to create the policy. Network Guardian creates the policy and makes it available on the Guardian > Anti-malware > Manage policies page. You must now specify in what order Network Guardian should apply the policy.
5. Browse to the Guardian > Anti-malware > Manage policies page.
6. Locate the policy. Drag and drop the policy to where you want Network Guardian to apply it. For example, if you have created a policy which does not scan archives that system administrators want to download, drag the policy to the top of the list of policies.
Configuring Anti-malware Protection
The following section explains how to enable anti-malware scanning and set a maximum size for files to be scanned.
To configure anti-malware protection:
1. Navigate to the Guardian > Anti-malware > Settings page.
2. Configure the following settings:
Anti-malware scanning – Select Enable to activate malware scanning.
Max file size to scan – Enter the maximum file size to scan in megabytes. The value can be between 1 MB and 100 MB.
Note: To download files larger than 100 MB with malware scanning enabled, you may need to create an anti-malware policy which never scans files from these sites. Sites which stream audio/video over HTTP may also experience problems when malware scanning is enabled.
File uploads – Select Scan or Do not scan as required.
3. Click Save to apply the malware protection.
Configuring Anti-malware Status Information
You can configure Network Guardian to display information on files being scanned for malware.
To configure the information displayed:
1. Navigate to the Guardian > Anti-malware > Status page page.
2. Configure the following settings:
Status page title – This text displays information on the name and size of the file being downloaded. Accept the default or enter new text. The keywords %%FILENAME%% and %%FILESIZE%% can be used to provide file-specific information.
After download – This information is displayed after the file has been downloaded and while it is being scanned. Accept the default or enter new text.
After scan – This text is a message displayed when the file has been scanned. Users are provided with a link to save the file to their computer following a successful scan. Accept the default or enter new text.
Auto-start downloads – Select to automatically download the file after it has been scanned and approved for download.
3. Click Save to apply any changes.
Note: If requested content fails the malware scan, Network Guardian will deny the download. To allow such downloads, you should first be confident that the requested content is safe before creating a policy which allows the content to be downloaded.
Editing Anti-malware Policies
You can edit an existing anti-malware policy to suit your organization’s requirements.
To edit an anti-malware policy:
1. Browse to the Guardian > Anti-malware > Manage policies page and locate the policy you want to edit.
2. Click the Edit policy button. Network Guardian displays the policy settings on the Guardian > Anti-malware > Policy wizard page.
3. Make the changes necessary; see Creating an Anti-malware Policy on page 65 for more information on working with policies.
4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Guardian > Anti-malware > Manage policies page.
Deleting Anti-malware Policies
You can delete an anti-malware policy you no longer require.
To delete an anti-malware policy:
1. Browse to the Guardian > Anti-malware > Manage policies page and locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Remove. Network Guardian deletes the policy.
Using the Policy Tester
Network Guardian’s policy tester enables you to determine what policy actions would apply for a given URL and, optionally, a specific user or group at a specific location and/or time. This is done by the policy tester sending an impersonated request for access to a URL.
Tip: Use the policy tester to check possible negative side effects of adding a user/group, time slot or location to a Guardian policy.
To use the policy tester:
1. Browse to the Guardian > Quick links > Policy tester page.
2. Configure the following settings:
URL – Enter the URL to be requested. If the URL contains www, enter that too.
Who – Optionally, select the group(s) or user who would make the request.
Group – From the drop-down list, select the group(s) who would make the request.
User – Enter the name of the user making the request.
Where – Optionally, select the location(s) or IP address from which the content would be requested.
Location – From the drop-down list, select the location(s) from which the request would be made.
IP address – Enter the IP address from which the request would be made.
When – Optionally, select at what time or during which time slot(s) the content would be requested.
Time – Enter the time at which the content would be requested.
Time slot – Specify the time slot(s) during which the content would be requested.
Tip: It is possible to impersonate a request made in the past. For example, you can check if someone could have accessed a URL previously.
Detailed diagnostics – Optionally, select this to determine what policy actions would apply to resources such as images, javascript, CSS tags, HTML5 multimedia tags and other resources at the URL.
Note: Hyperlinks to other pages are not tested.
3. Click Test. For each Guardian policy enabled at that time, Network Guardian displays what action has been applied regarding the URL and the options you specified.
When testing a URL which results in a redirect, the URL to which the original is redirected and its status are displayed. This enables you to policy test the redirect URL. For information on URL statuses, see: http://www.w3.org/Protocols/rfc2616/rfc2616-sec6.html#sec6.1.1.
Note: The policy tester can impersonate a user or group(s) attempting to access web content. Network Guardian does not log impersonated requests. However, an upstream proxy may capture and log the request as coming from the user or group(s) being impersonated.
Other Ways of Accessing the Policy Tester
The policy tester is also available:
• On the Dashboard page. If the Web filter option is enabled on the System > Preferences > User interface page, you can run quick policy tests.
• On user portals. If the policy tester has been enabled for a user portal, it will be available when users access the portal. For more information, refer to the Network Guardian Operations Guide.
Working with Policy Folders
Policy folders enable you to organize and apply policies according to whatever criteria are most appropriate to your organization.
For example, by default, Network Guardian blocks all adverts for all users all the time in every location. If you want to allow some users and/or groups to access adverts sometimes and others to access them always at specific locations, you can accomplish this by creating a policy folder which contains a general web filter policy allowing access to adverts. You can then add policies to the folder specifying which groups are allowed access, at what times and in which locations.
Using policy folders makes it easier to understand the policy table on the manage policies page and more accurately reflects how a policy is applied to specific groups.
Creating a Policy Folder
You create a policy folder by using a policy wizard.
To create a policy folder:
1. When running a policy wizard, do not add a policy object for the criterion you want to use to determine the type of policy folder. For example, if you want to create a web filter policy folder to contain policies that can be applied to specific groups and/or users, do not add any users or groups to the policy.
2. When configuring the policy action, select Create policy folder. After you have completed the policy wizard, Network Guardian makes the policy folder available on the manage policies page.
3. To add a policy to a folder, browse to the relevant manage policies page, locate the policy folder and click Add policy to folder. Network Guardian opens the folder and displays it on the policy wizard page.
4. Add the policy object, for example a group to which you want to apply the policy, and click Confirm. Network Guardian displays the policy settings. Review the settings and then click Save. Network Guardian creates the policy, places it in the policy folder and makes it available on the manage policies page.
Editing Policy Folders
You can edit policy folders by changing the policy objects they contain.
To edit a policy folder:
1. On the relevant manage policies page, locate the policy folder and click Edit policy folder. Network Guardian opens the folder and displays it on the policy wizard page.
2. Make changes to the policy object(s) included in the folder by adding or removing them as required.
3. Click Confirm, review the changes and click Save to apply the changes and update the folder.
Deleting Policy Folders
You can delete policy folders you no longer require.
To delete a policy folder:
1. On the relevant manage policies page, locate the policy folder and click Delete policy folder. Click Remove when prompted to confirm that you want to delete the folder. Network Guardian deletes the folder and removes it from the relevant manage policies page.
Censoring Web Form Content
The following section explains how to create and apply a censor policy for content and/or files posted using web forms. A censor policy consists of a filter, an action and a time period.
To create and apply a censor policy:
1. Browse to the Services > Message censor > Policies page.
2. Configure the following settings:
Service – From the drop-down menu, select one of the following options:
Web filter outgoing – Select to apply the policy to content and/or files being posted in web forms, such as to message boards or Wikipedia, using HTTP.
Web filter secure outgoing (HTTPS) – Select to apply the policy to content and/or files being posted in web forms, such as to message boards or Wikipedia, using HTTPS.
Note: An HTTPS inspection policy must be deployed for this to work. See Managing HTTPS Inspection Policies on page 54 for more information.
Click Select to update the policy settings available.
Filter – From the drop-down menu, select a filter to use. For more information on filters, .
Time period – From the drop-down menu, select a time period to use, or accept the default setting. For more information on time settings, .
Action – From the drop-down menu, select one of the following actions:
Block – Content which is matched by the filter is blocked.
Allow – Content which is matched by the filter is allowed and is not processed by any other filters.
Log severity level – Network Guardian enables you to store all blocked content, no blocked content or only blocked content above a certain severity level. If you want Network Guardian to only store blocked content above a certain severity level, you must assign severity levels to the content. The Log severity level option enables you to do this. From the drop-down list, select the severity level to assign to content that has been blocked by this policy.
Note: You must also configure the options for storing blocked content on the Guardian > Web filter > Outgoing page. See below for more information.
Group – From the drop-down list, select the group to which you want to apply the policy.
Comment – Optionally, enter a description of the policy.
Enabled – Select to enable the policy.
3. Click Add and, at the top of the page, click Restart to apply the policy.
4. Browse to the Guardian > Web filter > Outgoing page.
5. Configure the following settings:
MessageCensor filtering and logging – Select Enable to enable censoring of content and/or files posted using web forms.
Store blocked content – Select this option if you want Network Guardian to store content it blocks.
Store blocked content above severity level – If you have selected to store blocked content, from the drop-down list, select one of the following options:
Always store – Network Guardian stores all blocked content and makes it available for review in the web filter log.
–4 to 5 – Select a severity level above which Network Guardian stores the blocked content and makes it available for review in the web filter log. For more information, see the Log severity level option above.
Note: This option does not apply to content posted using HTTPS.
6. Click Save. Network Guardian applies the policy.
Configuring Organization Accounts
Before your organization can deploy Swurl, the organization account must be configured on Network Guardian.
To configure the organization’s account:
1. On the Swurl home page, click View account. The Organization account screen opens.
2. Make a note of the information displayed.
3. On Network Guardian, browse to the Guardian > Swurl > Settings page.
4. Configure the following settings:
Swurl – Select Enable.
Fetch lists when centrally managed – Select this setting if Swurl is managed centrally. See your Network Guardian Administrator’s Guide for more information on centrally managed systems.
Organization – Enter the name of your organization as shown on the Organization account screen.
User ID – Enter your user ID as shown on the Organization account screen.
Password – Enter your password as shown on the Organization account screen.
5. Click Save. Network Guardian saves the information and enables Swurl.
6 Managing Authentication Policies
This chapter introduces authentication policies, including:
• About Authentication Policies on page 77
• Creating Authentication Policies on page 78
• Managing Authentication Policies on page 87
• Managing Authentication Exceptions on page 89
• Identification by Location on page 89
• Connecting to Network Guardian on page 90
• Authentication Scenarios on page 93
About Authentication Policies
Note: By default, Network Guardian comes with an authentication policy in place. To use it, you
configure your users’ web browsers to use Network Guardian as their web proxy. For more
information, see Creating a Non-transparent Connection Manually on page 91.
Network Guardian uses authentication to:
• Identify users and assign them to groups, so that Network Guardian can apply different policies to each group
• Allow access to registered users or trusted workstations
• Provide logging and auditing facilities in case of misuse
• Show in real time which users are accessing content
An authentication policy is comprised of a connection type, an authentication method, port
information and a location.
Network Guardian can use several different authentication methods to identify a user or group, with
different requirements and restrictions. Authentication policies determine which method is used.
They also determine which interfaces and ports Network Guardian listens on for web requests.
Creating Authentication Policies
Network Guardian enables you to create the following types of authentication policies:
• Non-transparent authentication policies – this type of policy is applied to users whose web browsers are configured to connect to the Internet using Network Guardian as their web proxy. For more information, see Creating Non-transparent Authentication Policies on page 78.
• Transparent authentication policies – this type of policy is applied to users whose computers’ network connection uses Network Guardian as the default gateway. For more information, see Creating Transparent Authentication Policies on page 83.
Creating Non-transparent Authentication Policies
Non-transparent authentication policies enable you to apply a web filter policy and authentication
requirements to a user or group of users.
To create a non-transparent authentication policy:
1. Browse to the Web proxy > Authentication > Policy wizard page.
2. Select Non-Transparent and, from the Method drop-down list, select one of the following authentication methods:
Method – Setting
No authentication – Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group.
Kerberos – Identify users by using the Kerberos keytab stored on Network Guardian. For more information, see About Kerberos.
Kerberos (Terminal Services compatibility mode) – Identify users by using the Kerberos keytab stored on Network Guardian. For information on Kerberos pre-requisites and troubleshooting, see About Kerberos.
This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.
Proxy authentication – Identify users by requesting a username and password from the user’s browser.
This authentication method prompts users to enter a username and password when they try to browse the web. The username and password details are encoded in all future requests made by the user’s browser.
Proxy authentication (Terminal Services compatibility mode) – Identify users by requesting a username and password from the user’s browser.
This method is designed to work with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.
NTLM identification – Identify users according to the username logged into their Microsoft Windows workstation.
Note: NTLM identification does not verify a user’s credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.
Note: Network Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM should not be used with any other browser or platform, even if the platform claims to support NTLM.
NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
NTLM identification (Terminal Services compatibility mode) – Identify users according to the username logged into their Microsoft Windows workstation. Can be used in conjunction with Microsoft Terminal Services.
Note: NTLM identification does not verify a user’s credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.
Note: Network Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.
Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
This method works with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.
NTLM authentication – Identify users according to the username logged into their Microsoft Windows workstation, and validate their credentials with the domain controller.
Prerequisites:
• There must be a computer account for Network Guardian in Active Directory
• The account specified on the Services > Authentication > Settings page must have permission to join the computer to the domain.
Note: Network Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.
Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
NTLM authentication (Terminal Services compatibility mode) – Identify users according to the username logged into their Microsoft Windows workstation, and validate their credentials with the domain controller. Can be used in conjunction with Microsoft Terminal Services.
Prerequisites:
• There must be a computer account for Network Guardian in Active Directory
• The account specified on the Services > Authentication > Settings page must have permission to join the computer to the domain.
Note: Network Guardian supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM.
Note: NTLM should only be used on single domain networks because the protocol does not support the transmission of domain information with usernames.
This method works with network clients using Microsoft Terminal Services, including Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.
Redirect users to SSL Login page (with background tab) – Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page which checks their username and password.
The Network Guardian authentication service supports only one user per client IP address.
Using this method, the SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times.
Select this method if a user’s browser cannot accept cookies. This method is also suitable if a user’s browser plugins or applications require the authenticated session to remain active.
SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s workstation and the Network Guardian system is encrypted.
To securely log out, the user must click Logout on the SSL Login page; see About SSL Authentication on page 162.
Redirect users to SSL Login page (with session cookie) – Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page which checks their username and password.
The Network Guardian authentication service supports only one user per client IP address.
Using this method, Network Guardian stores a session cookie on the user’s browser. The cookie removes the need for the user to reauthenticate.
This method is useful for users of tablet PCs and other mobile devices which have problems keeping tabs in browsers open in the background.
SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s workstation and the Network Guardian system is encrypted.
To securely log out, the user must click Logout on the SSL Login page; see About SSL Authentication on page 162.
Core authentication – Identify users with the Network Guardian authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group.
The Network Guardian authentication service supports only one user per client IP address.
Core authentication is typically used with the SSL Login page. For example, anonymous users can be allowed to certain sites only, but users can optionally log in to gain a higher level of access.
Ident – Identify users according to the username returned by an Ident server running on their workstation.
Network Guardian supports Ident for compatibility with any Ident-enabled networks your organization may already be using. Networks supporting Ident authentication require an Ident server application to be installed on all workstations that can be queried by Ident-enabled systems.
The user does not need to enter their username as it is automatically supplied by the Ident server application.
Once a user’s Ident server has identified the user, the user’s web activities will be filtered according to their authentication group membership.
For details of how to configure this with your choice of Ident server, please refer to the Ident server’s administrator’s guide.
Note: Ident does not verify a user’s credentials. It should only be used where all client workstations are secured and running an Ident server controlled by the network administrator. Unsecured clients can spoof their credentials.
Identification by Location – Identify users by their IP address. Assign a group based on the identification by location policy configured for their location.
Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network. For more information, see Identification by Location on page 89.
For information on locations, see Working with Location Objects on page 46.
Kerberos (via redirect) – Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the Kerberos login page, which obtains the username logged into their Microsoft Windows workstation.
For information on Kerberos pre-requisites and troubleshooting, see About Kerberos.
The Network Guardian authentication service supports only one user per client IP address.
Smart redirect – Identify the user’s device in order to redirect them to an NTLM authentication service, or an SSL login service. This redirect is based on the User-Agent data received in the browser’s HTTP request header. This is a best-guess scenario, based on pattern-matching and compatibility.
Note that within the user activity screen (see Managing User Activity on page 161), smart redirected users will show the authentication method used, not Smart redirect.
NTLM identification (via redirect) – Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation.
The Network Guardian authentication service supports only one user per client IP address.
Note: This option is for backwards compatibility with earlier versions of Guardian.
NTLM authentication (via redirect) – Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller.
The Network Guardian authentication service supports only one user per client IP address.
Note: This option is for backwards compatibility with earlier versions of Guardian.
Global Proxy using NTLM – Identify users using the Secure Global Proxy service. Users must be logged in using NTLM credentials.
Note: Even if your Smoothwall System has multiple internal interfaces, you can only create one Global Proxy using NTLM authentication policy. Enabling this policy automatically adds firewall rules to allow external access to the proxy port. If your Smoothwall System uses primary and secondary external connections, Secure Global Proxy will listen on the primary connection.
Device authentication can be implemented using client-side certificates. For a detailed description of how to configure these, see Connecting to Network Guardian on page 90.
For more information about Secure Global Proxy, refer to the Secure Global Proxy Installation and Administration Guide.
3. Configure the following settings:
Setting – Description
Interface – From the drop-down list, select the interface on which to apply the authentication policy.
Port – From the drop-down list, select the port on which to apply the authentication policy.
Enabled – Select to enable the policy.
4. Click Next and add the location at which the policy will apply.
5. Click Next and review the options for handling unauthenticated requests. When requests are permitted without requiring authentication, for example, entries on the Web proxy > Authentication > Exceptions page, Network Guardian assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.
6. Click Next, select Enabled and click Confirm. Network Guardian displays the policy settings.
7. Review the settings and click Save to make the policy available for use.
Creating Transparent Authentication Policies
Transparent authentication policies enable you to apply a web filter policy and authentication
requirements to a user or group of users.
To create a transparent authentication policy:
1. Browse to the Web proxy > Authentication > Policy wizard page.
2. Select Transparent and, from the Method drop-down list, select one of the following authentication methods:
Method – Setting
No authentication – Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group.
Redirect users to SSL Login page (with background tab) – Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page which checks their username and password.
The Network Guardian authentication service supports only one user per client IP address.
Using this method, the SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times.
Select this method if a user’s browser cannot accept cookies. This method is also suitable if a user’s browser plugins or applications require the authenticated session to remain active.
SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s workstation and the Network Guardian system is encrypted.
To securely log out, the user must click Logout on the SSL Login page; see About SSL Authentication on page 162.
Redirect users to SSL Login page (with session cookie) – Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the SSL Login page which checks their username and password.
The Network Guardian authentication service supports only one user per client IP address.
Using this method, Network Guardian stores a session cookie on the user’s browser. The cookie removes the need for the user to reauthenticate.
This method is useful for users of tablet PCs and other mobile devices which have problems keeping tabs in browsers open in the background.
SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s workstation and the Network Guardian system is encrypted.
To securely log out, the user must click Logout on the SSL Login page; see About SSL Authentication on page 162.
Core authentication – Identify users with the Network Guardian authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group.
The Network Guardian authentication service supports only one user per client IP address.
Core authentication is typically used with the SSL Login page. For example, anonymous users can be allowed to certain sites only, but users can optionally log in to gain a higher level of access.
Identification by location – Identify users by their IP address. Assign a group based on the identification by location policy configured for their location.
Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network. For more information, see Identification by Location on page 89.
For information on locations, see Working with Location Objects on page 46.
Kerberos (via redirect) – Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the Kerberos login page, which obtains the username logged into their Microsoft Windows workstation.
For information on Kerberos pre-requisites and troubleshooting, see About Kerberos.
The Network Guardian authentication service supports only one user per client IP address.
Smart redirect – Identify the user’s device in order to redirect them to an NTLM authentication service, or an SSL login service. This redirect is based on the User-Agent data received in the browser’s HTTP request header. This is a best-guess scenario, based on pattern-matching and compatibility.
Note that within the user activity screen (see Managing User Activity on page 161), smart redirected users will show the authentication method used, not Smart redirect.
NTLM identification (via redirect) – Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation.
The Network Guardian authentication service supports only one user per client IP address.
Note: NTLM identification does not verify a user’s credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.
NTLM authentication (via redirect) – Identify users with the Network Guardian authentication service. If no user is logged in, redirect web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller.
The Network Guardian authentication service supports only one user per client IP address.
3. Configure the following settings:
Setting – Description
Interface – From the drop-down list, select the interface on which to apply the authentication policy.
Note: For more information on the WCCP interface option, see Configuring WCCP on page 104.
HTTPS
Filter HTTPS traffic – Select this option to transparently intercept HTTPS connections.
Allow HTTPS traffic with no SNI header for the 'Transparent HTTPS incompatible sites' category – Select this option to allow HTTPS traffic without a server name indication (SNI) field in its header. This allows access to content in the Transparent HTTPS incompatible sites content category based on a best-guess of the destination host by using DNS reverse lookup. For more information on content categories, see Working with Category Group Objects on page 41.
Note: When enabled, web requests allowed by this option will bypass any deployed HTTPS policies and will not be subjected to inspection or certificate checking.
Note: This option is not applicable when configuring an authentication policy folder. For more information on folders, see Working with Policy Folders on page 71.
Spoofing – Select this option to allow upstream services to see network traffic as coming from Network Guardian’s IP address rather than the originating client’s IP address.
Note: This option is only available when configuring a policy which uses a bridged interface.
Enabled – Select to enable the policy. When disabled, no filtering is performed on HTTPS requests from clients without deployed proxy settings.
Note: Transparent HTTPS interception is not compatible with Internet Explorer running on Windows XP or earlier.
4. Click Next and add the location at which the policy will apply.
5. Click Next and review the options for handling unauthenticated requests. When requests are permitted without requiring authentication, for example, entries on the Web proxy > Authentication > Exceptions page, Network Guardian assigns them to the Unauthenticated IPs group. If you want to assign them to a different group, add the group to the Included groups list.
6. Click Next, select Enabled and click Confirm. Network Guardian displays the policy settings.
7. Review the settings and click Save to make the policy available for use.
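The Filter HTTPS traffic and no-SNI-header options in the transparent policy above both hinge on one field of the TLS handshake. As an added example that is not Network Guardian's code, the following Node.js script builds constructed ClientHello messages and extracts the server name indication from them, showing what a transparent interceptor can know about the destination before anything is decrypted and why a ClientHello without SNI can only be handled by the best-guess path that bypasses inspection.

```javascript
// Added example (not Network Guardian's code): extract the server name
// indication (SNI) from a TLS ClientHello, the field a transparent HTTPS
// interceptor uses to learn the destination host before any bytes are
// decrypted. The ClientHellos below are constructed; in a real proxy the
// bytes come from the client's first packet on port 443.

// Build a minimal TLS 1.2 ClientHello; pass null for serverName to omit the SNI extension.
function buildClientHello(serverName) {
  const body = [];
  body.push(0x03, 0x03);                      // client_version: TLS 1.2
  for (let i = 0; i < 32; i++) body.push(i);   // client random (constructed, not random)
  body.push(0x00);                            // session_id length 0
  body.push(0x00, 0x02, 0xc0, 0x2f);          // one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
  body.push(0x01, 0x00);                      // compression_methods: null only
  if (serverName !== null) {
    const name = Buffer.from(serverName, "ascii");
    const listLen = 3 + name.length;          // name_type(1) + name length(2) + name
    const extLen = 2 + listLen;               // server_name_list length(2) + list
    const ext = [0x00, 0x00, extLen >> 8, extLen & 0xff,          // extension type 0 = server_name
                 listLen >> 8, listLen & 0xff,                     // server_name_list length
                 0x00, name.length >> 8, name.length & 0xff, ...name]; // host_name entry
    body.push(ext.length >> 8, ext.length & 0xff, ...ext);        // extensions block
  }
  // Handshake header: type 1 (ClientHello) + 24-bit length; record header: type 22, TLS 1.0 compat version.
  const hs = [0x01, (body.length >> 16) & 0xff, (body.length >> 8) & 0xff, body.length & 0xff, ...body];
  return Buffer.from([0x16, 0x03, 0x01, hs.length >> 8, hs.length & 0xff, ...hs]);
}

// Return the host_name from the SNI extension, or null when the ClientHello carries none.
function extractSni(record) {
  if (record.length < 5 || record[0] !== 0x16) throw new Error("not a TLS handshake record");
  let p = 5;                                   // skip the 5-byte record header
  if (record[p] !== 0x01) throw new Error("not a ClientHello");
  p += 4;                                      // handshake type + 24-bit length
  p += 2 + 32;                                 // client_version + random
  p += 1 + record[p];                          // session_id
  p += 2 + record.readUInt16BE(p);             // cipher_suites
  p += 1 + record[p];                          // compression_methods
  if (p >= record.length) return null;         // no extensions block at all (old or minimal clients)
  const extEnd = p + 2 + record.readUInt16BE(p);
  p += 2;
  while (p + 4 <= extEnd) {
    const type = record.readUInt16BE(p);
    const len = record.readUInt16BE(p + 2);
    p += 4;
    if (type === 0x0000) {
      // server_name_list: 2-byte list length, then entries of type(1) + length(2) + name
      const listEnd = p + 2 + record.readUInt16BE(p);
      let q = p + 2;
      while (q + 3 <= listEnd) {
        const nameType = record[q];
        const nameLen = record.readUInt16BE(q + 1);
        if (nameType === 0x00) return record.toString("ascii", q + 3, q + 3 + nameLen);
        q += 3 + nameLen;
      }
    }
    p += len;
  }
  return null;
}

// Map the handshake to the two paths the policy describes: with SNI the HTTPS
// policy can be applied to the named host; without it only a best guess from
// the destination IP (reverse DNS) is possible and inspection is bypassed.
function interceptDecision(record) {
  const sni = extractSni(record);
  return sni === null ? { path: "no-sni-best-guess", host: null } : { path: "sni-policy", host: sni };
}

console.log(interceptDecision(buildClientHello("www.example.org")));
console.log(interceptDecision(buildClientHello(null)));
```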
Managing Authentication Policies
Network Guardian applies authentication policies in the order they are displayed on the Web proxy
> Authentication > Manage policies page. You can change the order the policies are applied by
dragging and dropping them in new positions.
To change the order of the authentication policies, do the following:
1. Browse to the Web proxy > Authentication > Manage policies page. Network Guardian displays the current authentication policies assigned to each interface.
2. To move an authentication policy, either:
• Click and hold the policy number and drag it to its new position; or
• Highlight the policy by clicking it, and use the Up or Down button to move it to its new position.
3. Click Save.
4. You must restart Network Guardian’s proxy service if any changes are made to the authentication policies. Click Restart proxy when prompted.
Editing Authentication Policies
You can make changes to existing authentication policies, including disabling them for later use,
without removing the policy.
To edit an authentication policy, do the following:
1. Browse to the Web proxy > Authentication > Manage policies page.
2. Locate the policy you want to change.
3. To enable or disable an existing policy, highlight the relevant one, and click the grey box in the Enabled column.
4. To edit the policy configuration, click the Edit policy button. Network Guardian displays the policy on the Web proxy > Authentication > Policy wizard page.
5. Adjust the policy as required. For more information, see Creating Authentication Policies on page 78.
6. Click Confirm.
7. Review your changes and then click Save to save and apply the changes.
8. You must restart Network Guardian’s proxy service if any changes are made to the authentication policies. Click Restart proxy when prompted.
Deleting Policies
You can delete authentication policies you no longer require.
Note: If you remove all authentication policies assigned to a policy folder, but do not remove the
folder assigned to an interface, the Guardian service stops responding to requests and appears as
stopped on the Dashboard. To prevent an interface from using authentication policies, it is
recommended you remove the folder as well.
To delete an authentication policy, do the following:
1. On the Web proxy > Authentication > Manage policies page, locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy.
3. Click Delete.
4. You must restart Network Guardian’s proxy service if any changes are made to the authentication policies. Click Restart proxy when prompted.
Managing Authentication Exceptions
You can configure Network Guardian to allow access to content without requiring authentication. For
example, automatic Windows updates can be accessed without user authentication.
Tip: Log in to our support portal and read more about applications known not to support
authenticated proxies and how to put an authentication exception in place for them.
To create an exception:
1. Browse to the Web proxy > Authentication > Exceptions page.
2. Select the content to be excepted from authentication and click Add.
3. Click Save to create the exception.
Identification by Location
You can configure Network Guardian to identify groups and/or users by the location in which they
are situated. This ident by location status can be used to configure an identification by location
authentication policy.
Note: The settings configured on this page are only used when Identification by Location is selected
as the method in an authentication policy. See Creating Authentication Policies on page 78 for more
information.
To configure identification by location:
1. Browse to the Web proxy > Authentication > Ident by location page.
2. From the Selected location drop-down list, select the location.
3. Select the groups and/or users to include in the location and click Add.
4. Click Confirm. Network Guardian lists the location in the Location to group mappings table.
Connecting to Network Guardian
The following sections explain how to connect non-transparently and transparently to Network
Guardian.
About Non-transparent Connections
Non-transparent connections from users’ web browsers to Network Guardian are suitable when
content is accessed using HTTPS or when using NTLM or proxy authentication or identification in
terminal services compatibility mode.
Connecting to Network Guardian non-transparently entails configuring users’ web browsers to use
Network Guardian as the web proxy using one of the following methods:
• Manually – Web browser LAN settings are manually configured, see Creating a Non-transparent Connection Manually on page 91 for more information
• Automatic configuration script – Web browser LAN settings are configured to receive proxy configuration settings from an automatic configuration script which is generated by Network Guardian, see Configuring Non-transparent Connections Using a PAC Script on page 91 for more information
• WPAD automatic script – Web browser LAN settings are configured to detect proxy settings, see Configuring a Non-transparent Connection Using a WPAD Automatic Script on page 92 for more information.
Creating a Non-transparent Connection Manually
Note: The following instructions apply to Internet Explorer 7. For information on other browsers, see
the documentation delivered with the browsers.
To create a non-transparent connection manually:
1. On users’ computers, start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings.
3. In the Automatic configuration area, check that Automatically detect settings and Use automatic configuration script are not selected.
4. In the Proxy server area, select Use a proxy server for your LAN …
5. Enter Network Guardian's IP address and port number 800 and select Bypass proxy server for local addresses.
6. Click Advanced to access more settings. In the Exceptions area, enter Network Guardian’s IP address and any other IP addresses of content that you do not want filtered, for example, your intranet or local wiki.
7. Click OK and OK to save the settings.
Configuring Non-transparent Connections Using a PAC Script
A proxy auto-config (PAC) script is a file generated by Network Guardian. Once configured, any
changes to connections are automatically retrieved by the user’s web browser. For information on
working with PAC scripts, see Using PAC Scripts on page 100.
Note: The following instructions apply to Internet Explorer 7. For information on other browsers, see
the documentation delivered with the browsers.
To configure a non-transparent connection using a PAC script:
1. On the user’s computer, start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings.
3. Configure the settings as follows:
Setting – Description
Automatically detect settings – Deselect this option.
Use automatic configuration script – Select this option.
Address – Enter the address of the script.
Tip: To locate the address, navigate to the Web proxy > Web proxy > Settings page. The address is listed in the Automatic configuration script address area.
4. Ensure that no other proxy settings are enabled or have entries.
Note: You may need to restart the web browser for the settings to take effect.
Configuring a Non-transparent Connection Using a WPAD Automatic Script
Note: This method is only for administrators familiar with configuring web and DNS servers. End-user browsers must support WPAD – the latest versions of Microsoft Internet Explorer support this method.
The WPAD method works by the web browser pre-pending the hostname wpad to the front of its
fully qualified domain name and looking for a web server on port 80 that can supply a wpad.dat file.
The file works in the same way as the automatic configuration script and tells the browser what web
security policy it should use.
To use WPAD:
1. Configure your network to use Network Guardian as the network web proxy. Consult your network documentation for more information on how to do this.
2. Using a local DNS server or Network Guardian’s static DNS, add the host 'wpad.YOURDOMAINNAME' substituting your own domain name. The host must resolve to Network Guardian’s IP address.
3. Configure users’ browsers to automatically detect LAN settings.
Note: Users’ computers must be configured with the same domain name as the A record. However,
the Microsoft Knowledge Base article Q252898 suggests that WPAD does not work on Windows
2000. Microsoft suggests that you should use a DHCP auto-discovery method using a PAC script.
See the article for more information.
About Transparent Connections
You configure transparent connections from users’ computers to Network Guardian by configuring the computers’ network connections to use Network Guardian as the default gateway.
In order for a transparent policy to work, the following must be in place:
• DNS must be set up correctly on your network so that user computers can resolve the short form of Network Guardian’s hostname, for example: resolve mysystem for the hostname mysystem.example.com
• User computers and Network Guardian must be within the same DNS domain
• Internet Explorer must be configured to authenticate automatically with intranet sites.
Authentication Scenarios
The following are high level examples of how you can configure Network Guardian to suit your
organization’s authentication requirements.
New Content Filtering – Changing the Listening Port
Anna runs an Internet cafe. She is replacing her current content filter with Network Guardian because
of its superior filtering. To avoid reconfiguring each workstation, she needs Network Guardian to
listen on the same port as before, which was port 3128.
Anna goes to the Web proxy > Authentication > Policy page which shows the default configuration
of no authentication on port 800. She clicks the Edit button on the entry displayed which takes her
to the Web proxy > Authentication > Policy wizard page. On this page, all fields apart from interface
and port are disabled. She changes the port to 3128 and saves her changes, and a message
prompts her to restart Network Guardian.
Providing Filtered Web Access to the Public
Brian is a network administrator for a university. Staff and student web access is unfiltered, but Brian
wants to provide filtered web access for a new conference centre open to the public. He does not
want delegates to need to configure a proxy in their browsers.
Brian configures Network Guardian to listen in transparent mode. On the Web proxy > Authentication
> Policy wizard page, he selects Transparent and No authentication and leaves the other options at
their defaults.
After adding this entry, on the Web proxy > Authentication > Policy page, he can see the new
transparent authentication policy so he removes the default entry for port 800.
He then configures the firewall and DHCP servers on the network to route traffic through Network
Guardian.
Requiring Authentication to Browse the Web
Charlotte is a hotel manager. The hotel provides Internet access to guests via their own laptops and
shared PCs in the lobby. The wireless network is secured but Charlotte needs to know which guest
is responsible for web traffic in case of misuse. She wants a simple system which doesn’t require
guests to register their wireless devices.
Charlotte creates a local user account for each room, with names like ‘room23’ and a random simple
password. Guests are told the password for their room when they check in if they request Internet
access, and the password is changed when they check out.
Charlotte then configures Network Guardian in transparent mode on the Web proxy > Authentication
> Policy page by adding a new entry for Transparent and Redirect to SSL Login, leaving the other
options at their defaults. She removes the entry for port 800 before restarting Network Guardian.
Using Multiple Authentication Methods
Donald is a college system administrator. His network contains Windows PCs, Macs, and network
points for student laptops. Donald wants to provide authentication across the network using single
sign on wherever possible.
For Macs, Donald creates a location on the Guardian > Location > Policy wizard page, which he names ‘Macs’. This location contains the IP address ranges assigned to Macs.
On the Web proxy > Authentication > Policy page, he edits the default entry for port 800, changing
the authentication method to NTLM authentication. Then he adds a new entry, choosing Ident
authentication for the location ‘Macs’. This is displayed above the entry for NTLM on the policy page.
Finally he adds an entry for the laptops for transparent connections and Redirect to SSL Login.
Using group policy and central admin tools, he configures the Windows PCs and Macs to use
Network Guardian, and installs an Ident server on the Macs. Windows and Mac users now
authenticate to Network Guardian using their desktop login session, but laptop users are presented
with the SSL Login screen when they browse.
Controlling an Unruly Class
Ellen is a secondary school teacher. Ellen’s students are supposed to be reading about the Civil War
but are inclined to waste time when her back is turned. Ellen needs to be able to ban students from
accessing the Internet as a punishment for misbehavior.
While the students are working, Ellen looks around the room and also monitors web usage on the
Logs and reports > Realtime > Web filter page. She sees that one of her students, Fred, is watching
videos on YouTube, so she goes to the Services > Authentication > User activity page, scrolls to his
login entry, and selects Ban. This takes her to the temporary bans page where she configures the
ban to expire at the end of the lesson. When Fred clicks on another video, he is shown the block
page.
7 Managing Web Security
This chapter includes:
• Overview of the Web Proxy on page 96
• Using PAC Scripts on page 100
• Limiting Bandwidth Use on page 102
• Configuring WCCP on page 104
• Managing Upstream Proxies on page 106
• Managing Blocklists on page 114
• Managing Block Pages on page 116
Overview of the Web Proxy
The following sections provide an overview of Network Guardian’s web proxy settings.
To access Network Guardian’s web proxy settings:
1. Navigate to the Web proxy > Web proxy > Settings page.
Global Options
The following table lists Network Guardian’s global web proxy setting:
   Guardian – Select Enable to enable content filtering and Network Guardian’s web proxy.
2. Click Advanced to access advanced web proxy settings which are documented in the following sections.
Advanced Web Proxy Settings
The following advanced web proxy settings are available.
Web Filter Options
The following optional advanced web filter settings are available:
   HTTP strict mode – By default, this option is enabled. However, for certain client applications going through Network Guardian you may need to disable this so as to handle problems, for example, with headers that the applications send.
   File upload policy – The following options are available:
      Allow unlimited uploads – All file uploads are allowed.
      Block all uploads – All file uploads are blocked.
      Restrict upload size to – Files below the size specified are allowed.
   Resume interrupted NTLM connections – By default Network Guardian resumes interrupted NTLM connections caused by non-standard web browser behavior.
      Enable – This is the default setting. Select this setting to configure Network Guardian to resume interrupted NTLM connections.
      Disable – Select this setting to disable resumption of interrupted NTLM connections when restrictive Active Directory account lockout policies are in operation.
   Resolve single component hostnames – By default, Network Guardian makes no attempt to interpret single component hostnames which are not fully qualified.
      Enable – Select this setting to enable Network Guardian to attempt to interpret single component hostnames which are not fully qualified if single component hostnames are being used.
      Disable – Select this setting to stop Network Guardian from trying to interpret single component hostnames which are not fully qualified.
   Allow access to web servers on these additional ports – By default, Network Guardian only allows requests to servers running on a certain subset of privileged ports, i.e. ports below 1024, such as HTTP (80), HTTPS (443) and FTP (21). If you require access to servers running on non-standard ports, enter them here.
Logging Options
The following advanced logging settings are available:
   Proxy logging – We recommend that you disable this option when Filter logging mode is enabled. This is because Network Guardian proxy logs are effectively duplicated subsets of Network Guardian web filter logs. Disabling proxy logging can lead to improved performance by reducing system storage and processing requirements.
   Organization name – Enter a name which can be used to identify Network Guardian in your organization. Organization names are also referenced in certain web reports.
   Filter logging mode – From the drop-down list, select one of the following logging modes:
      Normal – Select this option to generate proxy logs with all recorded data.
      Anonymized – Select this option to generate filter logs with anonymous username and IP address information.
      Disabled – Select this option to disable content filter logging.
   Client hostnames – Select one of the following options:
      Log – Select this option to record hostnames of computers using Network Guardian. When enabled, filter logs and reports incorporating hostname information can be generated. It is important that DNS servers exist on the local network and are correctly configured with the reverse DNS of all machines if this option is enabled, otherwise performance will suffer.
      Do not log – Select this option to disable the logging of hostnames of computers using Network Guardian.
   Client user-agents – Select one of the following options:
      Log – Select to record the types of browsers used by users.
      Do not log – Select to disable the logging of the types of browsers used by users.
   Advert blocks – Select one of the following options:
      Log – Select this option to log information on advert blocking.
      Do not log – Select to disable the logging of information on advert blocking.
Cache Options
The following advanced, optional cache settings are available:
   Global cache size – The size entered here determines the amount of disk space allocated to Network Guardian for caching web content. Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached.
      The specified size must not exceed the amount of free disk space available. The cache size should be configured to an approximate size of around 40% of the system’s total storage capacity, up to a maximum of around 1.5 gigabytes. Larger cache sizes can be specified, but may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages.
   Max and min object size that can be stored in the cache – The values entered here determine the maximum and minimum sizes of objects stored in the cache.
      Max object size – Enter the largest object size that will be stored in Network Guardian’s cache. Any object larger than the specified size will not be cached. This prevents large downloads filling the cache. The default of 30720 bytes (30 MB) should be adjusted to suit the needs of your users.
      Min object size – Enter the smallest object size that will be stored in Network Guardian’s cache. Any object smaller than the specified size will not be cached. This can be useful for preventing large numbers of tiny objects filling the cache. The default is no minimum – this should be suitable for most purposes.
   Max object size that can pass in and out of proxy – The values entered here determine the maximum sizes of objects which can pass through the web proxy.
      Max outgoing size – Enter the maximum amount of outbound data that can be sent by a browser in any one request. This can be used to prevent large uploads or form submissions. The default is no limit.
      Max incoming size – Enter the maximum amount of inbound data that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. This can be used to prevent excessive and disruptive download activity. The default is no limit.
   Do not cache these domains – Used to specify domains that should be excluded from the web cache. This can be used to ensure that old content of frequently updated web sites is not cached. Enter domain names without the www prefix, one entry per line. To apply the option to any subdomains, enter a leading period, for example: .example.com
Internet Cache Protocol
The following advanced, optional Internet Cache Protocol (ICP) settings are available:
   ICP server – Select one of the following options:
      Enable – Select to allow ICP compatible proxies to query Network Guardian's cache. ICP is a technique employed by proxies to determine if an unfulfilled local cache request can be fulfilled by another proxy’s cache. ICP-enabled proxies work together as cache peers to improve cache performance across a LAN. ICP is recommended for LANs with multiple Network Guardian proxy servers; non-Smoothwall proxies must use port 801 for HTTP traffic.
      Disable – Select to disable Network Guardian as an ICP server.
   ICP server IP addresses – Use this area to enter the IP addresses of other ICP-enabled proxies on the LAN that Network Guardian should query. Use in conjunction with the ICP server option enabled to allow two-way cache sharing.
Load Balancing
The following load balancing option is available:
   Direct Return Server Virtual IP – Enables you to use a load balancing device which uses a virtual IP with Network Guardian. Enter the IP address on which Network Guardian can accept load balanced connections. Assuming a load balancer has been set up, Network Guardian will form part of its cluster.
      Note: This IP address must not respond to ARP queries, as ARP-ing behavior is what sets this type of Virtual IP apart from a simple alias.
Using PAC Scripts
Network Guardian enables you to create and make available proxy auto-config (PAC) scripts which
determine which IP addresses and domains to access via Network Guardian and which to access
directly.
Network Guardian supports built-in PAC scripts and custom PAC script templates.
Using a Built-in Script
A built-in script is an auto configuration script which you can customize with additional settings such
as exceptions.
To use a built-in script:
1. Browse to the Web proxy > Web proxy > Automatic configuration page.
2. Select Built-in and configure the following settings:
   Bypass proxy server for local addresses – Select this option to not use Network Guardian when connecting to local addresses. When selected, this option makes users’ browsers bypass the Network Guardian proxy if the address is a hostname only, for example: myhostname. Browsers will not bypass the Network Guardian proxy if the address is a fully qualified domain name (FQDN), for example: myhostname.example.local.
   Refer to the proxy by domain name – Select this option so that the Network Guardian proxy uses its domain name instead of IP addresses in the configuration file.
      Note: Before enabling this option, ensure that you have a valid DNS configuration which resolves correctly for this hostname. This option must be enabled when using Kerberos authentication to use proxy automatic configuration.
   Exception domains and IP addresses – In this text box, enter an IP address, IP address range, network address or hostname that users may access directly. For example:
      192.168.0.1
      192.168.0.1-192.168.0.254
      192.168.0.0/24
      hostname.local
   Exception regular expression domains – Optionally, click Advanced to access the Exception regular expression domains area. In the text box, enter one regular expression domain per line that users may access directly. For example:
      ^(.*\.)?youtube\.com$
      ^(.*\.)?ytimg\.com$
   would disable usage of Network Guardian for youtube.com, ytimg.com and subdomains such as www.youtube.com; but not, for example, fakeyoutube.com.
3. Click Save. Network Guardian creates the script and makes it available at:
   http://Your_System_IP_address/proxy.pac
Using a Custom Script
A custom script provides advanced functionality by enabling you to use a script customized to suit
your organization.
Tip: You can use the built-in template as starting point for creating a custom script. On the Web
proxy > Web proxy > Automatic configuration page, click Download and save the default script
to a suitable location. Edit the file to suit your requirements and save it using a different name. See
below for how to upload it.
To use a custom script:
1. After configuring the custom script, browse to the Web proxy > Web proxy > Automatic configuration page.
2. Select Custom script template and click Browse. Locate and select the script and click Upload. Network Guardian uploads the script and makes it available at:
   http://Your_System_IP_address/proxy.pac
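As an added example (not Smoothwall's generated proxy.pac), the following PAC script implements the behaviour of the built-in script options described above and could serve as a starting point for a custom script or a WPAD wpad.dat file: bare hostnames bypass the proxy while FQDNs do not, the exception entries (single IP, IP range, network address, hostname) and the regular expression domains go direct, and the proxy is referred to by domain name. The proxy address proxy.example.local:800 and the exception entries are constructed assumptions, and the IPv4 helpers are defined in the file itself so it can be tested offline in Node.js rather than relying on the browser's isInNet().

```javascript
// Added example PAC script (not Smoothwall's own proxy.pac). The proxy address
// and the exception entries below are constructed sample values.
var PROXY = "PROXY proxy.example.local:800";   // proxy referred to by domain name
var DIRECT = "DIRECT";

// "Exception domains and IP addresses": one entry per line in the text box.
var EXCEPTIONS = [
  "192.168.0.1",                   // single IP address
  "192.168.0.10-192.168.0.20",     // IP address range
  "10.0.0.0/24",                   // network address
  "hostname.local"                 // hostname
];

// "Exception regular expression domains": the two examples given in the guide.
var EXCEPTION_REGEXES = [
  /^(.*\.)?youtube\.com$/,
  /^(.*\.)?ytimg\.com$/
];

// Parse a dotted-quad IPv4 address into an integer; null if it is not one.
function ipToInt(text) {
  var parts = text.split(".");
  if (parts.length !== 4) return null;
  var value = 0;
  for (var i = 0; i < 4; i++) {
    var octet = parseInt(parts[i], 10);
    if (isNaN(octet) || octet < 0 || octet > 255 || String(octet) !== parts[i]) return null;
    value = value * 256 + octet;
  }
  return value;
}

// True if the address (as an integer) falls inside the network "a.b.c.d/bits".
function inCidr(ipInt, cidr) {
  var pieces = cidr.split("/");
  var base = ipToInt(pieces[0]);
  var bits = parseInt(pieces[1], 10);
  if (base === null || isNaN(bits) || bits < 0 || bits > 32) return false;
  var size = Math.pow(2, 32 - bits);
  var start = Math.floor(base / size) * size;
  return ipInt >= start && ipInt < start + size;
}

// Match one exception entry against the request host. Hostname entries are
// compared literally: unlike a browser's isInNet(), nothing is resolved via DNS.
function matchesException(host, entry) {
  var hostInt = ipToInt(host);
  var entryInt = ipToInt(entry);
  if (entryInt !== null) return hostInt === entryInt;                    // single IP
  if (entry.indexOf("/") !== -1) return hostInt !== null && inCidr(hostInt, entry);
  var ends = entry.split("-");
  if (ends.length === 2) {                                                // IP range "lo-hi"
    var lo = ipToInt(ends[0]), hi = ipToInt(ends[1]);
    if (lo !== null && hi !== null) return hostInt !== null && hostInt >= lo && hostInt <= hi;
  }
  return hostInt === null && host === entry.toLowerCase();                // hostname
}

// Entry point that every PAC engine calls once per request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // "Bypass proxy server for local addresses": a bare hostname such as
  // myhostname goes direct; an FQDN such as myhostname.example.local does not.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return DIRECT;
  for (var i = 0; i < EXCEPTION_REGEXES.length; i++) {
    if (EXCEPTION_REGEXES[i].test(host)) return DIRECT;
  }
  for (var j = 0; j < EXCEPTIONS.length; j++) {
    if (matchesException(host, EXCEPTIONS[j])) return DIRECT;
  }
  return PROXY;
}
```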
Managing the Configuration Script
You define the policy for each interface by configuring which proxy address the configuration script should direct clients to.
To manage the configuration script:
1. Browse to the Web proxy > Web proxy > Automatic configuration page.
2. In the Manage configuration script area, from the Interface drop-down list, select the address the configuration script should direct clients to.
3. Click Save.
Limiting Bandwidth Use
By default, Network Guardian does not limit bandwidth use. However, it is possible to configure
bandwidth limiting policies which can, for example, stop a user or group of users from overloading
your Internet connection.
To create a bandwidth limiting policy:
1. Navigate to the Web proxy > Web proxy > Bandwidth limiting page.
2. Click Create a new policy. The policy wizard is displayed. Complete the following steps:
   Step 1: Who – From the Available users or groups list, select the user(s) and/or group(s) to whom the policy will apply. For information on users and groups, .
      Tip: Enter a name or part of a name and Network Guardian will search for names of users and groups that match.
      Click Add and, when you have added all the users and/or groups, click Next to continue.
   Step 2: What – From the Available categories or category groups list, select what is to be filtered. For information on categories, see Working with Category Group Objects on page 41.
      Tip: Enter the name or part of the name and Network Guardian will search for content that matches.
      Click Add and, when you have selected all the content, click Next to continue.
   Step 3: Where – From the Available locations list, select where the policy will apply. For more information about locations, see Working with Location Objects on page 46.
      Tip: Enter the name or part of the name and Network Guardian will search for locations that match.
      Click Add and, when you have added the location(s), click Next to continue.
   Step 4: When – From the Available time slots list, select when the policy will apply. For more information about time slots, see Working with Time Slot Objects on page 45.
      Tip: Enter the name or part of the name and Network Guardian will search for time slots that match.
      Click Add and, when you have added the time slot(s), click Next to continue.
   Step 5: Action –
      Limit bandwidth to – Enter the number of kilobytes per second to which bandwidth is limited when this policy is applied.
      Shared between clients – Select this option to share the bandwidth specified between all clients on the network. If this option is not selected then the limit specified applies to each client, determined by IP, not by user or group.
      Note: A user or group may be able to draw on bandwidth from several policies.
   Note: Each step must be completed in order to create the policy. If you skip a step, Network Guardian creates a policy folder in which you can store policies. For more information about policy folders, see Working with Policy Folders on page 71.
3. Select Enable policy to enable the policy and then click Confirm. Network Guardian displays the settings you have selected.
4. Review the settings and click Save to create the policy. Network Guardian creates the policy and makes it available on the Web proxy > Web proxy > Bandwidth limiting page.
Ordering Bandwidth Limiting Policies
It is possible to order bandwidth limiting policies. Ordering policies enables you, for example, to apply
one policy to a user and another policy to the group the user belongs to.
To order bandwidth limiting policies:
1. Browse to the Web proxy > Web proxy > Bandwidth limiting page.
2. Drag and drop the policy you want applied first to the top of the list and click Save. Network Guardian applies the order specified when applying the policies.
Editing Bandwidth Limiting Policies
You can edit an existing bandwidth limiting policy to suit your organization’s requirements.
To edit a bandwidth limiting policy:
1. Browse to the Web proxy > Web proxy > Bandwidth limiting page and locate the policy you want to edit.
2. Click the Edit policy button. Network Guardian displays the policy settings.
3. Make the changes necessary; see Limiting Bandwidth Use on page 102 for more information about working with policies.
4. Click Confirm. Network Guardian displays the settings you have selected. Review them and click Save to save the changes to the policy. Network Guardian updates the policy and makes it available on the Web proxy > Web proxy > Bandwidth limiting page.
Deleting Bandwidth Limiting Policies
You can delete a bandwidth limiting policy you no longer require.
To delete a bandwidth limiting policy:
1. Browse to the Web proxy > Web proxy > Bandwidth limiting page and locate the policy you want to delete.
2. Click the Delete policy button. Network Guardian prompts you to confirm that you want to delete the policy. Click Delete. Network Guardian deletes the policy.
Configuring WCCP
Network Guardian can be added to a Web Cache Communication Protocol (WCCP) cache engine cluster. When enabled, Network Guardian broadcasts its availability to a nominated WCCP-compatible router.
The WCCP-compatible router can forward web traffic and perform load balancing across all the WCCP capable proxies it is aware of. Both HTTP and HTTPS traffic can be transparently proxied via WCCP.
Note: WCCP-compatible routers forward web traffic in a transparent mode over a GRE tunnel, therefore you must configure a transparent authentication policy for the interface which will receive redirected traffic. For information on transparent authentication policies, see Chapter 6, Creating Transparent Authentication Policies on page 83.
For more information about configuring WCCP on your router, refer to the documentation that accompanies your router.
To configure WCCP:
1. Browse to the Web proxy > Web proxy > WCCP page.
2. Select the option you require and configure its settings:
   No WCCP – Select to disable WCCP.
   WCCP version 1 – Select this option to enable WCCP version 1. Version 1 does not require authentication for caches to join the cluster, and only supports a single coordinating router.
      WCCP router IP – Enter the WCCP router’s IP address.
   WCCP version 2 – Select this option to enable WCCP version 2. Version 2 can be more secure than version 1, as it supports authentication for caches to join the cluster, providing a level of protection against rogue proxies on the LAN. In addition, it supports multiple coordinating routers.
      Note: Currently, WCCP version 2 in Network Guardian only supports routers configured to use the hash assignment method and GRE for both the forwarding and return methods.
      Password – Enter the password required to join the WCCP cluster. WCCP passwords can be a maximum of 8 characters.
      Cache weight – Enter a cache weight to provide a hint as to the proportion of traffic which will be forwarded to this particular cache. Caches with high weights relative to other caches in the cluster will receive more redirected requests.
      Device IP addresses – Enter the IP addresses of one or more WCCP version 2 routers.
3. Click Save. Network Guardian saves the settings.
4. On the Web proxy > Authentication > Manage policies page, create a transparent authentication policy using the authentication method you require and select WCCP as the interface. For more information, see Creating Transparent Authentication Policies on page 83.
Network Guardian completes the WCCP configuration.
Managing Upstream Proxies
Network Guardian enables you to configure and deploy policies which manage access to upstream
proxies. The policies can:
• Allow or deny access to upstream proxies based on network location
• Direct web requests to a specific upstream proxy depending on the type of request
• Provide load balancing and failover.
The following sections explain how to configure and deploy upstream proxy policies.
Overview
Managing upstream proxies entails:
• Configuring upstream proxy settings, for more information see Configuring an Upstream Proxy on page 107
• Creating source and destination filters, for more information see Configuring Source and Destination Filters on page 109
• Configuring a single upstream proxy for all web requests, see Using a Single Upstream Proxy on page 111, or deploying upstream proxy policies to combine multiple upstream proxies and use load balancing and failover, for more information, see Working with Multiple Upstream Proxies on page 112.
Configuring an Upstream Proxy
The following section explains how to configure an upstream proxy.
To configure an upstream proxy:
1. Browse to the Web proxy > Upstream proxy > Proxies page.
2. Configure the following settings:
   Name – Enter a name for the upstream proxy. Only the following characters and numbers are allowed in a proxy name:
      .,
      abcdefghijklmnopqrstuvwxyz
      ABCDEFGHIJKLMNOPQRSTUVWXYZ
      0123456789
   The name Default is invalid as it is reserved as the name of the default proxy.
   IP/Hostname – Enter the IP address or the hostname of the upstream proxy.
   Port – Enter the port number to use on the upstream proxy.
   Comment – Optionally, enter a comment or description.
3. Click Advanced to access the following, optional settings:
   Credential forwarding – Select one of the following credential forwarding options:
      Disabled – Select this option to use the static username and password entered below when logging in to the upstream proxy.
      Username only – Forward the username of the client making the request with the password entered below when logging in to the upstream proxy. This allows the upstream proxy to identify individual users without revealing their passwords.
      Note: This requires proxy authentication, NTLM authentication or NTLM identification to be enabled, otherwise usernames cannot be determined by Network Guardian.
      Username and password – Forward the username and password of the client making the request when logging in to the upstream proxy. This could be used if both Network Guardian and the upstream proxy are authenticating against the same directory server, but should be used with caution as it reveals client credentials.
      Note: This option requires proxy authentication to be used, not NTLM. Otherwise, plaintext usernames and passwords cannot be determined by Network Guardian.
      Note: Network Guardian can only log in to upstream proxies which require basic proxy authentication, not NTLM or any other authentication scheme.
   Username – Enter a static username for use when credential forwarding is disabled.
   Password – Enter a static password for use when credential forwarding is disabled, or when forwarding usernames only.
   Load balance ratio – Enter a load balance ratio value. Values are relative. For example, if one upstream proxy has the value 2 and another upstream proxy has the value 1 and both use the round robin load balancing method, then the proxy with value 2 will receive twice as many web requests as the proxy with value 1. For more information, see Configuring Multiple Upstream Proxy Policies on page 112.
4. Click Save. Network Guardian adds the upstream proxy to the list of current upstream proxies.
5. Repeat the steps above to add other upstream proxies.
Configuring Source and Destination Filters
Network Guardian enables you to create source and destination filters which are used when applying
upstream proxy policies.
Configuring a Destination Filter
Network Guardian uses destination filters to determine which upstream proxy policy to apply based
on the destination domain(s), IP(s) or destination URL regular expressions.
To create a destination filter:
1. Browse to the Web proxy > Upstream proxy > Filters page.
2. Configure the following settings:
   Type – Select Destination.
   Name – Enter a name for the destination filter.
   Comment – Optionally, enter a description or comment.
   IPs/Hostnames – Enter a destination IP address or hostname.
3. Optionally, click Advanced and configure the following setting:
   Destination regular expression URLs – Enter one regular expression URL, including the protocol, per line.
      Note: The full URL is not available for HTTPS requests.
4. Click Save. Network Guardian adds the filter and lists it in the Upstream proxy filters area.
5. Repeat the steps above to add more destination filters.
Configuring a Source Filter
Network Guardian uses source filters to determine which upstream proxy policy to apply based on
the source IP(s), subnet(s) or IP range(s) of the client machine(s).
To create a source filter:
1. Browse to the Web proxy > Upstream proxy > Filters page.
2. Configure the following settings:
   Type – Select Source.
   Name – Enter a name for the filter.
   Comment – Optionally, enter a description or comment.
   IPs/Hostnames – Enter a source IP address, IP address range, network address or hostname. For example:
      192.168.0.1
      192.168.0.1-192.168.0.254
      192.168.0.0/24
      hostname.local
      Note: Hostnames require reverse DNS look-ups to be performed.
3. Click Save. Network Guardian adds the filter and lists it in the Upstream proxy filters area.
4. Repeat the steps above to add more source filters.
Using a Single Upstream Proxy
After configuring upstream proxy settings (see Configuring an Upstream Proxy on page 107), you can
use a single upstream proxy for all web requests.
To use a single upstream proxy:
1. Browse to the Web proxy > Upstream proxy > Manage policies page.
2. In the Global options area, configure the following settings:
Default upstream proxy – Determines the proxy used when no upstream proxy is available, configured or allowed by the policies. From the drop-down list, select an upstream proxy.
Allow direct connections – Select this option to allow direct connections to origin servers. If allowed, a direct connection is made as a final fall-back when the default proxy is unavailable or not configured. For more information, see Enforcing Upstream Proxy Usage on page 114.
Leak client IP with X-Forwarded-For header – Select this option to send the originating IP address of each client request upstream in an X-Forwarded-For header. Leave this option cleared unless the upstream proxy operator needs the client address (for example, for its own per-client policy or logging): the header discloses your internal addressing to the upstream proxy and to anything it forwards the header to.
3. Click Save. Network Guardian starts using the single upstream proxy.
Working with Multiple Upstream Proxies
The following sections discuss general upstream proxy behavior, how to load balance using multiple
upstream proxy policies and how to enforce upstream proxy usage.
About Upstream Proxy Behavior
There are three potential destinations for a web request forwarded to an upstream proxy. These are
as follows, in order of precedence:
1. A pool of one or more proxies which the upstream proxy policies allow to service the request.
2. The default proxy, if configured.
3. Direct forwarding of the request to its origin server, if allowed. An origin server is the target destination of a web request, that is, the server from which a requested resource originates.
Upstream proxy policies are additive. Network Guardian checks requests against all the policies, in
order. Any proxy which is allowed to service a particular request is added to the proxy pool in step
1. If the final pool for a request contains two or more proxies, load-balancing and fail-over rules
decide which one will be sent the request.
Note: The rules above only apply to requests serviced by Network Guardian. If a client behind
Network Guardian is able to obtain direct, unfiltered web access, the client's requests are treated
no differently from other Internet traffic; upstream proxy enforcement is only as strong as the controls that force clients through the proxy in the first place.
Configuring Multiple Upstream Proxy Policies
By configuring multiple upstream proxy policies, you can balance the web request load across two
or more upstream proxies.
To load balance using upstream proxy policies:
1. On the Web proxy > Upstream proxy > Proxies page, configure the upstream proxies you
will be using. See Configuring an Upstream Proxy on page 107 and Configuring Source and
Destination Filters on page 109 for more information.
2. Browse to the Web proxy > Upstream proxy > Manage policies page and click Advanced.
3. Configure the following settings:
Load balancing method – From the drop-down list, select the load balancing method you require. The following methods are available:
• Source IP – Based on the client's IP address, Network Guardian selects one proxy from the set of allowed proxies and uses it as long as that proxy is available. For example: three requests for example.com from one machine might all go via proxy A; three requests from the machine next to it might all go via proxy B.
• Username – Based on the client's username, Network Guardian selects one proxy from the set of allowed proxies and uses it as long as that proxy is available. For example: three requests for example.com while logged in as Alice might all go via proxy A; three requests while logged in as Bob might go via proxy B, even if Bob has the same IP as Alice.
Note: This method requires Network Guardian to be configured for username and password based authentication. See Chapter 6, About Authentication Policies on page 77 for more information.
• Round-robin – Network Guardian cycles through the proxies one by one. Three requests for example.com, with three proxies allowed to serve the request, would send one request via each.
Upstream proxy – From the drop-down list, select the proxy for which you are configuring the policy.
Source filter – From the drop-down list, select Everything.
Destination filter – From the drop-down list, select Everything.
Action – Select Allow.
Comment – Optionally, enter a comment describing the proxy.
Enabled – Select to enable the policy.
4. Click Save. Network Guardian creates the policy and lists it in the Upstream proxy policies table.
5. Configure policies for the other upstream proxies by repeating steps 2 to 4 above.
Once you have configured policies for the upstream proxies you require, Network Guardian
checks every web request against the policy table. Each of the proxies is allowed to
service the request, so the load balancing and failover rules pick the most suitable
proxy. Network Guardian monitors the availability of upstream proxies automatically and avoids
forwarding requests to unavailable proxies.
If none of the proxies permitted to service a request are available, Network Guardian uses
the default proxy. If the default proxy is not available, or no default proxy is configured, the
request is forwarded directly to its origin server, provided Allow direct connections is enabled.
Enforcing Upstream Proxy Usage
If you want to prevent web requests from being forwarded directly to their origin servers when
no permissible upstream proxy is available, disable the Allow direct connections option.
Note: Disabling Allow direct connections removes the last option for forwarding requests in
failure scenarios: if every permitted proxy and the default proxy are down, the affected requests fail rather than go direct. Only disable it to implement a strict requirement that all traffic go through an upstream proxy, and monitor upstream proxy availability accordingly.
For finer-grained control of direct connection behavior, you can configure policies using the dummy
upstream proxy option None. For example, to prevent only YouTube traffic from being sent directly,
enable the Allow direct connections option, then create a policy with upstream proxy None, action
Block, and a destination filter corresponding to the youtube.com domain.
Conversely, to allow direct access only for requests to certain sites, disable Allow direct connections
and create None, Allow policies matching those requests for which direct access is permissible. This
may be useful for bandwidth conservation, if direct access is routed over a slower link than access
to the upstream proxies.
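The selection order from About Upstream Proxy Behavior, the source filter syntax from Configuring a Source Filter and the None-proxy technique above, put together as an added example. This is illustrative code written for the reader of this guide, not Smoothwall's implementation: the class and function names, the treatment of a Block policy as removing that proxy from the pool, the SHA-256 hash used for the Source IP and Username methods, and the sample policy table are all assumptions of the example. Hostname entries, which need reverse DNS, are not modelled.

```python
from __future__ import annotations
import hashlib
import ipaddress
import re
from dataclasses import dataclass

DIRECT = "DIRECT"   # sentinel: send the request straight to the origin server


def match_source(entry: str, client_ip: str) -> bool:
    """One source-filter entry: single IP, 'a-b' range or CIDR network.
    Hostname entries would need a reverse-DNS lookup; they count as no match here."""
    ip = ipaddress.ip_address(client_ip)
    try:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            return lo <= ip <= hi
        if "/" in entry:
            return ip in ipaddress.ip_network(entry, strict=False)
        return ip == ipaddress.ip_address(entry)
    except ValueError:
        return False


@dataclass
class Policy:
    proxy: str | None                 # None models the dummy upstream proxy "None" (direct)
    action: str                       # "Allow" or "Block"
    source: list[str] | None = None   # source-filter entries; None means Everything
    dest: list[str] | None = None     # regular-expression URLs; None means Everything
    enabled: bool = True

    def matches(self, client_ip: str, url: str) -> bool:
        if not self.enabled:
            return False
        src_ok = self.source is None or any(match_source(e, client_ip) for e in self.source)
        dst_ok = self.dest is None or any(re.search(p, url) for p in self.dest)
        return src_ok and dst_ok


class UpstreamSelector:
    def __init__(self, policies, available, default_proxy=None,
                 allow_direct=True, method="Source IP"):
        self.policies = list(policies)
        self.available = set(available)     # proxies the availability monitor reports as up
        self.default_proxy = default_proxy
        self.allow_direct = allow_direct    # the global "Allow direct connections" option
        self.method = method                # "Source IP", "Username" or "Round-robin"
        self._rr = 0

    def select(self, client_ip: str, url: str, username: str | None = None) -> str | None:
        """Return a proxy name, DIRECT, or None when the request cannot be forwarded at all."""
        pool: list[str] = []
        direct_ok = self.allow_direct
        for p in self.policies:              # evaluated in order; Allow results are additive
            if not p.matches(client_ip, url):
                continue
            if p.proxy is None:              # a None policy overrides the global direct setting
                direct_ok = p.action == "Allow"
            elif p.action == "Allow":
                if p.proxy not in pool:
                    pool.append(p.proxy)
            else:                            # assumption: Block removes the proxy from the pool
                pool = [x for x in pool if x != p.proxy]
        live = [x for x in pool if x in self.available]
        if live:                             # 1. allowed pool, load-balanced
            return self._balance(live, client_ip, username)
        if self.default_proxy in self.available:
            return self.default_proxy        # 2. default proxy
        return DIRECT if direct_ok else None  # 3. direct, only if permitted

    def _balance(self, live: list[str], client_ip: str, username: str | None) -> str:
        if self.method == "Round-robin":
            choice = live[self._rr % len(live)]
            self._rr += 1
            return choice
        key = username if self.method == "Username" else client_ip
        if key is None:
            raise ValueError("Username balancing requires authenticated requests")
        digest = hashlib.sha256(key.encode()).digest()   # sticky while the live set is unchanged
        return live[int.from_bytes(digest[:4], "big") % len(live)]


# Constructed sample policy table (assumed names): two load-balanced proxies, YouTube is
# never fetched directly, and the guest subnet may not use proxyB.
POLICIES = [
    Policy("proxyA", "Allow"),
    Policy("proxyB", "Allow"),
    Policy(None, "Block", dest=[r"^https?://([^/]+\.)?youtube\.com/"]),
    Policy("proxyB", "Block", source=["10.0.5.0/24"]),
]

if __name__ == "__main__":
    sel = UpstreamSelector(POLICIES, available={"proxyA", "proxyB"}, default_proxy="proxyA")
    print(sel.select("192.168.0.10", "http://example.com/"))
    strict = UpstreamSelector(POLICIES, available=set(), allow_direct=False)
    print(strict.select("192.168.0.10", "http://example.com/"))   # None: nowhere to send it
```

Running it with every proxy marked unavailable is the quickest way to see the effect of the Allow direct connections option: with it on, example.com falls through to DIRECT while the YouTube request is refused by the None, Block policy; with it off, both are refused.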
Managing Blocklists
A blocklist is a group of pre-configured settings which is updated on a regular basis by Network
Guardian. A blocklist maintains Network Guardian’s list of undesirable, inappropriate or objectionable
content.
Network Guardian automatically checks for and installs blocklist updates. You can also check for and
install blocklist updates manually.
Viewing Blocklist Information
To view blocklist information:
1. Navigate to the System > Maintenance > Licenses page. Blocklist subscription status is displayed.
Note: The information displayed depends on the product you are using.
By default, Network Guardian checks for updated blocklists hourly. When a new blocklist
becomes available, Network Guardian automatically downloads and installs it.
Note: As Network Guardian complies with Internet Watch Foundation (IWF) guidelines, this mode of
working is mandatory. Visit http://www.iwf.org.uk/ for more information.
Manually Updating Blocklists
To manually update blocklists:
1. Navigate to the System > Maintenance > Licenses page.
2. Click Update. The latest blocklists are installed and displayed in the Blocklists subscription area.
Note: In order to download blocklists, you must have a valid blocklist subscription. To obtain a
blocklist subscription, please contact your Network Guardian reseller or Network Guardian directly.
Managing Block Pages
When a user’s web request is blocked, Network Guardian displays a block page advising the user
that they have been blocked from accessing the requested web content. A default web page is
supplied, showing information such as which group the user is in, what the blocked content is
categorized as, and the computer’s IP address, as well as the reason for the block.
You can choose to create and display multiple block pages. Which block page Network Guardian
displays is determined by the block page policies in use. You can configure Network Guardian to
display the following different types of block pages:
• A block page which you have customized — see Customizing the Default Block Page on page 117
• A customized HTML page which you upload to Network Guardian — see Using a Custom HTML Template on page 119
• A block page located at a specified URL — see Using an External Block Page on page 120
About the Default Block Page
The original guide shows a screenshot of the default block page supplied with Network Guardian at this point (not reproduced here).
This block page is shown if a user attempts to browse to a domain listed in the Web Search,
Image Hosting category (for more information about categories see Working with Category Group
Objects on page 41).
The following controls are used in this block page:
• Administrator bypass — Users with bypass privileges can temporarily bypass Guardian for the time specified
• Custom allowed content — Users can choose to add the domain or URL to the Custom allowed, or Custom blocked content categories
• Add URL to category — Users can choose to add the URL to a specified category
• Add domain to category — Users can choose to add the domain to a specified category
For more information about Guardian content categories, see Working with Category Group Objects
on page 41.
You can add more controls to the block page, or change the text and images to suit your
organizational needs. For a detailed description of how to do this, see Customizing the Default Block
Page on page 117.
Customizing the Default Block Page
You can customize the default block page, including the reason for the block and the images. The
following instructions also apply if you are creating additional block pages based on the same layout
as the default block page.
To customize the default block page, or create additional ones, do the following:
1. Navigate to the Guardian > Block page > Block pages page.
2. Configure the following:
• Name — Enter a meaningful name for the block page
• Comment — Enter an optional comment describing the block page
3. Select the Manually create contents for block page option and configure the following:
• Block message — Either use the supplied text, or enter the default message explaining the reason for the block.
• Quota message — Either use the supplied text, or enter the default message shown when a user tries to access content which is time limited. For more information about quotas, see “Working with Quota Objects” on page 142.
• Quota button label — Either use the supplied text, or enter the text used on the quota button which users must click to start using their quota of time to access the content.
• Sub message — Either use the supplied text, or enter a custom, secondary message displayed under the red block banner.
• Administrator’s email address — Optionally, enter the email address of the administrator to be contacted when a request is blocked.
4. To change the images on the block page, or add block page controls, click Advanced and configure the following:
• Custom title image — To replace the Smoothwall logo on the block page, click Choose File, and browse to the location of the required file. Select the image, then click Upload. The word installed appears under Choose File when Network Guardian has successfully uploaded the image.
Note that the default Smoothwall logo is 218 x 35 pixels. It is recommended you do not exceed this height, otherwise the top of the background image may need adjusting. If the supplied background image is retained, the white space at the top may also need adjusting.
Ensure you select Enable custom title image from the attributes list underneath.
• Custom background image — To replace the supplied red motif on the block page, click Choose File, and browse to the location of the required file. Select the image, then click Upload. The word installed appears under Choose File when Network Guardian has successfully uploaded the image.
Note that the outlined box around the central text is 150 pixels from the top of the page. If you are replacing the default image, you must ensure the new image has at least 150 pixels of white space at the top so that the text appears at the top of the outlined box. It is recommended the image is 800 pixels wide, with the motif centered within it.
Ensure you select Enable custom background image from the attributes list underneath.
• Show unblock request — Select to display a button on the block page which allows users to request that a blocked page be unblocked. Clicking the button on the block page opens a pop-up form which, when completed, sends the request via the email server used for alerts.
• Show client username — Select to display the blocked user’s username, if applicable.
• Show email address — Select to display the administrator’s email address.
• Show client IP — Select to display the IP address of the user’s workstation.
• Show client hostname — Select to display the workstation’s hostname on the block page.
• Show user group — Select to display the user’s group membership, if applicable.
• Show unblock controls — Select to display controls on the block page which allow administrators to add domains and URLs to the custom allowed or custom blocked content categories. For more information, see Working with Block Pages on page 122.
• Show reason for block — Select to display the reason why the web request was blocked.
• Show bypass controls — Select to display temporary bypass controls on the block page. These controls allow users with bypass privileges to temporarily bypass Network Guardian. For more information, see Working with Block Pages on page 122.
Note that when an HTTPS inspection policy is enabled (see About the Default Web Filter Policies on page 36) and a user visits a site with an invalid certificate, Network Guardian’s temporary bypass will not work. This is because Network Guardian must check the certificate before authentication information for bypass can be detected. In this case, bypass controls will be visible on the block page if enabled, but will not work.
• Show URL of blocked page — Select to display the URL of the blocked web request.
• Enable custom title image — Select if you have specified a custom title image, see above for more information.
• Show categories matched — Select to display the filter category that caused the page to be blocked, if applicable.
• Enable custom background image — Select if you have specified a custom background image, see above for more information.
Note that Show client username, Show client IP, Show client hostname and Show user group disclose details of the blocked session to whoever is at the browser. Enable only the fields users need in order to understand the block.
5. Click Save to save the block page and make it available for use in a block page policy.
Using a Custom HTML Template
You can create your own block page in HTML. Network Guardian provides a custom block page
template for your use.
To use a custom HTML file as a block page, do the following:
1. Browse to Guardian > Block page > Block pages.
2. Download the block page template by clicking Download the custom block page example. Network Guardian downloads a zip file for your use.
3. Update the template as required, and save it in a zip file archive. Ensure all files needed by the custom block page are included in the zip file, and that the archive is accessible from the browser you use to administer Network Guardian.
4. Browse to Guardian > Block page > Block pages if you have navigated away.
5. Configure the following settings:
• Name — Configure a meaningful name for the block page.
• Comment — If required, configure a comment for the block page.
6. Select Import HTML template from zip file.
7. From Upload zip archive, click Choose file.
8. Locate and select the custom block page archive.
9. Click Upload. Network Guardian unpacks the archive, and makes it available for use in a block page policy.
10. If required, enter your system administrator’s email address to receive unblock requests.
11. Click Save.
Note: Everything in the archive is served to every user who is blocked, so treat the template as you would a page on an internal web server: review third-party templates before uploading them, and keep scripts and references to external resources to a minimum.
Using an External Block Page
Network Guardian enables you to specify an external page as a block page.
To use an external page as a block page:
1. Navigate to the Guardian > Block page > Block pages page and configure the following settings:
Name – Enter a name for the block page.
Comment – Enter a comment describing the block page.
Redirect to block page – Select to enable Network Guardian to use an external block page.
Block page URL – Enter the block page’s URL.
2. Click Save to make it available for use in a block page policy.
Note: Blocked clients are redirected to this URL, so the external page must be reachable by them and must not itself be blocked by the web filter; otherwise users see a failed redirect instead of an explanation.
Configuring a Block Page Policy
By default, Network Guardian displays a standard block page whenever it blocks a user's web request.
You can configure Network Guardian to display a specific block page when a web request is
blocked based on unsuitable or objectionable content, location or time.
To configure a block page policy:
1. Browse to the Guardian > Block page > Policy wizard page.
2. Complete the following steps:
Step 1: Who – From the Available users or groups list, select who will see the block page when content is blocked. Click Next to continue.
Step 2: What – From the Available categories or category groups list, select which categories or category groups will trigger the content being blocked. Click Next to continue. For information on categories, see Working with Category Group Objects on page 41.
Step 3: Where – From the Available locations list, select where the policy applies. Click Next to continue. For information on locations, see Working with Location Objects on page 46.
Step 4: When – From the Available time slots list, select when the policy applies. Click Next to continue. For information on time slots, see Working with Time Slot Objects on page 45.
Step 5: Action – Select which block page to use. For information on the types of block pages you can use, see Managing Block Pages on page 116.
3. Select Enable policy to enable the policy and click Confirm.
4. Network Guardian displays the settings you have specified for the policy. Review the settings and then click Save to save the policy and make it available on the Manage policies page.
Managing Block Page Policies
Block page policies are managed on the Manage policies page. Network Guardian processes policies
in order of priority, from top to bottom, until it finds a match, so place the most specific policies
first. You can change the order by dragging and dropping them on the page.
To manage block page policies:
1. Browse to the Guardian > Block page > Manage policies page.
2. To change the order of the policies displayed, select a policy and drag it to the position you require.
3. Click Save to save the change(s). Network Guardian re-orders the policies.
Working with Block Pages
Depending on how a block page is configured, there may be controls to add URLs and domains to
user-defined blocked or allowed categories, as well as temporary bypass features to allow users with
the correct privileges to access the blocked content.
Adding to User-defined Categories
Note: The availability of these options depends on how the block page is configured. For more
information, see Customizing the Default Block Page on page 117.
To add to user-defined categories:
1. Configure the following settings on the block page:
Control – From the User-defined categories drop-down list, select one of the following options:
• Custom blocked content – Add the blocked URL or domain to the custom blocked category.
• Custom allowed content – Add the blocked URL or domain to the custom allowed category.
Temporary Bypass – Enables temporary bypass of the block page if the user has the necessary privileges. Select from the following options:
• 5 minutes – Temporarily bypass the block page for 5 minutes.
• 30 minutes – Temporarily bypass the block page for 30 minutes.
• 1 hour – Temporarily bypass the block page for 1 hour.
When prompted, enter the bypass password.
Note: The temporary bypass and control options use non-standard port 442. This is to enable
administrator access controls to be used without affecting these features. Clients must therefore be
able to reach Network Guardian on port 442; if a firewall between the clients and Network Guardian
blocks it, the controls appear on the block page but do nothing.
8 Managing Your Network Infrastructure
This chapter describes how to manage various aspects of your Network Guardian network,
including:
• Creating Subnets on page 123
• Using RIP on page 124
Creating Subnets
Large organizations often find it advantageous to group computers from different departments, floors
and buildings into their own subnets, usually with network hubs and switches.
Note: This functionality only applies to subnets available via an internal gateway.
To create a subnet rule:
1. Navigate to the Networking > Routing > Subnets page.
2. Configure the following settings:
Network – Enter the IP address that specifies the network ID part of the subnet definition when combined with a netmask value.
Netmask – Enter a network mask that specifies the size of the subnet when combined with the network field.
Gateway – Enter the IP address of the gateway device through which the subnet is reached. This must be an address on a network zone that Network Guardian is directly attached to: Network Guardian has to be able to route to the gateway device for the subnet to be configured successfully.
Metric – Enter a router metric to set the order in which the route is evaluated, with 0 being the highest priority and the default for new routes.
Comment – Enter a description of the rule.
Enabled – Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.
Editing and Removing Subnet Rules
To edit or remove existing subnet rules, use Edit and Remove in the Current rules area.
Using RIP
The Routing Information Protocol (RIP) service enables network-wide convergence of routing
information amongst gateways and routers. A RIP-enabled gateway advertises its entire routing table to
its neighbors, typically every 30 seconds.
Network Guardian’s RIP service can:
• Operate in import, export or combined import/export mode
• Support password and MD5 authentication
• Export direct routes to the system’s internal interfaces.
To configure the RIP service:
1. Navigate to the Networking > Routing > RIP page.
2. Configure the following settings:
Enabled – Select to enable the RIP service.
Scan interval – From the drop-down menu, select the time delay between routing table imports and exports. Select a frequent scan interval for networks with fewer hosts. For networks with greater numbers of hosts, choose a less frequent scan interval.
Note: There is a performance trade-off between the number of RIP-enabled devices, network hosts and the scan frequency of the RIP service. The periodic exchange of routing information between RIP-enabled devices increases the ambient level of traffic on the host network. Accordingly, administrators responsible for larger networks should consider increasing the RIP scan interval, or whether the RIP service is suitable for propagating routing information at all.
Direction – From the drop-down menu, select how to manage routing information. The following options are available:
• Import and Export – The RIP service adds to and updates its routing table from information received from other RIP-enabled gateways, and also broadcasts its routing table for use by other RIP-enabled gateways.
• Import – The RIP service adds to and updates its routing table from information received from other RIP-enabled gateways.
• Export – The RIP service only broadcasts its routing table for use by other RIP-enabled gateways.
Logging level – From the drop-down menu, select the level of logging.
RIP interfaces – Select each interface that the RIP service should import/export routing information to/from. Do not enable RIP on an interface facing an untrusted network: in a mode that imports, anyone who can send RIP packets to that interface can inject routes into Network Guardian.
Authentication – Enabling RIP authentication ensures that routing information is only imported and exported amongst trusted RIP-enabled devices. Select one of the following options to manage authentication:
• None – Routing information can be imported and exported between any RIP devices. We do not recommend this option from a security standpoint.
• Password – A plain text password is specified which must match the other RIP devices. The password is carried in the clear in every RIP packet, so it protects against misconfiguration rather than against an attacker who can see traffic on the segment.
• MD5 – A shared secret is specified which must match the other RIP devices. The secret itself is not sent; each packet carries an MD5 digest computed over the packet and the secret, so a device that does not hold the secret cannot produce acceptable updates. Prefer this option whenever the peer devices support it.
Password – If Password is selected as the authentication method, enter a password for RIP authentication.
Again – If Password is selected as the authentication method, re-enter the password to confirm it.
Direct routing interfaces – Optionally, select interfaces whose routes to the RIP service’s own interfaces should also be included when exporting RIP data. This ensures that other RIP devices are able to route directly and efficiently to each exported interface.
3. Click Save.
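To make the difference between the None, Password and MD5 options concrete, the following added example (written for this guide, not Smoothwall code) builds a RIPv2 response (RFC 2453) carrying a simple-password authentication entry and decodes it again, showing that the password travels in the clear and that a peer in Password mode accepts any packet that merely repeats it. The packet layout follows the RFC; the route and the secret are constructed for the example, and keyed MD5 authentication (RFC 2082) is named but not implemented.

```python
import ipaddress
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AUTH_AFI = 0xFFFF        # address-family value that marks an authentication entry
AUTH_SIMPLE = 2          # RFC 2453 section 4.1: 16-octet plain-text password
AUTH_MD5 = 3             # RFC 2082: keyed MD5 digest, secret never transmitted (not built here)
AF_INET = 2
ENTRY_LEN = 20           # every RIPv2 entry, authentication or route, is 20 octets


def build_response(routes, password=None):
    """routes: iterable of (network/prefix, next_hop, metric). Returns the raw packet bytes."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    if password is not None:
        secret = password.encode()
        if len(secret) > 16:
            raise ValueError("RIPv2 simple password is at most 16 octets")
        pkt += struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, secret)   # null-padded on the wire
    for net, next_hop, metric in routes:
        n = ipaddress.ip_network(net)
        pkt += struct.pack("!HH4s4s4sI", AF_INET, 0, n.network_address.packed,
                           n.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)
    return pkt


def parse_response(pkt):
    """Decode a RIPv2 response; returns (auth_type, plaintext_password_or_None, routes)."""
    if len(pkt) < 4 or (len(pkt) - 4) % ENTRY_LEN:
        raise ValueError("malformed RIP packet")
    cmd, ver, _ = struct.unpack("!BBH", pkt[:4])
    if cmd != RIP_RESPONSE or ver != RIP_V2:
        raise ValueError("not a RIPv2 response")
    auth_type, password, routes = None, None, []
    for off in range(4, len(pkt), ENTRY_LEN):
        entry = pkt[off:off + ENTRY_LEN]
        afi, second = struct.unpack("!HH", entry[:4])
        if afi == AUTH_AFI and off == 4:        # the authentication entry must come first
            auth_type = second
            if second == AUTH_SIMPLE:
                password = entry[4:].rstrip(b"\x00").decode()   # readable by any sniffer
            continue
        _, _tag, addr, mask, nh, metric = struct.unpack("!HH4s4s4sI", entry)
        net = ipaddress.ip_network(f"{ipaddress.ip_address(addr)}/{ipaddress.ip_address(mask)}")
        routes.append((str(net), str(ipaddress.ip_address(nh)), metric))
    return auth_type, password, routes


def accepted_by_password_peer(pkt, configured_password):
    """The whole check a Password-mode peer performs: the 16-octet field equals its own
    password. Anyone who captured one authenticated packet can therefore forge routes."""
    auth_type, password, _ = parse_response(pkt)
    return auth_type == AUTH_SIMPLE and password == configured_password


if __name__ == "__main__":
    # Constructed sample: advertise 10.1.0.0/16 with the plain-text password "s3cret".
    pkt = build_response([("10.1.0.0/16", "0.0.0.0", 1)], password="s3cret")
    print(pkt.hex())             # the password is visible in the hex dump
    print(parse_response(pkt))
```

The hex dump printed by the sample shows the password bytes immediately after the ffff0002 authentication marker, which is exactly what a packet capture on the segment would show; this is why the Password option is only a safeguard against accidental peering, and MD5 is the option to use where routing information must be trusted.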
9 General Network Security Settings
This chapter describes how to secure your Network Guardian network, including:
• Blocking by IP on page 127
• Configuring Advanced Networking Features on page 129
• Working with Port Groups on page 132
Blocking by IP
IP block rules can be created to block network traffic originating from certain source IPs or network
addresses. IP block rules are primarily intended to block hostile hosts from the external network,
however, it is sometimes useful to use this feature to block internal hosts, for example, if an internal
system has been infected by malware.
IP block rules can also operate in an exception mode – allowing traffic from certain source IPs or
network addresses to always be allowed.
Creating IP Blocking Rules
IP block rules block all traffic to/from certain network hosts, or between certain parts of distinct
networks.
To create an IP block rule:
1. Navigate to the Networking > Filtering > IP block page.
2. Configure the following settings:
Source IP or network – Enter the source IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
• An individual network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter an appropriate subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
Destination IP or network – Enter the destination IP, IP range or subnet range of IP addresses to block or exempt, using the same forms as for the source: an individual IP address (192.168.10.1), an IP address range (192.168.10.1-192.168.10.15) or a subnet range (192.168.10.0/255.255.255.0 or 192.168.10.0/24).
Drop packet – Select to silently discard any packet from the source IP or network. The effect is similar to disconnecting the appropriate interface from the network, and it gives a hostile scanner no indication that a firewall is present.
Reject packet – Select to send an ICMP destination-unreachable message back to the originating IP (the client typically reports this as a refused connection); no communication is possible. Reject makes failures quicker to diagnose for internal hosts, but it confirms to an external sender that something is filtering its traffic.
Exception – Select to always allow the source IPs specified in the Source IP or Network field to communicate, regardless of all other IP block rules. Exception rules are typically used in conjunction with other IP block rules, for example, where one IP block rule drops traffic from a subnet range of IP addresses, and another IP block rule creates exception IP addresses within it.
Log – Select to log all activity from this IP.
Comment – Optionally, describe the IP block rule.
Enabled – Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.
Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share
the same subnet. Such traffic is not routed via the firewall, and therefore cannot be blocked by it.
Editing and Removing IP Block Rules
To edit or remove existing IP block rules, use Edit and Remove in the Current rules area.
Configuring Advanced Networking Features
Network Guardian’s advanced networking settings can help prevent denial of service (DoS) attacks
and enforce TCP/IP standards to stop broken network devices from causing disruption.
To configure advanced networking features:
1. Navigate to the Networking > Settings > Advanced page.
129
Network Guardian Administration Guide
2.
General Network Security Settings
Configure the following feature settings:
Setting
Description
Block and ignore
ICMP ping broadcasts – Select to prevent the system responding to
broadcast ping messages from all network zones (including external).
This can prevent the effects of a broadcast ping-based DoS attack.
ICMP ping – Select to block all ICMP ping requests going to or through
Network Guardian.
This will effectively hide the machine from Internet Control Message
Protocol (ICMP) pings, but this can also make connectivity problems
more difficult to diagnose.
IGMP packets – Select this option to block and ignore multi-cast
reporting Internet Group Management Protocol (IGMP) packets.
IGMP packets are harmless and are most commonly observed when
using cable modems to provide external connectivity.
If your logs contain a high volume of IGMP entries, enable this option to
ignore IGMP packets without generating log entries.
Multicast traffic – Select this option to block multicast messages on
network address 224.0.0.0 from ISPs and prevent them generating large
volumes of spurious log entries.
SYN+FIN packets – Select to automatically discard packets used in
SYN+FIN scans used passively scan systems.
Generally, SYN+FIN scans result in large numbers of log entries being
generated. With this option enabled, the scan packets are automatically
discarded and are not logged.
Enable
SYN cookies – Select to defend the system against SYN flood attacks.
A SYN flood attack is where a huge number of connection requests, SYN
packets, are sent to a machine in the hope that it will be overwhelmed.
The use of SYN cookies is a standard defence mechanism against this
type of attack, the aim being to avoid a DoS attack.
TCP timestamps – Select this option to enable TCP timestamps
(RFC1323) to improve TCP performance on high speed links.
Selective ACKs – Select this option to enable selective ACKs
(RFC2018) to improve TCP performance when packet loss is high.
Window scaling – Select this option to enable TCP window scaling to
improve the performance of TCP on high speed links.
ECN – Select this option to enable Explicit Congestion Notification (ECN),
a mechanism for avoiding network congestion.
While effective, it requires communicating hosts to support it, and some
routers are known to drop packets marked with the ECN bit. For this
reason, this feature is disabled by default.
ARP filter – Select this option to enable the ARP filter. This option can
be enabled if your network is experiencing ARP flux.
130
Smoothwall Ltd
Network Guardian Administration Guide
General Network Security Settings
Setting
Description
ARP table size
You should increase the ARP table size if the number of directly
connected machines or IP addresses is more than the value shown in the
drop-down box.
In normal situations, the default value of 2048 will be adequate, but in very
big networks, select a bigger value.
Directly connected machines are those which are not behind an
intermediate router but are instead directly attached to one of Network
Guardian's network interfaces.
Connection tracking
table size
Select to store information about all connections known to the system.
This includes NATed sessions, and traffic passing through the firewall.
The value entered in this field determines the table’s maximum size. In
operation, the table is automatically scaled to an appropriate size within
this limit, according to the number of active connections and their
collective memory requirements.
Occasionally, the default size, which is set according to the amount of
memory, is insufficient – use this field to configure a larger size.
SYN backlog queue
size
Select this option to set the maximum number of requests which may be
waiting in a queue to be answered.
The default value for this setting is usually adequate, but increasing the
value may reduce connection problems for an extremely busy proxy
service.
Audit
Traffic auditing is a means of recording extended traffic logs for the
purpose of analyzing the different types of incoming, outgoing and
forwarded traffic.
Direct incoming traffic – Select to log all new connections to all
interfaces that are destined for the firewall.
Forwarded traffic – Select to log all new connections passing through
one interface to another.
Direct outgoing traffic – Select to log all new connections from any
interface.
Note: It is possible that auditing traffic generates vast amounts of
logging data. Ensure that the quantity of logs generated is
acceptable.
Traffic auditing logs are viewable on the Logs and reports > Logs >
Firewall page.
Drop all direct traffic on internal interfaces
Select any internal interfaces which have hosts on them that do not
require direct access to the system but do require access to other
networks connected to Network Guardian.
3. Click Save to enable the settings you have selected.
Working with Port Groups
You can create and edit named groups of TCP/UDP ports for use throughout Network Guardian.
Creating port groups significantly reduces the number of rules needed and makes rules more flexible.
For example, you can create a port group to make a single port forward to multiple ports and modify
which ports are in the group without having to recreate the rules that use it. In this way you could
easily add a new service to all your DMZ servers.
Creating a Port Group
To create a port group:
1. Navigate to the Networking > Settings > Port groups page.
2. In the Port groups area, click New and configure the following settings:
Setting
Description
Group name
Enter a name for the port group and click Save.
Name
Enter a name for the port or range of ports you want to add to the group.
Port
Enter the port number or numbers.
For one port, enter the number.
For a range, enter the start and end numbers separated by a colon, for
example: 1024:65535
For non-consecutive ports, create a separate entry for each port number.
Comment
Optionally, add a descriptive comment for the port or port range.
3. Click Add. The port, ports or port range is added to the group.
Adding Ports to Existing Port Groups
To add a new port:
1. Navigate to the Networking > Settings > Port groups page.
2. Configure the following settings:
Setting
Description
Port groups
From the drop-down list, select the group you want to add a port to and
click Select.
Name
Enter a name for the port or range of ports you want to add to the group.
Port
Enter the port number or numbers.
For one port, enter the number.
For a range, enter the start and end numbers separated by a colon, for
example: 1024:65535
Comment
Optionally, add a descriptive comment for the port or port range.
3. Click Add. The port, ports or range are added to the group.
Editing Port Groups
To edit a port group:
1. Navigate to the Networking > Settings > Port groups page.
2. From the Port groups drop-down list, select the group you want to edit and click Select.
3. In the Current ports area, select the port you want to change and click Edit.
4. In the Add a new port area, edit the port and click Add. The edited port, ports or range is updated.
Deleting a Port Group
To delete a port group:
1. Navigate to the Networking > Settings > Port groups page.
2. From the Port groups drop-down list, select the group you want to delete and click Select.
3. Click Delete.
Note: Deleting a port group cannot be undone.
10 Configuring Inter-Zone Security
This chapter describes how to configure bridging between network zones, including:
• About Zone Bridging Rules on page 135
• Creating a Zone Bridging Rule on page 136
• Editing and Removing Zone Bridge Rules on page 138
• A Zone Bridging Tutorial on page 138
• Group Bridging on page 140
About Zone Bridging Rules
By default, all internal network zones are isolated by Network Guardian. Zone bridging is the process
of modifying this, in order to allow some kind of communication to take place between a pair of
network zones.
A zone bridging rule defines a bridge in the following terms:
Term
Description
Zones
Defines the two network zones between which the bridge exists.
Direction
Defines whether the bridge is accessible one-way or bi-directionally.
Source
Defines whether the bridge is accessible from an individual host, a range of
hosts, a network or any host.
Destination
Defines whether the bridge allows access to an individual host, a range of
hosts, a network or any host.
Service
Defines what ports and services can be used across the bridge.
Protocol
Defines what protocol can be used across the bridge.
It is possible to create a narrow bridge, e.g. a one-way, single-host to single-host bridge, using a
named port and protocol, or a wide or unrestricted bridge, for example, a bi-directional, any-host to
any-host bridge, using any port and protocol.
In general, make bridges as narrow as possible to prevent unnecessary or undesirable use.
Creating a Zone Bridging Rule
Zone bridging rules enable communications between specific parts of separate internal networks.
To create a zone bridging rule:
1. Navigate to the Networking > Filtering > Zone bridging page.
2. Configure the following settings:
Setting
Description
Source interface
From the drop-down menu, select the source network zone.
Destination interface
From the drop-down menu, select the destination network zone.
Bi-directional
Select to create a two-way bridge where communication can be initiated
from either the source interface or the destination interface.
Note: To create a one-way bridge where communication can only be
initiated from the source interface to the destination interface and
not vice versa, ensure that this option is not selected.
Protocol
From the drop-down list, select a specific protocol to allow for
communication between the zones or select All to allow all protocols.
Source IP
Enter the source IP, IP range or subnet range from which access is
permitted.
To create a bridge from:
• A single network host, enter its IP address, for example:
192.168.10.1.
• A range of network hosts, enter an appropriate IP address range,
for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter an appropriate subnet
range, for example: 192.168.10.0/255.255.255.0 or
192.168.10.0/24.
• Any network host in the source network, leave the field blank.
Destination IP
Enter the destination IP, IP range or subnet range to which access is
permitted.
To create a bridge to:
• A single network host, enter its IP address, for example:
192.168.10.1.
• A range of network hosts, enter an IP address range, for example:
192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter a subnet range, for
example: 192.168.10.0/255.255.255.0 or
192.168.10.0/24.
• Any network host in the destination network, leave the field blank.
Service
From the drop-down list, select the services, port range or group of ports
to which access is permitted.
Or, select User defined and leave the Port field blank to permit access
to all ports for the relevant protocol.
Note: This is only applicable to TCP and UDP.
Port
If User defined is selected as the destination port, specify the port
number.
Or, leave the field blank to permit access to all ports for the relevant
protocol.
Comment
Enter a description of the bridging rule.
Enabled
Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.
Editing and Removing Zone Bridge Rules
To edit or remove existing zone bridging rules, use Edit and Remove in the Current rules area.
A Zone Bridging Tutorial
In this tutorial, we will use the following two local network zones:
Network zone – Description – IP address
Protected network – Contains local user workstations and confidential business data – 192.168.100.0/24
DMZ – Contains a web server – 192.168.200.0/24
Note: The DMZ network zone is a DMZ in name alone – until appropriate bridging rules are created,
neither zone can see or communicate with the other.
In this example, we will create a DMZ that:
• Allows restricted external access to a web server in the DMZ, from the Internet.
• Does not allow access to the protected network from the DMZ.
• Allows unrestricted access to the DMZ from the protected network.
A single zone bridging rule will satisfy the bridging requirements, while a simple port forward will
forward HTTP requests from the Internet to the web server in the DMZ.
Creating the Zone Bridging Rule
To create the rule:
1. Navigate to the Networking > Filtering > Zone bridging page and configure the following
settings:
Setting
Description
Source interface
From the drop-down menu, select the protected network.
Destination interface
From the drop-down menu, select the DMZ.
Protocol
From the drop-down list, select All.
Comment
Enter a description of the rule.
Enabled
Select to activate the bridging rule once it has been added.
2. Click Add. Hosts in the protected network will now be able to access any host or service in the
DMZ, but not vice versa.
Allowing Access to the Web Server
To allow access to a web server in the DMZ from the Internet:
1. Navigate to the Networking > Firewall > Port forwarding page and configure the following
settings:
Setting
Description
Protocol
From the drop-down list, select TCP.
Destination IP
Enter the IP address of the web server 192.168.200.10.
Source
From the drop-down menu, select HTTP (80) to forward HTTP requests
to the web server.
Comment
Enter a description, such as Port forward to DMZ web server.
Enabled
Select to activate the port forward rule once it has been added.
2. Click Add.
Accessing a Database on the Protected Network
Multiple zone bridging rules can be used to further extend the communication allowed between the
zones. As an extension to the previous example, a further requirement might be to allow the web
server in the DMZ to communicate with a confidential database in the Protected Network.
To create the rule:
1. Navigate to the Networking > Filtering > Zone bridging page and configure the following
settings:
Setting
Description
Source interface
From the drop-down menu, select DMZ.
Destination interface
From the drop-down menu, select Protected Network.
Protocol
From the drop-down menu, select TCP.
Source IP
Enter the web server’s IP address: 192.168.200.10
Destination IP
Enter the database’s IP address: 192.168.100.50
Service
Select User defined.
Port
The database service is accessed on port 3306. Enter 3306.
Comment
Enter a comment: DMZ web server to Protected Network DB.
Enabled
Select Enabled to activate the bridging rule once it has been added.
2. Click Add.
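The two rules of this tutorial (the wide protected-to-DMZ bridge and the narrow web-server-to-database bridge) can be checked against the field conventions given in the settings tables: a blank IP or Port field means any host or any port, a hyphenated address range, a subnet written with a netmask or in CIDR form, and start:end port ranges as used on the Port groups page. The following Python script is an added example, not Network Guardian code or Smoothwall's implementation. It models those conventions (BridgeRule, is_permitted, the zone labels and the test addresses such as 192.168.100.20 and 192.168.200.11 are this example's own, and the handling of a Bi-directional bridge is an assumption) and evaluates the tutorial's connections against the two rules, showing that the DMZ web server reaches only the database, only on port 3306, and only over TCP.

```python
"""Evaluates zone bridging rules as the chapter describes them.

Added illustration, not Network Guardian code. Field semantics follow the
guide's settings tables: blank = any, 'a-b' = address range, 'net/mask' or
'net/prefix' = subnet, 'start:end' = port range, and a bridge is one-way
unless Bi-directional is set. Names and the bi-directional handling are
this example's own assumptions.
"""
import ipaddress
from dataclasses import dataclass


def parse_ports(spec):
    """Port field: blank = any port; '80' = one port; '1024:65535' = a range
    (the start:end syntax of the Port groups page). Returns (low, high) or None."""
    spec = spec.strip()
    if not spec:
        return None
    low, _, high = spec.partition(":")
    low = int(low)
    high = int(high) if high else low
    if not 1 <= low <= high <= 65535:
        raise ValueError("bad port specification: %r" % spec)
    return (low, high)


def address_matches(spec, addr):
    """IP field: blank = any host; 'a-b' = inclusive range; 'net/mask' or
    'net/prefix' = subnet; otherwise a single host."""
    spec = spec.strip()
    if not spec:
        return True
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return first <= ip <= last
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)


@dataclass
class BridgeRule:
    source_zone: str
    dest_zone: str
    protocol: str = "all"      # "all", "tcp", "udp", ...
    source_ip: str = ""        # blank = any host in the source zone
    dest_ip: str = ""          # blank = any host in the destination zone
    port: str = ""             # destination port(s); blank = all ports
    bidirectional: bool = False
    enabled: bool = True

    def _match(self, src_zone, dst_zone, proto, src_ip, dst_ip, dport):
        if (src_zone, dst_zone) != (self.source_zone, self.dest_zone):
            return False
        if self.protocol.lower() not in ("all", proto):
            return False
        if not (address_matches(self.source_ip, src_ip)
                and address_matches(self.dest_ip, dst_ip)):
            return False
        ports = parse_ports(self.port)
        if ports and proto in ("tcp", "udp"):   # ports only apply to TCP and UDP
            return ports[0] <= dport <= ports[1]
        return True

    def permits(self, src_zone, dst_zone, proto, src_ip, dst_ip, dport=0):
        if not self.enabled:
            return False
        if self._match(src_zone, dst_zone, proto, src_ip, dst_ip, dport):
            return True
        # A bi-directional bridge also accepts connections initiated from the
        # destination side. Assumption of this example: the IP fields swap with
        # the zones and the port still refers to the port being connected to.
        return self.bidirectional and self._match(
            dst_zone, src_zone, proto, dst_ip, src_ip, dport)


def is_permitted(rules, src_zone, dst_zone, proto, src_ip, dst_ip, dport=0):
    """Zones are isolated by default, so a connection is allowed only if at
    least one enabled rule permits it."""
    proto = proto.lower()
    return any(r.permits(src_zone, dst_zone, proto, src_ip, dst_ip, dport)
               for r in rules)


# The tutorial's two rules, built from the values the text gives.
TUTORIAL_RULES = [
    BridgeRule("protected", "dmz"),                       # all protocols, any to any
    BridgeRule("dmz", "protected", protocol="tcp",
               source_ip="192.168.200.10", dest_ip="192.168.100.50", port="3306"),
]


def tutorial_checks(rules=TUTORIAL_RULES):
    """The connections a practitioner would test after adding the rules.
    The workstation and second DMZ host addresses are constructed for this example."""
    web, db, workstation = "192.168.200.10", "192.168.100.50", "192.168.100.20"
    return {
        "workstation_to_web": is_permitted(rules, "protected", "dmz", "tcp", workstation, web, 80),
        "web_to_db": is_permitted(rules, "dmz", "protected", "tcp", web, db, 3306),
        "web_to_db_other_port": is_permitted(rules, "dmz", "protected", "tcp", web, db, 22),
        "web_to_workstation": is_permitted(rules, "dmz", "protected", "tcp", web, workstation, 3306),
        "other_dmz_host_to_db": is_permitted(rules, "dmz", "protected", "tcp", "192.168.200.11", db, 3306),
    }


if __name__ == "__main__":
    for name, allowed in tutorial_checks().items():
        print(name, "ALLOW" if allowed else "DENY")
```

Running the script prints ALLOW for the two intended paths and DENY for the three that the narrow rule should not open; widening the second rule (blank Source IP, blank Port, or protocol All) turns the DENY lines into ALLOW, which is the practical reason the chapter recommends keeping bridges as narrow as possible.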
Group Bridging
By default, authenticated users may only access network resources within their current network
zone, or that are allowed by any active zone bridging rules. Group bridging is the process of
modifying this default security policy, in order to allow authenticated users from any network zone to
access specific IP addresses, IP ranges, subnets and ports within a specified network zone.
Authenticated groups of users can be bridged to a particular network by creating group bridging
rules. A group bridging rule defines a bridge in the following terms:
• Group – The group of users from the authentication sub-system that may access the bridge.
• Zone – The destination network zone.
• Destination – Defines whether the bridge allows access to an individual host, a range of hosts,
a subnet of hosts or any host.
• Service – Defines what ports and services can be used across the bridge.
• Protocol – Defines what protocol can be used across the bridge.
Like zone bridges, group bridges can be narrow (e.g. allow access to a single host, using a named
port and protocol) or wide (e.g. allow access to any host, using any port and protocol).
In general, bridges should be made as narrow as possible to prevent unnecessary or undesirable
use.
Group Bridging and Authentication
Group bridging uses the core authentication mechanism, meaning that users must be preauthenticated before group bridging rules can be enforced by Network Guardian.
Users can authenticate themselves using the authentication system’s Login mechanism, either
automatically when they try to initiate outbound web access or manually by browsing to the secure
SSL Login page.
Authentication can also be provided by any other mechanism used elsewhere in the system. For
further information about authentication, see Chapter 11, Authentication and User Management on
page 143.
Creating Group Bridging Rules
Group bridging rules apply additional zone communication rules to authenticated users.
To create a group bridging rule:
1. Navigate to the Networking > Filtering > Group bridging page.
2. Configure the following settings:
Setting
Description
Groups
From the drop-down menu, select the group of users that this rule will
apply to.
Select
Click to select the group.
Destination interface
Select the interface that the group will be permitted to access.
Destination IP
Enter the destination IP, IP range or subnet range that the group will be
permitted to access. To create a rule to allow access to:
• A single network host in the destination network, enter its IP
address, for example: 192.168.10.1.
• A range of network hosts in the destination network, enter an
appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts in the destination network, enter
an appropriate subnet range, for example:
192.168.10.0/255.255.255.0 or
192.168.10.0/24.
• Any network host in the destination network, leave the field blank.
Protocol
From the drop-down list, select a specific protocol to allow for
communication between the zones or select All to allow all protocols.
Service
From the drop-down list, select the service, port or port range to be used.
To restrict to a custom port, select User defined and enter a port
number in the Port field.
To allow any service or port to be used, select User defined and leave
the Port field empty.
Port
If applicable, enter a destination port or range of ports. If this field is blank,
all ports for the relevant protocol will be permitted.
Comment
Enter a description of the rule.
Enabled
Select to enable the rule.
3. Click Add. The rule is added to the Current rules table.
Editing and Removing Group Bridges
To edit or remove existing group bridging rules, use the Edit and Remove buttons in the Current
rules region.
11 Authentication and User Management
This chapter describes how to configure authentication methods, and manage users, including:
• About User Authentication on page 143
• Configuring Global Authentication Settings on page 144
• About Directory Services on page 145
• Managing Local Users on page 155
• Managing Groups of Users on page 156
• Mapping Groups on page 158
• Managing Temporarily Banned Users on page 159
• Managing User Activity on page 161
• About SSL Authentication on page 162
• Managing Kerberos Keytabs on page 164
• Authenticating Chromebook Users on page 167
About User Authentication
User authentication determines who the user is and their group membership, if configured or
received from an external source. This in turn determines the level of access available to
authentication-enabled services.
The majority of web filtering policies require mandatory user authentication. Typically,
unauthenticated users are prevented from accessing authentication-enabled services such as the
Internet.
Firewall services typically classify unauthenticated users as Unauthenticated IPs (see Managing
Groups of Users on page 156). Only limited access to authentication-enabled services may be
available to this group, or even no access at all.
In any case, a failed authentication attempt results in either a request to retry authentication, or an
error.
Configuring Global Authentication Settings
Global authentication settings determine the common behavior, irrespective of the authentication
method used, such as, login timeout and debug level.
To configure global authentication settings, do the following:
1. Browse to Services > Authentication > Settings.
2. Configure the following:
• Login timeout (minutes) — Determines the inactivity period after which the user is logged
out. The default timeout is 10 (minutes).
Setting a short login timeout increases the load on the machine for SSL login methods (see
About SSL Authentication on page 162). It also increases the rate of re-authentication
requests.
Setting a long login timeout may enable unauthorized users to access the network if users
leave computers without actively logging out.
The behavior of some authentication mechanisms is automatically adjusted by the timeout
period. For example, the SSL Login refresh rate updates to ensure that authenticated users
do not time out — see Managing Authentication Policies on page 87.
• Concurrent login sessions (per user) — Determines the number of login attempts
allowed per user.
You can either choose to have No limit on the number of attempts, or enter the number of
attempts allowed.
• Logging level — Determines the level of authentication logging. Valid choices are:
Normal – Logs user login and LDAP server information
Verbose – As Normal, but also logs request, response and result information. This is useful
when troubleshooting possible authentication issues.
• Normalize usernames — Determines whether all variations of username and domain are
normalized into the same format. For example, Active Directory prefers DOMAIN\user, but
can accept user, [email protected], DOMAIN.COM\user, DOMAIN\user, and so on.
Network Guardian stores the user-supplied username in the configured directory server’s
preferred format. This reduces the number of possible forms of a username to one,
preventing users from circumventing temporary bans by using a different format of username, for
example. For a detailed description of each preferred format, see About Directory Services
on page 145.
If you are migrating configuration from another Network Guardian installation (refer to the
Network Guardian Installation Guide), this setting is disabled by default so that log searches and
username-based reports continue to work, and so that any temporary bans created before the
migration still apply. If required, this feature can then be enabled at a convenient time.
3. Click Save changes.
Tip: You should encourage users to proactively log out of the system to ensure that other users of
their workstation cannot assume their privileges before the Login timeout (minutes) period has elapsed.
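To see why Normalize usernames matters for temporary bans, the following Python script is an added example (not Network Guardian code or Smoothwall's implementation). It collapses the Active Directory spellings listed above to the DOMAIN\user preferred format and compares a ban list with and without normalization. The function and class names, the example.com domain and the user names are this example's own; it also assumes that the NetBIOS domain name is the first label of the DNS domain in upper case and that user names compare case-insensitively.

```python
"""Username normalization and its effect on temporary bans.

Added example, not Network Guardian code. It implements the behaviour the
Normalize usernames setting describes for Active Directory (every accepted
spelling collapses to DOMAIN\\user) and shows a ban list with and without it.
Assumptions of this example: the NetBIOS domain name is the first label of
the DNS domain in upper case, and user names compare case-insensitively.
"""


def normalize_username(raw, default_domain):
    """Collapse user, user@domain.com, DOMAIN.COM\\user and DOMAIN\\user
    to DOMAIN\\user, the Active Directory preferred format named in the guide."""
    raw = raw.strip()
    if "\\" in raw:
        domain, user = raw.split("\\", 1)
    elif "@" in raw:
        user, domain = raw.rsplit("@", 1)
    else:
        user, domain = raw, default_domain
    if not user:
        raise ValueError("empty user name in %r" % raw)
    netbios = domain.split(".")[0].upper()      # assumption: NetBIOS name = first DNS label
    return "%s\\%s" % (netbios, user.lower())   # assumption: case-insensitive user names


class TemporaryBans:
    """Keeps banned usernames. With normalization off, each spelling is a
    separate key, so a banned user can log in again under another spelling."""

    def __init__(self, default_domain, normalize=True):
        self.default_domain = default_domain
        self.normalize = normalize
        self._banned = set()

    def _key(self, username):
        if self.normalize:
            return normalize_username(username, self.default_domain)
        return username.strip()

    def ban(self, username):
        self._banned.add(self._key(username))

    def is_banned(self, username):
        return self._key(username) in self._banned


def ban_bypass_demo(normalize):
    """Ban 'EXAMPLE\\alice' (constructed sample) and report, for each
    alternative spelling, whether the ban still applies."""
    bans = TemporaryBans("example.com", normalize=normalize)
    bans.ban("EXAMPLE\\alice")
    spellings = ["alice", "alice@example.com", "EXAMPLE.COM\\alice", "Alice@EXAMPLE.COM"]
    return {s: bans.is_banned(s) for s in spellings}


if __name__ == "__main__":
    print("normalization off:", ban_bypass_demo(False))
    print("normalization on: ", ban_bypass_demo(True))
```

With normalization off, every alternative spelling reports False, that is, the ban on EXAMPLE\alice does not apply to alice@example.com; with normalization on, all four spellings map to the same stored key and the ban holds. This is also why a migrated installation that leaves the setting off keeps its pre-migration bans keyed on the original spellings.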
About Directory Services
The Network Guardian authentication service is designed to enable Network Guardian to connect to
multiple directory services in order to:
• Retrieve groups configured in directories, and apply network and web filtering permissions to
users based on group membership within directories
• Verify the identity of a user who is trying to access network or Internet resources.
Once the connection to a directory service has been configured, Network Guardian retrieves a list of
the groups configured in the directory and maps them to the groups available in Network Guardian.
When the groups have been mapped, permissions and network access permissions in the filtering
and outgoing sections can be granted on the basis of group membership.
Network Guardian supports the following directory services:
Directory – Description
Microsoft Active Directory® – Microsoft’s directory service for Windows domain networks.
Preferred format for normalized usernames: DOMAIN\user
For more information, see Configuring a Microsoft Active Directory
Connection on page 146.
Microsoft Active Directory® - Legacy Method – Microsoft’s directory service for Windows domain
networks, without the use of Samba.
Preferred format for normalized usernames: LDAP distinguished name,
for example, cn=user,ou=users,dc=mydomain,dc=net
For information on using the legacy method to connect to Active
Directory, see Configuring an Active Directory Connection – Legacy
Method on page 151.
Novell eDirectory™, Apple® / Open LDAP, 389 Directory – Various directories which support the
LDAP protocol.
Preferred format for normalized usernames: LDAP distinguished name,
for example, cn=user,ou=users,dc=mydomain,dc=net
For more information, see Configuring an LDAP Connection on
page 147.
RADIUS – Remote Authentication Dial In User Service.
Preferred format for normalized usernames: None.
For more information, see Configuring a RADIUS Connection on
page 150.
Local users – A directory of Network Guardian local users.
Preferred format for normalized usernames: As configured in Network
Guardian
For more information, see Configuring a Local Users Directory on
page 154.
Configuring a Microsoft Active Directory Connection
The following sections explain the prerequisites for Microsoft Active Directory and how to configure
Network Guardian to work with Microsoft Active Directory.
Prerequisites for Active Directory
Before you configure any settings for use with Active Directory:
• On the Networking > Interfaces > Interfaces page, check that the primary, and optionally
the secondary, DNS server containing the Active Directory information is specified correctly.
This DNS server is used by Network Guardian for name lookups. For more information, see
Secure Web Gateway and DNS on page 15.
• In Active Directory, choose or configure a non-privileged user account to use for joining the
domain. Network Guardian stores this account’s credentials, for instance, when backing up
and replicating settings.
Note: We strongly recommend that you do not use an administrator account.
The account that you use needs permission to modify the Computers container. To delegate
these permissions to a non-privileged user account, choose Delegate Control on the
Computers container, create a custom task to delegate and, for Computer objects, grant the
full control, create and delete privileges.
• Ensure that the times set on Network Guardian and your Active Directory server are
synchronized using NTP. For more information, refer to the Network Guardian Operations
Guide.
Configuring an Active Directory Connection
The following section explains what is required to configure a connection to Active Directory.
To configure the connection:
1. On the Services > Authentication > Directories page, click Add new directory.
2. In the Add new directory dialog box, select Active Directory and configure the following
settings:
Setting
Description
Status
Select Enabled to enable the connection.
Domain
Enter the full DNS domain name of the domain. Other trusted domains will
be accessible automatically.
Username
Enter the username of the user account.
Password
Enter the password for the user account.
Confirm
Re-enter the password to confirm it.
Cache timeout (minutes)
Click Advanced. Accept the default or specify the length of time
Network Guardian keeps a record of directory-authenticated users in its
cache.
Network Guardian will not need to query the directory server for users
who log out and log back in as long as their records are still in the cache.
Note: Setting a short cache timeout increases the load on the directory
server. Setting a long cache timeout means that old passwords
are valid for longer, i.e. until the cache timeout has been passed.
Comment
Optionally, enter a comment about the directory.
3. Click Add. Network Guardian adds the directory to its list of directories and establishes the
connection.
4. You must map Active Directory groups to Network Guardian groups. For a detailed description
of how to do this, see Mapping Groups on page 158.
Configuring an LDAP Connection
The following section explains what is required to configure a connection to an eDirectory,
Apple/OpenLDAP or 389 directory server.
To configure an LDAP connection:
1. On the Services > Authentication > Directories page, click Add new directory.
2. In the Add new directory dialog box, select one of the following: eDirectory,
Apple/OpenLDAP Directory or 389 Directory and configure the following settings:
Setting
Description
Status
Select Enabled to enable the connection.
LDAP server
Enter the directory’s IP address or hostname.
Note: If using Kerberos as the bind method, you must enter the
hostname.
Username
Enter the username of a valid account in LDAP notation.
The format depends on the configuration of the LDAP directory. Normally
it should look something like this:
cn=user,ou=container,o=organization
This is what is referred to in Novell eDirectory as tree and context. A
user who is part of the tree Organization and in the context Sales would
have the LDAP notation:
cn=user,ou=sales,o=organization
For Apple Open Directory, when not using Kerberos, the LDAP username
can be written as: uid=user,cn=users,dc=example,dc=org
Consult your directory documentation for more information.
Password
Enter the password of a valid account.
Note: A password is not required if using simple bind as the bind
method.
Confirm
Re-enter the password to confirm it.
Bind method
Accept the default bind method, or from the drop-down list, select one of
the following options:
TLS (with password) – Select to use Transport Layer Security (TLS).
Kerberos – Select to use Kerberos authentication.
Simple bind – Select to bind without encryption. This is frequently used
by directory servers that do not require a password for authentication.
Kerberos realm
If using Kerberos, enter the Kerberos realm. Use capital letters.
User search root
Enter where in the directory, Network Guardian should start looking for
user accounts. Usually, this is the top level of the directory.
For example: ou=myusers,dc=mydomain,dc=local
In LDAP form, this is seen in the directory as
dc=mycompany,dc=local.
OpenLDAP based directories will often use the form
o=myorganization
Apple Open Directory uses the form:
cn=users,dc=example,dc=org
A Novell eDirectory will refer to this as the tree, taking the same form
as the OpenLDAP-based directories o=myorganization.
Note: In larger directories, it may be a good idea to narrow down the
user search root so Network Guardian does not have to look
through the entire directory. For example, if all users that need to
be authenticated have been placed in an organizational unit, the
user search root can be narrowed down by adding
ou=userunit in front of the domain base.
Note: When working with multi domain environments, the user search
root must be set to the top level domain.
Group search roots
Enter where in the directory, Network Guardian should start looking for
user groups. Usually this will be the same location as configured in the
user search root field.
For example: ou=mygroups,dc=mydomain,dc=local
Apple Open Directory uses the form:
cn=groups,dc=example,dc=org
Note: With larger directories, it may be necessary to narrow down the
group search root. Some directories will not return more than
1000 results for a search, so if there are more than 1000 groups
in the directory, a more specific group search root needs to be
configured. The principle is the same as with the user search root
setting.
If there are multiple OUs containing groups that need to be mapped, add
the other locations in the advanced section.
Cache timeout
Accept the default or specify the length of time Network Guardian keeps
a record of directory-authenticated users in its cache.
Network Guardian does not query the directory server for users who log
out and log back in as long as their records are still in the cache.
LDAP port
Accept the default or enter the LDAP port to use.
Note: LDAPs (SSL) will be automatically used if you enter port number
636.
Extra user search roots
This option enables you to enter directory-specific user search paths
when working with a large directory structure which contains multiple
OUs and many users.
Enter one search root per line.
Extra group search roots
Optionally, enter where in the directory Network Guardian should start
looking for more user groups.
Enter one search root per line.
For more information, see Working with Large Directories on page 16.
Extra realms
This setting enables you to configure subdomains manually using DNS.
Use the following format:
<realm><space><kdc server>
For example:
example.org kdc.example.org
Enter one realm per line.
Discover Kerberos realms through DNS
Only available if you have selected Kerberos as the authentication
method, select this advanced option to use DNS to discover Kerberos
realms.
Using DNS to discover realms configures Network Guardian to try to find
all the domains in the directory server by querying the DNS server that
holds the directory information.
Comment
Optionally, enter a comment about the directory.
3. Click Add. Network Guardian adds the directory to its list of directories and establishes the
connection.
4. You must map LDAP groups to Network Guardian groups. For a detailed description of how to
do this, see Mapping Groups on page 158.
Configuring a RADIUS Connection
You can configure Network Guardian to use a Remote Authentication Dial In User Service (RADIUS)
as an authentication service.
About Normalizing Usernames in a RADIUS Configuration
It should be noted that Network Guardian is unable to differentiate between an unknown user, and
a valid user that has entered an incorrect password in a RADIUS configuration, as RADIUS servers
require a valid password to be able to provide user information to Network Guardian. If Normalize
usernames is enabled (see Configuring Global Authentication Settings on page 144), Network
Guardian assumes the supplied username is valid and stores it in a lower-case format.
Prerequisites
Before you configure any settings:
• Configure the RADIUS server to accept queries from Network Guardian. Consult your RADIUS
server documentation for more information.
Configuring the Connection
To configure the connection:
1. On the Services > Authentication > Directories page, click Add new directory.
2. In the Add new directory dialog box, select RADIUS and configure the following settings:
Status
Select Enabled to enable the connection.
RADIUS server
Enter the hostname or IP address of the RADIUS server.
Secret
Enter the secret shared with the server. The shared secret authenticates both ends of the exchange and hides the user's password in transit, so use a long, random value and do not reuse it for other RADIUS clients.
Confirm
Re-enter the secret to confirm it.
Action on login failure
Try next directory server – Select this option if the users in RADIUS are unrelated to the users in any other directory server.
Deny access – Select this option if a RADIUS rejection should be final, that is, if the RADIUS password must override the password held in another directory server, for example when RADIUS is checking an authentication token. Without this option, a user whose token check fails could still be authenticated by a later directory server in the list.
Identifying IP address
Enter the IP address that identifies Network Guardian, as the RADIUS client, to the RADIUS server, if it must differ from the internal IP address of the system. The RADIUS server must have this address registered as a client.
Obtain groups from RADIUS
If the RADIUS server can provide group information, select this option so that Network Guardian uses the group names carried in the RADIUS Filter-Id attribute.
When this option is not enabled, Network Guardian uses group information from the next directory server in the list. If there are no other directories in the list, Network Guardian places all users in the Default Users group.
Cache timeout (minutes)
Accept the default or specify how long Network Guardian keeps a record of directory-authenticated users in its cache. Network Guardian does not query the directory server for users who log out and log back in while their records are still in the cache, so an old password remains valid until the cached record expires.
Port
Accept the default port or specify the UDP port to use when communicating with the RADIUS server. The default is port 1812.
Comment
Optionally, enter a comment about the directory.
3. Click Add. Network Guardian adds the directory to its list of directories and establishes the connection.
4. You must map RADIUS groups to Network Guardian groups. For a detailed description of how to do this, see Mapping Groups on page 158.
Note that the group names you map must be exactly the names the RADIUS server sends, as configured for the group_attribute parameter in your RADIUS server. For more information, refer to your RADIUS server documentation.
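The exchange that the settings above configure, as an added example that is not part of this guide or of Smoothwall's code. It implements the RFC 2865 PAP Access-Request with the User-Password hidden under the shared secret, a toy server that answers with Access-Accept carrying Filter-Id group names or with Access-Reject, and the client-side check of the Response Authenticator. The toy server, its user table, the shared secret and the NAS address are constructed for the example; usernames are lower-cased as Normalize usernames does. Both failure cases produce byte-identical replies, which is why Network Guardian cannot tell an unknown user from a wrong password.

```python
"""RFC 2865 RADIUS exchange in miniature: PAP Access-Request with a hidden
User-Password, a toy server answering Access-Accept (with Filter-Id groups)
or Access-Reject, and the client's Response Authenticator check.
Added example for this guide, not Smoothwall code; the user table, shared
secret and NAS address used with it are made up."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11


def _pap_transform(data, secret, authenticator, encrypting):
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    block); 'previous block' is the Request Authenticator for the first block and
    the previous *ciphertext* block after that."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if encrypting else data[i:i + 16]
    return out


def hide_password(password, secret, authenticator):
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _pap_transform(padded, secret, authenticator, encrypting=True)


def reveal_password(hidden, secret, authenticator):
    return _pap_transform(hidden, secret, authenticator, encrypting=False).rstrip(b"\x00")


def encode_attrs(attrs):
    """[(type, value bytes)] -> TLV wire form; the length octet includes the header."""
    out = b""
    for typ, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute too long")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out


def decode_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        typ, length = struct.unpack("!BB", body[i:i + 2])
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((typ, body[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    authenticator = authenticator or os.urandom(16)      # must be unpredictable per request
    body = encode_attrs([
        (USER_NAME, username.lower().encode()),           # what 'Normalize usernames' does
        (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),        # the 'Identifying IP address'
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code, ident, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def toy_server(packet, secret, users):
    """Minimal server; users maps name -> (password, [group names])."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:length]))
    name = attrs[USER_NAME].decode()
    given = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = name in users and hmac.compare_digest(users[name][0].encode(), given)
    if not ok:   # unknown user and wrong password get the same empty Access-Reject
        return build_response(ACCESS_REJECT, ident, request_auth, secret, [])
    groups = [(FILTER_ID, g.encode()) for g in users[name][1]]
    return build_response(ACCESS_ACCEPT, ident, request_auth, secret, groups)


def parse_response(packet, request_auth, secret):
    """Client side: check the reply came from a holder of the shared secret,
    then return (code, Filter-Id group names)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    resp_auth, body = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, [v.decode() for t, v in decode_attrs(body) if t == FILTER_ID]


def authenticate(username, password, secret, users, nas_ip="192.0.2.10", ident=7, authenticator=None):
    """Whole round trip through the toy server; returns (accepted, groups)."""
    req = build_access_request(ident, secret, username, password, nas_ip, authenticator)
    code, groups = parse_response(toy_server(req, secret, users), req[4:20], secret)
    return code == ACCESS_ACCEPT, groups
```

Two things worth noticing in practice: the password hiding is only as strong as the shared secret and the randomness of the Request Authenticator, so a weak or reused secret exposes every password that crosses the link; and because the Response Authenticator covers only the request's authenticator, not its attributes, the Access-Reject for an unknown user and for a bad password are indistinguishable on the wire, exactly the limitation described under normalizing usernames.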
Configuring an Active Directory Connection – Legacy Method
Note: This is the legacy method of configuring an Active Directory connection. For a simpler method, we recommend that you use the latest method; see Configuring a Microsoft Active Directory Connection on page 146 for more information.
The following sections explain the prerequisites for Microsoft Active Directory and how to use the legacy method to configure Network Guardian to work with Microsoft Active Directory.
Prerequisites for Active Directory
Before you configure any settings for use with Active Directory:
• Run the Network Guardian Setup program and check that the DNS server containing the Active Directory information is specified correctly. Network Guardian uses this DNS server for name lookups. For more information, see Secure Web Gateway and DNS on page 15 and the Network Guardian Getting Started Guide.
• Check that DNS reverse lookup (PTR records) is configured on the Active Directory DNS server for the Active Directory servers.
• Ensure that the clocks on Network Guardian and your Active Directory server are synchronized; Kerberos rejects tickets when the skew exceeds five minutes.
Note: Do not use the administrator account as the lookup user. The built-in administrator account often has no Windows 2000 username (userPrincipalName), which prevents the authentication service from using it. Use a dedicated account with read-only access to the directory instead; the lookup user needs no other rights.
Configuring an Active Directory Connection
Configuring an Active Directory connection entails specifying server details and, optionally, the Kerberos realm to use, search roots and any advanced settings required.
To configure the connection:
1. Navigate to the Services > Authentication > Directories page.
2. In the Add directory server area, from the Directory server drop-down list, select Active Directory and click Next. Network Guardian displays the settings for Active Directory.
3. Configure the following settings:
Status
Select Enabled to enable the connection.
Active Directory server
Enter the directory server's full hostname.
Note: For Microsoft Active Directory, Network Guardian requires DNS servers that can resolve the Active Directory server hostnames. Often these are the same servers that hold the Active Directory. The Active Directory DNS servers need a reverse lookup zone with pointer (PTR) records for the Active Directory servers for a successful lookup to take place. Refer to the Microsoft DNS server help if you need assistance in setting up a reverse lookup zone. See also Secure Web Gateway and DNS on page 15.
Username
Enter the username of a valid account, without the domain. Network Guardian adds the domain automatically.
In a multi-domain environment, the username must be a user in the top-level domain. For more information, see Active Directory on page 16.
Password
Enter the password of the account.
Confirm
Re-enter the password to confirm it.
Cache timeout (minutes)
Accept the default or specify how long Network Guardian keeps a record of directory-authenticated users in its cache. Network Guardian does not need to query the directory server for users who log out and log back in while their records are still in the cache.
Note: A short cache timeout increases the load on the directory server. A long cache timeout means that old passwords stay valid for longer, that is, until the cache timeout has passed.
Kerberos realm
Optionally, select Automatic or enter the Kerberos realm.
User search root
Optionally, select Automatic to configure Network Guardian to start looking for user accounts at the top level of the directory, or enter the user search root to start looking in, for example:
ou=myusers,dc=mydomain,dc=local
Note: When working with multi-domain environments, the user search root must be set to the top-level domain.
Group search root
Optionally, select Automatic to configure Network Guardian to start looking for user groups at the top level of the directory, or enter the group search root to start looking in, for example:
ou=mygroups,dc=mydomain,dc=local
Note: Some directories will not return more than 1 000 results for a search (Active Directory's default MaxPageSize is 1 000), so if there are more than 1 000 groups in the directory, a more specific group search root needs to be configured.
Comment
Optionally, enter a comment about the directory server and the settings used.
Enabled
Select this option to enable the connection to the directory server.
4. Optionally, click Advanced to access and configure the following settings:
LDAP port
Accept the default, or enter the LDAP port to use.
Discover Kerberos realms through DNS
Select this option to use DNS to discover Kerberos realms. Network Guardian then tries to find all the domains in the directory server by querying the DNS server that holds the directory information.
Use sAMAccountName
This setting applies when working with Microsoft Windows NT4 or older installations. Use it to identify users by their sAMAccountName rather than their userPrincipalName.
NetBIOS workgroup
This setting applies when using NTLM authentication with Guardian. Network Guardian cannot join the domains required for NTLM authentication where the workgroup, also known as the NetBIOS domain name or pre-Windows 2000 domain name, is not the same as the Active Directory domain. Select Automatic or enter the NetBIOS domain name to use when joining the workgroup.
Extra user search roots
This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter one search root per line.
Extra group search roots
Optionally, enter where in the directory Network Guardian should start looking for more user groups. Enter one search root per line.
For more information, see Working with Large Directories on page 16.
Extra realms
This setting enables you to configure subdomains manually, as opposed to discovering them automatically through DNS. Use the following format:
<realm><space><kdc server>
For example:
example.org kdc.example.org
Enter one realm per line.
5. Click Add. Network Guardian adds the directory to its list of directories and establishes the connection.
6. You must map Active Directory groups to Network Guardian groups. For a detailed description of how to do this, see Mapping Groups on page 158.
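An added example, not Smoothwall code, that validates the values entered in the tables above before they go into the form: it parses search-root DNs, derives the top-level naming context and realm from the Active Directory DNS domain, checks the multi-domain rule for the user search root, parses the Extra realms box (the same format as the Extra realms setting in the LDAP table earlier in this chapter), and lists the SRV names that DNS realm discovery queries. The function names and sample values are this example's own.

```python
"""Checks for the directory settings in the tables above: search-root DNs,
the naming context and realm derived from the AD DNS domain, the multi-domain
search-root rule, the 'Extra realms' box and the SRV names that DNS realm
discovery queries. Added example for this guide, not Smoothwall code;
function names and sample values are this example's own."""
import re

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def is_hostname(name):
    """RFC 1123 syntax check for a DNS host or domain name (no lookup is made)."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(_LABEL.match(label) for label in name.split("."))


def _rdn(attr, value):
    a, v = "".join(attr).strip().lower(), "".join(value).strip()
    if not re.match(r"^[a-z][a-z0-9-]*$", a) or not v:
        raise ValueError("malformed RDN %r=%r" % (a, v))
    return a, v


def parse_dn(dn):
    """ou=myusers,dc=mydomain,dc=local -> [('ou','myusers'),('dc','mydomain'),('dc','local')].
    RFC 4514 backslash escapes are honoured, so 'ou=Sales\\, EMEA' stays one RDN."""
    pairs, attr, value, in_value, i = [], [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):            # escaped character: take it literally
            (value if in_value else attr).append(dn[i + 1])
            i += 2
            continue
        if not in_value and ch == "=":
            in_value = True
        elif in_value and ch == ",":
            pairs.append(_rdn(attr, value))
            attr, value, in_value = [], [], False
        else:
            (value if in_value else attr).append(ch)
        i += 1
    pairs.append(_rdn(attr, value))
    return pairs


def default_search_root(domain):
    """What 'Automatic' starts from: mydomain.local -> dc=mydomain,dc=local."""
    if not is_hostname(domain):
        raise ValueError("not a DNS domain: %r" % domain)
    return ",".join("dc=" + label for label in domain.lower().rstrip(".").split("."))


def realm_for_domain(domain):
    """Active Directory realm names are the DNS domain name in upper case."""
    return domain.rstrip(".").upper()


def is_top_level_root(dn, forest_domain):
    """Multi-domain rule: the user search root must be the top-level domain itself,
    not an OU or child domain beneath it."""
    norm = lambda pairs: [(a, v.lower()) for a, v in pairs]
    return norm(parse_dn(dn)) == norm(parse_dn(default_search_root(forest_domain)))


def parse_extra_realms(text):
    """'<realm><space><kdc server>' per line -> {realm: kdc}. Blank lines are
    skipped; a malformed line or duplicate realm raises with its line number."""
    realms = {}
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        if len(fields) != 2 or not all(is_hostname(f) for f in fields):
            raise ValueError("line %d: expected '<realm> <kdc server>', got %r" % (n, raw))
        realm, kdc = fields
        if realm.lower() in {r.lower() for r in realms}:
            raise ValueError("line %d: duplicate realm %s" % (n, realm))
        realms[realm] = kdc
    return realms


def discovery_srv_names(realm):
    """SRV records a DNS-based KDC lookup asks for (RFC 4120 section 7.2.3);
    check these resolve before enabling 'Discover Kerberos realms through DNS'."""
    r = realm.rstrip(".").lower()
    return ["_kerberos._udp." + r, "_kerberos._tcp." + r]
```

The DN parser is deliberately strict: a value that is not a DN at all (a bare domain name, for instance) is rejected rather than silently searched from nowhere, which is the usual cause of a directory that connects but returns no users.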
Configuring a Local Users Directory
Network Guardian stores user account information comprised of usernames, passwords and group membership in local user directories so as to provide a standalone authentication service for network users.
To configure a local users directory:
1. On the Services > Authentication > Directories page, click Add new directory.
2. In the Add new directory dialog box, select Local users and configure the following settings:
Status
Select Enabled to enable the connection.
Name
Accept the default name or enter a new name.
Comment
Optionally, enter a comment about the directory.
3. Click Add. Network Guardian adds the directory to its list of directories. For information on adding and managing local users, see Managing Local Users on page 155.
Reordering Directory Servers
Tip: If most of your users are in one directory, list that directory first so as to reduce the number of queries required. If user passwords are checked by a RADIUS server and group information is obtained from LDAP, list the RADIUS server first.
To reorder directory servers:
1. On the Services > Authentication > Directories page, select the directory server you want to move and click Up or Down until the server is where you want it.
2. Repeat the step above for any other directories you want to move.
3. Click Save moves. Network Guardian applies the changes.
Tip: You can also drag and drop directories to where you want them. Just remember to click Save moves.
Editing a Directory Server
To edit a directory server:
1. On the Services > Authentication > Directories page, point to the directory server and click Edit. The Edit directory dialog box opens.
2. Make the changes required; see About Directory Services on page 145 for information on the settings available.
3. Click Save changes. Network Guardian applies the changes.
Deleting a Directory Server
To delete a directory server:
1. On the Services > Authentication > Directories page, point to the directory server and click Delete. When prompted, confirm that you want to delete the directory. Network Guardian deletes the server.
Diagnosing Directories
It is possible to review a directory's status and run diagnostic tests on it.
To diagnose a directory:
1. On the Services > Authentication > Directories page, point to the directory server and click Diagnose. Network Guardian displays current directory connection, user account and status information.
Tip: You can diagnose multiple directories at the same time. Select the directories and click Diagnose.
Managing Local Users
A local users directory holds usernames, passwords and group membership on Network Guardian itself, so that it can authenticate network users without an external directory.
Adding Users
To add a user to a local user directory:
1. On the Services > Authentication > Directories page, click the local user directory you want to add a user to. Network Guardian displays any current local users.
2. Click Add new user. In the Add new user dialog box, configure the following settings:
Enabled
Select to enable the user account.
Username
Enter the user account name.
Password
Enter the password associated with the user account. Passwords must be a minimum of six characters long. That is only the enforced minimum; choose considerably longer passwords, particularly for accounts mapped to privileged groups.
Repeat password
Re-enter the password to confirm it.
Select group
From the drop-down menu, select a group to assign the user account to.
3. Click Add. Network Guardian saves the information.
4. Repeat the steps above to add more users.
Editing Local Users
To edit an existing user's details:
1. On the Services > Authentication > Directories page, click the local user directory containing the user account you want to edit. Network Guardian displays current local users.
2. Point to the user account and click Edit. In the Edit user dialog box, make the changes required. See Adding Users on page 155 for more information on the settings available.
3. Click Save changes. Network Guardian applies the changes.
Deleting Users
To delete users:
1. On the Services > Authentication > Directories page, click the local user directory containing the user account(s) you want to delete. Network Guardian displays current local users.
2. Point to the user account and click Delete. When prompted, confirm that you want to delete the account. Network Guardian deletes the account.
3. Repeat the steps above to delete other accounts.
Managing Groups of Users
The following sections discuss groups of users and how to manage them.
About Groups
Network Guardian uses groups to organize and manage similar user accounts. Authentication-enabled services associate permissions and restrictions with each group of user accounts, which lets them apply rules dynamically on a per-user-account basis.
Local users can be added or imported to a particular group, with each group organized to mirror an organization's structure. Administrators can rename groups to describe the users they contain.
Currently, Network Guardian supports 1000 groups and, by default, contains the following groups:
Unauthenticated IPs
The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for unauthenticated users, that is, users who are not logged in, are currently unauthenticated or cannot be authenticated.
Note: This group cannot be renamed or deleted.
Default Users
Users can be mapped to Default Users. The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for users who are not specifically mapped to a Network Guardian group, that is, users who can be authenticated but are not mapped to a specific Network Guardian authentication group. Because every authenticated but unmapped user lands here, give this group the most restrictive policy you would accept for an unknown member of the organization.
Note: This group cannot be renamed or deleted.
Banned Users
The purpose of this group is to contain users who are banned from using an authentication-enabled service.
Note: This group cannot be renamed or deleted.
Network Administrators
This group is a normal user group, configured with a preset name and set up for the purpose of granting network administrators access to an authentication-enabled service.
Because the Network Administrators group is a normal group with a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of permissions or restrictions.
Adding Groups
It is possible to add groups to Network Guardian. Currently, Network Guardian supports 1000 groups.
To add a group:
1. On the Services > Authentication > Groups page, click Add new group.
2. In the Add new group dialog box, enter the following information:
Name
Enter a name for the group.
Comment
Optionally, enter a comment.
3. Click Add. Network Guardian creates the group and lists it.
Editing Groups
Note: It is not possible to rename the Unauthenticated IPs, Default Users or Banned Users groups.
To edit a group:
1. On the Services > Authentication > Groups page, point to the group and click Edit.
2. In the Edit group dialog box, enter the following information:
Name
When renaming a group, enter a new name.
Comment
Edit or enter a new comment.
3. Click Save changes. Network Guardian applies the changes.
Deleting Groups
Note: It is not possible to delete the Unauthenticated IPs, Default Users or Banned Users groups.
To delete a group or groups:
1. On the Services > Authentication > Groups page, select the group(s) and click Delete.
2. When prompted to confirm the deletion, click Delete. Network Guardian deletes the group(s).
Mapping Groups
Once you have successfully configured a connection to a directory, you can map the groups Network Guardian retrieves from the directory to Network Guardian groups in order to apply permissions and restrictions to the users in those groups.
Note: These instructions are only for directories not configured as Local users. For a detailed description of how to manage local users, see Managing Local Users on page 155.
To map directory groups to Network Guardian groups, do the following:
1. Browse to Services > Authentication > Directories.
2. Expand the relevant directory, and click Add new group mapping.
3. Configure the following parameters:
• Directory group — Depending on the directory service configured, add or select the directory group to map from.
• Local group — From the drop-down menu, select the relevant Network Guardian group.
• Enabled — Select this option to enable the group mapping; clear it to disable the mapping without deleting it.
4. Click Add.
Remapping Groups
It is possible to change group mappings.
To remap groups, do the following:
1. Browse to Services > Authentication > Directories.
2. Expand the relevant directory, and select the relevant group mapping.
3. Click Edit.
4. Change the Directory group and/or the Local group as required.
5. Click Save changes.
Deleting Group Mappings
It is possible to delete group mappings.
To delete one or more group mappings, do the following:
1. Browse to Services > Authentication > Directories.
2. Expand the relevant directory, and select the relevant group mapping.
3. Click Delete.
4. Click Delete to confirm the deletion.
Managing Temporarily Banned Users
Network Guardian enables you to temporarily ban specific user accounts. When temporarily banned, the user is added to the Banned Users group.
Note: You can apply any web filtering policy to the Banned Users group.
Creating a Temporary Ban
Note: Only administrators and accounts with Temp ban access can manage banned accounts. For more information, refer to the Network Guardian Operations Guide.
To ban an account temporarily:
1. Navigate to the Services > Authentication > Temporary bans page.
2. Click Add new temporary ban. In the Add new temporary ban dialog box, configure the following settings:
Status
Select Enabled to enable the ban immediately.
Username
Enter the user name of the account you want to ban.
Ban expires
Click and select when the ban expires.
Comment
Optionally, enter a comment explaining why the account has been banned.
3. Click Add. Network Guardian enforces the ban immediately.
Tip: You can edit the block page displayed to banned users so that it gives them information on the ban in force. For more information, refer to the Network Guardian Operations Guide.
Tip: There is also a ban option on the Services > Authentication > User activity page; for more information, see Managing User Activity on page 161.
Removing Temporary Bans
To remove a ban:
1. Navigate to the Services > Authentication > Temporary bans page.
2. In the Current rules area, select the ban and click Remove. Network Guardian removes the ban.
Removing Expired Bans
To remove bans which have expired:
1. Navigate to the Services > Authentication > Temporary bans page.
2. In the Current rules area, click Remove all expired. Network Guardian removes all bans which have expired.
Managing User Activity
Network Guardian enables you to see who is logged in and who has recently logged out. You can also log users out and/or ban them.
Viewing User Activity
To view activity:
1. Navigate to the Services > Authentication > User activity page. Network Guardian displays who is logged in, who recently logged out, the group(s) each user belongs to, their source IP and the method of user authentication. Recently logged out users are listed for 15 minutes.
Logging Users Out
To log a user out:
1. On the Services > Authentication > User activity page, point to the user you want to log out and click Log user out. Network Guardian logs the user out immediately and lists them as logged out.
Note: Logging a user out is not the same as blocking a user from accessing web content. With connection-based authentication the user is automatically logged back in on their next request; with SSL login they are prompted to authenticate again, and a valid password will succeed. To stop a user reaching web content, ban the user instead.
Banning Users
To ban a user:
1. On the Services > Authentication > User activity page, point to the user you want to ban and click Ban user. Network Guardian copies the user's information and displays it on the Services > Authentication > Temporary bans page, where you can configure the ban. For more information, see Creating a Temporary Ban on page 159.
About SSL Authentication
Network Guardian provides SSL Login as a built-in authentication mechanism which authentication-enabled services can use to apply permissions and restrictions on a customized, per-user basis.
When SSL Login is configured, network users requesting port 80 for outbound web access are automatically redirected to a secure login page, the SSL Login page, and prompted for their user credentials.
Users can also open the SSL Login page manually to authenticate themselves proactively, typically where they need to use a non-web authentication-enabled service, for example group bridging, or where only a small subset of users requires authentication.
SSL Login authentication works by dynamically adding a rule for the IP address of each authenticated user, so that the SSL Login redirection is bypassed for that address. When an authenticated user logs out or exceeds the time-out limit, the rule is removed and future outbound requests on port 80 again cause automatic redirection to the SSL Login page.
Because the session is tied to the source IP address rather than to the user, every host sharing that address (for example behind a NAT device or on a multi-user terminal server) is treated as the logged-in user until the rule is removed. Keep the time-out short on such networks, or use a per-user authentication method instead.
For information about the authentication methods that can be used with SSL login, see Managing Authentication Policies on page 87.
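A model of the session table that the mechanism above implies, added here as an example; it is not Smoothwall code and does not reproduce the product's rule engine. It assumes an idle time-out (the guide does not say whether the time-out is idle or absolute) and the 15-minute "recently logged out" list described under Managing User Activity; the addresses and names used with it are made up. The point it makes runnable is the shared-address problem: a second host behind the same source IP is attributed to the first user.

```python
"""Model of the SSL Login session table described above: an authenticated
user's source IP is exempted from the port-80 redirect until logout or
time-out. Added example for this guide, not Smoothwall code; it assumes an
idle time-out and a 15-minute 'recently logged out' list."""


class SslLoginSessions:
    def __init__(self, timeout_s=3600, recently_out_s=15 * 60):
        self.timeout_s = timeout_s
        self.recently_out_s = recently_out_s
        self.active = {}       # ip -> (user, last seen): the dynamically added rules
        self.logged_out = {}   # ip -> (user, logged out at)

    def login(self, ip, user, now):
        """Successful SSL Login: add the bypass rule for this source address."""
        self.active[ip] = (user, now)
        self.logged_out.pop(ip, None)

    def logout(self, ip, now):
        """Explicit logout or 'Log user out': remove the rule, remember the user."""
        user, _ = self.active.pop(ip)
        self.logged_out[ip] = (user, now)

    def expire(self, now):
        for ip, (_, seen) in list(self.active.items()):
            if now - seen > self.timeout_s:
                self.logout(ip, now)
        for ip, (_, at) in list(self.logged_out.items()):
            if now - at > self.recently_out_s:
                del self.logged_out[ip]

    def user_for(self, ip, now):
        """Who the filter attributes traffic from this address to (None = nobody).
        Every host behind the same address inherits the answer."""
        self.expire(now)
        if ip not in self.active:
            return None
        user, _ = self.active[ip]
        self.active[ip] = (user, now)       # activity keeps the session alive
        return user

    def redirect_to_login(self, ip, dst_port, now):
        """The redirect decision: only unauthenticated port-80 requests go to /login."""
        return dst_port == 80 and self.user_for(ip, now) is None

    def recently_logged_out(self, now):
        self.expire(now)
        return {ip: user for ip, (user, _) in self.logged_out.items()}
```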
Customizing the SSL Login Page
When using SSL as an authentication method, it is possible to customize the title image, background
image and message displayed on an SSL login page.
Customizing the Title Image
It is possible to customize the title image displayed on the SSL login page.
To upload a custom title image:
1. Browse to the Services > Authentication > SSL login page.
2. Click the Title image Browse/Select file button. Using your browser's controls, locate and select the file.
3. Click Save changes. Network Guardian uploads the file and makes it available on the SSL login page.
Customizing the Background Image
It is possible to customize the background image used on an SSL login page.
To upload a background image:
1. On the Services > Authentication > SSL login page, click the Background image Browse/Select file button. Using your browser's controls, locate and select the file.
2. Click Save changes. Network Guardian uploads the file and makes it available on the SSL login page.
Removing Custom Files
To remove a custom file:
1. Browse to the Services > Authentication > SSL login page.
2. To remove the title image, adjacent to Title image, click Delete.
3. To remove the background image, adjacent to Background image, click Delete.
Customizing the Message
It is possible to provide users with a customized message.
To customize the login message:
1. Navigate to the Services > Authentication > SSL login page.
2. In the Customize SSL Login area, enter your custom message in the SSL login page text box.
3. Click Save changes to apply the new message.
Reviewing SSL Login Pages
You can review the SSL Login page as users will see it.
To review the SSL Login page:
1. In the web browser of your choice, enter your Network Guardian system's IP address followed by /login. For example: http://192.168.72.141/login or, using HTTPS, https://192.168.72.141:442/login. Network Guardian displays the SSL login page.
Managing Kerberos Keytabs
Note: When using Microsoft Active Directory for authentication, Kerberos keys are managed automatically. For other directory servers, it is necessary to import keytabs manually; see the following section for information on how to do this.
A Kerberos keytab is a file containing Kerberos principals paired with their long-term secret keys. The keys are stored in the clear (the file itself is not encrypted), so a keytab is equivalent to the service account's password: generate it on a trusted host, transfer it over a protected channel and delete local copies once it has been imported. By importing and using Kerberos keytabs, Network Guardian services, such as authentication, can use the interoperability features provided by Kerberos.
For information on using Kerberos as the authentication method in authentication policies, refer to the Network Guardian Operations Guide.
Prerequisites
The following are prerequisites when using Kerberos as an authentication method:
• Forward and reverse DNS must be working
• All clocks must be in sync. More than 5 minutes of clock drift will cause authentication to fail
Adding Keytabs
The following section explains how to add Kerberos keytabs to Network Guardian.
For information on generating keytabs, consult the documentation delivered with your directory server. Also, available at the time of writing, see http://technet.microsoft.com/en-us/library/cc753771%28v=WS.10%29.aspx, which discusses how to get a keytab from Active Directory.
To add a keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. Click Add new keytab and configure the following settings:
Status
Accept the default setting to enable the keytab.
Name
Enter a descriptive name for the keytab.
File
Using your browser, locate and select the keytab.
Comment
Optionally, enter a comment to describe the keytab.
3. Click Add. Network Guardian adds the keytab and lists it in the Kerberos keytabs area.
4. Repeat the steps above for any other keytabs you need to import.
Managing Keytabs
The following sections explain how to disable, view, edit and delete Kerberos keytabs.
Disabling Keytabs
Kerberos keytabs are enabled by default. It is possible to disable a Kerberos keytab when required, for example, when troubleshooting.
To disable a keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3. In the Edit keytab dialog box, clear the Enabled option. Click Save changes to save the setting. Network Guardian disables the keytab.
Viewing Keytab Content
It is possible to view the contents of a Kerberos keytab.
To view a Kerberos keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3. In the Edit keytab dialog box, click the keytab's display arrow. Network Guardian displays the content.
Editing Keytabs
It is possible to change the name of the Kerberos keytab file.
To change the name of the Kerberos keytab file:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3. In the Edit keytab dialog box, change the name as required and click Save changes. Network Guardian changes the name and lists the Kerberos keytab in the Installed Kerberos keytabs area.
Deleting Keytabs
It is possible to delete Kerberos keytabs that are no longer required.
To delete a Kerberos keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Delete.
3. When prompted to confirm the deletion, click Delete. Network Guardian deletes the keytab.
Troubleshooting a Kerberos Service
Check the following when troubleshooting a service that uses Kerberos:
• Make sure all the prerequisites have been met, see Prerequisites on page 164
• Try another browser for fault-finding
• In a Safari browser, try the fully qualified domain name (FQDN) if the short form does not work
• Check whether the user logged on before the keytab was created. Try logging off, then on again.
• Check whether the user logged on before Network Guardian joined the domain. Try logging off, then on again.
• Double-check that you are logged on with a domain account
• When exporting your own keytabs:
  – Make sure the keytab contains keys of the same encryption type as the client uses (for example, a client restricted to AES cannot use a keytab that holds only RC4 keys)
  – The "HTTP" in the service principal name (SPN) must be in upper case
  – The keytab should contain SPNs for both the short and the fully qualified form of each hostname
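A reader for MIT-format keytab files that applies the three export rules above, added here as an example; it is not Smoothwall code, and the sample keytab, principals and key bytes are constructed inside the block (build_keytab exists only to produce that sample in memory). It shows what the display arrow in the Edit keytab dialog reveals (principal, key version number and encryption type) and flags a missing short-name SPN, a lower-case "http" service name and a key-type mismatch before the file is imported.

```python
"""Reader and checker for MIT-format Kerberos keytabs (the file imported on
Services > Authentication > Kerberos keytabs). Added example for this guide,
not Smoothwall code. build_keytab exists only so the example can construct a
sample file in memory; the principals and key bytes used with it are made up."""
import struct

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NT_PRINCIPAL = 1


def _cstr(b):
    """counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack("!H", len(b)) + b


def build_keytab(entries):
    """entries: (principal 'svc/host@REALM', kvno, enctype, key bytes) -> keytab v0x0502."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack("!H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack("!IIB", NT_PRINCIPAL, 0, kvno & 0xFF)   # name type, timestamp, vno8
        body += struct.pack("!HH", enctype, len(key)) + key         # keyblock
        body += struct.pack("!I", kvno)                               # 32-bit kvno extension
        out += struct.pack("!i", len(body)) + body
    return out


def _read_cstr(buf, i):
    (n,) = struct.unpack("!H", buf[i:i + 2])
    return buf[i + 2:i + 2 + n].decode(), i + 2 + n


def parse_keytab(data):
    """Returns one dict per key: principal, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack("!i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            raise ValueError("zero-length entry at offset %d" % pos)
        if size < 0:                         # negative size marks a deleted slot
            pos += -size
            continue
        e = data[pos:pos + size]
        if len(e) != size:
            raise ValueError("truncated entry at offset %d" % pos)
        (ncomp,) = struct.unpack("!H", e[:2])
        realm, i = _read_cstr(e, 2)
        comps = []
        for _ in range(ncomp):
            c, i = _read_cstr(e, i)
            comps.append(c)
        _name_type, _timestamp, vno8 = struct.unpack("!IIB", e[i:i + 9])
        i += 9
        enctype, klen = struct.unpack("!HH", e[i:i + 4])
        key, i = e[i + 4:i + 4 + klen], i + 4 + klen
        kvno = vno8
        if i + 4 <= size:                    # optional 32-bit kvno; non-zero wins
            (vno32,) = struct.unpack("!I", e[i:i + 4])
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos += size
    return entries


def check_http_spns(entries, short_host, fqdn, client_enctypes):
    """Apply the export rules from the list above; returns the problems found."""
    problems, principals = [], [e["principal"] for e in entries]
    for host in (short_host, fqdn):
        if not any(p.startswith("HTTP/%s@" % host) for p in principals):
            problems.append("missing SPN HTTP/%s@<REALM>" % host)
    for p in principals:
        service = p.split("/", 1)[0]
        if service != "HTTP" and service.upper() == "HTTP":
            problems.append("service name must be upper-case HTTP: %s" % p)
    have = {e["enctype"] for e in entries}
    if not have & set(client_enctypes):
        problems.append("no key of a type the client uses; keytab has %s" %
                        sorted(ENCTYPE_NAMES.get(t, str(t)) for t in have))
    return problems
```

Run check_http_spns against the keytab you are about to import, with client_enctypes set to what your workstations negotiate (18 and 17 for AES-only domains, 23 if RC4 is still allowed); an empty list means the three export rules are satisfied.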
Authenticating Chromebook Users
Network Guardian's Chromebook authentication feature allows internal Chromebook users to authenticate themselves using their Google credentials, while organizational web filtering policies are enforced wherever they are located.
Network Guardian must be assigned a Client ID and Client Secret, provided through the Google developer console (see Creating a Google Client ID and Client Secret (Web Application) on page 167). These allow Network Guardian and Connect for Chromebooks to send authorization requests to Google's OAuth servers. Treat the Client Secret as a credential: anyone who obtains it can impersonate your web application to Google.
Note: Google Chromebooks allow multiple users to be signed into a single Chromebook device at any one time. For Network Guardian's Google App integration to work, this feature needs to be disabled. For a detailed description of how to do this, refer to the Google Admin console, http://admin.google.com.
Creating a Google Client ID and Client Secret (Web Application)
Network Guardian must be assigned a Google Client ID and Client Secret to be able to communicate successfully with Google.
To create and download the Client ID and Client Secret you must use the Google Developer console, https://console.developers.google.com. For a detailed description of how to create the ID and Secret, refer to your Google documentation.
Tip: The Client ID and Client Secret are created as a web application within the OAuth module of the Google Developer console.
Uploading the Client ID and Client Secret
To assign the Client ID and Client Secret to Network Guardian, do the following:
1. Log into the Network Guardian administration user interface.
2. Browse to Services > Authentication > Chromebook.
3. Scroll down to the Google web application settings panel.
4. Copy and paste the Google Client ID into the Client ID text box.
5. Copy and paste the Google Client Secret into the Client Secret text box.
6. Scroll down to the bottom, and click Save changes.
Restricting Accepted Google Accounts by Domain
You can choose to only accept Google accounts from specified domains, that is, the @domain.com
part of the Google email address.
If this restriction is configured via the Google Admin console, users from restricted domains will not
be able to log onto their Chromebook.
Alternatively, you can configure a list of accepted domains in Network Guardian. This allows users to
log onto their Chromebook devices, but their subsequent authentication request from Connect for
Chromebooks will be rejected, leaving them unable to connect to the Internet.
To configure a list of accepted domains, do the following:
1. Browse to Services > Authentication > Chromebook.
2. Scroll down to the Google web application settings panel.
3. Select Restrict logins to the following domains:.
4. In the Domains box, list the accepted domains, one per line.
5. Scroll down to the bottom, and click Save changes.
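The domain restriction described above compares only the @domain part of the Google account address against the list in the Domains box. The following is an added example, not code from the Smoothwall guide or product, showing how such a check should be written so that it accepts a listed domain exactly and nothing else; the function names, the sample domains and the sample addresses are assumptions made for this illustration.

```python
# Added example (not part of the Smoothwall guide or product): a reference
# allowlist check that mirrors "Restrict logins to the following domains".
# Only the part after the '@' in the Google account address is compared.
# Function names, sample domains and sample addresses are constructed here.

def parse_accepted_domains(domains_box: str) -> set[str]:
    """Parse the Domains box contents (one domain per line) into a set.
    Blank lines and surrounding whitespace are ignored, a leading '@' is
    tolerated, and names are lower-cased because DNS is case-insensitive."""
    accepted = set()
    for line in domains_box.splitlines():
        d = line.strip().lstrip("@").lower()
        if d:
            accepted.add(d)
    return accepted


def is_accepted_account(email: str, accepted: set[str]) -> bool:
    """Return True only if the domain part of the address is exactly one of
    the accepted domains. Exact matching is deliberate: a suffix test such as
    email.endswith("example.org") would also accept "user@notexample.org",
    a domain the organisation does not control, and a prefix test would
    accept sub-domains the administrator never listed."""
    if email.count("@") != 1:
        return False  # malformed address: treat as not accepted
    local, domain = email.rsplit("@", 1)
    if not local:
        return False  # empty local part is not a usable account
    return domain.strip().lower() in accepted


# Constructed sample Domains box contents (two accepted domains)
SAMPLE_DOMAINS_BOX = """
example.org
@students.example.org
"""

if __name__ == "__main__":
    accepted = parse_accepted_domains(SAMPLE_DOMAINS_BOX)
    for addr in ("alice@example.org", "Bob@Students.Example.ORG",
                 "mallory@notexample.org", "mallory@sub.example.org"):
        print(addr, "->", "accepted" if is_accepted_account(addr, accepted) else "rejected")
```

Note that a user whose domain is rejected here can still sign in to the Chromebook itself; as the guide states, it is the later Connect for Chromebooks authentication request that is refused.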
Customizing the Client Login Page
You can customize the login page users see when they first log onto the network via a Chromebook,
to suit your organizational needs.
The following is an example of the expected layout of the login page:
You can change the logo, heading and main body of text. However, only static text and images can
be used. You cannot use links to other HTML pages. The Google Sign in button must remain in case
a manual login is required.
To customize the client login page, do the following:
1. Browse to Services > Authentication > Chromebook.
2. Scroll down to the Client login page panel.
3. Configure the following:
   • Title — Enter a meaningful heading for the main body of text.
   • Image — To change the logo, click Choose File. Locate the relevant image, and click Open. Click the black arrow to view the uploaded image. The Smoothwall logo is provided as the default image if none has been uploaded.
   • Text — Enter the text that will appear in the main body.
4. Click Save changes.
Tip: It is recommended you include text advising that by using this Client login page, the user is
granting permission for their login credentials to be sent to Google.
Managing Chromebooks
You can manage the network configuration of all your Chromebooks from the Google Admin
console, http://admin.google.com. Key areas needed to make Network Guardian Chromebook
authentication work are as follows:
• Deploying the Connect for Chromebooks Extension on page 170
• Diagnosing Connect for Chromebooks on page 171
• Validating Network Guardian’s HTTPS Certificate on page 172
• Routing Traffic to Network Guardian’s Proxy Server on page 173
Deploying the Connect for Chromebooks Extension
The Connect for Chromebooks extension is a custom utility that can be deployed to all Chromebooks
in your network. Once the user is logged into the Chromebook, Connect for Chromebooks performs
the additional Google authentication, and handles any subsequent authentication requests.
Connect for Chromebooks places an icon in the Chrome browser taskbar. The icon shows the extension
and user authentication status (the status icons are images not reproduced here):
• The user is logged into Connect for Chromebooks, and browsing is allowed.
• Connect for Chromebooks is running but has an error.
• Connect for Chromebooks has an error.
Clicking on the icon displays a pop-up window with a detailed description of the current status:
• The user credentials of the logged in user are displayed.
• Connect for Chromebooks is unable to connect to the Internet to authenticate the user.
• There is a problem with Connect for Chromebooks.
• Connect for Chromebooks is busy.
Connect for Chromebooks does not require you to install the extension on a server for deployment
to all Chromebooks. Instead, you must link to it from the Google Admin console, which then includes
it in the Chromebook configuration pushed out to all clients.
To deploy Connect for Chromebooks, do the following:
1. Log into the Google Admin console.
2. Under Chrome Device Management, locate Manage pre-Installed apps.
3. Click Specify a Custom App.
4. Enter the following ID: ldmijmkolialklggnnlgaodhaemipjmn
5. Enter the following URL: https://clients2.google.com/service/update2/crx
6. Click Add. Smoothwall Connect for Chromebooks should appear in the Total to pre-install panel.
7. Click Save.
8. Scroll down to the bottom of the page, and click Save changes.
Note: The above instructions are correct at the time of writing. Google feature names and links may
change over time.
Diagnosing Connect for Chromebooks
Connect for Chromebooks provides a log of the user activity from the Chromebook it is installed on,
namely which users have logged on, and the status of their login.
To view the Connect for Chromebooks log, do the following:
1. From the Chromebook, click the Connect for Chromebooks icon.
2. From the pop-up window, click Diagnostics.
Validating Network Guardian’s HTTPS Certificate
Network Guardian’s Client Login page is presented to the Chromebook over SSL. This requires the
HTTPS certificate presented by Network Guardian to be validated by the Chromebooks. To do this,
you must download the HTTPS certificate from your Network Guardian, and upload it to Google’s
Admin console.
Note: The Network Guardian appliance must be configured with a fully qualified hostname, for
example, my.smoothwall.com. For a detailed description of how to change the hostname, refer
to the Network Guardian Operations Guide.
Tip: Ensure the DNS server used by the Chromebooks maps Network Guardian’s fully qualified
hostname to the internal Network Guardian IP address that the Chromebooks connect to. All
references to the client login page (see Customizing the Client Login Page on page 169) must be
made using the fully qualified hostname.
You must first verify that the certificate uses the correct hostname, as follows:
1. From a network machine, in a Chrome browser, browse to your Network Guardian appliance using the fully qualified hostname on port 442, for example:
   https://my.smoothwall.com:442
   Note that HTTPS in the URL and the SSL padlock icon are both crossed through.
2. Click on the crossed SSL padlock icon in the URL bar.
3. From the Connection tab, click Certificate information.
4. Confirm that the hostname used in the certificate is the fully qualified hostname. This will be the name listed against Issued to: and Issued By:.
5. Click OK.
If the fully qualified hostname is not used by the certificate, refer to the Network Guardian Operations
Guide for a detailed description of how to change the hostname.
If the fully qualified hostname appears in the certificate, download the certificate as follows:
1. From the Network Guardian user interface, browse to Services > Authentication > Chromebook.
2. Scroll down to the HTTPS certificate panel.
3. Click Download certificate.
4. If you manage your Google directory from the same machine, click Open the Google Admin console in a new window. If not, copy the downloaded HTTPS certificate to the relevant machine, and browse to the Google Admin console.
5. Upload the certificate to the Google Admin console’s Manage Certificates module to deploy it to all Chromebooks in your organization. For a detailed description of how to do this, refer to your Google documentation.
Tip: Ensure Use this certificate as an HTTPS certificate authority is selected for Network
Guardian’s HTTPS certificate in the Manage certificates dialog.
Routing Traffic to Network Guardian’s Proxy Server
Using the Google Admin console, you can have all Chromebooks redirect internet traffic to proxy
through Network Guardian’s proxy servers.
The following recommendations are made:
• The DHCP server used by the Chromebooks should point to the DNS server which hosts the client login page (see Customizing the Client Login Page on page 169).
• The following domains should be whitelisted in Guardian:
  - gstatic.com
  - ajax.googleapis.com
  - accounts.google.com
  - plus.google.com
  - apis.google.com
  - ssl.gstatic.com
  - oauth.googleusercontent.com
  For a detailed description of how to configure a whitelist, see Managing Web Filter Policies on page 50.
• Within the Google Admin console, check the following:
  - The proxy server URL uses the fully qualified hostname of your Network Guardian appliance.
  - The proxy settings are locally applied for the appropriate network groups.
  - Proxy mode should be set to Always use the proxy specified below.
  - Include Network Guardian’s hostname in the proxy bypass list.
  - The startup homepage should be set to Homepage is always the homepage URL, set below.
  - Set the URL for your startup homepage to:
    https://Network Guardian_hostname:442/modules/auth/cgibin/google/login.fcgi
    where Network Guardian_hostname is the fully qualified hostname assigned to Network Guardian.
  - Enter the same URL for Pages to load on startup.
The above setup in the Google Admin console is for a non-transparent proxy method. Should
Connect for Chromebooks be unable to determine a proxy server, or your network is configured for
a transparent proxy method, the following recommendation is made:
• An additional DNS entry should be added to your local DNS settings: autodiscover.smoothwall.net mapped to the internal IP address of Network Guardian. This is because Connect for Chromebooks uses the above domain name when attempting to communicate directly with Network Guardian in the absence of a proxy setup.
12 Centrally Managing Smoothwall Systems
This chapter describes how to configure and maintain a centrally managed Smoothwall system,
including:
• About Centrally Managing Smoothwall Systems on page 175
• Setting up a Centrally Managed Smoothwall System on page 176
• Managing Nodes in a Smoothwall System on page 181
• Using BYOD in a Centrally Managed System on page 185
About Centrally Managing Smoothwall Systems
Network Guardian’s central management enables you to monitor and manage nodes in a
Smoothwall system.
A Smoothwall system consists of an instance of a Smoothwall product running as the parent node
and one or more compatible Smoothwall products running as child nodes managed by that parent
node.
Configuring and managing a Smoothwall system entails:
• Configuring a parent and the nodes in the system. For more information, see Setting up a Centrally Managed Smoothwall System on page 176
• Actively monitoring the nodes in the system. For more information, see Monitoring Node Status on page 182
• Applying updates. For more information, see Scheduling and Applying Updates to One or More Nodes on page 183
• Rebooting nodes as required. For more information, see Rebooting Nodes on page 184
• Disabling nodes as required. For more information, see Disabling Nodes on page 185.
Prerequisites
Before you start to set up a centrally managed Smoothwall system:
• Check that all the Smoothwall machines you intend to include in the system have the latest updates applied. For more information, refer to the Network Guardian Operations Guide.
• Check that you have administrator access to all of the computers you want to include in the system.
• Check that there is IP access from the computer that will be the parent node to the computers that will be child nodes in the system.
Setting up a Centrally Managed Smoothwall System
Setting up a centrally managed Smoothwall system entails:
• Configuring the parent node in the system
• Configuring child node settings, installing the central management key and enabling SSH on child nodes
• Adding child nodes to the system.
Configuring the Parent Node
The first step when configuring a Smoothwall system is to configure the parent node in the system.
To configure the parent node:
1. Log in to the instance of Network Guardian you want to function as the parent node.
2. Browse to the System > Central management > Local node settings page.
3. Configure the following settings:
   Local node options: Parent node – Select this option to enable central management and configure this instance of Network Guardian as the parent node in the Smoothwall system.
4. Click Save. This instance of Network Guardian becomes the parent node and can be used to centrally manage the Smoothwall system.
Configuring Child Nodes
Every child node in a Smoothwall system must have a central management key installed and SSH
enabled.
To configure a child node:
1. On the system’s parent node, browse to the System > Central management > Local node settings page.
2. Configure the following settings:
   Local node options: Parent node – Check that this option is selected so that you can generate a central management key for installation on child nodes.
   Manage central management keys: Central management key – Click Download to download and save the central management key in a secure, accessible location for distribution to the child nodes in the system.
3. On the Smoothwall system you want to add as a child node, browse to the System > Central management > Local node settings page and configure the following settings:
   Local node options: Child node – Select this option to configure this machine as a child node in the system. Click Save to save this setting.
   Manage central management keys: Upload central management key – Using your browser’s controls, browse to and select the key. Click Save to upload the key to the child node.
   Note: If you are reconfiguring a child node to be the child of a new parent, reboot the child node to apply the changes.
4. On the System > Administration > Admin options page, select SSH and click Save.
5. Repeat step 3 and step 4 above on any other machines you want to use as child nodes. When finished, you are ready to add them to the system. See Adding Child Nodes to the System on page 178 for more information.
Adding Child Nodes to the System
When you have installed the central management key and enabled SSH on all child nodes, you are
ready to add them to the system.
You can add nodes:
• Manually, by adding each node separately. See Manually Adding Child Nodes on page 178
• By importing node information from a CSV file. For more information, see Importing Nodes into the System on page 179.
Manually Adding Child Nodes
Adding child nodes manually entails entering the information for each node separately.
To add child nodes manually:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Click Add node and configure the following settings:
   Node details:
   Node name – Enter a unique name to identify the node. Node names may only consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
   IP/hostname – Enter the IP address or hostname of the child node.
   Comment – Optionally, enter a comment describing the child node.
   Node settings:
   Replication profile – From the drop-down list, select the replication profile to be deployed on the child node. The replication profile enables the sharing of system settings between nodes. For information on configuring a replication profile, refer to the Network Guardian Operations Guide.
   Central logging – Select to enable central logging for the child node. Note: Do not select this option if you want to access the child node’s logs on the child node itself.
   Allow parent to monitor status – Select to enable central monitoring for the child node.
   Allow parent to manage resources – Select to enable the parent node in the group to manage child node resources such as quotas which limit user access to web content. When enabled and quotas have been used in a web filtering policy, the parent ensures that users cannot access content for longer than allowed by using different child nodes.
3. Select Enable node and click Confirm. When prompted, review the node details and then click Save to add the node.
4. Repeat step 2 and step 3 for each node you want to add to the system.
5. When you have added all of the nodes, browse to the System > Central management > Overview page. The parent node lists the child nodes and displays their current status. For more information, see Monitoring Node Status on page 182.
Importing Nodes into the System
If child node information is available in a comma separated format (CSV) file, you can import it directly
into the parent node.
About the CSV File
Each line in the CSV file must contain 8 fields. The fields must be separated by commas and ordered
as follows:
Name,IP/hostname,Centrallogging,Monitorstatus,Centralresources,
Replicationprofile,Enabled,Comment
The possible values for the fields are as follows:
Name – The node name. This field is required. A node name may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported. Note: If the name is the same as that of a child node already in the system, the child node in the system will be overwritten.
IP/hostname – The IP or hostname of the node. This field is required.
Central logging – Determines if central logging is enabled or disabled. This field is required. Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0. Note: Do not enable this option if you want to access the child node’s logs on the child node itself.
Monitor status – Determines if central monitoring is enabled or disabled. This field is required. Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0.
Central resources – Determines if resources are managed by the parent. This field is required. Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0.
Replication profile – The name of the replication profile used on the node. This field is optional and may be empty. For more information, refer to the Network Guardian Operations Guide.
Enabled – Determines if the node settings are enabled or disabled. This field is required. Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0.
Comment – A comment. This field is optional. It may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
For full information on what the settings do, see Manually Adding Child Nodes on page 178.
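Because an import overwrites any existing node with the same name and the parent only reports errors after the file has been uploaded, it is worth checking a CSV file before importing it. The following is an added example, not code from the Smoothwall guide or product, that validates a node-import file against the rules stated above: the 8-field order, the required fields, the yes/on/1 and no/off/0 flag values, the permitted name and comment characters, and the overwrite-on-duplicate-name behaviour. The sample rows and the wording of the messages are constructed for this illustration; the real importer's messages may differ.

```python
# Added example (not part of the Smoothwall guide or product): pre-import
# validator for the 8-field central-management node CSV described above.
# Sample rows and message wording are constructed for this illustration.
import csv
import io
import re

FIELDS = ["Name", "IP/hostname", "Centrallogging", "Monitorstatus",
          "Centralresources", "Replicationprofile", "Enabled", "Comment"]
FLAG_FIELDS = ("Centrallogging", "Monitorstatus", "Centralresources", "Enabled")
TRUE_VALUES = {"yes", "on", "1"}
FALSE_VALUES = {"no", "off", "0"}
# Letters, numbers, spaces, underscores and full stops; Unicode is not supported
NAME_RE = re.compile(r"^[A-Za-z0-9 _.]+$")


def parse_flag(value: str) -> bool:
    """Map yes/on/1 to True and no/off/0 to False (case-insensitive)."""
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError(f"expected yes/on/1 or no/off/0, got {value!r}")


def validate_nodes_csv(text: str):
    """Return (nodes, errors, warnings).
    nodes maps node name -> dict of parsed fields; a later valid row with the
    same name replaces the earlier one, as the parent node's import does, and
    a warning records that. errors lists rows that would be rejected."""
    nodes, errors, warnings = {}, [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not c.strip() for c in row):
            continue  # blank line
        if len(row) != len(FIELDS):
            errors.append(f"line {lineno}: expected 8 fields, found {len(row)}")
            continue
        rec = dict(zip(FIELDS, (c.strip() for c in row)))
        ok = True
        if not rec["Name"]:
            errors.append(f"line {lineno}: Name is required")
            ok = False
        elif not NAME_RE.match(rec["Name"]):
            errors.append(f"line {lineno}: Name contains unsupported characters")
            ok = False
        if not rec["IP/hostname"]:
            errors.append(f"line {lineno}: IP/hostname is required")
            ok = False
        if rec["Comment"] and not NAME_RE.match(rec["Comment"]):
            errors.append(f"line {lineno}: Comment contains unsupported characters")
            ok = False
        for field in FLAG_FIELDS:  # Replicationprofile may be empty; flags may not
            try:
                rec[field] = parse_flag(rec[field])
            except ValueError as exc:
                errors.append(f"line {lineno}: {field}: {exc}")
                ok = False
        if not ok:
            continue
        if rec["Name"] in nodes:
            warnings.append(f"line {lineno}: node {rec['Name']!r} already defined; it will be overwritten")
        nodes[rec["Name"]] = rec
    return nodes, errors, warnings


# Constructed sample file: two good rows, a row with a bad name and a bad
# flag, a row that re-uses a name, and a row with too few fields.
SAMPLE_CSV = """\
branch_01,10.0.1.2,yes,on,1,Default profile,yes,Branch office
branch_02,10.0.1.3,no,off,0,,1,
bad name!,10.0.1.4,maybe,yes,yes,,yes,
branch_02,node2.example.org,yes,yes,yes,,yes,duplicate
short,10.0.1.5,yes
"""

if __name__ == "__main__":
    nodes, errors, warnings = validate_nodes_csv(SAMPLE_CSV)
    for msg in errors + warnings:
        print(msg)
    print("nodes that would be imported:", sorted(nodes))
```

Run against the sample, the validator rejects lines 3 and 5, warns that line 4 overwrites branch_02, and leaves two nodes to import. Keeping the overwrite as a warning rather than an error mirrors the parent node's own behaviour; change it to an error if an accidental overwrite of a live child node is a bigger risk in your environment than a failed import.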
Importing Node Information
The following steps explain how to import node information from a CSV file. For more information on
CSV files, see About the CSV File on page 179.
To import node information from a CSV file:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Click Import CSV, browse to the file and select it. Click Import to import the contents of the file.
3. The parent node displays the contents of the file and notifies you of any errors in the file.
   Note: Importing settings from a CSV file will overwrite existing nodes with the same name.
4. Click Confirm to import the information in the file. The parent node imports the node information and displays it.
Editing Child Node Settings
When required, it is possible to edit child node settings.
To edit a child node’s settings:
1. Browse to the System > Central management > Child nodes page, locate the node you want to edit and click Edit node.
2. Make the changes required. See Manually Adding Child Nodes on page 178 for full information on the settings.
3. Click Confirm, review the changes and then click Save to save and implement the changes.
Deleting Nodes in the System
It is possible to delete nodes that are no longer required in the system.
To delete a node:
1. On the System > Central management > Child nodes page, locate the node you want to delete and click Delete node. When prompted, click Delete to confirm the deletion.
2. Repeat the step above for any other nodes you want to delete.
Managing Nodes in a Smoothwall System
Managing nodes in a Smoothwall system entails:
• Monitoring node status
• Applying updates to nodes
• Scheduling updates for application at a specific time
• Rebooting nodes when necessary
• Disabling nodes when necessary
Monitoring Node Status
The central management node overview on the parent node displays a list of all of the nodes in the
Smoothwall system. It also displays the nodes’ current status and whether updates for the nodes are
available.
To monitor node status:
1. On the parent node, browse to the System > Central management > Overview page. The parent node displays the current node status.
Node information is contained in the following fields:
Name – The Name field displays the name of the node. Click on the name to log in to the node.
Status – The Status field displays the current state of the node. Click on the Status text to display detailed information on the node. For more information, see Accessing the Node Details Page on page 183. The following statuses are possible:
  OK – the node is functioning and does not require attention.
  Critical – the node requires immediate attention. Click on the node’s status field for more information.
  Warning – the node does not require immediate attention but should be checked for problems. Click on the node’s status field for more information.
Updates – The Updates field enables you to schedule the application of available updates. For more information, see Scheduling and Applying Updates to One or More Nodes on page 183. Click on the Updates text to display detailed information on the node.
Accessing the Node Details Page
It is possible to view detailed information on a node by accessing the node details page.
To access a node details page:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate the node you want more information on and click on its Status text. Network Guardian displays the node details page.
3. Click on the displayed headings for more information.
4. Click Refresh node to refresh the information displayed.
5. Click Reboot node to reboot the node.
Working with Updates
You can review and apply updates to a node as they become available. You can also apply updates
to one or more nodes immediately or at a later date.
Reviewing and Applying Available Updates to a Node
You can review and apply updates to a node as they become available.
To review and apply updates:
1. On the parent node, browse to the System > Central management > Overview page.
2. Click the Updates tab and then click the Status field of the node. The node details are displayed.
3. Click on the Updates line to review detailed information about the updates available. To apply the updates to the node, click Schedule update. The Schedule node update page is displayed.
4. In the Install updates area, select one of the following options:
   Now – Select to apply the updates to the node immediately.
   Later – From the drop-down list, select when you want the updates applied to the node.
5. Click Schedule update. The updates are applied to the node as specified in the previous step and the node is rebooted.
Scheduling and Applying Updates to One or More Nodes
You can apply updates to one or more nodes immediately or schedule them for application later.
To apply updates:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate and select the node(s) that require updates and click Schedule update. The Schedule node update page is displayed.
3. In the Install updates area, select one of the following options:
   Now – Select to apply the update(s) to the node(s) immediately.
   Later – From the drop-down list, select when you want the update(s) applied to the node(s).
4. Click Schedule update. The updates are applied to the node(s) as specified in the previous step and the node(s) are rebooted.
Clearing Scheduled Updates
It is possible to clear any scheduled updates.
To clear scheduled updates:
1. On the System > Central management > Overview page or the node details page, under Updates, click Clear schedule.
2. Network Guardian displays the updates that are currently scheduled. Click Clear schedule to clear the updates.
Rebooting Nodes
When required, you can reboot a child node from the system’s parent node.
To reboot a child node:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate the node you want to reboot and click on the Status text. The node details are displayed.
3. Click Reboot node. The Schedule node reboot page opens. In the Reboot node area, select one of the following options:
   Now – Select to reboot the node immediately.
   Later – From the drop-down list, select when you want to reboot the node.
4. Click Schedule reboot. The node is rebooted.
Disabling Nodes
It is possible to disable nodes locally and system-wide.
Disabling Nodes Locally
You may need to work on a child node in a system and, e.g. want to stop replication settings from
being applied by the parent. You can do this by disabling the child node locally.
To disable a node locally:
1. On the node you want to disable, browse to the System > Central management > Local node settings page.
2. In the Local node options area, select Disable and click Save.
3. Repeat the steps above for any other nodes in the system that you want to disable.
Note: On the parent node, on the System > Central management > Overview page, nodes that have
been disabled locally will be listed as Node uncontactable.
Disabling Nodes System-wide
You may need to disable a child node in a system, e.g. in the case of hardware failure. You can do
this by disabling the child node system-wide.
To disable a node system-wide:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Locate the node you want to disable, select Disable and click Save.
3. Repeat the steps above for any other nodes in the system that you want to disable system-wide.
Using BYOD in a Centrally Managed System
It is possible to provide a “bring your own device” (BYOD) service in a centrally managed Smoothwall
System.
In such a configuration, you can choose to have a single node, typically the parent node, receive
RADIUS requests and forward them onto the other RADIUS servers, or have a number of nodes act
as the RADIUS server for the network access server (NAS) for authentication requests, authorization
requests, accounting packets, or a mixture of all three.
For a detailed description of how to configure Network Guardian to support a BYOD service,
including an example of a centrally managed implementation, refer to the Network Guardian
Operations Guide.
Glossary
Numeric
2-factor authentication
The password to a token, used together with the token. In other words, 2-factor authentication is
something you know used together with something you have. Access is only granted when you use
the two together.
3DES
A triple strength version of the DES cryptographic standard, usually using a
168-bit key.
A
Acceptable Use Policy
See AUP
Access control
The process of preventing unauthorized access to computers, programs,
processes, or systems.
Active Directory
Microsoft directory service for organizations. It contains information about
organizational units, users and computers.
ActiveX*
A Microsoft reusable component technology used in many VPN solutions
to provide VPN client access in a road warrior's web browser.
AES
Advanced Encryption Standard
A method of encryption selected by NIST as a replacement for DES and
3DES. AES supports key lengths of 128-bit, 192-bit and 256-bit. AES
provides high security with fast performance across multiple platforms.
AH
Authentication Header
Forms part of the IPSec tunnelling protocol suite. AH sits between the IP
header and datagram payload to maintain information integrity, but not
secrecy.
Algorithm
In Smoothwall products, an algorithm is a mathematical procedure that manipulates data to encrypt
and decrypt it.
Alias or External Alias
In Smoothwall terminology, an alias is an additional public IP that operates
as an alternative identifier of the red interface.
ARP
Address Resolution Protocol
A protocol that maps IP addresses to NIC MAC addresses.
ARP Cache
Used by ARP to maintain the correlation between IP addresses and MAC
addresses.
AUP
Acceptable Use Policy
An AUP is an official statement on how an organization expects its
employees to conduct messaging and Internet access on the
organization’s email and Internet systems. The policy explains the
organization’s position on how its users should conduct communication
within and outside of the organization both for business and personal use.
Authentication
The process of verifying identity or authorization.
B
Bandwidth
Bandwidth is the rate that data can be carried from one point to another.
Measured in Bps (Bytes per second) or Kbps.
BIN
A binary certificate format, 8-bit compatible version of PEM.
Buffer Overflow
An error caused when a program tries to store too much data in a
temporary storage area. This can be exploited by hackers to execute
malicious code.
C
CA
Certificate Authority
A trusted network entity, responsible for issuing and managing x509 digital
certificates.
Certificate
A digital certificate is a file that uniquely identifies its owner. A certificate
contains owner identity information and its owner's public key. Certificates
are created by CAs.
Cipher
A cryptographic algorithm.
Ciphertext
Encrypted data which cannot be understood by unauthorized parties.
Ciphertext is created from plain text using a cryptographic algorithm.
Client
Any computer or program connecting to, or requesting the services of,
another computer or program.
Cracker
A malicious hacker.
Cross-Over Cable
A network cable with TX and RX (transmit and receive) reversed at either
end to provide a direct peer-to-peer network connection.
Cryptography
The study and use of methods designed to make information unintelligible.
D
Default Gateway
The gateway in a network that will be used to access another network if a
gateway is not specified for use.
Denial of Service
Occurs when a network host is flooded with large numbers of automatically
generated data packets. The receiving host typically slows to a halt while it
attempts to respond to each request.
DER
Distinguished Encoding Rules
A certificate format typically used by Windows operating systems.
DES
Data Encryption Standard
A historical 64-bit encryption algorithm still widely used today. DES is
scheduled for official obsolescence by the US government agency NIST.
DHCP
Dynamic Host Control Protocol
A protocol for automatically assigning IP addresses to hosts joining a
network.
Dial-Up
A telephone based, non-permanent network connection, established using
a modem.
DMZ
Demilitarized Zone
An additional separate subnet, isolated as much as possible from protected
networks.
DNS
Domain Name Service
A name resolution service that translates a domain name to an IP address
and vice versa.
Domain Controller
A server on a Microsoft Windows network that is responsible for allowing
host access to a Windows domain's resources.
Dynamic IP
A non-permanent IP address automatically assigned to a host by a DHCP
server.
Dynamic token
A device which generates one-time passwords based on a
challenge/response procedure.
E
Egress filtering
The control of traffic leaving your network.
Encryption
The transformation of plaintext into an unreadable form (called ciphertext)
by a cipher under a key. The ciphertext can be read only by someone who holds
the key needed to decrypt it (reverse the encryption).
ESP
Encapsulating Security Payload
A protocol within the IPsec protocol suite that provides encryption, and
optionally integrity protection and authentication, for tunnelled data.
Exchange Server
A Microsoft messaging system including mail server, email client and
groupware applications (such as shared calendars).
Exploit
Code or a technique that takes advantage of a hardware or software
vulnerability to gain access to a system or service, or to make it misbehave.
The term is also used loosely for the vulnerability itself.
F
Filter
A filter is a collection of categories containing URLs, domains, phrases, lists
of file types and replacement rules. Filters are used in policies to determine
if a user should be allowed access to information or files he/she has
requested using their web browser.
FIPS
Federal Information Processing Standards. See NIST.
Firewall
A combination of hardware and software that controls traffic between
networks, permitting or denying connections according to a set of rules in
order to protect private network resources.
G
Gateway
A network point that acts as an entrance to another network.
Green
In Smoothwall terminology, green identifies the protected network.
H
Hacker
A highly proficient computer programmer who seeks to gain unauthorized
access to systems without malicious intent.
Host
A computer connected to a network.
Hostname
A name used to identify a network host.
HTTP
Hypertext Transfer Protocol
The set of rules for transferring files on the World Wide Web.
HTTPS
A secure version of HTTP in which the connection is protected by SSL/TLS.
Hub
A simple network device for connecting networks and network hosts.
I
ICMP
Internet Control Message Protocol
One of the core protocols of the Internet protocol suite. It is chiefly used by
networked computers' operating systems to send error messages
indicating, for example, that a requested service is not available or that a
host or router could not be reached.
IDS
Intrusion Detection System
IP
Internet Protocol
IPS
Intrusion Prevention System
IP Address
A number that identifies each sender and receiver of network data: 32 bits
for IPv4 (for example 192.168.1.1), 128 bits for IPv6.
IPtables
The Linux packet filtering tool used by Smoothwall to provide firewalling
capabilities.
IPSec
Internet Protocol Security
An internationally recognized VPN protocol suite developed by the Internet
Engineering Task Force (IETF).
IPSec Passthrough
A 'helper' application on NAT devices that allows IPSec VPN traffic to pass
through.
ISP
An Internet Service Provider provides Internet connectivity.
K
Key
A string of bits used with an algorithm to encrypt and decrypt data. Given
an algorithm, the key determines the mapping of plaintext to ciphertext.
Kernel
The core part of an operating system that provides services to all other
parts of the operating system.
Key space
The set of all possible values for a key, or the size of that set. An n-bit
key has a key space of 2^n distinct keys, so each extra bit of key length
doubles the key space and the work of an exhaustive search.
L
L2F
Layer 2 Forwarding
A VPN system, developed by Cisco Systems.
L2TP
Layer 2 Tunneling Protocol
A tunnelling protocol that combines features of Microsoft's PPTP and Cisco
Systems' L2F. L2TP provides no encryption of its own, so it is normally run
over IPsec (L2TP/IPsec).
LAN
Local Area Network
A network between hosts in a similar, localized geography.
Leased Lines
Or private circuits
A bespoke high-speed, high-capacity site-to-site network that is installed,
leased and managed by a telephone company.
Lockout
A method to stop an unauthorized attempt to gain access to a computer.
For example, a three try limit when entering a password. After three
attempts, the system locks out the user.
M
MAC Address
Media Access Control
An address which is the unique hardware identifier of a NIC.
MX Record
Mail eXchange
An entry in a domain name database that specifies an email server to
handle a domain name's email.
N
NAT-T
Network Address Translation Traversal
A VPN gateway feature that lets IPsec traffic cross NAT devices by
encapsulating ESP packets in UDP (port 4500), avoiding the problems NAT
causes for raw ESP. It is a more effective solution than IPSec Passthrough.
NIC
Network Interface Card
NIST
National Institute of Standards and Technology
NIST produces security and cryptography related standards and publishes
them as FIPS documents.
NTP
Network Time Protocol
A protocol for synchronizing a computer's system clock by querying NTP
Servers.
O
OU
An organizational unit (OU) is an object used to distinguish different
departments, sites or teams in your organization.
P
Password
A protected/private string of characters, known only to the authorized
user(s) and the system, used to authenticate a user as authorized to access
a computer or data.
PEM
Privacy Enhanced Mail
A popular text format for certificates and keys: the DER-encoded data is
base64 encoded and wrapped between -----BEGIN ...----- and -----END ...-----
lines.
Perfect Forward Secrecy
A property of a key-establishment protocol: each session key is derived from
fresh, ephemeral key material, so compromise of a long-term key (or of a key
currently in use) does not allow previously recorded VPN traffic to be
decrypted.
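The difference between DER and PEM is easier to see in code than in prose. The following is an added example, not Network Guardian code and not a real certificate: it hand-builds a tiny DER structure (a SEQUENCE holding an INTEGER and a UTF8String, constructed for illustration), wraps it in PEM armour, unwraps it again, and walks the DER tag-length-value elements with a parser that rejects the non-minimal and indefinite lengths that DER forbids. Only single-byte tags are handled.

```python
import base64

# Constructed sample (not a real certificate): the DER encoding of
#   SEQUENCE { INTEGER 2, UTF8String "Smoothwall" }
# Each element is a tag byte, a length, then the value; a SEQUENCE's value
# is itself a run of such elements.
SAMPLE_DER = bytes([
    0x30, 0x0F,          # SEQUENCE, 15 bytes of content follow
    0x02, 0x01, 0x02,    # INTEGER, length 1, value 2
    0x0C, 0x0A,          # UTF8String, length 10
]) + b"Smoothwall"

TAG_NAMES = {0x02: "INTEGER", 0x0C: "UTF8String", 0x30: "SEQUENCE"}


def der_to_pem(der, label):
    """PEM is base64 of the DER bytes, 64 characters per line, between
    BEGIN/END armour lines; the label says what the DER encodes."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def pem_to_der(pem):
    lines = pem.strip().splitlines()
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def _read_length(buf, pos):
    """Decode a DER length. Short form: one byte below 0x80. Long form:
    0x80 | n, then n big-endian bytes. DER forbids the indefinite form
    (0x80 alone) and any non-minimal encoding, so a strict parser rejects both."""
    if pos >= len(buf):
        raise ValueError("truncated element: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
        raise ValueError("indefinite or oversized length is not valid DER")
    if buf[pos] == 0:
        raise ValueError("non-minimal length encoding (leading zero byte)")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    if length < 0x80:
        raise ValueError("non-minimal length encoding (long form for a short length)")
    return length, pos + nbytes


def parse_der(buf, pos=0, end=None):
    """Walk the TLV elements in buf[pos:end] and return (type name, value)
    pairs; SEQUENCE values are nested lists. Single-byte tags only."""
    if end is None:
        end = len(buf)
    items = []
    while pos < end:
        tag = buf[pos]
        pos += 1
        length, pos = _read_length(buf, pos)
        if pos + length > end:
            raise ValueError("element overruns its container")
        value = buf[pos:pos + length]
        name = TAG_NAMES.get(tag, f"tag 0x{tag:02x}")
        if tag & 0x20:                      # constructed: recurse into the contents
            items.append((name, parse_der(buf, pos, pos + length)))
        elif tag == 0x02:
            items.append((name, int.from_bytes(value, "big", signed=True)))
        elif tag == 0x0C:
            items.append((name, value.decode("utf-8")))
        else:
            items.append((name, value))
        pos += length
    return items


def is_valid_der(buf):
    """True if buf parses as a complete, strictly encoded DER structure."""
    try:
        parse_der(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER, "CERTIFICATE")
    print(pem)
    print(parse_der(pem_to_der(pem)))
```

A real certificate is the same thing at larger scale: a SEQUENCE of SEQUENCEs carrying the subject, issuer, validity dates, public key and signature. Tools that accept "PEM or DER" simply check for the BEGIN line and base64-decode before handing the bytes to a parser like this one.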
PFS
See Perfect Forward Secrecy
Phase 1
Phase 1 of the two-phase IKE process that establishes a VPN tunnel. Phase 1
authenticates the peers and negotiates the security parameters (the IKE
security association) that protect the rest of the negotiation.
Phase 2
Phase 2 of the two-phase IKE process. Phase 2 uses the association agreed in
Phase 1 to negotiate the IPsec security associations (keys and algorithms
for ESP) and bring the tunnel up.
Ping
A program used to verify that a specific IP address can be seen from
another.
PKCS#12
Public Key Cryptography Standards # 12
A portable container file format for transporting certificates and private keys.
PKI
Public Key Infrastructure
A framework that provides for trusted third party vetting of, and vouching
for, user identities; and binding of public keys to users. The public keys are
typically in certificates.
Plaintext
Data that has not been encrypted, or ciphertext that has been decrypted.
Policy
Contains content filters and, optionally time settings and authentication
requirements, to determine how Network Guardian handles web content
and downloads to best protect your users and your organization.
Port
A service connection point on a computer system, numerically identified
between 0 and 65535. Port 80 is the HTTP port and 443 the HTTPS port.
Port Forward
A firewall rule that routes traffic from a receiving interface and port
combination to another interface and port combination. Port forwarding
(sometimes referred to as tunneling) is the act of forwarding a network port
from one network node to another. This technique can allow an external
user to reach a port on a private IP address (inside a LAN) from the outside
via a NAT-enabled router.
PPP
Point-to-Point Protocol
Used to communicate between two computers via a serial interface.
PPTP
Point-to-Point Tunnelling Protocol
A widely used Microsoft tunnelling standard that is deemed relatively
insecure because of known weaknesses in its authentication and encryption.
Private Circuits
See Leased Lines.
Private Key
The secret half of a public/private key pair, known only to its owner. It
decrypts messages that were encrypted with the corresponding public key, and
creates digital signatures that the public key can verify.
Protocol
A formal specification of a means of computer communication.
Proxy
An intermediary server that mediates access to a service.
PSK
Pre-Shared Key
An authentication mechanism that uses a password exchange and
matching process to determine authenticity.
Public Key
The publicly available half of a key pair. Anyone can use it to encrypt a
message that only the holder of the corresponding private key can decrypt,
and to verify signatures made with that private key.
PuTTY
A free SSH and telnet client for Windows.
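The division of labour between the private and public key is easiest to see with textbook RSA. The block below is an added example, not Network Guardian code: it uses tiny constructed primes (61 and 53), no padding and no hashing, so it is a teaching toy and not a usable cryptosystem. It shows encryption with the public key and decryption with the private key, signing with the private key and verification with the public key, and finally recovers the private key from the public one by factoring the modulus, which is instant for a 12-bit modulus and is exactly what key length is meant to prevent.

```python
# Textbook RSA with constructed tiny primes. NOT secure: no padding, no hashing,
# and a modulus small enough to factor by hand. Illustration only.

def make_keypair(p, q, e=17):
    """Return (public_key, private_key) for primes p and q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone holding the public key can encrypt; only the private key can undo it."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, m):
    """Only the private key can produce a value that verifies under the public key."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key, m, signature):
    n, e = public_key
    return pow(signature, e, n) == m


def recover_private_key(public_key):
    """Break the toy key by factoring n with trial division. This is why real
    RSA keys are 2048 bits or more: the attack is the same, only the cost changes."""
    n, e = public_key
    p = next(i for i in range(2, int(n ** 0.5) + 1) if n % i == 0)
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    public, private = make_keypair(61, 53)
    c = encrypt(public, 65)
    print("ciphertext", c, "decrypts to", decrypt(private, c))
    s = sign(private, 65)
    print("signature", s, "verifies:", verify(public, 65, s))
    print("recovered private key", recover_private_key(public))
```

Real systems never expose raw RSA like this: messages are padded (OAEP for encryption, PSS for signatures) and signatures are made over a hash of the data, but the asymmetry shown here is the same one the certificate and PKI entries in this glossary rely on.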
Q
QOS
Quality of Service
In relation to leased lines, QOS is a contractual guarantee of uptime and
bandwidth.
R
RAS
Remote Access Server
A server which can be attached to a LAN to allow dial-up connectivity from
other LANs or individual users. RAS has been largely superseded by VPNs.
Red
In Smoothwall, red is used to identify the Unprotected Network (typically the
Internet).
RIP
Routing Information Protocol
A routing protocol which helps routers dynamically adapt to changes in
network connections by communicating information about which networks
each router can reach and how far away those networks are.
Road Warrior
An individual remote network user, typically a travelling worker 'on the road'
requiring access to a organization’s network via a laptop. Usually has a
dynamic IP address.
Route
A path from one network point to another.
Routing Table
A table used to provide directions to other networks and hosts.
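How a routing table, a default gateway and subnets fit together is a longest-prefix-match lookup. The block below is an added example, not Network Guardian code; its routing table, addresses and interface names (red and green, in Smoothwall's colour scheme) are constructed for illustration. It shows a more specific route beating a less specific one, the 0.0.0.0/0 default route catching everything else, and the failure case of a destination with no route at all.

```python
import ipaddress

# Constructed routing table: (destination network, next hop, interface).
# A next hop of None means the network is directly connected. The 0.0.0.0/0
# entry is the default route: it matches every IPv4 address but only wins
# when no more specific route does.
ROUTING_TABLE = [
    ("0.0.0.0/0",      "203.0.113.1",   "red"),    # default gateway towards the Internet
    ("192.168.1.0/24", None,            "green"),  # the protected LAN, directly connected
    ("10.20.0.0/16",   "192.168.1.254", "green"),  # a remote site behind an internal router
    ("10.20.30.0/24",  "192.168.1.253", "green"),  # one subnet of that site via another router
]


def build_table(entries):
    """Parse the textual entries once; ip_network(strict=True) also rejects
    a prefix whose host bits are set, a common typo in hand-written tables."""
    return [(ipaddress.ip_network(net, strict=True), nh, iface) for net, nh, iface in entries]


def lookup(table, destination):
    """Longest-prefix match: of all routes containing the destination, return
    the one with the longest prefix. Raise LookupError when nothing matches,
    which is what happens without a default gateway for a non-local address."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, next_hop, iface in table:
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, next_hop, iface)
    if best is None:
        raise LookupError(f"no route to {destination}")
    net, next_hop, iface = best
    return {"network": str(net), "next_hop": next_hop, "interface": iface}


def has_route(table, destination):
    try:
        lookup(table, destination)
        return True
    except LookupError:
        return False


if __name__ == "__main__":
    table = build_table(ROUTING_TABLE)
    for dst in ("192.168.1.10", "10.20.1.1", "10.20.30.7", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
```

A real kernel adds metrics and per-route source addresses, but the selection rule is the same: most specific prefix wins, and the default gateway is just the least specific route of all.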
Rules
In firewall terminology, rules are used to determine what traffic is allowed to
move from one network endpoint to another.
S
Security policy
A security policy is a collection of procedures, standards and guidelines that
state in writing how an organization plans to protect its physical and
information technology (IT) assets. It should include password, account and
logging policies, administrator and user rights and define what behavior is
and is not permitted, by whom and under what circumstances.
Server
In general, a computer that provides shared resources to network users.
SIP
Session Initiation Protocol
A protocol for initiating, modifying, and terminating an interactive user
session that involves multimedia elements such as video, voice, instant
messaging, online games, and virtual reality. Commonly used in VOIP
applications.
Single Sign-On
(SSO) The ability to log-in to multiple computers or servers in a single action
by entering a single password.
Site-To-Site
A network connection between two LANs, typically between two business
sites. Usually uses a static IP address.
Smart card
A device which contains the credentials for authentication to any device that
is smart card-enabled.
Spam
Junk email, usually unsolicited.
SQL Injection
A type of attack in which user-supplied input (for example from a web form or
URL) is inserted into an SQL query without proper escaping or
parameterisation, allowing the attacker to execute SQL statements of their
own choosing against the back-end database.
Squid
A high performance proxy caching server for web clients.
SSH
Secure Shell
A command line interface used to securely access a remote computer.
SSL
Secure Sockets Layer
A cryptographic protocol that provides secure communications on the
Internet. Its standardised successor is TLS (Transport Layer Security); the
term SSL is commonly used for both.
SSL VPN
A VPN accessed over HTTPS from, in theory, any browser. SSL VPNs require
minimal client configuration.
Strong encryption
A term used to describe a cryptographic system whose key is so long that, in
practice, it is impossible to break the system by exhaustive search within a
meaningful time frame.
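What "strong" means in terms of key space is concrete once you run an exhaustive search. The block below is an added example, not Network Guardian code: it uses a constructed toy stream cipher with a 16-bit key (deliberately weak, illustration only) and recovers the key from a ciphertext and sixteen bytes of known plaintext by trying every key, then shows the same search is hopeless at 128 bits even at an assumed rate of a million million keys per second.

```python
KEY_BITS = 16


def _keystream(key, length):
    """Constructed toy keystream (NOT a real cipher): a 16-bit key seeds a
    linear congruential generator and the low byte of each state is emitted."""
    state = key
    out = bytearray()
    for _ in range(length):
        state = (state * 75 + 74) % 65537
        out.append(state & 0xFF)
    return bytes(out)


def toy_encrypt(key, data):
    """XOR the data with the keystream. With only 2^16 keys this is breakable
    by brute force in well under a second, as brute_force_known_plaintext shows."""
    if not 0 <= key < 2 ** KEY_BITS:
        raise ValueError("key outside the key space")
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt   # XOR with the same keystream undoes the encryption


def brute_force_known_plaintext(ciphertext, known_prefix):
    """Try every key in the key space and return those whose decryption starts
    with the known plaintext. The loop is the attack; its cost is the key space."""
    target = ciphertext[:len(known_prefix)]
    return [k for k in range(2 ** KEY_BITS) if toy_decrypt(k, target) == known_prefix]


def years_to_exhaust(key_bits, keys_per_second):
    """Wall-clock years to try every key of the given length at the given rate."""
    return 2 ** key_bits / keys_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    secret = 0xBEEF                               # constructed secret key
    plaintext = b"Network Guardian VPN tunnel up"  # constructed message
    ciphertext = toy_encrypt(secret, plaintext)
    print("recovered keys:", [hex(k) for k in brute_force_known_plaintext(ciphertext, b"Network Guardian")])
    for bits in (16, 56, 128):
        print(f"{bits}-bit key at 1e12 keys/s: {years_to_exhaust(bits, 1e12):.3g} years")
```

The numbers are the point: 56 bits (DES) falls in under a day at that rate, while 128 bits takes on the order of 10^19 years. That gap, not any cleverness in the algorithm, is what the glossary calls strong encryption; it also assumes the cipher has no shortcut better than exhaustive search, which is a separate property the toy here does not have.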
Subnet
An identifiably separate part of an organization’s network.
Switch
An intelligent cable junction device that links networks and network hosts
together.
Syslog
A server used by other hosts to remotely record logging information.
T
Triple DES (3-DES) Encryption
A method of data encryption that runs DES three times (encrypt, decrypt,
encrypt) with two or three independent 56-bit keys, giving 112 or 168 bits
of key material. Triple DES is substantially stronger than DES.
Tunneling
The transmission of data intended for use only within a private network
through a public network in such a way that the routing nodes in the public
network are unaware that the transmission is part of a private network.
U
User name / user ID
A unique name by which each user is known to the system.
V
VPN
Virtual Private Network
A network connected together via securely encrypted communication
tunnels over a public network, such as the global Internet.
VPN Gateway
An endpoint used to establish, manage and control VPN connections.
X
X.509
The ITU-T standard that defines the format of public key certificates and
certificate revocation lists. In VPN terminology it also names the
authentication method in which peers exchange CA-issued certificates to
prove their identities.