background image

 C

HAPTER

 2: N

ETWORK

 S

ETUP

  

S

ET

 

UP

 

THE

 N

ETWORK

 

FOR

 A

UTHENTICATION

M86 S

ECURITY

 U

SER

 G

UIDE

69

By default, the following standard links are included in 
the Authentication Request Form:

• 

HELP 

- Clicking this link takes the user to M86’s Tech-

nical Support page that explains why access to the site 
or service may have been denied.

• 

M86 Security 

- Clicking this link takes the user to 

M86’s Web site.

2. Click the “X” in the upper right corner of the window to 

close the sample Authentication Request Form.

TIP

: If necessary, make edits in the Authentication Form Custom-

ization window or the Common Customization window, and then 
click 

Preview

 in this window again to view a sample Authentica-

tion Request Form.

Summary of Contents for M86 Web Filter

Page 1: ...M86 Web Filter USER GUIDE for Authentication Software Version 4 0 10 Document Version 06 08 10...

Page 2: ...this documentation and disclaims any implied war ranties of merchantability and fitness for a particular purpose M86 Security shall not be liable for any error or for incidental or consequential damag...

Page 3: ...ering Profile 13 Individual IP Member Filtering Profile 13 Active Filtering Profiles 14 Global Filtering Profile 14 LDAP Filtering Profiles 14 Override Account Profile 15 Time Profile 15 Lock Profile...

Page 4: ...tication 35 Specify the operation mode 36 Specify the subnet mask IP address es 38 Invisible mode 38 Router or firewall mode 39 Enable authentication specify criteria 40 Net use based authentication 4...

Page 5: ...76 View Log Results 77 CHAPTER 3 LDAP AUTHENTICATION SETUP 79 Create an LDAP Domain 79 Add the LDAP domain 79 Refresh the LDAP branch 80 View modify enter LDAP domain details 80 LDAP Server Type 81 G...

Page 6: ...L 124 Filter Options 125 Add an Exception URL to the profile 126 Valid URL entries 127 Add URLs to Block URL or ByPass URL frame 128 Remove URLs from Block URL or ByPass URL frame 130 Apply settings 1...

Page 7: ...ion for the Global Group 163 Step 1 Exclude filtering critical equipment 163 Step 1A Block Web access logging via Range to Detect 164 Range to Detect Settings 164 Range to Detect Setup Wizard 165 Step...

Page 8: ...Tier 2 implementation in an environment 191 Tier 2 Script 192 Tier 1 and Tier 2 Script 193 Tier 3 Session based Web Authentication 195 M86 Authenticator 196 Environment requirements 197 Windows minimu...

Page 9: ...stallation setup 216 Step 3C Run AD Agent configuration wizard 219 Use the Active Directory Agent console 224 Activity tab 224 Sessions tab 227 Session table spreadsheet 229 Session Properties window...

Page 10: ...mat 264 User profile list format 265 Group profile list format 266 Container profile list format 266 LDAP Quota Format and Rules 267 APPENDIX E OVERRIDE POP UP BLOCKERS 268 Yahoo Toolbar Pop up Blocke...

Page 11: ...dialog box 275 Use the IE toolbar 276 Temporarily disable pop up blocking 276 Add override account to the white list 277 Use the IE toolbar 277 Use the Information Bar 278 Set up the Information Bar...

Page 12: ...CONTENTS xii M86 SECURITY USER GUIDE...

Page 13: ...nstallation Guide or M86 WFR Installation Guide for information on installing the unit on the network This document also provides information on how to access the Web Filter Admin istrator console to...

Page 14: ...o Use this User Guide Conventions The following icons are used throughout this user guide NOTE The note icon is followed by italicized text providing additional information about the current subject T...

Page 15: ...dow or screen used for indi cating whether or not you wish to select an option This object allows you to toggle between two choices By clicking in this box a check mark or an X is placed indi cating t...

Page 16: ...rows and columns of data as a result of various processes This data can be reorganized in the Administrator console by changing the order of the columns list box an area in a dialog box window or scr...

Page 17: ...contains a down arrow to the right When you click the arrow a menu of items displays from which you make a selection radio button a small circular object in a dialog box window or screen used for sele...

Page 18: ...pic is selected the window for that sub topic displays in the right panel of the screen or a pop up window or an alert box opens as appro priate text box an area in a dialog box window or screen that...

Page 19: ...ouble clicking the item a minus sign replaces the plus sign and any entity within that branch of the tree displays An item in the tree is selected by clicking it window a window displays on a screen a...

Page 20: ...ntication is enabled the global administrator who has all rights and permissions on the Web Filter will see all branches of the tree Global Group IP and LDAP If authentica tion is disabled only the Gl...

Page 21: ...The global administrator adds master IP groups adds and maintains override accounts at the global level and estab lishes and maintains the minimum filtering level The group administrator of a master I...

Page 22: ...ains LDAP domains and assigns designated group administrators Sub Admins access to specific entities nodes within that domain The group administrator creates and maintains filtering profiles for nodes...

Page 23: ...rarchical tree structure used by end users who do not belong to a group IP group Master Group master group filtering profile used by end users who belong to the master group master time profile used b...

Page 24: ...ide account set up in the master IP group section of the Web Filter Administrator console takes precedence over an override account set up in the global group section of the console lock profile set u...

Page 25: ...ndividual IP group members and is customized to allow deny users access to URLs or warn users about accessing specified URLs to redirect users to another URL instead of having a block page display and...

Page 26: ...s that are configured to be blocked A URL can be specified for use instead of the standard block page when users attempt to access material set up to be blocked Various filter options can be enabled L...

Page 27: ...ustomized filtering profile set up to be effective at a specified time period for designated users Lock Profile This filtering profile blocks the end user from Internet access for a set period of time...

Page 28: ...vel rules specify which library categories should be blocked left open assigned a warn setting or white listed filter options specify which features will be enabled X Strikes Blocking Google Bing Yaho...

Page 29: ...Category Groups excluding the Custom Categories group Updates to these categories are provided by M86 on an ongoing basis and administra tors also can add or delete individual URLs within a speci fied...

Page 30: ...smission HTTPS and Secure Shell SSH Rules A rule is comprised of library categories to block leave open assign a warn setting or include in a white list Access to an open library category can be restr...

Page 31: ...lock if a category or a service port is given a block setting users will be denied access to the item set up as blocked open if a category or the filter segment detected on the network is given an ope...

Page 32: ...ilter setting that port will use filter settings created for library categories block or open settings to determine whether users should be denied or allowed access to that port ignore if the filter s...

Page 33: ...after authenti cating The minimum filtering level combines with the user s profile to guarantee that categories blocked in the minimum filtering level are blocked in the user s profile 3 For master I...

Page 34: ...user The user can have only one individual profile in each domain c A profile for a workstation takes precedence over a user s individual profile d If the user has a time profile that profile takes p...

Page 35: ...counts to bypass the minimum filtering level or if the override account was set up in the global group tree NOTE An override account set up in the master IP group section of the Web Filter Administrat...

Page 36: ...and Options Web Filter authentication tiers The Web Filter authentication architecture for the LDAP authentication protocol is comprised of three tiers When using LDAP authentication with the Web Fil...

Page 37: ...ication options can be enabled to ensure the end user is authenticated when logging into his her workstation M86 Authenticator Active Directory Agent and Novell eDirectory Agent NOTE See Appendix A Au...

Page 38: ...ility for a single user KEY N A Not Applicable N R Not Recommended Tier1 net use Tier 2 time based Tier 3 session based M86 Authen ticator eDirec tory Agent Active Directory Agent Tier 1 Yes Yes N R N...

Page 39: ...o Stalker None Tier 2 or Tier 3 Windows 2000 2003 Server both Mixed and Native modes Tier 1 net use M86 Authenticator for Windows AD Agent Tier 2 or Tier 3 Novell eDirectory M86 Authenticator for Wind...

Page 40: ...the Web Filter s Virtual IP address and Java applet for Tier 3 authentica tion TCP 139 Used between the Web Filter and workstations requiring Tier 1 or Tier 3 authentication TCP UDP 137 Used between t...

Page 41: ...m section of the Administrator console in the following windows Operation Mode LAN Settings Enable Disable Authentication Authentication Settings Authentication SSL Certificate if Web based authentica...

Page 42: ...tion if you will only be using net use based authentication for Active Directory servers Tier 2 Choose this option if you wish to use timed Web based authentication for LDAP domains This option gives...

Page 43: ...g this option you create either a self signed certifi cate or a Certificate Request CSR for use by the Secure Sockets Layer SSL The certificate should be placed on client machines so that these machin...

Page 44: ...more than one domain the first one you add should be the domain on which the Web Filter resides 2 Do either of the following as necessary Assign a group administrator to oversee the newly added domai...

Page 45: ...erating system running Internet Explorer IE 7 0 or 8 0 Firefox 3 5 Macintosh OS X Version 10 5 or 10 6 running Safari 4 0 Firefox 3 5 JavaScript enabled Java Virtual Machine Java Plug in use the versi...

Page 46: ...Version 10 5 or 10 6 running Safari 4 0 Firefox 3 5 JavaScript enabled Java Runtime Environment if using Tier 3 authentication Pop up blocking software if installed must be disabled Network Requireme...

Page 47: ...ws Operation Mode LAN Settings Enable Disable Authentica tion Authentication Settings Authentication SSL Certificate if Web based authentication will be used and Block Page Authentication Entries for...

Page 48: ...The entries made in this window will vary depending on whether you will be using the invisible router or firewall mode 1 In the Mode frame select the mode to be used Invis ible Router or Firewall NOT...

Page 49: ...find the best possible destination MAC address of a specified host usually the Web Filter gateway Send Block to Specified Host MAC Address using this preferred method the block page will always be se...

Page 50: ...play the LAN Settings window Fig 2 2 LAN Settings window The entries made in this window will vary depending on whether you are using the invisible mode or the router or firewall mode NOTE If the gate...

Page 51: ...be placed in different subnets In the Primary IP field of the DNS frame enter the IP address of the first DNS server to be used for resolving the IP address of the authentication server with the mach...

Page 52: ...thentication window 2 Click Enable to enable authentication 3 Select one of three tiers in the Web based Authentication frame Fig 2 3 Enable Disable Authentication window NOTES See information on the...

Page 53: ...ntroller or a Novell eDirectory server the M86 Authenticator automatically authenticates the end user when he she logs into his her workstation If down loading the M86 Authenticator for Apple Authenti...

Page 54: ...umber of minutes entered in the text box 6 Click Apply Net use based authentication Tier 1 Web based Authentication disabled Net Use enabled Choose this option if you will be using net use based authe...

Page 55: ...eb Filter with an SSL accelerator card installed Please contact M86 for more information Tier 2 Use time based profiles with time out in minutes Choose this option if using LDAP authentica tion and yo...

Page 56: ...order for the user to have continued access to the Internet NOTE Tier 3 Authentication requires a current version of Java Runtime Environment JRE on end users PCs In some cases a JRE will need to be d...

Page 57: ...using the most current version of JRE choose the method for distributing the current version to their workstations M86 automatically distributes JRE during user login or the default selection Administ...

Page 58: ...from the entry made in the Host Name field of the LAN Settings window 2 In the IP Address of WINS Server field if using a WINS server for name resolution enter the IP address of each Windows DNS serve...

Page 59: ...e same subnet as this Web Filter the net use connection will fail 4 From the NIC Device to Use for Authentication pull down menu if using the invisible mode select LAN2 for sending traffic on the netw...

Page 60: ...n client machines so that the Web Filter will be recognized as a valid server with which they can communicate Click Authentication and select Authentication SSL Certifi cate from the pop up menu to di...

Page 61: ...or Intermediate Certificate An inter mediate certificate is a signing certificate for an SSL certificate 4 Click Download View Certificate to open the File Down load dialog box where you indicate whet...

Page 62: ...uthenticated TIP Click Delete Certificate to remove the certificate from the server Create Upload a Third Party Certificate Create a Third Party Certificate 1 Click the Third Party Certificate tab Fig...

Page 63: ...s M86 Security 5 Enter an Organizational Unit code set up on your server such as Corp 6 Enter Locality information such as the name of your city or principality 7 Enter the State or Province name in i...

Page 64: ...Do not click this button until performing the actions in the following steps TIP Click Cancel in the dialog box to cancel the procedure 2 In the Upload Signed SSL Certficate for Web Filter pop up win...

Page 65: ...upload and to close the dialog box Download a Third Party Certificate 1 In the Third Party Certificate tab choose either SSL Certificate or Intermediate Certificate 2 Click Download View CSR to open...

Page 66: ...Options field of the Details frame all block page options are selected by default except for Web based Authentication Choose from the following options by clicking your selection Web based Authentica...

Page 67: ...er portion of the M86 WFR User Guide for information about the Override Account feature 2 If the Re authentication option was selected in the Logon Script Path field PDCSHARE scripts displays by defau...

Page 68: ...s on the user s screen Fig 2 14 Block page NOTES See Block Page Customization for information on adding free form text and a hyperlink at the top of the block page Appendix B Create a Custom Block Pag...

Page 69: ...ry category that blocked the user s access to the URL displays If the content the user attempted to access is blocked by an Exception URL Exception displays instead of the library category name Blocke...

Page 70: ...ntication window Clicking this link takes the user to the Options window described in the Options page sub section that follows To submit this blocked site for review click here This phrase and link i...

Page 71: ...he block page For further options click here Fig 2 15 Options page The following items previously described for the Block page display in the upper half of the Options page BACK and HELP links User Ma...

Page 72: ...tication Options field in the Block Page Authentication window The following phrase link displays Click here for secure Web based authentication When the user clicks the link the Authentication Reques...

Page 73: ...ed Authentication was selected in the Block Page Authentication window If the user believes he she was incorrectly blocked from a specified site or service he she should re start his her machine and l...

Page 74: ...ternet content blocked at the global or IP sub group level The user should enter his her Username and Password and then click Override to open the Profile Control window This window must be left open...

Page 75: ...tomization and then select Common Customiza tion from the pop up menu to display the Common Custom ization window Fig 2 18 Common Customization window By default in the Details frame all elements are...

Page 76: ...bled displays Blocked URL followed by the blocked URL in block pages Copyright Display if enabled displays M86 Web Filter copyright information at the footer of block pages and the authentication requ...

Page 77: ...The associated email address specified in the Submission Email Address field described below is accessible to the end user by clicking the click here link NOTE If enabling the Submission Review Displa...

Page 78: ...on Form from the pop up menu Fig 2 19 Authentication Form Customization window NOTE This window is activated only if Authentication is enabled via System Authentication Enable Disable Authentication a...

Page 79: ...layed beneath the Authentication Request Form header In the Link Text field enter text for the link s URL to be displayed beneath the Description in the Authentica tion Request Form and in the Link UR...

Page 80: ...n Customization window Fig 2 20 Sample Customized Authentication Request Form By default the following data displays in the frame Username field The username displays Password field The user s IP addr...

Page 81: ...page that explains why access to the site or service may have been denied M86 Security Clicking this link takes the user to M86 s Web site 2 Click the X in the upper right corner of the window to clo...

Page 82: ...ustomization window NOTE See Appendix B Create a Custom Block Page from the M86 Web Filter User Guide M86 IR Web Filter User Guide or the Web Filter portion of the M86 WFR User Guide for information o...

Page 83: ...e to be displayed beneath the block page header In the Link Text field enter text for the link s URL to be displayed beneath the Description in the block page and in the Link URL field enter the corre...

Page 84: ...Block Page By default the following data displays in the User Machine frame User Machine field The username displays for the LDAP user This field is blank for the IP group user IP field The user s IP...

Page 85: ...en tication window Clicking this link takes the user to the Options window described in the Options page sub section To submit this blocked site for review click here This phrase and link is included...

Page 86: ...r accounts are set up in the Administrator window from the System section of the console NOTE IP group administrator accounts are set up in the IP branch of the Policy tree when new IP groups are crea...

Page 87: ...he same entry again in the Confirm Password field 4 Select Sub Admin from the Type pull down menu 5 Click Add to include the username and account type in the Current User list box Update the group adm...

Page 88: ...me from the Current User list box 2 Click Delete to remove the account NOTE If a group administrator assigned to an LDAP node is deleted that group administrator must be removed from assign ment to th...

Page 89: ...options will be addressed For information about all other options see the View Log File window in the M86 Web Filter User Guide M86 IR Web Filter User Guide or the Web Filter portion of the M86 WFR U...

Page 90: ...irectory Agent Event Log edirEvent log used for viewing the event log if using eDirectory LDAP authentication Authentication Module Log authmodule log used for viewing information about SEVERE error m...

Page 91: ...me field enter either the IP address or the hostname of the authentication server 3 In the LDAP Server Port field enter the LDAP server port number By default enter 389 4 In the LDAP Domain Label fiel...

Page 92: ...y tree Select the LDAP domain you added and choose Domain Details from the pop up menu to display the default Type tab of the LDAP Domain Details window Fig 3 2 Domain Details window Type tab The LDAP...

Page 93: ...ully detected the appro priate LDAP Server Type radio button will be pre selected on the Type tab 1 If making a selection on this tab the following options are available Microsoft Active Directory Mix...

Page 94: ...ings do not alter anything in these tabs The only action you need to execute on these tabs is to confirm the settings by clicking the Next button at the bottom of the window until you reach the Addres...

Page 95: ...Use Primary Group checkbox displays on this tab You may wish to check this box to indicate that profiles based on user groups should be assigned to users If using Novell eDirectory or Sun One the Use...

Page 96: ...Include List and Exclude List are populated with appropriate user objects based on the server type 1 Generally no action needs to be performed on this tab However under special circumstances the follo...

Page 97: ...2 If any modifications were made on this tab click Save 3 Click Next to go to the Workstation tab Workstation Objects The Workstation tab is used for including or excluding work station objects in th...

Page 98: ...n clicking the Edit button A workstation object can be removed by selecting the workstation object and then clicking Remove 2 If any modifications were made on this tab click Save 3 Click Next to go t...

Page 99: ...SL certificate that will be uploaded to the server The Server IP Address that displays by default is the one that was entered in the LDAP Server IP field of the Create LDAP Domain dialog box The DNS D...

Page 100: ...edited if necessary If this field is not populated enter the LDAP query base 2 If any modifications were made on this tab click Save 3 Click Next to go to the Account tab Account Info The Account Info...

Page 101: ...inistrator cn Users dc qc2domain dc local or cn admin o logo org Then enter the password in the Password and Confirm Password fields For an Active Directory LDAP server type if you do not know the aut...

Page 102: ...ly saved on this tab the Distinguished Name Auto Discovery frame will no longer display at the bottom of this tab 2 Click Save to save your entries 3 Click Next to go to the SSL tab SSL Settings SSL s...

Page 103: ...nd do the following a In the Wait __ seconds for certificate field by default 3 displays Enter the number of seconds to wait before the certificate is automatically uploaded b Click Upload to upload t...

Page 104: ...o to the Alias List tab Alias List The Alias List will be automatically populated if the Account Name was entered in the Account tab This list includes all alias names for the domain that will be incl...

Page 105: ...ons If an Organizational Unit OU has been deleted from the LDAP directory but has already been added to the alias list the list can be reloaded by clicking the Reload OU List button When clicking this...

Page 106: ...Default Rule tab 1 This tab is comprised of the following components that can be modified By default Rule0 is the default rule This rule can be changed by making another selection from the pull down...

Page 107: ...ns in LDAP Backup Server Configuration NOTE If Novell eDirectory was selected for the LDAP Server Type and the Novell eDirectory Agent option was enabled in the Enable Disable Authentication window in...

Page 108: ...buttons can be clicked at any time during the wizard setup process Click Close to close the wizard pop up window 2 Enter edit or verify the following criteria Server DNS Name DNS name of the LDAP serv...

Page 109: ...at will be uploaded to the server NETBIOS Domain Name an entry in this field is optional Server LDAPS Port by default 636 displays in this field Server LDAP Port by default the value that was entered...

Page 110: ...hed Name in the LDAP Account Name field For example cn Administrator cn Users dc qc2domain dc local or cn admin o logo org b Enter the password in the Password and Confirm Password fields If the LDAP...

Page 111: ...e bottom of this tab 6 Click Save to save your entries 7 Click Next to go to the SSL tab Fig 3 16 Backup Server Configuration SSL Settings SSL settings should be made if your network requires a secure...

Page 112: ...load SSL Certificate for LDAPS pop up window see Fig 3 9 Click Browse to open the Choose file window and select the Web Filter s SSL certificate Click Upload File to upload the SSL certificate to the...

Page 113: ...ITY USER GUIDE 101 Delete a backup server s configuration On the Default Rule tab click Delete to remove the backup server s configuration Delete a domain To delete a domain profile choose Delete from...

Page 114: ...lly Add Worksta tion Manually Add Member Manually Add Group and Upload Profile Add nodes to the domain tree list Before you can create filtering profiles for groups worksta tions users and or containe...

Page 115: ...clicking the Workstation User Group or Container radio button 2 If User or Group was selected choose either cn common name or uid user ID from the pull down menu for the attribute type used in the LD...

Page 116: ...grid click Mark Unmark All To select or deselect all highlighted records in the grid click Mark Unmark Selected This feature works only if records are first selected in the grid by clicking on them M...

Page 117: ...he tree is refreshed all nodes with rules applied to them appear in the tree Delete a rule To delete a rule from a profile the entity must currently display in the grid and have a rule assigned to the...

Page 118: ...the one that is positioned highest in the list is applied NOTES Groups automatically populate the Profile Group s list box if these groups have one or more identical users and were added to the tree l...

Page 119: ...the tree list so that a filtering profile can be defined for that workstation 2 Enter the workstation name in the text box using the entire Distinguished Name For example cn engi neering cn tester dc...

Page 120: ...profile can be defined for that user 2 Enter the username in the text box TIP LDAP usernames should be input exactly as entered as entered for the LDAP Distinguished Name Examples CN Jane Doe CN User...

Page 121: ...ually Add Group box This dialog box is used for adding a group name to the tree list so that a filtering profile can be defined for that group 2 Enter the group s name in the text box using the entire...

Page 122: ...pop up menu to open the Upload User Group Profile window Fig 3 22 Upload User Group Profile window This window is used for uploading a file to the tree with workstation user group or container names a...

Page 123: ...sed on the type of file format used the file should have the following name ldapwrkstnprofile conf if the file contains LDAP workstation profiles ldapuserprofile conf if the file contains LDAP user pr...

Page 124: ...ngs will not be effective until the user logs off and back on the server 5 Click Upload File to upload this file to the server The Upload Successful pop up window informs you to click Reload in order...

Page 125: ...y tree the global administrator assigns Sub Admin group administrators the following entities nodes to manage domain group s workstations members and or containers NOTE See Set up Group Administrator...

Page 126: ...her assignment 1 Click Assign to at any level of the LDAP Policy tree domain group workstation member or container to open the Assign Access pop up window see Fig 4 1 In the Assign Access to selected...

Page 127: ...u topics sub topics and tree nodes currently available to that Sub Admin 5 Click the X in the upper right corner of that pop up window to close it TIP If necessary another Sub Admin from the Assign to...

Page 128: ...orner of the Assign Access pop up window to close it TIP To unassign the Sub Admin from that node click the Unas signed Access checkbox and then click Apply To re assign the node to another Sub Admin...

Page 129: ...profile creation and maintenance Group Member Details Profile Exception URL Time Profile Remove and Assign to For LDAP containers the Container Details option is avail able for viewing information ab...

Page 130: ...LDAP group This window is used for viewing profile information about a group and for adding members to a group In the Group Details frame the following details display Group name Full Name Distinguis...

Page 131: ...oose Container Details from the pop up menu to display the Container Details window Fig 4 5 Container Details window This view only window provides the following information about the container Contai...

Page 132: ...p up menu to display the default Category tab of the Profile window Fig 4 6 Group Profile window Category tab LDAP group The Profile option is used for viewing creating the filtering profile of the de...

Page 133: ...ering Level displays in the Available Filter Levels pull down menu and the Minimum Filtering Level box displays Child Pornography and Pornography Adult Content By default Uncategorized Sites are allow...

Page 134: ...lumn Pass URLs in this category will pass to the end user Allow URLs in this category will be added to the end user s white list Warn URLs in this category will warn the end user that the URL he she r...

Page 135: ...ota minutes NOTE See the Quota Settings window in Chapter 1 System screen of the M86 Web Filter User Guide M86 IR Web Filter User Guide or the Web Filter portion of the M86 WFR User Guide for more inf...

Page 136: ...LDAP group Redirect URL is used for specifying the URL to be used for redirecting users who attempt to access a site or service set up to be blocked 1 Specify the type of redirect URL to be used Defa...

Page 137: ...l be applied to the entity s filtering profile 1 Click the checkbox es corresponding to the option s to be applied to the filtering profile X Strikes Blocking Google Bing Yahoo Youtube Ask AOL Safe Se...

Page 138: ...indow is used for blocking group members access to specified URLs and or for letting group members access specified URLs blocked at the minimum filtering level NOTE Settings in this window work in con...

Page 139: ...decimal long format e g http 0x46 0x55 0x96 0xd2 decimal value format e g http 1180014290 escaped hexadecimal format e g http 57 57 57 41 44 44 49 43 54 49 4E 47 47 41 4D 45 53 43 4F 4D query string e...

Page 140: ...URL found by the query Uncheck any checkbox corresponding to a URL you do not want to include in your list Click the Check uncheck all checkbox at the bottom of this window to toggle between selecting...

Page 141: ...ckbox for the ignore warnings and add URL field activates the Add Selected button Clicking Add Selected closes the pop up window and moves the selected URLs to the opposite frame in the Exception URL...

Page 142: ...P address URL to maximize results to be returned by the URL query 2 Click Remove to open the Remove Block URLs Remove ByPass URLs pop up window to view all corre sponding URLs found by the query Fig 4...

Page 143: ...Apply to apply your settings after adding or removing a URL Create a Time Profile for the node From the domain select the node and choose Time Profile from the pop up menu to display the Time Profile...

Page 144: ...ime Profile 2 Type in three to 20 alphanumeric characters the under score _ character can be used for the profile name 3 Click OK to close the pop up box and to open the Adding Time Profile pop up win...

Page 145: ...row in the date drop down menu to open the calendar pop up box In this pop up box you can do the following Click the left or right arrow at the top of this box to navigate to the prior month or the ne...

Page 146: ...y is chosen select from 1 31 If a non specific day is chosen make selections from the two pull down menus for the following week of the month First Fourth or Last day of the month Sunday Saturday Day...

Page 147: ...e first Monday in June For example if the current month and year are May 2010 the first Monday in June this year would be the 7th The next time this profile would be used will be in June 2012 6 In the...

Page 148: ...shows the Name and Description of the time profile that was just added WARNING If there is an error in a time profile the Description for that time profile displays in red text Select that time profi...

Page 149: ...indow NOTE Only filtering profile lookups for LDAP nodes will be addressed in this sub section Please refer to the M86 Web Filter User Guide M86 IR Web Filter User Guide or the Web Filter portion of t...

Page 150: ...LDAP profile User login name path of the LDAP profile on the domain For a workstation profile this path includes the workstation name Rule name if this profile uses a non custom rule the rule number d...

Page 151: ...egory will be blocked Quota If a number displays in this column the corresponding category group library category was set up as passed but with a time limit as defined by the number of minutes in that...

Page 152: ...ctively in which a quota is specified Blocked Ports optional ports that have been set up to be blocked if established Redirect URL optional the URL that will be used for redirecting the user away from...

Page 153: ...ntication Settings Before deploying authentication on the network you should test your settings to be sure the Authentication Request Form login page can be accessed If properly set up the Authenticat...

Page 154: ...hentication SSL Certificate window in Chapter 2 is placed on all workstations of users who will be authenticated This ensures that users will not receive the Security Alert warning message from the se...

Page 155: ...p test 1 Click the IP branch of the tree 2 Select Add Group from the pop up menu to open the Create New Group dialog box Fig 5 2 Create New Group box 3 Enter test as the Group Name 4 Enter the passwor...

Page 156: ...up test with a 32 bit net mask 1 Select the IP Group named test from the tree 2 Click Members in the pop up menu to display the Members window Fig 5 4 Group Members window 3 Click the radio button co...

Page 157: ...sk 1 Select the IP Sub Group workstation from the tree 2 Click Members in the pop up menu to display the Members window Fig 5 5 Sub Group Members window 3 Click the radio button corresponding to Membe...

Page 158: ...isplay the Sub Group Profile window Fig 5 6 Sub Group Profile window Category tab 3 In the Category Profile page select Block All from the Available Filter Levels pull down menu TIP Blocks of category...

Page 159: ...e Redirect URL tab to display the Redirect URL page Fig 5 7 Sub Group Profile window Redirect URL tab 2 Select Authentication Request Form NOTE The host name of the Web Filter will be used in the redi...

Page 160: ...the Filter Options tab to display the Filter options page Fig 5 8 Sub Group Profile window Filter Options tab 2 Uncheck all the checkboxes X Strikes Blocking Google Bing Yahoo Youtube Ask AOL Safe Sea...

Page 161: ...u must have your own profile set up in order to complete the test process 1 Launch an Internet browser window supported by the Web Filter Fig 5 9 Internet Explorer browser 2 Enter a URL in the Address...

Page 162: ...the Domain and Alias fields display select the following information Domain you are using Alias name for that domain unless Disabled displays and the field is greyed out 5 Click Log In to authenticate...

Page 163: ...00 The entry you make should initiate a connection with Tier 1 TIP The virtual IP address should be the same as the one entered in the Virtual IP Address to Use for Authentication field in the Authent...

Page 164: ...up authentication and Global Group Profile authentication Select the option you wish to use on your network Go to the Activate Web based authentication for an IP Group sub section for instructions on...

Page 165: ...tication over the Global Group Profile authentication option as it decreases the load on the Web Filter Step 1 Create a new IP Group webauth 1 Click the IP branch of the tree 2 Select Add Group from t...

Page 166: ...h from the tree 2 Click Members in the pop up menu to display the Members window Fig 5 12 Members window 3 Click the radio button corresponding to Source IP 4 Enter the Source IP address of the workst...

Page 167: ...ck Add Sub Group in the pop up menu to open the Create Sub Group dialog box Fig 5 13 Create Sub Group box 3 Enter the Group Name of your choice 4 Click OK to add the Sub Group to the IP Group 5 Select...

Page 168: ...om the tree 2 Click Sub Group Profile in the pop up menu to display the Sub Group Profile window Fig 5 15 Sub Group Profile window Category tab 3 In the Category Profile page select Block All from the...

Page 169: ...the Authentication Request Form radio button selection uses the host name of the server not the IP address be sure there is a DNS resolution for the host name 3 Click Apply As a result of these entrie...

Page 170: ...ick the Filter Options tab to display the Filter options page Fig 5 17 Sub Group Profile window Filter Options tab 2 Uncheck all the checkboxes X Strikes Blocking Google Bing Yahoo Youtube Ask AOL Saf...

Page 171: ...p menu 2 Select Global Group Profile to display the Category tab of the Profile window Fig 5 18 Global Group Profile window Category tab a In the Category Profile page select categories to block pass...

Page 172: ...dow Port tab a In the Port page enter the Port number to be blocked b Click Add to include the port number in the Block Port s list box c After entering all port numbers to be blocked click Apply 4 Cl...

Page 173: ...ON THE NETWORK M86 SECURITY USER GUIDE 161 a Select Default Block Page b Click Apply 5 Click the Filter Options tab to display the Filter Options page Fig 5 21 Global Group Profile window Filter Opti...

Page 174: ...ON ON THE NETWORK 162 M86 SECURITY USER GUIDE As a result of these entries the standard block page will display instead of the Authentication Request Form when any user in this Sub Group is blocked fr...

Page 175: ...cluded from being served the Authentication Request Form page For this step you must choose one of two options Block Web access only Select this option if you do not want to log traffic for a machine...

Page 176: ...TE Segments of network traffic should not be defined if using the firewall mode Range to Detect Settings 1 Click Global Group in the tree to open the pop up menu 2 Select Range to Detect to display th...

Page 177: ...Detect Settings window main window 4 Click Start the Setup Wizard to display Step 1 of the Range to Detect Setup Wizard Range to Detect Setup Wizard Fig 5 25 Range to Detect Setup Wizard Step 1 1 Ent...

Page 178: ...of the Wizard Fig 5 26 Range to Detect Setup Wizard Step 2 3 An entry for this step of the Wizard is optional If there are destination IP address es to be filtered enter the IP address and specify the...

Page 179: ...ed enter the IP address and specify the Netmask or enter the Indi vidual IP address 6 Click Next to go to Step 4 of the Wizard Fig 5 28 Range to Detect Setup Wizard Step 4 7 An entry for this step of...

Page 180: ...An entry for this step of the Wizard is optional If there are ports to be excluded from filtering enter each port number in the Individual Port field and click Add 10 Click Next to go to the final st...

Page 181: ...VATE AUTHENTICATION ON THE NETWORK M86 SECURITY USER GUIDE 169 As a result of these entries the IP address es specified to be excluded will not be logged or filtered on the network Bypass Step 1B and...

Page 182: ...from the tree 2 Click Sub Group Profile in the pop up menu to display the Sub Group Profile window Fig 5 31 Sub Group Profile window Category tab 3 In the Category Profile page create a custom profile...

Page 183: ...USER GUIDE 171 Fig 5 32 Sub Group Profile window Redirect URL tab 6 Select Default Block Page and then click Apply 7 Click the Filter Options tab to display the Filter Options page Fig 5 33 Sub Group...

Page 184: ...will use the default block page instead Go on to Step 2 to complete this process Step 2 Modify the Global Group Profile 1 Click Global Group in the tree to open the pop up menu 2 Select Global Group P...

Page 185: ...ITY USER GUIDE 173 3 Click the Port tab to display the Port page Fig 5 35 Global Group Profile window Port tab a Enter the Port number to be blocked and then click Add to include the port number in th...

Page 186: ...ect URL tab to display the Default Redirect URL page Fig 5 36 Global Group Profile window Redirect URL tab a Select Authentication Request Form NOTE Since the Authentication Request Form radio button...

Page 187: ...Filter Options tab to display the Filter Options page Fig 5 37 Global Group Profile window Filter Options tab a Select filter options to be enabled b Click Apply As a result of these entries a user w...

Page 188: ...ailure Step 1 Modify the 3 try login script Place a copy of the 3 try login script in the netlogon folder on your Domain Controller Note that this sample script should be modified to use your own Virt...

Page 189: ...domain Step 2 Modify the Global Group Profile The last step of the activation process is to adjust the Global Group Profile to set the policy for members of an IP based profile or for users who are n...

Page 190: ...or be blocked 4 Click Apply 5 Click the Port tab to display the Port page 6 Enter the Port number to be blocked and then click Add to include the port number in the Block Port s list box 7 After enter...

Page 191: ...curity com support or contact us by phone by e mail or in writing For troubleshooting tips visit http www m86security com software 8e6 ts wf html Hours Regular office hours are from Monday through Fri...

Page 192: ...TION 180 M86 SECURITY USER GUIDE Contact Information Domestic United States 1 Call 1 888 786 7999 2 Select option 3 International 1 Call 1 714 282 6111 2 Select option 3 E Mail For non emergency assis...

Page 193: ...orate Headquarters USA 828 West Taft Avenue Orange CA 92865 4232 USA Local 714 282 6111 Fax 714 282 6116 Domestic US 1 888 786 7999 International 1 714 282 6111 M86 Taiwan 7 Fl No 1 Sec 2 Ren Ai Rd Ta...

Page 194: ...t to resolve the issue directly If your issue needs to be escalated you will be given a ticket number for reference and a senior level technician will contact you to resolve the issue If your issue re...

Page 195: ...thentication Tier Selections Web Filter authentication is designed to support the following server types for the specified tier s Tier 1 Net use based authentication NOTE Login scripts must be used fo...

Page 196: ...A 1 Net use based authentication module diagram 1 The user logs on the network from a Windows worksta tion also known as client or machine 2 The authentication server on the network sends the user s...

Page 197: ...es 7 When the user logs off changes IP addresses loses the network connection or in any way causes the IPC connection to be altered or deactivated the Web Filter senses this change and returns the IP...

Page 198: ...ecification defines both the communication protocol and the structure or schema to a lesser degree There is an Internet Assigned Network Authority IANA standard set that all LDAP directories should co...

Page 199: ...tion server domain name usernames and passwords user groups login scripts Login scripts Login or logon scripts are used by the Web Filter for reau thenticating users on the network The following synta...

Page 200: ...logon c winnt sysvol sysvol domainname suffix scripts c winnt sysvol domainname scripts The login script must be specified either in the user s domain account or in the Active Directory Group Policy...

Page 201: ...r in charge of the LDAP server should create a user for the Web Filter in order to give that user full read access to the groups and users in the directory Since the LDAP directory is structured as a...

Page 202: ...agram 1 The user makes a Web request by entering a URL in his her browser window 2 The Web Filter intercepts this request and sends the user the Authentication Request Form requesting the user to log...

Page 203: ...ot call for the Web Filter to maintain a connection with the client machine so the Web Filter cannot detect when the user logs off of a workstation In order to remove the end user s profile one of two...

Page 204: ...s end user s profile is completely removed in the event the end user did not log out successfully echo off start cls net use 10 10 10 10 LOGOFF delete try1 NET USE 10 10 10 10 LOGOFF if errorlevel 1 g...

Page 205: ...h his her assigned profile echo off startremove cls NET USE 10 10 10 10 LOGOFF delete tryremove1 NET USE 10 10 10 10 LOGOFF if errorlevel 1 goto tryremove2 if errorlevel 0 echo code 0 Success goto end...

Page 206: ...2 NET USE 10 10 10 10 R3000 if errorlevel 1 goto try3 if errorlevel 0 echo code 0 Success goto end try3 NET USE 10 10 10 10 R3000 if errorlevel 1 goto error if errorlevel 0 echo code 0 Success goto en...

Page 207: ...ntering a URL in his her browser window 2 The Web Filter intercepts this request and sends the user the Authentication Request Form requesting the user to log in with his her login ID and password 3 T...

Page 208: ...e Authentication window See the Enable authentication specify criteria sub section in Chapter 2 Network Setup On a Macintosh the M86 Authenticator client Authenti cator should be installed on the clie...

Page 209: ...B available space 2 GB of available unpartitioned disk space outside the DOS partition for volume sys One network board CD drive Recommended system requirements The following Windows server components...

Page 210: ...display adapter One network board CD drive Workstation requirements The M86 Authenticator client works with the following oper ating systems Windows XP Pro SP1 and 2 Windows 2000 Pro SP4 Windows XP an...

Page 211: ...ername and domain name using either Windows or Novell APIs and sends this informa tion LOGON event to the Web Filter 5 The Web Filter looks up the groups to which the end user belongs Windows AD PDC o...

Page 212: ...trieves the username and domain name and sends this information LOGON event to the Web Filter 5 The Web Filter looks up the groups to which the end user belongs and determines the profile assignment 6...

Page 213: ...optional The default location of the configuration file is the same path name as the authen ticat exe client but with a cfg extension instead of exe The full path name can be specified on the command...

Page 214: ...rameter Review the comment following Table 1 for more infor mation If the path is not specified the following directo ries are searched in this order a current working directory i e the directory from...

Page 215: ...a comment A immediately preceding a param eter will cause that parameter and its data to be ignored which is convenient for temporarily reverting a parameter to default values during testing Sample c...

Page 216: ...update packet PCFG After decryption with protocol headers removed RH 30000 RC 1000 LE 1 You only need to change the options you do not wish to remain as default Often the IP address of the Web Filter...

Page 217: ...ORT 0 0 0 0 0 0 0 0 RV Web Filter VPN Support Table IP IP IP PORT RP Web Filter Port 1 65535 139 139 RH Web Filter Heart beat Timer MS 1 4 billion milliseconds 30000 30000 30 sec RR Web Filter Recon n...

Page 218: ...pt will be made to load the default configuration file If the alter nate configuration file is specified and is blank CF the M86 Authenticator will not attempt to load any config uration file this can...

Page 219: ...ed based on an IP range that matches the client s IP address multiple destination Web Filter addresses may be used in each set and will have the same functionality as multiple destinations specified i...

Page 220: ...end user logs on or off the network and adds removes his her network IP address thus setting the end user s filtering profile accord ingly Environment requirements Novell eDirectory servers The follo...

Page 221: ...ows Version 4 91 SP2 Macintosh Prosoft NetWare client Version 2 0 Novell eDirectory setup The eDirectory Agent uses the LDAP eDirectory domain configuration setup in the Web Filter Administrator conso...

Page 222: ...p server can be specified in the LDAP domain setup wizard in the event of a connection failure to the primary Novell eDirectory server Email alerts are sent to the administrator in such events NOTE Ba...

Page 223: ...table is forwarded to the Web Filter so the end user is given the appropriate filtering profile The AD Agent can be installed on any Windows 2000 or 2003 server on the domain and does not have to be i...

Page 224: ...Windows environment 1 AD Agent is installed in either a domain controller or on a separate Windows server that can talk to the domain controller via Windows APIs 2 End users log on off the network and...

Page 225: ...eb Filter go to System Authentication Enable Disable Authentication window in the Web Filter user interface and specify the following criteria Fig A 3 Enable Disable Authentication window AD Agent fra...

Page 226: ...howing the Computer Name in all upper case letters and asterisks for the Passphrase NOTES To modify any of the criteria for an existing Computer Name entry select the Computer Name from the list and t...

Page 227: ...ervices group NOTE Any users in the dcagent_services group have permission to manage the AD Agent 4 Open the Domain Security Policy console and do the following a Expand the Local Policies Audit Polic...

Page 228: ...main Controller Security Policy console Step 3 AD Agent installation on Windows server The steps in this section provide instructions for setting up and running AD Agent on a simple single domain netw...

Page 229: ...quire updating other Windows components before installing the AD Agent 2 Click Run to open the End User License Agreement EULA in the M86 AD Agent installation setup wizard Fig A 6 AD Agent EULA 3 Aft...

Page 230: ...installation setup process Fig A 8 AD Agent installation 5 When the AD Agent installation setup process has successfully finished completion information displays Fig A 9 Installation Complete Click Cl...

Page 231: ...chine changes from primary to satellite or vice versa TIP To access the configuration wizard after the initial setup process go to Start on the Windows machine and from the M86 AD Agent menu select Qu...

Page 232: ...er the Password for this account specified during Step 2 b Enter this same password again in the Confirm pass word field NOTE If modifying an existing AD Agent installation and no changes need to be m...

Page 233: ...imary indicating that this is either the only machine running AD Agent or this is the central machine among a team comprised of one or more Satellite machines running AD Agent If the role of this AD A...

Page 234: ...mation page see Fig A 14 4 If configuring a primary AD Agent make the following entries in the appropriate fields Fig A 13 Web Filter criteria a Enable transmissions to this appliance Click this check...

Page 235: ...After configuring the AD Agent in either a primary or satellite role click Next to display the confirmation page indicating whether the AD Agent started up successfully Fig A 14 Confirmation informat...

Page 236: ...or running or stop ping the AD Agent service and for configuring a primary AD Agent or Agent team TIP To access the Active Directory Agent console after the initial setup process go to Start on the Wi...

Page 237: ...ity was logged in local military time using the HH MM SS format Application program in AD Agent that produced the record e g Netscan Transmit Monitor Collector Logscan Level severity of the filter use...

Page 238: ...ning the contents of the activity log View download the activity log in the Excel spreadsheet format Click the View as spreadsheet button to launch a spreadsheet in Microsoft Excel containing the cont...

Page 239: ...does not display on machines config ured to run AD Agent in the satellite role In this tab the session table displays comprised of rows of end user login logout activity records retrieved by probes s...

Page 240: ...ick a column header to sort all rows in the table in descending order by that column Click the column header again to resort all rows in the table in ascending order by that column View download the s...

Page 241: ...iguration window Session table spreadsheet The session table spreadsheet contains the contents of the current session table plus these additional columns of data Record Type Logged in Y or N Login typ...

Page 242: ...n to open the Session Properties pop up window or Right click the record in the session table and then select Properties from the pop up menu to open the Session Properties pop up window Fig A 17 Sess...

Page 243: ...be a workstation on demand do one of the following Click the record in the session table and then click the Probe workstation button to open the Workstation Interactive Probe pop up window or Right cl...

Page 244: ...ing system WMI Probe this probe is disabled by default and can be enabled via the Options page in the Active Directory Agent Configuration window This probe which takes longer to identify an end user...

Page 245: ...te to primary and the service also can be stopped or started 1 Click Configuration on either the Session tab or Activity tab to open the Active Directory Agent Configuration window Fig A 19 Primary ho...

Page 246: ...d Cancel buttons at the bottom of this window are deactivated by default and become activated if entries are made in any of the pages For satellite hosts fields in all pages display greyed out The fol...

Page 247: ...m any of the following actions Start Service This button is activated if the AD Agent service is not running Clicking this button begins running the AD Agent service Stop Service This button is activa...

Page 248: ...A 21 Primary host Configuration Appliance By default the fields in this page are populated with entries made during the configuration wizard setup process If necessary changes can be made to any of th...

Page 249: ...s the name of the primary server greyed out on servers functioning as the primary host The AD Agent servers list box includes all AD Agent hosts that have been manually added to the list box on the pr...

Page 250: ...s a pop up window showing the current workload on the specified machine running the AD Agent Add a satellite On a primary host server 1 Click Add to open the Add New Satellite pop up window Fig A 23 A...

Page 251: ...IP Address Filters previously entered in this dialog box display indicating the servers and or machines this satellite has been manually assigned to scan If entries are not made here the primary host...

Page 252: ...dialog box Fig A 25 IP Filter Properties dialog box Netmask 4 In the IP Filter Properties dialog box go to Filter type and specify whether a subnet or IP address range will be used as criteria for de...

Page 253: ...ion dialog box click OK to close the dialog box Check the status of a satellite To check a specific host s current workload to determine whether or not the workload needs to be redistributed 1 Select...

Page 254: ...greater than the amount shown in this column may signify a problem in probing some work stations on the network Memory used the amount of memory used by the host during the specified time period CPU...

Page 255: ...r of hours of activity for scanning all domain controllers and including this infor mation in the newly built activity log The entry in this field applies only to scenarios in which the AD Agent conso...

Page 256: ...t this checkbox is checked indicating that any worksta tion a probe fails to find will be automatically logged off in the activity log Other servers By default this field is blank If there are servers...

Page 257: ...address to be used in the event of a crit ical system error Enable e mail notifications Click this checkbox to activate the fields in this page Recipient email address Enter the email address of the...

Page 258: ...age to test the email setup connec tion Make any necessary modifications to your entries if the sending mail connection fails NOTE The primary AD Agent sends an alert email message each day to the adm...

Page 259: ...gnize LDAP server as a trusted source This appendix provides steps on exporting an SSL certifi cate from a Microsoft Active Directory or Novell server the most common types of LDAP servers Also includ...

Page 260: ...is server and is up and running indicated by a green check mark on the server icon see circled item in Fig B 1 Locate Certificates folder 1 Go to Start Run to open the Run dialog box In the Open field...

Page 261: ...the toolbar click Console to open the pop up menu Select Add Remove Snap in to open the Add Remove Snap in dialog box Fig B 4 Add Remove Snap in 4 Click Add to open the Add Standalone Snap in dialog...

Page 262: ...og box 6 Choose Computer account and click Next to go to the Select Computer wizard page Fig B 7 Select Computer dialog box 7 Choose Local computer the computer this console is running on and click Fi...

Page 263: ...n added to the Console Root folder Fig B 8 Console Root with snap in Export the master certificate for the domain 1 Go to the right panel of the Console and select the master certificate for the domai...

Page 264: ...ITY USER GUIDE This action launches the Certificate Export Wizard Fig B 10 Certificate Export Wizard 3 Click Next to go to the Export Private Key page of the wizard Fig B 11 Export Private Key 4 Selec...

Page 265: ...ITY USER GUIDE 253 Fig B 12 Export File Format 5 Select Base 64 encoded X 509 CER and click Next to go to the File to Export page of the wizard Fig B 13 File to Export 6 Enter the File name of the fil...

Page 266: ...RITY USER GUIDE Fig B 14 Settings 7 Notice that the specified settings display in the list box indicating the certificate has been successfully copied from the console to your disk Click Finish to clo...

Page 267: ...From the console of the LDAP server go to the tree in the left panel and open the Security folder to display the contents in the Console View right panel Fig B 15 Novell Console window 2 Find the tree...

Page 268: ...he Export A Certificate pop up window Fig B 17 Export A Certificate pop up window 5 Select File in binary DER format for the Output format The path of the certificate displays in the Filename field 6...

Page 269: ...ting an SSL certificate once it has been imported to the LDAP server Therefore a copy of the root certificate in the cer or der format that was used to sign the LDAP server s certificate must be uploa...

Page 270: ...support for assistance in imple menting any of the changes described in this appendix OpenLDAP Server Scenario Not all users returned in LDAP Browser window In this scenario a query is performed in t...

Page 271: ...r or quota Each non quota filtering profile in the file must contain the following items 1 The workstation name username group name or container name 2 Filtering profile criteria Rule number Rule0 Rul...

Page 272: ...from the following lists of codes that are used in profile strings Port command codes A Filter all ports B Filter the defined port number s I Open all ports J Open the defined port number s M Set the...

Page 273: ...of a profile string indicating that all other categories should pass PASSED When positioned at the end of a string of categories or after a category command code this code indicates that unidentified...

Page 274: ...0x1 at the end of the profile string Quota format A separate file apart from the LDAP profile file must be used in order to include quotas in the LDAP group user profile In this file each quota profi...

Page 275: ...Each profile must be entered on a separate line in the file Category Codes must be entered in capital letters Port and category command codes must be entered in capital letters A redirect URL cannot...

Page 276: ...ile string following the semicolon for the DN should be separated by commas 0x1 should be placed at the end of a profile string without any filter options enabled Workstation profile list format Here...

Page 277: ...N Jane Doe CN Users DC qc DC local R 21 A J R KDPORN GPORN M PASSED I 1 0x1 CN Public Joe Q OU Users OU Sales DC qc DC local Rule0 0x1306 NOTE The DN format must contain the username and user group CN...

Page 278: ...n name attribute type and the domain and DNS suffix DC domain component attribute type The OU organizational unit attribute type also can be included Each attribute type should be followed by an equal...

Page 279: ...ain the group name and if applicable user group CN common name attribute type and the domain and DNS suffix DC domain component attribute type The OU organizational unit attribute type also can be inc...

Page 280: ...ed on his her workstation will need to temporarily disable pop up blocking in order to authenticate him herself via the Options page Fig E 1 Options page This appendix provides instructions on how to...

Page 281: ...erride button this action opens the override account pop up window Add override account to the white list If the override account window was previously blocked by the Yahoo Toolbar it can moved from t...

Page 282: ...g E 3 Allow pop ups from source 3 Select the source from the Sources of Recently Blocked Pop Ups list box to activate the Allow button 4 Click Allow to move the selected source to the Always Allow Pop...

Page 283: ...imultaneously clicking the Override button this action opens the override account pop up window Add override account to the white list To add the override account window to the white list so that it w...

Page 284: ...archSafe toolbar lets you toggle between enabling pop up blocking popups blocked and disabling pop up blocking Popup protection off by clicking the pop up icon 1 In the IE browser go to the SearchSafe...

Page 285: ...ite list 1 From the Firefox browser go to the toolbar and select Tools Options to open the Options dialog box 2 Click the Content tab at the top of this box to open the Content section Fig E 6 Mozilla...

Page 286: ...R GUIDE Fig E 7 Mozilla Firefox Pop up Window Exceptions 4 Enter the Address of the web site to let the override account window pass 5 Click Allow to add the URL to the list box section below 6 Click...

Page 287: ...able the pop up blocking feature in the IE browser Use the Internet Options dialog box 1 From the IE browser go to the toolbar and select Tools Internet Options to open the Internet Options dialog box...

Page 288: ...p Blocker this menu selec tion changes to Turn Off Pop up Blocker and activates the Pop up Blocker Settings menu item You can toggle between the On and Off settings to enable or disable pop up blockin...

Page 289: ...d go to the toolbar and select Tools Pop up Blocker Pop up Blocker Settings to open the Pop up Blocker Settings dialog box Fig E 10 Pop up Blocker Settings 2 Enter the Address of Web site to allow and...

Page 290: ...ker Pop up Blocker Settings to open the Pop up Blocker Settings dialog box see Fig E 10 2 In the Notifications and Filter Level frame click the checkbox for Show Information Bar when a pop up is block...

Page 291: ...This Site this action opens the Allow pop ups from this site dialog box Fig E 13 Allow pop ups dialog box 5 Click Yes to add the override account to your white list and to close the dialog box NOTE T...

Page 292: ...way to validate users on a network LDAP is the method used by the Web Filter authentication server The domain controller on a domain This server is used for authenticating users on the network block s...

Page 293: ...y for making translations between domain names and IP addresses domain An entity on a network comprised of servers workstations and peripherals domain component dc An attribute type entered for a doma...

Page 294: ...rator configures the Web Filter sets up master IP groups and LDAP domains and performs routine maintenance on the server group administrator An authorized administrator of the network who maintains a...

Page 295: ...mum filtering level is set up to block a library category this setting will override an always allowed setting for that category in a user s profile Minimum filtering level settings can be overridden...

Page 296: ...n autho rized user the ability to access Internet content blocked at the global level or the group level An override account will bypass settings made in the minimum filtering level PDC A Primary Doma...

Page 297: ...s theme Rules are used when creating filtering profiles for entities on the network search engine A program that searches Web pages for specified keywords and returns a list of the pages or services w...

Page 298: ...ttp The second part specifies the IP address or the domain name where the resource is located such as 203 15 47 23 or M86 com virtual IP address The IP address used for communi cating with all users w...

Page 299: ...finition 280 authentication activate on network 152 activate Web based for Global Group 163 activated Web based for IP group 153 configuration procedures 29 net use based module diagram 184 net use ba...

Page 300: ...5 Backup Server Configuration wizard 96 Block page 56 block page 13 14 Block Page Authentication 54 Block Page Customization 70 block setting 19 definition 280 button terminology 3 C category custom c...

Page 301: ...nent dc definition 281 domain controller definition 281 Domain Name Service DNS 281 dynamic group 10 dynamic group definition 281 E edirAgent log 78 eDirectory 199 208 edirEvent log 78 Enable Disable...

Page 302: ...s 38 global administrator definition 282 global filtering profile 14 global group 8 grid terminology 4 group global 8 IP 9 LDAP 10 types of 8 group administrator definition 282 group name definition 2...

Page 303: ...24 definition 282 domain diagram 10 domain groups 10 name resolution method 186 server customizations 258 server setup 189 LDAP Browser window 102 LDAP domain add 79 add groups users 102 LDAP domain...

Page 304: ...og box LDAP 108 Manually Add Workstation dialog box LDAP 107 master IP group 9 filtering profile 13 methods name resolution 186 Microsoft Active Directory Mixed Mode 81 183 Native Mode 81 183 minimum...

Page 305: ...DAP 24 103 server customizations 258 Operation Mode window 36 Options page 59 organizational unit ou definition 284 override account AdwareSafe popup blocking 272 block page authentication 55 definiti...

Page 306: ...logy 5 Radius profile 12 re authentication block page authentication 54 net use based process 185 Redirect URL tab domain 124 requirements environment 33 router mode 36 38 definition 285 rule 18 crite...

Page 307: ...gs 90 SSL tab 90 SSO 208 static filtering profiles 13 static group 10 static group definition 285 Sub Admin 285 sub group definition 285 sub topic terminology 6 Sun IPlanet 81 Sun One 24 81 system req...

Page 308: ...ic terminology 6 tree terminology 7 troubleshooting tips 179 Type tab 80 U Upload User Group Profile window LDAP domain 110 URL definition 286 Usage Graphs 142 usage logs 77 user objects 84 User tab 8...

Page 309: ...INDEX M86 SECURITY USER GUIDE 297 white list definition 286 window terminology 7 WINS Server 46 workstation objects 85 workstation requirements 33 Workstation tab 85...

Reviews: