SurfControl Web Filter for Cisco CE Installation Guide

Transcription

Web Filter
SurfControl Web Filter for Cisco CE
Installation Guide
www.surfcontrol.com
The World’s #1 Web & E-mail Filtering Company
Notices
NOTICES
Updates to the SurfControl documentation and software, as well as Support
information are available at www.SurfControl.com/support.
Copyright ©1998-2004 SurfControl plc. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording, or otherwise, without the prior permission of the copyright owner.
SurfControl is a registered trademark and SurfControl and the SurfControl logo
are trademarks of SurfControl plc. All other trademarks are property of their
respective owners.
Version 4.5 printed June 10, 2004
Installation Guide
i
TABLE OF CONTENTS
Table of Contents
NOTICES ........................................................................................................................................................ I
INTRODUCTION ........................................................................................................................................... 3
Pass-through filtering technology ........................................................................................................ 3
REQUIREMENTS ........................................................................................................................................... 4
Web Filter System Requirements ......................................................................................................... 4
Proxy Server Requirements................................................................................................................... 5
System Requirements for the Cisco CE running ACNS .................................................................. 5
Sample Deployment of Locally Managed Content Engines* .......................................................... 6
WHERE TO INSTALL .................................................................................................................................... 7
Installation decisions .............................................................................................................................. 7
Network considerations......................................................................................................................... 8
Installation considerations..................................................................................................................... 9
USER NAME RESOLUTION .......................................................................................................................... 10
EUM ......................................................................................................................................................... 11
Installing EUM........................................................................................................................................ 12
DATABASE OPTIONS .................................................................................................................................... 14
MSDE Database ..................................................................................................................................... 14
SQL Server............................................................................................................................................... 15
Database authentication......................................................................................................................... 16
Other considerations.............................................................................................................................. 17
E-mail notifications ................................................................................................................................ 17
INSTALLATION ORDER ................................................................................................................................ 21
Installation procedures........................................................................................................................... 21
INSTALLING WEB FILTER .......................................................................................................................... 23
Flow chart ................................................................................................................................................ 24
CONFIGURING SERVICES ........................................................................................................................... 40
DATABASE CREATION ................................................................................................................................. 41
Creating a SQL Server Database .......................................................................................................... 41
Installation Guide
ii
TABLE OF CONTENTS
VIRTUAL CONTROL AGENT ...................................................................................................................... 45
Installation ............................................................................................................................................... 45
Configuring the VCA ............................................................................................................................. 46
Upgrading the VCA................................................................................................................................ 47
PERFORMANCE TUNING ............................................................................................................................ 48
System Workload Issues ........................................................................................................................ 48
Distributing Services and Multiple Collectors.................................................................................... 50
TROUBLESHOOTING .................................................................................................................................... 51
Troubleshooting EUM Issues............................................................................................................... 51
SPECIFICS ...................................................................................................................................................... 55
Installation of the Cisco CE running ACNS* .................................................................................... 55
Setting Up the Rules on the Content Engine for the Joint Solution** .......................................... 55
Types of Content Served in an ACNS Network** ........................................................................... 56
Content Caching Service with Filtering and Access Control*** ..................................................... 57
CISCO CE RUNNING ACNS ....................................................................................................................... 60
ACNS Network Overview * ................................................................................................................. 60
SAMPLE DEPLOYMENT * ............................................................................................................................ 61
Locally Managed Content Engines ...................................................................................................... 61
Customer Expectations.......................................................................................................................... 61
iii
Installation Guide
Chapter 1
Pre-installation
Introduction
page 3
Requirements
page 4
Where to install
page 7
User name resolution
page 10
Database options
page 14
PRE-INSTALLATION
2
Installation Guide
PRE-INSTALLATION
Introduction
INTRODUCTION
SurfControl Web Filter for Cisco CE:
•
uses pass-through technology.
•
filters HTTP.
PASS-THROUGH
FILTERING TECHNOLOGY
Historically, pass-through technology was the first technology developed for
Internet filtering. Filtering software is installed on a device at the choke point for
all outbound and inbound traffic. The application works like customs: all packets
are stopped and inspected before being allowed to enter the country. Only
approved HTTP requests are allowed to continue.
The inspection can be based on source or destination address, source or
destination TCP ports and others. Because this technology inspects every HTTP
request, you may see network latency. In most cases, the optimization of modern
software and the availability of high performance hardware makes this latency
negligible.
Installation Guide
3
PRE-INSTALLATION
Requirements
REQUIREMENTS
WEB FILTER SYSTEM REQUIREMENTS
You should check that the machines you will be using meet the minimum system
requirements outlined in the table below:
Table 1
System Requirements
Component
Requirement
Operating System
Microsoft Windows 2000 Server (SP3) or
Microsoft Windows 2000 Advanced Server (SP3)
Windows 2003 Server
Processor
Pentium III or above
Memory
512 MB minimum
Disk space
1 Gbyte free space
Network
1 Ethernet Card
Optional Netware
user name
support
If you plan to monitor traffic based on Netware user
information, you must have the latest version of the
Novell Client installed on the SurfControl machine prior to
installing the SurfControl software.
Optional
Windows user
name support
If you plan to monitor users based on Windows
usernames, then you must be using MS NT 4 or
ActiveDirectory domain controllers.
Web Reporting
Microsoft Internet Explorer 5.0 or later
OR
Netscape Communicator 4.75 or later
The requirements above represent the minimum system requirements for
SurfControl. If you are deploying SurfControl into a network that has a high
volume of Internet traffic, you can see performance improvements by installing
the software onto a server with a faster CPU, additional RAM, and a SCSI drive
system.
4
Installation Guide
PRE-INSTALLATION
Requirements
PROXY SERVER REQUIREMENTS
Before installation, make sure the Proxy server meets the minimum requirements
listed in Table 1.
Table 2
Proxy Server Requirements
Component
Requirement
Proxy Server
Cisco CE 500 or 7300 series
Operating
System
ACNS version 5.1.5.2 or later
SYSTEM REQUIREMENTS FOR THE CISCO CE RUNNING
ACNS
(taken from the Cisco documentation)
ACNS Network Overview *
The Cisco ACNS network consists of at least one Content Distribution Manager,
one or more Content Engines, and one or more optional Content Routers, as
described below.
Types of ACNS Network Devices*
Device - Performs centralized content and device management. In the ACNS 5.1
network, the Content Distribution Manager manages both content acquisition
and distribution and also manages policy settings and configurations on
individual Content Engines that are centrally managed.
Content Distribution Manager - Through the Content Distribution Manager
GUI, the network administrator can specify what content is to be distributed and
to whom. The Content Distribution Manager also allows the administrator to
monitor network nodes and apply changes, such as software upgrades, to
groupings of nodes from a central location. Content Engines also play a major
role in content request routing and in channel distribution of content and as they
serve client requests for content.
The ACNS network deploys Content Engines in these ways:
•
Inside an enterprise firewall on an internal network or
•
At the edge of the enterprise network
Content Engines - Content Engines can be managed centrally through the
Content Distribution Manager, or locally as separate standalone content caches.
To locally manage a Content Engine, the ACNS software CLI or the Content
Engine GUI is used instead of the Content Distribution Manager.
Content Routers - Redirect client requests for content to the closest Content
Engine containing that content.
Installation Guide
5
PRE-INSTALLATION
Requirements
Note: The ACNS
software device
mode determines
whether the device is
functioning as a Content
Distribution Manager, Content
Engine, or Content Router.
SAMPLE DEPLOYMENT
CONTENT ENGINES*
OF
LOCALLY MANAGED
Figure 1-2 shows a typical enterprise deployment of locally managed Content
Engines that have ACNS 5.1.5 software installed on them. In this example, three
Content Engines (Content Engine A, B, and C) have been deployed as local
caching engines at the central site, regional site, and the small branch office. All
Content Engines are locally managed through the Content Engine GUI or CLI.
*Reference: Cisco Documentation: Cisco ACNS Caching & Streaming
Configuration Guide, Release 5.1, chapter 1
6
Installation Guide
PRE-INSTALLATION
Where to install
WHERE TO INSTALL
INSTALLATION DECISIONS
This section discusses the decisions you must make before installing SurfControl
and is divided into the following sections:
Section 2.1: Network considerations
Section 2.2: Installation considerations
•
Do you want to automatically monitor new users?
•
Do you want to enable user name support?
•
Where do you want to install VCA?
Section 2.3: User name resolution
•
How do you want SurfControl to handle user-name resolution?
•
How do you want to monitor users (IP address, workstation name, EUM,
NetwareEUM)?
Section 2.4: Database options
•
What database do you plan to use (MSDE or SQL)?
