SurfControl Web Filter for Cisco CE Installation Guide

Transcription

Web Filter
SurfControl Web Filter for Cisco CE
Installation Guide
www.surfcontrol.com
The World’s #1 Web & E-mail Filtering Company
NOTICES
NOTICES
Updates to the SurfControl documentation and software, as well as Support information are available at
www.SurfControl.com/support.
Copyright ©1998-2005 SurfControl plc. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by
any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the
copyright owner.
SurfControl is a registered trademark and SurfControl and the SurfControl logo are trademarks of SurfControl
plc. All other trademarks are property of their respective owners.
Version 5 printed May 2006.
Installation Guide
i
NOTICES
ii
Installation Guide
CONTENTS
CONTENTS
Notices.......................................................................................................................................................................................i
PRE-INSTALLATION ................................................................................................... 1
Introduction ..............................................................................................................................................................................2
Pass-through filtering technology ........................................................................................................................2
Requirements ............................................................................................................................................................................3
Web Filter System Requirements .........................................................................................................................3
Before you install Web Filter ................................................................................................................................4
Cisco CE Requirements .........................................................................................................................................4
Where to install.........................................................................................................................................................................5
Installation decisions ..............................................................................................................................................5
Network considerations .........................................................................................................................................6
Installation considerations .....................................................................................................................................7
User name resolution...............................................................................................................................................................9
EUM .........................................................................................................................................................................10
Installing EUM ........................................................................................................................................................11
X-Authenticated-User ............................................................................................................................................12
Database options......................................................................................................................................................................13
MSDE Database .....................................................................................................................................................13
SQL Server ..............................................................................................................................................................14
Database authentication ........................................................................................................................................15
Other considerations ...............................................................................................................................................................17
E-mail notifications ................................................................................................................................................17
INSTALLATION ......................................................................................................... 19
Installation order ......................................................................................................................................................................20
Installation procedures ..........................................................................................................................................20
Installing Web Filter ................................................................................................................................................................22
Flow chart ................................................................................................................................................................23
FURTHER CONFIGURATION ......................................................................................... 39
Configuring Services................................................................................................................................................................40
Database creation.....................................................................................................................................................................41
Creating a SQL Server Database ..........................................................................................................................41
Virtual Control Agent..............................................................................................................................................................45
Installation ...............................................................................................................................................................45
Configuring the VCA .............................................................................................................................................46
Upgrading the VCA ...............................................................................................................................................47
Performance Tuning................................................................................................................................................................48
System Workload Issues ........................................................................................................................................48
Distributing Services and Multiple Collectors ....................................................................................................49
Troubleshooting .......................................................................................................................................................................50
Troubleshooting EUM Issues ..............................................................................................................................50
Installation Guide
ii
CONTENTS
CISCO CONFIGURATION ............................................................................................. 51
Specifics .....................................................................................................................................................................................52
Installation of the Cisco CE running ACNS* ....................................................................................................52
Setting Up the Rules on the Content Engine for the Joint Solution** ..........................................................52
Types of Content Served in an ACNS Network** ...........................................................................................53
Content Caching Service with Filtering and Access Control*** .....................................................................53
Sample Deployments...............................................................................................................................................................57
Customer Expectations .........................................................................................................................................57
Content Engine Local Deployment Scenarios ***** ........................................................................................57
iii
Installation Guide
Chapter 1
Pre-Installation
Introduction
Requirements
Where to install
User name resolution
Database options
Other considerations
page 2
page 3
page 5
page 9
page 13
page 17
1
PRE-INSTALLATION
Introduction
Introduction
SurfControl Web Filter for Cisco CE:
•
uses pass-through technology.
•
filters HTTP.
PASS-THROUGH FILTERING TECHNOLOGY
Historically, pass-through technology was the first technology developed for Internet filtering. Filtering
software is installed on a device at the choke point for all outbound and inbound traffic. The application works
like customs: all packets are stopped and inspected before being allowed to enter the country. Only approved
HTTP requests are allowed to continue.
The inspection can be based on source or destination address, source or destination TCP ports and others.
Because this technology inspects every HTTP request, you may see network latency. In most cases, the
optimization of modern software and the availability of high performance hardware makes this latency
negligible.
2
Installation Guide
PRE-INSTALLATION
Requirements
1
Requirements
WEB FILTER SYSTEM REQUIREMENTS
You should check that the machines you will be using meet the minimum system requirements outlined in the
table below:
Table 1-1
System Requirements
Component
Requirement
Operating System
Microsoft Windows 2000 Server (SP3) or
Microsoft Windows 2000 Advanced Server (SP3)
Microsoft Windows Server 2003
Processor
Pentium III or above
Memory
512 MB minimum
Disk space
1 Gbyte free space
Network
1 Ethernet Card
Optional Netware
user name
support
If you plan to monitor traffic based on Netware user information, you must have the
latest version of the Novell Client installed on the SurfControl machine prior to
installing the SurfControl software.
Optional
Windows user
name support
If you plan to monitor users based on Windows user names, then you must be using
MS NT 4 or Active Directory domain controllers.
Web Reporting
Microsoft Internet Explorer 5.0 or later
OR
Netscape Communicator 4.75 or later
The requirements above represent the minimum system requirements for SurfControl. If you are deploying
SurfControl into a network that has a high volume of Internet traffic, you can see performance improvements
by installing the software onto a server with a faster CPU, additional RAM, and a SCSI drive system.
We also recommend that you run ACNS v5.2.3 for the best performance.
Installation Guide
3
1
PRE-INSTALLATION
Requirements
BEFORE YOU INSTALL WEB FILTER
In order to use the X-Authenticated-User header for User Name Resolution, which is recommended, you
should configure the following before installing Web Filter:
•
Authentication on the Content Engine - this must be configured and tested before you install Web
Filter. The following simple sample configuration shows how this might be done using an example domain
name of ‘surfqa’ and an example domain controller IP address of: 10.1.0.1:
1
Log in to the Content Engine’s CLI.
2
Execute the following commands:
CiscoCE# config
CiscoCE(config)# ntlm
CiscoCE(config)# exit
CiscoCE# write memory
server enable
server domain surfqa
server host 10.1.0.1
allow-domain enable
allow-domain domain surfqa
The CE should now be able to send user name information to SurfControl in the x-authenticated-user header
once it is configured to do so. Once you confirm that authentication with the CE is working, then you can
install Web Filter. After the Web Filter is installed, you can go through the steps of configuring the ICAP client
on the CE as you have documented.
(See section 11-5 of the ‘Cisco ACNS Software Configuration Guide for Locally Managed Deployments’ for
more information on X-Authenticated-User configuration in ACNS v5.2.3).
•
HTTP request authentication - Cisco support four types of HTTP request authentication but currently
only NTLM is supported by Web Filter. Information on configuring NTLM authentication of HTTP
Requests can be found in Chapter 9 of the ‘Cisco ACNS Software Configuration Guide for Locally
Managed Deployments’.
CISCO CE REQUIREMENTS
Before installation, make sure the Cisco Content Engine meets the minimum requirements listed in Table 1-2.
Table 1-2
4
Cisco CE Requirements
Component
Requirement
Cisco CE
Cisco CE 500 or 7300 series
Supported
ACNS Branch
Versions
5.2.7 or later
Installation Guide
5.3.5 or later
5.4.1 or later
PRE-INSTALLATION
Where to install
1
Where to install
INSTALLATION DECISIONS
This section discusses the decisions you must make before installing SurfControl and is divided into the
following sections:
Network considerations
Installation considerations:
•
Do you want to automatically monitor new users?
•
Do you want to enable user name support?
•
Where do you want to install VCA?
User name resolution:
•
How do you want SurfControl to handle user-name resolution?
•
How do you want to monitor users (IP address, workstation name, EUM, NetwareEUM, XAuthenticated-User)?
Database options:
•
What database do you plan to use (MSDE or SQL)?
•
How do you want SurfControl to connect to the database (Windows authentication or SQL
authentication)?
Other considerations:
•
Content information
•
Which e-mail notifications should SurfControl send?
•
What administrative privileges do you need to set up?
Installation Guide
5
1
PRE-INSTALLATION
Where to install
NETWORK CONSIDERATIONS
When the Cisco CE receives an HTTP request (over port 8080), it sends an ICAP request to the SurfControl
Web Filter (over port 1344).
SurfControl WF checks the category or the site and writes the relevant data to the database.
Figure 1-1 shows a SurfControl Web Filter deployment.
Figure 1-1
6
Sample Web Filter Deployment
Installation Guide
PRE-INSTALLATION
Where to install
1
INSTALLATION CONSIDERATIONS
During installation, you can set the following options for SurfControl’s basic behavior:
•
Automatically Monitor New Users
•
Enable User name Support
•
Install Virtual Control Agent
Automatically monitor new users
Each time SurfControl detects a request from a workstation it hasn’t seen before, it adds the workstation data
to the database and attempts to identify the real name of the workstation and the name of the user logged into
that PC.
Note: SurfControl can not monitor new users until the ICAP client is configured. See
procedure 7 for information on how to do this.
By choosing the Automatically Monitor New Users option during installation and configuring the ICAP client,
SurfControl automatically monitors HTTP traffic for all users. If unchecked, SurfControl builds a user list (for
use in creating rules), but does not monitor any users.
Enable user name support
Note: You must enable user name support if you plan to install EUM.
SurfControl monitors Internet usage based on user name, workstation name, or IP address. Checking Enable
User Name Support option enables monitoring by user name rather than workstation name or IP address.
Install Virtual Control Agent
Note: SurfControl recommends installing VCA onto a computer other than the SurfControl
server
Installation Guide
7
1
PRE-INSTALLATION
Where to install
SurfControl offers an adaptive reasoning technology called the Virtual Control Agent (VCA). VCA uses
artificial intelligence to categorize None sites into one of SurfControl’s categories. Before installation, make
sure the server where VCA is installed meets the minimum requirements for VCA (listed in Table 1-3).
Table 1-3
Minimum VCA system requirements
Component
Requirement
Operating
System
Microsoft Windows 2000 Server (SP3) or
Microsoft Windows 2000 Advanced Server (SP3)
Windows 2003 Server
Processor
Pentium III or above
Memory
512 MB minimum
Disk space
1 Gbyte free space
Applications
SurfControl Web Filter for Cisco CE v5.0 or later
During installation, you can choose to install and register VCA or install it for a 30-day evaluation period.
8
Installation Guide
PRE-INSTALLATION
1
By default, SurfControl monitors users by IP address. However, if you want to monitor users by user name,
SurfControl includes the Enterprise User Monitor (EUM) utility for resolving IP addresses to user names.
Alternatively, you may choose to monitor on Novell user names.
Note: SurfControl supports three monitoring methods: user name, workstation name, or IP
address.
SurfControl recommends monitoring by user because:
•
monitoring by workstation name only identifies the machine requesting the data, not the user who
originated the request.
•
monitoring by user names is more convenient in a workplace where employees share or swap machines
frequently.
•
monitoring by user names allows you to filter users based on NT or NetWare Users and Groups.
•
monitoring by user name makes it easier to track users that frequently login to multiple machines.
SurfControl places data on the Monitor with the following precedence:
1
User name based on X-Authenticated-User.
Note: If Web Filter receives an ICAP request that contains the X-Authenticated-User header,
it will decode and use the user name even if the Username Resolution setting is set to ‘None’.
If you do not wish to use usernames, though this is not recommended, you must not append
the X-Authenticated-User header.
2
User name resolved with EUM or NetwareEUM.
3
Workstation ID.
4
IP address.
Installation Guide
9
1
PRE-INSTALLATION
EUM
Note: SurfControl recommends using X-Authenticated-User for user name resolution unless
you are using Novell Netware. If you ARE using Netware then X-Authenticated user will NOT
work.
By accessing Windows NT and Windows 2000 security auditing data to resolve user names, EUM gives
SurfControl the ability to monitor traffic on a routed network by user name. EUM provides SurfControl with
continuous, accurate reporting of logon activity by user name.
For example, when jsmith attempts to access http://www.cnn.com, SurfControl sees jsmith’s IP address in the
HTTP request. EUM provides the missing link by receiving data from the domain controllers regarding
jsmith’s identity.
EUM on Windows NT domain controllers
SurfControl installs the EUM agent onto Windows NT domain controllers as a service (SurfControl User
Agent service; ScUserAgent.exe). During EUM installation, SurfControl configures NT domain controllers to
record Successful Logons to the security log (event 528). If you make changes to this audit policy and disable
event 528 logs (Successful Logon), EUM will no longer operate properly.
Confirm that event 528 logs are enabled by performing the following:
Note: Ensure security logs are set to overwrite as needed. Do not manually clear the security
logs.
1
From the SurfControl server, select Programs/Administrative Tools/User Manager for Domains from the
Start menu.
2
Select Policies then Audit. Make sure that Audit these Events is checked.
Before installation
Prior to installing the EUM UA onto an NT domain controller, ensure the trust relationships are set up for
multiple domain environments (in this case, SurfControl is Trusted, all other domains are Trusting).
EUM on Windows 2000 domain controllers
The EUM agent installs onto Windows 2000/3 domain controllers as a dll (ScSubAuth.dll).
When EUM is installed onto a Windows 2000 server, SurfControl uses Microsoft’s Sub-Authentication to
resolve user names. After installing EUM on a Windows 2000 domain controller, you must reboot the domain
controller.
10
Installation Guide
PRE-INSTALLATION
1
INSTALLING EUM
Install EUM from the SurfControl server. During installation, SurfControl installs the EUM UA onto each
domain controller. Before installing EUM, ensure the following:
•
The SurfControl server must have a static IP address.
•
The installer must be logged into the SurfControl server as a user with domain administration rights.
•
In order for a successful automatic installation, SurfControl must be able to see the domains that require
EUM. Make sure the SurfControl is located in the appropriate domain.
–
In a two-way trusted environment, the SurfControl server can be located in any domain.
–
If a one-way model is in use, the SurfControl server should be located in the master domain (this
allows SurfControl to see all other domains).
•
For Windows NT domain controllers, make sure the security logs of all domain controllers are set to
overwrite events as needed.
•
By default, EUM uses port 61695 to communicate with the SurfControl server. Perform the following
steps to change the port:
Procedure 1-1: Installi ng EUM
Step
Action
1
Add the following key to the SurfControl registry:
HKEY_LOCAL_MACHINE\SOFTWARE\JSB\SurfControlScout\ UserAgentPort
•
2
Add the key as a DWORD, specify a decimal value (default is 61695).
3
Stop and start the Web Filter service.
4
Update the scua.ini file on the domain controllers to reflect the port changes.
SurfControl recommends installing EUM when there are few or no users on the network or when a forced
logoff can be scheduled.
Note: Ignoring valid user accounts will result in incorrect identification.
•
During installation, you’ll be prompted to specify specific user accounts that UA should ignore; you should
only use the ignore option for accounts similar to SMS.
Installation Guide
11
1
PRE-INSTALLATION
Netware EUM
SurfControl also provides the ability to monitor users by their Novell Netware user name. The Novell version
of EUM is called NetwareEUM. NetwareEUM works in the same way as EUM. SurfControl installs a User
Agent onto each Novell NDS Tree Server.
Note: SurfControl does not support Novell 4.x. If you need to resolve Novell4.x users,
authenticate all users on an NT or 2000 domain controller and use EUM to resolve the user
names.
Before installing NetwareEUM, ensure the following:
•
Before installing SurfControl, install the latest Novell Client (with TCP/IP as the preferred protocol) onto
the server.
•
Network must be using Novell 5 or 6 over IP.
•
The SurfControl server must have a static IP address.
•
By default, NetwareEUM uses port 61696 to communicate with the SurfControl server. Perform the
following steps to change the port:
Procedure 1-2: Installi ng Netware EUM
Step
Action
1
Add the following key to the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\JSB\SurfControl Scout\NWUserAgentPort
•
2
Add the key as a DWORD, specify a decimal value (default is 61696).
3
Stop and start the Web Filter service.
4
Update the scua.ini file on the NetWare server to reflect the port changes. For details about
installing the NetWare EUM User Agent (UA) see Procedure 3 ‘Install NetWare EUM’ in the Installation
section.
SurfControl recommends installing NetwareEUM when there are few or no users on the network or when
a forced logoff can be scheduled.
X-AUTHENTICATED-USER
The x-authenticated-user ICAP header is a way for the ICAP client to pass user name information to the ICAP
server. This option is disabled by default. The icap append-x-headers x-authenticated-user option enables this
option, and inserts the x-authenticated-user information into the ICAP request to the ICAP server.
For more information on the configuration of the x-authenticated-user header see 11-5 of the ‘Cisco ACNS
Software Configuration Guide for Locally Managed Deployments’.
12
Installation Guide
PRE-INSTALLATION
Database options
1
Database options
SurfControl ships with Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), but can also create the
data structure in a fully-licensed version of Microsoft SQL7.0 or SQL 2000. If you plan to use a fully-licensed
version of SQL, make sure the software is installed and running before attempting to install SurfControl.
