manualshive.com logo in svg

Sophos SM2000, User Manual

Share
Download
Sophos SM2000 User Manual Download Page 218

Data Fields

The following table explains the keys used in the 

sophos_log

 file.

Description

Field

This setting is optional and is only displayed if you are using Endpoint Web Control. A value of

ep=1

 means the browsing occurred on the endpoint computer, and that this entry was then

uploaded to the appliance.

ep

This setting is optional. An entry of 

sxl=y

 or 

sxl=n

 indicates if an SXL lookup for a particular

transaction was successful or not.

sxl

Remote host (the IP address that sent the request).

h

Remote user who made the request (null if user authentication is off). Note that the second entry
example above shows how UTF-8 usernames are encoded in the log file.

u

HTTP status code sent back to the client.

s

The connection status when the response was completed:
X = connection aborted before the response completed,
+ = connection may be kept alive after the response is sent,
- = connection will be closed after the response is sent.

X

Timestamp (in seconds) of when the request was first received since the UNIX Epoch, i.e.
1970-01-01 00:00:00 UTC).

t

Time in microseconds required to serve this request.

T

Time required (in seconds) to serve this request.

Ts

Action code that identifies the outcome of the request:
-7 = User is shown a sandbox analysis page .
-6 = User attempted to proceed on a quota page, but the request was blocked.
-5 = Block page displayed: daily quota time exceeded.
-4 = Quota time warning displayed.
-3 = User proceeded but request was blocked.
-2 = Request was warned.
-1 = Request was blocked.
1 = Request was allowed.
2 = Request was warned and user decided to proceed.
3 = User proceeded.
4 = User accepts a quota time and proceeds.
5 = Requested proceeded after quota accepted.

act

218 | Interpreting Log Files | Sophos Web Appliance

Summary of Contents for SM2000

Page 1: ...Sophos Web Appliance User Guide Product Version 4 3 2 Sophos Limited 2017 ...

Page 2: ...2 3 Network Deployment 23 2 3 1 Explicit Deployment 25 2 3 2 Transparent Deployment 29 2 3 3 Bridged Deployment 31 2 3 4 Bypassing for Internal Servers 33 2 3 5 Existing Cache Deployment 35 2 3 6 Upstream ISA TMG Server Deployment 36 2 3 7 Integrating with Sophos Email Products 37 2 3 8 Grouping Web Appliances 39 2 3 9 Network Deployment Troubleshooting 42 2 4 Understanding Mode and Model Differen...

Page 3: ...us 101 4 3 Global Policy 101 4 3 1 Configuring Security Filtering 102 4 3 2 Configuring Sandstorm 103 4 3 3 Configuring Dynamic Categorization 104 4 3 4 Configuring Data Leakage Prevention 104 4 3 5 Configuring HTTPS Scanning 105 4 3 6 Configuring Certificate Validation 108 4 3 7 Setting Download Options 110 4 3 8 Setting General Options 111 4 4 System 113 4 4 1 Updates 113 4 4 2 Alerts Monitoring...

Page 4: ...tency 157 5 1 3 Traffic Performance Throughput 158 5 1 4 Users Virus Downloaders 158 5 1 5 Users Sandstorm Users 158 5 1 6 Users PUA Downloaders 159 5 1 7 Users High Risk Site Visitors 159 5 1 8 Users Policy Violators 160 5 1 9 Users Top Users By Quota 160 5 1 10 Users Top Bandwidth Users 160 5 1 11 Users Top Users By Browse Time 161 5 1 12 Users Browse Time By User 161 5 1 13 Users Browse Summary...

Page 5: ...3 Report Exemptions 177 5 5 4 Search Terms 178 Chapter 6 Search 181 6 1 Searching Recent Activity 181 6 1 1 Exporting Search Results 183 6 2 Searching Sandstorm 183 6 3 Searching User Submissions 184 6 3 1 Viewing a User Submission Search 185 6 3 2 Allowing a User s Request 185 6 3 3 Deleting a User s Request 187 Chapter 7 System Status 188 7 1 System Status on the Management Appliance 191 Chapter...

Page 6: ...02 B 4 1 Configuring Firefox for Active Directory in Transparent mode or Bridged mode 202 Appendix C Appliance Behavior and Troubleshooting 204 C 1 Network Deployment Troubleshooting 204 C 2 Active Directory Troubleshooting 205 C 2 1 Appliance and AD Domain have the same name 205 C 2 2 Clock skew is too large 205 C 2 3 Could not auto detect settings 205 C 2 4 Could not connect to Domain Controller...

Page 7: ...rver 209 C 3 5 Could not sync users from LDAP server 209 C 3 6 Invalid authentication DN 209 C 3 7 Unable to bind to LDAP server 209 C 3 8 Server error 210 C 3 9 Network is unreachable 210 C 3 10 Could not resolve hostname 210 C 4 Grouped Appliance Troubleshooting 210 C 5 HTTPS Compatibility 213 C 6 Images Display as Gray 216 Appendix D Interpreting Log Files 217 Appendix E Copyrights and Trademar...

Page 8: ... acceptable web access policies for your organization that are highly customizable and enforceable These policies can allow user access warn users that they will be violating policy if they continue to a requested site or block user access based on over fifty categories of URLs In addition to your default acceptable web access policy group based exceptions are available as differentiated Special H...

Page 9: ...ances storage for as many as 2 000 users on the SM2000 or 10 000 users on the SM5000 Three years of reporting data is available 1 3 Common Features Easy to use The appliances reduce administrative effort by providing quick access to relevant information The appliances offer an intuitive management console that enables optimal control with minimal time and effort a unified security policy that elim...

Page 10: ... a robust hardware platform designed specifically to Sophos specifications a hardened Linux operating system optimized for Sophos software ...

Page 11: ...r feedback form that allows them to request changes to the handling of the blocked URL or file type Similarly requests for large files can cause the Web Appliance to display a patience page if you have chosen to enable this option advising the user that downloading and scanning is in progress and will take some time This section introduces the role of the Sophos Web Appliance and the Sophos Manage...

Page 12: ...s centralized policy configuration and centralized reporting for grouped appliances thus minimizing system administration work while providing organization wide information without sacrificing security or customizable web use control The appliances have a number of ways to alert you if there is a problem with one of their hardware components In addition to status indicators in the administrative w...

Page 13: ...phos strongly suggests that you use the software shutdown and restart options as documented on the System Status on page 188 page Although a quick press and release of the appliance s power button will perform an elegant shutdown if the power button is held down for four seconds or more an inelegant immediate shutdown is performed Also the reset button on the appliance always triggers an inelegant...

Page 14: ...This is the port to which you make your LAN connection after the setup wizard has been completed The two LEDs at the top of these ports indicate the following Indicates Color LED Position 100 Mbps Green Left 1 Gbps Amber Left Port active Blinking Yellow Right For appliances with a bridge card There is one RJ45 network port along the bottom of the appliance to the right of the middle the Configurat...

Page 15: ...t cases the alert will instruct you to contact Sophos Technical Support Powering Down the Appliances Gracefully Power down the appliance gracefully by either pressing the power button briefly or by clicking Shutdown on the System Status page The appliance will safely shut down its software and the fans will stop Remove the power cord before servicing the unit Note You can also power down by holdin...

Page 16: ... following measures are generally sufficient to protect your equipment from ESD damage Be sure that the appliance chassis is properly grounded through the AC power cord or enclosure frame Touch a grounded metal object before removing the drive from the antistatic bag Put on the grounding wrist strap handle the drive by its edges only and do not touch components on the bottom Single Hard Drive Repl...

Page 17: ...it for it to spin down Allow 10 20 seconds before removing the drive from the drive bay 4 While the system is running insert the replacement disk in the empty slot Insert the replacement drive into the disk bay and slide the disk straight to the back of the bay 5 Swing the handle in toward the appliance Continue pushing the handle in until you feel it lock in place Sophos Web Appliance Getting Sta...

Page 18: ...dundant power supplies If a single power supply fails the redundant feature allows the other module to take over the full load and the system runs without interruption The failed power supply can be removed and a replacement power supply installed without removing the SM5000 from the rack powering down or even exiting the SM5000 s administrative web interface Hardware Configuration On the SM5000 t...

Page 19: ...rinted circuit boards it is important to handle them very carefully The following measures are generally sufficient to protect your equipment from ESD damage Be sure that the appliance chassis is properly grounded through the AC power cord or enclosure frame Touch a grounded metal object before removing the power supply from the anti static bag Put on the grounding wrist strap handle the power sup...

Page 20: ... removing the WS5000 from the rack powering down or exiting the WS5000 s administrative web interface Hardware Configuration On the WS5000 the two power supplies are located on the left side of the rear of the appliance In normal operation the Power Indicator LED on the front panel is green as are the Power Supply Status LEDs on the back of the WS5000 for each power supply which are shown in the g...

Page 21: ...wer cord or enclosure frame Touch a grounded metal object before removing the power supply from the anti static bag Put on the grounding wrist strap handle the power supply by its edges only and do not touch components on the bottom Single Power Supply Replacement 1 Ensure that the power cord is unplugged from the failed power supply module Then while holding onto the handle press the red locking ...

Page 22: ...rt Bridged Deployment which requires a bridge card Related concepts Understanding Mode and Model Differences on page 43 Grouping Web Appliances on page 39 2 2 1 Replacing Hardware Appliances with Virtual Appliances At some point you may decide to replace one or more of your hardware based appliances Replacing either a Web Appliance or Management Appliance with a virtual appliance should be done by...

Page 23: ... replace with a virtual Management Appliance 1 Configure the virtual appliance according to the instructions in theVirtual Management Appliance Setup Guide Take care when configuring the network settings to assign a network address that is different from the hardware based appliance it is replacing 2 Join the newly configured Management Appliance to a functioning Web Appliance in your deployment n...

