
8e6 Technologies R3000 Network Card User Manual


Contents

1. [Fig. 4-9: Domain Details window, Alias List tab]
   However, if there are many alias names to be loaded, the tab initially displays without any data and the Search in Progress box opens.
   [Fig. 4-10: Search in Progress box. Message: "The LDAP server is returning a substantial amount of data. Please wait while the search is in progress."]
   8E6 TECHNOLOGIES R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE, CHAPTER 4: LDAP AUTHENTICATION SETUP, CREATE AN LDAP DOMAIN
   After the search is completed, the Search in Progress box closes and the list displays the Alias Name and the corresponding LDAP Container Name.
   NOTE: If the alias list does not display, double-check the settings on the other tabs and verify that all of your settings are correct.
   The following actions can be performed on this tab:
   - An Alias Name can be edited by double-clicking the Alias Name in the designated row and then making your modifications.
   - If an Organizational Unit (OU) has been deleted from the LDAP directory but has already been added to the alias list, the list can be reloaded by clicking the Reload OU List button. When clicking this button, the Search in Progress box opens and the domain becomes inactive and
2. USER GUIDE for Authentication
   Model: R3000
   Release 1.10.20, Version No. 1.01
   R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE
   © 2006 8e6 Technologies. All rights reserved.
   828 W. Taft Ave., Orange, CA 92865, USA
   Version 1.01, published December 2006. To be used with R3000 User Guide version 1.01 for software release 1.10.20.
   Printed in the United States of America.
   This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine readable form without prior written consent from 8e6 Technologies.
   Every effort has been made to ensure the accuracy of this document. However, 8e6 Technologies makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. 8e6 Technologies shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. Due to future enhancements and modifications of this product, the information described in this documentation is subject to change without notice.
   The latest version of this document can be obtained from http://www.8e6.com/docs/r3000_auth_ug.pdf
   Trademarks
   Other product names mentioned in this manual may be trademark
3. a. Select a group from the Profile Group(s) list box.
   b. Use the up or down arrow button to move that group up or down in the list.
   c. Click Apply to apply your settings.
   Manually add a user's name to the tree
   1. Select the NT domain, and choose Manually Add Member from the pop-up menu to open the Manually Add Member dialog box.
   [Fig. 3-7: Manually Add Member box]
   This dialog box is used for adding a username to the tree list, so that a filtering profile can be defined for that user.
   2. Enter the username in the text box (up to 16 characters).
   TIP: NT usernames should be entered without breaks or spaces. The first character must be a letter. The following ASCII characters can be used: A-Z, a-z, 0-9, _ (underscore), and - (hyphen). Examples: TJONES, JSmith, Jane_Doe, Doe-John.
   3. Click OK to add the username to the domain's section of the tree.
   NOTE: See "Add or maintain an entity's profile" under "Create and Maintain NT Profiles" for information on defining the filtering profile for the user.
   Manually add a gr
4. [Fig. 2-14: View Log File Result pop-up window]
   5. Click the "X" in the upper right corner of the pop-up window to close it.
   Specify block page settings
   Click Control and select Block Page Authentication from the pop-up menu to display the Block Page Authentication window.
   [Fig. 2-15: Block Page Authentication window]
   Block Page Authentication
   1. In the Re-authentication Options field of the Details frame, all block page options are selected by default, except for Web-based Authentication. Choose from the followi
5. domain controller - An authentication server that answers logon requests from workstations in a Windows NT domain. There are two types of domain controller servers: Primary Domain Controller (PDC) and Backup Domain Controller (BDC).
   entry - A collection of attribute types that comprise a Distinguished Name (DN). Each attribute type of the Distinguished Name has a type and one or more values. These types are mnemonic strings, such as "cn" for common name, "dc" for domain component, or "ou" for organizational unit.
   filter setting - A setting made for a service port. A service port with a filter setting uses filter settings created for library categories (block or open settings) to determine whether users should be denied or allowed access to that port.
   firewall mode - An R3000 set up in the firewall mode will filter all requests. If the request is appropriate, the original packet will pass unchanged. If the request is inappropriate, the original packet will be blocked from being routed through.
   global administrator - An authorized administrator of the network who maintains all aspects of the R3000, except for managing master IP groups and their members, and their associated filtering profiles. The global administrator configures the R3000, sets up master IP groups, and performs routine maintenance on the server.
   group administrator
6. eth0
   If using the invisible mode, the Block Page Delivery Method frame displays. Choose from either of the two Protocol Methods:
   - Send Block Page via ARP Table: this option uses the Address Resolution Protocol method to find the best possible destination MAC address of a specified host, usually the R3000 gateway.
   - Send Block to Specified Host MAC Address: using this preferred method, the block page will always be sent to the MAC address of a specified host, usually the R3000 gateway.
   Choose from either of the two Block Page Route To selections:
   - Default Gateway: this option indicates that the default gateway on your network will be used for sending block pages.
   - Alternate IP Address: this option should be used if block pages are not being served. Enter the IP address of the router or device that will serve block pages.
   4. Click Apply.
   Specify the subnet mask, IP address(es)
   Click Network and select LAN Settings from the pop-up menu to display the LAN Settings window.
   [Figure: LAN Settings window (System > Network > LAN Settings)]
7. positioned after Category Codes designated as blocked, indicating that all other categories should be open
   - Open the defined category/categories
   - White list the defined category/categories
   - Block all categories
   - Block the defined category/categories
   Category Codes: For the list of category codes (short names) and their corresponding descriptions (long names), go to http://www.8e6.com/r3000help/files/2group_textfile_cat.html#cat
   NOTE: The list of library category codes and corresponding descriptions is subject to change due to the addition of new categories and modification of current categories. For explanations and examples of category items, go to http://www.8e6.com/products/datab/pd_86db_r3000categories.htm
   Filter Option codes:
   - 0x2 = X Strikes Blocking
   - 0x4 = Google/Yahoo Safe Search
   - 0x100 = Search Engine Keyword
   - 0x200 = URL Keyword
   - 0x1000 = Extend URL Keyword Filter Control
   NOTES: To enable multiple filter codes, add the codes together. For example, to enable all features for an NT/LDAP profile, add 2 + 4 + 100 + 200 + 1000 = 1306, which means that 0x1306 should be entered at the end of the profile string. To disable all filter codes for an NT/LDAP profile, enter a 0 (zero) at the end of the profile string.
   See http://www.8e6.com/r3000help/files/2group_textfile_form
8. NOTES: Groups automatically populate the Profile Group(s) list box if these groups have one or more identical users, and were added to the tree list via the Select Groups/Members from Domain window. An entry for the Group Priority list is added to the end of the list when the group profile for that group is added to the R3000, and is removed automatically when you delete the profile.
   2. To change the order of groups in the list:
      a. Select a group from the Profile Group(s) list box.
      b. Use the up or down arrow button to move that group up or down in the list.
      c. Click Apply to apply your settings.
   Manually add a user's name to the tree
   1. Select the LDAP domain, and choose Manually Add Member from the pop-up menu to open the Manually Add Member dialog box.
   [Fig. 4-18: Manually Add Member box]
   This dialog box is used for adding a username to the tree list, so that a filtering profile can be defined for that user.
   2. Enter the username in the text box.
   TIP: LDAP usernames should be input exactly as entered for the LDAP Distinguished Name. Examples:
   CN=Jane Doe, CN=Users, DC=qc, DC=local
   CN=Public Joe Q, OU=Users, OU=Sales, DC=qc, DC=local
   CN=Doe John, CN=Users, DC=qc, DC
9. ticator is "On", unless the Novell eDirectory Agent option will be used instead. When enabling the 8e6 Authenticator option and then downloading and installing the 8e6 Authenticator (authenticat.exe) on a network share accessible by the domain controller or a Novell eDirectory server, the 8e6 Authenticator automatically authenticates the end user when he/she logs into his/her workstation.
   5. If you have a Novell eDirectory server and the 8e6 Authenticator will not be used, turning "On" Novell eDirectory Agent will enable end user logon and logoff events to be logged. To use this option, the LDAP domain must be set up and activated in the Group tree.
   WARNING: When enabling Novell eDirectory Agent, the agent will immediately begin scanning Novell eDirectory-based domain labels.
   6. If using Tier 1, in the Sending Keep Alive frame, click "On" to specify that keep-alives should be sent on a connection to verify whether it is still active. Click "Off" to specify that the end user's session will be kept alive based on the number of minutes entered in the text box.
   7. Click Apply.
   Net use based authentication
   Tier 1: Web-based Authentication disabled, Net Use enabled. Choose this option if you will be using net use based authentication for NT or Active Directory.
   1. Click
10. [Fig. 4-24: Group Profile window, Redirect URL tab]
    Redirect URL is used for specifying the URL to be used for redirecting users who attempt to access a site or service set up to be blocked.
    1. Specify the type of redirect URL to be used: "Default Block Page" or "Custom URL". If "Custom URL" is selected, enter the redirect URL in the corresponding text box. Users will be redirected to the designated page at this URL instead of the block page.
    2. Click Apply to apply your settings.
    Filter Options
    Click the Filter Options tab to display the Filter Options page of the Profile window.
    [Figure: Profile window, Filter Options page]
11. This action activates the Upload button.
    2. Click the Upload button to open the Upload SSL Certificate for LDAPS pop-up window.
    [Fig. 4-8: Upload SSL Certificate for LDAPS]
    3. Click Browse to open the Choose file window and select the R3000 server's SSL certificate.
    4. Click Upload File to upload the SSL certificate to the R3000 server.
    WARNING: If using a Novell server, be sure the name on the SSL certificate (to be uploaded to the server) matches the Server DNS Name entered in the Address Info tab.
    5. Click Next to go to the Alias List tab.
    Alias List
    The Alias List will be automatically populated if the Account Name was entered in the Account tab. This list includes all alias names for the domain that will be included in the Alias pull-down me
12. and select Refresh whenever changes have been made in this branch of the tree.
    View or modify NT domain details
    Domain Settings
    1. Double-click NT in the control panel to open the NT branch of the Group tree. Select the NT domain you added, and choose Domain Details from the pop-up menu to display the default Settings tab of the NT Domain Details window.
    [Fig. 3-3: NT Domain Details window, Settings tab]
    NOTE: To enter profile information for NT groups and users once domain settings are established, see "Set up NT Domain Groups, Members".
    2. For the Domain Settings:
    - The Domain Name entered in the Create Domain Controller dialog box displays greyed-out and cannot be modified.
    - The foll
13. as a result of various processes. This data can be reorganized in the R3000 console by changing the order of the columns.
    - list box - an area in a dialog box, window, or screen that accommodates and/or displays entries of items that can be added or removed.
    - pop-up box or pop-up window - a box or window that opens after you click a button in a dialog box, window, or screen. This box or window may display information, or may require you to make one or more entries. Unlike a dialog box, you do not need to choose between options.
    - pull-down menu - a field in a dialog box, window, or screen that contains a down-arrow to the right. When you click the arrow, a menu of items displays from which you make a selection.
    - radio button - a small, circular object in a dialog box, window, or screen used for selecting an option. This object allows you to toggle between two choices. By clicking a radio button, a dot is placed in the circle, indicating that you selected the option. When the circle is empty, the option is not selected.
14. mask.
    9. Click Modify.
    Step 4: Block everything for the Sub Group
    1. Select the IP Sub Group from the tree.
    2. Click Sub Group Profile in the pop-up menu to display the Sub Group Profile window.
    [Fig. 5-15: Sub Group Profile window, Category tab]
    3. In the Category Profile page, move all categories to the Blocked Categories list box by selecting categories from the Pass Categories and/or Always Allowed list box(es) and using the left arrow (<) to move them to the Blocked Categories list box.
    TIP: Blocks of categories can be selected by clicking the
15. [Fig. 5-22: Default Block Page]
    Activate Web-based authentication for the Global Group
    This selection of Web-based authentication creates more of a load on the R3000 than the IP Group selection, and should only be used as an alternative to IP Group authentication.
    Step 1: Exclude filtering critical equipment
    This step involves the identification of equipment such as backup servers you wish to be excluded from being served the Authentication Request Form page. For this step, you must choose one of two options:
    - Block Web access only: Select this option if you do not want to log traffic for a machine that you set up to be excluded from filtering on the network. Using this option, you exclude the IP address of a machine via the Range to Detect window. If you select this option, go to Step 1A.
    - Block Web access and log traffic: Select this option if you wish to log traffic for a machine that you set up to be excluded from filtering on the network. Using this option, you cre
16. 104 Taiwan, R.O.C.
    Taipei Local: 2501-5285
    Fax: 2501-5316
    Domestic Taiwan: 02-2501-5285
    International: 886-2-2501-5285
    8e6 China (Beijing)
    Room 909, 9 Floor, Tower 1, Bright China Chang An Building, No. 7 Jian Guo Men Nei Dajie, Beijing 100005, China
    Beijing Local: 65180088
    Fax: 65180328
    Domestic China: 010-65180088
    International: 86-10-65180088
    Support Procedures
    When you contact our technical support department:
    - You will be greeted by a technical professional who will request the details of the problem and attempt to resolve the issue directly.
    - If your issue needs to be escalated, you will be given a ticket number for reference, and a senior-level technician will contact you to resolve the issue.
    - If your issue requires immediate attention, such as your network traffic being affected or all blocked sites being passed, you will be contacted by a senior-level technician within one hour.
    - Your trouble ticket will not be closed until your permission is confirmed.
    APPENDIX A: User Group File Format and Rules
    The file with user group profiles you upload to the server must be set up in a specified format, with one complete user group profile per line. T
17. Contents (excerpt):
    - Override Pop-up Blockers
    - Yahoo Toolbar Pop-up Blocker
    - If pop-up blocking is enabled
    - Add override account to the white list
    - Google Toolbar Pop-up Blocker
    - If pop-up blocking is enabled
    - Add override account to the white list
    - AdwareSafe Pop-up Blocker
    - If pop-up blocking is enabled
    - Temporarily disable pop-up blocking
    - Mozilla Firefox Pop-up Blocker
    - Add override account to the white list
    - Windows XP SP2 Pop-up Blocker
    - Set up pop-up blocking
    - Use the Internet Options dialog box
    - Use the IE toolbar
    - Temporarily disable pop-up blocking
    - Add overri
18. An authorized administrator of the network who maintains a master IP group, setting up and managing members within that group. This administrator also adds and maintains customized library categories for the group.
    group name - The name of a group set up for a domain on an NT server. For example: "production" or "sales".
    invisible mode - An R3000 set up in the invisible mode will filter all connections on the Ethernet between client PCs and the Internet, without stopping each IP packet on the same Ethernet segment. The unit will only intercept a session if an inappropriate request was submitted by a client.
    LDAP - One of two authentication method protocols used by the R3000. Lightweight Directory Access Protocol (LDAP) is a directory service protocol based on entries (Distinguished Names).
    LDAP host - The LDAP domain name and DNS suffix. For example: "yahoo.com" or "server.local".
    login (or logon) script - Consists of syntax that is used for re-authenticating a user if the network connection between the user's machine and the server is lost.
    machine name - Pertains to the name of the user's workstation/machine/computer.
    minimum filtering level - A set of library categories and service ports defined at the global level to be blocked or opened. If the minimum filtering level is established, it is applied in
19. [Fig. F-6: Mozilla Firefox Popup Windows Preferences]
    3. With the "Block unrequested popup windows" checkbox checked, click Allowed Sites and enter the URL to allow the override account window to pass.
    4. Click OK to save your changes and to close the dialog box.
    Windows XP SP2 Pop-up Blocker
    Set up pop-up blocking
    There are two ways to enable the pop-up blocking feature in the IE browser.
    Use the Internet Options dialog box
    1. From the IE browser, go to the toolbar and select Tools > Internet Option
20. - NETBIOS Domain Name: an entry in this field is optional.
    - Server LDAPS Port: by default, 636 displays in this field.
    - Server LDAP Port: by default, the value that was entered in the LDAP Server Port field of the Create LDAP Domain dialog box displays in the field.
    - LDAP Query Base: root of the LDAP database to query using the LDAP Syntax, i.e. DC=domain,DC=com.
    TIP: The entry in this field is case sensitive.
    3. Click Next to go to the Account tab.
    [Fig. 4-14: Backup Server Configuration, Account Info]
    4. Enter, edit, or verify the following criteria:
    - Use Anonymous Bind: click this checkbox to grey-out the fields in this tab, if your LDAP database does not require a username to be provided in order to bind to the LDAP database.
    - Otherwise:
      a. Enter the authorized user's full LDAP Distinguished Name in the LDAP Account Name field. For example: cn=Administrator,cn=Users,dc=qc2domain,dc=local
      b. Enter the password in the Password and Confirm Password fields.
    5. Click Next to go to t
21. [Fig. 2-21: Authentication Form Customization window]
    NOTE: This window is activated only if Authentication is enabled via System > Authentication > Enable/Disable Authentication, and Web-based Authentication is specified.
    TIP: An entry in any of the fields in this window is optional, but if an entry is made in the Link Text field, a corresponding entry must also be made in the Link URL field.
    1. Make an entry in any of the following fields:
    - In the Header field, enter a static header to be displayed at the top of the Authentication Request Form.
    - In the Description field, enter a static text message to b
22. [Fig. 5-8: Sub Group Profile window, Filter Options tab]
    2. Uncheck all the checkboxes: "X Strikes Blocking", "Google/Yahoo Safe Search Enforcement", "Search Engine Keyword Filter Control", "URL Keyword Filter Control", and "Extend URL Keyword Filter Control".
    3. Click Apply.
    Step 8: Attempt to access Web content
    NOTE: For this step, you must have your own profile set up in order to complete the test process.
    1. Launch Internet Explorer.
    [Fig. 5-9: Internet Explorer browser]
    2. Enter a URL in the Address field of the browser window.
    NOTE: The URL should be one that begins with "http" (not "https").
    3. After clicking Go, the Authentication Request Form should open.
23. Filename field.
    6. Click Export to open another pop-up window that asks where you would like to save the certificate (the most convenient place would be your desktop).
    The certificate can now be uploaded to the R3000.
    Obtain a Sun ONE SSL Certificate
    Unlike Microsoft or Novell, the Sun ONE LDAP directory does not have a tool for exporting an SSL certificate once it has been imported to the LDAP server. Therefore, a copy of the root certificate (in the .cer or .der format) that was used to sign the LDAP server's certificate must be uploaded to the R3000. This certificate can be an internally generated root certificate, if you have a certificate authority to generate the certificate, or can be the root certificate used by the external signing authority.
    APPENDIX F: Override Pop-up Blockers
    An override account user with pop-up blocking software installed on his/her workstation will need to temporarily disable pop-up blocking in order to authenticate him/herself via the Options page.
    [Screenshot: R3000 block page ("ACCESS DENIED") in Microsoft Internet Explorer]
24. [Fig. 5-12: Members window]
    3. Click the radio button corresponding to "Source IP".
    4. Enter the Source IP address of the workstation, and specify the subnet mask for the range of user IP addresses of users to be authenticated.
    5. Click Add to include the IP address range in the Current Members list box.
    Step 3: Create an IP Sub Group
    1. Select the IP
25. Group webauth from the tree.
2. Click Add Sub Group in the pop-up menu to open the Create Sub Group dialog box.
[Fig. 5-13: Create Sub Group box]
3. Enter the Group Name of your choice.
4. Click OK to add the Sub Group to the IP Group.
5. Select the IP Sub Group from the tree.
6. Click Members in the pop-up menu to display the Members window.
[Fig. 5-14: Sub Group Members window]
7. Click the radio button corresponding to Member.
8. In the Member fields, enter the IP address range for members of the Sub Group and specify the subnet
26. Internet content.
Library Categories
A library category contains a list of Web site addresses and keywords for search engines and URLs that have been set up to be blocked or white listed. Library categories are used when creating a rule, the minimum filtering level, or a filtering profile.
8e6 Supplied Categories
8e6 furnishes a collection of library categories, grouped under the heading 8e6 Supplied Categories. Updates to these categories are provided by 8e6 on an ongoing basis, and global administrators also can add or delete individual URLs within a specified library category.
Custom Categories
Custom library categories can be added by either global or group administrators. As with 8e6 supplied categories, additions and deletions can be made within a custom category. However, unlike 8e6 supplied categories, a custom category can be deleted.
NOTE: 8e6 cannot provide updates to custom categories. Maintaining the list of URLs and keywords is the responsibility of the global or group administrator.
Service Ports
Service ports are used when setting up filter segments on the network (the range of IP addresses/netmasks to be detected by the R3000), the global default fil
27. [Fig. 3-12: Group Profile window, Category tab]
The Profile window is used for viewing/creating the filtering profile of the defined entity (group or member). Entries made in the Category, Redirect URL, and Filter Options tabs comprise the profile string for the entity.
Category Profile
Category Profile is used for creating the categories portion of the filtering profile for the entity.
NOTE: In order to use this tab, filtering rules should already have been set up via the Rules window, accessible from the Global Group options, and the minimum filtering level
28. • dialog box - a box that opens in response to a command made in a window or screen, and requires your input. You must choose an option by clicking a button (such as Yes or No, or Next or Cancel) to execute your command. As dictated by this box, you also might need to make one or more entries or selections prior to clicking a button.
• field - an area in a dialog box, window, or screen that either accommodates your data entry or displays pertinent information. A text box is a type of field.
• frame - a boxed-in area in a dialog box, window, or screen that includes a group of objects such as fields, text boxes, list boxes, buttons, radio buttons, check boxes, and/or tables. Objects within a frame belong to a specific function or group. A frame often is labeled to indicate its function or purpose.
• grid - an area in a frame that displays rows and columns of data
29. Step 2: Modify the Global Group Profile
CHAPTER 6: TECHNICAL SUPPORT
Hours
Contact Information
Domestic (United States)
International
E-Mail
Office Locations and Phone Numbers
8e6 Corporate Headquarters (USA)
8e6 Taiwan
8e6 China
Support Procedures
APPENDIX A
User Group File Format and Rules
Username Formats
Rule Criteria
File Format: Rules and Examples
NT User List Format and Rules
NT Group List Format and Rules
LDAP User List Format and Rules
LDAP Gro
30. Tier 1
2. In the Sending Keep Alive frame, click the radio button corresponding to the option to be used:
• On - This option specifies that keep-alives should be sent on a connection to verify whether it is still active.
• Off - This option specifies that the end user's session will be kept alive based on the number of minutes entered in the text box. In the Inactive session lifetime (in minutes) field, enter the number of minutes the end user's session will be kept alive.
3. Click Apply to open the alert box that confirms your selection.
Web-based authentication
Choose either Tier 2 or Tier 3 if Web-based authentication will be used.
NOTE: If selecting either Tier 2 or Tier 3, please be informed that in an organization with more than 5000 users, slowness may be experienced during the authentication process. In this scenario, 8e6 recommends using an R3000 Filter with an SSL accelerator card installed. Please contact 8e6 for more information.
Tier 2: Use time-based profiles, with time-out (in minutes)
Choose this option if using NT and/or LDAP authentication, and you want the user to have a time limit on his/her Internet connection. This option uses an authentication servlet that lets the user log into either domain with no persistent connection between the client PC
31. [Fig. 4-3: Domain Details window, Group tab]
By default, the Include List will be populated with appropriate group objects, based on the server type. Generally, no action needs to be performed on this tab. However, under special circumstances, a group object can be added or excluded by making an entry in the appropriate field, and then clicking the Include or Exclude button. A group object name can be edited by selecting the group object from the appropriate list box, editing the name in the field, and then clicking the Edit button. A group object can be removed by selecting the group object and then clicking Remove.
The Membership Attribute field is populated by default. The membership attribute is the name of the LDAP attribute in a group record that identifies members of a group.
If using Active Directory, the Use Primary Group checkbox displays on this tab. You may wish to check this box to indicate that profiles based on user groups should be assigned to users.
Click Next to go to the User tab.
32. [Fig. E-4: Add/Remove Snap-in]
4. Click Add to open the Add Standalone Snap-in dialog box.
[Fig. E-5: Add Standalone Snap-in]
5. Select Certificates, and click Add to open the Certificates snap-in wizard dialog box.
[Fig. E-6: Certificates snap-in dialog box]
6. Choose Computer account, and click Next to go to the Select Computer wizard page.
Select
33. [Fig. 5-31: Sub Group Profile window, Category tab]
3. In the Category Profile page, create a custom profile by selecting categories to block, pass, or white list, and indicating whether uncategorized sites should pass or be blocked.
4. Click Apply.
5. Click the Redirect URL tab to display the Redirect URL page.
34. conjunction with a user's filtering profile. If a user does not belong to a group, or the user's group does not have a filtering profile, the default global filtering profile is used, and the minimum filtering level does not apply to that user.
name resolution - A process that occurs when the R3000 attempts to resolve the IP address of the authentication server with the machine name of that server. This continuous and regulated automated procedure ensures the connection between the two servers is maintained.
net use - A command that is used for connecting a computer to, or disconnecting a computer from, a shared resource, or displaying information about computer connections. The command also controls persistent net connections.
NetBIOS - Network Basic Input Output System is an application programming interface (API) that augments the DOS BIOS by adding special functions to local area networks (LANs). Almost all LANs for PCs are based on the NetBIOS. NetBIOS relies on a message format called Server Message Block (SMB).
NetBIOS name lookup - An authentication method used for validating a client machine by its machine name.
Network Address Translation (NAT) - Allows a single real IP address to be used by multiple PCs or servers. This is accomplished via a creative translation of inside fake IP addresses into outside real IP addresses.
open setting - A setting assigned to a service port or library category when crea
35. domain default profile from an NT or LDAP authentication domain.
2. If a minimum filtering level is defined, it applies to all master IP groups and their members, and NT/LDAP groups who have been assigned filtering profiles after authenticating. The minimum filtering level combines with the user's profile to guarantee that categories blocked in the minimum filtering level are blocked in the user's profile.
3. For master IP group members:
a. A master IP group filtering profile takes precedence over the global profile.
b. A master IP group time profile takes precedence over the master IP group profile.
4. For IP sub-group members:
a. An IP sub-group filtering profile takes precedence over the master IP group's time profile.
b. An IP sub-group time profile takes precedence over the IP sub-group profile.
5. For individual IP members:
a. An individual IP member filtering profile takes precedence over the IP sub-group's time profile.
b. An individual IP member time profile takes precedence over the individual IP member profile.
6. For NT/LDAP users, if a user is authenticated, settings for the user's group or individual profile from the NT/LDAP domain are applied and take precedence over any IP profile.
a. If the user belongs to more than one group in an authentication domain, the profile for the use
36. • screen - a main object of an application that displays across your monitor. A screen can contain panels, windows, frames, fields, tables, text boxes, list boxes, icons, buttons, and radio buttons.
• sub-topic - a subset of a main topic that displays as a menu item for the topic. The menu of sub-topics opens when a pertinent topic link in the left panel (the control panel) of a screen is clicked. If a sub-topic is selected, the window for that sub-topic displays in the right panel of the screen, or a pop-up window or an alert box opens, as appropriate.
• text box - an area in a dialog box, window, or screen that accommodates your data entry. A text box is a type of field. (See field.)
• topic - a topic displays as a link in the left panel (the control panel) of a screen. By clicking the link for a topic, the window for that topic displays in the right panel of the screen, or a menu of sub-topics opens.
37. examining the Windows registry, then retrieves the username and domain name using either Windows or Novell APIs, and sends this information (LOGON event) to the R3000.
The R3000 looks up the groups to which the end user belongs (Windows AD, PDC, or eDirectory through LDAP or NTLM/Samba) and determines the profile assignment.
The R3000 sets the profile for the end user with username (including the group name, if it is available) and IP.
The 8e6 Authenticator client continually sends a heartbeat to the R3000, with a specified interval of seconds between each heartbeat, until the end user logs off.
The end user logs off, and the 8e6 Authenticator client sends a LOGOFF event to the R3000. The R3000 removes the user's profile.
NOTE: The 8e6 Authenticator can handle up to 20 logons per second.
8e6 Authenticator configuration priority
The source and order in which parameters are received and override one another are described below.
NOTE: Any parameter set at the end of the list will override any parameter that was previously set.
1. Compiled Defaults: Given no parameters at all, the client will try to execute using the default compilation.
2. Configuration File (optional): The default location of the configuration file is the same path name as the authenticat.exe cl
38. global default filtering settings will apply instead.
Filter Settings
Categories and service ports use the following settings to specify how filtering will be executed:
• block - if a category or a service port is given a block setting, users will be denied access to the item set up as blocked
• open - if a category or the filter segment detected on the network is given an open (pass) setting, users will be allowed access to the item set up as opened
• always allowed - if a category is given an always allowed setting, the category is included in the user's white list and takes precedence over blocked categories
• filter - if a service port is given a filter setting, that port will use filter settings created for library categories (block or open settings) to determine whether users should be denied or allowed access to that port
• ignore - if the filter segment detected on the network has a service port set up to be ignored, that service port will be bypassed
Filtering Rules
Individual User Profiles: A user in an NT or LDAP domain can have only one individual profile set up per domain.
Filtering Levels Applied
1. The global default filtering profile applies to any user under the following circumstances:
• the user does not belong to a master IP group
• the user has not been assigned a
39. > Administrative Tools > Certification Authority to open the Certification Authority window.
[Fig. E-1: Certification Authority window]
2. Verify that the certificate authority has been installed on this server and is up and running, indicated by a green check mark on the server icon (see circled item in Fig. E-1).
Locate Certificates folder
1. Go to Start > Run to open the Run dialog box. In the Open field, type in mmc.exe to specify that you wish to access the Microsoft Management Console.
[Fig. E-2: Run dialog box]
2. Click OK to open the Console window.
[Fig. E-3: Microsoft Console window]
3. From the toolbar, click Console to open the pop-up menu. Select Add/Remove Snap-in to open the Add/Remove Snap-in dialog box.
40. it.
TIP: Click Delete CSR to remove the certificate from the server.
View log results
Use the View Log File window if you need to troubleshoot any problems with the authentication setup process.
1. Click Diagnostics and select View Log File from the pop-up menu to display the View Log File window.
[Fig. 2-13: View Log File window]
NOTE: In this user guide, only authentication options will be addressed. For information about all other options, see the View Log File window in the R3000 User Guide.
2. In the Log File Details frame, select the type of Log File to view:
• User Name Log (usage.log) - used for viewing the time and date a user logged on and off the network, along with the user's profile informati
41. [Fig. F-10: Information Bar showing blocked pop-up status]
3. Click the Information Bar for settings options.
[Fig. F-11: Information Bar menu options]
4. Select Always Allow Pop-ups from This Site - this acti
42. remove the entity's profile from the tree.
Specify a group's filtering profile priority
1. Select the LDAP domain, and choose Set Group Priority from the pop-up menu to display the Set Group Priority window.
[Fig. 4-17: Set Group Priority window]
This window is used for designating which group profile will be assigned to a user when he/she logs in. If a user is a member of multiple groups, the one that is positioned highest in the list is applied.
43. should already be established. The minimum filtering level is set up in the Minimum Filtering Level window, accessible from the Global Group options. See the R3000 User Guide for more information about these windows.
By default, Rule0 Minimum Filtering Level displays in the Available Filter Levels pull-down menu, and the Minimum Filtering Level box displays Child Pornography and Pornography/Adult Content. By default, Uncategorized Sites are allowed to Pass.
NOTE: By default, the Available Filter Levels pull-down menu also includes these three rule choices: Rule1 BYPASS, Rule2 BLOCK Porn, Rule3 Block IM and Porn, and Rule4 8e6 CIPA Compliance.
To create the category portion of the entity's filtering profile:
1. Select a filtering rule from the available choices:
• If you select a filtering rule from the Available Filter Levels pull-down menu, this action automatically populates the Blocked Categories, Pass Categories, and/or Always Allowed list box(es) in the Rule Details frame with library categories set up as blocked, passed, or included in the white list for that rule.
• If you select a library category from the Blocked Categories, Pass Categories, or Always Allowed list box and use the right arrow (>) or left arrow (<) to move that category to another list box, the Available Filter Levels pull-down menu changes to Custom Profile.
44. specified in the RV command as well.
• For RA, each IP address is separated by a semi-colon (;), and the first IP address will be tried for each new connection attempt. When the main IP address fails to respond, the next IP address in the list will be tried, and so on if it fails. After the last IP address is tried, the logic will continue from the first IP address again. A retry attempt on the main IP address is subject to the RR Reconnect time. After any disconnection, the logic will always begin with the main IP address as its first attempt.
• For RV, sets of R3000 addresses are specified based on an IP range that matches the client's IP address; multiple destination R3000 addresses may be used in each set, and will have the same functionality as multiple destinations specified in the RA parameter. Each set is surrounded by parentheses, and sets are separated by commas. Any local client IP address that does not match any set will use the RA address.
Sample format: RV 102.108.1.0 102.108.1.255 1.1.1.1 2.2.2.2 102.108.2.0 102.108.2.255 3.3.3.3 222
In this example, a client with an IP address of 102.108.1.5 would try to connect to 1.1.1.1 using the RP port, 2.2.2.2 as the backup. A client with 192.168.2.15 would try to connect to 3.3.3.3, port 222, which has no backup.
• Any local address that would end up connecting to 0.0.0.0 will not be observed by the 8e6 Authenticator. This allows RV to all
45. tabs of the wizard.
NOTES: If the server type is changed on this tab, object type settings will be overwritten with the new object type settings. User settings will not be modified. If Novell eDirectory is selected and the Novell eDirectory Agent option is enabled in the Enable/Disable Authentication window, the Default Rule tab lets you configure a backup server. (See Default Rule for Novell eDirectory.)
• Click Next to go to the Group tab.
WARNING: The contents of the tabs for User and Group do not normally need to be changed. The settings on these tabs are made automatically when you select the server type at the beginning of the setup process. Unless you have made changes to the Schema of your LDAP server and are sure of the consequences of altering these settings, do not alter anything in these tabs. The only action you need to execute on these tabs is to confirm the settings by clicking the Next button at the bottom of the window until you reach the Address tab.
Group Objects
The Group tab is used for including or excluding group objects in the LDAP domain.
46. the Re-authentication Options field in the Block Page Authentication window. Clicking this link takes the user to the Options window, described in the Options page sub-section.
"To submit this blocked site for review, click here." - This phrase and link is included if an email address was entered in the Submission Email Address field in the Common Customization window. Clicking this link launches the user's default email client. In the composition window, the email address from the Submission Email Address field populates the To field. The user's message is submitted to the global administrator.
2. Click the X in the upper right corner of the window to close the sample customized block page.
TIP: If necessary, make edits in the Block Page Customization window or the Common Customization window, and then click Preview in this window again to view a sample block page.
CHAPTER 3: NT AUTHENTICATION SETUP
NOTE: If you are running a Windows 2000 or Windows 2003 Server and are using the NTLM authentication protocol, then you need to make SMB Signing not required. See Appendix D: Disable SMB Signing Requirements for steps on how to disable SMB Signing restrictions.
Join the NT Domain
Click Authentication and select Authentication Settings from the pop-up menu to display the Authenti
47. to a group.
IP group (Master Group)
• master group filtering profile - used by end users who belong to the master group
• master time profile - used by master group users at a specified time
IP group member
• sub-group filtering profile - used by a sub-group member
• individual filtering profile - used by an individual IP group member
• time profile - used by a sub-group/individual IP group member at a specified time
Authentication filtering profiles
• NT/LDAP group filtering profile - used by an NT or LDAP group
• NT/LDAP member filtering profile - used by an NT or LDAP group member
Other filtering profiles
• override account profile - set up in either the global group section or the master group section of the console
NOTE: An override account set up in the master IP group section of the R3000 console takes precedence over an override account set up in the global group section of the console.
• lock profile - set up under X Strikes Blocking in the Filter Options section of the profile
Static Filtering Profiles
Static filtering profiles are based on fixed IP addresses, and include profiles for master IP groups and their members.
Master IP Group Filtering Profile
The master IP group filtering profile is created by the global administrator and is maintained by the group administr
48. to a service port or library category when creating a rule, or when setting up a filtering profile or the minimum filtering level. If an item is given a block setting, users will be denied access to it.
common name (cn) - An attribute type entered for a user name and group when using LDAP.
directory - This information source on a server contains attribute-based data relevant to a DN entry.
directory service - Uses a directory on a server to automate administrative tasks for storing and managing objects on a network (such as users, passwords, and network resources users can access). ADS, DNS, and NDS (Novell Directory Services) are types of directory services.
Distinguished Name (DN) - A string of cn and dc attribute types comprised of the username and group name, domain name, and DNS suffix. For example: cn=admin_user,cn=admin,dc=yahoo,dc=com. The ou attribute type also could be a part of the DN. For example: cn=Joe Smith,ou=users,ou=sales,dc=acme,dc=com.
DNS - Domain Name Service is a distributed Internet directory service. DNS is used mostly for making translations between domain names and IP addresses.
domain - An entity on a network comprised of servers, workstations, and peripherals.
domain component (dc) - An attribute type entered for a domain name and DNS suffix when using LDAP
49. to perform the initial installation setup defined in Chapter 2: Network Setup. After all settings have been made, authentication is ready to be used on the network. Chapter 5 outlines the steps you need to take to test and to activate your settings before deploying authentication on the network. Chapter 6 provides support information. Appendices at the end of this user guide feature instructions on filtering profile file components and setup; a chart of ports used for authentication system access; notes on customizations to make on specified LDAP servers; steps to modify the SMB protocol to disable SMB Signing requirements; information on how to obtain or export an SSL certificate and upload it to the R3000; tips on how to override pop-up windows with pop-up blocker software installed; a glossary on authentication terms; and an index.
How to Use this User Guide
Conventions
The following icons are used throughout this user guide:
NOTE: The "note" icon is followed by italicized text providing additional information about the current subject.
TIP: The "tip" icon is followed by italicized text giving you hints on how to execute a task more efficiently.
WARNING: The "warning" icon is followed by italicized text cautioning you about making entries in the application, executing certain processes o
50. use-based authentication only, or both Web-based and net use-based authentication.
9. Click the Filter Options tab to display the Filter Options page. If necessary, select appropriate filter options to be enabled, and click Apply.
CHAPTER 6: TECHNICAL SUPPORT
For technical support, visit 8e6 Technologies's Technical Support Web page at http://www.8e6.com/support/index.htm, or contact us by phone, by e-mail, or in writing.
Hours
Regular office hours are from Monday through Friday, 8 a.m. to 5 p.m. PST. After hours support is available for emergency issues only. Requests for assistance are routed to a senior-level technician through our forwarding service.
Contact Information
Domestic (United States)
1. Call 1-888-786-7999
2. Select option 2
International
1. Call 1-714-282-6111
2. Select option 2
E-Mail
For non-emergency assistance, e-mail us at support@8e6technologies.com
Office Locations and Phone Numbers
8e6 Corporate Headquarters (USA)
828 West Taft Avenue, Orange, CA 92865-4232, USA
Local: 714-282-6111
Fax: 714-282-6116
Domestic US: 1-888-786-7999
International: 1-714-282-6111
8e6 Taiwan
RM B2, 13F, No. 49, Sec. 3, Minsheng E. Rd., Taipei
51. [Fig. 4-25: Group Profile window, Filter Options tab]
Filter Options is used for specifying which filter option(s) will be applied to the entity's filtering profile.
1. Click the checkbox(es) corresponding to the option(s) to be applied to the filtering profile: "X Strikes Blocking", "Google/Yahoo Safe Search Enforcement", "Search Engine Keyword Filter Control", "URL Keyword Filter Control", and "Extend URL Keyword Filter Control".
NOTE: See the R3000 User Guide for information about Filter Options.
2. Click Apply to apply your settings.
Remove an entity's profile from the tree
To remove a group or member's profile from the tree, select the profile in order to open the pop-up menu, and choose Remove.
CHAPTER 5: AUTHENTICATION DEPLOYMENT
This final step of the authentication setup process includes testing authentication settings and activating authentication on the network.
Test Authentication Settings
Before deploying authentication on the network, you should test your settings to be sure the Authentication Request Form login page can be acc
52. [Fig. 2-7: Authentication SSL Certificate window]
This window is comprised of three tabs: Self Signed Certificate, Third Party Certificate, and Download/View/Delete Certificate. These tabs are used to create, view, and/or delete self-signed or third party SSL certificates.
Create, Download a Self-Signed Certificate
1. On the Self Signed Certificate tab, click Create Self Signed Certificate to generate the SSL certificate.
2. Click the Download/View/Delete Certificate tab.
[Screenshot: Authentication SSL Certificate window, Download/View/Delete Certificate tab. The window text reads: "The R3000 uses a SSL certificate to secure its communications with clients for Web-based Authentication. After creating a self-signed certificate or a Certificate Request (CSR), the DNS name of the R3000 should not be changed. If the DNS name changes, a new certificate must be created and possibly added to each client workstation's trusted certificate list."]
Click Down
53. [Fig. 2-5: Tier 3 dialog box. The dialog text reads: "Tier 3 Authentication requires a current version of Java Runtime Environment (JRE) on end users' PCs. In some cases, a JRE will need to be downloaded and installed on workstations and the R3000 will allow the JRE download at the time of login. However, some operating systems may require this action to be performed manually. To ensure that the end users are using the most current version of JRE, choose the method for distributing the current version to their workstations." Options: "8e6 automatically distributes JRE during user login", "Administrator manually distributes JRE to user workstations". Buttons: Continue, Cancel.]
3. To ensure that end users are using the most current version of JRE, choose the method for distributing the current version to their workstations: "8e6 automatically distributes JRE during user login", or the default selection, "Administrator manually distributes JRE to user workstations".
4. Click Continue to open the alert box that confirms your selection.
Enter network settings for authentication
1. Click Authentication and select Authentication Settings from the pop-up menu to display the Authenticati
54. AdwareSafe Pop-up Blocker
If pop-up blocking is enabled
1. In the Options page (see Fig. F-1), enter your Username and Password.
2. Press and hold the Ctrl key on your keyboard while simultaneously clicking the Override button. This action opens the override account pop-up window.
Temporarily disable pop-up blocking
AdwareSafe's SearchSafe toolbar lets you toggle between enabling pop-up blocking ("popups blocked") and disabling pop-up blocking ("Popup protection off") by clicking the pop-up icon.
1. In the IE browser, go to the SearchSafe toolbar and click the icon for "popups blocked" to toggle to "Popup protection off". This action turns off pop-up blocking.
2. In the Options page (see Fig. F-1), enter your Username and Password.
3. Click the Override button to open the override account pop-up window.
4. Go back to the SearchSafe toolbar and click the icon for "Popup protection off" to toggle back to "popups blocked". This action turns on pop-up blocking again.
Mozilla Firefox Pop-up Blocker
Add override account to the white list
1. From the browser, open the Preferences dialog box.
2. Go to the Category list box and select Privacy & Security > Popup Windows to display the Popup Windows page.
55. 00 User Guide for more information on the minimum filtering level.
5. Click Upload File to upload this file to the server. The Upload Successful pop-up window informs you to click Reload in order for these changes to be effective.
6. Click Reload.
7. Go to the NT branch of the tree and choose Refresh from the NT group menu.
Create and Maintain NT Profiles
Once an NT group or member has been added to the tree, a filtering profile can be created and maintained for that entity. For groups, the following options are available for filtering profile creation and maintenance: Group Member Details, Profile, and Remove. For members, the following options are available for filtering profile creation and maintenance: Profile and Remove.
Add an NT group member to the tree list
Select the NT domain and choose Group Member Details from the pop-up menu to display the Group Member Details window.
[Screenshot: Group Member Details window]
56. [Fig. 2-1: Operation Mode window]
The entries made in this window will vary depending on whether you will be using the invisible mode, or the router or firewall mode.
1. In the Mode frame, select the mode to be used: "Invisible", "Router", or "Firewall".
2. In the Listening Device frame, set the Device to "eth0".
3. In the Block Page Device frame:
• If using the invisible mode, select "eth1".
• If using the router or firewall mode, select
57. NT/LDAP Group Filtering Profile
NT/LDAP Member Filtering Profile
Override Account Profile
Time Profile
Lock Profile
Filtering Profile Components
Library Categories
8e6 Supplied Categories
Custom Categories
Service Ports
Rules
Minimum Filtering Level
Filter Settings
Filtering Rules
Authentication Operations
R3000 Authentication Protocols
R3000 Authentication Tiers
Tier 1: Single Sign-On Authentication
Net use based authentication process
Re-authentication process
Authentication methods
58. 3 INDEX 264 technical support 206 text box terminology 6 Tier 1 net use based authentication 25 55 66 174 Tier 1 and Tier 2 Script 39 Tier 2 time based Web based authentication 36 Tier 2 Script 38 Tier 2 Tier 3 Web based authentication 55 67 174 Tier 3 session based Web based authentication 47 tiers definition 252 Web based authentication 174 time profile definition 252 profile type 15 time based authentication Tier 2 23 time based profile 67 82 topic terminology 6 tree terminology 7 Type tab 126 Upload User Group Profile window LDAP domain 152 NT domain 175 URL definition 252 usage logs 78 user objects 130 User tab 130 username formats 209 View Log File window 78 virtual IP address 32 71 definition 252 8E6 TECHNOLOGIES R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE INDEX wbwatch log 79 Web based authentication 54 64 72 block page authentication 82 SSL certificate 56 Web based definition 253 white list definition 253 window terminology 7 Windows 2003 SMB Signing 27 WINS Server 70 name resolution usage 29 workstation requirements 58 8E6 TECHNOLOGIES R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE 265
59. 3 8e6 Authenticator 23 42 8e6 supplied category 17 A Account tab 134 Address tab 131 ADS definition 247 alert box terminology 3 Alias List tab 137 Alias Name 138 always allowed 19 Anonymous Bind 134 143 attribute definition 247 authentication activate NT 203 activate on network 174 activate Web based for Global Group 187 activated Web based for IP group 175 configuration procedures 54 methods 27 net use based module diagram 25 net use based process 25 servlet 67 setup procedures 30 specifications and requirements 27 test net use settings 173 test settings 162 test Web based settings 164 Authentication Form Customization 93 authentication method definition 247 Authentication Request Form 87 162 171 figure 162 172 authentication server 11 definition 247 8 E6 TECHNOLOGIES R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE 255 INDEX 256 function in net use based process 25 login scripts 32 Authentication Settings window 70 join the domain 101 authentication solution single user compatibility chart 53 Authentication SSL Certificate window 72 authmodule log 79 Backup Domain Controller BDC 248 backup server Novell eDirectory 141 Backup Server Configuration wizard 141 Block page 83 block page 13 14 Block Page Authentication 82 Block Page Customization 97 block setting 19 definition 247 button terminology 3 category custom categories 17 library 17 category codes 211 Category Profile LDAP
60. 3000 set up in the router mode will act as an Ethernet router, filtering IP packets as they pass from one card to another. While all original packets from client PCs are allowed to pass, if the R3000 determines that a request is inappropriate, a block page is returned to the client to replace the actual requested Web page or service.
rule - A filtering component comprised of library categories set up to be blocked or opened. Each rule created by the global administrator is assigned a number and a name that should be indicative of its theme. Rules are used when creating filtering profiles for entities on the network.
search engine - A program that searches Web pages for specified keywords and returns a list of the pages or services where the keywords were found.
service port - Service ports can be set up to be blocked. Examples of these ports include File Transfer Protocol (FTP), Hyper Text Transfer Protocol (HTTP), Network News Transfer Protocol (NNTP), Secured HTTP Transmission (HTTPS), and Other ports such as Secure Shell (SSH).
SMB - One of two authentication method protocols used by the R3000, Server Message Block is a client/server, request-response protocol.
sub-group - An entity of a master IP group with an associated member IP address and filtering profile.
time-based profile - A user profile used by both the NT and
61. 7 Set Global Group to filter unknown traffic
1. Click Global Group in the tree to open the pop-up menu.
2. Select Global Group Profile to display the Category tab of the Profile window.
[Fig. 5-18: Global Group Profile window, Category tab]
a. In the Category Profile page, select categories to block, pass, or white list, and indicate whether uncategorized sites should pass or be blocked.
b. Click Apply.
3. Click the Port tab to display the Port page.
[Screenshot: Global Group Profile window, Port tab]
62. Download a Third Party Certificate
1. In the Authentication SSL Certificate window, click Download/View CSR to open a pop-up window containing the contents of the certificate request.
[Fig. 2-12: Download CSR pop-up window]
2. Click the X in the upper right corner of the window to close
63. Authentication methods
Tier 1 supports two server authentication methods: Server Message Block (SMB) and LDAP.
SMB protocol
SMB is a client/server protocol that requires the client to send a request to the server and receive an authentication response from the server, in order for the client to access resources on the network. As the default protocol for NT 4.0 and earlier operating systems, SMB is supported by Windows 2000 and later OS versions.
SMB Signing
SMB Signing is a Windows security feature that prevents an active network session between a client and server from being tapped. While Microsoft has made this feature available since Windows NT 4.0, it was not a default setting. However, in Windows 2003, this feature is enabled by default. Since SMB Signing is not currently supported by the R3000, 8e6 recommends disabling the requirement for this feature. This does not disable SMB Signing for machines that support it, but allows devices that do not support SMB Signing to connect. To disable the default setting that requires SMB Signing for all connections, follow the instructions in Appendix D: Disable SMB Signing Requirements. Alternately, if you have an available Windows 2000 Server or an earlier Windows NT 4.0 Server, and are willing to establish the necessary trust relationships with the Windows 2003 Server, this earlier Windows server can
64. • By default, the LDAP Query Base displays the root of the LDAP database to query using the LDAP Syntax, i.e. DC=domain,DC=com. The entry in this field is case sensitive and should be edited, if necessary. If this field is not populated, enter the LDAP query base.
Click Next to go to the Account tab.
Account Info
[Fig. 4-6: Domain Details window, Account tab]
1. If your LDAP database does not require a username to be provided in order to bind to the LDAP database, click the "Use Anonymous Bind" checkbox to grey out the fields in this tab. Otherwise:
• Enter the authorized user's full LDAP Distinguished Name in the LDAP Account Name field. For example: cn=Administrator,cn=Users,dc=qc2domain,dc=local
Enter the pas
65. [Fig. 3-11: Group Member Details window]
This window is used for viewing profile information about a group, and for adding members to a group. In the Group Details frame, the following details display: Group name, Domain name, and Domain Type. Members that belong to the group display in the Members list box in the Add Member to Profile frame.
To add a member to the tree list so that a profile can be created for that member:
1. Select the entity from the Members list box.
2. Click Add.
Add or maintain an entity's profile
Select the NT domain and choose Profile from the pop-up menu to display the default Category tab of the Profile window.
[Screenshot: Profile window, Category tab]
66. 5. Click the Filter Options tab to display the Filter Options page.
[Fig. 5-37: Global Group Profile window, Filter Options tab]
a. Select filter options to be enabled.
b. Click Apply.
As a result of these entries, a user who does not have a filtering profile will be served the Authentication Request Form so he/she can be authenticated.
Activate NT authentication
After testing the NET USE command, the next step is to add the NET USE command to users' login scripts. We recommend that you add the 3-try login script to the existing domain login script. The 3-try login script is used for attempting to log in the user to the authentication server in three separate attempts, in case of a login failur
67. [Fig. 5-27: Range to Detect Setup Wizard, Step 3: Source IPs to Exclude from Detection]
5. An entry for this step of the Wizard is optional. If there are source IP address(es) to be ignored, enter the IP address and specify the Netmask, or enter the Individual IP address.
6. Click Next to go to Step 4 of the Wizard.
[Fig. 5-28: Range to Detect Setup Wizard, Step 4: Destination IPs to Exclude from Detection]
7. An ent
68. [Fig. E-7: Select Computer dialog box]
7. Choose "Local computer: (the computer this console is running on)", and click Finish to close the wizard dialog box.
8. Click Close to close the Add Standalone Snap-in dialog box. Click OK to close the Add/Remove Snap-in dialog box.
Notice that the snap-in has now been added to the Console Root folder.
[Screenshot: Console window, Console Root > Certificates (Local Computer) > Personal > Certificates]
69. Console View right panel
[Fig. E-15: Novell Console window]
2. Find the tree's folder and right-click it to open the pop-up menu. Select Properties to open the Properties dialog box.
[Fig. E-16: Properties dialog box]
3. Click the Certificates tab to go to the Self Signed Certificate page.
4. Click Export to open the Export A Certificate pop-up window.
[Fig. E-17: Export A Certificate pop-up window]
5. Select "File in binary DER format" for the Output format. The path of the certificate displays in the
70. DC 248 profile string definition 257 elements 210 Profile window 120 LDAP domain 157 protocol definition 257 LDAP 28 SMB 27 proxy server definition 257 pull down menu terminology 5 radio button terminology 5 re authentication block page authentication 82 net use based process 26 Redirect URL tab LDAP domain 159 NT domain 122 requirements environment 58 router mode 61 62 definition 257 rule 18 criteria 270 definition 257 rules LDAP server setup 35 8E6 TECHNOLOGIES R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE INDEX screen terminology 5 search engine definition 252 secondary IP address 63 Select Groups Members from Domain window 110 Server Message Block SMB definition 252 service port 78 definition 252 session based authentication Tier 3 23 Set Group Priority window LDAP domain 149 NT domain 111 Single Sign On Novell eDirectory authentication 50 Tier 1 authentication 25 single sign on authentication Tier 1 23 SMB definition 252 disable Signing requirements in Windows 2003 221 protocol 27 Signing 27 SMB NT name resolution method 29 SSL certificate 73 Active Directory 226 Novell 234 obtain export from LDAP server 226 Sun ONE 235 SSL settings 135 SSL tab 135 SSO 50 static filtering profiles 13 sub group definition 252 sub topic terminology 6 Sun Planet 127 Sun ONE 23 Sun One 127 system requirements 58 8E6 TECHNOLOGIES R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE 26
71. Details frame, with library categories set up as blocked, passed, or included in the white list for that rule.
• If you select a library category from the Blocked Categories, Pass Categories, or Always Allowed list box, and use the right arrow (>) or left arrow (<) to move that category to another list box, the Available Filter Levels pull-down menu changes to "Custom Profile".
TIP: Multiple categories can be selected by clicking each category while pressing the Ctrl key on your keyboard. Blocks of categories can be selected by clicking the first category, and then pressing the Shift key on your keyboard while clicking the last category.
2. Click the "Pass" or "Block" radio button to specify whether all Uncategorized Sites should pass or be blocked.
3. Click Apply to apply your settings at the entity's filtering level.
Redirect URL
Click the Redirect URL tab to display the Redirect URL page of the Profile window.
[Screenshot: Profile window, Redirect URL tab]
72. Domain Controller
Create an NT Domain
After joining the domain, go to the Group section of the console and add an NT domain that contains entities to be authenticated.
Add an NT domain
1. Click NT in the control panel to open the pop-up menu, and select Add Domain to open the Create Domain Controller dialog box.
[Fig. 3-2: Create Domain Controller]
2. In the Domain Name field, enter the name of the domain on which the R3000 resides, using capital letters.
NOTE: The Domain Name must be the same name entered in the Authentication Settings window's Name of Domain field.
3. In the Domain Controller field, enter the name of the authentication server for the domain.
4. Enter the domain controller's IP Address.
5. In the UserName field, enter the username of the administrator.
6. Enter the password in the Password and Confirm Password fields.
7. Click Apply to add the domain to the tree.
Refresh the NT branch
Click NT in the control panel to open the pop-up menu
73. The LDAP domain window is comprised of the following wizard tabs: Type, Group, User, Address, Account, SSL, Alias List, and Default Rule. By going through the entire wizard, domain details are established for the LDAP domain, preparing the LDAP domain for group and user filtering profile setup. After all entries are made on the wizard tabs, the domain can be activated.

WARNING: The instructions in this user guide have been documented based on standard default settings in LDAP for Microsoft Active Directory Services. The suggested entries and examples may not be applicable to all other server types, or if any changes have been made to default settings on the LDAP Active Directory server.

LDAP Server Type

Based on the entries made when creating the LDAP domain, the R3000 will attempt to auto-detect the type of server being used and, if successfully detected, the appropriate LDAP Server Type radio button will be selected on the Type tab.

• The following options are available: Microsoft Active Directory Mixed Mode; Microsoft Active Directory Native Mode; Sun One, Sun IPlanet or Netscape Directory Server; Novell eDirectory; and Other. If the server type is not detected, "Other" will be selected. The server type setting on this tab defines the content that displays on all other
74.
    rem First attempt to connect to the R3000 share
    :try1
    NET USE \\10.10.10.10\R3000
    if errorlevel 1 goto try2
    if errorlevel 0 echo code 0 Success
    goto end
    rem Second attempt
    :try2
    NET USE \\10.10.10.10\R3000
    if errorlevel 1 goto try3
    if errorlevel 0 echo code 0 Success
    goto end
    rem Third and last attempt
    :try3
    NET USE \\10.10.10.10\R3000
    if errorlevel 1 goto error
    if errorlevel 0 echo code 0 Success
    goto end
    :error
    if errorlevel 1 echo code 1 Failed
    :end

In environments that use both Tier 1 and Tier 2, if a logoff script is used on the network, the Tier 2 Script should be inserted into the network's logoff script.

Tier 3: Session-based, Web Authentication

The diagram on the previous page (Fig. 1-6) and steps below describe the operations of the session-based authentication process:

1. The user makes a Web request by entering a URL in his/her browser window.
2. The R3000 intercepts this request and sends the user the Authentication Request Form, requesting the user to log in with his/her login ID and password.
3. The R3000 verifies the user's information with the authentication server (Domain Controller, Active Directory, LDAP, etc.).
4. A pop-up window opens on the user's workstation while the original window loads the requested URL. The user w
75. Once the certificate is saved to your workstation, it can be distributed to client workstations for users who need to be authenticated.

TIP: Click Delete Certificate to remove the certificate from the server.

Create, Upload a Third Party Certificate

Create a Third Party Certificate

1. Click the Third Party Certificate tab.

[Screenshot: Authentication SSL Certificate window (System > Authentication > Authentication SSL Certificate), Third Party Certificate tab. On-screen text: The R3000 uses a SSL certificate to secure its communications with clients for Web-based Authentication. After creating a self-signed certificate or a Certificate Request (CSR), the DNS name of the R3000 should not be changed. If the DNS name changes, a new certificate must be created and possibly added to each client workstation's trusted certificate list. Click Create CSR to generate a request for a Third Party Certificate Authority. Click Download/View CSR to display the existing request for download. Click Upload Certificate to save the completed Third Party Certificate to the R3000. Click Delete CSR to clear the initial CSR request.]
76. Option 3

Option 3 is included in the Options page if "Override Account" was selected at the Re-authentication Options field in the Block Page Authentication window.

This option is used by any user who has an override account set up for him/her by the global group administrator or the group administrator. An override account allows the user to access Internet content blocked at the global or IP sub-group level.

The user should enter his/her Username and Password, and then click Override to open the Profile Control window. This window must be left open throughout the user's session in order for the user to be able to access blocked Internet content.

NOTES: See Appendix F: Override Pop-up Blockers for information on how a user with an override account can authenticate if a pop-up blocker is installed on his/her workstation. See the R3000 User Guide for information about the Override Account feature.

Common Customization

Common Customization lets you specify elements to be included in block pages and/or the authentication request form end users will see.

Click Customization and then select Common Customization from the pop-up menu to display the Common Customization window.
77. IP 9 LDAP 11 NT 10 types of 8 group administrator definition 249 group name definition 249 group objects 129 Group tab 128 Group Member Details window LDAP domain 155 NT domain 178 HTTPS 59 IANA 28 individual IP member profile type 13 Internet Explorer 58 invisible mode 67 definition 249 IP group 9 diagram 9 IPC share 25 Java applet 68 Java Plug in 58 Java Runtime Environment 58 68 Java Virtual Machine 58 JavaScript 58 join the domain 102 LAN Settings window 62 LDAP Active Directory Service usage 35 authentication protocol 23 definition 249 domain diagram 17 domain groups 11 name resolution method 29 profile file format 153 protocol 28 server customizations 219 server setup 35 LDAP domain add 125 add groups users 146 LDAP domain window 126 LDAP host definition 249 LDAP Query Base 133 143 LDAP Server Type 127 LDAP User Group Browser window 147 library categories 17 category codes list 277 list box terminology 4 lock profile 13 profile type 15 log view files 78 login or logon script definition 249 examples 32 usage 25 machine name definition 249 Manually Add Group dialog box LDAP 151 NT domain 114 Manually Add Member dialog box LDAP 150 NT domain 113 master IP group 9 filtering profile 13 methods authenticatio
78. LDAP authentication methods to give a user a time limit on his/her Internet connection.

time profile: A customized filtering profile set up to be effective at a specified time period for designated users.

tiers: Levels of authentication methods. Tier 1 uses net use based authentication for NT or LDAP. Tier 2 uses time-based profiles for both the NT and LDAP authentication methods. Tier 3 uses persistent login connections for either the NT or LDAP authentication methods.

URL: An abbreviation for Uniform Resource Locator, the global address of Web pages and other resources on the Internet. A URL is comprised of two parts. The first part of the address specifies which protocol to use (such as "http"). The second part specifies the IP address or the domain name where the resource is located (such as "203.15.47.23" or "8e6.com").

virtual IP address: The IP address used for communicating with all users who log on the network.

Web-based: An authentication method that uses time-based profiles or persistent login connections.

white list: A list of approved library categories for a specified entity's filtering profile.

INDEX

Numerics

3-try login script 20
79. Fig. F-1 Options page

This appendix provides instructions on how to use an override account if typical pop-up blocking software is installed, as in the following products: Yahoo Toolbar, Google Toolbar, AdwareSafe, Mozilla Firefox, and Windows XP Service Pack 2 (SP2).

Yahoo Toolbar Pop-up Blocker

If pop-up blocking is enabled

1. In the Options page (see Fig. F-1), enter your Username and Password.
2. Press and hold the Ctrl key on your keyboard while simultaneously clicking the Override button; this action opens the override account pop-up window.

Add override account to the white list

If the override account window was previously blocked by the Yahoo Toolbar, it can be moved from the black list and added to the white list so that it will always be allowed to pass. To do this:

1. Go to the Ya
80. M, then you need to make SMB Signing not required.

SMB Signing Compatibility

To find out whether SMB Signing on your Windows server is compatible with the R3000, refer to the chart below:

| Server, Mode, R3000 Auth | SMB Signing Enabled | SMB Signing Disabled | SMB Signing Not Defined |
|---|---|---|---|
| Win2000 mixed, NT, Tier 1, 2, 3 | Not compatible | Compatible | Compatible |
| Win2000 native, NT, Tier 1, 2, 3 | Not compatible | Not compatible | Not compatible |
| Win2003 mixed, NT, Tier 1, 2, 3 | Not compatible | Compatible | Not compatible |
| Win2003 native, NT, Tier 1, 2, 3 | Not compatible | Not compatible | Not compatible |
| Win2000 mixed, LDAP, Tier 1, 2, 3 | Compatible | Compatible | Compatible |
| Win2000 native, LDAP, Tier 1, 2, 3 | Compatible | Compatible | Compatible |
| Win2003 mixed, LDAP, Tier 1, 2, 3 | Compatible | Compatible | Compatible |
| Win2003 native, LDAP, Tier 1, 2, 3 | Compatible | Compatible | Compatible |

Disable SMB Signing Requirements in Windows 2003

By default, the SMB protocol in Windows 2003 is set to "Not Defined" (On). To disable (turn Off) SMB Signing, do the following:

1. From your Windows 2003 workstation, go to Start > All Programs > Administrative Tools > Active Directory Users and Computers.
81. Fig. D-6 Group Policy Object Editor window, Security Settings

7. Select Local Policies to display the contents of this folder in the right panel.

Fig. D-7 Group Policy Object Editor window, Local Policies

8. Select Security Options to display the contents of this folder in the right panel.
82. Name resolution methods

The name resolution process occurs when the R3000 attempts to resolve the IP address of the authentication server with the machine name of that server. This continuous and regulated automated procedure ensures the connection between the two servers is maintained.

When using an NT server with SMB, the name resolution process occurs when a valid Windows Internet Name Service (WINS) Server IP address is entered or a broadcast query is made.

When using an LDAP server, the name resolution process occurs when a Domain Name Service (DNS) entry is made. In order to accommodate this request, the LDAP server must have a valid DNS entry or the IP address must be added to the R3000 hosts file.

NOTE: If LDAP is used, client machines will still use the SMB authentication method to communicate with the R3000 server for Tier 1 authentication. LDAP communication only occurs between the R3000 server and the LDAP server.

Authentication setup procedures

Server setup types

R3000 authentication is designed to support the following server types for the specified tier(s):

Tier 1: Net use based authentication

NOTE: Login scripts must be used for net use based authentication
83. sent to the Authentication Request Form if he/she attempts to access content on the Internet. After filling out this form and being authenticated, the user will be able to access Internet content based on his/her filtering profile.

Step 6: Disable filter options

1. Click the Filter Options tab to display the Filter options page.

Fig. 5-17 Sub Group Profile window, Filter Options tab

2. Uncheck all the checkboxes: X Strikes Blocking, Google/Yahoo Safe Search Enforcement, Search Engine Keyword Filter Control, URL Keyword Filter Control, and Extend URL Keyword Filter Control.
3. Click Apply.

Step
84. APPENDIX C: LDAP Server Customizations

The R3000 has been tested on common types of standard LDAP servers with default settings. However, due to the number of LDAP servers available, and the limitless ways in which any type of LDAP server can be configured, customizations may need to be made on such an LDAP server that fits either description.

NOTE: Please contact technical support for assistance in implementing any of the changes described in this appendix.

OpenLDAP Server Scenario

Not all users returned in User/Group Browser

In this scenario, a query is performed in the LDAP User/Group Browser window on an OpenLDAP server, and not all users are returned. To resolve this problem, do the following:

1. Change the current directory to /usr/local/shadow/etc/ldapgroup
2. Find the subdirectory bearing the name of the LDAP domain, and change the current directory to that subdirectory.
3. Open the file ldapobjectdef.conf for editing.
4. Search for the line LDC_LDAP_query_name_prefix CN
5. Replace CN with uid and save these changes.
6. Restart the R3000.

APPENDIX D: Disable SMB Signing Requirements

SMB Signing is a Windows security feature that is not currently supported by the R3000. If you are running a Windows 2000 or Windows 2003 server and are using NTL
85. P address and subnet mask in the applicable fields.

3. Select Authentication from the control panel, and then select Enable/Disable Authentication from the pop-up menu. Enable authentication, and then select one of three tiers in the Web-based Authentication frame:

• Tier 1: Choose this option if you will only be using net use based authentication for NT or Active Directory servers.
• Tier 2: Choose this option if you wish to use timed Web-based authentication for NT and LDAP domains. This option gives the user a timed session for his/her Internet access. After the timed profile expires, the user will have to log in again if he/she wants to continue to have Internet access.
• Tier 3: Choose this option if you wish to use persistent Web-based authentication for NT and LDAP domains. This option gives the user a persistent network connection via a pop-up window that keeps the user's session open until the window is closed, so the user does not have to log in repeatedly.

If choosing Tier 2 or Tier 3, enable either 8e6 Authenticator or Novell eDirectory Agent, as appropriate to your environment.

4. Select Authentication from the control panel, and then select Authentication Settings from the pop-up menu. In the Settings frame, enter general configuration settings for the R3000 se
86. P address is used by the R3000 to communicate with all users who log on to that server. This address must be in the same subnet as the one used by the transmitting interface of the R3000.

• For testing, user information can be specified on the command line as follows:

    NET USE \\virtualip\R3000 /user:DOMAINNAME\username password

  Example:

    NET USE \\192.168.0.20\R3000 /user:LOGO\jsmith xyz579

• The command to disconnect a session is:

    NET USE \\virtualip\R3000 /delete

View login script on the server console

The login script can be viewed on the authentication server console. This script resides in a different location on the server, depending on the version of the server:

• Windows 2000 or Windows 2003 Server
    \\servername.suffix\sysvol\domainname.suffix\policies\guid\user\scripts\logon
    c:\winnt\sysvol\sysvol\domainname.suffix\scripts
    c:\winnt\sysvol\domainname\scripts

• Windows NT 4.0 Server
    \\servername\netlogon
    \\ipaddress\netlogon
    c:\winnt\system32\repl\import\scripts

The login script must be specified either in the user's domain account or in the Active Directory Group Policy Object so that it runs when the user logs into the domain.

Block page authentication login s
87. P domain
Refresh the LDAP branch
View, modify, enter LDAP domain details
  LDAP Server Type
  Group Objects
  User Objects
  Address Info
  Account Info
  SSL Settings
  Alias List
  Default Rule
  Default Rule for Novell eDirectory
  Configure a backup server
  Modify a backup server's configuration
  Delete a backup server's configuration
Delete a domain
Set up LDAP Domain Groups, Members
Add LDAP groups, users to the tree
  Perform a basic search
  Options for search results
  Apply a filtering rule to a profile
  Delete a rule
Specify a group
88. Protocol domain on a network server is comprised of LDAP groups and their associated members (users), derived from profiles on the network's authentication server.

The LDAP group type is represented in the tree by the LDAP icon. This branch will only display if authentication is enabled. Using the tree menu, the global administrator adds and maintains LDAP domains, and profiles of LDAP groups and members within the domain.

Filtering profiles can be created for a specified group or user. If users belong to more than one group, the global administrator sets the priority for group filtering.

Fig. 1-3 LDAP domain diagram, with sample groups and members

Filtering Profile Types

A filtering profile is used by all users who are set up to be filtered on the network. This profile consists of rules that dictate whether a user has access to a specified Web site or service on the Internet.

The following types of filtering profiles can be created, based on the set up in the tree menu of the Group section of the console:

Global Group

• global filtering profile: the default filtering profile positioned at the base of the hierarchical tree structure, used by end users who do not belong
89. Add or maintain an entity's profile

Select the LDAP domain, and choose Profile from the pop-up menu to display the default Category tab of the Profile window.

Fig. 4-23 Group Profile window, Category tab

The Profile option is used for viewing/creating the filtering profile of the defined entity (group or member). Entries made in the Category, Redirect URL, and Filter Options tabs comprise the profile string for the
90. Google Toolbar Pop-up Blocker

If pop-up blocking is enabled

1. In the Options page (see Fig. F-1), enter your Username and Password.
2. Press and hold the Ctrl key on your keyboard while simultaneously clicking the Override button; this action opens the override account pop-up window.

Add override account to the white list

To add the override account window to the white list so that it will always be allowed to pass, go to the Google Toolbar and click the blocked icon.

Fig. F-4 blocked icon enabled

Clicking this icon toggles to the Site pop-ups allowed icon, adding the override account window to your white list.

Fig. F-5 Site pop-ups allowed icon enabled
91. User Objects

The User tab is used for including or excluding user objects in the LDAP domain.

Fig. 4-4 Domain Details window, User tab

By default, the Include List and Exclude List will be populated with appropriate user objects, based on the server type.

• Generally, no action needs to be performed on this tab. However, under special circumstances, a user object can be added or excluded by making an entry in the appropriate field, and then clicking the Include or Exclude button.

A user object name can be edited by selecting the user object from the appropriate list box, editing the name in the field
92. Fig. 4-13 Backup Server Configuration, Address Info

NOTE: The Back and Save buttons can be clicked at any time during the wizard setup process. Click Close to close the wizard pop-up window.

2. Enter, edit, or verify the following criteria:

• Server DNS Name: DNS name of the LDAP server, such as "server.logo.local".

NOTES: If your LDAP server's name is not a resolvable, fully qualified DNS name, you may be able to enter the domain name. Be sure the Server DNS Name exactly matches the name on the SSL certificate that will be uploaded to the server.

• Server IP Address: IP address of the server, such as "100.10.150.30".

• DNS Domain Name: DNS name of the LDAP domain, such as "logo.local".

NOTES: If your LDAP server's name is not a resolvable, fully qualified DNS name, you may be able to enter the domain name. Be sure the DNS Domain Name exactly matches the name on the SSL certificate that will be uploaded to the server.
93. TIP: Multiple categories can be selected by clicking each category while pressing the Ctrl key on your keyboard. Blocks of categories can be selected by clicking the first category, and then pressing the Shift key on your keyboard while clicking the last category.

2. Click the "Pass" or "Block" radio button to specify whether all Uncategorized Sites should pass or be blocked.
3. Click Apply to apply your settings at the entity's filtering level.

Redirect URL

Click the Redirect URL tab to display the Redirect URL page of the Profile window.

Fig. 3-13 Group Profile window, Redirect URL tab

Redirect URL is used for specifying the URL to be used for redirecting users who a
94. Group section

In the Group section of the Administrator console, choose NT or LDAP, and then do the following:

1. Add a domain from the network to the list of domains that will have users authenticated by the R3000.

NOTE: If the network has more than one domain, the first one you add should be the domain on which the R3000 resides.

2. Create filtering profiles for each group within that domain.
3. Set the group priority by designating which group profile will be assigned to a user when he/she logs in. If a user is a member of multiple groups, the group that is positioned highest in the list is applied.
4. Create unique filtering profiles for individual users.

CHAPTER 2: NETWORK SETUP

Environment Requirements

Workstation Requirements

Administrator

Minimum system requirements for the administrator include the following:

• Windows 98 or later operating system (not compatible with Windows server 2003)
• Internet Explorer (IE) 5.5 or later
• JavaScript enabled
• Java Virtual Machine
• Java Plug-in (use the version specified for the R3000 software version)
• Java Runtime Environment, if using Tier 3 authentication

End User

• Windows 98 or later operating system (not compatible with Windows server 2003)
• Internet Exp
95. Block page

When a user attempts to access Internet content set up to be blocked, the block page displays on the user's screen.

Fig. 2-16 Block page

NOTES: See Block Page Customization for information on adding free form text and a hyperlink at the top of the block page. See Appendix D: Create a Custom Block Page from the R3000 User Guide for information on creating a customized block page using your own design.

User/Machine frame

By default, the following data displays in the User/Machi
96. Help Link URL: By default, htto Avww 8e6 com tech support deniedresponse html displays as the help link URL. Enter the URL to be used when the end user clicks the help link text (specified in the Help Link Text field).

• Submission Review Display: if enabled, displays in block pages the email address of the administrator to receive requests for a review on sites the end users feel are incorrectly blocked. The associated email address (specified in the Submission Email Address field, described below) is accessible to the end user by clicking the "click here" link.

NOTE: If enabling the Submission Review Display feature, an email address entry of the designated administrator in your organization must be made in the Submission Email Address field.

• Submission Email Address: By default, admin@company.com displays in block pages as the email address of the administrator to receive feedback on content the end user feels has been incorrectly blocked. Enter the global administrator's email address.

2. Click Apply to save your entries.

TIP: Click Restore Default to revert to the default settings.

Authentication Form Customization

To customize the Authentication Request Form, click Customization and select Authentication Form from the pop-up menu.
97. When translated, this string of code means:

• LDAP profile for group with ID Sales, user group Users, domain qc, DNS suffix local: Bypass all categories, use filter mode 1, use redirect URL http://www.cnn.com in place of the standard block page, X Strikes Blocking and Search Engine Keyword filter options enabled.

APPENDIX B

Ports for Authentication System Access

The following ports should be used for authentication system access:

Type      No.    Function
TCP       8081   Used between the R3000's transmitting interface and the SSL block page for Tier 2 or Tier 3 authentication
TCP       836    Used between the R3000's Virtual IP address and Java applet for Tier 3 authentication
TCP       139    Used between the R3000 and workstations requiring Tier 1 or Tier 3 authentication
TCP/UDP   137    Used between the R3000 and workstations requiring Tier 1 authentication
LDAP      389    Used for communicating with domain controllers in order to bind with them so that user/group information can be queried/accessed
LDAPS     636    Used for communicating with domain controllers in order to bind with them so that user/group information can be queried/accessed
98. access for a set period of time, if the end user's profile has the X Strikes Blocking filter option enabled and he/she has received the maximum number of strikes for inappropriate Internet usage.

NOTE: Refer to the R3000 User Guide for additional information on the Override Account Profile, Time Profile, and Lock Profile.

Filtering Profile Components

Filtering profiles are comprised of the following components:

• library categories - used when creating a rule, minimum filtering level, or filtering profile for the global group or any entity
• service ports - used when setting up filter segments on the network, creating the global group default filtering profile, or establishing the minimum filtering level
• rules - specify which library categories should be blocked, left open, or white listed
• filter options - specify which features will be enabled: X Strikes Blocking, Google/Yahoo Safe Search Enforcement, Search Engine Keyword Filter Control, URL Keyword Filter Control
• minimum filtering level - takes precedence over filtering profiles of entities who are using a filtering profile other than the global default filtering profile
• filter settings - used by service ports, filtering profiles, rules, and the minimum filtering level to indicate whether users should be granted or denied access to specified
99. address should be the same as the one entered in the Virtual IP Address to Use for Authentication field in the Authentication Settings window (see Chapter 2: Network Setup, Enter network settings for authentication).

2. Make a Web request to a site you can access based on your filtering profile.

The test process has been completed successfully if you are now able to access the content for the URL you entered at step 2 in this section.

Activate Authentication on the Network

After successfully testing authentication settings, you are now ready to activate authentication on the network. To verify that authentication is ready to be activated on the network, do either of the following, based on the Tier you selected:

If Tier 2 or Tier 3 Web-based authentication will be used: There are two options for Web-based authentication, IP Group authentication and Global Group Profile authentication. Select the option you wish to use on your network:

• Go to the Activate Web-based authentication for an IP Group sub-section for instructions on setting up an IP Group profile for authentication.
• Go to the Activate Web-based authentication for the Global Group sub-section for instructions on setting up the Global Group Profile for authentication.

NOTE: An accelerator card is recommended if usi
100. SMB protocol
SMB Signing
LDAP protocol
Name resolution methods
Authentication setup procedures
Server setup types
Tier 1: Net use based authentication
Tier 2 and Tier 3: Web-based authentication
Configuring the authentication server
Login scripts
Enter net use syntax in the login script
View login script on the server console
Block page authentication login scripts
LDAP server setup rules
Tier 2: Time-based Web Authentication
Tier 2 implementation in an environment
Tier 2 Script
Tier 1 and Tier 2 Script
Tier 3: Session-based Web Authentication
8e6 Authenticator
Environment requirements
Minimum system requirements
Recommended system requirements
Workstation requirements
101. age from the pop-up menu.

Fig. 2-23: Block Page Customization window

NOTE: See Appendix D: Create a Custom Block Page from the R3000 User Guide for information on creating a customized block page using your own design.

TIP: An entry in any of the fields in this window is optional, but if an entry is made in the Link Text field, a corresponding entry must also be made in the Link URL field.

1. Make an entry in any of the following fields:

• In the Header field, enter a static header to be displayed at the top of the block pag
102. Fig. 3-10: Upload Member Profile File window

3. Click Browse to open the Choose file window.

4. Select the file to be uploaded.

WARNING: Any file uploaded to the server will overwrite the existing user/group profile file.

Each user/group profile in the file uploaded to the server must be set up in a specified format in order for the profile to be activated on the server. This format differs depending on whether the profiles are user or group profiles. Based on the type of file format used, the file should have the following name:

• ntuserprofile.conf, if the file contains NT user profiles
• ntgroupprofile.conf, if the file contains NT group profiles

NOTE: See Appendix A: User/Group File Format and Rules for examples of valid filtering profile formats to use when creating a list of profiles to be uploaded to the server.

WARNING: When uploading a list of profiles to the tree list, the user will be blocked from Internet access if the minimum filtering level has not been defined via the Minimum Filtering Level window. If you have just established the minimum filtering level, filter settings will not be effective until the user logs off and back on the server. Refer to the R30
103. al IP 255 255 255 255 PORT 0 0 0 0 0 0 0 0 Address
RV R3000 VPN Sup IP IP IP PORT port Table
RP R3000 Port 1 65535 139 139
RH R3000 Heartbeat 1 4 billion milliseconds 30000 30000 30 Timer MS sec
RR R3000 Reconnect 1 4 billion milliseconds 30000 30000 30 Time MS sec
RC R3000 Connect 1 4 billion milliseconds 10000 10000 10 Timeout MS sec
LE Log using Event 1 or 0 event view or log 0 log 1 event Viewer file file view
LD Logging Detail 1 2 3 or 4 1 light 0 errors only
LF Path ONLY to out 1 1000 alphanum C C put log file
CF Full path name of 1 1000 alphanum Configuration File

If UT 0 is set, then the Novell environment will be ignored, if present, and only the Windows environment information will be retrieved and sent to the R3000. If UT 1 is set and the Novell environment is invalid, or the user is not authenticated with its Novell server, then the results sent to the R3000 are invalid (probably empty values). The default UT 255 auto-detects Novell vs. Win32 and will automatically favor Novell authentication over Windows, if possible.

Special Interest Values most likely to change during testing, configuration, and production implementation

Alternate configuration file is only valid when specified on the command
104. and the R3000.

1. Click Tier 2.
2. Enter a whole number for the duration of time the user will retain his/her Internet connection.
3. Click Apply to open the alert box that confirms your selection.

Tier 3: Use persistent logins via a Java Applet

Choose this option if using NT and/or LDAP authentication, and you want the user to maintain a persistent network connection. This option (the preferred method for NT authentication) opens a profile window that uses a Java applet.

Fig. 2-4: Java applet

The profile window must be kept open during the user's session in order for the user to have continued access to the Internet.

NOTE: Tier 3 Authentication requires a current version of Java Runtime Environment (JRE) on end users' PCs. In some cases, a JRE will need to be downloaded and installed on workstations, and the R3000 will allow the JRE download at the time of login. However, some operating systems may require this action to be performed manually.

1. Click Tier 3.
2. Click Apply to open the dialog box that informs you about the requirement of a current Java Runtime Environment (JRE) to be installed on each end user's workstation.
105. and then clicking the Edit button.
• A user object can be removed by selecting the user object and then clicking Remove.
• If the user DN cannot be auto-detected during the profile setup process, click Use Case Sensitive Comparison to perform a manual comparison check.

Click Next to go to the Address tab.

Address Info

The LDAP domain address information populates the Address tab.

Fig. 4-5: Domain Details window, Address tab

NOTE: If the DNS settings are not published in the LDAP directory, the Server DNS Name, DNS Domain Name, and LDAP Query Base fields will not be populated automatically. Functioning forward and reverse DNS name resolution is one of the requirements fo
106. at_nt html for examples of NT filtering profile entries, and http www 8e6 com r3000help files 2group_textfile_format_ldap html for examples of LDAP filtering profile entries.

File Format: Rules and Examples

When setting up the file to upload to the server, the following items must be considered:

• Each profile must be entered on a separate line in the file.
• Category Codes must be entered in capital letters.
• Port and category command codes must be entered in capital letters.
• A redirect URL cannot exceed 200 characters in length.
• The string must end with a 0 (zero) if no filter options will be enabled.

NT User List Format and Rules

When setting up the ntuserprofile.conf file, each entry must consist of the username, and either a rule number or rule criteria (port, category, and filter mode specifications). A redirect URL can be included, if a specific URL should be used in place of the standard block page. If a redirect URL is not included, a blank space should be entered in its place in the profile string. Segments of the profile string should be separated by commas. A zero (0) should be placed at the end of a profile string without any filter options enabl
107. ate an IP profile for the machine via the Sub Group Profile window. If you select this option, go to Step 1B.

Step 1A: Block Web access, logging via Range to Detect

NOTE: Segments of network traffic should not be defined if using the firewall mode.

Range to Detect Settings

1. Click Global Group in the tree to open the pop-up menu.
2. Select Range to Detect to display the Range to Detect Settings window:

Fig. 5-23: Range to Detect Settings window, main window

3. In the Current Ranges frame, click Add to go to the next Settin
108. ator. This filtering profile is used by members of the group, including sub-group and individual IP group members, and is customized to allow/deny users access to URLs, to redirect users to another URL instead of having a block page display, and to specify usage of appropriate filter options.

IP Sub-Group Filtering Profile

An IP sub-group filtering profile is created by the group administrator. This filtering profile applies to end users in an IP sub-group and is customized for sub-group members.

Individual IP Member Filtering Profile

An individual IP member filtering profile is created by the group administrator. This filtering profile applies to a specified end user in a master IP group.

Active Filtering Profiles

Active filtering profiles include the global group profile, NT/LDAP authentication profile, override account profile, time profile, and lock profile.

Global Filtering Profile

The global filtering profile is created by the global administrator. This profile is used as the default filtering profile. The global filtering profile consists of a customized profile that contains a list of library categories to block, open, or add to a white list, and service ports that are configured to be blocked. A URL can be specified for use instead of the standard block page when users attempt to acces
109. be used as the primary authentication server for the R3000 instead of the Windows 2003 Server.

NOTE: For information on SMB Signing compatibility with the R3000, refer to the chart in Appendix D: Disable SMB Signing Requirements.

LDAP protocol

LDAP is a directory service protocol that stores entries (Distinguished Names) in a domain's directory using a hierarchical tree structure. The LDAP directory service is based on a client/server model protocol to give the client access to resources on the network.

When a client connects to a server and asks it a question, the server responds with an answer and/or with a pointer to the server that stores the requested information (typically, another LDAP server). No matter which LDAP server the client accesses, the same view of the directory is seen.

The LDAP specification defines both the communication protocol and the structure, or schema, to a lesser degree. There is an Internet Assigned Network Authority (IANA) standard set that all LDAP directories should contain. Novell and Microsoft both have additional schema definitions that extend the default setups.

Most server operating systems now support some implementations of LDAP authentication. The Microsoft Active Directory LDAP-based model became available with the release of Windows 2000.
110. ber to the tree.

Select the LDAP domain, and choose Group Member Details from the pop-up menu to display the Group Member Details window:

Fig. 4-22: Group Member Details window

This window is used for viewing profile information about a group, and for adding members to a group. In the Group Details frame, the following details display: Group name, Full Name (Distinguished Name of the group), Domain name, and Domain Type. Members that belong to the group display in the Members list box in the Add Member to Profile frame.

To add a member to the tree list, so that a profile can be created for that member:

1. Select the entity from the Members list box.
2. Click Add.
111. can be used to view end user logon/logoff events and the debug log.

NOTE: After the Novell eDirectory Agent is enabled, an individual's username will not display in the event log until he/she logs in again. Until that time, the user will be logged by his/her current filtering profile, which most likely would be IPGROUP or DEFAULT user.

Authentication Solution Compatibility

Below is a chart representing the authentication solution compatibility for a single user:

                     Tier 1          Tier 2       Tier 3          8e6             eDirectory
                     net use based   time based   session based   Authenticator   Agent
Tier 1               --              Yes          Yes             N/R             N/A
Tier 2               Yes             --           N/A             Yes             Yes
Tier 3               Yes             N/A          --              Yes             Yes
8e6 Authenticator    N/R             Yes          Yes             --              N/R
eDirectory Agent     N/A             Yes          Yes             N/R             --

KEY: N/A = Not Applicable; N/R = Not Recommended

Configuring the R3000 for Authentication

Configuration procedures

When configuring the R3000 server for authentication, settings must be made in System and Group windows in the Administrator console.

NOTES: If the network has more than one domain, the first one you add should be the domain on which the R3000 resides. The entries described in this section represent ent
112. cation Settings window:

Fig. 3-1: Authentication Settings window

3. Information should only be entered in the NT Authentication Server Details frame if the R3000 will use the NT Authentication method to authenticate use
113. Fig. 5-10: Authentication Request Form

4. Enter the following information:

• Username
• Password

If the Domain and Alias fields display, select the following information:

• Domain you are using
• Alias name for that domain (unless Disabled displays and the field is greyed out)

5. Click Log In to authenticate or re-authenticate yourself on the network.

The test process has been completed successfully if you are now able to access the content for the URL you entered at step 2 in this section.

Test net use based authentication settings

1. From the test workstation, go to the NET USE command line and enter the NET USE command using the following format:

NET USE \\virtualip\R3000

For example: NET USE \\192.168.0.20\R3000

The entry you make should initiate a connection with Tier 1.

TIP: The virtual IP
114. ce when using NetWare eDirectory server 6.5:

• Server class PC with two-way Pentium III, IV, or Xeon 700 MHz or higher processors
• 1 GB of RAM
• VESA compliant 1.2 or higher display adapter
• DOS partition with 1 GB of available space
• 4 GB of available, unpartitioned disk space outside the DOS partition for volume sys
• One or more network boards
• Bootable CD drive that supports the El Torito specification
• USB or PS/2 mouse

Workstation requirements

The 8e6 Authenticator client works with the following operating systems:

• Windows XP Pro SP1 and 2
• Windows 2000 Pro SP4
• Windows XP and Windows 2000 with Novell client v4.91

NOTE: Any non-domain supported Windows operating system, such as ME or XP Home Edition, will not work with the 8e6 Authenticator unless the Novell eDirectory client is installed for login and deployment of the 8e6 Authenticator client using a Novell server.

Work flow in a Windows environment

1. The administrator stores the 8e6 Authenticator client (authenticat.exe) in a network-shared location that a login script can access.
2. Using a Windows machine, an end user logs on the domain, or logs on the eDirectory tree via a Novell client.
3. The end user's login script invokes authenticat.exe.
4. The 8e6 Authenticator client determines the authentication environment by
115. cripts

In addition to the use of login scripts in the console of the authentication server, a login script path must be entered in the Block Page window of the R3000 Administrator console. This script is used for reauthenticating users on the network. The following syntax must be used:

\\SERVERNAME\netlogon

or

\\IPaddress\netlogon

NOTE: See Block Page Authentication for more information about these entries.

LDAP server setup rules

WARNING: The instructions in this user guide have been documented based on standard default settings in LDAP for Microsoft Active Directory Services. The use of other server types, or any changes made to these default settings, must be considered when configuring the R3000 server for authentication.

If LDAP will be used, the following items should be considered:

• The administrator in charge of the LDAP server should create a user for the R3000 in order to give that user full read access to the groups and users in the directory.
• Since the LDAP directory is structured as a tree, data needs to be retrieved the same way. Additionally, the order of the syntax is reversed compared to how it appears in normal file system folders. The deepest layer is listed first, in a similar manner as a DNS domain name (e.g. engineering.company.net). In LDAP, a directory entry woul
116. Fig. 5-7: Sub Group Profile window, Redirect URL tab

2. Select Authentication Request Form.

NOTE: The host name of the R3000 will be used in the redirect URL of the Authentication Request Form, not the IP address. Be sure a forward/reverse DNS entry for the R3000 is made on the DNS server.

3. Click Apply.

Step 7: Disable filter options

1. Click the Filter Options tab to display the Filter options page:
117. d X.509 (.CER) and click Next to go to the File to Export page of the wizard:

Fig. E-13: File to Export

6. Enter the File name of the file to be exported, followed by the .cer extension. Click Next to go to the final page of the wizard:

Fig. E-14: Settings

7. Notice that the specified settings display in the list box, indicating the certificate has been successfully copied from the console to your disk. Click Finish to close the wizard dialog box.

8. Close the Console.

The certificate can now be uploaded to the R3000.

Export a Novell SSL Certificate

1. From the console of the LDAP server, go to the tree in the left panel and open the Security folder to display the contents in the
118. d look like this: cn=engineering,dc=company,dc=net.
• Make sure all network configuration settings are correct, such as DNS, IP, etc., before configuring LDAP settings.

NOTE: All filtering profiles are stored on the R3000 server.

Tier 2: Time-based Web Authentication

The following diagram and steps describe the operations of the time-based authentication process:

Fig. 1-6: Web-based authentication module diagram

1. The user makes a Web request by entering a URL in his/her browser window.
2. The R3000 intercepts this request and sends the user the Authentication Request Form, requesting the user to log in with his/her login ID and password.
3. The R3000 verifies the user's information with the authentication server (Domain Controller, Active Directory, LDAP, etc.).
4. The authenticated user is allowed to access the requested URL for the time period specified by the administrator.

Tier 2 implementation in an environment

In an environment where Tier 2 time-based profiles have been implemented, end users receive filtering profiles after correctly entering their credentials into a Web-based Authentication Request Form. A profi
119. Fig. 5-4: Group Members window

3. Click the radio button corresponding to Source IP.
4. Enter the Source IP address of the workstation, and select 255.255.255.255 as the subnet mask.
5. Click Add to include the IP address in the Current Members list box.

Step 4: Give workstation a 32-bit net mask

1. Select the IP Sub-Group workstation from the tree.
2. Click Members in the pop-up menu to display the Members window:
120. d the Novell eDirectory Agent option was enabled in the Enable/Disable Authentication window in the System section of the console, the Default Rule tab includes buttons for configuring a backup server to be used in the event the primary server cannot be accessed.

Fig. 4-12: Domain Details window, Default Rule with Novell eDirectory

Configure a backup server

To add a backup server's settings:

1. Click Add to open the Backup Server Configuration wizard pop-up window:
121. de account to the white list
Use the IE toolbar
Use the Information Bar
Set up the Information Bar
Access your override account
APPENDIX G
Glossary
INDEX

CHAPTER 1: INTRODUCTION

The R3000 Authentication User Guide contains information about setting up authentication on the network.

About this User Guide

This user guide addresses the network administrator designated to configure and manage the R3000 server on the network.

Chapter 1 provides information on how to use this user guide, and also includes an overview of filtering components and authentication operations.

Chapters 2, 3, and 4 describe the R3000 Administrator console entries that must be made in order to prepare the network for using authentication for NT and/or LDAP domains.

NOTE: Refer to the R3000 Quick Start Guide for information on installing the unit on the network. This document also provides information on how to access the R3000 console
122. domain 158
  NT domain 121
Category tab
  LDAP domain 158
  NT domain 121
checkbox, terminology 3
Common Customization 90
common name (cn), definition 247
control panel, definition 3
Create CSR 75
Create Domain Controller 103
Create LDAP Domain dialog box 125
custom categories 17
Default Rule tab 139
dialog box, terminology 4
directory service, definition 248
directory, definition 247
Distinguished Name (DN)
  definition 248
  LDAP protocol 28
DNS, definition 248
domain
  definition 248
  delete profile 145
domain component (dc), definition 248
domain controller, definition 248
Domain Name Service (DNS) 248
edirAgent log 79
eDirectory 23, 44, 50
  backup server 141
  Default Rule tab 141
edirEvent log 79
Enable/Disable Authentication window 64
entry, definition 248
environment requirements 58
eth0, eth1 60, 63, 71
field, terminology 4
file formats 212
filter option codes 211
filter options 123, 160
filter setting 19
  definition 248
filtering 271
  category codes 211
  profile components 16
  profile types 12
  rules 20
  static profiles 13
  user, machine 14
firewall mode 61, 62
  definition 249
frame, terminology 4
FTP 59
gateway IP address 62
global administrator, definition 249
global filtering profile 14
global group 8
grid, terminology 4
group
  global 8
123. dow. This window is used for uploading a file to the tree with user or group names and their associated filtering profiles.

Click Upload to open the Upload Member Profile File pop-up window:

Fig. 4-21 Upload Member Profile File window

3. Click Browse to open the Choose file window.
4. Select the file to be uploaded.

WARNING: Any file uploaded to the server will overwrite the existing user/group profile file.

Each user/group profile in the file uploaded to the server must be set up in a specified format in order for the profile to be activated on the server. This format differs depending on whether the profiles are user or group profiles. Based on the type of file format used, the file should have the following name:

• ldapuserprofile.conf, if the file contains LDAP user profiles
• ldapgroupprofile.conf, if the file contains LDAP group profiles

NOTE: See Appendix A: User/Group File Format and Ru
124. • In the Description field, enter a static text message to be displayed beneath the block page header.
• In the Link Text field, enter text for the link's URL to be displayed beneath the Description in the block page, and in the Link URL field enter the corresponding hyperlink in plain text using the http:// or https:// syntax.

Any entries made in these fields will display centered in the customized block page, using the Arial font type.

2. Click Apply.

TIP: Click Restore Default to revert to the default text in this window.

Preview Sample Block Page

1. Click Preview to launch a separate browser window containing a sample customized block page, based on entries saved in this window and in the Common Customization window:

ACCESS DENIED
Internet access to the requested website has been denied based on your user profile and organization's Internet Usage Policy.
User/Machine: Your Name
IP: 111.111.111.111
Category: Block Category
Blocked URL: http://www.test.com
For further
125. e

Step 1: Modify the 3-try login script

Place a copy of the 3-try login script in the netlogon folder on your Domain Controller. Note that this sample script should be modified to use your own Virtual IP address instead of the IP address 192.168.0.20 in the sample script. This script lets users be re-authenticated from the block page without re-running the whole domain login script. The script is as follows:

    @echo off
    :start
    cls
    rem Remove any existing connection to the R3000 share before logging in again
    net use \\192.168.0.20\r3000 /delete
    :try1
    echo Running net use
    net use \\192.168.0.20\r3000
    if errorlevel 1 goto try2
    if errorlevel 0 echo code 0 Success
    goto end
    :try2
    echo Running net use
    net use \\192.168.0.20\r3000
    if errorlevel 1 goto try3
    if errorlevel 0 echo code 0 Success
    goto end
    :try3
    echo Running net use
    net use \\192.168.0.20\r3000
    if errorlevel 1 goto error
    if errorlevel 0 echo code 0 Success
    goto end
    :error
    rem All three attempts failed
    if errorlevel 1 echo code 1 Failed
    :end

Once this updated login script has been added to the domain, each time users log in to Windows they will also log in to the R3000. Users will be blocked according to the profiles set up on the domain.

Step 2: Modify the Global Group Profile

The last step of the activation process is to adjust the Global Group Pr
126. e John A R CHAT KDPORN FINAN GGAMES 1 http tumey url com 0
LDAP (ldapuserprofile.conf or ldapgroupprofile.conf):
CN John Doe CN Users DC qe DC com Rule0 0
CN Public Joe Q U Sales 0C qe DC local Rulet 0
CN Doet John CN Users DC qo DC local A R CHAT KDPORN GPORN 1 1 0

The user's name must match the entry on the server. If the user's name includes characters such as a comma (,), semicolon (;), equals sign (=), quotation mark ("), plus sign (+), backslash (\), less than symbol (<), or greater than symbol (>), a backslash must be entered before that character. If the username contains a backslash, you must enter an additional backslash before that character. If the user's name is "Doe, John", you would enter the name in the .conf file as "Doe\, John".

Warning: The uploaded member profile does not take effect unless the Reload button is clicked.

Fig. 3-9 Upload User/Group Profile window

This window is used for uploading a file to the tree with user or group names and their associated filtering profiles.

2. Click Upload to open the Upload Member Profile File pop-up window:
127. e displayed beneath the Authentication Request Form header.
• In the Link Text field, enter text for the link's URL to be displayed beneath the Description in the Authentication Request Form, and in the Link URL field enter the corresponding hyperlink in plain text using the http:// or https:// syntax.

Any entries made in these fields will display centered in the Authentication Request Form, using the Arial font type.

2. Click Apply.

TIP: Click Restore Default to revert to the default text in this window.

Preview Sample Authentication Request Form

1. Click Preview to launch a separate browser window containing a sample Authentication Request Form, based on entries saved in this window and in the Common Customization window:

Fig. 2-22 Sample Customized Authentication Reque
128. e established.
• "Default Block Page" is selected by default as the Default Redirect URL. If the default block page is used, it will be applied to all groups and members in the NT domain without a filtering profile established. If "Custom URL" is selected, a URL must be entered in the corresponding text box.

Filter Options that have been selected display check marks in corresponding checkboxes for "X Strikes Blocking", "Google/Yahoo! Safe Search Enforcement", "Search Engine Keyword Filter Control", "URL Keyword Filter Control", and "Extend URL Keyword Filter Control".

Whenever criteria on this tab is modified, click Modify to apply your settings.

Delete an NT domain

To delete a domain profile, choose Delete from the NT domain menu. This action removes the domain from the tree.

Set up NT Domain Groups, Members

In the control panel, the NT domain branch of the tree menu includes options for setting up groups and/or members in the domain so that filtering profiles can later be created. The following options are used in this setup process: Select Group/Member from Domain, Set Group Priority, Manually Add Member, Manually Add Grou
129. ead to authenticate end users.

NOTE: See 8e6 Authenticator and Novell eDirectory Agent for information on setting up these types of authentication on the network.

Tier 1: Single Sign-On Authentication

Net use based authentication process

The following diagram and steps describe the operations of the net use based user authentication process:

Fig. 1-5 Net use based authentication module diagram

1. The user logs on the network from a Windows workstation (also known as "client" or "machine").
2. The authentication server on the network sends the user's workstation a login script containing a net use command.
3. The execution of this net use command causes the Windows workstation to create an "IPC share" (command exchange) with the R3000 filter box as a shared network device.

NOTE: When the IPC share is created, no drives are mapped in this share.

4. Upon creating the IPC share, the software in the R3000 queries the network authentication server with the user's login name and password sent by the workstation.
5. Once the user is successfully authenticated, the R3000 matches the user's login name or
130. ed
JSmith B 80 R 21 J J FINAN Q 1 http://www.8e6.com 0
John_Doe Q R AUTO GENTER I 1 0x104
Doe Jane Rule1 0x202

When translated, these strings of code mean:

• NT profile for a user with ID JSmith: Filter port 80, Block port 21, White List and Open Financial Category and Block all other categories, use filter mode 1, use redirect URL http://www.8e6.com in place of the standard block page, all filter options disabled.
• NT profile for a user with ID John_Doe: Block all ports, Block Automobile and Entertainment categories, use filter mode 1, Google/Yahoo! Safe Search and Search Engine Keyword filter options enabled.
• NT profile for a user with ID Doe Jane: Bypass all categories, use standard block page, X Strikes Blocking and URL Keyword filter options enabled.

NT Group List Format and Rules

When setting up the ntgroupprofile.conf file, each entry must consist of the group name, and either a rule number or rule criteria (port, category, and filter mode specifications). A redirect URL can be included, if a specific URL should be used in place of the standard block page. If a redirect URL is not included, a blank space should be entered in its place in the profile string. Segments of the profile string should be separated by commas. A zero (0) should be placed at the e
131. ed in braces is considered a comment. A immediately preceding a parameter will cause that parameter and its data to be ignored, which is convenient for temporarily reverting a parameter to default values during testing.

Sample command line parameters:
authenticat.exe LF c ra 192.168.0.43 Rr 40000

Sample configuration file:
RA 100.10.101.30 R3000 Virtual IP address
RP 139 R3000 Port
RH 30000 Heartbeat timer 30 seconds
RR 30000 Reconnect time before connecting again
RC 10000 Connect Timeout how long to wait for a connection response
LE 0
LF 100.10.101.117 publogs Where to put logs

Sample R3000 configuration update packet PCFG, after decryption with protocol headers removed:
RH 30000 RC 1000 LE 1

You only need to change the options you do not wish to remain as default. Often the IP address of the R3000 (RA) and the log file (LF) are the most desired options to change. Note that full network paths are allowed.

Table of parameters

The following table contains the different parameters, their meanings, and possible values.

Param Parameter Values Dbg Release ID Meaning Default Default UT User s Logon 1 256 0 Win32 1 Nov 255 255 auto Environment ell auto RA R3000 Virtu
132. Work flow in a Windows environment
8e6 Authenticator configuration priority
8e6 Authenticator configuration syntax
Sample command line parameters
Table of parameters
Novell eDirectory Agent
Environment requirements
Novell eDirectory servers
Client workstations
Novell clients
Novell eDirectory setup
R3000 setup and event logs
Authentication Solution Compatibility
Configuring the R3000 for Authentication
Configuration procedures
System section
Group section
CHAPTER 2: NETWORK SETUP
133. Step 8: Attempt to access Web content
Test net use based authentication settings
Activate Authentication on the Network
Activate Web-based authentication for an IP Group
Step 1: Create a new IP Group, "webauth"
Step 2: Set "webauth" to cover users in range
Step 3: Create an IP Sub-Group
Step 4: Block everything for the Sub-Group
Step 5: Use Authentication Request Page for redirect URL
Step 6: Disable filter options
Step 7: Set Global Group to filter unknown traffic
Activate Web-based authentication for the Global Group
Step 1: Exclude filtering critical equipment
Step 1A: Block Web access, logging via Range to Detect
Range to Detect Settings
Range to Detect Setup Wizard
Step 1B: Block Web access via IP Sub-Group profile
Step 2: Modify the Global Group Profile
Activate NT authentication
Step 1: Modify the 3-try login script
134. ember criteria, enter the IP address and netmask, or IP range, in the Member fields and click Modify. Use the Calculator to calculate IP ranges without any overlaps.

Fig. 5-5 Sub Group Members window

3. Click the radio button corresponding to "Member".
4. In the Member fields, enter the IP address of the workstation, and select 255.255.255.255 as the subnet mask.
5. Click Modify.

Step 5: Block everything for the Sub-Group

1. Select the IP Sub-Group "workstation" from the tree.
2. Click Sub Group Profile in the pop-up menu to display the Sub Group Profile window:
135. Fig. 5-2 Create New Group box

3. Enter "test" as the Group Name.
4. Enter the password in the Password and Confirm Password fields.
5. Click OK to add the group to the tree.

Step 2: Create a Sub-Group, "workstation"

1. Select the IP Group from the tree.
2. Click Add Sub Group in the pop-up menu to open the Create Sub Group dialog box:

Fig. 5-3 Create Sub Group box

3. Enter "workstation" as the Group Name.
4. Click OK to add the Sub-Group to the IP Group.

Step 3: Set up "test" with a 32-bit net mask

1. Select the IP Group named "test" from the tree.
2. Click Members in the pop-up menu to display the Members window:

If you are using IP addresses to identify groups on the network, the IP address and netmask, or IP range, for the designate
136. Refresh the NT branch
View or modify NT domain details
Domain Settings
Default Rule
Delete an NT domain
Set up NT Domain Groups, Members
Add NT groups, members to the tree
Specify a group's filtering profile priority
Manually add a user's name to the tree
Manually add a group's name to the tree
Upload a file of filtering profiles to the tree
Create and Maintain NT Profiles
Add an NT group, member to the tree list
Add or maintain an entity's profile
Category Profile
Redirect URL
Filter Options
Remove an entity's profile from the tree
CHAPTER 4: LDAP AUTHENTICATION SETUP
Create an LDAP Domain
Add the LDA
137. Environment Requirements
Workstation Requirements
Administrator
End User
Network Requirements
Set up the Network for Authentication
Specify the operation mode
Specify the subnet mask, IP address(es)
Invisible mode
Router or firewall mode
Enable authentication, specify criteria
Net use based authentication
Web-based authentication
Enter network settings for authentication
Create an SSL Certificate
Create, Download a Self-Signed Certificate
Create, Upload a Third Party Certificate
Create a Third Party Certificate
Upload a Third Party Certificate
Download a Third Party Certificate
View log results
138. entered in its place in the profile string. Each segment of the profile string following the semicolon for the DN should be separated by commas. A zero (0) should be placed at the end of a profile string without any filter options enabled. For example:

CN Jane Doe CN Users DC qc DC local R 21 A J J FINAN Q 1 http://www.cnn.com 0x2
CN Public Joe Q OU Users OU Sales DC qc DC local Q R AUTO GENTER I 1 0x4

NOTE: The DN format must contain the username and user group (CN, "common name" attribute type), and the domain and DNS suffix (DC, "domain component" attribute type). The OU ("organizational unit") attribute type also can be included. Each attribute type should be followed by an equals sign and separated by a comma.

When translated, these strings of code mean:

• LDAP profile for a user with username Jane Doe, user group Users, domain qc, DNS suffix local: Block port 21 and Filter all other ports, White List and Open Financial Category and Block all other categories, use filter mode 1, use redirect URL http://www.cnn.com in place of the standard block page, X Strikes Blocking filter option enabled.
• LDAP profile for a user with username Public Joe Q, organizational units Users and Sales, domain qc, DNS suffix local: Bl
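The DN rules above (attribute type, equals sign, comma-separated components, semicolon ending the DN) and the guide's backslash rule for special characters in a user's name can be checked before a profile file is uploaded. The following is an added example, not code from the 8e6 guide or the R3000; the function names, the exact spacing of the DN text and the sample names other than "Doe, John" are assumptions made for the illustration.

```python
# Characters the guide says must be preceded by a backslash in a user's name:
# comma, semicolon, equals sign, quotation mark, plus sign, backslash, < and >.
SPECIAL = ',;="+\\<>'


def escape_name(name):
    """Escape one name value for use inside a DN in the .conf file."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in name)


def build_dn(rdns):
    """Build the DN text from (attribute_type, value) pairs, user entry first.

    Assumption: components are joined with a bare comma, no space.
    """
    return ",".join(f"{attr}={escape_name(value)}" for attr, value in rdns)


def parse_dn(dn):
    """Split a DN on unescaped commas and undo the backslash escaping.

    Raises ValueError for an unescaped special character, a component without
    an equals sign, or a backslash that escapes nothing.
    """
    rdns, attr, buf = [], None, []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 == len(dn):
                raise ValueError("backslash at end of DN escapes nothing")
            buf.append(dn[i + 1])          # keep the escaped character literally
            i += 2
            continue
        if ch == "=" and attr is None:     # first '=' closes the attribute type
            attr = "".join(buf).strip()
            buf = []
        elif ch == ",":                    # unescaped comma closes a component
            if attr is None:
                raise ValueError(f"component without '=' before position {i}")
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
        elif ch in SPECIAL:                # e.g. a ';' here would end the DN early
            raise ValueError(f"unescaped {ch!r} at position {i}")
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError("last component has no '='")
    rdns.append((attr, "".join(buf)))
    return rdns


def dn_problem(dn):
    """Return None when the DN parses cleanly, otherwise the error text."""
    try:
        parse_dn(dn)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample entry using the guide's "Doe, John" name.
    sample = [("CN", "Doe, John"), ("CN", "Users"), ("DC", "qc"), ("DC", "local")]
    print(build_dn(sample))
    print(dn_problem("CN=Doe, John,CN=Users,DC=qc,DC=local"))
```

A name written without the backslash is reported as a component without an equals sign, which is how the unescaped comma shows up once the DN is split.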
139. entity.

Category Profile

Category Profile is used for creating the categories portion of the filtering profile for the entity.

NOTE: In order to use this tab, filtering rules should already have been set up via the Rules window accessible from the Global Group options, and the minimum filtering level should already be established. The minimum filtering level is set up in the Minimum Filtering Level window accessible from the Global Group options.

By default, "Rule0 Minimum Filtering Level" displays in the Available Filter Levels pull-down menu, and the Minimum Filtering Level box displays "Child Pornography" and "Pornography/Adult Content". By default, Uncategorized Sites are allowed to Pass.

NOTE: By default, the Available Filter Levels pull-down menu also includes these three rule choices: "Rule1 BYPASS", "Rule2 BLOCK Porn", "Rule3 Block IM and Porn", and "Rule4 8e6 CIPA Compliance".

To create the category portion of the entity's filtering profile:

1. Select a filtering rule from the available choices, and/or select categories to block:
• If you select a filtering rule from the Available Filter Levels pull-down menu, this action automatically populates the Blocked Categories, Pass Categories, and/or Always Allowed list box(es) in the Rule
140. ertificates

Fig. E-8 Console Root with snap-in

Export the master certificate for the domain

1. Go to the right panel of the Console and select the master certificate for the domain that you just added.
2. Right-click the certificate to open the pop-up menu, and select All Tasks > Export:

Fig. E-9 Select the certificate to be exported

This action launches the Certificate Export Wizard:

Welcome to the Certificate Export Wizard. This wizard helps you copy certificates, certificate trust lists and certificate revocation lists from a certificate store to your disk. A certificate, which is issued by a c
141. ertification authority, is a confirmation of your identity and contains information used to protect data or to establish secure network connections. A certificate store is the system area where certificates are kept. To continue, click Next.

Fig. E-10 Certificate Export Wizard

3. Click Next to go to the Export Private Key page of the wizard:

Export Private Key: You can choose to export the private key with the certificate. Private keys are password protected. If you want to export the private key with the certificate, you must type a password on a later page. Do you want to export the private key with the certificate? (Yes, export the private key / No, do not export the private key)

Fig. E-11 Export Private Key

4. Select "No, do not export the private key" and click Next to go to the Export File Format page of the wizard:

Export File Format: Certificates can be exported in a variety of file formats. Select the format you want to use: DER encoded binary X.509 (.CER); Base-64 encoded X.509 (.CER); Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)

Fig. E-12 Export File Format

5. Select "Base 64 encode
142. essed.

If properly set up, the Authentication Request Form opens on a user's workstation if the user has been blocked from accessing specified Internet content. This form allows the user to authenticate him/herself in order to access Web content permitted by his/her filtering profile.

Fig. 5-1 Authentication Request Form

NOTE: In order to complete the test process, you should be sure you have your own filtering profile set up.

To verify that authentication is working, do either of the following, based on the Tier you selected:

• If Tier 2 or Tier 3 Web-based authentication will be used: Go to the Test Web-based authentication settings sub-section for instructions on testing the Authentication Request Form login page from a single workstation. For this test you will create a
143. Fig. 2-2 LAN Settings window

The entries made in this window will vary depending on whether you are using the invisible mode, or the router or firewall mode.

NOTE: If the gateway IP address on the network changes, be sure to update the Gateway IP address in this window.

Invisible mode

For the LAN1 IP (eth0) address, select 255.255.255.255 for the subnet mask, and click Apply.

Router or firewall mode

1. Enter the following information:
• In the LAN1 IP (eth0) field of the IP/Mask Setting frame, enter the IP address and specify the corresponding subnet of the "eth0" network interface card to be used on the network.
• In the LAN2 IP (eth1) field, enter the IP address and specify the corresponding subnet of the "eth1" network interface card to be used on the network.

TIP: The LAN1 and LAN2 IP addresses should usually be
144. Specify block page settings
Block Page Authentication
Block page
User/Machine frame
Standard Links
Optional Links
Options page
Option 1
Option 2
Option 3
Common Customization
Enable, Disable Features
Authentication Form Customization
Preview Sample Authentication Request Form
Block Page Customization
Preview Sample Block Page
CHAPTER 3: NT AUTHENTICATION SETUP
Join the NT Domain
Create an NT Domain
Add an NT domain
145. first category and then pressing the Shift key on your keyboard while clicking the last category.
4. For Uncategorized Sites, click "Block".
5. Click Apply.

Step 5: Use Authentication Request Page for redirect URL

1. Click the Redirect URL tab to display the Redirect URL page:

Fig. 5-16 Sub Group Profile window, Redirect URL tab

2. Select "Authentication Request Form".

NOTE: Since the Authentication Request Form radio button selection uses the host name of the server, not the IP address, be sure there is a DNS resolution for the host name.

3. Click Apply.

As a result of these entries, Web-based authentication takes effect immediately, and any user in this Sub-Group will be
146. group name with a stored list of profile settings in the R3000. As a result of this process, the user is assigned the appropriate level of filtering.
6. The matched profile is set for the user's IP address. The IPC connection is completed and maintained with periodic keep-alives.
7. When the user logs off, changes IP addresses, loses the network connection, or in any way causes the IPC connection to be altered or deactivated, the R3000 senses this change and returns the IP address to the configured global filtering level.
WARNING: Authentication will fail if a Network Address Translation (NAT) device is set up between the authentication server and end user clients. Authentication may also fail if network connections are overloaded, causing a severe delay in the transportation of SMB traffic. This can be a problem in any network, but is most prevalent in WAN links or in trunk links that are overloaded.
Re-authentication process
1. The user loses his/her user profile after one of the following incidences occurs:
• the server is rebooted, or
• the connection from the user's machine to the server is dropped, as with a faulty network cable
2. A block page displays for the user.
3. In order to re-access the Internet, the user must re-authenticate him/herself by clicking a link in the block page to generate a login script that re-authenticates the user's profile.
147. gs page.
[Screenshot: Range to Detect Settings window (Group > Global Group > Range to Detect Settings). Range to Detect Setup Wizard: "This wizard will help guide you through the steps needed to establish a filtering rule that the R3000 will use when filtering traffic. Click on Start the Setup Wizard in order to begin the Setup Wizard." Advanced Settings Window: "Opening the Advanced Settings Window allows a user to enter their settings manually. This option requires knowledge of tcpdump syntax. Not recommended for those users unfamiliar with network settings."]
Fig. 5-24: Range to Detect Settings window, main window
4. Click Start the Setup Wizard to display Step 1 of the Range to Detect Setup Wizard.
148. he SSL tab.
[Screenshot: Backup Server Configuration wizard, SSL tab, with the Enable Secure LDAP over SSL checkbox and the Upload SSL Certificate for LDAPS frame: "Enter the path to the SSL certificate for your LDAP server. This certificate is required to communicate with your LDAP server with secure encryption. The certificate should be a Base64 encoded der or cer format."]
Fig. 4-15: Backup Server Configuration, SSL Settings
SSL settings should be made if your network requires a secure connection from the R3000 to the LDAP server.
NOTE: See Appendix E: Obtain or Export an SSL Certificate for information on how to export a Novell server's SSL certificate to your desktop and then upload it to the R3000.
a. If applicable, click in the Enable Secure LDAP over SSL checkbox. This action activates the Upload button.
b. Click the Upload button to open the Upload SSL Certificate for LDAPS pop-up window (see Fig. 4-8).
c. Click Browse to open the Choose file window and select the R3000 server's SSL certificate.
d. Click Upload File to upload the SSL certificate to the R3000 server.
WARNING: Be sure the name on the SSL certificate to be uploaded to t
149. he format for the file will differ depending on whether the file contains a list of user or group profiles for an NT or LDAP server.
Each filtering profile in the file must contain the following items:
1. The username or group name
2. Filtering profile criteria:
• Rule number (Rule0, Rule1, etc.), or
• rule criteria: a. Ports to Block or Filter, b. Categories to Block or Open, c. Filter Mode
3. Redirect URL (optional)
4. Filter Options (optional). A zero should be placed at the end of a profile string with all filter options disabled.
Username Formats
NOTE: For examples of valid username entries, see File Format Rules and Examples in this appendix, or go to http://www.8e6.com/r3000help/files/2group_textfile_user.html
Rule Criteria
Rule criteria consists of selections made from the following lists of codes that are used in profile strings:
Port command codes: Filter all ports; Filter the defined port number(s); Open all ports; Open the defined port number(s); Block all ports; Block the defined port number(s)
Port Numbers: FTP (File Transfer Protocol); HTTP (Hyper Text Transfer Protocol); NNTP (Network News Transfer Protocol); HTTPS (Secured HTTP Transmission)
Filter Mode Values: 1 = Default Block Mode; 2 = Monitoring Mode; 4 = Bypassing Mode
Category command codes: J JJ Q R
150. he server matches the Server DNS Name entered in the Address Info tab.
6. After all entries are made using the wizard, click Save.
7. Click Close to close the wizard pop-up window.
Modify a backup server's configuration
1. On the Default Rule tab for a Novell eDirectory server set up in the LDAP tree menu, click Modify to open the Backup Server Configuration wizard pop-up window.
2. Click the tab(s) in which to make edits for the backup server (Address, Account, SSL).
3. Make the necessary edits.
4. Click Save.
5. Click Close to close the wizard pop-up window.
Delete a backup server's configuration
On the Default Rule tab for a Novell eDirectory server set up in the LDAP tree menu, click Delete to remove the backup server's configuration.
Delete a domain
To delete a domain profile, choose Delete from the LDAP domain menu. This action removes the domain from the tree.
Set up LDAP Domain Groups, Members
In the control panel, the LDAP domain branch of the tree menu includes options for setting up groups and/or members in the domain so that filtering profiles can later be created. The following options are used in this setup process: Select Group Member from Domain, Set Group Priority, Manually Add Member, Manually Add Group, and Upload User Group Profile.
Add LDAP gro
151. hoo Toolbar and click the pop-up icon to open the pop-up menu.
Fig. F-2: Select menu option Always Allow Pop-Ups From
2. Choose Always Allow Pop-Ups From to open the Yahoo Pop-Up Blocker dialog box.
Fig. F-3: Allow pop-ups from source
3. Select the source from the Sources of Recently Blocked Pop-Ups list box to activate the Allow button.
4. Click Allow to move the selected source to the Always Allow Pop-Ups From These Sources list box.
5. Click Close to save your changes and to close the dialog box.
152. ics
[Screenshot: Enable/Disable Authentication window (System > Authentication > Enable/Disable Authentication). Authentication mode: Enabled. "Click Enable to enable authentication. Select one of three tiers in the Web-based Authentication" frame: Tier 1: Web-based Authentication disabled (Net Use enabled); Tier 2: Use time-based profiles, with time-out in minutes (30); Tier 3: Use persistent logins via a Java Applet. Tier 2 & 3 Note: in an organization with more than 5000 users, slowness may be experienced during the authentication process. 8e6 Authenticator (On/Off): it is highly recommended that the 8e6 Authenticator option be turned on at all times. Novell eDirectory Agent (On/Off). Sending Keep Alive (On/Off). Inactive session lifetime in minutes: 20160.]
Fig. 2-3: Enable/Disable Authentication window
NOTE: See the information on the next pages for details about each of the tiers, and for the steps that must be executed to enable your tier selection.
4. In the 8e6 Authenticator frame, be sure the 8e6 Authen
153. ient, but with a .cfg extension instead of .exe. The full path name can be specified on the command line with the CF parameter. Review the comment following Table 1 for more information.
3. Command Line (optional): Options on the command line will override compiled defaults and the configuration file. The command line can be left blank.
4. R3000 Configuration Packet (optional): The R3000 may send a configuration packet that will override all other settings, including the command line. If the R3000 changes the IP address or port used by authenticat.exe, then when authenticat.exe reconnects, authenticat.exe will use the new IP address and port.
NOTE: The R3000 can force authenticat.exe to reconnect with a re-logon event packet.
8e6 Authenticator configuration syntax
All configuration parameters, regardless of their source, will use the following format syntax:
wAA B w C w
Parameter AA with Data B, and Comment C ignored.
w DD E w C w
The semicolon causes DD E to be ignored. C is also ignored.
Whereas AA is a two-letter, case-insensitive parameter name, B is the value for this parameter wrapped in brackets, and w is zero or more white spaces (space, tab, carriage return, line feed). C is completely ignored, and anything wrapp
154. ill continue to be authenticated as long as the pop-up window remains open.
8e6 Authenticator
The 8e6 Authenticator ensures the end user is authenticated on his/her workstation, via an executable file that launches during the login process. To use this option, the 8e6 Authenticator client (authenticat.exe) should be placed in a network share accessible by the domain controller or a Novell eDirectory server such as NetWare eDirectory server 6.5.
NOTE: The 8e6 Authenticator client (authenticat.exe) can be downloaded from the Enable/Disable Authentication window. See the Enable authentication, specify criteria sub-section in Chapter 2: Network Setup.
Environment requirements
Minimum system requirements
The following minimum server components are required when using NetWare eDirectory server 6.5:
• Server-class PC with a Pentium II or AMD K7 processor
• 512 MB of RAM
• Super VGA display adapter
• DOS partition of at least 200 MB and 200 MB available space
• 2 GB of available, unpartitioned disk space outside the DOS partition for volume sys
• One network board
• CD drive
Recommended system requirements
The following server components are recommended for optimal performan
155. le remains active for a configurable amount of time even if the user logs out of the workstation, changes IP addresses, etc.
Tier 2 time-based profiles do not call for the R3000 to maintain a connection with the client machine, so the R3000 cannot detect when the user logs off of a workstation. In order to remove the end user's profile, one of two scripts detailed in this sub-section should be inserted into the network's login and/or logoff script.
The Tier 2 Script should be used if Tier 2 is the only tier implemented in an environment. The Tier 1 and Tier 2 Script should be used if Tier 2 is implemented along with Tier 1 in an environment. Since both sets of scripts use the NET USE command, the client machine must already have the ability to connect to the R3000 via NET USE in order for the profile to be removed in either environment.
Tier 2 Script
If using Tier 2 only, this script should be inserted into the network's login script. If the network also uses a logoff script, 8e6's script should be inserted there as well. The inclusion of this script ensures that the previous end user's profile is completely removed, in the event the end user did not log out successfully.
echo off
:start
cls
net use \\10.10.10.10\LOGOFF /delete
:try1
NET USE \\10.10.10.10\LOGOFF
if errorlevel 1 got
156. les for examples of valid filtering profile formats to use when creating a list of profiles to be uploaded to the server.
WARNING: When uploading a list of profiles to the tree, the user will be blocked from Internet access if the minimum filtering level has not been defined via the Minimum Filtering Level window. If you have just established the minimum filtering level, filter settings will not be effective until the user logs off and back on the server.
5. Click Upload File to upload this file to the server. The Upload Successful pop-up window informs you to click Reload in order for these changes to be effective.
6. Click Reload.
7. Go to the LDAP branch of the tree and choose Refresh from the LDAP group menu.
Create, Maintain LDAP Profiles
Once an LDAP group or member has been added to the tree, a filtering profile can be created and maintained for that entity. For groups, the following options are available for filtering profile creation and maintenance: Group Member Details, Profile, and Remove. For members, the following options are available for filtering profile creation and maintenance: Profile, and Remove.
Add an LDAP group mem
157. line. It will be ignored in any other context. If the configuration file cannot be loaded from the alternate location, an error will be logged and an attempt will be made to load the default configuration file. If the alternate configuration file is specified and is blank (CFI), the 8e6 Authenticator will not attempt to load any configuration file; this can minimally speed up execution time.
The compiled default value of CF causes the default configuration file loading to be attempted, which has the same full path and filename of the current loaded 8e6 Authenticator executable, but with an extension of .cfg instead of .exe. That is, if the 8e6 Authenticator client is example authenticat.exe, the search for the default configuration file would be example authenticat.cfg.
It is not an error if the default configuration file does not exist. It is an error if the default configuration file exists but cannot be read or parsed correctly. Unknown parameters are ignored. Format syntax errors will abort the reading and report an error, but the 8e6 Authenticator will attempt to continue running.
For each IP address where PORT is omitted from the address, the RP port value is used. For example, if RA 1 1 1 1 5555 is set, the RP parameter is ignored.
RPI affects port-less addresses
158. llers pop-up menu.
Select Properties to open the Domain Controllers Properties dialog box.
Fig. D-3: Domain Controllers Properties
4. Click the Group Policy tab, choose the Default Domain Controllers Policy, and then click Edit to open the Group Policy Object Editor window.
Fig. D-4: Group Policy Object Editor window
5. In the left panel, go to the Computer Configuration branch of the tree and select the Windows Se
159. load/View Certificate to save a copy of the R3000's current SSL certificate file to your workstation. This will allow you to obtain the R3000's certificate so you can distribute it to client workstations.
Click Delete Certificate to erase the R3000's current SSL certificate. This should be done ONLY if the DNS name of the R3000 has changed. After deleting the current certificate, you will need to create a new certificate or CSR and distribute it to any workstation that will use the R3000's Web-based Authentication.
Fig. 2-8: Download/View/Delete Certificate tab
3. Click Download/View Certificate to open the File Download dialog box where you indicate whether you wish to Open and view the file, or open the Save As window so that you can Save the SSL certificate to a specified folder on your workstation.
NOTE: While the SSL certificate can be downloaded on a Macintosh computer, the best method to import the certificate is via the Authentication Request Form, when prompted by the Security Alert warning message to add the certificate to the trusted certificate store.
160. local
3. Click OK to add the username to the domain's section of the tree.
NOTE: See Add or maintain an entity's profile under Create and Maintain LDAP Profiles for information on defining the filtering profile for the user.
Manually add a group's name to the tree
1. Select the LDAP domain, and choose Manually Add Group from the pop-up menu to open the Manually Add Group dialog box.
Fig. 4-19: Manually Add Group box
This dialog box is used for adding a group name to the tree list, so that a filtering profile can be defined for that group.
2. Enter the group's name in the text box, using the entire Distinguished Name format.
3. Click OK to add the group name to the domain's section of the tree.
NOTE: See Add or maintain the entity's profile under Create and Maintain LDAP Profiles for information on defining the filtering profile for the group.
Upload a file of filtering profiles to the tree
1. Select the LDAP domain, and choose Upload User Group Profile from the pop-up menu to open the Upload User Group Profile window.
161. lorer (IE) 5.5 or later
• JavaScript enabled
• Java Runtime Environment, if using Tier 3 authentication
• Pop-up blocking software, if installed, must be disabled
Network Requirements
• High speed connection from the R3000 server to the client workstations
• FTP or HTTPS connection to 8e6's patch server
• Internet connectivity for downloading Java Virtual Machine and Java Runtime Environment, if necessary, if not already installed
Set up the Network for Authentication
The first settings for authentication must be made in the System section of the console in the following windows: Operation Mode, LAN Settings, Enable/Disable Authentication, Authentication Settings, Authentication SSL Certificate (if Web-based authentication will be used), View Log File (for troubleshooting authentication setup), and Block Page Authentication.
Entries for customizing the block page and/or authentication request form are made in the Common Customization, Authentication Form Customization, and Block Page Customization windows.
Specify the operation mode
Click Mode and select Operation Mode from the pop-up menu to display the Operation Mode window.
162. ly described for the Block page display in the upper half of the Options page:
• BACK and HELP links
• User/Machine frame contents
The frame beneath the User/Machine frame includes information for options (1, 2, and/or 3) based on settings made in the Block Page Authentication window.
Option 1
Option 1 is included in the Options page if Web-based Authentication was selected at the Re-authentication Options field in the Block Page Authentication window. The following phrase/link displays: Click here for secure Web-based authentication.
When the user clicks the link, the Authentication Request Form opens.
Fig. 2-18: Authentication Request Form
NOTE: See Authentication Form Customization for informati
163. n or Off to enable or disable the following elements in the HTML pages, and make entries in fields to display customized text, if necessary:
• Username Display: if enabled, displays User/Machine followed by the end user's username in block pages
• IP Address Display: if enabled, displays IP followed by the end user's IP address in block pages
• Category Display: if enabled, displays Category followed by the long name of the blocked category in block pages
• Blocked URL Display: if enabled, displays Blocked URL followed by the blocked URL in block pages
• Copyright Display: if enabled, displays 8e6 R3000 copyright information at the footer of block pages and the authentication request form
• Title Display: if enabled, displays the title of the page in the title bar of the block pages and the authentication request form
• Help Display: if enabled, displays the specified help link text in block pages and the authentication request form. The associated URL (specified in the Help Link URL field described below) is accessible to the end user by clicking the help link.
NOTE: If enabling the Help Display feature, both the Help Link Text and Help Link URL fields must be populated.
• Help Link Text: By default, HELP displays as the help link text. Enter the text to display for the help link.
164. n 27; name resolution 29; Microsoft Active Directory Mixed Mode 30, 127; Native Mode 30, 127; minimum filtering level 18; definition 250; name resolution definition 250; methods 29; WINS Server 29; NAT definition 250; net use command 203; definition 250; syntax 32; NetBIOS definition 250; name lookup definition 250; NetBIOS Domain Name 132, 143; NetBIOS name 70; Netscape Directory Server 127; Network Address Translation (NAT) definition 250; network requirements 59; NIC device 71; Novell 23, 28, 30, 44, 48, 127, 136, 226; Novell eDirectory Agent 50; NT domain diagram 10; domain groups 10; profile file format 116; NT domain add 103; Default Rule 107; Domain Settings 105; NTLM authentication protocol 23, 101; open setting 19; definition 250; OpenLDAP 23, 147; server customizations 219; Operation Mode window 60; Options page 86; organizational unit (ou) definition 251; override account AdwareSafe popup blocking 240; block page authentication 82; definition 251; Google Toolbar popup blocking 239; Mozilla Firefox popup blocking 241; override popup blockers 236; profile type 15; Windows XP SP2 popup blocking 242; Yahoo Toolbar popup blocking 237; PDC 102; definition 257; pop-up blocking disable 236; pop-up box/window terminology 5; primary IP address 63; Primary Domain Controller P
165. n IP profile for the test machine's IP address, and set the Redirect URL for the profile to access the Authentication Request Form.
NOTE: Before testing Web-based authentication settings, be sure the SSL certificate you created (via the System > Authentication > Authentication SSL Certificate window in Chapter 2) is placed on all workstations of users who will be authenticated. This ensures that users will not receive the Security Alert warning message from the server.
If Tier 1 net use based authentication will be used: Go to the Test net use authentication settings sub-section for instructions on testing the net use based login command to see if you can access the assigned profile.
If you, the administrator, can be successfully authenticated in the domain(s) that were set up, the test process is complete, and you are ready to activate authentication on the network (see Activate Authentication on the Network).
Test Web-based authentication settings
To verify that authentication is working properly, make the following settings in the Group section of the console:
Step 1: Create an IP Group, test
1. Click the IP branch of the tree.
2. Select Add Group from the pop-up menu to open the Create New Group dialog box.
166. nd of a profile string without any filter options enabled.
Admin Rule http www cnn com 0x4
Sales Rule2 0x300
Tech A RCHAT KDPORN FINAN GGAMES GPORN I 1 0x6
When translated, these strings of code mean:
• NT profile for a group with ID Admin: Bypass all categories, use redirect URL http://www.cnn.com in place of the standard block page, Google/Yahoo Safe Search filter option enabled.
• NT profile for a group with ID Sales: Block Porn category, use standard block page, Search Engine Keyword and URL Keyword filter options enabled.
• NT profile for a group with ID Tech: Filter all ports, Block Chat, Child Porn, Finance, and Games categories but leave all other categories open, use filter mode 1, use standard block page, X Strikes Blocking and Google/Yahoo Safe Search filter options enabled.
LDAP User List Format and Rules
When setting up the ldapuserprofile.conf file, each entry must consist of the Distinguished Name (DN), with each part of the DN separated by commas. The DN should be followed by a semicolon and then a rule number or rule criteria (port, category, and filter mode specifications). A redirect URL can be included if a specific URL should be used in place of the standard block page. If a redirect URL is not included, a blank space should be
167. Fig. F-8: Toolbar setup
When you click Turn On Pop-up Blocker, this menu selection changes to Turn Off Pop-up Blocker and activates the Pop-up Blocker Settings menu item. You can toggle between the On and Off settings to enable or disable pop-up blocking.
Temporarily disable pop-up blocking
1. In the Options page (see Fig. F-1), enter your Username and Password.
2. Press and hold the Ctrl key on your keyboard while simultaneously clicking the Override button; this action opens the override account pop-up window.
Add override account to the white list
There are two ways to disable pop-up blocking for the override account and to add the override account to your white list.
Use the IE toolbar
1. With pop-up blocking enabled, go to the toolbar and select Tools > Pop-up Blocker > Pop-up Blocker Settings to open the Pop-up Blocker Settings dialog box.
168. ne frame
• User/Machine field: The username displays for the NT/LDAP user. This field is blank for the IP group user.
• IP field: The user's IP address displays.
• Category field: The name of the library category that blocked the user's access to the URL displays. If the content the user attempted to access is blocked by an Exception URL, Exception displays instead of the library category name.
• Blocked URL field: The URL the user attempted to access displays.
Standard Links
By default, the following standard links are included in the block page:
• HELP: Clicking this link takes the user to 8e6's Technical Support page that explains why access to the site or service may have been denied.
• 8e6 Technologies: Clicking this link takes the user to 8e6's Web site.
Optional Links
By default, these links are included in the block page under the following conditions:
• For further options, click here. This phrase and link is included if any option was selected at the Re-authentication Options field in the Block Page Authentication window. Clicking this link takes the user to the Options window, described in the Options page sub-section that follows.
• To submit this blocked site for review, click here. This phrase and link is included if an email address was en
169. ng Web-based authentication.
If Tier 1 net use based authentication will be used: Go to the Activate net use based authentication sub-section for instructions on testing the login script and modifying the Global Group Profile for authenticating users.
Activate Web-based authentication for an IP Group
IP Group authentication is the preferred selection for Web-based authentication over the Global Group Profile authentication option, as it decreases the load on the R3000.
Step 1: Create a new IP Group, webauth
1. Click the IP branch of the tree.
2. Select Add Group from the pop-up menu to open the Create New Group dialog box.
Fig. 5-11: Create New Group box
3. Enter webauth as the Group Name.
4. Enter the password in the Password and Confirm Password fields.
5. Click OK to add the group to the tree.
Step 2: Set webauth to cover users in range
Select the IP group webauth from the tree.
Click Members in the pop-up menu to display the Members window.
170. ng options by clicking your selection:
• Web-based Authentication: select this option if using Web authentication with time-based profiles or persistent login connections for NT or LDAP authentication methods.
• Re-authentication: select this option for the re-authentication option. The user can restore his/her profile and NET USE connection by clicking an icon in a window to run a NET USE script.
• Override Account: select this option if any user has an Override Account, allowing him/her to access URLs set up to be blocked at the global or IP group level.
TIP: Multiple options can be selected by clicking each option while pressing the Ctrl key on your keyboard.
NOTE: See the R3000 User Guide for information about the Override Account feature.
2. If the Re-authentication option was selected, in the Logon Script Path field, RDCSHARE scripts displays by default. In this field, enter the path of the logon script that the R3000 will use when re-authenticating users on the network, in the event that a user's machine loses its connection with the server, or if the server is rebooted. This format requires the entry of two backslashes, the authentication server's computer name (or computer IP address) in capital letters, a backslash, and name of the share path.
3. Click Apply to apply your settings.
171. Fig. 5-6: Sub Group Profile window, Category tab
In the Category Profile page, move all categories to the Blocked Categories list box by selecting categories from the Pass Categories and/or Always Allowed list box(es) and using the left arrow (<) to move them to the Blocked Categories list box.
TIP: Blocks of categories can be selected by clicking the first category, and then pressing the Shift key on your keyboard while clicking the last category.
4. For Uncategorized Sites, click Block.
5. Click Apply.
Step 6: Use Authentication Request Page for redirect URL
1. Click the Redirect URL tab to display the Redirect URL page.
172. ns page.
Fig. 5-21: Global Group Profile window, Filter Options tab
a. Select filter options to be enabled.
b. Click Apply.
As a result of these entries, the standard block page will display, instead of the Authentication Request Form, when any user in this Sub Group is blocked from accessing Internet content.
173. nter the two-character Country code, such as US.
9. Click Create to generate the Certificate Signing Request.
NOTE: Once the third party certificate has been created, the Create CSR button displays greyed out, and the Download/View CSR, Upload Certificate, and Delete CSR buttons are now activated.
Upload a Third Party Certificate
1. Click Upload Certificate to open the Upload Signed SSL Certificate for R3000 pop-up window.
Fig. 2-11: Upload Signed SSL Certificate box
The Message dialog box also opens with the message: "Click OK when upload completes."
TIP: Click Cancel in the dialog box to cancel the procedure.
2. In the Upload Signed SSL Certificate for R3000 pop-up window, click Browse to open the Choose file window.
3. Select the file to be uploaded.
4. Click Upload File to upload this file to the R3000.
5. Click OK in the Message dialog box to confirm the upload and to close the dialog box.
174. nu in the Authentication Request Form
175. o try2
if errorlevel 0 echo code 0 Success
goto end
:try2
NET USE \\10.10.10.10\LOGOFF
if errorlevel 1 goto try3
if errorlevel 0 echo code 0 Success
goto end
:try3
NET USE \\10.10.10.10\LOGOFF
if errorlevel 1 goto error
if errorlevel 0 echo code 0 Success
goto end
:error
if errorlevel 1 echo code 1 Failed
:end
REM Drop the connection to the LOGOFF share once the request has been sent
net use \\10.10.10.10\LOGOFF /delete

Tier 1 and Tier 2 Script
In an environment in which both Tier 1 and Tier 2 are used, this version of 8e6's script should be inserted into the network's login script. 8e6's script attempts to remove the previous end user's profile, and then lets the new user log in with his/her assigned profile.

echo off
:startremove
cls
REM Drop any existing connection to the LOGOFF share before trying again
NET USE \\10.10.10.10\LOGOFF /delete
REM Up to three attempts to send the removal request; stop at the first success
:tryremove1
NET USE \\10.10.10.10\LOGOFF
if errorlevel 1 goto tryremove2
if errorlevel 0 echo code 0 Success
goto endremove
:tryremove2
NET USE \\10.10.10.10\LOGOFF
if errorlevel 1 goto tryremove3
if errorlevel 0 echo code 0 Success
goto endremove
:tryremove3
NET USE \\10.10.10.10\LOGOFF
if errorlevel 1 goto removalerror
if errorlevel 0 echo code 0 Success
goto endremove
:removalerror
if errorlevel 1 echo code 1 Failed to send removal request
:endremove
net use \\10.10.10.10\LOGOFF /delete
176. Fig. 5-35: Global Group Profile window, Port tab
a. Enter the Port number to be blocked, and then click Add to include the port number in the Block Port(s) list box.
b. After entering all port numbers to be blocked, click Apply.
4. Click the Default Redirect URL tab to display the Default Redirect URL page.
Fig. 5-36: Global Group Profile window, Redirect URL tab
a. Select Authentication Request Form.
NOTE: Since the Authentication Request Form radio button selection uses the host name of the server, not the IP address, be sure there is a DNS resolution for the host name.
b. Click Apply.
177. ock all ports, Block Automobile and Entertainment categories, use filter mode 1, use standard block page, Google/Yahoo Safe Search filter option enabled.
LDAP Group List Format and Rules
When setting up the ldapgroupprofile.conf file, each entry must consist of the Distinguished Name (DN), with each part of the DN separated by commas. The DN should be followed by a semicolon, and then a rule number or rule criteria: port, category, and filter mode specifications. A redirect URL can be included, if a specific URL should be used in place of the standard block page. If a redirect URL is not included, a blank space should be entered in its place in the profile string. Each segment of the profile string following the semicolon for the DN should be separated by commas. A zero (0) should be placed at the end of a profile string without any filter options enabled.
For example:
CN=Sales, CN=Users, DC=qc, DC=local; Rule1, http://www.cnn.com, 0x102
NOTE: The DN format must contain the group name and, if applicable, user group (CN, "common name" attribute type), and the domain and DNS suffix (DC, "domain component" attribute type). The OU ("organizational unit") attribute type also can be included. Each attribute type should be followed by an equals sign (=), and separated by a comma (,).
178. ofile to set the policy for members of an IP-based profile, or for users who are not authenticated. If you set a restrictive profile, unauthenticated users will not be able to obtain access until they are successfully authenticated. If you set up a less restrictive profile to allow access, a user can still be authenticated, but won't be prompted to authenticate him/herself unless attempting to access a site that is blocked. Since the login script will automatically run when the user logs in, a less restrictive profile might be used to allow logging with the user's name without forced blocking.
1. Click Global Group in the tree to open the pop-up menu.
2. Select Global Group Profile to display the Category tab of the Profile window.
3. In the Category Profile page, select categories to block, pass, or white list, and indicate whether uncategorized sites should pass or be blocked.
4. Click Apply.
5. Click the Port tab to display the Port page.
6. Enter the Port number to be blocked, and then click Add to include the port number in the Block Port(s) list box.
7. After entering all port numbers to be blocked, click Apply.
8. Click the Default Redirect URL tab to display the Default Redirect URL page. Your options on this tab will vary based on whether your network will be using net
179. olution, enter the IP address of each Windows DNS server to be filtered by this R3000, with a space between each IP address.
3. In the Virtual IP Address to Use for Authentication field, 1.2.3.5 displays by default. If using Tier 1 or Tier 3, enter the IP address that from now on will be used for communicating authentication information between the R3000 and the PDC. This must be an IP address that is not being used on the same segment of the network as the R3000.
WARNING: If the IP address entered here is not in the same subnet as this R3000, the net use connection will fail.
4. In the NIC Device to Use for Authentication field:
• if using the invisible mode, enter eth1 (Ethernet 1) for sending traffic on the network, in particular for transferring authentication data
• if using the router or firewall mode, enter eth0 (Ethernet 0)
5. Click Apply to apply your settings.
NOTE: If using the NT authentication method, you will later return to this window to join the domain. See the section on Join the NT domain in Chapter 3: NT Authentication Setup for information about these procedures.
Create an SSL certificate
Authentication SSL Certificate sho
180. Fig. D-1: Go to Active Directory Users and Computers
2. When the Active Directory Users and Computers window opens, click Domain Controllers in the left panel to open the pop-up menu.
Fig. D-2: Select Properties in the Domain Contro
181. on
• Wbwatch Log (wbwatch.log): used for viewing messages on attempts to join the domain via the Authentication Settings window.
• Authentication Log (AuthenticationServer.log): used for viewing information about the authentication process for users, including SEVERE and WARNING error messages.
• Admin GUI Server Log (AdminGUIServer.log): used for viewing information on entries made by the administrator in the console.
• eDirectory Agent Debug Log (edirAgent.log): used for viewing the debug log, if using eDirectory LDAP authentication.
• eDirectory Agent Event Log (edirEvent.log): used for viewing the event log, if using eDirectory LDAP authentication.
• Authentication Module Log (authmodule.log): used for viewing information about SEVERE error messages pertaining to LDAP authentication connection attempts.
3. Choose the Last Number of Lines to view (100-500) from that file.
4. Click View to display results in the Result pop-up window.
182. on
Using SMB/NetBIOS:
• Windows NT 4.0 SP4 or later
• Windows 2000 or 2003 Server in mixed/legacy mode
NOTE: SMB Signing must not be required.
Using LDAP:
• Microsoft Active Directory Mixed Mode
• Microsoft Active Directory Native Mode
Tier 2 and Tier 3: Web-based authentication
Using an NT authentication domain:
• Windows NT 4.0 SP4 or later
• Windows 2000 or 2003 Server in mixed/legacy mode
NOTE: SMB Signing must not be required.
Using an LDAP domain:
• Windows Active Directory 2002 and 2003
• Novell eDirectory
• SunONE directory server
Configuring the authentication server
When configuring authentication, you must first go to the authentication server and make all necessary entries before configuring the R3000. The following authentication components must be set up or entered on the console of the authentication server:
• domain name
• usernames and passwords
• user groups
• login scripts
Login scripts
Login (or logon) scripts are used by the R3000 server for reauthenticating users on the network. The following syntax must be entered in the appropriate directory on the authentication server console:
Enter net use syntax in the login script
The virtual I
183. on on adding free-form text and a hyperlink at the top of the Authentication Request Form.
Option 2
The following phrase/link displays, based on options selected at the Re-authentication Options field in the Block Page Authentication window:
• Re-start your system and re-login: This phrase displays for Option 1, whether or not either of the Re-authentication Options (Re-authentication or Web-based Authentication) was selected in the Block Page Authentication window. If the user believes he/she was incorrectly blocked from a specified site or service, he/she should re-start his/her machine and log back in.
• Try re-authenticating your user profile: This link displays if Re-authentication was selected at the Re-authentication Options field, and an entry was made in the Logon Script Path field. When the user clicks this link, a window opens.
Fig. 2-19: Re-authentication option
The user should click the logon.bat icon to run a script that will re-authenticate his/her profile on the network.
184. on Settings window.
Fig. 2-6: Authentication Settings window
In the Settings frame, at the R3000 NetBIOS Name field, the NetBIOS name of the R3000 displays. This information comes from the entry made in the Host Name field of the LAN Settings window.
In the IP Address of WINS Server field, if using a WINS server for name res
185. on opens the Allow pop-ups from this site dialog box.
Fig. F-12: Allow pop-ups dialog box
5. Click Yes to add the override account to your white list and to close the dialog box.
NOTE: To view your white list, go to the Pop-up Blocker Settings dialog box (see Fig. F-9) and see the entries in the Allowed sites list box.
6. Go back to the Options page and click Override to open the override account window.
APPENDIX G: Glossary
This glossary includes definitions for terminology used in this user guide.
ADS: Active Directory Services is a Windows 2000 directory service that acts as the central authority for network security, by letting the operating system validate a user's identity and control his or her access to network resources.
attribute: A component of a group base or Distinguished Name (DN) that has a type and value. Attribute types include "cn" for common name, "dc" for domain component, and "ou" for organizational unit.
authentication method: A way to validate users on a network. Methods include SMB NT (referred to as NT throughout this user guide) and LDAP.
authentication server: The domain controller on a domain. This server is used for authenticating users on the network.
block setting: A setting assigned
186. ons include the following elements: groups, filtering profiles and their components, and rules for filtering.
Group Types
In the Group section of the Administrator console, group types are structured in a tree format in the control panel. There are four group types in the tree list:
• Global Group
• IP groups
• NT domain groups
• LDAP domain groups
NOTE: If authentication is enabled, the global administrator, who has all rights and permissions on the R3000 server, will see all branches of the tree: Global Group, IP, NT, and LDAP. If authentication is disabled, only the Global Group and IP branches will be seen.
Global Group
The first group that must be set up is the global group, represented in the tree structure by the global icon. The filtering profile created for the global group represents the default profile to be used by all groups that do not have a filtering profile, and all users who do not belong to a group.
IP Groups
The IP group type is represented in the tree by the IP icon. A master IP group is comprised of sub-group members and/or individual IP members. The global administrator adds master IP groups, adds and maintains override accounts at the global level, and establishes and maintains the minimum filtering level. The group administrator of a master IP group adds
187. Fig. 2-24: Sample Customized Block Page
By default, the following data displays in the User/Machine frame:
• User/Machine field: The username displays for the NT/LDAP user. This field is blank for the IP group user.
• IP field: The user's IP address displays.
• Category field: The name of the library category that blocked the user's access to the URL displays. If the content the user attempted to access is blocked by an Exception URL, "Exception" displays instead of the library category name.
• Blocked URL field: The URL the user attempted to access displays.
By default, the following standard links are included in the block page:
• HELP: Clicking this link takes the user to 8e6's Technical Support page that explains why access to the site or service may have been denied.
• 8e6 Technologies: Clicking this link takes the user to 8e6's Web site.
By default, these links are included in the block page under the following conditions:
• For further options, click here: This phrase and link is included if any option was selected at
188. Fig. F-9: Pop-up Blocker Settings
2. Enter the Address of Web site to allow, and click Add to include this address in the Allowed sites list box. Click Close to close the dialog box. The override account window has now been added to your white list.
3. In the Options page (see Fig. F-1), enter your Username and Password.
4. Click the Override button to open the override account pop-up window.
Use the Information Bar
With pop-up blocking enabled, the Information Bar can be set up and used for viewing information about blocked pop-ups or allowing pop-ups from a specified site.
Set up the Information Bar
1. Go to the toolbar and select Tools > Pop-up Blocker > Pop-up Blocker Settings to open the Pop-up Blocker Settings dialog box (see Fig. F-9).
2. In the Notifications and Filter Level frame, click the checkbox for "Show Information Bar when a pop-up is blocked."
3. Click Close to close the dialog box.
Access your override account
1. In the Options page (see Fig. F-1), enter your Username and Password.
2. Click the Override button. This action displays the following message in the Information Bar: Pop-up blocked. To see this pop-up
189. Fig. D-9: Define this policy setting
Click in the "Define this policy setting" checkbox to activate the radio buttons. Choose "Disabled", and then click OK.
10. Go back to the Group Policy Object Editor window (see Fig. D-8), and find the policies for the following items:
• Microsoft network server: Digitally sign communications (always)
• Domain controller: LDAP server signing requirements
• Domain controller: LDAP client signing requirements
For each of these items, follow the instructions in step 9.
APPENDIX E: Obtain or Export an SSL Certificate
When using Web-based authentication, the LDAP server's SSL certificate needs to be exported and saved to the hard drive, then uploaded to the R3000 so that the R3000 will recognize the LDAP server as a trusted source.
This appendix provides steps on exporting an SSL certificate from a Microsoft Active Directory or Novell server, the most common types of LDAP servers. Also included is information on obtaining a Sun ONE server's SSL certificate.
Export an Active Directory SSL Certificate
Verify certificate authority has been installed
1. From the console of the LDAP server, go to Start > Programs
190. oup's name to the tree.
1. Select the NT domain, and choose Manually Add Group from the pop-up menu to open the Manually Add Group dialog box.
Fig. 3-8: Manually Add Group box
This dialog box is used for adding a group name to the tree list, so that a filtering profile can be defined for that group.
2. Enter the group's name in the text box.
3. Click OK to add the group name to the domain's section of the tree.
NOTE: See Add or maintain an entity's profile under Create and Maintain NT Profiles for information on defining the filtering profile for the group.
Upload a file of filtering profiles to the tree
1. Select the NT domain, and choose Upload User/Group Profile from the pop-up menu to display the Upload User/Group Profile window.
191. Upload Member Profile: Click Upload.
Warning: This file will overwrite the current user/group file. File must be in the following filename and format:
• NT: ntuserprofile.conf or ntgroupprofile.conf
• LDAP: ldapuserprofile.conf or ldapgroupprofile.conf
The user's name must match the entry on the server. If the user's name includes characters such as a comma, semicolon, equals sign, quotation mark, plus sign, backslash, less than (<) or greater than symbol (>), a backslash must be entered before that character. If the username contains a backslash, you must enter an additional backslash before that character. If the user's name is "Doe, John", you would enter the name in the .conf file as "Doe\, John".
Reload Member Profile: Click Reload.
Warning: The uploaded member profile does not take effect unless the Reload button is clicked.
Fig. 4-20: Upload User Group Profile win
192. ow only specified ranges of IP addresses to be observed by the 8e6 Authenticator.
Novell eDirectory Agent
Novell eDirectory Agent provides Single Sign-On (SSO) authentication for an R3000 set up in a Novell eDirectory environment. Using Novell eDirectory Agent, the R3000 is notified by the eDirectory server when an end user logs on or off the network, and adds/removes his/her network IP address, thus setting the end user's filtering profile accordingly.
Environment requirements
Novell eDirectory servers
The following eDirectory versions 8.7 or higher with Master, Read/Write, Read replicas have been tested:
• eDirectory 8.7 in RedHat Linux 9.0
• eDirectory 8.7 in NetWare 6.5 SP5
NOTE: See 8e6 Authenticator: Environment requirements for Minimum and Recommended system requirements. These requirements also apply to eDirectory 8.7 in RedHat Linux 9.0.
Client workstations
To use this option, all end users must log in the network. The following OS have been tested:
• Windows 2000 Professional
• Windows XP
• Macintosh
Novell clients
The following Novell clients have been tested:
• Windows: Version 4.91 SP2
• Macintosh: Prosoft NetWare client Version 2.0
Novell eDirec
193. owing fields can be modified: name of the domain, Controller IP Address, User Name, Password, and Confirm Password. Whenever criteria on this tab is modified:
a. The password from the Password field must be entered in the Confirm Password field for verification.
b. Click Modify to apply your settings.
Default Rule
1. Click the Default Rule tab to display the Default Rule settings of the NT Domain Details window.
Fig. 3-4: NT Domain Details window, Default Rule tab
2. For the Default Rule:
• Rule0, the Minimum Filtering Level, displays by default as the Default Rule. If this rule is used, it will be applied to all groups and members in the NT domain without a filtering profil
194. p and Upload User/Group Profile.

Add NT groups, members to the tree

Before you can create filtering profiles for groups and/or members in a domain, you must first add the groups and/or members to the tree list for that domain.

Fig. 3-5 Select Groups/Members from Domain window

Select the NT domain, and choose Select Group/Member from Domain from the pop-up menu to display the Select Groups/Members from Domain window (see Figure 3-5).

To add groups that need filtering profiles to the tree list:
1. Choose a group from the Available Groups list box.
2. Use the right arrow button (>) to move the group to the Selected Grou
195. placed in different subnets.
• In the Primary IP field of the DNS frame, enter the IP address of the first DNS server to be used for resolving the IP address of the authentication server with the machine name of that server.
• In the Secondary IP field of the DNS frame, enter the IP address of the second DNS server to be used for resolving the IP address of the authentication server with the machine name of that server.
• In the Gateway IP field of the Gateway frame, enter the IP address of the default router to be used for the entire network segment.

2. Click Apply to apply your settings.

NOTE: Whenever modifications are made in this window, the server must be restarted in order for the changes to take effect.

Enable authentication, specify criteria

1. Click Authentication and select Enable/Disable Authentication from the pop-up menu to display the Enable/Disable Authentication window.
196. plied to the filtering profile: X Strikes Blocking, Google/Yahoo Safe Search Enforcement, Search Engine Keyword Filter Control, URL Keyword Filter Control. If URL Keyword Filter Control is selected, the Extend URL Keyword Filter Control option can be selected.

NOTE: See the R3000 User Guide for information about Filter Options.

2. Click Apply to apply your settings.

Remove an entity's profile from the tree

To remove a group or member's profile from the tree, select the profile in order to open the pop-up menu, and choose Remove.

CHAPTER 4: LDAP AUTHENTICATION SETUP

Create an LDAP Domain

In the Group section of the console, add an LDAP domain that contains entities to be authenticated.

Add the LDAP domain

1. Click LDAP in the control panel to open the pop-up menu, and select Add Domain to open the Create LDAP Domain dialog box.

Fig. 4-1 Create LDAP Domain box

2. In the LDAP Server IP field, enter the IP address of the authentication server.
3. In the LDAP Server Port field, enter the LDAP server port number. By default, enter 389.
4. In the LDAP Domain Label field, enter the name of the LDAP domain. This en
197. ppendix C: LDAP Server Customizations if using an OpenLDAP server.

Perform a basic search

1. Specify the type of search by clicking the User or Group radio button.
2. Choose either cn (common name) or uid (user ID) from the pull-down menu for the attribute type used in the LDAP directory.
3. In the User or Group Name field, input the group or username exactly as it was entered on the LDAP server, or enter a partial name followed by the asterisk wild card.
4. Click Search to display rows of results in the grid below. The following information is included for each entity: Type (USR or GRP); Name as entered on the LDAP server; DN string; Profile Rule number, if assigned; View button; check box.

Options for search results

After performing a search, you can do either of the following:
• Narrow your search: To narrow your search, make a selection from the OU Name pull-down menu, and then click Search In Results. This will limit your results to the specified section of the LDAP database.
• Search within existing results: To search within the list of records returned by your initial query, change your search criteria and then click Search In Results. This can speed up searches when the LDAP server is slow to respond.

The View b
198. ps list box. If necessary, select a group and use the left arrow button (<) to move the group back to the Available Groups list box.

To add group members who need filtering profiles to the tree list:
1. Choose the group from the Available Groups list box.
2. Click Show Members to display group members in the Available Members list box.

Choose a member from the Available Members list box, and use the right arrow button (>) to move the group to the Selected Members list box. If necessary, select a member and use the left arrow button (<) to move the member back to the Available Members list box.

When all entities who need filtering profiles have been added to the Selected Groups and/or Selected Members list box(es), click Add Selected Groups & Members to add them within the domain's section of the tree list.

NOTE: See Add or maintain an entity's profile under Create and Maintain NT Profiles for information on defining the filtering profile for the group.

WARNING: When adding an NT group or member to the tree list, the group/member will be blocked from Internet access if the minimum filtering level has not been defined via the Minimum Filtering Level window. If you have just established the minimum filtering level, filter settings will not be effective until the g
199. r LDAP authentication. Please ensure the correct DNS settings are set.

• The Server DNS Name field should contain the DNS name of the server. If this field is already populated, it may need to be edited if there is more than one DNS server available.

NOTES: If your LDAP server's name is not a resolvable, fully qualified DNS name, you may be able to enter the domain name. If using a Novell server, be sure the Server DNS Name exactly matches the name on the SSL certificate that will be uploaded to the server.

The Server IP Address that displays by default is the one that was entered in the LDAP Server IP field of the Create LDAP Domain dialog box.

• The DNS Domain Name should be the DNS name of the LDAP domain, such as Yahoo.com, and may need to be edited if the entire domain name does not display by default.

NOTES: If your LDAP server's name is not a resolvable, fully qualified DNS name, you may be able to enter the domain name. If using a Novell server, be sure the DNS Domain Name exactly matches the name on the SSL certificate that will be uploaded to the server.

• If necessary, the NETBIOS Domain Name can be entered.
• By default, 636 displays in the Server LDAPS Port field. By default, the value that was entered in the LDAP Server Port field of the Create LDAP Domain dialog box displays in the Server LDAP Port field.
200. r is determined by the order in which the groups are listed in the Group Priority list set by the global administrator. The user is assigned the profile for the group highest in the Group Priority list.

b. If a user has an individual profile set up, that profile supersedes all other profile levels for that user. The user can have only one individual profile in each domain.

7. An override account profile takes precedence over an authentication profile. This account may override the minimum filtering level, if the override account was set up in the master IP group tree and the global administrator allows override accounts to bypass the minimum filtering level, or if the override account was set up in the global group tree.

NOTE: An override account set up in the master IP group section of the R3000 console takes precedence over an override account set up in the global group section of the console.

8. A lock profile takes precedence over all filtering profiles. This profile is set up under Filter Options, by enabling the X Strikes Blocking feature.

Fig. 1-4 Sample filtering hierarchy diagram

Authentication Operation
201. r procedures, or the outcome of specified actions.

Terminology

The following terms are used throughout this user guide. Sample images (not to scale) are included for each item.

• alert box: a message box that opens in response to an entry you made in a dialog box, window, or screen. This box often contains a button (usually labeled "OK") for you to click in order to confirm or execute a command.
• button: an object in a dialog box, window, or screen that can be clicked with your mouse to execute a command.
• checkbox: a small square in a dialog box, window, or screen used for indicating whether or not you wish to select an option. This object allows you to toggle between two choices. By clicking in this box, a check mark or an "X" is placed, indicating that you selected the option. When this box is not checked, the option is not selected.
• control panel: the panel that displays at the left of a screen. This panel can contain links that can be clicked to open windows or dialog boxes at the right of the screen. One or more tree lists also can display in this panel. When an item in the tree list is double-clicked, the tree list opens to reveal items that can be selected.
202.
• tree: a tree displays in the control panel of a screen, and is comprised of a hierarchical list of items. An entity associated with a branch of the tree is preceded by a plus sign when the branch is collapsed. By double-clicking the item, a minus sign replaces the plus sign, and any entity within that branch of the tree displays. An item in the tree is selected by clicking it.
• window: a window displays on a screen, and can contain frames, fields, text boxes, list boxes, buttons, checkboxes, and radio buttons. A window for a topic or sub-topic displays in the right panel of the screen. Other types of windows include pop-up windows, login windows, or ones from the system such as the Save As or Choose file windows.

Filtering Elements

Filtering operati
203. ries to be made on a typical network.

System section

The first settings for authentication must be made in the System section of the Administrator console in the following windows: Operation Mode, LAN Settings, Enable/Disable Authentication, Authentication Settings, Authentication SSL Certificate (if Web-based authentication will be used), and Block Page Authentication.

1. Select Mode from the control panel, and then select Operation Mode from the pop-up menu.

The entries made in the Operation Mode window will vary depending on whether you will be using the invisible mode, or the router or firewall mode.

In the Listening Device frame, set the Listening Device to eth0.

In the Block Page Device frame:
• If using the invisible mode, select eth1.
• If using the router or firewall mode, select eth0.

2. Select Network from the control panel, and then select LAN Settings from the pop-up menu.

The entries made in this window will vary depending on whether you are using the invisible mode, or the router or firewall mode. The LAN 1 and LAN 2 IP addresses should usually be in a different subnet.
• If using the invisible mode: For the LAN1 IP (eth0) address, select 255.255.255.255 for the subnet mask.
• If using the router or firewall mode: Specify the appropriate I
204. Fig. 2-20 Common Customization window

By default, in the Details frame all elements are selected to display in the HTML pages, the Help link points to the FAQs page on 8e6's public site that explains why access was denied, and a sample email address is included for administrator contact information. These details can be modified as necessary.

Enable/Disable Features

1. Click O
205. roup member user logs off and back on the server. Refer to the R3000 User Guide for more information on the minimum filtering level.

Specify a group's filtering profile priority

1. Select the NT domain, and choose Set Group Priority from the pop-up menu to display the Set Group Priority window.

Fig. 3-6 Set Group Priority window

This window is used for designating which group profile will be assigned to a user when he/she logs in. If a user is a member of multiple groups, the one that is positioned highest in the list is applied.

NOTES: Groups automatically populate the Profile Group(s) list box if these groups have one or more identical users and were added to the tree list via the Select Groups/Members from Domain window. An entry for the Group Priority list is added to the end of the list when the group profile for that group is added to the R3000, and is removed automatically when you delete the profile.

2. To change the filtering priority of groups
206. rs

NOTE: The following Windows servers are supported by the current version of authentication: NT 4.0 SP4 or later, Mixed Mode 2000 and 2003. A Windows 2003 server may require changes to the default settings for SMB signing to allow communications.

The account that is provided for accessing the Windows server must have the administrative rights to add a machine account to the specified domain on the R3000. This requirement ensures the R3000 will be able to authenticate users from the Windows domain.

1. Enter the alphanumeric Name of Domain on which this server resides, using capital letters.
2. Using capital letters, enter up to 15 alphanumeric characters of the PDC NetBIOS Name, which is the computer name of the authentication server or Primary Domain Controller.
3. Enter the PDC IP Address, which is the authentication server's IP address.
4. Enter the Administrator Username and Administrator Password. This account, used for joining the domain, must have administrator privileges.
5. Click Join Domain to save your entries and to submit a request for the R3000 to join the domain.

TIP: If entries in the NT Authentication Server Details frame are modified after joining the domain, you must join the domain again.

NOTE: Click Save if you are only pre-configuring the box. This option lets you save credentials without re-entering the information each time the domain is joined, or if the R3000 gets out of sync with the Primary
207. rver, such as IP address entries.

In the NIC Device to Use for Authentication field:
• If using the invisible mode: Enter eth1 (Ethernet 1) as the device to send traffic on the network.
• If using the router or firewall mode: Enter eth0 (Ethernet 0).

Information should only be entered in the NT Authentication Server Details frame if the R3000 will use the NT Authentication method to authenticate users.

Select Authentication from the control panel, and then select Authentication SSL Certificate from the pop-up menu. This option should be used if Web-based authentication will be deployed on the R3000 server.

Using this option, you create either a self-signed certificate or a Certificate Request (CSR) for use by the Secure Sockets Layer (SSL). The certificate should be placed on client machines so that these machines will recognize the R3000 as a valid server with which they can communicate.

Select Control from the control panel, and then select Block Page Authentication from the pop-up menu.

In the Block Page Authentication window, select the Re-authentication Options to be used. The items you select will be listed as options for re-authentication on the Options page, accessible from the standard block page. If the "Re-authentication" (NET USE) option is selected, enter the login script path to be used by the R3000 for re-authentication purposes.
208. ry for this step of the Wizard is optional. If there are destination IP address(es) to be ignored, enter the IP address and specify the Netmask, or enter the Individual IP address.

8. Click Next to go to Step 5 of the Wizard.

Fig. 5-29 Range to Detect Setup Wizard, Step 5

9. An entry for this step of the Wizard is optional. If there are ports to be excluded from filtering, enter each port number in the Individual Port field, and click Add.

10. Click Next to go to the final step of the Wizard.
209. s

R3000 Authentication Protocols

The R3000 supports two types of authentication protocols: Windows NT LAN Manager (NTLM), and Lightweight Directory Access Protocol (LDAP).
• NTLM authentication supports NTLM authentication running on any of the following servers: Windows NT 4.0, Windows 2000 Mixed Mode, and Windows 2003 Mixed Mode.
• LDAP authentication supports all versions of LDAP, such as Microsoft Active Directory, Novell eDirectory, Sun ONE, and OpenLDAP.

R3000 Authentication Tiers

The R3000 authentication architecture for NTLM and LDAP authentication protocols is comprised of three tiers. When using NT and/or LDAP authentication with the R3000, one of these three tiers is selected for use on the network, depending on the server(s) used on the network and the preferred authentication method(s) to be employed.
• Tier 1: Single sign-on, net use based authentication for NT or Active Directory domains.
• Tier 2: Time-based, Web authentication for NT and LDAP authentication methods.
• Tier 3: Session-based, Web authentication for NT or LDAP authentication method.

When using Tier 2 or Tier 3, the 8e6 Authenticator should be enabled to ensure the end user is authenticated when logging into his/her workstation. Or, if using a Novell eDirectory server, the Novell eDirectory Agent can be used inst
210. s filtering profile priority
Manually add a user's name to the tree
Manually add a group's name to the tree
Upload a file of filtering profiles to the tree
Create, Maintain LDAP Profiles
Add an LDAP group, member to the tree
Add or maintain an entity's profile
Category Profile
Redirect URL
Filter Options
Remove an entity's profile from the tree
CHAPTER 5: AUTHENTICATION DEPLOYMENT
Test Authentication Settings
Test Web-based authentication settings
Step 1: Create an IP Group, "test"
Step 2: Create a Sub-Group, "workstation"
Step 3: Set up "test" with a 32-bit net mask
Step 4: Give "workstation" a 32-bit net mask
Step 5: Block everything for the Sub-Group
Step 6: Use Authentication Request Page for redirect URL
Step 7: Disable filter options
211. s material set up to be blocked. Various filter options can be enabled.

NT/LDAP Group Filtering Profile

An NT or LDAP group filtering profile is created by the global administrator. This profile can be customized to allow/deny group users access to URLs, to redirect users to another URL instead of having the standard block page display, and to specify usage of appropriate filter options. If users belong to more than one group, all groups to which they belong must be ranked to determine the priority each filtering profile takes over another.

NT/LDAP Member Filtering Profile

An NT or LDAP member filtering profile is created by the global administrator. This profile can be customized to allow/deny a user access to URLs, to redirect the user to another URL instead of the standard block page, and to specify usage of appropriate filter options.

Override Account Profile

If any user needs access to a specified URL that is set up to be blocked, the global administrator or group administrator can create an override account for that user. This account grants the user access to areas set up to be blocked on the Internet.

Time Profile

A time profile is a customized filtering profile set up to be effective at a specified time period for designated users.

Lock Profile

This filtering profile blocks the end user from Internet
212. s or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

Part R3 10_AUG_v1 01 0612

CONTENTS

CHAPTER 1: INTRODUCTION
About this User Guide
How to Use this User Guide
Conventions
Terminology
Filtering Elements
Group Types
Global Group
IP Groups
NT Domain Groups
LDAP Domain Groups
Filtering Profile Types
Static Filtering Profiles
Master IP Group Filtering Profile
IP Sub-Group Filtering Profile
Individual IP Member Filtering Profile
Active Filtering Profiles
Global Filtering Profile
213. s to open the Internet Options dialog box.

2. Click the Privacy tab.

Fig. F-7 Enable pop-up blocking

3. In the Pop-up Blocker frame, check "Block pop-ups".
4. Click Apply and then click OK to close the dialog box.

Use the IE toolbar

In the IE browser, go to the toolbar and select Tools > Pop-up Blocker > Turn On Pop-up Blocker.
214. Fig. D-8 Group Policy Object Editor window, Security Options

Scroll down and find "Microsoft network client: Digitally sign communications (always)".

9. Right-click this item to open the pop-up menu, and select Properties to open the dialog box with the Security Policy Setting tab.
215. st Form.

By default, the following data displays in the frame:
• Username field: The username displays.
• Password field: The user's IP address displays.
• Domain field: All LDAP domain names set up on the R3000 display in the pull-down menu.
• Alias field (optional): All alias names associated with the LDAP domain specified in the field above display in the pull-down menu, if the account names were entered for that LDAP domain.

By default, the following standard links are included in the Authentication Request Form:
• HELP: Clicking this link takes the user to 8e6's Technical Support page that explains why access to the site or service may have been denied.
• 8e6 Technologies: Clicking this link takes the user to 8e6's Web site.

2. Click the "X" in the upper right corner of the window to close the sample Authentication Request Form.

TIP: If necessary, make edits in the Authentication Form Customization window or the Common Customization window, and then click Preview in this window again to view a sample Authentication Request Form.

Block Page Customization

To customize the block page, click Customization and select Block P
216. sub-group and individual IP members, override account and time profiles, and maintains filtering profiles of all members in the master IP group.

Fig. 1-1 IP diagram with a sample master IP group and its members

NT Domain Groups

An NT domain on a network server is comprised of Windows NT groups and their associated members (users), derived from profiles on the network's domain controller.

The NT group type is represented in the tree by the NT icon. This branch will only display if authentication is enabled. Using the tree menu, the global administrator adds and maintains NT domains, and profiles of NT groups and members within the domain. Filtering profiles can be created for a specified group or user. If users belong to more than one group, the global administrator sets the priority for group filtering.

Fig. 1-2 NT domain diagram with sample groups and members

LDAP Domain Groups

An LDAP (Lightweight Directory Access
217. sword in the Password and Confirm Password fields.

2. Click Next to go to the SSL tab.

SSL Settings

SSL settings should be made if your network requires a secure connection from the R3000 to the LDAP server.

Fig. 4-7 Domain Details window, SSL tab

NOTE: See Appendix E: Obtain or Export an SSL Certificate for information on how to obtain a Sun ONE server's SSL certificate, or how to export an Active Directory or Novell server's SSL certificate to your desktop and then upload it to the R3000.

1. If applicable, click in the "Enable Secure LDAP over SSL" checkbox
218. [Fig. 5-19: Global Group Profile window, Port tab] a. In the Port page, enter the Port number to be blocked. b. Click Add to include the port number in the Block Port(s) list box. c. After entering all port numbers to be blocked, click Apply. 4. Click the Default Redirect URL tab to display the Default Redirect URL page. [Fig. 5-20: Global Group Profile window, Default Redirect URL tab] a. Select Default Block Page. b. Click Apply. 5. Click the Filter Options tab to display the Filter Optio
219. te this process. Step 2: Modify the Global Group Profile. 1. Click Global Group in the tree to open the pop-up menu. 2. Select Global Group Profile to display the Category tab of the Profile window. [Fig. 5-34: Global Group Profile window, Category tab] a. Block all categories and specify that uncategorized sites should be blocked. b. Click Apply. 3. Click the Port tab to display the Port page.
220. tered in the Submission Email Address field in the Common Customization window. Clicking this link launches the user's default email client. In the composition window, the email address from the Submission Email Address field populates the To field. The user's message is submitted to the global administrator. Options page: The Options page displays when the user clicks the following link in the block page: "For further options, click here." [Fig. 2-17: Options page. On-screen text: "Option 1: Click here for secure Web-based authentication. Option 2: If the above profile is incorrect or there has been an error, you can re-start your system and re-login, or try re-authenticating your user profile. Option 3: If you have an override account, enter your username and password. Warning: The override account option will not function if anti-popup software is installed on your system."] The following items previous
221. tering profile and the minimum filtering level. When setting up the range of IP addresses/netmasks to be detected, service ports can be set up to be open (ignored). When creating the global filtering profile and the minimum filtering level, service ports can be set up to be blocked or filtered. Examples of service ports that can be set up include File Transfer Protocol (FTP), Hyper Text Transfer Protocol (HTTP), Network News Transfer Protocol (NNTP), Secured HTTP Transmission (HTTPS), and Secure Shell (SSH). Rules: A rule is comprised of library categories to block, leave open, or include in a white list. Each rule that is created by the global administrator is assigned a number. A rule is selected when creating a filtering profile for an entity. Minimum Filtering Level: The minimum filtering level consists of library categories set up at the global level to be blocked or opened, and service ports set up to be blocked or filtered. If the minimum filtering level is created, it applies to all users in IP, NT, and LDAP groups, and takes precedence over filtering settings made for group and member filtering profiles. The minimum filtering level does not apply to any user who does not belong to a group, and to groups that do not have a filtering profile established. NOTE: If the minimum filtering level is not set up
222. [Fig. 5-32: Sub Group Profile window, Redirect URL tab] 6. Select Default Block Page and then click Apply. 7. Click the Filter Options tab to display the Filter Options page. [Fig. 5-33: Sub Group Profile window, Filter Options tab] 8. Select filter options to be enabled and click Apply. As a result of these entries, the machine will not be served the Authentication Request Form, and will use the default block page instead. Go on to Step 2 to comple
223. ting a rule, or when setting up a filtering profile or the minimum filtering level. If an item is given an open (pass) setting, users will have access to it. APPENDIX G: GLOSSARY. organizational unit (ou): An attribute type that can be entered in the LDAP Distinguished Name for a user group. override account: An account created by the global group administrator or the group administrator to give an authorized user the ability to access Internet content blocked at the global level or the group level. PDC: A Primary Domain Controller functions as the authentication server on a Windows NT domain. This server maintains the master copy of the directory database used for validating users. profile string: The string of characters that define a filtering profile. A profile string can consist of the following components: category codes, service port numbers, and redirect URL. protocol: A type of format for transmitting data between two devices. LDAP and SMB are types of authentication method protocols. proxy server: An appliance or software that accesses the Internet for the user's client PC. When a client PC submits a request for a Web page, the proxy server accesses the page from the Internet and sends it to the client. A proxy server may be used for security reasons or in conjunction with caching for bandwidth and performance reasons. router mode: An R
224. [Fig. 2-9: Third Party Certificate tab] NOTE: If a third party certificate has not yet been created, the Create CSR button is the only button activated on this tab. 2. Click Create CSR to open the Create CSR pop-up window. [Fig. 2-10: Create CSR pop-up window] The Common Name (Host Name) field should automatically be populated with the host name. This field can be edited, if necessary. 3. Enter your Email Address. 4. Enter the name of your Organization, such as 8e6 Technologies. 5. Enter an Organizational Unit code set up on your server, such as Corp. 6. Enter Locality information, such as the name of your city or principality. 7. Enter the State or Province name in its entirety, such as California. 8. E
225. tory setup. The eDirectory Agent uses the LDAP eDirectory domain configuration setup in the R3000 Administrator console. The eDirectory Agent receives notification from the eDirectory server regarding logon and logoff events by end users. The Novell client must be installed on each end user's workstation in order to handle logons to the eDirectory network. In this setup, the Novell client replaces the Windows logon application. R3000 setup and event logs: When using a Novell eDirectory server and choosing to use the Novell eDirectory Agent option in the R3000: • Enable Novell eDirectory Agent in the Enable/Disable Authentication window. NOTES: If using an SSO authentication solution, Tier 2 or Tier 3 should be selected as a fallback authentication operation. When choosing the Novell eDirectory Agent option, the 8e6 Authenticator option must be disabled. If applicable, a back-up server can be specified in the LDAP domain setup wizard in the event of a connection failure to the primary Novell eDirectory server. Email alerts are sent to the administrator in such events. NOTE: Back-up server settings are made in the Default Rule tab of the LDAP Domain Details window, described in Chapter 4: LDAP Authentication Setup. • Once the Novell eDirectory Agent option is set up, the View Log File window
226. try does not need to match the NetBIOS name. 5. Click Apply to add the domain to the tree. This action takes you directly to the LDAP domain window (see View, modify, enter LDAP domain details). Refresh the LDAP branch: Click LDAP in the control panel to open the pop-up menu, and select Refresh whenever changes have been made in this branch of the tree. View, modify, enter LDAP domain details: Double-click LDAP in the control panel to open the LDAP branch of the Group tree. Select the LDAP domain you added, and choose Domain Details from the pop-up menu to display the default Type tab of the LDAP Domain Details window. [Fig. 4-2: Domain Details window, Type tab. LDAP Server Type options shown: Microsoft Active Directory Mixed Mode; Microsoft Active Directory Native Mode; Sun One, Sun IPlanet or Netscape Directory Server; Novell eDirectory; Other.]
227. ttempt to access a site or service set up to be blocked. 1. Specify the type of redirect URL to be used: Default Block Page, or Custom URL. If Custom URL is selected, enter the redirect URL in the corresponding text box. Users will be redirected to the designated page at this URL instead of the block page. 2. Click Apply to apply your settings. Filter Options: Click the Filter Options tab to display the Filter Options page of the Profile window. [Fig. 3-14: Group Profile window, Filter Options tab] Filter Options is used for specifying which filter option(s) will be applied to the entity's filtering profile. 1. Click the checkbox(es) corresponding to the option(s) to be ap
228. ttings folder to display the Windows Settings contents in the right panel. [Fig. D-5: Group Policy Object Editor window, Windows Settings] 6. Choose Security Settings to display the contents of this folder in the right panel.
229. uld be used if Web-based authentication will be deployed on the R3000 server. Using this feature, a Secured Sockets Layer (SSL) self-signed certificate is created and placed on client machines so that the R3000 will be recognized as a valid server with which they can communicate. Click Authentication and select Authentication SSL Certificate from the pop-up menu to display the Authentication SSL Certificate window. [Screenshot: Authentication SSL Certificate window, Self Signed Certificate tab. On-screen text: "The R3000 uses a SSL certificate to secure its communications with clients for Web-based Authentication. After creating a self-signed certificate or a Certificate Request (CSR), the DNS name of the R3000 should not be changed. If the DNS name changes, a new certificate must be created and possibly added to each client workstation's trusted certificate list."]
230. ule tab. NOTE: If using Novell eDirectory, see Default Rule for Novell eDirectory. The tab is comprised of the following components that can be modified: • By default, Rule0 is the default rule. This rule can be changed by making another selection from the pull-down menu. • To specify the type of redirect URL to be used for users who do not have a filtering profile, click the radio button corresponding to Default Block Page or Custom URL. If Custom URL is selected, enter the redirect URL in the text box. • Click the checkbox(es) corresponding to the option(s) to be applied to the filtering profile: X Strikes Blocking, Google/Yahoo Safe Search Enforcement, Search Engine Keyword Filter Control, URL Keyword Filter Control. If URL Keyword Filter Control is selected, the Extend URL Keyword Filter Control option can be selected. After all entries have been made in the tabs, click Activate to activate the domain. NOTE: To enter profile information for LDAP groups and users, see Create, Maintain LDAP Profiles. Default Rule for Novell eDirectory: If Novell eDirectory was selected for the LDAP Server Type an
231. up List Format and Rules. APPENDIX B: Ports for Authentication System Access. APPENDIX C: LDAP Server Customizations; OpenLDAP Server Scenario; Not all users returned in User Group Browser. APPENDIX D: Disable SMB Signing Requirements; SMB Signing Compatibility; Disable SMB Signing Requirements in Windows 2003. APPENDIX E: Obtain or Export an SSL Certificate; Export an Active Directory SSL Certificate; Verify certificate authority has been installed; Locate Certificates folder; Export the master certificate for the domain; Export a Novell SSL Certificate; Obtain a Sun ONE SSL Certificate. APPENDIX F
232. ups/users to the tree. Before you can create filtering profiles for groups and/or members in a domain, you must first add the groups and/or members to the tree list for that domain. [Fig. 4-16: LDAP User Group Browser window] Select the LDAP domain, and choose Select Group/Member from Domain from the pop-up menu to display the LDAP User Group Browser window (see Figure 4-12). This window is used for retrieving the names of groups or users from an LDAP domain so that a filtering profile can be assigned. NOTE: See A
233. utton in the Members column is used for either querying the list of groups in which a user is a member, or the list of users who are members of a Group Record. To select or deselect all items in the grid, click Mark/Unmark All. To select or deselect all highlighted items in the grid, click Mark/Unmark Selected. This feature works only if items are first selected in the grid by clicking on them. Multiple items are selected by clicking one item, and then pressing the Ctrl key on your keyboard and clicking another item. A block of multiple items is selected by clicking the first item in the block, then pressing the Shift key on your keyboard, and then clicking the last item in the block. Apply a filtering rule to a profile: To apply a filtering rule to an entity in the grid: 1. Go to the Mark column and click the checkbox for that entity. 2. Select a filtering rule from the drop-down menu. 3. Click Add Rule to display the selected Rule number in the Profile column. When the LDAP branch of the tree is refreshed, all entities with rules applied to them appear in the tree. Delete a rule: To delete a rule from a profile, the entity must currently display in the grid and have a rule assigned to the profile. 1. Click the Mark checkbox for the entity. 2. Click Delete Rule to
234. will need to be reactivated. • By default, all items are selected for inclusion in the alias list, as indicated by a check mark in the Alias Enabled checkbox. To deselect an item, click the checkbox to remove the check mark. • To select or deselect all items in the list, click the Enable/Disable All button. This button lets you toggle between these two operations. Click Next to go to the Default Rule tab. Default Rule: The Default Rule applies to any authenticated user in the LDAP domain who does not have a filtering profile. [Fig. 4-11: Domain Details window, Default R
235. [Fig. 5-25: Range to Detect Setup Wizard, Step 1 (Source IPs to Detect)] 1. Enter the IP address and specify the Netmask, or enter the Individual IP address of the source IP address(es) to be filtered. 2. Click Next to go to Step 2 of the Wizard. [Fig. 5-26: Range to Detect Setup Wizard, Step 2 (Destination IPs to Include for Detection)] 3. An entry for this step of the Wizard is optional. If there are destination IP address(es) to be filtered, enter the IP address and specify the Netmask, or enter the Individual IP address. 4. Click Next to go to Step 3 of the Wizard.
236. [Fig. 5-30: Range to Detect Setup Wizard, Step 6 (Recap)] 11. After reviewing the contents in all list boxes, click Finish to accept all your entries. As a result of these entries, the IP address(es) specified to be excluded will not be logged or filtered on the network. Bypass Step 1B and go on to Step 2 to complete this process. Step 1B: Block Web access via IP Sub-Group profile. NOTE: This step assumes that the IP Group and Sub-Group have already been created. 1. Select the IP Sub-Group from the tree. 2. Click Sub Group Profile in the pop-up menu to display the Sub Group Profile window.