Using a fully-licensed version of SQL (rather than MSDE) allows more flexibility and the ability to fine-tune
database performance. SurfControl performs extremely well in either case.
SurfControl connects to the database using a fully-qualified connection string. This string contains all the
details required to connect to a database including database type, name of the server, user id, password, and
database name. Using a connection string does not require the creation of DSNs. Therefore, any SurfControl
client or server on the network can access the database without creating a link through the ODBC.
MSDE DATABASE
If you are not using a SQL Server database, you have the option of installing MSDE during the installation
process. MSDE allows a seamless upgrade to a SQL database in the future. Access MSDE data tables using the
OSQL utility.
Note: Microsoft states that the maximum size of an MSDE database is 2 GB.
If you install MSDE onto the SurfControl server, make sure the server meets the minimum resources listed in
Table 1-4.
Table 1-4
Minimum requirements for MSDE on SurfControl server
# Users
Machine Specification
<500
Pentium IV, 2 GB RAM, 1.2 GHz processor, 10 GB hard drive
500-1000
1000-3000
SurfControl recommends a full SQL installation on a dedicated SQL server.
3000-5000
5000-10000
10000+
Installation Guide
13
1
PRE-INSTALLATION
Database options
SQL SERVER
Note: SurfControl recommends installing SQL onto a dedicated server.
If you have a Microsoft SQL Server database on your network, you should plan to create the database on that
server (you can create and configure the database during the installation process).
If you plan to use a SQL database, but have not installed it, complete the following tasks before installing
SurfControl:
Note: Install SQL server with the default setting of case insensitivity, including case
insensitivity for Dictionary Order. Choosing case sensitivity may cause problems when
installing SurfControl.
1
Install the SQL Server Client Connectivity Pack onto the server where you install SurfControl.
2
Install SQL Server on the designated server; this can be the same machine as SurfControl server.
3
Make sure your server has the minimum resources listed in Table 1-5.
Table 1-5
Minimum requirements for SQL server on SurfControl server
# Users
<500
500-1000
1000-3000
3000-5000
5000-10000
10000+
Note: There should only be one database owner (db_owner) per database
4
Configure SQL to limit memory and processors when running both SurfControl and SQL on the same
computer.
Note: If you need to have multiple user accounts with database access, the other users
should only have db_datareader and db_datawriter permissions.
14
Installation Guide
PRE-INSTALLATION
Database options
1
Reasons to install SQL Server onto a dedicated server
SurfControl supports SQL7.0 and SQL2000. Use a fully-licensed version of SQL on a dedicated server if your
company:
•
plans to store large amounts of data (i.e., you have a large number of users, high Internet activity, or need
to retain data for an extended period of time)
•
requires SurfControl to write data to a database that is not resident on the SurfControl server.
•
requires more than one SurfControl server (collectors) to consolidate data in a single database.
•
plans to store SurfControl IM Filter, SurfControl Web Filter, and SurfControl E-mail Filter data on the
same SQL installation.
Considerations for large environments
Note: The Monitor only shows data that has been written to the database. Therefore, the
Monitor won’t show the data written to flat files until it has been transferred to the database.
In large environments with a high volume of Internet traffic, real-time updates to the database can take up
valuable bandwidth resources. Therefore, you can configure SurfControl to write data to a flat-file and
schedule automatic updates.
Make sure your dedicated SQL server has the minimum resources listed in Table 1-6.
Table 1-6
Minimum SQL system requirements for large environments
# Users
<500
500-1000
1000-3000
3000-5000
5000-10000
10000+
DATABASE AUTHENTICATION
SurfControl supports both Windows Authentication and SQL Authentication. For more information on
authentication see Chapter 9 of the ‘Cisco ACNS Software Configuration Guide for Locally Managed
Deployments’.
Windows authentication
If you choose to use Windows Authentication, make sure domain rights are correctly configured between the
SurfControl server and the SQL server. Also, the SurfControl installer account requires SQL Server database
creator rights.
Installation Guide
15
1
PRE-INSTALLATION
Database options
SQL authentication
If you choose to use SQL Authentication, you’ll need to create a SQL Server login specifically for SurfControl.
This login is required for creating the database and should be used for all SurfControl database activities.
If you choose to connect to the SQL database using SQL authentication, make sure the SQL server is
configured to support SQL Server and Windows NT authentication.
16
Installation Guide
PRE-INSTALLATION
1
This section contains general information that you should be aware of when installing SurfControl.
Content
SurfControl’s Category List is the premier category database in the filtering industry and provides the most
accurate, current, and relevant content listing available. The Category List includes:
•
47 well-organized categories.
•
over 9 million sites, including more than 1.2 billion web pages.
•
international content, including 65 languages and over 200 countries.
•
daily updates (more than 35,000 new sites a week).
Note: Use the Scheduler to create recurring Category Database Update events.
The Category List is stored in an encrypted, size-optimized Aura file called SurfControl Categories.csf.
Incremental updates (up to 60 MB) are stored in an encrypted file called SurfControl Categories.cdb. With
SurfControl, you can re-categorize sites; these updates are managed by the SurfControl Manual Categories.cdb
file. SurfControl checks the categorization files in the following order:
1
Manually-categorized (includes VCA, managed by the SurfControl Manual Categories.cdb file)
2
Incremental updates (SurfControl Categories.cdb)
3
Category List (SurfControl Categories.csf)
E-MAIL NOTIFICATIONS
SurfControl includes the ability to automatically notify the system administrator when any of the following
events occur:
•
Service running status change - if one of the SurfControl services stops running. This is an optional
notification.
•
Scheduled task failures - if a scheduled task fails to run. This is an optional notification.
•
Category list license reminders - when the Category List license is close to expiring. This is an optional
notification.
•
Unregistered product reminders - when you haven’t registered the product. This is a default reminder
and will be sent if you choose to enable the feature (by identifying a mail server and recipient).
•
Loss of database connectivity - when SurfControl loses communication with the database. This is a
default reminder and will be sent if you choose to enable the feature (by identifying a mail server and
recipient).
If you decide to enable this feature, you will need to know the IP address of your mail server and will need to
identify an administrator that will receive the notifications.
Installation Guide
17
1
PRE-INSTALLATION
If you choose not to enable this feature, then SurfControl will not send notifications for any of the events
listed above.
Administrative privileges
System administrators can remotely administer SurfControl by installing the Remote Administration Client.
From the Client installation you can:
•
view monitored traffic.
•
create and edit rules.
•
run reports.
•
start and stop the Web Filter Service.
•
set up scheduled events.
You will not be able to use the real-time monitor.
Before installation, make sure the administrator computer meets the minimum requirements listed in Table 17.
Table 1-7
Minimum system requirements
# Users
Processor
Intel Pentium III
Memory
256 Mbytes RAM
512 Mbytes RAM recommended if you plan to install VCA or to use the Web Reporting
feature.
OS
Windows 2000 Professional or Server or
Windows 2000 Advanced Server (SP1) or
Windows XP or Windows 2003 Server
18
Network
Ethernet card
Disk space
5 Gbyte free
Web Reporting
Microsoft Internet Explorer 5.0 or higher
Installation Guide
Chapter 2
Installation
Installation order
Installation procedures
Installing Web Filter
page 20
page 20
page 22
2
INSTALLATION
Installation order
Installation order
SurfControl recommends installing in the following order:
1
If you plan to monitor Netware user names, install the Novell client onto the SurfControl server.
2
If you are using MSDE 2000 as your database, SurfControl recommends installing MSDE prior to
installing SurfControl.
3
If you are using SQL7.0 or SQL2000 as your database, install the SQL client onto the SurfControl server.
4
Install the Complete Product onto the SurfControl server
5
If you plan to monitor Windows users by user name, install EUM onto all domain controllers.
6
If you plan to monitor Netware user names, install NetwareEUM onto all NDS servers.
7
Configure the ICAP Client on the Cisco CE.
8
Install Remote Administration software and VCA, if required
INSTALLATION PROCEDURES
This sections contains the following procedures:
1
Installing MSDE (optional)
2
Installing SurfControl Web Filter for Cisco CE
3
Installing EUM (optional)
4
Installing NetwareEUM (optional)
5
Automatically loading NLM (optional)
6
Unloading NLM (optional)
7
Enabling the ICAP Client on a Cisco CE
8
Installing SurfControl Administration client and VCA
9
Serializing SurfControl
10 Serializing VCA Cisco CE
20
Installation Guide
INSTALLATION
Installation order
2
Changes to the server
Installing SurfControl makes the following changes to your server:
•
SurfControl places an icon in the system tray at startup.
•
From this icon, you can start and stop the Web Filter service, the Scheduler service, and the Report
Service. You can also serialize the product.