Page 24: ...ing Cache Allows the Web Appliance to work in conjunction with a pre existing investment in a web caching server in any one of the three basic network deployments Explicit Transparent or Bridged Use with an ISA TMG Server Allows the Web Appliance to work with a downstream or upstream Microsoft Internet Security and Acceleration ISA or Microsoft Forefront Threat Management Gateway TMG Server in any...

Page 25: ...or router Configure all clients Post Failure Reconfiguration Note If you use the Transparent or Bridged deployment see Switching from Transparent Mode to Explicit Mode on page 31 or Switching from Bridged Mode to Explicit Mode on page 33 to learn about making the transition to Explicit Deployment Related tasks Configuring Authentication on page 133 Hostname and Other Network Settings on page 150 C...

Page 26: ...liance s LAN port 2 Configure each user s web browser to use the Web Appliance via port 8080 as their web proxy for HTTP HTTPS and FTP Ports 3128 and 8081 are also supported but their use is only suggested if the Web Appliance is replacing a previous proxy configuration that used one of these ports Note For information about adding support for HTTPS applications that use non standard ports see Usi...

Page 27: ...t it includes an ISA TMG server and optionally an Active Directory server between users and the Web Appliance Allows the Web Appliance to work with an ISA TMG Server If the Sophos ISA TMG plug in is installed and an Active Directory server is on the network side of the ISA or TMG server then clients users can be seen as usernames Allows you to use multiple Web Appliances in a simple load balancing...

Page 28: ...r a notification page Note If the Sophos ISA TMG plug in is installed clients users are identified individually otherwise all traffic is identified as coming from one user the ISA TMG server Note If the Sophos ISA TMG plug in is installed and an Active Directory server is on the network side of the ISA TMG server then clients users can be seen as usernames if the Active Directory server is not app...

Page 29: ...ing see the Microsoft Support article http support microsoft com kb 318803 You must ensure that you have a firewall with network address translation NAT but not an ISA or TMG server in firewall mode between the Web Appliances and the internet This firewall must be configured to present a single IP for the Web Appliances to the sites on the internet The NAT or IP masquerading prevents sites that ch...

Page 30: ... interface on the Configuration Network Network Interface page set the Deployment mode to Transparent 3 Configure your router so that it redirects all port 80 traffic to port 80 and port 443 traffic to port 443 on the Web Appliance In this case the destination of each packet remains unaltered but the packets are sent by the router to the Web Appliance Traffic on port 80 and 443 from the Web Applia...

Page 31: ...d ports see Add Local Classification Note Configuring all users browsers to use the Web Appliance as a web proxy can be done centrally in Windows networks by using one of several methods See the Sophos Knowledgebase pages for instructions on how to do this by Creating Testing and Deploying a proxy pac File Publishing Proxy Info as a wpad dat File Creating a GPO 2 3 3 Bridged Deployment This deploy...

Page 32: ... non web network traffic is passed through If the Web Appliance shuts down the bridge card will be shut down with the LAN circuit closed meaning that all LAN traffic will pass through All outbound network traffic passes through the Web Appliance Users URL requests are intercepted by the Web Appliance on their way to the firewall All other traffic passes through The Web Appliance assesses all URL r...

Page 33: ...ridged to Explicit 4 Configure each user s web browser to use the Web Appliance via port 8080 as their web proxy for HTTP HTTPS and FTP Ports 3128 and 8081 are also supported but their use is only suggested if the Web Appliance is replacing a previous proxy configuration that used one of these ports Note To add support for HTTPS applications that use non standard ports see Add Local Classification...

Page 34: ...e The Web Appliance receives any new pages or files and caches them it passes the pages or files of allowed requests back to the users The users receive only safe and allowed pages and files or a notification page Configuration 1 Connect your organization s LAN to the Web Appliance s LAN port 2 Configure each client with either a PAC file the more flexible method or by distributing the configurati...

Page 35: ...e requested pages or files cached or when the request is returned through the firewall the cache server passes the requested pages or files back to the Web Appliance Note Even with the presence of a cache server the Web Appliance will cache static content Note This configuration is not intended to work with Microsoft Internet Security and Acceleration ISA servers or Microsoft Forefront Threat Mana...

Page 36: ... allows the Web Appliance to work with an ISA TMG server although in this case one that is upstream in the network from the Web Appliance see diagram below Allows the Web Appliance to work with an ISA TMG server Allows you to use multiple Web Appliances in a simple load balancing deployment Does not support individual user opt out Operation The operation varies according to the basic deployment sc...

Page 37: ...the Web Appliances to external sites The NAT or IP masquerading prevents sites that check and record the IP address of visitors in cookies from encountering multiple IP addresses To disable Windows DNS caching see the Microsoft support article http support microsoft com kb 318803 Note Explaining how to configure an ISA TMG server is beyond the scope of this documentation For details on ISA TMG ser...

Page 38: ...n in the Web Appliance s main documentation c On your Sophos Email Appliance on the Configuration Network Hostname and Proxy page enter the following information in the Proxy server configuration section Server address enter the IP address of your Web Appliance Port 8080 Username and Password leave these blank d Click Apply To configure your Sophos PureMessage for UNIX server to access the interne...

Page 39: ... the product documentation For detailed instructions on joining and disconnecting appliances see Central Management in the System section of the product documentation Memory RAM Processors Model 2 GB dual core light capacity WS100 2 GB dual core medium capacity WS500 4 GB dual core high capacity WS1000 8 GB quad core high capacity WS1100 8 GB quad core high capacity SM2000 8 GB quad core high capa...

Page 40: ...you plan to join to a Management Appliance on the Configuration System Central Management page on the Management Appliance be sure to select the Copy configuration and policy data from the first web appliance to join before joining the established Web Appliance Ensure that the established Web Appliance is the first Web Appliance that you join to the Management Appliance Joining a Management Applia...

Page 41: ...iances Joined Appliances Scenarios 1 and 2 In both scenarios once all of the appliances are joined ongoing configuration changes are done on the Management Appliance and distributed to the Web Appliances thus providing centralized configuration blue dashed lines Also report data is sent from the Web Appliances to the Management Appliance providing centralized reporting red smooth lines Appliance M...

Page 42: ...r Web Appliance is operating within acceptable thresholds Problem Firewalls can strip attachments from Web Appliance generated email Solution To enable the Sophos managed appliance experience configure your firewall to allow email with attachments from the Web Appliance to wsasupport sophos com Long delays when loading web pages Problem If latency is significantly increased when browsing through t...

Page 43: ...that has been joined to a Sophos Management Appliance with Central Management options Sophos Management Appliance An appliance with the dedicated purpose of central management When joined to other appliances it is used for centralized reporting as well as centralization of configuration and policy data Modes and Models in the Documentation The administrative user interface varies slightly dependin...

Page 44: ... for the local system only Yes Accounts Administrators Yes None Yes Accounts Notification Pages Yes Policy Test only Yes Group Policy Yes the General Options page has no Cache settings Only General Options page which has only Cache settings Yes Global Policy Yes Status info Update button only Yes System Updates Yes added Report data backup option None Yes System Backup Yes None Yes System Restore ...

Page 45: ...s options Yes Yes Network Hostname Yes Yes Yes Network Network Connectivity Yes Yes Yes Network Diagnostic Tools Yes per appliance reports available for Volume Latency and Throughput None Yes Reports Yes None Yes Searches Yes a Remove button is available in the Web Appliance view on the Management Appliance for breaking the connection with that appliance Yes Yes System Status Related concepts Grou...

Page 46: ...x End User Browser Internet Explorer 8 0 and newer recent versions of Firefox Administrator Browser Active Directory 2000 2003 2008 2008R2 and 2012R2 Directory Services eDirectory 8 73 and 8 8 on Netware 6 5 SP3 eDirectory eDirectory 8 8 on SUSE eDirectory 8 8 on Windows Server 2003 46 Getting Started Sophos Web Appliance ...

Page 47: ...nitoring is off is displayed when the Activate appliance support alerts are turned off on the System Alerts page v shows the version number of the current appliance software Click the version number to open the release notes in a new window Logged in as username is displayed indicating the username of the current user To change the current user s password click on this Log out can be clicked to ex...

Page 48: ...adminstrative web interface The Quick Tasks sidebar only appears on the Configuration tab Click any of these links to perform common configuration tasks The Parameters sidebar not shown appears on the Reports tab and the Search tab Use this area to set date and display options 2 6 Policy The Sophos Web Appliance provides security and control for your users web browsing by preventing the loading of...

Page 49: ...ithout human eyes viewing the content Active Directory The Web Appliance allows you to view lists of user groups imported from your organization s Active Directory server and define custom groups On this page you either apply the default policy to a select list of groups or you apply the default policy to all groups except those in the select list Acceptable Use Policies The Web Appliance protects...

Page 50: ...rk gateway Sophos Enterprise Console allows you to extend some of this same capability via Sophos Endpoint Security and Control filtering 14 essential site categories on endpoint machines By combining a Sophos Web Appliance with Sophos Enterprise Console however your organization can take advantage of features that both products have to offer Once you have configured them to work together you can ...

Page 51: ... Security and Control The policy defined on Enterprise Console as Potentially Unwanted Website Control is published to users Users web activity data is sent back to Enterprise Console where they are displayed as web events If necessary the endpoint software performs URL classifications via SXL queries to Sophos SXL is the infrastructure that Sophos uses to submit real time DNS based queries to Sop...

Page 52: ...ce and obtains a complete web filtering policy Users web activity data is sent back to the designated appliance while web event data websites scanned and assessed by the live URL filtering feature is sent to Enterprise Console If necessary the endpoint software performs URL classifications via SXL queries to Sophos SXL is the infrastructure that Sophos uses to submit real time DNS based queries to...

Page 53: ... Endpoint Web Control While the Sophos Web Appliance provides security and productivity protection for systems browsing the web from within your corporate network Endpoint Web Control extends this protection to users machines This provides protection control and reporting for endpoint machines that are located or roam outside your corporate network Enterprise Console can deliver Web Control polici...

Page 54: ...ance is able to deal with these changes it automatically downloads and installs updated information from SophosLabs Website URL categorization data is also updated every 5 to 30 minutes for the standard categorization data and every hour for the enhanced categorization data SophosLabs is a global network of highly skilled analysts with more than 20 years experience in protecting businesses from kn...

Page 55: ... with Active Monitoring deliver a new height of gateway protection offering the control and efficiency of an appliance and the simplicity of a managed service To contact your local Sophos office see http sophos com companyinfo contacting Product Warranty Each unit comes with a three year advanced replacement warranty to help keep networks up and running even in the event of hardware failure If a h...

Page 56: ...entation and support resources are available from the Web Appliance Documentation page Release notes Setup guides Configuration guides The Knowledge Base is a collection of articles that address the following issues Common questions received by Sophos Support about the appliance Technical issues that are not commonly encountered by appliance administrators Technical issues that involve third party...

Page 57: ...e 12AM The total number of users that have used the Web Appliance s services since midnight Concurrent users The number of concurrent users in the last minute Concurrent users peak The peak number of concurrent users during the busiest minute today Connected endpoints The total number of active Sophos Endpoint Security and Control users whose web activity is currently filtered by an appliance base...

Page 58: ...obits or megabits per second of data passed to users throughout the current day in white and the same information over the preceding day in red Test URL Submit to Sandstorm To test the category and security risk of a URL click the Test URL tab type a URL or IP address and click Test To send a file to Sandstorm for analysis click the Submit to Sandstorm tab select a file or type the URL of a file a...

Page 59: ...place in the cloud your system is never exposed to potential threats The Sophos Sandstorm panel displays the following information Suspicious Downloads The total number of downloads that have been flagged as suspicious Depending on how you have configured Sandstorm some of these may not be sent to the Sophos Active Sandbox for analysis Sent for Analysis The total number of downloaded items sent to...

Page 60: ... post installation tasks that you should perform to ensure that the appliance performs optimally in your environment The title of each task links to the configuration page where these configuration tasks should be performed The post installation tasks are Set up Default Policy on page 75 Use this page to configure how URL requests to sites categorized by content type and download types are handled...

Page 61: ...n page messages or add logos Use the Administrators page to create modify and delete appliance administrator accounts Use the Notification Page Options page to configure the look text and behavior of the various notification pages that the Web Appliance shows to end users Note The Notification Page Options page is not available on a joined Web Appliance as this functionality has been shifted to th...

Page 62: ...ether the user should be a Full Access Administrator or a Limited Access Administrator For a Limited Access Administrator select one or more of the following roles Helpdesk Approves user submissions tests the policies and verifies network connectivity Policy Configures and tests global and group web browsing policies Reporting Views or schedules reports User Activity Has access to detailed web act...

Page 63: ...No No Yes Dashboard Block counts No No Yes read only Yes read only Yes Config Landing No No Yes read only Yes read only Yes Config Quicktasks No No Yes Yes read only Yes Config Group Policy No No Yes Yes read only Yes Config Global Policy No No No No Yes Config System No No No No Yes Config Network except Network connectivity and diagnostic tools No No Yes read only Yes read only Yes Config Networ...

Page 64: ...n for the existing account shown Use the Previous and Next buttons to move between pages of the wizard the Save button to close the wizard and save any changes you have made to the account or the Cancel button to close the wizard and discard any changes you have made to the account In the Administrator Accounts Wizard make any required changes On the Details page of the wizard you can modify the F...

Page 65: ...unt In the Administrators table select the check box beside the account or multiple accounts that you want to delete Note The initial default administrator account cannot be selected or deleted You cannot delete an account if you are logged in to that accont If there are scheduled reports that have been created by an account that account cannot be deleted until its associated reports have first be...

Page 66: ... file type but this might not work with all browsers The logo graphic must be no larger than 512 Kb 3 Click Apply 4 1 2 2 Modifying Notification Page Text 1 On the Notification page text panel from the Page drop down list select the notification page that you want to modify 2 From the Choose language drop down list select the language in which you want the notification page to be displayed Note Fo...

Page 67: ... 404 File not Found or the 500 Internal Server Error To upload a modified notification page template to the appliance a Click Browse in the Templates section of the Advanced tab The File Upload dialog box is displayed b Navigate to the directory in which you saved the modifications to the uploaded template files select one of the modified notification template files and click Open The file is uplo...

Page 68: ...he appearance of the various notification pages that the Web Appliance displays to users when they try to access virus infected files malware blocked sites sites or applications that violate policy sites which will use or exceed their quota time restricted sites unapproved secure sites This template affects neither the appearance of the patience page the page displayed when users request a large f...

Page 69: ...ages may be placed before this div tag sophos_blockpage_content This page element key must appear within the div id main class full mini div tags This content includes text entered in the Text explanation text box sophos_warn_proceed_content This page element key must appear within the div id main class full mini div tags if you wish to use the Warn option in any of the policy pages sophos_feedbac...

Page 70: ...h the request for the blocked page has been made user_workstation This page element key provides the hostname from which the request for the blocked page has been made If this cannot be determined the IP address will be displayed instead sophos_block_text This page element key provides the reason that a requested page has been blocked logo This page element key calls the logo set in the Global Opt...

Page 71: ...ate and therefore exercise caution Required Elements The following elements are required DOCTYPE Declaration The provided HTML DOCTYPE declaration of XHTML 1 0 Strict is required You should not change this div class alertTitle id heading It is required that you have a div with id heading It is recommended that you set its initial value as title for example div class alertTitle id heading title div...

Page 72: ... jpg logo This page element key calls the logo set in the Global Options tab of the Configuration Accounts Notification Page Options page Note that the Display logo on notification pages option must be enabled on the Global Options tab for this page element key to work 4 1 2 3 3 Error Page Template The error page template allows you to modify the appearance of the server error pages HTTP error mes...

Page 73: ...ed This tag must wrap the visible content of the notification page with the exception that banner or background images may be placed before this div tag sophos_error_content This page element key must appear after the div id main class full mini div tags and immediately before the closing body tag This content includes text entered in the Text explanation text box Note Server side scripting is not...

Page 74: ...ed with plain text you may choose to wrap it in a div or heading tag for example h1 heading h1 error_text This page element key may be used within the div id main class full mini div tags of the template It gets replaced with a string in the form p id error_text the error text is here p that displays the explanatory text for the appropriate server error provided by Sophos and it appends any additi...

Page 75: ...page 93 4 2 1 1 Categories Download Types The Configuration Group Policy Default Policy Categories Download Types page allows you to configure how URL requests to sites categorized by content type and files categorized by download type are handled by the Web Appliance 1 Set the behavior that you want the Web Appliance to apply to each category listed in the Site categories section Allow Lets users...

Page 76: ...t the Site category Streaming Media with Warn enabled Then set the Download type of QuickTime Video mov to Allow with Warn cleared When users request a streaming QuickTime video URL a warning page will be displayed and when they click Proceed the media stream will begin 4 Select the Sandstorm profile that you want to apply Send any suspicious files for analysis all suspicious downloaded items will...

Page 77: ...equested content URL In blocking these pages the content that is behind them is also blocked Note Sophos s advanced categorization data uses the most current technical definition for Adware and thus recognizes the difference between non malicious adware such as cookies and more serious Spyware 4 2 1 1 1 3 Alcohol and Tobacco This category includes sites that promote or distribute alcohol or tobacc...

Page 78: ...schools elementary secondary and high schools and universities educational sites at the pre school elementary secondary and high school and university levels distance education and trade schools including online courses and online teacher resources lesson plans etc 4 2 1 1 1 13 Entertainment This category includes sites about television movies music and video programming guides online magazines an...

Page 79: ...is category includes sites for prescription medicines medical information and reference about ailments conditions and drugs general health such as fitness and well being medical procedures including elective and cosmetic surgery dentistry optometry and other medical related sites general psychiatry and mental well being sites psychology self help books and organizations promoting self healing of p...

Page 80: ... 1 or cult 2 militancy and extremist sites and flagrantly insensitive or offensive material including those with a lack of recognition or respect for opposing opinions and beliefs Note We do not include news historical or press incidents that may include the above criteria except in graphic examples 1 A gang is defined as a group whose primary activities are the commission of felonious criminal ac...

Page 81: ...political debate canvassing election information and results and conspiracy theory and alternative government view sites that are not hate based 4 2 1 1 1 38 Proxies and Translators This category includes sites for remote proxies or anonymous surfing search engine caches that circumvent filtering and web based translation sites that circumvent filtering 4 2 1 1 1 39 Real Estate This category inclu...

Page 82: ...s shopping and travel 4 2 1 1 1 48 Sports This category includes sites for team or conference web sites national international college professional scores and schedules sports related online magazines or newsletters and fantasy sports and virtual sports leagues that are free or low cost 4 2 1 1 1 49 Spyware This category includes sites that provide or promote information gathering or tracking that...

Page 83: ...aining or providing links to content related to the sale of guns weapons ammunition or poisonous substances displaying or detailing the use of guns weapons ammunition or poisonous substances and clubs which offer training on machine guns automatics other assault weapons and sniper training Note Weapons are defined as something as a club knife or gun used to injure defeat or destroy 4 2 1 1 1 56 We...

Page 84: ... names are displayed in eDirectory format group context Alternatively and additionally you can create edit and delete custom groups Once the Available groups list is populated to meet your requirements you can select which groups are denied or allowed access to the internet depending upon which policy association option you have selected 4 2 2 1 Creating a Custom User Group 1 In the Available Grou...

Page 85: ...the newly created custom group shown in the Available Groups list 5 Click Apply 4 2 2 2 Editing a Custom User Group 1 Click the name of the custom group that you want to edit Note Custom groups which can be edited are indicated by a Sophos icon Active Directory and eDirectory groups which cannot be edited are indicated by a directory icon The Group Editor dialog box is displayed with the selected ...

Page 86: ...the Selected Entries and Manual Entries lists click Save The Group Editor dialog box closes and you are returned to the Configuration Group Policy Default Groups page with the modified custom group listed in the Available groups list 5 Click Apply 4 2 2 3 Deleting a Custom User Group 1 In the Available groups list select the check box to the right of the custom group s that you want to delete The ...

Page 87: ...policy to apply from the end of regular work hours to the beginning of regular work hours and during the lunch hour too Related tasks Configuring Sandstorm on page 103 4 2 3 1 Setting a Special Hours Policy 1 Set the schedule during which the special hours policy will apply a Set the main block of time during which the special hours policy will apply by selecting Daily from and setting the beginni...

Page 88: ...s Sandstorm Exclude suspicious PDFs and documents send all suspicious downloads for analysis in the Sophos Active Sandbox except PDFs and other documents Do not send suspicious files for analysis do not send any downloaded items for analysis even if they are suspicious Note The Sandstorm option is not available if you do not have a Sophos Sandstorm license c Allow user feedback from the notificati...

Page 89: ...chines connecting from inside your network To add a policy a Click Add The Additional Policy editor is displayed b Configure the new special policy on the seven tabs of the Additional Policy editor Selecting Users on page 91 specify the groups or users to which the additional policy will apply Configuring Site Categories on page 91 set overrides to both the Default and Special Hours policy s handl...

Page 90: ...n page 132 Policy Content Advanced Threat Protection on page 166 Related tasks Web Applications on page 83 Categories Download Types on page 75 Configuring the Local Site List on page 97 Using the Local Site List Editor on page 99 4 2 4 1 Quota Time Policies created under Configuration Group Policy Additional Policies can be configured using the quota time feature Quota time allows you to create a...

Page 91: ...tted quad notation X X X X X The entry is displayed in the Manual Entries list To delete an entry from the Manual Entries list select the check box beside the entry that you want to remove and click Delete Note If there are long lists of entries in the Groups Users or Selected Entries lists you can use the paging controls at the top of these lists to navigate through the lists or use the filtering...

Page 92: ...rent selection of quota time After they have consumed all of their available quota time they will be presented with a block page that informs them they have no quota time remaining Use default gray This is the current setting to which you can restore any changed category Note Rules that have been overridden are displayed with the background color associated with that setting Allow is green Warn is...

Page 93: ... or special hours policy setting it only indicates that this option is no longer drawn from the default or special hours policies settings Modify the settings or accept the default settings for the Block potentially unwanted applications option Once the category handling for this additional policy is set move to the next page of the wizard by clicking either the Tags icon or the Next button 4 2 4 ...

Page 94: ... List and that do not have an additional policy set are automatically removed every Sunday night at midnight 2 From the Action drop down list select the action that you want taken in response to the tag The available actions are Allow If selected allows access to the sites to which this tag has been applied Warn If selected presents a warning to users that they are at risk of violating their organ...

Page 95: ... the policy for a tag on the fourth tab of the Configuration Group Policy Additional Policy page s Additional Policy wizard on the Tags tab of the Additional Policy wizard you select the tag for which you want to set policy from a drop down list of all the available tags or enter the name for a new tag Then you select the action that you want applied to URLs marked with this tag Because additional...

Page 96: ...s policy The browse time for all categories and tags that have been set to quota will count toward the browse time selected here Note If you update the allowed browse time the new setting will not take effect until the next day If you need the new browse time to take effect immediately you can manually reset users quota times on the Configuration Group Policy Quota Status page 3 Optionally select ...

Page 97: ...t the Turn on this policy for machines connecting from check box and choose anywhere outside your network or inside your network If you do not select this check box the policy will not be immediately enabled For more information on how users can connect from outside your network see Endpoint Web Control on page 144 4 Optionally select the Automatically deactivate policy on check box and set the Da...

Page 98: ...t box below and click the icon to apply the filter Click the icon to clear the text box Category Select the category of the URLs that you want to view Risk Select the security risk level of the URLs that you want to view Only those URLs currently in the Local Site List that match your selected criteria are displayed Click Hide Filters to close the Filters toolbar which will reset all of the filter...

Page 99: ...and subdomains For instance if a country had a TLD of zz you could block all sites by blocking the zz top level domain and then selectively allow specific sites such as example zz You can add the URL of an HTTPS service that uses a non standard port other than port 443 which extends Web Appliance filtering support to that URL We suggest that you set such sites as Low Risk Important The Web Applian...

Page 100: ...dministrators 5 Click Save The Local Site List editor closes and the new local site list entry that you configured is viewable in the Local Site List Related concepts Using Tags on page 95 Related tasks Explicit Deployment on page 25 Configuring Sandstorm on page 103 Configuring Security Filtering on page 102 Configuring Tags on page 94 Additional Policies on page 89 4 2 6 Testing Policy Applied t...

Page 101: ...all matching results 2 Select entries Click the check box next to entries you would like to reset To select all items listed select the check box at the top 3 Click Reset to start the user and policy quota for the current time period Related concepts Quota Time on page 90 4 3 Global Policy Note Of the pages in this section only the General Options page is also available on a joined Web Appliance A...

Page 102: ...uests for Unclassified sites To set the actions for Medium risk sites and set the risk level for Unclassified sites 1 Configure the action for Medium risk sites all other classifications have a default action and are non configurable High risk These sites have been analyzed by SophosLabs and are know to host malicious content that may compromise network security These sites are always blocked Medi...

Page 103: ...torm Sophos Sandstorm is a cloud based service that provides enhanced protection against new and targeted attacks You can configure the appliance to send suspicious files to Sandstorm for analysis or submit suspicious files on an individual basis Sandstorm detonates the file to check for malware and sends the results to you Because the analysis takes place in the cloud your system is never exposed...

Page 104: ...similar sites are known new ones are created on an ongoing basis Web Appliance detection of such sites is based on both lists of identified anonymizing proxies and caching sites as well as URL characteristic analysis This helps catch previously unidentified sites thus greatly increasing our success in blocking users access to objectionable content through such sites Enable this option if preventin...

Page 105: ...llow your users to post on sites categorized as Blogs Forums Related concepts Appliance Features Not Supported by Endpoint Web Control on page 54 4 3 5 Configuring HTTPS Scanning Note HTTPS scanning is not supported for Endpoint Web Control To provide secure sessions between your users and commercial or banking sites HTTPS encrypts web content between the website server and the user s browser Whil...

Page 106: ...tions and then click Apply To create and manage a list of sites exempted from scanning see the Managing HTTPS Scanning Exemptions page To download a copy of the Sophos certificate authority see the Downloading the Certificate Authority page Related concepts HTTPS Compatibility on page 213 Appliance Features Not Supported by Endpoint Web Control on page 54 4 3 5 1 Managing HTTPS Scanning Exemptions...

Page 107: ...n used for remote assistance SWAorSMA_hostname your_domain toplevel_domain Sophos appliance administrative web interface surgient com Surgient web site webex com WebEx Communications Inc sls microsoft com Windows Vista activation loginnet passport com and login live com and msn com Windows Live Messenger No exemption is required for Windows Live Messenger 2009 login yahoo com Yahoo Messenger Note ...

Page 108: ...authorities without knowing if they are from trusted sources To overcome this problem the Web Appliance includes most of the reliable certificate authorities and it can automatically validate certificate authorities from the Sophos certificate authority list There is also the ability to add custom certificate authorities This allows you to deny users the ability to accept certificate authorities T...

Page 109: ...ding a Certificate from a Web Site Important Retrieving certificates from HTTPS sites can be difficult when HTTPS scanning is enabled as the Web Appliance will provide its own certificate in place of the remote one Turn HTTPS scanning off on the Configuration Global Policy HTTPS Scanning page to be able to download any certificate other than the Sophos generated certificate Be sure to turn HTTPS s...

Page 110: ... of large files and whether the appliance will allow or block downloading of unscannable files Unscannable files are downloaded files that cannot be scanned for viruses because of corruption or encryption You can also remove the authorization for users to download PUAs that had been previously allowed on the Search User Submissions PUAs page To set whether the appliance will allow or block downloa...

Page 111: ...the Maximum cacheable object size and the Minimum cacheable object size in the appropriate text boxes and click Apply Note The default cache settings maximum 100 000 000 bytes minimum 100 000 bytes are usually optimal Lowering the setting for Minimum cacheable object size will decrease the performance of your Web Appliance SophosLabs To share data with Sophos that will help improve the protection ...

Page 112: ... controls are not available for Endpoint web control Additional options To allow users to access external sites by entering IP addresses select the Allow public IP access check box and click Apply Important If this option is not enabled users will be unable to access any URL that uses an IP address from any web page flash script or other content For example youtube com flash videos commonly contai...

Page 113: ...uration backup file in the event of an undesirable configuration change Use the Active Directory page to configure access to your organization s Active Directory server so that the appliance can use existing user data Use the eDirectory page to configure access to your organization s eDirectory server so that the appliance can use existing user data Use the Time Zone page to set the local time tha...

Page 114: ... manually you should still apply updates in a timely manner If Enable automatic updates is not selected Critical updates which can include very important security enhancements will not be automatically installed Updating to the latest revision can be a lengthy process as each available update will be applied one at a time until the system is at the current revision including reboots for those that...

Page 115: ...o five minutes 2 Select or clear the days of the week check boxes to set the day s on which you want automatic software updates performed 3 Click Apply 4 4 1 4 Performing a Manual Update If there is a pending software update available you can manually install it at a time when network activity is low so that the installation is done when it is least disruptive 1 Check that there is a pending softw...

Page 116: ...ified by email when a system alert is raised 1 On the Configuration System Alerts Monitoring page select the System Alerts tab 2 In the Alert Recipients text box enter the full email address of the intended recipient and click Add The email address that you entered is added to the list 3 To include or exclude alerts when users submit requests select On or Off under Send email alerts when users sub...

Page 117: ... sent in clear text so the contents of the messages are not secure Sending these notifications may have an impact on performance especially if numerous search terms have been defined and there are many matches for the terms Related concepts Search Terms on page 178 Users Users By Search Queries on page 164 Related tasks Removing a Search Term Alerts Recipient on page 117 4 4 2 4 Removing a Search ...

Page 118: ...The appliance Syslog capability can send transaction logs to a Syslog server for auditing storage and analysis 1 On the Configuration System Alerts Monitoring page select the Syslog tab 2 Select the Enable syslog transfer of web traffic check box 3 In the Hostname IP text box enter the address of the Syslog server to which the appliance will send logs Note If the Syslog server becomes unavailable ...

Page 119: ...Note A non critical alert indicates a transient error that Sophos would like to investigate These alerts do not indicate a problem with web filtering 5 Click Apply Related tasks Turning Off On Sophos Support Alerts on page 118 4 4 2 7 1 Phone Number Format Follow these guidelines when you enter phone numbers Enter only the country code the area code and the phone number into the Phone field Do not...

Page 120: ...to the FTP server and directory location specified in the Automated upload section The progress of the manual reports data backup is displayed in the Reports backup status panel After completion this panel on the Management Appliance shows the date and time of the last reports data backup Please observe the following backup and restore considerations Appliance backups do not include network settin...

Page 121: ...d up The options are Daily at midnight Weekly on Friday at midnight or Monthly on the 1st at midnight Note Appliance backups do not include network settings Select Transaction log files at least once daily at midnight if you want your transaction log files backed up daily If you enable this option you must also select the format in which the logs are backed up Sophos format or Squid format Note Th...

Page 122: ...the FTP site This path should be entered using Unix style directory separators slashes as is required by the ftp protocol For example home admin swadata Username Required Enter the user account name that will be used to access the FTP site Password Enter the user account password that will be used to access the FTP site 3 Click Verify Save Settings to ensure that the values entered in the precedin...

Page 123: ... you must re enter your usernames and passwords for these connections and re enable FTP and directory services synchronization on the System Backup System Active Directory and System eDirectory pages You cannot restore system configuration data made from a Management Appliance to a Web Appliance and vice versa You can only restore from a backup that was made under the same major minor release For ...

Page 124: ...nce only if the following conditions apply Integrate with only a single Active Directory forest containing a single Active Directory tree The Active Directory server to which you configure access must be the root domain controller of the Active Directory forest The root domain of your Active Directory forest must have an explicit trust relationship with all subdomains within the forest If this con...

Page 125: ...on differences Once these steps are complete you must verify and apply the settings on the joined appliance as described in steps 5 and 6 When Configure Active Directory settings locally is selected only the Username and Password text boxes are functional allowing you to set a different Active Directory account for accessing Active Directory authentication LDAP user data is not synchronized on a j...

Page 126: ... be a fully qualified domain name Note If you have configured a Secondary Domain Controller your Active Directory Kerberos server must be the same as your Primary Domain Controller Active Directory LDAP server The FQDN of the desired LDAP server with the port number If uncertain use the same hostname as the Domain Controller with the port number The port number for a single Active Directory server...

Page 127: ...ns read the troubleshooting message then Close the Detect Settings dialog box correct the Active Directory Settings in the left column and click Verify Settings again When all Verify Settings operations are successful all of the required Active Directory text boxes are filled Important If the verification of a connection to an Active Directory subdomain fails because that server is down at the tim...

Page 128: ...Related tasks Restore on page 122 4 4 6 1 Configuring eDirectory Access On this page on a joined Web Appliance the Off On button is disabled Important Network Configuration All of the eDirectory servers that you want to work with must be reachable from your Web Appliance or Management Appliance If they are not you must configure static routes to them in the Advanced Settings of the Configuration N...

Page 129: ... the Replica designation Note Misconfiguring replicas can result in poor performance For recommendations see Configuring Connections to eDirectory Replicas on page 130 4 Click Verify Settings The Detect Settings dialog box is displayed showing the results of the connection attempt Successful operations are indicated with a green check mark icon warnings are indicated with a yellow exclamation mark...

Page 130: ... listed IP address or IP range select the check box beside the entry that you want to remove and click Delete The IP address or range of IP addresses is removed from the list e Click Save 4 4 6 1 1 Boosting eDirectory Performance via Custom Indexes The performance of the eDirectory server can improve significantly if two attributes objectClass and networkAddress are indexed Results will vary depen...

Page 131: ...tion see Configuring Active Directory Access Authentication allows the appliance to perform identification on the basis of an Active Directory username providing improved policy control and logging Without authentication users can only be identified by IP address As a result appliance policy decisions and logging are based solely on IP addresses Use the Configuration System Authentication page to ...

Page 132: ...ngle Sign On or Captive Portal The appliance does not permit you to save the settings unless one or both of the options is selected If both are enabled the appliance will first attempt to authenticate with Single Sign On In many cases it will be sufficient to accept the factory settings on the Default Settings tab of the System Authentication page On a newly installed appliance both Single Sign On...

Page 133: ...ials If the appliance is configured to allow access as a result of authentication failure see step 2 users can still gain entry to the network as guests Perform SSO for Mac When this option is selected the appliance can perform single sign on for Mac OS X systems using Kerberos In addition you must first configure your Active Directory server to support Kerberos authentication For instructions see...

Page 134: ...nfiguring an Authentication Profile on page 135 Configuring Active Directory to support Kerberos for Mac OS X on page 134 4 4 7 2 1 Configuring Active Directory to support Kerberos for Mac OS X If you want to support single sign on for Mac OS X clients you must configure your Active Directory server to use Kerberos Before selecting the Perform SSO for Mac check box on the System Authentication pag...

Page 135: ...d before ExemptApps then ExemptApps will never be used if a system is in that IP range In this example you would want to move ExemptApps up in precedence so that it is listed before SSOprofile 1 Click Add The Authentication Profile Editor is displayed 2 Choose a connection type Select Apply to all connections or Select Apply to only the following connection profiles 1 Select a connection profile f...

Page 136: ...uests from supported end user browsers against Active Directory and uses cached information to authenticate requests from client applications Captive Portal Select this option to allow access through a special web page If enabled users are automatically redirected to this page if single sign on fails or single sign on is turned off If the appliance is configured to allow access as a result of auth...

Page 137: ...hentication based on different connection sources The appliance uses two kinds of profiles connection profiles and authentication profiles to specify authentication for IP addresses devices or client applications This example demonstrates how to create an authentication profile that controls the way in which mobile devices are authenticated First you will create a connection profile that defines t...

Page 138: ...le and add it to this authentication profile 6 Click Add and then click Next 7 On the Destination page accept the default setting Apply to all destinations Click Next 8 On the Authentication page accept the default setting Bypass authentication Click Next 9 In the Authentication profile name text box enter Mobile 10 Click Save The Mobile profile is displayed on the Profiles tab Notice that there i...

Page 139: ...nection profile based on connection sources including IP addresses device types and client applications The Connection Profile Editor contains tabs for IP Addresses Devices and Client Applications Often you will configure options on just one of the tabs but you can configure a combination of options on two or three tabs For example you could specify a certain form of authentication for all Windows...

Page 140: ...plications in this profile or Select Include only the selected applications in this profile 1 In the Client Applications list select the client application s that you want to include 2 If the client application you wish to add is not listed enter it in the Application name text box Enter the product s User agent string The appliance performs prefix matching for this field If you enter a prefix of ...

Page 141: ...and click Apply 4 4 10 Central Management Scaling Sophos Web Appliances to handle large numbers of users is accomplished by using multiple Web Appliances that are centrally managed by a Sophos Management Appliance The Management Appliance provides centralized configuration centralized policy management and consolidated reporting The Configuration System Central Management page serves three differe...

Page 142: ...ent appliance to which you want this Sophos Web Appliance joined 5 Optionally if this Web Appliance has been in use for a significant period of time prior to joining to the Management Appliance and you want to save and use report data select Upload historical report data from this appliance to add this appliance s report data to the Management Appliance Note If you do not upload historical data it...

Page 143: ...ion and policy data from the first Web Appliance to join this Management Appliance see Using Web Appliance Configuration Data 4 4 10 3 1 On a Management Appliance Using Web Appliance Configuration Data This option allows you to download the configuration and policy data from your established Web Appliance allowing you to avoid repeating configuration work on your new Management Appliance The confi...

Page 144: ...use the new Regenerate Certificates button to switch the Sophos certificate to a more secure SHA 256 signature Related reference Certificates and Certificate Authorities 4 4 11 1 Custom Certificate When you select Custom Certificate controls will be displayed that allow you to upload a private key and a custom certificate To add a custom certificate For the Private key click the Choose file button...

Page 145: ... instructions If at any time you need to change the key click Regenerate and a new key will be displayed This new key must then be transferred to Enterprise Console replacing the original key 4 Optional Select Use Sophos LiveConnect Service When this check box is enabled policy updates are published to user machines even when users are not directly connected to the network Note Neither web traffic...

Page 146: ... home to the endpoint software IP Address Sorts the entries in numeric order from lowest to highest Username Sorts the entries alphanumerically by the username The username show is either the Active Directory username or the hostname of the connected machine Last Connected Sorts the entries chronologically by date and time Note If the text in any field is too long to view place your mouse pointer ...

Page 147: ... are not relevant Use the Configuration Network Network Interface page to configure your appliance s IP address and to configure access to your network s DNS servers Note The appliance uses 172 24 24 173 as the network address to access its initial configuration This may cause routing conflicts if your local network also uses addresses in the range of 172 24 24 0 255 Contact Sophos Technical Suppo...

Page 148: ...IP address followed by a numbered directory from 0 to 32 would be improperly treated as a CIDR range To avoid this possibility always enter URLs to numbered directories using fully qualified domain names rather than IP addresses Optional To configure Additional IP routes IP Address to hostname map or TCP listening ports click Advanced Settings see Configuring Advanced Settings on page 149 2 Auto i...

Page 149: ...ill cause routing conflicts Adding routes incorrectly can make the administrative web interface inaccessible See Adding Routes for more information To add a route a Enter a descriptive Route Name b Enter the requested Destination IP Range in CIDR format Important This range must not include the static IP address of the appliance It must also be outside of the appliance s subnet Always enter URLs t...

Page 150: ...ts feature allows you to configure additional ports on which the appliance will listen for web connections To add a TCP listening port 1 Enter comma separated port numbers in the TCP listening ports text box The port numbers must be between 1024 and 65535 Reserved ports that cannot be used include 8080 8443 8445 8777 10000 13128 and 18081 Port 8080 is always used by default You can enter spaces af...

Page 151: ...in the administrative web interface certificate If this occurs choose to proceed with the mismatched certificate After changing the hostname it is advised that you log out to avoid potential problems To set the search domain type in your organization s search domain in the DNS search suffix text box and click Apply This is typically your organization s domain which enables browsers to complete the...

Page 152: ...requests Note In Transparent or Bridged mode if a user requests an HTTPS page from a browser that does not support Server Name Identification SNI and you have specified a proxy by hostname or domain in Advanced Settings that alternative proxy will not be used Rather the request will go through the default upstream proxy that you entered in steps 1 and 2 To ensure that the alternative proxy is used...

Page 153: ...router use the command no ip wccp variable timers 2 Toggle the WCCP integration button to the On position 3 Under Forwarding method select GRE or L2 Important You must turn WCCP off on all appliances for a minimum of 30 seconds when you switch between the GRE and L2 forwarding methods For optimal performance choose L2 if there are no routers between the WCCP router and the Web Appliance In this ex...

Page 154: ...assword to ensure the Web Appliance only accepts requests from authorized WCCP routers 7 Click Apply If the initial setup is successful traffic will begin to flow through the Web Appliance However if the initial setup fails the System Status will display a critical error after three minutes Note When a Web Appliance with an incompatible forwarding method attempts to join a WCCP service group Cisco...

Page 155: ...lity to access the Sophos site via the internet which is required to receive regular security data and software updates as well as to provide users with filtered access to the internet To test your appliance s connection 1 Click Test The test results are shown as the test proceeds As each test is performed one of three icons is displayed to the left of the line describing the test A green check ma...

Page 156: ...ems you can use it to check whether a particular server is actually up and running Traceroute Identifies the hops the appliance has to go through to access a particular destination If the appliance is having trouble accessing a destination traceroute would show where the request is being routed and possibly identify the source of the problem for example you might find that a request is being route...

Page 157: ...eport the appliance will run a search on that username filtered by Blocked High Risk and the relevant username Note Search Recent Activity Search results only include page views and file downloads while Reports may include various other data and may not match the results of Recent Activity Search queries Similarly reports may list no hits while still reporting a byte count 5 1 Available Reports On...

Page 158: ...ers are displayed in the form domain username Usernames for eDirectory are specified in the form user context IP addresses to which the viruses were downloaded Count of the viruses downloaded The top five viruses downloaded maximum for each user Click on a username to view a Search By User of all URLs blocked due to viruses The available search parameters vary from one report to another See Modify...

Page 159: ...m downloaded by each user Click on a username or IP address to view a Search By User of all URLs blocked due to PUAs The available search parameters vary from one report to another See Modifying Reports for a description of each parameter 5 1 7 Users High Risk Site Visitors By default a pie chart of the top five high risk site visitors plus all others each shown as a percentage of the total number...

Page 160: ...ur Web Appliance is configured to access a single domain Active Directory server only the username of each user is displayed if the Web Appliance is configured to access the global catalog of a multidomain Active Directory forest users are displayed in the form domain username Quota used The number of minutes a user has consumed of their current quota allocation Top 5 categories The top five categ...

Page 161: ...during the specified time period The top five categories of sites that they visited and the time that they spent browsing in each of these top five site categories Click on a username link to view a more detailed browse time report for that user Clicking a username generates the Report Browse Time By User report filtered for the username that you clicked on and the time period that you are current...

Page 162: ...single day this will display the hour Visits The total number of visits to each site Bytes The total number of bytes downloaded from each site Browse time The total browse time for the date or hour if searching a single day Note Usernames are specified in the format DOMAIN User in the text box to the right of the report Alternatively an IP address may be specified Note The Top Bandwidth Users repo...

Page 163: ...es The list may be sorted by site visits or bytes consumed Usernames are specified in the format DOMAIN User in the text box to the right of the report Alternatively if Active Directory integration is not enabled an IP address may be specified Usernames for eDirectory are specified in the form user context The available search parameters vary from one report to another See Modifying Reports for a ...

Page 164: ...Recipient on page 117 5 1 18 Users Top Web Application Users By default a chart is displayed of the number of site visits for the top web application users The results displayed vary according to the parameters selected The text output shows the following Top web application users during the reporting period Top web applications for each user Specific features are displayed as separate items Items...

Page 165: ... by the number of visits today since midnight The text output also shows the number of unique users accessing the top listed blocked sites during the reporting period Note The Blocked Sites report may include accessible sites if file types that users attempted to download were blocked by the policy You can sort the results according to the number of site visits or the number of unique users The av...

Page 166: ...s Use the Graph by drop down to select whether the graph displays the number of files downloaded the number of bytes downloaded the number of files sent for analysis or the number of bytes sent for analysis See Modifying Reports for a description of the other search parameters 5 1 25 Policy Content Advanced Threat Protection The Advanced Threat Protection ATP report lists each unique IP address us...

Page 167: ... Chart parameter allows you to sort either by Top Applications or Top Features Top Applications shows a chart of the most used applications The table below summarizes each application as well as showing a breakdown of each feature Top Features shows a chart of the most used features The table below lists each feature with no grouping for their application The Status parameter allows you to filter ...

Page 168: ... Appliance Management Appliance Only This drop down list appears on the Latency and Throughput report pages You can generate the report on an individual joined appliance or All appliances Whether viewing the information for All appliances or for a specific Web Appliance the time period covered is always based on the Management Appliance s time zone Category Select a category on which to filter you...

Page 169: ... users received a warning about a specific site Proceeds Ranks the results according to the number of times users proceeded to a given site after receiving a warning User Generate user specific reports by either entering a user s name in the form Domain user or the user s IP address 2 Optionally select View Report as PDF for a PDF version of the report or leave this option blank to view the report...

Page 170: ...tions Reporting Groups page allows you to set the user groups on which a report can be generated If Active Directory or eDirectory access has been properly configured the Available groups list is populated with your organization s groups from that directory service If your Web Appliance is configured to access a single domain Active Directory server Active Directory group names are displayed in th...

Page 171: ...top text box enter a name for the group 3 Use at least one of the following methods to select the members of the new custom group Click the Groups tab highlight the groups that you want to include in your custom group and click the double right arrow to move the chosen groups into the Selected Entries list Click the Users tab to highlight the users that you want to include in your custom group and...

Page 172: ... groups that you want to add to your custom group and click the double right arrow to move the chosen groups into the Selected Entries list Click the Users tab highlight the users that you want to add to your custom group and click the double right arrow to move the chosen users into the Selected Entries list To remove a group or user from the Selected Entries list highlight the item s that you wa...

Page 173: ...debar on the various Reports pages allowing you to choose one of these groups as the group on which the report will be generated 5 5 1 4 Deleting a Custom Reporting Group 1 In the Available groups list select the check box to the right of the custom group or groups that you want to delete The custom group or groups that you want to delete must not be in the Reporting groups list Note Custom groups...

Page 174: ...at after midnight is actually slightly after 1 30 AM Report for the past n days sent weekly on x If you choose this option from the drop down lists you must select both the range of days 7 14 21 or 28 and the day of the week on which you want the report sent to the recipients The report will cover the selected number of days prior to the selected reporting day Report for the past month sent on the...

Page 175: ...he top users 1 to 5 on which the included detailed report is generated 4 Optionally change the groups that the reports will cover from the Group selection drop down list The default option is All Users The groups shown in this drop down list are created and set on the Reports Options Reporting Groups page 5 Click Create Schedule at the top of the page or Next at the bottom of the page to proceed t...

Page 176: ...e saving you can click Previous to return to the preceding pages of the wizard to review or change the settings in those pages The options that you set previously will be retained while you have the wizard open until you change them but they will not be saved for use until you click Save 5 5 2 3 Enabling Disabling a Scheduled Report To enable an inactive scheduled report In the Scheduled Reports t...

