March 2009
FE408005AA, FE408020AA, FE408020XA, FE408045XA, FE408100XA, FE408200XA

Optinet User's Guide
Optinet: the bandwidth shaping, content filtering BLACK BOX appliance.

Customer Support Information
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500)
FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.blackbox.com • E-mail: [email protected]

We're here to help! If you have any questions about your application or our products, contact Black Box Tech Support at 724-746-5500 or go to blackbox.com and click on "Talk to Black Box." You'll be live with one of our technical experts in less than 20 seconds.

TRADEMARKS USED IN THIS MANUAL
Black Box and the Double Diamond logo are registered trademarks, and Optinet is a trademark, of BB Technologies, Inc. Any other trademarks mentioned in this manual are acknowledged to be the property of the trademark owners.

724-746-5500 | blackbox.com

Table of Contents
Table of Contents  ii
Chapter 1: Introducing Optinet  1
Chapter 2: Installing Optinet  3
  Gathering Initial Information  4
  Connecting to Optinet  5
  Running the Setup Wizard  7
  Cutting-Over  8
  Accessing Optinet  9
    Manual Configuration  10
    Management/Auxiliary Interface  10
    Text Menu Interface  11
    Proxy Mode  14
  Configuring Port Settings  16
  Configuring Cabling  17
  Testing Fail to Wire or No Failover  17
    Fail to Wire  17
    Bypass Mode  18
    No Failover  18
Chapter 3: Navigating Optinet  20
  General Navigation  20
  Tasks Pane  22
  Help Pane  23
Chapter 4: Generating Reports  25
  Home Page  25
    The Message Center  25
    System Notifications  26
    Getting Started  26
    Hardware Settings  26
    System  26
  General Reporting Options  26
    Selected Date  27
    Search  27
    Correlated by  27
    Result Type  27
    Group  27
    Network Node  28
    Directory User  28
    Encryption Type  28
    Application Set  28
    Right-Click Options  28
    Drop-Down Arrows  29
    Bar-Pie Graph Drop-Down  29
    Snapshot-Real Time Drop-Down  29
    Report Recommendations  29
  Users tab  30
    Dashboard Reports  31
  Applications tab  31
  Threats tab  33
  Internet Usage tab  34
  System Reports tab  35
  Dashboards tab  35
Chapter 5: Managing Optinet  38
  General Manage Options  38
  Policies & Rules tab  39
    Groups  39
    Time-of-Day Rules  42
    Traffic Flow Rule Sets  43
    Content Filtering  44
    Advanced Filtering  46
    Internet Usage Rules  48
    Shaping Rules  51
    Policy Manager  54
  Directory Users & Nodes  54
    Network Nodes  55
    Directory Users  58
    Directory Agent  58
  Broadcasts tab  59
  System Access tab  60
  Applications tab  60
    Traffic Flow Rule Sets  60
    Application Sets  61
    Applications  63
Chapter 6: Administrating Optinet  67
  Setup Wizard  67
  Configuration tab  68
    Setup  68
    Advanced Setup  68
    Ethernet Settings  70
    Company Settings  70
    Registration Settings  70
    Miscellaneous (Misc.) Settings  70
    Update Settings  72
    Custom Category Rules  72
    Custom Category Options  73
    Remote Subnets  74
    User Preferences  75
    Static Routes  76
    SSL Certificate Settings  78
    License Settings  78
    Special Domains  78
    LDAP Settings  79
    Backup  79
    Proxy Settings  80
  Diagnostic Tools tab  80
    Device Status  81
    Directory Agent Diagnostics  81
    Directory Agent Users  81
    Display ARP Table  81
    Ethernet Status  81
    Group IP List  81
    IP Address Map  81
    No LDAP Network Nodes  82
    PING  82
    Test DNS Settings  82
    Traceroute  82
    IP Traffic Monitor  82
  Downloads tab  83
  Logs tab  83
    Activity Log  83
    Kernel Log  84
  Redirection Pages  84
    Blocked URL  84
    Directory Agent Login Page  85
  Utilities  85
    System Resets  86
    Support Link  88
    Spyware Removal Tool  89
Chapter 7: Integrating Directory Users with Optinet  90
  Directory Overview  90
  Directory Options  92
    Directory Option 1: Directory Agent with Directory Client (cymdir.exe)  92
    Directory Option 2: Directory Agent with IP Lookup  93
    Directory Option 3: Directory Agent with NTLM  93
    Directory Option 4: Directory Agent with Login Page  94
  Directory Configurations  95
    Install Directory Agents  95
    Create Directory Agents  97
    Create Optinet Groups  97
    Create Directory Agent Group  98
    Deploy Directory Client  101
    Create Directory Internet Usage Rules  109
  Directory Troubleshooting  111
    Using Diagnostic Tools  111
    Troubleshooting GPO Issues  113
    Troubleshooting Directory Client  114
Chapter 8: Implementing HTTPS/SSL Filtering with Optinet  117
  Certificate Authorities  118
  SSL Anonymous Proxies  118
    SSL CGI Proxy  119
    SSL Full Proxy  119
    SOCKS4/5 Proxy  119
    TorPark Network  119
  HTTPS/SSL Filtering  119
    Disable SSL Inspection and Filtering  119
    Enable SSL Certificate-Based Content Filtering  119
    Enable Denied Access Page for SSL Certificate-Based Content Filtering  120
    Enable Full SSL Content Filtering  120
    Only Allow Trusted Certificate Authorities and Non-Expired Certificates  120
    HTTPS/SSL Filter Exemption List  120
    Content Filtering Rules  120
  HTTPS/SSL Blocking  121
  HTTPS/SSL Filtering Requirements  121
  Enabling SSL Certificate-Based Filtering  122
    Web Filter + Deny IM + Anonymous Proxy Guard + SSL Filter  122
    Web Filter + Anonymous Proxy Guard + SSL Filter  123
    Web Filter + SSL Filter  123
  The Optinet Digital Certificate  123
  Installing The Optinet Digital Certificate  124
    Deploying The Optinet Certificate via Web Browsers  124
    Deploying The Optinet Certificate via Active Directory  127
  Enabling Full SSL Content Filtering  130
  Confirming The Optinet Digital Certificate  131
  Viewing Sensitive Content on HTTPS/SSL Web Sites  131
Customer Support and Feedback  133
  Getting Help  133
Appendix A: Web Filtering Categories  134
Appendix B: MIME Types  141
Appendix C: File Types  144
Appendix D: CIDR Cheat Sheet  146
Appendix E: End User License Agreement (EULA) & Warranty  148

Federal Communications Commission and Industry Canada Radio Frequency Interference Statements
This equipment generates, uses, and can radiate radio-frequency energy, and if not installed and used properly, that is, in strict accordance with the manufacturer's instructions, may cause interference to radio communication. It has been tested and found to comply with the limits for a Class A computing device in accordance with the specifications in Subpart B of Part 15 of FCC rules, which are designed to provide reasonable protection against such interference when the equipment is operated in a commercial environment. Operation of this equipment in a residential area is likely to cause interference, in which case the user at his own expense will be required to take whatever measures may be necessary to correct the interference. Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
This digital apparatus does not exceed the Class A limits for radio noise emission from digital apparatus set out in the Radio Interference Regulation of Industry Canada.
NOM Statement
Safety Instructions (Normas Oficiales Mexicanas Electrical Safety Statement)
1. All safety and operating instructions must be read before the electrical appliance is operated.
2. The safety and operating instructions must be kept for future reference.
3. All warnings on the electrical appliance and in its operating instructions must be observed.
4. All operating and usage instructions must be followed.
5. The electrical appliance must not be used near water, for example near a bathtub, washbasin, wet basement, or swimming pool.
6. The electrical appliance must be used only with carts or stands recommended by the manufacturer.
7. The electrical appliance must be mounted to a wall or ceiling only as recommended by the manufacturer.
8. Servicing: the user must not attempt to service the electrical equipment beyond what is described in the operating instructions. All other servicing must be referred to qualified service personnel.
9. The electrical appliance must be placed so that its position does not interfere with its use. Placing the electrical appliance on a bed, sofa, rug, or similar surface may block ventilation; it must not be placed in a bookcase or cabinet that impedes airflow through the ventilation openings.
10. The electrical equipment must be kept away from heat sources such as radiators, heat registers, stoves, or other appliances (including amplifiers) that produce heat.
11. The electrical appliance must be connected to a power source only of the type described in the operating instructions or as marked on the appliance.
12. Care must be taken so that the equipment's earth ground and polarization are not defeated.
13. Power-supply cords must be routed so that they are not walked on or pinched by objects placed on or against them, paying particular attention to plugs and receptacles where the cords exit the appliance.
14. The electrical equipment must be cleaned only as recommended by the manufacturer.
15. If present, an external antenna must be located away from power lines.
16. The power cord must be unplugged when the equipment is not used for a long period of time.
17. Care must be taken so that objects and liquids are not spilled onto the cover or ventilation openings.
18. Servicing by qualified personnel must be provided when:
A. The power cord or plug has been damaged; or
B. Objects have fallen into or liquid has been spilled into the appliance; or
C. The appliance has been exposed to rain; or
D. The appliance does not appear to operate normally or shows a change in performance; or
E. The appliance has been dropped or its cover has been damaged.

Chapter 1: Introducing Optinet
Welcome to Optinet. Optinet is a smart gateway appliance from Black Box Network Services that gives network administrators an in-depth view of network traffic and resources. With Optinet, you can monitor and manage traffic generated by specific applications within the network as well as traffic generated by specific users or computers. Beyond managing traffic from users and devices, you can also control which web sites or web categories can be visited. In addition, Optinet offers protection against spyware and web-borne viruses so that your network keeps running optimally. Optinet helps manage network traffic by reporting which types of traffic are in use on the network. The device also provides tools to help control that traffic and identify potentially dangerous users or applications.
By monitoring all Internet traffic, Optinet will report on how much bandwidth is being used for browsing the Web and for downloading files via File Transfer Protocol (FTP) or Peer-to-Peer (P2P) applications. This information is valuable because you will begin to see how your network resources are being used. With this information, you can then use Optinet to optimize traffic, identify high-priority traffic, and restrict unwanted types of traffic or web sites. In essence, Optinet will allow you to receive the most benefit from your network and users.

Optinet provides three essential facets for traffic reporting and control:

• Filter content—Optinet will monitor and report on web sites visited. Optinet will allow you to block unauthorized web sites or web categories.
• Shape traffic—Optinet can prioritize applications or users within the network, allowing you to limit or restrict bandwidth and specific types of traffic. For example, P2P file sharing can consume large amounts of bandwidth. Optinet can restrict this traffic, allocating more bandwidth to higher-priority traffic.
• Block spyware and web viruses—Optinet will also identify and block spyware or viral web sites and applications that can potentially harm your network and consume bandwidth.

Optinet can quickly increase bandwidth for high-priority traffic, ensure employee productivity, provide appropriate web content, add an additional layer of security, and prevent users from compromising your network. This user guide will instruct you on how to use and deploy the various functions of Optinet.

Chapter 2: Installing Optinet

In this chapter, you learn how to perform an initial installation of Optinet.
The following topics will be covered:

• Gathering Initial Information
• Connecting to Optinet
• Running the Setup Wizard
• Cutting Over
• Accessing Optinet
• Using Alternative Configuration Methods
• Configuring Port Settings
• Configuring Cabling
• Testing Fail to Wire or No Failover

Optinet is a powerful network device that is relatively easy to set up in any network environment using the instructions in this document and the Setup Wizard. Please read and understand all configuration and installation considerations before proceeding. If you have questions or are unsure about the installation of Optinet, please contact Black Box Technical Support at 724-746-5500, your Authorized Black Box Network Services Reseller, and/or the person responsible for the service of your network.

Gathering Initial Information

This section lists the information and the basic definitions of terms you will need to know before installing Optinet. Begin by reviewing the information and filling out the following table for documentation. You will need the following information:

License Key

Licenses that have been purchased with your system will ship as a license key on a card in the Documentation & Accessories box or be delivered via email at the time of purchase. Locate this card to enable the licenses on your system during the setup process.

License Key:
Model Number:
Serial Number:
Licensed Network Nodes:

Licensing—licensing with Optinet is based on network connections. One hundred connections on your network will constitute a 100 Network Node license. Please make sure that the number of licenses purchased is sufficient for the active connections present on your network.

Model Number and Serial Number—these numbers are associated with your Optinet for device identification and are used in conjunction with the License Key to verify the number of licenses purchased.
IP Configuration

If you are unsure of the following fields, the Setup Wizard will detect available addresses and settings within your network via DHCP. You may copy over these settings during the Setup Wizard.

Optinet (Bridge) IP address:
Subnet Mask:
Default Gateway (WAN Side) IP address:
DNS Server IP address:
Management/Auxiliary Port IP address: (The Management/Auxiliary Port IP address cannot be in any active subnet in your network.)
Management/Auxiliary Port Subnet Mask:
Total Download Bandwidth (in Kbps):
Total Upload Bandwidth (in Kbps):
Time Zone:

The amounts entered in the Total Download Bandwidth and Total Upload Bandwidth fields will restrict total throughput through Optinet. Please make sure the amounts you enter in these fields are correct.

If you would like to receive email alerts when users attempt to access viral web sites, you must fill out the Email Settings. If you are not interested in this option, you may leave the following fields blank.

Email Settings

In order for Optinet to send email alerts, the email server listed below must be configured to relay messages from Optinet.

System Alerts & Broadcasts email address (System Administrator):
Email Server Hostname or IP address (optional):

Remote Subnets

Optinet will identify and monitor all network traffic native to its local subnet. If you have a routed network (VLANs, different network addresses, etc.), please note the network addresses outside the Optinet local subnet with the appropriate CIDR notation. See Appendix E for the CIDR Cheat Sheet.

Subnet Address (CIDR notation):
Subnet Address (CIDR notation):
Subnet Address (CIDR notation):

Once you have this information, you’re ready to make your initial connections to Optinet.

Connecting to Optinet

The next step is to power on and establish a connection to Optinet from a local management workstation/laptop. You will also need to connect Optinet to your network.
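A pre-installation check of the worksheet above, written as an added example for this guide (it is not Black Box code, and Optinet itself performs no such check). It applies the constraints the worksheet states: the bridge IP, mask and WAN-side gateway must describe one subnet, the Management/Auxiliary address must not fall in any active subnet (the bridge subnet or any Remote Subnet), Remote Subnets must be valid CIDR blocks, and the bandwidth figures must be positive Kbps integers. All worksheet values in the block are constructed samples.

```python
"""Pre-installation check for the Optinet IP worksheet.

Added example for this guide, not code from Black Box or the Optinet appliance.
It validates the worksheet values against the constraints the guide states
before they are typed into the Setup Wizard:
  * bridge IP, subnet mask and WAN-side default gateway describe one subnet;
  * the Management/Auxiliary port address is not in any active subnet
    (the bridge subnet or any Remote Subnet listed in CIDR notation);
  * each Remote Subnet is valid CIDR and does not overlap the bridge subnet;
  * download/upload bandwidth are positive integers in Kbps, since the values
    entered cap total throughput through the device.
All sample values below are constructed for illustration.
"""
from ipaddress import ip_address, ip_interface, ip_network


def check_worksheet(bridge_ip, subnet_mask, gateway, dns, mgmt_ip, mgmt_mask,
                    remote_subnets, download_kbps, upload_kbps):
    """Return a list of problems found; an empty list means the worksheet is consistent."""
    problems = []

    # Bridge interface: derive the local subnet from the IP and dotted mask.
    bridge = ip_interface(f"{bridge_ip}/{subnet_mask}")
    bridge_net = bridge.network
    if bridge.ip in (bridge_net.network_address, bridge_net.broadcast_address):
        problems.append(f"bridge IP {bridge.ip} is the network or broadcast address of {bridge_net}")

    # The WAN-side default gateway must be a different host inside the bridge subnet.
    gw = ip_address(gateway)
    if gw not in bridge_net:
        problems.append(f"default gateway {gw} is not in bridge subnet {bridge_net}")
    elif gw == bridge.ip:
        problems.append("default gateway must not be the bridge IP itself")

    # The DNS server only needs to be a syntactically valid address here.
    try:
        ip_address(dns)
    except ValueError:
        problems.append(f"DNS server {dns!r} is not a valid IP address")

    # Remote Subnets: strict CIDR (no host bits set). The bridge subnet is monitored
    # natively, so a Remote Subnet overlapping it is a worksheet mistake.
    active_nets = [bridge_net]
    for cidr in remote_subnets:
        try:
            net = ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"remote subnet {cidr!r} is not valid CIDR: {exc}")
            continue
        if net.overlaps(bridge_net):
            problems.append(f"remote subnet {net} overlaps the bridge subnet {bridge_net}")
        active_nets.append(net)

    # Management/Auxiliary port: its address may not sit in any active subnet, and its
    # IP settings must differ from those of the bridge interface.
    mgmt = ip_interface(f"{mgmt_ip}/{mgmt_mask}")
    for net in active_nets:
        if mgmt.ip in net:
            problems.append(f"management IP {mgmt.ip} lies inside active subnet {net}")
    if mgmt.network == bridge_net:
        problems.append("management port must not share the bridge interface subnet")

    # Bandwidth fields restrict total throughput, so a zero or bogus value would throttle the site.
    for label, value in (("download", download_kbps), ("upload", upload_kbps)):
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            problems.append(f"total {label} bandwidth must be a positive integer in Kbps, got {value!r}")

    return problems


if __name__ == "__main__":
    # Constructed worksheet: bridge on 192.168.10.0/24, management port left at the
    # guide's default 10.1.1.1, and a remote VLAN entry that accidentally contains it.
    findings = check_worksheet(
        bridge_ip="192.168.10.5", subnet_mask="255.255.255.0",
        gateway="192.168.10.1", dns="192.168.10.2",
        mgmt_ip="10.1.1.1", mgmt_mask="255.255.255.0",
        remote_subnets=["192.168.20.0/24", "10.1.0.0/16", "192.168.30.5/24"],
        download_kbps=10000, upload_kbps=2000,
    )
    for finding in findings:
        print("PROBLEM:", finding)
```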
Running the Setup Wizard requires an active Internet connection from the network where Optinet will be installed. If you do not have an active Internet connection available, or you do not wish to use the Setup Wizard, please consult the section Using Alternative Configuration Methods.

1. Connect a cross-over cable (included in your Accessories Kit) from the Optinet LAN port to the network port on your workstation/laptop.
2. Connect a straight-through cable from the Optinet WAN port to an empty port on your local network switch.

Figure 2.1 Optinet Configuration Connectivity

3. Write down the existing IP settings of your local workstation/laptop so that you can easily change them back when configuration is complete.
4. Change your local workstation/laptop IP settings. You will need to change the IP settings on your local workstation/laptop to communicate with the default settings of Optinet:
• Default IP Address—192.168.1.80
• Default Subnet Mask—255.255.255.0
The suggested settings for the local workstation/laptop are the following:
• IP Address—192.168.1.81
• Subnet Mask—255.255.255.0

Running the Setup Wizard

1. To access the Setup Wizard, open Microsoft’s Internet Explorer (IE) 6 or 7 and enter http://192.168.1.80 in the address bar.
2. Log in to the system using:
a. Default User Name: admin (all lowercase)
b. Default Password: blackbox (all lowercase)
3. Please read and accept the EULA agreement.
4. The Welcome Screen is then displayed automatically on new systems, as well as on systems that have been reset to factory defaults. Read the information displayed in the Welcome Screen and select Next>>.

Figure 2.2 The Setup Wizard Welcome Screen

5. Using the information you collected in the section Gathering Initial Information, complete the steps within the Setup Wizard. Select Next>> when the page fields are complete. Optinet will test the settings of each step and, if successful, will allow you to proceed.
6. The final step in the Setup Wizard allows you to confirm and, if necessary, edit your configuration. This step will also check for updates and will automatically retrieve and install them. Major firmware upgrades will require a reboot of your system when complete.

Please note that advanced configuration options such as Directory Integration or Ethernet Settings require additional steps that are not covered in the Setup Wizard. For additional information, please review their corresponding chapters.

Cutting Over

Only perform these next steps when network traffic can be momentarily interrupted.

Now that you have finished the Setup Wizard, you are ready to place Optinet inline with Internet traffic. Optinet requires all Internet traffic to pass through its bridge interface, unless the device is configured in Proxy Mode. If you are planning to configure Optinet in Proxy Mode, you can skip the current section and proceed to the section Using Alternative Configuration Methods.

For typical installations you will need to follow the next steps and physically place Optinet inline with your network’s traffic. In general this location is between the Firewall/WAN Router and the Core Network Switch.

1. Remove the cables connected to the Optinet WAN and LAN ports.
2. If you modified your local workstation/laptop IP settings, you will need to change your local workstation/laptop settings back to their original IP settings.
3. Locate the connection between the Core Network Switch and the Firewall/WAN Router. Unplug the cable from the Firewall/WAN Router and connect it to the LAN port on Optinet.
4. Using the cross-over cable, connect the WAN port of Optinet to the now open port on the Firewall/WAN Router that was previously used by the Core Network Switch.
5. Verify that the cross-over cable is plugged into the Optinet WAN port and the Firewall/WAN Router.
6. Verify that the straight-through cable is plugged into the Optinet LAN port and the Core Network Switch.
Optinet should now be sitting inline with your Internet traffic.
7. Confirm that the Light Emitting Diodes (LEDs) for both the WAN and LAN ports are showing solid green (link) lights and blinking amber (speed) lights.
8. Verify that local workstations can access the Internet by opening a web browser and navigating to several web sites.

Figure 2.3 Optinet Installation Connectivity

If you are able to browse the Internet, you have completed the installation of Optinet. The device should now be sitting inline with your Internet traffic and monitoring web requests.

Accessing Optinet

After completing the configuration and installation processes, you can access Optinet by using the IP address you assigned to the device during the Setup Wizard.

1. Open Microsoft’s IE 6 or higher and navigate to http://IP address assigned.
2. Log in using the default credentials (listed under the section Running the Setup Wizard) or with the newly created administrative login.
3. When you log in to Optinet, the Home Page will display. This page provides a snapshot of system health, filtering effectiveness, current firmware versions, subscription settings, as well as links to administration of your new system.

We strongly recommend that you create a new administrative login and change the default login password to limit access to Optinet. Select the Manage -> System Access -> Logins link to make these changes.

Using Alternative Configuration Methods

The previous sections discuss the most common steps for installing Optinet. However, there are alternative methods that can be used for initial configuration of the device as well as different modes that Optinet can accommodate. In this section, installing Optinet without the assistance of the Setup Wizard as well as Proxy Mode will be discussed.
Manual Configuration

Physical connectivity for manual configuration of Optinet can be accomplished using a cross-over cable from a local machine (such as a laptop) to either the LAN, WAN, or Management/Auxiliary (AUX) ports on Optinet. See the instructions in Connecting to Optinet on modifying your local machine IP settings to connect to Optinet.

If you wish to configure Optinet without the assistance of the Setup Wizard, or if you are pre-configuring the system for installation, the Manual Configuration settings can be accessed through the Admin -> Configuration settings screens. Simply cancel the Setup Wizard and access the settings listed in the table below. The following table shows where the network configuration information collected in Gathering Initial Information can be manually entered into the Optinet configuration pages.

Quick Start Guide Table Name        Admin -> Configuration -> Page Name
License Key                         License
IP Settings                         Setup
Total Upload/Download Bandwidth     Misc. Settings
Email Settings                      Company Settings
Remote Subnets                      Remote Subnets

Management/Auxiliary Interface

Optinet can be accessed via the Management/Auxiliary port for the initial configuration. However, the IP settings for the port will need to be different from those for the bridge interfaces (WAN and LAN ports) and cannot be an IP address found under the Remote Subnets listings.

1. Connect a cross-over cable (included in your Accessories Kit) from the Optinet Management/Auxiliary port to the network port on your workstation/laptop.
2. Write down the existing IP settings of your local workstation/laptop so that you can easily change them back when configuration is complete.
3. Change your local workstation/laptop IP settings.
You will need to change the IP settings on your local workstation/laptop to communicate with the default settings of Optinet:
• Default Management/Auxiliary IP address—10.1.1.1
• Default Subnet Mask—255.255.255.0
The suggested settings on the local workstation/laptop are the following:
• IP address—10.1.1.2
• Subnet Mask—255.255.255.0
4. From the Management/Auxiliary port, you can access Optinet via the GUI or the Text Menu (covered in the following section). If you choose to configure Optinet via the GUI, please follow the steps listed under the section Running the Setup Wizard. If you choose to configure Optinet via the Text Menu, please follow the steps listed under the next section.

Text Menu Interface

The Optinet Text Menu allows installers, system administrators, and other trained technical personnel to access the device via a text interface, similar to a Command Line Interface (CLI). While some of the basic features and options available within the Optinet web interface are also available here, most advanced technical options are only available through the GUI menus. The one exception is IP Traffic Monitor (Option 2—Utilities, Option 3—IP Traffic Monitor), which is discussed under Chapter 6: Administrating Optinet, section Diagnostic Tools tab.

Below are the supported options for accessing the Optinet Text Menu:
• Secure Shell (SSH)
• HyperTerminal (via serial connection)

The default login for all these menus is the following:
• Default User Name: menu (all lowercase)
• Default Password: blackbox (all lowercase)

Secure Shell Access

Secure Shell (SSH) access allows administrators to access the Optinet Text Menu through a secure connection. SSH applications such as PuTTY (a freeware application available from the installation CD) make it easy to use this secure method of accessing systems remotely.

1. Download PuTTY.exe from the CD.
2. Double-click on the program.
3. Enter the IP address of Optinet.
4. Leave all other settings at default.
5. Click the Open button.
Figure 2.4 PuTTY Configuration

6. Log in with the default credentials.
7. Type 1 to access the Configure IP addresses submenu.

Figure 2.5 Text Menu Interface

8. Enter the information collected in the IP Settings table under Gathering Initial Information.

Serial Access

The following section lists steps on how to connect to the Optinet Text Menu using HyperTerminal. Although there are other terminal emulators that can work with the Optinet serial connection, the steps listed below are for a workstation/laptop with Windows XP and HyperTerminal. Ensure that you have the null modem (2U systems) or USB (1U systems) cable (included with shipping materials) connected to a communication port of your local workstation/laptop and to the Optinet serial port (38.4 8N1).

1. Set up a connection using HyperTerminal (Start -> All Programs -> Accessories -> Communications -> HyperTerminal).
2. In the New Connection Description dialog, enter a name for the connection in the Name field and select an icon if you want.
3. Click the OK button.
4. In the Connect To dialog, select the COM port for the connection.
5. Click the OK button.
6. In the COM Port Properties window, select the settings that correspond to:
• Bits per second: 38,400
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None
7. Click the OK button.
8. When the main HyperTerminal screen appears, press the Enter key to confirm a connection.
9. Log in with the default credentials:
a. Default User Name: menu (all lowercase)
b. Default Password: blackbox (all lowercase)
10. Type 1 to access the Configure IP addresses submenu.
11. Type the information collected in the IP Settings table under Gathering Initial Information.

Once Optinet has been configured using an alternative method described above, you can perform the steps listed under Cutting Over in this chapter.

We strongly recommend that you change the default password for the menu account to limit access to the Text Menu.
Select Option 3—Change Menu Password under the main menu to make this change.

Proxy Mode

For full functionality of Optinet, we recommend placing the device inline with traffic. However, if you do not want to place the device inline with network traffic, or if you have users on the WAN side of Optinet that you want to filter, you can configure Optinet as a web proxy.

A web proxy is normally a server that carries out web requests for users. Typically, web traffic is routed to the server, which requests the web sites for the intended users. Optinet does likewise with a configuration called Proxy Mode. This configuration does not require Optinet to be inline with network traffic.

To use Optinet as a proxy, the device must have a network connection to the users and the Internet via the WAN or LAN port (only one has to be active). With this connection, you can then use either the Setup Wizard or an alternative method to assign the device the required IP settings. Afterwards, you must alter the connection settings of the users’ web browsers to use the IP address of Optinet as a proxy and port 8888 for browsing. (Port 8888 is the assigned port used by the Optinet filtering engine.) If Optinet has a private IP address and you want external users to use Optinet as a proxy, you may need to create a Network Address Translation (NAT) rule for Optinet.

Below are the steps on how to alter the LAN connections using IE 7 and Firefox 2. You can also alter LAN connections via Group Policy Objects (GPOs), VPN connections, or other network devices; however, these steps are not covered in the User Guide and will need to be researched independently.

Internet Explorer (IE) 7

1. Open the IE 7 web browser.
2. Click on Tools -> Internet Options.
3. Click on the Connections tab.
4. Click the LAN Settings button.
5. Under the Proxy Server section, select the checkbox for Use a proxy server for your LAN.
6. In the Address field, enter the Optinet IP address.
7. In the Port field, enter the number 8888.
8. Click OK until the settings are applied.

Firefox 2

1. Open the Firefox 2 web browser.
2. Click on Tools -> Options.
3. Click on the Advanced menu.
4. Select the Network tab.
5. Under the Connection section, click the Settings button.
6. Select the radio button next to Manual proxy connection.
7. Enter the IP address of Optinet in the HTTP Proxy field.
8. Enter the number 8888 in the Port field.
9. You may also select the checkbox Use this proxy server for all protocols if you like.
10. Click OK until the settings are applied.

Once users’ web browsers have been configured to use Optinet as a proxy, you will then need to configure Optinet to accept web requests. This setting is found under Admin -> Configuration -> Advanced Setup. Select the check box next to Allow HTTP Connections on port 8888. Don’t forget to apply the changes.

Optinet will then begin to create profiles for users as they begin to send web requests to Optinet. You can confirm this under Manage -> Directory Users & Nodes -> Network Nodes. If you have enabled Directory settings, Optinet will also create Directory Profiles (Manage -> Directory Users & Nodes -> Directory Users). You can then create groups based on the profiles for content filtering and reporting. Please see Chapter 5: Managing Optinet for steps on how to create groups.

Please note that Proxy Mode does not offer all of the functions over network traffic normally associated with the default inline mode, in particular bandwidth control and full reporting. Because network traffic is not physically passing through the Optinet bridge interface, the device can no longer confirm which applications are passing nor control bandwidth. In addition, you cannot use all of the Advanced Filtering options and HTTPS/SSL Filtering settings to ensure content filtering. With Proxy Mode you will only be able to filter web content and report on web sites visited.
As such, you will not be able to apply all Shaping Rules, nor will there be data posted under the applications reports (Report -> Applications) or users reports (Report -> Users). There will, however, be data under Internet Usage and Threats. Below is a table of all supported reports and menus with Proxy Mode (Report and Manage tabs). If a specific feature is not listed in this table, then it is not supported in Proxy Mode.

Proxy Mode Support

Report tab:
• Threats
o Spyware Overview
o Spyware Infected Users
o Spyware Threat Names
o Virus Overview
o Virus Infected Users
o Virus Threat Names
• Internet Usage
o Web Hits Overview
o Web Bandwidth Overview
o Web Hits by Network Node
o Web Bandwidth by Network Node
o Web Time Online
• System Reports
o Active Users
o CPU Utilization
o IP Connections
o Latency
o Packets per Second
o RAM Usage
• Dashboard
o Real Time URL Monitor

Manage tab:
• Policies & Rules
o Groups
o Time of Day Rules
o Internet Usage Rules: TFRS (HTTP Traffic Only) Deny Access, No Filters, Web Filter Only, Web Logging, SSL Block, and SSL Filter; Content Filtering; Advanced Filtering; HTTPS/SSL Filtering (SSL Certificate Based Content Filtering); Web Authentication
o Shaping Rules: Web Content
• Policy Manager
• Directory Users & Nodes
o Directory Users
o Directory Agent
o Network Nodes
• Broadcast Manager
• Applications
o Traffic Flow Rule Sets (HTTP Traffic Only): Deny Access, No Filters, Web Filter Only, Web Logging, SSL Block, and SSL Filter

One final note: you can configure Optinet inline with traffic and use the device as a proxy for a combination of functionality. For example, you can install Optinet inline with network traffic for internal users, and then alter web browser settings for VPN or external users to use Optinet as a proxy. This way, you gain full functionality for internal users and web filtering functionality for external users.

Configuring Port Settings

The Optinet bridge ports (WAN and LAN) by default are set to auto-negotiate for both speed and duplex settings.
This means that Optinet will negotiate with the devices that are plugged into these ports to verify their speeds and duplex mode. Normally auto-negotiation will allow Optinet to operate at 100 Mbps or above and Full-Duplex. However, you should confirm that Optinet is operating at 100 Mbps or above, Full-Duplex, and is not generating any interface errors. You can do this under Admin -> Diagnostic Tools -> Ethernet Status. Review both the WAN Port and LAN Port tabs to confirm that Optinet is operating at the correct speed and duplex. Also verify that no errors are listed under the Errors field.

If the auto-negotiated settings list a speed under 100 Mbps, a duplex mode that is not Full, or are generating errors, you may need to hard set these settings on the interfaces. You can do this under Admin -> Configuration -> Ethernet Settings.

Hard setting the Ethernet settings can cause network interruptions. Only perform these next steps when network traffic can be momentarily interrupted.

Select the speed and duplex settings you would like to hard set for the desired port(s) and press the Apply button. In addition, you may need to hard set the interface settings on the devices connected to Optinet. This will allow Fail to Wire and No Failover to work correctly. The next section will explain these options.

Configuring Cabling

In addition to confirming the port and duplex settings, you should also confirm the cables connected to Optinet. Typically, layer 3 devices connected to Optinet require a cross-over cable, while layer 2 devices connected to Optinet require straight-through cables. In a standard installation, the Optinet WAN port will connect to the firewall via a cross-over cable while the Optinet LAN port will connect to the core network switch via a straight-through cable. However, if you are installing Optinet between a firewall and the core network router, you may need cross-over cables for each port.
Also, if the devices connecting to Optinet offer Medium Dependent Interface Crossover (MDIX), which can compensate for swapped transmit and receive signals, you may be able to use straight-through cables for each port. In any case, you will want to confirm the cabling for proper negotiation for Fail to Wire or No Failover. You can confirm negotiation by reviewing the section Ethernet Status. If, after hard setting the ports, Optinet is still generating errors, you may need to change the cabling. After confirming negotiation, you should confirm Fail to Wire or No Failover by following the steps listed in the next section.

Testing Fail to Wire or No Failover

Optinet offers two options for network connectivity in case of a device failure or power loss: Fail to Wire and No Failover. Unless specified before purchase, the model of Optinet you receive will be designed for Fail to Wire. Fail to Wire allows network traffic to pass in case Optinet fails or is powered down, while No Failover stops all network traffic in case of failure or power loss. Your preference must be specified before purchasing the device as the implementation is done via hardware.

After confirming your preference and the installation of Optinet, you should perform some tests to confirm the functionality. Only perform this test when network traffic can be momentarily interrupted and you are physically next to Optinet.

Fail to Wire

Fail to Wire allows network traffic to pass in case of failure by closing a circuit between the WAN and LAN ports. However, for this to work properly, the devices connected to Optinet must be able to negotiate correctly.

1. Power off Optinet under Admin -> Utilities -> System Resets -> Hardware Shutdown. Do not power down Optinet by pulling the power cord or pressing the power button on the front bezel. These procedures should only be used when there is no other alternative for powering down the device.
2. Depending upon the devices that are connected to Optinet, the duplex settings and cabling, it may take up to 5 minutes for Fail to Wire to complete. As such, please wait up to 5 minutes after powering down Optinet completely before performing the next step.
3. Confirm by the interface LEDs that the firewall/WAN router and the core network switch are still communicating.
• Confirm that all network options are available, i.e., browse the Web, log into a remote site, etc.
• If the test is not successful, check the compatibility of port speed/duplex and cabling used on Optinet and the other devices.
4. Power on Optinet using the power button on the front bezel.
5. After waiting 5 minutes for the device to power up, log into Optinet and verify that the unit is functional.

Bypass Mode

Besides powering down Optinet, there are other scenarios that can cause Optinet to fail, i.e., running the device out of specs, hardware failure, etc. Once a failure is detected, Optinet will initiate the supported Bypass Mode (Fail to Wire or No Failover). This is indicated by the LEDs on all ports, which will blink and scroll in unison. If this happens, please contact Black Box Network Services Technical Support at 724-746-5500 or your Authorized Black Box Network Services Reseller. Diagnosing and troubleshooting the problem may require that you physically remove Optinet from the network.

No Failover

No Failover works by simply grounding the circuit between the WAN and LAN ports of Optinet. As such, when a failure is detected, no traffic will be passed from the LAN port to the WAN port, thereby denying Internet access.

1. Power off Optinet under Admin -> Utilities -> System Resets -> Hardware Shutdown. Do not power down Optinet by pulling the power cord or pressing the power button on the front bezel. These procedures should only be used when there is no other alternative for powering down the device.
2. Depending upon the devices that are connected to Optinet, duplex settings, and cabling, it may take up to 5 minutes for No Failover to complete. As such, please wait up to 5 minutes after powering down Optinet completely before performing the next step.
3. Confirm by the interface lights that the firewall/WAN router and the core network switch are not communicating.
• Confirm that all network options are unavailable, i.e., attempt to browse the Web, log into a remote site, etc.
• If the test is not successful, check the compatibility of port speed/duplex and cabling used on Optinet and the other devices.
4. Power on Optinet using the power button on the front bezel.
5. After waiting 5 minutes for the device to power up, log into Optinet and verify that the unit is functional.

As with Fail to Wire, there are other scenarios that can cause Optinet to fail besides powering down the device. If Optinet is entering No Failover unintentionally, please contact Black Box Network Services Technical Support at 724-746-5500 and/or your Authorized Black Box Network Services Reseller for diagnosis and troubleshooting.

Now that you have confirmed Fail to Wire or No Failover, let’s discuss how to navigate through the Optinet GUI.

Chapter 3: Navigating Optinet

This section contains guides and tips on how best to navigate through the Optinet Graphical User Interface (GUI). The chapter is divided into three sections:
• General Navigation
• Task Pane
• Help Pane

To access Optinet, open Microsoft’s Internet Explorer (IE) 6 or higher and enter the IP address assigned to Optinet in the address bar (Optinet only supports IE 6 and above). You should receive the login menu.

General Navigation

Once you log in to Optinet, you will be presented with the Home Page. The Home Page provides a snapshot of system health, filtering effectiveness, current firmware versions, subscription settings, as well as links to guide the administration of your system.
The Optinet navigation is divided into three tabs: Report, Manage, and Admin. Each tab presents you with different functions for Optinet. When you click on one of the tabs, the expanded menus for that tab will appear. You can then select a sub-menu under the corresponding tab for more options, which will appear as expandable selections. In general, the Report tab is used for generating reports and viewing network traffic. The Manage tab is used to create groups, content filtering rules, and shaping rules. The Admin tab is used for basic and advanced configuration of the device, as well as troubleshooting and disaster recovery.

You can navigate back between tabs and reports by using the back arrow button located next to the Admin tab. Do not use the back arrow button available on your web browser, since this will take you back to the Optinet login page. You can have multiple tabs open for ease of use by right-clicking a selection and choosing Open in new tab. Each tab color will correspond to the main menu tab color.

Figure 3.1 Optinet Navigation tabs

For large reports, group membership, or application menus, Optinet has a pagination menu that can be used to navigate to specific pages or towards the end or beginning of a series. The open box in the pagination menu allows you to view a certain page after entering the page number and clicking the Go button (the available pages are listed above the open box). You can also navigate to the next (Next) or previous (Prev) page by clicking the single arrow, or to the very end or beginning of the series by clicking the double arrows. Where available, the pagination menu will post towards the bottom of the report, membership box, or application menu.

Figure 3.2 Optinet Pagination arrows

Finally, depending upon which tasks are being performed, you may receive a communication error from Optinet. This is usually a result of services being restarted.
If you are presented with the dialog box below, select the OK button, wait 30 seconds, and attempt to access a menu. If the problem persists, you may need to log in to Optinet again.

Figure 3.3 Communication Error Dialog Box

Now that you have become familiar with general navigation, let’s explain the Tasks Pane, Help Pane, and the different navigation options available.

Tasks Pane

The Tasks Pane is located in the upper-right corner of any of the Optinet screens. The Tasks Pane lists actions or options that can be selected for the active page. Because of this, the contents displayed in the Tasks Pane will change depending on the screen currently displayed. The Tasks Pane is a great help that will post commonly accessible actions. For example, if you select a report, the Tasks Pane will list options on how to present the report, i.e., Email, Print, Export, etc. These actions are available by clicking on the icons located in the Tasks Pane. Below are listed all options presented in the Tasks Pane with the corresponding action. Please review Chapter 4: Generating Reports for more information on some of the options.

Actions
—Directory User Dashboard: Displays the Directory User Overview
—Directory User Detail: Displays Directory User Detail for the selected Directory User profiles
—Network Node Overview: Displays the Network Nodes Overview report
—Network Node Detail: Displays all details for the Network Node selected
—Re-scan Port: Re-scans profiles under Network Node Manager (Manage -> Directory Users & Nodes -> Network Nodes). Use this action when a device needs to be re-scanned due to configuration changes, i.e., new NetBIOS name, new IP address, etc.
—Re-scan Directory User Name: Re-scans profiles under Directory Users (Manage -> Directory Users & Nodes -> Directory Users). Use this action when Directory Users need to be re-scanned due to configuration changes, i.e., new domain, new groups, changed name, etc.
—Download Certificate: Downloads the SSL Certificate

Correlate by
—Category: Correlate report by Web categories visited
—Directory User: Correlate report by Directory User profiles
—File Type: Correlate report by File Types downloaded
—Group: Correlate report by Group profiles
—Host: Correlate report by Web sites (hosts) visited
—MIME Type: Correlate report by MIME Types downloaded
—Network Node: Correlate report by Network Node profiles
—None: No correlation
—Service: Correlate IM reports by IM Client service

Export
—Email: Send the report in an email
—Excel Document: Export the report or policies into Comma Separated Value (CSV) format
—Print: Print the report or policies currently displayed on screen
—XML Document: Export the report or policies into an Extensible Markup Language (XML) document

Getting Started
—Getting Started Videos: Watch tutorial videos on the corresponding topic

Related Dashboards
—Directory User Dashboard: Display all traffic reported for the Directory User selected
—Group Dashboard: Display all traffic reported for the group selected
—Network Nodes Dashboard: Display all traffic reported for the Network Node selected

Related Tasks
—View Bandwidth Report: View the amount of bandwidth consumed for the selected Web category, Web site, or profile
—View Hits Report: View the number of URL hits for the selected Web category, Web site, or profile

System Information

System Information will post the current system time. If your device does not post the correct time, you may need to adjust the Time Zone settings or the Network Time Protocol (NTP) server. Please review the sections Setup and Advanced Setup in Chapter 6: Administrating Optinet.

Help Pane

The Help Pane lists topics from the User Guide that are related to the page currently posted. For example, if you select the Application Overview report, the Help Pane will list Related Topics for the Application Overview.
You can then select the link, which will display the first page within the User Guide dealing with the Application Overview. You must have Adobe Reader installed to use the Help Pane.

The Help Pane also posts information regarding the Product Enhancement Program. The Product Enhancement Program allows Black Box Network Services to upload a small file containing anonymous configuration and system usage details as part of the scheduled update routine. This file will not contain personally identifiable information, will not be used for direct marketing, and will not impact system performance. The product details collected as part of the Product Enhancement Program may change from time to time as new features and capabilities are added to or changed in the product, but they will never include personally identifiable information. You can stop participating at any time by disabling the checkbox located in the Product Enhancement Program.

One last item under the Help Pane is the Black Box Network Services Optinet Privacy Policy. The privacy policy covers how Black Box Network Services will handle personal information collected and received with Optinet. For full details on this information, you can select the link for Black Box Network Services Optinet Privacy Policy under the Help Pane.

Lastly, the Tasks Pane and Help Pane are collapsible by selecting the collapse icon located to the right of the Tasks Pane.

Chapter 4: Generating Reports

The Report tab will present information concerning network traffic, web sites visited, and system health. This chapter is divided into each report available and also the general reporting rules that apply to each different report.
• Home Page
• General Reporting Options
• Users Tab
• Applications Tab
• Threats Tab
• Internet Usage Tab
• System Reports
• Dashboards Tab

Home Page

The first page presented under the Report tab is the Home Page.
The Home Page is divided into 5 sections: Message Center, System Notifications, Getting Started, Hardware Settings, and System. The top display will be the Message Center.

Message Center

The Message Center posts messages about firmware and software releases. The Message Center will also post important suggestions such as changing default passwords and company communications. These messages are posted by date and can be read by selecting the individual messages. Afterwards, you may delete the messages by either selecting the trash icon next to the message or by clicking the delete button inside the message.

System Notifications

System Notifications will post messages from Optinet. These messages are intended to alert the administrator of Optinet to critical configuration or incompatibility issues that may impede proper Optinet functionality. Messages such as incorrect installation, exceeded license count, or network scenarios such as asymmetrical routing that require advanced configuration will be posted here. These messages will be posted in their entirety in the System Notifications area. You may delete the messages by selecting the trash icon next to the message; however, the message may return if the problem is not resolved.

Getting Started

The Getting Started area provides you with links to the User Guide that may be helpful in beginning administration of the Optinet System.

Hardware Settings

The Hardware Settings area provides you with a summary of the Optinet hardware settings, i.e., Model, Serial number, and Device ID. This area also posts the device’s Licensed Nodes, Software Version, Last Known Updates, System Time, and expiration date of Annual Software Maintenance (ASM). ASM is used for support on your device and provides Optinet with continued updates on firmware, spyware, anti-virus, and content filtering. ASM also grants you access to Black Box Network Services Technical Support if needed.
If your ASM is not current, Optinet will not be able to update firmware, software, content filtering, spyware, or anti-virus, nor will Black Box Network Services Technical Support be available. To renew your ASM please contact Black Box Technical Support at 724-746-5500, your Authorized Black Box Network Services Reseller, or a Black Box Network Services Sales Office.

System

The System area provides you with a summary of the Optinet monitoring statistics and system information such as blocked spyware, blocked viruses, blocked web requests, and average CPU load. Totals for each parameter are displayed for the last 24 hours.

General Reporting Options

There are several options available that are universal under the Report tab. These options are Selected Date, Search, Correlated by, Result Type, Group, Network Node, Directory User, and Encryption Type. These options allow you to customize reports on any device, user, or application.

Figure 4.1 Reporting Options

For example, click on the Application Overview report (Report -> Applications -> Application Overview). This will post the top applications passing traffic through the network within the last 24 hours. However, if you would like to search for traffic from a specific device within the last 30 days, you may adjust the Selected Date and search for the device under Network Node. The report will then change to display the last 30 days for the specific device. These same options can be used for a wide variety of reports. Below are listed all available adjustments for reporting. You may also click on the different settings contained within the specific reports for a list of available options.

Selected Date

Selected Date allows you to adjust the time frame for the generated report. The options available are Last Hour, Last 24 Hours, Last 7 Days, Last Week, Last 30 Days, Last Month, Last Year, and Custom.
If you select Custom, you will be presented with a calendar that will allow you to adjust the time and days accordingly.

Search

This field will allow you to search for different sections in reports, i.e., specific web sites, categories, applications, etc. Enter the search criteria and click the Search button (or press the Enter key) for results.

Correlated by

This field allows you to link traffic reports to the most bandwidth-consuming users (Group, Directory User, and Network Nodes) for specific applications. You can also use the field to link Internet Usage reports by the most browsed web Categories, Hosts, File Types, and MIME Types.

Result Type

This field is available under Web Content reporting. This option allows you to customize web reports based on the four general areas of web sites: No Filter (all web sites requested), Allowed (web sites that have been accessed), Blocked (web sites that have been blocked), and Bypassed (web sites that were bypassed using the Bypass Password).

Group

This field will allow you to search for specific Groups. Clicking this field will populate the Select Filter Group box. Search the Available Groups list for the desired Group profile, select the profile, and click the Add button. Then click the OK button to run the report.

Network Node

This field will allow you to search for specific Network Nodes (devices on the network). Clicking this field will populate the Select Filter Network Node box. Search the Available Network Node list for the desired Network Node profile, select the profile, and click the Add button. Then click the OK button to run the report.

Directory User

This field will allow you to search for specific Directory Users. Clicking this field will populate the Select Filter Directory box. Search the Available Directory Users list for the desired profile, select the profile, and click the Add button. Then click the OK button to run the report.

Encryption Type

This field is available under Web Content reporting.
This option allows you to customize web reports to display all web requests (No Filter), typical web requests that use Hypertext Transfer Protocol (HTTP) (No Encryption), or web requests that use Secure Hypertext Transfer Protocol (HTTPS) over Secure Socket Layer (SSL). Chapter 8: Implementing HTTPS/SSL Filtering with Optinet discusses this topic in more detail.

Application Set

This field is available under Application Overview and some detail reports. This option will allow you to filter reports by Application Sets. For more information on Application Sets, please see the section Applications Tab in this chapter.

Right-Click Options

Right-click options allow you to customize reports using specific times, users, or devices. For example, to view specific applications under Application Set reports you can use right-click options to post the report. Go to Report -> Application -> Application Set Overview. This report will display all application sets passing through the network within the last 24 hours. Select an application set, and right-click on the title. You will be presented with several options that will allow you to correlate the report. Select Correlate by Application to view the exact applications within the Application Set.

Figure 4.2 Right-click Options

Selecting this option will post the specific applications being used under the application set. Using right-click options will allow you to quickly access different correlations under all reports. If you are not sure how to retrieve detailed information within a specific report, right-clicking will present you with the most common options for the report. Other right-click options available are correlations by Groups, Network Node, Directory User, etc.

Drop-Down Arrows

Another option that allows you to customize reports is the Drop-Down Arrows. Any of the reports available can be collapsed by using the Up arrow icon on the right side of the corresponding menu bar.
You can also expand an area in the Report tab using the Down arrow icon.

Bar-Pie Graph Drop-Down

Some reports allow you to choose the graph type of either Bar Graph or Pie Graph. Where this is available, you will be presented with a Drop-Down Box located in the Graph title that will make available a bar graph or pie graph for the report.

Figure 4.3 Bar-Pie Graph Drop-Down

Snapshot-Real Time Drop-Down

The Snapshot-Real Time Drop-Down Menu allows you to view selected information historically or in real time. For example, if you are reviewing the report of Web Hits by Category (Report -> Internet Usage -> Allowed), the default settings will post the results by Snapshot within the last 24 hours (historically). If you select the option of Real Time, the report will change and display actual web hits as they pass through the device at that moment. This option is found under Internet Usage reports (Report -> Internet Usage) and is a great tool for troubleshooting and identifying problematic users or web sites as they occur.

Figure 4.4 Snapshot-Real Time Drop-Down

Real Time options also allow you to correlate reports by Network Node, Directory User, Groups, and other criteria. This is useful for confirming problems immediately and preventing them with less response time. For example, if a user is attempting to visit a prohibited site, you can verify the web sites he or she is visiting right now by correlating these reports by Network Node or Directory User.

Report Recommendations

Optinet is capable of reporting on a tremendous amount of information. Active users, web sites visited, and general overviews of applications are examples of the reports most readily available. Please keep in mind that while Optinet is recording information for reporting, the device is also filtering web traffic and shaping network applications. This requires that Optinet share resources between the different operations being performed.
Because of this, priority is given to filtering and shaping so that reporting does not consume resources that may impact network performance. Optinet has a default timeout limit of five minutes for reports to complete. This is done to ensure reporting will not consume resources needed for other operations. If a report cannot complete within the five minutes, you will receive a timeout message.

If you receive a timeout message, you may alter the time limit under the Advanced Setup menu (Admin -> Configuration -> Advanced Setup -> Database Timeout). You can allocate up to 15 minutes for reports to complete. Don’t forget to Apply the changes. This will allow the database to dedicate more time to completing the report and posting the results. Nonetheless, detailed reports that span large amounts of time and cover multiple users or applications are better executed during non-peak traffic times, allowing more resources for Optinet to complete the report without running the risk of affecting network traffic or filtering and shaping rules.

In addition to running detailed reports during non-peak traffic times, you can also use Summary Tables to expedite reporting results. Summary Tables allow Optinet to summarize or condense large web reports, allowing for a faster response time with Internet Usage reports. This utility will index web reports and correlations for all reports once the option is selected. Summary Tables also decrease dependency on shared resources. To enable Summary Tables, go to Admin -> Configuration -> Advanced Setup and select the checkbox next to Enable Summary Tables. This will begin indexing web requests to allow for faster Internet Usage reporting. Please note that the Enable Summary Tables option will only begin summarizing from that point forward. If you would like to summarize previous data gathered before enabling Summary Tables, you will need to run the Conversion Utility.
The Conversion Utility will take previous data that has not been summarized and create a summary table for that information. There are three options for converting previous data: Web Request Summary Table, Level 1 Summary Table, and Level 2 Summary Table. The Web Request Summary Table will summarize all Web request data. The Level 1 Summary Table will summarize the first correlation for those reports, i.e., first correlation by Category, Host, File Type, MIME Type, Group, Directory User, and Network Node. The Level 2 Summary Table will summarize the second correlation for those reports, i.e., second correlation by Category, Host, File Type, MIME Type, Group, Directory User, and Network Node.

The Conversion Utility is located under Admin -> Configuration -> Advanced Setup -> Run Conversion Utility Now. Once selected, you will be presented with the three different levels of conversion: Web Request Summary Table, Level 1 Summary Table, and Level 2 Summary Table. You can then select the Start Conversion Now button next to each level to activate the conversion. The Conversion Utility places additional load on Optinet and may consume a large amount of processing. Because of this, we strongly recommend that you run the Conversion Utility during non-peak hours to avoid unnecessary interruptions in network traffic. Also note that you can only run one conversion at a time, and they must be done in order.

This concludes the section on general reporting options. In the next sections we will discuss the different reports for application and web traffic.

Users tab

The Users tab gives you an overview of the Internet traffic generated on your network by users. This report will display the top 25 users, devices, or groups on your network within the last 24 hours. However, this time frame is customizable, as are the sorting features. This report will display total network traffic as well as total download and upload for the corresponding criteria.
The reports available are Directory User Overview, Group Overview, and Network Node Overview. Also available under this report are Directory User Detail, Group Detail, and Network Node Detail reports. These reports are often referred to as Dashboard reports.

Dashboard Reports

Dashboard Reports are detailed reports about individual users, devices, or groups. They present all information available about the selected device, user, or group. For example, go to Report -> Users -> Network Node Overview. Under the Network Node Details legend, select any profile and click on the name. This will populate the Network Node Detail report for the particular device. Dashboard Reports display all recorded information for the profile selected. The reports available are listed below:
• Total Traffic—this traffic is the combined amount of upload and download traffic.
• Application Traffic—this traffic is the amount of bandwidth consumed for all applications.
• Uncategorized Traffic—this is traffic that Optinet does not recognize.
• Web Requests by Host—these are the host names of Web sites visited by the user, device, or group.
• Web Requests by Category—these are the categories of Web sites visited by the user, device, or group.
• Possibly Infected Spyware—these are Web sites visited or applications used by the user, device, or group that are possibly infected with spyware.
• Possibly Infected Virus—these are Web sites visited by the user, device, or group that are possibly infected with Web viruses.
• Open Ports—these are all ports in use by the user, device, or group and their corresponding service.
• Network Node Information—this report will post the Operating System (OS) as well as the assigned group for the device.

If you need more detail on an individual reporting aspect, simply select the title of the report for a more comprehensive representation.
To display dashboards for different users, devices, or groups, select the profile name located in the upper right-hand corner of the original dashboard.

Applications tab

The Applications tab displays the amount of bandwidth used by applications and application sets. These reports are presented in total downloads and uploads according to colors and amounts. When data is presented as a bar graph, the corresponding Network Node, Directory User, Group, or application will be posted next to a colored bar. When data is presented as a column graph, the most recent data is presented at the right end of the graph, with the green column representing download traffic and the blue column representing upload traffic.

Optinet identifies traffic based on application signatures. Applications can then be grouped into application sets (signature sets) of programs that perform a comparable purpose. For example, the signature set of Remote Desktop/Remote Control/X Traffic comprises the applications PC Anywhere, Citrix, GoToMyPC, Microsoft’s Remote Desktop, and many more. For a complete list of application sets, please see Chapter 5: Managing Optinet.

Also available in this tab are Custom Application Sets and Uncategorized Reports. Custom Application Sets report on traffic for which Optinet administrators have defined a custom signature. Uncategorized Reports present specific stats of applications for which Optinet does not have an explicit signature. Although Optinet may not have a signature for this traffic, the device will record the protocol used, the destination port, and the percent of bandwidth used. The application sets are listed below as bulleted items.
• Application Overview—this is a summary of bandwidth consumed by individual applications.
• Application Set Overview—this is a summary of bandwidth consumed by application sets.
• Total Traffic—this is the amount of total bandwidth consumed.
• Chat and IM—this is the amount of bandwidth consumed by Chat and IM applications.
• Databases—this is the amount of bandwidth consumed by Database applications.
• DNS/Naming/Locators—this is the amount of bandwidth consumed by DNS and other network naming applications.
• Email/Collaboration—this is the amount of bandwidth consumed by Email and services used to send email.
• FTP/File Transfer—this is the amount of bandwidth consumed by File Transfer Protocol applications.
• ICMP Traffic—this is the amount of bandwidth consumed by Internet Control Message Protocol applications.
• Games—this is the amount of bandwidth consumed by online gaming applications.
• HTTP—this is the amount of bandwidth consumed by Hypertext Transfer Protocol (Web) applications.
• NetBIOS/MS File Service—this is the amount of bandwidth consumed by Network Basic Input/Output System (NetBIOS) and other Microsoft File Service applications.
• Network Mgt/Monitoring—this is the amount of bandwidth consumed by network management applications (SNMP, NMS, etc.).
• Network Routing—this is the amount of bandwidth consumed by network routing applications (RIP, NCP, etc.).
• Network Utility—this is the amount of bandwidth consumed by network utility applications (DHCP, NSW, etc.).
• Peer 2 Peer—this is the amount of bandwidth consumed by Peer 2 Peer applications.
• Printing and Reporting—this is the amount of bandwidth consumed by printing and reporting applications.
• Proxy and Cache—this is the amount of bandwidth consumed by Proxy and cache applications.
• RPC/Remote Execution—this is the amount of bandwidth consumed by remote execution applications.
• Remote Desktop/Remote Control/X Traffic—this is the amount of bandwidth consumed by remote desktop and control applications.
• Security/Authentication—this is the amount of bandwidth consumed by security applications.
• Streaming Media—this is the amount of bandwidth consumed by streaming media (music and video) applications.
• Telnet/SSH—this is the amount of bandwidth consumed by Telnet and SSH applications.
• Uncategorized Traffic—this is the amount of bandwidth consumed by traffic that has no explicit signature set.
• VoIP and Voice Chat—this is the amount of bandwidth consumed by Voice over Internet Protocol (VoIP) and Voice Chat applications.
• VPN and Tunnel—this is the amount of bandwidth consumed by VPN and Tunneling applications.

Threats tab

The Threats tab will report and provide a detailed view of all activity in your network relating to Spyware and web viruses. These reports will present information on Spyware and Web viruses and possibly infected devices in your network. You can then use Optinet to identify possible threats before they become problematic.
• Spyware Overview—this is a summary of spyware threats that have been blocked.
• Spyware Infected Users—these are devices that may be infected with spyware.
• Spyware Threat Names—these are the names of spyware threats present on the network.
• Virus Overview—this is a summary of web viruses that have been blocked.
• Virus Infected Users—these are devices that may be infected with web viruses.
• Virus Threat Names—these are the names of web virus threats present on the network.

Internet Usage tab

The Internet Usage tab reports on all web sites requested by users. This is a great report to give a general indication of which web sites and categories users are visiting or attempting to visit. One of the reports, Web Time Online, is based on estimated values and is generated by counting the number of hits per page multiplied by the value entered in Miscellaneous Settings (Admin -> Configuration -> Misc. Settings). As with most online timers, there is no definite method for determining whether a user is actively surfing the Web or merely has a program in the background generating hits, i.e., weather report, stock ticker, or Internet radio. As such, these are estimates and not exact values.
• Web Hits Overview—this report is presented in three categories: Allowed, Blocked, and Bypassed. Allowed refers to web hits on sites that users have been allowed to visit. Blocked refers to blocked web hits on sites that users have not been allowed to visit. Bypassed refers to web hits on sites that were originally blocked but were later allowed because users entered the Bypass Password (for more information on this setting see Chapter 5: Managing Optinet). Clicking on each category will present all information pertinent to that category. For example, clicking on Allowed will show you all hits for Web categories that users were allowed to visit. This will also post the percentage in comparison to the total number of hits for the Allowed category. You can correlate this report by Host, File Type, MIME Type, Group, Directory User, and Network Node.
• Web Bandwidth Overview—this report displays how much bandwidth is being consumed by web requests. The report is presented in a format similar to Web Hits Overview (Allowed, Blocked, and Bypassed) with a column graph showing the amount of bandwidth for Web requests. This report can be modified for specific dates, correlations, result types, and other features.
• Web Hits by Network Node—this report shows the top users of web traffic in terms of hits. This report displays a bar graph showing the top users, followed by a detail view of the corresponding profiles, number of hits, and percentage of the users’ Web hits compared to total web hits.
• Web Bandwidth by Network Node—this report shows the top users of Web traffic in terms of bandwidth. This report shows you the Hardware Profile (Network Node) and its corresponding download total, upload total, total bytes, and percentage of bandwidth consumed for web traffic.
• Web Time Online—this report displays the amount of time users have spent browsing the Internet. Please remember that this report is an estimation of time spent browsing the Internet and is not an exact value.
System Reports tab

The System Reports tab reports on the actual system health of Optinet. This report posts the CPU and RAM utilization of the device. The report will also post the active connections in the network as well as requests for Directory Users. Understanding this report will allow you to schedule maintenance, plan for upgrades, and prevent problems on the network or with Optinet.
• Active Users—this report refers to active devices present on the network.
• CPU Utilization—this report refers to how much of the Central Processing Unit (CPU) Optinet is utilizing.
• Directory Agent Requests—this report lists how many requests Optinet has sent to the Directory Agent installed on your directory server. For this report to post information, Directory Users must be integrated with Optinet. Please see Chapter 7: Integrating Directory Users with Optinet for more information.
• IP Connections—this report refers to live IP flows traversing Optinet.
• Latency—this report shows in milliseconds the response time for PING requests sent from Optinet to the network’s default gateway.
• HTTP Connections—this report shows the number of connections per second to Web sites being filtered by Optinet.
• HTTP Requests—this report shows the number of Web requests per second Optinet has filtered.
• Packets per Second—this report displays the number of Internet packets per second passing through Optinet.
• RAM Usage—this report shows the amount of Random Access Memory (RAM) Optinet is using.
• SSL Connections—this report shows the number of HTTP Connections that have been established with SSL. For this report to function, Optinet must be configured for HTTPS/SSL Filtering. For more information on this feature, please see Chapter 8: Implementing HTTPS/SSL Filtering with Optinet.

Dashboards tab

The Dashboards tab presents two tools that show traffic and Web requests in real time. These tools are Real Time Monitor (RTM) and Real Time URL Monitor (RTUM).
RTM displays traffic amounts as they happen. This can be helpful in troubleshooting network problems or resolving bandwidth issues in real time. RTM will post total application traffic, both upload and download, with a legend representing distinct applications. RTM parses traffic in three-second intervals and displays the amounts accordingly.
Figure 4.5 Real Time Monitor
Figure 4.6 Real Time Monitor Legend
Another capability of RTM is the ability to correlate within the last hour to display the users consuming the most bandwidth. For example, in the diagram above RTM shows HTTP as the application with the highest amount of traffic. If you right-click on this traffic, you will be presented with the options to correlate by Directory User, Group, or Network Node.
Figure 4.7 Real Time Monitor Right-Click Options
You can then select Correlate by Network Node to confirm which devices within the last hour have consumed the highest amount of HTTP traffic. RTM can be used to diagnose a problem as it happens, allowing you to resolve the issue as soon as possible.
RTUM displays web requests as they pass through Optinet. This tool, in addition to RTM, can be used to confirm instantaneously the web sites that are being accessed, blocked, or bypassed. You can also use the different options to display the web requests for a specific Network Node, Directory User, and Group as well as the Date, Web category and Encryption Type of the request.
Figure 4.8 Real Time URL Monitor
This concludes the chapter on generating reports. The next chapter will guide you on how to manage Optinet in regards to creating groups, implementing policies, and managing devices and traffic.
Chapter 5: Managing Optinet
Optinet allows you to control and identify network traffic based on applications and users. Optinet also allows you to separate problematic users from general traffic, or problematic applications, based on different criteria, time of day, and priority.
The device can also block web sites or categories, protecting users and your network from improper content. Optinet can also allocate resources to identify proprietary traffic within your network, thus customizing the device to your specific needs. Most of these options are available under the Manage tab and are covered in this chapter:
• General Manage Options
• Policies & Rules tab
• Directory Users & Nodes
• System Access tab
• Application tab
General Manage Options
The Manage tab is where policies and the organization of users are enforced. Under this tab, you will create groups, time of day rules, content filtering rules, and shaping rules. This tab also allows you to customize traffic identification and select which devices or users will or will not be monitored. The basic principles behind the Manage tab are “Who, When, What, and How.” “Who” defines which users will be assigned to which groups. “When” defines what time during the day the rules take effect, i.e., all day, 9am to 5pm, etc. “What” defines the allowed content and applications, and “How” deals with correlating specific policies to the corresponding groups. Each menu under the Policies & Rules tab addresses one of these principles:
• Groups—who will be in the group?
• Time of Day Rules—when will the rules take effect?
• Internet Usage Rules—what web sites can group members visit?
• Shaping Rules—what applications can group members access?
• Policy Manager—how are rules correlated to groups?
As a general rule, these principles should be followed in this order. For example, once you create a group, you will then want to define a Time of Day Rule (TDR) and an Internet Usage Rule (IUR). After those steps, you will create a shaping rule and tie all the pieces together with the Policy Manager. In addition to these steps, please note that the more information you have about network traffic, the better prepared you will be to implement policies.
Because of this, it is highly recommended that you first install and run Optinet in the network for at least 24 hours before implementing any policies. Afterwards, you can review the information collected and make a more precise decision on which web sites should be blocked, which applications should be shaped, and what threats are present on the network. The more information you have, the more adept you’ll be at deciding on policies and controlling the network and users.
Policies & Rules tab
You will want to become very familiar with the Policies & Rules tab. This tab is used for creating Groups, Time of Day Rules (TDRs), Internet Usage Rules (IURs), and Shaping Rules. This is the main management tab used for almost all user organization and policy implementation with Optinet. First let’s define Groups.
Groups
Optinet has 8 groups by default for your convenience. These groups are called Optinet Groups. All users and devices are placed in the Default Group until assigned to another group. You can assign users to Optinet Groups based on several different identifiers. First let’s discuss the default Optinet Groups and their accompanying policies. Then we’ll discuss how to add members to Optinet Groups and how to create new Optinet Groups. Each group is assigned a default policy for Internet use. These policies are called Internet Usage Rules (IURs) and are covered in more detail under that section. Also, none of the default Optinet Groups has any shaping rules.
• Default Group—all users and devices are in this group by default. As such, you will not be able to add users or devices to this group, but rather you will be able to remove them from it. This is done by creating new groups and adding users or devices to those groups, or by adding them to one of the other groups. The Default Group uses the Default Usage Rules.
• Deny Access Group—members of this group will not be able to access any Internet traffic.
All web site and application traffic will be denied for this group. Users in this group will be assigned the Deny Access Usage Rules.
• Filter Bypass Group—members of this group will not be monitored or filtered by Optinet. Only bandwidth and application reporting will be recorded for members of this group. This group uses the Filter Bypass Usage Rules.
• Moderate Group—members of this group will have their web pages monitored and filtered with typical restrictions on web categories such as Adult, Shopping, Tasteless, and Obscene. Users will be prohibited from passing web traffic through proxies and from visiting proxy web sites. This group uses the Moderate Policy Rules.
• Monitor Only—members of this group will have their web pages monitored but not filtered or blocked. This group uses the Monitor Only Policy Rules.
• Monitor Only with Threat Protect Group—members of this group will have their web pages monitored but not filtered or blocked, except in the case of spyware and web viruses. This group uses the Monitor Only with Threat Protect Policy Rules.
• Permissive Group—members of this group will have their web pages monitored and filtered based on light restrictions and a limited number of blocked categories. Users will not be able to visit proxy web sites. This group uses the Permissive Policy Rules.
• Strict Group—members of this group will have their web (HTTP) traffic monitored and filtered and secure web pages (HTTPS) blocked. A broad range of categories will be blocked, as well as proxy web sites. In addition, users will not be able to pass web traffic through Open or Secure Proxies. Lastly, users will not be able to view blocked content via search engines or search engine cached pages. This group uses the Strict Policy Rules.
Now that we have described the pre-defined Optinet Groups, let’s discuss how to add members to these groups. Go to Manage -> Policies & Rules -> Groups. Select one of the Optinet Groups to which you want to add members.
Once you select a group, you will be presented with the Add/Edit Group Detail field. In this field, you can change the name of the group as well as add devices, network addresses, or specific MAC addresses to the group. Before adding members to Optinet Groups, you need to understand how Optinet identifies devices on the network. Devices can be identified by several different criteria, i.e., by MAC address, by IP address, or by VLAN, while users can be identified by Directory or user names. Because of this, Optinet allows you to configure how users will be identified depending on your network. This option is called Member Type.
When you first access the Add/Edit Group Detail field, the default Member Type of Network Node will be selected. Network Node represents devices on the network that Optinet has already discovered. These devices will be listed by their NetBIOS name (if available) or by their IP address. If you would like to add devices to Optinet Groups by Network Node, simply click the open check box next to the profiles under the Member Name column and select Add>. However, if you would like to add users to the group by different criteria, click the Select a Member Type Drop-Down Box. This will present you with the fourteen different member types listed below, which allow you to identify users based on distinctive criteria.
Please note that the member type Network Node will post devices already discovered by Optinet. If you have integrated Directory Users with Optinet, Directory User will post profiles already discovered by Optinet. All other member types will present an Enter New field that allows you to add a user manually.
• Network Node—this member type represents devices discovered by Optinet.
• Directory User—this member type represents Directory profiles discovered by Optinet.
• MAC Source—this member type represents profiles using the Media Access Control (MAC) source address of devices.
• MAC Destination—this member type represents profiles using the MAC destination address of devices.
• CIDR Block Source—this member type represents profiles using an IP source address or IP source address range listed in Classless Inter-Domain Routing (CIDR) notation.
• CIDR Block Destination—this member type represents profiles using an IP destination address or IP destination address range listed in CIDR notation.
• CIDR Block Source and Destination—this member type represents profiles using an IP source and destination address, or IP source and destination address range, listed in CIDR notation.
• VLAN—this member type represents profiles using Virtual Local Area Network (VLAN) tags.
• Protocol—this member type represents profiles using different protocols, i.e., TCP, UDP, etc.
• TOS—this member type represents Type of Service (TOS) profiles. TOS is a single-byte field in an IP packet header that specifies the service level required for the packet.
• DSCP—this member type represents Differentiated Services Code Point (DSCP) profiles. DSCP is an integer value encoded in the DS field of an IP header.
• TTL—this member type represents Time to Live (TTL) profiles. A TTL value exists in each IP packet header and determines how long the packet can traverse the network before being dropped.
• Length—this member type represents Ethernet Length profiles. Ethernet length specifies the size of the frame used within the network interface.
• CIDR Block Override—this member type represents IP addresses that you want to take precedence over any other group assignment. This member type is normally used in the Filter Bypass Group to ensure that specific IP addresses or ranges of addresses are not filtered.
Once you have added members to the pre-defined Optinet Groups, you can confirm the assignments by pressing the Save button. The pre-defined groups and any new groups you create based on the different member types are called Optinet Groups.
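The following is an added example, not Optinet’s own code, showing how a flow can be assigned to an Optinet Group from members of the member types listed above, with CIDR Block Override taking precedence over every other assignment and unmatched flows falling into the Default Group. The Flow fields, the sample members, and the first-match tie-breaking between ordinary groups are assumptions made for this illustration; the group names are the manual’s defaults.

```python
# Added example (not Optinet's own code): assign a flow to an Optinet Group by
# evaluating group members of the member types listed above. Group names are the
# manual's defaults; the sample members, the Flow fields and the tie-breaking
# between ordinary groups are assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import ipaddress

DEFAULT_GROUP = "Default Group"


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    src_mac: str = ""
    vlan: Optional[int] = None
    protocol: str = ""          # e.g. "TCP", "UDP"
    dscp: Optional[int] = None


@dataclass
class Group:
    name: str
    members: List[Tuple[str, object]] = field(default_factory=list)  # (member type, value)


def _in_cidr(cidr: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def member_matches(member_type: str, value, flow: Flow) -> bool:
    """Evaluate one group member entry against a flow."""
    if member_type == "MAC Source":
        return flow.src_mac.lower() == str(value).lower()
    if member_type in ("CIDR Block Source", "CIDR Block Override"):
        return _in_cidr(value, flow.src_ip)
    if member_type == "CIDR Block Destination":
        return _in_cidr(value, flow.dst_ip)
    if member_type == "CIDR Block Source and Destination":
        src_cidr, dst_cidr = value
        return _in_cidr(src_cidr, flow.src_ip) and _in_cidr(dst_cidr, flow.dst_ip)
    if member_type == "VLAN":
        return flow.vlan == value
    if member_type == "Protocol":
        return flow.protocol.upper() == str(value).upper()
    if member_type == "DSCP":
        return flow.dscp == value
    raise ValueError(f"member type not handled in this example: {member_type}")


def assign_group(flow: Flow, groups: List[Group]) -> str:
    """Return the name of the group the flow belongs to.

    CIDR Block Override members take precedence over every other assignment, as
    the manual states. Among ordinary members the first matching group in list
    order wins (an assumption of this example), and a flow that matches nothing
    stays in the Default Group.
    """
    for group in groups:
        for mtype, value in group.members:
            if mtype == "CIDR Block Override" and member_matches(mtype, value, flow):
                return group.name
    for group in groups:
        for mtype, value in group.members:
            if mtype != "CIDR Block Override" and member_matches(mtype, value, flow):
                return group.name
    return DEFAULT_GROUP


# Constructed sample configuration.
GROUPS = [
    Group("Strict Group", [("VLAN", 20), ("CIDR Block Source", "10.20.0.0/16")]),
    Group("Moderate Group", [("Protocol", "UDP")]),
    Group("Filter Bypass Group", [("CIDR Block Override", "10.20.5.0/24"),
                                  ("MAC Source", "00:11:22:33:44:55")]),
]

if __name__ == "__main__":
    for f in (Flow("10.20.5.7", "8.8.8.8", vlan=20),
              Flow("10.20.9.1", "8.8.8.8", vlan=20),
              Flow("192.168.1.5", "8.8.8.8", protocol="UDP"),
              Flow("192.168.1.5", "8.8.8.8", protocol="TCP")):
        print(f.src_ip, "->", assign_group(f, GROUPS))
```

The first sample flow sits in both the Strict Group’s VLAN and the Filter Bypass Group’s override block; the override wins, which is exactly why the manual recommends CIDR Block Override for addresses that must never be filtered.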
To create groups, click the Create button under the Group Manager. This will post the Choose a Group Type dialog box. You can use the previous steps to create an Optinet Group. If you would like to create groups based on Directory Users, please see Chapter 7: Integrating Directory Users with Optinet. If you want to create groups based on the different member types, you can add members to the newly created Optinet Group following the same steps listed beforehand. If you need to delete groups, you may do so with the Delete Selected button, also located under the Group Manager. If you delete groups, all members of the deleted groups will fall into the Default Group again. Now that we have defined Optinet Groups, we’ll discuss Time of Day Rules.
Time-of-Day Rules
Optinet provides the ability to configure policies based on specific times of the day. For example, if you want to block access to certain web sites during business hours but allow access to those web sites during non-business hours, you can create a Time of Day Rule (TDR). Another scenario is if you want e-mail traffic to have priority during the day but VPN traffic to have priority during the night; a TDR allows you to distinguish accordingly. Unless otherwise specified, all rules created will be in effect 24 hours a day, seven days a week. TDRs allow you to create different rules for different times of the day or different days of the week.
The first step in creating TDRs is to define the blocks of time that will separate the different policies. Afterwards, you will assign an IUR to each block of time. This later step will be covered in the section Policy Manager. Select Manage -> Policies & Rules -> Time of Day Rules. Optinet ships with two default TDRs: All Day and Business Work Week. All Day (the default TDR) enforces policies 24 hours a day, seven days a week. Business Work Week enforces policies Monday through Friday, 9am to 5pm.
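As an added example (not Optinet’s own code), the following models a TDR as per-weekday blocks of time on 15-minute boundaries, reconstructs the two default TDRs just described, and answers the question a policy engine has to answer: is this rule in effect at a given moment? The class, function names, and the representation of times as minutes since midnight are this example’s own assumptions.

```python
# Added example (not Optinet's own code): a Time of Day Rule (TDR) modelled as
# per-weekday blocks of time at 15-minute granularity, with the two default TDRs
# from this section. Class and function names are this example's own.
from datetime import datetime
from typing import Dict, List, Optional, Tuple

Block = Tuple[int, int]   # (start, end) in minutes since midnight; end exclusive, 1440 = 24:00
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def hm(hhmm: str) -> int:
    """Convert military time such as '09:00' into minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


class TimeOfDayRule:
    def __init__(self, name: str, blocks: Optional[Dict[str, List[Block]]] = None):
        self.name = name
        self.blocks: Dict[str, List[Block]] = {day: [] for day in DAYS}
        for day, day_blocks in (blocks or {}).items():
            for start, end in day_blocks:
                self.add_block(day, start, end)

    def add_block(self, day: str, start: int, end: int) -> None:
        """Add one Start Time / End Time block; blocks must fall on 15-minute boundaries."""
        if day not in DAYS:
            raise ValueError(f"unknown day: {day}")
        if start % 15 or end % 15:
            raise ValueError("start and end must be on 15-minute boundaries")
        if not 0 <= start < end <= 1440:
            raise ValueError("block must lie within one 24-hour day")
        if any(start < e and s < end for s, e in self.blocks[day]):
            raise ValueError("block overlaps an existing block")
        self.blocks[day].append((start, end))
        self.blocks[day].sort()

    def copy_from(self, src_day: str, dst_day: str) -> None:
        """Equivalent of the Copy From drop-down: reuse one day's blocks on another day."""
        self.blocks[dst_day] = list(self.blocks[src_day])

    def in_effect(self, when: datetime) -> bool:
        """True if a policy tied to this TDR applies at the given moment."""
        minute = when.hour * 60 + when.minute
        return any(s <= minute < e for s, e in self.blocks[DAYS[when.weekday()]])

    def remainder(self, day: str) -> List[Block]:
        """The rest of the 24-hour day, which Optinet separates out automatically."""
        gaps: List[Block] = []
        cursor = 0
        for s, e in self.blocks[day]:
            if s > cursor:
                gaps.append((cursor, s))
            cursor = e
        if cursor < 1440:
            gaps.append((cursor, 1440))
        return gaps


def applies(rule: TimeOfDayRule, when: str) -> bool:
    """Convenience wrapper taking an ISO timestamp such as '2009-03-04T10:30'."""
    return rule.in_effect(datetime.fromisoformat(when))


# The two TDRs Optinet ships with, as described in this section.
ALL_DAY = TimeOfDayRule("All Day", {day: [(0, 1440)] for day in DAYS})
BUSINESS_WORK_WEEK = TimeOfDayRule(
    "Business Work Week", {day: [(hm("09:00"), hm("17:00"))] for day in DAYS[:5]})

if __name__ == "__main__":
    # 2009-03-04 is a Wednesday (constructed sample timestamp)
    print(BUSINESS_WORK_WEEK.name, "in effect:", applies(BUSINESS_WORK_WEEK, "2009-03-04T10:30"))
    print("outside business hours on Mon:", BUSINESS_WORK_WEEK.remainder("Mon"))
```

The remainder() method is what lets a policy engine give the same day two different IURs: the blocks you enter get one rule, and the remainder of the day (00:00 to 09:00 and 17:00 to 24:00 for Business Work Week) gets the other.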
If you would like to alter these blocks, you may select them individually or create your own by selecting the Create button. Once you select or create a TDR, you will be presented with the Add/Edit Time of Day Detail field. Here you will give the TDR a name and a description, and define the blocks of time for the different policies. The blocks of time (presented in military time) can be separated by 15 minutes. Select the Start Time and End Time for each day and click the Add> button. Optinet will automatically separate the blocks from the rest of the day (24 hours) and post the time after saving the changes. Also, you can copy the blocks of time from one day to another by using the Copy From Drop-Down Box. Once you have selected the blocks of time for the individual days of the week, click the Save button.
The second step in creating TDRs is to assign different policies to the time blocks. This is covered under the section Policy Manager. Also, you can edit and delete any TDR by selecting it under Time of Day Rule Manager.
Now that you have created groups and TDRs, we will discuss Internet Usage Rules (IURs) and how to manage them. Internet Usage Rules (IURs) are the main content filtering components of Optinet. IURs are used to block web sites, web categories, File Types, MIME Types, and even common tactics used to bypass content filtering. First, we’ll define the general options available in all IURs, including Traffic Flow Rule Sets (TFRS). Second, we’ll list the default IURs and their associated policies. Third, we’ll give an example of how to customize IURs and other advanced policies.
Traffic Flow Rule Sets
Click on Manage -> Policies & Rules -> Internet Usage Rules -> Default Usage Rules. This screen will present the options available under Add/Edit Internet Usage Rule Sets. Towards the top will be posted the Rule Set Name and Rule Set Description, followed by the Traffic Flow Rule Set Drop-Down Box.
To correctly control and filter web traffic, you will need to understand Traffic Flow Rule Sets. Traffic Flow Rule Sets (TFRS) are the basic traffic identification and control engine within Optinet. TFRS allow you to dictate how traffic will be identified, controlled, reported, filtered, and shaped. TFRS define the content rules and implement restrictions on identified traffic for users on the network. In essence, TFRS are the controlling mechanisms that decide what types of traffic are allowed and what types are not. TFRS will be your tool for managing network traffic and reporting on it. Select the Traffic Flow Rule Sets Drop-Down Box to view the default TFRS. These are also listed below with their corresponding targets.
• Deny Access—this TFRS restricts all traffic that passes through Optinet.
• No Filters—this TFRS performs no content filtering, no web logging, no IM client logging, no spyware scanning and no virus scanning.
• Web Filter + Anonymous Proxy Guard—this TFRS performs content filtering, web logging, spyware scanning, and virus scanning for HTTP traffic (Web Filter), and prohibits HTTP traffic on any port other than port 80 or a designated proxy port (Anonymous Proxy Guard).
• Web Filter + Deny IM—this TFRS performs content filtering, web logging, spyware scanning, and virus scanning (Web Filter), and denies all IM client conversations (Deny IM).
• Web Filter + Deny IM + Anonymous Proxy Guard—this TFRS performs content filtering, web logging, spyware scanning, and virus scanning for HTTP traffic (Web Filter), denies all IM client conversations (Deny IM), and prohibits HTTP traffic on any port other than port 80 or a designated proxy port (Anonymous Proxy Guard).
• Web Filter + Deny IM + Anonymous Proxy Guard + SSL Filter—this TFRS performs content filtering, web logging, spyware scanning, and virus scanning for both HTTP traffic (Web Filter) and HTTPS traffic (SSL Filter), denies all IM client conversations (Deny IM), prohibits HTTP traffic on any port other than port 80 or a designated proxy port, and prohibits HTTPS traffic on any port other than port 443 or a designated proxy port (Anonymous Proxy Guard).
• Web Filter—this TFRS performs content filtering, web logging, spyware scanning, and virus scanning for HTTP traffic (Web Filter). This is the default TFRS for users and newly created IURs.
• Web Filter + Anonymous Proxy Guard + SSL Block—this TFRS performs content filtering, web logging, spyware scanning, and virus scanning for HTTP traffic (Web Filter), prohibits HTTP traffic on any port other than port 80 or a designated proxy port (Anonymous Proxy Guard), and prohibits all HTTPS traffic from passing through Optinet (SSL Block).
• Web Filter + Anonymous Proxy Guard + SSL Filter—this TFRS performs content filtering, web logging, spyware scanning, and virus scanning for both HTTP traffic (Web Filter) and HTTPS traffic (SSL Filter), prohibits HTTP traffic on any port other than port 80 or a designated proxy port, and prohibits HTTPS traffic on any port other than port 443 or a designated proxy port (Anonymous Proxy Guard).
• Web Filter + SSL Filter—this TFRS performs content filtering, web logging, spyware scanning, and virus scanning for both HTTP traffic (Web Filter) and HTTPS traffic (SSL Filter).
• Web Logging—this TFRS is being discontinued and is listed only for legacy support.
We recommend using Web Filter only, and leaving the blocked categories list empty, instead of enabling this TFRS.
The most important factor in configuring TFRS is deciding what needs to happen to traffic. For example, do you want to block certain web sites or categories? If so, the TFRS of Web Filter needs to be selected. Do you want to deny IM client conversations? If so, the TFRS of Deny IM must be selected. These factors will help determine the active TFRS.
Content Filtering
Now that we have defined TFRS, let’s discuss the other components of the Add/Edit Internet Usage Rule Set. Below the TFRS Drop-Down Box, you will see four tabs: Content Filtering, Advanced Filtering, HTTPS/SSL Filtering, and Web Authentication. In this section we will discuss the Content Filtering and Advanced Filtering tabs. HTTPS/SSL Filtering will be covered in Chapter 8: Implementing HTTPS/SSL Filtering with Optinet. Web Authentication is covered in Chapter 7: Integrating Directory Users with Optinet.
Content Filtering provides general choices for filtering web traffic. This tab displays Blocked Categories, Blocked URLs, White List URLs, Blocked File Types, Blocked MIME Types, and Web Authentication White List. If you would like to block a web category, e.g. Porn, select the sub-tab of Blocked Categories, click Edit Blocked Categories, and search for the Porn category under Allowed Categories. Once found, select the category, click the Add> button to move it to the Blocked Category List, and click Ok. Once you save your changes, this category will be blocked for that particular Internet Usage Rule. Below are listed general explanations of the Content Filtering tab. Appendix A through Appendix C list all options for web categories, File Types, and MIME Types.
• Blocked Categories—this sub-tab lists all web categories selected for blocking. They range from Adult and Porn to Online Communities and Shopping.
To add categories to the Blocked Category list, select the Blocked Category sub-tab and click the Edit Blocked Categories button.
• Blocked URLs—this sub-tab allows you to enter a specific Universal Resource Locator (URL) address to be blocked. There are three compare strings that can be used to enter Blocked URLs: URL-Regular Expression, URL, and Domain.
o URL-Regular Expression—this compare string uses regular expressions to block web sites. A regular expression (regex) is a method of describing a string of text using metacharacters or wildcard symbols. To use URL-Regular Expression, you will need to understand the functions of regular expression metacharacters. URL-Regular Expression supports POSIX Basic and Extended Regular Expressions. A full explanation of the syntax for a Regular Expression rule is beyond the scope of this document. To add a URL-Regular Expression to the Blocked URL list, select the Blocked URLs sub-tab, click on the Edit the Blocked URLs button, and choose the URL-Regular Expression setting from the Compare String drop-down box. Enter the URL-Regular Expression, click the Update button and then the Ok button.
o URL—this compare string looks for an exact URL match. Use this compare string to block specific web pages where an exact match is necessary. For example, an entry of myspace.com/forums will block MySpace’s forum web page, but not necessarily other MySpace web pages. However, you can use an asterisk symbol (*) as a wildcard with the compare string of URL. For instance, an entry of http://www.myspace.com* will block any web page whose address begins with http://www.myspace.com. To add a URL to the Blocked URL list, select the Blocked URLs sub-tab, click on the Edit the Blocked URLs button, and choose the URL setting from the Compare String drop-down box. Enter the URL, click the Update button and then the Ok button.
o Domain—this compare string looks for any web page that begins with the domain name of the web site.
Use this compare string to block web sites where the domain name is constant in the URL. For example, an entry of myspace.com will block all of MySpace’s web pages. You can also use an asterisk symbol (*) as a wildcard with the compare string of Domain. For instance, an entry of *myspace.com will block any web page that has myspace.com in the domain name, regardless of http, https, or www. To add a Domain to the Blocked URL list, select the Blocked URLs sub-tab, click on the Edit the Blocked URLs button, and choose the Domain setting from the Compare String drop-down box. Enter the domain name, click the Update button and then the Ok button.
o Legacy Keyword Mode—this keyword string was used as a general match string under firmware releases 8.3.4 and earlier. It has now been replaced by the stronger compare strings above. This compare string should only be used to accommodate upgrades from earlier releases until the entries can be reclassified using the compare strings above.
• White List URLs—this sub-tab allows you to “whitelist”, or allow users to access, specific web sites. These fields are mostly used when there is a conflict with another rule. For example, if you choose to block the web category of Search Engines and Portals but want to allow Google searches, you would add Google to the White List, which will override the blocked category. White List URLs override blocks from all policies except for web sites under Blocked URLs and non-HTTP traffic. White List URLs follow the same compare strings as Blocked URLs.
Other settings available in the Content Filtering tab are the Import and Export options, Remove Selected Rows, Remove All Rows, and Edit Selected Rows under Blocked URLs and White List URLs. The Import and Export options allow you to import or export a plain text (.txt) version of your Blocked URLs and White List URLs, allowing you to back up your lists or share lists between multiple IURs.
By selecting either option, you will be presented with a Browse utility, where you can direct Optinet to import or export the plain text file. Remove Selected Rows and Remove All Rows allow you to remove selected entries, or all entries, in the Blocked URLs and White List URLs. Edit Selected Rows permits manual editing of selected entries.
• Blocked File Types—this sub-tab lists all File Types that can be blocked for download. To add File Types to the Blocked File Type list, select the Blocked File Type sub-tab and click the Edit File Types button.
• Blocked MIME Types—this sub-tab lists all Multipurpose Internet Mail Extensions (MIME) types available that can be blocked for download. To add MIME Types to the Blocked MIME Types list, select the Blocked MIME Type sub-tab and click the Edit MIME Types button.
• Web Authentication White List—this sub-tab is defined in Chapter 7: Integrating Directory Users with Optinet.
Advanced Filtering
Click on Manage -> Policies & Rules -> Internet Usage Rules -> Default Usage Rules. Once this populates the Add/Edit Internet Usage Rule Set, click the Advanced Filtering tab. The Advanced Filtering tab presents complex selections that offer more stringent policy control for content filtering. Some options are selected by default for security reasons; however, you can enable or disable any of these options depending upon your requirements.
Spyware
• Enable Spyware URL Blocking—this setting scans web requests for URLs known to host spyware.
• Enable Spyware MD5 Blocking—this setting scans web traffic for known Message-Digest algorithm 5 (MD5) matches used for spyware downloads.
• Enable Spyware ClassID Blocking—this setting scans HTML pages for Class IDs (identification tags associated with ActiveX or OLE objects) known to host spyware.
Anti-Virus
• Enable Anti-Virus Blocking—this setting scans web traffic for web pages that are infected with viruses.
• Enable Anti-Virus Email Alert Email Address—this setting allows the administrator of Optinet to receive an e-mail alert if a user attempts to download a web virus. For this setting to work, the Technical Admin Name and Technical Admin E-mail fields under the Miscellaneous tab must be completed (Admin -> Configuration -> Misc. Settings).
Filter Avoidance
• Enable Filter Avoidance IP Lookup—this setting associates proxy web sites with their IP addresses and prevents users from entering those addresses into web browsers.
• Enable Filter Avoidance Real-Time Filter—this setting performs a real-time scan on web sites to validate whether the web page is hosting proxy services.
• Enable Filter Avoidance Deep HTTP Inspection—this setting scans the content of web pages retrieved through a proxy web site.
Filter Bypass
• Enable Bypass—this setting allows users to access a web site that is normally blocked by entering the correct password listed in the Bypass Password setting.
• Bypass Password—this setting holds the password that will be used with the Enable Bypass setting.
• Bypass Timeout (in minutes)—this setting specifies exactly how long a user can access a blocked web site using the Enable Bypass setting.
• Enable Filter Bypass on a Per-IP Address Basis—this setting allows users to bypass all web sites that are normally blocked instead of just a single blocked web site. Enable Filter Bypass on a Per-IP Address Basis uses the same password and timeout as the Enable Bypass setting.
Web Policy
• Enable Anonymous Browse Mode—this setting continues to block users from prohibited web sites; however, browsing history for these users will not be reported.
• Enable Safe Search Protection for Search Engines—this setting forces search engines to use “safe search”, which prevents search engines from posting inappropriate results.
The supported search engines for this setting are Google, Yahoo!, Ask, MSN, Hotbot, AOL, AlltheWeb, AltaVista, Lycos, and Netscape.
• Block Search Engine Cached Pages—this setting allows you to block cached pages from search engines, i.e., binoculars, Google Image search, etc.
• Allow ONLY White List URLs—this setting prohibits users from visiting web sites that are not specifically listed in the White List.
• Apply White List to Referring URLs—this setting allows white-listed web sites to post all page objects, i.e., banners, images, etc., that are referred to within the web site, regardless of the original hosting site.
• Add X-Forwarded-For to HTTP header—this setting instructs Optinet to forward original host information when Enhanced Bridging Mode (EBM) is disabled. See Chapter 6: Administrating Optinet for more information.
• Real-Time Filter—this setting instructs Optinet to analyze content on web pages in real time for better categorization and identification.
• Enable Reverse DNS Lookups—this setting prohibits users from browsing blocked web sites via IP addresses instead of domain names.
• Block IP Address URLs—this setting prohibits users from browsing any web site via an IP address instead of a domain name.
• Allow Non-HTTP Traffic Through the Web Filter—this setting allows non-HTTP traffic to pass through port 80 or the designated parent proxy port for web traffic.
• Non-HTTP Traffic Socket Timeout (in minutes)—this setting allows you to set a time limit in minutes for how long non-HTTP traffic can pass through port 80 or the designated parent proxy port for web traffic.
• Force HTTP v1.0—this setting allows you to force web browsers to use HTTP version 1.0. HTTP v1.0 is the first protocol revision for HTTP traffic and is still in wide use, especially by proxy servers.
Again, you can disable or enable any of these options by selecting the sub-tab of each selection and then checking the check box next to the setting.
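As an added example (not Optinet’s own code), the following implements the three Blocked URL and White List compare strings described under the Content Filtering tab, and the precedence the manual gives between Blocked URLs, White List URLs and Blocked Categories, together with the Allow ONLY White List URLs and Block IP Address URLs settings from the Web Policy list above. Python’s re module stands in for the POSIX regular expressions the appliance uses; how a URL entry without a scheme is compared to a request, how Domain treats subdomains, and where Block IP Address URLs sits relative to the White List are assumptions of this example, as are all class and function names.

```python
# Added example (not Optinet's own code): the three Blocked URL / White List
# compare strings described above, and the precedence between Blocked URLs,
# White List URLs and Blocked Categories (plus two Web Policy settings). Python's
# re module stands in for POSIX regular expressions; how a URL entry without a
# scheme is normalised, and how Domain treats subdomains, are assumptions.
import re
from ipaddress import ip_address
from typing import Iterable, Optional, Set, Tuple
from urllib.parse import urlsplit


def _wild(pattern: str, text: str) -> bool:
    """'*' matches any run of characters; nothing else in the entry is special."""
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), text) is not None


def _split(url: str):
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    return parts, host


def _is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


class UrlRule:
    COMPARE_STRINGS = ("URL", "Domain", "URL-Regular Expression")

    def __init__(self, compare: str, entry: str):
        if compare not in self.COMPARE_STRINGS:
            raise ValueError(f"unknown compare string: {compare}")
        self.compare, self.entry = compare, entry
        self.regex = re.compile(entry) if compare == "URL-Regular Expression" else None

    def matches(self, url: str) -> bool:
        parts, host = _split(url)
        if self.compare == "Domain":
            if "*" in self.entry:
                return _wild(self.entry.lower(), host)
            domain = self.entry.lower()
            return host == domain or host.endswith("." + domain)   # assumption: subdomains included
        if self.compare == "URL":
            # assumption: an entry such as 'myspace.com/forums' is compared to the
            # request with the scheme and a leading 'www.' removed
            bare_host = host[4:] if host.startswith("www.") else host
            bare = bare_host + parts.path + ("?" + parts.query if parts.query else "")
            candidates = (url, bare)
            if "*" in self.entry:
                return any(_wild(self.entry, c) for c in candidates)
            return self.entry in candidates
        return self.regex.search(url) is not None


class InternetUsageRule:
    def __init__(self, blocked_urls: Iterable[UrlRule], white_list: Iterable[UrlRule],
                 blocked_categories: Set[str], allow_only_white_list: bool = False,
                 block_ip_address_urls: bool = False):
        self.blocked_urls = list(blocked_urls)
        self.white_list = list(white_list)
        self.blocked_categories = set(blocked_categories)
        self.allow_only_white_list = allow_only_white_list
        self.block_ip_address_urls = block_ip_address_urls

    def decide(self, url: str, category: Optional[str] = None) -> Tuple[str, str]:
        """Return ('BLOCK' | 'ALLOW', reason) for a web request whose category is known."""
        for rule in self.blocked_urls:           # Blocked URLs cannot be overridden
            if rule.matches(url):
                return "BLOCK", f"Blocked URLs ({rule.compare}: {rule.entry})"
        if any(rule.matches(url) for rule in self.white_list):
            return "ALLOW", "White List URLs"    # overrides categories and the settings below
        if self.allow_only_white_list:
            return "BLOCK", "Allow ONLY White List URLs"
        _, host = _split(url)
        if self.block_ip_address_urls and _is_ip(host):
            return "BLOCK", "Block IP Address URLs"
        if category in self.blocked_categories:
            return "BLOCK", f"Blocked Categories ({category})"
        return "ALLOW", "no rule matched"


# Constructed sample IUR: MySpace blocked by domain, one forum page blocked exactly,
# Google white-listed while the Search Engines and Portals category is blocked.
SAMPLE_IUR = InternetUsageRule(
    blocked_urls=[UrlRule("Domain", "*myspace.com"), UrlRule("URL", "http://example.com/forums")],
    white_list=[UrlRule("Domain", "google.com")],
    blocked_categories={"Search Engines and Portals", "Porn"},
    block_ip_address_urls=True,
)

if __name__ == "__main__":
    for url, cat in (("https://www.myspace.com/home", "Online Communities"),
                     ("http://www.google.com/search?q=optinet", "Search Engines and Portals"),
                     ("http://www.bing.com/", "Search Engines and Portals"),
                     ("http://10.0.0.5/", None)):
        print(url, "->", SAMPLE_IUR.decide(url, cat))
```

The ordering in decide() is the point worth checking in any content filter: a White List entry rescues a site from a blocked category, but it never rescues a site that is also on the Blocked URLs list, and an exact URL entry without a wildcard matches only that one page.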
Again, don’t forget to Save your changes. If you create a new IUR, the following table lists the default settings. All other options will be disabled.
New IUR Default Settings
  TFRS: Web Filter
  Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
  Anti-Virus: Enable Anti-Virus Blocking
  Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
  Web Policy: Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)
Now that you are familiar with both the Content Filtering and Advanced Filtering tabs, let’s discuss the default Internet Usage Rules and how to create a new one.
Internet Usage Rules
Optinet has 8 default Internet Usage Rules (IURs). These IURs correspond to the default groups available with Optinet. Remember that the method is to create a group and then assign that group an IUR. Because Optinet has 8 default groups, 8 matching IURs are also available. The following are the pre-defined IURs and their settings.
Default Usage Rules are the default settings for all users unless configured otherwise. By default, this IUR will log and filter only HTTP traffic. This IUR will not block any web sites, File Types, or MIME Types except spyware and viral web sites. The following table lists all filtering options for the Default Usage Rules.
Default Usage Rules
  TFRS: Web Filter
  Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
  Anti-Virus: Enable Anti-Virus Blocking
  Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
  Web Policy: Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)
Deny Access Policy Rules denies all web traffic and cannot be altered.
Filter Bypass Policy Rules allows all network traffic to pass and only reports on bandwidth and applications used. This IUR cannot be altered.

Moderate Policy Rules provides typical restrictions on common web categories and also blocks several file types. In addition, this IUR has some advanced filter avoidance options selected as well as a TFRS that blocks anonymous web surfing for HTTP traffic. The following table lists all filtering options for this IUR.

Moderate Policy Rules
TFRS: Web Filter + Anonymous Proxy Guard
Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Blocked Categories: Adult, Cheating and Plagiarism, Crime, Criminal Related, Cults, Dating, Filter Avoidance, Gambling, Hacking, Hate Speech, Illegal Drugs, Job Search, Lingerie, Non-sexual Nudity, Online Communities, Peer File Transfer, Porn, Shopping, Tasteless or Obscene, Vice, Violence, and Weapons
Blocked File Types: bat, cab, cmd, com, dll, ed2k, emo, exe, ini, iso, lnk, torrent, wmf
Anti-Virus: Enable Anti-Virus Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Enable Safe Search Protection for Search Engines, Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)

Monitor Only Policy Rules are intended for users that will only be monitored and not filtered for web traffic. The following table lists all filtering options for this IUR.
Monitor Only Policy Rules
TFRS: Web Filter
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)

Monitor Only with Threat Protection Policy Rules are intended for users that will only be monitored and not blocked, except in the case of spyware and web viruses. The following table lists all filtering options for this IUR.

Monitor Only with Threat Protection Policy Rules
TFRS: Web Filter
Spyware: Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Anti-Virus: Enable Anti-Virus Blocking
Web Policy: Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)

Permissive Policy Rules are designed for users who are given more leniency regarding the web sites they can visit and the file extensions they can download. Web traffic will be monitored and filtered. The following table lists all filtering options for this IUR.
Permissive Policy Rules
TFRS: Web Filter
Anti-Virus: Enable Anti-Virus Blocking
Blocked Categories: Adult, Filter Avoidance, Hacking, Hate Speech, Illegal Drugs, Lingerie, Porn, Tasteless or Obscene, Vice, Violence, and Weapons
Spyware: Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)

Strict Policy Rules are intended for users who will have stringent rules applied to Web browsing as well as file downloads. Users in this group will have HTTP monitored and filtered and HTTPS traffic blocked outright (the Web Filter inspects HTTP only, so SSL Block is how HTTPS is controlled). Below is the table with all filtering options.

Strict Policy Rules
TFRS: Web Filter + Anonymous Proxy Guard + SSL Block
Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Blocked Categories: Adult, Alcohol and Tobacco, Cars and Motorcycles, Cheating and Plagiarism, Crime, Criminal Related, Cults, Dating, Filter Avoidance, FYI, Gambling, Games, Hacking, Hate Speech, Illegal Drugs, Instant Messaging, Job Search, Lingerie, Lottery and Sweepstakes, Non-mainstream, Non-sexual Nudity, Online Communities, Online Trading, Peer File Transfer, Porn, Real Estate, Sex Ed and Abortion, Shopping, Sports and Recreation, Streaming Media, Tasteless or Obscene, Tattoos, Vice, Violence, Weapons, Web Messaging, Web-based Chat, Web-based Email
Blocked File Types: aac, adp, aiff, asx, avi, bat, cab, cmd, com, dll, dmg, ed2k, emo, exe, flac, flv, fpt, ini, iso, kmz, lit, lnk, log, m3u, m4a, mid, midi, moov, mov, mp3, mp4, mpeg, mpg, mpu, msi, mst, ogg, ogm, pab, pls, qt, ra, ram, rm, torrent, wav, wma, wmf, wmv
Anti-Virus: Enable Anti-Virus Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Enable Safe Search Protection for Search Engines, Block Search Engine Cached Pages, Real-Time Filter, Enable Reverse DNS Lookups, Block IP Address URLs

Again, these are the default IURs, available for ease of use. You may simply add users to these groups for the policy to apply. You can also alter all default IURs except for Deny Access Policy Rules and Filter Bypass Policy Rules by selecting the individual IURs under Internet Usage Rule Manager. If you would like to create your own IUR, select the Create button under Internet Usage Rule Manager.

Shaping Rules
Shaping Rules allow you to "shape" network bandwidth for applications, users, and web sites. In essence, Shaping Rules allow you to cap or restrict bandwidth for specific users or applications on the network. These rules also allow you to shape bandwidth to web sites as well as assign priority levels for all traffic. Through Shaping Rules, you can control and manage network traffic to ensure that critical users and applications have complete access to the Internet and network resources.

Optinet has no default shaping rules. As such, you will need to create them under the Shaping Rule Manager (Manage -> Policies & Rules -> Shaping Rules). Here you will be presented with three tabs: Group, Application, and Web Content. Group shaping rules manage total bandwidth for users and groups. Application shaping rules administer bandwidth for specific application sets, i.e., P2P, Streaming Media, VoIP, etc. Web Content shaping rules control bandwidth for specific web sites, web categories, File Types, and MIME Types. To create shaping rules, you must first enter a name under Shaping Rule Detail. Afterwards, you can select the different tabs for each corresponding shaping rule. Please remember that shaping rules are restrictions. This means that Optinet will not allow a group, application, or web content to exceed the bandwidth assigned.
These rules do not ensure that traffic will reach a certain amount, but rather that it will not go beyond the restriction. Think of shaping rules as a ceiling and not a floor. Because of this, many users and applications may not need a shaping rule unless they pose a threat to the network or are known consumers of bandwidth. A good practice is to install Optinet in the network and have it report on users and applications before implementing shaping rules. Knowing what types of traffic are passing in the network, and in what amounts, will help in creating a better shaping rule. When you decide to implement a shaping rule, keep in mind the points listed below.

• All shaping rules have three settings: Max Upload, Max Download, and Priority Level. Max Upload refers to traffic passing from the LAN port to the WAN port of Optinet. Max Download refers to traffic passing from the WAN port to the LAN port of Optinet. Priority refers to the precedence level assigned to the traffic. The options are Highest, Higher, High, Default, Low, Lower, and Lowest.
• Group shaping rules restrict total bandwidth for all users within a group. This means that if you apply Application shaping rules as well as Web Content shaping rules for the same group, those amounts must not exceed the Group shaping rule.
• Group shaping rules are divided dynamically between active members. For example, if only one member of a group with a 1 Mbps shaping rule is active, that member can use up to the full 1 Mbps. If a second member becomes active, Optinet divides the restriction and caps each member at 500 Kbps, and so on as the number of active members changes.
• The percentages of traffic shown in the Drop-Down Boxes for all tabs are calculated from the Available Upload Bandwidth and Available Download Bandwidth listed under Miscellaneous Settings.
The default for both values is 5000 Kbps, and Optinet will restrict traffic to that amount. If you have not adjusted these values to match your link, please do so during the Setup Wizard or under the Miscellaneous Settings (Admin -> Configuration -> Misc. Settings). Please note that the amounts listed under Available Upload and Available Download in Miscellaneous Settings restrict total traffic through Optinet, so make sure they are the correct amounts for your network.
• If you choose to enter a custom amount for the upload and download restrictions, remember that this amount is entered in kilobits per second (Kbps). You will need to convert your bandwidth into this unit (Optinet counts 1024 Kbps as 1 Mbps).
• There are two application sets that you probably should not restrict: HTTP and Uncategorized. The HTTP application set correlates to all web-based traffic, including regular web browsing. Because this application set is used more than any other, we recommend that you do not set a highly stringent shaping rule for HTTP. The Uncategorized application set correlates to network traffic for which Optinet does not have an explicit signature. These applications could be proprietary, recent, or uncommon. This application set could also include traffic that is very important, such as a custom accounting application or an unrecognized VoIP system. Because of this, we strongly recommend that you do not disable this traffic or create a strict shaping rule for it.
• Priority levels are only used when there is not enough bandwidth to complete requests for active users or applications.
For example, if you have two shaping rules, 1 Mbps for VPN with a High priority level and 1 Mbps for P2P with a Low priority level, and there is not enough bandwidth to satisfy both, Optinet will restrict P2P below its 1 Mbps cap to allocate more bandwidth to VPN.
• There can be some variance between shaping rules and reporting, especially with P2P and Streaming Media, because of how the initial communications for these applications take place. For example, BitTorrent negotiates on random ports and may be classified as Uncategorized until data begins to pass. Once data passes, Optinet can identify BitTorrent as P2P and will report all traffic for the flow, including the initial connections. However, the shaping rule for BitTorrent does not take effect until the traffic is confirmed as P2P, normally after those initial connections. Below are some general expectations for the variance:
o Shaping rules under 256K can have up to 20% difference in reporting
o Shaping rules under 1M can have up to 10% difference in reporting
o Shaping rules under 5M can have up to 5% difference in reporting
• If you choose to shape a web URL, use general phrases. For instance, to shape traffic to the web site YouTube, enter the phrase youtube instead of http://www.youtube.com.
• Web Content shaping rules take precedence over Application shaping rules, and traffic matched by both is reported jointly. For example, if you have an Application shaping rule for Streaming Media at 1 Mbps and a Web Content shaping rule for YouTube at 1 Mbps, the Web Content shaping rule applies to YouTube traffic while the Application shaping rule does not. Reporting for the Streaming Media application set will then show Streaming Media traffic combined with YouTube traffic (up to 2 Mbps). To ensure that Streaming Media as a whole does not exceed a specific amount, balance the Application rule against the Web Content shaping rules designated for Streaming Media web sites.
• All changes to shaping rules flush the Optinet forwarding plane. The forwarding plane is the architecture that decides how to handle packets arriving on the LAN interface, i.e., applying shaping rules, denying traffic, etc. Flushing the forwarding plane drops all connections and reassigns traffic accordingly. Because of this, we recommend that you only make changes to shaping rules during off-peak hours.

Once you have created a shaping rule, don't forget to Save the changes. Also remember that shaping rules are not active until you assign them to a group in the Policy Manager.

Policy Manager
The Policy Manager correlates all policies to groups. That is to say, all the rules you have created under Time-of-Day Rules, Internet Usage Rules, and Shaping Rules will need to be assigned to groups using the Policy Manager. The default groups Optinet offers have already been assigned their corresponding Internet Usage Rules under the Policy Manager. In addition, the default groups use the default Time-of-Day Rule (TDR) of 24 hours a day, 7 days a week. However, if you would like to change their Internet Usage Rule or TDR, you can do so for all groups except the Deny Access Group and the Filter Bypass Group with the Policy Manager. The Policy Manager also allows you to assign shaping rules to groups.

Click on Manage -> Policies & Rules -> Policy Manager -> Default Group. This will post the Add/Edit Policy. Presented here are two tabs: Single Rule Set and Multiple Rule Set. The Single Rule Set is used for Internet Usage Rules that will apply 24 hours a day, 7 days a week. The Multiple Rule Set is used for Internet Usage Rules that will use different blocks of time from TDRs. Under the Single Rule Set tab, select the Drop-Down Box for Internet Usage Rule Set. This will present you with all available IURs created under Internet Usage Rules. You may do the same for shaping rules under the Drop-Down Box for Shaping Rule Set.
Once you have chosen an IUR and Shaping Rule for the group, select Save.

The Multiple Rule Sets are used for assigning different IURs and Shaping Rules to time blocks created under TDRs. Click on Manage -> Policies & Rules -> Policy Manager -> Default Group -> Multiple Rule Sets. This tab will post a weekly calendar. Select the day of the week you will be assigning the time blocks. Towards the bottom will be a Time-of-Day Rule Set Drop-Down Box. Select this box and choose the TDR you have created. This will populate the time blocks created. Next, for each time block, assign an Internet Usage Rule Set and a Shaping Rule that will be active for the time specified. Repeat these steps for each day of the week (you may use the Copy button) and select the Save button.

Once you complete these steps, Group membership, Time-of-Day Rules, Internet Usage Rules, and Shaping Rules will be active for devices and users. Remember to always use this method when creating groups and policies: create Groups, create Time-of-Day Rules, create Internet Usage Rules, create Shaping Rules, and tie them all together with the Policy Manager. Next we'll discuss the other options available under the Manage tab.

Directory Users & Nodes
Optinet can track Internet traffic by devices (Network Nodes) and by username (if Directory integration has been enabled). Once a device or user is discovered, Optinet will create a profile and list it accordingly under Directory Users & Nodes. These profiles (devices or users) will then be available for group membership assignment under the Group menu (Manage -> Policies & Rules -> Groups). Directory Users & Nodes lists three separate options: Network Nodes, Directory Users, and Directory Agent. Network Nodes will list devices discovered by Optinet, while Directory Users will list Directory profiles. Directory Agent will list agents you have created for your directory servers.
These topics are covered in more detail under Chapter 7: Integrating Directory Users with Optinet.

Network Nodes
Click Manage -> Directory Users & Nodes -> Network Nodes. This will post the Network Node Manager, which lists all devices (Network Nodes) discovered by Optinet. Optinet discovers these devices by examining network traffic as it passes through the bridge interface. Once a unique device is discovered, Optinet port scans it to retrieve several pieces of information for the profile, i.e., NetBIOS name, Internet Protocol (IP) address, Operating System (OS), Media Access Control (MAC) address, and open ports. Optinet will also list the scan status and the date the profile was created. Optinet performs this scan with the Network Mapper (Nmap) utility. For Nmap to retrieve these pieces of information successfully, some options may need to be permitted on the network (listed below):
• UDP port 137
• Client for Microsoft Networks
• NetBIOS over TCP/IP
• Samba configured to respond to NetBIOS queries
• DNS entries for Macintosh computers
• Simple Network Management Protocol (SNMP) for Macintosh computers

If, after enabling these settings, you need to rescan profiles for missing or changed information, you can select the profiles under Network Node Manager and click Re-scan port under the Tasks pane. The Scan Status for the selected profiles will then list Pending. After several minutes, the profile will be updated with the missing or changed information. If Optinet still cannot retrieve the missing or changed information after a rescan, you can select the profile and change the profile name manually. Don't forget to Save your changes afterwards.

If you have profiles listed under the Network Node Manager, click on one to see the information gathered for each device on the network.
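The guide does not document which Nmap options Optinet uses, so as an added example (not the appliance's own code) here is the part of the profile-building step that can be reproduced with Nmap alone. The XML below is a constructed sample of `nmap -sS -O --script nbstat -oX -` output for two hosts (the nbstat script is what retrieves the NetBIOS name over UDP port 137, which is why that port is on the list above), and parse_profiles turns it into the same fields the Network Node Manager lists. The function names and the profile dictionary layout are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sS -O --script nbstat -oX - <subnet>` output (not a
# real scan): a workstation that answered the NetBIOS query on UDP/137, and a
# printer that did not.  Every profile field (NetBIOS name, IP, OS, MAC, open
# ports) is recoverable from this document.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -O --script nbstat -oX - 192.168.1.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <address addr="00:1A:2B:3C:4D:5E" addrtype="mac" vendor="Dell"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed" reason="reset"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="97"/></os>
    <hostscript>
      <script id="nbstat" output="NetBIOS name: WS-ACCT01, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 00:1a:2b:3c:4d:5e (Dell)"/>
    </hostscript>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.50" addrtype="ipv4"/>
    <address addr="00:60:B0:AA:BB:CC" addrtype="mac" vendor="Hewlett-Packard"/>
    <ports>
      <port protocol="tcp" portid="515"><state state="open" reason="syn-ack"/><service name="printer"/></port>
      <port protocol="tcp" portid="9100"><state state="open" reason="syn-ack"/><service name="jetdirect"/></port>
    </ports>
    <os><osmatch name="HP LaserJet printer" accuracy="90"/></os>
  </host>
</nmaprun>
"""

_NB_NAME = re.compile(r"NetBIOS name:\s*([^,]+)")
ZERO_MAC = "00:00:00:00:00:00"   # what a profile learned across a router shows


def parse_profiles(xml_text):
    """Turn nmap XML into the per-device profile the Network Node Manager shows."""
    profiles = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr").lower()
        open_ports = sorted(
            (int(port.get("portid")), port.get("protocol"),
             port.find("service").get("name") if port.find("service") is not None else "")
            for port in host.iter("port")
            if port.find("state").get("state") == "open"
        )
        osmatch = host.find("os/osmatch")
        nb_script = host.find("hostscript/script[@id='nbstat']")
        nb_name = None
        if nb_script is not None:
            match = _NB_NAME.search(nb_script.get("output", ""))
            if match:
                nb_name = match.group(1).strip()
        profiles.append({
            # Scan Name convention from the guide: NetBIOS name plus current IP, else just the IP
            "name": f"{nb_name} ({ip})" if nb_name else ip,
            "ip": ip,
            "mac": mac or ZERO_MAC,   # nmap only sees a MAC address on the local segment
            "os": osmatch.get("name") if osmatch is not None else "unknown",
            "open_ports": open_ports,
            "netbios_name": nb_name,
        })
    return profiles


def needs_rescan(profile):
    """Profiles still missing a NetBIOS name or an OS guess are the ones to re-scan
    once UDP/137 and NetBIOS over TCP/IP have been permitted."""
    return profile["netbios_name"] is None or profile["os"] == "unknown"
```

needs_rescan picks out the profiles worth a Re-scan once the prerequisites listed above are in place. A printer will still not answer a NetBIOS query, so it stays listed by IP address only, which is one reason such devices end up as candidates for unlicensing later in this section.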
The first information posted is the Scan Name (the NetBIOS name, if available, accompanied by the current IP address), Operating System (OS), Detected OS, and MAC address. Below that are two settings: Ignore multiple IP Addresses from this Network Node and Treat IPs as Remote Subnets from this Network Node.

Ignore multiple IP Addresses from this Network Node can be used when Optinet identifies a single MAC address being used by multiple IP addresses. This behavior is typical in an asymmetrically routed network. Because profiles are created by MAC address, Optinet can sometimes associate traffic with the wrong Network Node in such networks. If you have an asymmetrical network, you can select Ignore Multiple IP Addresses from this Network Node, which permanently associates the listed IP address with the listed MAC address. If Optinet then sees the MAC address being used by another IP address, it assumes this is due to asymmetrical routing, groups the traffic by IP address, and attempts to discover the true MAC address of the original sending device.

The next option is Treat IPs as Remote Subnets from this Network Node. By default, Optinet creates profiles for devices in the local subnet based on MAC address. For routed networks, on the other hand, Optinet creates profiles based on IP address. These remote profiles list the MAC address as all zeros, while local profiles show the true MAC address. There are rare scenarios where profiles based on MAC addresses within the local subnet should be treated as remote profiles because of unusual network architectures, e.g., network segments separated by layer three devices that share the same broadcast range or physical connections, asymmetrical networks, etc. In these cases, you may need to regard local profiles as remote.
Also listed under the Add/Edit Network Node Detail are the IP addresses used by this Network Node as well as the open ports, protocols, state, and services used by the device. These settings can be sorted by selecting the column title of each setting.

Another option available under Network Node Manager is the Search box. You can search for profiles based on IP address, Profile Name (normally the NetBIOS name or IP address), MAC address, and OS. Simply select the search criteria from the Search Drop-Down Menu, enter the corresponding value, and click the Search icon (or press the Enter key). For example, to search for a specific MAC address, select MAC address from the Search Drop-Down Menu and enter the MAC address you are looking for. Use the format presented in the Network Node Manager, i.e., IP addresses are separated by dots (.) and MAC addresses are written without colons (:). You can also sort the profiles by Name, IP address, OS, MAC address, Scan Status, and the date the profiles were created by clicking on the column titles.

Please note that when Optinet is first installed, or when new devices are added to the network, you may see a profile entitled Unknown Network Node (mostly under the Report tab). Unknown Network Node simply represents profiles that have not been completely scanned. In essence, Optinet has identified new devices on the network but has not had sufficient time to complete the profile scan, or is in the process of doing so. With time, this profile will disappear as Optinet completes the profile scan and identifies the new profiles.

Lastly, Network Node Manager allows you to license and unlicense devices. Licensing with Optinet is based on network connections, or active IP addresses, on the network. That is to say, one hundred connections on your network will consume 100 Network Node licenses.
For example, in a flat network where all devices are connected via switches or hubs, Optinet can normally discover the MAC addresses of individual devices. In this scenario, licensing and profile creation are based on unique MAC addresses. You can verify whether Optinet is licensing based on MAC addresses by reviewing the MAC Address column under Network Node Manager. If individual MAC addresses are listed, Optinet is issuing a license to each of those MAC addresses. However, if an entry of all zeros is listed under the MAC Address column, Optinet is licensing based on IP addresses (typical of routed networks, as MAC addresses do not cross the local subnet). This means that each individual IP address consumes a license, and profiles are based on IP addresses as well. You may review Chapter 6: Administrating Optinet for more information on installing Optinet in a routed network.

Knowing how Optinet is issuing licenses will help you better manage your license count, as exceeding the license count can cause inconsistencies in content filtering and reporting. Devices that are unlicensed are handled quite differently from licensed devices. Reporting for unlicensed devices does not list individual statistics; traffic from unlicensed devices is aggregated into one profile entitled Unlicensed Network Nodes. Another drawback is that unlicensed devices cannot be added to a group via the Network Node Manager: if a device is unlicensed, you will not be able to select it when adding members to groups. Lastly, filtering is handled differently for unlicensed devices. Filtering is still in effect for them, but depending on your group configuration, their traffic can fall into different groups. Most likely, traffic from unlicensed devices will fall into the Default Group, but different configurations can change this.
Other scenarios to be aware of with licensing are devices such as printers, scanners, network cameras, plotters, or any other "non-user" devices that have network connections. Because these devices have a MAC or IP address, they can consume licenses unless configured otherwise. Also, a device with multiple network interfaces can take up two licenses, e.g., a laptop with a wireless card and an Ethernet port.

In addition to multiple interfaces, large Dynamic Host Configuration Protocol (DHCP) ranges or short DHCP lease times can also pose a licensing issue. If licensing is based on IP addresses, a device is assigned an IP address via DHCP and Optinet issues a license to that IP address. If the same device is later assigned a different IP address via DHCP, Optinet issues an additional license to the new IP address. Hence, in this scenario a device can consume several licenses depending on how DHCP is configured. Also please note that historical data and grouping based on IP addresses follow the IP addresses, not the devices per se.

Because of this, it is highly recommended that you purchase sufficient licenses to filter and report on all connections present in the network. You will also want to watch your license count closely and confirm that you do not exceed it. This can be done with Network Node Manager. Click Manage -> Directory Users & Nodes -> Network Nodes. Towards the bottom of the page you will see a count of how many licenses have been issued (Showing 1—25 of 100). The last number listed is the total number of profiles that have consumed licenses. You will want to periodically compare this number to your license count to confirm that you have sufficient licenses to report and filter correctly.
Also, the total license count is posted on the Home Page under Hardware Settings, and System Message Alerts will be sent when the license count nears 80%, 90%, and 100%.

Network Node Manager also allows you to license and unlicense selected nodes. For example, if you have several printers that you do not wish to consume licenses, you can select those profiles and click the Unlicense Selected Nodes button located at the bottom of the Network Node Manager page (Manage -> Directory Users & Nodes -> Network Nodes -> Unlicense Selected Nodes). This flags those profiles as unlicensed, and Optinet will not count those devices towards the total license count. Again, unlicensed nodes are handled quite differently from licensed nodes; however, devices such as printers, network cameras, etc., normally do not need content filtering and shaping.

You can also license profiles that have been unlicensed by setting License Status to Unlicensed (located in the top right corner of Network Node Manager). This lists all devices that have not been issued a license. Select the profiles that you want to be licensed and click License Selected Nodes. These profiles will then be issued a license and counted towards the total license count. If you need to purchase additional licenses, you may do so from Black Box Network Services or your Authorized Black Box Network Services Reseller. Additional licenses are issued in the form of a license key and may be entered during the Setup Wizard (Step 1) or under Admin -> Configuration -> License.

Directory Users
Directory User Manager is similar to Network Node Manager in the sense that this manager keeps track of all reported profiles. The difference is that Directory User Manager tracks Directory Users rather than Network Node profiles. If you have implemented Directory Users with Optinet, the Directory User Manager will post all Directory User profiles discovered by Optinet.
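As an added example (not Optinet code), the following audits a constructed Network Node Manager listing for the licensing problems described above: non-user devices holding licenses, the same device appearing under several IP-based profiles after DHCP lease changes, a laptop licensed once per interface, and the 80/90/100% alert thresholds. The node fields mirror the manager's columns; the NODES list, the port and OS heuristics, and the function names are assumptions made for the example.

```python
# Constructed Network Node Manager listing (not real data).  A profile whose MAC
# address is all zeros was learned across a router and is therefore licensed per
# IP address; the others are licensed per MAC address.
ZERO_MAC = "00:00:00:00:00:00"
NODES = [
    {"name": "WS-ACCT01 (192.168.1.20)", "ip": "192.168.1.20", "mac": "00:1a:2b:3c:4d:5e",
     "os": "Microsoft Windows XP SP3", "open_ports": [139, 445], "licensed": True},
    {"name": "192.168.1.50", "ip": "192.168.1.50", "mac": "00:60:b0:aa:bb:cc",
     "os": "HP LaserJet printer", "open_ports": [515, 9100], "licensed": True},
    {"name": "SALES-LT7 (192.168.1.77)", "ip": "192.168.1.77", "mac": "00:11:22:33:44:55",
     "os": "Microsoft Windows Vista", "open_ports": [445], "licensed": True},
    {"name": "SALES-LT7 (192.168.1.91)", "ip": "192.168.1.91", "mac": "00:11:22:33:44:66",
     "os": "Microsoft Windows Vista", "open_ports": [445], "licensed": True},
    {"name": "FIN-PC02 (10.20.0.11)", "ip": "10.20.0.11", "mac": ZERO_MAC,
     "os": "Microsoft Windows XP SP3", "open_ports": [445], "licensed": True},
    {"name": "FIN-PC02 (10.20.0.12)", "ip": "10.20.0.12", "mac": ZERO_MAC,
     "os": "Microsoft Windows XP SP3", "open_ports": [445], "licensed": True},
    {"name": "10.20.0.40", "ip": "10.20.0.40", "mac": ZERO_MAC,
     "os": "Axis network camera", "open_ports": [80, 554], "licensed": False},
]
PRINTER_PORTS = {515, 631, 9100}               # LPD, IPP, JetDirect raw
NON_USER_OS_WORDS = ("printer", "camera", "plotter")
ALERT_THRESHOLDS = (80, 90, 100)               # percentages at which the guide says alerts are sent


def license_basis(node):
    """'mac' on the local segment, 'ip' for profiles learned across a router."""
    return "ip" if node["mac"] == ZERO_MAC else "mac"


def is_non_user_device(node):
    """Printers, cameras, plotters: they hold a license but need no filtering or shaping."""
    return bool(PRINTER_PORTS & set(node["open_ports"])) or any(
        word in node["os"].lower() for word in NON_USER_OS_WORDS)


def netbios_name(node):
    """Scan Name is 'NETBIOS (ip)' when the name was retrieved, otherwise just the IP."""
    return node["name"].split(" (")[0] if " (" in node["name"] else None


def audit_licenses(nodes, license_limit):
    licensed = [n for n in nodes if n["licensed"]]
    used = len(licensed)
    fired = [t for t in ALERT_THRESHOLDS if used * 100 >= t * license_limit]
    by_name = {}
    for n in licensed:
        nb = netbios_name(n)
        if nb:
            by_name.setdefault(nb, []).append(n)
    # Same NetBIOS name under several IP-based profiles: DHCP handed the device a new
    # lease and every lease took a license.  Same name under several MACs: multiple NICs.
    dhcp_churn = sorted(nb for nb, ns in by_name.items()
                        if len(ns) > 1 and all(license_basis(n) == "ip" for n in ns))
    multi_nic = sorted(nb for nb, ns in by_name.items()
                       if len({n["mac"] for n in ns if n["mac"] != ZERO_MAC}) > 1)
    unlicense = sorted(n["name"] for n in licensed if is_non_user_device(n))
    return {
        "used": used,
        "limit": license_limit,
        "percent": round(100 * used / license_limit, 1),
        "highest_alert": max(fired, default=None),
        "ip_based": sum(license_basis(n) == "ip" for n in licensed),
        "unlicense_candidates": unlicense,
        "dhcp_churn_names": dhcp_churn,
        "multi_nic_names": multi_nic,
        "used_after_cleanup": used - len(unlicense),
    }
```

Run the audit before comparing the profile count at the bottom of the Network Node Manager against your license key. unlicense_candidates are the profiles to select and unlicense with Unlicense Selected Nodes; dhcp_churn_names point at a DHCP scope whose lease time is worth lengthening, since each new lease on a routed subnet consumes another license.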
Directory User Manager will list all user names that Optinet has discovered. Please review Chapter 7: Integrating Directory Users with Optinet for more information. The Directory User Manager will also list the domain names associated with the profiles, as well as the Directory Agent (if applicable) and the username used to access the directory.

Another option available in the Directory User Manager is Re-scan Directory User Name (located under the Tasks pane). This option allows you to update a profile by selecting the checkbox next to the user profile(s) you want to rescan. After selecting the profiles, select Re-scan Directory User Name, and any changes made to the profiles, i.e., changed name, new directory group, etc., will be posted under the Directory User Manager. Again, Chapter 7 covers these topics in more detail. One last important detail to note is that Directory Users have no effect on licensing.

Directory Agent
The Directory Agent Manager lists all created Directory Agents used for synchronization of Directory Users. For more information on this menu, please refer to Chapter 7: Integrating Directory Users with Optinet.

Broadcasts tab
The Broadcasts tab grants access to the Broadcast Manager, which displays all email reports that have been created for automated reporting. Email reports must first be created by selecting the report you want to email. Once you have done this, you may select the Email icon under the Tasks pane. For example, click on Report -> Application -> Application Overview. As a practice, you can set up this report for a weekly email. Under the Tasks pane, select the Email icon, which will populate the Add/Edit Broadcast field. Fill out the required information such as Name, Description, Send To:, Send From:, Reply To:, Subject Line, Send Format, and Schedule. If you need to send the email to multiple recipients, separate the addresses with a semicolon (;).
The recommended Send Format is PDF, as this format is more presentable; the other available formats are HTML, XML, and CSV. The schedule will depend on how frequently you want the automated report sent. For example, if you choose Weekly, several new fields will appear that allow you to select the day of the week you want the report to run. The same is true for Monthly and Yearly.

Once you have created the report and filled out the necessary fields, you will need to select the Activation mode for the email. Run Now sends the email report as soon as it is created. Send Once and Delete sends the report at the scheduled time and then automatically deletes the report once it has been sent. Activate Broadcast must be selected for any action to occur. Once you have selected all settings, don't forget to select the Save button. The email report is then saved under the Broadcast Manager (unless you selected Send Once and Delete). If you need to alter or delete the report in the future, you may do so under the Broadcast Manager by selecting the individual Email Broadcast, or by selecting the checkbox next to the report and clicking the Delete Selected button.

All Email Broadcasts are handled by Black Box Network Services' in-house Report Server. After you have created and activated an Email Broadcast, the report data is encrypted using Secure Sockets Layer (SSL) and sent to Black Box Network Services' Report Server. The Report Server processes the encrypted data and creates the desired report in the selected format. The Report Server then sends the completed report to the requested email address(es). Offloading this work keeps the report generation off Optinet while still allowing automatic delivery of important reports and information. After the finalized Email Broadcast has been sent, the data is immediately deleted from the Report Server. The entire process normally takes less than 5 seconds.
Physical access to Black Box Network Services' Report Server is controlled by a minimum of two biometric authentication systems. On-site staff are notified of all building access in real time, and environmental systems are maintained with N+1 redundancy.

Because the data leaves Optinet, some technical adjustments may be needed for recipients to receive email reports. For example, if a spam filter is present on the network, you may need to allow email from Black Box Network Services' Internet Service Provider (IP.XMISSION.COM). In addition, you may need to make the sender and recipient of the email different addresses, as an identical sender and recipient is commonly flagged as a spoofing technique. Also note that while the data is encrypted on its way from Optinet to the Report Server, the transmission from the Report Server to the recipients is not encrypted. This is the same level of protection as most ordinary email sent over the Internet, so do not send reports that identify users or browsing activity to mailboxes outside your control.

System Access tab
Optinet allows you to create multiple login accounts used to access the system. All accounts are listed under the Manage -> System Access -> Logins menu. By default only one account is present on the device (the admin account with a password of Black Box Network Services). Administrative login accounts can do anything that the default admin account can do: they can view any report and make any configuration change. Another access level exists (Read-Only) which allows users to view reports and configuration settings. Users with Read-Only access cannot make configuration or administrative changes to the device.
The Add/Edit Login Detail field (Manage -> System Access -> Logins -> Admin) allows you to customize all logins with User Name, Password, First Name, Last Name, Email Address, Admin Level (if you would like to create a login that does not have Admin Level, uncheck the box), and Activate Login (the login will not be accessible until this option is checked). Don’t forget to Save your changes after creating or modifying a login.

We strongly recommend that you create a new administrative login and change the default login password to limit access to the management interface. Select the Manage -> System Access -> Logins link to make these changes.

Applications tab

The Applications tab is designed for expert use. This menu and its submenus allow you to customize applications and redefine default signature sets for a more tailored environment. The default application sets provided should be sufficient for most environments. Nonetheless, if you would like to customize signature definitions as well as Traffic Flow Rule Sets (TFRS), you can do so under the Applications tab. The three options available under the Applications tab are Traffic Flow Rule Sets, Application Sets, and Applications.

Traffic Flow Rule Sets

Traffic Flow Rule Sets (TFRS) are the basic traffic identification and control engine within Optinet. By default, TFRS define content rules and implement restrictions on identified traffic. Optinet ships with 12 default TFRS (for more information see the previous section on Traffic Flow Rule Sets); however, you can customize TFRS using the Traffic Flow Rule Set Manager. For example, suppose you had a group of users that needed a variety of functions not available in the default TFRS. A case in point would be the need to filter Web traffic (Web Filter), deny IM Client communications (Deny IM), and block HTTPS traffic (SSL Block).
There are several default TFRS that can do some of these options; however, there is no one TFRS that has all components (Web Filter + Deny IM + SSL Block). Nevertheless, the Traffic Flow Rule Set Manager allows you to combine or delete components of the TFRS to tailor how traffic will be handled. Select Manage -> Applications -> Traffic Flow Rule Sets.

Rather than editing the default TFRS, you can copy them and make the necessary changes to create a custom TFRS. Although you can select the default TFRS and edit them, it is highly recommended that you do not edit default TFRS. Doing so can cause severe problems if the TFRS are configured incorrectly. You are better served by copying default TFRS and editing the copies. The key factor in creating a custom TFRS is to choose a default one that closely represents the end result. For this example, we will copy the TFRS Web Filter + Deny IM and afterwards add the component SSL Block.

Copying TFRS is quite simple: select the checkbox next to the TFRS that is going to be copied and select the Copy Selected button. This will bring up the Add/Edit Traffic Flow Rule Set field. Here, you can create a distinct name and description for the custom TFRS. This field also allows you to remove certain applications from the TFRS. For example, if you didn’t want this TFRS to identify ICMP traffic, you could remove this application using the < Remove button. More often than not, you will only want to customize the name and description in this field, as removing applications can cause unexpected effects. Another suggestion is to name the TFRS according to the targets. In our example, we would name the TFRS Web Filter + Deny IM + SSL Block. Again, don’t forget to Save your changes.

Once you have created a custom TFRS, you will alter the targets according to the desired modifications. This is done under the Application Signature Manager (covered later under the Applications section).
In our example, we will need to alter the SSL targets to block this traffic. Now that we have created a custom TFRS to block SSL traffic, we will need to alter the targets. The steps to alter targets are covered under the next sections.

Other options available under the Traffic Flow Rule Set Manager are deleting and creating. There is also a search box to search available TFRS. Now let’s continue our example of a custom TFRS by discussing the Application Sets and Applications menus. The following sections will give a brief explanation of the options available and a common example of configuration changes.

Application Sets

Application sets, or simply signature sets, are groups of signatures for similar applications that perform a comparable purpose. For example, the signature set Remote Desktop/Remote Control/X comprises the applications PC Anywhere, Citrix, GoToMyPC, Microsoft’s Remote Desktop, and many more. Because these applications use similar signatures and perform an equivalent purpose (connecting users remotely to computers), the different applications are grouped together in an Application Set. The Application Signature Set Manager (Manage -> Applications -> Application Sets) lists all sets of applications that Optinet can identify and shape. Currently there are 23 Application Sets that Optinet identifies.

• Chat and IM—this application set comprises signature definitions for chat and IM applications, e.g., Windows Live Messenger, Yahoo! Messenger, etc.
• Databases—this application set comprises signature definitions for database applications, e.g., SQL, Oracle, etc.
• DNS/Naming/Locators and Information—this application set comprises signature definitions for services that identify domains, users, and devices on a network, e.g., Domain Name Service (DNS), Lightweight Directory Access Protocol (LDAP), etc.
• Email, Paging, and Collaboration—this application set comprises signature definitions for email services and protocols used to transmit emails, e.g., Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), etc.
• FTP/File Transfer—this application set comprises signature definitions for File Transfer Protocol (FTP).
• Games—this application set comprises signature definitions for online games or network games, e.g., XBOX Live, World of Warcraft, etc.
• HTTP—this application set comprises signature definitions for Web traffic or Hypertext Transfer Protocol (HTTP).
• ICMP—this application set comprises signature definitions for Internet Control Message Protocol (ICMP), e.g., PING.
• NetBIOS/Microsoft File Services—this application set comprises signature definitions for Network Basic Input/Output Service (NetBIOS) and Server Message Block (SMB or Samba) protocol.
• Network Management and Monitoring—this application set comprises signature definitions for services that manage and monitor networks, e.g., Simple Network Management Protocol (SNMP), Network Management Service (NMS), etc.
• Network Routing—this application set comprises signature definitions for networking protocols, e.g., Routing Information Protocol (RIP), Network Control Program (NCP), etc.
• Network Utility—this application set comprises signature definitions for protocols used to manage networking devices, e.g., Dynamic Host Configuration Protocol (DHCP), NSW under System FE.
• Peer to Peer—this application set comprises signature definitions for programs that share files via a direct (peer to peer) connection, e.g., Bit Torrent, Gnutella, etc.
• Printing and Reporting—this application set comprises signature definitions for printing and reporting services, e.g., Network Printing, Internet Printing, etc.
• Proxy and Cache—this application set comprises signature definitions for Proxy and cache servers, e.g., Squid, Sockets Server (SOCKS), etc.
• Remote Desktop/Remote Control/X—this application set comprises signature definitions for programs used for remote management and administration, e.g., PC Anywhere, Citrix, etc.
• RPC/Remote Execution and Message—this application set comprises signature definitions for programs that execute other programs or routines remotely, e.g., Remote Procedure Call (RPC), IBM’s Tivoli, etc.
• Security, Auditing, and Auth—this application set comprises signature definitions for network protocols that authenticate and secure users or devices, e.g., Kerberos, Pretty Good Privacy (PGP), etc.
• Streaming Media—this application set comprises signature definitions for programs that stream audio and video content, e.g., Windows Media Player, Flash, etc.
• Telnet and SSH—this application set comprises signature definitions for applications that use Telecommunication Network (Telnet) and Secure Shell (SSH) protocols.
• Uncategorized—this application set comprises all traffic that does not meet a specific application set.
• VOIP and Voice Chat—this application set comprises signature definitions for Voice over Internet Protocol (VoIP) and programs that facilitate voice conversations over the Internet, e.g., Ventrilo, Buddy Phone, etc.
• VPN and Tunnel—this application set comprises signature definitions for protocols used for Virtual Private Network (VPN) and for tunneling, e.g., Internet Protocol Security (IPSec), Secure Socket Layer (SSL), etc.

The Application Signature Set Manager also allows you to select Application Sets to review all applications present within the set. In addition to reviewing the applications within the set, you may add or remove individual applications. For example, if you wanted to separate Citrix traffic from the Remote Desktop/Remote Control/X application set for individual shaping and reporting, you could create a new application set or custom TFRS to do so. Once more, this menu is intended for expert use.
Still, following the example in the previous section of creating a custom TFRS of Web Filter + Deny IM + SSL Block, we will create a custom Application Set. In this example, we will separate SMTP traffic from the Email, Paging, and Collaboration Application Set. Click Manage -> Applications -> Application Set -> Create. This will populate the Add/Edit Application Set Details field. Here you will give the custom application set a Name and Description. In our example, we will call the Application Set SMTP. Don’t forget to Save the changes.

Once a custom TFRS and Application Set have been created, you will need to alter the individual applications under the Application Manager. These final steps are covered in the next section. Two other options available under the Application Signature Set Manager are the ability to search for Application Sets using the Search box (located in the upper-left corner) and to delete a custom Application Set using the Delete Selected button (located at the bottom of the page).

Applications

Now that we have detailed the applications listed under each Application Set, we can look at the individual applications that Optinet can shape. This can be accomplished under the Applications menu. Like the other menus under the Applications tab, this menu is intended for expert use. The Applications menu will allow you to finish creating the custom TFRS. You can also finish altering the Application Set to add or remove specific applications for an Application Set. Lastly, this menu allows you to search for individual applications, values (ports), and application sets to see how traffic is being categorized.

Click Manage -> Applications -> Applications. This will bring up the Application Signature Manager. The Application Signature Manager lists each individual application alphabetically according to the Traffic Flow Rule Set listed in the top right-hand corner.
You can also search for a particular application based on the Name, Application Set, or Value and sort the different applications by the column titles. Below are the column titles and corresponding definitions:
• Name—this is the name of the application.
• Application Set—this will list which application set the application belongs under.
• Type—this will list the type of signature identification used to recognize the traffic. The different types are the following:
  o Destination Port—this type is the target port of the application.
  o Diff Serv—this type is the Differentiated Services (DiffServ) of the application. DiffServ is a networking architecture that specifies a simple, scalable and coarse-grained mechanism for classifying and managing network traffic and providing Quality of Service (QoS).
  o Type of Service—this type is the Type of Service (TOS) of the application. TOS is a single-byte field in an IP packet header that specifies the service level required for the packet.
  o Length—this type is the Ethernet Length of the application. Ethernet length specifies the size of the frame used within the network interface.
  o VLAN—this type is the Virtual Local Area Network (VLAN) used for the application.
  o Protocol Only—this type is the protocol used for the application, i.e., TCP, UDP, etc.
  o Layer7—this type is the Optinet Layer 7 signature used for the application.
  o Source and Destination Port—this type is the sending and target port of the application.
  o Source Port—this type is the sending port of the application.
  o XLi Engine—this type is the Cross Layer Intelligence (XLi) Engine used for the application. XLi is the component of Optinet that scans and identifies packet payload using 6 layers of the OSI model.
  o Web Request MIME Type—this type is the Multipurpose Internet Mail Extensions (MIME) type for the application.
  o Web Request File Type—this type is the File Type for the application.
• Value—this will list the corresponding measures from the Type field. For example, under the application HTTP, the Type is listed as Destination Port; hence, the Value is listed as 80, as this is the destination port number for HTTP traffic. Other entries listed here will be the XLi values, File Type values, MIME values, and all other associated values for Types.
• Target—this will list what actions will be taken with the corresponding application. For example, if the target is set to Pass Thru the application will be allowed. Other options available are Deny (block traffic), None (no action taken), Web Filter (content filtering, web logging, spyware scanning, and virus scanning), and Web Logging (only logs web request URLs).

To review the different options for each application, you will need to create a custom TFRS. Let’s continue with the example of the custom TFRS created in the previous section. In the top right-hand corner, select the link for the TFRS of IM Only. This will then list all TFRS available. Choose Web Filter + Deny IM + SSL Block. Notice how the individual applications are now clickable. By creating a custom TFRS and application set, you can adjust each application and change settings such as Protocol, Type, and Value.

Remember that we need to change the target of the custom TFRS to deny SSL traffic. You can do this by changing the Target field under the SSL applications. Click on the drop-down search box and select Value as the search criteria. Enter the value SSL and hit the Enter key. The Application Signature Manager will post the associated applications for SSL traffic. Select the application SSL CONNECT L7. This will show the Add/Edit Application Detail page. The Add/Edit Application Detail field allows you to change the Name of the application as well as other options, i.e., the Description, Application Set, Traffic Flow Rule Set, Type, Value, Protocol, and Target. Again, changing options can cause serious errors if you are unsure of the settings.
More often than not you will only need to change the Application Set, Traffic Flow Rule Set, and Value. In general, only use Destination Port, Source Port, and Source and Destination Port for the Type field. Finally, for Protocol you will probably only need to use TCP and UDP, and for Target only Pass Thru or Deny. To block all SSL connections, you will change the targets from Pass Thru to Deny. Once you save the changes, this will block all SSL connections. You will need to do this for all other applications that use SSL (search for HTTPS applications as well). Once you have set all SSL applications to Deny, you only need to apply the custom TFRS. This is done by creating an Internet Usage Rule and applying it to a group under the Policy Manager. Please review the sections Internet Usage Rules and Policy Manager for more information.

Before leaving the Application Signature Manager, we can continue with the example of separating an application from an application set. Again, click on Manage -> Applications -> Applications. Make sure the custom TFRS is selected as the Traffic Flow Rule Set in the top right-hand corner. Now, let’s search for the application that we’re going to separate. Select Name as the Search criteria and enter the name of the application. In our example we will search for SMTP traffic. This will post all applications that use SMTP as a signature. Because we have created a custom TFRS and application set, we can select the applications to separate or modify them. In this example, we will separate SMTP from the application set E-mail, Paging, and Collaboration and tie it to the custom Application Set SMTP (created in the previous section). Click on the first SMTP application (On Demand SMTP Relay). This will post the Add/Edit Application Detail. Here, change the Application Set from E-mail, Paging, and Collaboration to SMTP. Don’t forget to Save your changes. Repeat the previous steps for all applications listed after the search.
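To make the relationship between Type, Value, Protocol and Target concrete, here is an added example (my own Python, not Black Box code and not the appliance's real signature table) that models a rule set as a list of port-based signatures, copies it the way Copy Selected does, sets the HTTPS application to Deny, and moves the SMTP application into a custom SMTP Application Set. The sample signatures, the tie-break that prefers the most specific signature type when several match, and the port-only model (Layer7, XLi, MIME and file-type signatures are left out because they need payload inspection) are all assumptions of this example.

```python
import copy
from dataclasses import dataclass

# Signature types from the Application Signature Manager that this model handles.
DEST_PORT = "Destination Port"
SRC_PORT = "Source Port"
SRC_AND_DEST_PORT = "Source and Destination Port"
PROTOCOL_ONLY = "Protocol Only"

# Assumed specificity order used to pick a winner when several signatures match a flow.
_SPECIFICITY = {SRC_AND_DEST_PORT: 0, DEST_PORT: 1, SRC_PORT: 2, PROTOCOL_ONLY: 3}


@dataclass
class Signature:
    name: str        # application name as shown in the manager
    app_set: str     # Application Set the application belongs to
    sig_type: str    # one of the four types above
    value: str       # port, "src:dst" for Source and Destination Port, "" for Protocol Only
    protocol: str    # "TCP" or "UDP"
    target: str      # Pass Thru, Deny, None, Web Filter or Web Logging


@dataclass
class Flow:
    protocol: str
    src_port: int
    dst_port: int


def build_default_tfrs():
    """Constructed stand-in for the default 'Web Filter + Deny IM' rule set (not Optinet's real data)."""
    return {
        "name": "Web Filter + Deny IM",
        "signatures": [
            Signature("HTTP", "HTTP", DEST_PORT, "80", "TCP", "Web Filter"),
            Signature("HTTPS", "HTTP", DEST_PORT, "443", "TCP", "Pass Thru"),
            Signature("Windows Live Messenger", "Chat and IM", DEST_PORT, "1863", "TCP", "Deny"),
            Signature("On Demand SMTP Relay", "Email, Paging, and Collaboration", DEST_PORT, "25", "TCP", "Pass Thru"),
            Signature("DNS", "DNS/Naming/Locators and Information", DEST_PORT, "53", "UDP", "Pass Thru"),
            Signature("TCP", "Uncategorized", PROTOCOL_ONLY, "", "TCP", "Pass Thru"),
        ],
    }


def matches(sig, flow):
    """Does one signature identify this flow?"""
    if sig.protocol != flow.protocol:
        return False
    if sig.sig_type == PROTOCOL_ONLY:
        return True
    if sig.sig_type == DEST_PORT:
        return flow.dst_port == int(sig.value)
    if sig.sig_type == SRC_PORT:
        return flow.src_port == int(sig.value)
    if sig.sig_type == SRC_AND_DEST_PORT:
        src, dst = (int(p) for p in sig.value.split(":"))
        return flow.src_port == src and flow.dst_port == dst
    return False


def classify(tfrs, flow):
    """Return (application, target) for a flow under a rule set; the most specific signature wins."""
    candidates = [s for s in tfrs["signatures"] if matches(s, flow)]
    if not candidates:
        return "Uncategorized", "None"
    best = min(candidates, key=lambda s: _SPECIFICITY[s.sig_type])
    return best.name, best.target


def copy_rule_set(tfrs, new_name):
    """Copy Selected: a deep copy, so later edits never touch the default rule set."""
    clone = copy.deepcopy(tfrs)
    clone["name"] = new_name
    return clone


def set_target(tfrs, name_contains, target):
    """Change Target for every application whose name contains the search term; returns the count."""
    hits = [s for s in tfrs["signatures"] if name_contains in s.name]
    for s in hits:
        s.target = target
    return len(hits)


def move_to_app_set(tfrs, name_contains, new_set):
    """Re-parent matching applications into a (custom) Application Set; returns the count."""
    hits = [s for s in tfrs["signatures"] if name_contains in s.name]
    for s in hits:
        s.app_set = new_set
    return len(hits)


def build_ssl_block_tfrs():
    """The chapter's worked example: copy Web Filter + Deny IM, deny HTTPS, split SMTP into its own set."""
    custom = copy_rule_set(build_default_tfrs(), "Web Filter + Deny IM + SSL Block")
    set_target(custom, "HTTPS", "Deny")
    move_to_app_set(custom, "SMTP", "SMTP")
    return custom
```

Because copy_rule_set deep-copies, classifying a port 443 flow against the default rule set still returns Pass Thru after the custom set has been changed to Deny; that isolation is the reason the text tells you to copy a default TFRS rather than edit it.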
Again, these changes will take final effect once they are initiated under Internet Usage Rules and Policy Manager. One last option available under the Applications Set Manager is deleting custom applications. You may follow the general instructions listed above to create custom TFRS or Application Sets.

This concludes Chapter 5: Managing Optinet. The next chapters describe advanced configuration methods and options with Optinet, followed by chapters dedicated to Directory Users and HTTPS/SSL Filtering.

Chapter 6: Administrating Optinet

The Admin tab of Optinet provides you with administration functions for initial configuration of the device. Also available are maintenance options such as backup settings and diagnostic tools that allow you to prevent failures or down time. Lastly, the Admin tab has advanced configuration options for Directory Users, SSL Certificate, custom redirection pages, and Spyware Removal. This chapter is divided into 6 sections.
• Setup Wizard
• Configuration tab
• Diagnostic Tools tab
• Downloads tab
• Logs tab
• Redirection Pages tab
• Utilities tab

Setup Wizard

The Setup Wizard is available during the first login to Optinet and if the device has been reset back to factory defaults. If you would like to run the Setup Wizard again after the initial setup, you may do so with this tab. Remember that the Setup Wizard does require a live Internet connection to the network and will reboot if a firmware upgrade is downloaded. For more information, please review Chapter 2: Installing Optinet.

Configuration tab

The Configuration tab provides you with a variety of tools that can help manage the installation and maintenance of Optinet. The options available under this tab allow you to optimize and customize your Optinet to meet the organization’s needs. Among these settings are basic and advanced settings, license settings, remote subnets, backup settings, and static routes.
This menu is intended for manual configuration of Optinet if you are unable to run the Setup Wizard or need to customize settings. Below are all the options available under the Configuration tab.

Setup

Use this menu to manually assign an IP address and Subnet Mask to the Bridge (WAN/LAN) interface. You can also assign a default gateway, DNS Server, and an IP address and Subnet Mask to the Management/Auxiliary Port. Remember that the IP address assigned to the Management/Auxiliary Port cannot be in any active subnet in your network. You can also use this menu to enter the name or IP address of the Email server (if you would like to receive email alerts for viral web downloads). Lastly, you can specify the time zone for Optinet. Don’t forget to Apply any changes made.

Advanced Setup

The Advanced Setup provides you with enhanced configuration settings that are used for customization of Optinet within the network. Most of the options below are enabled by default; however, if Optinet is installed in a more complex or uncommon network topology, you may need to disable or adjust some of the settings.
• Domain—this allows you to identify the domain name in which Optinet is installed.
• Enable Port Scanning / OS Detection—this refers to the Nmap scan that is performed when a unique profile is discovered. This setting allows Optinet to post unique information about each device present on the network. However, some security settings may identify Nmap scans as intrusions; as such, you can disable this feature by unchecking this setting. For more information see the section Network Nodes in Chapter 5: Managing Optinet.
• Enable TCP Window Scaling—this allows Optinet to send a larger window size to improve TCP performance in networks with large bandwidth. However, some routers or web sites do not support this feature, which can cause latency. If you are experiencing latency with Optinet or connection failures to web sites, you may need to disable this option to improve performance.
• Disable MAC based Network Node Discovery—this is used when you do not want Optinet to create profiles based on MAC addresses. As previously mentioned in Chapter 5, devices located in the Optinet local subnet will be profiled based on MAC addresses. If you would prefer Optinet to profile these devices based on IP addresses, you will need to check this option.
• NTP Server—this is used to specify a Network Time Protocol (NTP) server used to sync time for Optinet. The default setting is pool.ntp.org; however, if you have an NTP server or an Active Directory server and would prefer to use those devices instead, you may enter either the IP address or domain name of the device in this field. Also, for NTP to function properly, UDP port 123 must be open for Optinet.
• HTTP Keep-Alive Mode—this allows Optinet to use the same connection to send and receive multiple HTTP requests and responses, as opposed to opening new connections for every single HTTP request or response. This option can improve performance on frequently visited web sites and should be checked. This option is also necessary if you want to enable HTTPS/SSL Filtering.
• Enhanced Bridging Mode (EBM)—this allows Optinet to act as a transparent bridge. As a transparent bridge, Optinet does not modify the web request or response beyond what is required for content filtering and identification. EBM facilitates an easier installation, especially in a routed network, without requiring static routes or running the risk of dropping network traffic. Because EBM does not alter web requests, Optinet can rely on networking devices already present to route traffic correctly. We highly recommend that EBM is enabled to avoid interrupting network traffic. Lastly, EBM can improve performance with Optinet and is necessary for HTTPS/SSL Filtering.
• Allow HTTP Connections on port 8888—this allows Optinet to act as a proxy for web traffic. This option must be selected if you would like to install Optinet in Proxy Mode or use NTLM Web Authentication. Please see the sections Proxy Mode in Chapter 2 and NTLM Web Authentication in Chapter 7 for more information.
• Enable Summary Tables—this allows Optinet to summarize or condense large web reports, allowing for faster response times for Internet Usage reports. This utility will index web reports and correlations for all reports. For more information please see the section Report Recommendations in Chapter 3: Generating Reports.
• Summary Table Conversion Utility—this utility will take previous data that has not been summarized and create summary tables. Selecting the link will present three options for converting previous data: Web Request Summary Table, Level 1 Summary, and Level 2 Summary. Web Request Summary Table will summarize all Web request data. Level 1 Summary Table will summarize the first correlation for those reports, i.e., first correlation by Category, Host, File Type, MIME Type, Group, Directory User, and Network Node. Level 2 Summary Table will summarize the second correlation for those reports, i.e., second correlation by Category, Host, File Type, MIME Type, Group, Directory User, and Network Node. For more information please see the section Report Recommendations in Chapter 3: Generating Reports.
• Network Normalization Mode—this setting enables Optinet to discover MAC addresses in an asymmetrical network or where MAC addresses are alternating. For example, if MAC addresses change during data transmission, Optinet can encounter a problem with group assignments and reporting. However, by enabling Network Normalization Mode, Optinet can send Address Resolution Protocol (ARP) requests and discover the MAC addresses of devices, and therefore group and report correctly. The recommended setting for this option is enabled (checked).
• Allow DNS and HTTP block page for Deny Access Traffic Flow Rule Set—this will present group members of the Deny Access Group a blocked redirection page if they attempt to access the Internet. Please note that for this page to post, DNS and HTTP traffic will be allowed to pass for the Deny Access Group for initial connections.
• Database Timeout—this setting places a limit (in minutes) on how much time Optinet has to complete a report. Because Optinet runs several different functions simultaneously (filtering, shaping, reporting, etc.), priority is given to filtering and shaping so that reporting does not consume resources that may impact network performance. Optinet has a default timeout of five minutes for reports to complete. If a report cannot complete within the five minutes, you will receive a timeout message stating so. If needed, you may alter the time limit with this setting. You can allocate up to 15 minutes for reports to complete. Please see the section Report Recommendations in Chapter 4: Generating Reports for more information.
• Group Member Type Precedence (GMTP)—this option is critical for assigning devices and users to the correct groups. Because Optinet allows for multiple groups, a problem can arise when a device or a user can possibly be in multiple groups at the same time. For example, if a user begins to access the Internet, Optinet can identify the user and place him/her in a group by MAC address, IP address, or the Directory User account. The scenario can become even more complex if Optinet is configured to identify multiple groups based on VLANs, specific IP addresses, or Classless Inter-Domain Routing (CIDR) Blocks.

Ethernet Settings

This menu allows you to hard code speed and duplex settings for the WAN, LAN, and Management/Auxiliary ports. As mentioned in Chapter 2: Installing Optinet, normally Optinet will auto-negotiate correctly with the devices directly connected to the ports.
However, if Optinet is unable to auto-negotiate correctly, you may need to hard set the speed and duplex settings. This can be done under the Ethernet Settings menu. Please note that if you make changes under this menu, more than likely you will need to hard code the interface settings of the devices connected to the Optinet ports. Also note that you may experience some network interruption while Optinet makes the necessary changes.

Company Settings

Company Settings allows you to customize Optinet and the GUI with information pertinent to the organization. This menu allows you to enter the Company Name, Company Address, Company City, Company State, Company ZIP Code, Technical Admin Name, and Technical Admin E-mail. Once done, these settings will be reflected in other menus as well (AntiVirus Email Alert, the Optinet Menu Bar, etc.).

Registration Settings

The Registration Settings menu presents the information that is used to register Optinet. The settings are the same as the Company Settings with two differences: Company Address 2 and Technical Admin Phone.

Miscellaneous (Misc.) Settings

Miscellaneous Settings displays five important options that are used in a variety of menus. The first two settings (Available Upload Bandwidth and Available Download Bandwidth) are used to calculate percentages for both shaping rules and reporting values and will cap the total bandwidth available within the network. The default settings are 5000Kbps and will restrict traffic to that amount. If you have not adjusted this amount for your bandwidth, please do so during the Setup Wizard or under this menu. Please note that the amounts listed under Available Upload and Available Download in Miscellaneous Settings will restrict total traffic through Optinet. Make sure that the amounts entered in these fields are the correct amounts for your network.
The next option, Web Time Online seconds per hit, is used to calculate the amount of time for the Web Time Online Report (Report -> Internet Usage -> Web Time Online). Please note that the Web Time Online report is an estimated value generated by counting the number of hits per page and then multiplying the number of hits by the number listed under this setting. The default setting of 20 seconds is an approximation based on typical business usage. However, in other circumstances the value may need to be altered.

Simple Network Management Protocol (SNMP) can be used to monitor the state of Optinet and poll the device to verify its CPU, hard drive usage, and other pertinent information. SNMP works by means of a software component called an agent that runs on Optinet and reports information via SNMP to the managing systems. The managing system can retrieve the information through the GET and WALK protocol operations. Although you will have to supply the SNMP managing system to retrieve the information, the following fields will allow you to interact with the Optinet SNMP agent.

The first field, SNMP Read Only Community, is the password used for GET requests and allows access to the Optinet SNMP agent. The default setting for this field is public, but the Read Only Community password can be changed to the desired password with this menu. Don’t forget to Apply the changes after altering the field. Afterwards, you can use the SNMP GET command to poll the following values from Optinet.

Optinet SNMP Values

Value  Result
1      CPU Percent
2      Hard Drive Usage Percent
3      Web Hits
4      Web Hits by Category ID
5      Web Category Name by ID
6      Application Set Name by ID
7      Application Set Upload by ID
8      Application Set Download by ID
9      Total Traffic Upload/Download
10     Number of Possibly Infected Spyware
11     Number of Possibly Infected Virus

Also, please note that the Object Identifier (OID) for Optinet is 1.3.6.1.4.1.31010.
With the above listed values and the Optinet OID, you should be able to use the SNMP Get command:

snmpget -v 2c -c public localhost 1.3.6.1.4.1.31010.1

The WALK command allows you to use the SNMP GETNEXT request to query Optinet for several pieces of information. SNMPWALK will search all SNMP values for Optinet and post the corresponding values. Again, with the Optinet OID, you can query the Optinet SNMP agent for all values present:

snmpwalk -v 2c -c public localhost 1.3.6.1.4.1.31010.1

The next setting is the SNMP Read Write Community. This setting is used to set SNMP MIB variables to a specified value. These writes are protected by the write community string, which is set to the default of private. However, this field allows you to alter the password for the SNMP Read Write Community. Any changes made to these two fields will not take effect until you Apply the changes.

Update Settings

The Update Settings menu lists the available updates for Optinet. These updates are divided into five categories: Firmware, Software, Content Filter, Spyware, and Anti-Virus. Firmware updates deal with new features, Optinet OS upgrades, and signature updates. Software updates deal with component changes, maintenance patches, and code resolutions. Content Filter updates are for updating web categories, web sites, and file types. Spyware updates are for new definitions on spyware, while Anti-Virus handles new definitions for web viruses. All updates can be configured to execute automatically via the Enable check boxes and Daily Schedule drop-down boxes, except for Firmware updates. The reason is that Firmware updates require a reboot. Because of this you will need to manually update the firmware using the Update Now button. You will be notified via the Message Center on the Home Page when a new firmware version is offered. For updates to be successful, Optinet will need access to port 80 as well as authorization to download MD5 checksums.
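Added example, not from the manual or from Black Box: a minimal BER encoder in Python that builds the SNMPv2c GetRequest the snmpget command above sends for the Optinet OID, together with the decoder side, which shows that the community string crosses the wire in clear text. That is why the default public and private strings above should be changed, and why a capture of the management segment can be checked for polls that still use them. The OID 1.3.6.1.4.1.31010.1 is the one quoted in the text; the function names and the sample non-default community string are mine.

```python
OPTINET_OID = "1.3.6.1.4.1.31010.1"   # enterprise OID quoted in the manual
DEFAULT_COMMUNITIES = {"public", "private"}   # the appliance's factory defaults named above


def _ber_len(n):
    """BER length: short form below 128, long form (0x8N + N length bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(n):
    """Non-negative INTEGER, with a leading 0x00 when the top bit would read as a sign bit."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)


def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_get_request(community, oid=OPTINET_OID, request_id=1):
    """Build the SNMPv2c GetRequest that 'snmpget -v 2c -c <community> host <oid>' puts on UDP/161."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")                       # SEQUENCE { OID, NULL }
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)  # version 1 denotes v2c


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet):
    """Parse version and community from a raw v1/v2c message, exactly as a packet capture tool can."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, ver, pos = _read_tlv(body, 0)
    ctag, comm, _ = _read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected SNMP header")
    return int.from_bytes(ver, "big"), comm.decode("latin-1")


def uses_default_community(packet):
    """Detection helper: True when a captured poll still carries a factory-default community string."""
    _, community = extract_community(packet)
    return community in DEFAULT_COMMUNITIES
```

Feed uses_default_community the UDP payloads from a capture of the management network and any True result is a poller that never had its community string changed; the same parser also shows why the Read Write community deserves a stronger value than the Read Only one, since a write with that string is accepted on the same cleartext terms.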
Also, you should schedule updates during non-peak traffic times, as some services may need to restart after the updates have completed. Default settings for Update Settings are 1am for Software, 2am for Content Filter, 3am for Spyware, and 4am for Anti-Virus.

Custom Category Rules

The Custom Category Rules menu allows you to modify or create web site categorizations. This menu allows you to categorize web sites that have been mis-categorized, that do not have an explicit categorization, or for which your organization needs a distinct categorization. For example, by default the web site YouTube is categorized as Online Communities. However, for your organization YouTube may be considered more of a streaming media web site than an online community. The Custom Category Rules allow you to enter the URL of YouTube and “re-categorize” the site as Streaming Media instead of Online Communities. This rule will then take effect for both reporting and Internet Usage Rules (IURs).

To categorize a web site with the Custom Category Rules, enter the URL in the Match String field. Afterwards, choose a Compare String for the entry. There are three distinct compare strings that can be used to categorize web sites: URL-Regular Expression, URL, and Domain.

• URL-Regular Expression—this compare string utilizes regular expressions to categorize web sites. A regular expression (regex) is a method used to describe a string of text using metacharacters or wildcard symbols. To use URL-Regular Expression, you will need to understand the functions of regular expression metacharacters. URL-Regular Expression supports POSIX Basic and Extended Regular Expressions. A complete discussion of regular expression capabilities is beyond the scope of this document.

• URL—this compare string looks for an exact URL match. Use this compare string to categorize specific web pages where an exact match is necessary.
For example, an entry of youtube.com/forums will categorize YouTube’s forum web page, but not necessarily other YouTube web pages. However, you can use an asterisk symbol (*) as a wildcard with the compare string of URL. For instance, an entry of http://www.youtube.com* will categorize any web page that begins with http://www.youtube.com.

• Domain—this compare string looks for any web page that begins with the domain name of the web site. Use this compare string to categorize web sites where the domain name is constant in the URL. For example, an entry of youtube.com will categorize all of YouTube’s web pages. You can also use an asterisk symbol (*) as a wildcard with the compare string of Domain. For instance, an entry of *youtube.com will categorize any web page that has youtube.com in the domain name regardless of http, https, or www.

After you make your entry in the Match String field and choose a Compare String, select which category the web site will be assigned to. You can also create your own category by selecting the Add a Custom Category selection. Once selected, you can type in the name of the custom category. Afterwards, you can choose which priority level will be assigned to the entry. Priority levels are only used when there are conflicts with other custom categorizations. For example, if you chose to categorize the web site youtube.com as Streaming Media but the web page youtube.com/forums as Online Communities, you would give the URL entry youtube.com/forums a high priority. This indicates to Optinet to always categorize youtube.com/forums as Online Communities while other web pages under youtube.com will be categorized as Streaming Media. If there is any site with conflicting criteria, the higher priority rule will direct the categorization. To finalize your entry, click the Update button followed by the Apply button.
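The following Python, added here as an illustration and not the product’s own code, models the three compare strings and the priority rule described above so the outcome of a rule set can be checked before it is applied on the appliance. It assumes Python’s re module as a stand-in for the POSIX regular expressions Optinet supports, that a plain Domain entry covers the domain and its subdomains, and that among equally prioritized matches the compare strings are tried in the order listed (Regular Expression, URL, Domain); the intranet.example.com and File Downloads rules are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

PRIORITY = {"low": 0, "normal": 1, "high": 2}
# ASSUMPTION: tie-break order among equally prioritized matches, following the
# order in which the manual lists the compare strings (the Precedence tab can change it).
COMPARE_ORDER = {"regex": 0, "url": 1, "domain": 2}


@dataclass(frozen=True)
class Rule:
    match_string: str   # the Match String field
    compare: str        # "regex" (URL-Regular Expression), "url", or "domain"
    category: str       # the category assigned on a match
    priority: str = "normal"


def _host(url):
    """Host part of a request URL; a missing scheme is tolerated ("youtube.com/x")."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()


def _url_forms(url):
    """Forms of the request compared against a URL entry: as given, without scheme, without www."""
    no_scheme = url.split("://", 1)[1] if "://" in url else url
    forms = {url, no_scheme}
    if no_scheme.lower().startswith("www."):
        forms.add(no_scheme[4:])
    return forms


def rule_matches(rule, url):
    if rule.compare == "regex":
        # Python re stands in for the POSIX BRE/ERE engine on the appliance.
        return re.search(rule.match_string, url) is not None
    if rule.compare == "url":
        pattern = rule.match_string
        if pattern.endswith("*"):            # trailing * means "begins with"
            return any(f.startswith(pattern[:-1]) for f in _url_forms(url))
        return pattern in _url_forms(url)    # otherwise an exact match
    if rule.compare == "domain":
        host, pattern = _host(url), rule.match_string.lower()
        if pattern.startswith("*"):          # leading * means the host ends with the rest
            return host.endswith(pattern[1:])
        return host == pattern or host.endswith("." + pattern)
    raise ValueError(f"unknown compare string {rule.compare!r}")


def categorize(rules, url, default="Uncategorized"):
    """Apply every matching rule; the highest priority wins, then compare-string order."""
    hits = [r for r in rules if rule_matches(r, url)]
    if not hits:
        return default
    best = max(hits, key=lambda r: (PRIORITY[r.priority], -COMPARE_ORDER[r.compare]))
    return best.category


# The two YouTube rules are the manual's example; the other two are constructed.
RULES = [
    Rule("youtube.com", "domain", "Streaming Media"),
    Rule("youtube.com/forums", "url", "Online Communities", priority="high"),
    Rule("intranet.example.com/hr*", "url", "Human Resources"),
    Rule(r"\.(exe|msi)(\?|$)", "regex", "File Downloads"),
]

if __name__ == "__main__":
    for u in ("http://www.youtube.com/forums", "https://www.youtube.com/watch?v=abc"):
        print(u, "->", categorize(RULES, u))
```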
Other options available in this menu are Reset (clear current entries under Add/Edit Custom Category Rules), Remove Selected Rows (clear the selected custom category entry), Edit Selected Rows (modify the selected custom category entry), Export List and Import List (export or import a plain text file of entries from the custom category list), and the Cancel button.

Custom Category Options

The Custom Category Options menu works in conjunction with the Custom Category Rules and has two tabs: Categories and Precedence. The Categories tab allows you to create or modify categories listed in the current Optinet category list. For example, the category Computers and Internet covers web sites that post information about computers and software but also covers web sites with information about the Web and the Internet in general. If you wanted to separate this category into two separate categories, i.e., one category called Internet and another called Computers, you could create two new categories with the Custom Category Options menu. As you add web sites to these new categories, the names of these categories will appear in the category list under Admin -> Configuration -> Custom Category Rules -> Assign a Category as well as under the Edit Blocked Categories list. To add a new category, enter the name of the category in the Add/Edit Category Name field and click the Update button. Other options available are Edit Selected Row, Apply, and Cancel.

The Precedence tab allows you to modify the order in which the Compare Strings are examined for classification of web sites. The Custom Category Rules use three compare strings to classify web sites: URL-Regular Expression, URL, and Domain. The default order should be sufficient, but you can alter the order by clicking and dragging an entry and then selecting the Apply button. The Cancel button is also available under this menu.

Remote Subnets

By default, Optinet will monitor all traffic within the local subnet.
However, Optinet can also monitor subnets outside the local subnet. These subnets are called Remote Subnets because they are not within the Optinet local subnet. Review the following topology. This is an example of a flat network. The characteristics of a flat network are that all devices are connected via switches or hubs, there are no layer three devices (routers or layer 3 switches), and the network is not segmented logically by different IP address ranges (VLANs or remote subnets). If you have a flat network, all devices will fall into the local subnet, and you will not need to add entries to the Remote Subnets menu, as Optinet will be able to track devices by MAC address.

Figure 6.1 Flat Network Topology

Now review the following topology. This is an example of a routed network. Notice how there are different logical segments separated by the IP address ranges within the network, i.e., 192.168.255.0, 172.16.0.0, and 10.0.0.0. Also notice how there is a layer three device present in the network (Router 1). These are characteristics of a routed network.

Figure 6.2 Routed Network Topology

In this example, the network subnets 10.0.0.0 and 172.16.0.0 will be identified as remote subnets. Optinet can track Internet traffic by IP address once these networks are identified as remote subnets. Optinet will not be able to track remote subnets by MAC address, as layer three devices maintain MAC addresses within their corresponding subnets. For more information on this you can review Chapter 5: Managing Optinet, section Directory Users & Nodes.

To add network segments to the Remote Subnet menu, enter the network address with the subnet mask in Classless Inter-Domain Routing (CIDR) notation. For example, a network address of 172.16.1.0 with a subnet mask of 255.255.255.0 would be entered as 172.16.1.0/24. For more information on CIDR notation, please see Appendix D: CIDR Cheat Sheet. Once you have entered the network address, select the Add> button and Apply.
Please note that you may at any time add network addresses to remote subnets for monitoring and filtering. If you remove network addresses from remote subnets, this will require a Reset on Telemetry and Profile Data because of how Optinet profiles devices. Please review the section System Utilities for more information on resetting the database. Once you have added the remote subnets, you can create static routes for those subnets. This topic is covered in the section Static Routes.

User Preferences

The User Preferences menu allows you to customize how reports and filters will be displayed by Optinet. This menu also allows you to automatically accept downloads from the Optinet GUI.

Default Rows per Page indicates how many results will be posted for each report. For example, if you want to see how many users have passed Peer to Peer traffic, you can access this information under Report -> Applications -> Peer to Peer -> Correlate by Network Node. This report will by default post the top 25 users of Peer to Peer traffic. However, if you wanted the report to post the top 30 users of Peer to Peer traffic, you would need to change Default Rows per Page to 30. Afterwards, all reports will by default post 30 results instead of 25.

Report Filter Per Page is for the Group, Network Node, and Directory User filters. These filters are available under individual reports and allow you to search for specific Groups, Network Nodes, or Directory Users for the specified reports. Clicking these fields will populate the Select Filter Group, Network Node, or Directory User box. You can then search the Available profiles listed for the desired Group, Network Node, or Directory User profile. By default these filters will post 10 profiles per page. You can change this amount by altering Report Filter Per Page. Once the amount has been altered, all report filters will post the specified number on every filter page accordingly.
Lastly, the lowest amount for both fields is 5 and the highest is 500.

The last setting in the User Preferences menu is Enable Automatic Downloads. Optinet has several downloads for different features, e.g., SSL Certificate, Directory Clients, etc. Selecting these downloads will post a file download dialog box with an additional link for the download. If you would like to skip the additional dialog box and have files from Optinet downloaded automatically, you will need to enable this option. Please note that you may also need to add the IP address of Optinet to the “Local Internet” security zone in your web browser as well as select Medium-Low security settings for downloads. Once you make changes to the User Preferences menu, don’t forget to Apply the changes. The default setting for Enable Automatic Downloads is unchecked.

Static Routes

The Static Routes menu is used in conjunction with the Remote Subnets menu. For example, if you have entries in the Remote Subnet menu, you may need to create static routes for those subnets. However, if you do not have entries in that menu, more than likely you will not need to add static routes. In addition, static routes are only necessary under certain circumstances. One circumstance is remote administration. For instance, if you had a network entry in the Remote Subnet menu and wanted to allow users on that remote subnet administrative access to Optinet, you would need to create a static route for that network. Other scenarios that require static routes are disabling Enhanced Bridging Mode (EBM), using Redirect blocked pages, and installing Directory Agents outside the Optinet local subnet. If you meet any of these requirements, you will need to create static routes.

Static routes are created by identifying the next hop from Optinet to the remote subnets. Review the following topology. Notice how Optinet is installed on a network with a schema of 192.168.255.0. However, most users are located on 10.0.0.0.
For Optinet to communicate properly with the users on the 10.0.0.0 network, the device will need to know the next hop to this network. The next hop is referred to as the gateway or destination gateway for the remote subnet. In this example, the remote subnet will be 10.0.0.0/8 with a gateway of 192.168.255.3.

Figure 6.3 Static Routes Diagram

Please take special notice of the different gateways. The 10.0.0.0 network has a default gateway of 10.0.0.1. This is not the gateway for the Optinet static route, as this address is not the next hop for the remote subnet. The gateway will be 192.168.255.3, as this is the next hop for Optinet to communicate with users on the 10.0.0.0 network. Essentially, the static route will indicate to Optinet the routing path to take when direct communication is required with a host on the 10.0.0.0 network. Also, do not confuse the static route with the Optinet default gateway. Optinet uses the default gateway to access the Internet for updates, while static route gateways are used to communicate with users on the remote subnet.

The following can help you identify the proper static route gateways for Optinet:

• Static route gateways will always be in the same local subnet as the Optinet Bridge IP address.
• Static route gateways will always be on the LAN side of Optinet.
• Static route gateways will never be the same IP address as the Optinet default gateway.
• Static route gateways will never be the default gateway for the remote subnets.

After you have identified the correct static route gateway for the corresponding remote subnet, you can enter them by entering the network address of the remote subnet and the route gateway. Again, network addresses are entered in CIDR notation. Once you have correctly entered the settings, you can select the Add button and then Apply. Remember that static routes are only necessary for remote subnets.
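As an added example (not part of the manual), the following Python checks a proposed static route against the rules of thumb listed above, plus the rule that a static route must never encompass the Optinet local subnet. The bridge address 192.168.255.10/24 and the Optinet default gateway 192.168.255.1 are assumed values; the remote subnet 10.0.0.0/8, its default gateway 10.0.0.1 and the route gateway 192.168.255.3 are the manual’s example.

```python
import ipaddress


def check_static_route(remote_subnet, route_gateway, bridge_interface,
                       optinet_default_gateway, remote_default_gateway=None):
    """Return a list of problems with a proposed static route; an empty list means it passes.

    remote_subnet           CIDR entry from the Remote Subnets menu, e.g. "10.0.0.0/8"
    route_gateway           next hop Optinet should use to reach that subnet
    bridge_interface        Optinet bridge IP with prefix length, e.g. "192.168.255.10/24"
    optinet_default_gateway the gateway Optinet itself uses to reach the Internet
    remote_default_gateway  the default gateway of hosts on the remote subnet, if known
    """
    problems = []
    remote = ipaddress.ip_network(remote_subnet, strict=False)
    gateway = ipaddress.ip_address(route_gateway)
    local = ipaddress.ip_interface(bridge_interface).network

    # Rule: the gateway is always in the same local subnet as the bridge IP.
    if gateway not in local:
        problems.append(f"gateway {gateway} is not in the local subnet {local}")
    # Rule: the gateway is never the Optinet default gateway.
    if gateway == ipaddress.ip_address(optinet_default_gateway):
        problems.append("gateway is the Optinet default gateway")
    # Rule: the gateway is never the remote subnet's own default gateway.
    if remote_default_gateway and gateway == ipaddress.ip_address(remote_default_gateway):
        problems.append("gateway is the default gateway of the remote subnet")
    # A next hop inside the remote subnet itself cannot be on the Optinet LAN side.
    if gateway in remote:
        problems.append(f"gateway {gateway} lies inside the remote subnet {remote}")
    # Rule: never add a route that encompasses the local subnet.
    if remote.overlaps(local):
        problems.append(f"route {remote} overlaps the local subnet {local}")
    # "On the LAN side of Optinet" is a topology fact that addresses alone cannot prove;
    # confirm it against the network diagram.
    return problems


if __name__ == "__main__":
    # The manual's example route, with the assumed bridge and default gateway addresses.
    for route in (("10.0.0.0/8", "192.168.255.3"), ("10.0.0.0/8", "10.0.0.1")):
        result = check_static_route(*route, "192.168.255.10/24", "192.168.255.1", "10.0.0.1")
        print(route, "->", result or "ok")
```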
Do not add a static route that encompasses the local subnet, as this may cause routing problems with the default gateway for Optinet.

SSL Certificate Settings

This menu is covered in Chapter 8: Implementing HTTPS/SSL Filtering with Optinet.

License Settings

The License Settings menu allows you to enter a license key to increase the number of devices Optinet will profile. Licensing with Optinet is based on network connections. That is to say, one hundred connections on your network will constitute 100 licenses. For full functionality of Optinet, you will need to have sufficient licenses for all active connections on your network. You can purchase the license key from Black Box Network Services or your Authorized Black Box Network Services Reseller. Once purchased, you can enter the License Key by selecting the Update button. Optinet will then confirm the License Key and, if correct, will alter the Licensed Network Nodes to the correct amount. Don’t forget to Apply the changes. This option is also available during the Setup Wizard.

Information pertinent to the device, such as Model Number, Serial Number, and Annual Software Maintenance (ASM) Expiration Date, is posted on this menu as well. ASM is used for support on your device and provides Optinet with continued updates on Web content, Spyware, Web viruses, and application signatures. ASM also allows you to use Black Box Network Services Technical Support if needed. If ASM is not current, Optinet will not be able to update firmware, software, content filtering, Spyware, or virus definitions, nor will Black Box Network Services Technical Support be available. To renew your ASM please contact Black Box Technical Support at 724-746-5500, your Authorized Black Box Network Services Reseller, or Black Box Network Services Sales at 877-877-2269.
Other stats available on this menu are Current Software Version, Available Software Version, Last Software Update Date, Last Anti-Virus Update Date, and Last Spyware Definition Update Date.

Special Domains

The Special Domains menu offers two settings to assist in troubleshooting group membership as well as Directory User integration. The first setting is Web Authentication Logout Domain. Web Authentication allows Optinet to identify Directory Users without using the Directory Client. Optinet does this by associating initial web connections with Directory Users. However, Web Authentication does not identify when Directory Users have logged out unless an inactivity or session timeout has been met. By using the URL in Web Authentication Logout Domain, Directory Users can immediately notify Optinet when they have logged out. The default setting is logout.blackbox.com, but you can use this menu to change the URL. Once users enter this URL into their web browser, Optinet will present them with a logout page. After logging out, Optinet will disassociate the web connections from the Directory Users. For this setting to work properly, you must have some form of Web Authentication enabled for users. For more information on Web Authentication, please see Chapter 7: Integrating Directory Users with Optinet.

The next setting is Web Filter Info Domain. Web Filter Info Domain allows you to confirm group membership, Internet Usage Rules, and HTTPS/SSL Filtering rules. By entering the URL into a web browser, you can confirm how Optinet is identifying the user, to which group the user is being assigned, and whether the correct rules are being applied. To use Web Filter Info, enter the URL into a web browser (the default setting is info.blackbox.com), and the Web Filter Status Report will post the results. Please note that any changes to these two settings will require correct Domain Name Service (DNS) resolution.
If you alter the URLs under the Special Domains menu, you will need to make specific entries for these web sites in users’ DNS records.

LDAP Settings

LDAP Settings are supported only for legacy installs using the CymLDAP client. This has been replaced by the Directory Integration process using the CymDIR client.

Backup

Optinet allows you to back up configuration data and telemetry data. These backups can be completed via FTP or via HTTP manual backups. The submenus available here are Backup File Settings, FTP Automated Backup, FTP Manual Backup/Restore, and HTTP Manual Backup.

The options available under Backup are Backup File Name, Add Timestamp to File Name, Backup Configuration Data (device configuration, groups, IUR, shaping rules, etc.), and Backup Telemetry Data (Web logs, application reports, etc.). Once these settings are configured, you will need to create the backup file using the Create File button. Afterwards, you can manually push the backup file to an FTP server or use HTTP to place the backup file in a folder accessible to Optinet.

The FTP Automatic Backup menu allows you to automate backups via File Transfer Protocol. For this to work, Optinet needs write access to an FTP server. You can select Enable Automatic Backups and select the day and time for the backup to execute. In addition, Optinet will need to have listed the hostname or IP address of the FTP server as well as the Server User Name, Server Password, and path for the backup directory. Lastly, you can specify that Optinet only create a backup file automatically and not download it to an FTP server. This option is available as the check box Create Backup File Only.

You can also restore backups to Optinet in the case of device failure. For example, if you need to replace your current Optinet with another device, you can use a stored backup file to restore device settings on the replacement device.
Although easy to execute, the restore options can only be accomplished with an FTP server. Also please note that restores are only possible between the same Optinet models. In other words, you cannot restore a DC10 backup file to a DC30. Again, Optinet will need specifics related to the FTP server, i.e., Hostname or IP address, Server User Name, Server Password, Path, and File Name. The options available under this submenu are Restore From FTP Server and Backup To FTP Server. If you are intending to restore information to Optinet, you will need to select Restore from FTP Server. Backup To FTP Server is for manual backups to an FTP server as opposed to the automated backups available in the previous submenu.

Finally, you can back up manually via HTTP if you do not have access to an FTP server. Again, you will need to create the backup file using the submenu Backup File Settings. Afterwards, you can select the Download button and browse to a network drive, network directory, or even your desktop to place the backup file. When you are finished modifying the backup settings, remember to Apply the changes.

Proxy Settings

The Proxy Settings menu allows you to configure Optinet to work with your network’s proxy server. The most important factor in configuring Optinet with your network’s proxy server is the placement of the device in relation to the proxy server. If the proxy server is an inline device, the recommended placement for Optinet is between the proxy server and users to allow for correct identification of users and devices. In addition, if the proxy server requires users to enter a username and password for Internet connectivity, Optinet will likewise need such information to access the Internet for updates. These settings are entitled Parent Proxy Username and Parent Proxy Password. We recommend that you create a user-specific account on the proxy server for Optinet.
Optinet will also need access to the Web for updates and TCP port 22 for the Support Link utility to work. For correct reporting, Optinet will need to know the IP address and port used (other than port 80 and 8080) for the proxy server. If your network’s proxy server is not an inline device, please contact your Authorized Reseller or Black Box Network Services support before installing Optinet. If the network’s proxy server is not an inline device, you will not be able to place Optinet between users and the proxy server, as web requests would traverse the proxy server’s connection twice: once for the initial request and once for the response. As such, you will need to contact Black Box Network Services Support or your Authorized Black Box Network Services Reseller for assistance with installing Optinet in this scenario.

If Optinet cannot be placed between the users and your network’s proxy server, you will need to configure Optinet differently. First, you will not need to enter any information in the Proxy Settings menu, as your network’s proxy server will be on the LAN side of Optinet. Second, some advanced options are specifically designed for interoperability with current proxy servers, in particular Enhanced Bridging Mode (EBM) and HTTP Keep-Alive Mode. With the proxy server on the LAN side of Optinet, the device no longer needs these options enabled, as the proxy server will perform similar functions. You may need to disable these options (Admin -> Configuration -> Advanced Setup). Finally, most proxy servers execute web requests via Network Address Translation (NAT). NAT is a technique of routing network traffic that involves re-writing or masquerading IP addresses. Optinet will only see the IP address of the proxy server passing web traffic instead of unique users. If the proxy server is located on the Optinet LAN side, individual filtering and reporting may be impossible because Optinet will not receive the users’ IP addresses.
If your network’s proxy server allows you to disable NAT, this may be an option for individual reporting and filtering.

Diagnostic Tools tab

The Diagnostic Tools tab provides you with a variety of tools that you can use to test the functionality of your network as well as Optinet. The Diagnostic Tools tab includes utilities to test network connectivity and device status. This menu is a great place to start the troubleshooting process to confirm device settings and status.

Device Status

Device Status posts the condition of Optinet and several key components of the device. Here you can confirm that the IP address for the bridge interface is correctly assigned. You can also verify the status of all Ethernet ports: WAN, LAN, and Management/Auxiliary. Lastly, you can validate device settings (Device Key, Serial Number) and device status in regards to uptime (how long the device has been up), CPU load, and Used Disk Space.

Directory Agent Diagnostics

This menu is covered in more detail under Chapter 7: Integrating Directory Users with Optinet.

Directory Agent Users

This menu is covered in more detail under Chapter 7: Integrating Directory Users with Optinet.

Display ARP Table

The Display ARP Table lets you view current entries in the Optinet Address Resolution Protocol (ARP) table. ARP provides dynamic address mapping between an IP address and a hardware or MAC address. The Optinet ARP table displays the IP and MAC addresses of devices that have directly communicated with Optinet within the last 5 minutes. The columns listed in the ARP table are Address (IP address), HW Type (Ethernet), MAC Address, Flags (C—reachable), and Interface (br0—Bridge, eth0—WAN, eth1—LAN).

Ethernet Status

The Ethernet Status menu lists the state of the Optinet ports: WAN, LAN, and Management/Auxiliary. The tabs are divided by port and list the status, auto-negotiate, speed, duplex, packets, and errors.
Use this tab to confirm that each active port is operating at the correct speed and duplex settings and not generating any errors. Auto-Negotiation is recommended, but not necessary.

Group IP List

Group IP List is a great tool that can be used to verify group membership for individual users. For example, if you have a device or user that is not being assigned to a group correctly, you can confirm which group has been assigned within the past five minutes for that user or device. Group IP List will list the Group, MAC address (where available), and IP address of the devices currently passing traffic through Optinet. Also available is a drop-down list that allows you to search entries based on Group name, MAC address, or IP address. You can then verify this group assignment against the member type and assigned group (Manage -> Policies & Rules -> Groups). If users or devices are being assigned to incorrect groups, you can use this tool as well as Group Member Type Precedence to resolve the issue and better configure Optinet.

IP Address Map

This menu is covered in more detail under Chapter 7: Integrating Directory Users with Optinet.

No LDAP Network Nodes

This menu is covered in more detail under Chapter 7: Integrating Directory Users with Optinet.

PING

Packet Internet Groups (PING) is a useful troubleshooting tool for computer networks. This tool is used to test whether or not network hosts are reachable by sending an ICMP Echo Request packet. When the destination system receives the packet, it responds with an ICMP Echo Response packet. Optinet includes PING as a troubleshooting tool in the event that a device or web site cannot communicate with Optinet. You can enter the hostname or IP address to run the PING test. You can also alter the number of attempts. If the test results in a failure, you may want to review the network topology and the Static Routes menu.
Please note that many host-based software firewalls, such as those that ship with Microsoft Windows XP and Vista, deny PING traffic by default. You may need to allow ICMP traffic through firewall systems for this utility to be successful.

Test DNS Settings

The Test Domain Name System (DNS) Settings menu allows you to test the DNS settings for Optinet, e.g., whether Optinet can resolve web sites or NetBIOS names to their corresponding IP addresses correctly. Enter the URL of the web site, e.g., www.google.com, or the NetBIOS name of the computer, e.g., computername.mydomain.com, and select Run for a test. You can also change the DNS server for the test by entering a different IP address for the DNS server. A positive result will reply with a host name and an IP address.

Traceroute

Traceroute is a computer networking tool used to determine the route taken by packets across an IP network. The Optinet Traceroute menu allows you to confirm the path taken by Optinet to reach individual computers, routers, or web sites that respond to traceroute. Similar to Test DNS Settings, enter the hostname or IP address for the Traceroute and select the Run button. You can also alter the Timeout in seconds. If the test is successful, the menu will list how many hops are taken for the packet to reach the destination. The menu will also list the time spent in reaching each individual hop.

IP Traffic Monitor

IP Traffic Monitor is a console-based network statistics utility that gathers a variety of data such as TCP connection packet and byte counts, interface statistics, and activity indicators. IP Traffic Monitor shows information on network traffic as it passes in real time through Optinet. Some of the information posted can be used to diagnose network connectivity problems as well as to confirm the highest bandwidth-consuming IP addresses within the network. The difference with this diagnostic tool is that it is not accessible from the Diagnostic tab or any other menu in the Optinet GUI.
Instead, you can access this utility via the Text Menu Interface (Option 2—Utilities, Option 3—IP Traffic Monitor). Please see Chapter 1: Configuring Optinet, Section Text Menu Interface for more information.

Downloads tab

The Downloads tab stores the Directory Agent, Directory Client, and SSL Certificate necessary for Directory Users integration and SSL Filtering respectively. These topics are covered in Chapter 7: Integrating Directory Users with Optinet and Chapter 8: Implementing HTTPS/SSL Filtering with Optinet.

Logs tab

As Optinet completes its day-to-day tasks, the device will track important events, activities, and errors in log files. You can use the Activity Log and Kernel Log to view these files for troubleshooting purposes.

Activity Log

The Activity Log records information about programmed events and their status, e.g., backups, updates, etc. If some of these functions are not working properly, you can use the Activity Log to troubleshoot the process. Also, the Activity Log is useful in troubleshooting Directory Users, which will be covered in Chapter 7: Integrating Directory Users with Optinet.

By default, all types of Activity Log messages are shown for the last 24 hours. However, you can use the Selected Date option to browse for messages during different times, e.g., Last Hour, Last 24 Hours, Last 7 Days, Last Week, Last Month, Last Year, and custom dates. Also available are message type filters that can be used to post only messages relevant to a problem. The message type options are No Filter, Verbose, Informational, Status, Warning, Error, Comment, and Invalid. Comment, Informational, and Verbose are debug-level messages. These messages give information regarding the normal operation of processes and events. Warnings are non-fatal process errors or unexpected conditions, while Errors are fatal process faults that can affect device functionality.
Invalid messages denote invalid or unexpected conditions that might prevent future code execution or cause future Warnings or Errors. Status messages give information regarding the current status of processes or programmed events.

The other option available under logs is Context. Context describes which component of Optinet delivered the message. For example, if an error happens with the backup utility of Optinet, the Context will be Backup and the message type will be Error. The options available under Context are No Filter, System, Initialization, Updates, Backup, Broadcast, and Alert. System Context means the message came from the forwarding plane. The forwarding plane is the part of the Optinet architecture that decides how to handle packets arriving on the LAN interface, i.e., applying shaping rules, denying traffic, etc. Initialization messages are from boot-up or process launchers. Updates Context indicates that the messages were generated by the update system, e.g., Firmware, Software, Content Filter, etc. Backup messages come from the backup system (automated and forced), and Broadcast messages come from the e-mail broadcast system. Alert messages are not currently used.

Kernel Log

The Kernel is the central component of the Optinet Operating System (OS). The Kernel’s responsibilities include managing communication between the hardware and software components. As the Kernel does this, it keeps several key entries in a log file that can be reviewed. This is an excellent place to begin troubleshooting hardware or software problems. Some of the entries are common markers or steps that are routinely run by Optinet. However, pay close attention to messages that concern the hard drive and messages that repeat several times in a row.

Redirection Pages

Optinet offers two customizable pages: one for blocking web sites and one for authenticating Directory Users. The Directory Agent Login Page is defined in Chapter 7: Integrating Directory Users with Optinet.
Blocked URL

When Optinet blocks web sites based on Internet Usage Rules (IURs), users will be presented with a Block Redirection or Block Uniform Resource Locator (URL) page. The Redirection Pages menu allows you to customize the Block URL page to display company messages, customized phrases, etc. The first option available under Block URL Redirection Page is Display Blocked Reason. This will post to users the reason why the page has been blocked, i.e., because of a Blocked Category, Blocked URL, etc. The next option is the Blocked Phrase. Blocked Phrase allows you to customize the message posted to users. The default message is “Your access to the website %blockedURL% was blocked for the following reason:”. The Blocked Reason will then post underneath the message. The Bypass Message is for those users who have the password for Enable Bypass (a setting that allows users to bypass a blocked web site if he/she knows the Bypass Password). The default message for the Bypass Message is “Click here to bypass the filter for this website”. Please note that if you have not enabled Enable Bypass, this message will not post. Contact Message allows users to contact the Optinet administrator in case a web site needs to be re-categorized or allowed. For example, if a user is blocked from http://www.myspace.com.com, but believes that the web site should be allowed or re-categorized, he/she can send an email by clicking on the link posted in the Blocked URL page. For this setting to be active, the Contact Email needs to have the email address of the Optinet administrator. Also note that the URL will not be automatically posted in the email. You should alter the Contact Message to ask users to place the URL in the email. For Optinet to send the Blocked URL Page, the device needs to know the route taken by the initial request for redirection. Normally this is handled by a 200 HTTP response, indicating that the request was received and that the result is the Blocked URL Page.
However, by selecting Redirect blocked pages, you can change the response to a 302 HTTP response, which redirects the browser to another page. The difference between these options is that the 302 HTTP response posts an image of a stop sign in the top right-hand corner of the Blocked URL Page. Also, the IP address of Optinet will be displayed in the URL of the web browser requesting the page. To activate the 302 HTTP response, select the checkbox next to Redirect blocked pages. Please note that the Redirect blocked pages option requires static routes for remote subnets in order to issue the Blocked URL Page. Please see the previous section, Static Routes, for more information. The last checkbox available is Reset to Defaults. This option allows you to erase any alterations to the Blocked URL Redirection Page and default back to the original settings. The box below Reset to Defaults is the actual Hypertext Markup Language (HTML) code used for the Blocked URL Redirection Page. If you are familiar with HTML, you can alter the text, color, and format of the Blocked URL Redirection Page manually using the code present on the page. The following table lists the placeholders that handle the different elements of the page; however, again, you should be familiar with HTML code to make any alterations.

Name                    Syntax              Function
Bypass URL              %bypassURL%         Posts a link to the Enable Bypass Password
Spyware Removal Tool    %spywareCleaner%    Posts a link to the Spyware Removal Tool
Optinet Trademark       %productName%       Posts the trademark on Optinet
Blocked URL             %blockedURL%        Posts the original URL requested by the user that has been blocked
Blocked Reason          %blockedReason%     Posts the reason for the Block URL Redirection Page, e.g., Category, URL
Blocked Message         %blockedMessage%    Posts an explanation of why the page has been blocked, i.e., access to this URL is restricted because…
Bypass Message          %bypassHTML%        Posts a link to bypass the blocked Web site, i.e., Click here to bypass…
Contact Message         %contactMessage%    Allows users to send an email to the Optinet administrator for re-categorization of a blocked Web site, etc.
Contact Email           %contactAddr%       Posts the email address of the Optinet administrator

Once you have completed the alterations, don’t forget to Apply the changes.

Directory Agent Login Page

This menu is covered in more detail under Chapter 7: Integrating Directory Users with Optinet.

Utilities

The Utilities menu offers several functions that are used for troubleshooting and also for deleting information. Also available are the Support Link menu (allows Black Box Network Services Technicians to access your device for remote assistance) and the Spyware Removal Tool menu (a utility that allows you to remotely scan for and delete Spyware present on infected devices). Each utility should be used with caution, as some of the options can drastically erase data and configuration of Optinet.

System Resets

System Resets is divided into four subsections: Restart Services, Filter Resets, Database Resets, and Device Power Resets.

Restart Services

Restart All Services will stop and reinitialize all system processes such as content filtering, application shaping, and report generating. Normally, you will not need to select this option; however, for troubleshooting you may need to select it if a service is not responding correctly. For example, if you are unable to run a report, you may need to restart all services to terminate an orphan process and enable the particular report to run again. Restart All Services may cause a temporary drop in traffic, but should allow you to continue a service if it was not functioning correctly before.

Filter Resets

The first option under Filter Resets is Clear SSL Certificate. This option is covered in Chapter 8: Implementing HTTPS/SSL Filtering with Optinet.
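Returning to the Blocked URL Redirection Page described above: the placeholders in the table are filled from the request that was blocked, so a block page that substitutes %blockedURL% without escaping would reflect whatever the browser sent straight back into HTML. The following added example (not Optinet code, and not Optinet's default page HTML) renders a constructed template using the page's placeholder names with HTML escaping, emits the Bypass link only when Enable Bypass is on, and builds either the in-place 200 response or the 302 redirect the text describes. The template markup, the /blocked path and the link construction are assumptions.

```python
"""Added example (not Optinet code): render a Block URL Redirection Page
from a template that uses the %name% placeholders listed above, and build
the 200 or 302 HTTP response described in the text."""
import html
import re

# Constructed template using the placeholder names from the table.
# Optinet's real default page HTML is not reproduced here (assumption).
TEMPLATE = """<html><body>
<h1>%productName%</h1>
<p>%blockedMessage%</p>
<p>Reason: %blockedReason%</p>
<p>URL: %blockedURL%</p>
%bypassHTML%
<p>%contactMessage% <a href="mailto:%contactAddr%">%contactAddr%</a></p>
</body></html>"""

PLACEHOLDER = re.compile(r"%([A-Za-z]+)%")


def render_block_page(template, values, bypass_enabled, bypass_url=None):
    """Substitute placeholders into the template.

    Every substituted value is HTML-escaped: %blockedURL% comes from the
    user's own request, so it must never land in the page unescaped.
    %bypassHTML% is generated here as a link, and only when Enable Bypass
    is on, matching the note that the Bypass Message is otherwise not shown.
    """
    vals = dict(values)
    if bypass_enabled:
        link = html.escape(bypass_url or "", quote=True)
        text = html.escape(values.get("bypassMessage", ""))
        vals["bypassHTML"] = f'<a href="{link}">{text}</a>'
    else:
        vals["bypassHTML"] = ""
    # The default Blocked Phrase itself contains %blockedURL%, so expand
    # that first; the combined text is escaped below like any other value.
    msg = values.get("blockedMessage", "")
    vals["blockedMessage"] = msg.replace("%blockedURL%", values.get("blockedURL", ""))

    def sub(m):
        name = m.group(1)
        if name == "bypassHTML":
            return vals["bypassHTML"]  # markup built above from escaped parts
        return html.escape(str(vals.get(name, "")), quote=True)

    return PLACEHOLDER.sub(sub, template)


def build_http_response(body, redirect, appliance_ip=None, path="/blocked"):
    """Return (status_line, headers, body).

    redirect=False serves the page in place with a 200 (the default in the
    text). redirect=True answers with a 302 whose Location points at the
    appliance's own address, which is why the Optinet IP then appears in
    the browser's URL bar. The /blocked path is an assumption.
    """
    if not redirect:
        return ("HTTP/1.1 200 OK",
                {"Content-Type": "text/html; charset=utf-8",
                 "Content-Length": str(len(body.encode("utf-8")))},
                body)
    return ("HTTP/1.1 302 Found",
            {"Location": f"http://{appliance_ip}{path}", "Content-Length": "0"},
            "")


# Constructed values, including a deliberately hostile blocked URL.
SAMPLE_VALUES = {
    "productName": "Optinet",
    "blockedURL": "http://example.com/?q=<script>alert(1)</script>",
    "blockedReason": "Blocked Category",
    "blockedMessage": "Your access to the website %blockedURL% was blocked for the following reason:",
    "bypassMessage": "Click here to bypass the filter for this website",
    "contactMessage": "To request re-categorization, email",
    "contactAddr": "admin@example.com",
}

if __name__ == "__main__":
    page = render_block_page(TEMPLATE, SAMPLE_VALUES, bypass_enabled=False)
    print(build_http_response(page, redirect=False)[0])
    print(page)
```

The point to take from the example is the escaping in `sub`: the same template works with either response mode, but only because the reflected URL is neutralized before it is placed in the page.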
After that come Force cymdir.exe Session Timeouts and Flush Web Auth Cache. These utilities are covered in Chapter 7: Integrating Directory Users with Optinet.

Database Resets

Reset to Factory Defaults sets Optinet back to the factory settings. This means that all information is erased as well as configuration data. Basically, the device will be reset to the original settings it had when received. Use this option with care, as Reset to Factory Defaults completely wipes the entire system. You will lose your configuration parameters, accounts, rules, telemetry data, licensing information, and annual support contract information. Access to the device is reset to the username admin and the password Black Box Network Services. If you select this option, you must connect a system to the Optinet LAN port and run the initial configuration of the device. The next option is Reset the Database. Reset the Database erases the database used by Optinet for group configuration, device profiling, Internet Usage Rules, and Shaping Rules. This option also erases all historical data on the device. This utility is almost as drastic as Reset to Factory Defaults, except that basic configuration settings, such as the bridge IP address, subnet mask, default gateway, and DNS server, will remain intact. Licensing and ASM information will also remain. The following table lists all settings lost with Reset the Database, followed by a table that lists which options will be enabled or disabled after resetting the database. If an item is not mentioned, it will be retained.
Lost Settings after Resetting the Database

Report: All information
Manage: Groups, Time of Day Rules, Custom IURs, Shaping Rules, Network Nodes, Directory Users, Custom Logins, Custom TFRS, Custom Application Sets, Custom Applications
Admin: Mail server, Backup Settings, Update Settings (dates erased), Logs (erased), Broadcasts

Default Settings after Resetting the Database (Manage and Admin)

• All users assigned to Default Group
• Domain set to Black Box Network Services.com
• Default IUR set to Web Filter + IM
• Enable Port Scanning/OS Detection selected
• System Access set to admin; Black Box Network Services
• Enable TCP Window Scaling selected
• NTP Server set to pool.ntp.org
• HTTP-Keep Alive Mode selected
• Allow DNS and HTTP Block page for Deny Access
• Traffic Flow Rule Set not selected
• Enable Summary Tables selected
• Database Timeout set to 5 minutes
• Default Settings for Group Member Type Precedence
• Default Settings for Special Domains
• Web Time Online set to 20 seconds
• Default Times for Update Settings
• SSL Certificate Settings set to default
• Blocked URL Redirection Page set to default
• Directory Agent Login Page set to default

Although resetting the database can be drastic, this option is necessary in many scenarios. For example, if you have made extensive changes to your network, such as IP address schemes or new hardware, you will want to reset the database to avoid invalid licenses, incorrect device profiles, or inconsistent grouping. Another scenario that may require resetting the database is if you move Optinet within the network or from one network to another. Also, at any time that you remove subnets from the Remote Subnets settings, you will need to reset the database. Reset Telemetry Data is the least drastic of the reset options. This utility only erases the historical data from Optinet. For example, web logs, Application reports, and Device Status reports will be erased with this option, but groups, IURs, Shaping Rules, and other settings will be retained.
This utility is mostly used when a particular web log needs to be erased while rules and groups remain. The final database reset option is Reset Telemetry and Profile Data (Preserves IURs, Shapers, and the Filter Bypass Group). This option is similar to Reset the Database, except that Internet Usage Rules, Shaping Rules, and members of the Filter Bypass Group by CIDR Block Override will be retained. If you need to reset the database but would like to retain these settings, you can select this option instead.

Device Power Resets

The last two options are for the actual power for Optinet. Hardware Shutdown will physically shut down the device and should be used when the device needs to be powered down. Hardware Reboot powers down the device and automatically powers it back up. All these options will require confirmation via a dialog box. Do not power down Optinet by pulling the power cord or pressing the power button on the front bezel. These procedures should only be used when there is no other alternative for powering down the device.

Support Link

Support Link is a utility that allows a Black Box Network Services technician to access your Optinet remotely and assist in troubleshooting or configuring the device. To activate a support link, you must first call Black Box Network Services Technical Support at 724-746-5500 for a port number. This port number is only relevant to the technician and is used on his/her side. Optinet will require outbound access to the Internet on port 22 (both TCP and UDP) for the support link to work. Once the technician issues you the port, enter the number and select Connect.

Spyware Removal Tool

Optinet has several tools that can identify applications and devices that are infected with spyware. Once a device has been identified as infected, Optinet offers a removal tool that allows you to scan the hard drive of the infected device and remove or quarantine the infected program.
This tool is powered by Counter Spy and is called Spyware Removal Tool. This tool can be activated by accessing the GUI of Optinet from the infected device or by having the user browse to http://spyware.Black Box Network Services.com. Once activated, the Spyware Removal Tool will prompt the user to download and install a program called WebDeploy.cab. This program is used to push the latest spyware definitions to the computer. You may also need to install an ActiveX control for browsing capabilities. Once the Spyware Removal Tool has been installed properly, you can then select to perform a Quick Scan, Full Scan, or Cookies. After you choose which scan to perform, the Spyware Removal Tool will begin to scan the hard drive for infected applications. You can pause or stop this scan at any time. As soon as the scan is completed, you will be presented with the results of the scan, i.e., which applications were infected, which applications were quarantined, etc. Please note that the Spyware Removal Tool can only be used on computers running a Windows OS, and users must have administrative rights to the hard drive, as the Spyware Removal Tool will scan the entire drive. This concludes the chapter on administrating Optinet. The next chapters deal with additional options that allow you to use Optinet with an existing directory on the network to track traffic by Directory Users, and to filter secure web traffic via HTTPS/SSL Filtering.

Chapter 7: Integrating Directory Users with Optinet

Optinet by default tracks all web and application traffic based on device addresses (MAC addresses or IP addresses). By default Optinet will report traffic by each individual device located on the network and list the traffic by Network Nodes. However, reporting by these criteria may be daunting or insufficient, as IP addresses can change constantly or users will move from one machine to another on the network.
In these cases, reporting by Directory Users may be more useful, as Optinet can monitor and report based on Directory User Names as well as by Network Nodes. This chapter will explain how to integrate Directory Users with Optinet. The following topics will be explained.

• Directory Overview
• Directory Options
• Directory Configurations
• Directory Troubleshooting

Directory Overview

Integrating Directory Users with Optinet consists of two steps: (1) allowing Optinet access to your directory server, and (2) identifying when users are accessing the network. The first step can be accomplished through the Directory Agent settings, while the second step is done via the Directory Client or Web Authentication. Choosing which option depends upon the architecture of your network and how you are going to identify Directory Users on your network. The Directory Client and Web Authentication are processes that signal to Optinet when users are logging onto the network. These processes correlate the Directory User profile to the corresponding Network Node in use. Review the following diagram.

Figure 7.1 Directory Integration with Optinet

Optinet uses both processes to identify Directory Users and filter accordingly. For example, when a user logs into a computer, the Directory Client or Web Authentication will signal to Optinet where the user is located and what credentials were used to access the network. When Optinet receives this traffic, it then queries the directory server through the Directory Agent Settings to find the user with his/her associated group, Organizational Unit (OU), attribute, or other settings from your directory structure. Once the user has been identified, Optinet will then apply any filtering or shaping rules to the user and begin reporting traffic by the Directory User profile.
When the user logs out or logs into another computer, the Directory Client or Web Authentication will again send an appropriate signal to Optinet that the user has logged out or started using a new workstation. Using these processes, Optinet can monitor all web traffic by Directory User regardless of where in the network he/she is located and apply appropriate rules to the traffic. The first step in integrating Directory Users with Optinet is deciding which option will fit best for your network. Each option is designed for specific scenarios and has inherent advantages as well as disadvantages.

Directory Options

Use the following Directory User Decision Tree to help you decide which Directory Option is correct for your environment. Each Directory Option is designed for specific scenarios or networks to facilitate Directory User integration. You will need to decide which level of Directory User integration is right for your organization and which requirements can be met by your network. The Directory Decision Tree is followed by descriptions of each Directory Option, listing the advantages and disadvantages of each.

Figure 7.2 Directory User Decision Tree

Directory Option 1: Directory Agent with Directory Client (cymdir.exe)

This is the recommended option for most networks. This option allows Optinet to immediately identify when users are accessing the network while synchronizing with the already defined directory groups, OUs, or user attributes. This method involves installing the Directory Agent on your directory server and deploying a Directory Client through the login process to identify when users access the network. The advantages to this option are immediate identification of users when they access the network and more accurate application reporting based on Directory Users.
Because users will be executing the Directory Client as they log in to the network, Optinet will be instantly notified of the user and will be able to associate all traffic to the corresponding Directory User. The Directory Client supports Windows 64-bit, 32-bit (2000 SP4 or above), and Macintosh OS X (10.3 or above) Operating Systems (OS). Some of the disadvantages of this option are that it only supports Microsoft Active Directory and computers that are members of the Active Directory domain. In addition, this option will not report on individual users through Terminal Services sessions or Citrix sessions.

Directory Option 2: Directory Agent with IP Lookup

This option is designed for networks that cannot deploy the Directory Client because no login process is initiated, login credentials are cached on devices locally, or company policies restrict pushing end-client processes. With this option, Optinet identifies Directory Users when they initiate web (HTTP) traffic. After Optinet intercepts initial web requests from users, Optinet (through the Directory Agent) will petition the directory server to find the credentials used to log in to the device. This option involves installing the Directory Agent on your directory server and creating an Internet Usage Rule to use IP Lookup. Because IP Lookup will petition the directory server to find login credentials, the Directory Agent must be installed on the directory server with administrator rights (Log on as Administrator). In addition, the Operating System (OS) of users will need to be Windows 2000 (SP4) or above, and their computers must be joined to the domain. For computers to successfully communicate login credentials to the directory server, File and Print share rights must be enabled, and their primary DNS server must be set to the IP address of the Active Directory server. Also, these computers must be joined to the domain and use a Windows (2000 SP4 or above) OS.
Lastly, you will need to create two groups with this feature: one for the devices used by the users (Network Node Group) and another for the Directory Users (Directory Group). Both of these groups will need to use the same Internet Usage Rule (IUR) configured to use Web Based Authentication-IP Lookup. The main advantage to this option is that you do not have to execute the Directory Client during the login process. Also, if successfully executed, IP Lookup will seamlessly identify users without presenting them a secondary login page. One disadvantage is that users will not be correctly identified until Optinet first receives web (HTTP) traffic from them. As such, there may be some discrepancy with application control and reporting for users.

Directory Option 3: Directory Agent with NTLM

This option is intended for networks that use Terminal Server and Citrix Server sessions. Please note that Citrix Servers offer a feature called Virtual IPs (VIPs), which will allow you to use Directory Option 1: Directory Agent with Directory Client. If you can enable VIPs with your Citrix Servers, using Directory Option 1 is recommended. Directory Option 3 allows Optinet to identify individual users through devices or applications that use one single IP address for several users. With this option, you will be able to identify and filter individual users that access the Internet from the same device. This option requires that you install the Directory Agent on your directory server and then deploy proxy settings to users’ web browsers. Essentially, users will send web traffic to Optinet, acting as a proxy. This allows Optinet to identify users based on web sessions rather than by IP addresses (the method used by all other directory options). In addition, you will need to create two groups: one Network Node Group that will include the Terminal Services servers or Citrix Servers, and one Directory User Group that will include the Directory Users.
Both groups will use the same Internet Usage Rule set to Web Authentication-NTLM. The main advantage to this option is the ability to individually identify and filter users through Terminal Server or Citrix Server sessions. Although users will be using identical devices to browse the Web, you can enforce different filtering policies based on Directory Users. The main disadvantage is that all application reporting and control are global for these users. Essentially, you will be able to control application and bandwidth traffic for the Terminal Services server or Citrix server, but you will not be able to control application and bandwidth traffic for specific users. Also, you will need to configure proxy settings accordingly. This option will only support Windows (2000 SP4 or above) devices.

Directory Option 4: Directory Agent with Login Page

This option is designed as a failsafe in the event that Directory Option 2 or Directory Option 3 does not succeed, or if users have directory accounts but their devices are not members of the domain. This option allows you to present users with a login page, where they can enter their username and password. Optinet will then verify the credentials and enforce any filtering or shaping rules on the devices used to access the network. This option requires that the Directory Agent is installed on your directory server and that you create an IUR set to Require Web based authentication. This allows Optinet to identify users by their initial web (HTTP) requests and then query the directory server to confirm the user. You can also edit the login page presented to users under Admin -> Redirection Pages -> Login Page. This menu allows you to name the Login Page, add a description, and add a username hint. You can also completely alter the page by using the HTML code present on the page. The main advantage to this scenario is that you can confirm Directory Users regardless of the device in use.
Whether users access the network via Microsoft PCs, Macintosh computers, Linux devices, or even hand-held PDAs, Optinet will present all users with a login page before accessing the Web. The main disadvantage to this scenario is that (depending upon your network) users may be presented with two login processes: one for the computer or network and one for Internet access. Also, users must have a login for the directory to use this feature. You cannot create an Optinet login specific to this feature. If you are attempting to use this feature for guest users, we recommend you create a guest account on your directory server and inform guest users of the credentials or alter the login page to present this information. Another disadvantage is that users will not be correctly identified until Optinet first receives web (HTTP) traffic from them. As such, there may be some discrepancy with application control and reporting for users. In addition, as with all Web Authentication options, you will need to create two groups for users, one for their devices (Network Node Group) and one for Directory Users (Directory Group). Both groups will need to use the same Internet Usage Rule set to Web Authentication.

Directory Configurations

After deciding which Directory Option to use, you will need to follow the individual steps for the corresponding option. Below are the instructions on how to configure the various Directory Options.
Directory Instructions

Directory Option 1
• Install Directory Agent
• Create Directory Agent
• Create Directory Agent Group
• Deploy Directory Client
• Create Directory IURs

Directory Option 2
• Install Directory Agent
• Create Directory Agent
• Create Optinet Group
• Create Directory Agent Group
• Create Directory IURs

Directory Option 3
• Install Directory Agent
• Create Directory Agent
• Create Optinet Group
• Create Directory Agent Group
• Create Directory IURs

Directory Option 4
• Install Directory Agent
• Create Directory Agent
• Create Optinet Group
• Create Directory Agent Group
• Create Directory IURs

Figure 7.3 Directory Install Sequences

Install Directory Agents

The Directory Agent will allow Optinet to synchronize your directory groups, OUs, or user attributes with the Optinet Directory Groups. The Directory Agent will also indicate how to display user names under Reports. You can download the Directory Agent under Admin -> Downloads -> Directory Software -> Download 32-bit Active Directory Agent. The Directory Agent must be installed on a Windows (2000 or above) Server that has access to the directory, e.g., Active Directory server, domain controller, etc. Once downloaded, double-click on the Directory Agent installation package. This will present you with the Directory Agent Installation Wizard. Follow the steps of the Wizard by accepting the License Agreement, selecting a destination folder (C:\Program Files\Black Box Network Services Directory Agent\ is the recommended placement), and Directory Agent Settings.

Figure 7.3 Directory Agent Settings

The Directory Agent Settings allow you to specify how Optinet will communicate with the Directory Agent. In this step, you can adjust the port used to communicate (we recommend you use the default setting of TCP 3462) and the password for authentication to and from the Directory Agent. Remember the settings from this step, as you will need to use the same settings when creating the Directory Agent on Optinet.
Once complete, select Finish as the last step for installing the Directory Agent. If you need to support multiple directories, perform the same steps on the additional directory servers. There are certain events that can cause the Directory Agent to fail. To avoid this, you can configure the Directory Agent to restart after failures. Access the Services on your directory server (Start -> Administrative Tools -> Services) and search for the service called Black Box Network Services Directory Agent. Right-click on the Black Box Network Services Directory Agent service and select Properties. On the Recovery tab, you can select Restart the Service under First Failure, Second Failure, and Subsequent Failures.

Figure 7.4 Black Box Network Services Directory Agent Properties

One final note is that the Directory Agent needs domain user access with all Directory Options except Directory Option 2: Directory Agent with IP Lookup. That option requires that the Directory Agent have administrative access (Log on as Administrator) to the directory server. This allows the Directory Agent to force the directory server to retrieve user credentials. Please make sure you select Log On as Administrator with this option.

Figure 7.5 Black Box Network Services Directory Agent Properties

Create Directory Agents

The second part of using the Directory Agent is to establish an association with Optinet. This is done by creating the Directory Agent on Optinet, which will allow the device to synchronize directory groups, OUs, and user attributes. Under Manage -> Directory Users & Nodes -> Directory Agent, click the Create button. This will bring up the Add/Edit Directory Agent menu. In this menu you can create a name for the Directory Agent, but more importantly you will specify the IP address of the AD server where the Directory Agent is installed.
Also, indicate the Directory Agent settings from the previous section, i.e., the TCP port (recommended port 3462) and the Directory Agent Password. Once you have entered these settings, click Save, and Optinet will attempt to contact the Directory Agent to confirm it can communicate with it. If any errors are returned, verify that you have entered the correct IP address, TCP port number, and password. If you have installed multiple Directory Agents, you will need to create multiple Directory Agents on Optinet as a result.

Create Optinet Groups

Directory Options 2, 3, and 4 differ in that the Directory Client is not used to indicate when Directory Users access the network. Rather, Optinet identifies Directory Users by their initial web (HTTP) requests. Because of this, there is a potential that non-web (HTTP) traffic coming from users will not be handled or grouped correctly until they access the Web. To compensate for this, you will need to create Network Node Groups for the devices that will be used by Directory Users to ensure that all their traffic is handled correctly. To do this, follow the steps under the section Groups in Chapter 5: Managing Optinet. Add the devices that the Directory Users will be using to access the network. For example, if you are using Directory Option 3: Directory Agent with NTLM, you will place the Citrix servers or Terminal Services servers into this group. Later, you will create a single Internet Usage Rule that will be used by both the Network Node Group and the Directory Users Group. If you are unaware of the exact devices that will be in use by the Directory Users, you can create an Optinet Group based on the IP address range assigned to their devices. Again, see the section Groups in Chapter 5: Managing Optinet for information on how to create Optinet Groups with different member types.
An additional option is to have the Default Group (all unassigned devices) use the same Internet Usage Rule as your Directory Users.

Create Directory Agent Group

Directory Agent Groups are created under the same menu as Optinet Groups. The difference with Directory Agent Groups is that these groups will use the Directory Agent and your directory server to identify Directory Users. You must first install and create a Directory Agent before you can create Directory Agent Groups. Click on Manage -> Policies & Rules -> Groups -> Create -> Create a Directory Agent Group. This will post the Add/Edit Directory Agent Group Detail. In this menu, you will need to assign a name for the Directory Agent Group as well as a description. Afterwards, select which Directory Agent you will use to synchronize the Directory Agent Group from the Directory Agent drop-down box. Once you have selected your Directory Agent, click the Add Members button. Optinet will now communicate with the Directory Agent and query your directory server for Distribution Groups or Security Groups. To add these groups, select the empty checkboxes next to the groups and then click the Ok button. If you need to select multiple profiles, you can use Shift + Click or CTRL + Click accordingly. Distribution or Security Groups are just one of four member types you can synchronize with the Directory Agent. You can also synchronize Organizational Units (OUs) and user attributes. To select these different member types, click on the Choose a Member Type drop-down box under the Add Directory Group Members menu. If you select OUs, again, Optinet will communicate with the Directory Agent and query your directory server for OUs. You can then select the profiles for the OUs with the empty checkboxes and select Add. If you choose Attribute or Custom, you will be prompted to define the user attribute of the Directory Users you want to synchronize to the Directory Agent Group.
Attributes are characteristics or distinguishing features that are applied to users. You can use the Directory Agent to query the directory server, find distinguishing attributes, and group users accordingly. The two menus (Attributes and Custom) require advanced knowledge of your directory and users’ attributes. With Attribute you will need to specifically identify which user attributes will identify members of the Directory Agent Group, i.e., phone numbers, names, locations, etc. With Custom, you can use a combination of Attributes. Below is a table of some common attributes used in directory servers and examples of their values, which you can use to synchronize groups based on attributes. Use this guide or your own directory attributes to assist in synchronizing Directory Agent Groups with Optinet.

Common Directory Attributes

Attribute              Example
CN (Common Name)       CN=John Doe
displayName            displayName=John Doe
givenName              givenName=John
objectCategory         objectClass=user
sAMAccountName         sAMAccountName=jdoe
userPrincipalName      [email protected]
mail                   [email protected]
c (Country)            c=usa
company                company=mycompany
department             department=IT
location               location=remote site
manager                manager=boss
postalCode             postalCode=11111
st (State)             st=New York
streetAddress          streetAddress=123 Main
telephoneNumber        telephoneNumber=111-111-1111

An example of how to synchronize Directory Agent Groups based on Attributes would be creating a Directory Agent Group for all users that are upper level managers. The Attribute would read “manager” followed by “is exactly” and then “upper level”.

Figure 7.6 Attribute Example

This Directory Agent would then query the directory server for any user that has an Attribute of manager set to upper level. Accordingly, every time upper level managers access the network, Optinet will group the users as a result. Again, the member type of Attribute requires a high level of understanding of how to identify specific characteristics of Directory Users.
The examples listed above are common directory attributes, but keep in mind that your directory server may have its own attributes specific to your organization. Because of this, you may need to perform some independent research on how to use the Attribute feature. The drop down options for the Attribute member type are is exactly, is approximately, is not, is less than or equal to, is greater then or equal to, contains, does not contain, starts with, and ends with. The Attribute and Value field allow you to enter case sensitive options from your directory server. The member type of Attribute allows you to specifically identify how to synchronize Directory Agent Groups based on a single attribute. However, if you want to synchronize Directory Agent Groups based on multiple Attributes, you will need to select the member type of Custom. 99 Custom allows you to synchronize Directory Agent Groups based on combined attributes. Using the example above we could create a group based on all upper level managers that didn’t include those from a remote site. The custom attribute would read “manager” followed by “= upper level”. Towards the end would be the attribute for the stipulation to not include the remote site “! location=remote site”. The Custom member type would require that you separate the different Attributes as well as enclose the entire string with parenthesis to identify these Directory Users correctly, e.g., ((manager=upperlevel)!(location=remote site)). Figure 7.7 Custom Example The following table lists common operators with Directory Custom Attributes. Common Directory Operators & | ! = ~= > < >= <= And Or Not Equals Approximately Greater than Less than Greater than or equals Less than or equals Once more, using Custom member type requires advanced knowledge of how to define Directory Attributes. 
If you are having difficulty creating Directory Agent Groups based on Attributes or Custom, please contact your Authorized Black Box Network Services Reseller or Black Box Network Services Support. One last note is that you can also combine Directory Users into one group using a combination of the different member types.

After you have added members to the Directory Agent Group, you can also review the Directory Members by selecting Show User List. This menu is available under the Add/Edit Directory Agent Group Detail. Select the checkbox next to each Directory Member and click the Show User List button. You can also remove Directory Members with the Remove Members button. The Edit Member button is only available for Directory Members based on the Attribute or Custom member types.

The last option available with the Add/Edit Directory Agent Group Detail is Edit Precedence. This setting is used when you have created multiple Directory Agent Groups and may have conflicting user membership. For example, if you have two Directory Agent Groups based on OUs and some users are members of both OUs, you can use Edit Precedence to specify which Directory Agent Group assignment will take priority. Edit Precedence allows you to drag and drop Directory Agent Group names to adjust group precedence. After you have synchronized your Directory Agent Groups, make sure to Save your changes.

Deploy Directory Client

The Directory Client is a small executable file that sends user information to Optinet. These transmissions are called heartbeats. They allow Optinet to identify the specific user that is generating network traffic from a particular computer. In essence, the Directory Client identifies the traffic by user name and associates it with the current computer's IP address. While the Directory Client continues to send heartbeats, Optinet watches traffic from that IP address and associates it with the user. Once the user logs out, the Directory Client stops sending heartbeats, and Optinet disassociates the IP address from the user name. Thus, the Directory Client allows Optinet to identify user traffic for monitoring, shaping, and blocking. The steps to deploy the client follow.

Directory Client Versions

There are three versions of the Directory Client: cymdir.exe (Directory Client for 32-bit Windows OS), cymdir_64.exe (Directory Client for 64-bit Windows OS), and cymdir_MAC (Directory Client for Macintosh computers). Please note that the Directory Client is compatible with Windows 2000 SP4 and above as well as Macintosh OS X 10.3 and above. This next section details how to deploy the Directory Client for 32-bit Windows XP. The Macintosh client has read me files that instruct on how to deploy the cymdir_MAC client. You can download the Macintosh client to access the read me files under Admin -> Configuration -> Downloads -> Directory Software. The other Directory Clients are also available under Admin -> Downloads -> Directory Software.

Once you download the Directory Client, you will want to execute the file locally to present some of the help features that the Clients offer. You can also test how user names will be posted with Optinet. You will need to be logged into a Windows PC that is a member of the domain for these steps to work.

Executing the Directory Client

Place the Directory Client on your desktop. Now, double-click the executable. Although the Clients are signed applications, your security settings may trigger a warning about running executables. Simply click Run to continue executing the Client. You should receive the following help dialog box.

Figure 7.8 Directory Client Help Dialog Box

Without any parameters set for the Clients, you should receive a help dialog box like the one posted above. This help dialog box will post when the Clients are unable to send heartbeats to Optinet or have other communication errors. This box will also appear if there are syntax errors or if no Optinet IP address is provided. The Help Dialog will provide several useful pieces of information:

• Error Messages—this message will post when a connection failure is present for the Clients. Causes of connection failures are invalid IP addresses assigned as parameter values, Optinet being powered off, computers running the Clients being unable to connect to the network, bad command line parameters, etc. You can use the Error Message to diagnose problems with the Clients if they occur.
• Authentication Type—this message will post which type of authentication appears to be on the network, such as Windows authentication or Novell authentication. If both are available, you can choose which you prefer by using the /AD switch (please see the section Usage below).
• Authentication Information—this option displays the current user logged into the computer as well as the Domain (Windows) or Context (eDirectory). If the computer is not part of a Domain, the Clients will return the name of the Windows workstation.
• Usage—this is intended to show the proper syntax for command line options given to the Clients. Please note that the Optinet IP address is always required and should always come last.
  o /ad switch—this option is only necessary under either of the following conditions: some of your workstations have the Novell Client installed, or you want to use Active Directory even though eDirectory is present. This option will force the Clients to send Windows Active Directory user information and not eDirectory user information.
  o /tcp switch—this option is used to force the Clients to use TCP connections instead of UDP. UDP connections are preferred as they do not require static routes; however, this option is available for backwards compatibility and troubleshooting. If you enable this option, you will need to create static routes accordingly. Please see the section Static Routes in Chapter 6: Administrating Optinet.
  o /silent switch—this option will prevent the help dialog from coming up under any circumstances. This setting is not recommended for troubleshooting and testing purposes; however, under normal usage this option is recommended. This option should be used when you deploy the Clients in your production environment. By doing so, you will prevent end users from seeing this dialog box and possibly disabling it or causing other problems.
  o /sleep switch—this option allows you to change the number of minutes the Clients will allow to pass before sending heartbeats and becoming dormant. The default setting is 5 minutes. The value must be 1 minute or greater.
  o IP address—this option is necessary to direct the Client to Optinet for heartbeats. You will need to use the IP address of Optinet.
• Complete Usage Information—this option lists further reference information for assistance on deploying the Clients.

Once you have reviewed the options available on the help dialog box for the Clients, you may exit the dialog box and properly execute the client locally for testing. Please follow these steps:

1. Open a Windows Run Prompt (Start -> Run).
2. Type "cmd" in the Open dialog box.
3. Click OK.
4. Drag cymdir.exe to the Command Prompt and drop it (this will paste the full path).
5. After "cymdir.exe", type in the IP address of the Optinet (in this example, we will use 192.168.255.2).

Figure 7.9 Command Line Syntax for Directory Client

6. Execute the command by pressing ENTER.
   a. If the help dialog is raised, then there were communication errors. Please review the syntax and correct any possible errors, i.e., IP address, switches, etc.
   b. If the help dialog is not raised, then the command executed properly. You can verify this by looking at the process list of the Windows Task Manager.
A process called cymdir.exe should be listed. Now that you have properly executed the Client locally, let's confirm that Optinet received the heartbeat and posted the correct username. Click Manage -> Directory Users & Nodes -> Directory Users. Verify there is a new profile listed under the username used to access the computer.

Deploying the Directory Client

Now that you have confirmed that the Client can communicate with Optinet, you are ready to deploy the Client in your network. Because each network is unique, the User Guide and Black Box Network Services cannot make specific recommendations as to how you should integrate the Directory Client into your network and directory server. This section will provide the best information available; however, please note that this information is provided "AS-IS" and without warranty of any kind.

There are a variety of ways to deploy the Directory Client in your network so that it executes when users log in to the domain. The most common ways are the following:

• Batch file
• Registry Setting
• Domain Group Policy Object (GPO)
• Netware Login Script
• VB Script
• Registry Key
• Shortcut in Startup folder

All of these methods employ different means for executing the Directory Client. However, this chapter will only cover how to deploy the Directory Clients via a batch file, registry settings, and Domain GPO. Other methods presented will need to be researched and deployed at your discretion. Again, because each network is different, this User Guide will not advise which method is better. This guide will merely present the most common techniques used.

Creating a Batch File for Directory Client

1. Pick a file directory on your directory server that will store both the batch file and the Client (for example \\server\share\folder).
2. Copy the Directory Client to this folder.
3. Create a Windows batch/command file in this folder (you can do this from Notepad and change the file extension to .bat).
4. Enter the following text into the file, replacing "IP address of Optinet" with the real address (in this example we will use the path \\mydomain.tld\netlogon\Black Box Network Services and the IP address 192.168.255.2):

   start /d "\\server\share\folder" cymdir.exe /silent IP address of Optinet

   a. Using Windows shell environment variables can add power and flexibility to the batch file. For example, by using the syntax start /d "\\%directoryserver%\netlogin\" cymdir.exe /silent 192.168.255.2, you can deploy the Directory Client over multiple directory servers. However, this may require additional troubleshooting if the variables do not resolve correctly. If this is the case, use the full syntax as displayed below.

Figure 7.10 Batch File for Client

5. Verify that the newly created batch file executes when users log in to the domain by loading the Windows Task Manager and confirming the Directory Client is in the process list.

Deploying the Directory Client in a Group Policy Object

1. Log on to your Domain or Active Directory server.
2. Open a Windows Run Prompt (Start -> Run).
3. In the Open field type "mmc" (Microsoft Management Console).
4. Click OK.
5. In the File menu select Add/Remove Snap-in.

Figure 7.11 Console Prompt

6. Click the Add button.
7. Scroll down and select Group Policy Object Editor.

Figure 7.12 Add Standalone Snap In

8. Click the Add button (this will launch the Group Policy Object Wizard).
9. Press the Browse button.
10. Select Default Domain Policy.
11. Click OK.

Figure 7.13 Browse for Group Policy Object

12. Click Finish on the Add Group Policy Wizard.
13. Close the Add Standalone Snap-in dialog box.
14. Click OK on the Add/Remove Snap-in dialog box (you should now be looking at the MMC screen with the Console Root folder above the new Default Domain Policy you have just added).

Figure 7.14 Console Root

15. Expand the Default Domain Policy.
16. Expand the User Configuration option.
17. Expand the Windows Settings option.

Figure 7.15 Scripts Logon

18. Select Scripts (Logon/Logoff).
19. Right-click the Logon option for the Logon Properties dialog box (depending on your current configuration you may already have several scripts running).
20. In order to place the Directory Client in the correct folder for your Domain Policy, select the Show Files button (this will open a new window displaying the current files for the Domain Policy).
21. Copy the Directory Client and paste it into the logon scripts folder (please confirm that you copied the entire file into the folder and not just a shortcut to the file or the file path).
22. Close the logon scripts folder to return to the Logon Properties dialog box.
23. Click Add to open the Add a Script dialog box.
24. Click Browse to open the Logon Script folder.
25. Select the Directory Client and click Open (you should now be in the Add a Script dialog box; the Directory Client should appear in the Script Name box).
26. Enter the Optinet IP address in the Script Parameters box (in this example we will use 192.168.255.2).

Figure 7.16 Script Parameters

27. Click OK to close the Add a Script dialog box.
28. Click OK again to close the Logon Properties dialog box.
29. Confirm any other changes to the Console Root settings that you have edited.

The Directory Client is now ready to run the next time users log in to the Active Directory domain. Again, you can confirm this by reviewing the Directory User tab in Optinet to verify that Optinet is receiving heartbeats from users.

Deploying Directory Client in a Registry Entry

This method requires additional administrative effort, as the Directory Client must be deployed to each workstation in question and a registry key imported. The Directory Client also may require multiple running instances in some circumstances; however, this will not impact performance or reporting.

1. Create a Windows registry file (you can do this from Notepad and change the file extension to .reg).
2. Insert the following text. (You may need to adjust the path depending on your settings. Also, the last line requires the IP address of Optinet. In this example, we will use 192.168.255.2.)

   Windows Registry Editor Version 5.00

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "BlackBoxNetworkServices"="cymdir.exe /silent 192.168.255.2"

3. Save and exit the registry file.
4. Place a copy of the Directory Client in each workstation's Windows folder. (You can also choose any location in PATH.)
5. Import the registry file into each workstation's registry.

This concludes the section on how to deploy the Directory Client. Again, because each network is unique, you may need to determine the best method (or perhaps combination of methods) to deploy the Directory Client.

Create Directory Internet Usage Rules

Creating Internet Usage Rules (IURs) for Directory Groups is quite similar to creating IURs for Optinet Groups. If you have chosen Directory Option 1 or Directory Option 5 for integrating Directory Users, you will follow the same steps listed in Chapter 5: Managing Optinet for your IURs. If you have chosen Directory Option 2, 3, or 4, you will need to enable the different features tailored for each option under the Internet Usage Rule Manager. This is done under the Web Authentication tab. There are several options that are universal for Directory Options 2, 3, and 4 that are listed under Web Authentication.

Web Authentication

Remember that Web Authentication identifies users by web (HTTP) requests. Because of this, non-web traffic, e.g., IM, P2P, etc., may not at first be correctly reported or controlled until Optinet receives a web request from Directory Users. Because of this, the IUR you assign to the Directory Users needs to be the same IUR you assign to a device in use by Directory Users. Directory Options 2, 3, and 4 require you to make two groups: Optinet Groups for Directory Users' devices and Directory Groups for Directory Users. Both of these groups will need to use the exact same IUR.
Also, remember that Directory Option 4 is the safeguard for Directory Options 2 and 3. If for some reason these two Web Authentication pieces (IP Lookup or NTLM) fail, Optinet will present a login page for members of the Directory Group. Below are settings that can be used with all Web Authentication rules.

• Web Authentication White List—these are web sites for which Optinet will not require Directory credentials to access.
• Inactivity Timeout—this setting allows you to identify how much inactive time can pass before Optinet re-confirms Directory Users. For example, if you use Directory Option 4: Directory Agent with Login Page, Optinet will present a user with a login page on his/her first web (HTTP) request. If after logging in, the user does not pass any more web traffic within a certain amount of time, Optinet will again present the login page to the user. The default time for this setting is 5 minutes.
• Session Timeout—this setting allows you to identify how much time can pass, regardless of activity, before Optinet re-confirms Directory Users. With Directory Option 2: Directory Agent with IP Lookup, Optinet will again (via the Directory Agent) have the Directory Server re-confirm the credentials of the Directory Users. With Directory Option 3: Directory Agent with NTLM, Optinet will review the Proxy connections of the users and re-confirm their credentials. Lastly, with Directory Option 4: Directory Agent with Login Page, Optinet will present users with a Login page. The default time for this setting is 30 minutes.

Directory Option 2: Directory Agent with IP Lookup

For Directory Option 2, go to Manage -> Policies & Rules -> Internet Usage Rule -> Create. Name the Internet Usage Rule after its corresponding Directory Group. You can also select web categories, URLs, and other settings to block for the Directory Group by following the instructions listed under Internet Usage Rules in Chapter 5: Managing Optinet for your IURs. Afterwards, click on the Web Authentication tab and select Require Web Based Authentication. Once you have selected this, the checkbox next to Directory Agent IP Lookup will be available. Check the box next to the option and Save your changes. Don't forget to apply the IUR to the Directory Group and its corresponding Optinet Group using the Policy Manager.

Directory Option 3: Directory Agent with NTLM

For Directory Option 3, go to Manage -> Policies & Rules -> Internet Usage Rule -> Create. Name the Internet Usage Rule after its corresponding Directory Agent Group. You can also select web categories, URLs, and other settings to block for the Directory Agent Group by following the instructions listed under Internet Usage Rules in Chapter 5: Managing Optinet for your IURs. Afterwards, click on the Web Authentication tab and select Require Web Based Authentication. Once you have selected this, the checkbox next to Directory Agent NTLM Handshake will be available. Check the box next to the option and Save your changes. Don't forget to apply the IUR to the Directory Group and Optinet Group using the Policy Manager.

Because the NTLM handshake will be issued via a proxy connection, make sure that Optinet is configured in Proxy mode (Admin -> Configuration -> Advanced Setup -> Allow HTTP Connections on Port 8888). For more information on this setting, please see Chapter 2: Installing Optinet.

Directory Option 4: Directory Agent with Login Page

For Directory Option 4, go to Manage -> Policies & Rules -> Internet Usage Rule -> Create. Name the Internet Usage Rule after its corresponding Directory Group. You can select which web categories, URLs, and other settings to block for the Directory Group by following the instructions listed under Internet Usage Rules in Chapter 5: Managing Optinet for your IURs. Afterwards, click on the Web Authentication tab and select Require Web Based Authentication.
Users will now be presented with a Login Page as soon as they initiate a web (HTTP) request. Remember to Save your changes and apply the IUR to the Directory Group as well as the Optinet Group using the Policy Manager.

Directory Troubleshooting

There are several variables that can cause Directory integration to not work properly with Optinet. Identifying which components of Directory integration are not working properly will help you find a solution. We'll first discuss using Optinet to diagnose the problem. We then discuss troubleshooting Group Policy Objects with the Directory Client, scripting issues, and other possible problems.

Using Diagnostic Tools

There are five Optinet diagnostic tools that can be used to confirm whether Directory integration is working properly. The first four tools are located under Admin -> Configuration -> Diagnostic Tools. The last is listed under Admin -> Logs. All the tools are listed below as bulleted items:

• Directory Agent Diagnostics—this menu allows you to confirm Directory group synchronization, Directory User assignment, and current devices in use by Directory Users. This menu has several options to confirm that the Directory Agent is operating correctly, and that Optinet is able to associate network traffic with the correct Directory User.

  The first option is User Lookup. User Lookup can determine where users are located on the Directory Server to ensure they are synchronized correctly to Directory Groups on Optinet. Select Test Type User Lookup and the Directory Agent that is installed on the Directory Server for the corresponding user. Enter the Username and click the Run Diagnostic button. If the Directory Agent can successfully find the Username, the user's Common Name, Directory Agent Group (the synchronized group for Optinet), the Directory Agent Group (the actual user group from the Directory Server), the Distinguished Name, and the time taken to run the test will be posted. If this information is not posted or is incorrect, verify that the Directory Agent is running correctly and can communicate with Optinet. Also, confirm that the user's account is present on the Directory Server where the Directory Agent is installed.

  The next option is IP Lookup. This option allows you to query a workstation and confirm that the user is present on the workstation. This option is used in conjunction with Directory Option 2: Directory Agent with IP Lookup and will (via the Directory Agent) petition the Directory Server to confirm user credentials for specific IP addresses. Select IP Lookup from the Test Type drop-down box and the Directory Agent for the specific Directory User. Enter the IP address of the device you want to query, and click the Run Diagnostic button. If the Directory Server can successfully communicate with the IP address, the Directory Agent will post the Username, the user's Common Name, Directory Agent Group (the synchronized group for Optinet), the Directory Agent Group (the actual user group from the Directory Server), the Distinguished Name, and the time taken to run the test. If the test is unsuccessful, confirm that File and Print share rights are enabled on the end user's device. Also, verify that the user's DNS server is set to use the Directory server where the Directory Agent is installed. Lastly, confirm that the user's account is present on the Directory Server where the Directory Agent is installed.

  The last option available on the Directory Agent Diagnostics menu is Validate Username/Password. This option will query the Directory Server to verify the username and password of the user. If users are having trouble accessing their Directory account, you can use this tool to confirm credentials. Select Validate Username/Password from the Test Type drop-down box. Then, select the corresponding Directory Agent from the Directory Agent drop-down box. You can then enter the Username and Password and click the Run Diagnostic button. Again, if the test is successful, the Results will post the Username, the user's Common Name, Directory Agent Group (the synchronized group for Optinet), the Directory Agent Group (the actual user group from the Directory Server), the Distinguished Name, and the time taken to run the test. One additional line will post with this test confirming whether the password is valid or not. If this test is unsuccessful, confirm the Username and Password (case sensitive) for the user on the Directory Server. You will also want to verify that Optinet can communicate with the Directory Server and that the user's account is present on the Directory Server where the Directory Agent is installed.

• Directory Agent Users—this menu allows you to confirm how Optinet is identifying Directory Users, which Directory Group users are being assigned to, and their associated IP addresses. The columns Username, Common Name, IP Address, Directory Agent Group, Mode, and Status will list current conditions for the selected Directory Users. The first option (Username) allows you to enter a Username and confirm the user's Username and Common Name from the Directory. Also listed are the IP address currently in use by the user, the Directory Agent Group to which Optinet is assigning the user, and the Mode (Directory Option 1, 2, 3, 4, or 5) being used to identify the Directory User. Lastly, the Status column posts the current status of the user, i.e., active, inactive, etc. Other search options available are Common Name, IP Address, and Directory Agent Group. Simply select the searchable option you want to use as criteria, enter the parameters for the search, and click the Search icon (or hit the Enter key). Optinet will then query the Directory Agent Users menu and post the results. If Directory Users are being assigned to incorrect groups or by incorrect modes, you should confirm how you have created your Directory Groups or what particular attributes have been assigned to your users on your Directory Server.

• IP Address Map—IP Address Map shows the association between Directory Users and IP addresses. You can use this tool to confirm that an active IP address is being assigned to the correct Directory User. If, after a user logs in, the IP address is not posting the correct Directory User profile, you can then confirm that the Directory Client is not executing correctly. Review your deployment of the Directory Client as a possible culprit for this problem.

• No LDAP Network Nodes—this menu lists all devices currently passing traffic that do not have an associated Directory heartbeat. This is a great tool to use to confirm whether a computer on the network is sending Directory heartbeats. Please keep in mind that there will inevitably be some devices on the network that do not execute the Directory Client upon login (such as network printers, wireless access points, network appliances, etc.). You can use IP Address Map and No LDAP Network Nodes to confirm whether a user is executing the Directory Client upon login.

• Activity Logs—this log keeps track of all processes running on Optinet. If Optinet cannot communicate with the Directory Agent or cannot query the Directory Server, the Activity Log will post an error or alert accordingly. Verify that the Directory Agent is running, as this log normally indicates a failed communication between Optinet and the Directory server.

If after using these tools you are still experiencing problems, continue with the following suggestions.

• Force cymdir.exe Session Timeouts—this utility forces all cymdir.exe sessions to time out immediately. Use this tool if cymdir.exe users are not being correctly grouped and you need to verify the deployment process.
If the Directory Client has been deployed correctly, Optinet should receive new heartbeats after forcing session timeouts and begin to regroup users according to their Directory Agent Group assignment. • Flush Web Auth Cache—this utility forces all Web Authentication sessions to time out immediately. Use this tool if Web Authentication users are not being correctly grouped and you need to verify the Web Authentication process. If Web Authentication is working properly, Optinet should identify users after forcing session timeouts and begin to regroup users according to their Directory Agent Group assignment. Troubleshooting GPO Issues To troubleshoot potential GPO issues, replace the text in cymdir Login Script.bat with the following (where the text is bold and italicized you will need to replace with the pertinent information). @ECHO OFF REM This part runs the login client for troubleshooting and testing REM add /tcp if you suspect network/routing problems start /d \\server\share\ cymdir.exe /log %tmp% 192.168.1.80 REM This part runs the version 8 login client for production use REM start /d \\server\share\ cymdir.exe /silent 192.168.1.80 REM This part verifies that this Login Script is being run by calling standard Windows routines. time /t > %TMP%\login.txt 113 date /t >> %TMP%\login.txt echo %USERNAME% >> %TMP%\login.txt REM Browse to “%tmp%” in windows explorer by typing %TMP% in the address bar (use internet explorer if necessary) REM There should be BOTH a cymdir.log and also a login.txt file in %TMP% folder. REM If both are missing, this script is not being run REM if both are present, send cymdir.log to support@Black Box Network Services.com The purpose of this script is the put the date, time, and username of the last login in a text file called login.txt located in the user’s %TMP% directory. As these are all standard Windows Shell Functions, there are no references to cymdir. 
Figure 7.17 %TMP% Folder After logging in with this policy, browse to the temporary folder %TMP%. %TMP% is a Windows Shell Variable that corresponds to each user’s Temporary Files Folder. You can navigate to it directly by putting %TMP% in the Address Line of Windows Explorer. Open login.txt if it exists. If login.txt is in the Temporary Directory, verify the login time, date, and username are correct. If so, then Group Policies seem to be working properly, and you should try some of the other troubleshooting methods mentioned below. If the login.txt does not exist or does not contain the correct information, you will more than likely need to contact perform some troubleshooting and verify your GPO settings. Once your Group Policy Object Login scripts are performing as expected, cymdir.exe can be deployed in your network. Troubleshooting Directory Client If the Directory Client Help Dialog Box keeps popping up, look for an error message. The top portion of the cymdir.exe dialog will display a relevant error message (connection failure, unrecognized option, bad or misspelled command name, Invalid IP address, etc). Double check the login script. If there are no error messages, it implies that no command line arguments were given to Directory Client (Similar to double clicking cymdir.exe). Some scripting languages require enclosing the parameters in quotes. If there are no Directory User profiles under Manage -> Directory Users & Nodes -> Directory Users, Optinet is not receiving heartbeats from the Directory Client. Confirm that 114 cymdir.exe is being loaded at login by checking the Process list in the Windows Task Manager. If not, there may be a script problem. If one or more users are not sending heartbeats, network routing issues can prevent packets from reaching Optinet. Use the /tcp switch to test for connection failures. Please note that you will not be able to use the /silent option for this test. 
Another scenario that will prevent Optinet from posting a Directory User profile for a user is that the computer has not yet sent Internet traffic through Optinet. If the workstation has not sent traffic to the Internet, Optinet has no Network Node profile (IP address or MAC address) to which it can attach the Directory User. This corrects itself as soon as the workstation sends traffic to the Internet through Optinet. (Checking Admin -> Logs -> Activity Log can help identify this issue.)
By default, the Directory Client uses port 3642 to communicate with Optinet. You can verify that this port is open by using telnet to connect to Optinet on port 3642 from an affected workstation. The syntax for the Windows command line telnet client is:

C:\>telnet 192.168.1.80 3642

Remember to use the IP address of your Optinet. If you are able to connect and receive an error message about needing to authenticate, there are no network issues. If you are not able to connect, review your firewall or network settings, as they may be blocking access on port 3642.
If the Directory Client causes long login times, this could be due to the syntax in the batch file. Make sure that the line that launches cymdir.exe begins with "start". Start is required to detach the program from the Windows shell. If it is omitted, Windows may not detach the referenced program as an independent process, and the login script may wait 10 minutes before terminating the process.
Occasionally, some traffic is not associated with a Directory User. Cymdir.exe runs when a user logs in and stops running when the user logs off. If traffic occurs when no user is logged into a Network Node, it will not be associated with any user. This commonly occurs when a user reboots, which logs the user off and then generates network traffic, or when Windows updates are downloaded and installed.
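The two checks above (is cymdir.exe loaded at login, and can the workstation reach TCP port 3642 on Optinet) can be run from one script instead of by hand. The following is an added example, not a tool shipped with Optinet or described elsewhere in this guide. It assumes the appliance address 192.168.1.80 from the sample login script (a placeholder), that tasklist.exe is available on the workstation, and it constructs its own sample tasklist output for the offline helper. Like the telnet test, a successful connect only shows that the port is open between the workstation and Optinet; the proof that heartbeats arrive is still a Directory User profile appearing under Manage -> Directory Users & Nodes.

```python
"""Workstation-side checks for the Optinet Directory Client (cymdir.exe).

Added example; not a tool from the Optinet User's Guide.  It automates two of the
guide's manual steps: is cymdir.exe in the process list, and can the workstation
reach TCP port 3642 on the appliance.  OPTINET_IP is the same placeholder address
the guide's sample login script uses."""
import csv
import io
import socket
import subprocess
import sys

DIRECTORY_CLIENT_PORT = 3642        # default port the Directory Client talks to Optinet on
OPTINET_IP = "192.168.1.80"         # placeholder; use your appliance's address
TASKLIST_NO_MATCH = "INFO: No tasks are running"


def parse_tasklist_csv(text, image_name):
    """PIDs of image_name in the output of `tasklist /FO CSV` (empty list if none).

    With /FI, tasklist prints an INFO line instead of a CSV table when nothing
    matches, so that case is handled before the CSV parser sees the text."""
    if text.lstrip().startswith(TASKLIST_NO_MATCH):
        return []
    rows = csv.DictReader(io.StringIO(text))
    return [int(row["PID"]) for row in rows
            if row["Image Name"].lower() == image_name.lower()]


def running_pids(image_name="cymdir.exe"):
    """Query the live process list (Windows only; cymdir.exe is a Windows client)."""
    result = subprocess.run(
        ["tasklist", "/FI", f"IMAGENAME eq {image_name}", "/FO", "CSV"],
        capture_output=True, text=True, check=False)
    return parse_tasklist_csv(result.stdout, image_name)


def probe_tcp(host, port, timeout=3.0):
    """(reachable, detail) for a TCP connect, the same test the guide does with telnet.

    A connect that succeeds and is then closed by the appliance still proves the
    path is open; refused or timed-out connects point at a firewall or a route."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:              # ConnectionRefusedError, TimeoutError, ...
        return False, type(exc).__name__


def self_test():
    """Offline check of probe_tcp: a local listener while open, then the same port closed."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        while_open = probe_tcp("127.0.0.1", port)[0]
    after_close = probe_tcp("127.0.0.1", port)[0]
    return while_open, after_close


# Constructed sample output, in the shape `tasklist /FI "IMAGENAME eq cymdir.exe" /FO CSV`
# produces when the client is running and when it is not.
SAMPLE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"cymdir.exe","1844","Console","1","3,512 K"\n'
)
SAMPLE_TASKLIST_EMPTY = "INFO: No tasks are running which match the specified criteria.\n"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else OPTINET_IP
    if sys.platform == "win32":
        pids = running_pids()
        print("cymdir.exe running:", pids or "NO - check the login script and Task Manager")
    reachable, detail = probe_tcp(target, DIRECTORY_CLIENT_PORT)
    print(f"tcp/{DIRECTORY_CLIENT_PORT} to {target}: {'open' if reachable else 'blocked'} ({detail})")
```

Run it on an affected workstation with the Optinet address as the argument. A "blocked" result with ConnectionRefusedError or TimeoutError is the case the guide attributes to firewall or routing settings; an "open" result with no Directory User profile points back at the login script or the /tcp test.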
In some circumstances (particularly involving laptop computers) a user will not run the login script or Group Policy Object from the network as they log in. This could be because they are not connected to any network, they are connected to a network that is not their home network, or they have somehow bypassed their network login script. (Consider using an alternate method like Web Authentication for these users instead of the Directory Client.)
Also, users can potentially terminate the cymdir.exe process from Task Manager in an attempt to escalate their network privileges. If this happens, their workstation will be added to the next appropriate group (typically the Default Group). To prevent privilege escalation, give the Default Group (or whichever group a workstation falls into without a Directory User) the fewest network privileges available. This way, users can only de-escalate their access by terminating the Directory Client.
Some security settings may prevent the Directory Client from executing correctly. If you are unable to execute the client after following the deployment steps, you may need to unblock the executable. You can do this by right-clicking cymdir.exe and selecting Properties. Under the General tab, click the Unblock button and then apply the changes.
Lastly, make sure that you use the correct Directory Client for your operating system. There are three versions (32-bit, 64-bit, and Macintosh), and they should be deployed accordingly.

Chapter 8: Implementing HTTPS/SSL Filtering with Optinet
Secure Sockets Layer (SSL) is a technology that is used to encrypt data sent over the network. (Newer versions of SSL are called Transport Layer Security, or TLS. Statements in this User Guide regarding SSL also apply to TLS.) This encryption is done to ensure that the data transmission is secure and readable only by the intended recipients. This technology is most commonly associated with Hypertext Transfer Protocol Secure (HTTPS) traffic sent over the Internet.
For example, web pages such as banking or ecommerce sites handle information that is very sensitive for users, i.e., credit card numbers, social security numbers, etc. Because this information is important, the web site must take special precautions to make sure that this information is not viewed by the wrong person. Also, the site visitor needs to be able to confirm the identity of the web site and be sure that the transmission of data across the Internet is not intercepted by anyone. However, SSL can also be used to conceal web traffic and visit prohibited sites. The most common practice of this is with proxy web sites or proxy web servers. Optinet uses HTTPS/SSL Filtering to allow you to view and restrict web traffic for secure web sites and also to prohibit users from viewing unauthorized content.
This chapter can be used to enable HTTPS/SSL Filtering. The following topics will be covered.
• Certificate Authorities
• SSL Anonymous Proxies
• HTTPS/SSL Filtering
• HTTPS/SSL Blocking
• HTTPS/SSL Filtering Requirements
• Enabling SSL Certificate-Based Filtering
• The Optinet Digital Certificate
• Installing the Optinet Digital Certificate
• Enabling Full SSL Content Filtering
• Confirming the Optinet Digital Certificate
• Reporting on HTTPS/SSL Web Sites
• Viewing Sensitive Content on HTTPS/SSL Web Sites

Certificate Authorities
For web sites to use SSL to serve secure data, they employ a digital certificate signed by a Certificate Authority (CA), like VeriSign or Thawte. A CA issues and signs a digital certificate which confirms the identity of the web site and that the page is secure. The CA also attests that the certificate belongs to the organization, server, or other entity named in the certificate. How do users know if a web site is secure? Through the digital certificate presented by the web site. Normally, web browsers have a list of trustworthy CAs.
When users connect to a secure web site, the web browser checks the name of the web site against the corresponding certificate. If the certificate name matches the name of the web site, the certificate is not expired, and it is signed by a trusted CA, the web browser displays the web site. If any of these checks fail, a warning is displayed indicating the error. Thus web sites and users depend on digital certificates to confirm identities and information.

SSL Anonymous Proxies
In addition to using SSL for securing web traffic, SSL can also be used to conceal web traffic. The purpose of Optinet HTTPS/SSL Filtering is to prevent users from concealing their web traffic and from viewing unauthorized content. One of the ways users can conceal web traffic with SSL is by using SSL Anonymous Proxies. SSL Anonymous Proxies, available to anyone with Internet access, instruct users on how to direct their web traffic to a specific web site or service. Like traditional anonymous proxies, they allow a user to enter a URL, which the proxy then fetches and returns to the user. From a web filter's perspective, it is as if all the content came from the proxy site. An SSL Anonymous Proxy takes this one step further by encrypting this data, thereby concealing the user's traffic while visiting prohibited web sites. The most common tactic of SSL Anonymous Proxy servers is using Common Gateway Interface (CGI) web sites that create tunnels to other web sites. However, there are many forms of proxy servers that are designed to make web surfing anonymous and bypass content filtering. Below are listed the most common Anonymous Proxy services and how they conceal web traffic.

SSL CGI Proxy
This type of proxy has users enter the Uniform Resource Locator (URL) of the web site they want to browse to into a web form. The web site then processes the request and retrieves the page on behalf of the user.
The web site changes the links and images within the page so that the requests are actually served by the proxy web site and not the original web site.

SSL Full Proxy
This type of proxy requires users to modify their web browser settings to use a proxy server. Some of these sites will also use non-standard ports to conceal web traffic.

SOCKS4/5 Proxy
This type of proxy also has users modify web browser settings to use a proxy server.

TorPark Network
This type of proxy is an SSL-based network that allows users to hide web browsing. TorPark normally uses non-standard port numbers to avoid detection and uses SSL to conceal the content of web sites.

Optinet has several options that allow you to block anonymous SSL web surfing and prevent users from concealing their traffic. These options are discussed in the next section.

HTTPS/SSL Filtering
Optinet offers you several tools to filter HTTPS/SSL traffic and to block proxy web sites that allow users to cover their web traffic. Depending upon the type of control you want over SSL traffic, you will need to configure HTTPS/SSL Filtering accordingly.
All HTTPS/SSL filtering options are handled by Traffic Flow Rule Sets (TFRS). TFRS are the basic traffic identification and control engine within Optinet. TFRS allow you to dictate how traffic will be identified, controlled, reported, filtered, and shaped. In the case of HTTPS/SSL traffic, Optinet has several TFRS that handle HTTPS/SSL traffic according to the settings listed below. The component of a TFRS that handles HTTPS/SSL Filtering is called SSL Filter. SSL Filter can perform content filtering, web logging, spyware scanning, and virus scanning on all HTTPS web sites. However, there are several options within SSL Filtering. Below are all available options.

Disable SSL Inspection and Filtering
This option will not perform any HTTPS/SSL Filtering or Inspection. This is the default option and will not filter, report, or inspect any HTTPS/SSL traffic.
Enable SSL Certificate-Based Content Filtering
This option allows you to filter HTTPS web sites based only on the certificate name presented. In addition, this option will only log and filter the first web page accessed for the site. No other pages on the web site will be scanned. Also, if the certificate name does not match the URL of the web site, some mis-categorization can happen. Finally, if users attempt to access an HTTPS web site that has been prohibited, they will not receive a redirection page alerting them that the site has been blocked by Optinet. This is the level of protection provided by almost all secure network gateway devices that support SSL features.

Enable Denied Access Page for SSL Certificate-Based Content Filtering
This option has the same scope as the previous one: it filters HTTPS web sites based only on the certificate name presented, logs and filters only the first web page accessed for the site, and can mis-categorize a site whose certificate name does not match its URL. However, this option presents users with a blocked redirection page if the web site has been prohibited, and it can be used in conjunction with SSL Certificate-Based Content Filtering.

Enable Full SSL Content Filtering
This option allows you to filter HTTPS web sites based on the certificate name presented, the name of the web site, and the site's content. This option is the most robust and complete of all SSL Filter options, as it allows for better categorization of HTTPS web sites, continued filtering of all pages within the web site, and blocked redirection pages for prohibited secure sites. Also, this is the only SSL Filter option that offers full scanning of HTTPS web sites for spyware and viruses.
Because of the additional steps required to enable Full SSL Content Filtering, you will not be able to turn on this option without first contacting a Black Box Network Services Support Technician. If you are interested in enabling Full SSL Content Filtering, please call Black Box Network Services Technical Support. Do not enable Full SSL Content Filtering without deploying the Optinet Digital Certificate beforehand. Doing so will interrupt access to HTTPS web sites, because browsers that do not trust the Optinet certificate will warn on every secure site. Please read the section on Installing the Optinet Digital Certificate before enabling this option.

Only Allow Trusted Certificate Authorities and Non-Expired Certificates
This option increases security for web traffic, as it will not allow users to visit HTTPS sites that have expired certificates or certificates issued by non-trusted CAs. This option can be used in conjunction with SSL Certificate-Based Content Filtering and Full SSL Content Filtering.

HTTPS/SSL Filter Exemption List
This option allows you to enter URLs of secure web sites that will be exempt from SSL Filtering. For sensitive web sites, such as banking and ecommerce, you may want to enter the URLs of these sites to avoid content filtering on those specific web sites. With Full SSL Content Filtering, Optinet decrypts the traffic of every HTTPS site that is not on this list, so the exemption list is the control that keeps credentials and other sensitive data for those sites from being inspected on the appliance. This option can be used in conjunction with all SSL filtering options.

Content Filtering Rules
Once you have enabled any of the HTTPS/SSL Filtering options, all your Content Filtering Rules will apply to HTTPS web sites as well. For example, if you have entered myspace in the Blocked URL list under the Content Filtering tab and enabled HTTPS/SSL Filtering, users will not be able to access http://www.myspace.com or https://www.myspace.com. As such, if you want to block a specific web category or web site that uses HTTPS, enter the web site as blocked in the Content Filtering tab, select a TFRS that has SSL Filter, and choose one of the HTTPS/SSL Filtering options.

HTTPS/SSL Blocking
There is an additional TFRS component for SSL traffic entitled SSL Block.
This component does not perform any content filtering, web logging, spyware scanning, or virus scanning on HTTPS web sites. It simply prohibits all HTTPS/SSL traffic from passing through Optinet. By default there is only one TFRS that is set to block HTTPS traffic. This TFRS is called Web Filter + Anonymous Proxy Guard + SSL Block. This TFRS performs content filtering, web logging, spyware scanning, and virus scanning for HTTP traffic (Web Filter). This TFRS also prohibits HTTP traffic on any port other than port 80 or a designated proxy port (Anonymous Proxy Guard). Finally, this TFRS prohibits all HTTPS/SSL traffic from passing through Optinet (SSL Block).

HTTPS/SSL Filtering Requirements
HTTPS/SSL Filtering does place additional processing load on Optinet. As such, on models without SSL acceleration, HTTPS traffic cannot be more than 25% of the model's total bandwidth specification (see the following table). Before enabling any form of HTTPS/SSL Filtering, please confirm that your HTTPS traffic does not exceed the amount listed below.

Model              Max Total Throughput   Max HTTPS Throughput
Optinet 5          5 Mbps                 1.25 Mbps
Optinet 20         20 Mbps                5 Mbps
Optinet 20 SSL     20 Mbps                20 Mbps
Optinet 45 SSL     45 Mbps                45 Mbps
Optinet 100 SSL    100 Mbps               100 Mbps
Optinet 200 SSL    200 Mbps               200 Mbps

SSL Acceleration
The Optinet SSL models come equipped with SSL accelerators which perform part of the HTTPS/SSL Filtering, relieving the load on Optinet. These models are indicated with the SSL designation in the table above.
Also, HTTPS/SSL Filtering requires a live Internet connection, preferably active for at least 24 hours. A good practice is to install Optinet and let the device collect data for at least 24 hours. This way you can verify via Report -> Application Overview -> HTTPS whether the amount of HTTPS traffic is below 25% of the Optinet maximum bandwidth specification, and afterwards enable HTTPS/SSL Filtering.
Lastly, Optinet only supports HTTPS/SSL Filtering for web browsers that use SSL v2.0, SSL v3.0, and Transport Layer Security (TLS) v1.0.
Current web browsers use these versions by default, but you may want to verify that your network's web browsers are updated. (SSL v2.0 and SSL v3.0 have since been deprecated by the IETF and are disabled in modern browsers, so confirm which protocol versions your browsers actually negotiate against the list above.)
In addition to the bandwidth and connection requirements, HTTPS/SSL Filtering requires that you enable two options under the Advanced Setup tab (Admin -> Configuration -> Advanced Setup) that allow Optinet to support HTTPS/SSL filtering. These two options are HTTP Keep-Alive Mode and Enhanced Bridging Mode (EBM). HTTP Keep-Alive Mode allows Optinet to use the same connection to send and receive multiple HTTP requests and responses, as opposed to opening a new connection for every single HTTP request or response. Using HTTP Keep-Alive Mode is essential for good web performance with HTTPS/SSL Filtering. EBM allows Optinet to act as a transparent filter. As a transparent filter, Optinet does not modify the web request or response beyond what is required for authentication and identification. EBM also improves quality of service, delivering content at higher bandwidth and reducing transmission latency. If either of these options is not enabled, HTTPS/SSL Filtering is not possible.
One last requirement before enabling HTTPS/SSL Filtering is deciding which options to use. All HTTPS/SSL filtering is handled by TFRS. However, some of the HTTPS/SSL Filtering options determine what steps need to be performed first. For example, Full SSL Content Filtering requires additional configuration steps before enabling HTTPS/SSL Filtering. This option uses a digital certificate from Optinet similar to the ones issued by CAs. If you plan on using Full SSL Content Filtering, you will need to deploy the certificate before enabling HTTPS/SSL Filtering. Please review the section entitled Installing the Optinet Digital Certificate.

Enabling SSL Certificate-Based Filtering
Enabling SSL Certificate-Based Content Filtering allows you to filter HTTPS web sites based only on the certificate name presented.
You can also select Denied Access Page for SSL Certificate-Based Content Filtering to present users a redirection page for blocked HTTPS web sites, as well as Only Allow Trusted Certificate Authorities and Non-Expired Certificates.
To do this, you will first select an Internet Usage Rule (IUR). Click Manage -> Policies & Rules -> Internet Usage Rules -> Default Usage Rules (or another group's usage rules). The first step is to alter an IUR for HTTPS/SSL Filtering by choosing a TFRS that can identify and filter HTTPS traffic. Select the drop-down box for TFRS and choose a rule set that has SSL Filter as a component. This will then allow you to access the HTTPS/SSL Filtering tab.
Optinet has three default TFRS that filter HTTPS/SSL traffic. These TFRS are listed below with their corresponding targets. Please note that these are the default settings for the TFRS and can be changed or customized based on your needs.

Web Filter + Deny IM + Anonymous Proxy Guard + SSL Filter
This TFRS performs content filtering, web logging, spyware scanning, and virus scanning for both HTTP (Web Filter) and HTTPS traffic (SSL Filter). This TFRS also denies all IM client conversations (Deny IM) and prohibits HTTP traffic on any port other than port 80 or the designated proxy ports and SSL traffic on any port other than port 443 (Anonymous Proxy Guard).

Web Filter + Anonymous Proxy Guard + SSL Filter
This TFRS performs content filtering, web logging, spyware scanning, and virus scanning for both HTTP (Web Filter) and HTTPS traffic (SSL Filter). This TFRS also prohibits HTTP traffic on any port other than port 80 or a designated proxy port and SSL traffic on any port other than port 443 (Anonymous Proxy Guard).

Web Filter + SSL Filter
This TFRS performs content filtering, web logging, spyware scanning, and virus scanning for both HTTP (Web Filter) and HTTPS traffic (SSL Filter).

Depending upon how you would like to filter HTTPS traffic, choose the TFRS accordingly.
Again, once you have selected a TFRS with SSL Filter, you can select options under the HTTPS/SSL Filtering tab. In this section, we will only be detailing the options of SSL Certificate-Based Filtering. Click on the HTTPS/SSL Filtering tab, and select the radio button for Enable SSL Certificate-Based Content Filtering. You can also select the check boxes for Enable "Denied Access" page and Only Allow Trusted Certificate Authorities and Non-Expired Certificates, and enter any URLs for the Filter Exemption List. Once modified, don't forget to save your changes.
Once the IUR has been saved, make sure that the new rules are being applied to the group under the Policy Manager. You can review how to do this under Chapter 5: Managing Optinet. You have now finished creating an Internet Usage Rule that filters certificates for HTTPS web sites and assigned it to the corresponding group. You can follow the previously mentioned steps to assign additional IURs that filter certificates for HTTPS web sites to other groups as well.

The Optinet Digital Certificate
For Optinet to fully scan HTTPS web sites, the device needs to inspect the data traversing the SSL connection between the user and the web site. Consequently, deploying a third-party certificate to act as the "middle man" between the user and the secure web site is the most effective method to allow the secure connection while examining the content. By deploying a certificate from Optinet to the user, a secure connection between the two is established. Optinet then establishes a separate secure connection between itself and the secure web site or server. In this fashion, Optinet acts as an SSL proxy, allowing both connections to be fully inspected without dropping the connection (see the following diagram).
Figure 8.1 Optinet Certificate
In essence, Optinet establishes two SSL connections, one to the user and one to the web site.
After these connections are established, the user sends the SSL request to Optinet. Optinet reviews the SSL request, verifies filtering rules, and then sends an SSL request on behalf of the user to the web site. This process allows Optinet to fully inspect the SSL traffic from both the user and the responding web server.
Again, for this option to work correctly, users will need the Optinet digital certificate installed in their individual web browsers. This certificate can be downloaded from Optinet under Admin -> Configuration -> Downloads -> SSL Authority Certificate or at http://IP address of Optinet/downloads/cacert.cer. Although you can install the certificate individually for each user, this chapter has several options on how to deploy the certificate on a wider scale. Keep in mind that every browser which trusts this certificate as a root will accept any site certificate signed with it, so treat the appliance and this certificate's private key as you would any root CA, and distribute cacert.cer through channels you control (a network share or Group Policy) rather than relying on users to fetch it over plain HTTP.
Lastly, you can also customize the certificate used for Full SSL Content Filtering. If you would prefer the certificate to display your company information, your company's organizational unit, or your contact information, you may modify these settings under Admin -> Configuration -> SSL Certificate Settings. If you make any errors or need to change the SSL Certificate Settings, you can select Clear SSL Certificates (Admin -> Utilities -> System Resets -> Clear SSL Certificates). This will set the SSL Certificate Settings back to the defaults. However, if you alter the SSL certificate in any form, make sure that users have the new finalized certificate before enabling Full SSL Filtering.

Installing the Optinet Digital Certificate
The Optinet certificate can be deployed individually in each computer's web browser, or it can be deployed as a Group Policy Object (GPO) by Active Directory. The following sections describe how to perform each.

Deploying the Optinet Certificate via Web Browsers
The Optinet certificate can be downloaded and installed by directing your users to their web browsers.
A good practice is to download the certificate to a network share and have users install it directly from the shared drive. Another option is to send users an email with the certificate attached as a zipped file or with the URL of the certificate (http://IP address of Optinet/downloads/cacert.cer). Once you have distributed the certificate, simply have users import it. The import steps differ depending on the user's operating system and default web browser. Below are email templates you can copy and use to instruct users how to install the certificate on Windows PCs with Internet Explorer and Firefox. The one area where you need to add information before sending a template is the address written as "IP address of your Optinet". For other web browsers or operating systems you will need to research how to import digital certificates.

Email Template for Windows XP and Internet Explorer 6
As part of our efforts to better provide a secure work environment and offer users reliable web access, we have decided to employ content filtering for Hypertext Transfer Protocol Secure (HTTPS). Although you may be unfamiliar with the term HTTPS, this protocol is used by web sites to secure information. However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to users and the network. Filtering HTTPS web sites will improve our ability to protect the network and ensure safe web browsing. You will need to import a digital certificate into your web browser that will allow you to access legitimate web sites that use HTTPS. Please click on the following link and save the certificate (cacert.cer) to your desktop: http://IP address of your Optinet/downloads/cacert.cer. Or please download the attached zipped file (cacert.cer) to your desktop. Then follow the instructions listed below to import the certificate. Thanks and have a nice day.
1. Open Internet Explorer 6.
2. Click on Tools -> Internet Options.
3. Select the Content tab and click the Certificates button (this will bring up the Certificates dialog box).
4. Select the Trusted Root Certification Authorities tab and then click the Import button (this will bring up the Certificate Import Wizard).
5. Begin the wizard by selecting Next and, when prompted, browse to the certificate you downloaded to your desktop.
6. If asked, allow Windows to automatically select the certificate store.
7. Complete the Certificate Import Wizard by selecting Next when prompted.
8. After you have completed the Certificate Import Wizard, click the Finish button (you may receive a security warning about installing the certificate; select Yes to allow the import).
You have now completed the Certificate Import Wizard for Internet Explorer 6. You can delete the certificate file on your desktop.

Email Template for Windows XP and Internet Explorer 7
As part of our efforts to better provide a secure work environment and offer users reliable web access, we have decided to employ content filtering for Hypertext Transfer Protocol Secure (HTTPS). Although you may be unfamiliar with the term HTTPS, this protocol is used by web sites to secure information. However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to users and the network. Filtering HTTPS web sites will improve our ability to protect the network and ensure safe web browsing. You will need to import a digital certificate into your web browser that will allow you to access legitimate web sites that use HTTPS. Please click on the following link and save the certificate (cacert.cer) to your desktop: http://IP address of your Optinet/downloads/cacert.cer. Or please download the attached zipped file (cacert.cer) to your desktop. Then follow the instructions listed below to import the certificate. Thanks and have a nice day.
1. Open Internet Explorer 7.
2. Click on Tools -> Internet Options.
3. Select the Content tab and click the Certificates button (this will bring up the Certificates dialog box).
4. Select the Trusted Root Certification Authorities tab and then click the Import button (this will bring up the Certificate Import Wizard).
5. Begin the wizard by selecting Next and, when prompted, browse to the certificate you downloaded to your desktop.
6. If asked, allow Windows to automatically select the certificate store.
7. Complete the Certificate Import Wizard by selecting Next when prompted.
8. After you have completed the Certificate Import Wizard, click the Finish button (you may receive a security warning about installing the certificate; select Yes to allow the import).
You have now completed the Certificate Import Wizard for Internet Explorer 7. You can delete the certificate file on your desktop.

Email Template for Windows Vista and Internet Explorer 7
As part of our efforts to better provide a secure work environment and offer users reliable web access, we have decided to employ content filtering for Hypertext Transfer Protocol Secure (HTTPS). Although you may be unfamiliar with the term HTTPS, this protocol is used by web sites to secure information. However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to users and the network. Filtering HTTPS web sites will improve our ability to protect the network and ensure safe web browsing. You will need to import a digital certificate into your web browser that will allow you to access legitimate web sites that use HTTPS. Please click on the following link and save the certificate (cacert.cer) to your desktop: http://IP address of your Optinet/downloads/cacert.cer. Or please download the attached zipped file (cacert.cer) to your desktop. Then follow the instructions listed below to import the certificate. Thanks and have a nice day.
1. Open Internet Explorer 7.
2. Click on Tools -> Internet Options.
3. Select the Content tab and click the Certificates button (this will bring up the Certificates dialog box).
4. Select the Trusted Root Certification Authorities tab and then click the Import button (this will bring up the Certificate Import Wizard).
5. Begin the wizard by selecting Next and, when prompted, browse to the certificate you downloaded to your desktop.
6. When asked, place the certificate in the Trusted Root Certification Authorities store.
7. Complete the Certificate Import Wizard by selecting Next when prompted.
8. After you have completed the Certificate Import Wizard, click the Finish button (you may receive a security warning about installing the certificate; select Yes to allow the import).
You have now completed the Certificate Import Wizard for Internet Explorer 7. You can delete the certificate file on your desktop.

Email Template for Windows XP/Vista and Firefox 2
As part of our efforts to better provide a secure work environment and offer users reliable web access, we have decided to employ content filtering for Hypertext Transfer Protocol Secure (HTTPS). Although you may be unfamiliar with the term HTTPS, this protocol is used by web sites to secure sensitive information. However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to users and the network. Filtering HTTPS web sites will improve our ability to protect the network and ensure safe web browsing. You will need to import a digital certificate into your web browser that will allow you to access legitimate web sites that use HTTPS. Please click on the following link and save the certificate (cacert.cer) to your desktop: http://IP address of your Optinet/downloads/cacert.cer. Or please download the attached zipped file (cacert.cer) to your desktop. Then follow the instructions listed below to import the certificate. Thanks and have a nice day.
1. Open Firefox 2.
2. Click on Tools -> Options.
3. Select the Encryption tab and click the View Certificates button (this will bring up the Certificate Manager).
4. Select the Authorities tab and then click the Import button.
5. Browse to your desktop and select the certificate you just downloaded.
6. Select Trust this CA to identify web sites.
7. Click OK twice to complete the import.
You have now completed the certificate import for Firefox. You can delete the certificate file on your desktop.

Deploying the Optinet Certificate via Active Directory
Again, follow the previous steps to download the certificate and place it on the local drive of the Active Directory server. Once you have done that, follow the subsequent steps.
1. Log on to your Domain or Active Directory server.
2. Open a Windows Run prompt (Start -> Run).
3. In the Open field type "mmc" (Microsoft Management Console).
4. Click OK.
5. In the File menu, select Add/Remove Snap-in.
Figure 8.2 Console Prompt
6. Click the Add button.
7. Scroll down and select Group Policy Object Editor.
Figure 8.3 Add Standalone Snap-in
8. Click the Add button (this will launch the Group Policy Object Wizard).
9. Press the Browse button.
10. Select Default Domain Policy.
11. Click OK.
Figure 8.4 Group Policy Object
12. Click Finish on the Add Group Policy Wizard.
13. Close the Add Standalone Snap-in dialog box.
14. Click OK on the Add/Remove Snap-in dialog box (you should now be looking at the MMC screen with the Console Root folder above the new Default Domain Policy you have just added).
Figure 8.5 Console Root
15. Expand the Default Domain Policy.
16. Expand the Computer Configuration option.
17. Expand the Windows Settings option.
18. Expand the Security Settings option.
19. Expand Public Key Policies.
20. Select Trusted Root Certification Authorities.
21. In the Action menu, select Import (this will launch the Import Wizard).
Figure 8.6 Group Policy Object Editor
22. Click the Next button.
23. Browse to where you downloaded the Optinet certificate (unless you have changed the name, the certificate is entitled cacert.cer).
24. Click the Next button.
25. Make sure the Place All Certificates in the Following Store radio button is selected.
26. Make sure the certificate store is Trusted Root Certification Authorities.
27. Click the Next button (the Import Wizard will now display a summary of the import process).
28. Click the Finish button.
29. The Import Wizard will inform you if the import was successful.
You have now finished deploying the Optinet certificate either via a direct import or via Active Directory's GPO. Note that the GPO populates the Windows certificate store, which Internet Explorer uses; Firefox keeps its own certificate store, so Firefox users still need the import described in the Firefox template above. Now that you have completed these steps, you are ready to enable Full SSL Content Filtering. You can also enable Only Allow Trusted Certificate Authorities and Non-Expired Certificates.

Enabling Full SSL Content Filtering
Now that you have installed the Optinet certificate, you will need to contact Black Box Network Services Technical Support to enable Full SSL Filtering. Because Full SSL Filtering requires additional steps, this option is only available after a certified Black Box Network Services Technician reviews the device settings. This precaution has been taken to avoid unnecessary interruption with secure web sites. You can contact Black Box Network Services Technical Support at 724-746-5500. Once approved by a support technician, he or she will ask you which Internet Usage Rules will have Full SSL Content Filtering. Afterwards, you can review the settings under Manage -> Policies & Rules -> Internet Usage Rules -> Default Usage Rules (or another group's usage rules). Select the Traffic Flow Rule Set drop-down box and choose a TFRS that lists SSL Filter as a component. After a TFRS with SSL Filter has been selected, the HTTPS/SSL Filtering tab is accessible. Click on the tab, and confirm that the radio button for Enable Full SSL Content Filtering is selected.
If you like you can also select the check box next to Only Allow Trusted Certificate Authorities and Non-Expired Certificates. In addition to this, you can enter in the URLs for the Filter Exemption list. Again don’t forget to Save your changes and apply the IUR to the correct groups under Policy Manager. Please note that if you clear the SSL Certificate under Admin -> Utilities -> System Resets or alter the certificate under Admin -> Configuration -> SSL Certificate Settings, you will need to deploy the new certificate to users’ Web browsers. Confirming the Optinet Digital Certificate Now that you have deployed the Optinet certificate, and you have finished configuring Optinet for Full SSL Content Filtering, the last item to verify is that the Optinet digital certificate is working correctly. You can do this by browsing to a secure Web site (https) and viewing the digital certificate on the page. You can click on the padlock icon located at the end of the URL of the web site and select View certificates. Once selected, make sure that the digital certificate is issued by the Certificate Common Name from Optinet (Admin > Configuration -> SSL Certificate Settings). Reporting on HTTPS/SSL Web Sites After you have enabled HTTPS/SSL Filtering, you can report on HTTPS/SSL web sites. Click on Report -> Internet Usage -> Web Hits Overview -> Allowed. This will post all allowed Web hits within the past 24 hours. In the top right-hand corner of the report is a reporting option entitled Encryption Type. By default this option is set to No Filter, which will post all Web hits. Select that option and chose SSL. The report will then display all HTTPS/SSL Web site hits within the last 24 hours. You can then adjust the report to correlate and filter for specific user, times frames, etc. Wherever the option of Encryption Type is displayed, you can adjust reporting to display HTTPS/SSL Web sites. 
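The padlock check described under Confirming the Optinet Digital Certificate can also be scripted. The following Python example is added here and is not part of the Optinet guide or the product: it classifies the certificate a server presents as either re-signed by the Optinet CA (issuer common name equal to the Certificate Common Name configured under SSL Certificate Settings) or served directly, and it flags expiry, which is what the Only Allow Trusted Certificate Authorities and Non-Expired Certificates option is concerned with. The CA name "Optinet CA", the host names and the certificate fields are constructed placeholders laid out in the shape Python's ssl.SSLSocket.getpeercert() returns; fetch_peer_cert shows how the same check would be run against a live server from a filtered workstation (it assumes the downloaded cacert.cer is available as a file and is not exercised by the embedded sample).

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Placeholder: replace with the Certificate Common Name shown under
# Admin -> Configuration -> SSL Certificate Settings on your appliance.
OPTINET_CA_CN = "Optinet CA"

# Fixed evaluation times so the sample verdicts below are reproducible.
MID_2009 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2009 GMT")
MID_2011 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2011 GMT")


@dataclass
class CertCheck:
    subject_cn: Optional[str]
    issuer_cn: Optional[str]
    intercepted: bool   # issuer CN equals the Optinet CA name
    expired: bool       # notAfter lies before the evaluation time


def _name_attr(name, attr: str) -> Optional[str]:
    """Pull one attribute (e.g. 'commonName') out of the nested RDN tuples
    that ssl.SSLSocket.getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def check_cert(cert: dict, now: float, expected_ca_cn: str = OPTINET_CA_CN) -> CertCheck:
    """Classify a getpeercert()-style dict: re-signed by Optinet or not,
    and expired or not at time `now` (seconds since the epoch)."""
    issuer_cn = _name_attr(cert.get("issuer", ()), "commonName")
    not_after = cert.get("notAfter")
    expired = bool(not_after) and ssl.cert_time_to_seconds(not_after) < now
    return CertCheck(
        subject_cn=_name_attr(cert.get("subject", ()), "commonName"),
        issuer_cn=issuer_cn,
        intercepted=(issuer_cn == expected_ca_cn),
        expired=expired,
    )


def verdict(result: CertCheck) -> str:
    """One-line summary in the terms the guide uses."""
    state = "filtered by Optinet" if result.intercepted else "direct (not filtered)"
    if result.expired:
        state += ", certificate EXPIRED"
    return f"{result.subject_cn}: {state}; issuer CN = {result.issuer_cn}"


def trust_optinet_ca(ctx: ssl.SSLContext, cacert_path: str) -> None:
    """Add the downloaded cacert.cer (PEM or DER) to a context's trust store.
    Without this, Python rejects Optinet-signed chains and getpeercert()
    returns no fields."""
    with open(cacert_path, "rb") as fh:
        data = fh.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        ctx.load_verify_locations(cadata=data.decode("ascii"))
    else:
        ctx.load_verify_locations(cadata=data)


def fetch_peer_cert(host: str, cacert_path: str, port: int = 443) -> dict:
    """Connect to a live HTTPS server from a filtered workstation and return
    the certificate it presents (not exercised by the embedded sample)."""
    ctx = ssl.create_default_context()
    trust_optinet_ca(ctx, cacert_path)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape (not real data).
# First: a leaf the appliance re-signed with its own CA.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Org"),),
               (("commonName", OPTINET_CA_CN),)),
    "notBefore": "Mar 10 00:00:00 2009 GMT",
    "notAfter": "Mar 10 00:00:00 2010 GMT",
}
# Second: the same site reached without interception, e.g. because it is
# on the HTTPS/SSL Filter Exemption List.
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "notBefore": "Mar 10 00:00:00 2009 GMT",
    "notAfter": "Mar 10 00:00:00 2010 GMT",
}

if __name__ == "__main__":
    for sample in (SAMPLE_INTERCEPTED, SAMPLE_DIRECT):
        print(verdict(check_cert(sample, now=MID_2009)))
```

Run it from a workstation that is subject to the Internet Usage Rule in question: a site reported as direct (not filtered) while Full SSL Content Filtering is enabled is either on the Filter Exemption List or not covered by the rule applied to that group.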
Viewing Sensitive Content on HTTPS/SSL Web Sites

SSL operates by opening a tunnel session and passing information using a public and private key for transmission. Although Web sites that use SSL can be monitored and filtered using Optinet, items such as passwords, bank account numbers, and social security numbers are normally encrypted at an additional layer within the SSL tunnel. As such, Optinet normally cannot decipher these items. Typically Optinet will only capture the URL and Hypertext Markup Language (HTML) of the web site accessed and not the additional encrypted items. However, if you are concerned about sensitive content being captured by Optinet, you can list Web sites in the HTTPS/SSL Filter Exemption List. Web sites listed in the HTTPS/SSL Exemption List will not be filtered, monitored, or decrypted in any form. For more information, please review the section HTTPS/SSL Filter Exemption List.

This concludes the chapter for HTTPS/SSL Filtering. If you need further assistance with this or any other component of Optinet, please read the following section on getting help.

Customer Support and Feedback

Getting Help

For additional help, please consult Black Box Network Services Support at 724-746-5500. Additionally, you can contact your Authorized Black Box Network Services Reseller for support. For more information contact Black Box Network Services at 724-746-5500. Please have the following information ready:

• Total bandwidth
• Total number of network nodes
• Optinet model and serial number
• Optinet firmware version
• A network topology diagram
• Presence of VLANs, proxy servers, remote subnets
• What symptoms or issues you are experiencing

We welcome your feedback and comments on Optinet. Contact us and let us know. Please identify your Optinet model and tell us how we can reach you.

Appendix A: Web Filtering Categories

Optinet has several distinct layers to identify and filter web sites depending upon the settings you employ on the device.
Among the most distinct layers are URL checks against database entries, key-word searches, real-time analysis of web page context, digital certificate scans, and full payload decryption of HTTPS/SSL traffic. These distinct layers allow Optinet to quickly categorize well-known web sites while providing a more in-depth identification for new, indistinct, and constantly changing Web sites.

If you would like to confirm the categorization of a web site, you can use the /?webFilterCategory diagnostic tool. To use this tool, go to any computer that is being filtered by Optinet and open a web browser. Enter the URL of the web site whose categorization you want to confirm, and append the phrase /?webFilterCategory to it, e.g., http://www.google.com/?webFilterCategory. This will post the Web Filter Category Report and list the categorization of the web page and which component (URL database, key-word search, or content analysis) categorized the site. If you would like to re-categorize a web site, you can use the Custom Category Rules menu (Admin -> Configuration -> Custom Category Rules) or submit the URL to http://www.blackbox.com/category.

The following table lists the available categories, together with the filtering level typically applied to each. Each entry gives the category name, its typical filtering level in brackets, a brief description of the type of content contained by the category, and some web site examples.

Adult [Unacceptable]
  These are sites directed to adults, not necessarily pornographic sites. Adult clubs: strip clubs, swingers clubs, escort services, strippers; general information about sex, non-pornographic in nature; genital piercing; adult products, adult greeting cards; information about sex not in the context of health or disease.
  Examples: fhm.com, cybereroticanews.com

Alcohol and Tobacco [Non-business]
  Beer, wine, spirits: beer and wine making, cocktail recipes, liquor sellers, wineries, vineyards, breweries; mixed drinks, drinking establishments; tobacco; pipes and smoking products. Also Tobacco.
  Examples: budweiser.com, philipmorrisusa.com

Arts and Entertainment [Non-business]
  Galleries and exhibitions; artists and art; photography; literature and books, publishing; movies; performing arts and theater; music and radio; television; celebrities and fan sites; design; architecture; entertainment news, venues; humor. Also Entertainment.
  Examples: disney.com, mgm.com

Automatic Updating [Non-business]
  Web pages that monitor activities and automatically update page content on a regular basis, such as stock tickers or weather reports.
  Examples: ticker.nasdaq.com, pub.weatherbug.com

Business and Industry [Business]
  Sites involved in business-to-business transactions of all kinds. Advertising, marketing, commerce, corporations, business practices, workforce, human resources, transportation, payroll, security, venture capital, etc.; office supplies; industrial equipment (process equipment), machines and mechanical systems; heating equipment, cooling equipment; materials handling equipment; packaging equipment; manufacturing: solids handling, metal fabrication, construction and building; passenger transportation; commerce; industrial design; construction, building materials; shipping and freight: freight services, trucking, freight forwarders, truckload carriers, freight/transportation brokers, expedited services, load & freight matching, track & trace, NVOCC, railroad shipping, ocean shipping, road feeder services, moving & storage. Also Industry.
  Examples: dow.com, ussteel.com

Cars and Motorcycles [Non-business]
  Sites about personal transportation; information about cars and motorcycles; shopping for new and used cars and motorcycles; car clubs; boats, RVs, etc. (Note: auto and motorcycle racing is categorized as Sports and Recreation.) Also Motorcycles.
  Examples: autobytel.com, autos.msn.com

Cheating and Plagiarism [Non-business]
  Sites promoting cheating and selling written work (e.g., term papers) for plagiarism. Also Plagiarism.
  Examples: cheathouse.com, bestpapers.com

Computers and Internet [Business]
  Information about computers and software such as: hardware, software, software support sites; information for software engineers, programming and networking; web site design, and the web and Internet in general; computer science; computer graphics and clipart. Also Internet.
  Examples: dell.com, update.microsoft.com

Crime [Business]
  Sites related to crime, crime reporting, law enforcement, crime statistics, etc.
  Examples: crime.com, terrorism.com

Criminal Related [Non-business]
  Pages that promote crime such as stealing, fraud, phreaking and cracking; warez and pirated software; computer viruses; terrorism, bombs, and anarchy; sites depicting murder and suicide as well as explaining ways to commit them.
  Examples: illegalworld.com, anarchistcookbook.com

Cults [Non-business]
  Cults and cult behavior.
  Examples: kimmillerconcernedchristians.com, heavensgate.com

Dating [Unacceptable]
  Dating sites, online personals, matrimonial agencies, etc., for adults.
  Examples: eharmony.com, friendfinder.com

Dining and Drinking [Non-business]
  Eating and drinking establishments; restaurants, bars, taverns, brewpubs, restaurant guides and reviews.
  Examples: pizzahut.com, mortons.com

Early Childhood Dev. [Non-business]
  Sites directed toward and specifically approved for young children.
  Examples: nickjr.com, pbskids.org

Education [Business]
  Education-related sites and web pages such as schools, colleges, universities, teaching materials, teachers' resources; technical and vocational training; online training; education issues and policy; financial aid; school funding; standards and testing.
  Examples: usc.edu, nyu.edu

Filter Avoidance [Unacceptable]
  Web pages that promote and aid undetectable and anonymous surfing.
  Examples: proxify.com, proxyblind.org

Finance [Business]
  Sites and information that are primarily financial in nature such as: accounting practices and accountants; taxation; banking; insurance; investing: information relating to the stock market, stocks, bonds, mutual funds, brokers, stock analysis and commentary, stock screens, stock charts, IPOs, stock splits; the national economy; personal finance involving insurance of all types; credit cards; retirement and estate planning; loans; mortgages; taxes.
  Examples: nasdaq.com, wellsfargo.com

FYI [Business]
  City and state guides; maps, weather, time; reference sources; dictionaries; libraries; museums; ski conditions; personal information; mass transportation: consumer mass transit information (bus, commuter train, subway, airport), maps, schedules.
  Examples: maps.google.com, weather.com

Gambling [Non-business]
  Casinos and online gambling sites; bookmakers and odds; gambling advice; horse and dog racing in a gambling context; sports book; sports gambling.
  Examples: partypoker.com, bodog.com

Games [Non-business]
  Various card games, board games, word games, video games; computer games, Internet games (RPGs and D&D); combat games; sports games; downloadable games; game reviews; cheat sheets.
  Examples: games.yahoo.com, worldofwarcraft.com

Gay and Lesbian [Non-business]
  Gay, lesbian, bisexual, transgender: gay family, gay parenting, coming out, gay pride sites; gay civil rights, politics, sports, clubs and events, travel and accommodations, leisure activities; gay bars.
  Examples: gay.com, gayamerica.com

Government and Law [Business]
  Foreign relations; news and information relating to politics and elections such as: politics, political parties, election news and voting; sites and information relating to the field of law such as: attorneys, law firms, law publications, legal reference material, courts, dockets, legal associations; legislation and court decisions; civil rights issues; immigration; patents and copyrights; sites and information relating to law enforcement and correctional systems; sites relating to the military such as: the armed forces, military bases, military organizations, and military equipment; antiterrorism. Also Law.
  Examples: foreignaffairs.org, firstgov.gov

Hacking [Non-business]
  Sites discussing ways to hack into web sites, software, and computers.
  Examples: elitehackers.com, hackerstuff.com

Hate Speech [Unacceptable]
  Hate-related sites, involving racism, sexism, racist theology; hate music; Christian identity religions; World Church of the Creator; Neo-Nazi organizations: Aryan Nations, American Nazi parties, Neo-Nazis, Ku Klux Klan, National Alliance, White Aryan Resistance, white supremacists; National Socialist Movement; Holocaust denial.
  Examples: kkk.com, blacksandjews.com

Health and Nutrition [Non-business]
  Health care; disease and disabilities; medical care; hospitals; doctors; medicinal drugs; mental health; psychiatry; pharmacology; exercise and fitness; physical disabilities; vitamins and supplements; sex in a context of health (disease and health care); tobacco use, alcohol use, drug use, and gambling in a context of health (disease and health care); food in general; food and beverage; cooking and recipes; food and nutrition, health, dieting.
  Examples: efitness.com, emedicine.com

Illegal Drugs [Non-business]
  Information about recreational drugs, drug paraphernalia, marijuana seeds; advice on how to grow marijuana.
  Examples: weedcity.com, cannabis.com

Instant Messaging [Non-business]
  Web-based instant messaging.
  Examples: messenger.yahoo.com, meebo.com

Job Search [Non-business]
  Career advice; advice on resume writing and interviewing skills; job placement services; job databanks; employment and temp agencies; employer sites.
  Examples: dice.com, monster.com

Lingerie [Unacceptable]
  Intimate apparel, especially when modeled.
  Examples: victoriasecret.com, pamperedpassions.com

Lottery and Sweepstakes [Non-business]
  Sweepstakes, contests and lotteries.
  Examples: powerball.com, calottery.com

Miscellaneous [Non-business]
  Cannot be categorized, often because the web page is secured from outside visibility or there is either no text or too little text to assess it.

Nature [Non-business]
  Natural resources; ecology and conservation; forests; wilderness; plants; flowers; forest conservation; forest, wilderness, forestry practices; forest management (re-forestation, forest protection, conservation, harvesting, forest health, thinning, prescribed burning); agricultural practices: agriculture, gardening, horticulture, landscaping, planting, weed control, irrigation, pruning, harvesting; pollution issues: air quality, hazardous waste, pollution prevention, recycling, waste management, water quality, environmental clean-up industry; animals, pets, livestock, zoology; biology; botany.
  Examples: peta.org, nature.org

News [Non-business]
  News, headlines, newspapers; TV station wireless.
  Examples: nytimes.com, msnbc.com

Non-mainstream [Non-business]
  Non-mainstream approaches to life. Occult practices: esoteric magic, voodoo, witchcraft, casting spells; fortune telling practices: I Ching, numerology, psychic advice, Tarot; paranormal: out of body, astral travel, séances; astrology, horoscopes; UFOs and aliens; gay, lesbian and bisexual: gay family, gay parenting, coming out, gay pride sites, civil rights issues, politics, sports, clubs and events, travel and accommodations, leisure activities; gay bars.
  Examples: tarot.com, psychic.com

Non-sexual nudity [Unacceptable]
  Nudism/nudity; nudist camps; artistic nudes.
  Examples: barenakedgallery.com, fineartnude.com

Online Communities [Non-business]
  Personal web pages; affinity groups; special interest groups; professional organizations for social purposes; personal photo collections; web newsgroups.
  Examples: myspace.com, facebook.com

Online Trading [Non-business]
  Online brokerages; sites which afford the user the ability to trade stocks online.
  Examples: franklintrading.com, ameritrade.com

Peer File Transfer [Non-business]
  Peer-to-peer file request sites. This does not track the file transfers themselves.
  Examples: torrentz.com, piratebay.com

Porn [Non-business]
  Sexually explicit text or depictions. Includes the following: nude celebrities; anime and XXX cartoons; general XXX depictions; material of a sexually violent nature (bondage, domination, sadomasochism, torture, rape, spanking, snuff, fantasy death, necrophilia); other fetish material (foot/legs, infantilism, balloon sex, latex gloves, enema, pregnant women, pony-play, BBW, bestiality); XXX chat rooms; sex simulators; gay pornography; sites that offer strip poker; adult movies; lewd art; web-based pornographic e-mail.
  Examples: hustler.com, penthouse.com

Real Estate [Non-business]
  Information that would support the search for real estate. This includes: office and commercial space; real estate listings: rentals, apartments, homes; house building; roommates, etc.
  Examples: remax.com, century21.com

Science and Technology [Non-business]
  Sites involving science and technology: aerospace, electronics, engineering, mathematics, etc.; space exploration; meteorology; geography; environment; energy: oil, nuclear, wind, sun; communications: telephones, telecomm. Also Technology.
  Examples: space.com, ieee.org

Search Engines and Portals [Business]
  Web directories and search engines that often serve as home pages, such as Excite, MSN, Alta Vista, and Google.
  Examples: google.com, msn.com

Sex Education and Abortion [Unacceptable]
  Sexual health; information about, or descriptions of, abortion procedures such as: abortion pills, medical abortions, surgical abortions; abortion clinics and abortion providers.
  Examples: abortion.com, prolife.com

Shopping [Non-business]
  Auctions; bartering; online purchasing; coupons and free offers; yellow pages; classified ads; general office supplies; online catalogs; online malls.
  Examples: ebay.com, amazon.com

Social Science [Non-business]
  Sites related to: archaeology; anthropology; cultural studies; economics; history; linguistics; philosophy; political science; psychology; theology; women's studies.
  Examples: civilwar.com, ssrc.org

Society and Culture [Non-business]
  Family and relationships; religions, ethnicity and race, social organizations; genealogy; seniors, clothing and fashion; spas; hair salons; cosmetics (skin care for diseases or conditions may be categorized as Health and Nutrition); hobbies; do-it-yourself; toys for kids; model and remote control cars; toy soldiers.
  Examples: unitedway.org, goodhousekeeping.com

Spiritual Healing [Non-business]
  Spiritual healing; alternative approaches to health, both physical and mental.
  Examples: aetherius.org, enhancedhealing.com

Sports and Recreation [Non-business]
  All sports, professional and amateur; recreational activities; hunting; fishing; fantasy sports; gun and hunting clubs; public parks; amusement parks; water parks; theme parks; zoos and aquariums.
  Examples: espn.com, si.com

Streaming Media [Non-business]
  Sites that involve: net radio; net TV; web casts; streaming audio; streaming video.
  Examples: xmradio.com, sirius.com

Tasteless or Obscene [Unacceptable]
  Sites that offer tasteless, often gory photographs such as autopsy photos, photos of crime scenes, crime or accident victims; sites displaying excessive obscene material.
  Examples: facesofdeath.com, torture-museum.com

Tattoos [Non-business]
  Pictures and text relating to body modification; tattoos and piercing venues; articles and information about tattoos and piercing; body painting.
  Examples: tatoo.com, tattoofinder.com

Travel [Non-business]
  Business and personal travel: travel information; travel resources; travel agents; vacation packages; cruises; lodging and accommodations; travel transportation: flight booking, airfares, renting cars; vacation homes.
  Examples: travelocity.com, hotels.com

Uncategorized [Non-business]
  Cannot be categorized, often because the web page is secured from outside visibility or there is either no text or too little text to assess it.

Vice [Non-business]
  Sites involving illegal drugs, alcohol, tobacco, and gambling.
  Examples: viceland.com, vbs.tv

Violence [Unacceptable]
  Sites related to violence and violent behavior.
  Examples: psfights.com, realfights.com

Weapons [Business]
  Sites or information relating to the purchase or use of conventional weapons such as: gun sellers; gun auctions; gun classified ads; gun accessories; gun shows; gun training; general information about guns; other weapons (e.g., knives, brass knuckles) may be included.
  Examples: nrahq.org, remington.com

Web Hosting [Business]
  Sites that provide web site hosting services.
  Examples: webmasters.com, rackspace.com

Web Messaging [Non-business]
  General use of the web for messages: e-cards, online meetings, message boards, etc.
  Examples: bluemountain.com, ecards.com

Web-based Chat [Non-business]
  Web-based chat sites.
  Examples: chatango.com, boldchat.com

Web-based Email [Non-business]
  Email portals and email messages ported through the web.
  Examples: hotmail.com, webmail.aol.com

Appendix B: MIME Types

The following lists contain the MIME types you can block on your network.
application/*:
application/EDI-Consent, application/EDI-X12, application/EDIFACT, application/activemessage, application/andrew-inset, application/applefile,
application/atomicmail, application/batch-SMTP, application/beep+xml, application/cals-1840, application/cnrp+xml, application/commonground,
application/cpl+xml, application/cybercash, application/dca-rft, application/dec-dx, application/dicom, application/dns,
application/dvcs, application/epp+xml, application/eshop, application/fits, application/font-tdpfr, application/http,
application/hyperstudio, application/iges, application/im-iscomposing+xml, application/index, application/index.cmd, application/index.obj,
application/index.response, application/index.vnd, application/iotp, application/ipp, application/isup, application/mac-binhex40,
application/macwriteii, application/marc, application/mathematica, application/mikey, application/mpeg4-generic, application/msword,
application/news-message-id, application/news-transmission, application/ocsp-request, application/ocsp-response, application/octet-stream, application/oda,
application/ogg, application/parityfec, application/pdf, application/pgp-encrypted, application/pgp-keys, application/pgp-signature,
application/pidf+xml, application/pkcs10, application/pkcs7-mime, application/pkcs7-signature, application/pkix-cert, application/pkix-crl,
application/pkix-pkipath, application/pkixcmp, application/postscript, application/prs.alvestrand.titrax-sheet, application/prs.cww, application/prs.nprend,
application/prs.plucker, application/qsig, application/rdf+xml, application/reginfo+xml, application/remote-printing, application/riscos,
application/rtf, application/samlassertion+xml, application/samlmetadata+xml, application/sbml+xml, application/sdp, application/set-payment,
application/set-payment-initiation, application/set-registration, application/set-registration-initiation, application/sgml, application/sgml-open-catalog, application/sieve,
application/simple-message-summary, application/slate, application/soap+xml, application/spirits-event+xml, application/timestamp-query, application/timestamp-reply,
application/tve-trigger, application/vemmi, application/watcherinfo+xml, application/whoispp-query, application/whoispp-response, application/wita,
application/wordperfect5.1, application/x400-bp, application/xhtml+xml, application/xml, application/xml-dtd, application/xml-external-parsed-entity,
application/xmpp+xml, application/xop+xml, application/zip

audio/*:
audio/32kadpcm, audio/3gpp, audio/AMR, audio/AMR-WB, audio/CN, audio/DAT12, audio/DVI4, audio/EVRC, audio/EVRC-QCP, audio/EVRC0,
audio/G.722.1, audio/G722, audio/G723, audio/G726-16, audio/G726-24, audio/G726-32, audio/G726-40, audio/G728, audio/G729, audio/G729D,
audio/G729E, audio/GSM, audio/GSM-EFR, audio/L16, audio/L20, audio/L24, audio/L8, audio/LPC, audio/MP4A-LATM, audio/MPA,
audio/PCMA, audio/PCMU, audio/QCELP, audio/RED, audio/SMV, audio/SMV-QCP, audio/SMV0, audio/VDVI, audio/basic, audio/clearmode,
audio/dsr-es201108, audio/dsr-es202050, audio/dsr-es202211, audio/dsr-es202212, audio/iLBC, audio/mpa-robust, audio/mpeg, audio/mpeg4-generic, audio/parityfec,
audio/prs.sid, audio/telephone-event, audio/tone

image/*:
image/cgm, image/fits, image/g3fax, image/gif, image/ief, image/jp2, image/jpeg, image/jpm, image/jpx, image/naplps,
image/png, image/prs.btif, image/prs.pti, image/t38, image/tiff, image/tiff-fx

message/*:
message/CPIM, message/delivery-status, message/disposition-notification, message/external-body, message/http, message/news,
message/partial, message/rfc822, message/s-http, message/sip, message/sipfrag, message/tracking-status

model/*:
model/iges, model/mesh, model/vrml

multipart/*:
multipart/alternative, multipart/appledouble, multipart/byteranges, multipart/digest, multipart/encrypted, multipart/form-data,
multipart/header-set, multipart/mixed, multipart/parallel, multipart/related, multipart/report, multipart/signed, multipart/voice-message

text/*:
text/calendar, text/css, text/directory, text/dns, text/enriched, text/html, text/parityfec, text/plain, text/prs.fallenstein.rst,
text/prs.lines.tag, text/rfc822-headers, text/richtext, text/rtf, text/sgml, text/t140, text/tab-separated-values, text/uri-list,
text/xml, text/xml-external-parsed-entity

video/*:
video/3gpp, video/BMPEG, video/BT656, video/CelB, video/DV, video/H261, video/H263, video/H263-1998, video/H263-2000, video/H264,
video/JPEG, video/MJ2, video/MP1S, video/MP2P, video/MP2T, video/MP4V-ES, video/MPV, video/SMPTE292M, video/mpeg, video/mpeg4-generic,
video/nv, video/parityfec, video/pointer, video/quicktime

Appendix C: File Types

The following lists contain the file types you can block on your network. Each line gives the file type followed by the file extensions it covers.

Active Server Page: .asmx, .asp, .aspx
ActiveX Control: .ocx
Address Book: .pab
Audio: .aiff, .m4a, .mid, .midi, .mp3, .mpu, .ra, .ram, .wav, .wma, .aac
CGI Script: .cgi
Cascading Style Sheet: .css
Comma Separated Value: .csv
Compressed: .arc, .gz, .gzip, .hqx, .rar, .sea, .sit, .z, .zip
DOS Batch: .bat
Database: .db, .mdb
Disk Image: .dmg, .img
Document: .pdf, .rtf, .wpd, .wpt
Dynamic Link Library: .dll
eBook: .lit
Executable: .exe
File Shortcut: .lnk
Filemaker Pro: .fpt
Flash: .swf
FoxPro: .dbx
HTML: .html
Icon: .ico
Image: .bmp, .gif, .jpe, .jpeg, .jpg, .pct, .png, .tga, .tiff
Initialization: .ini
Internet Certificate: .cer
Java Archive: .jar
JavaScript: .js
Log: .log
Lotus: .wk1
Lotus Database: .ns2, .ns3, .ns4
MIME: .mim, .mime
Macro: .wpm
Metafile: .wmf
Microsoft Project: .mpp
Microsoft Publisher: .pub
Outlook: .pst
PHP: .php, .php3, .php4
PageMaker: .p65
Perl Script: .pl
Photoshop: .psd
Postscript: .ps
PowerPoint: .pps, .ppt
Quark Express: .qxd
SQL: .sql
Spreadsheet: .xls, .xlt, .xlw
Swap: .sqp
Tar: .tar
Text: .txt
Uuencoded: .uu, .uue
Video: .avi, .moov, .mov, .mp4, .mpeg, .mpg, .qt, .rm, .wmv
Visio: .vsd
Windows Help: .hlp
Word Document: .doc
Word Template: .dot
XML File: .xml

Appendix D: CIDR Cheat Sheet

Classless Inter-Domain Routing (CIDR) is the latest refinement on how to present IP Addresses and Subnet masks. CIDR replaces the previous generation of IP Address syntax, Classful networks. Rather than allocating address blocks on 8-bit (octet) boundaries, it uses a variable-length subnet mask to allow finer allocation. With Optinet all IP Addresses are presented in CIDR notation, i.e., the network address of 192.168.255.0 with a subnet mask of 255.255.255.0 is presented as 192.168.255.0/24. Below is a CIDR Cheat Sheet that will help you enter IP Addresses in CIDR notation.

CIDR Cheat Sheet

CIDR   Class                       Hosts        Mask
/32    1/256 C                     1            255.255.255.255
/31    1/128 C                     2            255.255.255.254
/30    1/64 C                      4            255.255.255.252
/29    1/32 C                      8            255.255.255.248
/28    1/16 C                      16           255.255.255.240
/27    1/8 C                       32           255.255.255.224
/26    1/4 C                       64           255.255.255.192
/25    1/2 C                       128          255.255.255.128
/24    1 C                         256          255.255.255.0
/23    2 C                         512          255.255.254.0
/22    4 C                         1024         255.255.252.0
/21    8 C                         2048         255.255.248.0
/20    16 C                        4096         255.255.240.0
/19    32 C                        8192         255.255.224.0
/18    64 C                        16384        255.255.192.0
/17    128 C                       32768        255.255.128.0
/16    256 C 1 B                   65536        255.255.0.0
/15    512 C 2 B                   131072       255.254.0.0
/14    1024 C 4 B                  262144       255.252.0.0
/13    2048 C 8 B                  524288       255.248.0.0
/12    4096 C 16 B                 1048576      255.240.0.0
/11    8192 C 32 B                 2097152      255.224.0.0
/10    16384 C 64 B                4194304      255.192.0.0
/9     32768 C 128 B               8388608      255.128.0.0
/8     65536 C 256 B 1 A           16777216     255.0.0.0
/7     131072 C 512 B 2 A          33554432     254.0.0.0
/6     262144 C 1024 B 4 A         67108864     252.0.0.0
/5     524288 C 2048 B 8 A         134217728    248.0.0.0
/4     1048576 C 4096 B 16 A       268435456    240.0.0.0
/3     2097152 C 8192 B 32 A       536870912    224.0.0.0
/2     4194304 C 16384 B 64 A      1073741824   192.0.0.0
/1     8388608 C 32768 B 128 A     2147483648   128.0.0.0
/0     16777216 C 65536 B 256 A    4294967296   0.0.0.0
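As an added example that is not part of the guide, the following Python code shows how the two controls in Appendices B and C relate when applied to a response: a Content-Type header is matched against a MIME type list only after its parameters are stripped and it is lower-cased, and a URL's extension is taken from the path alone, ignoring query string and fragment. The blocked sets and the sample responses are constructed for illustration; the entries you actually block are whatever you select on the appliance, and how Optinet itself performs the match is not described on the page.

```python
import posixpath
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample policy: a handful of entries taken from the MIME type
# (Appendix B) and file type (Appendix C) lists. Which entries you actually
# block is a policy decision made on the appliance; this set is an assumption.
BLOCKED_MIME_TYPES = {
    "application/octet-stream",
    "application/zip",
    "audio/mpeg",
    "video/quicktime",
    "multipart/encrypted",
}
BLOCKED_EXTENSIONS = {".exe", ".dll", ".bat", ".zip", ".rar", ".mp3", ".mov"}


def normalize_mime(content_type: str) -> str:
    """Reduce a Content-Type header value to its bare type/subtype.
    'Text/HTML; charset=UTF-8' -> 'text/html'. Type and subtype are
    case-insensitive, and parameters never take part in the match."""
    return content_type.split(";", 1)[0].strip().lower()


def url_extension(url: str) -> str:
    """Extension of the URL's path component only, lower-cased.
    '/files/Setup.EXE?download=1#top' -> '.exe'; a path without a dot
    (for example a download handler) yields ''."""
    path = urlsplit(url).path
    return posixpath.splitext(path)[1].lower()


def evaluate(url: str, content_type: str,
             blocked_mime=BLOCKED_MIME_TYPES,
             blocked_ext=BLOCKED_EXTENSIONS) -> Tuple[bool, List[str]]:
    """Apply both controls to one response and return (blocked, reasons).
    The two lists are independent: a download served with a misleading
    Content-Type can still be caught by its extension, and a URL with no
    extension at all can still be caught by MIME type."""
    reasons = []
    mime = normalize_mime(content_type)
    if mime in blocked_mime:
        reasons.append(f"MIME type {mime}")
    ext = url_extension(url)
    if ext and ext in blocked_ext:
        reasons.append(f"file extension {ext}")
    return (bool(reasons), reasons)


# Constructed sample traffic: (url, Content-Type header as received).
SAMPLE_RESPONSES = [
    ("http://example.com/files/Setup.EXE?download=1", "application/octet-stream"),
    ("http://example.com/index.html", "Text/HTML; charset=UTF-8"),
    ("http://example.com/download?id=7", "application/zip"),
    ("http://example.com/podcast/episode.MP3", "text/plain"),
]


def evaluate_all(responses=SAMPLE_RESPONSES) -> Dict[str, List[str]]:
    """Map each URL to the reasons it was blocked (empty list = allowed)."""
    return {url: evaluate(url, ct)[1] for url, ct in responses}


if __name__ == "__main__":
    for url, reasons in evaluate_all().items():
        print(("BLOCK " if reasons else "ALLOW ") + url,
              "; ".join(reasons) if reasons else "")
```

The fourth sample response is the case worth noticing: an .mp3 delivered with a text/plain header passes the MIME check and is caught only by the extension list, which is why the guide offers both lists rather than one.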
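The cheat sheet above can be regenerated, and a network address plus mask converted to the notation Optinet expects, with the following Python example (added here; it is not from the guide or the product). It uses the standard ipaddress module. The 192.168.255.0/255.255.255.0 pair is the appendix's own illustration; the other inputs are constructed, and rejecting masks that are not contiguous or addresses with host bits set is a design choice of the example, not documented appliance behaviour.

```python
import ipaddress
from typing import List, Tuple


def to_cidr(address: str, mask: str) -> str:
    """Convert a network address plus dotted subnet mask into the CIDR form
    Optinet expects: ('192.168.255.0', '255.255.255.0') -> '192.168.255.0/24'.
    strict=True makes ipaddress raise ValueError when the mask is not
    contiguous or when the address has host bits set, so a typo cannot
    silently turn into a wider or shifted block."""
    return str(ipaddress.ip_network(f"{address}/{mask}", strict=True))


def is_valid_cidr_input(address: str, mask: str) -> bool:
    """True if to_cidr() would accept the pair, False instead of raising."""
    try:
        to_cidr(address, mask)
        return True
    except ValueError:
        return False


def class_equivalent(prefix: int) -> str:
    """The 'Class' column of the sheet: the block expressed as a multiple
    (or fraction) of classful C, B and A networks, e.g. /16 -> '256 C 1 B'."""
    parts = [f"1/{2 ** (prefix - 24)} C" if prefix > 24 else f"{2 ** (24 - prefix)} C"]
    if prefix <= 16:
        parts.append(f"{2 ** (16 - prefix)} B")
    if prefix <= 8:
        parts.append(f"{2 ** (8 - prefix)} A")
    return " ".join(parts)


def cheat_row(prefix: int) -> Tuple[str, int, str]:
    """(class equivalent, address count, dotted mask) for /prefix. The sheet
    counts every address in the block, not usable hosts, so /24 -> 256."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    return class_equivalent(prefix), net.num_addresses, str(net.netmask)


def cheat_sheet() -> List[Tuple[str, str, int, str]]:
    """Regenerate the whole table from /32 down to /0."""
    return [(f"/{p}",) + cheat_row(p) for p in range(32, -1, -1)]


def covers(cidr: str, address: str) -> bool:
    """Does a rule written in CIDR notation include a given host address?"""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    print(to_cidr("192.168.255.0", "255.255.255.0"))
    for row in cheat_sheet():
        print("{:<5} {:<28} {:>11}  {}".format(*row))
```

covers() is the check to run before saving a rule: it confirms that the hosts you intend to cover actually fall inside the block you typed.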
PLEASE READ THE FOLLOWING BEFORE USING THE ACCOMPANYING PRODUCT. YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING THE ACCOMPANYING SOFTWARE AND HARDWARE (“APPLIANCE”). THE USE OF THE PRODUCT IS LICENSED FOR USE ONLY AS SET FORTH BELOW. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT USE THE PRODUCT. IF YOU USE ANY PART OF THE SOFTWARE AND HARDWARE, SUCH USE WILL INDICATE THAT YOU ACCEPT. License Grant Subject to the terms and conditions of this License, you are granted a nonexclusive right and license to use the Software on the Appliance. In addition, (1) you may not reverse engineer, decompile, disassemble or modify the Software or Appliance, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation; and (2) you may not transfer rights under this License unless such transfer is part of a permanent sale or transfer of the Product, and you transfer at the same time the Appliance and Software to the same party or destroy such materials not transferred, and the recipient agrees to this License. No license is granted in any of the Software’s proprietary source code. You may make a reasonable number of copies of the electronic documentation accompanying the Software for each Software license you acquire, provided that, you must reproduce and include all copyright notices and any other proprietary rights notices appearing on the electronic documentation. Black Box Network Services and their suppliers reserve all rights not expressly granted herein. Intellectual Property Rights The Software and Appliance is protected by copyright laws, international copyright treaties, and other intellectual property laws and treaties. This license does not grant you any rights to patents, copyright, trade secrets, trademarks or any other rights with respect to the Software and Appliance. 
Black Box Network Services and its suppliers retain all ownership of, and intellectual property rights in (including copyright), the Software and Appliance. However, certain components of the Software are components licensed under the GNU General Public License (version 2). You may obtain a copy of the GNU General Public License at http:/www.fsf.org/copyleft/gpl.html. Black Box will provide source code for any of the components of the Software licensed under the GNU General Public License upon request. Additionally, this product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

Export Restrictions

You agree that you will not export or re-export the Appliance, Software, any part thereof, or any process or service that is the direct product of the Appliance or Software in violation of any applicable laws or regulations of the United States or the country in which you obtained them.

U.S. Government Restricted Rights

The Software and related documentation are provided with Restricted Rights. Use, duplication, or disclosure by the Government is subject to restrictions set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of the Commercial Computer Software–Restricted Rights at 48 C.F.R. 52.227-19, as applicable, or any successor regulations.

Term and Termination

This License is effective until terminated. The License terminates immediately if you fail to comply with any term or condition. In such an event, you must destroy all copies of the Software. You may also terminate this License at any time by destroying the Product.

Governing Law and Attorney’s Fees

This License is governed by the laws of the State of Utah, USA, excluding its conflict of law rules.
You agree that the United Nations Convention on Contracts for the International Sale of Goods is hereby excluded in its entirety and does not apply to this License. In any action or suit to enforce any right or remedy under this License or to interpret any provision of this License, the prevailing party will be entitled to recover its costs, including reasonable attorneys’ fees.

Entire Agreement

This License constitutes the entire agreement between you and Black Box Network Services and its suppliers with respect to the Software, and supersedes all other agreements or representations, whether written or oral. The terms of this License can only be modified by express written consent of both parties. If any part of this License is held to be unenforceable as written, it will be enforced to the maximum extent allowed by applicable law, and will not affect the enforceability of any other part.

BLACK BOX NETWORK SERVICES DISCLAIMS ANY AND ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. OTHER THAN AS STATED HEREIN, THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU. ALSO, THERE IS NO WARRANTY AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE SOFTWARE OR AGAINST INFRINGEMENT. IF YOU HAVE RECEIVED ANY WARRANTIES REGARDING THE DEVICE OR THE SOFTWARE, THOSE WARRANTIES DO NOT ORIGINATE FROM, AND ARE NOT BINDING ON, BLACK BOX NETWORK SERVICES.

NO LIABILITY FOR CERTAIN DAMAGES

EXCEPT AS PROHIBITED BY LAW, BLACK BOX NETWORK SERVICES SHALL HAVE NO LIABILITY FOR COSTS, LOSS, DAMAGES OR LOST OPPORTUNITY OF ANY TYPE WHATSOEVER, INCLUDING BUT NOT LIMITED TO, LOST OR ANTICIPATED PROFITS, LOSS OF USE, LOSS OF DATA, OR ANY INCIDENTAL, EXEMPLARY, SPECIAL OR CONSEQUENTIAL DAMAGES, WHETHER UNDER CONTRACT, TORT, WARRANTY OR OTHERWISE ARISING FROM OR IN CONNECTION WITH THIS LICENSE OR THE USE OR PERFORMANCE OF THE SOFTWARE.
IN NO EVENT SHALL BLACK BOX NETWORK SERVICES BE LIABLE FOR ANY AMOUNT IN EXCESS OF THE PURCHASE PRICE AND/OR ANY LICENSE FEES PAID TO BLACK BOX NETWORK SERVICES UNDER THIS LICENSE. SOME STATES AND COUNTRIES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY TO YOU.

Hardware Warranty

Black Box Network Services Corp. warrants your Black Box Network Services product to be in good working order and to be free from defects in workmanship and material (except in those cases where materials are supplied by the Purchaser) under normal and proper use and service for the period of one (1) year from the date of purchase from an Authorized Black Box Network Services Reseller. In the event that this product fails to meet this warranty within the applicable warranty period, and provided that Black Box Network Services confirms the specified defects, Purchaser’s sole remedy is to have Black Box Network Services, at Black Box Network Services’ sole discretion, repair or replace such product at the place of manufacture, at no additional charge other than the cost of freight of the defective product to and from the Purchaser. Repair costs and replacement products will be provided on an exchange basis and will be either new or reconditioned. Black Box Network Services will retain, as its property, all replaced parts and products. Notwithstanding the foregoing, this hardware warranty does not include service to replace or repair damage to the product resulting from accident, disaster, abuse, misuse, electrical stress, negligence, any non-Black Box Network Services modification of the product except as provided or explicitly recommended by Black Box Network Services, or other cause not arising out of defects in material or workmanship.
This hardware warranty also does not include service to replace or repair damage to the product if the serial number or seal or any part thereof has been altered, defaced, or removed. If Black Box Network Services does not find the product to be defective, the Purchaser will be invoiced for said inspection and testing at Black Box Network Services’ then current rates, regardless of whether the product is under warranty.

Black Box Tech Support: FREE! Live. 24/7.

Tech support the way it should be. Great tech support is just 20 seconds away at 724-746-5500 or blackbox.com.

About Black Box

Black Box Network Services is your source for more than 118,000 networking and infrastructure products. You’ll find everything from cabinets and racks and power and surge protection products to media converters and Ethernet switches, all supported by free, live 24/7 Tech support available in 20 seconds or less.

© Copyright 2009. All rights reserved.