•
Adds SurfControl executables to the Start menu (Programs > SurfControl Web Filter)
•
Adds necessary registry entries
•
Creates the SurfControl_WebFilter database
•
Adds the following services:
–
Web Filter service
–
Scheduler service
–
Report service
–
Remote Administration service
–
SurfControl Web Filter ICAP Service
Installation Guide
21
2
INSTALLATION
This section contains instructions for a successful installation of SurfControl Web Filter for Cisco CE. The
flowchart and descriptions explain what you should do at each stage of the installation process.
Procedure 2-1: Installi ng MSDE (optional)
Step
Action
1
If you plan to use an MSDE database. SurfControl recommends installing MSDE prior to performing
the SurfControl WF installation. You can download our recommended version of MSDE at
www.surfcontrol.com from the Downloads > Free Trial of SurfControl > Web Filter menu. You will
need to register first to access this download.
2
Locate the downloaded file (setup.exe).
3
Double-click setup.exe to start the installation process.
22
4
When prompted, make sure to enter a password for the SA account.
5
You will need to restart the server before installing the SurfControl Web Filter.
Installation Guide
INSTALLATION
2
FLOW CHART
The following flowchart shows the processes involved when installing SurfControl Web Filter.:
Installation Guide
23
2
INSTALLATION
Procedure 2-2: Installi ng SurfControl Web Filter
Step
Action
1
Locate the downloaded SurfControl Web Filter executable file (setup.exe)
2
3
The InstallShield Wizard loads.
SurfControl We b Filter Setup screen
4
Welcome to SurfControl Web Filter
5
Click Next to continue.
Li cense Agreement scree n
6
Read the License Agreement
7
Do you agree to the terms?
•
Yes, select I accept...Click Next to continue.
•
No, select I disagree...Click Cancel to exit the
installation process.
Display Readme File
SurfControl recommends you view the readme file.
Click Yes to open the file. Click Next to continue after
viewing the readme.
Se tup Type
8
You have the option to install a version of Web Filter
that meets legislation in some European countries that
forbids user browsing details to be viewed without
express management and union permission. Select
this option if you wish to use this version of Web Filter.
For more details see Chapter 5 - Privacy Edition of the
Administrator’s Guide.
9
Click Next to Continue.
(Sheet 1 of 6)
24
Installation Guide
INSTALLATION
2
Step
Action
Customer I nformation screen
10
Enter a name into the User Name field.
11
Enter your company’s name in the Company Name
field.
12
Enter the Serial Number for Web Filter and VCA, if
available. If you are evaluating the product, leave
these blank. You have 30 days to evaluate the product.
13
Choose Destination Location scre en
14
Select the folder where setup will install files. The
default is:
C:\Program Files\SurfControl\Web Filter.
Choose another location by selecting Browse and
navigating to a different location.
15
Se tup Type scree n
16
Select Complete Product.
17
(Sheet 2 of 6)
Installation Guide
25
2
INSTALLATION
Step
Action
Se lect Server Installation Options screen
18
If you want Web Filter to automatically monitor new
users (recommended), select Automatically Monitor
New Users.
19
If you want Web Filter to attempt to resolve user
names based on the requesting IP address, select
Enable User Name Support.
20
If you want to install VCA onto the Web Filter server,
select Install Virtual Control Agent.
Note:
21
SurfControl recommends installing VCA onto
a different computer than the Web Filter
server.
Select SurfControl Mobile Filter Administrator, if you
want to be able to manage the Mobile Filter server
from this computer.
Note:
you must have the SurfControl Mobile Filter
server installed on your network for the
Administrator to work correctly.
22
If you want to install SurfControl Report Central, select
Install SurfControl Web Filter Report Central. The
installation of Report Central will start automatically
after Web Filter has installed.
23
St art Copying Files screen
24
Review your settings before starting the installation.
25
Se tup Stat us scree n
26
Web Filter Setup is performing the requested
operations.
(Sheet 3 of 6)
26
Installation Guide
INSTALLATION
2
Step
Action
Se lect MSDE/ SQL Server Dat abase screen
27
28
29
From the drop-down list, choose the server where the
SQL database is running. You can also enter the name
of a server here.
Select the Authentication method.
Note:
SurfControl recommends using Windows
authentication.
Note:
If you choose Windows authentication, both
the Web Filter server and the SQL server must
be members of the same domain.
30
Choose the database you want to create.
Note:
In most cases, you should use the default
database (SurfControl_WebFilter); you can
enter a new name, if necessary.
31
32
Did you choose Windows Authentication to connect to a remote SQL Server database?
If Yes go to Step 33
If No go to Step 35
Se lect Account for Web Filter Service
33
Choose the domain account you want Web Filter to
use when connecting to the remote SQL Server
database when using Windows Authentication.
34
(Sheet 4 of 6)
Installation Guide
27
2
INSTALLATION
Step
Action
Sy st em Administrat or Notifications screen
35
Enter the e-mail server name or IP address.
36
Enter the recipient’s e-mail address.
37
Enter the ‘from’ e-mail address (using the default
address supplied is suitable).
38
Choose the types of notification you want to receive.
39
Note:
You can change these settings following
installation from the Web Filter Service
Settings. See the Web Filter Service chapter
of the Administrator’s Guide for more details.
SurfControl Report Central installation
40
The installation of Report Central will now start.
SurfControl Report Central Report Administrator setup
41
You need to set up an initial Report Administrator level
user for Report Central. This user can then add other
users and configure Report Central to suit your
organization.
Enter a User name and a Password, which you need to
confirm.
42
Report Central Dat abase update
43
For Report Central to give accurate results, its
database needs to be updated before reports are run.
You can perform this as part of the installation
process, or from the Configuration > Database
Connections > Update Tasks tab from Report Central.
44
Se tup Stat us
45
Report Central is performing the requested
operations.
(Sheet 5 of 6)
28
Installation Guide
INSTALLATION
2
Step
Action
Ins tall Shield Wizard Comple te
46
The installation of Web Filter is complete.
47
Click Finish.
Inf ormat ion
48
You are now asked to complete your registration
details for URL Category List updates.
Click OK to continue.
SurfControl Product Registration Screen
49
Complete the fields in the form
50
Click Register.
SurfControl Scheduler
51
You will see a dialog box informing you that a
scheduled event has been created for your URL
Category List updates.
(Sheet 6 of 6)
Step
Action
1
Make sure that the SurfControl WF server has a static IP address.
2
Make sure you have administrative privileges on all domain controllers where the UserAgent will be
installed.
(Sheet 1 of 3)
Installation Guide
29
2
INSTALLATION
Step
Action
3
Make sure the SurfControl WF server is located in the correct domain.
4
Make sure the firewall or router allows traffic through the provisioned port (default is 61695).
5
For Windows NT domain controllers, make sure the security logs of the domain controllers are set to
overwrite events, as needed.
6
Try to perform this procedure when there are few or no users on the network, or when a forced logoff
can be scheduled. This ensures the fastest, most accurate detection of users.
Begin Installation
7
Launch the EUM installation ( Programs > SurfControl Web Filter > Enterprise User Monitoring >
Install Enterprise User Monitoring).
SurfControl Enterprise Us er Monitori ng I nstallation screen
Click the Next button to start the installation.
8
Hostname screen
9
Enter the IP address of the SurfControl WF server.
Note:
SurfControl recommends entering the IP address instead of the hostname.
10
Enter the port the User Agent and SurfControl WF service should use to communicate (default is
61695).
11
Domain List screen
12
Select the domains you want to receive user data from.
13
Click Next to continue
Ignore User Account s screen
14
Select the user accounts whose logon/logoffs do not need to be reported to SurfControl WF (i.e., SMS
accounts).
15
16
Select the domain controllers whose user’s logon/logoff activity SurfControl needs to monitor (this
identifies the domain controllers where the UA will be installed).
Note:
Failure to install EUM on all domain controllers can compromise the accuracy of user name
resolution. If a domain controller is authenticating users, but not passing that data to
SurfControl, user activity may be recorded under another user name.
17
18
Installation onto Microsoft Windows 2000 domain controllers requires a reboot; SurfControl
recommends performing a manual reboot.
(Sheet 2 of 3)
30
Installation Guide
INSTALLATION
2
Step
Action
19
You have successfully installed Enterprise User Monitoring.
(Sheet 3 of 3)
Procedure 2-4: Install Netware EUM
Step
Action
1
Ensure Novell Client was installed on the SurfControl server prior to Web Filter installation.
2
From SurfControl server, log on to the Novell server with administrative rights.
3
Go to the SYS volume and create a directory (for example, nweum)
Note:
When creating the directory, use DOS8.3 naming conventions.
4
Under this directory, copy the files nweum.nlm and scua.ini from the SurfControl server to the Novell
server.
5
From the Netware Server console, load the NLM by typing:
Load sys:\nweum\nweum.nlm
and pressing enter
Note:
The system will not allow you to load the NLM if a copy is already running.
Installation Guide
31
2
INSTALLATION
Procedure 2-5: Automatically loading NLM
Step
Action
1
To automatically load the NLM every time the server is rebooted edit the sys:\system\autoexec.ncf
file.
2
You can edit this file using any text editor from the workstation or from the Netware Server by
typing:
Load edit sys:\system\autoexec.ncf
3
Add the following line at the end of the file:
Load sys:\nweum\nweum.nlm
4
Save the file.
Procedure 2-6: Unloading NLM
Step
Action
1
From the Netware Server console, type:
unload nweum.nlm
32
Installation Guide
INSTALLATION
2
Procedure 2-7: Enabling the ICAP Client on the Cisco CE
Step
Action
1
Go to the command line interface of the Cisco CE.
2
Enter the configuration mode:
ContentEngine# config
3
Enable ICAP:
Content Engine (config)# icap apply all
4
Configure ICAP client to append the x-client-ip header:
ContentEngine(config)# icap append-x-headers x-client-ip
5
Configure ICAP client to append the x-server-ip header:
ContentEngine(config)# icap append-x-headers x-server-ip
6
Configure ICAP client to append the X-authenticated-User Header (optional):
ContentEngine(config)# icap append-x-headers x-authenticated-user
Note:
7
Your Content Engine must be configured to authenticate requests, if this is to work.
Enable ICAP logging (optional):
ContentEngine(config)# icap logging enable
8
Create the SurfControl ICAP Service:
ContentEngine(config)# icap service SurfControl
9
Enable the SurfControl ICAP Service:
ContentEngine(config-icap-service)# enable
10
Set the Cisco CE to return error on ICAP failure (optional):
ContentEngine(config-icap-service)# enable error-handling return-error
11
Set the ICAP vector point to reqmod-precache:
ContentEngine(config-icap-service)# vector-point reqmod-precache
12
Set the SurfControl ICAP Service Server:
ContentEngine(config-icap-service)# server
icap://<ip address>:<port number>/SWFICAP
Note:
where<ip address> is the ip address of the machine on which SurfControl Web Filter for
Cisco CE is installed, and <port number> is the port configured in the SurfControl Web
Filter for Cisco CE. Insert the correct information into these places. Example: icap://
192.168.1.10:1344/SWFICAP
13
Exit the configuration mode:
ContentEngine(config-icap-service)# exit
14
Write the configuration changes to memory:
ContentEngine# write memory
Installation Guide
33
2
INSTALLATION
Procedure 2-8: Installi ng the Web Filter Admi nistration Client
Step
Action
1
Locate the downloaded SurfControl Web Filter executable file (setup.exe)
2
3
The InstallShield Wizard loads.
SurfControl We b Filter Setup screen
4
Welcome to SurfControl Web Filter
5
Li cense Agreement scree n
6
7
Read the License Agreement
Do you agree to the terms?
•
Yes, select I accept...Click Next to continue.
•
No, select I disagree...Click Cancel to exit the
installation process.
Display Readme File
SurfControl recommends you view the readme file.
Click Yes to open the file. Click Next to continue after
viewing the readme.
Se tup Type
8
You have the option to install a version of Web Filter
that meets legislation in some European countries that
forbids user browsing details to be viewed without
express management and union permission. Select
this option if you wish to use this version of Web Filter.
For more details see Chapter 5 - Privacy Edition of the
Administrator’s Guide.
9
Click Next to Continue.
(Sheet 1 of 4)
34
Installation Guide
INSTALLATION
2
Step
Action
Customer I nformation screen
10
Enter a name into the User Name field.
11
Enter your company’s name in the Company Name
field.
12
Enter the Serial Number for Web Filter and VCA, if
available. If you are evaluating the product, leave
these blank. You have 30 days to evaluate the product.
13
Choose Destination Location scre en
14
Select the folder where setup will install files. The
default is:
C:\Program Files\SurfControl\Web Filter.
Choose another location by selecting Browse and
navigating to a different location.
15
Se tup Type scree n
16
Select Remote Administration.
17
(Sheet 2 of 4)
Installation Guide
35
2
INSTALLATION
Step
Action
Se lect Server Installation Options screen
18
If you want Web Filter to automatically monitor new
users (recommended), select Automatically Monitor
New Users.
19
If you want Web Filter to attempt to resolve user
names based on the requesting IP address, select
Enable User Name Support.
20
If you want to install VCA onto the Web Filter server,
select Install Virtual Control Agent.
Note:
21
SurfControl recommends installing VCA onto
a different computer than the Web Filter
server.
Select SurfControl Mobile Filter Administrator, if you
want to be able to manage the Mobile Filter server
from this computer.
Note:
you must have the SurfControl Mobile Filter
server installed on your network for the
Administrator to work correctly.
22
If you want to install SurfControl Report Central, select
Install SurfControl Web Filter Report Central. The
installation of Report Central will start automatically
after Web Filter has installed.
23
St art Copying Files screen
24
Review your settings before starting the installation.
25
Se tup Stat us scree n
26
Web Filter Setup is performing the requested
operations.
(Sheet 3 of 4)
36
Installation Guide
INSTALLATION
2
Step
Action
27
28
29
From the drop-down list, choose the server where the
SQL database is running. You can also enter the name
of a server here.
Select the Authentication method.
Note:
SurfControl recommends using Windows
authentication.
Note:
If you choose Windows authentication, both
the Web Filter server and the SQL server must
be members of the same domain.
30
Choose the database you want to create.
Note:
31
In most cases, you should use the default
database (SurfControl_WebFilter); you can
enter a new name, if necessary.
Ins tall Shield Wizard Comple te
32
The installation of Web Filter is complete.
33
Click Finish.
(Sheet 4 of 4)
Installation Guide
37
2
INSTALLATION
Procedure 2-9: Serializing SurfControl WF
Step
Action
1
From the system tray, right-click on the SurfControl WF icon and select About.
2
Click Serialize.
3
Enter the serial number.
4
5
6
You have successfully serialized SurfControl WF.
Procedure 2-10: Serializi ng VCA
38
Step
Action
1
Launch the VCA (Programs > SurfControl Web Filter > Virtual Control Agent).
2
From the title bar, right-click the VCA icon and select About SurfControl Virtual Control Agent.
3
Click Serialize.
4
Enter the serial number.
5
6
7
You have successfully serialized VCA.
Installation Guide
Chapter 3
Further Configuration
Configuring Services
Database creation
Virtual Control Agent
Performance Tuning
Troubleshooting
page 40
page 41
page 45
page 48
page 50
3
FURTHER CONFIGURATION
To enable the ICAP service for Cisco CE and SurfControl Web Filter to connect to each other, various settings
may need to be configured within SurfControl Web Filter. To change the default settings, access the Service
Settings dialog box in the following way:
Procedure 3-1: Setting up the ICAP Server
Step
Action
1
Right-click on the Web Filter icon in the system tray
2
Select the Advanced tab and select the ‘Monitor to flat file (manual update)’ option. This will optimize
network speed.
Note:
3
40
.
for detailed information about this and the other tabs on the Service Settings dialog, see the
Web Filter Services section of the Administrator’s guide
Stop and start the service for the changes to take effect
Installation Guide
Database creation
3
Database creation
This section explains how to set up a new SurfControl Web Filter Database.
CREATING A SQL SERVER DATABASE
In order to create a SQL Server database to be used by SurfControl you need a valid SQL account on the SQL
Server. You can create the database using the built in sa account, using the password that you specified during
installation (if you opted to change it) and in this instance you would create a database in the same way as you
would if creating a MSDE database (see section 3.2.2 Creating a MSDE Database for more details). If,
however, you are unable or unwilling to use the ‘sa’ account for whatever reason, then you must create a new
user account before creating the SQL database:
Procedure 3-2: Creating the Account
Step
Action
1
First stop the SurfControl Web Filter service and make sure that you have all of the SurfControl
components (Monitor, Rules Administrator etc.) closed.
2
Open the SQL Enterprise Manager from the Microsoft SQL Server Start menu.
3
Click on the ‘+’ sign in front of the SQL server name to expand the tree.
4
Click on the ‘+’ sign in front of Security and choose Logins from the expanded tree. Right-click on
‘Logins’ and select ‘New Login’.
5
In the dialog that follows:
6
-
Select the General tab and enter a name for your new account.
-
Select the ‘SQL Server authentication’ radio button and enter a password in the ‘Password’
edit field.