Page 177: ...that you exempt will not be included in all of the reports listed above To exempt a category 1 On the Reports Options Report Exemptions page select Exempt Categories 2 From the drop down list select a category to exempt and click Add Repeat steps 1 and 2 to exempt additional categories To delete a category select the check box beside the listed category and click Delete 5 5 3 2 Exempting a Report ...

Page 178: ...o that any specified recipients are notified if user web queries contain one or more of the listed words or phrases For more information see Adding a Search Term Alerts Recipient Related concepts Users Users By Search Queries on page 164 Related tasks Adding a Search Term Alerts Recipient on page 117 Removing a Search Term Alerts Recipient on page 117 5 5 4 1 Adding Search Terms You can enter word...

Page 179: ...ch Terms List dialog box is displayed 2 Edit the list as follows To remove a search term from the list select the check box next to the term and click Delete To add a search term to the list in the Search terms text box enter the word or phrase and click Add To enable disable substring matching select or clear the Include substring matches check box You can choose to enable disable this option in ...

Page 180: ... the term and click Delete To remove multiple terms at once select the appropriate check boxes and click Delete 3 Click Save To remove a list of search terms 1 In the Search terms list select the check box to the right of the list that you want to delete 2 Click Delete The list and its contents are removed Related tasks Enabling Disabling Lists of Search Terms on page 179 ...

Page 181: ... By Suspicious Activity Search for attempts to contact malware command and control services By User Timeline Search usage by user for specific date ranges Note Searches will only display users that the administrator has permission to see However if the administrator also has permission to search by IP address then all users will be shown in the search results 2 On the Search Parameters sidebar ent...

Page 182: ...atus from the Filter by status drop down list You can also enter a specific web site in the Filter by site text box to view pages from that location that were viewed by the specified user If you chose to search By Site enter the site name that you want information on for example domain com page htm You can also search by domain alone e g example com and then refine your search further after review...

Page 183: ...ray on page 216 Related tasks Categories Download Types on page 75 Exporting Reports on page 170 6 1 1 Exporting Search Results Click Export A text file is generated that contains the search result data in comma separated values CSV format Your browser s file download dialog box is then displayed prompting you to save the file or open it in the default associated program The export to CSV function...

Page 184: ...ails about a specific downloaded item click its status A detailed report will be displayed with download information file information and results of the analysis 5 Optional To release an item that is currently being analyzed by Sandstorm that is with a status of In Progress or Error so that users can downloaded it immediately select the check box in the Released column and click Release Sandstorm ...

Page 185: ...the concerned download file 2 Optionally click the up down arrow button that appears immediately to the right of any of the column headers to organize the list by that information URL Orders the entries alphabetically by URL IP User Orders the entries alphabetically by the requester s username or IP address If your Web Appliance is configured to access a stand alone Active Directory server only th...

Page 186: ...le type from the Selected list or clearing the Block potentially unwanted applications check box This would either allow access to all files of that type or allow access to all PUAs respectively 6 3 2 1 Managing User Site Submissions To manage user submissions Open the first user submission that you want to respond to by clicking on the requested URL on the Search User Submission Sites page The Us...

Page 187: ...e saved as the comment in the Local Site List Note The comment field for new entries in the Local Site List will include which administrator approved the submission 3 Click Apply Next to apply your selected option and view the next user submission in the list or click Apply Close to apply your selected option and exit the User Submissions dialog box Optionally on the Adding an Alert Recipient on p...

Page 188: ...he System Status tab s default page shows nothing The buttons at the bottom of the System Status page provide the following functionality Click Show All to view a complete list of status items Some items such as those associated with Active Directory and eDirectory are only shown if the program is enabled in the appliance Click Show Exceptions to return to the display of only the existing exceptio...

Page 189: ...t Appliance A warning alert is triggered if the average scan time over the last 5 minutes exceeds 10 seconds WCCP Standalone and Joined Appliances Only A critical alert is triggered if the appliance is unable to communicate with configured Web Cache Communication Protocol routers Hardware Hard Disk A critical alert is triggered if the hard disk fails The number of hard disks listed will vary accor...

Page 190: ...ons Ensure that the username and password supplied have the relevant rights to access the domain and that your network is configured correctly to allow the appliance to access the relevant ports on the domain controller Contact Sophos Technical Support if additional help is required Active Directory synchronization Not available on Joined Web Appliance The Web Appliance synchronizes with the confi...

Page 191: ...blocked Related concepts Central Management on page 141 Alerts Monitoring on page 115 7 1 System Status on the Management Appliance The features described in this section only apply to the Management Appliance The System Status tab is different on the Management Appliance The list of monitored conditions is outlined in the System Status topic but the Management Appliance also has the ability to sh...

Page 192: ...nce Version The version of the software load on this appliance Concurrent users The number of concurrent users in the last reported minute Throughput Mbps The total kilobits or megabits per second of data passed to users In the Web Appliance system status view the following buttons are available Remove Removes this appliance from the list of joined appliances Back Returns you to the System Status ...

Page 193: ... Boolean operators type in AND OR or AND NOT in all uppercase letters Prepend a plus sign to a term to require the presence of that term Prepend a minus sign to a term to require the absence of that term 2 Press Enter or click the arrow button to the right of the Search text box The results are displayed in the text box on the sidebar that usually displays the Table of Contents The search results ...

Page 194: ...Subject Enter a short descriptive subject line for the issue Additional info Add whatever information is significant to understanding the problem 3 Once you have filled in all of the required and relevant information click Submit to email the request 8 3 2 Opening a Remote Assistance Session Important Prior to opening a remote assistance session contact Sophos Technical Support to speak with an en...

Page 195: ...formation To display the About page information 1 On the Help window sidebar click About The following information is displayed number of users licensed to use the appliance license term license expiry date for the appliance Sophos Web Appliance Using Help 195 ...

Page 196: ...TCP SMTP Remote assistance notification 25 Outbound from appliance to internet TCP HTTP Outbound network web traffic 80 Outbound from appliance to internet UDP NTP Network time synchronization 123 Outbound from appliance to internet TCP HTTPS Outbound network web traffic 443 Note Opening ports 80 and 443 is a standard best practice However certain web sites may also require other ports to be opene...

Page 197: ...tween appliance and AD server TCP UDP LDAP Directory services synchronization 389 Inbound from LAN to appliance TCP HTTPS administrative web interface 443 Inbound outbound between appliance and AD server TCP UDP SMB MS server message block 445 Inbound outbound between appliance and eDirectory server TCP LDAPS LDAP synchronization 636 Inbound outbound between appliance and AD server TCP UDP MSGC MS...

Page 198: ...of the following methods an overview of these can be found at the end of the Sophos Web Appliance Configuring your network for Explicit Deployment Knowledgebase article which includes the following Creating Testing and Deploying a proxy pac File Publishing Proxy Info as a wpad dat File Creating a GPO Related tasks Explicit Deployment on page 25 B 1 Adding the Sophos Root Certificate This section c...

Page 199: ...r more information see Installing the Sophos Generated Certificate Authority in your Users Browsers B 1 2 Adding the Sophos Root Certificate in Firefox The Install Root Certificate page of the setup wizard prompts you to install the Sophos root certificate This page provides instructions for adding that root certificate in Firefox To install the Sophos root certificate in Firefox 1 On the Install ...

Page 200: ...Exit and restart Internet Explorer for your changes to take effect 8 Verify that you have successfully configured the Web Appliance as your proxy by visiting http www google com and performing a search Google com should display and return search results as usual 9 Verify that the virus scanning and blocking is working by accessing http www eicar org download eicar com You will see the Web Applianc...

Page 201: ... 1 Select Safari Choose Preferences The Safari Preferences dialog box is displayed 2 On the Advanced tab click Change Settings The Network pane of the System Preferences dialog box opens 3 Select the Web Proxy check box and enter the following settings IP address the domain name or IP address provided by your IT department Port Number the proxy port number is 8080 unless you have been instructed t...

Page 202: ...On the Security tab click Custom level The Security Settings dialog box is displayed 3 In the Downloads section of the Settings select the Enable option for the Automatic prompting for file downloads option and click OK to close each dialog box The next time that you request a report as a PDF a File Download dialog box is displayed prompting you to open or save the file B 4 Other Firefox Settings ...

Page 203: ...Related concepts Active Directory on page 123 Related tasks Transparent Deployment on page 29 Sophos Web Appliance Configuring Your Browser 203 ...

Page 204: ...ution The best solution is to add the Web Appliance to your DNS server Firewall reports attachments stripped from Web Appliance generated email Background The Web Appliance provides a managed appliance experience that is enabled in part by sending system status snapshots as email attachments to Sophos to ensure that your Web Appliance is operating within acceptable thresholds Problem Firewalls can...

Page 205: ...gs by clicking Verify Settings on the System Active Directory page C 2 2 Clock skew is too large The time difference between the appliance and your Active Directory Kerberos server is greater than three minutes Update the time on your Kerberos server or adjust the NTP Server setting set at the bottom of the Configuration System Time Zone page to synchronize the appliance to the same NTP source as ...

Page 206: ...t be found Check the Active Directory Domain Controller update the required fields on the System Active Directory page and click Verify Settings again C 2 9 Hostname is too long The appliance hostname cannot be longer than 15 characters to join the Active Directory domain Update your Fully qualified domain name on the Configuration Network Hostname page and configure your Active Directory settings...

Page 207: ...Domain Controller Check the Active Directory Domain Controller update the required fields on the System Active Directory page and click Verify Settings again C 2 15 Server error An error occurred when the appliance tried to join the Active Directory domain If you receive this error ensure that the following are true The detected or configured Domain Controller is currently running The required por...

Page 208: ...our Active Directory forest you can manually change the port number for the Active Directory LDAP server on the Configuration System Active Directory page to 389 to force the appliance to access the Active Directory server as a single domain C 2 17 Could not join the Secondary Domain Controller The appliance could not join the specified Secondary Domain Controller This may be because the Secondary...