•
How do you want SurfControl to connect to the database (Windows
authentication or SQL authentication)?
Section 2.5: Other considerations
•
Content information
•
Which e-mail notifications should SurfControl send?
•
What administrative privileges do you need to set up?
Installation Guide
7
PRE-INSTALLATION
Where to install
NETWORK
CONSIDERATIONS
When the Cisco CE receives an HTTP request (over port 8080), it sends an
ICAP request to the SurfControl Web Filter(over port 1344).
SurfControl WF checks the category or the site and writes the relevant data to
the database.
Figure 4 shows a SurfControl WF deployment.
8
Installation Guide
PRE-INSTALLATION
Where to install
INSTALLATION CONSIDERATIONS
During installation, you can set the following options for SurfControl’s basic
behavior:
•
Automatically Monitor New Users
•
Enable User name Support
•
Install Virtual Control Agent
Automatically monitor new users
Each time SurfControl detects a request from a workstation it hasnít seen before,
it adds the workstationís data to the database and attempts to identify the real
name of the workstation and the name of the user logged into that PC.
Note: SurfControl
can not monitor new
users until the ICAP
client is configured.
See procedure 7 for information
on how to do this.
By choosing the Automatically Monitor New Users option during installation
and configuring the ICAP client, SurfControl automatically monitors HTTP
traffic for all users. If unchecked, SurfControl builds a user list (for use in
creating rules), but does not monitor any users..
Enable user name support
Note: You must
enable user name
support if you plan
to install EUM.
SurfControl monitors Internet usage based on user name, workstation name, or
IP address. Checking Enable User Name Support option enables monitoring by
user name rather than workstation name or IP address.
Install Virtual Control Agent
Note: SurfControl
recommends
installing VCA onto a
computer other than
the SurfControl server
SurfControl offers an adaptive reasoning technology called the Virtual Control
Agent (VCA). VCA uses artificial intelligence to categorize None sites into one
of SurfControl’s 40 categories. Before installation, make sure the server where
VCA is installed meets the minimum requirements for VCA (listed in Table 3).
Table 3
Minimum VCA system requirements
Component
Requirement
Operating
System
Microsoft Windows 2000 Server (SP3) or
Microsoft Windows 2000 Advanced Server (SP3)
Windows 2003 Server
Processor
Pentium III or above
Memory
512 MB minimum
Disk space
1 Gbyte free space
Applications
SurfControl Web Filter for Cisco CE 2000 v4.5 or later
During installation, you can choose to install and register VCA or install it for a
30-day evaluation period.
Installation Guide
9
PRE-INSTALLATION
USER NAME RESOLUTION
By default, SurfControl monitors users by IP address. However, if you want to
monitor users by user name, SurfControl includes the Enterprise User Monitor
(EUM) utility for resolving IP addresses to user names. Alternatively, you may
choose to monitor on Novell user names.
Note: SurfControl
supports three
monitoring
methods: user name,
workstation name, or IP
address.
SurfControl recommends monitoring by user because:
•
monitoring by workstation name only identifies the machine requesting the
data, not the user who originated the request.
•
monitoring by user names is more convenient in a workplace where
employees share or swap machines frequently.
•
monitoring by user names allows you to filter users based on NT or
NetWare Users and Groups.
•
monitoring by user name makes it easier to track users that frequently login
to multiple machines.
SurfControl places data on the Monitor with the following precedence:
10
Installation Guide
1
User name resolved with EUM or NetwareEUM.
2
Workstation ID.
3
IP address.
PRE-INSTALLATION
EUM
Note: SurfControl
recommends using
EUM for user name
resolution.
By accessing Windows NT and Windows 2000 security auditing data to resolve
user names, EUM gives SurfControl the ability to monitor traffic on a routed
network by user name. EUM provides SurfControl with continuous, accurate
reporting of logon activity by user name.
For example, when jsmith attempts to access http://www.cnn.com, SurfControl
sees jsmith’s IP address in the HTTP request. EUM provides the missing link by
receiving data from the domain controllers regarding jsmith’s identity.
EUM on Windows NT domain controllers
SurfControl installs the EUM agent onto Windows NT domain controllers as a
service (SurfControl User Agent service; ScUserAgent.exe). During EUM
installation, SurfControl configures NT domain controllers to record Successful
Logons to the security log (event 528). If you make changes to this audit policy
and disable event 528 logs (Successful Logon), EUM will no longer operate
properly.
Confirm that event 528 logs are enabled by performing the following:
Note: Ensure
security logs are set
to overwrite as
needed. Do no
manually clear the security logs.
1
From the SurfControl server, select Programs/Administrative Tools/User
Manager for Domains from the Start menu.
2
Select Policies then Audit. Make sure that Audit these Events is checked.
Before installation. Prior to installing the EUM UA onto an NT domain
controller, ensure the trust relationships are set up for multiple domain
environments (in this case, SurfControl is Trusted, all other domains are
Trusting).
EUM on Windows 2000 domain controllers
The EUM agent installs onto Windows 2000/3 domain controllers as a dll
(ScSubAuth.dll).
When EUM is installed onto a Windows 2000 server, SurfControl uses
Microsoft’s Sub-Authentication to resolve user names. After installing EUM on a
Windows 2000 domain controller, you must reboot the domain controller.
Installation Guide 11
PRE-INSTALLATION
INSTALLING EUM
Install EUM from the SurfControl server. During installation, SurfControl
installs the EUM UA onto each domain controller. Before installing EUM,
ensure the following:
•
The SurfControl server must have a static IP address.
•
The installer must be logged into the SurfControl server as a user with
domain administration rights.
•
In order for a successful automatic installation, SurfControl must be able to
see the domains that require EUM. Make sure the SurfControl is located in
the appropriate domain.
–
In a two-way trusted environment, the SurfControl server can be
located in any domain.
–
If a one-way model is in use, the SurfControl server should be located in
the master domain (this allows SurfControl to see all other domains).
•
For Windows NT domain controllers, make sure the security logs of all
domain controllers are set to overwrite events as needed.
•
By default, EUM uses port 61695 to communicate with the SurfControl
server. Perform the following steps to change the port:
P ro ce d u re 1: I ns t a ll i ng EU M
Step
Action
1
Add the following key to the SurfControl registry:
HKEY_LOCAL_MACHINE\SOFTWARE\JSB\SurfControlScout\ UserAgentPort
2
Add the key as a DWORD, specify a decimal value (default is 61695).
3
Stop and start the Web Filter service.
4
Update the scua.ini file on the domain controllers to reflect the port changes.
Note: Ignoring valid
user accounts will
result in misidentification.
12
Installation Guide
•
SurfControl recommends installing EUM when there are few or no users on
the network or when a forced logoff can be scheduled.
•
During installation, you’ll be prompted to specify specific user accounts that
UA should ignore; you should only use the ignore option for accounts
similar to SMS.
PRE-INSTALLATION
Netware EUM
SurfControl also provides the ability to monitor users by their Novell Netware
user name. The Novell version of EUM is called NetwareEUM. NetwareEUM
works in the same way as EUM. SurfControl installs a User Agent onto each
Novell NDS Tree Server.
Note: SurfControl
does not support
Novell 4.x. If you
need to resolve
Novell4.x users, authenticate all
users on an NT or 2000 domain
controller and use EUM to
resolve the user names.
Before installing NetwareEUM, ensure the following:
•
Before installing SurfControl, install the latest Novell Client (with TCP/IP
as the preferred protocol) onto the server.
•
Network must be using Novell 5 or 6 over IP.
•
The SurfControl server must have a static IP address.
•
By default, NetwareEUM uses port 61696 to communicate with the
SurfControl server. Perform the following steps to change the port:
P ro c e d u re 2: I ns t a ll i ng N e t w a r e E U M
Step
Action
1
Add the following key to the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\JSB\SurfControl Scout\NWUserAgentPort
2
Add the key as a DWORD, specify a decimal value (default is 61696).
3
Stop and start the Web Filter service.
4
Update the scua.ini file on the NetWare server to reflect the port changes. For details about
installing the NetWare EUM User Agent (UA) see Procedure 3 ‘Install NetWare EUM’ in the Installation
section.
•
SurfControl recommends installing NetwareEUM when there are few or no
users on the network or when a forced logoff can be scheduled.
PRE-INSTALLATION
Database options
DATABASE OPTIONS
SurfControl ships with Microsoft SQL Server 2000 Desktop Engine (MSDE
2000), but can also create the data structure in a fully-licensed version of
Microsoft SQL7.0 or SQL 2000. If you plan to use a fully-licensed version of
SQL, make sure the software is installed and running before attempting to install
SurfControl.
Using a fully-licensed version of SQL (rather than MSDE) allows more flexibility
and the ability to fine-tune database performance. SurfControl performs
extremely well in either case.
SurfControl connects to the database using a fully-qualified connection string.
This string contains all the details required to connect to a database including
database type, name of the server, user id, password, and database name. Using a
connection string does not require the creation of DSNs. Therefore, any
SurfControl client or server on the network can access the database without
creating a link through the ODBC.
MSDE DATABASE
If you are not using a SQL Server database, you have the option of installing
MSDE during the installation process. MSDE allows a seamless upgrade to a
SQL database in the future. Access MSDE data tables using the OSQL utility.
Note: Microsoft
states that the
maximum size of an
MSDE database is 2
If you install MSDE onto the SurfControl server, make sure the server
meets the minimum resources listed in Table 4.
GB.
Table 4
14
Installation Guide
Minimum requirements for MSDE on SurfControl server
# Users
Machine Specification
<500
Pentium IV, 2 GB RAM, 1.2 GHz processor, 10 GB hard drive
500-1000
1000-3000
SurfControl recommends a full SQL installation on a
dedicated SQL server.
3000-5000
5000-10000
10000+
PRE-INSTALLATION
Database options
SQL SERVER
Note: SurfControl
recommends
installing SQL onto a
dedicated server.
If you have a Microsoft SQL Server database on your network, you should plan
to create the database on that server (you can create and configure the database
during the installation process).
If you plan to use a SQL database, but have not installed it, complete the
following tasks before installing SurfControl:
Note: Install SQL
server with the
default setting of
case insensitivity,
including case insensitivity for
Dictionary Order. Choosing case
sensitivity may cause problems
when installing SurfControl.
1
Install the SQL Server Client Connectivity Pack onto the server where you
install SurfControl.
2
Install SQL Server on the designated server; this can be the same machine as
SurfControl server.
3
Make sure your server has the minimum resources listed in Table 6.
Table 5
Note: There should
only be one
database owner
(db_owner) per
4
Minimum requirements for SQL server on SurfControl server
# Users
<500
500-1000
1000-3000
3000-5000
5000-10000
10000+
Configure SQL to limit memory and processors when running both
SurfControl and SQL on the same computer.
database
Note: If you need to
have multiple user
accounts with
database access, the
other users should only have
db_datareader and
db_datawriter permissions.
Reasons to install SQL Server onto a dedicated server
SurfControl supports SQL7.0 and SQL2000. Use a fully-licensed version of SQL
on a dedicated server if your company:
•
plans to store large amounts of data (i.e., you have a large number of users,
high Internet activity, or need to retain data for an extended period of time)
•
requires SurfControl to write data to a database that is not resident on the
SurfControl server.
•
requires more than one SurfControl server (collectors) to consolidate data in
a single database.
•
plans to store SurfControl IM Filter, SurfControl Web Filter, and
SurfControl E-mail Filter data on the same SQL installation.
PRE-INSTALLATION
Database options
Considerations for large environments
Note: The Monitor
only shows data that
has been written to
the database.
Therefore, the Monitor won’t
show the data written to flat
files until it has been
transferred to the database.
In large environments with a high volume of Internet traffic, real-time updates to
the database can take up valuable bandwidth resources. Therefore, you can
configure SurfControl to write data to a flat-file and schedule automatic updates.
Make sure your dedicated SQL server has the minimum resources listed in
Table 6.
Table 6
Minimum SQL system requirements for large environments
# Users
<500
500-1000
1000-3000
3000-5000
5000-10000
10000+
DATABASE AUTHENTICATION
SurfControl supports both Windows Authentication and SQL Authentication.
Windows authentication
If you choose to use Windows Authentication, make sure domain rights are
correctly configured between the SurfControl server and the SQL server. Also,
the SurfControl installer account requires SQL Server database creator rights.
SQL authentication
If you choose to use SQL Authentication, you’ll need to create a SQL Server
login specifically for SurfControl. This login is required for creating the database
and should be used for all SurfControl database activities.
If you choose to connect to the SQL database using SQL authentication, make
sure the SQL server is configured to support SQL Server and Windows NT
authentication.
16
Installation Guide
PRE-INSTALLATION
Database options
OTHER
CONSIDERATIONS
This section contains general information that you should be aware of when
installing SurfControl.
Content
SurfControl’s Category List is the premier category database in the filtering
industry and provides the most accurate, current, and relevant content listing
available. The Category List includes:
Note: Use the
Scheduler to create
recurring Category
Database Update
events.
•
40 well-organized categories, with 130 subtopics.
•
6.1 million sites, including more than 1.2 billion web pages.
•
international content, including 65 languages and over 200 countries.
•
daily updates (more than 35,000 new sites a week).
The Category List is stored in an encrypted, size-optimized Aura file called
SurfControl Categories.csf. Incremental updates (up to 60 MB) are stored in an
encrypted file called SurfControl Categories.cdb. With SurfControl, you can recategorize sites; these updates are managed by the SurfControl Manual
Categories.cdb file. SurfControl checks the categorization files in the following
order:
1
Manually-categorized (includes VCA, managed by the SurfControl Manual
Categories.cdb file)
2
Incremental updates (SurfControl Categories.cdb)
3
Category List (SurfControl Categories.csf)
E-MAIL NOTIFICATIONS
SurfControl includes the ability to automatically notify the system administrator
when any of the following events occur:
•
Service running status change - if one of the SurfControl services stops
running. This is an optional notification.
•
Catch up mode notifications - if SurfControl enter catch-up mode due to the
volume of Internet traffic received. This is an optional notification.
•
Scheduled task failures - if a scheduled task fails to run. This is an optional
notification.
•
Category list license reminders - when the Category List license is close to
expiring. This is an optional notification.
•
Unregistered product reminders - when you haven’t registered the product.
This is a default reminder and will be sent if you choose to enable the feature
(by identifying a mail server and recipient).
PRE-INSTALLATION
Database options
•
Loss of database connectivity - when SurfControl loses communication with
the database. This is a default reminder and will be sent if you choose to
enable the feature (by identifying a mail server and recipient).
If you decide to enable this feature, you will need to know the IP address of your
mail server and will need to identify an administrator that will receive the
notifications.
If you choose not to enable this feature, then SurfControl will not send
notifications for any of the events listed above.
Administrative privileges
System administrators can remotely administer SurfControl by installing the
Remote Administration Client. From the Client installation you can:
•
view monitored traffic.
•
create and edit rules.
•
run reports.
•
start and stop the Web Filter Service.
•
set up scheduled events.
You will not be able to use the real-time monitor.
Before installation, make sure the administrator computer meets the minimum
requirements listed in Table 7.
Table 7
Minimum system requirements
# Users
Processor
Intel Pentium III
Memory
256 Mbytes RAM
512 Mbytes RAM recommended if you plan to install VCA or to
use the Web Reporting feature.
OS
Windows 2000 Professional or Server or
Windows 2000 Advanced Server (SP1) or
Windows XP or Windows 2003 Server
18
Installation Guide
Network
Ethernet card
Disk space
5 Gbyte free
Web
Reporting
Microsoft Internet Explorer 5.0 or higher
Chapter 2
Installation
Installation order
page 21
Installing Web Filter
page 23
INSTALLATION
Installation order
INSTALLATION ORDER
SurfControl recommends installing in the following order:
1
If you plan to monitor Netware user names, install the Novell client onto the
SurfControl server.
2
If you are using MSDE 2000 as your database, SurfControl recommends
installing MSDE prior to installing SurfControl.
3
If you are using SQL7.0 or SQL2000 as your database, install the SQL client
onto the SurfControl server.
4
Install the Complete Product onto the SurfControl server
5
If you plan to monitor Windows users by user name, install EUM onto all
domain controllers.
6
If you plan to monitor Netware user names, install NetwareEUM onto all
NDS servers.
7
Configure the ICAP Client on the Cisco CE.
8
Install Remote Administration software and VCA, if required
INSTALLATION PROCEDURES
This sections contains the following procedures:
1
Installing MSDE (optional)
2
Installing SurfControl Web Filter for Cisco CE
3
Installing EUM (optional)
4
Installing NetwareEUM (optional)
5
Automatically loading NLM (optional)
6
Unloading NLM (optional)
7
Enabling the ICAP Client on a Cisco CE
8
Installing SurfControl Administration client and VCA
9
Serializing SurfControl
10 Serializing VCA Cisco CE
INSTALLATION
Installation order
Changes to the server
Installing SurfControl makes the following changes to your server:
22
Installation Guide
•
SurfControl places an icon in the system tray at startup.
•
From this icon, you can start and stop the Web Filter service, the Scheduler
service, and the Report Service. You can also serialize the product.
•
Adds SurfControl executables to the Start menu (Programs>SurfControl
Web Filter)
•
Adds necessary registry entries
•
Creates the SurfControl_WebFilter database
•
Adds the following services:
–
Web Filter service
–
Scheduler service
–
Report service
–
Remote Administration service
–
SurfControl Web Filter ICAP Service
INSTALLATION
INSTALLING WEB FILTER
This section contains instructions for a successful installation of SurfControl
Web Filter for Cisco CE. The flowchart and descriptions explain what you
should do at each stage of the installation process.
P ro ce d u re 1: I ns t a ll i ng M SD E ( op t i on a l )
Step
Action
1
If you plan to use an MSDE database. SurfControl recommends installing MSDE prior to performing
the SurfControl WF installation. You can download MSDE at http://
www.microsoft.com/downloads/details.aspx?familyid=413744d1-a0bc-479fbafae4b278eb9147&displaylang=en.
2
Locate the downloaded file (setup.exe).
3
Double-click setup.exe to start the installation process.
4
When prompted, make sure to enter a password for the SA account.
5
You will need to restart the server before installing the SurfControl Web Filter.
INSTALLATION
FLOW CHART
The following flowchart shows the processes involved when installing
SurfControl Web Filter.:
Welcome
Information screen
(where applicable)
License
Agreement
1
Installation
continues
2
No
Display Readme?
Yes
Readme file displays and
installation continues
3
Select SQL Database Installation Option
Complete Install
with MSDE 2000
Complete Install using an
existing copy of SQL Server
MSDE Download
and installation follow on screen
instructions
4
Remote Administration
(needs SQL Server)
Enter Customer
information
Choose destination
location
5A
5B
5
Complete product
Choose setup type
Select server
installation options
Remote Administration
(you must install complete
product first)
Select client installation
options
Select Network Card
(if applicable)
Select server type
Install Summary
Transfer of files
6A
6
Windows
Authentication
6B
Select MSDE / SQL Server Database and
authentication type
SQL
Authentication
Enter name of
database
Enter name of
database
Log on as other
account
Select account for Web
Filter Service
Log on as local
system account
7
8
24
Installation Guide
Systems
Administrator
notifications
Register for
category updates
INSTALLATION
P ro ce d u re 2: I ns t a ll S u rf C on t r ol W F I C A P
Step
Action
1
2
Run the setup.exe from the command line /p icap parameters. Example: D:>setup.exe/p icap
This will start the installation process and load the InstallShield Wizard.
Su r f C o nt r o l W e b Fi l t e r S e t u p s c re e n
3
Welcome to SurfControl Web Filter.
4
Click Next to continue.
L ic e n s e Ag r e e m e nt s c r ee n
5
Read the License Agreement.
6
Do you agree to the terms?
•
Yes - click Yes to continue. Go to the next step.
•
No - click No to exit the installation process.
D i sp l a y R e a d m e F il e
7
If you want to view the readme file, click Yes. The readme
file opens.
INSTALLATION
Step
Action
C u st o m e r I n f o rm a t io n s cr e e n
8
Enter a name into the User Name field.
9
Enter your company’s name into the Company Name Field.
10
Enter the Serial Number for SurfControl and VCA, if
available.
Leave these fields empty if you are evaluting SurfControl.
11
C h oo s e D e st in a t i on L o c at i o n sc r e e n
12
Select the folder where Setup will install files. The default is C:\Program Files\SurfControl\Web Filter.
Choose another location by pressing the Browse button and browsing to a different location.
13
Se t u p T y pe s c re e n
14
Highlight Complete Product.
15
Se l e c t S e rv e r I n st a l l a t io n O p t i on s sc r e e n
26
16
If you want SurfControl to automatically monitor new
users, check Automatically Monitor New Users.
17
If you want SurfControl to attempt to resolve user names
based on the requesting IP address, check Enable User
Name Support.
18
If you want to install VCA onto the SurfControl server,
check Install Virtual Control Agent. SurfControl
recommends installing VCA onto a computer other than
the SurfControl WF server.
19
Installation Guide
INSTALLATION
Step
Action
St a r t C o py i ng F i l e s s c re e n
20
Review settings before starting the installation.
21
Se t u p St a t u s s c r e e n
22
SurfControl Web Filter Setup is performing the requested operations.
23
Se l e c t M S D E / S Q L Se r ve r D a t a ba s e sc r e e n
24
Choose the server where the database is located.
25
Select the authentication method.
Note:
26
SurfControl recommends using Windows
authentication. If you choose Windows
Authentication, both the SurfControl server
and the SQL server must be members of the
same domain.
27
Choose the database you want to create.
Note:
In most cases, you should use the default
database (SurfControl_WebFilter); you can
enter a new name, if necessary.
28
29
Did you choose Windows authentication in step 26?
•
Yes - go to step 31.
•
No - go to step 33.
INSTALLATION
Step
Action
Se l e c t a c c ou n t f o r W e b F i l t e r s e rv i c e
30
Choose the account you want to SurfControl to use when
connecting to the database.
If the database is stored on the SurfControl server, you can
use the Local System Account to connect to the database.
If the database is stored on a remote server, you should use
a domain account to connect to the database.
31
Sy s t e m A dm i n is t r at or N o t i f i c at i o n s s c r ee n
32
Enter the e-mail server name or IP address.
33
Enter the recipientís e-mail address.
34
Enter the from e-mail address (using the default is fine).
35
Choose the types of notification you want to receive.
36
Note:
These settings can be changed from the
SurfControl Web Filter Service Settings.
I ns t a l lS h ie l d W i z ar d C om pl e t e s c r e en
37
Click Finish.
I nf or m a t i o n
28
38
You will now be asked to complete your registration details for Category Database updates.
39
Click OK.
Installation Guide
INSTALLATION
Step
Action
Su r f C o nt r o l P r od u ct Re g i s t r at i o n sc r e e n
40
Complete the form. You must fill in the required fields (marked by an *).
41
Click Register.
This registers your software with SurfControl and creates a scheduled event for automatically
updating the Category Database.
42
You have successfully installed SurfControl Web Filter.
INSTALLATION
Step
Action
1
Make sure that the SurfControl WF server has a static IP address.
2
Make sure you have administrative privileges on all domain controllers where the UserAgent will be
installed.
3
Make sure the SurfControl WF server is located in the correct domain.
4
Make sure the firewall or router allows traffic through the provisioned port (default is 61695).
5
For Windows NT domain controllers, make sure the security logs of the domain controllers are set to
overwrite events, as needed.
6
Try to perform this procedure when there are few or no users on the network, or when a forced logoff
can be scheduled. This ensure the fastest, most accurate detection of users.
B e g i n In s t a ll a t i o n
7
From the Start menu, launch EUM installation (Start Programs SurfControl Web Filter Enterprise
UserMonitoring Install Enterprise User Monitoring).
Su r f C o nt r o l E nt er p ri s e U s e r M on i t o ri n g I ns t a l la t i o n s c r e e n
Click the Next button to start the installation.
8
H os t n a m e s c re e n
9
Enter the IP address of the SurfControl WF server.
Note:
SurfControl recommends entering the IP address instead of the hostname.
10
Enter the port the User Agent and SurfControl WF service should use to communicate (default is
61695).
11
D o m a i n Li s t s c re e n
12
Select the domains you want to receive user data from.
13
Click Next to continue
I g no r e U s er A c c ou n t s s c r e e n
14
Select the user accounts whose logon/logoffs do not need to be reported to SurfControl WF (ie, SMS
accounts).
15
16
Select the domain controllers whose userís logon/logoff activity SurfControl needs to monitor (this
identifies the domain controllers where the UA will be installed).
Note:
30
Installation Guide
Failure to install EUM on all domain controllers can compromise the accuracy of user
name resolution. If a domain controller is authenticating users, but not passing that
data to SurfControl, user activity may be recorded under another user name.
INSTALLATION
Step
Action
17
18
Installation onto Microsoft Windows 2000 domain controllers requires a reboot; SurfControl
recommends performing a manual reboot.
19
You have successfully installed Enterprise User Monitoring.
P ro c e d u re 4: I ns t a ll N e t w a re EU M
Step
Action
1
Ensure Novell Client was installed on the SurfControl server prior to Web Filter installation.
2
From SurfControl server, log on to the Novell server with administrative rights.
3
Go to the SYS volume and create a directory (for example, nweum)
Note:
When creating the directory, use DOS8.3 naming conventions.
4
Under this directory, copy the files nweum.nlm and scua.ini from the SurfControl server to the Novell
server.
5
From the Netware Server console, load the NLM by typing:
Load sys:\nweum\nweum.nlm
and pressing enter
Note:
The system will not allow you to load the NLM if a copy is already running.
INSTALLATION
P ro ce d u re 5: A u t om a t ica ll y l oa di n g N L M
Step
Action
1
To automatically load the NLM every time the server is rebooted edit the sys:\system\autoexec.ncf
file.
2
You can edit this file using any text editor from the workstation or from the Netware Server by
typing:
Load edit sys:\system\autoexec.ncf
3
Add the following line at the end of the file:
Load sys:\nweum\nweum.nlm
4
Save the file.
P ro ce d u re 6: U n lo a d i ng N LM
Step
Action
1
From the Netware Server console, type:
unload nweum.nlm
32
Installation Guide
INSTALLATION
P ro ce d u re 7: E na b l in g t he I C A P C l ie n t o n t he Ci s co C E
Step
Action
1
Go to the command line interface of the Cisco CE.
2
Enter the configuration mode:
ContentEngine# config
3
Enable ICAP:
Content Engine (config)# icap apply all
4
Configure ICAP client to append the x-client-ip header:
ContentEngine(config)# icap append-x-headers x-client-ip
5
Configure ICAP client to append the x-server-ip header:
ContentEngine(config)# icap append-x-headers x-server-ip
6
Enable ICAP logging (optional):
ContentEngine(config)# icap logging enable
7
Create the SurfControl ICAP Service:
ContentEngine(config)# icap service SurfControl
8
Enable the SurfControl ICAP Service:
ContentEngine(config-icap-service)# enable
9
Set the Cisco CE to return error on ICAP failure (optional):
ContentEngine(config-icap-service)# enable error-handling return-error
10
Set the ICAP vector point to reqmod-precache:
ContentEngine(config-icap-service)# vector-point reqmod-precache
11
Set the SurfControl ICAP Service Server:
ContentEngine(config-icap-service)# server
icap://<ip address>:<port number>/SWFICAP
Note:
12
where<ip address> is the ip address of the machine on which SurfControl Web
Filter for Cisco CE is installed, and <port number> is the port configured in the
SurfControl Web Filter for Cisco CE. Insert the correct information into these places.
Example: icap://192.168.1.10:1344/SWFICAP
Exit the configuration mode:
ContentEngine(config-icap-service)# exit
13
Write the configuration changes to memory:
ContentEngine# write memory
INSTALLATION
P ro ce d u re 8: I ns t a ll S u rf C on t r ol W F A d m i ni s t r a t i on c li e nt
Step
Action
1
2
Double-click setup.exe to start the installation process. The InstallShield Wizard loads.
Su r f C o nt r o l W e b Fi l t e r S e t u p s c re e n
3
Welcome to SurfControl Web Filter.
4
I m p or t a n t In s t a ll a t i o n I n f o rm a t i on s c re e n
5
L ic e n s e Ag r e e m e nt s c r ee n
6
Read the License Agreement.
7
Do you agree to the terms?
•
Yes, click Yes to continue. Go to the next step.
•
No, click No to exit the installation process.
D i sp l a y R e a d m e F il e
If you want to view the readme file, click Yes. The readme file
opens.
8
C u st o m e r I n f o rm a t io n s cr e e n
9
Enter a name into the User Name field.
10
Enter your companyÌs name into the Company Name Field.
11
Enter the Serial Number for SurfControl and VCA, if available. Leave these fields empty if you are
evaluting SurfControl.
12
C h oo s e D e st in a t i on L o c at i o n sc r e e n
13
Select the folder where Setup will install files. The default is:
C:\Program Files\SurfControl\Web Filter.
Choose another location by pressing the Browse button and
browsing to a different location.
14
34
Installation Guide
INSTALLATION
Step
Action
Se t u p T y pe s c re e n
15
Highlight Remote Administration.
16
Se l e c t C l i e nt In s t a ll a t i o n O pt i o ns s c re e n
17
If you want to install VCA onto the SurfControl server, check Install Virtual Control Agent..
Note:
18
SurfControl recommends installing VCA onto a computer other than the SurfControl WF
server.
Se l e c t S e rv e r P la t f or m T yp e s c re e n
19
Select Windows 2000/2003 (Pass By).
20
St a r t C o py i ng F i l e s s c re e n
21
Review settings before starting the installation.
22
Se t u p St a t u s s c r e e n
23
SurfControl Web Filter Setup is performing the requested operations.
24
INSTALLATION
Step
Action
25
Choose the server where the database is located.
26
Select the authentication method.
Note:
27
SurfControl recommends using Windows
authentication. If you choose Windows
Authentication, both the SurfControl server and
the SQL server must be members of the same
domain.
28
Choose the database you want to access.
29
I ns t a l lS h ie l d W i z ar d C om pl e t e s c r e en
36
30
Click Finish.
31
You have successfully installed SurfControl Web Filter Administration client.
Installation Guide
INSTALLATION
P ro ce d u re 9: S e ri a li z in g S u rf C o nt r ol W F
Step
Action
1
From the system tray, right-click on the SurfControl WF icon and select About..
2
Click Serialize.
3
Enter the serial number.
4
Click OK to continue.
5
6
You have successfully serialized SurfControl WF.
P ro c e d u re 10 : S e r ia l i zi n g V C A
Step
Action
1
From the Start menu, launch VCA (Start Programs SurfControl Web Filter Virtual Control Agent).
2
From the title bar, right-click the VCA icon and select About SurfControl Virtual Control Agent.
3
Click Serialize.
4
Enter the serial number.
5
6
7
You have successfully serialized VCA.
INSTALLATION
38
Installation Guide
Chapter 3
Further Configuration
Configuring Services
page 40
Database creation
page 41
Virtual Control Agent
page 45
Performance Tuning
page 48
Troubleshooting
page 51
FURTHER CONFIGURATION
Configuring Services
CONFIGURING SERVICES
To enable the ICAP Proxy Server and SurfControl Web Filter to connect to each
other, various settings may need to be configured within SurfControl Web Filter.
To change the default settings, access the Service Settings dialog box in the
following way:
P ro c e d u re 1: S e t t in g up t h e I C A P S e r ve r
Step
Action
1
Right-click on the Web Filter icon in the system tray
2
Select the Advanced tab and select the ‘Monitor to flat file (manual update)’ option. This will optimize
network speed.
Note:
40
Action
.
for detailed information about this and the other tabs on the Service Settings dialog,
see the Web Filter Sevices section of the Administrator’s guide
3
Now select the Monitor tab and select the ‘auto categorisation on’ option.
4
Stop and start the service for the changes to take effect
Installation Guide
Database creation
DATABASE CREATION
This section explains how to set up a new SurfControl Web Filter Database.
CREATING
A
SQL SERVER DATABASE
In order to create a SQL Server database to be used by SurfControl you need a
valid SQL account on the SQL Server. You can create the database using the
built in sa account, using the password that you specified during installation (if
you opted to change it) and in this instance you would create a database in the
same way as you would if creating a MSDE database (see section 3.2.2 Creating a
MSDE Database for more details). If, however, you are unable or unwilling to
use the ‘sa’ account for whatever reason, then you must create a new user
account before creating the SQL database:
P ro c e d u re 2: Cr e a t i ng t h e A c c ou n t
Step
Action
1
First stop the SurfControl Web Filter service and make sure that you have all of the SurfControl
components (Monitor, Rules Administrator etc) closed.
2
Open the SQL Enterprise Manager from the Microsoft SQL Server Start menu.
3
Click on the ‘+’ sign in front of the SQL server name to expand the tree.
4
Click on the ‘+’ sign in front of Security and choose Logins from the expanded tree. Right-click on
‘Logins’ and select ‘New Login’.
5
In the dialog that follows:
6
-
Select the General tab and enter a name for your new account.
-
Select the ‘SQL Server authentication’ radio button and enter a password in the ‘Password’
edit field.
-
Select the ‘Server Roles’ tab. Check the Database Creators key.
Click OK.
P ro c e d u re 3: Cr e a t i ng t h e D a t a b a s e
Step
Action
1
Choose Database Tools/Create MSDE SQL Server Database from the SurfControl Start menu.
2
This will launch the Create SurfControl WebFilter Database Wizard that will guide you through the
steps involved in creating a SQL Server database for use with SurfControl Web Filter.
Database creation
P r o ce d u re 4: S e t t in g u p A c c e s s t o t h e D a t a b a s e
Step
Action
1
Open the SQL Enterprise Manager from the Microsoft SQL Server Start menu.
2
Click on the ‘+’ sign in front of the SQL Server name to expand the tree.
3
Click on the ‘+’ sign in front of Security and choose Logins from the expanded tree.
4
Right-click on your newly created login from the list of available logins and select Properties.
5
Select the Database Access tab in the dialog that follows then select your newly created SurfControl
database.
6
In the ‘Database Roles’ section ensure that both ‘Public’ and ‘db_owner’ are checked.
7
Click OK.
P ro ce d u re 5: A cc e s s i ng y ou r ne w d a t a b a s e
42
Step
Action
1
On the machine that you wish to access the database select Database Tools/Select Database on the
SurfControl Start menu. You will now see the Select SurfControl Database dialog:
•
If you wish to set this as the default database to be used by the SurfControl Monitor select the
Monitor tab.
•
If you wish to set this as the default database to be used by the Surf Control Rules Administrator,
select the Rules Administrator tab.
2
Click the Browse button.
3
This will launch the SQL Server Login where you can navigate to your new database. Click Connect to
SQL Database to expand the dialog. The expanded dialog will enable you to enter details of the
machine where your database is located.
4
In the ‘Server’ edit field enter the name of the server where the database is installed. This name will be
saved in the list for ease of access next time. Up to ten names can be stored in this way.
5
Select your new database from the ‘Database’ list. Click OK.
Installation Guide
Database creation
Creating the SQL Server Account
Note: You must
use this SQL Server
login to create the
SQL database.
Furthermore if
users are to use the Select
Database utility then they must
again use this account rather
than the sa account. This is the
only account that should be
used with the Rules
Administrator.
After you install both SQL Server and SurfControl Web Filter, you must provide
a SQL Server login for SurfControl to use when connecting to the database.
:
P ro c e d u re 6: Cr e a t e a S ur f Co n t ro l W e b F il t e r U s e r A c c o un t
Step
Action
1
On the server that is running Microsoft SQL Server, choose Microsoft SQL Server Enterprise Manager
on the Start menu.
2
In the Management console, open the tree properties until you can select the icon for the server you
are working from. Under there should be a list of folders including two called Databases and Security.
3
Open the Security folder and select the Logins property. You should see in the right pane a list of the
current logins available for SQL Server.
4
Right-click in the space below and select New Login from the dialog box. From here you can create a
new user account for SurfControl to use when connecting to the database.
5
At the top of the first page add the new name for the login (e.g.: surfadmin). You will need to choose
a form of authentication. Select the SQL Server authentication and then you can either choose to add
a password or leave it blank. If you add a password you will be requested to confirm this later on.
From the third option on this page, 'Defaults', select from the database menu the SurfControl Web
Filter database. Leave the language option set to default. The second tab on this dialog, titled 'Server
Roles', should be left with no properties highlighted.
6
In the Database Access tab, select the SurfControl database and then in the menu below 'Permit in
Database Role' select the top two options: 'public' and 'db-owner'. No other properties need to be
selected. Click OK to create the new user account.
7
Next you will need to modify the SurfControl database. Right-click on the previously created database
in the databases folder and select properties.
8
Go to the 'Options’ tab and select the ‘Restrict Access' check box. Click OK. You will now be able to
open the SurfControl monitor using the new user login.
Database creation
P ro c e d u re 7: Cr e a t i ng a M S D E Da t a b a s e
Step
Action
1
Select Database Tools/Create MSDE SQL Server Database from the SurfControl Start menu.
2
This starts the Database Creation Wizard that will guide you through the steps involved in creating a
MSDE database for use with SurfControl.
3
The first information that you will be asked for is the server where you wish to create the database
and the type of authentication that this machine requires:
4
•
Use Trusted Authentication- selecting this check box will mean that your Window’s user name
and password will be used.
•
SQL authentication - if you don’t select the ‘Use Trusted Authentication’ check box’ you will need
to enter a valid SQL account name and password.
Enter a name for the new database then check the remaining options as required:
•
Use default file locations - this will store the database file and the transaction log file on the
server. If you wish to store these files elsewhere then you need to uncheck this option and specify
a location for these files in the dialog that follows.
•
Set as the Web Filter Service default database - the Web Filter Service will set this database as
the default for the Monitor and Rules Administrator applications.
•
Restart the Web Filter Service with this database - the Web Filter Service will automatically
start to write to this database once you have created it.
Populate with sample monitored data - shows a full database of sample data that can be used to
try out reports and Monitor settings. This is useful when you are getting to know the product and
either do not have or do not wish to use an existing full database.
5
44
The Finish dialog will indicate that you have created a new database.
Installation Guide
VIRTUAL CONTROL AGENT
INSTALLATION
Note: You should
stop the
SurfControl Web
Filter service and all
other applications
before installing or uninstalling
the VCA.
Note: you should
only have one VCA
installation per
Monitor database.
The default option
during a Remote Administrator
installation is to not install the
VCA.
If you did not install the Virtual Control Agent when installing Web Filter, or
wish to uninstall it, highlight the SurfControl WebFilter entry in the Add/
Remove Programs menu from the Windows Control Panel and clicking the
Change/Remove button. Choose the Modify option from the first screen. Click
Next and the VCA should be selected (to install). Clear the check box to
uninstall. Click Next and follow the prompts.
If you need to enter the VCA Serial Number, you can do so while the VCA
window is open.
P ro ce d u re 8: P os t I n s t a l la t i o n A ct i v a t io n
Step
Action
1
Select VCA from the SurfControl Web Filter group on the Start menu.
2
Right-click on the VCA icon in the upper-left corner of the VCA window, then select About
SurfControl Web Filter Virtual Control Agent from the pop-up menu.
3
Click Serialize in the About box.
4
Enter the serial number in the dialog, then click OK.
Note: SurfControl
Web Filter VCA
running in
evaluation mode
will not update the
SurfControl Web Filter
database. However, it will give
feedback on totals of sites that
would be categorized when
activated.
CONFIGURING THE VCA
Configuration of the VCA is carried out within the Settings tab of the
SurfControl VCA dialog. Within this dialog you can configure the following:
•
Spider Settings
•
Proxy Settings
The Spider Settings
The Settings tab enables you to control how the VCA will handle connections
and pages during classification runs.
Observe Robot Exclusion Policy - some sites contain a text file that describes
exactly what each spider (or robot) can access on the site. If you choose to ignore
this policy then the spider will try to access unauthorized areas on the site. This
may result in your IP address being banned by the site.
Impersonate Internet Explorer - if you select this item the VCA will identify
itself as Internet Explorer when making requests to servers. If you uncheck this
item then the VCA will identify itself as SurfControl Web Filter. Some sites are
inaccessible unless you impersonate Internet Explorer. Alternatively, sites can
also ignore requests that originate from SurfControl Web Filter.
Cache retrieved web pages - adds any pages directly retrieved during the VCA
run to the local web page cache, if available.
Retrieve pages from cache - enables VCA to use locally cached versions of pages
on a site, rather than having to go out and retrieve current versions directly from
the site to be classified.
The Proxy Settings
The Proxy Settings are available on the Settings tab of the VCA.
Note: If you want
the VCA to use NT
Authentication
when going
through the Proxy
Server, check the Use NT
Authentication box setting. If
you do not want to use NT
Authentication then supply a
User Name and Password.
If the VCA will be accessing the Internet through a Microsoft Proxy Server, you
should select the ‘Use Proxy’ setting check box.
The General Settings section
The General Settings section contains a check box entitled 'Submit details of
VCA categorized sites to SurfControl'. If you check this box then as VCA
categorizes 'None' sites it will send these sites with their new categorization to
SurfControl.
Research staff examine these sites to check that the categorization applied by
VCA is correct. Once these categorizations are verified the URLs are added to
the Category Database to ensure that it always contains the most comprehensive
and up-to-date information.
46
Installation Guide
UPGRADING
THE
VCA
If you did not have VCA installed on a previous version of SurfControl Web
Filter and you now wish to upgrade this version then VCA will not be installed
during the normal upgrade process. VCA will need to be installed manually.
To install the VCA manually:
P ro c e d u re 9: Ru n ni ng t h e U p g r a d e p r oc e s s
Step
Action
1
Navigate to the SurfControl Web Filter installation directory where you will find a folder containing
the VCA components.
2
Double-click the VCA setup.exe file.
3
Follow the on-screen prompts to install the VCA.
If you did install VCA on a version of SurfControl Web Filter that you now wish
to upgrade then VCA will be upgraded along with the rest of the Web Filter
product. However this will only happen if the version of VCA that you have is
the following: SurfControl Virtual Control Agent 4.0.2.2
Performance Tuning
PERFORMANCE TUNING
There are a number of factors to take into account when deploying SurfControl
Web Filter on your network, which relate to the choice of server, number and
locations of servers, and configuration options. The first thing to understand is
the components within a server that affect performance:
•
CPU - A faster CPU or multiple CPUs will improve processing throughput.
•
RAM - A Larger amount of memory will improve performance through
better buffering.
•
Disk Subsystem - Probably the most important factor, a faster disk system
(SCSI, SCSI II etc) will improve throughput.
•
Virus checkers and services - Disable any that are not needed.
SYSTEM WORKLOAD ISSUES
What size and strength of system your monitoring requires depends on the
amount of traffic (packets per second) that you need to monitor since the biggest
impact on performance is the recording of monitored packets to the SurfControl
database. Understanding the volume of network traffic, the mix of protocols, and
the level of detail you want to monitor will help in sizing the correct system.
As a hypothetical example, a network might have on average 600 packets a
second passing by the SurfControl Monitor. These could break down into the
following percentages:
•
HTTP (web access) - 70%
•
FTP - 15%
•
Telnet - 10%
•
SMTP - 5%
Monitoring Options
If you are not interested in monitoring telnet, you can disable this protocol in the
SurfControl Web Filter Monitor. Doing this reduces the workload for
SurfControl Web Filter.
You can further reduce the workload by deciding not to monitor certain
workstations (this does not stop your ability to control those workstations access
from the Rules Administrator). This can be done through the Monitor User
interface. For instance if you have a web server inside your firewall you may not
wish to see all the traffic associated with that system.
You can also reduce the amount of monitoring for each connection by recording
only the top-level domain and not individual graphics that typically get accessed.
48
Installation Guide
Performance Tuning
Other Performance Options
You can also control other performance factors, such as:
•
Disable the monitor all HTTP traffic setting (will only monitor top level
domain information).
•
Disable SmartScan.
•
Disable username support (if you have not implemented NT or NDS
usernames across your network you may only require a hostname).
•
Lengthen the time between checking if a new user has logged in on a
workstation.
If you have workstations on your network that don't have an entry in your DNS
Server, you will suffer a performance penalty. SurfControl Web Filter will
attempt to resolve the workstation name, which ultimately results in a timeout
from the DNS Server that will slow the service. This applies not only to internal
workstations, but also to external workstations that enter your network. You may
see a lot of external workstations registering in the Monitor if you have a Web
Server, FTP Server or E-mail Server on the monitored network. You can disable
the workstation name resolution to speed up performance by deselecting the
Enable Workstation name resolution option.
Performance Factors
There are other factors that come into play, and other options you can deploy in
tuning the system. The size of the monitored database can also impact
performance. Another factor is the demand for reporting as well as recording;
high reporting requirements can impact system performance.
Catch-Up Mode
When SurfControl Web Filter is unable to keep up with the volume of data it is
trying to record to the Monitor database, it will move into "catch-up mode",
where it starts to set monitoring priorities. First, SurfControl Web Filter will stop
recording non-HTTP data, and then it will stop recording HTTP data. A
warning will be written to the event log when catch-up mode is started and when
normal service is resumed. This does not affect the rules and blocking.
Catch-up mode is based on classic high and low water principles to prevent
constant stopping and starting of monitoring. However, if this happens
frequently, there are various solutions:
•
Use a more powerful PC for monitoring.
•
Archive the database frequently. This speeds up the committing of
information to the database.
•
Monitor less information. For example, only capture specific user details.
•
Monitor to flat file, and then update the database during non-peak hours.
•
Disable DNS resolution for either workstations and/or sites.
Performance Tuning
DISTRIBUTING SERVICES AND MULTIPLE COLLECTORS
Your network may have such a large volume of traffic that no one system can
handle it. In these instances you can deploy multiple Servers. These Servers can
be physically deployed on different segments if you have a switched network, or
they can be configured to only monitor certain subnets (using the SurfControl
Web Filter Service). You are then able to balance the load across Servers.
This will result in separate monitor databases on each Server. This may be a
good solution if you want to delegate control to departments or groups, as they
will be able to monitor and control their own Internet Access Policy.
However, if you wish to use a single database to view and produce reports, you
will need to consolidate the information. This can be done in one of two ways:
50
Installation Guide
•
Use flat files at each of the SurfControl Servers (in this case known as
collectors). Then use the SurfControl 'Database Updater' process to write
the flat files from each of the 'collectors' to a single database.
•
Configure both collectors to simultaneously write directly to the single
database.
Troubleshooting
TROUBLESHOOTING
This section covers some problems that may occur during or after
installation of SurfControl.
P r o ce d u re 10 : W h a t t o d o i f n o d a t a i s b e i n g c ol l e c t e d
Step
Action
1
Check that the Web Filter service is running. The SurfControl Web Filter icon in the System Tray should
appear in color. If it is grayed out, the service is not running.
2
To start the service, right-click on the SurfControl icon in the Windows taskbar status area and select
Start Web Filter Service on the popup menu.
3
If the service will still not start or you experience further problems, please contact SurfControl
Support.
TROUBLESHOOTING EUM ISSUES
If you are having difficulties making EUM work correctly, please check these
items before contacting SurfControl Support:
•
After installing the EUM agent, make sure that all domain users log out and
then back into the domain because the agent will not pick up previously
logged-in users.
•
Check the security logs on the domain controllers to ensure that the user has
indeed logged on.
•
Ensure that the agent is installed on all domain controllers that authenticate
users.
Troubleshooting
52
Installation Guide
Chapter 4
Cisco Configuration
Specifics
page 55
Cisco CE running ACNS
page 60
Sample Deployment *
page 61
CISCO CONFIGURATION
Specifics
SPECIFICS
The following sections have been taken from Cisco documentation.
INSTALLATION OF THE CISCO CE
RUNNING
ACNS*
The focus of the installation discussion is intended for administrators who want
to configure, manage, and monitor locally deployed Content Engines that are
running the Cisco Application and Content Networking System (ACNS) 5.1.5
software. The administrator should be familiar with Cisco router and switch
configuration. An understanding of caching concepts is also necessary.
Note: To initially
configure a
Content Engine as
a locally deployed
device, it is
necessary to turn off the
autoregistration feature so that
the Content Engine will not
automatically register with the
Content Distribution Manager,
and thereby can be individually
managed through the ACNS
software command-line
interface (CLI) or the Content
Engine graphical user interface
(GUI) as a locally deployed
device.
The Content Engine GUI allows an organization to remotely configure, manage,
and monitor locally deployed Content Engines through its browser. The
Content Engine CLI allows an organization to configure, manage, and monitor a
locally deployed Content Engine through a console connection or a terminal
emulation program. The Content Engine GUI or CLI can be used to configure
and manage a locally deployed Content Engine. The Content Engine GUI has
context-sensitive online help that can be accessed by clicking the Help button.
*Cisco Documentation: Cisco ACNS Caching & Streaming Configuration Guide
Release 5.1.
SETTING UP THE RULES ON THE CONTENT ENGINE FOR
THE JOINT SOLUTION**
From a Cisco perspective, content is the fundamental element of the ACNS
network as it represents all the data that the ACNS network handles. Content
can be static application data or a media stream and can be associated with a file
type and file extension. Categorically, content can also be on-demand, preloaded, pre-positioned or live.
Content caching with filtering and access control is defined as the saving and
storing of information locally. Copies of recently requested content are stored
temporarily on a Content Engine in locations topologically closer to the web
client (the end user who is requesting the content). The content is readily
available to be reused for subsequent client requests for the same content.
Content Engines that have ACNS 5.1.5 software installed support content
caching with filtering and access control. Content caching is also referred to as
“network caching”.
**Cisco Documentation: Cisco ACNS Caching & Streaming Configuration
Guide Release 5.1, chapter 1
CISCO CONFIGURATION
Specifics
TYPES OF CONTENT SERVED IN
NETWORK**
AN
ACNS
Cisco categorizes content served in an ACNS network as being one of the
following three choices:
On demand: - Content that is acquired, cached and delivered because of a user
request (client-triggered demand). When the first client request is made for the
content, the content is retrieved from the origin web server and is served to the
client by way of the best-suited Content Engine, which also stores or caches the
content.
Preloaded: - Content that is retrieved and stored on an individual Content
Engine because the administrator of that Content Engine scheduled a retrieval of
specific content in anticipation of user requests for that content. Content
Engines can be configured to preload specific content items using HTTP.
Websites are scanned several link levels down for content. The product scans for
content 10 levels down for the initial website link. Preloaded content can be
configured with specified bandwidth limits for better control of network usage.
Content that is retrieved and distributed through a network of centrally managed
Content Engines because the ACNS network administrator has configured
acquisition and distribution of content in anticipation of user requests. Used as a
means of distributing content to populate Content Engines in a centrally
managed ACNS network environment.
Pre-positioned: - Bandwidth-intensive content objects, such as Java applets,
Macromedia Flash animations, Shockwave programs, and other file formats can
be managed and scheduled for distribution to Content Engines during off-peak
hours.
**Cisco Documentation: Cisco ACNS Caching & Streaming Configuration
Guide. Release 5.1, chapter 1
56
Installation Guide
CISCO CONFIGURATION
Specifics
CONTENT CACHING SERVICE WITH FILTERING
ACCESS CONTROL***
AND
Nothing is more frustrating to Internet users than waiting for a web page to load
in their browser. A number of factors contribute to slow delivery of web content,
including Internet congestion, web server overload, and slow-speed WAN access
lines. One cost-effective solution to reduce slow web access and latency is to
“push” content out to the edges of the Internet and closer to the end users.
Because of its special position as an “in-line” device between the end user (web
clients) and the Internet, Content Engines can be easily configured for network
caching. Bandwidth usage and web latency is significantly reduced because
frequently accessed Internet content is being locally cached and served by the
Content Engine at each location.
Content Engines can be configured to provide network caching with filtering
and access control.
User Authentication and Content Filtering
Content Engines can be configured to perform a number of content filtering
services. Once the Content Engine receives a request, it performs the following
tasks:
•
Authenticates the web client by passing the IP address to SurfControl Web
Filter for Cisco CE which, in turn, uses its Enterprise User Monitor (EUM)
to correlate the IP address and the user name for windows-based user
authentication. The EUM needs to be install on the Active Directory Server
or Netware server in order to communicate to the SurfControl Web Filter
•
Passes the request through SurfControl Web Filter for Cisco CE for content
filtering
•
Compares content against configured rules and either blocks the page or
sends back the unmanipulated request.
***Cisco Documentation: Cisco ACNS Caching & Streaming Configuration
Guide, Release 5.1, chapter 13
CISCO CONFIGURATION
Specifics
Sample Workflow of Configuring ICAP Services on a
Content Engine****
ICAP can be configured using a telnet connection to the Content Engine.
The following is a sample workflow of how to define and enable ICAP services
for SurfControl Web Filter for Cisco Content Engine on a locally deployed
Content Engine:
1
Use the icap apply {all | rules-template} command to specify which ICAP
services should be performed on which requests that are received by the
Content Engine. To configure ICAP service for SurfControl configure icap
apply all command to instruct the Content Engine to run all of the ICAP
services on all of the HTTP requests that it receives.
2
Use the icap logging enable command to turn on the ICAP-related
transaction logging, which is available in the local1/logs/icap/ directory
3
Use the icap append-x-headers command to specify the ICAP extension
headers that are passed to the ICAP server with every REQMOD request.
Use the x-header x-client-ip to enable sending the source IP address of each
HTTP request to the ICAP server (SurfControl Web Filter for Cisco CE).
ContentEngine(config)# append-x-headers x-client-ip
4
Use the x-header x-server-ip to enable the sending of the destination IP
address of each HTTP request to the ICAP server (SurfControl Web Filter
for Cisco CE).
ContentEngine(config)# append-x-headers x-server-ip
5
Use the icap service service-id command to configure and enable various
ICAP services on this Content Engine.
#config
(config)# icap service
(config-icap-service)#
(config-icap-service)#
(config-icap-Service)#
SWFICAP
# exit
58
Installation Guide
surfcontrol
enable
vector-point reqmod-precache
Server icap//172.19.227.150/
CISCO CONFIGURATION
Specifics
The following is a sample workflow of how to define and enable ICAP services
for SurfControl Web Filter for Cisco CE on a locally deployed Content Engine:
#config
(config)# icap apply all
(config)# logging enable
(config)# icap append-x-headers x-client-ip
(config)# icap append-x-headers x-server-ip
(config)# icap service surfcontrol
(config-icap-service)# enable
(config-icap-service)# vector-point reqmod-precache
(config-icap-service)# server icap://172.19.227.150/
SCWFICAP
# exit
ICAP service Load balanced
There are different configuration options available for load balancing for the
Cisco CE.
•
Client IP hash - Uses a hash-based algorithm based on the client IP address
for load balancing the ICAP servers in the cluster.
•
Round-robin - Uses the round-robin method in which ICAP servers take
turns processing HTTP requests.
•
Server IP hash - Uses a hash-based algorithm based on the server IP address
for load balancing among the ICAP servers in the cluster.
•
Weighted - Uses a farm of ICAP servers with different load capacities.
The following shows the configuration of load balancing using round robin
method:
#config
(config)# icap apply all
(config)# logging enable
(config)# icap append-x-headers x-client-ip
(config)# icap append-x-headers x-server-ip
(config)# icap service surfcontrol
(config-icap-service)# enable
(config-icap-service)# load-balancing round-robin
(config-icap-service)# vector-point reqmod-precache
SCWFICAP
SCWFICAP
# exit
****Reference: Cisco Documentation: Cisco ACNS Caching & Streaming
Configuration Guide, Release5.1,chapter11
CISCO CONFIGURATION
Cisco CE running ACNS
CISCO CE RUNNING ACNS
ACNS NETWORK OVERVIEW *
The Cisco ACNS network consists of at least one Content Distribution Manager,
one or more Content Engines, and one or more optional Content Routers, as
described below.
Types of ACNS Network Devices*
Device: Performs centralized content and device management. In the ACNS
5.1 network, the Content Distribution Manager manages both content
acquisition and distribution and also manages policy settings and configurations
on individual Content Engines that are centrally managed.
Content Distribution Manager: Through the Content Distribution
Manager GUI, the network administrator can specify what content is to be
distributed and to whom. The Content Distribution Manager also allows the
administrator to monitor network nodes and apply changes, such as software
upgrades, to groupings of nodes from a central location. Content Engines also
play a major role in content request routing and in channel distribution of
content and as they serve client requests for content.
The ACNS network deploys Content Engines in these ways:
Note: The ACNS
software device
mode determines
whether the device
is functioning as a Content
Distribution Manager, Content
Engine, or Content Router
•
Inside an enterprise firewall on an internal network or
•
At the edge of the enterprise network
Content Engines. Content Engines can be managed centrally through the
Content Distribution Manager, or locally as separate standalone content caches.
To locally manage a Content Engine, the ACNS software CLI or the Content
Engine GUI is used instead of the Content Distribution Manager.
Content Routers. Redirect client requests for content to the closest Content
Engine containing that content.
60
Installation Guide
CISCO CONFIGURATION
Sample Deployment *
SAMPLE DEPLOYMENT *
LOCALLY MANAGED CONTENT ENGINES
Figure 1-2 shows a typical enterprise deployment of locally managed Content
Engines that have ACNS 5.1.5 software installed on them. In this example, three
Content Engines (Content Engine A, B, and C) have been deployed as local
caching engines at the central site, regional site, and the small branch office. All
Content Engines are locally managed through the Content Engine GUI or CLI.
*Reference: Cisco Documentation: Cisco ACNS Caching & Streaming
Configuration Guide, Release 5.1, chapter 1
CUSTOMER EXPECTATIONS
The combination of SurfControl Web Filter for Cisco CE and the Cisco CE
running ACNS 5.1.5. accelerates the availability of appropriate Internet content
by incorporating value-added Web services at the edge of an organization’s
network with speed, accuracy, reliability and through a standards-based process.
This standard form of communication between edge devices and network-based
applications provides customers with the efficiency, bandwidth, information
system asset protection and communications infrastructure required for the
dynamic business climate in which they are involved.
CISCO CONFIGURATION
Sample Deployment *
62
Installation Guide
INDEX
INDEX
A
automatically monitor new users 9
O
observe robot exclusion policy 46
C
cache retrieved web pages 46
choke point 3
client ip hash 59
content distribution manager 5
60
content engine cli 55
content engine gui 55
content engines 5, 60
content routers 5, 60
P
performance options 49
preloaded content 56
proxy settings 46
D
deployment 8
device 5
60
E
enable user name support 9
eum issues 51
R
retrieve pages from cache 46
round-robin 59
S
sa account 41
server ip hash 59
spider settings 46
surfcontrol icon 22
W
weighted 59
G
general settings section 46
I
impersonate internet explorer 46
install virtual control agent 9
M
monitor netware user names 21
monitoring options 48
N
network latency 3
Administrator’s Guide, 63
INDEX
64 Administrator’s Guide,

SurfControl Web Filter for Cisco CE Installation Guide

Transcription

Similar documents

Cisco Recruitment Session* When

Atlantis Energy Systems Inc.

Hydro-Filter™ - Phoenix Truckmounts

Coffing EC3 Manual

ecopure® dual stage filter

Regions CD Check Viewer Installation Guide