-
Select the ‘Server Roles’ tab. Check the Database Creators key.
Click OK.
Procedure 3-3: Creating the Database
Step
Action
1
Choose Database Tools/Create MSDE SQL Server Database from the SurfControl Start menu.
2
This will launch the Create SurfControl Web Filter Database Wizard that will guide you through the
steps involved in creating a SQL Server database for use with SurfControl Web Filter.
Installation Guide
41
3
Database creation
Procedure 3-4: Setting up Access to the Database
Step
Action
1
Open the SQL Enterprise Manager from the Microsoft SQL Server Start menu.
2
Click on the ‘+’ sign in front of the SQL Server name to expand the tree.
3
Click on the ‘+’ sign in front of Security and choose Logins from the expanded tree.
4
Right-click on your newly created login from the list of available logins and select Properties.
5
Select the Database Access tab in the dialog that follows then select your newly created SurfControl
database.
6
In the ‘Database Roles’ section ensure that both ‘Public’ and ‘db_owner’ are checked.
7
Click OK.
Procedure 3-5: Accessing your new database
42
Step
Action
1
On the machine that you wish to access the database select Database Tools/Select Database on the
SurfControl Start menu. You will now see the Select SurfControl Database dialog:
•
If you wish to set this as the default database to be used by the SurfControl Monitor select the
Monitor tab.
•
If you wish to set this as the default database to be used by the Surf Control Rules Administrator,
select the Rules Administrator tab.
2
Click the Browse button.
3
This will launch the SQL Server Login where you can navigate to your new database. Click Connect to
SQL Database to expand the dialog. The expanded dialog will enable you to enter details of the
machine where your database is located.
4
In the ‘Server’ edit field enter the name of the server where the database is installed. This name will be
saved in the list for ease of access next time. Up to ten names can be stored in this way.
5
Select your new database from the ‘Database’ list. Click OK.
Installation Guide
Database creation
3
Creating the SQL Server Account
Note: You must use this SQL Server login to create the SQL database. Furthermore if users are
to use the Select Database utility then they must again use this account rather than the sa
account. This is the only account that should be used with the Rules Administrator.
After you install both SQL Server and SurfControl Web Filter, you must provide a SQL Server login for
SurfControl to use when connecting to the database.
Procedure 3-6: Create a SurfControl Web Filter User Account
Step
Action
1
On the server that is running Microsoft SQL Server, choose Microsoft SQL Server Enterprise Manager
on the Start menu.
2
In the Management console, open the tree properties until you can select the icon for the server you
are working from. Under there should be a list of folders including two called Databases and Security.
3
Open the Security folder and select the Logins property. You should see in the right pane a list of the
current logins available for SQL Server.
4
Right-click in the space below and select New Login from the dialog box. From here you can create a
new user account for SurfControl to use when connecting to the database.
5
At the top of the first page add the new name for the login (e.g.: surfadmin). You will need to choose
a form of authentication. Select the SQL Server authentication and then you can either choose to add
a password or leave it blank. If you add a password you will be requested to confirm this later on.
From the third option on this page, 'Defaults', select from the database menu the SurfControl Web
Filter database. Leave the language option set to default. The second tab on this dialog, titled 'Server
Roles', should be left with no properties highlighted.
6
In the Database Access tab, select the SurfControl database and then in the menu below 'Permit in
Database Role' select the top two options: 'public' and 'db-owner'. No other properties need to be
selected. Click OK to create the new user account.
7
Next you will need to modify the SurfControl database. Right-click on the previously created database
in the databases folder and select properties.
8
Go to the 'Options’ tab and select the ‘Restrict Access' check box. Click OK. You will now be able to
open the SurfControl monitor using the new user login.
Procedure 3-7: Creating a MSDE Database
Step
Action
1
Select Database Tools/Create MSDE SQL Server Database from the SurfControl Start menu.
2
This starts the Database Creation Wizard that will guide you through the steps involved in creating a
MSDE database for use with SurfControl.
Installation Guide
43
3
Database creation
Procedure 3-7: Creating a MSDE Database
Step
Action
3
The first information that you will be asked for is the server where you wish to create the database
and the type of authentication that this machine requires:
4
•
Use Trusted Authentication- selecting this check box will mean that your Window’s user name
and password will be used.
•
SQL authentication - if you don’t select the ‘Use Trusted Authentication’ check box’ you will need
to enter a valid SQL account name and password.
Enter a name for the new database then check the remaining options as required:
•
Use default file locations - this will store the database file and the transaction log file on the
server. If you wish to store these files elsewhere then you need to uncheck this option and specify
a location for these files in the dialog that follows.
•
Set as the Web Filter Service default database - the Web Filter Service will set this database as the
default for the Monitor and Rules Administrator applications.
•
Restart the Web Filter Service with this database - the Web Filter Service will automatically start to
write to this database once you have created it.
Populate with sample monitored data - shows a full database of sample data that can be used to try
out reports and Monitor settings. This is useful when you are getting to know the product and either
do not have or do not wish to use an existing full database.
5
44
The Finish dialog will indicate that you have created a new database.
Installation Guide
3
INSTALLATION
The default option during a Remote Administrator installation is to not install the VCA as you should only
have one VCA installation per Monitor database. If you did not install the Virtual Control Agent when
installing Web Filter, or wish to uninstall it, highlight the SurfControl Web Filter entry in the Add/Remove
Programs menu from the Windows Control Panel and clicking the Change/Remove button. Choose the
Modify option from the first screen. Click Next and the VCA should be selected (to install). Clear the check
box to uninstall. Click Next and follow the prompts.
Note: You should stop the SurfControl Web Filter service and all other applications before
installing or uninstalling the VCA.
If you need to enter the VCA Serial Number, you can do so while the VCA window is open.
Procedure 3-8: Post Installation Activation
Step
Action
1
Select VCA from the SurfControl Web Filter group on the Start menu.
2
Right-click on the VCA icon in the upper-left corner of the VCA window, then select About SurfControl
Web Filter Virtual Control Agent from the pop-up menu.
3
Click Serialize in the About box.
4
Enter the serial number in the dialog, then click OK.
Note: SurfControl Web Filter VCA running in evaluation mode will not update the SurfControl
Web Filter database. However, it will give feedback on totals of sites that would be categorized when activated.
Installation Guide
45
3
CONFIGURING THE VCA
Configuration of the VCA is carried out within the Settings tab of the SurfControl VCA dialog. Within this
dialog you can configure the following:
•
Spider Settings
•
Proxy Settings
The Spider Settings
The Settings tab enables you to control how the VCA will handle connections and pages during classification
runs.
Observe Robot Exclusion Policy - some sites contain a text file that describes exactly what each spider (or
robot) can access on the site. If you choose to ignore this policy then the spider will try to access unauthorized
areas on the site. This may result in your IP address being banned by the site.
Impersonate Internet Explorer - if you select this item the VCA will identify itself as Internet Explorer
when making requests to servers. If you uncheck this item then the VCA will identify itself as SurfControl Web
Filter. Some sites are inaccessible unless you impersonate Internet Explorer. Alternatively, sites can also ignore
requests that originate from SurfControl Web Filter.
Cache retrieved web pages - adds any pages directly retrieved during the VCA run to the local web page
cache, if available.
Retrieve pages from cache - enables VCA to use locally cached versions of pages on a site, rather than
having to go out and retrieve current versions directly from the site to be classified.
The Proxy Settings
The Proxy Settings are available on the Settings tab of the VCA.
Note: If you want the VCA to use NT Authentication when going through the Proxy Server,
check the Use NT Authentication box setting. If you do not want to use NT Authentication
then supply a User Name and Password.
If the VCA will be accessing the Internet through a Microsoft Proxy Server, you should select the ‘Use Proxy’
setting check box.
The General Settings section
The General Settings section contains a check box entitled 'Submit details of VCA categorized sites to
SurfControl'. If you check this box then as VCA categorizes 'None' sites it will send these sites with their new
categorization to SurfControl.
Research staff examine these sites to check that the categorization applied by VCA is correct. Once these
categorizations are verified the URLs are added to the Category Database to ensure that it always contains the
most comprehensive and up-to-date information.
46
Installation Guide
3
UPGRADING THE VCA
If you did not have VCA installed on a previous version of SurfControl Web Filter and you now wish to
upgrade this version then VCA will not be installed during the normal upgrade process. VCA will need to be
installed manually.
To install the VCA manually:
Procedure 3-9: Running the Upgrade process
Step
Action
1
Navigate to the SurfControl Web Filter installation directory where you will find a folder containing
the VCA components.
2
Double-click the VCA setup.exe file.
3
Follow the on-screen prompts to install the VCA.
If you did install VCA on a version of SurfControl Web Filter that you now wish to upgrade then VCA will be
upgraded along with the rest of the Web Filter product. However this will only happen if the version of VCA
that you have is the following: SurfControl Virtual Control Agent 4.0.2.2
Installation Guide
47
3
Performance Tuning
Performance Tuning
There are a number of factors to take into account when deploying SurfControl Web Filter on your network,
which relate to the choice of server, number and locations of servers, and configuration options. The first thing
to understand is the components within a server that affect performance:
•
•
•
CPU - A faster CPU or multiple CPUs will improve processing throughput.
RAM - A Larger amount of memory will improve performance through better buffering.
Disk Subsystem - Probably the most important factor, a faster disk system (SCSI, SCSI II etc.) will
improve throughput.
•
Virus checkers and services - Disable any that are not needed.
SYSTEM WORKLOAD ISSUES
What size and strength of system your monitoring requires depends on the amount of traffic (packets per
second) that you need to monitor since the biggest impact on performance is the recording of monitored
packets to the SurfControl database. Understanding the volume of network traffic, the mix of protocols, and
the level of detail you want to monitor will help in sizing the correct system.
As a hypothetical example, a network might have on average 600 packets a second passing by the SurfControl
Monitor. These could break down into the following percentages:
•
HTTP (web access) - 70%
•
FTP - 15%
•
Telnet - 10%
•
SMTP - 5%
Monitoring Options
If you are not interested in monitoring telnet, you can disable this protocol in the SurfControl Web Filter
Monitor. Doing this reduces the workload for SurfControl Web Filter.
You can further reduce the workload by deciding not to monitor certain workstations (this does not stop your
ability to control those workstations access from the Rules Administrator). This can be done through the
Monitor User interface. For instance if you have a web server inside your firewall you may not wish to see all
the traffic associated with that system.
You can also reduce the amount of monitoring for each connection by recording only the top-level domain
and not individual graphics that typically get accessed.
Other Performance Options
You can also control other performance factors, such as:
•
Disable the monitor all HTTP traffic setting (will only monitor top level domain information).
•
Disable SmartScan.
48
Installation Guide
Performance Tuning
3
•
Disable username support (if you have not implemented NT or NDS user names across your network you
may only require a hostname).
•
Lengthen the time between checking if a new user has logged in on a workstation.
If you have workstations on your network that don't have an entry in your DNS Server, you will suffer a
performance penalty. SurfControl Web Filter will attempt to resolve the workstation name, which ultimately
results in a timeout from the DNS Server that will slow the service. This applies not only to internal
workstations, but also to external workstations that enter your network. You may see a lot of external
workstations registering in the Monitor if you have a Web Server, FTP Server or E-mail Server on the
monitored network. You can disable the workstation name resolution to speed up performance by deselecting
the Enable Workstation name resolution option.
Performance Factors
There are other factors that come into play, and other options you can deploy in tuning the system. The size of
the monitored database can also impact performance. Another factor is the demand for reporting as well as
recording; high reporting requirements can impact system performance.
DISTRIBUTING SERVICES AND MULTIPLE COLLECTORS
Your network may have such a large volume of traffic that no one system can handle it. In these instances you
can deploy multiple Servers. These Servers can be physically deployed on different segments if you have a
switched network, or they can be configured to only monitor certain subnets (using the SurfControl Web Filter
Service). You are then able to balance the load across Servers.
This will result in separate monitor databases on each Server. This may be a good solution if you want to
delegate control to departments or groups, as they will be able to monitor and control their own Internet
Access Policy.
However, if you wish to use a single database to view and produce reports, you will need to consolidate the
information. This can be done in one of two ways:
•
Use flat files at each of the SurfControl Servers (in this case known as collectors). Then use the
SurfControl 'Database Updater' process to write the flat files from each of the 'collectors' to a single
database.
•
Configure both collectors to simultaneously write directly to the single database.
Note: with SurfControl WF for Cisco CE you can load balance multiple Web Filter servers. See
“ICAP service Load balanced” on page 55 for an example on how to do this.
When you initially configured a standalone Content Engine, you chose an initial interface and either configured
it for DHCP, or gave it a static IP address. You can configure the Content Engine to load-balance ICAP
requests to multiple Web Filter servers. For information on how to do this see Chapter 15 of the ‘Cisco ACNS
Software Configuration Guide for Locally Managed Deployments.’
Installation Guide
49
3
Troubleshooting
Troubleshooting
This section covers some problems that may occur during or after installation of SurfControl.
Procedure 3-10: What to do i f no data is being collected
Step
Action
1
Check that the Web Filter service is running. The SurfControl Web Filter icon in the System Tray should
appear in color. If it is grayed out, the service is not running.
2
To start the service, right-click on the SurfControl icon in the Windows taskbar status area and select
Start Web Filter Service on the popup menu.
3
If the service will still not start or you experience further problems, please contact SurfControl
Support.
TROUBLESHOOTING EUM ISSUES
If you are having difficulties making EUM work correctly, please check these items before contacting
SurfControl Support:
•
After installing the EUM agent, make sure that all domain users log out and then back into the domain
because the agent will not pick up previously logged-in users.
•
Check the security logs on the domain controllers to ensure that the user has indeed logged on.
•
Ensure that the agent is installed on all domain controllers that authenticate users.
50
Installation Guide
Chapter 4
Cisco Configuration
Specifics
Sample Deployments
page 52
page 56
4
CISCO CONFIGURATION
Specifics
Specifics
The following sections have been taken from Cisco documentation.
INSTALLATION OF THE CISCO CE RUNNING ACNS*
The focus of the installation discussion is intended for administrators who want to configure, manage, and
monitor locally deployed Content Engines that are running the Cisco Application and Content Networking
System (ACNS) 5.2.3 software. The administrator should be familiar with Cisco router and switch
configuration. An understanding of caching concepts is also necessary.
Note: To initially configure a Content Engine as a locally deployed device, it is necessary to
turn off the autoregistration feature so that the Content Engine will not automatically register with the Content Distribution Manager, and thereby can be individually managed
through the ACNS software command-line interface (CLI) or the Content Engine graphical
user interface (GUI) as a locally deployed device.
The Content Engine GUI allows an organization to remotely configure, manage, and monitor locally deployed
Content Engines through its browser. The Content Engine CLI allows an organization to configure, manage,
and monitor a locally deployed Content Engine through a console connection or a terminal emulation
program. The Content Engine GUI or CLI can be used to configure and manage a locally deployed Content
Engine. The Content Engine GUI has context-sensitive online help that can be accessed by clicking the Help
button.
*Cisco Documentation: Cisco ACNS Caching & Streaming Configuration Guide Release 5.1
SETTING UP THE RULES ON THE CONTENT ENGINE FOR THE JOINT
SOLUTION**
From a Cisco perspective, content is the fundamental element of the ACNS network as it represents all the
data that the ACNS network handles. Content can be static application data or a media stream and can be
associated with a file type and file extension. Categorically, content can also be on-demand, pre-loaded, prepositioned or live.
Content caching with filtering and access control is defined as the saving and storing of information locally.
Copies of recently requested content are stored temporarily on a Content Engine in locations topologically
closer to the web client (the end user who is requesting the content). The content is readily available to be
reused for subsequent client requests for the same content. Content Engines that have ACNS 5.2.3 software
installed support content caching with filtering and access control. Content caching is also referred to as
“network caching”.
**Cisco Documentation: Cisco ACNS Caching & Streaming Configuration Guide Release 5.1, chapter 1
52
Installation Guide
CISCO CONFIGURATION
Specifics
4
TYPES OF CONTENT SERVED IN AN ACNS NETWORK**
Cisco categorizes content served in an ACNS network as being one of the following three choices:
On demand: - Content that is acquired, cached and delivered because of a user request (client-triggered
demand). When the first client request is made for the content, it is retrieved from the origin web server and is
served to the client by way of the best-suited Content Engine, which also stores or caches the content.
Preloaded: - Content that is retrieved and stored on an individual Content Engine because the administrator
of that Content Engine scheduled a retrieval of specific content in anticipation of user requests for that
content. Content Engines can be configured to preload specific content items using HTTP. Web sites are
scanned several link levels down for content. The product scans for content 10 levels down for the initial
website link. Preloaded content can be configured with specified bandwidth limits for better control of
network usage. Content that is retrieved and distributed through a network of centrally managed Content
Engines because the ACNS network administrator has configured acquisition and distribution of content in
anticipation of user requests. Used as a means of distributing content to populate Content Engines in a
centrally managed ACNS network environment.
Pre-positioned: - Bandwidth-intensive content objects, such as Java applets, Macromedia Flash animations,
Shockwave programs, and other file formats can be managed and scheduled for distribution to Content
Engines during off-peak hours.
**Cisco Documentation: Cisco ACNS Caching & Streaming Configuration Guide. Release 5.1, chapter 1
CONTENT CACHING SERVICE WITH FILTERING AND ACCESS CONTROL***
Nothing is more frustrating to Internet users than waiting for a web page to load in their browser. A number
of factors contribute to slow delivery of web content, including Internet congestion, web server overload, and
slow-speed WAN access lines. One cost-effective solution to reduce slow web access and latency is to “push”
content out to the edges of the Internet and closer to the end users.
Because of its special position as an “in-line” device between the end user (web clients) and the Internet,
Content Engines can be easily configured for network caching. Bandwidth usage and web latency is
significantly reduced because frequently accessed Internet content is being locally cached and served by the
Content Engine at each location. Content Engines can be configured to provide network caching with filtering
and access control.
User Authentication and Content Filtering
Content Engines can be configured to perform a number of content filtering services. Once the Content
Engine receives a request, it performs the following tasks:
•
Passes the IP address of the client to SurfControl Web Filter for Cisco CE. If it is configured to do so,
SurfControl Web Filter uses its Enterprise User Monitor (EUM) to correlate the IP address and the user
name for windows-based user authentication. The EUM needs to be installed on the Active Directory
Server or Netware server in order to communicate with SurfControl Web Filter.
•
Passes the request through SurfControl Web Filter for Cisco CE for content filtering
•
Compares content against configured rules and either blocks the page or sends back the unmanipulated
request.
***Cisco Documentation: Cisco ACNS Caching & Streaming Configuration Guide, Release 5.1, chapter 13
Installation Guide
53
4
CISCO CONFIGURATION
Specifics
Sample Workflow of Configuring ICAP Services on a Content Engine****
ICAP can be configured using a telnet connection to the Content Engine.
The following is a sample workflow of how to define and enable ICAP services for SurfControl Web Filter for
Cisco Content Engine on a locally deployed Content Engine:
1
Use the icap apply {all | rules-template} command to specify which ICAP services should be performed
on which requests that are received by the Content Engine. To configure ICAP service for SurfControl
configure icap apply all command to instruct the Content Engine to run all of the ICAP services on all of
the HTTP requests that it receives.
2
Use the icap logging enable command to turn on the ICAP-related transaction logging, which is available
in the local1/logs/icap/ directory
3
Use the icap append-x-headers command to specify the ICAP extension headers that are passed to the
ICAP server with every REQMOD request. Use the x-header x-client-ip to enable sending the source IP
address of each HTTP request to the ICAP server (SurfControl Web Filter for Cisco CE).
ContentEngine(config)# append-x-headers x-client-ip
4
Use the x-header x-server-ip to enable the sending of the destination IP address of each HTTP request to
the ICAP server (SurfControl Web Filter for Cisco CE).
ContentEngine(config)# append-x-headers x-server-ip
5
Configure the ICAP client to append the X-Authenticated-User header (this step is optional):
ContentEngine(config)# append-x-headers x-authenticated-user
6
Use the icap service service-id command to configure and enable various ICAP services on this Content
Engine.
#config
(config)# icap service
(config-icap-service)#
(config-icap-service)#
(config-icap-Service)#
(config-icap-Service)#
(config)# exit
54
Installation Guide
surfcontrol
enable
vector-point reqmod-precache
Server icap//172.19.227.150:1344/SWFICAP
exit
CISCO CONFIGURATION
Specifics
7
4
The following is a sample workflow of how to define and enable ICAP services for SurfControl Web Filter
for Cisco CE on a locally deployed Content Engine:
#config
(config)# icap apply all
(config)# logging enable
(config)# icap append-x-headers x-client-ip
(config)# icap append-x-headers x-server-ip
(config)# icap append-x-headers x-authenticated-user
(config)# icap service surfcontrol
(config-icap-service)# enable
(config-icap-service)# vector-point reqmod-precache
(config-icap-service)# server icap://172.19.227.150:1344/SWFICAP
(config-icap-Service)# exit
(config)# exit
ICAP service Load balanced
There are different configuration options available for load balancing for the Cisco CE.
•
Client IP hash - Uses a hash-based algorithm based on the client IP address for load balancing the ICAP
servers in the cluster.
•
Round-robin - Uses the round-robin method in which ICAP servers take turns processing HTTP
requests.
•
Server IP hash - Uses a hash-based algorithm based on the server IP address for load balancing among
the ICAP servers in the cluster.
•
Weighted - Uses a farm of ICAP servers with different load capacities.
The following shows the configuration of load balancing using round robin method:
1
#config
(config)# icap apply all
(config)# logging enable
(config)# icap append-x-headers x-client-ip
(config)# icap append-x-headers x-server-ip
(config)# icap append-x-headers x-authenticated-user
(config)# icap service surfcontrol
(config-icap-service)# enable
(config-icap-service)# load-balancing round-robin
(config-icap-service)# vector-point reqmod-precache
(config-icap-Service)# exit
(config)# exit
****Reference: Cisco Documentation: Cisco ACNS Caching & Streaming Configuration Guide, Release 5.2,chapter 11
Installation Guide
55
4
CISCO CONFIGURATION
Sample Deployments
Sample Deployments
CUSTOMER EXPECTATIONS
The combination of SurfControl Web Filter for Cisco CE and the Cisco CE running ACNS 5.2.3. accelerates
the availability of appropriate Internet content by incorporating value-added Web services at the edge of an
organization’s network with speed, accuracy, reliability and through a standards-based process. This standard
form of communication between edge devices and network-based applications provides customers with the
efficiency, bandwidth, information system asset protection and communications infrastructure required for the
dynamic business climate in which they are involved.
CONTENT ENGINE LOCAL DEPLOYMENT SCENARIOS *****
Transparent Caching
In transparent caching, the user is not aware of the presence of the Content Engine. The user (web client)
requests content (web objects) directly from the source (origin web server) by entering the URL of the origin
server in a browser. This request is intercepted by a WCCP-enabled router or a Layer 4 CCS switch.
By supporting WCCP Version 2 or by interoperating with Cisco Content Services Switch (CSS) 11000 series
switches, a Content Engine can achieve a basic level of transparency that includes:
•
Transparent receipt of content traffic
•
Fault tolerance
•
Scalable clustering
Figure 4-1 shows how transparent caching through a WCCP-enabled router and Content Engine works.
1
A user (web client) requests a web page from a browser.
2
The WCCP-enabled router analyzes the request, and based on the TCP destination port number,
determines whether it should transparently redirect the request to the Content Engine.
3
If the request is transparently redirected to the Content Engine, the following occur:
–
If the Content Engine does not have the requested content, it sets up a separate TCP connection to
the origin web server to retrieve the content.
–
The content returns to, and is stored on, the Content Engine.
4
The Content Engine sends the requested content to the web client. Upon subsequent requests for the
same content, the Content Engine transparently fulfills the request from its local storage (cache).
56
Installation Guide
CISCO CONFIGURATION
Sample Deployments
Figure 4-1
4
Transparent Caching Through WCCP-Enabled Router
Proxy (nontransparent) Caching
In nontransparent (proxy-style) caching, the user (web client) specifically sends all requests to the Content
Engine, which acts as a proxy for the web client.
Figure 4-2 shows how the Content Engine caches content in proxy mode.
1
A user (web client) requests a web page from a browser.
2
If the Content Engine does not have the requested content (cache miss) the following occur:
–
It sets up a connection to the origin web server to retrieve the content.
–
The content returns to, and is stored on, the Content Engine.
3
The Content Engine sends the content to the user.
4
Upon subsequent requests for the same content by the same user or a different user, the Content Engine
transparently fulfills the request from its local storage (cache hit).
Installation Guide
57
4
CISCO CONFIGURATION
Sample Deployments
Figure 4-2
Web Caching with the Content Engine in Proxy Mode
Note: SurfControl Web Filter has not been tested with Cisco CE in Reverse Proxy mode.
***** Reference:
http://www.cisco.com/univercd/cc/td/doc/product/webscale/uce/acns51/cache51/overview.htm
58
Installation Guide

SurfControl Web Filter for Cisco CE Installation Guide

Transcription

Similar documents

Cisco Recruitment Session* When

Hydro-Filter™ - Phoenix Truckmounts

ecopure® dual stage filter

Atlantis Energy Systems Inc.

MADE IN THE USA - FreshWaterSystems.com

MADE IN THE USA - FreshWaterSystems.com

Brochure - Linis Pure Water Systems