March 2009
FE408005AA
FE408020AA
FE408020XA
FE408045XA
FE408100XA
FE408200XA
Optinet™ User’s Guide
Optinet—the bandwidth shaping, content filtering appliance.
BLACK BOX®
Customer Support Information
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500)
FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.blackbox.com • E-mail: [email protected]
We‘re here to help! If you have any questions about your application
or our products, contact Black Box Tech Support at 724-746-5500
or go to blackbox.com and click on “Talk to Black Box.”
You’ll be live with one of our technical experts in less than 20 seconds.
TRADEMARKS USED IN THIS MANUAL
Black Box and the Double Diamond logo are registered trademarks, and Optinet is a trademark, of BB
Technologies, Inc.
Any other trademarks mentioned in this manual are acknowledged to be the property of the trademark owners.
724-746-5500 | blackbox.com
Table of Contents
Table of Contents .... ii
Chapter 1: Introducing Optinet .... 1
Chapter 2: Installing Optinet .... 3
  Gathering Initial Information .... 4
  Connecting to Optinet .... 5
  Running the Setup Wizard .... 7
  Cutting-Over .... 8
  Accessing Optinet .... 9
    Manual Configuration .... 10
    Management/Auxiliary Interface .... 10
    Text Menu Interface .... 11
    Proxy Mode .... 14
  Configuring Port Settings .... 16
  Configuring Cabling .... 17
  Testing Fail to Wire or No Failover .... 17
    Fail to Wire .... 17
    Bypass Mode .... 18
    No Failover .... 18
Chapter 3: Navigating Optinet .... 20
  General Navigation .... 20
  Tasks Pane .... 22
  Help Pane .... 23
Chapter 4: Generating Reports .... 25
  Home Page .... 25
    The Message Center .... 25
    System Notifications .... 26
    Getting Started .... 26
    Hardware Settings .... 26
    System .... 26
  General Reporting Options .... 26
    Selected Date .... 27
    Search .... 27
    Correlated by .... 27
    Result Type .... 27
    Group .... 27
    Network Node .... 28
    Directory User .... 28
    Encryption Type .... 28
    Application Set .... 28
    Right-Click Options .... 28
    Drop-Down Arrows .... 29
    Bar-Pie Graph Drop-Down .... 29
    Snapshot-Real Time Drop-Down .... 29
    Report Recommendations .... 29
  Users tab .... 30
    Dashboard Reports .... 31
  Applications tab .... 31
  Threats tab .... 33
  Internet Usage tab .... 34
  System Reports tab .... 35
  Dashboards tab .... 35
Chapter 5: Managing Optinet .... 38
  General Manage Options .... 38
  Policies & Rules tab .... 39
    Groups .... 39
    Time-of-Day Rules .... 42
    Traffic Flow Rule Sets .... 43
    Content Filtering .... 44
    Advanced Filtering .... 46
    Internet Usage Rules .... 48
    Shaping Rules .... 51
    Policy Manager .... 54
  Directory Users & Nodes .... 54
    Network Nodes .... 55
    Directory Users .... 58
    Directory Agent .... 58
  Broadcasts tab .... 59
  System Access tab .... 60
  Applications tab .... 60
    Traffic Flow Rule Sets .... 60
    Application Sets .... 61
    Applications .... 63
Chapter 6: Administrating Optinet .... 67
  Setup Wizard .... 67
  Configuration tab .... 68
    Setup .... 68
    Advanced Setup .... 68
    Ethernet Settings .... 70
    Company Settings .... 70
    Registration Settings .... 70
    Miscellaneous (Misc.) Settings .... 70
    Update Settings .... 72
    Custom Category Rules .... 72
    Custom Category Options .... 73
    Remote Subnets .... 74
    User Preferences .... 75
    Static Routes .... 76
    SSL Certificate Settings .... 78
    License Settings .... 78
    Special Domains .... 78
    LDAP Settings .... 79
    Backup .... 79
    Proxy Settings .... 80
  Diagnostic Tools tab .... 80
    Device Status .... 81
    Directory Agent Diagnostics .... 81
    Directory Agent Users .... 81
    Display ARP Table .... 81
    Ethernet Status .... 81
    Group IP List .... 81
    IP Address Map .... 81
    No LDAP Network Nodes .... 82
    PING .... 82
    Test DNS Settings .... 82
    Traceroute .... 82
    IP Traffic Monitor .... 82
  Downloads tab .... 83
  Logs tab .... 83
    Activity Log .... 83
    Kernel Log .... 84
  Redirection Pages .... 84
    Blocked URL .... 84
    Directory Agent Login Page .... 85
  Utilities .... 85
    System Resets .... 86
    Support Link .... 88
    Spyware Removal Tool .... 89
Chapter 7: Integrating Directory Users with Optinet .... 90
  Directory Overview .... 90
  Directory Options .... 92
    Directory Option 1: Directory Agent with Directory Client (cymdir.exe) .... 92
    Directory Option 2: Directory Agent with IP Lookup .... 93
    Directory Option 3: Directory Agent with NTLM .... 93
    Directory Option 4: Directory Agent with Login Page .... 94
  Directory Configurations .... 95
    Install Directory Agents .... 95
    Create Directory Agents .... 97
    Create Optinet Groups .... 97
    Create Directory Agent Group .... 98
    Deploy Directory Client .... 101
    Create Directory Internet Usage Rules .... 109
  Directory Troubleshooting .... 111
    Using Diagnostic Tools .... 111
    Troubleshooting GPO Issues .... 113
    Troubleshooting Directory Client .... 114
Chapter 8: Implementing HTTPS/SSL Filtering with Optinet .... 117
  Certificate Authorities .... 118
  SSL Anonymous Proxies .... 118
    SSL CGI Proxy .... 119
    SSL Full Proxy .... 119
    SOCKS4/5 Proxy .... 119
    TorPark Network .... 119
  HTTPS/SSL Filtering .... 119
    Disable SSL Inspection and Filtering .... 119
    Enable SSL Certificate-Based Content Filtering .... 119
    Enable Denied Access Page for SSL Certificate-Based Content Filtering .... 120
    Enable Full SSL Content Filtering .... 120
    Only Allow Trusted Certificate Authorities and Non-Expired Certificates .... 120
    HTTPS/SSL Filter Exemption List .... 120
    Content Filtering Rules .... 120
  HTTPS/SSL Blocking .... 121
  HTTPS/SSL Filtering Requirements .... 121
  Enabling SSL Certificate-Based Filtering .... 122
    Web Filter + Deny IM + Anonymous Proxy Guard + SSL Filter .... 122
    Web Filter + Anonymous Proxy Guard + SSL Filter .... 123
    Web Filter + SSL Filter .... 123
  The Optinet Digital Certificate .... 123
  Installing The Optinet Digital Certificate .... 124
    Deploying The Optinet Certificate via Web Browsers .... 124
    Deploying The Optinet Certificate via Active Directory .... 127
  Enabling Full SSL Content Filtering .... 130
  Confirming The Optinet Digital Certificate .... 131
  Viewing Sensitive Content on HTTPS/SSL Web Sites .... 131
Customer Support and Feedback .... 133
  Getting Help .... 133
Appendix A: Web Filtering Categories .... 134
Appendix B: MIME Types .... 141
Appendix C: File Types .... 144
Appendix D: CIDR Cheat Sheet .... 146
Appendix E: End User License Agreement (EULA) & Warranty .... 148
Federal Communications Commission and Industry Canada Radio Frequency Interference Statements

This equipment generates, uses, and can radiate radio-frequency energy, and if not installed and used properly, that is, in strict accordance with the manufacturer’s instructions, may cause interference to radio communication. It has been tested and found to comply with the limits for a Class A computing device in accordance with the specifications in Subpart B of Part 15 of FCC rules, which are designed to provide reasonable protection against such interference when the equipment is operated in a commercial environment. Operation of this equipment in a residential area is likely to cause interference, in which case the user at his own expense will be required to take whatever measures may be necessary to correct the interference.

Changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment.

This digital apparatus does not exceed the Class A limits for radio noise emission from digital apparatus set out in the Radio Interference Regulation of Industry Canada.

This digital apparatus does not emit radio noise exceeding the Class A limits applicable to digital apparatus prescribed in the Radio Interference Regulations published by Industry Canada.
NOM Statement
Safety Instructions
(Normas Oficiales Mexicanas Electrical Safety Statement)
1. All safety and operating instructions should be read before the electrical appliance is operated.
2. The safety and operating instructions should be kept for future reference.
3. All warnings on the electrical appliance and in its operating instructions must be observed.
4. All operating and usage instructions must be followed.
5. The electrical appliance should not be used near water, for example near a bathtub, washbasin, wet basement, swimming pool, etc.
6. The electrical appliance should be used only with carts or stands recommended by the manufacturer.
7. The electrical appliance should be mounted to a wall or ceiling only as recommended by the manufacturer.
8. Servicing: the user should not attempt to service the electrical equipment beyond what is described in the operating instructions. All other servicing should be referred to qualified service personnel.
9. The electrical appliance should be positioned so that its placement does not interfere with its use. Placing the appliance on a bed, sofa, rug or similar surface may block ventilation; it should not be placed in bookcases or cabinets that impede airflow through the ventilation openings.
10. The electrical equipment should be positioned away from heat sources such as radiators, heat registers, stoves or other appliances (including amplifiers) that produce heat.
11. The electrical appliance should be connected only to a power source of the type described in the operating instructions or as marked on the appliance.
12. Care should be taken so that the grounding and polarization of the equipment are not defeated.
13. Power-supply cords should be routed so that they are not walked on or pinched by items placed on or against them, paying particular attention to plugs and receptacles where they exit the appliance.
14. The electrical equipment should be cleaned only as recommended by the manufacturer.
15. If present, an external antenna should be located away from power lines.
16. The power cord should be unplugged when the equipment is not used for a long period of time.
17. Care should be taken so that liquids are not spilled onto the cover or ventilation openings.
18. Servicing by qualified personnel should be provided when:
A: The power cord or plug has been damaged; or
B: Objects have fallen or liquid has been spilled into the appliance; or
C: The appliance has been exposed to rain; or
D: The appliance does not appear to operate normally or exhibits a marked change in performance; or
E: The appliance has been dropped or its cover has been damaged.
Chapter 1: Introducing Optinet
Welcome to Optinet. Optinet is a smart gateway appliance from Black Box Network
Services that offers network administrators an in-depth view of network traffic and
resources. With Optinet, you can monitor and manage traffic generated by specific
applications within the network as well as traffic generated by specific users or computers.
Not only can you manage traffic from users and devices, you can also control which web
sites or categories can be visited. In addition, Optinet offers protection against
spyware and viral web applications so that your network runs optimally.
Optinet helps manage network traffic by reporting which types of traffic are being used on
the network. The device also provides tools to help control the traffic and identify
potentially dangerous users or applications. By monitoring all Internet traffic, Optinet will
report on how much bandwidth is being used for browsing the Web, downloading files via
File Transfer Protocol (FTP) or Peer-to-Peer (P2P) applications. This information is valuable
as you will begin to see how your network resources are being used. With this information,
you can then use Optinet to optimize traffic, identify high-priority traffic, and restrict
unwanted types of traffic or web sites. In essence, Optinet will allow you to receive the
most benefit from your network and users.
Optinet provides three essential facets for traffic reporting and control:
• Filter content—Optinet will monitor and report on web sites visited. Optinet will
allow you to block unauthorized web sites or web categories.
• Shape traffic—Optinet can prioritize applications or users within the network,
allowing you to limit or restrict bandwidth and specific types of traffic. For example,
P2P file sharing can consume large amounts of bandwidth. Optinet can restrict this
traffic, allocating more bandwidth to higher priority traffic.
• Block spyware and web viruses—Optinet will also identify and block spyware or viral
web sites and applications that can potentially harm your network and consume
bandwidth.
Optinet can quickly increase bandwidth for high priority traffic, ensure employee
productivity, provide appropriate web content, add an additional layer of security, and
prevent users from compromising your network. This user guide will instruct you on how to
use and deploy the various functions of Optinet.
Chapter 2: Installing Optinet
In this chapter, you will learn how to perform an initial installation of Optinet. The following
topics will be covered:
• Gathering Initial Information
• Connecting to Optinet
• Running the Setup Wizard
• Cutting-Over
• Accessing Optinet
• Using Alternative Configuration Methods
• Configuring Port Settings
• Configuring Cabling
• Testing Fail to Wire or No Failover
Optinet is a powerful network device that is relatively easy to set up in any network
environment using the instructions in this document and the Setup Wizard. Please read and
understand all configuration and installation considerations before proceeding.
If you have questions or are unsure about the installation of Optinet, please contact your
Black Box Technical Support at 724-746-5500, your Authorized Black Box Network Services
Reseller, and/or the person responsible for the service of your network.
Gathering Initial Information
This section lists the information and basic definitions of terms you will need to
know before installing Optinet. Begin by reviewing the information and filling out the
following table for your records. You will need the following information:
License Key
Licenses that have been purchased with your system will ship as a license key on a card in the
Documentation & Accessories box or be delivered via email at the time of purchase. Locate this card
to enable the licenses on your system during the setup process.
License Key:
Model Number:
Serial Number:
Licensed Network Nodes:
Licensing—licensing with Optinet is based on network connections. One hundred
connections on your network constitute 100 Network Node licenses. Please make sure
that the number of licenses purchased is sufficient for the active connections present on
your network.
Model Number and Serial Number—these numbers are associated with your Optinet for
device identification and are used in conjunction with the License Key to verify the
number of licenses purchased.
IP Configuration
If you are unsure of the following fields, the Setup Wizard will detect available addresses and settings
within your network via DHCP. You may copy over these settings during the Setup Wizard.
Optinet (Bridge) IP address:
Subnet Mask:
Default Gateway (WAN Side) IP address:
DNS Server IP address:
Management/Auxiliary Port IP address:
The Management/Auxiliary Port IP address cannot be in any active subnet in your network.
Management/Auxiliary Port Subnet Mask:
Total Download Bandwidth (in Kbps):
Total Upload Bandwidth (in Kbps):
Time Zone:
The amounts entered for Total Download Bandwidth and Total Upload Bandwidth
limit the total throughput through Optinet. Please make sure the amounts you enter in
these fields are correct.
If you would like to receive email alerts when users attempt to access viral web sites, you
must fill out the Email Settings. If you are not interested in this option, you may leave the
following fields blank.
Email Settings
In order for Optinet to send email alerts, the email server listed below must be configured to relay
messages from Optinet.
System Alerts & Broadcasts email address
(System Administrator):
Email Server Hostname or IP address
(optional):
Remote Subnets
Optinet will identify and monitor all network traffic native to its local subnet. If you have a routed
network (VLANs, different network addresses, etc.), please note the network addresses outside the
Optinet local subnet in the appropriate CIDR notation. See Appendix E for the CIDR Cheat Sheet.
Subnet Address (CIDR notation):
Subnet Address (CIDR notation):
Subnet Address (CIDR notation):
Once you have this information, you’re ready to make your initial connections to Optinet.
Connecting to Optinet
The next step is to power on and establish a connection to Optinet from a local management
workstation/laptop. You will also need to connect Optinet to your network.
Running the Setup Wizard requires an active Internet connection from the
network where Optinet will be installed. If you do not have an active Internet
connection available, or you do not wish to use the Setup Wizard, please consult the section
Using Alternative Configuration Methods.
1. Connect a cross-over cable (included in your Accessories Kit) from the Optinet LAN
port to the network port on your workstation/laptop.
2. Connect a straight-through cable from the Optinet WAN port to an empty port on
your local network switch.
Figure 2.1 Optinet Configuration Connectivity
3. Write down the existing IP settings of your local workstation/laptop so that you can
easily change them back when configuration is complete.
4. Change your local workstation/laptop IP settings. You will need to change the IP
settings on your local workstation/laptop to communicate with the default settings of
Optinet:
• Default IP Address—192.168.1.80
• Default Subnet Mask—255.255.255.0
The suggested settings for the local workstation/laptop are the following:
• IP Address—192.168.1.81
• Subnet Mask—255.255.255.0
Running the Setup Wizard
1. To access the Setup Wizard, open Microsoft’s Internet Explorer (IE) 6 or 7 and enter
http://192.168.1.80 in the address bar.
2. Log in to the system using:
a. Default User Name: admin (all lowercase)
b. Default Password: blackbox (all lowercase)
3. Please read and accept the EULA.
4. The Welcome Screen is then displayed automatically on new systems, as well as on
systems that have been reset to factory defaults. Read the following information
displayed in the Welcome Screen and select Next>>.
Figure 2.2 The Setup Wizard Welcome Screen
5. Using the information you collected in the section Gathering Initial Information,
complete the steps within the Setup Wizard. Select Next>> when the page fields
are complete. Optinet will test the settings of each step and if successful, will allow
you to proceed.
6. The final step in the Setup Wizard allows you to confirm and, if necessary, edit your
configuration. This step will also check for updates and will automatically retrieve
and install them. Major firmware upgrades will require a reboot of your system
when complete.
Please note that advanced configuration options such as Directory Integration or Ethernet
Settings require additional steps that are not covered in the Setup Wizard. For additional
information, please review their corresponding chapters.
Cutting Over
Only perform these next steps when network traffic can be momentarily
interrupted.
Now that you have finished the Setup Wizard, you are ready to place Optinet inline with
Internet traffic. Optinet requires all Internet traffic to pass through its bridge interface,
unless the device is configured in Proxy Mode. If you are planning to configure Optinet in
Proxy Mode, you can skip the current section and proceed to the section Using Alternative
Configuration Methods.
For typical installations you will need to follow the next steps and physically place Optinet
inline with your network’s traffic. In general this location is between the Firewall/WAN
Router and the Core Network Switch.
1. Remove the cables connected to the Optinet WAN and LAN ports.
2. If you modified your local workstation/laptop IP settings, you will need to change
your local workstation/laptop settings back to their original IP settings.
3. Locate the connection between the Core Network Switch and the Firewall/WAN
Router. Unplug the cable from the Firewall/WAN Router and connect it to the LAN
port on Optinet.
4. Using the cross-over cable, connect the WAN port of Optinet to the now open port on
the Firewall/WAN Router that was previously used by the Core Network Switch.
5. Verify that the cross-over cable is plugged into the Optinet WAN port and the
Firewall/WAN Router.
6. Verify that the straight-through cable is plugged into the Optinet LAN port and the
Core Network Switch. Optinet should now be sitting inline with your Internet traffic.
7. Confirm that the Light Emitting Diodes (LEDs) for both the WAN and LAN ports are
showing solid green (link) lights and blinking amber (speed) lights.
8. Verify that local workstations can access the Internet by opening a web browser and
navigating to several web sites.
Figure 2.3 Optinet Installation Connectivity
If you are able to browse to the Internet, you have completed the installation of Optinet.
The device should now be sitting inline with your Internet traffic and monitoring web
requests.
Accessing Optinet
After completing the configuration and installation processes, you can access Optinet by
using the IP address you assigned to the device during the Setup Wizard.
1. Open Microsoft’s IE 6 or higher and navigate to http://IP address assigned.
2. Log in using the default credentials (listed under the section Running the Setup Wizard)
or with the newly created administrative login.
3. When you log in to Optinet, the Home Page will display. This page provides a
snapshot of system health, filtering effectiveness, current firmware versions,
subscription settings, as well as links to administration of your new system.
We strongly recommend that you create a new administrative login, and change the
default login password to limit access to Optinet. Select the Manage -> System
Access -> Logins link to make these changes.
Using Alternative Configuration Methods
The previous sections discuss the most common steps for installing Optinet. However,
there are alternative methods that can be used for initial configuration of the device as well
as different modes that Optinet can accommodate. In this section, the topics of installing
Optinet without the assistance of the Setup Wizard as well as Proxy Mode will be discussed.
Manual Configuration
Physical connectivity for manual configuration of Optinet can be accomplished using a
cross-over cable from a local machine (such as a laptop) to either the LAN, WAN, or
Management/Auxiliary (AUX) ports on Optinet. See the instructions in Connecting to
Optinet on modifying your local machine IP settings to connect to Optinet.
If you wish to configure Optinet without the assistance of the Setup Wizard, or if you are
pre-configuring the system for installation, the Manual Configuration settings can be
accessed through Admin -> Configuration settings screens. Simply cancel the Setup Wizard
and access the settings listed in the table below.
The following table shows where the network configuration information collected in
Gathering Initial Information can be manually entered into the Optinet configuration pages.
Quick Start Guide Table Name         Admin -> Configuration -> Page Name
License Key                          License
IP Settings                          Setup
Total Upload/Download Bandwidth      Misc. Settings
Email Settings                       Company Settings
Remote Subnets                       Remote Subnets
Management/Auxiliary Interface
Optinet can be accessed via the Management/Auxiliary port for the initial configuration.
However, the IP settings for the port will need to be different than those for the bridge
interfaces (WAN and LAN ports) and cannot be an IP address found under the Remote
Subnets listings.
1. Connect a cross-over cable (included in your Accessories Kit) from the Optinet
Management/Auxiliary port to the network port on your workstation/laptop.
2. Write down the existing IP settings of your local workstation/laptop so that you can
easily change them back when configuration is complete.
3. Change your local workstation/laptop IP settings. You will need to change the IP
settings on your local workstation/laptop to communicate with the default settings of
Optinet:
• Default Management/Auxiliary IP address—10.1.1.1
• Default Subnet Mask—255.255.255.0
The suggested settings on the local workstation/laptop are the following:
• IP address—10.1.1.2
• Subnet Mask—255.255.255.0
4. From the Management/Auxiliary port, you can access Optinet via the GUI or Text
Menu (covered in the following section). If you choose to configure Optinet via the
GUI, please follow the steps listed under the section Setup Wizard. If you choose to
configure Optinet via the Text Menu, please follow the steps listed under the next
section.
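The addressing constraints stated in Gathering Initial Information and in this section (the Management/Auxiliary address must not lie in any active subnet, the gateway must sit in the bridge subnet, remote subnets must be valid CIDR outside the local subnet) are easy to get wrong on paper. The following Python script is an added example, not part of the original guide or the Optinet software; it checks a filled-in worksheet before anything is typed into Optinet. The worksheet values are constructed sample data.

```python
import ipaddress
from typing import Dict, List

# Constructed sample worksheet (not a real deployment); the keys mirror the
# fields of the Gathering Initial Information tables.
SAMPLE_WORKSHEET: Dict[str, object] = {
    "bridge_ip": "192.168.1.80",          # Optinet (Bridge) IP address
    "subnet_mask": "255.255.255.0",
    "default_gateway": "192.168.1.1",     # Default Gateway (WAN side)
    "dns_server": "192.168.1.10",
    "mgmt_ip": "10.1.1.1",                # Management/Auxiliary Port IP address
    "mgmt_subnet_mask": "255.255.255.0",
    "remote_subnets": ["192.168.10.0/24", "172.16.0.0/16"],
    "download_kbps": "10000",
    "upload_kbps": "2000",
}


def _network(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Return the subnet that an address/dotted-mask pair belongs to."""
    return ipaddress.IPv4Interface(f"{ip}/{mask}").network


def check_worksheet(ws: Dict[str, object]) -> List[str]:
    """Check a filled-in worksheet; return the list of problems (empty means consistent)."""
    problems: List[str] = []

    # Bridge interface: the address must be a usable host address in its subnet.
    try:
        bridge_ip = ipaddress.IPv4Address(ws["bridge_ip"])
        bridge_net = _network(ws["bridge_ip"], ws["subnet_mask"])
    except (KeyError, ValueError) as exc:
        return [f"bridge IP address or subnet mask is invalid: {exc}"]
    if bridge_ip in (bridge_net.network_address, bridge_net.broadcast_address):
        problems.append(f"bridge IP {bridge_ip} is the network or broadcast address of {bridge_net}")

    # Default gateway (WAN side) must be a different host inside the bridge subnet.
    try:
        gateway = ipaddress.IPv4Address(ws["default_gateway"])
        if gateway not in bridge_net:
            problems.append(f"default gateway {gateway} is not in bridge subnet {bridge_net}")
        elif gateway == bridge_ip:
            problems.append("default gateway must not equal the bridge IP address")
    except (KeyError, ValueError) as exc:
        problems.append(f"default gateway is invalid: {exc}")

    # The DNS server only needs to be a well-formed address (it may be off-subnet).
    try:
        ipaddress.IPv4Address(ws["dns_server"])
    except (KeyError, ValueError) as exc:
        problems.append(f"DNS server is invalid: {exc}")

    # Remote subnets: strict CIDR (no host bits set) and outside the local subnet.
    remote_nets: List[ipaddress.IPv4Network] = []
    for entry in ws.get("remote_subnets", []):
        try:
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"remote subnet {entry!r} is not valid CIDR: {exc}")
            continue
        if net.overlaps(bridge_net):
            problems.append(f"remote subnet {net} overlaps the local bridge subnet {bridge_net}")
        remote_nets.append(net)

    # Management/Auxiliary port: its subnet must differ from the bridge subnet and
    # must not fall inside any active (remote) subnet.
    try:
        mgmt_net = _network(ws["mgmt_ip"], ws["mgmt_subnet_mask"])
        if mgmt_net.overlaps(bridge_net):
            problems.append(f"Management/Auxiliary subnet {mgmt_net} overlaps bridge subnet {bridge_net}")
        for net in remote_nets:
            if mgmt_net.overlaps(net):
                problems.append(f"Management/Auxiliary subnet {mgmt_net} overlaps remote subnet {net}")
    except (KeyError, ValueError) as exc:
        problems.append(f"Management/Auxiliary IP address or mask is invalid: {exc}")

    # Bandwidth limits cap total throughput, so they must be positive whole Kbps values.
    for field in ("download_kbps", "upload_kbps"):
        value = str(ws.get(field, ""))
        if not value.isdigit() or int(value) <= 0:
            problems.append(f"{field} must be a positive whole number of Kbps, got {value!r}")

    return problems


if __name__ == "__main__":
    for issue in check_worksheet(SAMPLE_WORKSHEET) or ["worksheet is consistent"]:
        print(issue)
```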
Text Menu Interface
The Optinet Text Menu allows installers, system administrators, and other trained technical
personnel to access the device via a text interface, similar to a Command Line Interface
(CLI). While some of the basic features and options available within the Optinet web
interface are also available here, most advanced technical options are only available through
the GUI menus. The one exception is IP Traffic Monitor (Option 2—Utilities, Option 3—IP
Traffic Monitor), which is discussed under Chapter 6: Administrating Optinet, section
Diagnostic Tools tab. Below are the supported options for accessing the Optinet Text Menu:
• Secure Shell (SSH)
• HyperTerminal (via serial connection)
The default login for all these menus is the following:
• Default User Name: menu (all lowercase)
• Default Password: blackbox (all lowercase)
Secure Shell Access
Secure Shell (SSH) access allows administrators to access the Optinet Text Menu through a
secure connection. SSH applications such as PuTTY (a freeware application available from
the installation CD) make it easy to use this secure method of accessing systems remotely.
1. Download PuTTY.exe from the CD.
2. Double click on the program.
3. Enter in the IP address of Optinet.
4. Leave all other settings at default.
5. Click the Open button.
Figure 2.4 PuTTY Configuration
6. Log in with the default credentials.
7. Type 1 to access Configure IP addresses submenu.
Figure 2.5 Text Menu Interface
8. Enter in the information collected in the IP Settings table under Gathering Initial
Information.
Serial Access
The following section lists steps on how to connect to the Optinet Text Menu using
HyperTerminal. Although there are other terminal emulators that can work with the Optinet
serial connection, the steps listed below are for a workstation/laptop with Windows XP and
HyperTerminal.
Ensure that you have the null modem (2U systems) or USB (1U systems) cable (included
with shipping materials) connected to a communication port of your local workstation/laptop
and to the Optinet serial port (38.4 8N1).
1. Set up a connection using HyperTerminal (Start -> All Programs -> Accessories ->
Communications -> HyperTerminal).
2. In the New Connection Description dialog, enter a name for the connection in the
Name field and select an icon if you want.
3. Click the OK button.
4. In the Connect To dialog, select the COM port for the connection.
5. Click the OK button.
6. In the COM Port Properties window, select the settings that correspond to:
• Bits per second: 38,400
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None
7. Click the OK button.
8. When the main HyperTerminal screen appears, press the Enter key to confirm a
connection.
9. Log in with the default credentials:
a. Default User Name: menu (all lowercase)
b. Default Password: blackbox (all lowercase)
10. Type 1 to access the Configure IP addresses submenu.
11. Type the information collected in the IP Settings table under Gathering Initial
Information.
Once Optinet has been configured using an alternative method described above, you can
perform the steps listed under Cutting Over of this chapter.
We strongly recommend that you change the default password for the menu account
to limit access to the Text Menu. Select Option 3—Change Menu Password under the
main menu to make this change.
Proxy Mode
For full functionality of Optinet, we recommend placing the device inline with traffic.
However, if you do not want to place the device inline with network traffic, or if you have
users on the WAN side of Optinet that you want to filter, you can configure Optinet as a web
proxy. A web proxy is normally a server that carries out web requests for users. Typically,
web traffic is routed to the server which requests the web sites for the intended users.
Optinet does likewise with a configuration called Proxy Mode. This configuration does not
require Optinet to be inline with network traffic.
To use Optinet as a proxy, the device must have a network connection to the users and the
Internet via the WAN or LAN port (only one has to be active). With this connection, you can
then use either the Setup Wizard or an alternative method to assign the device the required
IP settings. Afterwards, you must alter the connection settings of the users’ web browsers
to use the IP address of Optinet as a proxy and port 8888 for browsing. (Port 8888 is the
assigned port used by the Optinet filtering engine). If Optinet has a private IP address and
you want external users to use Optinet as a proxy, you may need to create a Network
Address Translation (NAT) rule for Optinet.
Below are the steps on how to alter the LAN connections using IE 7 and Firefox 2. You can
also alter LAN connections via Group Policy Objects (GPOs), VPN connections, or other
network devices; however, these steps are not covered in the User Guide and will need to
be researched independently.
Internet Explorer (IE) 7
1. Open up IE 7 web browser.
2. Click on Tools -> Internet Options.
3. Click on the Connections tab.
4. Click the LAN Settings button.
5. Under Proxy Server section, select the checkbox for Use a proxy server for your LAN.
6. Under the Address field, enter the Optinet IP address.
7. Under the Port field, enter the number 8888.
8. Click OK until the settings are applied.
Firefox 2
1. Open up Firefox 2 web browser.
2. Click on Tools -> Options.
3. Click on the Advanced menu.
4. Select the Network tab.
5. Under the Connection section, click the Settings button.
6. Select the radio button next to Manual proxy connection.
7. Enter in the IP address of Optinet in the HTTP Proxy field.
8. Enter in the number 8888 in the Port field.
9. You may also select the Use this proxy server for all protocols checkbox if you
like.
10. Click OK until the settings are applied.
Once users’ web browsers have been configured to use Optinet as a proxy, you will then
need to configure Optinet to accept web requests. This setting is found under Admin ->
Configuration -> Advanced Setup. Select the check box next to Allow HTTP Connections on
port 8888. Don’t forget to apply the changes.
Optinet will then begin to create profiles for users as they begin to send web requests to
Optinet. You can confirm this under Manage -> Directory Users & Nodes -> Network Nodes.
If you have enabled Directory settings, Optinet will also create Directory Profiles as well
(Manage -> Directory Users & Nodes -> Directory Users). You can then create groups
based on the profiles for content filtering and reporting. Please see Chapter 5: Managing
Optinet for steps on how to create groups.
Please note that Proxy Mode does not offer all of the functions over network traffic that are
available in the default inline mode, in particular bandwidth control and full
reporting. Because network traffic is not physically passing through the Optinet bridge
interface, the device can no longer confirm which applications are passing through, nor control
bandwidth. In addition, you cannot use all of the Advanced Filtering options and
HTTPS/SSL Filtering settings to ensure content filtering.
With Proxy Mode you will only be able to filter web content and report on web sites visited.
As such, you will not be able to apply all Shaping Rules, nor will there be data posted
under the applications reports (Report -> Applications) or users reports (Report -> Users).
There will, however, be data under Internet Usage and Threats.
Below is a table of all supported reports and menus with Proxy Mode (Report and Manage
Tabs). If a specific feature is not listed in this table, then it is not supported in Proxy Mode.
Proxy Mode Support
Report
  Threats
    Spyware Overview
    Spyware Infected Users
    Spyware Threat Names
    Virus Overview
    Virus Infected Users
    Virus Threat Names
  Internet Usage
    Web Hits Overview
    Web Bandwidth Overview
    Web Hits by Network Node
    Web Bandwidth by Network Node
    Web Time Online
  System Reports
    Active Users
    CPU Utilization
    IP Connections
    Latency
    Packets per Second
    RAM Usage
  Dashboard
    Real Time URL Monitor
Manage
  Policies & Rules
    Groups
    Time of Day Rules
    Internet Usage Rules
      o TFRS (HTTP Traffic Only) Deny Access, No Filters, Web Filter Only, Web Logging,
        SSL Block, and SSL Filter, Content Filtering, Advanced Filtering, HTTPS/SSL
        Filtering (SSL Certificate Based Content Filtering), Web Authentication
    Shaping Rules
      o Web Content
  Policy Manager
  Directory Users & Nodes
    Directory Users
    Directory Agent
    Network Nodes
  Broadcast Manager
  Applications
    Traffic Flow Rule Sets (HTTP Traffic Only) Deny Access, No Filters, Web Filter Only, Web
    Logging, SSL Block, and SSL Filter
One final note: you can configure Optinet inline with traffic and use the device as a proxy
for a combination of functionality. For example, you can install Optinet inline with network
traffic for internal users, and then alter web browser settings for VPN or external users to
use Optinet as a proxy. This way, you gain full functionality for internal users and web
filtering functionality for external users.
Configuring Port Settings
The Optinet bridge ports (WAN and LAN) by default are set to auto-negotiate for both speed
and duplex settings. This means that Optinet will negotiate with the devices that are
plugged into these ports to verify their speeds and duplex mode. Normally auto-negotiation
will allow Optinet to operate at 100 Mbps or above and Full-Duplex.
However, you should confirm that Optinet is operating at 100 Mbps or above, Full-Duplex,
and is not generating any interface errors. You can do this under Admin ->
Diagnostic Tools -> Ethernet Status.
Review both WAN Port and LAN Port tabs to confirm that Optinet is operating at the correct
speed and duplex. Also verify that no errors are listed under the Errors field.
If the auto-negotiating settings list a speed under 100 Mbps, a duplex mode that is not Full
or are generating errors, you may need to hard set these settings on the interfaces. You
can do this under Admin -> Configuration -> Ethernet Settings.
Hard setting the Ethernet settings can cause network interruptions. Only perform these
next steps when network traffic can be momentarily interrupted.
Select the speed and duplex settings you would like to hard set for the desired port(s) and
press the Apply button. In addition to this, you may need to hard set the interface settings
on the devices connected to Optinet. This will allow Fail to Wire and No Failover to work
correctly. The next section will explain these options.
Configuring Cabling
In addition to confirming the port and duplex settings, you should also confirm cables
connected to Optinet. Typically, layer 3 devices connected to Optinet require a cross-over
cable while layer 2 devices connected to Optinet require straight-through cables.
In a standard installation, the Optinet WAN port will connect to the firewall via a cross-over
cable while the Optinet LAN port will connect to the core network switch via a straight-through
cable.
However, if you are installing Optinet in between a firewall and the core network router, you
may need cross-over cables for each port. Also, if the devices connecting to Optinet offer
Medium Dependent Interface Crossover (MDIX), which can compensate for switching
transmit and receiving signals, you may be able to use straight-through cables for each
port.
In any case, you will want to confirm the cabling for proper negotiation for Fail to Wire or No
Failover. You can confirm negotiation by reviewing the section Ethernet Status. If after
hard setting the ports, Optinet is still generating errors, you may need to change the
cabling. After confirming negotiation, you should confirm Fail to Wire or No Failover by
following the steps listed in the next section.
Testing Fail to Wire or No Failover
Optinet offers two options for network connectivity in case of a device failure or power loss:
Fail to Wire and No Failover. Unless specified before purchase, the model of Optinet you
receive will be designed for Fail to Wire. Fail to Wire allows network traffic to pass in case
Optinet fails or is powered down, while No Failover stops all network traffic in case of failure
or power loss. Your preference must be specified before purchasing the device as the
implementation is done via hardware. After confirming your preference and the installation
of Optinet, you should perform some tests to confirm the functionality.
Only perform this test when network traffic can be momentarily interrupted and
you are physically next to Optinet.
Fail to Wire
Fail to Wire allows network traffic to pass in case of failure by closing a circuit in between
the WAN and LAN ports. However, for this to work properly, the devices connected to
Optinet must be able to negotiate correctly.
1. Power off Optinet under Admin -> Utilities -> System Resets -> Hardware
Shutdown.
Do not power down Optinet by pulling the power cord or pressing the power
button on the front bezel. These procedures should only be used when there is no other
alternative for powering down the device.
2. Depending upon the devices that are connected to Optinet, the duplex settings and
cabling, it may take up to 5 minutes for Fail to Wire to complete. As such, please
wait up to 5 minutes after powering down Optinet completely before performing the
next step.
3. Confirm by the interface LEDs that the firewall/WAN router and the core network
switch are still communicating.
• Confirm that all network options are available, i.e., browse the Web, log into
a remote site, etc.
• If the test is not successful, check the compatibility of port speed/duplex and
cabling used on Optinet and the other devices.
4. Power on Optinet using the power button on the front bezel.
5. After waiting 5 minutes for the device to power up, log into Optinet and verify that
the unit is functional.
Bypass Mode
Besides powering down Optinet, there are other scenarios that can cause Optinet to fail,
i.e., running the device out of specs, hardware failure, etc. Once a failure is detected,
Optinet will initiate the supported Bypass Mode (Fail to Wire or No Failover). This is
indicated by the LEDs on all ports, which will blink and scroll in unison.
If this happens, please contact Black Box Network Services Technical Support at 724-746-5500
or your Authorized Black Box Network Services Reseller. Diagnosing and
troubleshooting the problem may require that you physically remove Optinet from the
network.
No Failover
No Failover works by simply grounding the circuit between the WAN and LAN ports of
Optinet. As such, when a failure is detected, no traffic will be passed from the LAN port
to the WAN port, thereby denying Internet access.
1. Power off Optinet under Admin -> Utilities -> System Resets -> Hardware
Shutdown.
Do not power down Optinet by pulling the power cord or pressing the power
button on the front bezel. These procedures should only be used when there is no other
alternative for powering down the device.
2. Depending upon the devices that are connected to Optinet, duplex settings, and
cabling, it may take up to 5 minutes for No Failover to complete. As such, please
wait up to 5 minutes after powering down Optinet completely before performing the
next step.
3. Confirm by the interface lights that the firewall/WAN router and the core network
switch are not communicating.
• Confirm that all network options are not available, i.e., attempt to browse the
Web, log into a remote site, etc.
• If the test is not successful, check the compatibility of port speed/duplex and
cabling used on Optinet and the other devices.
4. Power on Optinet using the power button on the front bezel.
5. After waiting 5 minutes for the device to power up, log into Optinet and verify that
the unit is functional.
As with Fail to Wire, there are other scenarios that can cause Optinet to fail besides
powering down the device. If Optinet is entering No Failover unintentionally, please contact
Black Box Network Services Technical support at 724-746-5500 and/or your Authorized
Black Box Network Services Reseller for diagnosis and troubleshooting.
Now that you have confirmed Fail to Wire or No Failover, let’s discuss how to navigate
through the Optinet GUI.
Chapter 3: Navigating Optinet
This section contains guides and tips on how best to navigate through the Optinet Graphical
User Interface (GUI). The chapter is divided into three sections:
• General Navigation
• Task Pane
• Help Pane
To access Optinet, open Microsoft Internet Explorer (IE) 6 or higher and enter the IP
address assigned to Optinet in the address bar (Optinet only supports IE 6 and above). You
should receive the login menu.
General Navigation
Once you login to Optinet, you will be presented with the Home Page. The Home Page
provides a snapshot of system health, filtering effectiveness, current firmware versions,
subscription settings, as well as links to guide the administration of your system.
The Optinet navigation is divided into three tabs: Report, Manage, and Admin. Each tab
presents you with different functions for Optinet. When you click on one of the tabs, the
expanded menus for those tabs will appear. You can then select a sub-menu under the
corresponding tabs for more options which will appear as expandable selections.
In general, the Report tab will be used for generating reports and viewing network traffic.
The Manage tab will be used to create groups, content filtering rules, and shaping rules.
The Admin tab is used for basic and advanced configuration of the device, as well as
troubleshooting and disaster recovery.
You can navigate back between tabs and reports by using the back arrow button located
next to the Admin tab. Do not use the back arrow button available on your web browser,
since this will take you back to the Optinet login page. You can have multiple tabs open for
ease of use by right-clicking a selection and choosing Open in new tab. Each tab color will
correspond to the main menu tab color.
Figure 3.1 Optinet Navigation tabs
For large reports, group membership, or application menus, Optinet has a pagination menu
that can be used to navigate to specific pages or towards the end or beginning of a series.
The open box in the pagination menu allows you to view a certain page after entering the
page number and clicking the Go button (the available pages are listed above the open
box).
You can also navigate to the next (Next) or previous (Prev) page by clicking the single
arrow or to the very end or beginning of the series by clicking the double arrows. Where
available, the pagination menu will post towards the bottom of the report, membership box,
or application menu.
Figure 3.2 Optinet Pagination arrows
Finally, depending upon which tasks are being performed, you may receive a
communication error from Optinet. This is usually a result of services being restarted. If
you are presented with the below dialog box, select the OK button, wait 30 seconds, and
attempt to access a menu. If the problem persists, you may need to re-login to Optinet.
Figure 3.3 Communication Error Dialog Box
Now that you have become familiar with general navigation, let’s explain the Tasks Pane,
Help pane, and the different navigation options available.
Tasks Pane
The Tasks Pane is located in the upper-right corner of any of the Optinet screens. The
Tasks Pane lists actions or options that can be selected for the active page. Because of this,
the contents displayed in the Tasks Pane will change depending on the screen currently
displayed. The Tasks Pane is a convenient place to find the most commonly needed actions.
For example, if you select a report, the Tasks Pane will list options on how to present the
report, i.e., Email, Print, Export, etc. These actions are available by clicking the
corresponding icons in the Tasks Pane.
Below are listed all options presented in the Tasks Pane with the corresponding action.
Please review Chapter 4: Generating Reports for more information on some of the options.
Actions
—Directory User Dashboard: Displays Directory User Overview
—Directory User Detail: Displays Directory User Detail for selected Directory User profiles
—Network Node Overview: Display the Network Nodes Overview report
—Network Node Detail: Display all details for the Network Node selected
Re-scan Port: This will re-scan profiles under Network Node Manager (Manage -> Directory
Users & Nodes -> Network Nodes). Use this action when a device needs to be re-scanned
due to configuration changes, i.e., new NetBIOS name, new IP address, etc.
Re-scan Directory User Name: This will re-scan profiles under Directory Users (Manage ->
Directory Users & Nodes -> Directory Users). Use this action when Directory Users need to
be re-scanned due to configuration changes, i.e., new domain, new groups, changed name,
etc.
Actions
—Download Certificate: Download the SSL Certificate
Correlate by
—Category: Correlate report by Web categories visited
—Directory User: Correlate report by Directory User profiles
—File Type: Correlate report by File Types downloaded
—Group: Correlate report by Group profiles
—Host: Correlate report by Web sites (hosts) visited
—MIME Type: Correlate report by MIME Types downloaded
—Network Node: Correlate report by Network Node profiles
—None: No correlation
—Service: Correlate IM reports by IM Client service
Export
—Email: Send the report in an email
—Excel Document: Export the report or policies into a Comma Separated Value (CSV)
format
—Print: Print the report or policies currently displayed on screen
—XML Document: Export the report or policies into an Extensible Markup Language
(XML) document
Getting Started
—Getting Started Videos: Watch tutorial videos on the corresponding topic
Related Dashboards
—Directory User Dashboard: Display all traffic reported for the Directory User selected
—Group Dashboard: Display all traffic reported for the group selected
—Network Nodes Dashboard: Display all traffic reported for the Network Node selected
Related Tasks
—View Bandwidth Report: View amount of bandwidth consumed for selected Web
category, Web site, or profile
—View Hits Report: View amount of URL hits for selected Web category, Web site, or
profile
System Information
System Information will post current system time. If your device does not post the correct
time, you may need to adjust the Time Zone settings or the Network Time Protocol (NTP)
server. Please review the sections Setup and Advanced Setup in Chapter 6: Administrating
Optinet.
Help Pane
The Help Pane lists topics from the User Guide that are related to the page currently posted.
For example, if you select the Application Overview report, the Help Pane will list Related
Topics for the Application Overview. You can then select the link which will display the first
page within the User Guide dealing with the Application Overview. You must have Adobe
Reader installed to use the Help Pane.
The Help Pane also posts information regarding the Product Enhancement Program. The
Product Enhancement Program allows Black Box Network Services to upload a small file
containing anonymous configuration and system usage details as part of the scheduled
update routine. This file will not contain personal identifiable information, will not be used
for direct marketing, and will not impact system performance. The product details collected
as part of the Product Enhancement Program may change from time to time as new
features and capabilities are added to or changed in the product, but they will never include
personal identifiable information. You can stop participating at any time by disabling the
checkbox located in the Product Enhancement Program.
One last item under the Help Pane is the Black Box Network Services Optinet Privacy Policy.
The privacy policy covers how Black Box Network Services will handle personal information
collected and received with Optinet. For full details on this information, you can select the
link for Black Box Network Services Optinet Privacy Policy under the Help Pane.
Lastly, the Tasks Pane and Help Pane are collapsible by selecting the collapse icon located to
the right of the Tasks Pane.
Chapter 4: Generating Reports
The Report tab will present information concerning network traffic, web sites visited, and
system health. This chapter is divided into each report available and also general reporting
rules that will apply to each different report.
• Home Page
• General Reporting Options
• Users Tab
• Applications Tab
• Threats Tab
• Internet Usage Tab
• System Reports
• Dashboards Tab
Home Page
The first page presented under the Report tab is the Home Page. The Home Page is divided
into 5 sections: Message Center, System Notifications, Getting Started, Hardware Settings,
and System. The top display will be the Message Center.
The Message Center
The Message Center posts message about firmware and software releases. The Message
Center will also post important suggestions such as changing default passwords and
company communications. These messages are posted by date and can be read by
selecting the individual messages. Afterwards, you may delete the messages by either
selecting the trash icon next to the message or by clicking the delete button inside the
messages.
System Notifications
System Notifications will post messages from Optinet. These messages are intended to
alert the administrator of Optinet of critical configuration or incompatibility issues that may
impede proper Optinet functionality. Messages such as incorrect installation, exceeded
license count, or network scenarios such as asymmetrical routing that require advanced
configuration will be posted here. These messages will be posted in their entirety on the
System Notifications area. You may delete the messages by selecting the trash icon next to
the message; however, the message may return if the problem is not resolved.
Getting Started
The Getting Started area provides you with links to the User Guide that may be helpful in
beginning administration of the Optinet System.
Hardware Settings
The Hardware Settings area provides you with a summary of the Optinet hardware settings,
i.e., Model, Serial number, and Device ID. This area also posts the device’s Licensed Nodes,
Software Version, Last Known Updates, System Time, and expiration date of Annual
Software Maintenance (ASM).
ASM is used for support on your device and provides Optinet with continued updates on
firmware, spyware, anti-virus, and content filtering. ASM also grants you access to Black
Box Network Services Technical support if needed. If your ASM is not current, Optinet will
not be able to update firmware, software, content filtering, spyware or anti-virus nor will
Black Box Network Services Technical support be available. To renew your ASM please
contact Black Box Technical Support at 724-746-5500, your Authorized Black Box Network
Services Reseller, or a Black Box Network Services Sales Office.
System
The System area provides you with a summary of the Optinet monitoring statistics and
system information such as blocked spyware, blocked viruses, blocked web requests, and
average CPU load. Totals for each parameter are displayed for the last 24 hours.
General Reporting Options
There are several options available that are universal under the Report Tab. These options
are Selected Date, Search, Correlated by, Result Type, Group, Network Node, Directory
User, and Encryption Type. These options allow you to customize reports on any device,
user, or application.
Figure 4.1 Reporting Options
For example, click on the Application Overview report (Report -> Applications -> Application
Overview). This will post the top applications passing traffic through the network within the
last 24 hours. However, if you would like to search for traffic from a specific device within
the last 30 days, you may adjust the Selected Date and search for device under Network
Node. The report will then modify to display the last 30 days for the specific device. These
same options can be used for a wide variety of reports.
Below are listed all available adjustments with reporting. You may also click on the different
settings contained within the specific reports for a list of available options.
Selected Date
Selected Date allows you to adjust the time frame for the generated report. The options
available are Last Hour, Last 24 Hours, Last 7 Days, Last Week, Last 30 Days, Last Month,
Last Year, and Custom.
If you select Custom, you will be presented with a calendar that will allow you to adjust the
time and days accordingly.
Search
This field will allow you to search for different sections in reports, i.e., specific web sites,
categories, applications, etc. Enter in the search criteria and click the Search button (or
press the Enter key) for results.
Correlated by
This field allows you to link traffic reports to the most bandwidth consuming users (Group,
Directory User, and Network Nodes) for specific applications. You can also use the field to
link Internet Usage reports by the most browsed web Categories, Hosts, File types, and
MIME Types.
Result Type
This field is available under Web Content reporting. This option allows you to customize
web reports based on the four general areas of web sites: No Filter (All web sites
requested), Allowed (web sites that have been accessed), Blocked (web sites that have
been blocked), and Bypassed (web sites that were bypassed using the Bypass Password).
Group
This field will allow you to search for specific Groups. Clicking this field will populate the
Select Filter Group box. Search the Available Groups list for the desired Group profile,
select the profile and click the Add button. Then click the OK button to run the report.
Network Node
This field will allow you to search for specific Network Nodes (devices on the network).
Clicking this field will populate the Select Filter Network Node box. Search the Available
Network Node list for the desired Network Node Profile, select the profile and click the Add
button. Then click the OK button to run the report.
Directory User
This field will allow you to search for specific Directory Users. Clicking this field will populate
the Select Filter Directory box. Search the Available Directory Users list for the desired
profile, select the profile and click the Add button. Then click the OK button to run the
report.
Encryption Type
This field is available under Web Content reporting. This option allows you to customize
web reports to display all web requests (No Filter), typical web requests that use Hypertext
Transfer Protocol-HTTP (No Encryption), or web requests that use Secure Hypertext
Transfer Protocol—HTTPS (Secure Socket Layer-SSL). Chapter 8: Implementing HTTPS/SSL
Filtering with Optinet discusses this topic in more detail.
Application Set
This field is available under Application Overview and some detail reports. This option will
allow you to filter reports by Application Sets. For more information on Application Sets
please see the section Applications Tab in this chapter.
Right-Click Options
Right-click options allow you to customize reports using specific time, users, or devices. For
example, to view specific applications under Application Set reports you can use right-click
options to post the report. Go to Report -> Application -> Application Set Overview. This
report will display all application sets passing through the network within the last 24 hours.
Select an application set, and right-click on the title. You will be presented with several
options that will allow you to correlate the report. Select Correlate by Application to view
the exact applications within the Application set.
Figure 4.2 Right-click Options
Selecting this option will post the specific applications being used under the application set.
Using right-click options will allow you to quickly access different correlations under all
reports. If you are not sure how to retrieve detailed information within a specific report,
right-clicking will present you with the most common options for the report. Other right-click options available are correlations by Groups, Network Node, Directory User, etc.
Drop-Down Arrows
Another option that allows you to customize reports is the Drop-Down Arrows. Any of the
reports available can be collapsed by using the Up arrow icon on the right side of the
corresponding menu bar. You can also expand an area in the Report tab using the Down
arrow icon.
Bar-Pie Graph Drop-Down
Some reports allow you to choose the graph types of either Bar Graphs or Pie Graphs.
Where this is available, you will be presented with a Drop-Down Box located in the Graph
title that will make available a bar graph or pie graph for the report.
Figure 4.3 Bar-Pie Graph Drop-Down
Snapshot-Real Time Drop-Down
The Snapshot-Real Time Drop-Down Menu allows you to view selected information
historically or in real time.
For example, if you are reviewing the report of Web Hits by Category (Report -> Internet
Usage -> Allowed) the default settings will post the results by Snapshot within the last 24
hours (historically). If you select the option of Real Time, the report will change and display
actual web hits as they pass through the device at the moment.
This option is found under Internet Usage reports (Report -> Internet Usage) and is a great
tool for troubleshooting and identifying problematic users or web sites as they occur.
Figure 4.4 Snapshot-Real Time Drop-Down
Real Time options also allow you to correlate reports by Network Node, Directory User,
Groups, and other criteria. This is useful for confirming problems immediately and
preventing them with less response time. For example, if a user is attempting to visit a
prohibited site, you can verify the web sites he or she is visiting right now by correlating
these reports by Network Node or Directory User.
Report Recommendations
Optinet is capable of reporting on a tremendous amount of information. Active users, web
sites visited, and general overviews of applications are examples of the reports most readily
available. Please keep in mind that while Optinet is recording information for reporting, the
device is also filtering web traffic and shaping network applications. This requires that
Optinet share resources between the different operations being performed.
Because of this, priority is given to filtering and shaping so that reporting does not consume
resources that may impact network performance. Optinet has a default timeout limit of five
minutes for reports to complete. This is done to ensure reporting will not consume needed
resources for other operations. If a report cannot complete within the five minutes, you will
receive a timeout message.
If you receive a timeout message, you may alter the time limit under the Advanced Setup
menu (Admin -> Configuration -> Advanced Setup -> Database Timeout). You can allocate
up to 15 minutes for reports to complete. Don’t forget to Apply the changes. This will allow
the database to dedicate more time to complete the report and post the results.
Nonetheless, detailed reports that span large amounts of time and cover multiple users or
applications may better be executed during non-peak traffic times; thus allowing more
resources for Optinet to complete the report without running the risk of affecting network
traffic or filtering and shaping rules.
In addition to running detailed reports during non-peak traffic times, you can also use
Summary Tables to expedite reporting results. Summary Tables allow Optinet to
summarize or condense large web reports, allowing for a faster response time with Internet
Usage reports. This utility will index web reports and correlations for all reports once the
option is selected. Summary Tables also decrease dependency on shared resources.
To enable Summary Tables go to Admin -> Configuration -> Advanced Setup and select the
checkbox next to Enable Summary Tables. This will begin indexing web requests to allow
for faster Internet Usage reporting. Please note that the Enable Summary Tables option will
only begin summarizing from that point forward. If you would like to summarize previous
data gathered before Enabling Summary Tables, you will need to run the Conversion Utility.
The Conversion Utility will take previous data that has not been summarized and create a
summary table for that information. There are three options for converting previous data:
Web Request Summary Table, Level 1 Summary, and Level 2 Summary. Web Request
Summary Table will summarize all Web requests data. Level 1 Summary Table will
summarize the first correlation for those reports, i.e., first correlation by Category, Host,
File Type, MIME Type, Group, Directory User, and Network Node. Level 2 Summary Table
will summarize the second correlation for those reports, i.e., second correlation by
Category, Host, File Type, MIME Type, Group, Directory User, and Network Node.
The Conversion Utility is located under Admin -> Configuration -> Advanced Setup -> Run
Conversion Utility Now. Once selected, you will be presented with the three different levels
of conversion: Web Request Summary Table, Level 1 Summary Table, and Level 2
Summary Table. You can then select the Start Conversion Now button next to each level to
activate the conversion.
The Conversion Utility places additional load on Optinet and may consume a large amount of
processes. Because of this, we strongly recommend that you run the Conversion Utility
during non-peak hours to avoid unnecessary interruptions in network traffic. Also note that
you can only run one conversion at a time, and they must be done in order.
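The following Python is an added example, not Optinet code, that models the reporting behaviour described in General Reporting Options and in this section: Selected Date, Result Type and Encryption Type filters, Correlated by (one dimension or a pair), the Database Timeout as a deadline checked while scanning, and Summary Tables that are indexed live once enabled and back-filled by a Conversion Utility. The record fields, the six sample requests, the hour-keyed summary layout and the chunked deadline check are constructed assumptions; the guide only names the options and the three table levels.

```python
"""Web request reporting: Selected Date, Result Type, Encryption Type,
Correlated by, the Database Timeout, and Summary Tables.
Added example, not Optinet code; fields, sample data and summary layout
are constructed assumptions.
"""
import time
from collections import Counter, defaultdict
from datetime import datetime, timedelta

NOW = datetime(2009, 3, 10, 12, 0)  # constructed "current time" for the sample
WINDOWS = {  # Selected Date options as offsets from NOW (assumed semantics)
    "Last Hour": timedelta(hours=1),
    "Last 24 Hours": timedelta(days=1),
    "Last 7 Days": timedelta(days=7),
    "Last 30 Days": timedelta(days=30),
}
# Dimensions a report can be correlated by (Level 1) or paired (Level 2).
DIMS = ("category", "host", "file_type", "mime_type", "group", "user", "node")


def rec(hours_ago, node, user, group, host, category, result, https):
    return {"time": NOW - timedelta(hours=hours_ago), "node": node, "user": user,
            "group": group, "host": host, "category": category, "result": result,
            "file_type": "html", "mime_type": "text/html", "https": https}


# Constructed sample of web requests (not real traffic).
REQUESTS = [
    rec(0.5, "pc-01", "alice", "staff", "news.example", "News", "Allowed", False),
    rec(2, "pc-01", "alice", "staff", "bank.example", "Finance", "Allowed", True),
    rec(3, "pc-02", "bob", "students", "games.example", "Games", "Blocked", False),
    rec(5, "pc-02", "bob", "students", "games.example", "Games", "Bypassed", False),
    rec(30, "pc-03", "carol", "staff", "news.example", "News", "Allowed", False),
    rec(48, "pc-03", "carol", "staff", "mail.example", "Email", "Allowed", True),
]


def filter_requests(records, window="Last 24 Hours", result_type="No Filter",
                    encryption="No Filter", now=NOW):
    """Apply Selected Date, Result Type and Encryption Type to raw records."""
    since = now - WINDOWS[window]
    keep = []
    for r in records:
        if r["time"] < since:
            continue
        if result_type != "No Filter" and r["result"] != result_type:
            continue
        if encryption == "No Encryption" and r["https"]:
            continue
        if encryption == "SSL" and not r["https"]:
            continue
        keep.append(r)
    return keep


def correlate(records, *dims):
    """Correlated by: hits per value (one dimension) or per value pair (two)."""
    return Counter(tuple(r[d] for d in dims) for r in records)


def run_report(records, *dims, timeout_seconds=300, chunk=1000):
    """Scan raw rows under the Database Timeout (default five minutes).
    The deadline is checked before each chunk; a timeout of 0 expires at once,
    standing in for a report that cannot finish within the limit."""
    deadline = time.monotonic() + timeout_seconds
    hits = Counter()
    for i in range(0, len(records), chunk):
        if time.monotonic() >= deadline:
            raise TimeoutError(f"report did not complete within {timeout_seconds} s")
        hits.update(correlate(records[i:i + chunk], *dims))
    return hits


class SummaryTables:
    """Hour-keyed pre-aggregates so Internet Usage reports need not rescan raw
    rows: Web Request (totals), Level 1 (one dimension), Level 2 (a pair)."""

    def __init__(self):
        self.enabled_from = None
        self.web_requests = Counter()       # (hour, result) -> hits
        self.level1 = defaultdict(Counter)  # dim -> (hour, result, value) -> hits
        self.level2 = defaultdict(Counter)  # (d1, d2) -> (hour, result, v1, v2) -> hits

    def enable(self, when):
        """Enable Summary Tables: indexing covers requests from this point forward."""
        self.enabled_from = when

    def _index(self, r):
        hour = r["time"].replace(minute=0, second=0, microsecond=0)
        self.web_requests[(hour, r["result"])] += 1
        for d1 in DIMS:
            self.level1[d1][(hour, r["result"], r[d1])] += 1
            for d2 in DIMS:
                if d1 != d2:
                    self.level2[(d1, d2)][(hour, r["result"], r[d1], r[d2])] += 1

    def add(self, r):
        """Index a request as it is recorded; False if it predates enabling."""
        if self.enabled_from is None or r["time"] < self.enabled_from:
            return False
        self._index(r)
        return True

    def convert(self, historical):
        """Conversion Utility: back-fill requests recorded before enabling."""
        done = 0
        for r in historical:
            if self.enabled_from is not None and r["time"] < self.enabled_from:
                self._index(r)
                done += 1
        return done

    def hits(self, *dims, since, result_type="No Filter"):
        """Answer a correlation from the summaries alone (hour granularity)."""
        table = self.level1[dims[0]] if len(dims) == 1 else self.level2[dims]
        out = Counter()
        for key, n in table.items():
            hour, result, values = key[0], key[1], key[2:]
            if hour >= since and (result_type == "No Filter" or result == result_type):
                out[values] += n
        return out


def build_tables(records, enabled_at):
    """Enable summaries at enabled_at, index newer records live, convert the rest."""
    tables = SummaryTables()
    tables.enable(enabled_at)
    live = sum(tables.add(r) for r in records)
    converted = tables.convert(records)
    return tables, live, converted
```

Because the summaries are keyed per hour and per result type, a Level 1 or Level 2 query answered from them matches the same correlation computed by scanning the raw rows, and the raw scan is only needed for filters the summaries do not carry (here, Encryption Type). Conversion walks every historical row once, which is why the guide recommends running it off-peak.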
This concludes the section on general reporting options. In the next sections we will discuss
the different reports for application and web traffic.
Users tab
The Users tab gives you an overview of the Internet traffic generated on your network by
users. This report will display the top 25 users, devices, or groups on your network within
the last 24 hours. However, both the time frame and the sort order are customizable.
This report will display total network traffic as well as total download and upload for the
corresponding criteria. The reports available are Directory User Overview, Group Overview,
and Network Node Overview. Also available under this report are Directory User Detail,
Group Detail, and Network Node Detail reports. These reports are often referred to as
Dashboard reports.
Dashboard Reports
Dashboard Reports are detailed reports about individual users, devices, or groups. They
present all information available about the selected device, user, or group. For example, go
to Report -> Users -> Network Node Overview. Under the Network Node Details legend,
select any profile and click on the name. This will populate the Network Node Detail report
for the particular device.
Dashboard Reports display all recorded information for the profile selected. The reports
available are listed below:
• Total Traffic—this traffic is the combined amount of upload and download traffic.
• Application Traffic—this traffic is the amount of bandwidth consumed for all
applications.
• Uncategorized Traffic—this is traffic that Optinet does not recognize.
• Web Requests by Host—these are the host names of Web sites visited by the user,
device, or group.
• Web Request by Category—these are categories of Web sites visited by the user,
device, or group.
• Possibly Infected Spyware—these are Web sites visited or applications used by the
user, device, or group that are possibly infected with spyware.
• Possibly Infected Virus—these are Web sites visited by the user, device, or group
that are possibly infected with Web viruses.
• Open ports—these are all ports active by the user, device, or group and their
corresponding service.
• Network Node Information—this report will post the Operating System (OS) as well
as the assigned group for the device.
If you need more detail on the individual reporting aspect, simply select the title of the
report for a more comprehensive representation.
To display dashboards for different users, devices, or groups, select the profile name located
in the upper right-hand corner of the original dashboard.
Applications tab
The Applications tab displays the amount of bandwidth used by applications and application
sets. These reports are presented in total downloads and uploads according to colors and
amounts. When data is presented as a bar graph, the corresponding Network Node,
Directory User, Group or application will be posted next to a colored bar. When data is
presented as a column graph, the most recent data is presented at the right end of the
graph with the green column representing download traffic and the blue column
representing upload traffic.
Optinet identifies traffic based on application signatures. Applications can then be grouped
into application sets (signature sets) of programs that perform a comparable purpose. For
example, the signature set of Remote Desktop/Remote Control/X Traffic comprises the
applications of PC Anywhere, Citrix, GoToMyPC, Microsoft’s Remote Desktop, and many
more. For a complete list of application sets, please see Chapter 5: Managing Optinet.
Also available in this tab are Custom Application Sets and Uncategorized Reports. Custom
Application Sets report on traffic for which Optinet administrators have defined a custom
signature. Uncategorized Reports presents specific stats of applications for which Optinet
does not have an explicit signature. Although Optinet may not have a signature for this
traffic, the device will record the protocol used, the destination port and the percent of
bandwidth used.
The application sets are listed below as bulleted items.
• Application Overview—this is a summary of bandwidth consumed by individual
applications.
• Application Set Overview—this is a summary of bandwidth consumed by application
sets.
• Total Traffic—this is the amount of total bandwidth consumed.
• Chat and IM—this is the amount of bandwidth consumed by Chat and IM
applications.
• Databases—this is the amount of bandwidth consumed by Database applications.
• DNS/Naming/Locators—this is the amount of bandwidth consumed by DNS and other
network naming applications.
• Email/Collaboration—this is the amount of bandwidth consumed by Email and
services used to send email.
• FTP/File Transfer—this is the amount of bandwidth consumed by File Transfer
Protocol applications.
• ICMP Traffic—this is the amount of bandwidth consumed by Internet Control Message
Protocol applications.
• Games—this is the amount of bandwidth consumed by online gaming applications.
• HTTP—this is the amount of bandwidth consumed by Hypertext Transfer Protocol
(Web) applications.
• NetBIOS/MS File Service—this is the amount of bandwidth consumed by Network
Basic Input/Output System and other Microsoft File Service applications.
• Network Mgt/Monitoring—this is the amount of bandwidth consumed by network
management applications (SNMP, NMS, etc.).
• Network Routing—this is the amount of bandwidth consumed by network routing
applications (RIP, NCP, etc.).
• Network Utility—this is the amount of bandwidth consumed by network utility
applications (DHCP, NSW, etc.).
• Peer 2 Peer—this is the amount of bandwidth consumed by Peer 2 Peer applications.
• Printing and Reporting—this is the amount of bandwidth consumed by printing and
reporting applications.
• Proxy and Cache—this is the amount of bandwidth consumed by Proxy and cached
applications.
• RPC/Remote Execution—this is the amount of bandwidth consumed by remote
execution applications.
• Remote Desktop/Remote Control/X Traffic—this is the amount of bandwidth
consumed by remote desktop and control applications.
• Security/Authentication—this is the amount of bandwidth consumed by security
applications.
• Streaming Media—this is the amount of bandwidth consumed by streaming media
(music and video) applications.
• Telnet/SSH—this is the amount of bandwidth consumed by Telnet and SSH
applications.
• Uncategorized Traffic—this is the amount of bandwidth consumed by traffic that has
no explicit signature set.
• VoIP and Voice Chat—this is the amount of bandwidth consumed by Voice over
Internet Protocol (VoIP) and Voice Chat applications.
• VPN and Tunnel—this is the amount of bandwidth consumed by VPN and Tunneling
applications.
Threats tab
The Threats tab will report and provide a detailed view of all activity in your network
relating to Spyware and web viruses. These reports will present information on Spyware
and Web viruses and possibly infected devices in your network. You can then use Optinet to
identify possible threats before they become problematic.
• Spyware Overview—this is a summary of spyware threats that have been blocked.
• Spyware Infected Users—these are devices that may be infected with spyware.
• Spyware Threat Names—these are the names of spyware threats present on the
network.
• Virus Overview—this is a summary of web viruses that have been blocked.
• Virus Infected Users—these are devices that may be infected with web viruses.
• Virus Threat Names—these are names of web virus threats present on the network.
Internet Usage tab
The Internet Usage tab reports on all web sites requested by users. This is a great report to
give a general indication of which web sites and categories users are visiting or attempting
to visit.
One of the reports, Web Time Online, is a report based on estimated values and generated
by counting the number of hits per page multiplied by the value entered in Miscellaneous
Settings (Admin -> Configuration -> Misc. Settings).
As with most online timers, there is not a definite method for determining if a user is
actively surfing the Web or merely has a program in the background generating hits, i.e.,
weather report, stock ticker, or Internet radio. As such, these are estimates and not exact
values.
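The Python below is an added example, not Optinet code, showing the estimate the guide describes (page hits per user multiplied by the configured value) and why a background poller inflates it. SECONDS_PER_HIT stands in for the value under Admin -> Configuration -> Misc. Settings, the sample hits are constructed, and the text/html page test and the per-interval cap in the second function are this example's own refinements, not product behaviour.

```python
"""Web Time Online estimate: page hits x configured seconds per hit, and the
effect of automated background requests. Added example, not Optinet code;
the setting value, sample hits, page test and cap are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SECONDS_PER_HIT = 60  # assumed Misc. Settings value: credit one minute per page hit
T0 = datetime(2009, 3, 10, 9, 0)  # constructed start of the sample period


def hit(seconds, user, mime):
    return {"time": T0 + timedelta(seconds=seconds), "user": user, "mime": mime}


# Constructed sample: alice reads five pages in five minutes (each page also
# pulls an image); bob leaves a stock ticker polling every 30 s for one hour.
HITS = []
for minute in range(5):
    HITS.append(hit(60 * minute, "alice", "text/html"))
    HITS.append(hit(60 * minute + 1, "alice", "image/png"))
for n in range(120):
    HITS.append(hit(30 * n, "bob", "text/html"))


def page_hits(hits):
    """Count only page requests; embedded objects are not separate page hits."""
    return [h for h in hits if h["mime"] == "text/html"]


def estimate_time_online(hits, seconds_per_hit=SECONDS_PER_HIT):
    """The guide's method: page hits per user x seconds per hit, in seconds."""
    counts = Counter(h["user"] for h in page_hits(hits))
    return {user: n * seconds_per_hit for user, n in counts.items()}


def estimate_time_online_capped(hits, seconds_per_hit=SECONDS_PER_HIT):
    """Variant (not in the guide): credit at most one interval per user per
    seconds_per_hit window, so a poller cannot exceed wall-clock time."""
    windows = defaultdict(set)
    for h in page_hits(hits):
        offset = int((h["time"] - T0).total_seconds())
        windows[h["user"]].add(offset // seconds_per_hit)
    return {user: len(w) * seconds_per_hit for user, w in windows.items()}
```

With the plain method bob's ticker is credited with two hours of browsing for one hour of wall-clock time; the capped variant bounds it at one hour, but still cannot tell an idle ticker from a person, which is the limitation the guide describes.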
• Web Hits Overview—this report is presented in three categories: Allowed, Blocked,
and Bypassed. Allowed refers to web hits on sites that users have been allowed to
visit. Blocked refers to blocked web hits on sites that users have not been allowed to
visit. Bypassed refers to web hits originally blocked on sites but later allowed
as users entered the Bypass Password (for more information on this setting see
Chapter 5: Managing Optinet). Clicking on each category will present all information
pertinent to that category. For example, clicking on Allowed will show you all hits for
Web categories that users were allowed to visit. This will also post the percentage in
comparison to the total number of hits for the Allowed category. You can correlate
this report by Host, File Type, MIME Type, Group, Directory User, and Network Node.
• Web Bandwidth Overview—this report displays how much bandwidth is being
consumed by web requests. The report is presented in a similar format to Web Hits
Overview (Allowed, Blocked, and Bypassed) with a column graph showing the
amount of bandwidth for Web requests. This report can be modified for specific
dates, correlations, result types, and other features.
• Web Hits by Network Node—this report shows the top users of web traffic in terms of
hits. This report displays a bar graph which shows the top users followed by a detail
view of the corresponding profiles, number of hits, and percentage of the users’ Web
hits compared to total web hits.
• Web Bandwidth by Network Node—this report shows the top users of Web traffic in
terms of bandwidth. This report shows you the Hardware Profile (Network Node) and
its corresponding download total, upload total, total bytes, and percentage of
bandwidth consumed for web traffic.
• Web Time Online—this report displays the amount of time users have spent browsing
the Internet. Please remember that this report is an estimation of time spent
browsing the Internet and is not an exact value.
System Reports tab
The System Reports tab reports on the actual system health of Optinet. This report posts the
CPU and RAM utilization of the device. The report will also post the active connections in
the network as well as requests for Directory Users. Understanding this report will allow
you to schedule maintenance, plan for upgrades, and prevent problems on the network or
with Optinet.
• Active Users—this report refers to active devices present on the network.
• CPU Utilization—this report refers to how much of the Central Processing Unit (CPU) Optinet is utilizing.
• Directory Agent Requests—this report lists how many requests Optinet has sent to the Directory Agent installed on your directory server. For this report to post information, Directory Users must be integrated with Optinet. Please see Chapter 7: Integrating Directory Users with Optinet for more information.
• IP Connections—this report refers to live IP flows traversing Optinet.
• Latency—this report shows, in milliseconds, the response time for PING requests sent from Optinet to the network’s default gateway.
• HTTP Connections—this report shows the number of connections per second to Web sites being filtered by Optinet.
• HTTP Requests—this report shows the number of Web requests per second Optinet has filtered.
• Packets per Second—this report displays the number of Internet packets per second passing through Optinet.
• RAM Usage—this report shows the amount of Random Access Memory (RAM) Optinet is using.
• SSL Connections—this report shows the number of HTTP Connections that have been established with SSL. For this report to function, Optinet must be configured for HTTPS/SSL Filtering. For more information on this feature, please see Chapter 8: Implementing HTTPS/SSL Filtering with Optinet.
Dashboards tab
The Dashboards tab presents two tools that show traffic and Web requests in real
time. These tools are Real Time Monitor (RTM) and Real Time URL Monitor (RTUM).
RTM displays traffic amounts as they happen. This can be helpful in troubleshooting
network problems or resolving bandwidth issues in real time. RTM will post total application
traffic, both upload and download, with a legend representing distinct applications. RTM
parses traffic in three-second intervals and displays the amounts accordingly.
Figure 4.5 Real Time Monitor
Figure 4.6 Real Time Monitor Legend
Another capability of RTM is the ability to correlate within the last hour to display the most
bandwidth consuming users. For example, in the above diagram RTM has HTTP as the
highest amount of traffic. If you right-click on this traffic, you will be presented with the
options to correlate by Directory User, Group, or Network Node.
Figure 4.7 Real Time Monitor Right-Click Options
You can then select Correlate by Network Node to confirm which devices within the last hour
have consumed the highest amount of HTTP traffic. RTM can be used to diagnose a
problem as it happens, allowing you to resolve the issue as soon as possible.
RTUM displays web requests as they pass through Optinet. This tool, in addition to RTM,
can be used to confirm instantaneously the web sites that are being accessed, blocked, or
bypassed. You can also use the different options to display the web requests for a specific
Network Node, Directory User, and Group as well as the Date, Web category and Encryption
Type of the request.
Figure 4.8 Real Time URL Monitor
This concludes the chapter on generating reports. The next chapter will guide you on how
to manage Optinet in regards to creating groups, implementing policies, and managing
devices and traffic.
Chapter 5: Managing Optinet
Optinet allows you to control and identify network traffic based on applications and users.
Optinet also allows you to separate problematic users from general traffic or problematic
applications based on different criteria, time of day, and priority. The device can also block
web sites or categories protecting users and your network from improper content. Optinet
can also allocate resources to identify proprietary traffic within your network, thus
customizing the device to your specific needs. Most of these options are available under the
Manage tab and are covered in this chapter:
• General Manage Options
• Policies & Rules tab
• Directory Users & Nodes
• System Access tab
• Application tab
General Manage Options
The Manage tab is where policies and organization of users will be enforced. Under this tab,
you will create groups, time of day rules, content filtering rules, and shaping rules. This tab
also allows you to customize traffic identification and select which devices or users will or
will not be monitored.
The basic principles behind the Manage tab are “Who, When, What, and How.” “Who” will
define which users will be assigned to which groups. “When” will define what time during
the day the rules take effect, i.e., all day, 9am to 5pm, etc. “What” will define the allowed
content and applications, and “How” will deal with correlating specific policies to the
corresponding groups. Each menu under the Policies & Rules tab addresses these
principles:
• Groups—who will be in the group?
• Time of Day Rules—when will the rules take effect?
• Internet Usage Rules—what web sites can group members visit?
• Shaping Rules—what applications can group members access?
• Policy Manager—how are rules correlated to groups?
As a general rule, you should work through these principles in this order. For example, once
you create a group, you will then want to define a Time of Day Rule (TDR) and an Internet
Usage Rule (IUR). After those steps, you will create a shaping rule and tie all the pieces
together with the Policy Manager.
In addition to these steps, please note that the more information you have about network
traffic, the better prepared you will be to implement policies. Because of this, it is highly
recommended that you first install and run Optinet in the network for at least 24 hours
before implementing any policies. Afterwards, you can review the information collected and
make a more precise decision on which web sites should be blocked, which applications
should be shaped, and what threats are present on the network. The more information you
have, the more adept you’ll be at deciding on policies and controlling the network and
users.
Policies & Rules tab
You will want to become very familiar with the Policies & Rules tab. This tab is used for
creating Groups, Time of Day Rules (TDRs), Internet Usage Rules (IURs), and Shaping
Rules. This is the main management tab used for almost all user organization and policy
implementation with Optinet. First let’s define Groups.
Groups
Optinet ships with 8 pre-defined groups. These Groups are called Optinet Groups. All
users and devices are placed in the Default Group until assigned to another group. You can
assign users to Optinet Groups based on several different identifiers.
First let’s discuss the default Optinet Groups and their accompanying policies. Then we’ll
discuss how to add members to Optinet groups and how to create new Optinet Groups.
Each group is assigned a default policy for Internet use. These policies are called Internet
Usage Rules (IURs) and are covered in more detail under that section. Also, none of the
default Optinet Groups has any shaping rules.
• Default Group—all users and devices are in this group by default. As such you will not be able to add users or devices to this group, but rather you will be able to remove them from this group. This is done by creating new groups and adding users or devices to the group, or by adding them to one of the other groups. The Default Group by default uses the Default Usage Rules.
• Deny Access Group—members of this group will not be able to access any Internet traffic. All web sites and application traffic will be denied for this group. Users in this group will be assigned the Deny Access Usage Rules.
• Filter Bypass Group—members in this group will not be monitored or filtered by Optinet. Only bandwidth and application reporting will be recorded for members in this group. This group uses the Filter Bypass Usage Rules.
• Moderate Group—members in this group will have their web pages monitored and filtered with typical restrictions on web categories such as Adult, Shopping, Tasteless, and Obscene. Users will be prohibited from passing web traffic through proxies and visiting proxy web sites. This group uses the Moderate Policy Rules.
• Monitor Only—members of this group will have their web pages monitored but not filtered or blocked. This group uses the Monitor Only Policy Rules.
• Monitor Only with Threat Protect Group—members in this group will have their web pages monitored but not filtered or blocked, except in the case of Spyware and web viruses. This group uses the Monitor Only with Threat Protect Policy Rules.
• Permissive Group—members in this group will have their web pages monitored and filtered based on light restrictions and a limited number of blocked categories. Users will not be able to visit proxy web sites. This group uses the Permissive Policy Rules.
• Strict Group—members in this group will have their web (HTTP) traffic monitored and filtered and secure web pages (HTTPS) blocked. A broad range of categories will be blocked as well as proxy web sites. In addition to this, users will not be able to pass web traffic through Open or Secure Proxies. Lastly, users will not be able to view blocked content via search engines or search engine cached pages. This group uses the Strict Policy Rules.
Now that we have described the pre-defined Optinet Groups, let’s discuss how to add
members to these groups. Go to Manage -> Policies & Rules -> Groups. Select one of the
Optinet Groups to which you want to add members. Once you select a group, you will be
presented with the Add/Edit Group Detail field. In this field, you can change the name of
the group as well as add devices, network addresses, or specific MAC addresses to the
group.
Before adding members to Optinet Groups, you need to understand how Optinet identifies
devices on the network. Devices can be identified by several different criteria, i.e., by MAC
address, by IP address, by VLAN, while users can be identified by Directory or user names.
Because of this, Optinet allows you to configure how users will be identified depending on
your network. This option is called Member Type.
When you first access the Add/Edit Group Detail field, the default Member Type of Network
Node will be selected. Network Node represents devices on the network that Optinet has
already discovered. These devices will be listed by their NetBIOS name (if available) or by
their IP address. If you would like to add devices to Optinet Groups by Network Node,
simply click the open check box next to the profiles under the Member Name column and
select Add>.
However, if you would like to add users to the group by different criteria, click the Select a
Member Type Drop-Down Box. This will present you with fourteen different member types
listed below that allow you to identify users based on distinctive criteria.
Please note that the member type Network Node will post devices already discovered by
Optinet. If you have integrated Directory Users with Optinet, Directory User will post
Profiles already discovered by Optinet. All other fields will present an Enter New field that
will allow you to manually add a user.
• Network Node—this member type represents devices discovered by Optinet.
• Directory User—this member type represents Directory profiles discovered by Optinet.
• MAC Source—this member type represents profiles using the Media Access Control (MAC) source address of devices.
• MAC Destination—this member type represents profiles using the MAC destination address of devices.
• CIDR Block Source—this member type represents profiles using an IP source address or IP source address range listed in Classless Inter-Domain Routing (CIDR) notation.
• CIDR Block Destination—this member type represents profiles using an IP destination address or IP destination address range listed in CIDR notation.
• CIDR Block Source and Destination—this member type represents profiles using an IP source and destination address or IP source and destination address range listed in CIDR notation.
• VLAN—this member type represents profiles using Virtual Local Area Network (VLAN) tags.
• Protocol—this member type represents profiles using different protocols, i.e., TCP, UDP, etc.
• TOS—this member type represents Type of Service (TOS) profiles. TOS is a single-byte field in an IP packet header that specifies the service level required for the packet.
• DSCP—this member type represents Differentiated Services Code Point (DSCP) profiles. DSCP is an integer value encoded in the DS field of an IP header.
• TTL—this member type represents Time to Live (TTL) profiles. A TTL value exists in each IP packet header and determines how long the packet can traverse the network before being dropped.
• Length—this member type represents Ethernet Length profiles. Ethernet length specifies the size of the frame used within the network interface.
• CIDR Block Override—this member type represents IP addresses that you want to take precedence over any other group assignment. This member type is normally used in the Filter Bypass Group to ensure specific IP addresses or ranges of addresses are not filtered.
Once you have added members to the pre-defined Optinet Groups, you can confirm the
assignments by pressing the Save button. The pre-defined groups and any new groups you
create based on the different member types are called Optinet Groups.
To create groups, click the Create button under the Group Manager. This will post
the Choose a Group Type dialog box. You can use the previous steps to create an Optinet
Group. If you would like to create groups based on Directory Users, please see Chapter 7:
Integrating Directory Users with Optinet.
If you want to create groups based on the different member types, you can then add
members to the newly created Optinet Group following the same steps listed beforehand. If
you need to delete groups you may do so with the Delete Selected button also located
under the Group Manager. If you delete groups, all members from the deleted groups will
fall into the Default Group again. Now that we have defined Optinet Groups, we’ll discuss
Time of Day Rules.
Time-of-Day Rules
Optinet provides the ability to configure policies based on specific times of the day. For
example, if you want to block access to certain web sites during business hours but allow
access to those web sites during non-business hours, you can create a Time of Day Rule
(TDR). Another scenario is if you want E-mail traffic to have priority during the day, but
VPN traffic to have priority during the night, a TDR can allow you to distinguish accordingly.
Unless otherwise specified all rules created will be in effect 24 hours a day, seven days a
week. TDRs allow you to create different rules for different times of the day or different
days of the week. The first step in creating TDRs is to define the blocks of time that will
separate the different policies. Afterwards, you will assign an IUR to each block of time.
This later step will be covered in the section Policy Manager.
Select Manage -> Policies & Rules -> Time of Day Rules. Optinet ships with two default
TDRs: All Day and Business Work Week. All Day (the default TDR) enforces policies 24
hours a day, seven days a week. Business Work Week enforces policies Monday through
Friday, 9am to 5pm. If you would like to alter these blocks you may select them
individually or create your own by selecting the Create button.
Once you select or create a TDR, you will be presented with the Add/Edit Time of Day Detail
field. Here you will give the TDR a name, a description, and define the blocks of time for
the different polices.
The blocks of time (presented in military time) can be separated by 15 minutes. Select the
Start Time and End Time for each day and click the Add> button. Optinet will automatically
separate the blocks from the rest of the day (24 hours) and post the time after saving the
changes.
Also, you can copy the blocks of time from one day to another by using the Copy From
Drop-Down Box. Once you have selected the blocks of time for the individual days of the
week, click the Save button.
The second step with creating TDRs, is to assign different policies to the time blocks. This is
covered under the section Policy Manager. Also, you can edit and delete any TDR by
selecting them under Time of Day Rule Manager.
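As an added illustration of the “Who” and “When” steps just described (this is constructed example code, not Optinet’s own), the following Python model resolves a device to an Optinet Group by member type, with CIDR Block Override taking precedence over every other assignment and unassigned devices falling into the Default Group, and then applies a Time of Day Rule (15-minute blocks per weekday, with the default All Day and Business Work Week rules) to pick the Internet Usage Rule in force. The group and IUR names are the defaults from this chapter; the sample addresses, the 10.1.0.0/16 and 10.1.9.0/24 ranges, VLAN 30, the MAC address, and the way the Policy Manager table is represented are assumptions made for the example.

```python
"""Group and Time of Day Rule resolution, modelled after the Optinet chapter above.
Constructed example, not Optinet code; all sample data below is assumed."""
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress


@dataclass
class Group:
    name: str
    iur: str                                              # IUR the group falls back to
    cidr_override: list = field(default_factory=list)     # "CIDR Block Override" members
    mac_source: list = field(default_factory=list)        # "MAC Source" members
    cidr_source: list = field(default_factory=list)       # "CIDR Block Source" members
    vlans: list = field(default_factory=list)             # "VLAN" members (tag numbers)
    network_nodes: list = field(default_factory=list)     # "Network Node" members, by IP


def _in_any(ip, cidrs):
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def resolve_group(groups, src_ip, src_mac=None, vlan=None):
    """Return the group a device belongs to. CIDR Block Override wins over every
    other member type; anything left unassigned lands in the Default Group."""
    ip = ipaddress.ip_address(src_ip)
    for g in groups:
        if _in_any(ip, g.cidr_override):
            return g
    mac = src_mac.lower() if src_mac else None
    for g in groups:
        if (mac in [m.lower() for m in g.mac_source]
                or _in_any(ip, g.cidr_source)
                or (vlan is not None and vlan in g.vlans)
                or src_ip in g.network_nodes):
            return g
    return next(g for g in groups if g.name == "Default Group")


def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


@dataclass
class TimeOfDayRule:
    name: str
    blocks: dict   # weekday (0 = Monday) -> list of (start, end) in minutes since midnight

    def covers(self, when):
        minute = when.hour * 60 + when.minute
        return any(s <= minute < e for s, e in self.blocks.get(when.weekday(), []))


def make_tdr(name, days, start="00:00", end="24:00"):
    """Blocks are selectable in 15-minute steps, so reject anything finer."""
    s, e = _minutes(start), _minutes(end)
    if s % 15 or e % 15 or not s < e:
        raise ValueError("time blocks are 15-minute granular and must not be empty")
    return TimeOfDayRule(name, {d: [(s, e)] for d in days})


ALL_DAY = make_tdr("All Day", range(7))                                        # default TDR
BUSINESS_WORK_WEEK = make_tdr("Business Work Week", range(5), "09:00", "17:00")  # Mon-Fri 9-5


def resolve_iur(policy, group, when):
    """policy: {group name: [(TDR, IUR), ...]}, checked in order (assumed shape of
    what the Policy Manager ties together). No matching block -> the group's own IUR."""
    for tdr, iur in policy.get(group.name, []):
        if tdr.covers(when):
            return iur
    return group.iur


# Constructed sample configuration
GROUPS = [
    Group("Default Group", "Default Usage Rules"),
    Group("Filter Bypass Group", "Filter Bypass Usage Rules", cidr_override=["10.1.9.0/24"]),
    Group("Strict Group", "Strict Policy Rules", cidr_source=["10.1.0.0/16"], vlans=[30]),
    Group("Permissive Group", "Permissive Policy Rules", mac_source=["00:11:22:33:44:55"]),
]
POLICY = {
    # Strict during the work week, relaxed outside it
    "Strict Group": [(BUSINESS_WORK_WEEK, "Strict Policy Rules"),
                     (ALL_DAY, "Permissive Policy Rules")],
}


def decide(src_ip, when, src_mac=None, vlan=None):
    """Return (group name, IUR name) for a request seen at `when`."""
    group = resolve_group(GROUPS, src_ip, src_mac, vlan)
    return group.name, resolve_iur(POLICY, group, when)


if __name__ == "__main__":
    print(decide("10.1.5.7", datetime(2009, 3, 4, 10, 0)))   # Wednesday, office hours
    print(decide("10.1.5.7", datetime(2009, 3, 7, 10, 0)))   # Saturday
```

The point worth noticing is the override path: 10.1.9.9 sits inside the Strict Group’s 10.1.0.0/16 source range, but the CIDR Block Override entry on the Filter Bypass Group is checked first, which is exactly why the text warns that override entries bypass filtering regardless of other assignments.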
Now that you have created groups and TDRs, we will discuss Internet Usage Rules (IURs)
and how to manage them. Internet Usage Rules (IURs) are the main content filtering
components of Optinet. IURs are used to block web sites, web categories, File Types, MIME
Types, and even common tactics used to bypass content filtering.
First, we’ll define general options available in all IURs, including Traffic Flow Rule Sets
(TFRS). Second, we’ll list the default IURs and the associated policies. Third, we’ll give an
example on how to customize IURs and other advanced policies.
Traffic Flow Rule Sets
Click on Manage -> Policies & Rules -> Internet Usage Rules -> Default Usage Rules. This
screen will present the options available under Add/Edit Internet Usage Rule Sets. Towards
the top will be posted the Rule Set Name and Rule Set Description followed by the Traffic
Flow Rule Set Drop-Down Box. For you to correctly control and filter web traffic, you will
need to understand Traffic Flow Rule Sets.
Traffic Flow Rule Sets (TFRS) are the basic traffic identification and control engine within
Optinet. TFRS allow you to dictate how traffic will be identified, controlled, reported,
filtered, and shaped. TFRS define the content rules and implement restrictions on identified
traffic for users on the network. In essence, TFRS are the controlling mechanisms that
decide what types of traffic are allowed and what types are not. TFRS will be your tool in
managing network traffic and reporting on such.
Select the Traffic Flow Rule Sets Drop-Down Box to view the default TFRS. These are also
listed below with their corresponding targets.
• Deny Access—this TFRS restricts all traffic that passes through Optinet.
• No Filters—this TFRS performs no content filtering, no Web logging, no IM client logging, no Spyware scanning and no virus scanning.
• Web Filter + Anonymous Proxy Guard—this TFRS performs content filtering, web logging, Spyware scanning, virus scanning for HTTP traffic (Web Filter), and prohibits HTTP traffic on any port other than port 80 or a designated proxy port (Anonymous Proxy Guard).
• Web Filter + Deny IM—this TFRS performs content filtering, web logging, Spyware scanning, virus scanning (Web Filter), and denies all IM Client conversations (Deny IM).
• Web Filter + Deny IM + Anonymous Proxy Guard—this TFRS performs content filtering, web logging, Spyware scanning, virus scanning for HTTP traffic (Web Filter), denies all IM Client conversations (Deny IM), and prohibits HTTP traffic on any port other than port 80 or a designated proxy port (Anonymous Proxy Guard).
• Web Filter + Deny IM + Anonymous Proxy Guard + SSL Filter—this TFRS performs content filtering, web logging, spyware scanning, virus scanning for both HTTP traffic (Web Filter) and HTTPS traffic (SSL Filter), denies all IM Client conversations (Deny IM), prohibits HTTP traffic on any port other than port 80 or a designated Proxy port, and prohibits HTTPS traffic on any port other than port 443 or a designated Proxy port (Anonymous Proxy Guard).
• Web Filter—this TFRS performs content filtering, web logging, spyware scanning, virus scanning for HTTP traffic (Web Filter). This is the default TFRS for users and newly created IURs.
• Web Filter + Anonymous Proxy Guard—this TFRS performs content filtering, web logging, spyware scanning, virus scanning for HTTP traffic (Web Filter), and prohibits
HTTP traffic on any port other than port 80 or a designated proxy port (Anonymous Proxy Guard).
• Web Filter + Anonymous Proxy Guard + SSL Block—this TFRS performs content filtering, web logging, spyware scanning, virus scanning for HTTP traffic (Web Filter), prohibits HTTP traffic on any port other than port 80 or a designated proxy port (Anonymous Proxy Guard), and prohibits all HTTPS traffic from passing through Optinet (SSL Block).
• Web Filter + Anonymous Proxy Guard + SSL Filter—this TFRS performs content filtering, web logging, spyware scanning, virus scanning for both HTTP traffic (Web Filter) and HTTPS traffic (SSL Filter), prohibits HTTP traffic on any port other than port 80 or a designated proxy port, and prohibits HTTPS traffic on any port other than port 443 or a designated proxy port (Anonymous Proxy Guard).
• Web Filter + SSL Filter—this TFRS performs content filtering, web logging, spyware scanning, virus scanning for both HTTP traffic (Web Filter) and HTTPS traffic (SSL Filter).
• Web Logging—this TFRS is being discontinued and is listed only for legacy support. We recommend using Web Filter Only, and then leaving the blocked categories list empty instead of enabling this TFRS.
The most important factor in configuring TFRS is deciding on what needs to happen to
traffic. For example, do you want to block certain web sites or categories? If so, the TFRS
of Web Filter needs to be selected. Do you want to deny IM Client conversations? If so, the
TFRS of Deny IM must be selected. These factors will help determine the active TFRS.
Content Filtering
Now that we have defined TFRS, let’s discuss the other components of the Add/Edit Internet
Usage Rule set. Below the TFRS Drop-Down Box, you will see four tabs: Content Filtering,
Advanced Filtering, HTTPS/SSL Filtering, and Web Authentication. In this section we will
discuss the Content Filtering and Advanced Filtering tabs. HTTPS/SSL Filtering will be
covered in Chapter 8: Implementing HTTPS/SSL Filtering with Optinet. Web Authentication
is covered in Chapter 7: Integrating Directory Users with Optinet.
Content Filtering provides general choices for filtering web traffic. For example, this tab
displays Blocked Categories, Blocked URLs, White List URLs, Blocked File Types, Blocked
MIME Types, and Web Authentication White List. If you would like to block a web category,
e.g. Porn, you can select the sub-tab of Blocked Categories, click Edit Blocked Categories,
and search for the Porn category under Allowed Categories. Once found, select the
category, click the Add> button to move it to the Blocked Category List, and click Ok. Once
you save your changes, this category will be blocked for that particular Internet Usage Rule.
Below are listed the general explanations of the Content Filtering tab. Appendix A through
Appendix C list all options for web categories, File types, and MIME types.
• Blocked Categories—this sub-tab lists all selected web categories for preventing access. They range from Adult and Porn to Online Communities and Shopping. To add categories to the Blocked Category list, select the Blocked Category sub-tab and click the Edit Blocked Categories button.
• Blocked URLs—this sub-tab allows you to enter a specific Universal Resource Locator (URL) address to be blocked. There are three compare strings that can be used to enter Blocked URLs: URL-Regular Expression, URL, and Domain.
o URL-Regular Expression—this compare string uses regular expressions to block web sites. A regular expression (regex) is a method used to describe a string of text using metacharacters or wildcard symbols. To use URL-Regular Expression, you will need to understand the functions of regular expression metacharacters. URL-Regular Expression supports POSIX Basic and Extended Regular Expressions. A full explanation of the syntax for a Regular Expression Rule is beyond the scope of this document. To add a URL-Regular Expression to the Blocked URL list, select the Blocked URLs sub-tab, click on the Edit the Blocked URLs button, and choose the URL-Regular Expression setting from the Compare String drop-down box. Enter the URL-Regular Expression, click the Update button and then the Ok button.
o URL—this compare string looks for an exact URL match. Use this compare string to block specific web pages where an exact match is necessary. For example, an entry of myspace.com/forums will block MySpace’s forum web page, but not necessarily other MySpace web pages. However, you can use an asterisk symbol (*) as a wildcard with the compare string of URL. For instance, an entry of http://www.myspace.com* will block any web page that begins with http://www.myspace.com. To add a URL to the Blocked URL list, select the Blocked URLs sub-tab, click on the Edit the Blocked URLs button, and choose the URL setting from the Compare String drop-down box. Enter the URL, click the Update button and then the Ok button.
o Domain—this compare string looks for any web page that begins with the domain name of the web site. Use this compare string to block web sites where the domain name is constant in the URL. For example, an entry of myspace.com will block all of MySpace’s web pages. You can also use an asterisk symbol (*) as a wildcard with the compare string of Domain. For instance, an entry of *myspace.com will block any web page that has myspace.com in the domain name regardless of http, https, or www. To add a Domain to the Blocked URL list, select the Blocked URLs sub-tab, click on the Edit the Blocked URLs button, and choose the Domain setting from the Compare String drop-down box. Enter the Domain name, click the Update button and then the Ok button.
o Legacy Keyword Mode—this keyword string was used as a general match string under firmware releases 8.3.4 and earlier. It has now been replaced by the stronger compare strings above. This compare string should only be used to accommodate upgrades from earlier releases until they can be reclassified using the above compare strings.
• White List URLs—this sub-tab allows you to “whitelist” or allow users to access specific web sites. These fields are mostly used when there is a conflict with another rule. For example, if you choose to block the web category of Search Engines and Portals but want to allow Google searches, you would add Google into the White List, which will override the blocked category. White List URLs will override blocks from all policies except for web sites under the Blocked URLs and Non-HTTP traffic. White List URLs follow the same compare strings as Blocked URLs.
• Other settings available in the Content Filtering tab are the Import and Export options, Remove Selected Rows, Remove All Rows, and Edit Selected Rows under Blocked URLs and White List URLs. Import and Export allow you to import or export a plain text (.txt) version of your Blocked URLs and White List URLs, allowing you to back up your lists or share lists between multiple IURs. By selecting either option, you will be presented with a Browse utility, where you can direct Optinet to import or export the plain text file. Remove Selected Rows and Remove All Rows allow you to remove selected entries in the Blocked URLs and White List URLs. Edit Selected Rows permits manual editing of selected entries.
• Blocked File Types—this sub-tab lists all File types that can be blocked for download. To add File Types to the Blocked File Type list, select the Blocked File Type sub-tab and click the Edit File Types button.
• Blocked MIME Types—this sub-tab lists all Multipurpose Internet Mail Extensions (MIME) types available that can be blocked for download. To add MIME Types to the Blocked MIME Types list, select the Blocked MIME Type sub-tab and click the Edit MIME Types button.
• Web Authentication White List—this sub-tab is defined in Chapter 7: Integrating Directory Users with Optinet.
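To make the three compare strings and the White List precedence concrete, here is an added Python model (constructed for this guide, not Optinet code) that evaluates a requested URL against Blocked URLs, White List URLs and a blocked-category lookup in the order the text describes: a Blocked URLs hit is final, a White List hit overrides blocked categories, and categories apply last. The manual does not say how Optinet normalises a request before comparing it to a URL entry, so comparing against the full URL, the URL without its scheme, and the URL without a leading www. is an assumption, as is treating a plain Domain entry as covering its subdomains and standing in Python’s re dialect for POSIX ERE. The rule set, the host-to-category table and every URL below are constructed sample data.

```python
"""Blocked URLs / White List URLs compare-string matcher modelled on the Optinet
Content Filtering tab. Constructed example, not Optinet code; sample data assumed."""
import re
from urllib.parse import urlsplit


def _wildcard(pattern, text):
    """Match with '*' as the only wildcard (any run of characters); everything
    else in the entry is taken literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text) is not None


def _url_forms(url):
    """Candidate forms compared to a URL entry (assumption): the full URL, the URL
    without its scheme, and that form without a leading 'www.'."""
    parts = urlsplit(url)
    netloc_path = parts.netloc + parts.path + ("?" + parts.query if parts.query else "")
    forms = [url, netloc_path]
    if parts.netloc.startswith("www."):
        forms.append(netloc_path[len("www."):])
    return forms


def matches(compare_string, entry, url):
    host = (urlsplit(url).hostname or "").lower()
    if compare_string == "URL-Regular Expression":
        # Optinet accepts POSIX BRE/ERE; Python's re is a close stand-in (assumption)
        return re.search(entry, url) is not None
    if compare_string == "URL":
        return any(_wildcard(entry, form) for form in _url_forms(url))
    if compare_string == "Domain":
        d = entry.lower()
        if d.startswith("*"):
            return host.endswith(d[1:])              # any scheme, with or without www
        return host == d or host.endswith("." + d)   # the domain and its subdomains
    raise ValueError("unknown compare string: " + compare_string)


def first_match(rules, url):
    """rules: list of (compare string, entry); returns the first one that matches."""
    for compare_string, entry in rules:
        if matches(compare_string, entry, url):
            return compare_string, entry
    return None


def decide(url, blocked_urls, white_list, blocked_categories, category_of):
    """Return (verdict, reason) following the precedence described in the text."""
    hit = first_match(blocked_urls, url)
    if hit:
        return "block", "Blocked URLs: %s %s" % hit
    hit = first_match(white_list, url)
    if hit:
        return "allow", "White List URLs: %s %s" % hit       # overrides categories
    host = (urlsplit(url).hostname or "").lower()
    category = category_of.get(host, "Uncategorized")        # constructed lookup table
    if category in blocked_categories:
        return "block", "Blocked Categories: " + category
    return "allow", "no rule matched"


# Constructed sample rule set
BLOCKED_URLS = [
    ("Domain", "myspace.com"),
    ("URL", "http://www.example.com/forums*"),
    ("URL-Regular Expression", r"\.torrent$"),
]
WHITE_LIST = [("Domain", "*google.com")]
BLOCKED_CATEGORIES = {"Search Engines and Portals"}
CATEGORY_OF = {
    "www.google.com": "Search Engines and Portals",
    "search.yahoo.com": "Search Engines and Portals",
}


def check(url):
    return decide(url, BLOCKED_URLS, WHITE_LIST, BLOCKED_CATEGORIES, CATEGORY_OF)


if __name__ == "__main__":
    for u in ("http://www.myspace.com/home", "http://www.google.com/search?q=x",
              "http://search.yahoo.com/", "http://www.example.com/about"):
        print(u, "->", check(u))
```

The Google case shows the override the text describes: the Search Engines and Portals category is blocked, yet the *google.com White List entry lets the search through, while the Yahoo search host, with no White List entry, is still blocked by the category.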
Advanced Filtering
Click on Manage -> Policies & Rules -> Internet Usage Rules -> Default Usage Rules. Once
this populates the Add/Edit Internet Usage Rule Set, click the Advanced Filtering tab. The
Advanced Filtering tab presents complex selections that offer more stringent policy control
for content filtering. Some options are selected by default for security reasons; however,
you can enable or disable any of these options depending upon your requirements.
Spyware
• Enable Spyware URL Blocking—this setting scans web requests for URLs known to host spyware.
• Enable Spyware MD5 Blocking—this setting scans web traffic for known Message-Digest algorithm 5 (MD5) matches used for spyware downloads.
• Enable Spyware ClassID Blocking—this setting scans HTML pages for Class IDs (identification tags associated with ActiveX or OLE objects) known to host spyware.
Anti-Virus
• Enable Anti-Virus Blocking—this setting scans web traffic for web pages that are infected with viruses.
• Enable Anti-Virus Email Alert Email Address—this setting allows the administrator of Optinet to receive an email alert if a user attempts to download a web virus. For this setting to work, the Technical Admin Name and Technical Admin E-mail fields under the Miscellaneous tab must be completed (Admin -> Configuration -> Misc. Settings).
Filter Avoidance
• Enable Filter Avoidance IP Lookup—this setting associates proxy web sites with their IP addresses and prevents users from entering them into web browsers.
• Enable Filter Avoidance Real-Time Filter—this setting performs a real-time scan on web sites to validate whether the web page is hosting proxy services.
• Enable Filter Avoidance Deep HTTP Inspection—this setting scans the content of web pages retrieved through a proxy web site.
Filter Bypass
• Enable Bypass—this setting allows users to access a web site that is normally blocked by entering the correct password listed in the Bypass Password.
• Bypass Password—this setting is for the password that will be used with the Enable Bypass setting.
• Bypass Timeout (in minutes)—this setting specifies how long, in minutes, a user can access a blocked web site using the Enable Bypass setting.
• Enable Filter Bypass on a Per-IP Address Basis—this setting allows users to bypass all web sites that are normally blocked instead of just a single blocked web site. Enable Filter Bypass on a Per-IP Address Basis will use the same password and timeout as the Enable Bypass setting.
Web Policy
• Enable Anonymous Browse Mode—this setting continues to block users from prohibited web sites; however, browsing history for these users will be reported.
• Enable Safe Search Protection for Search Engines—this setting forces search engines to use “safe search”, which prevents search engines from returning inappropriate results. The supported search engines for this setting are Google, Yahoo!, Ask, MSN, Hotbot, AOL, AlltheWeb, AltaVista, Lycos, and Netscape.
• Block Search Engine Cached Pages—this setting allows you to block cached pages from search engines, e.g., binoculars, Google Image search, etc.
• Allow ONLY White List URLs—this setting prohibits users from visiting web sites that are not specifically listed in the White List.
• Apply White List to Referring URLs—this setting allows white-listed web sites to post all page objects, e.g., banners, images, etc., that are referred within the web site regardless of the original hosting site.
• Add X-Forwarded-For to HTTP header—this setting instructs Optinet to forward original host information when Enhanced Bridging Mode (EBM) is disabled. See Chapter 6: Administrating Optinet for more information.
• Real-Time Filter—this setting instructs Optinet to analyze content on web pages in real time for better categorization and identification.
• Enable Reverse DNS Lookups—this setting prohibits users from browsing blocked web sites via IP addresses instead of domain names.
• Block IP Address URLs—this setting prohibits users from browsing any web sites via IP addresses instead of domain names.
• Allow Non-HTTP Traffic Through the Web Filter—this setting allows non-HTTP traffic to pass through port 80 or the designated parent proxy port for web traffic.
• Non-HTTP Traffic Socket Timeout (in minutes)—this setting allows you to set a time limit in minutes for how long non-HTTP traffic can pass through port 80 or the designated parent proxy port for web traffic.
• Force HTTP v1.0—this setting allows you to force web browsers to use HTTP version 1.0. HTTP v1.0 is the first protocol revision for HTTP traffic and is still in wide use, especially by proxy servers.
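As an added illustration (not code from the manual or from Optinet), the following Python model shows how the Block IP Address URLs, Enable Reverse DNS Lookups, Allow ONLY White List URLs and Apply White List to Referring URLs settings combine when one request is evaluated. The request fields, the evaluation order, the category database and the reverse-DNS answers are constructed assumptions for the example.

```python
"""Illustrative model of how several Web Policy settings interact.

Added example, not Optinet's own code. It evaluates one HTTP request
against the settings Block IP Address URLs, Enable Reverse DNS Lookups,
Allow ONLY White List URLs and Apply White List to Referring URLs. The
setting names and their descriptions come from the manual; the request
fields, the evaluation order, the category data and the reverse-DNS
answers are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class WebPolicy:
    block_ip_address_urls: bool = False
    enable_reverse_dns_lookups: bool = False
    allow_only_white_list_urls: bool = False
    apply_white_list_to_referrers: bool = False
    white_list: frozenset = frozenset()
    blocked_categories: frozenset = frozenset()


# Constructed sample data standing in for the appliance's URL category
# database and for the answers a reverse DNS lookup would return.
CATEGORY_DB = {"games.example": "Games", "news.example": "News"}
REVERSE_DNS = {"203.0.113.10": "games.example"}


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def _white_listed(host, white_list):
    # An entry matches the host itself or any subdomain of it.
    return any(host == w or host.endswith("." + w) for w in white_list)


def evaluate(policy, url, referrer=None):
    """Return ("allow" | "block", reason) for a single request."""
    host = _host(url)
    if _is_ip_literal(host):
        if policy.block_ip_address_urls:
            # Any URL addressed by IP is refused outright.
            return "block", "Block IP Address URLs"
        if policy.enable_reverse_dns_lookups:
            # Map the address back to a name so a blocked site cannot be
            # reached simply by typing its IP address instead.
            host = REVERSE_DNS.get(host, host)
    if _white_listed(host, policy.white_list):
        return "allow", "white list"
    if (policy.apply_white_list_to_referrers and referrer
            and _white_listed(_host(referrer), policy.white_list)):
        # Page objects (banners, images, ...) pulled in by a white-listed
        # page are allowed regardless of where they are hosted.
        return "allow", "white-listed referring URL"
    if policy.allow_only_white_list_urls:
        return "block", "Allow ONLY White List URLs"
    category = CATEGORY_DB.get(host)
    if category in policy.blocked_categories:
        return "block", "blocked category " + category
    return "allow", "no rule matched"
```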
You can enable or disable any of these options by selecting the sub-tab for each section and then checking the check box next to the setting. Again, don’t forget to Save your changes. If you create a new IUR, the following table lists the default settings; all other options will be disabled.
New IUR Default Settings
TFRS: Web Filter
Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)
Anti-Virus: Enable Anti-Virus Blocking
Now that you are familiar with both the Content Filtering and Advanced Filtering tabs, let’s
discuss the default Internet Usage Rules and how to create a new one.
Internet Usage Rules
Optinet has 8 default Internet Usage Rules (IURs). These IURs correspond to the default
groups available with Optinet. Remember that the method is to create a group and then
assign that group an IUR. Because Optinet has 8 default groups, their IURs are also
available. The following are the pre-defined IURs and their settings.
Default Usage Rules are the default settings for all users unless configured otherwise. By
default, this IUR will log and filter only HTTP traffic. This IUR will not block any Web sites,
File Types, or MIME Types except spyware and viral web sites. The following table lists all
filtering options for the Default Usage Rules.
Default Usage Rules
TFRS: Web Filter
Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Anti-Virus: Enable Anti-Virus Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)
Deny Access Policy Rules denies all Web traffic and cannot be altered.
Filter Bypass Policy Rules allows all network traffic to pass and only reports on bandwidth
and applications used. This IUR cannot be altered.
Moderate Policy Rules provides typical restrictions on common web categories and also blocks several file types. In addition, this IUR has some advanced filter avoidance options selected as well as a TFRS that blocks anonymous web surfing for HTTP traffic. The following table lists all filtering options for this IUR.
Moderate Policy Rules
TFRS: Web Filter + Anonymous Proxy Guard
Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Blocked Categories: Adult, Cheating and Plagiarism, Crime, Criminal Related, Cults, Dating, Filter Avoidance, Gambling, Hacking, Hate Speech, Illegal Drugs, Job Search, Lingerie, Non-sexual Nudity, Online Communities, Peer File Transfer, Porn, Shopping, Tasteless or Obscene, Vice, Violence, and Weapons
Anti-Virus: Enable Anti-Virus Blocking
Blocked File Types: bat, cab, cmd, com, dll, ed2k, emo, exe, ini, iso, lnk, torrent, wmf
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Enable Safe Search Protection for Search Engines, Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Socket Timeout (60 minutes)
Monitor Only Policy Rules are intended for users that will only be monitored and not filtered
for web traffic. The following table lists all filtering options for this IUR.
Monitor Only Policy Rules
TFRS: Web Filter
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Socket Timeout (60 minutes)
Monitor Only with Threat Protection Policy Rules are intended for users that will only be
monitored and not blocked except for in the case of spyware and web viruses. The
following table lists all filtering options for this IUR.
Monitor Only with Threat Protection Policy Rules
TFRS: Web Filter
Spyware: Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Anti-Virus: Enable Anti-Virus Blocking
Web Policy: Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Socket Timeout (60 minutes)
Permissive Policy Rules are designed for users who will be given more leniency regarding the web sites they can visit and the file extensions they can download. Web traffic will be monitored and filtered. The following table lists all filtering options for this IUR.
Permissive Policy Rules
TFRS: Web Filter
Anti-Virus: Enable Anti-Virus Blocking
Blocked Categories: Adult, Filter Avoidance, Hacking, Hate Speech, Illegal Drugs, Lingerie, Porn, Tasteless or Obscene, Vice, Violence, and Weapons
Spyware: Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)
Strict Policy Rules are intended for users who will have stringent rules applied to Web
browsing as well as file downloads. Users in this group will have HTTP monitored and
filtered and HTTPS traffic blocked. Below is the table with all filtering options.
Strict Policy Rules
TFRS: Web Filter + Anonymous Proxy Guard + SSL Block
Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Blocked Categories: Adult, Alcohol and Tobacco, Cars and Motorcycles, Cheating and Plagiarism, Crime, Criminal Related, Cults, Dating, Filter Avoidance, FYI, Gambling, Games, Hacking, Hate Speech, Illegal Drugs, Instant Messaging, Job Search, Lingerie, Lottery and Sweepstakes, Non-mainstream, Non-sexual Nudity, Online Communities, Online Trading, Peer File Transfer, Porn, Real Estate, Sex Ed and Abortion, Shopping, Sports and Recreation, Streaming Media, Tasteless or Obscene, Tattoos, Vice, Violence, Weapons, Web Messaging, Web-based Chat, Web-based Email
Blocked File Types: aac, adp, aiff, asx, avi, bat, cab, cmd, com, dll, dmg, ed2k, emo, exe, flac, flv, fpt, ini, iso, kmz, lit, lnk, log, m3u, m4a, mid, midi, moov, mov, mp3, mp4, mpeg, mpg, mpu, msi, mst, ogg, ogm, pab, pls, qt, ra, ram, rm, torrent, wav, wma, wmf, wmv
Anti-Virus: Enable Anti-Virus Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Enable Safe Search Protection for Search Engines, Block Search Engine Cached Pages, Real-Time Filter, Enable Reverse DNS Lookups, Block IP Address URLs
Again, these are the default IURs available for ease of use. You may simply add users to these groups for the policy to apply. You can also alter all default IURs except for Deny Access Usage Rules and Filter Bypass Usage Rules by selecting the individual IURs under Internet Usage Rule Manager. If you would like to create your own IUR, select the Create button under Internet Usage Rule Manager.
Shaping Rules
Shaping Rules allow you to “shape” network bandwidth for applications, users, and web
sites. In essence, Shaping Rules allow you to cap or restrict bandwidth for specific users or
applications on the network. These rules also allow you to shape bandwidth to Web sites as
well as assign priority levels for all traffic. Through Shaping Rules, you can control and
manage network traffic to ensure that critical users and applications have complete access
to the Internet and network resources.
Optinet has no default shaping rules. As such, you will need to create them under the
Shaping Rule Manager (Manage -> Policies & Rules -> Shaping Rules). Here you will be
presented with three tabs: Group, Application, and Web Content.
Group shaping rules manage total bandwidth for users and groups. Application shaping rules administer bandwidth for specific application sets, e.g., P2P, Streaming Media, VoIP, etc. Web Content shaping rules control bandwidth for specific web sites, web categories, File Types, and MIME Types.
To create shaping rules, you must first enter a name for Shaping Rule Detail. Afterwards,
you can select the different tabs for each corresponding shaping rule.
Please remember that shaping rules are restrictions. This means that Optinet will not allow
a group, application, or web content to exceed the bandwidth assigned. These rules do not
ensure that traffic will meet a certain amount, but rather will not go beyond the restriction.
Think of shaping rules as a ceiling and not a floor.
Because of this, many users and applications may not need a shaping rule unless they pose a threat to the network or are known consumers of bandwidth. A good practice is to install Optinet in the network and have it report on users and applications before implementing shaping rules. Knowing what types of traffic are passing in the network and in what amounts will help in creating a better shaping rule.
When you decide to implement a shaping rule, keep in mind several things (listed below).
• All shaping rules will have three settings: Max Upload, Max Download, and Priority Level. Max Upload refers to traffic passing from the LAN port to the WAN port of Optinet. Max Download refers to traffic passing from the WAN port to the LAN port of Optinet. Priority refers to the precedence level assigned to the traffic. The options are Highest, Higher, High, Default, Low, Lower, and Lowest.
• Group shaping rules restrict total bandwidth for all users within groups. This means that if you apply Application shaping rules as well as Web Content shaping rules for the same group, these amounts must not exceed the Group shaping rule.
• Group shaping rules are divided dynamically between active members. For example, if only one group member is active within a group that has a shaping rule of 1Mbps, then that one member will have access to the total bandwidth of up to 1Mbps. However, if another group member becomes active, Optinet will dynamically divide the restriction and cap each member at 500 Kbps, and so on depending on the number of active group members.
• The percentages of traffic shown in the Drop-Down Boxes for all tabs are calculated from the Available Upload Bandwidth and Available Download Bandwidth listed under Miscellaneous Settings. The default settings are 5000Kbps and will restrict traffic to that amount. If you have not adjusted this amount for your bandwidth, please do so during the Setup Wizard or under the Miscellaneous Settings (Admin -> Configuration -> Misc. Settings).
Please note that the amounts listed in the available upload and download under Miscellaneous Settings will restrict total traffic through Optinet. Make sure that the amounts entered in these fields are the correct amounts for your network (Admin -> Configuration -> Misc. Settings).
• If you choose to enter a custom amount for the upload and download restrictions, remember that this amount is presented in kilobits per second (Kbps). You will need to convert your bandwidth into this unit (1024Kbps = 1 Mbps).
• There are two application sets that you probably should not restrict: HTTP and Uncategorized. The application set of HTTP correlates to all web-based traffic, including regular web browsing. Because this application set is used more than any other application set, we recommend that you do not set a highly stringent shaping rule for HTTP. The application set of Uncategorized correlates to network traffic for which Optinet does not have an explicit signature. These applications could be proprietary, recent, or uncommon. In addition, this application set could also include traffic that is very important, such as a custom accounting application or an unrecognized VoIP system. Because of this, we strongly recommend that you do not disable this traffic or create a strict shaping rule for it.
• Priority levels are only used when there is not enough bandwidth to complete requests for active users or applications. For example, if you have two shaping rules, 1Mbps for VPN with a High priority level and 1Mbps for P2P with a Low priority level, and there is not enough bandwidth to complete the requests for both applications, Optinet will restrict P2P to even less than 1Mbps to allocate more bandwidth for VPN.
• There can be some variance between shaping rules and reporting, especially with P2P and Streaming Media, because of how initial communications for these applications take place. For example, Bit Torrent will negotiate on random ports and may be considered Uncategorized until data begins to pass. After data is passed, Optinet can identify Bit Torrent as P2P and will then report on all traffic passed, beginning with the initial connections. However, shaping rules for Bit Torrent will not take effect until the data is confirmed as P2P, normally after the initial connections. Below are some general expectations for the variance:
  o Shaping rules under 256K can have up to 20% difference in reporting
  o Shaping rules under 1M can have up to 10% difference in reporting
  o Shaping rules under 5M can have up to 5% difference in reporting
• If you choose to shape a web URL, use general phrases. For instance, if you want to shape traffic to the Web site YouTube, enter the phrase youtube instead of http://www.youtube.com.
• Web Content shaping rules take precedence over Application shaping rules and will be recorded jointly for shared applications. For example, if you have an Application shaping rule for Streaming Media at 1Mbps and a Web Content shaping rule for YouTube at 1Mbps, the Web Content shaping rule will take preference while the Application shaping rule will not apply. Reporting for the Streaming Media Application Set will then report traffic for Streaming Media combined with traffic for YouTube (2Mbps). To assure that Streaming Media does not exceed a specific amount, balance the amount with Web Content shaping rules designated for Streaming Media Web sites.
• All changes to shaping rules will flush the Optinet forwarding plane. The forwarding plane is the architecture that decides how to handle packets arriving on the LAN interface, e.g., applying shaping rules, denying traffic, etc. Flushing the Optinet forwarding plane will drop all connections and reassign traffic accordingly. Because of this, we recommend that you only make changes to shaping rules during off-peak hours.
Once you have created a shaping rule, don’t forget to Save the changes. Also remember
that shaping rules are not active until you assign them to a group in the Policy Manager.
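The shaping semantics described above are worked through in the following Python model, added here and not Optinet's own code: rules are ceilings rather than floors, a Group rule is split evenly between active members, priority is consulted only when the Available Bandwidth runs short, and a Web Content rule overrides the Application rule while the Application Set report counts both. Rule names, the flow structure and the even split between members are assumptions; Optinet's actual scheduler may differ.

```python
"""Model of the Shaping Rules semantics described in this section.

Added example, not Optinet's own code. It reproduces the behaviour the
bullets describe: rules are ceilings, a Group rule is split evenly between
active members, priority is consulted only when Available Bandwidth runs
short, and a Web Content rule overrides the Application rule while the
Application Set report counts both. Rule names, the flow structure and the
even-split assumption are mine; Optinet's real scheduler may differ.
"""
from dataclasses import dataclass

# Priority levels from the manual, most important first.
PRIORITY_ORDER = ["Highest", "Higher", "High", "Default", "Low", "Lower", "Lowest"]


def kbps(mbps):
    """The manual's own conversion: rules are entered in Kbps, 1 Mbps = 1024 Kbps."""
    return int(mbps * 1024)


@dataclass(frozen=True)
class ShapingRule:
    name: str
    max_kbps: int            # Max Upload or Max Download for one direction
    priority: str = "Default"


def per_member_cap(group_rule, active_members):
    """A Group rule is divided dynamically between active members: one
    active member gets the whole cap, two active members get half each."""
    if active_members <= 0:
        return 0
    return group_rule.max_kbps // active_members


def allocate(rules, demand_kbps, available_kbps):
    """Allocate one direction of bandwidth among shaping rules.

    demand_kbps maps rule name -> what that traffic is trying to use.
    Every rule is a ceiling (min of demand and max), never a guarantee.
    Priority is only used when the capped demands exceed the Available
    Bandwidth from Miscellaneous Settings; then rules are served in
    priority order and the low-priority ones absorb the shortfall.
    """
    capped = {r.name: min(demand_kbps.get(r.name, 0), r.max_kbps) for r in rules}
    if sum(capped.values()) <= available_kbps:
        return capped                     # enough for all: priority unused
    remaining = available_kbps
    granted = {}
    for rule in sorted(rules, key=lambda r: PRIORITY_ORDER.index(r.priority)):
        granted[rule.name] = min(capped[rule.name], remaining)
        remaining -= granted[rule.name]
    return granted


def shape_application(app_rule, web_rules, flows):
    """Apply Web Content rules before the Application rule.

    flows is a list of (site_keyword, demand_kbps) belonging to the
    application set; web_rules maps a keyword (e.g. "youtube") to its
    Web Content rule. Traffic whose keyword has a Web Content rule is
    capped by that rule alone; everything else shares the Application
    rule. Returns (per-rule allocation, total the Application Set report
    will show), which is why Streaming Media 1 Mbps + YouTube 1 Mbps can
    report 2 Mbps.
    """
    allocation = {}
    unmatched = 0
    for keyword, demand in flows:
        web = web_rules.get(keyword)
        if web is not None:
            allocation[web.name] = min(allocation.get(web.name, 0) + demand, web.max_kbps)
        else:
            unmatched += demand
    allocation[app_rule.name] = min(unmatched, app_rule.max_kbps)
    return allocation, sum(allocation.values())


def reporting_tolerance(rule):
    """Expected variance between a rule and what reporting shows, from the
    manual's list: under 256K up to 20%, under 1M up to 10%, under 5M up
    to 5%. The manual gives no figure above 5M; 0 is assumed here."""
    if rule.max_kbps < 256:
        return 0.20
    if rule.max_kbps < kbps(1):
        return 0.10
    if rule.max_kbps < kbps(5):
        return 0.05
    return 0.0
```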
Policy Manager
The Policy Manager correlates all policies to groups. That is to say, all the rules you have created under Time-of-Day Rules, Internet Usage Rules, and Shaping Rules will need to be assigned to groups using the Policy Manager.
The default groups Optinet offers have already been assigned their corresponding Internet
Usage Rules under the Policy Manager. In addition to this, the default groups use the
default Time-of-Day Rule (TDR) of 24 hours a day, 7 days a week. However, if you would
like to change their Internet Usage Rule or TDR, you can do so for all groups except for the
Deny Access Group and the Filter Bypass Group with the Policy Manager. Also the Policy
Manager allows you to assign shaping rules to groups.
Click on Manage -> Policies & Rules -> Policy Manager -> Default Group. This will post the
Add/Edit Policy. Presented here are two tabs: Single Rule Set and Multiple Rule Set. The
Single Rule Set is used for Internet Usage Rules that will apply 24 hours a day, 7 days a
week. The Multiple Rule Set is used for Internet Usage Rules that will use different blocks of
time from TDRs.
Under the Single Rule Set tab, select the Drop-Down Box for Internet Usage Rule Set. This
will present you with all available IURs created under Internet Usage Rules. You may do the
same for shaping rules under the Drop-Down Box for Shaping Rule Set. Once you have
chosen an IUR and Shaping Rule for the group, select Save.
The Multiple Rule Set tab is used for assigning different IURs and Shaping Rules to the time blocks created under TDRs. Click on Manage -> Policies & Rules -> Policy Manager -> Default Group -> Multiple Rule Sets. This tab will post a weekly calendar.
Select the day of the week for which you will be assigning the time blocks. Towards the bottom will be a Time-of-Day Rule Set Drop-Down Box. Select this box and choose the TDR you have created. This will populate the time blocks created. Next, for each time block, assign an Internet Usage Rule Set and a Shaping Rule that will be active for the time specified.
Repeat these steps for each day of the week (you may use the Copy button) and select the Save button. Once you complete these steps, Group membership, Time-of-Day Rules, Internet Usage Rules, and Shaping Rules will be active for devices and users. Remember to always use this method when creating groups and policies: create Groups, create Time-of-Day Rules, create Internet Usage Rules, create Shaping Rules, and tie them all together with the Policy Manager.
Next we’ll discuss the other options available under the Manage tab.
Directory Users & Nodes
Optinet can track Internet traffic by devices (Network Nodes) and by username (if Directory
integration has been enabled). Once a device or user is discovered, Optinet will create a
profile and list it accordingly under Directory Users & Nodes. These profiles (devices or
users) will then be available for group membership assignment under the Group menu
(Manage -> Policies & Rules -> Groups).
Directory Users & Nodes lists three separate options: Network Nodes, Directory Users, and
Directory Agent. Network Nodes will list devices discovered by Optinet, while Directory
Users will list Directory profiles. Directory Agent will list agents you have created for your
directory servers. These topics are covered in more detail under Chapter 7: Integrating
Directory Users with Optinet.
Network Nodes
Click Manage -> Directory Users & Nodes -> Network Nodes. This will post the Network
Node Manager, which lists all devices (Network Nodes) discovered by Optinet. Optinet
discovers these devices by examining network traffic as it passes through the bridge
interface. Once a unique device is discovered, Optinet will send a port scan to retrieve
several pieces of information to create a profile, i.e., NetBIOS name, Internet Protocol (IP)
address, Operating System (OS), Media Access Control (MAC) address, and open ports.
Optinet will also list the scan status and the date the profile was created.
Optinet accomplishes this scan via a utility called Network Mapper (Nmap). For Nmap to
retrieve these pieces of information successfully, some options may need to be permitted on
the network (listed below):
• UDP port 137
• Client for Microsoft Network
• NetBIOS over TCP/IP
• Samba to respond to NetBIOS queries
• DNS entries for Macintosh computers
• Simple Network Management Protocol (SNMP) for Macintosh computers
If, after enabling these settings, you need to rescan profiles for missing or changed information, you can select the profiles under Network Node Manager and click Re-scan port under the Tasks pane. The Scan Status for the selected profiles will then list Pending. After several minutes, the profile will be updated with the missing or changed information. If, after rescanning a profile, Optinet still cannot retrieve the missing or changed information, you can select the profile and manually enter a change to the profile name. Don’t forget to Save your changes afterwards.
If you have profiles listed under the Network Node Manager, click on one to see the
information gathered for each device on the network. The first information posted is the
Scan Name (NetBIOS name if available accompanied by the current IP address), Operating
System (OS), Detected OS, and MAC address. Below that are posted two settings: Ignore
multiple IP Addresses from this Network Node and Treat IPs as Remote Subnets from this
Network Node.
Ignore multiple IP Addresses from this Network Node can be used when Optinet identifies a single unique MAC address being used by multiple IP addresses. This behavior is typical in an asymmetrical network. Because profiles are created by MAC addresses, Optinet can sometimes incorrectly associate traffic to the wrong Network Node with asymmetrical networks.
If you have an asymmetrical network, you can select Ignore Multiple IP Addresses from this
Network Node, which will permanently associate the IP address to the MAC address listed.
Thus if Optinet sees the MAC address being used by another IP address, Optinet will assume
this is due to asymmetrical routing and group the traffic based on the IP address and
attempt to discover the true MAC address of the original sending device.
The next option is Treat IPs as Remote Subnets from this Network Node. By default Optinet
will create profiles for network devices in the local subnet based on MAC addresses. With
routed networks, on the other hand, Optinet will create profiles for network devices based
on IP addresses. These profiles will have the MAC addresses listed as all 0s while local
profiles will post true MAC addresses.
There are rare scenarios where profiles based on MAC addresses within the local subnet
should be treated as remote profiles because of unique network architectures, e.g., network
segments separated by layer three devices that use the same broadcast range or physical
connections, asymmetrical networks, etc. In these cases, you may need to regard local
profiles as remote.
Also listed under the Add/Edit Network Node Detail are the IP addresses used by this
Network Node as well as the open ports, protocols, state and services used by the device.
These settings can be sorted by selecting the Column title of each setting.
Another option available under Network Node Manager is the Search box. You can search
for profiles based on IP address, Profile Name (normally the NetBIOS name or IP address),
MAC address, and OS. Simply select the search criteria from the Search Drop-Down Menu,
enter the corresponding value, and hit Enter. For example, to search for a specific MAC
address, select MAC address from the Search Drop-Down Menu, enter the MAC address you
are searching for, and click the Search icon (or press the Enter key).
Use the format presented in the Network Node Manager, i.e., IP addresses are separated by
dots (.) and MAC addresses are not separated by colons (:) to search according to the
values. You can also sort the profiles by Name, IP address, OS, MAC address, Scan Status,
and date profiles were created by clicking on the column titles.
Please note that when Optinet is first installed or if new devices are installed on the
network, you may see a profile entitled Unknown Network Node (mostly under the Report
tab). Unknown Network Node simply represents profiles that have not been completely
scanned. In essence, Optinet has identified new devices on the network but has not had
sufficient time to complete the profile scan or is in the process of doing so. With time, this
profile will disappear as Optinet is able to complete the profile scan and identify the new
profiles.
Lastly, Network Node Manager allows you to license and unlicense devices. Licensing with
Optinet is based on network connections or active IP addresses on the network. That is to
say, one hundred connections on your network will constitute 100 Network Node licenses.
For example, in a flat network where all devices are connected via switches or hubs, Optinet
can normally discover MAC addresses for individual devices. With this scenario, licensing
and profile creation will be based on unique MAC addresses. You can verify whether Optinet is licensing based on MAC addresses by reviewing the MAC Address column under Network Node Manager. If individual MAC addresses are listed, then Optinet is essentially issuing a license to those MAC addresses.
However, if an entry of all zeros is listed under the column of MAC address, then Optinet is
licensing based on IP addresses (typical of routed networks as MAC address remain in local
subnets). This means that individual IP addresses will consume licenses, and profiles will be
based on such. You may review Chapter 6: Administrating Optinet for more information on
installing Optinet in a routed network.
Knowing how Optinet is issuing licenses will help you better manage your license count as
exceeding the license count can cause inconsistencies with content filtering and reporting.
For example, devices that are unlicensed are handled quite differently than licensed devices.
Reporting for unlicensed devices will not list individual statistics. Traffic from Unlicensed
Network Nodes will be aggregated into one profile entitled Unlicensed Network Nodes.
Another drawback for Unlicensed Network Nodes is the inability to add these devices to a
group via the Network Node Manager. If a device is unlicensed, you will not be able to
select it when adding members to groups. Lastly, filtering will be handled differently with
Unlicensed Network Nodes.
Filtering for Unlicensed Network Nodes will still be in effect for these devices but depending
upon your group configuration, traffic from Unlicensed Network Nodes can be in different
groups. More than likely traffic from Unlicensed Network Nodes will fall into the Default
Group, but different configurations can change this.
Other scenarios to be aware of with licensing are devices such as printers, scanners,
network cameras, plotters, or any other “non-user” specific devices that have Internet
connections. Because these devices are configured with a MAC or IP address, they can
potentially consume licenses unless configured otherwise. Also, a device with multiple
Internet connections can possibly take up two licenses, e.g. a laptop with a wireless card
and an Ethernet port.
In addition to multiple Internet connections being a problem, large Dynamic Host Configuration Protocol (DHCP) ranges or short DHCP lease times can also pose an issue with licensing. If licensing is based on IP addresses, for example, a device will be assigned an IP address via DHCP, and Optinet will issue a license to that IP address. If that same device is later assigned a different IP address via DHCP, Optinet will issue an additional license to the new IP address.
Hence, in this scenario a device could possibly consume several licenses depending on how
DHCP is configured. Also please note that historical data and grouping based on IP
addresses will follow IP addresses as well and not the devices per se.
Because of this, it is highly recommended that you purchase sufficient licenses to filter and
report on all connections present in the network. Also, you will want to closely watch your
license count and confirm that you do not exceed the license amount. This can be
accomplished with Network Node Manager.
Click Manage -> Directory Users & Nodes -> Network Nodes. Towards the bottom of the
page you will see a listing of how many licenses have been issued (Showing 1—25 of 100).
The last number listed is the complete number of profiles that have consumed licenses. You
will want to periodically compare this number to your license count to confirm that you have
sufficient licenses to report and filter correctly. Also, the total license count is posted on the Home Page under Hardware Settings, and System Message Alerts will be sent when the license count is nearing 80%, 90%, and 100%.
Network Node Manager also allows you to license and unlicense selected nodes. For example, if you have several printers that you do not wish to consume licenses, you can select those profiles and click the Unlicense Selected Nodes button located at the bottom of the page of the Network Node Manager (Manage -> Directory Users & Nodes -> Network Nodes -> Unlicense Selected Nodes). This will flag those profiles as unlicensed, and Optinet will not count those devices towards the total license count.
Again, unlicensed nodes are handled quite differently than licensed nodes; however, devices
such as printers, network cameras, etc., normally do not need content filtering and shaping.
You can also license profiles that have been unlicensed by changing the License Status to Unlicensed (located in the top right corner of Network Node Manager). This will post all devices that have not been issued a license. You may select the profiles that you want to be licensed and select License Selected Nodes. These profiles will then be issued a license and counted towards the total license count.
If you need to purchase additional licenses, you may do so from Black Box Network Services
or your Authorized Black Box Network Services Reseller. Additional licenses are issued in
the form of a license key and may be entered during the Setup Wizard (Step 1) or under
Admin -> Configuration -> License.
Directory Users
Directory User Manager is similar to Network Node Manager in the sense that this manager
keeps track of all reported profiles. The difference being that Directory User Manager tracks
all Directory Users and not Network Node Profiles. If you have implemented Directory Users
with Optinet, the Directory User Manager will post all Directory Users Profiles discovered by
Optinet.
Directory User Manager will list all user names that Optinet has discovered. Please review
Chapter 7: Integrating Directory Users with Optinet for more information. The Directory
User Manager will also list the domain names associated with the profiles, as well as the
Directory Agent (if applicable) and username used to access the directory.
Another option available with the Directory Users Manager is Re-scan Directory User Name
(located under the Tasks pane). This option allows you to update a profile by selecting the
checkbox next to the user profile(s) you want to rescan. After selecting the profiles, select
Re-scan Directory User Name and any changes made to the profiles, i.e., changed name,
new directory group, etc., will be posted under the Directory Users Manager.
Again, Chapter 7 covers these topics in more detail. One last important detail to note is
that Directory Users have no effect on licensing.
Directory Agent
The Directory Agent Manager lists all created Directory Agents used for synchronization of
Directory Users. For more information on this menu, please refer to Chapter 7: Integrating
Directory Users with Optinet.
Broadcasts tab
The Broadcast tab grants access to the Broadcast Manager, which displays all email reports
that have been created for automated reporting. Email reports must first be created by
selecting the report you want to email. Once you have done this, you may select the Email
icon under the Tasks pane.
For example, click on Report -> Application -> Application Overview. As an exercise, you can set up this report for a weekly email. Under the Tasks pane, select the Email icon, which will populate the Add/Edit Broadcast field. Fill out the required information such as Name, Description, Send To:, Send From:, Reply To:, Subject Line, Send Format, and Schedule.
If you need to send the email to multiple recipients, separate the addresses with a semicolon (;). Also, the recommended Send Format is PDF, as this format is more presentable; however, the other formats available are HTML, XML, and CSV.
The schedule will depend on how frequently you want the automated report sent. For
example, if you choose Weekly, several new fields will appear that will allow you to select
the day of the week you want the report to run. The same is true with Monthly and Yearly.
Once you have created the report and filled out the necessary fields, you will need to select an Activation mode for the email.
Run Now will send the email report as soon as it is created. Send Once and Delete will send
the report at the scheduled time and will then automatically delete the report once it has
been sent. Activate Broadcast must be selected for any action to occur. Once you have
selected all settings, don’t forget to select the Save button.
Now that you have created the email report, it will be saved under the Broadcast Manager
(unless you have selected Send Once and Delete). If you need to alter or delete the report
in the future, you may do so under the Broadcast Manager by selecting the individual Email
Broadcast or selecting the checkbox next to the report and clicking the Delete Selected
button.
All Email Broadcasts are handled by Black Box Network Services’ in-house Report Server.
After you have created and activated an Email Broadcast, the data is encrypted using
Secure Socket Layer (SSL) and sent to Black Box Network Services’ Report Server. The
Report Server processes the encrypted data and creates the desired report in the selected
format. The Report Server then sends the completed report to the requested email
address(es) for retrieval. The process creates performance advantages for Optinet while
still allowing automatic delivery of important reports and information.
After the finalized Email Broadcast has been sent, the data is immediately deleted from the Report Server. The entire process normally takes less than 5 seconds. Physical access to Black Box Network Services’ Report Server is permitted through a minimum of two biometric authentication systems. On-site staff are notified of all building access in real time, and environmental systems are maintained with N+1 redundancy.
Because the data is leaving Optinet, some technical considerations may need to be implemented in order for the recipients to receive email reports. For example, if a spam filter is present on the network, you may need to allow email transmissions from Black Box Network Services’ Internet Service Provider (IP.XMISSION.COM).
In addition, you may need to use different email addresses for the sender and the receiver, as messages whose sender and recipient addresses are identical are commonly flagged as spoofing attempts. Also note that when the data leaves Optinet for the Black Box Network Services Report Server, all data is encrypted. However, the transmission from Black Box Network Services’ Report Server to the recipients is not encrypted. Nevertheless, this is the same level of security as most common email messages sent over the Internet.
System Access tab
Optinet allows you to create multiple login accounts used to access the system. All
accounts are listed under the Manage -> System Access -> Logins menu. By default only
one account is present on the device (the admin account with a password of Black Box
Network Services).
Administrative login accounts can do anything that the default admin account can do: they can view any report and make any configuration change. Another access level, Read-Only, allows users to view reports and configuration settings; however, users with Read-Only access cannot make configuration or administrative changes to the device.
The Add/Edit Login Detail field (Manage -> System Access -> Logins -> Admin) allows you
to customize all logins with User Name, Password, First Name, Last Name, Email Address,
Admin Level (if you would like to create a login that does not have Admin Level, uncheck
the box), and Activate Login (the login will not be accessible until this option is checked).
Don’t forget to Save your changes after creating or modifying a login.
We strongly recommend that you create a new administrative login, and change the
default login password to limit access to the management interface. Select the Manage
-> System Access -> Logins link to make these changes.
Applications tab
The Applications tab is designed for expert use. This menu and its submenus allow you to customize applications and redefine default signature sets for a more tailored environment. The default application sets provided should be sufficient for most environments. Nonetheless, if you would like to customize signature definitions as well as Traffic Flow Rule Sets (TFRS), you can do so under the Applications tab. The three options available under the Applications tab are Traffic Flow Rule Sets, Application Sets, and Applications.
Traffic Flow Rule Sets
Traffic Flow Rule Sets (TFRS) are the basic traffic identification and control engine within
Optinet. By default, TFRS define content rules and implement restrictions on identified
traffic. Optinet ships with 12 default TFRS (for more information see the previous section on Traffic Flow Rule Sets); however, you can customize TFRS using the Traffic Flow Rule Set Manager.
For example, suppose you had a group of users that needed a combination of functions not available in any default TFRS, such as filtering Web traffic (Web Filter), denying IM client communications (Deny IM), and blocking HTTPS traffic (SSL Block). Several default TFRS provide some of these options; however, no single TFRS has all three components (Web Filter + Deny IM + SSL Block). The Traffic Flow Rule Set Manager allows you to combine or delete components of the TFRS to tailor how traffic will be handled.
Select Manage -> Applications -> Traffic Flow Rule Sets. Rather than editing the default
TFRS, you can copy them and make the necessary changes to create a custom TFRS.
Although you can select the default TFRS and edit them, it is highly recommended that
you do not edit default TFRS. Doing so can cause severe problems if the TFRS are
configured incorrectly. You are better served by copying default TFRS and editing the
copies.
The key factor in creating a custom TFRS is to choose a default one that closely represents
the end result. For this example, we will select to copy the TFRS of Web Filter + Deny IM
and afterwards add the component of SSL Block. Copying TFRS is quite simple: select the
checkbox next to the TFRS that is going to be copied and select the Copy Selected button.
This will bring up the Add/Edit Traffic Flow Rule Set field. Here, you can create a distinct name and description for the custom TFRS. This field also allows you to remove certain applications from the TFRS. For example, if you didn’t want this TFRS to identify ICMP traffic, you could remove this application using the < Remove button. More often than not, you will only want to customize the name and description in this field, as removing applications can cause unexpected effects. Another suggestion is to name the TFRS according to its targets. In our example, we would name the TFRS Web Filter + Deny IM + SSL Block. Again, don’t forget to Save your changes.
Once you have created a custom TFRS, you will alter the targets according to the desired modifications. This is done under the Application Signature Manager (covered later under the Applications section). In our example, we will need to alter the SSL targets so that this traffic is blocked. The steps to alter targets are covered in the next sections.
Other options available under the Traffic Flow Rule Set Manager are deleting and creating.
There is also a search box to search available TFRS. Now let’s continue our example of a
custom TFRS by discussing the Application Sets and Applications menus. The following
sections will give a brief explanation of the options available and a common example of
configuration changes.
Application Sets
Application sets, or simply signature sets, are groups of signatures for similar applications
that perform a comparable purpose. For example, the signature set of Remote Desktop
/Remote Control /X comprises the applications of PC Anywhere, Citrix, GoToMyPC,
Microsoft’s Remote Desktop, and many more. Because these applications use similar signatures and perform an equivalent purpose (connecting users remotely to computers), the different applications are grouped together in an Application Set.
The Application Signature Set Manager (Manage -> Applications -> Application Sets) lists all
sets of applications that Optinet can identify and shape. Currently there are 23 Application
Sets that Optinet identifies.
• Chat and IM—this application set comprises signature definitions for chat and IM applications, e.g., Windows Live Messenger, Yahoo! Messenger, etc.
• Databases—this application set comprises signature definitions for database applications, e.g., SQL, Oracle, etc.
• DNS/Naming/Locators and Information—this application set comprises signature definitions for services that identify domains, users, and devices on a network, e.g., Domain Name Service (DNS), Lightweight Directory Access Protocol (LDAP), etc.
• Email, Paging, and Collaboration—this application set comprises signature definitions for email services and protocols used to transmit emails, e.g., Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), etc.
• FTP/File Transfer—this application set comprises signature definitions for File Transfer Protocol (FTP).
• Games—this application set comprises signature definitions for online games or network games, e.g., Xbox Live, World of Warcraft, etc.
• HTTP—this application set comprises signature definitions for Web traffic or Hypertext Transfer Protocol (HTTP).
• ICMP—this application set comprises signature definitions for Internet Control Message Protocol (ICMP), e.g., PING.
• NetBIOS/Microsoft File Services—this application set comprises signature definitions for Network Basic Input/Output Service (NetBIOS) and Server Message Block (SMB or Samba) protocol.
• Network Management and Monitoring—this application set comprises signature definitions for services that manage and monitor networks, e.g., Simple Network Management Protocol (SNMP), Network Management Service (NMS), etc.
• Network Routing—this application set comprises signature definitions for networking protocols, e.g., Routing Information Protocol (RIP), Network Control Program (NCP), etc.
• Network Utility—this application set comprises signature definitions for protocols used to manage networking devices, e.g., Dynamic Host Configuration Protocol (DHCP), NSW under System FE.
• Peer to Peer—this application set comprises signature definitions for programs that share files via a direct (peer to peer) connection, e.g., BitTorrent, Gnutella, etc.
• Printing and Reporting—this application set comprises signature definitions for printing and reporting services, e.g., Network Printing, Internet Printing, etc.
• Proxy and Cache—this application set comprises signature definitions for proxy and cache servers, e.g., Squid, Sockets Server (SOCKS), etc.
• Remote Desktop/Remote Control/X—this application set comprises signature definitions for programs used for remote management and administration, e.g., PC Anywhere, Citrix, etc.
• RPC/Remote Execution and Message—this application set comprises signature definitions for programs that execute other programs or routines remotely, e.g., Remote Procedure Call (RPC), IBM’s Tivoli, etc.
• Security, Auditing, and Auth—this application set comprises signature definitions for network protocols that authenticate and secure users or devices, e.g., Kerberos, Pretty Good Privacy (PGP), etc.
• Streaming Media—this application set comprises signature definitions for programs that stream audio and video content, e.g., Windows Media Player, Flash, etc.
• Telnet and SSH—this application set comprises signature definitions for applications that use Telecommunication Network (Telnet) and Secure Shell (SSH) protocols.
• Uncategorized—this application set comprises all traffic that does not meet a specific application set.
• VOIP and Voice Chat—this application set comprises signature definitions for Voice over Internet Protocol (VoIP) and programs that facilitate voice conversations over the Internet, e.g., Ventrilo, Buddy Phone, etc.
• VPN and Tunnel—this application set comprises signature definitions for protocols used for Virtual Private Network (VPN) and for tunneling, e.g., Internet Protocol Security (IPSec), Secure Sockets Layer (SSL), etc.
The Application Signature Set Manager also allows you to select Application Sets to review
all applications present within the set. In addition to reviewing the applications within the
set, you may add or remove individual applications. For example, if you wanted to separate
Citrix traffic from Remote Desktop/Remote Control/X application set for individual shaping
and reporting, you could create a new application set or custom TFRS to do so.
Once more, this menu is intended for expert use. Still, following the example in the
previous section of creating a custom TFRS of Web Filter + Deny IM + SSL Block, we will
create a custom Application Set. In this example, we will separate SMTP traffic from the Email, Paging, and Collaboration Application Set.
Click Manage -> Applications -> Application Set -> Create. This will populate the Add/Edit
Application Set Details field. Here you will give the custom application set a Name and
Description. In our example, we will call the Application Set SMTP. Don’t forget to Save the
changes.
Once a custom TFRS and Application Set have been created, you will need to alter the
individual applications under the Application Manager. These final steps are covered in the
next section.
Two other options available under the Application Signature Set Manager are the ability to search for Application Sets using the Search box (located in the upper-left corner) and to delete a custom Application Set using the Delete Selected button (located at the bottom of the page).
Applications
Now that we have detailed the applications listed under each Application Set, we can look at the individual applications that Optinet can shape. This can be accomplished under the Applications menu.
Like other menus under the Applications menu, this menu is intended for expert use. The
Applications menu will allow you to finish creating the custom TFRS. You can also finish
altering the Application Set to add or remove specific applications for an Application Set.
Lastly, this menu allows you to search for individual applications, values (ports), and
application sets to see how traffic is being categorized.
Click Manage -> Applications -> Applications. This will bring up the Application Signature
Manager. The Application Signature manager lists each individual application alphabetically
according to the Traffic Flow Rule Set listed in the top right-hand corner. You can also
search for a particular application based on the Name, Application Set, or Value and sort the
different applications by the column titles. Below are the column titles and corresponding
definitions:
• Name—this is the name of the application.
• Application Set—this will list which application set the application belongs under.
• Type—this will list the type of signature identification used to recognize the traffic. The different types are the following:
  o Destination Port—this type is the target port of the application.
  o Diff Serv—this type is the Differentiated Services (DiffServ) value of the application. DiffServ is a networking architecture that specifies a simple, scalable, coarse-grained mechanism for classifying and managing network traffic and providing Quality of Service (QoS).
  o Type of Service—this type is the Type of Service (TOS) of the application. TOS is a single-byte field in an IP packet header that specifies the service level required for the packet.
  o Length—this type is the Ethernet Length of the application. Ethernet length specifies the size of the frame used within the network interface.
  o VLAN—this type is the Virtual Local Area Network (VLAN) used for the application.
  o Protocol Only—this type is the protocol used for the application, e.g., TCP, UDP, etc.
  o Layer7—this type is the Optinet Layer 7 signature used for the application.
  o Source and Destination Port—this type is the sending and target port of the application.
  o Source Port—this type is the sending port of the application.
  o XLi Engine—this type is the Cross Layer Intelligence (XLi) Engine used for the application. XLi is the component of Optinet that scans and identifies packet payload using 6 layers of the OSI model.
  o Web Request MIME Type—this type is the Multipurpose Internet Mail Extensions (MIME) type for the application.
  o Web Request File Type—this type is the File Type for the application.
• Value—this will list the corresponding measure for the Type field. For example, under the application of HTTP, the Type is listed as Destination Port; hence, the Value is listed as 80, as this is the destination port number for HTTP traffic. Other entries listed here will be the XLi values, File Type values, MIME values, and all other associated values for Types.
• Target—this will list what action will be taken with the corresponding application. For example, if the target is set to Pass Thru, the application will be allowed. Other options available are Deny (block traffic), None (no action taken), Web Filter (content filtering, web logging, spyware scanning, and virus scanning), and Web Logging (only logs web request URLs).
To review the different options for each application, you will need to create a custom TFRS.
Let’s continue with the example of the custom TFRS created in the previous section. In the
top right-hand corner, select the link for the TFRS of IM Only. This will then list all TFRS available. Choose Web Filter + Deny IM + SSL Block.
Notice how the individual applications are now clickable. By creating a custom TFRS and
application set, you can adjust each application and change settings such as Protocol, Type,
and Value. Remember that we need to change the target of the custom TFRS to deny SSL
traffic. You can do this by changing the Target field under the SSL applications.
Click on the drop-down search box and select Value as the search criteria. Enter in the
value of SSL and hit the Enter key. The Application Signatures Manager will post the
associated applications for SSL traffic. Select the application of SSL CONNECT L7. This will
show the Add/Edit Application Detail page.
The Add/Edit Application Detail field allows you to change the Name of the application as
well as other options, i.e., the Description, Application Set, Traffic Flow Rule Set, Type,
Value, Protocol, and Target. Again, changing options can cause serious errors if you are
unsure of the settings. More often than not you will only need to change the Application
Set, Traffic Flow Rule Set, and Value. In general only use Destination Port, Source Port, and
Source and Destination Port for the Type field. Finally, for Protocol you will probably only
need to use TCP and UDP, and Target with Pass Thru or Deny.
To block all SSL connections, you will change the target from Pass Thru to Deny. Once you save the changes, this will block all SSL connections. You will need to do this for all other applications that use SSL (search for HTTPS applications as well).
Once you have set all SSL applications to Deny, you only need to apply the custom TFRS.
This is done by creating an Internet Usage Rule and applying it to a group under the Policy
Manager. Please review the sections Internet Usage Rules and Policy Manager for more
information.
Before leaving the Application Signature Manager, we can continue with the example of separating an application from an application set. Again, click on Manage -> Applications -> Applications. Make sure the custom TFRS is selected as the Traffic Flow Rule Set in the top right-hand corner.
Now, let’s search for the application that we’re going to separate. Select Name as the Search criteria and enter the name of the application. In our example we will search for SMTP traffic. This will post all applications that use SMTP as a signature. Because we have created a custom TFRS and application set, we can select the applications to separate or modify them. In this example, we will separate SMTP from the application set of Email, Paging, and Collaboration and tie it to the custom Application Set of SMTP (created in the previous section).
Click on the first SMTP application (On Demand SMTP Relay). This will post the Add/Edit Application Detail. Here, change the Application Set from Email, Paging, and Collaboration to SMTP. Don’t forget to Save your changes. Repeat the previous steps for all applications listed after the search.
Again, these changes will take final effect once they are initiated under Internet Usage Rules
and Policy Manager.
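As an added example (not code from Optinet or Black Box), the following Python model shows how an application signature table of the kind described above classifies a flow by Type, Value and Protocol and applies the Target, and it walks the two procedures above end to end: copy a default TFRS, deny the applications found by searching for SSL and then for HTTPS, and move the SMTP applications into a custom Application Set. All signature names, ports, targets and the evaluation order are constructed assumptions, not values taken from the appliance.

```python
"""Added example, not Optinet code: how an application signature table classifies
a flow by Type, Value and Protocol and applies the Target, plus the manual's
procedure (copy a TFRS, deny SSL and HTTPS, move SMTP). Everything is constructed."""
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "TCP", "UDP" or "ICMP"
    src_port: int
    dst_port: int


@dataclass
class Signature:
    name: str       # Name column
    app_set: str    # Application Set column
    sig_type: str   # Type column; only the port and protocol types are modelled
    value: str      # Value column, e.g. "80" or "1024,443"
    proto: str      # Protocol: TCP, UDP or ANY
    target: str     # Target: Pass Thru, Deny, Web Filter, Web Logging, None

    def matches(self, flow: Flow) -> bool:
        if self.proto not in ("ANY", flow.proto):
            return False
        if self.sig_type == "Destination Port":
            return flow.dst_port == int(self.value)
        if self.sig_type == "Source Port":
            return flow.src_port == int(self.value)
        if self.sig_type == "Source and Destination Port":
            src, dst = (int(v) for v in self.value.split(","))
            return (flow.src_port, flow.dst_port) == (src, dst)
        if self.sig_type == "Protocol Only":
            return self.value == flow.proto
        return False  # Layer7, XLi, MIME and File Type need payload inspection


# Assumption: port matches before protocol-only, ties in listed order (real order unknown).
_SPECIFICITY = {"Source and Destination Port": 0, "Destination Port": 1,
                "Source Port": 1, "Protocol Only": 2}


class TrafficFlowRuleSet:
    def __init__(self, name: str, signatures: list):
        self.name = name
        self.signatures = sorted(signatures, key=lambda s: _SPECIFICITY.get(s.sig_type, 9))

    def copy_as(self, new_name: str) -> "TrafficFlowRuleSet":
        """Copy Selected: the default TFRS stays untouched, the copy is edited."""
        return TrafficFlowRuleSet(new_name, copy.deepcopy(self.signatures))

    def set_target(self, search: str, target: str) -> int:
        """Search by Name or Value and change the Target of every hit."""
        hits = [s for s in self.signatures
                if search in s.name or search in s.value]
        for s in hits:
            s.target = target
        return len(hits)

    def move_to_app_set(self, search: str, new_set: str) -> int:
        """Search by Name and change the Application Set of every hit."""
        hits = [s for s in self.signatures if search in s.name]
        for s in hits:
            s.app_set = new_set
        return len(hits)

    def classify(self, flow: Flow) -> tuple:
        """Return (application, application set, target) for a flow."""
        for s in self.signatures:
            if s.matches(flow):
                return s.name, s.app_set, s.target
        # Assumption: unmatched traffic is Uncategorized with no action taken.
        return "Uncategorized", "Uncategorized", "None"


def default_web_filter_deny_im() -> TrafficFlowRuleSet:
    """Constructed stand-in for the default 'Web Filter + Deny IM' TFRS."""
    email = "Email, Paging, and Collaboration"
    dp = "Destination Port"
    return TrafficFlowRuleSet("Web Filter + Deny IM", [
        Signature("HTTP", "HTTP", dp, "80", "TCP", "Web Filter"),
        Signature("HTTPS", "HTTP", dp, "443", "TCP", "Pass Thru"),
        # On the appliance SSL CONNECT L7 is a Layer7 type; a port stands in here.
        Signature("SSL CONNECT L7", "VPN and Tunnel", dp, "443", "TCP", "Pass Thru"),
        Signature("Windows Live Messenger", "Chat and IM", dp, "1863", "TCP", "Deny"),
        Signature("On Demand SMTP Relay", email, dp, "25", "TCP", "Pass Thru"),
        Signature("SMTP Submission", email, dp, "587", "TCP", "Pass Thru"),
        Signature("ICMP", "ICMP", "Protocol Only", "ICMP", "ANY", "Pass Thru"),
    ])


def build_custom_tfrs() -> TrafficFlowRuleSet:
    """The manual's procedure end to end, applied to a copy of the default."""
    custom = default_web_filter_deny_im().copy_as("Web Filter + Deny IM + SSL Block")
    custom.set_target("SSL", "Deny")        # search Value/Name for SSL, deny hits
    custom.set_target("HTTPS", "Deny")      # "search for HTTPS applications as well"
    custom.move_to_app_set("SMTP", "SMTP")  # separate SMTP into its own set
    return custom
```

Denying only the signatures found by searching for SSL leaves a flow to port 443 classified under HTTPS with its original Pass Thru target, which is why the manual says to search for the HTTPS applications as well.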
One last option available under the Application Set Manager is deleting custom applications. You may follow the general instructions listed above to create custom TFRS or Application Sets.
This concludes Chapter 5: Managing Optinet. The next chapters describe advanced
configuration methods and options with Optinet followed by chapters dedicated to Directory
Users and HTTPS/SSL Filtering.
Chapter 6: Administrating Optinet
The Admin tab of Optinet provides you with administration functions for initial configuration
of the device. Also available are maintenance options such as backup settings and
diagnostic tools that allow you to prevent failures or down time. Lastly, the Admin tab has
advanced configuration options for Directory Users, SSL Certificate, custom redirection
pages, and Spyware Removal. This chapter is divided into 6 sections.
• Setup Wizard
• Configuration tab
• Diagnostic Tools tab
• Downloads tab
• Logs tab
• Redirection Pages tab
• Utilities tab
Setup Wizard
The Setup Wizard is available during the first login to Optinet and if the device has been
reset back to factory defaults. If you would like to run the Setup Wizard again after the
initial setup, you may do so with this tab. Remember that the Setup Wizard does require a
live Internet connection to the network and will reboot if a firmware upgrade is downloaded.
For more information, please review Chapter 2: Installing Optinet.
Configuration tab
The Configuration tab provides you with a variety of tools that can help manage the
installation and maintenance of Optinet. The options available under this tab allow you to
optimize and customize your Optinet to meet the organization’s needs. Among these
settings are basic and advanced settings, license settings, remote subnets, backup settings
and static routes. This menu is intended for manual configurations of Optinet if you are
unable to run the Setup Wizard or need to customize settings. Below are all the options
available under the Configuration tab.
Setup
Use this menu to manually assign an IP address and Subnet Mask to the Bridge (WAN/LAN)
interface. You can also assign a default gateway, DNS Server, and an IP address and
Subnet Mask to the Management/Auxiliary Port. Remember that the IP address assigned to
the Management/Auxiliary Port cannot be in any active subnet in your network. You can also use this menu to enter the name or IP address of the Email server (if you would like to receive email alerts for viral web downloads). Lastly, you can specify the time zone for Optinet. Don’t forget to Apply any changes made.
Advanced Setup
The Advanced Setup provides you with enhanced configuration settings that are used for
customization of Optinet within the network. Most of the below options are enabled by
default; however, if Optinet is installed in a more complex or uncommon network topology,
you may need to disable or adjust some of the settings.
• Domain—this allows you to identify the domain name in which Optinet is installed.
• Enable Port Scanning / OS Detection—this refers to the Nmap scan that is performed when a unique profile is discovered. This setting allows Optinet to post unique information about each device present on the network. However, some security settings may identify Nmap scans as intrusions; as such, you can disable this feature by unchecking this setting. For more information see the section Network Nodes in Chapter 5: Managing Optinet.
• Enable TCP Window Scaling—this allows Optinet to send a larger window size to improve TCP performance in networks with large bandwidth. However, some routers or web sites do not support this feature, which can cause latency. If you are experiencing latency with Optinet or connection failures to web sites, you may need to disable this option to improve performance.
• Disable MAC based Network Node Discovery—this is used when you do not want Optinet to create profiles based on MAC addresses. As previously mentioned in Chapter 5, devices located in the Optinet local subnet will be profiled based on MAC addresses. If you would prefer Optinet to profile these devices based on IP addresses, you will need to check this option.
• NTP Server—this is used to specify a Network Time Protocol (NTP) server used to sync time for Optinet. The default setting is pool.ntp.org; however, if you have an NTP server or an Active Directory server and would prefer to use those devices instead, you may enter either the IP address or domain name of the device in this field. Also, for NTP to function properly, UDP port 123 must be open for Optinet.
• HTTP Keep-Alive Mode—this allows Optinet to use the same connection to send and receive multiple HTTP requests and responses, as opposed to opening new connections for every single HTTP request or response. This option can improve performance on frequently visited web sites and should be checked. This option is also necessary if you want to enable HTTPS/SSL Filtering.
• Enhanced Bridging Mode (EBM)—this allows Optinet to act as a transparent bridge. As a transparent bridge, Optinet does not modify the web request or response beyond what is required for content filtering and identification.
  EBM facilitates an easier installation, especially in a routed network, without requiring static routes or running the risk of dropping network traffic. Because EBM does not alter web requests, Optinet can rely on networking devices already present to route traffic correctly.
  We highly recommend that EBM is enabled to avoid interrupting network traffic. Lastly, EBM can improve performance with Optinet and is necessary for HTTPS/SSL Filtering.
• Allow HTTP Connections on port 8888—this allows Optinet to act as a proxy for web traffic. This option must be selected if you would like to install Optinet in Proxy Mode or use NTLM Web Authentication. Please see the sections Proxy Mode in Chapter 2 and NTLM Web Authentication in Chapter 7 for more information.
• Enable Summary Tables—this allows Optinet to summarize or condense large web reports, allowing for faster response times for Internet Usage reports. This utility will index web reports and correlations for all reports. For more information please see the section Report Recommendations in Chapter 3: Generating Reports.
• Summary Table Conversion Utility—this utility will take previous data that has not been summarized and create summary tables. Selecting the link will present three options for converting previous data: Web Request Summary Table, Level 1 Summary, and Level 2 Summary. Web Request Summary Table will summarize all Web request data. Level 1 Summary Table will summarize the first correlation for those reports, i.e., first correlation by Category, Host, File Type, MIME Type, Group, Directory User, and Network Node. Level 2 Summary Table will summarize the second correlation for those reports, i.e., second correlation by Category, Host, File Type, MIME Type, Group, Directory User, and Network Node. For more information please see the section Report Recommendations in Chapter 3: Generating Reports.
• Network Normalization Mode—this setting enables Optinet to discover MAC addresses in an asymmetrical network or where MAC addresses are alternating. For example, if MAC addresses change during data transmission, Optinet can encounter a problem with group assignments and reporting. However, by enabling Network Normalization Mode, Optinet can send Address Resolution Protocol (ARP) requests and discover the MAC addresses of devices, and therefore group and report correctly. The recommended setting for this option is enabled (checked).
• Allow DNS and HTTP block page for Deny Access Traffic Flow Rule Set—this will present group members of the Deny Access Group a blocked redirection page if they attempt to access the Internet. Please note that for this page to post, DNS and HTTP traffic will be allowed to pass for the Deny Access Group for initial connections.
• Database Timeout—this setting places a limit (in minutes) on how much time Optinet has to complete a report. Because Optinet runs several different functions simultaneously (filtering, shaping, reporting, etc.), priority is given to filtering and shaping so that reporting does not consume resources that may impact network performance. Optinet has a default timeout of five minutes for reports to complete. If a report cannot complete within the five minutes, you will receive a timeout message stating so.
  If needed, you may alter the time limit with this setting. You can allocate up to 15 minutes for reports to complete. Please see the section Report Recommendations in Chapter 4: Generating Reports for more information.
• Group Member Type Precedence (GMTP)—this option is critical for assigning devices and users to the correct groups. Because Optinet allows for multiple groups, a problem can arise when a device or a user can possibly be in multiple groups at the same time. For example, if a user begins to access the Internet, Optinet can identify the user and place him/her in a group by MAC address, IP address, or the Directory User account. The scenario can become even more complex if Optinet is configured to identify multiple groups based on VLANs, specific IP addresses, or Classless Inter-Domain Routing (CIDR) Blocks.
Ethernet Settings
This menu allows you to hard code speed and duplex settings for the WAN, LAN, and
Management/Auxiliary ports. As mentioned in Chapter 2: Installing Optinet, normally
Optinet will auto-negotiate correctly with the devices directly connected into the ports.
However, if Optinet is unable to auto-negotiate correctly, you may need to hard set the
speed and duplex settings. This can be done under the Ethernet Settings menu. Please note that if you make changes under this menu, more than likely you will also need to hard code the interface settings of the devices connected to the Optinet ports. Also note that you may experience some network interruption while Optinet makes the necessary changes.
Company Settings
Company Settings allows you to customize Optinet and the GUI with information pertinent to the organization. This menu allows you to enter the Company Name, Company Address, Company City, Company State, Company ZIP Code, Technical Admin Name, and Technical Admin E-mail. Once done, these settings will be reflected in other menus as well (Anti-Virus Email Alert, the Optinet Menu Bar, etc.).
Registration Settings
The Registration Settings menu presents the information that is used to register Optinet. The settings are the same as the Company Settings with two additional fields: Company Address 2 and Technical Admin Phone.
Miscellaneous (Misc.) Settings
Miscellaneous Settings displays five important options that are used in a variety of menus. The first two settings (Available Upload Bandwidth and Available Download Bandwidth) are used to calculate percentages for both shaping rules and reporting values, and they cap the total bandwidth available within the network. The default setting for each is 5000Kbps, and Optinet will restrict traffic to that amount. If you have not adjusted these amounts for your bandwidth, please do so during the Setup Wizard or under this menu.
Please note that the amounts listed under Available Upload and Download Bandwidth in Miscellaneous Settings will restrict total traffic through Optinet. Make sure that the amounts entered in these fields are the correct amounts for your network.
The next option, Web Time Online seconds per hit, is used to calculate the amount of time
for the Web Time Online Report (Report -> Internet Usage -> Web Time Online). Please
note that the Web Time Online report is an estimated value generated by counting the
number of hits per page, and then multiplying the number of hits by the number listed
under this setting.
The default setting of 20 seconds is an approximation based on typical business usage.
However, in other circumstances the values may need to be altered.
Simple Network Management Protocol (SNMP) can be used to monitor the state of Optinet and poll the device to verify its CPU, hard drive usage, and other pertinent information. SNMP works through a software component called an agent that runs on Optinet and reports information via SNMP to the managing systems. The managing system can retrieve the information through the GET and WALK operations. Although you will have to supply the SNMP managing system that retrieves the information, the following fields allow you to configure the Optinet SNMP agent.
The first field, SNMP Read Only Community, is the community string (password) used for GET requests and allows read access to the Optinet SNMP agent. The default setting for this field is public, but the Read Only Community string can be changed to the desired value with this menu. Don’t forget to Apply the changes after altering the field. Afterwards, you can use the SNMP GET command to poll the following values from Optinet.
Optinet SNMP Values
Value   Result
1       CPU Percent
2       Hard Drive Usage Percent
3       Web Hits
4       Web Hits by Category ID
5       Web Category Name by ID
6       Application Set Name by ID
7       Application Set Upload by ID
8       Application Set Download by ID
9       Total Traffic Upload/Download
10      Number of Possibly Infected Spyware
11      Number of Possibly Infected Virus
Also, please note that the enterprise Object Identifier (OID) for Optinet is 1.3.6.1.4.1.31010. With the values listed above and the Optinet OID, you can use the SNMP Get command:
snmpget -v 2c -c public localhost 1.3.6.1.4.1.31010.1
The WALK command uses the SNMP GETNEXT request to query Optinet for several pieces of information. SNMPWALK will step through all SNMP values for Optinet and post the corresponding results. Again, with the Optinet OID, you can query the Optinet SNMP agent for all values present:
snmpwalk -v 2c -c public localhost 1.3.6.1.4.1.31010.1
The next setting is the SNMP Read Write Community. This community string is used to set SNMP MIB variables to a specified value. These writes are protected by the write community string, which defaults to private. This field allows you to alter the SNMP Read Write Community string. Any changes made to these two fields will not take effect until you Apply the changes.
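As an added example (not part of this manual or the Optinet product), the following Python script parses the text that the snmpwalk command above prints, maps each returned value to its name in the Optinet SNMP Values table, and flags the conditions a monitoring system would normally alert on (CPU or disk above a threshold, any host counted as possibly infected). It assumes that value N in the table is found at 1.3.6.1.4.1.31010.1.N, which is inferred from the snmpget/snmpwalk commands in this section rather than stated by the manual; the sample walk output is constructed, not captured from a device.

```python
"""Parse Optinet snmpwalk output and flag values worth alerting on.

Added example; not part of the Optinet manual or product. Assumption: value N
in the Optinet SNMP Values table lives at 1.3.6.1.4.1.31010.1.N (inferred from
the snmpget/snmpwalk commands in the manual, not stated by it).
"""
import re

OPTINET_ENTERPRISE_OID = "1.3.6.1.4.1.31010"

# Value -> Result, copied from the Optinet SNMP Values table.
OPTINET_VALUE_NAMES = {
    1: "CPU Percent",
    2: "Hard Drive Usage Percent",
    3: "Web Hits",
    4: "Web Hits by Category ID",
    5: "Web Category Name by ID",
    6: "Application Set Name by ID",
    7: "Application Set Upload by ID",
    8: "Application Set Download by ID",
    9: "Total Traffic Upload/Download",
    10: "Number of Possibly Infected Spyware",
    11: "Number of Possibly Infected Virus",
}

# One line of net-snmp walk output below the assumed .31010.1 subtree, e.g.
#   SNMPv2-SMI::enterprises.31010.1.2 = INTEGER: 91
#   .1.3.6.1.4.1.31010.1.5.12 = STRING: "Streaming Media"   (numeric-OID form)
_LINE_RE = re.compile(
    r"^(?:SNMPv2-SMI::enterprises|\.?1\.3\.6\.1\.4\.1|iso\.3\.6\.1\.4\.1)"
    r"\.31010\.1\.(?P<idx>\d+)(?P<rest>(?:\.\d+)*)\s*=\s*"
    r"(?P<type>[A-Za-z0-9-]+):\s*(?P<value>.*)$"
)

_NUMERIC_TYPES = {"INTEGER", "Counter32", "Counter64", "Gauge32", "Unsigned32"}


def parse_walk(text):
    """Return {"<idx>[.<sub>]": (name, value)} for every Optinet line in the walk."""
    results = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # other subtrees, blank lines, "No more variables" etc.
        idx = int(m.group("idx"))
        key = str(idx) + m.group("rest")
        raw = m.group("value").strip()
        if m.group("type") in _NUMERIC_TYPES:
            value = int(raw.split()[0])  # e.g. "INTEGER: 37" -> 37
        else:
            value = raw.strip('"')       # e.g. STRING: "Streaming Media"
        results[key] = (OPTINET_VALUE_NAMES.get(idx, "unknown value %d" % idx), value)
    return results


def check_health(results, cpu_max=90, disk_max=85):
    """Return alert strings: resource exhaustion or hosts the device thinks are infected."""
    alerts = []
    for key, limit in (("1", cpu_max), ("2", disk_max)):
        entry = results.get(key)
        if entry is not None and entry[1] > limit:
            alerts.append("%s is %d%% (limit %d%%)" % (entry[0], entry[1], limit))
    for key in ("10", "11"):  # possibly infected spyware / virus counts
        entry = results.get(key)
        if entry is not None and entry[1] > 0:
            alerts.append("%s: %d host(s)" % (entry[0], entry[1]))
    return alerts


# Constructed sample walk output (not captured from a real device).
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.31010.1.1 = INTEGER: 37
SNMPv2-SMI::enterprises.31010.1.2 = INTEGER: 91
SNMPv2-SMI::enterprises.31010.1.3 = Counter32: 48213
SNMPv2-SMI::enterprises.31010.1.5.12 = STRING: "Streaming Media"
SNMPv2-SMI::enterprises.31010.1.9 = Counter64: 7340032
SNMPv2-SMI::enterprises.31010.1.10 = INTEGER: 2
SNMPv2-SMI::enterprises.31010.1.11 = INTEGER: 0
"""

if __name__ == "__main__":
    parsed = parse_walk(SAMPLE_WALK)
    for key, (name, value) in sorted(parsed.items(),
                                     key=lambda kv: [int(p) for p in kv[0].split(".")]):
        print("%-6s %-38s %s" % (key, name, value))
    for alert in check_health(parsed):
        print("ALERT:", alert)
```

In practice the script would read the output of snmpwalk -v 2c -c <community> <optinet-ip> 1.3.6.1.4.1.31010.1 from a pipe instead of the embedded sample; use the Read Only Community string you set in this menu, since a device still answering to the default public string can be polled by anyone who can reach UDP port 161.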
Update Settings
The Update Settings menu lists the available updates for Optinet. These updates are
divided into five categories: Firmware, Software, Content Filter, Spyware, and Anti-Virus.
Firmware updates deal with new features, Optinet OS upgrades, and signature updates.
Software updates deal with component changes, maintenance patches, and code
resolutions. Content Filter updates are for updating web categories, web sites, and file
types. Spyware updates are for new definitions on spyware, while Anti-Virus handles new
definitions for web viruses.
All updates can be configured to execute automatically via the Enable check boxes and Daily
Schedule Drop-Down Boxes, except for Firmware updates. The reason is that Firmware
updates require a reboot. Because of this you will need to manually update the firmware
using the Update Now button. You will be notified via the Message Center on the Home
Page when a new firmware version is offered.
For updates to be successful, Optinet will need access to port 80 as well as authorization to download MD5 checksums. Also, you should schedule updates during non-peak traffic times, as some services may need to restart after the updates have completed. The default schedules under Update Settings are 1am for Software, 2am for Content Filter, 3am for Spyware, and 4am for Anti-Virus.
Custom Category Rules
The Custom Category Rules menu allows you to modify or create web site categorization.
This menu allows you to categorize web sites that have been mis-categorized, do not have
an explicit categorization, or your organization needs a distinct categorization for the web
site. For example, by default the web site YouTube is categorized as Online Communities.
However, for your organization YouTube may be considered more of a streaming media web
site than an online community. The Custom Category Rules allow you to enter the URL of
YouTube and “re-categorize” the site as Streaming Media instead of Online Communities.
This rule will then take effect for both reporting and Internet Usage Rules (IURs).
To categorize a web site with the Custom Category Rules, enter the URL in the Match String field. Afterwards, choose a Compare String for the entry. There are three distinct compare strings that can be used to categorize web sites: URL-Regular Expression, URL, and Domain.
• URL-Regular Expression—this compare string uses regular expressions to categorize web sites. A regular expression (regex) is a method of describing a string of text using metacharacters or wildcard symbols. To use URL-Regular Expression, you will need to understand the functions of regular expression metacharacters. URL-Regular Expression supports POSIX Basic and Extended Regular Expressions. A complete discussion of regular expression capabilities is beyond the scope of this document.
• URL—this compare string looks for an exact URL match. Use this compare string to categorize specific web pages where an exact match is necessary. For example, an entry of youtube.com/forums will categorize YouTube’s forum web page, but not necessarily other YouTube web pages. However, you can use an asterisk symbol (*) as a wildcard with the compare string of URL. For instance, an entry of http://www.youtube.com* will categorize any web page that begins with http://www.youtube.com.
• Domain—this compare string looks for any web page that begins with the domain name of the web site. Use this compare string to categorize web sites where the domain name is constant in the URL. For example, an entry of youtube.com will categorize all of YouTube’s web pages. You can also use an asterisk symbol (*) as a wildcard with the compare string of Domain. For instance, an entry of *youtube.com will categorize any web page that has youtube.com in the domain name regardless of http, https, or www.
After you make your entry in the Match String field and choose a Compare String, select which category the web site will be assigned to. You can also create your own category by selecting the **Add a Custom Category** selection. Once selected, you can type in the name of the custom category.
Afterwards, you can choose which priority level will be assigned to the entry. Priority levels are only used when there are conflicts with other custom categorizations. For example, if you chose to categorize the web site youtube.com as Streaming Media but the web page youtube.com/forums as Online Communities, you would give the URL entry youtube.com/forums a high priority. This indicates to Optinet to always categorize youtube.com/forums as Online Communities, while other web pages under youtube.com will be categorized as Streaming Media. If any site matches conflicting rules, the higher priority rule will direct the categorization.
To finalize your entry, click the Update button followed by the Apply button. Other options
available in this menu are Reset (clear current entries under the Add/Edit Custom Category
Rules), Remove Selected Rows (clear selected custom category entry), Edit Selected Rows
(modify selected custom category entry), Export List and Import List (export or import a
plain text file of entries from the custom category list), and Cancel button.
Custom Category Options
The Custom Category Options menu works in conjunction with the Custom Category Rules and has two tabs: Categories and Precedence. The Categories tab allows you to create or modify categories listed in the current Optinet category list.
For example, the category Computers and Internet covers web sites that post information about computers and software, but it also covers web sites with information about the Web and the Internet in general. If you wanted to separate this into two separate categories, i.e., one category called Internet and another called Computers, you could create two new categories with the Custom Category Options menu.
As you add web sites to these new categories, the names of these categories will appear in the category list under Admin -> Configuration -> Custom Category Rules -> Assign a Category, as well as under the Edit Blocked Categories list. To add a new category, enter the name of the category in the Add/Edit Category Name field and click the Update button. Other options available are Edit Selected Row, Apply, and Cancel.
The Precedence tab allows you to modify the order in which the Compare String is examined
for classification of web sites. The Custom Category Rules use three compare strings to
classify web sites: URL-Regular Expression, URL, and Domain. The Default order should be
sufficient, but you can alter the order by clicking and dragging an entry and then selecting
the Apply button. The Cancel button is also available under this menu.
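The following Python model is an added example, not code from the Optinet product. It brings together the Custom Category Rules section above (the three compare strings, the asterisk wildcards, and the priority used to settle the youtube.com versus youtube.com/forums conflict) and the Precedence tab (the order in which compare strings are examined), so you can see how a rule set you are about to enter will classify a given URL. Everything not in the manual is an assumption and is marked as such: the default Precedence order, that a larger priority number is the higher priority, the exact-match details for the URL and Domain compare strings, and the rule and category names beyond the YouTube example.

```python
"""Model of how Custom Category Rules classify a URL.

Added example, not code from the Optinet product. It implements the three
compare strings described in the manual (URL-Regular Expression, URL with a
trailing '*', Domain with an optional leading '*'), the priority used to settle
conflicts, and the Precedence-tab order in which compare strings are examined.
Assumptions: the default Precedence order below (the manual does not list it),
a larger priority number meaning higher priority, and the URL/Domain
comparison details noted in the comments.
"""
import re
from urllib.parse import urlsplit

# Assumed default order of the Precedence tab.
DEFAULT_PRECEDENCE = ("URL-Regular Expression", "URL", "Domain")


class CustomCategoryRule:
    """One row of the Custom Category Rules table."""

    def __init__(self, match_string, compare_string, category, priority=0):
        if compare_string not in DEFAULT_PRECEDENCE:
            raise ValueError("unknown compare string: %r" % compare_string)
        self.match_string = match_string
        self.compare_string = compare_string
        self.category = category
        self.priority = priority  # assumption: larger number = higher priority
        # Compile once so a malformed expression is rejected when the rule is
        # entered rather than at request time.
        self._regex = (re.compile(match_string)
                       if compare_string == "URL-Regular Expression" else None)

    def matches(self, url):
        host = urlsplit(url).hostname or ""
        # Assumption for the URL compare string: an entry such as
        # "youtube.com/forums" matches whether or not the request carried a
        # scheme or a leading "www.".
        no_scheme = url.split("://", 1)[-1]
        candidates = {url, no_scheme,
                      no_scheme[4:] if no_scheme.startswith("www.") else no_scheme}
        if self.compare_string == "URL-Regular Expression":
            return self._regex.search(url) is not None
        if self.compare_string == "URL":
            if self.match_string.endswith("*"):       # "http://www.youtube.com*"
                return any(c.startswith(self.match_string[:-1]) for c in candidates)
            return self.match_string in candidates    # exact page match
        # Domain: assumption that "youtube.com" covers the domain and its
        # subdomains, while "*youtube.com" matches any host ending in that text.
        if self.match_string.startswith("*"):
            return host.endswith(self.match_string[1:])
        return host == self.match_string or host.endswith("." + self.match_string)


def classify(url, rules, precedence=DEFAULT_PRECEDENCE, default="Uncategorized"):
    """Pick the category for a URL the way the manual describes conflict handling."""
    hits = [r for r in rules if r.matches(url)]
    if not hits:
        return default
    order = {name: i for i, name in enumerate(precedence)}
    # Highest priority wins; ties go to the compare string examined first under
    # the Precedence tab, then to the rule entered first (tie-break assumptions).
    best = min(hits, key=lambda r: (-r.priority, order[r.compare_string], rules.index(r)))
    return best.category


# Constructed rules: the manual's YouTube example plus one regex rule feeding a
# custom category (the example.org rule and its category name are made up).
SAMPLE_RULES = [
    CustomCategoryRule("youtube.com", "Domain", "Streaming Media", priority=1),
    CustomCategoryRule("youtube.com/forums", "URL", "Online Communities", priority=10),
    CustomCategoryRule(r"^https?://[^/]*\.example\.org/downloads/.*\.exe$",
                       "URL-Regular Expression", "Internal Installers", priority=5),
]

if __name__ == "__main__":
    for u in ("http://www.youtube.com/watch?v=abc",
              "http://www.youtube.com/forums",
              "https://tools.example.org/downloads/setup.exe",
              "http://example.com/"):
        print(u, "->", classify(u, SAMPLE_RULES))
```

Because regular expressions are compiled when the rule object is built, a bad URL-Regular Expression entry fails immediately; on the appliance the equivalent check is to test the entry with Web Filter Info (Special Domains) before relying on it in an Internet Usage Rule.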
Remote Subnets
By default, Optinet will monitor all traffic within the local subnet. However, Optinet can also
monitor subnets outside the local subnet. These subnets are called Remote Subnets
because they are not within The Optinet local subnet.
Review the following topology. This is an example of a flat network. A flat network has these characteristics: all devices are connected via switches or hubs, there are no layer three devices (routers or layer 3 switches), and the network is not segmented logically by different IP address ranges (VLANs or remote subnets). If you have a flat network, all devices will fall into the local subnet, and you will not need to add entries to the Remote Subnets menu, as Optinet will be able to track by MAC addresses.
Figure 6.1 Flat Network Topology
Now review the following topology. This is an example of a routed network. Notice how there are different logical segments separated by the IP address ranges within the network, i.e., 192.168.255.0, 172.16.0.0, and 10.0.0.0. Also notice how there is a layer three device present in the network (Router 1). These are the characteristics of a routed network.
Figure 6.2 Routed Network Topology
In this example, the network subnets of 10.0.0.0 and 172.16.0.0 will be identified as
remote subnets. Optinet can track Internet traffic by IP addresses once these networks are
identified as remote subnets. Optinet will not be able to track by MAC addresses for remote
subnets as layer three devices maintain MAC addresses within their corresponding subnets.
For more information on this you can review Chapter 5: Managing Optinet, section Directory
Users & Nodes.
To add network segments to the Remote Subnets menu, enter the network address with the subnet mask in Classless Inter-Domain Routing (CIDR) notation. For example, a network address of 172.16.1.0 with a subnet mask of 255.255.255.0 would be entered as 172.16.1.0/24. For more information on CIDR notation, please see Appendix D: CIDR Cheat Sheet. Once you have entered the network address, select the Add> button and Apply.
Please note that you may at any time add network addresses to Remote Subnets for monitoring and filtering. If you remove network addresses from Remote Subnets, this will require a Reset on Telemetry and Profile Data because of how Optinet profiles devices. Please review the section System Utilities for more information on resetting the database.
Once you have added the remote subnets, you can create static routes for those subnets. This topic is covered in the section Static Routes.
User Preferences
The User Preferences menu allows you to customize how reports and filters will be displayed by Optinet. This menu also allows you to automatically accept downloads from the Optinet GUI.
Default Rows per Page indicates how many results will be posted for each report. For example, if you want to see how many users have passed Peer to Peer traffic, you can access this information under Report -> Applications -> Peer to Peer -> Correlate by Network Node. By default this report will post the top 25 users of Peer to Peer traffic. However, if you wanted the report to post the top 30 users of Peer to Peer traffic, you would need to change Default Rows per Page to 30. Afterwards, all reports will post 30 results by default instead of 25.
Report Filter Per Page is for Group, Network Node, and Directory User filters. These filters
are available under individual reports and allow you to search for specific Groups, Network
Nodes, or Directory Users for the specified reports. Clicking these fields will populate the
Select Filter Group, Network Node, or Directory User box. You can then search the
Available profiles listed for the desired Group, Network Node, or Directory User profile. By
default these filters will post 10 profiles per page. You can change this amount by altering
the Report Filter Per Page. Once the amount has been altered, all report filters will post the
number specified on every filter page accordingly. Lastly, the lowest amounts for both
fields are 5 and the highest is 500.
The last setting in the User Preferences menu is Enable Automatic Downloads. Optinet has several downloads for different features, i.e., SSL Certificate, Directory Clients, etc. Selecting these downloads will post a file download dialog box with an additional link for the download. If you would like to skip the additional dialog box and have files from Optinet downloaded automatically, you will need to enable this option. Please note that you may also need to add the IP address of Optinet to the “Local Internet” security zone in your web browser as well as select Medium-Low security settings for downloads. Once you make changes to the User Preferences menu, don’t forget to Apply the changes. The default setting for Enable Automatic Downloads is unchecked.
Static Routes
The Static Routes menu is used in conjunction with the Remote Subnets menu. For
example, if you have entries in the Remote Subnet menu, you may need to create static
routes for those subnets. However, if you do not have entries in that menu, more than
likely you will not need to add static routes.
In addition to this, static routes are only necessary under certain circumstances. One
circumstance is remote administration. For instance, if you had a network entry in the
Remote Subnet menu and wanted to allow users on that remote subnet administrative
access to Optinet, you would need to create a static route for that network.
Other scenarios that require static routes are disabling Enhanced Bridging Mode (EBM), using Redirect blocked pages, and installing Directory Agents outside the Optinet local subnet. If any of these scenarios applies to you, you will need to create static routes.
Static routes are created by identifying the next hop for Optinet to the remote subnets.
Review the following topology. Notice how Optinet is installed on a network with a schema
of 192.168.255.0. However, most users are located on 10.0.0.0.
For Optinet to communicate properly with the users on the 10.0.0.0 network, the device will
need to know the next hop to this network. The next hop is referred to as the gateway or
destination gateway for the remote subnets. In this example, the remote subnet will be
10.0.0.0/8 with a gateway of 192.168.255.3.
Figure 6.3 Static Routes Diagram
Please take special notice of the different gateways. The 10.0.0.0 has a default gateway of
10.0.0.1. This is not the gateway for the Optinet static route as this address is not the next
hop for the remote subnet. The gateway will be 192.168.255.3 as this is the next hop for
Optinet to communicate to users on the 10.0.0.0 network. Essentially, the static route will
indicate to Optinet the routing path to take when direct communication is required to a host
on the 10.0.0.0 network.
Also, do not confuse the static route gateway with the Optinet default gateway. Optinet uses the default gateway to access the Internet for updates, while static route gateways are used to communicate with users on the remote subnets. The following rules can help you identify the proper static route gateways for Optinet:
• Static route gateways will always be in the same local subnet as the Optinet Bridge IP address.
• Static route gateways will always be on the LAN side of Optinet.
• Static route gateways will never be the same IP address as the Optinet default gateway.
• Static route gateways will never be the default gateway for the remote subnets.
After you have identified the correct static route gateway for the corresponding remote subnet, you can enter the pair by entering the network address of the remote subnet and the route gateway. Again, network addresses are entered in CIDR notation. Once you have correctly entered the settings, select the Add button and then Apply.
Remember that static routes are only necessary for remote subnets. Do not add a static route that encompasses the local subnet, as this may cause routing problems with the Optinet default gateway.
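The Python below is an added example, not Optinet code, covering the Remote Subnets entry format and the static route rules from the two sections above. It validates CIDR entries (rejecting the common mistake of a host address with a /24 mask), decides whether a host would be tracked by MAC address (local subnet) or by IP address (remote subnet), and checks a proposed static route against the rules that can be decided from addresses alone: the gateway must sit in the Optinet local subnet, must not be the Optinet default gateway, must not be the remote subnet’s own default gateway, and the route must not encompass the local subnet (the LAN-side rule needs the physical topology and is not checked). The bridge IP address, Optinet default gateway, and the /16 mask on 172.16.0.0 used in the sample are constructed; Figure 6.3 gives only the network prefixes, 10.0.0.1, and 192.168.255.3.

```python
"""Check Remote Subnets and Static Routes entries against the manual's rules.

Added example, not Optinet code. Validates CIDR entries, decides whether a host
is tracked by MAC (local subnet) or IP (remote subnet), and rejects static route
gateways that break the address-based rules in the Static Routes section. The
bridge IP, Optinet default gateway and the 172.16.0.0 mask in the sample are
constructed; the manual's Figure 6.3 gives only the network prefixes, 10.0.0.1
and 192.168.255.3.
"""
import ipaddress


def parse_cidr(entry):
    """Parse a Remote Subnets entry such as '172.16.1.0/24'.

    strict=True rejects entries with host bits set (e.g. 172.16.1.5/24), the
    usual slip when converting a dotted mask to CIDR notation.
    """
    return ipaddress.ip_network(entry, strict=True)


def is_valid_cidr(entry):
    try:
        parse_cidr(entry)
        return True
    except ValueError:
        return False


class OptinetRoutingConfig:
    def __init__(self, bridge_ip_cidr, default_gateway):
        self.bridge = ipaddress.ip_interface(bridge_ip_cidr)
        self.local_subnet = self.bridge.network
        self.default_gateway = ipaddress.ip_address(default_gateway)
        self.remote_subnets = []
        self.static_routes = {}   # remote network -> next-hop gateway

    def add_remote_subnet(self, entry):
        net = parse_cidr(entry)
        if net.overlaps(self.local_subnet):
            raise ValueError("%s overlaps the local subnet %s" % (net, self.local_subnet))
        self.remote_subnets.append(net)
        return net

    def tracking_method(self, host):
        """Local hosts are tracked by MAC; hosts behind a router only by IP."""
        addr = ipaddress.ip_address(host)
        if addr in self.local_subnet:
            return "MAC"
        if any(addr in net for net in self.remote_subnets):
            return "IP"
        return "untracked"

    def validate_static_route(self, remote_cidr, gateway, remote_default_gateway=None):
        """Return the rule violations; an empty list means the route is acceptable."""
        net = parse_cidr(remote_cidr)
        gw = ipaddress.ip_address(gateway)
        problems = []
        if net.overlaps(self.local_subnet):
            problems.append("route would encompass the local subnet")
        if net not in self.remote_subnets:
            problems.append("network is not listed under Remote Subnets")
        if gw not in self.local_subnet:
            problems.append("gateway is not in the Optinet local subnet")
        if gw == self.default_gateway:
            problems.append("gateway is the Optinet default gateway")
        if (remote_default_gateway is not None
                and gw == ipaddress.ip_address(remote_default_gateway)):
            problems.append("gateway is the remote subnet's own default gateway")
        return problems

    def add_static_route(self, remote_cidr, gateway, remote_default_gateway=None):
        problems = self.validate_static_route(remote_cidr, gateway, remote_default_gateway)
        if problems:
            raise ValueError("; ".join(problems))
        self.static_routes[parse_cidr(remote_cidr)] = ipaddress.ip_address(gateway)


def build_sample_config():
    """Figure 6.3 topology with a constructed bridge IP and default gateway."""
    cfg = OptinetRoutingConfig("192.168.255.10/24", "192.168.255.1")
    cfg.add_remote_subnet("10.0.0.0/8")
    cfg.add_remote_subnet("172.16.0.0/16")   # mask is an assumption
    cfg.add_static_route("10.0.0.0/8", "192.168.255.3", remote_default_gateway="10.0.0.1")
    return cfg


if __name__ == "__main__":
    cfg = build_sample_config()
    for host in ("192.168.255.44", "10.1.2.3", "203.0.113.9"):
        print(host, "tracked by", cfg.tracking_method(host))
    # The mistake the manual warns about: entering the remote LAN's own gateway.
    print("bad route:", cfg.validate_static_route("10.0.0.0/8", "10.0.0.1", "10.0.0.1"))
```

Running the script prints the tracking method for one host in each position of the Figure 6.3 topology and the two violations produced by entering 10.0.0.1 (the remote subnet’s gateway) instead of 192.168.255.3 (the next hop from Optinet).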
SSL Certificate Settings
This menu is covered in Chapter 8: Implementing HTTPS/SSL Filtering with Optinet.
License Settings
The License Settings menu allows you to enter a license key to increase the number of devices Optinet will profile. Licensing with Optinet is based on network connections. That is to say, one hundred connections on your network will require 100 licenses.
For full functionality of Optinet, you will need to have sufficient licenses for all active connections on your network. You can purchase the license key from Black Box Network Services or your Authorized Black Box Network Services Reseller. Once purchased, you can enter the License Key and select the Update button. Optinet will then confirm the License Key and, if it is correct, will alter the Licensed Network Nodes to the correct amount. Don’t forget to Apply the changes. This option is also available during the Setup Wizard.
Information pertinent to the device, such as Model Number, Serial Number, and Annual
Software Maintenance (ASM) Expiration Date are posted on this menu as well. ASM is used
for support on your device and provides Optinet with continued updates on Web content,
Spyware, Web viruses, and application signatures. ASM also allows you to use Black Box
Network Services Technical Support if needed.
If ASM is not current, Optinet will not be able to update firmware, software, content filtering, Spyware, or virus definitions, nor will Black Box Network Services Technical Support be available. To renew your ASM, please contact Black Box Technical Support at 724-746-5500, your Authorized Black Box Network Services Reseller, or Black Box Network Services Sales at 877-877-2269.
Other stats available on this menu are Current Software Version, Available Software
Version, Last Software Update Date, Last Anti-Virus Update Date, and Last Spyware
Definition Update Date.
Special Domains
The Special Domains menu offers two settings to assist in troubleshooting group membership as well as Directory User integration. The first setting is Web Authentication Logout Domain. Web Authentication allows Optinet to identify Directory Users without using the Directory Client. Optinet does this by associating initial web connections with Directory Users. However, Web Authentication does not detect when Directory Users have logged out unless an inactivity or session timeout has been met.
By using the URL in Web Authentication Logout Domain, Directory Users can immediately
notify Optinet when they have logged out. The default setting is logout.blackbox.com,
but you can use this menu to change the URL. Once users enter this URL into their web
browser, Optinet will present them with a logout page. After logging out, Optinet will
disassociate the web connections to the Directory Users.
For this setting to work properly, you must have some form of Web Authentication enabled
for users. For more information on Web Authentication, please see Chapter 7: Integrating
Directory Users with Optinet.
The next setting is Web Filter Info Domain. Web Filter Info Domain allows you to confirm group membership, Internet Usage Rules, and HTTPS/SSL Filtering rules. By entering the URL into a web browser, you can confirm how Optinet is identifying the user, to which group the user is being assigned, and whether the correct rules are being applied. To use Web Filter Info, enter the URL into a web browser (default setting is info.blackbox.com), and the Web Filter Status Report will post the results.
Please note that any changes to these two settings will require correct Domain Name
Service (DNS) resolution. If you alter the URLs under the Special Domains menu, you will
need to make specific entries for these web sites in users’ DNS records.
LDAP Settings
LDAP Settings are supported only for legacy installs using the CymLDAP client. This has
been replaced with the Directory Integration process using the CymDIR client.
Backup
Optinet allows you to back up configuration data and telemetry data. These backups can be completed via FTP or as HTTP manual backups. The submenus available here are Backup File Settings, FTP Automated Backup, FTP Manual Backup/Restore, and HTTP Manual Backup.
The options available under Backup File Settings are Backup File Name, Add Timestamp to File Name, Backup Configuration Data (device configuration, groups, IUR, shaping rules, etc.), and Backup Telemetry Data (Web logs, application reports, etc.). Once these settings are configured, you will need to create the backup file using the Create File button. Afterwards, you can manually push the backup file to an FTP server or use HTTP to place the backup file in a folder accessible to Optinet.
The FTP Automated Backup menu allows you to automate backups via File Transfer Protocol. For this to work, Optinet needs write access to an FTP server. You can select Enable Automatic Backups and select the day and time for the backup to execute. In addition to this, Optinet will need the hostname or IP address of the FTP server as well as the Server User Name, Server Password, and path for the backup directory. Lastly, you can specify that Optinet only create a backup file automatically and not upload it to an FTP server. This option is available as the check box Create Backup File Only.
You can also restore backups to Optinet in the case of device failure. For example, if you need to replace your current Optinet with another device, you can use a stored backup file to restore device settings on the replacement device. Although easy to execute, the restore options can only be accomplished with an FTP server. Also please note that restores are only possible between the same Optinet models. In other words, you cannot restore a DC10 backup file to a DC30.
Again, Optinet will need specifics related to the FTP server, i.e., Hostname or IP address, Server User Name, Server Password, Path, and File Name. The options available under this submenu are Restore From FTP Server and Backup To FTP Server. If you intend to restore information to Optinet, you will need to select Restore From FTP Server. Backup To FTP Server is for manual backups to an FTP server as opposed to the automated backups available in the previous submenu.
Finally, you can back up manually via HTTP if you do not have access to an FTP server. Again, you will need to create the backup file using the submenu Backup File Settings. Afterwards, you can select the Download button and browse to a network drive, network directory, or even to your desktop to place the backup file. When you are finished modifying the backup settings, remember to Apply the changes.
Proxy Settings
The Proxy Settings menu allows you to configure Optinet to work with your network’s proxy server. The most important factor in configuring Optinet with your network’s proxy server is the placement of the device relative to the proxy server.
If the proxy server is an inline device, the recommended placement for Optinet is between the proxy server and the users, to allow for correct identification of users and devices. In addition to this, if the proxy server requires users to enter a username and password for Internet connectivity, Optinet will likewise need such credentials to access the Internet for updates. These settings are entitled Parent Proxy Username and Parent Proxy Password. We recommend that you create a dedicated account on the proxy server for Optinet. Optinet will also need access to the Web for updates and TCP port 22 for the Support Link utility to work. For correct reporting, Optinet will need to know the IP address and the port used by the proxy server (other than port 80 and 8080).
If your network’s Proxy Server is not an inline device, please contact your
Authorized Reseller or Black Box Network Services support before installing
Optinet.
If the network’s proxy server is not an inline device, you will not be able to place Optinet in
between users and the proxy server as web requests will be traversing the proxy server’s
connection twice; once for the initial request and once for the response. As such, you will
need to contact Black Box Network Services Support or your Authorized Black Box Network
Services Reseller for assistance with installing Optinet with this scenario.
If Optinet cannot be placed in between the users and your network’s proxy server, you will
need to configure Optinet differently. First, you will not need to enter any information in the
Proxy Settings menu as your network’s proxy server will be on the LAN side of Optinet.
Second, some advanced options are specifically designed for interoperability with current
proxy servers, in particular Enhanced Bridging Mode (EBM) and HTTP Keep-Alive Mode.
With the proxy server on the LAN side of Optinet, the device no longer needs these options
enabled as the proxy server will perform similar functions. You may need to disable these
options (Admin -> Configuration -> Advanced Setup).
Finally, most proxy servers execute web requests via Network Address Translation (NAT). NAT is a technique of routing network traffic that involves re-writing or masquerading IP addresses. Optinet will then only see the IP address of the proxy server passing web traffic instead of the individual users. If the proxy server is located on the Optinet LAN side, individual filtering and reporting may be impossible because Optinet will not receive the users’ IP addresses. If your network’s proxy server allows you to disable NAT, this may be an option for individual reporting and filtering.
Diagnostic Tools tab
The Diagnostic Tools tab provides you with a variety of tools that you can use to test the functionality of your network as well as Optinet. It includes utilities to test network connectivity and device status. This menu is a great place to start the troubleshooting process to confirm device settings and status.
Device Status
Device Status posts the condition of Optinet and several key components of the device.
Here you can confirm that the IP address for the bridge interface is correctly assigned. You
can also verify the status of all Ethernet ports, WAN, LAN, and Management/Auxiliary.
Lastly, you can validate device settings (Device Key, Serial Number) and device status in
regards to uptime (how long the device has been up), CPU load, and Used Disk Space.
Directory Agent Diagnostics
This menu is covered in more detail under Chapter 7: Integrating Directory Users with
Optinet.
Directory Agent Users
This menu is covered in more detail under Chapter 7: Integrating Directory Users with
Optinet.
Display ARP Table
The Display ARP Table lets you view the current entries in the Optinet Address Resolution Protocol (ARP) table. ARP provides dynamic address mapping between an IP address and a hardware or MAC address. The Optinet ARP table displays the IP and MAC addresses of devices that have directly communicated with Optinet within the last 5 minutes. The columns listed in the ARP table are Address (IP address), HW Type (Ethernet), MAC Address, Flags (C—reachable), and Interface (br0—Bridge, eth0—WAN, eth1—LAN).
Ethernet Status
The Ethernet Status menu lists the state of The Optinet ports, WAN, LAN, Management/
Auxiliary. The tabs are divided by each port and list the status, auto-negotiate, speed,
duplex, packets, and errors. Use this tab to confirm that each active port is operating at
correct speeds and duplex settings and not generating any errors. Auto-Negotiation is
recommended, but not necessary.
Group IP List
Group IP List is a great tool that can be used to verify group membership for individual
users. For example, if you have a device or user that is not being assigned to a group
correctly, you can confirm which group is being assigned within the past five minutes for
that user or device.
Group IP List will list the Group, MAC address (where available), and IP address of the
devices currently passing traffic through Optinet. Also available is a drop-down list that
allows you to search entries based on Group name, MAC address, or IP address.
You can then verify this group assignment against the member type and assigned group
(Manage -> Policies & Rules -> Groups). If users or devices are being assigned to incorrect
groups, you can use this tool as well as Group Member Type Precedence to resolve the issue
and better configure Optinet.
IP Address Map
This menu is covered in more detail under Chapter 7: Integrating Directory Users with
Optinet.
No LDAP Network Nodes
This menu is covered in more detail under Chapter 7: Integrating Directory Users with
Optinet.
PING
Packet Internet Groups (PING) is a useful troubleshooting tool for computer networks. This
tool is used to test whether or not network hosts are reachable by sending an ICMP Echo
Request packet. When the destination system receives the packet, it responds with an
ICMP Echo Response packet.
Optinet includes PING as a troubleshooting tool in the event that a device or web site
cannot communicate with Optinet. You can enter in the hostname or IP address to run the
PING test. You can also alter the number of attempts. If the test results in a failure, you
may want to review the network topology and the Static Routes menu.
Please note that many host-based software firewalls, such as those that ship with Microsoft
Windows XP and Vista, deny PING traffic by default. You may need to enable ICMP traffic
through firewall systems for this utility to be successful.
Test DNS Settings
The Test Domain Name System (DNS) Settings menu allows you to test the DNS settings for Optinet, e.g., whether Optinet can resolve web sites or NetBIOS names to their corresponding IP addresses correctly. Enter the URL of the web site, e.g., www.google.com, or the NetBIOS name of the computer, e.g., computername.mydomain.com, and select Run for a test. You can also change the DNS server for the test by entering a different IP address for the DNS server. A positive result will reply with a host name and an IP address.
Traceroute
Traceroute is a computer networking tool used to determine the route taken by packets
across an IP network. The Optinet Traceroute menu allows you to confirm the path taken
by Optinet to reach individual computers, routers, or web sites that respond to traceroute.
Similar to Test DNS Settings, enter in the hostname or IP address for the Traceroute and
select the Run button. You can also alter the Timeout in seconds.
If the test is successful, the menu will list how many hops are taken for the packet to reach
the destination. The menu will also list the time spent in reaching each individual hop.
IP Traffic Monitor
IP Traffic Monitor is a console-based network statistics utility that gathers a variety of data
such as TCP connection packet and byte counts, interface statistics and activity indicators.
IP Traffic Monitor shows information on network traffic as it passes in real-time through
Optinet. Some of the information posted can be used to diagnose network connectivity
problems as well as confirm highest bandwidth consuming IP addresses within the network.
The difference with this diagnostic tool is that it is not accessible from the Diagnostic tab or
any other menu in the Optinet GUI. Instead, you can access this utility via the Text Menu
Interface (Option 2—Utilities, Option 3—IP Traffic Monitor). Please see Chapter 1:
Configuring Optinet, Section Text Menu Interface for more information.
Downloads tab
The Downloads tab stores the Directory Agent, Directory Client, and SSL Certificate
necessary for Directory Users integration and SSL Filtering respectively. These topics are
covered in Chapter 7: Integrating Directory Users with Optinet and Chapter 8:
Implementing HTTPS/SSL Filtering with Optinet.
Logs tab
As Optinet completes its day-to-day tasks, the device will track important events, activities,
and errors in log files. You can use the Activity Logs and Kernel logs to view these files for
troubleshooting purposes.
Activity Log
The Activity Log records information about programmed events and their status, i.e.,
backups, updates, etc. If some of these functions are not working properly, you can use the
Activity Log to troubleshoot the process. Also, the Activity Log is useful in troubleshooting
Directory Users, which will be covered in Chapter 7: Integrating Directory Users with
Optinet.
By default, the Activity Log shows all message types for the last 24 hours. However, you can
use the Selected Date option to browse for messages from different periods, e.g., Last Hour,
Last 24 Hours, Last 7 Days, Last Week, Last Month, Last Year, and custom dates.
Also available are message type filters that can be used to show only messages relevant to a
problem. The message type options are No Filter, Verbose, Informational, Status, Warning,
Error, Comment, and Invalid. Comment, Informational, and Verbose are debug-level
messages. These messages give information regarding the normal operation of processes
and events.
Warnings are non-fatal process errors or unexpected conditions, while Errors are fatal
process faults that can affect device functionality. Invalid messages denote invalid or
unexpected conditions that might prevent future code execution or cause future Warnings or
Errors. Status messages give information regarding the current status of processes or
programmed events.
The other option available under logs is Context. Context describes which components of
Optinet have delivered the message. For example, if an error happens with the backup
utility of Optinet, the Context will be backup and the message will be error. The options
available under Context are No Filter, System, Initialization, Updates, Backup, Broadcast,
and Alert.
System Context means the error came from the forwarding plane. The forwarding plane is
the Optinet architecture that decides how to handle packets arriving on the LAN interface,
i.e., applying shaping rules, denying traffic, etc.
Initialization messages are from boot-up or process launchers. Updates Context indicates
that the messages were generated by the update system, e.g., Firmware, Software, Content
Filter, etc. Backup messages come from the backup system (automated and forced), and
Broadcast messages come from the e-mail broadcast system. Alert messages are not
currently used.
Kernel Log
The Kernel is the central component of the Optinet Operating System (OS). The Kernel’s
responsibilities include managing communication between the hardware and software
components. As the Kernel does this, it keeps several key entries in a log file that can be
reviewed. This is an excellent place to begin troubleshooting hardware or software
problems. Some of the entries are common markers or steps that are routinely run by
Optinet. However, pay close attention to messages that concern the hard drive and
messages that repeat several times in a row.
Redirection Pages
Optinet offers two customizable pages: one for blocking web sites and one for authenticating Directory
Users. The Directory Agent Login Page is defined in Chapter 7: Integrating Directory Users
with Optinet.
Blocked URL
When Optinet blocks web sites based on Internet Usage Rules (IURs), users will be
presented with a Block Redirection or Block Uniform Resource Locator (URL) page. The
Redirection Pages menu allows you to customize the Block URL page to display company
messages, customized phrases, etc.
The first option available under Block URL Redirection Page is Display Blocked Reason. This
will post the reason to users why the page has been blocked, i.e., because of a Blocked
Category, Blocked URL, etc. The next option is the Blocked Phrase. Blocked Phrase allows
you to customize the message posted to users. The default message is “Your access to the
website %blockedURL% was blocked for the following reason:”. The Blocked Reason will
then post underneath the message.
The Bypass Message is for those users who have the password for the Enable Bypass
(setting that allows users to bypass a blocked web site if he/she knows the Bypass
Password). The default message for the Bypass Message is “Click here to bypass the filter
for this website”. Please note that if you have not enabled the Enable Bypass, this message
will not post.
Contact Message allows users to contact the Optinet administrator in case a web site needs
to be re-categorized or allowed. For example, if a user is blocked from
http://www.myspace.com.com, but believes that the web site should be allowed or
re-categorized, he/she can send an email by clicking on the link posted in the Blocked URL
page. For this setting to be active, the Contact Email needs to have the email address of
the Optinet administrator. Also note that the URL will not be automatically posted in the
email. You should alter the Contact Message asking users to place the URL in the email.
For Optinet to send the Blocked URL Page, the device needs to know the route taken by the
initial request for redirection. Normally this is handled by a 200 HTTP response, indicating
that the request was received and that the result is the Blocked URL Page. However, by
selecting Redirect blocked pages, you can change the response to a 302 HTTP response,
which redirects the browser to another page. The difference between these options is that the
302 HTTP response posts an image of a stop sign located in the top right-hand corner of the
Blocked URL Page. Also the IP address of Optinet will be displayed in the URL of the web
browser requesting the page. To activate the 302 HTTP response, select the checkbox next
to Redirect blocked pages.
Please note that the Redirect blocked pages option requires static routes for remote
subnets in order to issue the Blocked URL Page. Please see the earlier section on Static Routes for
more information.
The last checkbox available is Reset to Defaults. This option allows you to erase any
alterations to the Blocked URL Redirection Page and default back to the original settings.
The box below the Reset to Defaults is the actual Hypertext Markup Language (HTML) code
used for the Blocked URL Redirection Page. If you are familiar with HTML, you can alter the
text, color, and format of the Blocked URL Redirection Page manually using the code
present on the page.
The following table lists the placeholders that handle the different format
options within the page; however, again, you should be familiar with HTML code to make
any alterations.
Name                   Syntax             Function
Bypass URL             %bypassURL%        Posts a link to the Enable Bypass Password.
Spyware Removal Tool   %spywareCleaner%   Posts a link to the Spyware Removal Tool.
Optinet Trademark      %productName%      Posts the trademark on Optinet.
Blocked URL            %blockedURL%       Posts the original URL requested by the user that has been blocked.
Blocked Reason         %blockedReason%    Posts the reason for the Block URL Redirection Page, e.g., Category, URL.
Blocked Message        %blockedMessage%   Posts an explanation of why the page has been blocked, i.e., access to this URL is restricted because…
Bypass Message         %bypassHTML%       Posts a link to bypass the blocked Web site, i.e., Click here to bypass…
Contact Message        %contactMessage%   Allows users to send an email to the Optinet administrator for re-categorization of a blocked Web site, etc.
Contact Email          %contactAddr%      Posts the email address of the Optinet administrator.
Once you have completed the alterations, don’t forget to Apply the changes.
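The placeholder substitution and the 200-versus-302 behaviour described above, shown as an added Python example that is not Optinet's own code. The sample template, the bypass and spyware-tool paths, the contact wording, and the 192.0.2.1 address are assumptions made for illustration; the placeholder names and default phrases are the ones from this section.

```python
"""Placeholder substitution for a Block URL Redirection Page.

Added example, not Optinet's code: models the %name% placeholders from the
table above, the Enable Bypass and Display Blocked Reason switches, and the
200-versus-302 framing. Template, paths and address are assumptions.
"""
import html
import re
from dataclasses import dataclass
from urllib.parse import quote

# Default phrases quoted in the manual.
DEFAULT_BLOCKED_PHRASE = (
    "Your access to the website %blockedURL% was blocked for the following reason:"
)
DEFAULT_BYPASS_MESSAGE = "Click here to bypass the filter for this website"

# Constructed template standing in for the HTML box on the Redirection
# Pages menu; it uses the placeholder names from the table.
SAMPLE_TEMPLATE = """<html><body>
<h1>%productName%</h1>
<p>%blockedMessage%</p>
<p>%blockedReason%</p>
%bypassHTML%
<p>%contactMessage%</p>
<p><a href="%spywareCleaner%">Spyware Removal Tool</a></p>
</body></html>"""


@dataclass
class BlockPageSettings:
    """The Block URL Redirection Page options described in the manual."""
    display_blocked_reason: bool = True
    blocked_phrase: str = DEFAULT_BLOCKED_PHRASE
    enable_bypass: bool = False
    bypass_message: str = DEFAULT_BYPASS_MESSAGE
    contact_message: str = "Mail the administrator, including the URL, to request re-categorization."
    contact_email: str = ""                # empty: Contact Message is not posted
    redirect_blocked_pages: bool = False   # False: 200 response, True: 302
    product_name: str = "Optinet"
    bypass_url: str = "/bypass"            # assumed path behind %bypassURL%
    spyware_cleaner_url: str = "/spyware"  # assumed path behind %spywareCleaner%


def placeholder_values(settings, blocked_url, blocked_reason):
    """Compute the text each placeholder expands to."""
    # The requested URL is client-controlled, so it is HTML-escaped before it
    # is written into the page (a precaution taken in this example).
    safe_url = html.escape(blocked_url, quote=True)
    bypass_url, bypass_html = "", ""
    if settings.enable_bypass:   # the bypass link is only posted when Enable Bypass is on
        bypass_url = html.escape(settings.bypass_url, quote=True)
        bypass_html = '<a href="%s">%s</a>' % (bypass_url, html.escape(settings.bypass_message))
    addr = html.escape(settings.contact_email, quote=True)
    contact = ""
    if settings.contact_email:   # the Contact Message needs a Contact Email to be active
        contact = '%s <a href="mailto:%s">%s</a>' % (settings.contact_message, addr, addr)
    return {
        "%bypassURL%": bypass_url,
        "%spywareCleaner%": html.escape(settings.spyware_cleaner_url, quote=True),
        "%productName%": settings.product_name,
        "%blockedURL%": safe_url,
        "%blockedReason%": html.escape(blocked_reason) if settings.display_blocked_reason else "",
        "%blockedMessage%": settings.blocked_phrase.replace("%blockedURL%", safe_url),
        "%bypassHTML%": bypass_html,
        "%contactMessage%": contact,
        "%contactAddr%": addr,
    }


def render_block_page(settings, blocked_url, blocked_reason, template=SAMPLE_TEMPLATE):
    """Substitute every %name% placeholder in a single pass.

    One pass means text inserted for a placeholder (such as the blocked URL)
    is never re-scanned for further placeholders; unknown names are left as-is.
    """
    values = placeholder_values(settings, blocked_url, blocked_reason)
    return re.sub(r"%\w+%", lambda m: values.get(m.group(0), m.group(0)), template)


def build_response(settings, blocked_url, blocked_reason, optinet_ip="192.0.2.1"):
    """Return (status, headers, body) for a blocked request.

    With Redirect blocked pages off, the block page is the body of a 200
    response to the original request. With it on, a 302 sends the browser to a
    page on Optinet itself, which is why Optinet's address then appears in the
    browser's URL bar. 192.0.2.1 is a documentation address assumed here.
    """
    if settings.redirect_blocked_pages:
        location = "http://%s/blocked?url=%s" % (optinet_ip, quote(blocked_url, safe=""))
        return 302, {"Location": location}, ""
    return 200, {"Content-Type": "text/html"}, render_block_page(settings, blocked_url, blocked_reason)


if __name__ == "__main__":
    demo = BlockPageSettings(enable_bypass=True, contact_email="admin@example.com")
    print(build_response(demo, "http://www.example.com/", "Blocked Category: Games")[2])
```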
Directory Agent Login Page
This menu is covered in more detail under Chapter 7: Integrating Directory Users with
Optinet.
Utilities
The Utilities menu offers several functions that are used for troubleshooting and also
deleting information. Also available are the menus of Support Link (allows Black Box
Network Services Technicians to access your device for remote assistance) and Spyware
Removal Tool (utility that allows you to remotely scan and delete Spyware present on
infected devices). Each utility should be used with caution as some of the options can
drastically erase data and configuration of Optinet.
System Resets
System Resets is divided into four subsections: Restart Services, Filter Resets, Database
Resets, and Device Power Resets.
Restart Services
Restart All Services will stop and reinitialize all system processes such as content filtering,
application shaping, and report generating. Normally, you will not need to select this
option; however, for troubleshooting you may need to select this option if a service is not
responding correctly.
For example, if you are unable to run a report, you may need to restart all services to
terminate an orphan process and enable the particular report to run again. Restart All
Services may cause a temporary drop in traffic, but should allow you to continue a service if
it was not functioning correctly before.
Filter Resets
The first option under Filter Resets is Clear SSL Certificate. This option is covered in
Chapter 8: Implementing HTTPS/SSL Filtering with Optinet.
After that come Force cymdir.exe Session Timeouts and Flush Web Auth Cache. These
utilities are covered in Chapter 7: Integrating Directory Users with Optinet.
Database Resets
Reset to Factory Defaults sets Optinet back to the factory settings. This means that all
information is erased as well as configuration data. Basically the device will be reset to the
original settings as the device was received.
Use this option with care, as Reset to Factory Defaults completely wipes the entire
system. You will lose your configuration parameters, accounts, rules, telemetry data,
licensing information, and annual support contract information. Access to the device is
reset to the username of admin and a password of Black Box Network Services. If you
select this option, you must connect a system to the Optinet LAN port and run the initial
configuration of the device.
The next option is Reset the Database. Reset the Database erases the database used by
Optinet for group configuration, device profiling, Internet Usage Rules, and Shaping Rules.
This option also erases all historical data on the device. This utility is almost as drastic as
Reset to Factory Defaults except that basic configuration settings, such as the bridge IP
address, subnet mask, default gateway, and DNS server will remain intact. Licensing and
ASM information will still remain.
The first table below lists all settings lost with Reset the Database; the second table
lists which options will be enabled or disabled after resetting the database. If an
item is not mentioned, it will be retained.
Lost Settings after Resetting the Database
Report: All information
Manage: Groups, Time of Day Rules, Custom IURs, Shaping Rules, Network Nodes, Directory Users, Custom Logins, Custom TFRS, Custom Application Sets, Custom Applications
Admin: Mail server, Backup Settings, Update Settings (dates erased), Logs (erased), Broadcasts
Default Settings after Resetting the Database
Manage:
- All users assigned to Default Group
- Default IUR set to Web Filter + IM
Admin:
- Domain set to Black Box Network Services.com
- Enable Port Scanning/OS Detection selected
- System Access set to admin; Black Box Network Services
- Enable TCP Window Scaling selected
- NTP Server set to pool.ntp.org
- HTTP-Keep Alive Mode selected
- Allow DNS and HTTP Block page for Deny Access Traffic Flow Rule Set not selected
- Enable Summary Tables selected
- Database Timeout set to 5 minutes
- Default Settings for Group Member Type Precedence
- Default Settings for Special Domains
- Web Time Online set to 20 seconds
- Default Times for Update Settings
- SSL Certificate Settings set to default
- Blocked URL Redirection Page set to default
- Directory Agent Login Page set to default
Although resetting the database can be drastic, this option is necessary in many scenarios.
For example, if you have made extensive changes to your network such as IP address
schemes or new hardware, you will want to reset the database to avoid invalid licenses,
incorrect device profiles, or inconsistent grouping.
Another scenario that may require resetting the database is if you move Optinet within the
network or from one network to another. Also, at any time that you remove subnets from
the Remote Subnets settings, you will need to reset the database.
Reset Telemetry Data is the least drastic of the reset options. This utility only erases the
historical data from Optinet. For example, web logs, Application reports, Device Status
reports will be erased with this option; but groups, IURs, Shaping Rules, and other settings
will be retained. This utility is mostly used when a particular web log needs to be erased
while rules and groups will remain.
The final database reset option is Reset Telemetry and Profile Data (Preserves IURs,
Shapers, and the Filter Bypass Group). This option is similar to Resetting the Database
except that Internet Usage Rules, Shaping Rules, and members of the Filter Bypass Group
by CIDR Block Override will be retained. If you need to reset the database but would like to
retain these settings, you can select this option instead.
Device Power Resets
The last two options are for the actual power for Optinet. Hardware Shutdown will
physically shut down the device and should be used when the device needs to be powered
down. Hardware Reboot powers down the device and automatically powers it back up. All
these options will require confirmation via a dialog box.
Do not power down Optinet by pulling the power cord or pressing the power
button on the front bezel. These procedures should only be used when there is no other
alternative for powering down the device.
Support Link
Support Link is a utility that allows a Black Box Network Services technician to access your
Optinet remotely and assist in troubleshooting or configuring the device. To activate a
support link, you must first call Black Box Network Services Technical Support at
724-746-5500 for a port number. This port number is only relevant to the technician and used on
his/her side. Optinet will require outbound access to the Internet on port 22 (both TCP and
UDP) for the support link to work. Once the technician issues you the port, enter in the
number and select Connect.
Spyware Removal Tool
Optinet has several tools that can identify applications and devices that are infected with
spyware. Once a device has been identified as infected, Optinet offers a removal tool that
allows you to scan the hard drive of the infected device and remove or quarantine the
infected program. This tool is powered by Counter Spy and is called Spyware Removal Tool.
This tool can be activated by accessing the GUI of Optinet from the infected device or
having the user browse to http://spyware.Black Box Network Services.com. Once
activated, the Spyware Removal Tool will prompt the user to download and install a
program called WebDeploy.cab. This program is used to push the latest spyware definitions
to the computer. You may also need to install an ActiveX control for browsing capabilities.
Once the Spyware Removal Tool has been installed properly, you can then select to perform
a Quick Scan, Full Scan, or Cookies. After you choose which scan to perform, the Spyware
Removal Tool will begin to scan the hard drive for infected applications. You can pause or
stop this scan at any time. As soon as the scan is completed, you will be presented with the
results of the scan, i.e., which applications were infected, which applications were
quarantined, etc.
Please note that the Spyware Removal Tool can only be used on computers using Windows
OS, and users must have administrative rights to the hard drive as the Spyware Removal
Tool will scan the entire drive.
This concludes the chapter on administrating Optinet. The next chapters deal with
additional options that allow you to use Optinet with an existing directory on the network to
track traffic by Directory Users, and to filter secure web traffic via HTTPS/SSL Filtering.
Chapter 7: Integrating Directory Users with Optinet
Optinet by default tracks all web and application traffic based on device addresses (MAC
addresses or IP addresses). By default Optinet will report traffic by each individual device
located on the network and list the traffic by Network Nodes.
However, reporting by these criteria may be daunting or insufficient as IP addresses can
change constantly or users will move from one machine to another on the network. In
these cases, reporting by Directory Users may be more useful as Optinet can monitor and
report based on Directory User Names as well as by Network Nodes. This chapter will
explain how to integrate Directory Users with Optinet. The following topics will be
explained.
• Directory Overview
• Directory Options
• Directory Configurations
• Directory Troubleshooting
Directory Overview
Integrating Directory Users with Optinet consists of two steps: (1) allowing Optinet
access to your directory server, and (2) identifying when users are accessing the network.
The first step can be accomplished through the Directory Agent settings while the second
step is done via the Directory Client or Web Authentication. Choosing which option depends
upon the architecture of your network and how you are going to identify Directory Users on
your network.
The Directory Client and Web Authentication are processes that signal to Optinet when
users are logging onto the network. These processes correlate the Directory User profile to
the corresponding Network Node in use. Review the following diagram.
Figure 7.1 Directory Integration with Optinet
Optinet uses both processes to identify Directory Users and filter accordingly. For example,
when a user logs into a computer, the Directory Client or Web Authentication will signal to
Optinet where the user is located and what credentials were used to access the network.
When Optinet receives this traffic, it then queries the directory server through the
Directory Agent Settings to find the user with his/her associated group, Organizational Unit
(OU), attribute, or other settings from your directory structure.
Once the user has been identified, Optinet will then apply any filtering or shaping rules to
the user and begin reporting traffic by the Directory User profile. When the user logs out or
logs into another computer, the Directory Client or Web Authentication again will send an
appropriate signal to Optinet that the user has logged out or started using a new
workstation. Using these processes, Optinet can monitor all web traffic by Directory User
regardless of where in the network he/she is located and apply appropriate rules to the
traffic.
The first step in integrating Directory Users with Optinet is deciding on which option will fit
best for your network. Each option is designed for specific scenarios and has inherent
advantages as well as disadvantages.
Directory Options
Use the following Directory User Decision Tree to help you decide which Directory Option is
correct for your environment. Each Directory Option is designed for specific scenarios or
networks to facilitate Directory User integration. You will need to decide which level of
Directory User integration is right for your organization and which requirements can be met
by your network.
Following the Directory Decision Tree are descriptions of each Directory Option, listing
its advantages and disadvantages.
Figure 7.2 Directory User Decision Tree
Directory Option 1: Directory Agent with Directory Client (cymdir.exe)
This is the recommended option for most networks. This option allows Optinet to
immediately identify when users are accessing the network while synchronizing with the
already defined directory groups, OUs, or user attributes. This method involves installing
the Directory Agent on your directory server and deploying a Directory Client through the
login process to identify when users access the network.
The advantages to this option are immediate identification of users when they access the
network and more accurate application reporting based on Directory Users. Because users
will be executing the Directory Client as they login to the network, Optinet will be instantly
notified of the user and will be able to associate all traffic to the corresponding Directory
User. The Directory Client supports Windows 64-bit, 32-bit (2000 SP4 or above), and
Macintosh OSX (10.3 or above) Operating Systems (OS).
Some of the disadvantages with this option are that it only supports Microsoft Active
Directory and computers that are members of the Active Directory domain. In addition to
this, this option will not report on individual users through Terminal Services sessions or
Citrix sessions.
Directory Option 2: Directory Agent with IP Lookup
This option is designed for networks that cannot deploy the Directory Client because no
login process is initiated, login credentials are cached on devices locally, or company policies
restrict pushing end client processes. With this option, Optinet identifies Directory Users
when they initiate web (HTTP) traffic. After Optinet intercepts initial web requests from
users, Optinet (through the Directory Agent) will petition the directory server to find the
credentials used to login to the device.
This option involves installing the Directory Agent on your directory server and creating an
Internet Usage Rule to use IP Lookup. Because IP Lookup will petition the directory server
to find login credentials, the Directory Agent must be installed on the Directory server with
administrator rights (Log on as Administrator). In addition to this, the Operating System
(OS) of users will need to be Windows 2000 (SP4) or above, and their computers must be
joined to the domain.
For computers to successfully communicate login credentials to the directory server, File
and Print share rights must be enabled as well as their primary DNS server set to the IP
address of the Active Directory server. Also, these computers must be joined to the domain
and use Windows (2000 SP4 or above) OS. Lastly, you will need to create two groups with
this feature; one for the devices used by the users (Network Node Group) and another for
the Directory Users (Directory Group). Both these groups will need to use the same
Internet Usage Rule (IUR) configured to use Web Based Authentication-IP Lookup.
The main advantage to this option is that you do not have to execute the Directory Client
during the login process. Also, if successfully executed, IP Lookup will seamlessly identify
users without presenting them a secondary login page. One disadvantage is that users will
not be correctly identified until Optinet first receives web (HTTP) traffic from users. As
such, there may be some discrepancy with application control and reporting for users.
Directory Option 3: Directory Agent with NTLM
This option is intended for networks that use Terminal Server and Citrix Server sessions.
Please note that Citrix Servers offer a feature called Virtual IPs (VIPs), which will allow you
to use Directory Option 1: Directory Agent with Directory Client. If you can enable VIPs
with your Citrix Servers, using Directory Option 1 is recommended.
Directory Option 3 allows Optinet to identify individual users through devices or applications
that use one single IP address for several users. With this option, you will be able to
identify and filter individual users that access the Internet from the same device.
This option requires that you install the Directory Agent on your directory server and then
deploy proxy settings to users’ web browsers. Essentially, users will send web traffic to
Optinet, acting as a proxy. This allows Optinet to identify users based on web sessions
rather than by IP addresses (method used by all other directory options).
In addition to this, you will need to create two groups; one Network Node Group that will
include the Terminal Services servers or Citrix Servers, and one Directory User Group that
will include the Directory Users. Both groups will use the same Internet Usage Rule set to
Web Authentication-NTLM.
The main advantage to this option is the ability to individually identify and filter users
through Terminal Server or Citrix Server sessions. Although users will be using identical
devices to browse the Web, you can enforce different filtering policies based on Directory
Users. The main disadvantage is that all application reporting and control are global for
these users. Essentially, you will be able to control application and bandwidth traffic for the
Terminal Services server or Citrix server, but you will not be able to control application and
bandwidth traffic for specific users. Also, you will need to configure proxy settings
accordingly. This option will only support Windows (2000 SP4 or above) devices.
Directory Option 4: Directory Agent with Login Page
This option is designed as a failsafe in the event that Directory Option 2 or Directory Option
3 does not succeed, or if users have directory accounts but their devices are not members
of the domain. This option allows you to present users with a login page, where they can
enter in their username and password. Optinet will then verify the credentials and enforce
any filtering or shaping rules to the devices used to access the network.
This option requires that the Directory Agent is installed on your directory server and that
you create an IUR set to Require Web based authentication. This allows Optinet to identify
users on their initial web (HTTP) requests and then query the directory server to confirm the
user. You can also edit the login page presented to users under Admin -> Redirection
Pages -> Login Page. This menu allows you to name the Login Page, add a description, and
a username hint. You can also completely alter the page by using HTML code present on
the page.
The main advantage to this scenario is you can confirm Directory Users regardless of the
device in use. Whether users access the network via Microsoft PC, Macintosh computers,
Linux devices, or even hand held PDAs, Optinet will present all users with a login page
before accessing the Web.
The main disadvantage to this scenario is (depending upon your network) users may be
presented with two login processes: one for the computer or network and one for Internet
access. Also, users must have a login for the directory to use this feature. You cannot
create an Optinet login specific for this feature. If you are attempting to use this feature for
guest users, we recommend you create a guest account on your directory server and inform
guest users of the credentials or alter the login page to present this information.
Another disadvantage is that users will not be correctly identified until Optinet first receives
web (HTTP) traffic from users. As such, there may be some discrepancy with application
control and reporting for users.
In addition to this, as with all Web Authentication options, you will need to create two
groups for users, one for their devices (Network Node Group) and one for Directory Users
(Directory Group). Both groups will need to use the same Internet Usage Rule set to Web
Authentication.
Directory Configurations
After deciding which Directory Option to use, you will need to follow the individual steps for
the corresponding option. Below are listed the instructions on how to configure the various
Directory Options.
Directory Instructions
Directory Option 1: Install Directory Agent -> Create Directory Agent -> Create Directory Agent Group -> Deploy Directory Client -> Create Directory IURs
Directory Option 2: Install Directory Agent -> Create Directory Agent -> Create Optinet Group -> Create Directory Agent Group -> Create Directory IURs
Directory Option 3: Install Directory Agent -> Create Directory Agent -> Create Optinet Group -> Create Directory Agent Group -> Create Directory IURs
Directory Option 4: Install Directory Agent -> Create Directory Agent -> Create Optinet Group -> Create Directory Agent Group -> Create Directory IURs
Figure 7.3 Directory Install Sequences
Install Directory Agents
The Directory Agent will allow Optinet to synchronize your Directory groups, OUs, or user
attributes with the Optinet Directory Groups. The Directory Agent will also indicate how to
display user names under Reports.
You can download the Directory Agent under Admin -> Downloads -> Directory Software ->
Download 32-bit Active Directory Agent. The Directory Agent must be installed on a
Windows (2000 or above) Server that has access to the directory, e.g., Active Directory
server, domain controller, etc.
Once downloaded, double-click on the Directory Agent installation package. This will
present you with the Directory Agent Installation Wizard. Follow the steps of the Wizard by
accepting the License Agreement, selecting a destination folder (C:\Program Files\Black
Box Network Services Directory Agent\ is the recommended placement), and Directory
Agent Settings.
Figure 7.3 Directory Agent Settings
The Directory Agent Settings allow you to specify how Optinet will communicate with the
Directory Agent. In this step, you can adjust the port used to communicate (we
recommend you use the default setting of TCP 3462), and the password for authentication
to and from the Directory Agent. Remember these settings in this step as you will need to
use the same settings for creating the Directory Agent on Optinet.
Once complete, select Finish as the last step for installing the Directory Agent. If you need
to support multiple directories, perform the same steps on the additional directory servers.
There are certain events that can cause the Directory Agent to fail. To avoid this, you can
configure the Directory Agent to restart after failures. Access the Services on your directory
server (Start -> Administrative Tools -> Services) and search for the service called Black
Box Network Services Directory Agent. Right-click on the Black Box Network Services
Directory Agent service and select Properties. On the Recovery Tab, you can select Restart
the Service under First Failure, Second Failure, and Subsequent Failures.
Figure 7.4 Black Box Network Services Directory Agent Properties
One final note is that the Directory Agent needs domain user access with all Directory
Options except for Directory Option 2: Directory Agent with IP Lookup. This option requires
that the Directory Agent has administrative access (Log on as Administrator) to the
directory server. This allows the Directory Agent to force the directory server to retrieve
user credentials. Please make sure you select Log On as Administrator with this option.
Figure 7.5 Black Box Network Services Directory Agent Properties
Create Directory Agents
The second part to using the Directory Agent is to establish an association with Optinet.
This is done by creating the Directory Agent on Optinet, which will allow the device to
synchronize directory groups, OUs, and user attributes.
Under Manage -> Directory Users & Nodes -> Directory Agent, click the Create button.
This will bring up the Add/Edit Directory Agent menu. In this menu you can create a name
for the Directory Agent, but more importantly you will specify the IP address of the AD
server where the Directory Agent is installed.
Also, enter the Directory Agent settings from the previous section, i.e., the TCP port
(recommended port 3462) and the Directory Agent Password. Once you have entered
these settings, click Save and Optinet will attempt to contact the Directory Agent to confirm
that it can communicate with it. If any errors are returned, verify that you
have entered the correct IP address, TCP port number, and password. If you have installed
multiple Directory Agents, you will need to create a Directory Agent entry on Optinet for each of them.
Create Optinet Groups
Directory Options 2, 3, and 4 differ in that the Directory Client is not used to
indicate when Directory Users access the network. Rather, Optinet identifies Directory
Users by their initial web (HTTP) requests. Because of this, non-web
(HTTP) traffic coming from users may not be handled or grouped correctly until they access
the Web. To compensate for this, you will need to create Network Node Groups for the
devices that will be used by Directory Users to ensure that all their traffic is handled
correctly.
To do this, follow the steps under the section Groups in Chapter 5: Managing Optinet. Add
the devices that the Directory Users will be using to access the network. For example, if
you are using Directory Option 3: Directory Agent with NTLM, you will place the Citrix
servers or Terminal Services servers into this group. Later, you will create a single Internet
Usage Rule that will be used by both the Network Node Group as well as the Directory Users
Group.
If you are unaware of the exact devices that will be in use by the Directory Users, you can
create an Optinet Group based on the IP address range assigned to their devices. Again, see
the section Groups in Chapter 5: Managing Optinet for information on how to create Optinet
Groups with different member types. An additional option is to have the Default Group (all
unassigned devices) use the same Internet Usage Rule as your Directory Users.
Create Directory Agent Group
Directory Agent Groups are created under the same menu as Optinet Groups. The
difference with Directory Agent Groups is that these groups will use the Directory Agent and
your directory server to identify Directory Users. You must first install and create a
Directory Agent before you can create Directory Agent Groups.
Click on Manage -> Policies & Rules -> Groups -> Create -> Create a Directory Agent
Group. This will post the Add/Edit Directory Agent Group Detail. In this menu, you will
need to assign a name for the Directory Agent Group as well as a description. Afterwards,
select which Directory Agent you will use to synchronize the Directory Agent Group with the
Directory Agent drop-down box. Once you have selected your Directory Agent, click the
Add Members button.
Optinet will now communicate with the Directory Agent and query your directory server for
Distribution Groups or Security Groups. To add these groups select the empty checkboxes
next to the groups and then click the Ok button. If you need to select multiple profiles, you
can use Shift+Click or Ctrl+Click accordingly.
Distribution or Security Groups are just one of four member types you can synchronize with
the Directory Agent. You can also synchronize Organizational Units (OUs) and user
attributes. To select these different member types, click on the Choose a Member Type
drop-down box under the Add Directory Group Members menu.
If you select OUs, again, Optinet will communicate with the Directory Agent and query your
directory server for OUs. You can then select the profiles for the OUs with the empty
checkboxes and select Add. If you choose Attribute or Custom, you will be prompted to
define the user attribute of the Directory Users you want to synchronize to the Directory
Agent Group.
Attributes are characteristics or distinguishing features that are applied to users. You can
use the Directory Agent to query the directory server and find distinguishing attributes and
group users accordingly.
The two menus (Attributes and Custom) require advanced knowledge of your directory and
users’ attributes. With Attribute you will need to specifically identify which user attributes
will identify members of the Directory Agent Group, i.e., phone numbers, names, locations,
etc. With Custom, you can use a combination of Attributes.
Below is a table of some common examples used in directory servers and how to
synchronize groups based on attributes. Use this guide or your own directory attributes to
assist in synchronizing Directory Agent Groups with Optinet.
Common Directory Attributes
Attribute              Example
CN (Common Name)       CN=John Doe
displayName            displayName=John Doe
givenName              givenName=John
objectCategory         objectClass=user
sAMAccountName         sAMAccountName=jdoe
userPrincipalName      [email protected]
mail                   [email protected]
c (Country)            c=usa
company                company=mycompany
department             department=IT
location               location=remote site
manager                manager=boss
postalCode             postalCode=11111
st (State)             st=New York
streetAddress          streetAddress=123 Main
telephoneNumber        telephoneNumber=111-111-1111
An example of how to synchronize Directory Agent Groups based on Attributes would be
creating a Directory Agent Group for all users that are upper level managers. The Attribute
would read “manager” followed by “is exactly” and then “upper level”.
Figure 7.6 Attribute Example
This Directory Agent would then query the directory server for any user that has an
Attribute of manager set to upper level. Accordingly, every time upper level managers
access the network, Optinet will group the users as a result.
Again, the member type of Attribute requires a high level of understanding on how to
identify specific characteristics with Directory Users. The examples listed above are
common directory attributes, but keep in mind that your directory server may have its own
attributes specific to your organization. Because of this, you may need to perform some
independent research on how to use the Attribute feature.
The drop-down options for the Attribute member type are is exactly, is approximately, is
not, is less than or equal to, is greater than or equal to, contains, does not contain, starts
with, and ends with. The Attribute and Value fields allow you to enter case-sensitive values
from your directory server.
The member type of Attribute allows you to specifically identify how to synchronize
Directory Agent Groups based on a single attribute. However, if you want to synchronize
Directory Agent Groups based on multiple Attributes, you will need to select the member
type of Custom.
Custom allows you to synchronize Directory Agent Groups based on combined attributes.
Using the example above we could create a group based on all upper level managers that
didn’t include those from a remote site.
The custom attribute would read “manager” followed by “= upper level”. Towards the end
would be the attribute for the stipulation to not include the remote site, “! location=remote
site”. The Custom member type requires that you separate the different Attributes as
well as enclose the entire string in parentheses to identify these Directory Users correctly,
e.g., ((manager=upperlevel)!(location=remote site)).
Figure 7.7 Custom Example
The following table lists common operators with Directory Custom Attributes.
Common Directory Operators
Operator   Meaning
&          And
|          Or
!          Not
=          Equals
~=         Approximately
>          Greater than
<          Less than
>=         Greater than or equals
<=         Less than or equals
Once more, using Custom member type requires advanced knowledge of how to define
Directory Attributes. If you are having difficulty creating Directory Agent Groups based on
Attributes or Custom, please contact your Authorized Black Box Network Services Reseller
or Black Box Network Services Support. One last note is that you can also combine
Directory Users into one group using a combination of the different member types.
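As an added example (not Optinet's own code), the following Python script evaluates filters written with the operators in the table against a few constructed directory entries, so you can see which users a given Attribute or Custom definition would place in a Directory Agent Group. It assumes the standard LDAP filter notation (RFC 4515 prefix form, in which the Custom example above becomes (&(manager=upper level)(!(location=remote site)))); the string the Optinet UI itself accepts is the one shown in the manual. The sample users and their attribute values are constructed.

```python
# Added example (not Optinet's own code): evaluate directory filters built from the
# attribute and operator tables above against constructed user entries. Assumption:
# filters use standard LDAP notation (RFC 4515 prefix form, e.g. (&(a=b)(!(c=d)))).

# Constructed sample entries (fictional users, not real accounts).
USERS = [
    {"sAMAccountName": "jdoe", "manager": "upper level", "location": "remote site",
     "department": "IT", "postalCode": "11111"},
    {"sAMAccountName": "asmith", "manager": "upper level", "location": "head office",
     "department": "IT", "postalCode": "22222"},
    {"sAMAccountName": "bjones", "manager": "boss", "location": "head office",
     "department": "Sales", "postalCode": "33333"},
]


def parse_filter(text):
    """Parse a filter into ('&'|'|'|'!', [children]) or (op, attr, value) nodes."""
    text = text.strip()
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected trailing text: {text[pos:]!r}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if i < len(s) and s[i] in "&|":             # And / Or over one or more sub-filters
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError(f"'{op}' needs at least one sub-filter")
        return _expect(s, i, ")"), (op, children)
    if i < len(s) and s[i] == "!":              # Not over exactly one sub-filter
        i, child = _parse(s, i + 1)
        return _expect(s, i, ")"), ("!", [child])
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated comparison")
    item = s[i:end]
    # Two-character operators are tried first so 'a>=b' is not read as 'a>' '=b'.
    for op in ("~=", ">=", "<=", "=", ">", "<"):
        if op in item:
            attr, value = item.split(op, 1)
            return end + 1, (op, attr.strip(), value.strip())
    raise ValueError(f"no operator in {item!r}")


def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at position {i}")
    return i + 1


def evaluate(node, entry):
    """True if the directory entry satisfies the parsed filter."""
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    # Attribute names are matched case-insensitively; an absent attribute never matches.
    actual = next((str(v) for k, v in entry.items() if k.lower() == attr.lower()), None)
    if actual is None:
        return False
    if op == "=":                               # '*' gives contains / starts with / ends with
        return _wildcard(actual, value) if "*" in value else actual.lower() == value.lower()
    if op == "~=":                              # approximate: ignore case and whitespace
        return "".join(actual.split()).lower() == "".join(value.split()).lower()
    cmp = _compare(actual, value)
    return {">=": cmp >= 0, "<=": cmp <= 0, ">": cmp > 0, "<": cmp < 0}[op]


def _compare(actual, value):
    try:                                        # numeric attributes compare as integers,
        a, b = int(actual), int(value)
    except ValueError:                          # anything else in case-insensitive order
        a, b = actual.lower(), value.lower()
    return (a > b) - (a < b)


def _wildcard(actual, pattern):
    parts, actual = pattern.lower().split("*"), actual.lower()
    if not (actual.startswith(parts[0]) and actual.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for middle in parts[1:-1]:                  # middle fragments must appear in order
        idx = actual.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return len(actual) - len(parts[-1]) >= pos


def select(filter_text, users=USERS):
    """Sorted sAMAccountNames of the users matching the filter."""
    tree = parse_filter(filter_text)
    return sorted(u["sAMAccountName"] for u in users if evaluate(tree, u))
```

select("(&(manager=upper level)(!(location=remote site)))") returns only asmith, the upper-level manager who is not at the remote site. The approximate operator ignores case and whitespace, so (manager~=upperlevel) still matches "upper level" while (manager=upperlevel) does not; numeric attributes such as postalCode are compared as numbers, and a malformed filter raises ValueError rather than silently matching nobody.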
After you have added members to the Directory Agent Group, you can also review the
Directory Members by selecting Show User List. This menu is available under the Add/Edit
Directory Agent Group Detail. Select the checkbox next to each Directory Member and click
the Show User List button. You can also remove Directory Members with the Remove
Members button. The Edit Member button is only available with Directory Members based
on Attributes or Custom member types.
The last option available with the Add/Edit Directory Agent Group Detail is the Edit
Precedence. This setting is used when you have created multiple Directory Agent Groups
and may have conflicting user membership. For example, if you have two Directory Agent
Groups based on OUs and some users of the Directory Agent Groups are members of both
OUs, you can use the Edit Precedence to specify which Directory Agent Group assignment
will take priority. The Edit Precedence allows you to drag and drop Directory Agent Group
names to adjust group precedence. After you have synchronized your Directory Agent
Groups, make sure to Save your changes.
Deploy Directory Client
The Directory Client is a small executable file that sends user information to Optinet. These
transmissions are called heartbeats. They allow Optinet to identify the specific user that is
generating network traffic from a particular computer. In essence, the Directory Client
identifies the traffic by user name and associates it with the current computer’s IP address.
While the Directory Client continues to send heartbeats, Optinet watches traffic from that IP
address and associates it with the user. Once the user logs out, the Directory Client stops
sending heartbeats, and Optinet disassociates the IP address from the user name. Thus,
the Directory Client allows Optinet to identify user traffic for monitoring, shaping, and
blocking. The steps to deploy the client follow.
Directory Client Versions
There are three versions of the Directory Client. The three versions of the Directory Client
are cymdir.exe (Directory Client for 32-bit Windows OS), cymdir_64.exe (Directory Client
for 64-bit Windows OS), and cymdir_MAC (Directory Client for Macintosh computers).
Please note that the Directory Client is compatible with Windows 2000 SP4 and above
platforms as well as Macintosh OSX 10.3 and above platforms. This next section details
how to deploy the Directory Client for 32-bit Windows XP. The Macintosh clients have readme
files that instruct on how to deploy the cymdir_MAC client. You can download the
Macintosh client to access the readme files under Admin -> Configuration -> Downloads ->
Directory Software.
The other Directory Clients are also available under Admin -> Downloads -> Directory
Software.
Once you download the Directory Client, you will want to execute the file locally to present
some of the help features that the Clients offer. You can also test how user names will be
posted with Optinet. You will need to be logged into a Windows PC that is a member of the
domain for these steps to work.
Executing the Directory Client
Place the Directory Client on your desktop. Now, double-click the executable. Although the
Clients are signed applications, your security settings may trigger a warning about running
executables. Simply click Run to continue executing the Client. You should receive the
following help dialog box.
Figure 7.8 Directory Client Help Dialog Box
Without any parameters set for the Clients, you should receive a help dialog box like the
one posted above. This help dialog box will post when the Clients are unable to send
heartbeats to Optinet or have other communication errors. This box will also appear if there
are syntax errors or if no Optinet IP address is provided. The Help Dialog will provide
several useful pieces of information:
• Error Messages—this message will post when a connection failure is present for the
  Clients. Causes of connection failures are invalid IP addresses assigned as
  parameter values, Optinet is powered off, computers running the Clients are unable
  to connect to the network, bad command line parameters, etc. You can use the
  Error Message to diagnose problems with the Clients if they occur.
• Authentication Type—this message will post which type of authentication appears to
  be on the network, such as Windows authentication or Novell authentication. If both
  are available, you can choose which you prefer by using the /AD switch (please see
  section Usage below).
• Authentication Information—this option displays the current user logged into the
  computer as well as the Domain (Windows) or Context (eDirectory). If the computer
  is not part of a Domain, the Clients will return the name of the Windows workstation.
• Usage—this is intended to show the proper syntax for command line options given to
  the Clients. Please note that the Optinet IP address is always required and should
  always come last.
  o /ad switch—this option is only necessary under either of the following
    conditions:
    - Some of your workstations have the Novell Client installed.
    - You want to use Active Directory even though eDirectory is present.
    This option will force the Clients to send Windows Active Directory user
    information and not eDirectory user information.
  o /tcp switch—this option is used to force the Clients to use TCP connections
    instead of UDP. UDP connections are preferred as they do not require static
    routes; however, this option is available for backwards compatibility and
    troubleshooting. If you enable this option, you will need to create static
    routes accordingly. Please see the section Static Routes in Chapter 6:
    Administrating Optinet.
• /silent switch—this option will prevent the help dialog from coming up under any
  circumstances. This setting is not recommended for troubleshooting and testing
  purposes; however, under normal usage this option is recommended. This option
  should be used when you deploy the Clients in your production environment. By
  doing so, you will prevent end users from seeing this dialog box and possibly
  disabling it or causing other problems.
• /sleep switch—this option allows you to change the number of minutes the Clients
  will allow to pass before sending heartbeats and becoming dormant. The default
  setting is 5 minutes. The value must be 1 minute or greater.
• IP address—this option is necessary to direct the Client to Optinet for heartbeats.
  You will need to use the IP address of Optinet.
• Complete Usage Information—this option lists further reference information for
  assistance on deploying the Clients.
Once you have reviewed the options available on the help dialog box for the Clients, you
may exit the dialog box and properly execute the client locally for testing. Please follow
these steps:
1. Open a Windows Run Prompt (Start -> Run).
2. Type “cmd” in the open dialog box.
3. Click OK.
4. Drag cymdir.exe to the Command Prompt, and drop it (this will paste the full path).
5. After “cymdir.exe” type in the IP address of the Optinet (in this example, we will use
192.168.255.2).
Figure 7.9 Command Line Syntax for Directory Client
6. Execute the command by pressing ENTER.
a. If the help dialog is raised, then there were communication errors. Please
review the syntax and correct any possible errors, i.e., IP address, switches,
etc.
b. If the help dialog is not raised, then the command executed properly. You
can verify this by looking at the process list of the Windows Task Manager. A
process called cymdir.exe should be listed.
Now that you have properly executed the Client locally, let’s confirm that Optinet received
the heartbeat and posted the correct username. Click Manage -> Directory Users & Nodes ->
Directory Users. Verify there is a new profile listed by the username used to access the
computer.
Deploying the Directory Client
Now that you have confirmed that the Client can communicate to Optinet, you are ready to
deploy the Client in your network.
Because each network is unique, the User Guide and Black Box Network Services cannot
make specific recommendations as to how you should integrate the Directory Client into
your network and directory server. This section will provide the best information; however,
please note that this information is provided “AS-IS” and without warranty of any
kind.
There are a variety of ways to deploy the Directory Client in your network that will execute
when users login to the domain. The most common ways are the following:
• Batch file
• Registry Setting
• Domain Group Policy Object (GPO)
• Netware Login Script
• VB Script
• Registry Key
• Shortcut in Startup folder
All of these methods employ different means for executing the Directory Client. However,
this chapter will only cover how to deploy the Directory Clients via a batch file, registry
settings, and Domain GPO. Other methods presented will need to be researched and
deployed at your discretion. Again, because each network is different, this User Guide will
not advise which method is better. This guide will merely present the most common
techniques used.
Creating a Batch File for Directory Client
1. Pick a file directory on your directory server that will store both the batch file and
Client (for example \\server\share\folder).
2. Copy Directory Client to this folder.
3. Create a Windows batch/command file in this folder (you can do this from notepad
and change the file extension to .bat).
4. Enter the following text into the file, substituting your own share path and the IP
address of Optinet (in this example we will use the path
\\mydomain.tld\netlogon\Black Box Network Services and the IP address 192.168.255.2):
start /d "\\server\share\folder" cymdir.exe /silent IP address of Optinet
a. Using Windows shell environment variables can add power and flexibility to
the batch file. For example, by using the syntax
start /d "\\%directoryserver%\netlogin\" cymdir.exe /silent 192.168.255.2
you can deploy the Directory Client over multiple directory servers. However, this may
require additional troubleshooting if the variables do not resolve correctly. If
this is the case, use the full syntax as displayed below.
Figure 7.10 Batch File for Client
5. Verify that the newly created batch file executes when users log in to the domain by
loading the Windows Task Manager and confirming the Directory Client is in the process
list.
Deploying the Directory Client in a Group Policy Object
1. Log on to your Domain or Active Directory server.
2. Open a Windows Run Prompt (Start -> Run).
3. In the Open field type “mmc” (Microsoft Management Console).
4. Click OK.
5. In the File menu select Add/Remove Snap-in.
Figure 7.11 Console Prompt
6. Click the Add button.
7. Scroll down and select Group Policy Object Editor.
Figure 7.12 Add Standalone Snap In
8. Click the Add button (this will launch the Group Policy Object Wizard).
9. Press the Browse button.
10. Select Default Domain Policy.
11. Click OK.
Figure 7.13 Browse for Group Policy Object
12. Click Finish on the Add Group Policy Wizard.
13. Close the Add Standalone Snap-in dialog box.
14. Click OK on the Add/Remove Snap-in dialog box (you should now be looking at the
MMC screen with the Console Root Folder above the new Default Domain Policy you
have just added).
Figure 7.14 Console Root
15. Expand the Default Domain Policy.
16. Expand the User Configuration option.
17. Expand the Windows Settings option.
Figure 7.15 Scripts Logon
18. Select Scripts (Logon/Logoff).
19. Right-click the Logon option for the Logon Properties dialog box (depending on your
current configuration you may already have several scripts running).
20. In order to place Directory Client in the correct folder for your Domain Policy select
Show Files button (this will open a new window displaying the current files for the
Domain Policy).
21. Copy Directory Client and paste it into the logon scripts folder (please confirm that
you copied the entire file into the folder and not just a shortcut to the file or the file
path).
22. Close the logon scripts folder to return to the Logon Properties dialog box.
23. Click Add to open the Add a Script dialog box.
24. Click Browse to open the Logon Script Folder.
25. Select Directory Client and click Open (you should now be in the Add a Script Dialog
box; Directory Client should appear in the Script Name box).
26. Enter The Optinet IP address in the Script Parameters box (in this example we will
use 192.168.255.2).
Figure 7.16 Script Parameters
27. Click OK to close the Add a Script dialog box.
28. Click OK again to close the Logon Properties dialog box.
29. Confirm any other changes to the Console Root settings that you have edited.
Directory Client is now ready to run the next time users login to the Active Directory
domain. Again, you can confirm this by reviewing the Directory User tab in Optinet to verify
that Optinet is receiving heartbeats from users.
Deploying Directory Client in a Registry Entry
This method requires additional administrative effort as Directory Client must be deployed
to each work station in question and a registry key imported. Directory Client also may
require multiple running instances in some circumstances; however, this will not impact
performance or reporting.
1. Create a Windows registry file (you can do this from notepad and change the file
extension to .reg).
2. Insert the following text. (You may need to adjust the path depending on your
settings. Also the last line requires the IP address of Optinet. In this example, we
will use 192.168.255.2)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlackBoxNetworkServices"="cymdir.exe /silent 192.168.255.2"
3. Save and exit the registry file.
4. Place a copy of the Directory Client in each workstation’s Windows folder. (You can also
choose any location in PATH.)
5. Import the registry file into each workstation’s registry.
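The registry entry above names cymdir.exe without a path, so Windows locates the client by searching PATH at each logon. The Run key is a standard auto-start location that administrators routinely audit, and the usual hardening is to give the value a quoted, fully qualified path. As an added example (not Optinet's own code), the Python script below parses a .reg file of the form shown, extracts the Run entries, and reports any that are not such a path; the first sample reproduces the manual's entry and the second uses the constructed path C:\Windows\cymdir.exe, which is an assumption about where you copied the client.

```python
# Added example (not Optinet's own code): parse a .reg file like the one above and check
# each Run entry before it is imported. The path C:\Windows\cymdir.exe is an assumption.
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed .reg files: the first mirrors the manual's entry, the second uses a full path.
REG_AS_DOCUMENTED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlackBoxNetworkServices"="cymdir.exe /silent 192.168.255.2"
'''

REG_FULL_PATH = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlackBoxNetworkServices"="\"C:\\Windows\\cymdir.exe\" /silent 192.168.255.2"
'''

# One "name"="value" line; .reg files escape backslashes and quotes inside strings with '\'.
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: string_value}} for the string values in a .reg file."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = _STRING_VALUE.match(line)
        if match and current is not None:
            keys[current][_unescape(match.group(1))] = _unescape(match.group(2))
    return keys


def split_command(cmd):
    """Split a Run value into (executable, arguments), honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end < 0 else (cmd[1:end], cmd[end + 1:].strip())
    exe, _, args = cmd.partition(" ")
    return exe, args.strip()


def is_fully_qualified(path):
    r"""True for drive-letter (C:\...) or UNC (\\server\share\...) paths."""
    return re.match(r"^(?:[A-Za-z]:\\|\\\\)", path) is not None


def audit_run_entries(text):
    """Return (value_name, issue) pairs for Run entries that should be fixed before import."""
    findings = []
    for name, cmd in parse_reg(text).get(RUN_KEY, {}).items():
        exe, _args = split_command(cmd)
        # Heuristic: an unquoted path containing spaces splits at the first space, so the
        # first token is not an executable name.
        if not exe.lower().endswith((".exe", ".cmd", ".bat", ".com")):
            findings.append((name, "unquoted path with spaces; quote the full executable path"))
        elif not is_fully_qualified(exe):
            findings.append((name, "executable is not a full path; Windows resolves it by PATH search"))
    return findings
```

audit_run_entries(REG_AS_DOCUMENTED) flags the manual's entry because cymdir.exe is resolved through PATH search, while audit_run_entries(REG_FULL_PATH) returns no findings. Run the check on the file you intend to import with step 5; it only reads the text and never touches the registry.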
This concludes the section on how to deploy Directory Client. Again, because each network
is unique, you may need to determine the best method (or perhaps combination of
methods) to deploy the Directory Client.
Create Directory Internet Usage Rules
Creating Internet Usage Rules (IURs) for Directory Groups is quite similar to creating IURs
for Optinet Groups. If you have chosen Directory Option 1 or Directory Option 5 for
integrating Directory Users, you will follow the same steps listed in Chapter 5: Managing
Optinet for your IURs.
If you have chosen Directory Option 2, 3, or 4, you will need to enable the different
features tailored for each option under the Internet Usage Rule Manager. This is done
under the Web Authentication tab. Several options that are universal to
Directory Options 2, 3, and 4 are listed under Web Authentication.
Web Authentication
Remember that Web Authentication identifies users by web (HTTP) requests. Because of
this, non-web traffic (e.g., IM, P2P) may not at first be correctly reported or controlled
until Optinet receives a web request from Directory Users. Because of this, the IUR you
assign to the Directory Users needs to be the same IUR you assign to a device in use by
Directory Users. Directory Options 2, 3, and 4 require you to make two groups: Optinet Groups
for Directory Users’ devices and Directory Groups for Directory Users. Both these groups
will need to use the exact same IUR.
Also, remember that Directory Option 4 is the safeguard for Directory Options 2 and 3. If,
for some reason, these two Web Authentication mechanisms fail (IP Lookup or NTLM), Optinet will
present a login page for members of the Directory Group. Below are settings that can be
used with all Web Authentication rules.
• Web Authentication White List—these are web sites for which Optinet will not
require Directory credentials to access.
• Inactivity Timeout—this setting allows you to identify how much inactive time can
pass before Optinet re-confirms Directory Users. For example, if you use
Directory Option 4: Directory Agent with Login Page, Optinet will present a user
with a login page on his/her first initial web (HTTP) request. If after logging in,
the user does not pass any more web traffic within a certain amount of time,
Optinet will again present the login page to the user. The default time for this
setting is 5 minutes.
• Session Timeout—this setting allows you to identify how much time can pass,
regardless of activity, before Optinet re-confirms Directory Users. With Directory
Option 2: Directory Agent with IP Lookup, Optinet will again (via the Directory
Agent) have the Directory Server re-confirm the credentials of the Directory
Users. With Directory Option 3: Directory Agent with NTLM, Optinet will review
the Proxy connections of the users and re-confirm their credentials. Lastly, with
Directory Option 4: Directory Agent with Login Page, Optinet will present users
with a Login page. The default time for this setting is 30 minutes.
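As an added example (not Optinet's own code), the following Python model applies the three settings above to a constructed sequence of web requests and reports, per request, whether Optinet would pass it, re-confirm the user (the login page for Option 4, IP Lookup for Option 2, NTLM for Option 3), or skip authentication because the host is on the white list. The manual does not state the finer details, so the model assumes that a re-confirmation restarts both timers, that a request arriving at or after a timeout triggers re-confirmation, and that white-listed requests do not count as activity.

```python
# Added example (not Optinet's own code): model of the Web Authentication timers.
# Assumptions: re-confirmation restarts both timers, a request at or after a timeout
# triggers re-confirmation, and white-listed hosts do not count as activity.

INACTIVITY_TIMEOUT = 5 * 60    # manual's default: 5 minutes, expressed in seconds
SESSION_TIMEOUT = 30 * 60      # manual's default: 30 minutes, expressed in seconds


class WebAuthTracker:
    def __init__(self, inactivity=INACTIVITY_TIMEOUT, session=SESSION_TIMEOUT, white_list=()):
        self.inactivity = inactivity
        self.session = session
        self.white_list = {h.lower() for h in white_list}
        self.confirmed_at = {}   # ip -> time credentials were last (re)confirmed
        self.last_seen = {}      # ip -> time of the last counted web request

    def handle_request(self, ip, host, now):
        """Return 'whitelist', 'login' or 'pass' for one HTTP request from ip at time now."""
        if host.lower() in self.white_list:      # Web Authentication White List
            return "whitelist"
        confirmed = self.confirmed_at.get(ip)
        last = self.last_seen.get(ip)
        self.last_seen[ip] = now
        if confirmed is None:                    # first web request from this device
            needs_confirmation = True
        elif now - confirmed >= self.session:    # Session Timeout, regardless of activity
            needs_confirmation = True
        else:                                    # Inactivity Timeout since the last request
            needs_confirmation = now - last >= self.inactivity
        if needs_confirmation:
            self.confirmed_at[ip] = now          # assumption: both timers restart here
            return "login"
        return "pass"


def simulate(requests, **kwargs):
    """Run (ip, host, seconds) tuples through a fresh tracker and return the decisions."""
    tracker = WebAuthTracker(**kwargs)
    return [tracker.handle_request(ip, host, t) for ip, host, t in requests]


# Constructed traffic from one workstation; times are seconds since its first request.
SAMPLE = [("10.0.0.5", "www.example.com", t) for t in
          (0, 60, 360, 400, 600, 800, 1000, 1200, 1400, 1600, 1800, 2000, 2160)]
```

simulate(SAMPLE) shows both timers with the defaults: the request at 0 s is confirmed, the one at 360 s is re-confirmed because 300 s of inactivity have passed since the request at 60 s, and the one at 2160 s is re-confirmed by the session timeout even though requests kept arriving every 200 s. Passing inactivity=, session= or white_list= to simulate() lets you try the values you intend to configure.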
Directory Option 2: Directory Agent with IP Lookup
For Directory Option 2, go to Manage -> Policies & Rules -> Internet Usage Rule -> Create.
Name the Internet Usage Rule after its corresponding Directory Group. You can also select
web categories, URLs, and other settings to block for the Directory Group by following the
instructions listed under Internet Usage Rules in Chapter 5: Managing Optinet for your IURs.
Afterwards, click on the Web Authentication tab and select Require Web Based
Authentication. Once you have selected this, the checkbox next to Directory Agent IP
Lookup will be available. Check the box next to the option and Save your changes. Don’t
forget to apply the IUR to the Directory Group and its corresponding Optinet Group using
the Policy Manager.
Directory Option 3: Directory Agent with NTLM
For Directory Option 3, go to Manage -> Policies & Rules -> Internet Usage Rule -> Create.
Name the Internet Usage Rule after its corresponding Directory Agent Group. You can also
select Web categories, URLs, and other settings to block for the Directory Agent Group by
following the instructions listed under Internet Usage Rules in Chapter 5: Managing Optinet
for your IURs.
Afterwards, click on the Web Authentication tab and select Require Web Based
Authentication. Once you have selected this, the checkbox next to Directory Agent NTLM
Handshake will be available. Check the box next to the option and Save your changes.
Don’t forget to apply the IUR to the Directory Group and Optinet Group using the Policy
Manager.
Because the NTLM handshake will be issued via a proxy connection, make sure that Optinet
is configured in Proxy mode (Admin -> Configuration -> Advanced Setup -> Allow HTTP
Connections on Port 8888). For more information on this setting please see Chapter 2:
Installing Optinet.
Directory Option 4: Directory Agent with Login Page
For Directory Option 4, go to Manage -> Policies & Rules -> Internet Usage Rule -> Create.
Name the Internet Usage Rule after its corresponding Directory Group. You can select
which web categories, URLs, and other settings to block for the Directory Group by following
the instructions listed under Internet Usage Rules in Chapter 5: Managing Optinet for your
IURs.
Afterwards, click on the Web Authentication tab and select Require Web Based
Authentication. Users will now be presented with a Login Page as soon as they initiate a
web (HTTP) request. Remember to Save your changes and apply the IUR to the Directory
Group as well as the Optinet Group using the Policy Manager.
Directory Troubleshooting
There are several variables that can cause Directory integration to not work properly with
Optinet. Identifying which components of Directory integration are not working properly will
help you find a solution. We’ll first discuss using Optinet to diagnose the problem. We then
discuss troubleshooting Group Policy Objects with the Directory Client, scripting issues, and
other possible problems.
Using Diagnostic Tools
There are five Optinet diagnostic tools that can be used to confirm if Directory is working
properly. The first four tools are located under Admin -> Configuration -> Diagnostic Tools.
The last is listed under Admin -> Logs. All the tools are listed below as bulleted items:
• Directory Agent Diagnostics—this menu allows you to confirm Directory group
synchronization, Directory User assignment, and current devices in use by Directory
Users. This menu has several options to confirm that the Directory Agent is
operating correctly, and that Optinet is able to associate network traffic with the
correct Directory User.
The first option is User Lookup. User Lookup can determine where users are located
on the Directory Server to ensure they are synchronized correctly to Directory
Groups on Optinet. Select Test Type User Lookup and the Directory Agent that is
installed on the Directory Server for the corresponding user. Enter in the Username
and click the Run Diagnostic button.
If the Directory Agent can successfully find the Username, the user’s Common Name,
Directory Agent Group (the synchronized group for Optinet), the Directory Agent
Group (the actual user group from the Directory Server), the Distinguished Name,
and the time taken to run the test will be posted. If this information is not posted or
is incorrect, verify that the Directory Agent is running correctly and can communicate
to Optinet. Also, confirm that the user’s account is present on the Directory Server
where the Directory Agent is installed.
The next option is IP Lookup. This option allows you to query a workstation and
confirm that the user is present on the workstation. This option is used in
conjunction with Directory Option 2: Directory Agent with IP Lookup and will (via the
Directory Agent) petition the Directory Server to confirm user credentials for specific
IP addresses.
Select the IP Lookup from the Test Type drop-down box and the Directory Agent for
the specific Directory User. Enter in the IP address of the device you want to query,
and click the Run Diagnostic button. If the Directory Server can successfully
communicate to IP address, the Directory Agent will post the Username, the user’s
Common Name, Directory Agent Group (the synchronized group for Optinet), the
Directory Agent Group (the actual user group from the Directory Server), the
Distinguished Name, and the time taken to run the test.
If the test is unsuccessful, confirm that File and Print share rights are enabled on the
end user’s device. Also, verify that the user’s DNS server is set to use the Directory
server where the Directory Agent is installed. Lastly, confirm that the user’s account
is present on the Directory Server where the Directory Agent is installed.
The last option available on the Directory Agent Diagnostics menu is Validate
Username/Password. This option will query the Directory Server to verify the
username and password of the user. If users are having trouble accessing their
Directory account, you can use this tool to confirm credentials.
Select the Validate Username/Password selection from the Test Type drop-down box.
Then, select the corresponding Directory Agent from the Directory Agent drop-down
box. You can then enter the Username and Password and click the Run Diagnostic
button.
Again, if the test is successful, the Results will post the Username, the user’s
Common Name, Directory Agent Group (the synchronized group for Optinet), the
Directory Agent Group (the actual user group from the Directory Server), the
Distinguished Name, and the time taken to run the test. One additional line will post
with this test confirming if the password is valid or not.
If this test is unsuccessful, confirm the Username and Password (case sensitive) for
the user on the Directory Server. You will also want to verify that Optinet can
communicate to the Directory Server and that the user’s account is present on the
Directory Server where the Directory Agent is installed.
• Directory Agent Users—this menu allows you to confirm how Optinet is identifying
Directory Users, which Directory Group users are being assigned, and their
associated IP addresses. The columns of Username, Common Name, IP Address,
Directory Agent Group, Mode, and Status will list current conditions for the selected
Directory Users.
The first option (Username) allows you to enter a Username and confirm the user’s
Username and Common Name from the Directory. Also listed are the IP address the
user is currently using, the Directory Agent Group to which Optinet is assigning the
user, and the Mode (Directory Option 1, 2, 3, 4, or 5) being used to identify the
Directory User. Lastly, the Status column lists the current status of the user, i.e.,
active, inactive, etc.
Other search options available are Common Name, IP Address, and Directory Agent
Group. Simply select the searchable option you want to use as criteria, enter in the
parameters for the search, and click the Search icon (or hit the Enter key). Optinet
will then query the Directory Agent Users menu and post the results. If Directory
Users are being assigned to incorrect groups or by incorrect modes, you should
confirm how you have created your Directory Groups or what particular attributes
have been assigned to your users on your Directory Server.
• IP Address Map—IP Address Map shows the association between Directory Users and
IP addresses. You can use this tool to confirm that an active IP Address is being
assigned to the correct Directory User. If, after a user logs in, the IP address is
not posting the correct Directory User profile, the Directory Client is probably not
executing correctly. Review your deployment of the Directory Client as a possible
culprit for this problem.
• No LDAP Network Nodes—this menu lists all devices currently passing traffic that do
not have an associated Directory heartbeat. This is a great tool for confirming whether
a computer on the network is sending Directory heartbeats.
Please keep in mind that there will inevitably be some devices on the network that
do not execute the Directory Client upon login (such as network printers, wireless
access points, network appliances, etc). You can use IP Address Map and No LDAP
Network Nodes to confirm if a user is executing the Directory Client upon login.
• Activity Logs—this log keeps track of all processes running on Optinet. If Optinet
cannot communicate with the Directory Agent or cannot query the Directory Server,
the Activity Log will post an error or alert accordingly. Verify that the Directory Agent
is running, as this log normally indicates a failed communication between Optinet and
the Directory Server. If after using these tools you are still experiencing problems,
continue with the following suggestions.
• Force cymdir.exe Session Timeouts—this utility forces all cymdir.exe sessions to time
out immediately. Use this tool if cymdir.exe users are not being correctly grouped
and you need to verify the deployment process. If the Directory Client has been
deployed correctly, Optinet should receive new heartbeats after forcing session
timeouts and begin to regroup users according to their Directory Agent Group
assignment.
• Flush Web Auth Cache—this utility forces all Web Authentication sessions to time out
immediately. Use this tool if Web Authentication users are not being correctly
grouped and you need to verify the Web Authentication process. If Web
Authentication is working properly, Optinet should identify users after forcing session
timeouts and begin to regroup users according to their Directory Agent Group
assignment.
Troubleshooting GPO Issues
To troubleshoot potential GPO issues, replace the text in cymdir Login Script.bat with the
following (replace the placeholder values, such as the server share path and the Optinet
IP address, with the pertinent information for your network).
@ECHO OFF
REM This part runs the login client for troubleshooting and testing
REM add /tcp if you suspect network/routing problems
start /d \\server\share\ cymdir.exe /log %tmp% 192.168.1.80
REM This part runs the version 8 login client for production use
REM start /d \\server\share\ cymdir.exe /silent 192.168.1.80
REM This part verifies that this Login Script is being run by calling standard Windows routines.
time /t > %TMP%\login.txt
date /t >> %TMP%\login.txt
echo %USERNAME% >> %TMP%\login.txt
REM Browse to "%tmp%" in Windows Explorer by typing %TMP% in the address bar (use Internet Explorer if necessary)
REM There should be BOTH a cymdir.log and also a login.txt file in the %TMP% folder.
REM If both are missing, this script is not being run
REM if both are present, send cymdir.log to support@Black Box Network Services.com
The purpose of this script is to put the date, time, and username of the last login in a text
file called login.txt located in the user’s %TMP% directory. Because these are all standard
Windows shell functions, this part of the script does not depend on cymdir.
Figure 7.17 %TMP% Folder
After logging in with this policy, browse to the temporary folder %TMP%. %TMP% is a
Windows Shell Variable that corresponds to each user’s Temporary Files Folder. You can
navigate to it directly by putting %TMP% in the Address Line of Windows Explorer.
Open login.txt if it exists. If login.txt is in the Temporary Directory, verify that the login
time, date, and username are correct. If so, then Group Policies seem to be working properly,
and you should try some of the other troubleshooting methods mentioned below. If
login.txt does not exist or does not contain the correct information, you will more than likely
need to perform some troubleshooting and verify your GPO settings. Once your
Group Policy Object login scripts are performing as expected, cymdir.exe can be deployed
in your network.
Troubleshooting Directory Client
If the Directory Client Help Dialog Box keeps popping up, look for an error message. The
top portion of the cymdir.exe dialog will display a relevant error message (connection
failure, unrecognized option, bad or misspelled command name, invalid IP address, etc.).
Double-check the login script. If there are no error messages, it implies that no command
line arguments were given to the Directory Client (similar to double-clicking cymdir.exe).
Some scripting languages require enclosing the parameters in quotes.
If there are no Directory User profiles under Manage -> Directory Users & Nodes ->
Directory Users, Optinet is not receiving heartbeats from the Directory Client. Confirm that
cymdir.exe is being loaded at login by checking the Process list in the Windows Task
Manager. If not, there may be a script problem.
If one or more users are not sending heartbeats, network routing issues can prevent
packets from reaching Optinet. Use the /tcp switch to test for connection failures. Please
note that you will not be able to use the /silent option for this test.
Another scenario that will impede Optinet from posting the Directory User profile for a user
is if the computer has not sent Internet traffic through Optinet. If the workstation has not
sent traffic to the Internet, then Optinet has no Network Node profile (IP address or MAC
address) with which to attach the Directory User. This will correct itself as soon as the
workstation sends traffic to the Internet through Optinet. (Checking the Admin -> Logs ->
Activity Log can be used to identify this issue).
By default, the Directory Client uses port 3642 to communicate with Optinet. You can verify
that this port is open by using telnet and attempting to connect to Optinet on port 3642
from an affected workstation. The syntax for the Windows command line telnet client is
this: C:\>telnet 192.168.1.80 3642. Remember to use the IP address of your Optinet.
If you are able to connect and receive an error message about needing to authenticate,
then there are no network issues. If you are not able to connect, then please review your
firewall or settings on the network as they may be blocking access on port 3642.
If the Directory Client causes long login times, this could be due to the syntax in the batch
file. Make sure that the batch file begins with “start”. Start is required to detach programs
from the Windows shell. If it is omitted, Windows may not detach the referenced program
as an independent process, and wait 10 minutes before terminating the process.
Occasionally, some traffic is not associated with a Directory User. Cymdir.exe runs when a
user logs in, and stops running when a user logs off. If traffic occurs when no user is logged
into a Network Node, it will not be associated with any user. This commonly occurs when a
user reboots, which logs the user off and then generates network traffic, or when Windows
updates are downloaded and installed.
In some circumstances (particularly involving laptop computers) a user will not run the login
script or Group Policy Object from the network as they log in. This could be because they
are not connected to any network, they are connected to a network that is not their home
network, or they have somehow bypassed their network login script. (Consider using an
alternate method like Web Authentication for these users instead of the Directory Client.)
Also, users can potentially terminate the cymdir.exe process from the Task Manager in an
attempt to escalate their network privileges. If this happens, their workstation will be
added to the next appropriate group (typically the Default Group). To prevent privilege
escalation, simply make the Default Group (or other group as appropriate) have the fewest
network privileges available. This way, users will only de-escalate their access by
terminating the Directory Client.
Some security settings may impede the Directory Client from executing correctly. If you
are unable to execute the client after following the deployment steps, you may need to
unblock the executable from running. You can do this by right-clicking on the cymdir.exe
and selecting Properties. Under the General tab, click the Unblock button and then apply
the changes.
Lastly, make sure that you use the correct Directory Client for your Operating System.
There are three versions (32-bit, 64-bit, and Macintosh), and each should be deployed
accordingly.
Chapter 8: Implementing HTTPS/SSL Filtering with Optinet
Secure Sockets Layer (SSL) is a technology that is used to encrypt data sent over the
network. (Newer versions of SSL are called Transport Layer Security or TLS. Statements in
this User Guide regarding SSL also apply to TLS.) This encryption is done to ensure that the
data transmission is secure and only readable by the intended recipients. This technology is
most commonly associated with Secure Hypertext Transfer Protocol (HTTPS) sent over the
Internet.
For example, web pages such as banking or ecommerce sites post information that is very
sensitive for users, i.e., credit card numbers, social security numbers, etc. Because this
information is important, the web site must take some special precautions to make sure
that this information is not viewed by the wrong person. Also, the Web site needs to
confirm the identity of the site visitor and make sure that the transmission of data across
the Internet is not intercepted by anyone.
However, SSL can also be used to conceal web traffic and visit prohibited sites. The most
common practice of this is with proxy web sites or proxy web servers. Optinet uses
HTTPS/SSL Filtering to allow you to view and restrict Web traffic for secure web sites and
also prohibit users from viewing unauthorized content. This chapter can be used to enable
HTTPS/SSL Filtering. The following topics will be covered.
• Certificate Authorities
• SSL Anonymous Proxies
• HTTPS/SSL Filtering
• HTTPS/SSL Blocking
• HTTPS/SSL Filtering Requirements
• Enabling SSL Certificate-Based Filtering
• The Optinet Digital Certificate
• Installing The Optinet Digital Certificate
• Enabling Full SSL Content Filtering
• Confirming The Optinet Digital Certificate
• Reporting on HTTPS/SSL Web Sites
• Viewing Sensitive Content on HTTPS/SSL Web Sites
Certificate Authorities
For Web sites to use SSL to post secure data, they employ a digital certificate signed by a
Certificate Authority (CA), like VeriSign or Thawte. A CA issues and signs a digital
certificate which confirms the identity of the Web site and that the page is secure. The CA
also attests that the certificate belongs to the organization, server, or other entity noted in
the certificate. How do users know whether a web site is secure? Through the digital
certificate presented by the web site.
Normally, web browsers have a list of trustworthy CAs. When users connect to a secure
web site, the web browser will check the name of the web site with the corresponding
certificate. If the certificate name matches the name of the web site, is not expired, and is
signed by a trusted CA, the web browser will display the web site. If any of these checks
fail, a warning is displayed indicating the error. Thus web sites and users depend on digital
certificates to confirm identities and information.
SSL Anonymous Proxies
In addition to using SSL for securing web traffic, SSL can also be used to conceal web
traffic. The purpose of the Optinet HTTPS/SSL Filtering is to prohibit users from concealing
their web traffic and from viewing unauthorized content. One of the ways users can conceal
web traffic with SSL is by using SSL Anonymous Proxies.
SSL Anonymous Proxies, available to anyone with Internet access, instruct users on how to
direct their web traffic to a specific web site or service. Like traditional anonymous proxies,
they allow a user to put in a URL, which the proxy then fetches and returns to the user.
From a web filter’s perspective, it is as if all the content came from the proxy site. An SSL
Anonymous Proxy takes this one step further by encrypting this data, thereby concealing
the user’s traffic and visits to prohibited web sites. The most common tactic of SSL
Anonymous Proxy servers is using Common Gateway Interface (CGI) web sites that create
tunnels to web sites.
However, there are many forms of proxy servers that are designed to make web surfing
anonymous and bypass content filtering. Below are listed the most common Anonymous
Proxy Services and how they conceal web traffic.
SSL CGI Proxy
This type of proxy has users enter the Uniform Resource Locator (URL) of the web site
they want to browse to into a web form. The web site then processes the request and
retrieves the page on behalf of the user. The web site changes the links and images within
the page so that the requests are actually hosted by the proxy web site and not the original
web site.
SSL Full Proxy
This type of proxy requires users to modify their web browser settings to use a proxy
server. Some of these sites will also use non-standard ports to conceal web traffic.
SOCKS4/5 Proxy
This type of proxy also has users modify web browser settings to use a proxy server.
TorPark Network
This type of proxy is an SSL-based network that allows users to hide web browsing. TorPark
normally uses non-standard port numbers to avoid detection and uses SSL to conceal the
content of web sites.
Optinet has several options that allow you to block Anonymous SSL web surfing and users
from concealing their traffic. These options are discussed in the next section.
HTTPS/SSL Filtering
Optinet offers you several tools to filter HTTPS/SSL traffic, and to block proxy web sites that
allow users to cover their web traffic. Depending upon the type of control you want over
SSL traffic, you will need to configure HTTPS/SSL Filtering accordingly. All HTTPS/SSL
filtering options are handled by Traffic Flow Rule Sets (TFRS).
TFRS are the basic traffic identification and control engine within Optinet. TFRS allow you to
dictate how traffic will be identified, controlled, reported, filtered and shaped. In the case of
HTTPS/SSL traffic, Optinet has several TFRS that will handle HTTPS/SSL traffic according to
the settings listed below.
The component of TFRS that handles HTTPS/SSL Filtering is called SSL Filter. SSL Filter can
perform content filtering, web logging, spyware scanning, and virus scanning on all HTTPS
web sites. However, there are several options within SSL Filtering. Below are all available
options.
Disable SSL Inspection and Filtering
This option will not perform any HTTPS/SSL Filtering or Inspection. This is the default
option and will not filter, report, or inspect any HTTPS/SSL traffic.
Enable SSL Certificate-Based Content Filtering
This option allows you to filter HTTPS web sites based only on the certificate name present.
In addition to this, this option will only log and filter the first web page accessed for the site.
No other pages on the web site will be scanned. Also, if the certificate name does not
match the URL of the web site, some mis-categorization can happen. Finally, if users
attempt to access an HTTPS web site that has been prohibited, they will not receive a
redirection page alerting them that the site has been blocked by Optinet. This is the level of
protection provided by almost all Secure Net Gateway devices that support SSL features.
Enable Denied Access Page for SSL Certificate-Based Content Filtering
This option allows you to filter HTTPS web sites based only on the certificate name present.
In addition to this, this option will only log and filter the first web page accessed for the site.
No other pages on the web site will be scanned. Also, if the certificate name does not
match the URL of the web site, some mis-categorization can happen. However, this option
will present users with a blocked redirection page if the web site has been prohibited and
can be used in conjunction with SSL Certificate-Based Content Filtering.
Enable Full SSL Content Filtering
This option allows you to filter HTTPS web sites based on the certificate name present,
the name of the web site, and the site’s content. This option is the most robust and
complete of all SSL Filter options as it allows for better categorization of HTTPS web sites,
continued filtering of all pages within the web site, and blocked redirection pages for
prohibited secure sites. Also, this is the only SSL Filter option that offers full scanning of
HTTPS web sites for spyware and viruses.
Because of the additional steps required to enable Full SSL Content Filtering, you will not be
able to turn on this option without first contacting a Black Box Network Services Support
Technician. If you are interested in enabling Full SSL Content Filtering, please call Black
Box Network Services Technical Support.
Do not enable Full SSL Content Filtering without deploying The Optinet Digital
Certificate beforehand. Doing so will cause interruption with HTTPS web sites. Please
read the section on Installing The Optinet Certificate before enabling this option.
Only Allow Trusted Certificate Authorities and Non-Expired Certificates
This option will increase security for web traffic as it will not allow users to visit HTTPS sites
that have expired certificates or certificates issued from non-trusted CAs. This option can
be used in conjunction with SSL Certificate-Based Content Filtering and Full SSL Content
Filtering.
HTTPS/SSL Filter Exemption List
This option allows you to enter URLs of secure web sites that will be exempt from SSL
Filtering. For sensitive web sites, such as banking and ecommerce, you may want to enter
the URLs of these sites to avoid content filtering on specific web sites. This option can be
used in conjunction with all SSL filtering options.
Content Filtering Rules
Once you have enabled any of the HTTPS/SSL Filtering options, all your Content Filtering
Rules will now apply to HTTPS web sites. For example, if you have entered myspace in the
Blocked URL list under the Content Filtering tab and enabled HTTPS/SSL Filtering, users will
not be able to access http://www.myspace.com or https://www.myspace.com.
As such, if you want to block a specific web category or web site that is using HTTPS, enter
the web site as blocked in the Content Filtering tab, select a TFRS that has SSL Filtering and
choose one of the HTTPS/SSL Filtering options.
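The decision logic the options above describe, as an added example that is not Optinet’s code: a small Python model of SSL Certificate-Based Content Filtering (which sees only the certificate name), the Filter Exemption List, the trusted-CA/non-expired check, and Full SSL Content Filtering (which also sees the requested host and path), beside the three checks a browser makes as described under Certificate Authorities. The certificates, the CDN wildcard scenario that produces the mis-categorization mentioned above, the trust store, and the substring matching of Blocked URL entries are constructed assumptions for illustration.

```python
"""Added example (not Optinet's code): certificate-name filtering vs. full content filtering."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Sequence, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class CertInfo:
    """Server-certificate fields a filter or browser consults (constructed data)."""
    name: str            # subject Common Name, the 'certificate name' of the text
    issuer: str          # CA that signed the certificate
    not_after: datetime  # expiry, timezone-aware


TRUSTED_CAS = frozenset({"VeriSign", "Thawte"})  # constructed trust store


def name_matches(cert_name: str, hostname: str) -> bool:
    """Browser-style name check: exact match, or '*.' covering exactly one label."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name == hostname:
        return True
    if cert_name.startswith("*."):
        return hostname.endswith(cert_name[1:]) and hostname.count(".") == cert_name.count(".")
    return False


def trust_issues(cert: CertInfo, now: datetime) -> List[str]:
    """Expiry and issuer checks only: the filter may not know which URL was requested."""
    issues = []
    if cert.not_after <= now:
        issues.append("expired")
    if cert.issuer not in TRUSTED_CAS:
        issues.append("untrusted CA")
    return issues


def browser_checks(cert: CertInfo, hostname: str, now: datetime) -> List[str]:
    """The three checks the text lists; an empty list means the browser shows the site."""
    name_ok = name_matches(cert.name, hostname)
    return ([] if name_ok else ["name mismatch"]) + trust_issues(cert, now)


def cert_based_filter(cert: CertInfo, blocked: Sequence[str], exempt: Sequence[str],
                      now: datetime, trusted_only: bool = False) -> Tuple[str, str]:
    """Certificate-Based filtering sees only the certificate name; Blocked URL entries are
    matched as substrings, so 'myspace' covers www.myspace.com. Returns (decision, why)."""
    name = cert.name.lower()
    if any(site.lower() in name for site in exempt):  # Filter Exemption List
        return "allow", f"exempt site {name}"
    if trusted_only and trust_issues(cert, now):  # Only Allow Trusted CAs / Non-Expired
        return "block", ", ".join(trust_issues(cert, now))
    for keyword in blocked:
        if keyword.lower() in name:
            return "block", f"'{keyword}' found in certificate name {name}"
    return "allow", f"no blocked keyword in certificate name {name}"


def full_content_filter(cert: CertInfo, url: str, blocked: Sequence[str],
                        exempt: Sequence[str], now: datetime,
                        trusted_only: bool = False) -> Tuple[str, str]:
    """Full SSL Content Filtering also sees the decrypted request (host and path),
    which closes the wildcard/CDN gap that certificate-name matching leaves open."""
    parsed = urlparse(url)
    host, path = (parsed.hostname or "").lower(), parsed.path.lower()
    if any(site.lower() in host for site in exempt):
        return "allow", f"exempt site {host}"
    decision, reason = cert_based_filter(cert, blocked, exempt, now, trusted_only)
    if decision == "block":
        return decision, reason
    for keyword in blocked:
        if keyword.lower() in host or keyword.lower() in path:
            return "block", f"'{keyword}' found in request {host}{path}"
    return "allow", "no blocked keyword in certificate, host or path"


# Constructed certificates, dated around the manual's March 2009 publication.
NOW = datetime(2009, 3, 1, tzinfo=timezone.utc)
LATER = datetime(2010, 12, 31, tzinfo=timezone.utc)
SITE_CERT = CertInfo("www.myspace.com", "VeriSign", LATER)
CDN_CERT = CertInfo("*.cdn-example.net", "Thawte", LATER)  # same site reached via a CDN
BANK_CERT = CertInfo("login.example-bank.com", "VeriSign",
                     datetime(2008, 1, 1, tzinfo=timezone.utc))  # already expired
BLOCKED, EXEMPT = ["myspace"], ["example-bank.com"]


def demo() -> Dict[str, str]:
    """Decision for each scenario above, keyed by scenario (checked by the tests)."""
    return {
        "cert-based, site cert": cert_based_filter(SITE_CERT, BLOCKED, EXEMPT, NOW)[0],
        "cert-based, CDN cert": cert_based_filter(CDN_CERT, BLOCKED, EXEMPT, NOW)[0],
        "full, CDN cert": full_content_filter(
            CDN_CERT, "https://www.myspace.com/home", BLOCKED, EXEMPT, NOW)[0],
        "browser, CDN cert": ",".join(browser_checks(CDN_CERT, "www.myspace.com", NOW)),
        "trusted-only, expired": cert_based_filter(BANK_CERT, [], [], NOW, True)[0],
        "trusted-only, exempt": cert_based_filter(BANK_CERT, [], EXEMPT, NOW, True)[0],
    }
```

Calling demo() shows the certificate-only mode letting the CDN-fronted request through while the full mode blocks it, which is the mis-categorization the text warns about.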
HTTPS/SSL Blocking
There is an additional TFRS for SSL traffic entitled SSL Block. This TFRS does not perform
any content filtering, web logging, spyware scanning, and virus scanning on HTTPS web
sites. This TFRS only prohibits all HTTPS/SSL traffic from passing through Optinet. By
default there is only one TFRS that is set to block HTTPS traffic. This TFRS is called Web
Filter + Anonymous Proxy Guard + SSL Block.
This TFRS performs content filtering, web logging, spyware scanning, and virus scanning for
HTTP traffic (Web Filter). This TFRS also prohibits HTTP traffic on any port other than port
80 or a designated proxy port (Anonymous Proxy Guard). Finally this TFRS prohibits all
HTTPS/SSL traffic from passing through Optinet (SSL Block).
HTTPS/SSL Filtering Requirements
HTTPS/SSL Filtering does place additional processing load on Optinet. As such, HTTPS
traffic cannot be more than 25% of the non-SSL model’s bandwidth specification (see the
following table). Before enabling any form of HTTPS/SSL Filtering, please confirm that your
HTTPS traffic does not exceed the amount listed below.
Model              Max Total Throughput   Max HTTPS Throughput
Optinet 5          5 Mbps                 1.25 Mbps
Optinet 20         20 Mbps                5 Mbps
Optinet 20 SSL     20 Mbps                20 Mbps
Optinet 45 SSL     45 Mbps                45 Mbps
Optinet 100 SSL    100 Mbps               100 Mbps
Optinet 200 SSL    200 Mbps               200 Mbps
SSL Acceleration Optinet models come equipped with SSL Accelerators which perform part
of the HTTPS/SSL Filtering, relieving the load on Optinet. These models are indicated with
the SSL description above.
Also, HTTPS/SSL Filtering does require a live Internet connection, preferably active for at
least 24 hours. A good practice is to install Optinet and let the device collect data for at
least 24 hours. This way you can verify via Report -> Application Overview -> HTTPS that the
amount of HTTPS traffic is below 25% of the Optinet maximum bandwidth specification and
afterwards enable HTTPS/SSL Filtering.
Lastly, Optinet only supports HTTPS/SSL Filtering for web browsers that use SSL v2.0, SSL
v3.0, and Transport Layer Security (TLS) v1.0. Current web browsers use these versions by
default, but you may want to verify that your network’s web browsers are updated.
In addition to bandwidth and connection requirements, HTTPS/SSL Filtering requires that
you enable two options under the Advanced Setup tab (Admin -> Configuration ->
Advanced Setup) that will allow Optinet to support HTTPS/SSL filtering. These two options
are HTTP Keep-Alive Mode and Enhanced Bridging Mode (EBM).
HTTP Keep-Alive Mode allows Optinet to use the same connection to send and receive
multiple HTTP requests and responses, as opposed to opening a new connection for every
single HTTP request or response. Using HTTP Keep-Alive Mode is essential for improving
Web performance with HTTPS/SSL Filtering.
EBM allows Optinet to act as a transparent filter. As a transparent filter, Optinet does not
modify the Web request or response beyond what is required for authentication and
identification. EBM also improves the quality of service by delivering content at higher
bandwidth and reducing transmission latency. If either of these options is not enabled,
HTTPS/SSL Filtering is not possible.
One last requirement before enabling HTTPS/SSL Filtering is deciding on what options to
use. All HTTPS/SSL filtering is handled by TFRS. However, some of the different
HTTPS/SSL Filtering options will determine what steps need to be performed first. For
example, Full SSL Content Filtering requires additional steps for configuration before
enabling HTTPS/SSL Filtering.
This option utilizes a digital certificate from Optinet similar to ones used by CAs. If you plan
on using Full SSL Content Filtering, you will need to deploy the certificate before enabling
HTTPS/SSL Filtering. Please review the section entitled Installing The Optinet Digital
Certificate.
Enabling SSL Certificate-Based Filtering
Enabling SSL Certificate-Based Content Filtering allows you to filter HTTPS web sites based
only on the certificate name present. You can also select Denied Access Page for SSL
Certificate-Based Content Filtering to present users a redirection page for blocked HTTPS
Web sites as well as Only Allow Trusted Certificate Authorities and Non-expired Certificates.
To do this, you will first select an Internet Usage Rule (IUR).
Click Manage -> Policies & Rules -> Internet Usage Rules -> Default Usage Rules (or
another group’s usage rules). The first step is to alter an IUR for HTTPS/SSL Filtering by
choosing a TFRS that can identify and filter HTTPS traffic. Select the drop-down box for
TFRS and choose a rule set that has SSL Filter as a component. This will then allow you to
access the HTTPS/SSL Filtering tab.
Optinet has three default TFRS that filter HTTPS/SSL traffic. These TFRS are listed below
with their corresponding targets. Please note that these are the default settings for the
TFRS and can be changed or customized based on your needs.
Web Filter + Deny IM + Anonymous Proxy Guard + SSL Filter
This TFRS performs content filtering, web logging, spyware scanning, and virus scanning for
both HTTP (Web Filter) and HTTPS traffic (SSL Filter). This TFRS also denies all IM Client
conversations (Deny IM) and prohibits HTTP traffic on any port other than port 80 or the
designated proxy ports and SSL traffic on any port other than port 443 (Anonymous Proxy
Guard).
Web Filter + Anonymous Proxy Guard + SSL Filter
This TFRS performs content filtering, web logging, spyware scanning, and virus scanning for
both HTTP (Web Filter) and HTTPS traffic (SSL Filter). This TFRS also prohibits HTTP traffic
on any port other than port 80 or a designated proxy port and SSL traffic on any port other
than port 443 (Anonymous Proxy Guard).
Web Filter + SSL Filter
This TFRS performs content filtering, web logging, spyware scanning, and virus scanning for
both HTTP (Web Filter) and HTTPS traffic (SSL Filter).
Depending upon how you would like to filter HTTPS traffic, you can choose the TFRS
accordingly. Again, once you have selected a TFRS with SSL Filter, you can now select
options under the HTTPS/SSL Filtering tab. In this section, we will only be detailing the
options of SSL Certificate-Based Filtering. Click on the HTTPS/SSL Filtering tab, and select
the radio button for Enable SSL Certificate-Based Content Filtering. Also, you can select the
check box for the Enable “Denied Access” page and Only Allow for Trusted Certificate
Authorities and Non-expired Certificates. You can also enter in any URLs for the Filter
Exemption List. Once modified, don’t forget to save your changes.
Once the IUR has been saved, make sure that the new rules are being applied to the group
under the Policy Manager. You can review how to do this under Chapter 5: Managing
Optinet.
You have now finished creating an Internet Usage Rule that will filter certificates for HTTPS
Web sites and assigned it to the corresponding group. You can follow the previously
mentioned steps to assign additional IURs that will filter certificates for HTTPS web sites or
groups as well.
The Optinet Digital Certificate
For Optinet to fully scan HTTPS web sites, the device will need to inspect the data traversing
the SSL connection between the user and the Web site. Consequently, deploying a third
party certificate to act as the “middle man” for the user and the secure Web site is the most
effective method to allow the secure connection while examining the content.
By deploying a third party certificate from Optinet to the user, a secure connection between
the two is established. Optinet then issues a separate secure connection between itself and
the secure Web site or server. In this fashion, Optinet acts as an SSL proxy, allowing the
two connections to be fully inspected without dropping the connection (see the following
diagram).
Figure 8.1 Optinet Certificate
In essence, Optinet establishes two SSL connections, one to the user and one to the web
site. After these connections are established, the user sends the SSL request to Optinet.
Optinet reviews the SSL request, verifies filtering rules, and then sends an SSL request on
behalf of the user to the web site. This process allows Optinet to fully inspect the SSL traffic
from both the user and the responding web server.
Again for this option to work correctly, users will need the Optinet digital certificate installed
in their individual Web browsers. This certificate can be downloaded from Optinet under
Admin -> Configuration -> Downloads -> SSL Authority Certificate or at http://IP address of
Optinet/downloads/cacert.cer. Although you can install the certificate individually for each
user, this chapter has several options on how to deploy the certificate on a wider scale.
Lastly, you can also customize the certificate used for Full SSL Content Filtering. If you
would prefer the certificate to display your company information, your company’s
organizational unit, or your contact information, you may modify these settings under
Admin -> Configuration -> SSL Certificate Settings.
If you make any errors or need to change the SSL Certificate Settings, you can select the
Clear SSL Certificates (Admin -> Utilities -> System Resets -> Clear SSL Certificates). This
will set the SSL Certificate Settings back to default settings. However, if you alter the SSL
certificate in any form, make sure that users have the new finalized certificate before
enabling Full SSL Filtering.
Installing The Optinet Digital Certificate
The Optinet certificate can be deployed individually on each computer’s Web browser or it
can be deployed as a Group Policy Object (GPO) by Active Directory. The following sections
describe how to perform each accordingly.
Deploying The Optinet Certificate via Web Browsers
The Optinet certificate can be downloaded and installed by directing your users to their Web
browsers. A good practice is to download and install the certificate in a network share and
have users install the certificate directly from the shared drive. Another option is to send an
email to users with an attached zipped file of the certificate or with the URL of the certificate
(http://IP address of Optinet/downloads/cacert.cer). Once you have distributed the
certificate, simply have users import the certificate.
Depending upon users’ OS or default web browser, the steps to install the certificate will
differ. Below are email templates you can copy and use to instruct users how to install the
certificate using Windows PCs and Internet Explorer and Firefox. Areas where you need to
add information before sending the template are italicized and bold. With other Web
browsers or OS you will need to research and find how to import digital certificates.
Email Template for Windows XP and Internet Explorer 6
As part of our efforts to provide a secure work environment and reliable Web access, we
have decided to employ content filtering for Hypertext Transfer Protocol Secure (HTTPS).
Although you may be unfamiliar with the term HTTPS, this protocol is used by web sites to
secure information.
However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to
users and the network. Filtering HTTPS web sites will improve our ability to protect the
network and ensure safe web browsing.
You will need to import a digital certificate into your web browser that will allow you to
access legitimate web sites that use HTTPS. Please click on the following link and save
the certificate (cacert.cer) to your desktop: http://IP address of your
Optinet/downloads/cacert.cer. Or please download the following zipped
attachment (cacert.cer) to your desktop.
Then follow the instructions listed below to import the certificate. Thanks and have a nice
day.
1. Open up Internet Explorer 6.
2. Click on Tools -> Internet Options.
3. Select the Content tab and click the Certificates button (this will bring up the
Certificate dialog box).
4. Select the Trusted Root Certification Authorities tab and then click the Import button
(this will bring up the Certificate Import Wizard).
5. Begin the Wizard by selecting Next and when prompted browse to the certificate you
downloaded to your desktop.
6. If asked, allow Windows to automatically select the certificate store (or choose Place all
certificates in the following store and select Trusted Root Certification Authorities).
7. Complete the Certificate Import Wizard by selecting Next when prompted.
8. After you have completed the Certificate Import Wizard click the Finish button (you
may receive a security warning about installing the certificate; select Yes to allow the
import).
You have now completed the Certificate Import Wizard for Internet Explorer 6. You can
delete the certificate file on your desktop.
Email Template for Windows XP and Internet Explorer 7
As part of our efforts to provide a secure work environment and reliable Web access, we
have decided to employ content filtering for Hypertext Transfer Protocol Secure (HTTPS).
Although you may be unfamiliar with the term HTTPS, this protocol is used by web sites to
secure information.
However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to
users and the network. Filtering HTTPS web sites will improve our ability to protect the
network and ensure safe web browsing.
You will need to import a digital certificate into your Web browser that will allow you to
access legitimate web sites that use HTTPS. Please click on the following link and save
the certificate (cacert.cer) to your desktop: http://IP address of your
Optinet/downloads/cacert.cer. Or please download the following zipped
attachment (cacert.cer) to your desktop.
Then follow the instructions listed below to import the certificate. Thanks and have a nice
day.
1. Open up Internet Explorer 7.
2. Click on Tools -> Internet Options.
3. Select the Content tab and click the Certificates button (this will bring up the
Certificate dialog box).
4. Select the Trusted Root Certification Authorities tab and then click the Import button
(this will bring up the Certificate Import Wizard).
5. Begin the Wizard by selecting Next and when prompted browse to the certificate you
downloaded to your desktop.
6. If asked, allow Windows to automatically select the certificate store (or choose Place all
certificates in the following store and select Trusted Root Certification Authorities).
7. Complete the Certificate Import Wizard by selecting Next when prompted.
8. After you have completed the Certificate Import Wizard click the Finish button (you
may receive a security warning about installing the certificate; select Yes to allow the
import).
You have now completed the Certificate Import Wizard for Internet Explorer 7. You can
delete the certificate file on your desktop.
Email Template for Windows Vista and Internet Explorer 7
As part of our efforts to provide a secure work environment and reliable Web access, we
have decided to employ content filtering for Hypertext Transfer Protocol Secure (HTTPS).
Although you may be unfamiliar with the term HTTPS, this protocol is used by web sites to
secure information.
However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to
users and the network. Filtering HTTPS web sites will improve our ability to protect the
network and ensure safe web browsing.
You will need to import a digital certificate into your web browser that will allow you to
access legitimate web sites that use HTTPS. Please click on the following link and save
the certificate (cacert.cer) to your desktop: http://IP address of your
Optinet/downloads/cacert.cer. Or please download the following zipped
attachment (cacert.cer) to your desktop.
Then follow the instructions listed below to import the certificate. Thanks and have a nice
day.
1. Open up Internet Explorer 7.
2. Click on Tools -> Internet Options.
3. Select the Content tab and click the Certificates button (this will bring up the
Certificate dialog box).
4. Select the Trusted Root Certification Authorities tab and then click the Import button
(this will bring up the Certificate Import Wizard).
5. Begin the Wizard by selecting Next and when prompted browse to the certificate you
downloaded to your desktop.
6. When asked, Place the certificate in the Trusted Root Certification Authorities store.
7. Complete the Certificate Import Wizard by selecting Next when prompted.
8. After you have completed the Certificate Import Wizard click the Finish button (you
may receive a security warning about installing the certificate; select Yes to allow the
import).
You have now completed the Certificate Import Wizard for Internet Explorer 7. You can
delete the certificate file on your desktop.
Email Template for Windows XP/Vista and Firefox 2
As part of our efforts to provide a secure work environment and reliable Web access, we
have decided to employ content filtering for Hypertext Transfer Protocol Secure (HTTPS).
Although you may be unfamiliar with the term HTTPS, this protocol is used by web sites to
secure sensitive information.
However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to
users and the network. Filtering HTTPS web sites will improve our ability to protect the
network and ensure safe web browsing.
You will need to import a digital certificate into your web browser that will allow you to
access legitimate web sites that use HTTPS. Please click on the following link and save
the certificate (cacert.cer) to your desktop: http://IP address of your
Optinet/downloads/cacert.cer. Or please download the following zipped
attachment (cacert.cer) to your desktop.
Then follow the instructions listed below to import the certificate. Thanks and have a nice
day.
1. Open up Firefox 2.
2. Click on Tools -> Options.
3. Select the Encryption tab and click the View Certificates button (this will bring up the
Certificate Manager box).
4. Select the Authorities tab and then click the Import button.
5. Browse to your desktop and select the certificate you just downloaded.
6. Select Trust this CA to identify web sites.
7. Click OK twice to complete the import.
You have now completed the certificate import for Firefox. You can delete the certificate
file on your desktop.
Deploying the Optinet Certificate via Active Directory
Again, follow the previous steps to download the certificate and place it on the local drive
of the Active Directory server, then follow the steps below. They add the certificate to the
Default Domain Policy, which applies to every computer in the domain; if only some
organizational units are filtered by Optinet, link a dedicated GPO to those units instead.
Domain members receive the certificate at their next Group Policy refresh (or immediately
after running gpupdate /force on the client).
1. Log on to your Domain or Active Directory server.
2. Open a Windows Run Prompt (Start -> Run).
3. In the Open field type "mmc" (Microsoft Management Console).
4. Click OK.
5. In the File menu, select Add/Remove Snap-in.
Figure 8.2 Console Prompt
6. Click the Add button.
7. Scroll down and select Group Policy Object Editor.
Figure 8.3 Add Standalone Snap-in
8. Click the Add button (this will launch the Group Policy Object Wizard).
9. Press the Browse button.
10. Select Default Domain Policy.
11. Click OK.
Figure 8.4 Group Policy Object
12. Click Finish on the Add Group Policy Wizard.
13. Close the Add Standalone Snap-in dialog box.
14. Click OK on the Add/Remove Snap-in dialog box (you should now be looking at the
MMC screen with the Console Root Folder above the new Default Domain Policy you
have just added).
Figure 8.5 Console Root
15. Expand the Default Domain Policy.
16. Expand the Computer Configuration option.
17. Expand the Windows Settings option.
18. Expand the Security Settings option.
19. Expand the Public Key Policies.
20. Select the Trusted Root Certification Authorities.
21. In the Action menu, select Import (this will launch the Import Wizard).
Figure 8.6 Group Policy Object Editor
22. Click the Next button.
23. Browse to where you downloaded the Optinet certificate (unless you have changed the
name, the certificate is called cacert.cer).
24. Click the Next button.
25. Make sure the Place All Certificates in the Following Store radio button is selected.
26. Make sure the Certificate Store is Trusted Root Certification Authorities.
27. Click the Next button (the Import Wizard will now display a summary of the import
process).
28. Click the Finish button.
29. The Import Wizard will inform you if the import was successful.
You have now finished deploying the Optinet certificate, either via a direct import or via
Active Directory's GPO. You are now ready to enable Full SSL Content Filtering. You can
also enable Only Allow Trusted Certificate Authorities and Non-Expired Certificates.
Enabling Full SSL Content Filtering
Now that you have installed the Optinet certificate, you will need to contact Black Box
Network Services Technical Support to enable Full SSL Filtering. Because Full SSL Filtering
requires additional steps, this option is only available after a certified Black Box Network
Services Technician reviews the device settings. This precaution is taken to avoid
unnecessary interruption of secure Web sites. You can contact Black Box Network Services
Technical Support at 724-746-5500.
Once the request is approved, the support technician will ask which Internet Usage Rules
are to have Full SSL Content Filtering. Afterwards, you can review the settings under
Manage -> Policy & Rules -> Internet Usage Rules -> Default Usage Rules (or another
group's usage rules). Select the Traffic Flow Rule Set drop-down box and choose a TFRS
that lists the SSL Filter component. After a TFRS with SSL Filter has been selected, the
HTTPS/SSL Filtering tab becomes accessible. Click on the tab and confirm that the Enable
Full SSL Content Filtering radio button is selected.
If you like, you can also select the check box next to Only Allow Trusted Certificate
Authorities and Non-Expired Certificates. Because users' browsers now see only the
certificate Optinet issues for each site, they can no longer tell whether the real site's
certificate was expired or signed by an untrusted authority; this option makes Optinet
perform that check instead, so enabling it is strongly advised. In addition, you can enter
URLs in the Filter Exemption list. Again, don't forget to Save your changes and apply the
IUR to the correct groups under Policy Manager.
Please note that if you clear the SSL Certificate under Admin -> Utilities -> System Resets
or alter the certificate under Admin -> Configuration -> SSL Certificate Settings, you will
need to deploy the new certificate to users’ Web browsers.
Confirming the Optinet Digital Certificate
Now that you have deployed the Optinet certificate and finished configuring Optinet for Full
SSL Content Filtering, the last item to verify is that the Optinet digital certificate is
working correctly. Do this from a filtered computer by browsing to a secure Web site (https)
and viewing the certificate of the page: click the padlock icon at the end of the URL and
select View certificates. Make sure the certificate is issued by the Certificate Common Name
configured on Optinet (Admin -> Configuration -> SSL Certificate Settings). A certificate
warning on every HTTPS site usually means the certificate did not reach that machine's
Trusted Root store. A site on the HTTPS/SSL Filter Exemption List should still show its
original issuer.
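Both checks in this chapter, inspecting cacert.cer before it is distributed (Deploying the
Optinet Certificate via Web Browsers) and confirming the issuer a client sees once filtering
is on (the paragraph above), can be scripted. The following is an added example, not part of
the Optinet manual or of Black Box's own tooling; it needs only the openssl command line.
The function names, the Common Name "Optinet CA", the organization "Example Corp" and the
constructed sample certificates are assumptions for illustration, not values taken from the
appliance.

```shell
#!/bin/sh
# Added example (not from the Optinet manual or Black Box). Checks a downloaded
# cacert.cer before it is pushed to browsers or a GPO, and reads back the issuer
# a client sees after Full SSL Content Filtering is enabled. Requires openssl.
#
# Assumptions not stated in the manual: cacert.cer may be PEM or DER, and the
# expected Common Name is the one entered under Admin -> Configuration ->
# SSL Certificate Settings, passed in as an argument.

# Normalise PEM or DER input to PEM on stdout (a .cer file is often DER).
as_pem() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null \
        || openssl x509 -in "$1" -inform DER
}

# Pull the CN out of a one-line RFC 2253 name such as "subject=CN=Optinet CA,O=...".
name_cn() {
    sed -n 's/^[a-z]*=.*CN=\([^,]*\).*/\1/p'
}

# Subject and issuer Common Names of a certificate file.
cert_subject_cn() { as_pem "$1" | openssl x509 -noout -subject -nameopt RFC2253 | name_cn; }
cert_issuer_cn()  { as_pem "$1" | openssl x509 -noout -issuer  -nameopt RFC2253 | name_cn; }

# "yes" if basicConstraints says CA:TRUE, otherwise "no".
cert_is_ca() {
    if as_pem "$1" | openssl x509 -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# Fingerprint in the colon-separated form browsers display; sha256 by default,
# sha1 matches the thumbprint in the Windows root-import security warning.
cert_fingerprint() {
    alg=${2:-sha256}
    as_pem "$1" | openssl x509 -noout -fingerprint "-$alg" | sed 's/^.*=//'
}

# Pre-deployment check: succeeds only for a CA certificate whose subject CN is
# the one configured on Optinet, and prints the fingerprints to publish to users.
check_optinet_ca() {
    file=$1; expected_cn=$2
    if [ "$(cert_is_ca "$file")" != yes ]; then
        echo "$file: not a CA certificate (basicConstraints is not CA:TRUE)" >&2
        return 1
    fi
    cn=$(cert_subject_cn "$file")
    if [ "$cn" != "$expected_cn" ]; then
        echo "$file: subject CN is '$cn', expected '$expected_cn'" >&2
        return 1
    fi
    echo "OK: CA '$cn'"
    echo "  SHA-256: $(cert_fingerprint "$file" sha256)"
    echo "  SHA-1:   $(cert_fingerprint "$file" sha1)"
}

# Post-enable check, run from a filtered machine: issuer CN of the certificate a
# site presents. Expect the Optinet CN for filtered sites and the site's real CA
# for anything on the HTTPS/SSL Filter Exemption List. Needs network access.
served_issuer_cn() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer -nameopt RFC2253 | name_cn
}

# Constructed test material (no real Optinet certificate is embedded): a
# self-signed CA standing in for cacert.cer, or a non-CA certificate with the
# same name, so the check above can be exercised offline. ca_flag: TRUE|FALSE.
make_sample_cert() {
    out=$1; cn=$2; ca_flag=$3
    cfg=$(mktemp)
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\n[dn]\n[ext]\nbasicConstraints=critical,CA:%s\n' "$ca_flag" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$cfg" \
        -subj "/O=Example Corp/CN=$cn" -keyout "$out.key" -out "$out" 2>/dev/null
    rm -f "$cfg"
}
```

Run check_optinet_ca cacert.cer "your Common Name" on the downloaded file; the SHA-1 value it
prints is what users compare against the thumbprint in the Windows security warning, and the
SHA-256 value matches the Firefox certificate viewer (on Windows 8 and later, certutil
-hashfile cacert.cer SHA256 computes the same value locally). On a single Windows machine,
certutil -addstore Root cacert.cer from an elevated prompt imports the certificate into the
machine's Trusted Root store without the wizard. After Full SSL Content Filtering is on,
served_issuer_cn for a filtered site should print the Optinet Common Name, while a host on
the Exemption List should still print its real certification authority.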
Reporting on HTTPS/SSL Web Sites
After you have enabled HTTPS/SSL Filtering, you can report on HTTPS/SSL web sites. Click
on Report -> Internet Usage -> Web Hits Overview -> Allowed. This displays all allowed
Web hits within the past 24 hours. In the top right-hand corner of the report is a reporting
option entitled Encryption Type. By default this option is set to No Filter, which shows all
Web hits. Select that option and choose SSL. The report will then display all HTTPS/SSL
Web site hits within the last 24 hours. You can then adjust the report to correlate and filter
for specific users, time frames, etc. Wherever the Encryption Type option is displayed, you
can adjust reporting to show HTTPS/SSL Web sites.
Viewing Sensitive Content on HTTPS/SSL Web Sites
SSL works by using public and private keys to negotiate a session key and then encrypting
everything that passes through the tunnel with it. With Full SSL Content Filtering, Optinet
terminates that tunnel, so the traffic inside it, including form fields such as passwords,
bank account numbers, and social security numbers, passes through the appliance in the
clear unless the Web site itself adds its own encryption of those fields at the application
layer, which most do not. Typically Optinet captures only the URL and the Hypertext Markup
Language (HTML) of the web site accessed, and not the items submitted in forms, but the
decryption itself still takes place on the device.
If you are concerned about sensitive content passing through Optinet, list those Web sites
in the HTTPS/SSL Filter Exemption List. Web sites on the Exemption List are not filtered,
monitored, or decrypted in any form; banking, payroll, and health-care sites are the usual
candidates. For more information, review the section HTTPS/SSL Filter Exemption List.
This concludes the chapter for HTTPS/SSL Filtering. If you need further assistance with this
or any other component of Optinet, please read the following section on getting help.
Customer Support and Feedback
Getting Help
For additional help, consult Black Box Network Services Support at 724-746-5500, or contact
your Authorized Black Box Network Services Reseller.
Please have the following information ready:
• Total bandwidth
• Total number of network nodes
• Optinet model and serial number
• Optinet firmware version
• A network topology diagram
• Presence of VLANs, proxy servers, remote subnets
• What symptoms or issues you are experiencing
We welcome your feedback and comments on Optinet. Contact us and let us know. Please
identify your Optinet model and tell us how we can reach you.
Appendix A: Web Filtering Categories
Optinet has several distinct layers to identify and filter web sites depending upon the
settings you employ on the device. Among the most distinct layers are URL checks against
database entries, key-word searches, real-time analysis on web page context, digital
certificate scans, and full payload decryption on HTTPS/SSL traffic. These distinct layers
allow Optinet to quickly categorize well-known web sites while providing a more in-depth
identification for new, indistinct, and constantly changing Web sites.
If you would like to confirm the categorization of a web site, you can use the
/?webFilterCategory diagnostic. From any computer that is filtered by Optinet, open a web
browser, enter the URL of the web site whose categorization you want to confirm and append
/?webFilterCategory to it, for example http://www.google.com/?webFilterCategory. Optinet
displays the Web Filter Category Report, which lists the categorization of the web page and
which component (URL database, key-word search, or content analysis) categorized the site.
If you would like to re-categorize a web site, you can use the Custom Category Rules menu
(Admin -> Configuration -> Custom Category Rules) or submit the URL to
http://www.blackbox.com/category.
The following list gives the available categories, the filtering level typically applied to
each, a brief description of the type of content contained by each, and some example web
sites.
Adult
  Filtering (typical): Unacceptable
  Description: These are sites directed to adults, not necessarily pornographic sites. Adult clubs: strip clubs, swingers clubs, escort services, strippers; general information about sex, non-pornographic in nature; genital piercing; adult products, adult greeting cards; information about sex not in the context of health or disease.
  Examples: fhm.com, cybereroticanews.com

Alcohol and Tobacco
  Filtering (typical): Non-business
  Description: Beer, wine, spirits: beer and wine making, cocktail recipes, liquor sellers, wineries, vineyards, breweries; mixed drinks, drinking establishments; tobacco; pipes and smoking products. Also Tobacco.
  Examples: budweiser.com, philipmorrisusa.com

Arts and Entertainment
  Filtering (typical): Non-business
  Description: Galleries and exhibitions; artists and art; photography; literature and books, publishing; movies; performing arts and theater; music and radio; television; celebrities and fan sites; design; architecture; entertainment news, venues; humor. Also Entertainment.
  Examples: disney.com, mgm.com

Automatic Updating
  Filtering (typical): Non-business
  Description: Web pages that monitor activities and automatically update page content on a regular basis, such as stock tickers or weather reports.
  Examples: ticker.nasdaq.com, pub.weatherbug.com

Business and Industry
  Filtering (typical): Business
  Description: Sites involved in business-to-business transactions of all kinds. Advertising, marketing, commerce, corporations, business practices, workforce, human resources, transportation, payroll, security, venture capital, etc.; office supplies; industrial equipment (process equipment), machines and mechanical systems; heating equipment, cooling equipment; materials handling equipment; packaging equipment; manufacturing: solids handling, metal fabrication, construction and building; passenger transportation; commerce; industrial design; construction, building materials; shipping and freight: freight services, trucking, freight forwarders, truckload carriers, freight/transportation brokers, expedited services, load & freight matching, track & trace, NVOCC, railroad shipping, ocean shipping, road feeder services, moving & storage. Also Industry.
  Examples: dow.com, ussteel.com

Cars and Motorcycles
  Filtering (typical): Non-business
  Description: Sites about personal transportation; information about cars and motorcycles; shopping for new and used cars and motorcycles; car clubs; boats, RVs, etc. (Note: auto and motorcycle racing is categorized as Sports and Recreation.) Also Motorcycles.
  Examples: autobytel.com, autos.msn.com

Cheating and Plagiarism
  Filtering (typical): Non-business
  Description: Sites promoting cheating and selling written work (e.g. term papers) for plagiarism. Also Plagiarism.
  Examples: cheathouse.com, bestpapers.com
Computers and Internet
  Filtering (typical): Business
  Description: Information about computers and software such as: hardware, software, software support sites; information for software engineers, programming and networking; website design, and the web and Internet in general; computer science; computer graphics and clipart. Also Internet.
  Examples: dell.com, update.microsoft.com

Crime
  Filtering (typical): Business
  Description: Sites related to crime, crime reporting, law enforcement, crime statistics, etc.
  Examples: crime.com, terrorism.com

Criminal Related
  Filtering (typical): Non-business
  Description: Pages that promote crime such as stealing, fraud, phreaking and cracking; warez and pirated software; computer viruses; terrorism, bombs, and anarchy; sites depicting murder and suicide as well as explaining ways to commit them.
  Examples: illegalworld.com, anarchistcookbook.com

Cults
  Filtering (typical): Non-business
  Description: Cults and cult behavior.
  Examples: kimmillerconcernedchristians.com, heavensgate.com

Dating
  Filtering (typical): Unacceptable
  Description: Dating sites, online personals, matrimonial agencies, etc., for adults.
  Examples: eharmony.com, friendfinder.com

Dining and Drinking
  Filtering (typical): Non-business
  Description: Eating and drinking establishments; restaurants, bars, taverns, brewpubs, restaurant guides and reviews.
  Examples: pizzahut.com, mortons.com

Early Childhood Dev.
  Filtering (typical): Non-business
  Description: Sites directed toward and specifically approved for young children.
  Examples: nickjr.com, pbskids.org

Education
  Filtering (typical): Business
  Description: Education-related sites and web pages such as schools, colleges, universities, teaching materials, teachers' resources; technical and vocational training; online training; education issues and policy; financial aid; school funding; standards and testing.
  Examples: usc.edu, nyu.edu

Filter Avoidance
  Filtering (typical): Unacceptable
  Description: Web pages that promote and aid undetectable and anonymous surfing.
  Examples: proxify.com, proxyblind.org

Finance
  Filtering (typical): Business
  Description: Sites and information that are primarily financial in nature such as: accounting practices and accountants; taxation; banking; insurance; investing: information relating to the stock market, stocks, bonds, mutual funds, brokers, stock analysis and commentary, stock screens, stock charts, IPOs, stock splits; the national economy; personal finance involving insurance of all types; credit cards; retirement and estate planning; loans; mortgages; taxes.
  Examples: nasdaq.com, wellsfargo.com

FYI
  Filtering (typical): Business
  Description: City and state guides; maps, weather, time; reference sources; dictionaries; libraries; museums; ski conditions; personal information; mass transportation: consumer mass transit information (bus, commuter train, subway, airport), maps, schedules.
  Examples: maps.google.com, weather.com

Gambling
  Filtering (typical): Non-business
  Description: Casinos and online gambling sites; bookmakers and odds; gambling advice; horse and dog racing in a gambling context; sports book; sports gambling.
  Examples: partypoker.com, bodog.com
Games
  Filtering (typical): Non-business
  Description: Various card games, board games, word games, video games; computer games, Internet games (RPGs and D&D); combat games; sports games; downloadable games; game reviews; cheat sheets.
  Examples: games.yahoo.com, worldofwarcraft.com

Gay and Lesbian
  Filtering (typical): Non-business
  Description: Gay, lesbian, bisexual, transgender: gay family, gay parenting, coming out, gay pride sites; gay civil rights, politics, sports, clubs and events, travel and accommodations, leisure activities; gay bars.
  Examples: gay.com, gayamerica.com

Government and Law
  Filtering (typical): Business
  Description: Foreign relations; news and information relating to politics and elections such as: politics, political parties, election news and voting; sites and information relating to the field of law such as: attorneys, law firms, law publications, legal reference material, courts, dockets, legal associations; legislation and court decisions; civil rights issues; immigration; patents and copyrights; sites and information relating to law enforcement and correctional systems; sites relating to the military such as: the armed forces, military bases, military organizations, and military equipment; anti-terrorism. Also Law.
  Examples: foreignaffairs.org, firstgov.gov

Hacking
  Filtering (typical): Non-business
  Description: Sites discussing ways to hack into web sites, software, and computers.
  Examples: elitehackers.com, hackerstuff.com

Hate Speech
  Filtering (typical): Unacceptable
  Description: Hate-related sites, involving racism, sexism, racist theology; hate music; Christian identity religions; World Church of the Creator; Neo-Nazi organizations: Aryan Nations, American Nazi parties, Neo-Nazis, Ku Klux Klan, National Alliance, White Aryan Resistance, white supremacists; National Socialist Movement; Holocaust denial.
  Examples: kkk.com, blacksandjews.com

Health and Nutrition
  Filtering (typical): Non-business
  Description: Health care; disease and disabilities; medical care; hospitals; doctors; medicinal drugs; mental health; psychiatry; pharmacology; exercise and fitness; physical disabilities; vitamins and supplements; sex in a context of health (disease and health care); tobacco use, alcohol use, drug use, and gambling in a context of health (disease and health care); food in general; food and beverage; cooking and recipes; food and nutrition, health, dieting.
  Examples: efitness.com, emedicine.com

Illegal Drugs
  Filtering (typical): Non-business
  Description: Information about recreational drugs, drug paraphernalia, marijuana seeds; advice on how to grow marijuana.
  Examples: weedcity.com, cannabis.com

Instant Messaging
  Filtering (typical): Non-business
  Description: Web-based instant messaging.
  Examples: messenger.yahoo.com, meebo.com

Job Search
  Filtering (typical): Non-business
  Description: Career advice; advice on resume writing and interviewing skills; job placement services; job databanks; employment and temp agencies; employer sites.
  Examples: dice.com, monster.com

Lingerie
  Filtering (typical): Unacceptable
  Description: Intimate apparel, especially when modeled.
  Examples: victoriasecret.com, pamperedpassions.com
Lottery and Sweepstakes
  Filtering (typical): Non-business
  Description: Sweepstakes, contests and lotteries.
  Examples: powerball.com, calottery.com

Miscellaneous
  Filtering (typical): Non-business
  Description: Cannot be categorized, often because the web page is secured from outside visibility or there is either no text or too little text to access it.
  Examples: (none listed)

Nature
  Filtering (typical): Non-business
  Description: Natural resources; ecology and conservation; forests; wilderness; plants; flowers; forest conservation; forest, wilderness, forestry practices; forest management (re-forestation, forest protection, conservation, harvesting, forest health, thinning, prescribed burning); agricultural practices: agriculture, gardening, horticulture, landscaping, planting, weed control, irrigation, pruning, harvesting; pollution issues: air quality, hazardous waste, pollution prevention, recycling, waste management, water quality, environmental clean-up industry; animals, pets, livestock, zoology; biology; botany.
  Examples: peta.org, nature.org

News
  Filtering (typical): Non-business
  Description: News, headlines, newspapers; TV station wireless.
  Examples: nytimes.com, msnbc.com

Non-mainstream
  Filtering (typical): Non-business
  Description: Non-mainstream approaches to life. Occult practices: esoteric magic, voodoo, witchcraft, casting spells; fortune telling practices: I Ching, numerology, psychic advice, Tarot; paranormal: out of body, astral travel, séances; astrology, horoscopes; UFOs and aliens; gay, lesbian and bisexual: gay family, gay parenting, coming out, gay pride sites, civil rights issues, politics, sports, clubs and events, travel and accommodations, leisure activities; gay bars.
  Examples: tarot.com, psychic.com

Non-sexual nudity
  Filtering (typical): Unacceptable
  Description: Nudism/nudity; nudist camps; artistic nudes.
  Examples: barenakedgallery.com, fineartnude.com

Online Communities
  Filtering (typical): Non-business
  Description: Personal web pages; affinity groups; special interest groups; professional organizations for social purposes; personal photo collections; web newsgroups.
  Examples: myspace.com, facebook.com

Online Trading
  Filtering (typical): Non-business
  Description: Online brokerages, sites which afford the user the ability to trade stocks online.
  Examples: franklintrading.com, ameritrade.com

Peer File Transfer
  Filtering (typical): Non-business
  Description: Peer-to-peer file request sites. This does not track the file transfers themselves.
  Examples: torrentz.com, piratebay.com

Porn
  Filtering (typical): Non-business
  Description: Sexually explicit text or depictions. Includes the following: nude celebrities; anime and XXX cartoons; general XXX depictions; material of a sexually violent nature (bondage, domination, sadomasochism, torture, rape, spanking, snuff, fantasy death, necrophilia); other fetish material (foot/legs, infantilism, balloon sex, latex gloves, enema, pregnant women, pony-play, BBW, bestiality); XXX chat rooms; sex simulators; gay pornography; sites that offer strip poker; adult movies; lewd art; web-based pornographic e-mail.
  Examples: hustler.com, penthouse.com
Real Estate
  Filtering (typical): Non-business
  Description: Information that would support the search for real estate. This includes: office and commercial space; real estate listings: rentals, apartments, homes; house building; roommates, etc.
  Examples: remax.com, century21.com

Science and Technology
  Filtering (typical): Non-business
  Description: Sites involving science and technology: aerospace, electronics, engineering, mathematics, etc.; space exploration; meteorology; geography; environment; energy: oil, nuclear, wind, sun; communications: telephones, telecomm. Also Technology.
  Examples: space.com, ieee.org

Search Engines and Portals
  Filtering (typical): Business
  Description: Web directories and search engines that often serve as home pages such as Excite, MSN, Alta Vista, and Google.
  Examples: google.com, msn.com

Sex Education and Abortion
  Filtering (typical): Unacceptable
  Description: Sexual health, information about, or descriptions of, abortion procedures such as: abortion pills, medical abortions, surgical abortions; abortion clinics and abortion providers.
  Examples: abortion.com, prolife.com

Shopping
  Filtering (typical): Non-business
  Description: Auctions; bartering; online purchasing; coupons and free offers; yellow pages; classified ads; general office supplies; online catalogs; online malls.
  Examples: ebay.com, amazon.com

Social Science
  Filtering (typical): Non-business
  Description: Sites related to: archaeology; anthropology; cultural studies; economics; history; linguistics; philosophy; political science; psychology; theology; women's studies.
  Examples: civilwar.com, ssrc.org

Society and Culture
  Filtering (typical): Non-business
  Description: Family and relationships; religions, ethnicity and race, social organizations; genealogy; seniors, clothing and fashion; spas; hair salons; cosmetics (skin care for diseases or conditions may be categorized as Health and Nutrition); hobbies; do-it-yourself; toys for kids; model and remote control cars; toy soldiers.
  Examples: unitedway.org, goodhousekeeping.com

Spiritual Healing
  Filtering (typical): Non-business
  Description: Spiritual healing; alternative approaches to health, both physical and mental.
  Examples: aetherius.org, enhancedhealing.com

Sports and Recreation
  Filtering (typical): Non-business
  Description: All sports, professional and amateur; recreational activities; hunting; fishing; fantasy sports; gun and hunting clubs; public parks; amusement parks; water parks; theme parks; zoos and aquariums.
  Examples: espn.com, si.com

Streaming Media
  Filtering (typical): Non-business
  Description: Sites that involve: net radio; net TV; web casts; streaming audio; streaming video.
  Examples: xmradio.com, sirius.com

Tasteless or Obscene
  Filtering (typical): Unacceptable
  Description: Sites that offer tasteless, often gory photographs such as autopsy photos, photos of crime scenes, crime or accident victims; sites displaying excessive obscene material.
  Examples: facesofdeath.com, torture-museum.com

Tattoos
  Filtering (typical): Non-business
  Description: Pictures and text relating to body modification; tattoos and piercing venues; articles and information about tattoos and piercing; body painting.
  Examples: tatoo.com, tattoofinder.com

Travel
  Filtering (typical): Non-business
  Description: Business and personal travel: travel information; travel resources; travel agents; vacation packages; cruises; lodging and accommodations; travel transportation: flight booking, airfares, renting cars; vacation homes.
  Examples: travelocity.com, hotels.com
Uncategorized
  Filtering (typical): Non-business
  Description: Cannot be categorized, often because the web page is secured from outside visibility or there is either no text or too little text to access it.
  Examples: (none listed)

Vice
  Filtering (typical): Non-business
  Description: Sites involving illegal drugs, alcohol, tobacco, and gambling.
  Examples: viceland.com, vbs.tv

Violence
  Filtering (typical): Unacceptable
  Description: Sites related to violence and violent behavior.
  Examples: psfights.com, realfights.com

Weapons
  Filtering (typical): Business
  Description: Sites or information relating to the purchase or use of conventional weapons such as: gun sellers; gun auctions; gun classified ads; gun accessories; gun shows; gun training; general information about guns; other weapons (e.g., knives, brass knuckles) may be included.
  Examples: nrahq.org, remington.com

Web Hosting
  Filtering (typical): Business
  Description: Sites that provide web site hosting services.
  Examples: webmasters.com, rackspace.com

Web Messaging
  Filtering (typical): Non-business
  Description: General use of the web for messages: e-cards, on-line meetings, message boards, etc.
  Examples: bluemountain.com, ecards.com

Web-based Chat
  Filtering (typical): Non-business
  Description: Web-based chat sites.
  Examples: chatango.com, boldchat.com

Web-based Email
  Filtering (typical): Non-business
  Description: Email portals and email messages ported through the web.
  Examples: hotmail.com, webmail.aol.com
Appendix B: MIME Types
The following lists contain the MIME types you can block on your network.
MIME type
application/EDI-Consent
application/EDI-X12
application/EDIFACT
application/activemessage
application/andrew-inset
application/applefile
application/atomicmail
application/batch-SMTP
application/beep+xml
application/cals-1840
application/cnrp+xml
application/commonground
application/cpl+xml
application/cybercash
application/dca-rft
application/dec-dx
application/dicom
application/dns
application/dvcs
application/epp+xml
application/eshop
application/fits
application/font-tdpfr
application/http
application/hyperstudio
application/iges
application/im-iscomposing+xml
application/index
application/index.cmd
application/index.obj
application/index.response
application/index.vnd
application/iotp
application/ipp
application/isup
application/mac-binhex40
application/macwriteii
application/marc
application/mathematica
application/mikey
application/mpeg4-generic
application/msword
application/news-message-id
application/news-transmission
application/ocsp-request
application/ocsp-response
application/octet-stream
application/oda
application/ogg
application/parityfec
application/pdf
application/pgp-encrypted
application/pgp-keys
application/pgp-signature
application/pidf+xml
application/pkcs10
application/pkcs7-mime
application/pkcs7-signature
application/pkix-cert
application/pkix-crl
application/pkix-pkipath
application/pkixcmp
application/postscript
application/prs.alvestrand.titrax-sheet
application/prs.cww
application/prs.nprend
application/prs.plucker
application/qsig
application/rdf+xml
application/reginfo+xml
application/remote-printing
application/riscos
application/rtf
application/samlassertion+xml
application/samlmetadata+xml
application/sbml+xml
application/sdp
application/set-payment
application/set-payment-initiation
application/set-registration
application/set-registration-initiation
application/sgml
application/sgml-open-catalog
application/sieve
application/simple-message-summary
application/slate
application/soap+xml
application/spirits-event+xml
application/timestamp-query
application/timestamp-reply
application/tve-trigger
application/vemmi
application/watcherinfo+xml
application/whoispp-query
application/whoispp-response
application/wita
application/wordperfect5.1
application/x400-bp
application/xhtml+xml
application/xml
application/xml-dtd
application/xml-external-parsed-entity
application/xmpp+xml
application/xop+xml
application/zip
audio/32kadpcm
audio/3gpp
audio/AMR
audio/AMR-WB
audio/CN
audio/DAT12
audio/DVI4
audio/EVRC
audio/EVRC-QCP
audio/EVRC0
audio/G.722.1
audio/G722
audio/G723
audio/G726-16
audio/G726-24
audio/G726-32
audio/G726-40
audio/G728
audio/G729
audio/G729D
audio/G729E
audio/GSM
audio/GSM-EFR
audio/L16
audio/L20
audio/L24
audio/L8
audio/LPC
audio/MP4A-LATM
audio/MPA
audio/PCMA
audio/PCMU
audio/QCELP
audio/RED
audio/SMV
audio/SMV-QCP
audio/SMV0
audio/VDVI
audio/basic
audio/clearmode
audio/dsr-es201108
audio/dsr-es202050
audio/dsr-es202211
audio/dsr-es202212
audio/iLBC
audio/mpa-robust
audio/mpeg
audio/mpeg4-generic
audio/parityfec
audio/prs.sid
audio/telephone-event
audio/tone
image/cgm
image/fits
image/g3fax
image/gif
image/ief
image/jp2
image/jpeg
image/jpm
image/jpx
image/naplps
image/png
image/prs.btif
image/prs.pti
image/t38
image/tiff
image/tiff-fx
message/CPIM
message/delivery-status
message/disposition-notification
message/external-body
message/http
message/news
message/partial
message/rfc822
message/s-http
message/sip
message/sipfrag
message/tracking-status
model/iges
model/mesh
model/vrml
multipart/alternative
multipart/appledouble
multipart/byteranges
multipart/digest
multipart/encrypted
multipart/form-data
multipart/header-set
multipart/mixed
multipart/parallel
multipart/related
multipart/report
multipart/signed
multipart/voice-message
text/calendar
text/css
text/directory
text/dns
text/enriched
text/html
text/parityfec
text/plain
text/prs.fallenstein.rst
text/prs.lines.tag
text/rfc822-headers
text/richtext
text/rtf
text/sgml
text/t140
text/tab-separated-values
text/uri-list
text/xml
text/xml-external-parsed-entity
video/3gpp
video/BMPEG
video/BT656
video/CelB
video/DV
video/H261
video/H263
video/H263-1998
video/H263-2000
video/H264
video/JPEG
video/MJ2
video/MP1S
video/MP2P
video/MP2T
video/MP4V-ES
video/MPV
video/SMPTE292M
video/mpeg
video/mpeg4-generic
video/nv
video/parityfec
video/pointer
video/quicktime
Appendix C: File Types
The following lists contain the file types you can block on your network.
File type                  File extension
Active Server Page         .asmx
Active Server Page         .asp
Active Server Page         .aspx
ActiveX Control            .ocx
Address Book               .pab
Audio                      .aiff
Audio                      .m4a
Audio                      .mid
Audio                      .midi
Audio                      .mp3
Audio                      .mpu
Audio                      .ra
Audio                      .ram
Audio                      .wav
Audio                      .wma
Audio                      .aac
CGI Script                 .cgi
Cascading Style Sheet      .css
Comma Separated Value      .csv
Compressed                 .arc
Compressed                 .gz
Compressed                 .gzip
Compressed                 .hqx
Compressed                 .rar
Compressed                 .sea
Compressed                 .sit
Compressed                 .z
Compressed                 .zip
DOS Batch                  .bat
Database                   .db
Database                   .mdb
Disk Image                 .dmg
Disk Image                 .img
Document                   .pdf
Document                   .rtf
Document                   .wpd
Document                   .wpt
Dynamic Link Library       .dll
eBook                      .lit
Executable                 .exe
File Shortcut              .lnk
Filemaker Pro              .fpt
Flash                      .swf
FoxPro                     .dbx
HTML                       .html
Icon                       .ico
Image                      .bmp
Image                      .gif
Image                      .jpe
Image                      .jpeg
Image                      .jpg
Image                      .pct
Image                      .png
Image                      .tga
Image                      .tiff
Initialization             .ini
Internet Certificate       .cer
Java Archive               .jar
JavaScript                 .js
Log                        .log
Lotus                      .wk1
Lotus Database             .ns2
Lotus Database             .ns3
Lotus Database             .ns4
MIME                       .mim
MIME                       .mime
Macro                      .wpm
Metafile                   .wmf
Microsoft Project          .mpp
Microsoft Publisher        .pub
Outlook                    .pst
PHP                        .php
PHP                        .php3
PHP                        .php4
PageMaker                  .p65
Perl Script                .pl
Photoshop                  .psd
Postscript                 .ps
PowerPoint                 .pps
PowerPoint                 .ppt
Quark Express              .qxd
SQL                        .sql
Spreadsheet                .xls
Spreadsheet                .xlt
Spreadsheet                .xlw
Swap                       .sqp
Tar                        .tar
Text                       .txt
Uuencoded                  .uu
Uuencoded                  .uue
Video                      .avi
Video                      .moov
Video                      .mov
Video                      .mp4
Video                      .mpeg
Video                      .mpg
Video                      .qt
Video                      .rm
Video                      .wmv
Visio                      .vsd
Windows Help               .hlp
Word Document              .doc
Word Template              .dot
XML                        .xml
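As an added example (not Optinet's own code), here is the normalization a block decision over the MIME types of Appendix B and the file extensions of Appendix C has to perform before matching: the Content-Type header is case-insensitive and may carry parameters, and the extension belongs to the URL path, not to its query string. The policy sets are a constructed subset of the two appendices.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed sample policy: a small subset of Appendix B (MIME types) and
# Appendix C (file extensions). Matching is done on normalized values only.
BLOCKED_MIME = {"application/octet-stream", "application/zip", "video/quicktime"}
BLOCKED_EXT = {".exe", ".bat", ".zip", ".mov"}


def normalize_mime(content_type: str) -> str:
    """Reduce a Content-Type header to its bare type/subtype.

    The media type is case-insensitive and may carry parameters
    ('Application/ZIP; charset=binary'), so the comparison key is
    'application/zip'.
    """
    return content_type.split(";", 1)[0].strip().lower()


def url_extension(url: str) -> str:
    """Lower-cased extension of the URL path; query and fragment are ignored.

    This is the limit of extension matching: a download served through a
    script ('/get.php?file=report.zip') is classified by the script's own
    extension, which is why the MIME-type check is kept alongside it.
    """
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def decide(url: str, content_type: str) -> tuple:
    """Return ('block', reasons) or ('allow', []) for one HTTP response."""
    reasons = []
    ext = url_extension(url)
    if ext in BLOCKED_EXT:
        reasons.append(f"extension {ext}")
    mime = normalize_mime(content_type)
    if mime in BLOCKED_MIME:
        reasons.append(f"MIME type {mime}")
    return ("block" if reasons else "allow", reasons)


if __name__ == "__main__":
    # Constructed sample responses (URL, Content-Type header value).
    samples = [
        ("http://example.com/dl/Setup.EXE", "application/octet-stream"),
        ("http://example.com/get.php?file=report.zip", "Application/ZIP; charset=binary"),
        ("http://example.com/index.html", "text/html; charset=utf-8"),
    ]
    for sample_url, header in samples:
        print(sample_url, decide(sample_url, header))
```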
Appendix D: CIDR Cheat Sheet
Classless Inter-Domain Routing (CIDR) is the current way of writing IP addresses and subnet
masks. It replaces the earlier classful network scheme: instead of allocating address blocks
only on 8-bit (octet) boundaries, CIDR uses a variable-length subnet mask, so address blocks
can be allocated in finer sizes. Optinet presents all IP addresses in CIDR notation, i.e., the
network address 192.168.255.0 with a subnet mask of 255.255.255.0 is shown as
192.168.255.0/24, where /24 is the number of leading one bits in the mask. The CIDR cheat
sheet below will help you enter IP addresses in CIDR notation.
CIDR Cheat Sheet
CIDR Notation   Class                        Hosts        Mask
/32             1/256 C                      1            255.255.255.255
/31             1/128 C                      2            255.255.255.254
/30             1/64 C                       4            255.255.255.252
/29             1/32 C                       8            255.255.255.248
/28             1/16 C                       16           255.255.255.240
/27             1/8 C                        32           255.255.255.224
/26             1/4 C                        64           255.255.255.192
/25             1/2 C                        128          255.255.255.128
/24             1 C                          256          255.255.255.0
/23             2 C                          512          255.255.254.0
/22             4 C                          1024         255.255.252.0
/21             8 C                          2048         255.255.248.0
/20             16 C                         4096         255.255.240.0
/19             32 C                         8192         255.255.224.0
/18             64 C                         16384        255.255.192.0
/17             128 C                        32768        255.255.128.0
/16             256 C = 1 B                  65536        255.255.0.0
/15             512 C = 2 B                  131072       255.254.0.0
/14             1024 C = 4 B                 262144       255.252.0.0
/13             2048 C = 8 B                 524288       255.248.0.0
/12             4096 C = 16 B                1048576      255.240.0.0
/11             8192 C = 32 B                2097152      255.224.0.0
/10             16384 C = 64 B               4194304      255.192.0.0
/9              32768 C = 128 B              8388608      255.128.0.0
/8              65536 C = 256 B = 1 A        16777216     255.0.0.0
/7              131072 C = 512 B = 2 A       33554432     254.0.0.0
/6              262144 C = 1024 B = 4 A      67108864     252.0.0.0
/5              524288 C = 2048 B = 8 A      134217728    248.0.0.0
/4              1048576 C = 4096 B = 16 A    268435456    240.0.0.0
/3              2097152 C = 8192 B = 32 A    536870912    224.0.0.0
/2              4194304 C = 16384 B = 64 A   1073741824   192.0.0.0
/1              8388608 C = 32768 B = 128 A  2147483648   128.0.0.0
/0              1677216 C = 65536 B = 256 A  4294967296   0.0.0.0
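The conversions the cheat sheet tabulates, as an added example in Python (not Optinet's own code): prefix length to dotted mask and back, the size of a block, the address/mask pair rewritten in the CIDR form Optinet displays, and a check of an entry before it is typed into the appliance that rejects host bits set below the mask. The Hosts column counts every address in the block, including the network and broadcast addresses, and block_size reports the same count.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def prefix_to_mask(prefix: int) -> str:
    """/24 -> '255.255.255.0': the mask is `prefix` leading one bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    bits = (ALL_ONES << (32 - prefix)) & ALL_ONES
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask: str) -> int:
    """'255.255.248.0' -> 21; rejects non-contiguous masks such as 255.0.255.0."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"malformed mask {mask!r}")
    bits = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    prefix = bin(bits).count("1")
    if bits != ((ALL_ONES << (32 - prefix)) & ALL_ONES):
        raise ValueError(f"non-contiguous mask {mask!r}")
    return prefix


def block_size(prefix: int) -> int:
    """Addresses in a /prefix block (the table's Hosts column): 2**(32-prefix)."""
    return 1 << (32 - prefix)


def to_cidr(network: str, mask: str) -> str:
    """Old-style address/mask pair -> CIDR notation as Optinet displays it."""
    return f"{network}/{mask_to_prefix(mask)}"


def cidr_entry_problem(entry: str) -> str:
    """Return '' if `entry` is a valid network in CIDR notation, else why not.

    Host bits set below the mask (192.168.255.5/24) are rejected rather than
    silently truncated, so a mistyped entry cannot quietly widen a rule that
    was meant for one host to the whole /24.
    """
    try:
        ipaddress.IPv4Network(entry, strict=True)
    except ValueError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print(to_cidr("192.168.255.0", "255.255.255.0"))
    print(prefix_to_mask(21), block_size(21))
    print(cidr_entry_problem("192.168.255.5/24"))
```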
Appendix E: End User License Agreement (EULA) & Warranty
PLEASE READ THE FOLLOWING BEFORE USING THE ACCOMPANYING PRODUCT. YOU SHOULD
CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING THE ACCOMPANYING
SOFTWARE AND HARDWARE (“APPLIANCE”). THE USE OF THE PRODUCT IS LICENSED FOR USE ONLY AS
SET FORTH BELOW. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO
NOT USE THE PRODUCT. IF YOU USE ANY PART OF THE SOFTWARE AND HARDWARE, SUCH USE WILL
INDICATE THAT YOU ACCEPT.
License Grant
Subject to the terms and conditions of this License, you are granted a nonexclusive right and license to use the
Software on the Appliance. In addition, (1) you may not reverse engineer, decompile, disassemble or modify the
Software or Appliance, except and only to the extent that such activity is expressly permitted by applicable law
notwithstanding this limitation; and (2) you may not transfer rights under this License unless such transfer is part of a
permanent sale or transfer of the Product, and you transfer at the same time the Appliance and Software to the same
party or destroy such materials not transferred, and the recipient agrees to this License. No license is granted in any
of the Software’s proprietary source code.
You may make a reasonable number of copies of the electronic documentation accompanying the Software for each
Software license you acquire, provided that, you must reproduce and include all copyright notices and any other
proprietary rights notices appearing on the electronic documentation.
Black Box Network Services and their suppliers reserve all rights not expressly granted herein.
Intellectual Property Rights
The Software and Appliance is protected by copyright laws, international copyright treaties, and other intellectual
property laws and treaties. This license does not grant you any rights to patents, copyright, trade secrets, trademarks
or any other rights with respect to the Software and Appliance. Black Box Network Services and its suppliers retain all
ownership of, and intellectual property rights in (including copyright), the Software and Appliance. However, certain
components of the Software are components licensed under the GNU General Public License (version 2). You may
obtain a copy of the GNU General Public License at http://www.fsf.org/copyleft/gpl.html. Black Box will provide source
code for any of the components of the Software licensed under the GNU General Public License upon request.
Additionally, this product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
(http://www.openssl.org/).
Export Restrictions
You agree that you will not export or re-export the Appliance, Software, any part thereof, or any process or service
that is the direct product of the Appliance or Software in violation of any applicable laws or regulations of the United
States or the country in which you obtained them.
U.S. Government Restricted Rights. The Software and related documentation are provided with Restricted Rights.
Use, duplication, or disclosure by the Government is subject to restrictions set forth in subparagraph (c) (1) (ii) of the
Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c) (1) and (2) of
the Commercial Computer Software–Restricted Rights at 48 C.F.R. 52.227-19, as applicable, or any successor
regulations.
Term and Termination
This License is effective until terminated. The License terminates immediately if you fail to comply with any term or
condition. In such an event, you must destroy all copies of the Software. You may also terminate this License at any
time by destroying the Product.
Governing Law and Attorney’s Fees
This License is governed by the laws of the State of Utah, USA, excluding its conflict of law rules. You agree that the
United Nations Convention on Contracts for the International Sale of Goods is hereby excluded in its entirety and
does not apply to this License. In any action or suit to enforce any right or remedy under this License or to interpret
any provision of this License, the prevailing party will be entitled to recover its costs, including reasonable attorneys’
fees.
Entire Agreement
This License constitutes the entire agreement between you and Black Box Network Services and its suppliers with
respect to the Software, and supersedes all other agreements or representations, whether written or oral. The terms
of this License can only be modified by express written consent of both parties. If any part of this License is held to be
unenforceable as written, it will be enforced to the maximum extent allowed by applicable law, and will not affect the
enforceability of any other part.
BLACK BOX NETWORK SERVICES DISCLAIMS ANY AND ALL OTHER WARRANTIES, WHETHER EXPRESS OR
IMPLIED, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE. OTHER THAN AS STATED HEREIN, THE ENTIRE RISK AS TO
SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU. ALSO, THERE IS NO
WARRANTY AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE SOFTWARE OR AGAINST
INFRINGEMENT. IF YOU HAVE RECEIVED ANY WARRANTIES REGARDING THE DEVICE OR THE
SOFTWARE, THOSE WARRANTIES DO NOT ORIGINATE FROM, AND ARE NOT BINDING ON, BLACK BOX
NETWORK SERVICES.
NO LIABILITY FOR CERTAIN DAMAGES. EXCEPT AS PROHIBITED BY LAW, BLACK BOX NETWORK
SERVICES SHALL HAVE NO LIABILITY FOR COSTS, LOSS, DAMAGES OR LOST OPPORTUNITY OF ANY
TYPE WHATSOEVER, INCLUDING BUT NOT LIMITED TO, LOST OR ANTICIPATED PROFITS, LOSS OF USE,
LOSS OF DATA, OR ANY INCIDENTAL, EXEMPLARY SPECIAL OR CONSEQUENTIAL DAMAGES, WHETHER
UNDER CONTRACT, TORT, WARRANTY OR OTHERWISE ARISING FROM OR IN CONNECTION WITH THIS
LICENSE OR THE USE OR PERFORMANCE OF THE SOFTWARE. IN NO EVENT SHALL BLACK BOX
NETWORK SERVICES BE LIABLE FOR ANY AMOUNT IN EXCESS OF THE PURCHASE PRICE AND/OR ANY
LICENSE FEES PAID TO BLACK BOX NETWORK SERVICES UNDER THIS LICENSE. SOME STATES AND
COUNTRIES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR
CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY TO YOU.
Hardware Warranty
Black Box Network Services Corp. warrants your Black Box Network Services product to be in good working order
and to be free from defects in workmanship and material (except in those cases where materials are supplied by the
Purchaser) under normal and proper use and service for the period of one (1) year from the date of purchase from an
Authorized Black Box Network Services Reseller. In the event that this product fails to meet this warranty within the
applicable warranty period, and provided that Black Box Network Services confirms the specified defects,
Purchaser’s sole remedy is to have Black Box Network Services, at Black Box Network Services’ sole discretion,
repair or replace such product at the place of manufacture, at no additional charge other than the cost of freight of the
defective product to and from the Purchaser. Repair costs and replacement products will be provided on an exchange
basis and will be either new or reconditioned. Black Box Network Services will retain, as its property, all replaced
parts and products. Notwithstanding the foregoing, this hardware warranty does not include service to replace or
repair damage to the product resulting from accident, disaster, abuse, misuse, electrical stress, negligence, any
non-Black Box Network Services modification of the product except as provided or explicitly recommended by Black Box
Network Services, or other cause not arising out of defects in material or workmanship. This hardware warranty also
does not include service to replace or repair damage to the product if the serial number or seal or any part thereof
has been altered, defaced, or removed. If Black Box Network Services does not find the product to be defective, the
Purchaser will be invoiced for said inspection and testing at Black Box Network Services’ then current rates,
regardless of whether the product is under warranty.
Black Box Tech Support: FREE! Live. 24/7.
Tech support the
way it should be.
Great tech support is just 20 seconds away at 724-746-5500 or blackbox.com.
About Black Box
Black Box Network Services is your source for more than 118,000 networking and infrastructure products. You’ll find everything
from cabinets and racks and power and surge protection products to media converters and Ethernet switches all supported by
free, live 24/7 Tech support available in 20 seconds or less.
© Copyright 2009. All rights reserved.
724-746-5500 | blackbox.com