Page 209: ...arning is issued when a base DN with no users is specified in the Base DN field or the user specified in the Authentication DN does not have sufficient privileges to query the contents of the LDAP tree Update these fields on the Configuration System eDirectory page and click Verify Settings again Additionally increase the time limit on your eDirectory server if it has run out C 3 5 Could not sync ...

Page 210: ...leshooting This page describes the problems that can be encountered when joining a Web Appliance to a Management Appliance and it provides solutions to these problems Join fails with Mismatched Software Load error message Problem Clicking Join Management Appliance produces a Software versions to not match error message at the Verifying software version check Cause Installed software loads on the t...

Page 211: ...es Active Directory access configuration but the firewall between the new Management Appliance and the Active Directory server has not been configured to open the required ports Solution Configure your firewall to provide access to the ports and services listed in the following tables External Connections Connection Protocol Service Function Port Outbound from appliance to sophos com TCP SSH Remot...

Page 212: ... synchronization 636 Inbound outbound between appliance and AD server TCP UDP MSGC MS AD Global Catalog synchronization 3268 Inbound outbound between LAN and appliance TCP HTTP HTTPS Proxy end user web browsing 8080 NewWebAppliancejoinproducesanADintegrationalertandblocks all users web access Problem When you join a new Web Appliance to a configured Management Appliance the Web Appliance raises an...

Page 213: ...thenticity of their submission is similarly verified by the certificate authority The Web Appliance provides two security features related to this process certificate validation and HTTPS scanning Certificate Validation Often end users have little knowledge about the reliability of a certificate authority so they will often accept certificate authorities without knowing if they are from trusted so...

Page 214: ...sers This can be done as a centralized system administration operation using Group Policy Objects Note For more information see the knowledgebase article Installing the Sophos Generated Certificate Authority in Your Users Browsers In greater detail here is how the Web Appliance handles HTTPS scanning You the administrator download the Sophos certificate authority from the Web Appliance and install...

Page 215: ... users browsers see Downloading the Certificate Authority on page 108 HTTPS Compatibility with Sites Many financial sites require that clients use a specific certificate authority to establish an HTTPS session with the financial institution s site During HTTPS scanning the appliance replaces the client certificate with its own certificate Therefore financial institutions that require special clien...

Page 216: ...alidation on page 108 Adding a Certificate from a Web Site on page 109 Adding a Root Authority Certificate on page 109 Configuring HTTPS Scanning on page 105 C 6 Images Display as Gray When images are loaded in a browser or third party application directly from a blocked or warned site the images will be displayed as gray boxes If a user visits a site that policy blocks or warns against the applia...

Page 217: ...req GET http www google ca HTTP 1 1 dom google ca filetype rule 0 filesize 25815 axtime 0 048193 fttime 0 049360 scantime 0 011 src_cat 0x2f0000002a labs_cat 0x2f0000002a dcat_prox target_ip 74 125 127 94 labs_rule_id 0 reqtime 0 027 adtime 0 001625 ftbypass os Windows authn 53 auth_by portal_cache dnstime 0 000197 quotatime sandbox h 192 168 98 38 u SILKNET2 t xc3 xb5m xc3 xa4sj xc3 xb3n xc3 xa9s...

Page 218: ...as completed X connection aborted before the response completed connection may be kept alive after the response is sent connection will be closed after the response is sent X Timestamp in seconds of when the request was first received since the UNIX Epoch i e 1970 01 01 00 00 00 UTC t Time in microseconds required to serve this request T Time required in seconds to serve this request Ts Action cod...

Page 219: ...7 Blocked because the originating server failed SSL certificate validation 1408 Blocked Range requests 1409 Blocked by tag 1410 Blocked Lookup failed 1411 Blocked because of application control 1412 Blocked by Sandstorm rsn Malware Virus name detected by the scanner threat MIME type identified by the appliance type Content Type indicated by the originating server ctype Sophos Anti virus engine ver...

Page 220: ...rved for this request does not include HTTP protocol overhead filesize Amount of time in seconds it took to perform access checks axtime Amount of time in seconds it took to perform file typing fttime Amount of time in seconds it took to perform scanning scantime Internal use only src_cat Internal use only labs_cat Internal use only dcat_prox The IP address that the request resolves to target_ip I...

Page 221: ... accept log lines terminated by any of the standard text line termination schemes linefeed carriage return ASCII CR 0x0D or LF CR as used by Windows DOS Quotes and backslashes within a value are escaped by prepending a backslash Keys will never contain such characters Null values may be represented by an empty string e g key or key or a dash character e g key or key Any value containing only a das...

Page 222: ... s Sites 0x2n0000001C Uncategorized 0x0n00000000 Motor Vehicles 0x2n0000001D Adult Sexually Explicit 0x2n00000001 News 0x2n0000001E Advertisements Pop Ups 0x2n00000002 Peer to Peer 0x2n0000001F Alcohol Tobacco 0x2n00000003 Personals and Dating 0x2n00000020 Arts 0x2n00000004 Philanthropic Professional Orgs 0x2n00000021 Blogs Forums 0x2n00000005 Phishing Fraud 0x2n00000022 Business 0x2n00000006 Phot...

Page 223: ...2n00000015 Tasteless Offensive 0x2n00000032 Hosting Sites 0x2n00000016 Travel 0x2n00000033 Illegal Drugs 0x2n00000017 Violence 0x2n00000034 Infrastructure 0x2n00000018 Weapons 0x2n00000035 Intimate Apparel Swimwear 0x2n00000019 Web based email 0x2n00000036 Intolerance Hate 0x2n0000001A Custom 0x2n10000037 Job Search Career Development 0x2n0000001B Sandbox codes The following table explains the val...

Page 224: ...cloud response file is clean sandbox 4 Sandbox fast response file is malicious sandbox 1 Sandbox fast response error occurred sandbox 2 Sandbox cloud response file is malicious sandbox 3 Sandbox cloud response error occurred sandbox 4 Related tasks Automating Backups on page 121 ...

Page 225: ... reserved Software originally written by Jesper Veggerby Hansen Copyright 2003 2004 Jesper Veggerby Hansen Software originally written by Thomas G Lane This software is based in part on the work of the Independent JPEG Group Software originally written by Andrew G Morgan Copyright 1997 Andrew G Morgan Software originally written by Mark Nudelman Copyright 1984 1999 Mark Nudelman Software developed...

Page 226: ...al exemplary or consequential damages including but not limited to procurement of substitute goods or services loss of use data or profits or business interruption however caused and on any theory of liability whether in contract strict liability or tort including negligence or otherwise arising in any way out of the use of this software even if advised of the possibility of such damage Software l...

Page 227: ...are under terms of this license revision or under the terms of any subsequent revision of the license THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS AS Is AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OPENLDAP FOUNDATION ITS CONTRIBUT...

Page 228: ...egistered trademark of the OpenLDAP Foundation Copyright 1999 2003 The OpenLDAP Foundation Redwood City California USA All Rights Reserved Permission to copy and distribute verbatim copies of this document is granted ...

Page 229: ...product or if it does not function as described in the documentation contact Sophos Technical Support http www sophos com support Corporate Contact Information To contact your local Sophos office see http sophos com companyinfo contacting Sophos Web Appliance Contacting Sophos 229 ...

Page 230: ...ompromised by an untrustworthy third party Certificates include information such as the hostname they are to be used with a digital signature from a certificate authority a start date and an expiry date To be considered valid a certificate must not yet be expired have a digital signature from a trusted certificate authority have a hostname associated with it that matches the hostname of the machin...

Page 231: ...C C or C2 is a computer that controls a botnet a network of compromised computers Some botnets use distributed command and control systems making them more resilient From the command and control center hackers can instruct multiple computers to perform their desired activities Command and control centers are often used to launch distributed denial of service attacks because they can instruct a vas...

Page 232: ...on of settings that defines user or computer settings for a group of users or computers The settings stored in Group Policy Objects reference Active Directory units such as sites and domains G 10 group List of users to which differentiated policy settings can be applied Lists of users that the Sophos email and URL filtering products use as a basis for the policy settings that determine which filte...

Page 233: ...n method NTLM is used by such Microsoft applications as Active Directory and Sharepoint Note that NTLM has the following restriction NTLM can get past a firewall but is generally stopped by proxies because NTLM is connection based and proxies do not necessarily keep connections established Applications such as Sharepoint inside an enterprise that require Integrated Windows Authentication which inc...

Page 234: ...gitimate uses but these should be installed only with the system administrator s knowledge and at his or her discretion Sophos is an active member of the Anti Spyware Coalition ASC When classifying PUAs SophosLabs uses the following broad definitions which are derived from the ASC risk model Adware Application that often has the primary function of delivering advertising to the desktop Software th...

Page 235: ...able for an enterprise network For example Adware bundled supported or affiliated software such as P2P applications Trial versions of server applications that are commonly used in a malicious context Chat clients commonly used in a malicious context Server applications such as FTP Telnet IRC or SMTP commonly used in a malicious context G 19 proxy A secure server through which internal clients conn...

Page 236: ...reat analysis centers ensures Sophos is able to respond to new threats without compromise achieving the highest levels of customer satisfaction and protection in the industry G 22 spyware Software that covertly gathers information on users internet activities Spyware gathers user information through the user s internet connection without his or her knowledge usually for advertising purposes Spywar...

Page 237: ... and switches WCCP allows for clustering failover load balancing and the transparent deployment of web proxy and security products without additional network configuration or hardware G 26 worm Unlike a virus it has the ability to self replicate and often will use email and the internet to spread Sophos Web Appliance Glossary 237 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands