Webwasher 6.7.2 System Configuration Guide - McAfee
SYSTEM CONFIGURATION GUIDE Webwasher Web Gateway Security Version 6.7.2
Part Number: 86-0948728-A<br />
All Rights Reserved, Published and Printed in Germany<br />
©2008 Secure Computing Corporation. This document may not, in whole or in part, be copied, photocopied,<br />
reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent<br />
in writing from Secure Computing Corporation. Every effort has been made to ensure the accuracy of this<br />
manual. However, Secure Computing Corporation makes no warranties with respect to this documentation<br />
and disclaims any implied warranties of merchantability and fitness for a particular purpose. Secure Computing<br />
Corporation shall not be liable for any error or for incidental or consequential damages in connection with<br />
the furnishing, performance, or use of this manual or the examples herein. The information in this document<br />
is subject to change without notice. Webwasher, MethodMix, AV PreScan, Live Reporting, Content Reporter,<br />
ContentReporter, Real-Time Classifier are all trademarks or registered trademarks of Secure Computing Corporation<br />
in Germany and/or other countries. Microsoft, Windows NT, Windows 2000 are registered trademarks<br />
of Microsoft Corporation in the United States and/or other countries. McAfee is a business unit of Network<br />
Associates, Inc. CheckPoint, OPSEC, and FireWall-1 are trademarks or registered trademarks of CheckPoint<br />
Software Technologies Ltd. or its affiliates. Sun and Solaris are trademarks or registered trademarks of Sun<br />
Microsystems, Inc. in the United States and other countries. Squid is copyrighted by the University of California,<br />
San Diego. Squid uses some code developed by others. Squid is Free Software, licensed under the terms<br />
of the GNU General Public License. The Mozilla SpiderMonkey and NSPR libraries distributed with Webwasher<br />
are built from the original Mozilla source code, without modifications (MPL section 1.9). The source code is<br />
available under the terms of the Mozilla Public License, Version 1.1. NetCache is a registered trademark of<br />
Network Appliances, Inc. in the United States and other countries. Linux is a registered trademark of Linus<br />
Torvalds. Other product names mentioned in this guide may be trademarks or registered trademarks of their<br />
respective companies and are the sole property of their respective manufacturers.<br />
Secure Computing Corporation<br />
Webwasher – A Secure Computing Brand<br />
Vattmannstrasse 3, 33100 Paderborn, Germany<br />
Phone: +49 5251 8717 000<br />
Fax: +49 5251 8717 311<br />
info@webwasher.com<br />
www.webwasher.com<br />
www.securecomputing.com<br />
European Hotline<br />
Phone: +49 5251 8717 660<br />
US Hotline<br />
Phone: +1 800 700 8328, +1 651 628 1500
Contents<br />
Chapter 1 Introduction ..... 1–1<br />
1.1 About This Guide ..... 1–2<br />
1.2 What Else Will You Find in This Introduction? ..... 1–2<br />
1.3 Using Webwasher ..... 1–3<br />
1.3.1 First Level Tabs ..... 1–4<br />
1.3.2 Configuring a Sample Setting ..... 1–5<br />
1.3.3 General Features of the Web Interface ..... 1–7<br />
1.4 Other Documents ..... 1–11<br />
1.4.1 Documentation on Main Products ..... 1–12<br />
1.4.2 Documentation on Special Products ..... 1–13<br />
1.5 The Webwasher Web Gateway Security Products ..... 1–14<br />
Chapter 2 User Management ..... 2–1<br />
2.1 Overview ..... 2–2<br />
2.2 Administrators ..... 2–2<br />
2.2.1 Accounts ..... 2–3<br />
2.2.2 LDAP/Radius Authentication ..... 2–8<br />
2.2.3 Role Definition ..... 2–10<br />
2.3 Policy Management ..... 2–15<br />
2.3.1 Concept ..... 2–16<br />
2.3.2 Management ..... 2–18<br />
2.3.3 Web Mapping ..... 2–20<br />
2.3.4 E-Mail Mapping ..... 2–25<br />
2.4 User Database ..... 2–27<br />
2.4.1 User Database ..... 2–28<br />
2.4.2 Import ..... 2–31<br />
2.4.3 LDAP Synchronization ..... 2–35<br />
2.4.4 Backup & Restore ..... 2–41<br />
2.5 Authentication Server ..... 2–42<br />
2.5.1 Authentication Server ..... 2–43<br />
2.6 Windows Domain Membership ..... 2–55<br />
2.6.1 Windows Domain Membership ..... 2–55<br />
2.6.2 NTLM Authentication Test ..... 2–60<br />
2.7 Languages ..... 2–62<br />
2.7.1 Languages ..... 2–63<br />
2.7.2 Import Language Pack ..... 2–69<br />
Chapter 3 Reporting ..... 3–1<br />
3.1 Overview ..... 3–2<br />
3.2 View Live Reports (For Policy) ..... 3–2<br />
3.2.1 View Live Reports ..... 3–3<br />
3.3 Log File Management ..... 3–6<br />
3.3.1 Activate Log Files ..... 3–7<br />
3.3.2 Auto-Rotation ..... 3–10<br />
3.3.3 Auto-Deletion ..... 3–13<br />
3.3.4 Auto-Pushing ..... 3–16<br />
3.3.5 Content Reporter ..... 3–21<br />
3.3.6 Configuring Log File Processing for SmartReporter ..... 3–22<br />
3.4 View Log Files ..... 3–28<br />
3.4.1 View Log Files ..... 3–28<br />
3.5 Live Report Management ..... 3–31<br />
3.5.1 Report Activation ..... 3–32<br />
3.5.2 Load Reports ..... 3–38<br />
3.5.3 Anonymization ..... 3–40<br />
3.6 View Live Reports (Overall Reporting) ..... 3–41<br />
3.6.1 View Live Reports ..... 3–42<br />
3.6.2 View Load ..... 3–45<br />
3.6.3 System Statistics ..... 3–46<br />
3.7 4-Eyes-Principle ..... 3–47<br />
3.7.1 4-Eyes-Principle ..... 3–48<br />
3.8 Deanonymization ..... 3–49<br />
3.8.1 Deanonymization ..... 3–49<br />
Chapter 4 Caching ..... 4–1<br />
4.1 Overview ..... 4–2<br />
4.2 Quick Snapshot ..... 4–2<br />
4.2.1 Quick Snapshot ..... 4–4<br />
4.3 HTTP Caching ..... 4–5<br />
4.3.1 HTTP Caching ..... 4–6<br />
4.3.2 Cachable Objects List ..... 4–8<br />
4.4 Cache Settings ..... 4–12<br />
4.4.1 Cache Settings ..... 4–12<br />
4.4.2 Cache Rules ..... 4–14<br />
4.5 Flush Cache ..... 4–17<br />
4.5.1 Flush Cache ..... 4–18<br />
Chapter 5 Proxies ..... 5–1<br />
5.1 Overview ..... 5–2<br />
5.2 HTTP Proxy ..... 5–3<br />
5.2.1 Settings ..... 5–4<br />
5.2.2 Next Hop Proxies ..... 5–13<br />
5.2.3 Authentication ..... 5–21<br />
5.2.4 ICAP Services ..... 5–40<br />
5.2.5 Transparent Setup ..... 5–47<br />
5.3 HTTPS Proxy ..... 5–52<br />
5.3.1 Settings ..... 5–53<br />
5.3.2 Next Hop Proxies ..... 5–60<br />
5.3.3 Authentication ..... 5–69<br />
5.3.4 ICAP Services ..... 5–74<br />
5.4 FTP Proxy ..... 5–76<br />
5.4.1 Settings ..... 5–77<br />
5.4.2 Next Hop Proxies ..... 5–83<br />
5.4.3 Authentication ..... 5–91<br />
5.4.4 ICAP Services ..... 5–95<br />
5.5 E-Mail Gateway ..... 5–98<br />
5.5.1 Gateway Settings ..... 5–99<br />
5.5.2 ICAP Services ..... 5–104<br />
5.5.3 Notifications ..... 5–106<br />
5.5.4 ESMTP Extensions ..... 5–109<br />
5.6 Delivery Options ..... 5–113<br />
5.6.1 Delivery Options ..... 5–114<br />
5.6.2 Routing Rules ..... 5–117<br />
5.6.3 Secure Mail Delivery List ..... 5–123<br />
5.7 Queue Configuration ..... 5–126<br />
5.7.1 Queue Configuration ..... 5–126<br />
5.8 Relay Protection ..... 5–128<br />
5.8.1 Allowed Domains ..... 5–129<br />
5.8.2 IP Networks ..... 5–132<br />
5.8.3 Recipient LDAP Check ..... 5–135<br />
5.9 Exception Lists ..... 5–138<br />
5.9.1 IP White List ..... 5–138<br />
5.9.2 IP Black List ..... 5–141<br />
5.9.3 Client Domain Black List ..... 5–143<br />
5.9.4 Sender Black List ..... 5–146<br />
5.9.5 Recipient Black List ..... 5–149<br />
5.9.6 TrustedSource ..... 5–152<br />
5.10 Load Limits ..... 5–154<br />
5.10.1 Load Limits ..... 5–154<br />
5.11 POP3 Access ..... 5–160<br />
5.11.1 POP3 Access ..... 5–160<br />
5.12 ICAP(S) Server ..... 5–162<br />
5.12.1 ICAP(S) Server ..... 5–163<br />
5.12.2 Server Settings ..... 5–166<br />
5.12.3 REQMOD Settings ..... 5–172<br />
5.12.4 RESPMOD Settings ..... 5–178<br />
5.13 Progress Indication Methods ..... 5–181<br />
5.13.1 Progress Indication Methods ..... 5–181<br />
5.14 Own Host Name ..... 5–186<br />
5.14.1 Own Host Name ..... 5–186<br />
5.15 IFP ..... 5–190<br />
5.15.1 Settings ..... 5–191<br />
5.15.2 ICAP Services ..... 5–193<br />
5.16 WCCP ..... 5–195<br />
5.16.1 WCCP ..... 5–196<br />
Chapter 6 Configuration ..... 6–1<br />
6.1 Overview ..... 6–2<br />
6.2 Update Manager ..... 6–3<br />
6.2.1 General Options ..... 6–4<br />
6.2.2 URL Filter ..... 6–14<br />
6.2.3 AV Engine ..... 6–19<br />
6.2.4 Spam Filter ..... 6–23<br />
6.2.5 Proactive Scanning ..... 6–26<br />
6.2.6 CRLs ..... 6–29<br />
6.3 Central Management ..... 6–31<br />
6.3.1 Node Settings ..... 6–32<br />
6.3.2 Master Settings ..... 6–40<br />
6.3.3 Site Settings ..... 6–43<br />
6.4 Appliance ..... 6–47<br />
6.4.1 General ..... 6–48<br />
6.4.2 Interfaces ..... 6–50<br />
6.4.3 Routes ..... 6–52<br />
6.4.4 Time and Date ..... 6–54<br />
6.4.5 Reboot/Shutdown ..... 6–57<br />
6.4.6 Update ..... 6–58<br />
6.4.7 High Availability ..... 6–62<br />
6.5 Web Interfaces ..... 6–71<br />
6.5.1 Ports ..... 6–72<br />
6.5.2 Sessions ..... 6–79<br />
6.5.3 Dashboard / Quick Snapshots ..... 6–81<br />
6.6 Secure Administration Shell ..... 6–83<br />
6.6.1 General Settings ..... 6–84<br />
6.7 SNMP Interface ..... 6–89<br />
6.7.1 Agent ..... 6–90<br />
6.7.2 Communities ..... 6–94<br />
6.7.3 SNMPv3 Users ..... 6–98<br />
6.7.4 Trap Sinks ..... 6–101<br />
6.7.5 MIB Browser ..... 6–103<br />
6.8 Global Command Center ..... 6–106<br />
6.8.1 Global Command Center ..... 6–107<br />
6.9 Certificate Management ..... 6–110<br />
6.9.1 Webwasher Root CA ..... 6–111<br />
6.9.2 Private Key Handling ..... 6–114<br />
6.9.3 Known Certificate Authorities ..... 6–118<br />
6.9.4 Client Certificates ..... 6–122<br />
6.10 DNS Cache ..... 6–123<br />
6.10.1 DNS Cache ..... 6–124<br />
6.11 Backup & Restore ..... 6–125<br />
6.11.1 Configuration ..... 6–126<br />
6.11.2 Error Files ..... 6–128<br />
6.11.3 Share Folder ..... 6–130<br />
6.11.4 Proxy PAC ..... 6–131<br />
6.12 Action Editor ..... 6–133<br />
6.12.1 Action Editor ..... 6–134<br />
6.12.2 Notifications ..... 6–137<br />
6.12.3 Action Definition ..... 6–139<br />
6.13 Wizards ..... 6–145<br />
6.13.1 Reporting Configuration ..... 6–146<br />
6.13.2 Spam Filter Setup ..... 6–147<br />
6.13.3 LDAP Configuration ..... 6–148<br />
6.14 Debugging ..... 6–149<br />
6.14.1 Debugging ..... 6–149<br />
6.14.2 Tracing ..... 6–152<br />
6.14.3 Adjust Filter List ..... 6–153<br />
6.14.4 Analyse Object Filtering ..... 6–156<br />
6.14.5 E-Mail Troubleshooting ..... 6–158
Chapter 1 Introduction<br />
Welcome to the Webwasher® System Configuration Guide. It provides you<br />
with information about how to configure Webwasher features that do not belong<br />
to particular filters, but need to be set in order to run Webwasher as a whole.<br />
Configuring Webwasher to run as a proxy server or as an e-mail gateway are<br />
topics that are dealt with in this guide, as well as user management, reporting<br />
features and update procedures.
1.1 About This Guide<br />
The following overview lists the chapters of this guide and explains briefly what<br />
they are about:<br />
System Configuration Guide – Webwasher Web Gateway Security<br />
Introduction – Provides introductory information.<br />
User Management – Describes the features that are configured with regard to the users<br />
working with Webwasher.<br />
Reporting – Describes the reporting features provided by Webwasher.<br />
Caching – Describes the caching features provided by Webwasher.<br />
Proxies – Describes how to set up Webwasher for running as a proxy server,<br />
as an e-mail gateway and for communicating with the ICAP server<br />
or using the IFP protocol.<br />
Configuration – Describes other system configuration features, e.g. the<br />
update manager or the action editor.<br />
1.2 What Else Will You Find in This Introduction?<br />
In addition to the overview that was given in the previous section, this introduction<br />
also:<br />
• Explains how to handle the Web interface that is provided for using Webwasher,<br />
see 1.3.<br />
• Informs you about the other documents that are provided for users of Webwasher,<br />
see 1.4.<br />
• Provides a list of the Webwasher Web Gateway Security products and<br />
gives a brief description for each of them, see 1.5.
1.3 Using Webwasher<br />
A user-friendly, task-oriented Web interface has been designed for handling<br />
the Webwasher features. It looks like this:<br />
The following sections provide some information to make you familiar with this<br />
interface. These sections:<br />
• List the first level tabs of this interface and explain their meanings, see<br />
1.3.1.<br />
• Describe a sample procedure showing how a setting is configured for a<br />
Webwasher feature, see 1.3.2.<br />
• Explain more about the general features of this interface, see 1.3.3.
1.3.1 First Level Tabs<br />
The Web interface displays a number of tabs and sections for configuring the<br />
features provided by Webwasher. On the topmost level, there are these eleven<br />
tabs:<br />
• Home, Common, URL Filter, Anti Malware, Anti Spam, SSL Scanner, User<br />
Management, Reporting, Caching, Proxies, and Configuration<br />
Only the tabs mentioned in the following are described in this guide.<br />
User Management, Reporting, Caching, Proxies, Configuration –<br />
These are tabs for configuring features that adapt Webwasher to the system<br />
environment it is running in.<br />
Note that the Caching tab and feature are only available with appliance versions<br />
of Webwasher.<br />
The following tabs are not described in this document:<br />
Home, Common – These tabs are for configuring basic and other features<br />
that are used by each of the Webwasher products, e.g. system alerts, licensing<br />
features, media type filters, etc.<br />
They are described in each of the User’s Guides.<br />
URL Filter, Anti Malware, Anti Spam, SSL Scanner – These tabs are<br />
for configuring the features of the individual Webwasher products. Note that<br />
the Anti Malware tab is used for both the Webwasher Anti-Malware and the<br />
Webwasher Anti-Virus product.<br />
For a description of these tabs, see the corresponding User’s Guides.
1.3.2 Configuring a Sample Setting

This section explains how to configure a sample setting of a Webwasher feature. The feature chosen here for explanation is Timeout Prevention.

In order to avoid timeouts on the connections to its clients, Webwasher can send data lines at certain intervals. For this sample setting, just suppose you want to enable this feature for HTTP connections and send an empty line every 15 seconds.

The following overview shows the main steps you need to complete in order to configure the feature in this way:

Configuring Timeout Prevention – Overview
Step 1: Navigate to the section.
Step 2: Configure settings.
Step 3: Make settings effective.

In more detail, these steps include the following activities:

1. Navigate to the section
   a. Select the Proxies tab.
   b. In the navigation area on the left, select HTTP Proxy, which is located under Web Proxies.
   c. From the tabs provided for configuring the HTTP Proxy options, select the Settings tab. The Timeout Prevention section is located on this tab.

2. Configure settings
   a. Enable the feature. To do this, mark the checkbox next to the section heading.
   b. Enter 15 in the input field labeled Webwasher should send every ... seconds.
   c. Check the radio button labeled an empty line.
   Note: To get help information on these settings, click on the question mark in the top right corner of the section.
   The section should now look like this:

3. Make settings effective
   Click on the Apply Changes button.

This completes the sample configuration.
1.3.3 General Features of the Web Interface

This section explains more about the features that are provided in the Web interface for solving general tasks, e.g. applying changes to the Webwasher settings or searching for a term on the tabs of the interface.

The following features are explained here:
• Apply Changes
• Click History
• Information Update
• Logout
• Main Feature Enabling
• Search
• Session Length
• System Information

Apply Changes

After modifying the settings in one or more of the sections on a tab, you need to click on the Apply Changes button to make your modifications effective. The Apply Changes button is located in the top right corner of the Web interface area.

When modifying settings that belong only to a particular filtering policy, you can nevertheless make the modified settings apply to all policies. An arrow is displayed next to the Apply Changes button on each tab where policy-dependent settings can be configured. Clicking on this arrow will display a button, which you can use to apply changes to all policies. After clicking on this button, your modifications will be valid for the settings of all policies.

When you are attempting to leave a tab after modifying its settings, but without clicking on Apply Changes, an alert is displayed to remind you to save your changes. Answer the alert by clicking Yes or No according to what you intend to do about your changes. This will take you to the tab you invoked before the alert was displayed. Clicking on Cancel will make the alert disappear, so you can continue your configuration activities on the current tab.

Click History

The tabs you visited while configuring settings are recorded in the top left corner of the Web interface area. They are recorded together with the paths leading to them. The current tab and path are always visible in the display field.

Clicking on the arrow to the right of the path display will show the "click history", i.e. a list of the tabs you visited prior to this one. Clicking on any of the entries displayed in the list will take you to the corresponding tab.

The click history is only recorded for the current session, i.e. until you log out. After logging in for a new session, the recording of tabs and paths will start all over again.
Information Update

Some parts of the information that is provided on the tabs of the Web interface will change from time to time. In these cases, the information display is updated automatically every three seconds by Webwasher.

For example, you might have performed a manual update of the anti-virus engines. This means that the information provided in the Current Status and Log File Content sections on the corresponding AV Engine tab will continue to change over a certain period of time until the update is completed. These sections are then updated automatically every three seconds to reflect the status of the update process.

Logout

To log out from a Webwasher session, click on the logout link, which is located in the middle at the top of the Web interface area. After logging out, the login page is displayed, where you can log in again and start a new session.

Main Feature Enabling

There are Webwasher settings that can only be modified if a corresponding main feature is enabled. For example, if you want to modify the settings of the Phishing Filter section on the Settings tab under Anti-Spam > Message Filters, you need to make sure the Message Filter feature itself is also enabled. If you attempt to modify settings while the corresponding main feature is not enabled, an alert is displayed to make you aware of this situation.

Search

A Search input field and button are located in the top right corner of the Web interface area. Using these, you can start keyword queries of the entire Web interface by entering a search term in the input field and clicking on the Search button.

The search output will be presented in a separate window, which displays a list of the tabs the search term was found on and the paths leading to them. Clicking on any of the entries displayed in the list will take you to the corresponding tab.

Note: In order to be able to use the search function, make sure JavaScript is enabled.

Session Length

When working with the Web interface, you need to mind the session length. This interval can be configured in the Session Options section of the Sessions tab under Configuration > Web Interfaces.
After modifying the interval specified there, click on Apply Changes to make the modification effective.

When a session has timed out, a notification is displayed. Click OK to acknowledge the notification. After clicking on a tab or button of the Web interface, the login window opens, where you can log in again and start a new session.

System Information

At the top of the Web interface area, system information is provided on the current Webwasher session. This information includes:
• Version and build of the Webwasher software
• Name of the system Webwasher is running on
• Name of the user logged in for the current session, e.g. Admin
• Role assigned to this user, e.g. Super Administrator
• Permissions granted to this user, e.g. read/write

1.4 Other Documents

This guide belongs to a series of documents provided for users of the Webwasher Web Gateway Security products. The following sections give an overview of them.

The Webwasher user documentation can be viewed after navigating to the Manuals tab of the Web interface. It can also be viewed on the Webwasher Extranet and in the Secure Computing Resource Center.

The following is provided in this section for the Webwasher Web Gateway Security products:
• An overview of the documents on the main products, see 1.4.1
• An overview of the documents on products for special tasks and environments, see 1.4.2
1.4.1 Documentation on Main Products

This section introduces the user documentation on the main Webwasher Web Gateway Security products.

Document Group: General Documents
• Deployment Planning Guide – Is Webwasher suited to my environment?
• Installation Guide – How to install Webwasher?
• Quick Configuration Guide – First steps to get Webwasher running.
• System Configuration Guide (this document) – Features for configuring Webwasher within the system environment.
• Advanced Configuration Guide – More sophisticated configuration tasks.
• Upgrade Guide – What should I know when upgrading to a new Webwasher release?

Document Group: Product Documents
• User's Guide URL Filter – Features for configuring URL filtering policies.
• User's Guide Anti-Virus – Features for configuring anti-virus filtering policies.
• User's Guide Anti-Malware – Features for configuring anti-malware filtering policies.
• User's Guide Anti-Spam – Features for configuring anti-spam filtering policies.
• User's Guide SSL Scanner – Features for configuring SSL-encrypted traffic filtering policies.

Document Group: Reference Document
• Reference Guide – Items concerning more than one product, e.g. features for customizing actions or log files.
1.4.2 Documentation on Special Products

This section introduces the user documentation on the Webwasher Web Gateway Security products for special tasks and environments.

Document Group: Content Reporter Documents
• Content Reporter Installation and Configuration Guide – Installing and configuring the Webwasher Content Reporter, which is done separately from the main products.
• Content Reporter User's Guide for Reporting – Creating reports.

Document Group: Instant Message Filter Documents
• Instant Message Filter Installation and Configuration Guide – Installing and configuring the Webwasher Instant Message Filter, which is done separately from the main products.
• User's Guide Instant Message Filter – Description of features.

Document Group: Special Environment Documents
• Setting Up Webwasher on Microsoft ISA Server – Setting up Webwasher or a product running with it in a special environment.
• Setting Up Webwasher with Blue Coat – See above.
• Setting Up NetCache with ICAP – See above.
• NTLM Agent Set-up Guide – Setting up an additional Webwasher product to enable authentication using the NTLM method on platforms other than Windows.
• HSM Agent Set-up Guide – Setting up an additional Webwasher product to enable use of a HSM (High Security Module) device.

Document Group: Appliances Documents
• Appliances Installation and Configuration Guide – Installing and configuring the Webwasher appliances.
• Appliances Upgrade Guide – What should I know when upgrading to a new release of the Webwasher appliances?
1.5 The Webwasher Web Gateway Security Products

The Webwasher Web Gateway Security products provide an optimal solution for all your needs in the field of Web gateway security. They are unique in that they offer best-of-breed security solutions for individual threats and at the same time a fully integrated architecture that affords in-depth security and cost/time savings through inter-operability.

A brief description of these products is given in the following.

Webwasher® URL Filter – Helps you boost productivity by reducing non-business related surfing to a minimum, thus curbing your IT costs. Suppresses offensive sites and prevents downloads of inappropriate files, thus minimizing risks of legal liabilities.

Webwasher® Anti-Virus – Combines the strength of multiple anti-virus engines concurrently scanning all Web and e-mail traffic. The Proactive Scanning filtering technology additionally detects and blocks unknown malicious code, not relying on time-delayed virus pattern updates. This combination provides in-depth security against a multitude of threats while offering unmatched performance through use of the Anti-Virus PreScan technology.

Webwasher® Anti-Malware – Offers in-depth security against all kinds of malicious code, such as aggressive viruses, potentially unwanted programs, spyware, day-zero attacks and blended threats not covered by traditional anti-virus and firewall solutions. The highly efficient anti-malware engine is used in combination with the Proactive Scanning filtering technology.

Webwasher® Anti-Spam – Offers complete protection of the central Internet gateway. The highly accurate spam detection filters stem the flood of unwanted spam mail before it reaches the user's desktop. Your systems will not be impaired, and the availability of valuable internal mail infrastructures, such as group servers, is thus maintained.

Webwasher® SSL Scanner – Helps you protect your network against attacks via the HTTPS protocol and prevents the disclosure of confidential corporate data, as well as infringements of Internet usage policies, thus ensuring that no one is illicitly sharing sensitive corporate materials.

The following two products have their own user interfaces, which are described in the corresponding documents:

Webwasher® Content Reporter – Features a library of rich, customizable reports based on built-in cache, streaming media, e-mail activity, Internet access and content filtering queries, all supported by unmatched convenience and performance features.

Webwasher® Instant Message Filter – Detects, reports and selectively blocks the unauthorized use of high-risk and evasive P2P and IM from enterprise networks and scans network traffic for characteristics that match the corresponding protocol signatures.
Chapter 2 User Management

The functions described in this chapter are accessible over the User Management tab of the Web interface.

The user management functions allow you to administer users with regard to the permissions they are granted for configuring and operating Webwasher. Furthermore, they allow you to map users to the various security policies that have been set up under Webwasher and configure authentication and language settings for users.

The upcoming sections describe how to handle these functions. The description begins with an overview.
2.1 Overview

The following overview shows the sections that are in this chapter:

System Configuration Guide – Webwasher Web Gateway Security
  Introduction
  User Management
    Overview – this section
    Administrators, see 2.2
    Policy Management, see 2.3
    User Database, see 2.4
    Authentication Server, see 2.5
    Windows Domain Membership, see 2.6
    Languages, see 2.7
  Reporting
  Caching
  Proxies
  Configuration

2.2 Administrators

The Administrators options are invoked by clicking on the corresponding button under User Management:

The options are arranged under the following tabs:

They are described in the upcoming sections:
• Accounts, see 2.2.1
• LDAP/Radius Authentication, see 2.2.2
• Role Definition, see 2.2.3
2.2.1 Accounts

The Accounts tab looks like this:

There is one section on this tab:
• Account Overview
It is described in the following.

Account Overview

The Account Overview section looks like this:

Using this section you can configure accounts for administrators and assign different rights and access privileges to them.

To add an account to the list, use the area labeled:
• Define new account
Specify the information concerning an account using the following items:
— Login
In this input field, enter the login name for an administrator.
— Password
In this input field, enter the password the administrator is to submit.
— Role
From this drop-down list, select the role that is assigned to an administrator. You can select from the roles that are available to you under your current role. Only these roles are shown here.
The pre-configured roles, which are Super Administrator, Policy Administrator and Administrator, cannot be modified. Go to the Role Definition tab to view the permissions for the pre-configured roles and create or edit user-configured roles, see 2.2.3.
— SSH Public Key
In this input field, enter the SSH Public Key assigned to an administrator. To do this, click on the Browse button next to this field and browse for the key file you want to specify here.
— Allowed policies
From this drop-down list, select the policy that the administrator is allowed access to. Select All to allow access to all policies. Note that you can only select policies that you have access to yourself, according to your account settings. Only these policies are shown here.
— Read only
Mark this checkbox to allow only read access to Webwasher for an administrator.
• Add New Account
After specifying the appropriate values for the new account, click on this button to add it to the list.

If this action was successful, the account is added to the list, which is displayed at the bottom of this section.

To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard. If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking on the appropriate arrow symbols.

Use the following items to perform other activities relating to the list:
• Filter
Type a filter expression in the input field of the Account or Role column or in both and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.
• Delete Selected
Select the entry you wish to delete by marking the Select checkbox next to it and click on this button. You can delete more than one entry in one go. To delete all entries, mark the Select all checkbox and click on this button.

To view and edit an account, click on the View + Edit Details button next to it. This will open a window where you can edit the settings that have been configured for the various accounts. For the meaning of these settings, see the description that was given at the beginning of this subsection. An additional description of the Account Preferences section of this window is provided further below in this subsection.

After editing the account settings, click on Apply Changes to make your changes effective.

With an account that has been assigned one of the pre-configured roles, e.g. Super Administrator, you can only change its password. Click on the Change Password button next to it to open the editing window and perform this change.

The meaning of the settings in the Account Preferences section is described in the following.
Account Preferences

Using this section, you can configure the preferred settings for an administrator account. After modifying these settings, click on Apply Changes to make the modification effective.

Use the following checkboxes to configure the preferred settings:
• Read only
Mark this checkbox to configure a read-only permission.
• View web related settings
To have only Web-related settings displayed, make sure this checkbox is marked. The checkbox is marked by default.
• View mail related settings
To have only mail-related settings displayed, make sure this checkbox is marked. The checkbox is marked by default.
• Show change warner dialog
If you want to have a dialog window displayed that warns you to save your changes after modifying any settings, make sure this checkbox is marked. The checkbox is marked by default.
• Show configuration hash
Mark this checkbox to have the hash value for the current configuration displayed in the system information lines at the top of the Web interface display area.
• No LDAP/Radius check (only local password check)
If no LDAP or Radius authentication should be required for the administrator login, mark this checkbox. Submitting the locally configured password will then be sufficient for accessing Webwasher. This setting may be used to configure an administrator account that is available for login whenever the LDAP or Radius servers are down.
2.2.2 LDAP/Radius Authentication

The LDAP/Radius Authentication tab looks like this:

There are two sections on this tab:
• Use LDAP to Authenticate Administrator
• Use Radius to Authenticate Administrator
They are described in the following.

Use LDAP to Authenticate Administrator

The Use LDAP to Authenticate Administrator section looks like this:

It allows you to use the settings stored on an LDAP server for authenticating an administrator. If you want to use this feature, mark the checkbox next to the section heading. Then configure the items described below and click on Apply Changes to make your settings effective.
Use the following items to configure the use of the LDAP server settings for administrator authentication:
• Use LDAP settings for HTTP Proxy
If you want to use the LDAP server settings with Webwasher configured as HTTP proxy, make sure this radio button is checked. The radio button is checked by default.
• Use LDAP settings for ICAP server
Click on this radio button to use the LDAP server settings with Webwasher configured as ICAP server.
• Check Status
To view status information on the LDAP server settings, click on this button. This may be information, e.g. on whether a connection to an LDAP server has been configured or whether the server is available.
• Use local account definition if LDAP authentication fails
Mark this checkbox at the bottom of the tab to use local account information for authenticating an administrator in case LDAP and Radius authentication both fail.

Use Radius to Authenticate Administrator

The Use Radius to Authenticate Administrator section looks like this:

This section allows you to use the settings stored on a Radius server for authenticating an administrator. If you want to use this kind of authentication, mark the checkbox next to the section heading and click on Apply Changes to make this setting effective.

To go to the page where the Radius server settings are configured, click on the Define Proxy Authentication Options button provided here.

Mark the checkbox at the bottom of the tab to use local account information for authenticating an administrator in case LDAP and Radius authentication both fail.
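The login decision that the two sections above and the "No LDAP/Radius check" account preference in 2.2.1 describe, as an added illustration in Python. This is not Webwasher code (the guide shows no internals); it assumes LDAP is consulted before Radius when both are enabled and stands in constructed stubs for the servers. The guide only says the local account is used when LDAP and Radius "both fail"; the model makes the stricter choice of using the local password only when the enabled servers were unreachable, not when one of them rejected the credentials, so a password revoked in the directory is not still accepted from the local copy.

```python
"""Model of the administrator login chain from the LDAP/Radius Authentication
tab. Added illustration, not Webwasher code. Assumptions: LDAP is consulted
before Radius, servers are constructed stubs, and the local fallback applies
only when the enabled servers were unreachable."""
from dataclasses import dataclass
from typing import Callable, Tuple

# Verdicts an external authentication server can return (constructed).
OK, REJECTED, UNAVAILABLE = "ok", "rejected", "unavailable"
Server = Callable[[str, str], str]


def down_server(user: str, pw: str) -> str:
    """Constructed stand-in for a server that cannot be reached."""
    return UNAVAILABLE


def directory_server(directory_password: str) -> Server:
    """Constructed stand-in for an LDAP or Radius server holding one password."""
    return lambda user, pw: OK if pw == directory_password else REJECTED


@dataclass
class Account:
    login: str
    local_password: str        # stands in for the locally stored credential
    local_only: bool = False   # "No LDAP/Radius check (only local password check)"


@dataclass
class AdminAuthConfig:
    use_ldap: bool = False        # "Use LDAP to Authenticate Administrator"
    use_radius: bool = False      # "Use Radius to Authenticate Administrator"
    local_fallback: bool = False  # "Use local account definition if ... fails"
    ldap: Server = down_server
    radius: Server = down_server


def authenticate(cfg: AdminAuthConfig, acct: Account, password: str) -> Tuple[bool, str]:
    """Return (granted, reason) for one administrator login attempt."""
    if acct.local_only:
        # Emergency account: external servers are never consulted.
        return (password == acct.local_password, "local-only account")

    verdicts = {}
    for name, enabled, server in (("ldap", cfg.use_ldap, cfg.ldap),
                                  ("radius", cfg.use_radius, cfg.radius)):
        if not enabled:
            continue
        verdicts[name] = server(acct.login, password)
        if verdicts[name] == OK:
            return (True, name)

    if not verdicts:
        return (False, "no external authentication enabled")
    rejected = [n for n, v in verdicts.items() if v == REJECTED]
    if rejected:
        # A server answered and said no: the local copy must not override it.
        return (False, "rejected by " + ", ".join(rejected))
    if cfg.local_fallback:
        return (password == acct.local_password, "local fallback (servers unavailable)")
    return (False, "servers unavailable and local fallback disabled")


def demo() -> dict:
    """Scenarios an administrator would want to verify after configuring the tab."""
    admin = Account("admin", local_password="local-secret")
    breakglass = Account("breakglass", local_password="vault-secret", local_only=True)
    reachable = directory_server("dir-secret")
    return {
        # Directory reachable, directory password correct: granted via LDAP.
        "ldap_ok": authenticate(AdminAuthConfig(use_ldap=True, ldap=reachable), admin, "dir-secret"),
        # Directory reachable, wrong password: denied although fallback is on.
        "ldap_reject": authenticate(AdminAuthConfig(use_ldap=True, local_fallback=True, ldap=reachable), admin, "local-secret"),
        # Directory down, fallback on, local password correct: granted locally.
        "ldap_down_fallback": authenticate(AdminAuthConfig(use_ldap=True, local_fallback=True), admin, "local-secret"),
        # Directory down, fallback off: denied.
        "ldap_down_nofallback": authenticate(AdminAuthConfig(use_ldap=True), admin, "local-secret"),
        # Local-only account works while the directory is down.
        "breakglass": authenticate(AdminAuthConfig(use_ldap=True), breakglass, "vault-secret"),
    }


if __name__ == "__main__":
    for name, (granted, why) in demo().items():
        print(f"{name:22s} {'GRANT' if granted else 'DENY':5s} {why}")
```

Running the block prints one line per scenario. If the point of the configuration is to keep one emergency account usable while the directory is down, the local-only preference on that single account is the narrower setting; the fallback checkbox at the bottom of the tab applies to every administrator account at once.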
2.2.3 Role Definition

The Role Definition tab looks like this:

There is one section on this tab:
• Role Definition Editor
It is described in the following.
Role Definition Editor

The Role Definition Editor section looks like this:

Using this section you can view the role permissions assigned to the administrator roles that are pre-configured within Webwasher, as well as create and edit new roles.

To create a new administrator role, use the items provided in the following area:
• Create role
The meaning and usage of these items is as follows:
— New role name
In this input field, enter the name of the new role you want to create. The name must begin with an alphabetical character (A-Z). The number of the following characters is not prescribed. However, only alphabetical and numerical characters, dashes, underscores, and spaces are allowed here.
— Role to duplicate
If you want to use an existing role as a starting point for your configuration of a new role, select one from the drop-down list provided here.
— Create Role
After entering a role name, click on this button to add the new role to the roles list. Also, if you have selected and renamed an existing role as a starting point, click on this button to add the role to the list.
The administrator roles list is displayed at the bottom of the section. You can view and edit the roles contained in this list, with the exception of the three pre-configured roles, i.e. Super Administrator, Administrator and Policy Administrator. These you can only view.

To display only a particular number of entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard. If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking on the appropriate arrow symbols.

Use the following items to perform other activities relating to the list:
• Filter
Type a filtering term in the input field of the Role column and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.
• View Role Permissions
Click on this button, which is provided for each of the three pre-configured roles, to view the permissions assigned to any of them. This will open a window where the permissions are displayed. For a description of this window, see the subsection further below.
• Edit Role Permissions
Click on this button, which is provided for each user-configured role, to view and edit the permissions assigned to any of them. This will open a window where the permissions are displayed and can be edited. For a description of this window, see the subsection further below.
• Delete Selected
Select the role you wish to delete by marking the Select checkbox next to it and click on this button. You can delete more than one role in one go, but not any of the three pre-configured roles. To delete all user-configured roles, mark the Select all checkbox and click on this button.
Role Permissions Window

The Role Permissions window looks like this:

Note that this is the version for viewing and editing permissions. The version for viewing only has no Save button in the top right corner.

By default, all permissions that can be configured in this window are granted. The seniority level is by default set to 100.

To deny or grant a permission for the role you are configuring, clear or mark the corresponding checkbox. Then click on the Save button to make the modification effective.

For further information on what it means to configure the seniority level, as well as allowed other roles, see the next subsections.
Seniority<br />
The seniority level is measured by a value between 0 and 100.<br />
It is important for determining who can deny access privileges to another administrator<br />
while being logged in a the same time. As an administrator, you<br />
can only deny privileges to administrators with seniority levels lower than your<br />
own level.<br />
So, if your seniority level is 80 and two other administrators are logged in with<br />
seniority levels of 60 and 50, you can deny them simultaneous access or restrict<br />
it to read-only. If an administrator with a seniority level of 100 is logged<br />
in at the same time, you cannot deny this administrator anything. This administrator<br />
may, however, exclude you from reading or writing or from both.<br />
Note that there are three pre-configured roles with administrator levels of 100,<br />
80 and 50, respectively. These pre-configured roles cannot be changed or<br />
deleted. To view the seniority levels and other permissions for these roles,<br />
click on the View Role Permissions button next to the role in question.<br />
The permissions for administrators who are logged in at the same time are<br />
configured using the Access Permissions sectiononthePreferences tab<br />
under Home > Preferences.<br />
After specifying the appropriate value here, click on the Save button in the top<br />
right corner of the window to make this setting effective.<br />
Use the following input field to configure the seniority level for an administrator<br />
role:<br />
• Seniority<br />
Enter a value between 0 and 100 here according to the level required for<br />
this role.<br />
Allowed other roles<br />
This section allows you to configure the roles that can be assigned to another<br />
user account by a user with this role.<br />
So, e. g. if the Administrator role is assigned to a user account and Administrator<br />
and Policy Administrator are configured as allowed other roles<br />
for this role, the user in question can only assign one of these two roles when<br />
creating a new user account.<br />
The user cannot, in this case, assign the Super Administrator role to the<br />
account, or any other role that may be listed in this section, but is not selected.
To configure a role as allowed for being assigned by this role, select it in the<br />
list by marking the corresponding checkbox.<br />
After configuring all other settings in the Permissions for role ... window as<br />
required, click on the Save button in the top right corner to make your settings<br />
effective.<br />
This will also close the window.<br />
2.3<br />
Policy Management<br />
The Policy Management options are invoked by clicking on the corresponding<br />
button under User Management:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Concept, see 2.3.1<br />
• Management, see 2.3.2<br />
• Web Mapping, see 2.3.3<br />
• E-Mail Mapping, see 2.3.4<br />
2.3.1<br />
Concept<br />
The Concept tab looks like this:<br />
There is one section on this tab:<br />
• Policy Concept<br />
It is described in the following.
Policy Concept<br />
The Policy Concept section uses several texts and a diagram to explain<br />
the concept underlying the <strong>Webwasher</strong> policy management.<br />
The diagram looks like this:<br />
Using visual means, it represents the threefold structure of policy management<br />
as it is performed under <strong>Webwasher</strong>:<br />
• Selecting input<br />
• Performing a lookup<br />
• Mapping to policy<br />
2.3.2<br />
Management<br />
The Management tab looks like this:<br />
There are three sections on this tab:<br />
• Modify Policy<br />
• Create New Policy<br />
• Duplicate Policy<br />
They are described in the following.<br />
Modify Policy<br />
The Modify Policy section looks like this:<br />
It allows you to reset the settings of an existing policy to their default values<br />
and to delete policies altogether.
To perform these activities for a policy, select it from the drop-down list provided<br />
here and click on one of the following buttons:<br />
• Reset to default<br />
Click on this button to reset the selected policy to its default values.<br />
• Delete Policy<br />
Click on this button to delete the selected policy.<br />
Create New Policy<br />
The Create New Policy section looks like this:<br />
Using this section, you can begin to configure a new policy by creating it first.<br />
To configure settings for this policy use the tabs provided by this Web interface<br />
for virus scanning, spam filtering, etc. Together with these tabs, policy lists are<br />
provided, which will also include the new policy.<br />
Select it from these lists when you are configuring the various settings, to make<br />
sure they become part of this policy.<br />
Use the following items to create a new policy:<br />
• New policy name<br />
Enter the name for the new policy in this input field. Then click on the<br />
Create button next to it.<br />
The new policy will then appear on the policy lists that are provided on the<br />
tabs for configuring policy-dependent settings.<br />
Duplicate Policy<br />
The Duplicate Policy section looks like this:<br />
Using this section, you can configure a new policy by duplicating an existing<br />
one first and taking it as the starting point for configuring further settings.<br />
Use the following items to duplicate an existing policy:<br />
• Policy to duplicate<br />
From this drop-down list, select the policy you want to duplicate.<br />
• New policy name<br />
Enter the new name you want to give the duplicated policy here. Then click<br />
on the Duplicate button next to it.<br />
The duplicated new policy will then appear under its new name on the policy<br />
lists that are provided on the tabs for configuring policy-dependent settings.<br />
2.3.3<br />
Web Mapping<br />
The Web Mapping tab looks like this:<br />
There are three sections on this tab:<br />
• Mapping Process<br />
• Mapping Options<br />
• Mapping Cache<br />
They are described in the following.<br />
Mapping Process<br />
The Mapping Process section looks like this:<br />
Using this section, you can configure mapping rules to assign policies to ICAP<br />
requests received in Web communication according to the user information<br />
provided in these requests.<br />
To retrieve this information, various methods are applied, e. g. processing the<br />
user name, the name of the user group, or the IP address.<br />
Furthermore, a lookup on an LDAP or NTLM server, or on a Novell eDirectory<br />
server can be configured with some methods.<br />
You can also configure the use of an emergency policy that will overrule all<br />
mapping rules configured here in case of an emergency, e. g. the outbreak of<br />
a new virus.<br />
Specify the appropriate information using the items described in the following.<br />
Then click on Apply Changes to make your settings effective.<br />
Use the following items to configure mapping rules for Web communication:<br />
• Use emergency policy ... overwriting all methods<br />
Select an emergency policy from the drop-down list provided here. This<br />
policy will be applied whenever an emergency situation occurs, e. g. the<br />
outbreak of a new virus.<br />
It will overrule all policies that would otherwise be applied according to the<br />
rules and methods configured here.<br />
• Mapping method order for REQMOD<br />
Use the items provided in this area to configure a mapping method, which<br />
will include specifications on what is mapped (map from: IP address, user<br />
or group name), using what authentication method (map via: lookup on an<br />
LDAP or NTLM server, or a Novell eDirectory server), and what rule.<br />
The rule will in turn specify the policy that is applied to the mapped object.<br />
You can configure more than one rule for a method.<br />
You can also configure more than one method. Methods will then be applied<br />
in the order you position them here. Up to five methods can be configured<br />
this way.<br />
The specifications made in this area are valid for REQMOD communication.<br />
They can be applied also to RESPMOD communication, otherwise methods<br />
and rules for RESPMOD communication can be configured separately<br />
in an area below this one.<br />
The following items are provided to configure mapping methods for REQ-<br />
MOD communication:<br />
— Map from<br />
From this drop-down list, select what you want to map: IP, User, or<br />
Group.<br />
— Map via<br />
From this drop-down list, select whether you want to map directly, e. g.<br />
a user name or an IP address to a policy, or if you want there to be a<br />
lookup first, e. g. a lookup on an LDAP or NTLM server, or on a Novell<br />
eDirectory server.
— Using these rules<br />
The drop-down list provided here displays the name of the rule or rules<br />
belonging to this mapping method. The name is a combination of the<br />
information specified in the Map from and Map via fields, e. g. User-<br />
LDAP-1.<br />
In order to specify more information for a rule, click on the Apply<br />
Changes button first to make the settings specified so far effective.<br />
Then click on the Edit rules and options button next to the rules<br />
entry in question. This will take you to another tab where you can<br />
specify the appropriate information.<br />
To add another rule under the same name, e. g. User-LDAP-2, and<br />
specify information for it, select Create new rules from the list and<br />
click on the Edit rules and options button.<br />
— Use REQMOD mapping also for RESPMOD<br />
Make sure this option is enabled if you want the same methods and<br />
rules to be applied in RESPMOD and in REQMOD communication. The<br />
option is enabled by default.<br />
— Determine RESPMOD policy during REQMOD<br />
Enable this option to make use of authentication information that is<br />
missing in RESPMOD, but available in REQMOD, also for RESPMOD.<br />
The setting of this option does not depend on what has been configured<br />
for the Use REQMOD mapping also for RESPMOD option above.<br />
When, e. g. a mapping method is configured based on the user name,<br />
the corresponding information may be retrieved from the Proxy Authorization<br />
header (Standard Request header). If the SSL Scanner is to be<br />
used at the same time, the Proxy Authorization header will be included<br />
only in the first REQMOD message, i. e. in the CONNECT request,<br />
and not in any of the further requests, which are encrypted.<br />
In this case, you can enable the option described here to retrieve the<br />
missing information also for the RESPMOD messages.<br />
• Mapping method order for RESPMOD<br />
Use the items provided here to configure mapping methods and rules for<br />
RESPMOD communication. The items are only made available if you have<br />
disabled the Use REQMOD mapping also for RESPMOD option.<br />
Use the items in the same way as described above for REQMOD communication<br />
mapping.<br />
Mapping Options<br />
The Mapping Options section looks like this:<br />
Using this section, you can configure what should happen if the mapping<br />
process fails for a user request.<br />
After modifying this setting, click on Apply Changes to make the modification<br />
effective.<br />
Use the following radio buttons to configure the action in case of a mapping<br />
failure:<br />
• Block request<br />
If you want to block the request, make sure this radio button is checked.<br />
The radio button is checked by default.<br />
• Allow request and use default policy<br />
Check this radio button to allow the request and use the default policy for<br />
further processing.<br />
Mapping Cache<br />
The Mapping Cache section looks like this:<br />
Using this section, you can configure a time interval for keeping data on<br />
mapped users in the cache. The data can be kept there even if the corresponding<br />
requests failed.<br />
The mapping cache stores user names and IP addresses as input data and<br />
policy names as the corresponding output data.<br />
This stored information can be re-used, rather than each time repeating external<br />
server requests for input data. Looking up cached information is faster,<br />
which enhances system performance.
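The following Python model, added here as an illustration and not part of this guide or of the Webwasher product, shows how the Web mapping settings described above interact: the emergency policy overrules every method, the methods are tried in their configured order, a failed mapping is either blocked or given the default policy, and results are kept in the cache for the configured number of minutes.<br />
It assumes that the first matching rule of the first matching method decides the policy, that cache entries are keyed by the mapped value, and that failed mappings are cached only when Cache failed requests is enabled; the rule names, user names and networks are constructed.<br />

```python
"""Model of the Webwasher Web mapping process (added example, not product code).

Assumptions not stated in the guide: the first matching rule of the first matching
method decides the policy, cache entries are keyed by the mapped value, and a failed
mapping is cached only when "Cache failed requests" is enabled.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

BLOCKED = "<request blocked>"   # outcome of "Block request" on a mapping failure


@dataclass
class Rule:
    """One rule of a mapping method: a test on the mapped value and the policy it selects."""
    name: str                         # e.g. "User-LDAP-1" (constructed)
    matches: Callable[[str], bool]
    policy: str


@dataclass
class Method:
    """A mapping method: what is mapped (IP, User or Group) and its rules."""
    map_from: str                     # "IP", "User" or "Group"
    rules: List[Rule]


@dataclass
class MappingConfig:
    methods: List[Method]             # tried in this order; the UI allows up to five
    emergency_policy: Optional[str] = None
    block_on_failure: bool = True     # "Block request" (default) vs "Allow request and use default policy"
    default_policy: str = "default"
    cache_minutes: int = 30           # "Time to keep users in cache: ... minutes"
    cache_failed: bool = False        # "Cache failed requests"


class Mapper:
    def __init__(self, cfg: MappingConfig):
        if len(cfg.methods) > 5:
            raise ValueError("at most five mapping methods can be configured")
        self.cfg = cfg
        self._cache = {}      # (map_from, value) -> (policy, expiry in minutes)
        self.rule_checks = 0  # counts rule evaluations, to show what the cache saves

    def resolve(self, request: dict, now_min: float) -> str:
        """Return the policy for a request such as {"User": ..., "IP": ...}."""
        cfg = self.cfg
        if cfg.emergency_policy:          # overrules every method and rule
            return cfg.emergency_policy
        keys_seen = []
        for method in cfg.methods:
            value = request.get(method.map_from)
            if value is None:             # e.g. no user name in an unauthenticated request
                continue
            key = (method.map_from, value)
            keys_seen.append(key)
            hit = self._cache.get(key)
            if hit is not None and hit[1] > now_min:
                return hit[0]             # still within "Time to keep users in cache"
            for rule in method.rules:
                self.rule_checks += 1
                if rule.matches(value):
                    self._cache[key] = (rule.policy, now_min + cfg.cache_minutes)
                    return rule.policy
        result = BLOCKED if cfg.block_on_failure else cfg.default_policy
        if cfg.cache_failed:              # remember the failure as well
            for key in keys_seen:
                self._cache[key] = (result, now_min + cfg.cache_minutes)
        return result


def example_config() -> MappingConfig:
    """Constructed configuration: a user-name method first, an IP method second."""
    return MappingConfig(methods=[
        Method("User", [Rule("User-LDAP-1", lambda u: u.endswith("@finance.example"), "finance")]),
        Method("IP", [Rule("IP-Direct-1", lambda ip: ip.startswith("10.1."), "lab")]),
    ])


if __name__ == "__main__":
    m = Mapper(example_config())
    print(m.resolve({"User": "alice@finance.example", "IP": "10.2.0.7"}, now_min=0))  # finance
    print(m.resolve({"IP": "192.0.2.1"}, now_min=0))                                   # <request blocked>
```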
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following items to configure the mapping cache:<br />
• Time to keep users in cache: ... minutes<br />
In the input field provided here, enter the time interval (in minutes) for keeping<br />
user data in the mapping cache. The default time is 30 minutes.<br />
• Cache failed requests<br />
Mark this checkbox to also cache data retrieved from requests that were<br />
not allowed.<br />
2.3.4<br />
E-Mail Mapping<br />
The E-Mail Mapping tab looks like this:<br />
There are two sections on this tab:<br />
• Mapping Process<br />
• Mapping Options<br />
They are described in the following.<br />
Mapping Process<br />
The Mapping Process section looks like this:<br />
Using this section, you can configure mapping rules to assign policies to e-mail<br />
messages according to the information provided in these messages. To retrieve<br />
this information, an internal scheme or an LDAP lookup can be applied.<br />
Specify the appropriate information using the items described in the following.<br />
Then click on Apply Changes to make your settings effective.<br />
Use the items provided under this heading to configure mapping rules for e-mail<br />
communication:<br />
• Mapping method order for filtering e-mails (RESPMOD)<br />
Use the items provided in this area to configure a mapping method, which<br />
will include specifications on what is mapped (map from: IP address, user<br />
or group name), using what authentication method (map via: LDAP or<br />
NTLM lookup), and what rule. The rule will in turn specify the policy that<br />
is applied to the mapped object. You can configure more than one rule for a<br />
method.<br />
The following items are provided to configure mapping methods for e-mail<br />
messages in RESPMOD communication:<br />
— Mapping scheme<br />
From this drop-down list, select the scheme you want to be used for<br />
the mapping method: Internal or LDAP.<br />
You can configure more than one method. Methods will then be applied<br />
in the order you position them here. Up to two methods can be<br />
configured this way.<br />
In order to specify more information for a mapping scheme, click on<br />
the Apply Changes button first to make the settings specified so far<br />
effective. Then click on the Edit rules and options button next to the<br />
scheme entry in question.<br />
This will take you to another tab where you can specify the appropriate<br />
information.<br />
Mapping Options<br />
The Mapping Options section looks like this:<br />
It allows you to configure the use of all the methods that were selected in the<br />
Mapping Process section above for policy mapping purposes.<br />
Use the following item to do this:<br />
• Use all selected methods to assign policies<br />
Enable this option to have all methods selected above applied. Then click<br />
on Apply Changes to make this setting effective.<br />
2.4<br />
User Database<br />
The User Database options are invoked by clicking on the corresponding button<br />
under User Management:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• User Database, see 2.4.1<br />
• Import, see 2.4.2<br />
• LDAP Synchronization, see 2.4.3<br />
• Backup & Restore, see 2.4.4<br />
2.4.1<br />
User Database<br />
The User Database tab looks like this:<br />
There are two sections on this tab:<br />
• LDAP Synchronization<br />
• User Database<br />
They are described in the following.<br />
LDAP Synchronization<br />
The LDAP Synchronization section looks like this:<br />
Using this section, you can configure synchronization of the user database<br />
provided by <strong>Webwasher</strong> with an LDAP server.
If users have been able to authenticate themselves on the LDAP server, their<br />
credentials are added to the user database.<br />
After specifying this setting in an appropriate way, click on Apply Changes to<br />
make it effective.<br />
Use the checkbox labeled as follows to configure LDAP synchronization:<br />
• Allow new Users to add themself to the User Database if they can<br />
authenticate at the LDAP Server<br />
Mark this checkbox to enable LDAP synchronization in the way described<br />
here.<br />
User Database<br />
The User Database section looks like this:<br />
It allows you to add users to the <strong>Webwasher</strong> User Database and edit user<br />
entries in that database.<br />
To enter the data for a new user, use the items provided in the following area:<br />
• Add new user<br />
Specify the following information about the new user:<br />
— Login Name<br />
Login name of the new user<br />
— Real Name<br />
Real name of the new user<br />
Input in this field is optional.<br />
— Group(s)<br />
User group or groups you want to assign the new user to<br />
Input in this field is optional.<br />
— E-Mail address<br />
E-mail address of the new user<br />
Input in this field is optional.<br />
— Language<br />
Language to be used for messages to the new user<br />
Select the language from the drop-down list provided here. Input in this<br />
field is optional.<br />
— Password<br />
Password the new user is to submit for authentication.<br />
— Password (retype)<br />
Retype the password in this input field.<br />
— Password must be changed at next login<br />
Mark this checkbox to enforce a password change at the next login by<br />
the new user.<br />
• Add new user<br />
After specifying the appropriate information in the area above, click on this<br />
button to add the new user to the list.<br />
The user list is displayed at the bottom of the section.<br />
To display only a particular number of entries at a time, type this number in the<br />
input field labeled Number of entries per page and enter it using the Enter<br />
key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.
To edit an entry, type the appropriate text in the corresponding input field of the<br />
Real Name, Group(s) or E-Mail column, or select a different language from<br />
the corresponding drop-down list.<br />
To edit the password for a user entry, click on the corresponding Edit button.<br />
This will open a separate window, where you can edit the password.<br />
Note that the login name of a user entry cannot be edited.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field of the Login Name, Real Name,<br />
Group(s) or E-Mail column or any combination of these and enter this<br />
using the Enter key of your keyboard. The list will then display only entries<br />
matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all user entries, mark the Select all checkbox and click on this<br />
button.<br />
2.4.2<br />
Import<br />
The Import tab looks like this:<br />
There is one section on this tab:<br />
• Import User Database<br />
It is described in the following.<br />
Import User Database<br />
The Import User Database section looks like this:<br />
It allows you to import a file providing information about users into the user<br />
database. Furthermore, you can configure a number of settings relating to this<br />
file.<br />
Use the following items to configure this file and import it into the user database:<br />
• Import from<br />
Specify the file containing the user information here. To do this, click on<br />
the Browse button next to the input field and browse to this file.<br />
Within this file, each line must contain information about one user only.<br />
A line must consist of six entries separated by the column separator, with<br />
each entry providing information as follows:<br />
1. Login Name<br />
The unique login name of the user
2. Full Name<br />
Full name of the user<br />
3. Groups<br />
The groups that the user is a member of.<br />
If the user is a member of more than one group, separate the group names<br />
by commas.<br />
4. E-mail address<br />
The e-mail address of the user<br />
5. Preferred language<br />
The language to be used for error template texts.<br />
If you want this information to be processed, you need to configure a<br />
corresponding language selection method.<br />
This is done in the Language Selection section on the Languages<br />
tab under User Management > Languages. The method you need<br />
to select there is User Database.<br />
6. Password<br />
Password for the user.<br />
This entry depends on the values you configure using the four radio<br />
buttons under Password options in this section, see below for their<br />
description.<br />
• Column separator character<br />
In the input field provided here, enter a character to be used for separating<br />
entries in the user import file, i. e. the file that is imported into the user<br />
database.<br />
The default separator is the | (pipe sign).<br />
• Password options<br />
Specify the options for the user password here.<br />
The first four options, which are configured using radio buttons, will determine<br />
the password entry in the user import file, i. e. the file that is imported<br />
into the user database.<br />
The meaning of these options is as follows:<br />
— Set random password and mail it to given email address<br />
This will create a random password with a length of eight characters.<br />
The password is sent to the address specified in the user import file.<br />
— Password column contains clear text password name<br />
If this option is enabled, the password will be taken from the plain text<br />
entered in the user import file.<br />
— Set password<br />
— Password column contains NTLM hash (16 Bytes)<br />
This will put a 16-byte NTLM hash in place of each password specified<br />
in the user import file. This hash is calculated as an MD4 checksum based<br />
on the Unicode values of the password in question.<br />
It is written into the user database, which will then also contain entries<br />
for existing passwords that were encrypted.<br />
— Password must be changed at next login<br />
Enable this option to enforce a password change at the next login of a<br />
user.<br />
For this option to work, you need to specify an end user port in the End<br />
User Port Settings section on the Ports tab under <strong>Configuration</strong> ><br />
Web Interfaces.<br />
• Overwrite existing entries<br />
Enable this option to allow the overwriting of existing user entries in the<br />
user database.<br />
Otherwise, the attempt to overwrite existing entries will result in an error.<br />
• Mail password to user<br />
Enable this option to have the password sent to the corresponding user by<br />
e-mail.<br />
The option is always enabled and cannot be disabled if the first of the Password<br />
options is also enabled, i. e. Set random password and mail it<br />
to given email address.
Vice versa, it is always disabled and cannot be enabled if Password column<br />
contains NTLM hash (16 Bytes) is enabled.<br />
• Import User<br />
Click on this button to import the specified user import file with the settings<br />
configured here.<br />
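As an added example, not taken from this guide or from the product, the following Python checks a user import file against the format described above (six entries per line separated by the column separator, groups separated by commas, one user per line) and computes the 16-byte NTLM hash used by the hashed-password option, so malformed lines, duplicate login names and a wrong password column can be caught before the file is uploaded.<br />
It assumes that the hash is written into the file as 32 hex digits and that the "Unicode values" fed to MD4 are the UTF-16LE encoding of the password; the sample lines are constructed.<br />

```python
"""Check a Webwasher user import file before uploading it (added example, not product code).

Assumptions not stated in the guide: the NTLM hash column holds the 16 bytes as
32 hex digits, and the "Unicode values" hashed with MD4 are the UTF-16LE bytes.
"""
import re
import struct

_MASK = 0xFFFFFFFF
FIELDS = ("login", "full_name", "groups", "email", "language", "password")


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; hashlib often lacks md4 on OpenSSL 3 builds."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, _lrot((a + fn(b, c, d) + X[idx] + k) & _MASK, shifts[i % 4]), b, c
        a0, b0, c0, d0 = [(s + v) & _MASK for s, v in zip((a0, b0, c0, d0), (a, b, c, d))]
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The 16-byte NTLM hash: MD4 over the UTF-16LE password (assumed encoding)."""
    return md4(password.encode("utf-16-le"))


def parse_import_line(line: str, separator: str = "|", hashed: bool = False) -> dict:
    """Split one import line into its six entries; raise ValueError on a malformed line."""
    parts = line.rstrip("\r\n").split(separator)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} entries, got {len(parts)}")
    user = dict(zip(FIELDS, parts))
    if not user["login"]:
        raise ValueError("empty login name")
    # groups are comma-separated within the third entry
    user["groups"] = [g.strip() for g in user["groups"].split(",") if g.strip()]
    if hashed and not re.fullmatch(r"[0-9a-fA-F]{32}", user["password"]):
        raise ValueError("password column is not a 16-byte NTLM hash")
    return user


def validate_import_file(text: str, separator: str = "|", hashed: bool = False):
    """Parse every non-empty line; return (users, errors) with errors keyed by line number."""
    users, errors, seen = [], {}, set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            user = parse_import_line(line, separator, hashed)
        except ValueError as exc:
            errors[n] = str(exc)
            continue
        if user["login"] in seen:   # login names must be unique in the database
            errors[n] = f"duplicate login name {user['login']!r}"
            continue
        seen.add(user["login"])
        users.append(user)
    return users, errors


# Constructed sample file: one valid hashed line (NTLM hash of "password"), one bad hash,
# one duplicate login name and one line with too few entries.
SAMPLE_FILE = (
    "jdoe|John Doe|staff,finance|jdoe@example.org|en|8846f7eaee8fb117ad06bdd830b7586c\n"
    "asmith|Anna Smith|staff|asmith@example.org|de|notahash\n"
    "jdoe|John Doe again|staff||en|8846f7eaee8fb117ad06bdd830b7586c\n"
    "short|Too few entries|staff\n"
)

if __name__ == "__main__":
    ok, bad = validate_import_file(SAMPLE_FILE, hashed=True)
    print(len(ok), "valid user(s); errors:", bad)
```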
2.4.3<br />
LDAP Synchronization<br />
The LDAP Synchronization tab looks like this:<br />
There are three sections on this tab:<br />
• LDAP Connection Details<br />
• Attribute Details<br />
• LDAP Authentication<br />
They are described in the following.<br />
LDAP Connection Details<br />
The LDAP Connection Details section looks like this:<br />
Using this section, you can configure some basic settings of the LDAP connection<br />
for the user database.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following input fields to configure this connection:<br />
• LDAP server(s)<br />
Enter the IP address of the LDAP server here.<br />
You can add the port number after a colon, e. g. 192.168.0.5:389.<br />
You can specify more than one server. In this case, separate the IP addresses<br />
by spaces.<br />
<strong>Webwasher</strong> will then try to do load balancing based on a round-robin algorithm<br />
(server configurations must be the same).<br />
• WW’s user name<br />
Enter the name here that is used by <strong>Webwasher</strong> itself to get authenticated<br />
when logging in to the LDAP server.<br />
• WW’s password<br />
Enter the password used by <strong>Webwasher</strong> here.
Attribute Details<br />
The Attribute Details section looks like this:<br />
Using this section, you can specify where the data needed for authentication<br />
should be extracted from.<br />
To do this, use the items provided in the following area:<br />
• Select where attributes originate<br />
Authentication information can be extracted from user attributes or from<br />
the attributes of the group a user belongs.<br />
Select User or Group object to have information extracted from the corresponding<br />
attributes and specify the appropriate information using following<br />
input fields and buttons:<br />
— User<br />
Mark the checkbox provided here if you want to extract information from<br />
user attributes and specify the following information:<br />
Attributes to extract<br />
Specify the attribute or attributes that should be extracted here,<br />
separating attributes by commas.<br />
The default attribute to be extracted is cn.<br />
Concatenation string<br />
If more than one attribute is specified here, they will be concatenated<br />
using the string specified here.<br />
So, e. g. when attributes a and b are extracted and / (slash) is<br />
specified as concatenation string, then if <strong>Webwasher</strong> gets the values<br />
a1, a2, a3 for attribute a and b1 for attribute b, the output list<br />
will be as follows:<br />
a1/b1<br />
a2/b1<br />
a3/b1<br />
• Group object<br />
Mark the checkbox provided here if you want to extract information from<br />
group attributes and specify the following information:<br />
— Attributes to extract<br />
Specify the attribute or attributes that should be extracted here, separating<br />
attributes by commas.<br />
The default attribute to be extracted is cn.<br />
— Concatenation string<br />
If more than one attribute is specified here, they will be concatenated<br />
using the string specified here.<br />
So, e. g. when attributes a and b are extracted and / (slash) is specified<br />
as concatenation string, then if <strong>Webwasher</strong> gets the values a1, a2, a3<br />
for attribute a and b1 for attribute b, the output list will be as follows:<br />
a1/b1<br />
a2/b1<br />
a3/b1<br />
— Base DN to group objects<br />
Enter the Base DN (distinguishing name) for the group objects here.<br />
This is the name of the path leading to the location where the search<br />
for a group name should begin.<br />
— Group member attribute name<br />
Make sure this radio button is checked if you want to enable use of the<br />
group member attribute name and enter a name in the input field next to it<br />
in the same line.<br />
The radio button is checked by default.
The group member attribute name is the unique key of an entry for a<br />
group name stored on the authentication server.<br />
Note that the value specified for this name must be equal to the one<br />
specified under Base DN to group objects.<br />
The default name is uniquemember.<br />
— Object class for groups<br />
Specify an object class for groups here.<br />
This will limit the search for group attributes to those objects that are<br />
instances of this class.<br />
The default class name is groupofuniquenames.<br />
— Filter<br />
Check this radio button if you want to use a filter and enter a filtering term<br />
in the input field in the same line.<br />
This will limit the search for group attributes to objects with names<br />
matching the filter.<br />
• Real Name<br />
Enter the real name of the user here that will be authenticated using the<br />
attributes specified above.<br />
• E–Mail Address<br />
Enter the e-mail address of the user here that will be authenticated using<br />
the attributes specified above.<br />
• Language<br />
Enter the language here that should be used for messages to the user that<br />
will be authenticated using the attributes specified above.<br />
You can also specify a default language that will be used if no user is configured.<br />
To do this, use the drop-down list labeled as follows:<br />
— or . . . (if no mapping given or not specified for User)<br />
Select the default language for messages to the user here.<br />
LDAP Authentication<br />
The LDAP Authentication section looks like this:<br />
Using this section, you can configure where and how user entries are looked up<br />
on the LDAP server for authentication.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following input fields to configure these settings:<br />
• Base DN to user object<br />
Enter the Base DN (distinguishing name) for the user here.<br />
This is the name of the path leading to the location where the search for a<br />
user name should begin.<br />
• UID attribute name<br />
Make sure this radio button is checked if you want to enable use of the UID<br />
attribute name and enter a name in the input field next to it in the same<br />
line.<br />
The radio button is checked by default.<br />
The UID attribute name is the unique key of an entry for a user name stored<br />
on the authentication server.<br />
• Filter<br />
Check this radio button if you want to use a filter and enter a filtering term<br />
in the input field in the same line.<br />
This will limit the search for user attributes to objects with names matching<br />
the filter.
2.4.4<br />
Backup & Restore<br />
The Backup & Restore tab looks like this:<br />
There is one section on this tab:<br />
• Backup & Restore<br />
It is described in the following.<br />
Backup & Restore<br />
The Backup & Restore section looks like this:<br />
It allows you to download a user database file and to restore it.<br />
Use the following items to do this:<br />
• Download User Database File<br />
Click on this button to download the current user database file.<br />
• Restore configuration from file<br />
To restore a configuration with a particular user database file, enter the file<br />
name in this input field or browse to it using the Browse button next to<br />
this field.<br />
Then click on Restore to restore the configuration.<br />
2.5<br />
Authentication Server<br />
The Authentication Server options are invoked by clicking on the corresponding<br />
button under User Management:<br />
The options are arranged under the following tab:<br />
They are described in the upcoming section:<br />
• Authentication Server, see 2.5.1<br />
2.5.1<br />
Authentication Server<br />
The Authentication Server tab looks like this:<br />
At the top of this tab, there is a button labeled:<br />
• Define Authentication Options<br />
Click on this button to configure some general options relating to authentication.<br />
This will open a window where you can specify the appropriate<br />
information.<br />
The options of this window are described in 5.2.3.<br />
Furthermore, there are five sections on this tab:<br />
• Authentication Server Settings<br />
• Authentication Process<br />
• NTLM and NTLM-Agent Authentication Options<br />
• User Database Authentication Options<br />
• Propagate Authentication Options<br />
They are described in the following.<br />
Authentication Server Settings<br />
The Authentication Server Settings section looks like this:<br />
Using this section, you can enable the authentication server and configure a<br />
port on this server, as well as some additional settings for it. More settings can<br />
be configured in the remaining sections of the Authentication Server tab.<br />
The authentication server is used for performing the transparent authentication<br />
of users. Configuring this kind of authentication involves several sections and<br />
tabs of the Web interface. A description of this is given in the Transparent<br />
Authentication subsection below.<br />
If you want to use the authentication server, make sure the checkbox next to<br />
the section heading is marked.<br />
After modifying this setting or any other setting in this section, click on Apply<br />
Changes to make these settings effective.<br />
Use the following items to configure the authentication server:<br />
• Port<br />
In this input field, specify the port used on the authentication server. The<br />
input format is:<br />
[IP]: port<br />
The default port number is 9094.<br />
• Use SSL<br />
Make sure this checkbox is marked if you want to use SSL encryption for<br />
communication with the authentication server. The checkbox is marked by<br />
default.<br />
This will protect your password against being intercepted during the authentication<br />
process. Without SSL, basic authentication sends the credentials only base64<br />
encoded, i. e. effectively in clear text. Your password is also protected, even without SSL<br />
encryption, if you configure use of the <strong>Webwasher</strong> user database with integrated<br />
authentication.
This can be done in the Authentication Process and User Database<br />
Authentication Options sections on this tab.<br />
Configuring NTLM or the NTLM Agent in the Authentication Process<br />
section and integrated authentication in the section labeled NTLM and<br />
NTLM-Agent Authentication Options will protect your password in the<br />
same way.<br />
• Append parameter to avoid redirection loops<br />
Make sure this checkbox is marked if you want to append the parameter.<br />
The checkbox is marked by default.<br />
This will help avoid redirection loops in situations like the following: The<br />
browser requests URL A. The ICAP server sends a redirect to B and the<br />
authentication server sends another redirect to A. Firefox treats this as an<br />
endless loop and stops the request, while Internet Explorer does not<br />
recognise it.<br />
<strong>Webwasher</strong> appends a dummy parameter to A by default, which will end<br />
the loop: A->B->A2. The parameter is removed, however, in REQMOD<br />
communication.<br />
• Authentication expires after ... seconds<br />
In the input field provided here, enter the time interval (in seconds) that an<br />
authentication is to last. The default interval is 120 seconds.<br />
After the interval configured here has expired, the ICAP server will send<br />
another redirect for the next request, in order to renew the mapping and<br />
the authentication interval.<br />
The disadvantage of configuring a longer interval here is that a change of<br />
user on one system, or a new assignment of the IP address to another system<br />
by DHCP, will not be recognized until the interval expires, which makes the<br />
mapping less accurate. On the other hand, smaller intervals lead to frequent redirects.<br />
Transparent Authentication<br />
The following subsection provides you with some general information on the<br />
method of transparent authentication and describes a configuration procedure<br />
to set up this method on <strong>Webwasher</strong>.<br />
At the end some notes are given providing additional information.<br />
General Information<br />
The transparent authentication method can be configured as one of several<br />
methods to retrieve user credentials and authenticate users based on these<br />
credentials. It is usually incorporated in the process of mapping users to particular<br />
policies.<br />
Transparent authentication relies on a mapping between IP addresses and<br />
users, whereas other methods map users and connections or requests. With<br />
this address-based method, however, it is not possible to distinguish between<br />
multiple users on a single system. The user names can be searched for in the<br />
<strong>Webwasher</strong> user database, which has been provided for this purpose, or on<br />
an LDAP or NTLM server.<br />
Configuring transparent authentication may be appropriate in a situation where<br />
there is no proxy in your configuration, but you still want to have authentication<br />
or policy mapping, or where there is a proxy, but it is not capable of performing<br />
the demanded authentication method.<br />
<strong>Configuration</strong> Procedure<br />
Configuring transparent authentication involves two kinds of steps:<br />
• Steps that are required to configure the authentication server –<br />
These include configuring the settings of the Authentication Server Settings<br />
section, i. e. the section described above.<br />
• Steps that are required to configure a policy mapping rule – These<br />
steps are required because transparent authentication is usually configured<br />
within the process of policy mapping. They need to be performed<br />
even if the intention is to configure only authentication and no policy mapping.<br />
Both kinds of steps are described in the following.
Configuring the authentication server – This part of the procedure begins<br />
with going to the Authentication Server tab under User Management ><br />
Authentication Server, i. e. to the tab described in this section, and<br />
configuring the settings of the Authentication Server Settings section.<br />
It is continued by configuring the settings of the remaining sections on this tab.<br />
To get more detailed information about a setting, click on the question mark in<br />
the corresponding section.<br />
To configure the authentication server proceed as follows:<br />
1. Use the Authentication Server Settings section to enable the authentication<br />
server and to configure a port on it, as well as some additional<br />
parameters:<br />
• Make sure the checkbox next to the section heading is marked. This<br />
is required to have the authentication server enabled.<br />
• In the Port input field, specify the port used on the authentication<br />
server.<br />
• Make sure the Use SSL checkbox is marked.<br />
Clear it if you want to do without SSL encryption.<br />
• In the input field labeled Transparent authentication expires after<br />
... seconds, enter an interval (in seconds).<br />
2. In the Authentication Process section, select an authentication method<br />
from the first drop-down list provided here.<br />
You may also select one of the other methods in second position. A further<br />
option is to mark the checkbox labeled Use login page to get credentials,<br />
and then, which enables the use of a login page.<br />
3. According to the method you selected under Authentication Process,<br />
configure the corresponding options in the NTLM and NTLM-Agent Authentication<br />
Options or the User Database Authentication Options<br />
section.<br />
Configuring a policy mapping rule – This part of the procedure will configure<br />
the settings required for a policy mapping rule that includes the use of the<br />
transparent authentication method.<br />
To get more detailed information about a setting, click on the question mark in<br />
the corresponding section.<br />
To configure a policy mapping rule including transparent authentication, proceed<br />
as follows:<br />
1. Go to the Web Mapping tab under User Management > Policy Mapping.<br />
2. Use the Mapping Process section to configure a rule for Web mapping.<br />
Select User Name and map directly if you want to configure a policy<br />
intended for a single user, or Group Name and map directly for a policy<br />
based on the membership of a user in a particular group.<br />
3. Click on the Edit rules and options button. This will take you to the<br />
User based Mapping tab.<br />
4. In the User Name Location section, select Transparent Authentication<br />
from the drop-down list labeled Extract user information from.<br />
5. From the drop-down list labeled Accepted Authenticated methods,<br />
select a method, e. g. Local, or Any to allow all methods.<br />
6. In the Add Rule section, add a rule for policy mapping.<br />
A rule that might be added here is default = *, which will allow all authenticated<br />
users.<br />
To specify this rule, select default from the drop-down list of policies provided<br />
here and enter an * in the input field next to it. Then click on the<br />
Add first button to add this rule to the list.<br />
Notes<br />
The following should be kept in mind when configuring transparent authentication:<br />
• POST requests will fail when the ICAP server sends a redirect to the authentication<br />
server, which is only done, however, for the renewal of a mapping.<br />
This is because for the browser the request was successful and the POST<br />
body will not be sent again after the final redirect.<br />
• When authentication is done on a server, which is the authentication server<br />
in this case, over a proxy connection, Internet Explorer will not send the<br />
credentials.<br />
The following might be configured as a workaround here:<br />
— Use a login page for authentication.<br />
— Configure Internet Explorer not to use a proxy for the authentication<br />
server. This means that if <strong>Webwasher</strong> has been set up as a cluster, all<br />
IP addresses must be excluded.<br />
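The following is an added example, written for this guide to illustrate the mechanism described in this subsection; it is not <strong>Webwasher</strong> code. It models the IP-to-user mapping that expires after the configured interval, the redirect to the authentication server with the dummy parameter that turns A->B->A into A->B->A2, the POST case from the notes above, and the fact that two people behind one address cannot be told apart. Port 9094 is the documented default; the host name, the parameter name ww_noloop, the class and function names and the sample addresses are assumptions made for the example.<br />

```python
"""Model of transparent (IP-based) authentication as described above.

Illustrative model written for this guide, not Webwasher code. 9094 is the
documented default port; the host name, the parameter name, the class and
function names and the sample addresses are assumptions made for the example.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_SERVER = "https://gateway.example:9094/"   # assumed host; 9094 is the default port
DEFAULT_INTERVAL = 120                           # "Authentication expires after ... seconds"
LOOP_BREAK_PARAM = "ww_noloop"                   # assumed name of the dummy parameter


@dataclass
class Mapping:
    user: str
    expires_at: float


@dataclass
class TransparentAuthModel:
    interval: int = DEFAULT_INTERVAL
    append_parameter: bool = True
    table: dict = field(default_factory=dict)    # client IP -> Mapping

    def lookup(self, ip, now):
        """Current user for an address, or None if unmapped or expired."""
        m = self.table.get(ip)
        if m is None or m.expires_at <= now:
            return None
        return m.user

    def on_request(self, ip, method, url, now):
        """Decision taken on the ICAP side for one client request.

        Returns ("pass", user) while a valid mapping exists. Otherwise the
        client is sent to the authentication server: ("redirect", location),
        or ("post_lost", location) when a POST hits an expired mapping, since
        the browser follows the final redirect with a GET and does not resend
        the body (the renewal case from the notes above).
        """
        user = self.lookup(ip, now)
        if user is not None:
            return ("pass", user)
        location = AUTH_SERVER + "?" + urlencode({"return": self._loop_safe(url)})
        if method.upper() == "POST" and ip in self.table:
            return ("post_lost", location)
        return ("redirect", location)

    def on_authenticated(self, ip, user, now):
        """Result from the authentication server: (re)create the mapping.

        Only the address is recorded, so a second person on the same system,
        or another system that receives this address from DHCP, inherits the
        mapping until it expires. That is the trade-off behind the interval.
        """
        self.table[ip] = Mapping(user, now + self.interval)

    def _loop_safe(self, url):
        """Return A2: A with the dummy parameter, so A->B->A2 ends the loop."""
        if not self.append_parameter or already_redirected(url):
            return url
        sep = "&" if urlparse(url).query else "?"
        return f"{url}{sep}{LOOP_BREAK_PARAM}=1"


def already_redirected(url):
    """True for the A2 form, i.e. the URL already carries the dummy parameter."""
    return LOOP_BREAK_PARAM in parse_qs(urlparse(url).query)


if __name__ == "__main__":
    model = TransparentAuthModel()
    print(model.on_request("10.0.0.5", "GET", "http://a.example/page", now=1000))
    model.on_authenticated("10.0.0.5", "alice", now=1001)
    print(model.on_request("10.0.0.5", "GET", "http://a.example/page", now=1050))
    # a second person on the same address is still seen as alice
    print(model.on_request("10.0.0.5", "GET", "http://b.example/", now=1100))
    # mapping expired (1001 + 120): a POST is redirected and its body is lost
    print(model.on_request("10.0.0.5", "POST", "http://a.example/form", now=1121))
```

The walk-through at the end of the block shows the first redirect, the request passed while the mapping is valid, the second person on the same address inheriting the mapping, and the POST lost on renewal. Changing interval trades the accuracy of the mapping against the number of redirects, as described under Authentication expires after ... seconds.<br />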
Authentication Process<br />
The Authentication Process section looks like this:<br />
Using this section, you can configure where users are authenticated. You can<br />
also configure the use of a login page for retrieving user credentials.<br />
The login page is a template, which is stored in the conf\errors folder of the<br />
<strong>Webwasher</strong> program files. You can create different language versions of this<br />
template.<br />
Note that to configure a method for selecting the appropriate language template<br />
you can only select methods that are available before the authentication<br />
process. These methods are IP and Browser. They are configured in the<br />
Language Selection section of the Languages tab under User Management<br />
> Languages.<br />
The authentication process may involve an LDAP or NTLM server, a Radius<br />
server, or the User Database provided by <strong>Webwasher</strong>.<br />
Furthermore, there is also an option for configuring the use of a Novell eDirectory<br />
server, which will then take the role of an LDAP server, in order to<br />
authenticate users.<br />
On this server, information is stored about the IP addresses of authenticated<br />
users, which can be extracted and used by <strong>Webwasher</strong> for the authentication<br />
process.<br />
The name of the field where the IP address of a user is stored is<br />
NetworkAddress. The port number can be stored there with the address.<br />
The field is in binary format, which means that no wildcard queries can be performed<br />
for user addresses. Instead, <strong>Webwasher</strong> periodically polls the eDirectory<br />
to retrieve the addresses of the users that logged in since the last request.<br />
The structure of this search is reflected in a filtering term, which is configured<br />
together with the settings for the LDAP method, see further below.<br />
Make sure the NetworkAddress field is visible when the user information is<br />
looked at via the LDAP server interface. Otherwise, <strong>Webwasher</strong> will not be<br />
able to extract the information.<br />
You can configure one or two methods of user authentication. They are applied<br />
in the order you specify them. A user is successfully authenticated as soon as<br />
one of the configured methods produces a match.<br />
After selecting a method, you can specify further settings that are relevant to<br />
this method in other sections of this tab, and in the window that appears after<br />
clicking on the Define Authentication Options button in the top area of this<br />
tab.<br />
For the NTLM and NTLM-Agent methods, this can be done in the NTLM and<br />
NTLM-Agent Authentication Options section, and for the User Database<br />
method in the Userdatabase Authentication Options section. Both these<br />
sections are on this tab.<br />
For the LDAP method, there is the LDAP Authentication section in the Define<br />
Authentication Options window, where you also find the Radius Authentication<br />
section for the Radius server method.<br />
If you select eDirectory as method, you can also configure the use of a filter<br />
for searching the user information that is needed in the authentication process.<br />
This is done in the Novell eDirectory IP Filter input field, which is provided<br />
in the LDAP Authentication section of the Define Authentication Options<br />
window.<br />
A filtering term has been entered in this field, which should not be altered since<br />
this will prevent <strong>Webwasher</strong> from extracting the appropriate user information.<br />
The name of the storage field on the eDirectory server has also been preconfigured<br />
as one of the additional settings of the LDAP method and should likewise<br />
not be altered.<br />
Furthermore, you can configure the eDirectory option as part of the Web mapping<br />
process. There will be a lookup of these addresses then on the eDirectory<br />
server before they are mapped to security policies configured within <strong>Webwasher</strong>.<br />
Use the Mapping Process section on the Web Mapping tab under User<br />
Management > Policy Mapping to configure these settings.<br />
After specifying the appropriate settings here, click on Apply Changes to<br />
make them effective.
Use the following checkbox and drop-down lists to configure methods for user<br />
authentication:<br />
• Use login page to get credentials, and then<br />
Mark this checkbox to have a login page presented to a user for entering<br />
the user credentials. After this has been completed, the authentication<br />
process will begin, using the methods configured below.<br />
The login page will be presented when the user tries to get authenticated<br />
for the first time and whenever the authentication interval has expired.<br />
If no login page is used, user credentials need to be submitted only when<br />
authentication is requested by a user for the first time, or, with integrated<br />
authentication on Windows, not at all. These methods are not less secure<br />
than using a login page, but are clearly more convenient.<br />
• Authentication process methods list 1<br />
Select a method for user authentication from this drop-down list. If you<br />
select an additional method from the second list, they are applied according<br />
to their order. If the first method fails, a user may still be authenticated by<br />
the second.<br />
The following methods are available: NTLM, NTLM Agent, LDAP, eDirectory,<br />
User Database and Radius.<br />
• Authentication process methods list 2<br />
Select a method for user authentication in the same way as described<br />
above from this drop-down list. You may also select None here, and have<br />
just one method for authenticating users.<br />
NTLM and NTLM-Agent Authentication Options<br />
The NTLM and NTLM-Agent Authentication Options section looks like<br />
this:<br />
Using this section, you can configure options for an authentication method that<br />
performs an NTLM lookup in order to authenticate users.<br />
NTLM is an authentication method used by Microsoft browsers, proxies and<br />
servers. It is more secure than basic authentication because the user password is<br />
not transmitted as plain text.<br />
The user of the NT domain is a member of several domain groups. The ICAP<br />
server can use these groups to do the policy mapping. A list of groups must<br />
be provided by the ICAP client.<br />
Only Internet Explorer supports NTLM for this kind of configuration, but there<br />
are additional utilities available for other browsers, such as Mod_NTLM for<br />
Apache, or MSNT for Squid.<br />
If you want to do NTLM authentication on an operating system other than Windows,<br />
you can use an agent application, called the NTLM Agent, to enable<br />
this. The settings configured here will apply also for the agent application.<br />
There is a basic and an integrated method of authenticating users.<br />
With basic authentication, the browser sends the user name and password<br />
as plain text (less secure) to <strong>Webwasher</strong>, which plays the role of the client to<br />
exchange authentication messages with the authentication server, so <strong>Webwasher</strong><br />
uses the NTLM method to authenticate the user.<br />
Integrated authentication uses a challenge-response exchange between the client browser<br />
and the authentication server, so the password itself is never sent. In this situation,<br />
<strong>Webwasher</strong> acts as the proxy server and forwards authentication server messages to the client.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following items to configure this kind of authentication:<br />
• Enable integrated authentication<br />
Enable this option to use the integrated authentication method.<br />
• Enable basic authentication<br />
Enable this option to use the basic authentication method and enter the<br />
default domain used for basic authentication in the input field provided here.<br />
This is the default option.<br />
• Select what groups to get from Domain Controller<br />
From the drop-down list provided here, select what groups should be<br />
fetched from the domain controller: Global, Local or both.
User Database Authentication Options<br />
The User Database Authentication Options section looks like this:<br />
This section allows you to configure the method used for authentication with<br />
the <strong>Webwasher</strong> user database. This method can be either integrated or basic<br />
authentication.<br />
With basic authentication, the client puts together user name and password<br />
and sends them as a base64 encoded request header to the corresponding<br />
destination, i. e. the proxy, the server, etc. Base64 is an encoding, not<br />
encryption, so anyone able to read the connection can recover the password.<br />
<strong>Webwasher</strong> then uses the information stored in the user database to authenticate the<br />
user.<br />
Integrated authentication is a challenge and response method that does not<br />
allow the password to be recovered from a sniffed connection during the authentication<br />
process. The response is computed from the password hash and two random values,<br />
one chosen by the client and one by the server. In this situation, <strong>Webwasher</strong> acts as the<br />
proxy server and forwards authentication server messages to the client.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
this setting effective.<br />
Use the following checkboxes to configure an authentication method for the<br />
<strong>Webwasher</strong> user database:<br />
• Enable integrated authentication<br />
Mark this checkbox if you want to use integrated authentication.<br />
• Enable basic authentication<br />
Make sure this checkbox is marked if you want to use basic authentication.<br />
The checkbox is marked by default.<br />
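The following added illustration, written for this guide and not taken from <strong>Webwasher</strong>, models the two methods named in this section and in the NTLM and NTLM-Agent Authentication Options section above: basic authentication, where the base64 encoded header hands the password to anyone who captures it, and a challenge-response ("integrated") exchange over a stored hash with one random value from each side, where a capture yields only the two values and the response. The hashing scheme, the function names and the sample credentials are assumptions; the real NTLM and user database exchanges differ in detail.<br />

```python
"""Basic vs. challenge-response ("integrated") authentication, modelled.

Illustration written for this guide, not Webwasher's protocol or code: the
hashing scheme, the function names and the sample credentials are assumptions.
It shows why a captured basic-auth header yields the password while a
captured challenge-response exchange does not.
"""
import base64
import hashlib
import hmac
import secrets


# --- Basic authentication: "user:password", base64 encoded, in a request header ---

def basic_auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}"


def recover_from_sniffed_basic(header_line):
    """Whoever captures the header gets the password back; base64 is not encryption."""
    token = header_line.split("Basic ", 1)[1]
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


# --- Integrated authentication: challenge-response over a stored hash ------------

def password_hash(password):
    """What the user database stores instead of the password (assumed scheme)."""
    return hashlib.sha256(password.encode()).digest()


def server_challenge():
    return secrets.token_bytes(16)          # random value chosen by the server


def client_response(pw_hash, srv_nonce, cli_nonce):
    """The client proves knowledge of the hash; neither password nor hash is sent."""
    return hmac.new(pw_hash, srv_nonce + cli_nonce, hashlib.sha256).digest()


def verify_response(stored_hash, srv_nonce, cli_nonce, response):
    expected = client_response(stored_hash, srv_nonce, cli_nonce)
    return hmac.compare_digest(expected, response)


def integrated_exchange(user_db, user, password):
    """Run the exchange; return (authenticated, what a sniffer on the wire sees)."""
    srv_nonce = server_challenge()           # 1. server -> client: challenge
    cli_nonce = secrets.token_bytes(16)      # 2. client picks its own random value
    response = client_response(password_hash(password), srv_nonce, cli_nonce)
    ok = user in user_db and verify_response(user_db[user], srv_nonce, cli_nonce, response)
    sniffed = {"user": user, "srv_nonce": srv_nonce,
               "cli_nonce": cli_nonce, "response": response}
    return ok, sniffed


def replay_fails(user_db, user, sniffed):
    """A captured response is bound to its challenge: replaying it against a
    fresh server challenge does not authenticate."""
    fresh = server_challenge()
    return not verify_response(user_db[user], fresh, sniffed["cli_nonce"], sniffed["response"])


if __name__ == "__main__":
    header = basic_auth_header("alice", "s3cret")
    print(header, "->", recover_from_sniffed_basic(header))
    db = {"alice": password_hash("s3cret")}
    ok, seen = integrated_exchange(db, "alice", "s3cret")
    wire = {k: (v.hex() if isinstance(v, bytes) else v) for k, v in seen.items()}
    print("integrated:", ok, "| on the wire:", wire)
    print("replay rejected:", replay_fails(db, "alice", seen))
```

A captured challenge and response still allow an offline guessing attack against the hash of a weak password, so the protection described here is against reading the password off the wire, not against poor passwords; Use SSL under Authentication Server Settings remains advisable for the basic and login page methods.<br />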
Propagate Authentication Options<br />
The Propagate Authentication Options section looks like this:<br />
Using this section, you can configure the propagation of information on authenticated<br />
users in a cluster. The submaster will propagate this information to the<br />
master.<br />
This way, a user that has been authenticated successfully on a site instance<br />
need not renew the authentication if redirected for any reason to another site<br />
instance.<br />
If the cluster is running in a big network and is configured in a way that there<br />
are lots of sub-masters with each of them being responsible for a sub-net, this<br />
may cause problems because IP addresses that are unique locally may not be<br />
unique in the whole cluster.<br />
For this reason, there is the option to stop propagating authenticated users at<br />
sub-master level. If propagation to the master is switched off, a sub-master will only propagate<br />
information on authenticated users to the site instances that are subscribed to<br />
it and not to its master. It will also not retrieve such information<br />
from the master.<br />
After modifying the setting configured here, click on Apply Changes to make<br />
the modification effective.<br />
Use the following checkbox to configure the propagation of user information:<br />
• Sub master propagates authenticated users up to master<br />
If this checkbox is marked, information on authenticated users will be propagated<br />
from the sub-master instance in a cluster to its master.<br />
The checkbox is marked by default.
2.6<br />
Windows Domain Membership<br />
The Windows Domain Membership options are invoked by clicking on the<br />
corresponding button under User Management:<br />
Note that these options are only available for instances of <strong>Webwasher</strong> running<br />
on UNIX systems, such as Linux or Solaris.<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Windows Domain Membership, see 2.6.1<br />
• NTLM Authentication Test, see 2.6.2<br />
2.6.1<br />
Windows Domain Membership<br />
The Windows Domain Membership tab looks like this:<br />
There is one section on this tab:<br />
• NTLM Authentication<br />
It is described in the following.<br />
NTLM Authentication<br />
The NTLM Authentication section looks like this:<br />
Using this section, you can configure an account within one or more Windows<br />
domains for an instance of <strong>Webwasher</strong> that is running on a particular system.<br />
An account like this is also known under the name of "machine account" or<br />
“computers”. It is used to forward user authentication requests received by<br />
<strong>Webwasher</strong> to the domain controller.<br />
The domain controller checks the user credentials to verify whether a particular<br />
user is an authenticated user within the domain, using the information stored<br />
in its database, and sends the result back to <strong>Webwasher</strong>.<br />
Depending on the result, a user who submitted an authentication request is<br />
allowed or denied access to the system <strong>Webwasher</strong> is running on.<br />
Note that you need to configure an individual account for every instance of<br />
<strong>Webwasher</strong> that is running on a particular system.
This is also required if the <strong>Webwasher</strong> instance is a member of a cluster in a<br />
central management or a high-availability environment since the settings described<br />
here are not distributed within the cluster.<br />
Furthermore, note again that this section and tab are only available for instances<br />
of <strong>Webwasher</strong> running on UNIX systems, such as Linux or Solaris.<br />
Use the following items to configure a <strong>Webwasher</strong> account in a Windows domain:<br />
• Windows domain name<br />
In this input field, type the name of the Windows domain that the <strong>Webwasher</strong><br />
account should be joined to.<br />
Note that you need to type the name without extension, e. g. securecomputing,<br />
instead of securecomputing.com.<br />
• <strong>Webwasher</strong> account name<br />
In this input field, type the <strong>Webwasher</strong> account name, which is the “machine”<br />
name or “computer” name of the system <strong>Webwasher</strong> is running on.<br />
Note that this name must not be longer than 15 characters.<br />
Remember that you need to specify an individual account name for every<br />
<strong>Webwasher</strong> instance and also need to repeat the procedure of configuring<br />
all the settings described here for every instance, even if it is a member of<br />
a central management or a high-availability cluster.<br />
• Overwrite existing account<br />
Mark this checkbox to have the account you are presently configuring overwrite<br />
an account that existed before under the same name.<br />
In this case, you should make sure that the existing account is actually not<br />
needed anymore.<br />
• Configured Domain Controller(s)<br />
In this input field, specify one or more domain controllers. This should be<br />
done by typing their host name or names.<br />
IP addresses may also be used here, but this could in some cases lead<br />
to problems with correctly assigning users to their domains. This means<br />
that a user would have to submit a domain name together with the usual<br />
credentials in order to be authenticated.<br />
When specifying more than one controller here, separate entries by commas.<br />
Note also that any host name you specify here must be resolvable.<br />
Note, furthermore, that <strong>Webwasher</strong> will connect only to one domain controller<br />
at a time.<br />
If more than one controller is configured, <strong>Webwasher</strong> will try to connect to<br />
the first in the list, and in case this one is down, go through the list retrying<br />
until a connection has been established successfully.<br />
• Administrator name<br />
In this input field, type the name of an administrator account that has permission<br />
to execute the configuration activities required for setting up <strong>Webwasher</strong><br />
accounts in a Windows domain.<br />
Note that the information you specify here is only used once to complete<br />
the configuration procedure and is not stored afterwards.<br />
• Password<br />
In this input field, type the password for the above administrator account.<br />
Note that also this information is only used once and not stored.<br />
• Join domain<br />
After specifying the appropriate information, click on this button to let a<br />
<strong>Webwasher</strong> account join a Windows domain.<br />
If this action was successful, a corresponding entry is added to the list of<br />
accounts, which is displayed at the bottom of the section.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using the<br />
Enter key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To filter the list output, type a filtering term in the input field at the top of the<br />
Domain column and enter it using the Enter key of your keyboard. The<br />
list will then only display entries with domain names matching this term.<br />
To edit an entry, type the appropriate information in the corresponding input<br />
field of the Domain Controller(s) column and click on Apply Changes<br />
to make the modification effective.<br />
You can edit more than one entry at a time and make the modification<br />
effective in one go.<br />
Note that you cannot edit the information in the Domain and Account<br />
columns.
The indicator in the Status column shows the status for each entry. It can<br />
take different colors, which have the following meanings:<br />
— Gray<br />
The account is joined to the domain, but so far no authentication request<br />
has been submitted through this account, so it is unclear whether<br />
it is currently possible to connect to the domain controller.<br />
The gray color is also shown when a new domain was added to the<br />
configuration, regardless of whether the red or green color was previously<br />
shown for the account.<br />
— Red<br />
The account is joined to the domain, but there is a problem with the<br />
connection to the domain controller.<br />
— Green<br />
The connection between account and domain controller is working without<br />
any problems.<br />
To remove an account from the domain it is currently joined to, use the following<br />
button, which is provided for each entry:<br />
• Leave domain<br />
Click on this button to make an account leave its configured domain.<br />
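As an added pre-flight check written for this guide (not a <strong>Webwasher</strong> tool), the following verifies the constraints stated in this section before Join domain is clicked: the domain name is given without extension, the account name is at most 15 characters, and every entry in the comma-separated controller list is a host name that resolves, with IP addresses flagged because of the domain assignment problem mentioned above. The function names and the sample values are assumptions.<br />

```python
"""Pre-flight check of the Windows Domain Membership settings described above.

Added for this guide; not a Webwasher tool. It checks the constraints the
section states (domain name without extension, account name of at most
15 characters, comma-separated domain controller names that resolve) before
the Join domain button is clicked. The function names are assumptions.
"""
import socket

MAX_ACCOUNT_NAME = 15   # limit stated for the Webwasher account ("machine") name


def parse_controllers(value):
    """Split the comma-separated Configured Domain Controller(s) field."""
    return [dc.strip() for dc in value.split(",") if dc.strip()]


def resolves(host):
    """True if the name resolves on this system (every controller name must)."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def check_domain_settings(domain, account, controllers, resolver=resolves):
    """Return a list of problems; an empty list means the settings pass."""
    problems = []
    if not domain:
        problems.append("domain name is empty")
    elif "." in domain:
        problems.append(f"domain '{domain}' must be given without extension "
                        f"(e.g. '{domain.split('.', 1)[0]}')")
    if not account:
        problems.append("account name is empty")
    elif len(account) > MAX_ACCOUNT_NAME:
        problems.append(f"account name '{account}' is {len(account)} characters, "
                        f"limit is {MAX_ACCOUNT_NAME}")
    dcs = parse_controllers(controllers)
    if not dcs:
        problems.append("no domain controller configured")
    for dc in dcs:
        if dc.replace(".", "").isdigit():
            problems.append(f"'{dc}' is an IP address; prefer a host name so users "
                            "are assigned to their domain correctly")
        elif not resolver(dc):
            problems.append(f"domain controller '{dc}' does not resolve")
    return problems


if __name__ == "__main__":
    # sample values constructed for the example
    for issue in check_domain_settings("securecomputing.com", "webwasher-gateway-01",
                                       "dc1.invalid, 10.0.0.1"):
        print("problem:", issue)
```
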
2.6.2<br />
NTLM Authentication Test<br />
The NTLM Authentication Test tab looks like this:<br />
There is one section on this tab:<br />
• NTLM Authentication<br />
It is described in the following.
NTLM Authentication<br />
The NTLM Authentication section looks like this:<br />
Using this section, you can test the settings you configured for NTLM authentication<br />
of a user in a Windows domain.<br />
If the test is passed successfully, information is displayed on the connection<br />
status, the authentication result for a given user, and the groups that this user<br />
is a member of within the domain.<br />
Use the following items to perform the authentication test:<br />
• Domain<br />
In this input field, enter the domain that the user should be authenticated<br />
for<br />
• User<br />
In this input field, enter the user name<br />
• Password<br />
In this input field, enter the password for the above user name<br />
2.7<br />
• Authenticate user<br />
After submitting information in the three fields above, click on this button to<br />
perform the authentication test.<br />
If the test was passed successfully, you will see the following information in the<br />
area below the button:<br />
• Connection status<br />
Status of the connection to the domain controller<br />
• Active DC<br />
Name of the domain controller that a connection has been established to<br />
• Authentication result<br />
Information whether the authentication process was performed successfully<br />
for the user in question<br />
• User groups<br />
Number of groups within the Windows domain that this user is a member<br />
of<br />
A list of these groups is provided below the User groups line.<br />
2.7<br />
Languages<br />
The Languages options are invoked by clicking on the corresponding button<br />
under User Management:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming section:<br />
• Languages, see 2.7.1<br />
• Import Language Pack, see 2.7.2
2.7.1<br />
Languages<br />
The Languages tab looks like this:<br />
There are three sections on this tab:<br />
• Supported Languages<br />
• Language Selection<br />
• Language Selection Parameters<br />
They are described in the following.<br />
Supported Languages<br />
The Supported Languages section looks like this:<br />
This section displays all languages that have been configured for sending messages<br />
to users of <strong>Webwasher</strong>, e. g. error messages or notifications. From<br />
these, you can select the languages that are actually used for sending messages.<br />
<strong>Webwasher</strong> will not support languages that have not been selected<br />
here.<br />
This is especially useful if you are customizing messages, but do not want to<br />
customize them in all available languages.<br />
The languages that are available for <strong>Webwasher</strong> and displayed here must have<br />
been entered in the global.ini (Windows) or global.conf (Linux/Solaris) configuration<br />
file.<br />
For a description of how to add more languages to this file, see Chapter 7,<br />
Language <strong>Configuration</strong>, of the <strong>Webwasher</strong> Reference <strong>Guide</strong>.<br />
Note that the following languages are displayed here by default: German,<br />
English, French, and Japanese. These are also the languages that user<br />
message templates are delivered for with the <strong>Webwasher</strong> software.<br />
You can implement the use of additional languages by importing sets of user<br />
message templates, known as "Language Packs", into <strong>Webwasher</strong>. Language<br />
packs are available for Italian, Spanish, Portuguese, Chinese, and Korean.<br />
Use the items on the Import Language Packs tab under User Management<br />
> Languages to import these.<br />
If you want <strong>Webwasher</strong> to support other languages than those mentioned so<br />
far, you need to provide own translations of the corresponding user message<br />
templates. For information on how to implement them within <strong>Webwasher</strong>, see<br />
also Chapter 7 of the Reference <strong>Guide</strong>.<br />
You can select more than one language here, which enables you to configure<br />
different languages for different users, e. g. with regard to their IP addresses<br />
or the security policies they have been mapped to.<br />
In the Language Selection section, you can configure methods to establish<br />
the language that is appropriate for sending messages to a particular user under<br />
particular circumstances.<br />
The Language Selection Parameters section is provided to configure settings<br />
for these methods. A configuration example is given on the online help<br />
page for this section.
After specifying the appropriate settings here, click on Apply Changes to<br />
make them effective.<br />
Use the following items to configure the supported languages:<br />
• German [de], English [en], etc.<br />
Mark the checkbox of the languages you want to be supported for user<br />
messages.<br />
The English checkbox is marked by default.<br />
Language Selection<br />
The Language Selection section looks like this:<br />
Using this section, you can configure methods to establish which language is<br />
appropriate for sending messages to a particular user.<br />
Methods are applied in the order you configure them here. If no supported<br />
language is found by applying the first method, <strong>Webwasher</strong> uses the second<br />
method in the list to look up the language, and so on. If none of the selected<br />
methods yields a supported language, the default language is used.<br />
Note that some of these methods and corresponding parameters can be configured<br />
with regard to Web or e-mail traffic only.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following items to configure methods for language selection:<br />
• Default language<br />
From this drop-down list, select the language <strong>Webwasher</strong> should use as<br />
default. By default, English is the default language.<br />
• 1.Method, 2.Method, etc.<br />
From the drop-down lists provided here, select the methods you want <strong>Webwasher</strong><br />
to apply for determining which language should be used in a message<br />
to a particular user.<br />
The method you select from the first list will be applied first, and so on.<br />
By default, only one method is selected from the first list, which is Browser,<br />
whereas no methods are selected from the remaining lists.<br />
The following methods can be selected here:<br />
— Browser<br />
<strong>Webwasher</strong> uses the browser language of a client that sent a request<br />
for sending any messages back to this client.<br />
— IP<br />
The language <strong>Webwasher</strong> uses for sending messages to a client depends<br />
on the range of IP addresses the client lies within. Languages<br />
are assigned to particular ranges in the Language Selection Parameters<br />
section.<br />
Note that this is a method for Web traffic only.<br />
— Email<br />
The language <strong>Webwasher</strong> uses for sending messages depends on particular<br />
attributes of the e-mails the messages are related to. These attributes<br />
are configured in the Language Selection Parameters section.<br />
Note that this is obviously a method for e-mail traffic only.<br />
— Policy<br />
The language <strong>Webwasher</strong> uses for sending messages depends on the<br />
policies configured for the filtering measures that caused the messages<br />
to be sent. Languages are assigned to particular policies in the Language<br />
Selection Parameters section.<br />
— LDAP<br />
The language <strong>Webwasher</strong> uses for sending messages to a client depends<br />
on the language attribute and other attributes that have been<br />
stored on an LDAP server for this client. These attributes are configured<br />
in the Language Selection Parameters section.<br />
Note that this is a method for e-mail traffic only.
— User Database<br />
The language <strong>Webwasher</strong> uses for sending messages to a particular<br />
user depends on the language configured for this user in the <strong>Webwasher</strong><br />
User Database, see 2.4.1.<br />
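The method chain described above (1.Method, 2.Method, ... with fallback to the default language) as an added illustration; this is not Webwasher code. The supported-language set, the parameter rows and the request objects are constructed sample data, and the Accept-Language header is assumed to be what the Browser method reads.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Checkboxes marked on the Supported Languages tab (constructed sample).
SUPPORTED = {"de", "en", "fr", "ja"}
DEFAULT_LANGUAGE = "en"   # "Default language" drop-down; English by default


@dataclass
class LanguageParameters:
    """One row per language in the Language Selection Parameters section."""
    ip_range: Dict[str, str] = field(default_factory=dict)         # language -> IP-Range text
    email_match: Dict[str, str] = field(default_factory=dict)      # language -> Email-Match regex
    policy_language: Dict[str, str] = field(default_factory=dict)  # policy -> Language
    user_db: Dict[str, str] = field(default_factory=dict)          # user -> User Database language


@dataclass
class Request:
    traffic: str = "web"            # "web" or "email"
    accept_language: str = ""       # assumed source for the Browser method
    client_ip: str = ""
    policy: str = ""
    user: str = ""
    email_headers: Dict[str, str] = field(default_factory=dict)


Method = Callable[[Request, LanguageParameters], Optional[str]]


def parse_accept_language(header: str) -> List[str]:
    """Language tags ordered by q-value, highest first; ties keep header order."""
    prefs = []
    for pos, part in enumerate(header.split(",")):
        part = part.strip()
        if not part:
            continue
        tag, _, param = part.partition(";")
        weight = 1.0
        param = param.strip()
        if param.startswith("q="):
            try:
                weight = float(param[2:])
            except ValueError:
                weight = 0.0          # malformed q: treat as "not acceptable"
        prefs.append((-weight, pos, tag.strip().lower()))
    return [tag for _, _, tag in sorted(prefs)]


def ip_in_range_text(ip: str, spec: str) -> bool:
    """IP-Range field: a 'start-end' range, a single address, or a comma list."""
    addr = ipaddress.ip_address(ip)
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        elif ipaddress.ip_address(item) == addr:
            return True
    return False


def method_browser(req: Request, params: LanguageParameters) -> Optional[str]:
    for tag in parse_accept_language(req.accept_language):
        primary = tag.split("-")[0]       # "de-DE" -> "de"
        if primary in SUPPORTED:
            return primary
    return None


def method_ip(req: Request, params: LanguageParameters) -> Optional[str]:
    if req.traffic != "web" or not req.client_ip:     # Web traffic only
        return None
    for lang, spec in params.ip_range.items():
        if spec and ip_in_range_text(req.client_ip, spec):
            return lang
    return None


def method_email(req: Request, params: LanguageParameters) -> Optional[str]:
    if req.traffic != "email":                        # e-mail traffic only
        return None
    for lang, pattern in params.email_match.items():
        if pattern and any(re.search(pattern, v) for v in req.email_headers.values()):
            return lang
    return None


def method_policy(req: Request, params: LanguageParameters) -> Optional[str]:
    return params.policy_language.get(req.policy)


def method_user_database(req: Request, params: LanguageParameters) -> Optional[str]:
    return params.user_db.get(req.user)


def select_language(req: Request, params: LanguageParameters, methods: List[Method]) -> str:
    """Apply the methods in configured order; first *supported* hit wins, else default."""
    for method in methods:
        lang = method(req, params)
        if lang in SUPPORTED:             # an unsupported result falls through
            return lang
    return DEFAULT_LANGUAGE


# Constructed sample configuration: a Language Selection Parameters table
# and a method order of Browser, IP, Policy, User Database.
PARAMS = LanguageParameters(
    ip_range={"de": "10.1.0.0-10.1.255.255", "fr": "10.2.0.1, 10.2.0.2"},
    email_match={"ja": r"@[^@]*\.jp$"},
    policy_language={"Sales": "fr", "Lab": "ko"},   # "ko" is not a supported language here
    user_db={"alice": "de"},
)
CHAIN: List[Method] = [method_browser, method_ip, method_policy, method_user_database]
```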
Language Selection Parameters<br />
The Language Selection Parameters section looks like this:<br />
Using this section, you can configure parameters relating to the methods of<br />
the Language Selection section.<br />
Note that some of these methods and corresponding parameters can be configured<br />
with regard to Web or e-mail traffic only.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following items to configure language selection parameters:<br />
• LDAP language attribute<br />
In the input field provided here, enter the attribute that should be searched<br />
for on the LDAP server when the LDAP method is used for selecting languages.<br />
If it can be found within the entries stored for a client on this server, <strong>Webwasher</strong><br />
will use the corresponding language for sending messages to this<br />
client.<br />
Note that this method and attribute can only be configured for e-mail traffic.<br />
Below this input field, there is a link that takes you to the Recipient LDAP<br />
Check tab, where you can configure more settings of the LDAP server.<br />
• Language<br />
This column provides a list of the languages <strong>Webwasher</strong> will select from<br />
when sending messages. To determine which language should be selected<br />
in a given situation, you configured methods in the Language Selection<br />
section.<br />
Use the input fields in the columns next to this column to configure parameters<br />
for each of these methods and with regard to each of the languages<br />
in the list:<br />
— IP-Range<br />
Enter the range of client IP addresses here that <strong>Webwasher</strong> should<br />
send messages to in a particular language. This can be done by actually<br />
entering a range of addresses (specifying its beginning and end),<br />
or a single address, or a list of addresses.<br />
Note that configuring this parameter for a language is only meaningful<br />
if you have selected IP as method in the Language Selection section<br />
and that this method works for Web traffic only.<br />
— Email-Match<br />
Enter a regular expression here that must be matched by one of the<br />
attributes of an e-mail. If there is a match, <strong>Webwasher</strong> will send messages<br />
relating to that e-mail in a particular language.<br />
Note that configuring this parameter for a language is only meaningful<br />
if you have selected Email as method in the Language Selection<br />
section and that this method obviously works for e-mail traffic only.<br />
— LDAP-Match<br />
Enter a regular expression here that must be matched by the attributes<br />
entered for a client on an LDAP server. If there is a match, <strong>Webwasher</strong><br />
will send messages to that client in a particular language. Use of this<br />
attribute is made in addition to the language attribute configured above.<br />
Note that configuring this parameter for a language is only meaningful<br />
if you have selected LDAP as method in the Language Selection<br />
section and that this method works for e-mail traffic only.
• Policy<br />
This column provides a list of the security policies that have been configured<br />
so far under <strong>Webwasher</strong>.<br />
You can configure a language for each of these policies, which will enable<br />
<strong>Webwasher</strong> to use this language for messages relating to a filtering measure,<br />
e. g. Block or Allow, that was triggered under the policy in question.<br />
Use the drop-down lists in this column to do this:<br />
— Language<br />
Select a language for each of the policies listed here from the dropdown<br />
list next to it.<br />
2.7.2<br />
Import Language Pack<br />
The Import Language Pack tab looks like this:<br />
There is one section on this tab:<br />
• Import Language Pack<br />
It is described in the following.<br />
Import Language Pack<br />
The Import Language Pack section looks like this:<br />
Using this section you can download a language pack from a Web server provided<br />
by Secure Computing and import it into <strong>Webwasher</strong>. This will enable<br />
<strong>Webwasher</strong> to display messages sent to the user, such as error and e-mail<br />
digest messages, in a language other than English.<br />
For information on how to configure the use of other languages, see the Languages<br />
tab and the corresponding online help pages.<br />
Note that the language information for French, German and Japanese is<br />
shipped with <strong>Webwasher</strong>, so no import of a language pack is required for<br />
these languages. Language packs are available for the following languages:<br />
Spanish, Portuguese, Italian, Chinese, and Korean.<br />
Before importing a language pack into <strong>Webwasher</strong>, you need to download it<br />
from the <strong>Webwasher</strong> Extranet and store it in a location within your local file<br />
system.<br />
To access the Extranet, you need a user account and password. Within the<br />
Extranet, go to Download > Language Packs to download packages for<br />
languages as required.<br />
After a language pack has been imported, the language in question is displayed<br />
in the Supported Languages section of the Languages tab. To actually enable<br />
support for it, mark the checkbox next to it and click on Apply Changes<br />
(as described in the Supported Languages subsection of 2.6.1).<br />
Use the following items to import a language pack:<br />
• Import language pack from<br />
Specify the file name of the language pack you want to import in this input<br />
field.<br />
To do this, click on the Browse button next to the field and browse to the<br />
location where you have stored the language pack file in question.<br />
• Import<br />
After browsing to the appropriate language pack file, click on this button to<br />
import it into <strong>Webwasher</strong>.
Reporting<br />
Chapter 3<br />
The functions described in this chapter are accessible over the Reporting tab<br />
of the Web interface:<br />
These functions allow you to configure the reporting features provided by <strong>Webwasher</strong><br />
such as, e. g. the viewing of live reports or log file management.<br />
The upcoming sections describe how to handle these functions. The description<br />
begins with an overview.<br />
3.1<br />
Overview<br />
The following overview shows the sections of this chapter (the overview diagram places Reporting among the chapters of the System Configuration Guide: Introduction, User Management, Reporting, Caching, Proxies, Configuration):<br />
• Overview – this section<br />
• Live Reports for policy: View Live Reports, see 3.2<br />
• Overall Reporting: Log File Management, see 3.3; View Log Files, see 3.4; Live Report Management, see 3.5; View Live Reports, see 3.6<br />
• Miscellaneous: 4-Eyes Principle, see 3.7; Deanonymization, see 3.8<br />
3.2<br />
View Live Reports (For Policy)<br />
The View Live Reports options are invoked by clicking on the corresponding<br />
button under Reporting:<br />
These are policy-dependent options, i. e. they are configured for a particular<br />
policy. When you are configuring these options, you need to specify this policy.
To do this, select a policy from the drop-down list labeled Live Reports for<br />
policy, which is located above the View Live Reports button:<br />
The options are arranged under the following tab:<br />
They are described in the upcoming section:<br />
• View Live Reports, see 3.2.1<br />
To configure overall View Live Reports options, i. e. options that are not<br />
policy-dependent, see 3.6.<br />
3.2.1<br />
View Live Reports<br />
The View Live Reports tab looks like this:<br />
There are three sections on this tab:<br />
• Policy Statistics<br />
• Policy Summary Reports<br />
• Display Options<br />
They are described in the following.<br />
Policy Statistics<br />
The Policy Statistics section looks like this:<br />
It allows you to view detailed information on the filtering activities going on<br />
under a particular policy in your corporate network.<br />
To view a particular kind of information, click on the corresponding icon (magnifying<br />
glass with paper).<br />
The following kind of information can be viewed:<br />
• Filter Statistics<br />
Shows the amount of data washed by the Advertising Filter, Privacy Filter,<br />
Security Filter and the Media Type Filter.<br />
• Category Overview<br />
Provides an overview of the number of requests made, broken down by<br />
category, as well as an overview of the number of external requests, regardless<br />
of whether they were blocked or not, and the number of blocked requests.<br />
Policy Summary Reports<br />
The Policy Summary Reports section looks like this:<br />
It allows you to view summary reports on filtering activities performed under a<br />
particular policy in your corporate network.
Different reports can be written according to the way <strong>Webwasher</strong> is configured,<br />
i. e. (1) as proxy for client communication, or (2) filtering Web requests and uploads<br />
in REQMOD communication, or (3) filtering Web downloads and e-mail<br />
messages in RESPMOD communication, or in a combination of (2) and (3).<br />
Use the following buttons to perform other activities relating to these reports:<br />
• Export All<br />
Click on this button to export all reports to an Excel format.<br />
• Reset All<br />
Click on this button to reset all reports.<br />
Display Options<br />
The Display Options section looks like this:<br />
It allows you to configure the way reports are displayed.<br />
Specify information regarding this display in the input fields described below.<br />
Then click on Apply Changes to make your settings effective.<br />
The following parameters can be configured here:<br />
• Number of displayed items<br />
Enter the appropriate number of items here. The default number is 10.<br />
• Automatically refresh after ... seconds<br />
Enter the appropriate number of seconds here. The default number is 0, i.<br />
e., no automatic refreshing.<br />
3.3<br />
Log File Management<br />
The Log File Management options are invoked by clicking on the corresponding<br />
button under Reporting:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Activate Log Files, see 3.3.1<br />
• Auto-Rotation, see 3.3.2<br />
• Auto-Deletion, see 3.3.3<br />
• Auto-Pushing, see 3.3.4<br />
• Content Reporter, see 3.3.5<br />
In addition to these descriptions, a procedure is also described for configuring<br />
the processing of <strong>Webwasher</strong> log data by SmartReporter:<br />
• Configuring Log File Processing for SmartReporter, see 3.3.6<br />
SmartReporter is a component of SmartFilter, which is another Web Gateway<br />
Security product provided by Secure Computing.
3.3.1<br />
Activate Log Files<br />
The Activate Log Files tab looks like this:<br />
There are two sections on this tab:<br />
• Activate Log Files<br />
• Custom Log Files<br />
They are described in the following.<br />
Activate Log Files<br />
The Activate Log Files section looks like this:<br />
Using this section, you can configure the writing of log files. You can also<br />
determine whether they should be written on the ICAP client or the ICAP server.<br />
Some log files can be configured for ICAP client and server, some only for the<br />
ICAP server and some only for the ICAP client.<br />
Enable the log files you want to have written by marking the corresponding<br />
checkboxes. Then click on Apply Changes to make your settings effective.<br />
To customize a log file, click on the button in the same line, which is labeled<br />
according to the log file name, e. g. Customize Audit Log.<br />
This will take you to another log, where you can configure values for customizing<br />
this log.<br />
You can also configure your own customized log files, see the Custom Log<br />
Files section below.
Custom Log Files<br />
The Custom Log Files section looks like this:<br />
Using this section, you can configure custom log files, i. e. log files of your<br />
own, which are written by customized actions.<br />
To create a custom log file, enter a name for it in the New Name input field and<br />
click Create. The custom log file will then be displayed as a new entry in a list<br />
above the input field.<br />
To configure a custom log file, use the following input field:<br />
• New Name<br />
Enter a name for the new log file in this input field. Then click on the Create<br />
button next to it.<br />
An entry for the new log file is then inserted in the custom log file list, which is<br />
displayed at the top of the section.<br />
Next to each list entry, the following button is provided:<br />
• Define Log Structure<br />
Click on this button to continue configuring the custom log file in question.<br />
This will take you to another tab, where you can specify the appropriate<br />
values.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using the<br />
Enter key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field of the Log File Name column<br />
and enter it using the Enter key of your keyboard. The list will then display<br />
only entries matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
3.3.2<br />
Auto-Rotation<br />
The Auto-Rotation tab looks like this:<br />
There is one section on this tab:<br />
• Auto-Rotation<br />
It is described in the following.<br />
Auto-Rotation<br />
The Auto-Rotation section looks like this:<br />
Using this section, you can configure the automatic rotation of log files in order<br />
to control log file growth.<br />
The oldest log files are renamed, the current log is moved, and a new log file<br />
is created.<br />
The frequency of rotation is configured separately for each log file.<br />
Make sure the checkbox next to the section heading is marked if you want to<br />
configure the options provided here.<br />
After configuring these options, click on Apply Changes to make your settings<br />
effective.<br />
Use the following items to configure overall settings for log file rotation:<br />
• Rotate daily at ...<br />
In this input field, enter the time you want the rotation to be performed each<br />
day.<br />
Specify a local time value, using the 00:00 to 23:59 time format (24 hours<br />
clock).<br />
• Rotate Log Files now<br />
Click on this button to rotate all log files immediately, regardless of the<br />
configured time schedule.<br />
Use the following items to configure settings for individual log file rotation:<br />
• Rotate if size exceeds ... MB.<br />
Enable this option and enter a size value (MB) in the input field provided<br />
here to prevent the log file in question from becoming too large. The log<br />
file will be rotated as soon as its size exceeds the configured value.<br />
The minimum size that can be specified here is 1 MB. It can be increased<br />
by single integer steps.<br />
• Rotate daily<br />
Enable this option to configure a daily rotation for the log file in question.<br />
Rotation is performed at midnight in this case.
3.3.3<br />
Auto-Deletion<br />
The Auto-Deletion tab looks like this:<br />
There is one section on this tab:<br />
• Auto-Deletion<br />
It is described in the following.<br />
Auto-Deletion<br />
The Auto-Deletion section looks like this:<br />
Using this section, you can configure the automatic deletion of log files in order<br />
to control log file growth. The frequency of deletion is configured separately<br />
for each log file.<br />
Make sure the checkbox next to the section heading is marked if you want to<br />
configure the options provided here.<br />
After configuring these options, click on Apply Changes to make your settings<br />
effective.
Use the following items to configure settings for individual log file deletion:<br />
• Keep only ... old log files at a time.<br />
Enable this option and enter the appropriate number in the input field provided<br />
here.<br />
The oldest log file will be deleted as soon as the number of log files in the<br />
log directory exceeds the configured value.<br />
If this option is enabled together with the option described below, old log<br />
files will be deleted until the configured values are reached for both options.<br />
• Keep only log files of the last ... days<br />
Enable this option and enter the appropriate number in the input field provided<br />
here.<br />
Log files older than the date specified here will be deleted.<br />
If this option is enabled together with the option described above, old log<br />
files will be deleted until the configured values are reached for both options.<br />
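The rotation triggers of 3.3.2 (size exceeded, daily at a set time) and the two Auto-Deletion options above, including the case where both are enabled, as an added worked example; this is not Webwasher code. It assumes rotated copies are tracked as (name, date) pairs and that the active log file is not among them; all file names and dates are constructed.

```python
from datetime import date, datetime, time, timedelta
from typing import List, Optional, Tuple

LogFile = Tuple[str, date]   # (file name, date the rotated copy was written)


def rotation_due(size_bytes: int, now: datetime, last_rotation: datetime,
                 rotate_if_exceeds_mb: Optional[int] = None,
                 rotate_daily_at: Optional[time] = None) -> bool:
    """True if the 'Rotate if size exceeds ... MB' or the daily trigger fires.

    rotate_if_exceeds_mb: None when the option is disabled; minimum 1 MB.
    rotate_daily_at:      None when the option is disabled; 'Rotate daily' on
                          the per-file row means midnight, i.e. time(0, 0).
    """
    if rotate_if_exceeds_mb is not None:
        if rotate_if_exceeds_mb < 1:
            raise ValueError("minimum size that can be specified is 1 MB")
        if size_bytes > rotate_if_exceeds_mb * 1024 * 1024:   # "exceeds": strictly larger
            return True
    if rotate_daily_at is not None:
        due = datetime.combine(now.date(), rotate_daily_at)
        # Fires once: the scheduled time has passed and no rotation happened since.
        if last_rotation < due <= now:
            return True
    return False


def plan_auto_deletion(rotated_logs: List[LogFile], today: date,
                       keep_count: Optional[int] = None,   # "Keep only ... old log files at a time"
                       keep_days: Optional[int] = None     # "Keep only log files of the last ... days"
                       ) -> Tuple[List[str], List[str]]:
    """Return (kept, deleted) file names for one log file's rotated copies.

    Either option may be None (unchecked). With both enabled, the oldest files
    are deleted until both limits hold: no kept file is older than keep_days
    and at most keep_count files remain.
    """
    oldest_first = sorted(rotated_logs, key=lambda f: f[1])
    deleted: List[str] = []

    if keep_days is not None:
        cutoff = today - timedelta(days=keep_days)
        # "Log files older than the date specified here will be deleted";
        # a file written exactly on the cutoff date is not older and is kept.
        deleted.extend(name for name, written in oldest_first if written < cutoff)
        oldest_first = [f for f in oldest_first if f[1] >= cutoff]

    if keep_count is not None:
        # "The oldest log file will be deleted as soon as the number of log
        # files ... exceeds the configured value": drop from the old end.
        while len(oldest_first) > keep_count:
            name, _ = oldest_first.pop(0)
            deleted.append(name)

    return [name for name, _ in oldest_first], deleted


# Constructed sample: five rotated copies of one access log as of 2024-05-10.
TODAY = date(2024, 5, 10)
ROTATED = [
    ("access.log.5", date(2024, 4, 30)),
    ("access.log.4", date(2024, 5, 5)),
    ("access.log.3", date(2024, 5, 8)),
    ("access.log.2", date(2024, 5, 9)),
    ("access.log.1", date(2024, 5, 10)),
]
```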
3.3.4<br />
Auto-Pushing<br />
The Auto-Pushing tab looks like this:<br />
If you want to configure any of the options provided on this tab, you need to<br />
mark the following checkbox:<br />
• Enable auto-pushing<br />
The options are grouped in four sections:<br />
• Common Push Target<br />
• Separate Push Targets<br />
• Push log files after rotation<br />
• <strong>System</strong> Notification<br />
They are described in the following.
Common Push Target<br />
The Common Push Target section looks like this:<br />
Using this section, you can configure log file pushing as a security feature (for<br />
backup), as well as for analyzing purposes.<br />
Log files stored on the <strong>Webwasher</strong> server can be uploaded to another HTTP,<br />
HTTPS or FTP server. This server is a common push target, i. e. all log files<br />
are uploaded there.<br />
If the upload server demands authentication, you can configure a username<br />
and password to authenticate the file upload process.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective. Note that the Enable auto-pushing checkbox at the<br />
top of this tab must also be checked for these settings to take effect.<br />
Use the following items to configure settings for pushing log files to a common<br />
target:<br />
• Upload to ... every ... hours<br />
In the first of the input fields provided here, enter the name of the upload<br />
server. The input format is:<br />
(ftp | http | https)://server[:port][/path/]<br />
In the second input field, enter a number to specify the hourly interval for<br />
pushing log files to this server.<br />
• Authentication<br />
Specify login credentials in the following two input fields, in case the upload<br />
server demands authentication:<br />
— Username<br />
User name to be submitted for authentication to the upload server<br />
— Password<br />
Password to be submitted for authentication to the upload server<br />
Separate Push Targets<br />
The Separate Push Targets section looks like this:<br />
Using this section, you can configure log file pushing as a security feature (for<br />
backup), as well as for analyzing purposes.<br />
Log files stored on the <strong>Webwasher</strong> server can be uploaded to another HTTP,<br />
HTTPS or FTP server.
Differing from the Common Push Target section described above, you can<br />
configure an individual push target, i. e. upload server, for each log file here,<br />
e. g. for the HTTP Access Log, the Security Log etc.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Note that the Enable auto-pushing checkbox at the top of this tab must also<br />
be checked for these settings to take effect.<br />
Use the following items to configure settings for pushing log files individually<br />
and to separate targets:<br />
• Upload to ... every ... hours<br />
In the first of the input fields provided here, enter the name of the upload<br />
server. The input format is:<br />
(ftp | http | https)://server[:port][/path/]<br />
In the second input field, enter a number to specify the hourly interval for<br />
pushing log files to this server.<br />
• Push Log Files Now<br />
Click on this button to push all log files to their upload servers immediately,<br />
regardless of the configured time schedule.<br />
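A validator for the Upload to ... every ... hours fields used by both the Common Push Target and the Separate Push Targets sections, as an added example (not Webwasher code). It parses the documented input format, fills in the standard default port for each scheme, and returns the review points a defender would want before enabling auto-pushing; the server names and values are constructed, and the assumption that log file names are appended to the path is mine.

```python
import re
from typing import List, NamedTuple

# (ftp | http | https)://server[:port][/path/]  -- the format given on the tab
_TARGET_RE = re.compile(
    r"^(?P<scheme>ftp|https?)://"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
    r"(?::(?P<port>\d+))?"
    r"(?P<path>/[^\s?#]*)?$",
    re.IGNORECASE,
)
DEFAULT_PORTS = {"ftp": 21, "http": 80, "https": 443}   # standard well-known ports


class PushTarget(NamedTuple):
    scheme: str
    host: str
    port: int
    path: str


def parse_push_target(text: str) -> PushTarget:
    """Validate an 'Upload to ...' value; fill in the default port and path."""
    m = _TARGET_RE.match(text.strip())
    if not m:
        raise ValueError(
            f"not of the form (ftp | http | https)://server[:port][/path/]: {text!r}")
    scheme = m.group("scheme").lower()
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[scheme]
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    path = m.group("path") or "/"
    if not path.endswith("/"):
        path += "/"      # assumption: the path is a directory; log file names are appended
    return PushTarget(scheme, m.group("host"), port, path)


def is_valid_push_target(text: str) -> bool:
    try:
        parse_push_target(text)
        return True
    except ValueError:
        return False


def parse_interval_hours(text: str) -> int:
    """The 'every ... hours' field: a positive whole number of hours."""
    text = text.strip()
    if not text.isdigit() or int(text) < 1:
        raise ValueError(f"upload interval must be a positive number of hours: {text!r}")
    return int(text)


def push_target_warnings(target: PushTarget, has_credentials: bool) -> List[str]:
    """Points to review before marking 'Enable auto-pushing'."""
    warnings: List[str] = []
    if target.scheme in ("ftp", "http"):
        note = "log files are uploaded unencrypted"
        if has_credentials:
            note += " and the Username/Password are sent in clear text"
        warnings.append(f"{target.scheme}://{target.host}: {note}; prefer an https target")
    if target.port != DEFAULT_PORTS[target.scheme]:
        warnings.append(f"non-standard port {target.port}: confirm the upload server listens there")
    return warnings
```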
Push log files after rotation<br />
The Push log files after rotation section looks like this:<br />
It allows you to configure the pushing of log files after their rotation.<br />
By default, every log file that an upload server was configured for is pushed<br />
after being rotated, either manually or automatically. This does however not<br />
apply to the errors log file. This log file is only pushed according to its upload<br />
interval.<br />
Use the following checkbox to configure log file pushing after rotation:<br />
• Push log files after rotation<br />
Check or uncheck this checkbox to have log files pushed after rotation or<br />
not.<br />
<strong>System</strong> Notification<br />
The <strong>System</strong> Notification section looks like this:<br />
It allows you to configure the sending of e-mail notifications if there was a failure<br />
in pushing log files.<br />
Use the following items to configure these notifications:<br />
• Send notification upon log file pushing failure<br />
Enable this option if you want e-mail notifications to be sent in case of a<br />
log file pushing failure.<br />
• Recipient<br />
In this input field, enter the e-mail address of the recipient the notifications<br />
should be sent to.<br />
• Edit notification mail server<br />
Click on this button to go to a tab where you can configure a mail server<br />
for processing your notifications.<br />
For a description of this window, see the Notification Settings Window<br />
subsection of 5.5.3.<br />
• Send Test Messages<br />
After configuring the sending of e-mail notifications as described above,<br />
click on this button to have test messages sent.
3.3.5<br />
Content Reporter<br />
The Content Reporter tab looks like this:<br />
There is one section on this tab:<br />
• Content Reporter<br />
It is described in the following.<br />
Content Reporter<br />
The Content Reporter section looks like this:<br />
It provides some introductory information on the <strong>Webwasher</strong> Content Reporter<br />
product.<br />
For more information on this product, see the Content Reporter Installation and<br />
<strong>Configuration</strong> <strong>Guide</strong> and the Content Reporter User’s <strong>Guide</strong> for Reporting.<br />
3.3.6<br />
Configuring Log File Processing for SmartReporter<br />
In order to have log files that were created by <strong>Webwasher</strong> processed within<br />
SmartReporter, you need to perform a number of configuration activities.<br />
SmartReporter is set up as a component during the installation of SmartFilter,<br />
which is another one of the Web Gateway Security products provided by Secure<br />
Computing.<br />
The following sections describe this setup and the configuration activities that<br />
need to be performed both on SmartReporter and on <strong>Webwasher</strong>.<br />
Setting up SmartReporter<br />
Setting up SmartReporter is a part of the SmartFilter installation procedure.<br />
When going through this procedure, you can mostly use the default settings.<br />
Note that a Windows 2000/2003 server (English language version) is required<br />
for running SmartFilter with the SmartReporter component.<br />
In order to set up SmartReporter, make sure that the following configuration<br />
activities are performed during the installation procedure:<br />
1. When installing components, make sure the following three are selected:<br />
• SmartFilter Administration Server<br />
• SmartFilter Administration Console<br />
• SmartReporter
2. Provide a user name and password for access to the SmartFilter Administration<br />
Console:<br />
3. Specify mail settings for receiving notifications with regard to all SmartFilter<br />
components:<br />
Setting up a Log Processing Account<br />
In order to have SmartReporter process the log files that are sent by <strong>Webwasher</strong>,<br />
a log processing account must be set up within SmartReporter.<br />
To do this, proceed as follows:<br />
1. Log in to SmartReporter, using the user name and password you configured<br />
when installing the SmartFilter components.<br />
2. Go to Administrator Options > <strong>System</strong> Option and select the Log<br />
Processing tab.<br />
3. In order to set up a new log processing account, click on the Add button<br />
below the second list field, which is used to display the list of existing log<br />
processing accounts.<br />
This will make the Add Log Processing Account window appear.<br />
4. In the Name field of this window, type <strong>Webwasher</strong> as account name and<br />
select <strong>Webwasher</strong> – Default Format as log format.<br />
Then provide a user name, e. g. admin, and password for access to the<br />
account.<br />
The SmartFilter administration servers will then accept log files that are<br />
sent with this logon information.
Configuring the <strong>Webwasher</strong> Access Log<br />
Finally, you need to configure the access log file format within <strong>Webwasher</strong> in<br />
order to make it correspond to the Default Format you selected as part of the<br />
SmartFilter configuration.<br />
To do this, proceed as follows:<br />
1. In the <strong>Webwasher</strong> Web interface, go to Reporting > Log File Management<br />
and select the Activate Log Files tab:<br />
On this tab, click the Customize HTTP Access Log button to make the<br />
HTTP Access Log Customizing tab appear.<br />
2. In the Log File Structure field of this tab, enter the log file structure that<br />
is needed in order to enable SmartReporter to process <strong>Webwasher</strong> log<br />
files.<br />
This structure is as follows:<br />
src_ip - auth_user time_stamp "req_line" status_code<br />
bytes_to_client "referer" "user_agent" block_res<br />
"categories"<br />
After entering the log file structure in the tab field, click on Apply Changes<br />
to make this setting effective:<br />
3. Go back to Log File Management and select the Auto-Pushing tab.<br />
Use this tab to configure the pushing of the <strong>Webwasher</strong> log files to<br />
SmartReporter.<br />
In the User Name and Password fields, which are provided under Authentication<br />
on this tab, enter the user name and password you configured<br />
in the Add Log Processing Account window of SmartReporter.<br />
A push can be performed using different protocols. To have it performed<br />
via FTP, the following must be entered in the HTTP Access Log<br />
field under Separate Push Targets:<br />
ftp://username:password@:9021
After specifying these settings, click on Apply Changes to make them<br />
effective:<br />
4. To have a push performed immediately, click on the Push Log Files Now<br />
button, which is provided at the bottom of the tab:<br />
Otherwise, you can have a push performed in certain time intervals. To<br />
configure these intervals, enter the number of hours, e. g. 3, in the every<br />
... hours field next to the HTTP Access Log field.<br />
After a push has been performed for the <strong>Webwasher</strong> log files, the corresponding<br />
data for URL categories and Web sites will be displayed by the<br />
Quick View feature within SmartReporter.<br />
Note, however, that after modifying the log file structure, a dummy access.log<br />
file is also created, which contains no data yet.<br />
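The following added example (it is not code from this guide or from the <strong>Webwasher</strong> product) parses access log lines written in the structure<br />
entered in step 2 and flags every line that does not follow it. Running such a check over a log file before the auto-push sends it<br />
is the quickest way to find out why SmartReporter shows nothing for a pushed file. The bracketed time-stamp layout, the numeric<br />
block_res values and the comma-separated category list are assumptions, and the sample lines are constructed.<br />

```python
import re
from collections import Counter

# Field order of the access log structure configured for SmartReporter:
#   src_ip - auth_user time_stamp "req_line" status_code bytes_to_client
#   "referer" "user_agent" block_res "categories"
# The time-stamp layout is not given in the guide; the bracketed form used
# below is an assumption made for the constructed sample lines.
LOG_LINE = re.compile(
    r'^(?P<src_ip>\S+) - (?P<auth_user>\S+) (?P<time_stamp>\[[^\]]*\]) '
    r'"(?P<req_line>[^"]*)" (?P<status_code>\d{3}) (?P<bytes_to_client>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" (?P<block_res>\S+) '
    r'"(?P<categories>[^"]*)"$'
)


def parse_line(line):
    """Return the record as a dict, or None if the line does not follow the structure."""
    m = LOG_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status_code"] = int(rec["status_code"])
    rec["bytes_to_client"] = 0 if rec["bytes_to_client"] == "-" else int(rec["bytes_to_client"])
    # The quoted categories field is assumed to be a comma-separated list.
    rec["categories"] = [c.strip() for c in rec["categories"].split(",") if c.strip()]
    return rec


def validate_log(lines):
    """Parse every line; return (records, malformed_line_numbers).

    Lines that do not match the configured structure are reported by their
    1-based line number so the file can be inspected before it is pushed."""
    records, bad = [], []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            bad.append(n)
        else:
            records.append(rec)
    return records, bad


def block_summary(records):
    """Count lines per block result value and per category as a quick sanity check."""
    by_result = Counter(r["block_res"] for r in records)
    by_category = Counter(c for r in records for c in r["categories"])
    return by_result, by_category


# Constructed sample lines (not taken from a real Webwasher installation);
# the third one deliberately violates the structure.
SAMPLE_LOG = [
    '10.0.0.5 - jdoe [10/Mar/2008:09:15:02 +0100] "GET http://www.example.com/index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0" 0 "Business"',
    '10.0.0.7 - asmith [10/Mar/2008:09:15:04 +0100] "GET http://ads.example.net/banner.gif HTTP/1.1" '
    '403 0 "http://www.example.com/" "Mozilla/5.0" 1 "Advertising,Marketing"',
    'this line does not follow the configured structure',
]

if __name__ == "__main__":
    recs, malformed = validate_log(SAMPLE_LOG)
    print(f"{len(recs)} valid records, malformed lines: {malformed}")
    print(block_summary(recs))
```

Every field of the structure is captured by name, so the same parser can be reused to check that the categories<br />
and block results SmartReporter later displays in its Quick View are really present in the pushed file.<br />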
3.4<br />
View Log Files<br />
The View Log Files options are invoked by clicking on the corresponding<br />
button under Reporting:<br />
The options are arranged under the following tab:<br />
They are described in the upcoming section:<br />
• View Log Files, see 3.4.1<br />
3.4.1<br />
View Log Files<br />
The View Log Files tab looks like this:
There is one section on this tab:<br />
• View Log Files<br />
It is described in the following.<br />
View Log Files<br />
The View Log Files section looks like this:<br />
It provides a list of the log files that are maintained under <strong>Webwasher</strong>. Using<br />
the icons on the right side of the list, you can view a log file, save it or delete it.<br />
On the left side of the list, there is the following column:<br />
• Log File<br />
This column lists the log file names.<br />
These may be preceded by different icons, showing whether there has<br />
been a log file rotation for the log in question or not:<br />
Unrotated – There has been no log file rotation for this log yet.<br />
You can view and save the log file listed here, but not delete it.<br />
Rotated – There has been a log file rotation for this log. You can<br />
view and save the log file listed here, but not delete it.<br />
Click on the icon to display the rotated log files.<br />
Displaying Rotated Files – After clicking on the triangle pointing<br />
to the right, this icon is displayed, while the rotated log files<br />
of this log are shown below.<br />
The rotated log files may be viewed, saved and deleted.<br />
Click on the icon to hide the rotated log files.<br />
Use the icons in the columns at the right side of the list as follows:<br />
• View<br />
Click on this icon to view a log file.<br />
• Save<br />
Click on this icon to save a log file.<br />
• Delete Rotated<br />
Click on this icon to delete a rotated log file.
3.5<br />
Live Report Management<br />
The Live Report Management options are invoked by clicking on the corresponding<br />
button under Reporting:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Report Activation, see 3.5.1<br />
• Load Reports, see 3.5.2<br />
• Anonymization, see 3.5.3<br />
3.5.1<br />
Report Activation<br />
The Report Activation tab looks like this:<br />
There are two sections on this tab:<br />
• Summary Report Activation<br />
• Summary Report Actions<br />
They are described in the following.
Summary Report Activation<br />
The Summary Report Activation section looks like this:<br />
Using this section, you can configure the writing of summary reports.<br />
Different reports can be written according to the way <strong>Webwasher</strong> is configured:<br />
• (1) as proxy for client communication, or (2) filtering Web requests and<br />
uploads in REQMOD communication, or (3) filtering Web downloads and<br />
e-mail messages in RESPMOD communication, or in a combination of (2)<br />
and (3).<br />
Enable the reports you want to have written by marking the corresponding<br />
checkboxes. Then click on Apply Changes to make your settings effective.<br />
The activities covered by the individual reports are as follows (*** indicate<br />
reports that are only written to the ICAP client):<br />
• Top Attributes by Bytes Transferred***<br />
Shows the amount of bandwidth consumed by the categories/blocked categories<br />
(depending on the configuration).<br />
• Top Attributes by Number of Requests***<br />
Shows the number of hits to the categories/blocked categories.<br />
• Top Blocked Categories by Number of Requests<br />
Shows the number of hits to already-blocked categories.<br />
• Top Categories by Bytes Transferred<br />
Shows the amount of bandwidth consumed from accesses to blocked and<br />
unblocked categories.<br />
• Top Categories by Number of Requests<br />
Shows the number of hits to the top categories.<br />
• Top Destinations by Bytes Transferred<br />
Shows the amount of bandwidth consumed by accesses to the top hosts.<br />
• Top Destinations by Number of Requests<br />
Shows the number of hits to these hosts.<br />
• Top E-Mail Attributes by Bytes Transferred<br />
Shows the amount of bandwidth consumed by the categories/blocked categories<br />
of the e-mail.<br />
• Top E-Mail Attributes by Number of Sections***<br />
Shows the number of sections of e-mail attributes.
• Top E-Mail Policies by Bytes Transferred***<br />
Shows the amount of bandwidth consumed by the top e-mail policies.<br />
• Top E-Mail Policies by Number of Messages***<br />
Shows the number of messages sent to/from the top e-mail policies.<br />
• Top Media Types by Bytes Transferred<br />
Shows the amount of bandwidth consumed by accesses to the different<br />
media types (not including their extension).<br />
• Top Media Types by Number of Requests<br />
Shows the number of hits on these media types.<br />
• Top Policies by Bytes Transferred<br />
Shows the amount of bandwidth consumed by access to blocked and unblocked<br />
e-mail categories.<br />
• Top Policies by Number of Requests<br />
Shows the number of hits based on policy.<br />
• Top Recipients by Bytes Transferred<br />
Shows the amount of bandwidth consumed by the top recipients of e-mail<br />
messages and/or spam.<br />
• Top Recipients by Number of Messages***<br />
Shows the number of messages sent to the top recipients.<br />
• Top Sender IPs by Bytes Transferred***<br />
Shows the amount of bandwidth consumed by the top sender IP addresses<br />
for e-mail messages and/or spam.<br />
• Top Sender IPs by Number of Messages***<br />
Shows the number of messages sent by the top sender IP addresses.<br />
• Top Senders by Bytes Transferred***<br />
Shows the amount of bandwidth consumed by the top senders of e-mail<br />
messages and/or spam.<br />
• Top Senders by Number of Messages***<br />
Shows the number of messages sent by the top senders.<br />
• Top Source IPs by Bytes Transferred<br />
Shows the amount of bandwidth consumed by the top sender source IP<br />
addresses for e-mail messages and/or spam.<br />
• Top Source IPs by Number of Requests<br />
Shows the number of messages sent by the top source IP addresses.<br />
• Top Spam Recipients***<br />
Shows the top recipients of spam.<br />
• Top Spam Sender IPs***<br />
Shows the top spam sender IP addresses.<br />
• Top Spam Senders***<br />
Shows the top spam senders.<br />
• Top Top-Level Domains by Bytes Transferred<br />
Shows the amount of bandwidth consumed by accesses to the top-level<br />
domains, e.g. .de, .com, .net, .ca.<br />
• Top Top-Level Domains by Number of Requests<br />
Shows the number of hits made to these domains.<br />
• Top Users by Bytes Transferred<br />
Shows the amount of bandwidth consumed by users accessing the Internet.<br />
• Top Users by Number of Requests<br />
Shows the number of hits based on users.
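As an added illustration of what the summary reports listed above count (this is not code from the guide or from<br />
<strong>Webwasher</strong>), the following ranks destinations, top-level domains and users by bytes transferred and by number of requests<br />
from constructed, already-parsed access records, and writes a ranking in the delimiter-separated form that the export<br />
action described under Summary Report Actions produces for Excel. The record layout, the n parameter (ten items in the<br />
Web interface, up to 500 in an export) and the delimiter argument are assumptions.<br />

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed, already-parsed access records: user, requested URL, bytes sent
# to the client and whether the request was blocked. Not from a real installation.
RECORDS = [
    {"user": "jdoe", "url": "http://www.example.com/index.html", "bytes": 5120, "blocked": False},
    {"user": "jdoe", "url": "http://www.example.com/logo.png", "bytes": 20480, "blocked": False},
    {"user": "asmith", "url": "http://ads.example.net/banner.gif", "bytes": 0, "blocked": True},
    {"user": "asmith", "url": "http://news.example.de/top.html", "bytes": 8192, "blocked": False},
    {"user": "bwong", "url": "http://news.example.de/sport.html", "bytes": 4096, "blocked": False},
]


def destination(rec):
    """Group key for the 'Top Destinations' reports: the host of the requested URL."""
    return urlsplit(rec["url"]).hostname or ""


def top_level_domain(rec):
    """Group key for the 'Top Top-Level Domains' reports, e.g. '.de' or '.com'."""
    host = destination(rec)
    return "." + host.rsplit(".", 1)[-1] if "." in host else ""


def user(rec):
    """Group key for the 'Top Users' reports."""
    return rec["user"]


def top_n(records, key, measure="requests", n=10, blocked_only=False):
    """Rank groups by number of requests or by bytes transferred.

    key maps a record to its group; blocked_only restricts the ranking to
    blocked requests, as the 'Top Blocked Categories' report does for categories."""
    if measure not in ("requests", "bytes"):
        raise ValueError("measure must be 'requests' or 'bytes'")
    totals = defaultdict(int)
    for rec in records:
        if blocked_only and not rec["blocked"]:
            continue
        totals[key(rec)] += rec["bytes"] if measure == "bytes" else 1
    # Highest value first; ties are broken by name so the output is stable.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def export_csv(rows, header, delimiter=","):
    """Write a ranked list in the delimiter-separated form used for Excel import.

    delimiter plays the role of the single-character 'Cells are separated by'
    setting; anything longer is rejected, as the Web interface requires."""
    if len(delimiter) != 1:
        raise ValueError("delimiter must be a single character")
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=delimiter, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(export_csv(top_n(RECORDS, destination, "bytes"), ["Destination", "Bytes"], "\t"))
    print(export_csv(top_n(RECORDS, top_level_domain), ["TLD", "Requests"]))
```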
Summary Report Actions<br />
The Summary Report Actions section looks like this:<br />
Using this section, you can export and reset summary reports.<br />
The following items are provided for performing these activities:<br />
• Export global summary reports<br />
Enable this option to export all global summary reports to an Excel-readable<br />
format (CSV).<br />
This can be useful for further processing, such as representation in a pie chart<br />
format, or for being able to view all the (up to 500) report items, rather<br />
than the top ten shown in the Web interface.<br />
If you would like to change the single-character delimiter (e.g. to a tab,<br />
or comma) between cells in Excel, this must be done manually in the<br />
global.ini/conf file. In the [LogFiles] section, there is an entry called<br />
ExcelSeparateChar= where you can change the character as desired.<br />
• Export summary reports for all available policies<br />
Enable this option to export the global summary reports as well as all current<br />
policy reports.<br />
• Cells are separated by<br />
In this input field, enter the delimiter you want to use between cells in Excel.<br />
This must be a single character, e. g. a comma.<br />
• Export<br />
Click on this button to export reports according to the options configured<br />
above.<br />
• Reset global summary reports<br />
Enable this option to reset all global summary reports. This will not reset<br />
the report refresh rate.<br />
• Reset summary reports for all policies<br />
Enable this option to reset the global summary reports as well as all current<br />
policy reports.<br />
• Reset<br />
Click on this button to reset reports according to the options configured<br />
above.<br />
3.5.2<br />
Load Reports<br />
The Load Reports tab looks like this:<br />
There is one section on this tab:<br />
• Enable Load Reports<br />
It is described in the following.
Enable Load Reports<br />
The Enable Load Reports section looks like this:<br />
Using this section, you can configure the <strong>Webwasher</strong> load reports.<br />
These reports show the load on the various connections established for <strong>Webwasher</strong>,<br />
e. g. the connection between HTTPS clients and proxy, proxy and<br />
server, etc.<br />
To view the reports, go to the <strong>Webwasher</strong> Load section on the View Load<br />
tab under View Live Reports for overall reporting, see 3.6.2.<br />
To enable load reports for a particular connection type, use the connection type<br />
list, which is labeled:<br />
• Count load for connections between<br />
Mark the checkbox next to the connection type you want to enable load<br />
reports for, e. g. HTTP clients – HTTP proxy. You can enable load<br />
reports for more than one connection type.<br />
Then click on Apply Changes to make your settings effective.<br />
3.5.3<br />
Anonymization<br />
The Anonymization tab looks like this:<br />
There is one section on this tab:<br />
• Anonymization<br />
It is described in the following.<br />
Anonymization<br />
The Anonymization section looks like this:<br />
It allows you to anonymize user names in top ten live reports.<br />
You can decrypt anonymized strings using the Deanonymization section<br />
on the tab with the same name, see 3.8.1. To go to this tab, click on the<br />
Deanonymization link provided above this section.
Use the following options to enable the anonymization of user names:<br />
• Anonymize Web Reports<br />
Enable this option to anonymize user names in reports on Web communication.<br />
• Anonymize Mail Reports<br />
Enable this option to anonymize user names in reports on e-mail communication.<br />
3.6<br />
View Live Reports (Overall Reporting)<br />
The View Live Reports options for overall reporting are invoked by clicking<br />
on the corresponding button under Reporting:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• View Live Reports, see 3.6.1<br />
• View Load, see 3.6.2<br />
• <strong>System</strong> Statistics, see 3.6.3<br />
3.6.1<br />
View Live Reports<br />
The View Live Reports tab looks like this:<br />
There are three sections on this tab:<br />
• Overall Statistics<br />
• Overall Summary Reports<br />
• Display Options<br />
They are described in the following.<br />
Overall Statistics<br />
The Overall Statistics section looks like this:<br />
It allows you to view detailed information on the overall filtering activities going<br />
on in your corporate network, i. e. regardless of any particular policy.
To view a particular kind of information, click on the corresponding icon (magnifying<br />
glass with paper).<br />
The following kind of information can be viewed:<br />
• Filter Statistics<br />
Shows the amount of data washed by the Advertising Filter, Privacy Filter,<br />
Security Filter and the Media Type Filter.<br />
• Category Overview<br />
Provides an overview of the number of requests made, broken down by<br />
category, as well as an overview of the number of external and the number<br />
of blocked requests, regardless of whether they were blocked or not.<br />
• ICAP Server Statistics<br />
Shows the overall per client number of REQMOD, RESPMOD, OPTIONS<br />
and PROFILE requests and ICAP responses.<br />
• ICAP Clients Statistics<br />
Shows the overall per server number of REQMOD, RESPMOD, OPTIONS<br />
and PROFILE requests and the status of the server.<br />
• SMTP Statistics<br />
Shows the overall number of sent and received e-mail messages as well<br />
as the amount of data transferred (in KB), maximum and average mail size<br />
(KB) and the maximum and average amount of time (in ms) the mail is in<br />
the system.<br />
Overall Summary Reports<br />
The Overall Summary Reports section looks like this:<br />
It allows you to view summary reports on the overall filtering activities performed<br />
in your corporate network, i. e. regardless of any particular policy.<br />
The reports relate to the way <strong>Webwasher</strong> is configured, i. e. as proxy for client<br />
communication, or filtering Web requests and uploads in REQMOD communication<br />
or Web downloads and e-mail messages in RESPMOD communication,<br />
or in a combination of both.<br />
Display Options<br />
The Display Options section looks like this:<br />
It allows you to configure the way reports are displayed.<br />
Specify information regarding this display in the input fields described below.<br />
Then click on Apply Changes to make your settings effective.<br />
The following parameters can be configured:<br />
• Number of displayed items<br />
Enter the appropriate number of items here. The default number is 10.<br />
• Automatically refresh after ... seconds<br />
Enter the appropriate number of seconds here. The default number is 0,<br />
i. e. no automatic refreshing.
3.6.2<br />
View Load<br />
The View Load tab looks like this:<br />
There is one section on this tab:<br />
• View Load<br />
It is described in the following.<br />
<strong>Webwasher</strong> Load<br />
The <strong>Webwasher</strong> Load section looks like this:<br />
It provides detailed information about the load at the various <strong>Webwasher</strong><br />
connections, such as the connection between HTTP clients and HTTP proxy,<br />
HTTP proxy and HTTP server, and so on.<br />
You can view the current load or the load history. To do this, use the following<br />
links, which are provided next to every type of connection:<br />
• View Current<br />
Click on this link to view the current load.<br />
• View History<br />
Click on this link to view the load history.<br />
3.6.3<br />
<strong>System</strong> Statistics<br />
The <strong>System</strong> Statistics tab looks like this:<br />
There is one section on this tab:<br />
• <strong>System</strong> Statistics<br />
It is described in the following.
<strong>System</strong> Statistics<br />
The <strong>System</strong> Statistics section looks like this:<br />
It provides information on several system statistics, such as the<br />
system name, the number of processors, the number of processes currently<br />
running, etc.<br />
3.7<br />
4-Eyes-Principle<br />
The 4-Eyes-Principle option is invoked by clicking on the corresponding button<br />
under Reporting:<br />
The option is provided under the following tab:<br />
It is described in the upcoming section:<br />
• 4-Eyes-Principle, see 3.7.1<br />
3.7.1<br />
4-Eyes-Principle<br />
The 4-Eyes-Principle tab looks like this:<br />
On this tab, you can configure the use of two passwords for <strong>Webwasher</strong> settings<br />
that are especially privacy-protected.<br />
In order to protect privacy, some <strong>Webwasher</strong> functions can only be executed<br />
if two passwords are known.<br />
To make use of these kinds of functions that show information about<br />
anonymized users or determine how user-related data will be collected for<br />
reporting, you need to enter two passwords.<br />
Use the following item to configure this special security feature:<br />
• Protect privacy-protected settings by two passwords<br />
Mark the checkbox provided here and click on Apply Changes to make<br />
this setting effective.
3.8<br />
Deanonymization<br />
The Deanonymization options are invoked by clicking on the corresponding<br />
button under Reporting:<br />
The options are arranged under the following tab:<br />
They are described in the upcoming section:<br />
• Deanonymization, see 3.8.1<br />
3.8.1<br />
Deanonymization<br />
The Deanonymization tab looks like this:<br />
There is one section on this tab:<br />
• Deanonymization<br />
It is described in the following.<br />
Deanonymization<br />
The Deanonymization section looks like this:<br />
Using this section, you can resolve anonymous strings found in log files or<br />
reports.<br />
Anonymous strings are strings of characters that do not yet have a variable<br />
name assigned to them.<br />
Use the following items to resolve an anonymous string:<br />
• Anonymous string<br />
Enter the string you would like to have resolved in the input field provided<br />
here and click on the Deanonymize button next to it.<br />
• Personalized string<br />
Depending on the input, this output field shows the real source IP, the real<br />
user name, or the real source host.
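The following added example illustrates the three features described in 3.5.3, 3.7.1 and 3.8.1 working together:<br />
user names in a report are replaced by keyed, reversible pseudonyms, and the key that resolves them is derived from<br />
two passwords so that neither holder can deanonymize on their own. It is not <strong>Webwasher</strong>'s own scheme (the guide does not<br />
describe one); the HMAC-based construction, the salt and the sample report rows are assumptions and constructed values.<br />

```python
import base64
import hashlib
import hmac


def derive_key(password_a: str, password_b: str, salt: bytes) -> bytes:
    """Derive the anonymization key from two passwords held by two people.

    Both passwords enter the derivation, so neither holder can reproduce the key
    alone (the 4-Eyes-Principle). The salt is a constructed per-installation value."""
    material = password_a.encode("utf-8") + b"\x00" + password_b.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000, dklen=32)


def _keystream(key: bytes, tag: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based keystream, bound to the tag.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, tag + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def anonymize(key: bytes, user_name: str) -> str:
    """Deterministic, keyed, reversible pseudonym.

    The tag is an HMAC over the name (so the same user always gets the same
    string and the tag authenticates the result); the name is then XORed with
    a keystream derived from key and tag (SIV-style construction)."""
    data = user_name.encode("utf-8")
    tag = hmac.new(key, b"user|" + data, hashlib.sha256).digest()[:8]
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, tag, len(data))))
    return base64.b32encode(tag + ct).decode("ascii").rstrip("=")


def deanonymize(key: bytes, token: str) -> str:
    """Reverse anonymize(); fails closed if the key is wrong or the string was altered."""
    raw = base64.b32decode(token + "=" * (-len(token) % 8))
    tag, ct = raw[:8], raw[8:]
    data = bytes(a ^ b for a, b in zip(ct, _keystream(key, tag, len(ct))))
    expected = hmac.new(key, b"user|" + data, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted anonymized string")
    return data.decode("utf-8")


def can_deanonymize(key: bytes, token: str) -> bool:
    """True only if this key resolves the anonymized string."""
    try:
        deanonymize(key, token)
        return True
    except ValueError:
        return False


def anonymize_report(key: bytes, rows):
    """Replace the user column of (user, count) report rows with pseudonyms."""
    return [(anonymize(key, name), count) for name, count in rows]


# Constructed sample: a 'Top Users by Number of Requests' list.
TOP_USERS = [("jdoe", 42), ("asmith", 17)]

if __name__ == "__main__":
    key = derive_key("first-holder-password", "second-holder-password", b"constructed-salt")
    for token, count in anonymize_report(key, TOP_USERS):
        print(token, count, "->", deanonymize(key, token))
```

Because the pseudonym is deterministic, a "Top Users" report keeps its ranking and repeat appearances of the same user<br />
stay linkable, while the plain names only become visible again when both password holders are present.<br />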
Caching<br />
Chapter 4<br />
The features that are described in this chapter are accessible over the Caching<br />
tab of the Web interface:<br />
These features allow you to configure the caching of Web objects that are requested<br />
by users of <strong>Webwasher</strong>, in order to enable a general reduction of the<br />
time that elapses until users are actually able to access the objects.<br />
Note that these features are only available with appliance versions of <strong>Webwasher</strong>.<br />
The upcoming sections describe how to handle these features. The description<br />
begins with an overview.<br />
4.1<br />
Overview<br />
The following overview shows the sections that are in this chapter:<br />
• Overview – this section<br />
• Quick Snapshot, see 4.2<br />
• Policy Settings: HTTP Caching, see 4.3<br />
• Policy-Independent Settings: Cache Settings, see 4.4, and Flush Cache, see 4.5<br />
4.2<br />
Quick Snapshot<br />
The Quick Snapshot for the caching functions is invoked by clicking on the<br />
corresponding button under Caching:<br />
The following tab is then provided:<br />
It is described in the upcoming section:<br />
• Quick Snapshot, see 4.2.1<br />
Before this is done, however, the following subsection provides some general<br />
information on this quick snapshot feature.
Handling the Quick Snapshot<br />
The quick snapshot feature on this tab allows you to view summary information<br />
about the parameters of the <strong>Webwasher</strong> cache at a glance. The information<br />
is displayed with regard to a given time interval.<br />
Percentages are calculated for the various categories of cache parameters.<br />
The percentages are shown by means of a pie chart on the left side of the tab<br />
section.<br />
By hovering over the sections of the pie chart with the mouse cursor, you can<br />
display the individual percentages.<br />
On the right side of the section, parameter values are shown as they developed<br />
in time, using either a stacked or a line mode.<br />
The pie chart and the representation in stacked or line mode are handled in<br />
the same way as on the <strong>Webwasher</strong> dashboard.<br />
You can:<br />
• Select and deselect categories for display by marking and clearing the corresponding<br />
checkboxes:<br />
• Select a time interval for display, using the Show last drop-down list:<br />
• Select stacked or line mode for display by checking the corresponding radio<br />
button:<br />
4.2.1<br />
Quick Snapshot<br />
The Quick Snapshot tab looks like this:<br />
There are four sections on this tab:<br />
• Cache Efficiency<br />
• Cache Bytes<br />
• Cache Objects<br />
• Cache Usage<br />
They are described in the following.
Cache Efficiency<br />
The Cache Efficiency section displays the number of times requested objects<br />
were found within the <strong>Webwasher</strong> cache (“Hits”) and the number of times requested<br />
objects were not found there (“Misses”) within a given time interval.<br />
Cache Bytes<br />
The Cache Bytes section displays the amount of bytes for requested objects<br />
that were found within the <strong>Webwasher</strong> cache (“Bytes Hits”) and for the requested<br />
objects that were not found there (“Bytes Misses”) within a given time<br />
interval.<br />
Cache Objects<br />
The Cache Objects section displays the number of objects that are stored<br />
in the <strong>Webwasher</strong> cache (“Cachable Objects”) and the number of objects that<br />
were requested by users, but not stored there (“Non-Cachable Objects”) within<br />
a given time interval.<br />
Cache Usage<br />
The Cache Usage section displays the percentage of cache utilization within<br />
a given time interval.<br />
4.3<br />
HTTP Caching<br />
The HTTP Caching options are invoked by clicking on the corresponding button<br />
under Caching:<br />
If you want to enable any of these options, make sure the checkbox on this<br />
button is also marked. The checkbox is marked by default.<br />
After modifying the setting of this checkbox, click on Apply Changes to make<br />
the modification effective.<br />
These are policy-dependent options, i. e. they are configured for a particular<br />
policy. When you are configuring these options, you need to specify this policy.<br />
To do this, select a policy from the drop-down list labeled Policy, which is located<br />
above the HTTP Caching button:<br />
Note that you can also configure HTTP caching for every individual proxy port<br />
that is opened by <strong>Webwasher</strong> when it is running as an HTTP proxy.<br />
For more information on this option, see the subsection on Port Settings in<br />
5.2.1.<br />
The HTTP caching options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• HTTP Caching, see 4.3.1<br />
• Cachable Objects List, see 4.3.2<br />
4.3.1<br />
HTTP Caching<br />
The HTTP Caching tab looks like this:
There is one section on this tab:<br />
• Policy Dependent Settings<br />
It is described in the following.<br />
Policy Dependent Settings<br />
The Policy Dependent Settings section looks like this:<br />
Using this section, you can configure actions that should be executed upon<br />
hits and misses of requested objects that are stored in the <strong>Webwasher</strong> cache.<br />
The actions are configured for requests to Web objects.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following items for configuring actions:<br />
• Action on Cache Hit<br />
From the drop-down list provided here, select an action that should be<br />
executed when a requested Web object was found in the cache.<br />
The following actions are available:<br />
— Add X-Cache Header<br />
An X-Cache header is added to the request.<br />
— Allow<br />
The request is allowed. This action is configured by default.<br />
— Block<br />
The request is blocked.<br />
• Action on Cache Miss<br />
From the drop-down list provided here, select an action that should be<br />
executed when a requested Web object was not found in the cache.<br />
For the actions that are available here, see the list under Action on Cache<br />
Hit.<br />
4.3.2<br />
Cachable Objects List<br />
The Cachable Objects List tab looks like this:<br />
There is one section on the tab:<br />
• Cachable Objects<br />
It is described in the following.
Cachable Objects<br />
The Cachable Objects section looks like this:<br />
Using this section, you can specify the Web objects that should be stored in<br />
the <strong>Webwasher</strong> cache.<br />
To do this, use the area labeled:<br />
• Add new entry<br />
Specify an object or object type using the following items:<br />
— From the drop-down box in the upper line of the area, select String<br />
or International Domain Name. In the input field next to it, enter a<br />
string to specify the object.<br />
You may also use shell expressions to specify an object type.<br />
Select International Domain Name here if you want to enter non-ASCII<br />
characters and the string should be used for the domain part of a URL.<br />
In some countries like Germany, Sweden or Japan, domain names with<br />
non-ASCII characters are allowed.<br />
The IDNA (International Domain Names in Applications) standard describes<br />
how a Web browser should convert such a domain name into<br />
pure ASCII notation used, e. g. by DNS.<br />
<strong>Webwasher</strong> uses the pure ASCII notation as well, therefore all IDN<br />
strings must be converted.<br />
This is done automatically when you select International Domain<br />
Name and enter a string with non-ASCII characters.<br />
Note that you cannot use shell expressions with IDN strings.<br />
— From the first drop-down box in the lower line of the area, select an<br />
option to specify the object type that the string entered above should<br />
correspond to.<br />
Select None if you do not want to specify an object type.<br />
Select Web to specify the URL type for an object. Then select one of<br />
the following options from the drop-down box next to the first box:<br />
Any URL<br />
Any type of URL will do for the object that should be stored.<br />
HTTP Request URL<br />
The URL of the object that should be stored must be the one that<br />
is used in the HTTP request made for it.<br />
HTTP Response URL<br />
The URL of the object that should be stored must be the one that<br />
is used in the HTTP response sent upon the request made for it.<br />
— Description<br />
In this input field you may enter a description of the object or object<br />
type that should be stored.<br />
Input in this field is optional.<br />
Then use the following item to complete the configuration procedure:<br />
— Add to Cachable Objects List<br />
After specifying the information for the object, click on this button to<br />
add it to the list. This addition will be valid only under the policy you are<br />
currently configuring.<br />
To add an object to the list for all policies, mark the checkbox labeled<br />
Add to all policies before clicking on the button.<br />
If an object that was configured under another policy is already on the<br />
list, the setting of the Add to all policies checkbox will have no effect.<br />
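The following Python code is an added illustration, not code from the guide or from the Webwasher product, of what the International Domain Name option described above does to an entry: the IDNA conversion into the pure ASCII form that DNS works with, and the two input rules stated in that description (non-ASCII characters require the option, and shell expressions cannot be combined with an IDN string). It uses Python's built-in `idna` codec; the function names, the helper that converts only the host part of a URL, and the sample domains are this example's own assumptions.<br />

```python
# Added example, not Webwasher code: IDNA ToASCII conversion and the input
# rules for the URL field when International Domain Name is selected.
from urllib.parse import urlsplit, urlunsplit

SHELL_WILDCARDS = "*?"   # the shell expressions the guide allows in URL fields


def domain_to_ascii(domain: str) -> str:
    """IDNA ToASCII, label by label: 'bücher.example' -> 'xn--bcher-kva.example'.
    Labels that are already ASCII pass through unchanged."""
    return domain.encode("idna").decode("ascii")


def domain_to_unicode(domain: str) -> str:
    """Inverse of domain_to_ascii, e.g. for displaying a stored entry."""
    return domain.encode("ascii").decode("idna")


def url_host_to_ascii(url: str) -> str:
    """Convert only the host part of a URL; scheme, userinfo, port, path and
    query are left untouched. IPv6 literals in brackets are out of scope here."""
    parts = urlsplit(url)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    host, colon, port = hostport.partition(":")
    netloc = userinfo + at + domain_to_ascii(host) + colon + port
    return urlunsplit(parts._replace(netloc=netloc))


def check_url_entry(entry: str, idn_selected: bool):
    """Mirror the input rules the guide states for the URL field.
    Returns (accepted, text): the ASCII form the gateway would work with,
    or the reason the entry was rejected."""
    has_wildcard = any(ch in SHELL_WILDCARDS for ch in entry)
    has_non_ascii = not entry.isascii()
    if idn_selected:
        if has_wildcard:
            return False, "shell expressions cannot be used with IDN strings"
        converted = url_host_to_ascii(entry) if "://" in entry else domain_to_ascii(entry)
        return True, converted
    if has_non_ascii:
        return False, "non-ASCII characters require International Domain Name"
    return True, entry
```

Note that the ASCII form is what actually appears on the wire and in DNS, so a log line or a stored entry may show `xn--` labels even though the administrator typed the Unicode name; `domain_to_unicode` is the way back for display.<br />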
The configuration activities you are completing here will specify an object<br />
or object type that should be stored on the Cachable Objects List.<br />
Note that you can also specify which objects should not be included in this<br />
list. This is done using the White List.
To go there, click on the Whitelist link provided here.<br />
The Cachable Objects List is displayed at the bottom of this section.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using<br />
the Enter key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an entry, type the appropriate text in the corresponding input field.<br />
Then click on Apply Changes to make these settings effective. You can<br />
edit more than one entry and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
— Filter<br />
Type a filtering term in this input field and enter it using the Enter key<br />
of your keyboard. The list will then display only entries matching the<br />
filter.<br />
— Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox<br />
next to it and click on this button. You can delete more than one entry<br />
in one go.<br />
To delete all entries, mark the Select all checkbox and click on this<br />
button.<br />
— Move Up, Move Down<br />
Select the entry you wish to move by marking the Select checkbox<br />
next to it and click on either of these buttons, depending on where you<br />
want to move the entry.<br />
The position an entry takes in the list is important since whenever a<br />
URL is matched by more than one entry, the entry that is first in the list<br />
wins, which means the rule in question is executed while other rules in<br />
the list are ignored.<br />
4.4<br />
Cache Settings<br />
The Cache Settings options are invoked by clicking on the corresponding<br />
button under Caching:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Cache Settings, see 4.4.1<br />
• Cache Rules, see 4.4.2<br />
4.4.1<br />
Cache Settings<br />
The Cache Settings tab looks like this:
There are two sections on this tab:<br />
• Caching<br />
• Complete Fetch Rules<br />
They are described in the following.<br />
Caching<br />
The Caching section looks like this:<br />
Using this section, you can configure a maximum size that should not be exceeded<br />
by objects that are stored in the <strong>Webwasher</strong> cache.<br />
After specifying the appropriate setting, click on Apply Changes to make it<br />
effective.<br />
Use the following item to configure the size limit:<br />
• Do not cache objects larger than<br />
In the input field provided here, enter the size (in KB) that should not be<br />
exceeded by a cached object.<br />
Using the drop-down list next to the field, you can select the unit: Byte,<br />
KB, MB, or GB. The default size is 5242 KB.<br />
Complete Fetch Rules<br />
The Complete Fetch Rules section looks like this:<br />
Using this section, you can configure <strong>Webwasher</strong> to complete the download of<br />
a requested object after the corresponding client connection has been closed.<br />
If you want to use this feature, make sure the checkbox next to the section<br />
heading is marked. The checkbox is marked by default.<br />
After modifying this setting or the settings for determining the conditions under<br />
which the download should be completed, click on Apply Changes to make<br />
the modification effective.<br />
Use the following items to configure these conditions:<br />
• <strong>Webwasher</strong> should complete a download even after the client has<br />
cancelled the connection if at least ... % are completed and the<br />
download is bigger than ... KB<br />
In the two input fields provided here enter the percentage of completion and<br />
a minimum size that should be reached to let <strong>Webwasher</strong> fully complete<br />
the download of an object.<br />
Using the drop-down list next to the byte input field, you can select the<br />
unit: Byte, KB, MB, or GB.<br />
The default percentage is 85% and the default minimum size is 1024 KB.<br />
4.4.2<br />
Cache Rules<br />
The Cache Rules tab looks like this:<br />
There is one section on this tab:<br />
• Cache Revalidation Rules<br />
It is described in the following.
Cache Revalidation Rules<br />
The Cache Revalidation Rules section looks like this:<br />
Using this section, you can configure rules to determine the way Web objects<br />
are cached and delivered by <strong>Webwasher</strong>.<br />
To do this, use the area labeled:<br />
• Add new rule<br />
Specify a rule using the following items:<br />
— URL matches<br />
In this input field enter a string to specify a URL that should be stored in<br />
the cache. You may also use shell expressions to specify a URL type.<br />
— Always validate cache content<br />
If you want a URL to be validated each time it is requested by a user,<br />
make sure this radio button is checked. The radio button is checked by<br />
default.<br />
— Validate content (at least) every ...<br />
To configure the validation of a requested URL after a given time interval<br />
has elapsed, check this radio button.<br />
Note that <strong>Webwasher</strong> will perform a validation whenever either the interval<br />
configured here has elapsed or the expiration date of the URL,<br />
which is determined on the basis of data received from the corresponding<br />
Web server, depending on which of the two events happens earlier.<br />
If neither of the two intervals has elapsed when a URL is requested, no<br />
validation will take place.<br />
To configure the validation interval, select a time unit (seconds, minutes,<br />
hours, days) from the drop-down list provided here and enter the<br />
corresponding number in the input field.<br />
— Override Response Header<br />
If you want <strong>Webwasher</strong> to ignore the expiration date of a URL, mark<br />
this checkbox. This date is determined on the basis of data received<br />
with the response header from the corresponding Web server.<br />
A validation will then only be performed if the URL is requested and the<br />
interval configured under Validate content (at least) every ...<br />
has elapsed.<br />
— Description<br />
In this input field you may enter a description of the rule you are<br />
presently configuring.<br />
Input in this field is optional.<br />
Then use the following item to complete the configuration procedure:<br />
— Add to Cache Rule List<br />
After specifying the information for a rule, click on this button to add it<br />
to the list.<br />
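As an added example (not code from the guide or the Webwasher product), the Python below models the two things the rule description above determines: which rule applies to a requested URL when the list is evaluated in order with shell-expression patterns, where the first matching entry wins, and whether a cached object is revalidated, using the interval, the server-derived expiry date, and the Override Response Header setting exactly as described above. The rule set, the timestamps and the function names are constructed for this illustration; the `fnmatch` module it uses also understands `[...]` character classes, which the guide does not mention.<br />

```python
# Added example, not Webwasher code: ordered cache rules with shell-style URL
# patterns and the revalidation decision (interval or server expiry, whichever
# comes first; Override Response Header ignores the expiry).
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class CacheRule:
    url_pattern: str                # "URL matches": * and ? as shell expressions
    always_validate: bool = True    # "Always validate cache content" (the default)
    interval: Optional[int] = None  # "Validate content (at least) every ..." in seconds
    override_header: bool = False   # "Override Response Header" checkbox
    enabled: bool = True            # "Enabled" checkbox in the list
    description: str = ""


def url_matches(pattern: str, url: str) -> bool:
    """Shell-expression match of the whole URL (assumption: '*' also spans '/')."""
    return fnmatchcase(url, pattern)


def first_matching_rule(rules: List[CacheRule], url: str) -> Optional[CacheRule]:
    """The entry that is first in the list wins; later matching rules are ignored."""
    for rule in rules:
        if rule.enabled and url_matches(rule.url_pattern, url):
            return rule
    return None


def needs_validation(rule: CacheRule, now: int, last_validated: int,
                     expires: Optional[int]) -> bool:
    """Decide whether a cached object must be revalidated with the Web server.
    All times are Unix seconds; 'expires' is the expiry date derived from the
    response header, or None if the server gave none."""
    if rule.always_validate or rule.interval is None:
        return True
    interval_elapsed = now - last_validated >= rule.interval
    if rule.override_header:
        return interval_elapsed            # the expiry date is ignored
    expired = expires is not None and now >= expires
    return interval_elapsed or expired     # whichever event happens earlier


# Constructed rule list for the demonstration; order matters.
RULES = [
    CacheRule("http://intranet.example/*", always_validate=False, interval=3600,
              override_header=True, description="own server: trust for an hour"),
    CacheRule("http://*.example/news/*", always_validate=False, interval=300,
              description="news pages: five minutes or server expiry"),
    CacheRule("*", description="everything else: always validate"),
]


def decide(rules: List[CacheRule], url: str, now: int, last_validated: int,
           expires: Optional[int]):
    """Return (winning pattern, revalidate?) for one request."""
    rule = first_matching_rule(rules, url)
    if rule is None:
        return None, True
    return rule.url_pattern, needs_validation(rule, now, last_validated, expires)
```

The intranet request in the test matches both of the first two patterns; only the first one is applied, which is why Move Up and Move Down matter when a narrow rule has to take precedence over a broad one.<br />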
The Cache Rule List is displayed at the bottom of this section.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using<br />
the Enter key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
Within the list, you can disable or enable a rule by marking the Enabled<br />
checkbox of the corresponding entry.<br />
After modifying this setting, click on Apply Changes to make it effective.<br />
You can disable or enable more than one entry and make the changes<br />
effective in one go.<br />
To edit an entry, type the appropriate text in the corresponding URL<br />
and Description input fields, specify the validation period using the<br />
corresponding input field and drop-down list under Period, and mark or<br />
clear the Override checkbox.
Then click on Apply Changes to make these settings effective. You can<br />
edit more than one entry and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
— Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox<br />
next to it and click on this button. You can delete more than one entry<br />
in one go.<br />
To delete all entries, mark the Select all checkbox and click on this<br />
button.<br />
— Move Up, Move Down<br />
Select the entry you wish to move by marking the Select checkbox<br />
next to it and click on either of these buttons, depending on where you<br />
want to move the entry.<br />
The position an entry takes in the list is important since whenever a<br />
URL is matched by more than one entry, the entry that is first in the list<br />
wins, which means the rule in question is executed while other rules in<br />
the list are ignored.<br />
4.5<br />
Flush Cache<br />
The Flush Cache options are invoked by clicking on the corresponding button<br />
under Caching:<br />
The options are arranged under the following tab:<br />
They are described in the upcoming section:<br />
• Flush Cache, see 4.5.1<br />
4.5.1<br />
Flush Cache<br />
The Flush Cache tab looks like this:<br />
There is one section on this tab:<br />
• Flush Cache<br />
It is described in the following.<br />
Flush Cache<br />
The Flush Cache section looks like this:
Using this section, you can configure the settings for the flushing of the <strong>Webwasher</strong><br />
cache and perform a flush.<br />
Use the items provided under the following heading to configure the cache<br />
flush settings:<br />
• Clear HTTP Cache of<br />
The settings that you can configure here are as follows:<br />
— URLs matching<br />
Check this radio button to restrict the cache flush to particular URLs. In<br />
the input field provided here enter one or more URLs.<br />
You may also use the following shell expressions to specify a URL type:<br />
* and ?.<br />
— cached files bigger than<br />
Check this radio button to restrict the cache flush to objects exceeding<br />
a given size limit. In the input field provided here enter this size (in KB).<br />
The default size is 1024 KB.<br />
— cached files older than<br />
Check this radio button to restrict the cache flush to objects older than<br />
a given period of time. In the input field provided here enter the number<br />
of hours to specify this time. The default time is 24 hours.<br />
— cached files of mediatype<br />
Check this radio button to restrict the cache flush to a particular media<br />
type. From the drop-down list here select the media type, e.g. application/1bk.<br />
— everything<br />
If you want to flush the cache completely, make sure this radio button<br />
is checked. The radio button is checked by default.<br />
After specifying the appropriate settings, use the following item to complete<br />
the flushing procedure:<br />
• Flush<br />
Click on this button to perform the flush.<br />
Proxies<br />
Chapter 5<br />
The functions described in this chapter are accessible over the Proxies<br />
tab of the Web interface:<br />
They allow you to set up <strong>Webwasher</strong> for running as a proxy server or an e-mail<br />
gateway, for communicating with the ICAP server, and for using the IFP or<br />
WCCP protocol.<br />
Note that two more functional groups are available here when the license that<br />
<strong>Webwasher</strong> is running with does not include the Anti-Spam product:<br />
• Queue Handling<br />
• Message Handling<br />
These are usually available under the Anti Spam tab, which is then not visible.<br />
If they are available under the Proxies tab, corresponding buttons are added<br />
to the navigation panel on the left side of the interface area.<br />
They are grouped there with the E-Mail-Gateway buttons.<br />
For a description of these functions, see sections 4.11 and 4.12 of the User’s<br />
<strong>Guide</strong> <strong>Webwasher</strong> Anti-Spam.<br />
The upcoming sections describe how to handle the functions of the Proxies<br />
tab. The description begins with an overview.<br />
5.1<br />
Overview<br />
The following overview shows the sections of this chapter:<br />
<strong>System</strong> <strong>Configuration</strong> <strong>Guide</strong> – <strong>Webwasher</strong> Web Gateway Security<br />
• Introduction<br />
• User Management<br />
• Reporting<br />
• Caching<br />
• Proxies<br />
— Overview – this section<br />
— <strong>Configuration</strong><br />
Web Proxies: HTTP Proxy, see 5.2; HTTPS Proxy, see 5.3; FTP Proxy, see 5.4<br />
E-Mail Gateway: E-Mail Gateway, see 5.5; Delivery Options, see 5.6; Queue <strong>Configuration</strong>, see 5.7; Relay Protection, see 5.8; Exception Lists, see 5.9; Load Limits, see 5.10; POP3 Access, see 5.11<br />
Queue Handling: These functions are available here when the Anti-Spam product is not included in your license, see the beginning of this chapter.<br />
Message Handling: The information provided under Queue Handling applies here as well.<br />
ICAP Server: ICAP(S) Server, see 5.12<br />
Other Protocols: IFP, see 5.15; Progress Indication Methods, see 5.13; Own Host Name, see 5.14; WCCP, see 5.16<br />
Note that the options described in this section are only available in an appliance version of <strong>Webwasher</strong>.
5.2<br />
HTTP Proxy<br />
The HTTP Proxy options are invoked by clicking on the corresponding button<br />
under Proxies:<br />
If you want to enable any of these options, make sure the checkbox on this<br />
button is also marked. The checkbox is marked by default.<br />
After modifying the setting of this checkbox, click on Apply Changes to make<br />
the modification effective.<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Settings, see 5.2.1<br />
• Next Hop Proxies, see 5.2.2<br />
• Authentication, see 5.2.3<br />
• ICAP Services, see 5.2.4<br />
• Transparent Setup, see 5.2.5<br />
Note that this tab is only available for appliance versions of <strong>Webwasher</strong>.<br />
5.2.1<br />
Settings<br />
The Settings tab looks like this:<br />
There are four sections on this tab:<br />
• Port Settings<br />
• Proxy Options<br />
• Timeout Prevention<br />
• IP Forwarding<br />
They are described in the following.
Port Settings<br />
The Port Settings section looks like this:<br />
This section displays a list of the ports that are opened by <strong>Webwasher</strong> as listener<br />
ports for the ICAP client when <strong>Webwasher</strong> is configured as an HTTP<br />
proxy.<br />
Note that this section is also used for configuring <strong>Webwasher</strong> as HTTPS proxy.<br />
You can add entries to the list and edit or delete them.<br />
The default port has the port number 9090. This port is entered by default in<br />
the list and cannot be deleted. You may, however, change the port number.<br />
Use the following button to add a port to the list:<br />
• Add Proxy Port<br />
Click on this button to open a window where you can specify information<br />
on a new listener port and enter it in the list.<br />
For a description of this window, see the Port Settings subsection below.<br />
The following information is provided in the list for each listener port:<br />
• Address<br />
IP address and port number of the listener port.<br />
The specification of the IP address is optional and may therefore not be<br />
displayed here.<br />
• Allow access from<br />
IP addresses of the sites that should have access to the listener port.<br />
An * in this field means that every site is allowed access.<br />
• Policy<br />
Policy that will be applied during communication with the ICAP client over<br />
the listener port.<br />
This is not part of the authentication process for a client, but of the policy<br />
mapping that maps this client to a particular policy.<br />
If no policy is selected here, there will be no particular policy for communication<br />
with a client over this listener port. Instead, the policy that was<br />
configured for the ICAP server will be used.<br />
• Transparent Proxy<br />
Information whether <strong>Webwasher</strong> is configured as a transparent proxy during<br />
communication with the ICAP client over the listener port.<br />
• HTTP Caching<br />
Information whether the caching feature is enabled. This feature is enabled<br />
by default.<br />
Note that the feature is only available with appliance versions of <strong>Webwasher</strong>.<br />
Otherwise, this checkbox is not displayed here.<br />
To edit an entry, type the appropriate text in the input fields of the Address and<br />
Allow access from columns, select a policy from the Policy drop-down list in<br />
the same line and mark or clear the corresponding Transparent Proxy and<br />
HTTP Caching checkboxes as required.<br />
Then click on Apply Changes to make these settings effective. You can edit<br />
more than one entry and make the changes effective in one go.<br />
Use the following item to delete entries that are in the list:<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next to<br />
it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, with the exception of the default listener port, mark the<br />
Select all checkbox and click on this button.
Port Settings<br />
The Port Settings window opens after clicking on the Add Proxy Port button.<br />
It looks like this:<br />
Using this window you can add a port to the list of listener ports that are opened<br />
by <strong>Webwasher</strong> for communication with the ICAP client when <strong>Webwasher</strong> is<br />
configured as HTTP or HTTPS proxy.<br />
Use the following items of this window to configure the port settings and add<br />
the port to the list:<br />
• Port<br />
In this input field, specify the IP address and the port number of the port.<br />
The input format is:<br />
[IP]:port<br />
Note that for security reasons, <strong>Webwasher</strong> runs under plain user rights (as<br />
opposed to root rights). Hence you can’t choose a privileged port (below<br />
1024) at runtime.<br />
If you choose a privileged port, you have to restart <strong>Webwasher</strong> to make it<br />
available.<br />
• Allow access from<br />
In this input field, specify the IP addresses of the sites that should have<br />
access to the listener port. The input format is:<br />
(IP|IP/NetMask|IPrange)[,(IP|IP/NetMask|IPrange)]*<br />
Entering an * in this field means to allow every site access.<br />
• Use Policy<br />
From the drop-down list provided here, select a policy that will be applied<br />
during communication with the ICAP client over the listener port.<br />
• Serve non-proxy requests (transparent proxy)<br />
Mark this checkbox to configure <strong>Webwasher</strong> as transparent proxy during<br />
communication with the ICAP client over the listener port.<br />
• Use Port for HTTP Caching<br />
If you want to use the port you are configuring here for HTTP caching, make<br />
sure this checkbox is marked. The checkbox is marked by default.<br />
Note that this item is only displayed with appliance versions of <strong>Webwasher</strong>.<br />
• Add<br />
After specifying the appropriate information about a listener port, click on<br />
this button to add it to the list.<br />
If the addition was successful, a corresponding message is displayed in<br />
this window. You can then go on to add another port to the list.<br />
• Close<br />
Click on this button to close the window and return to the Settings tab.<br />
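As an added example (not code from the guide or the Webwasher product), the Python below parses the two input formats of the Port Settings window described above, `[IP]:port` and `(IP|IP/NetMask|IPrange)[,...]*` with `*` meaning everyone, and then checks a connecting client address against the resulting allow list. It also flags a privileged port, which the guide says only becomes available after a restart because the gateway runs without root rights. The guide does not show the exact syntax of an IP range, so `first-last` is this example's assumption, as are the function names and the IPv4-only scope.<br />

```python
# Added example, not Webwasher code: parsing the Port Settings fields and
# answering "is this client allowed to talk to this listener port?".
import ipaddress
from typing import List, Optional, Tuple

Network = ipaddress.IPv4Network   # IPv4 only in this example (assumption)


def parse_port_field(value: str) -> Tuple[Optional[str], int]:
    """Format [IP]:port; the IP is optional. Returns (ip or None, port)."""
    value = value.strip()
    ip_part, sep, port_part = value.rpartition(":")
    if not sep:                      # a bare port number, e.g. the default 9090
        ip_part, port_part = "", value
    port = int(port_part)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    ip = str(ipaddress.ip_address(ip_part)) if ip_part else None
    return ip, port


def is_privileged(port: int) -> bool:
    """Ports below 1024 need root rights; with plain user rights such a port
    cannot be opened at runtime and needs a restart, as the guide states."""
    return port < 1024


def parse_allow_from(value: str) -> Optional[List[Network]]:
    """Format (IP|IP/NetMask|IPrange)[,(IP|IP/NetMask|IPrange)]*.
    Returns None for '*' (every site). A range is written first-last here,
    which is an assumption of this example."""
    value = value.strip()
    if value == "*":
        return None
    networks: List[Network] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            first, last = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            # accepts 10.0.0.5, 10.0.0.0/16 and 10.0.0.0/255.255.0.0 alike
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def access_allowed(allowed: Optional[List[Network]], client_ip: str) -> bool:
    """True if the client may use the listener port."""
    if allowed is None:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowed)


def describe_listener(port_field: str, allow_field: str) -> dict:
    """Summarise one entry the way the Port Settings list presents it."""
    ip, port = parse_port_field(port_field)
    return {
        "address": f"{ip}:{port}" if ip else str(port),
        "privileged": is_privileged(port),
        "allow_all": parse_allow_from(allow_field) is None,
    }
```

A listener with `*` in Allow access from and Serve non-proxy requests enabled is reachable by any address that can route to it, so reviewing these two fields together is the quickest way to spot an unintentionally open proxy port.<br />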
Proxy Options<br />
The Proxy Options section looks like this:<br />
Using this section, you can specify a number of settings for the ICAP client<br />
communicating with <strong>Webwasher</strong> when it is configured as HTTP proxy.<br />
Note that this section is also used for configuring <strong>Webwasher</strong> as HTTPS proxy.<br />
So, whenever HTTP is mentioned in the following, the statement in question<br />
is valid also with regard to an HTTPS configuration.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following items to configure these proxy options:<br />
• ... retries on server overload when connected directly<br />
Select a number from the drop-down list provided here to configure how<br />
many times a retry will be performed over a direct connection when the<br />
server is overloaded.<br />
• Add 'Via' header to HTTP header<br />
Select this option to let <strong>Webwasher</strong> add a Via header to the REQUEST<br />
and RESPONSE headers.<br />
The Via header is used to track message forwards, avoid request loops,<br />
and identify the protocol capabilities (HTTP 1.0 or 1.1) of all senders along<br />
the request/response chain.<br />
• Treat FTP over HTTP as native FTP<br />
If this option is enabled, while <strong>Webwasher</strong> is being used as a proxy server,<br />
no user data will be transmitted, unless username and password are already<br />
provided by the URL.<br />
There are two kinds of FTP requests: those coming from a native FTP client<br />
using the real FTP, and those coming via HTTP but for URLs beginning with<br />
ftp://.<br />
For the latter, the last HTTP proxy in the chain has to convert the HTTP<br />
commands into native FTP in order to connect to the FTP server. <strong>Webwasher</strong><br />
can establish direct connections, as well as make use of parent<br />
HTTP and FTP proxies.<br />
Native FTP requests will always use the configured next hop FTP proxy (if<br />
any) or direct FTP connections.<br />
FTP requests over HTTP usually check for the HTTP proxy settings and use<br />
the next hop HTTP proxy (if any) or direct FTP connections.<br />
Enabling the present option will change this behavior and let an FTP request<br />
that came in via HTTP use the next hop FTP proxy settings, while<br />
the next hop HTTP proxy settings are ignored.<br />
This means that these requests will use the configured next hop FTP proxy<br />
(if any) or direct FTP connections.<br />
• Persistent connection timeout<br />
In the input field provided here, enter the time interval (in seconds) for a<br />
persistent connection timeout.<br />
If this interval elapses without any communication activities having occurred<br />
on the connection between <strong>Webwasher</strong> and the client, the connection<br />
is closed down.<br />
• Dead client timeout<br />
In the input field provided here, enter the time interval (in seconds) for a<br />
dead client timeout.<br />
If this interval elapses without any communication activities having occurred<br />
on the connection from the side of the client, the connection is closed<br />
down.<br />
• Maximum header length<br />
In the input field provided here, enter the maximum length (in bytes) for the<br />
header of a request sent by the client to <strong>Webwasher</strong>.<br />
If this length is exceeded, the request is denied by <strong>Webwasher</strong>.<br />
• Ports allowed for CONNECT requests<br />
In the input field provided here, enter the port or ports you want to allow for<br />
CONNECT requests. Separate multiple entries by commas.<br />
To allow all ports for CONNECT requests, enter an *.<br />
Note that CONNECT is the only method used to connect to the HTTP port<br />
of 443.<br />
Port 443 is the port that an SSL server usually listens on. There are, however,<br />
SSL servers that will not listen on this port.<br />
In this case, you also need to modify the global.conf (global.ini) configuration<br />
file in order to enable communication. Enter the following line in the<br />
file:<br />
PortsTreatedAsSSL=’443, ’
Then restart <strong>Webwasher</strong> to make the modification effective.<br />
Timeout Prevention<br />
The Timeout Prevention section looks like this:<br />
Using this section, you can configure methods for preventing timeouts on client<br />
connections.<br />
<strong>Webwasher</strong> tries to forward data as soon as it becomes available, but there are<br />
situations in which this philosophy does not hold: an antivirus scanner needs<br />
to see the complete file for many file types before it can scan for viruses.<br />
This means that the HTTP proxy server cannot forward any data to the browser<br />
until the complete file is received on the gateway and the scan process is complete.<br />
Depending on the length of the file and the network connection, it can take a<br />
long time, while a browser connection could even time out (other third-party<br />
ICAP servers attached to the HTTP proxy RESPMOD pipe could also show<br />
the behavior of not returning any data before the complete file is received).<br />
For situations such as these, <strong>Webwasher</strong> provides methods for preventing<br />
timeouts, by sending either an empty line or an HTTP header line every n<br />
seconds. This feature should be used depending on your network configuration<br />
and your filter settings.<br />
The Timeout Prevention feature is not enabled by default. To enable it mark<br />
the checkbox next to the section heading. After configuring its settings, click<br />
on Apply Changes to make them effective.<br />
Use the following items to configure timeout prevention:<br />
• <strong>Webwasher</strong> should send every . . . seconds<br />
Enter the number of seconds here to determine the frequency of applying<br />
the methods configured below.<br />
• an empty line<br />
This method sends empty lines before the HTTP response.<br />
It works with many Internet browsers, but could fail with intermediate proxy<br />
servers (between <strong>Webwasher</strong> and the client) because it does not strictly<br />
follow the HTTP standard protocol.<br />
• an HTTP header line<br />
This method is fully backed by the HTTP standard. According to this, the<br />
first line of the reply header (the status line) is sent at the beginning, and<br />
then some additional header lines are sent to keep the connection alive.<br />
There is, however, no guarantee that all intermediate proxies accept a<br />
header that is split into many TCP frames.<br />
A second disadvantage is that <strong>Webwasher</strong> already replied with a special<br />
status code and is not able to change this again, e.g. after a virus was<br />
detected.<br />
In this case, the user would see an error message, but it would be transferred with a 200<br />
OK reply code, which is not ideal.<br />
IP Forwarding<br />
The IP Forwarding section looks like this:<br />
Using this section, you can configure the forwarding of a client IP address.<br />
Another proxy in the chain may need information about this address. So, you<br />
can tell <strong>Webwasher</strong> to include the client IP address as an HTTP header field.<br />
This will determine where the client IP address is forwarded, e. g. to the next<br />
hop proxy, Web server, etc.<br />
The IP Forwarding option is not enabled by default. To enable it, mark the<br />
checkbox next to the section heading. After specifying a header field name,<br />
click on Apply Changes to make this setting effective.<br />
Use the following input field to configure IP forwarding:<br />
• as . . . header<br />
Enter the header field name here that will determine where a Client IP address<br />
is forwarded.<br />
By default, this field name is X-Forwarded-For.
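The Python below is an added example, not code from the guide or the Webwasher product, that applies four of the settings described in the Proxy Options and IP Forwarding sections above to a constructed client request: the maximum header length (the request is denied when exceeded), the ports allowed for CONNECT requests (a comma-separated list or `*`), the Via header added to the request, and the client IP forwarded in the configured header field, X-Forwarded-For by default. The proxy pseudonym in the Via header, the function names and the sample requests are this example's assumptions.<br />

```python
# Added example, not Webwasher code: request-side checks and header edits a
# forwarding proxy makes, driven by the settings named in the guide.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

PROXY_NAME = "webwasher-gw.example"   # pseudonym used in the Via header (assumption)


@dataclass
class ProxyResult:
    allowed: bool
    reason: str = ""
    outgoing: bytes = b""                               # request as sent upstream
    headers: List[Tuple[str, str]] = field(default_factory=list)


def parse_connect_ports(value: str) -> Optional[Set[int]]:
    """'443, 563' -> {443, 563}; '*' -> None, meaning every port is allowed."""
    value = value.strip()
    if value == "*":
        return None
    return {int(p) for p in value.split(",") if p.strip()}


def split_request(raw: bytes, max_header_length: int):
    """Return (method, target, version, headers, body), or None if the header
    block is incomplete, malformed or longer than max_header_length bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or len(head) + len(sep) > max_header_length:
        return None
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        return None
    method, target, version = parts
    headers = []
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers.append((name.strip(), val.strip()))
    return method, target, version, headers, body


def process_request(raw: bytes, client_ip: str, *, max_header_length: int = 8192,
                    connect_ports: str = "443", add_via: bool = True,
                    forward_ip_header: Optional[str] = "X-Forwarded-For") -> ProxyResult:
    parsed = split_request(raw, max_header_length)
    if parsed is None:
        return ProxyResult(False, f"header missing, malformed or longer than {max_header_length} bytes")
    method, target, version, headers, body = parsed

    if method == "CONNECT":
        # CONNECT target is host:port; deny anything outside the configured ports
        _host, _, port = target.rpartition(":")
        allowed = parse_connect_ports(connect_ports)
        if not port.isdigit() or (allowed is not None and int(port) not in allowed):
            return ProxyResult(False, f"CONNECT to port {port or '?'} not allowed")

    if add_via:
        # received-protocol version followed by the proxy's pseudonym
        headers.append(("Via", f"{version.partition('/')[2]} {PROXY_NAME}"))

    if forward_ip_header:
        # append to an existing chain so earlier hops stay visible to the next hop
        for i, (name, val) in enumerate(headers):
            if name.lower() == forward_ip_header.lower():
                headers[i] = (name, f"{val}, {client_ip}")
                break
        else:
            headers.append((forward_ip_header, client_ip))

    out = f"{method} {target} {version}\r\n".encode("iso-8859-1")
    out += "".join(f"{n}: {v}\r\n" for n, v in headers).encode("iso-8859-1") + b"\r\n" + body
    return ProxyResult(True, "", out, headers)
```

Restricting CONNECT to the ports that really carry SSL is what keeps the proxy from being used as a generic TCP tunnel, which is why the default of 443 is worth keeping narrow; the header-length limit in turn bounds the memory a single client can tie up before its request is even evaluated.<br />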
5.2.2<br />
Next Hop Proxies<br />
The Next Hop Proxies tab looks like this:<br />
There is one section on this tab:<br />
• Use Next Hop Proxies<br />
It is described in the following.<br />
Use Next Hop Proxies<br />
The Use Next Hop Proxies section looks like this:<br />
Using this section, you can configure next hop proxies for HTTP connections.<br />
You can specify the URLs that next hop proxies should be used for, as well as<br />
the mode of this usage and the next hop proxies to be used.<br />
The Use Next Hop Proxies feature is not enabled by default. To enable it,<br />
mark the checkbox next to the section heading. Then click on Apply Changes<br />
to make this setting effective.<br />
Furthermore, use the following items to configure next hop proxies:<br />
• Do not use Next Hops for local addresses<br />
Enable this option to prevent the use of next hop proxies for local addresses.<br />
Then click on Apply Changes to make this setting effective.<br />
Local addresses have no dots (.) within their specifications.<br />
So, after enabling this option, you can fine-tune <strong>Webwasher</strong> in an intranet<br />
and enter the name of a local server in the browser, e. g. server_name,<br />
instead of typing a URL, e. g. http://server_name.fooo.com.<br />
<strong>Webwasher</strong> will then contact this local server directly without using the configured<br />
proxy.<br />
Using this option speeds up internal connections and reduces load on the<br />
proxy server.
• if URL matches<br />
This input field is the first of several items provided for specifying information<br />
on the next hop proxies you want to configure.<br />
Enter a matching term here. If a URL matches this term, it will use the<br />
next hop proxies specified further below in the usage mode that is also<br />
specified further below.<br />
• use mode<br />
From this drop-down list, select the mode to be used for the URLs and next<br />
hop proxies specified here. The following modes are available:<br />
— None<br />
This mode uses no next hop proxies. Direct connections will be used<br />
instead.<br />
— specific<br />
In this mode, one specific next hop is set for the URLs configured<br />
above.<br />
— failover<br />
In this mode, the first next hop given in the participants list is tried first.<br />
If it fails, it will be retried until the configured retry maximum for it has<br />
been reached.<br />
Then the second next hop proxy in the participants list is tried, etc.<br />
— round robin<br />
In this mode, the next hop proxy is used that is next in the participants<br />
list to the one that was used last.<br />
This means also that the participants list is used in a circular manner: If<br />
the end of the list has been reached, selection of next hop proxies will<br />
restart from the beginning.<br />
• participating next hops<br />
In this input field, enter the next hop proxies that should be used for the<br />
URLs specified here.<br />
To do this, type a proxy name or select one from the drop-down list to the<br />
right of this input field. You can add more than one proxy by repeating this<br />
operation.<br />
The drop-down list shows select one to add as its topmost entry. If no<br />
next hop proxies have been configured yet, the topmost entry reads no<br />
Next Hops defined.<br />
5–15
Proxies<br />
5–16<br />
To configure next hop proxies, click on the Define Next Hop Proxies<br />
button, which is located further to the right.<br />
This will open a window, where you can specify the information required to<br />
configure a next hop proxy.<br />
For the description of this window, see the Available Proxies subsection<br />
further below.<br />
• Add Entry to List<br />
After specifying the appropriate information about a next hop proxy, click<br />
on this button to add it to the list.<br />
The list of next hop proxies is displayed at the bottom of this section. For each<br />
entry, it provides the information that is specified when a new entry is added.<br />
You can edit list entries, move them up and down in the list, or delete them.<br />
To display only a particular number of entries at a time, type this number in the<br />
input field labeled Number of entries per page and enter it using the Enter<br />
key on your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an entry, type the appropriate text in the input fields of the URL, use<br />
mode and participating next hops columns. Then click on Apply Changes<br />
to make this setting effective. You can edit more than one entry and make the<br />
changes effective in one go.<br />
The list also contains an entry with * as value for the URL parameter. It is<br />
always in last position within the list and cannot be deleted. By editing this<br />
entry, you can configure a next hop proxy setting for all URLs that are not<br />
represented by a particular entry in the list.<br />
Since the * entry is last in the list, it becomes effective only after all other list<br />
entries have been read by <strong>Webwasher</strong> and used for establishing next hop proxy<br />
connections.<br />
By default none is specified as mode for the * entry, which means that there<br />
will be no next hop proxy connections for URLs that are not otherwise included<br />
in the list.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field above the URL, use mode or<br />
participating next hops or in a combination of them and enter this using<br />
the Enter key of your keyboard.
The list will then display only entries matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Move Up, Move Down<br />
Select the entry you wish to move by marking the Select checkbox next<br />
to it and click on either of these buttons, depending on where you want to<br />
move the entry.<br />
The position an entry takes in the list is important since whenever there is<br />
more than one entry in the list containing information on a particular URL<br />
or next hop proxy, the entry that is first in the list wins.<br />
Available Proxies<br />
This section of the window allows you to configure next hop proxies for all kinds<br />
of connections. These will then be available for selection on the Use Next Hop<br />
Proxies tab.<br />
After specifying the appropriate settings for a next hop proxy, it is added to the<br />
list of available next hop proxies by clicking on the Add button.<br />
The list is displayed at the bottom of the section. You can modify the settings<br />
for each proxy that is shown in the list.<br />
Use the following items for configuring available next hop proxies:<br />
• Name<br />
In this input field, enter the name of the next hop proxy you want to configure.<br />
If you leave the field empty, a name will be generated by <strong>Webwasher</strong>,<br />
e. g. pxy1, and inserted in this field after clicking on the Add button.<br />
The name can be modified after the new proxy has been included in the<br />
list.<br />
• Proxy server address<br />
In the input fields provided here, enter the address of the server you want<br />
to make available as next hop proxy:<br />
— Host<br />
Enter the IP address or URL of this server here.<br />
— Port<br />
Enter the port number of the port for connecting to this server here.<br />
• Proxy authorization<br />
In the input fields provided here, enter the credentials that <strong>Webwasher</strong><br />
should use for authentication at the next hop proxy:<br />
— Username<br />
Enter the user name here.<br />
— Password<br />
Enter the password here.<br />
• Connection behavior<br />
Use the items provided here to configure the connection behavior:<br />
— Retry . . . times on failure for this proxy<br />
From the drop-down list provided here, select the number of retries you<br />
want to configure for a next hop proxy. You can configure up to three<br />
retries.<br />
When the maximum number of retries has been reached, <strong>Webwasher</strong><br />
will try to establish a connection using another next hop proxy, according<br />
to what has been configured on the Use Next Hop Proxies tab,<br />
e. g. failover or round robin.<br />
— Do not retry proxy for . . . minutes when it has reached . . .<br />
times within 10 seconds its maximum number of retries<br />
In the input fields provided here, enter the time information that will<br />
cause a connection break, i. e. an interval during which <strong>Webwasher</strong><br />
will not retry a next hop proxy after a connection to it could not be established<br />
in a given situation.<br />
In the first input field, enter the time (in minutes) that the connection<br />
break should last.<br />
In the second input field, specify how often the maximum number of retries<br />
must have been reached within 10 seconds before the connection<br />
break is started.<br />
— use persistent connections<br />
If you want <strong>Webwasher</strong> to use persistent connections to the next hop<br />
proxies, make sure this checkbox is marked. The checkbox is marked<br />
by default.<br />
<strong>Webwasher</strong> will try to meet this requirement by establishing persistent<br />
connections, but may fail to do so in some situations.
You will then see that the failed counter in the list of available next hop<br />
proxies displays an increased value for the connection to the next hop<br />
proxy in question.<br />
In this case, you might clear the checkbox to disable the option. Note,<br />
however, that this will reduce performance.<br />
• Add<br />
After specifying the appropriate information for the server you want to make<br />
available as next hop proxy, click on this button to add it to the list of available<br />
next hop proxies.<br />
The list of available next hop proxies is displayed at the bottom of this section.<br />
For each entry, it provides the information that is specified when a new entry<br />
is added. Furthermore, statistical figures are displayed on the reliability of next<br />
hop proxies.<br />
You can edit list entries, delete them and reset the statistics.<br />
To display only a particular number of entries at a time, type this number in the<br />
input field labeled Number of entries per page and enter it using the Enter<br />
key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an entry, click on the View Details and Edit link in the same line. This<br />
will reopen the window and this section with the information concerning the<br />
next hop proxy in question, so you can modify it.<br />
After completing the modification, click on the Modify button, which is provided<br />
now instead of the Add button, to make it effective. If you want to clear the<br />
information before modifying the settings for a next hop proxy, click on the<br />
Clear Input button.<br />
Apart from the information that was specified when a new entry was added to<br />
the list, such as the proxy name and address, the list displays statistical figures<br />
on the reliability of each next hop proxy.<br />
The following information is provided in the columns of the list:<br />
• reliability<br />
Reliability of a next hop proxy<br />
The reliability is calculated as the percentage of attempts to establish a<br />
connection to the next hop proxy that were successful in relation to the<br />
overall number of attempts.<br />
• tried<br />
Number of times that <strong>Webwasher</strong> tried to establish a connection to a proxy<br />
• failed<br />
Number of times that an attempt by <strong>Webwasher</strong> to establish a connection<br />
to a proxy failed<br />
• last fail<br />
Date and time of the last time that an attempt by <strong>Webwasher</strong> to establish<br />
a connection to a proxy failed<br />
• do not retry reached<br />
Date and time of the last time that a situation was reached where <strong>Webwasher</strong><br />
did not retry a next hop proxy over a given period of time.<br />
The length of this period depends on what you configured under Do not<br />
retry proxy for . . . minutes when it has reached . . . times<br />
within 10 seconds its maximum number of retries, see above.<br />
If the do not retry situation is still on, i. e. <strong>Webwasher</strong> will currently not retry<br />
the next hop proxy in question, the date and time values are displayed in<br />
red.<br />
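The use modes (specific, failover, round robin), the retry maximum, the do not retry cooldown and the reliability counters described above fit together as follows. This is an added model of that behaviour, not Webwasher code; the wildcard URL matching, the cooldown values and the percentage shown for a never-tried proxy are assumptions.

```python
"""Added example: next hop proxy selection with failover / round robin modes,
retry maximum, 'do not retry' cooldown and reliability counters.
This is not Webwasher code; it models the behaviour the guide describes."""
import fnmatch
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Connector = Callable[[str, int], bool]   # (host, port) -> True on a successful connect


@dataclass
class NextHopProxy:
    """One entry of the Available Proxies list together with its statistics."""
    name: str
    host: str
    port: int
    max_retries: int = 3          # 'Retry ... times on failure' (the GUI allows up to 3)
    cooldown_minutes: int = 10    # 'Do not retry proxy for ... minutes' (assumed value)
    cooldown_threshold: int = 3   # '... when it has reached ... times within 10 seconds' (assumed)
    tried: int = 0
    failed: int = 0
    last_fail: Optional[float] = None
    do_not_retry_until: Optional[float] = None
    _exhaustions: List[float] = field(default_factory=list)

    def reliability(self) -> float:
        """Successful attempts as a percentage of all attempts (100 if never tried)."""
        if self.tried == 0:
            return 100.0
        return 100.0 * (self.tried - self.failed) / self.tried

    def in_cooldown(self, now: float) -> bool:
        return self.do_not_retry_until is not None and now < self.do_not_retry_until

    def attempt(self, connect: Connector, now: float) -> bool:
        """Try once plus max_retries times; on exhaustion, count towards the cooldown."""
        if self.in_cooldown(now):
            return False
        for _ in range(1 + self.max_retries):
            self.tried += 1
            if connect(self.host, self.port):
                return True
            self.failed += 1
            self.last_fail = now
        # maximum number of retries reached: remember it within a 10 second window
        self._exhaustions = [t for t in self._exhaustions if now - t <= 10.0] + [now]
        if len(self._exhaustions) >= self.cooldown_threshold:
            self.do_not_retry_until = now + 60.0 * self.cooldown_minutes
            self._exhaustions = []
        return False


@dataclass
class NextHopRule:
    """One entry of the Use Next Hop Proxies list."""
    url_pattern: str            # 'if URL matches' (shell-style wildcard, an assumption)
    mode: str                   # 'none', 'specific', 'failover' or 'round robin'
    participants: List[str]     # names of NextHopProxy entries


class NextHopSelector:
    def __init__(self, proxies: List[NextHopProxy], rules: List[NextHopRule]):
        self.proxies: Dict[str, NextHopProxy] = {p.name: p for p in proxies}
        # the '*' entry is always last and defaults to mode 'none'
        self.rules = list(rules) + [NextHopRule("*", "none", [])]
        self._cursor: Dict[int, int] = {}   # round robin position per rule

    def rule_index(self, url: str) -> int:
        """The first matching list entry wins."""
        for i, rule in enumerate(self.rules):
            if fnmatch.fnmatch(url, rule.url_pattern):
                return i
        return len(self.rules) - 1

    def connect(self, url: str, connect: Connector, now: float) -> Optional[str]:
        """Name of the proxy used, 'direct' for no next hop, None if every participant failed."""
        i = self.rule_index(url)
        rule = self.rules[i]
        if rule.mode == "none" or not rule.participants:
            return "direct"
        if rule.mode == "specific":
            order = rule.participants[:1]
        elif rule.mode == "failover":
            order = list(rule.participants)
        elif rule.mode == "round robin":
            n = len(rule.participants)
            start = self._cursor.get(i, 0)
            order = [rule.participants[(start + k) % n] for k in range(n)]
            self._cursor[i] = (start + 1) % n
        else:
            raise ValueError(f"unknown use mode: {rule.mode}")
        for name in order:
            if self.proxies[name].attempt(connect, now):
                return name
        return None
```

The point to take from the model is the interaction of the two limits: a proxy that keeps exhausting its retries is skipped entirely for the configured number of minutes, so a broken next hop costs at most a few connection attempts per 10 seconds before traffic moves on to the other participants, and the reliability column lets you spot such a proxy before users notice.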
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input fields above the Name, Proxy or Port<br />
columns or in a combination of them and enter this using the Enter key of<br />
your keyboard. The list will then display only entries matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Reset Statistics<br />
Click on this button to reset the statistical figures shown in the list for reliability<br />
of next hop proxies.<br />
• Reset do not retry<br />
Click on this button to reset the statistics only for the do not retry reached<br />
parameter, see above.
To return to the Next Hop Proxies tab, click on the Close button.<br />
The next hop proxy you added to the list, will also appear and be available in<br />
the list of next hop proxies, which is displayed at the bottom of the Use Next<br />
Hop Proxies section on that tab.<br />
5.2.3<br />
Authentication<br />
The Authentication tab looks like this:<br />
At the top of this tab, there is a button labeled:<br />
• Define Proxy Authentication Options<br />
Click on this button to configure some additional options relating to all kinds<br />
of proxies. This will open a window where you can specify the appropriate<br />
information.<br />
It is described after the Configuring the eDirectory Authentication<br />
Method subsection (see below).<br />
Furthermore, there are five sections on this tab:<br />
• Authentication Process<br />
• Authentication Options<br />
• NTLM and NTLM-Agent Authentication Options<br />
• User Database Authentication Options<br />
• IP Forwarding<br />
They are described in the following.<br />
In addition to this, a sample procedure is described for the eDirectory authentication<br />
method, after the Authentication Process subsection:<br />
• Configuring the eDirectory Authentication Method<br />
This is followed by the Define Proxy Authentication Options subsection<br />
that was already mentioned above.<br />
Authentication Process<br />
The Authentication Process section looks like this:<br />
Using this section, you can configure where users are authenticated. The authentication<br />
process may involve an LDAP or NTLM server, a Radius server,<br />
or the User Database provided by <strong>Webwasher</strong>.<br />
Furthermore, there is also an option for configuring the use of a Novell eDirectory<br />
server, which will then take the role of an LDAP server, in order to<br />
authenticate users.<br />
On this server, information is stored about the IP addresses of authenticated<br />
users, which can be extracted and used by <strong>Webwasher</strong> for the authentication<br />
process.<br />
The name of the field where the IP address of a user is stored is<br />
NetworkAddress. The port number can be stored there with the address.<br />
The field is in binary format, which means that no wildcard queries can be performed<br />
for user addresses. Instead, <strong>Webwasher</strong> periodically polls the eDirectory<br />
to retrieve the addresses of the users that logged in since the last request.<br />
The structure of this search is reflected in a filtering term, which is configured<br />
together with the settings for the LDAP method, see further below.<br />
Make sure the NetworkAddress field is visible when the user information is<br />
looked at via the LDAP server interface. Otherwise, <strong>Webwasher</strong> will not be<br />
able to extract the information.
You can select two of the methods mentioned above and configure them for<br />
user authentication here. The methods are applied in the order you configure<br />
them.<br />
A user is successfully authenticated as soon as one of the configured methods<br />
produces a match.<br />
After selecting a method, you can specify further settings that are relevant to<br />
this method in other sections of this tab, and in the window that appears after<br />
clicking on the Define Proxy Authentication Options button in the top area<br />
of this tab.<br />
For the NTLM and NTLM-Agent methods, this can be done in the NTLM and<br />
NTLM-Agent Authentication Options section, and for the User Database<br />
method in the User Database Authentication Options section. Both these<br />
sections are on this tab.<br />
For the LDAP method, there is the LDAP Authentication section in the Define<br />
Proxy Authentication Options window, where you also find the Radius Authentication<br />
section for the Radius server method.<br />
If you select eDirectory as method, you can also configure the use of a filter<br />
for searching the user information that is needed in the authentication process.<br />
This is done in the Novell eDirectory IP Filter input field, which is provided<br />
in the LDAP Authentication section of the Define Proxy Authentication<br />
Options window.<br />
A filtering term has been entered in this field, which should not be altered since<br />
this will prevent <strong>Webwasher</strong> from extracting the appropriate user information.<br />
The name of the storage field on the eDirectory server has also been preconfigured<br />
as one of the additional settings of the LDAP method and should likewise<br />
not be altered.<br />
Furthermore, you can configure the eDirectory option as part of the Web mapping<br />
process. There will be a lookup of these addresses then on the eDirectory<br />
server before they are mapped to security policies configured within <strong>Webwasher</strong>.<br />
Use the Mapping Process section on the Web Mapping tab under User<br />
Management > Policy Mapping to configure these settings.<br />
After specifying the appropriate settings here, click on Apply Changes to<br />
make them effective.<br />
Use the following drop-down lists to configure user authentication:<br />
• Authentication methods list 1<br />
Select a method for user authentication from this drop-down list.<br />
If you select an additional method from the second list, they are applied<br />
according to their order. If the first method fails, a user may still be authenticated<br />
by the second.<br />
The following methods are available: NTLM, NTLM Agent, LDAP, eDirectory,<br />
User Database and Radius.<br />
• Authentication methods list 2<br />
Select a method for user authentication in the same way as described<br />
above from this drop-down list.<br />
You may also select None here, and have just one method for authenticating<br />
users.<br />
Configuring the eDirectory Authentication Method<br />
The following procedure describes how to configure an authentication method<br />
that uses the information stored on a Novell eDirectory server.<br />
This method is then configured as part of a Web mapping that maps users of<br />
a given group to a particular policy.<br />
It is also shown how to specify the appropriate settings for the LDAP server<br />
configuration.<br />
Proceed as follows:<br />
1. In the Authentication Process section of the Authentication tab, select<br />
eDirectory as method from the first drop-down list.<br />
2. Click on Apply Changes to make this setting effective.<br />
3. Go to the Web Mapping tab under User Management > Policy Management.<br />
4. In the Mapping Process section of that tab, set up a mapping method<br />
that maps users based on their IP addresses and using the eDirectory<br />
authentication method.<br />
To do this, select the following in the first line under Mapping Order for<br />
REQMOD:<br />
• From the Map from drop-down list, select IP.<br />
• From the Map via drop-down list, select via eDirectory.<br />
The resulting scheme is then displayed under Using these rules.<br />
5. Click on Edit rules and options in the same line. This will take you<br />
to the IP based mapping tab, where you can set up mapping rules for<br />
authenticated users.
6. On this tab, leave the default settings of the first three sections as they<br />
are.<br />
Note that using the Standard Meta (ICAP) Header (X-Client-IP) for the<br />
IP address search will work fine as long as <strong>Webwasher</strong> is configured as<br />
proxy.<br />
7. In the Add Rule section, add a rule that maps the users of a given group<br />
to a particular policy:<br />
• Select a policy from the drop-down list provided here, e. g. edirpolicy.<br />
If no existing policy suits your needs, configure a new one, using the<br />
Create New Policy section on the Management tab under User<br />
Management > Policy Management.<br />
• Type the name of the user group in the input field next to the list, e. g.<br />
edirgroup.<br />
The users of this group must be stored on the eDirectory server together<br />
with information specifying the group.<br />
8. Click on Add First to add the rule to the rules list, which is displayed<br />
below the Add Rule section under Current Rules.<br />
9. Click on Configure LDAP Server at the top of this tab, to go to the<br />
LDAP Connection tab, where you can configure the eDirectory server<br />
that takes the role of an LDAP server in this configuration.<br />
10. On this tab, enter the following in the LDAP Connection Details section:<br />
• In the LDAP server(s) field, type the host name or IP address of the<br />
eDirectory server.<br />
• In the WW’s user name field, specify a user name, e. g. admin,<br />
and where to begin the search for it in the eDirectory, e. g. under<br />
edirfolder. Use the format required for LDAP configuration: cn=admin,<br />
o=edirfolder.<br />
• In the WW’s password field, type a password for the user name configured<br />
above.<br />
11. In the Attribute Details section, proceed as follows:<br />
• Leave the User checkbox blank and mark the Group object checkbox.<br />
This setting is required to configure group-based mapping, which this<br />
procedure is about. To configure user-based mapping, do it the other<br />
way round.<br />
Note that you cannot configure both kinds of mapping at the same<br />
time.<br />
For user-based mapping, you would also have to leave cn as value<br />
in the Attributes to extract field, see below.<br />
• Make sure that cn is the value in the Attributes to extract field.<br />
According to the LDAP format, this is the code for the attribute that<br />
contains the group name in a search for user groups (or the user name<br />
in a search for individual users). It is also the default value here.<br />
• In the Base DN to group objects field, specify where to begin the<br />
search for the users of a given group within the eDirectory, e. g. under<br />
edirfolder.<br />
Use the LDAP format again: o=edirfolder.<br />
• In the Group member attribute name field, leave uniquemember,<br />
and in the Object class for groups field, leave groupofuniquenames<br />
as default values.<br />
12. In the LDAP Authentication section, enter the following:<br />
• In the Base DN to user object field, type o=edirfolder again. Note<br />
that this setting and the following are also required for user-based<br />
mapping.<br />
• In the UID attribute name field, type cn.<br />
13. Click on Apply Changes to make these settings effective.<br />
This completes the sample procedure.<br />
You can now log in as a user of a group, e. g. edirgroup, that is stored on the<br />
eDirectory server, e. g. under edirfolder, to see if the mapping was performed<br />
successfully.<br />
The mapping was successful if you can now access Web objects as is allowed<br />
under the settings of edirpolicy.
Define Proxy Authentication Options Window<br />
The Define Proxy Authentication Options window looks like this:<br />
It enables you to configure further settings for some of the authentication methods<br />
that are configured in the Authentication Process section.<br />
These settings are valid for all kinds of proxies and also for transparent authentication.<br />
There are four sections in this window:<br />
• NTLM Agent Setup<br />
• LDAP Authentication<br />
• Radius Authentication<br />
• Login Window Name<br />
They are described in the following.<br />
NTLM Agent Setup<br />
<strong>Webwasher</strong> can run on Microsoft Windows as well as on other operating systems<br />
such as Linux or Solaris. If it is running on Windows, it can directly do<br />
NTLM authentication with the domain controller.<br />
If you want to use NTLM authentication with <strong>Webwasher</strong> on a different operating<br />
system, you can do this via <strong>Webwasher</strong>’s NTLM Agent.<br />
The NTLM Agent may also be useful for Windows deployments if the connection<br />
between <strong>Webwasher</strong> and the domain controller is limited by a firewall,<br />
because the connection to this agent requires only a single free definable port<br />
to be opened.<br />
The NTLM Agent is an application you can download from the Resource Center<br />
(or the <strong>Webwasher</strong> Extranet). It must be installed on the domain controller or<br />
on any other system of the domain that can communicate with the domain<br />
controller via NTLM.<br />
You can set up more than one NTLM Agent for high availability and/or to handle<br />
NTLM authentication with multiple separated domains.<br />
<strong>Webwasher</strong> uses a proprietary protocol to communicate with the NTLM<br />
Agent. By default, connections to the NTLM Agents are encrypted. This can<br />
be changed by unchecking the checkbox labeled Use encrypted connections<br />
to NTLM Agents within the NTLM Agent Setup section.<br />
If the clients use NTLM challenge response with <strong>Webwasher</strong>, no passwords<br />
are transmitted, but only the response to the challenge. The request still contains<br />
the user name and possibly group information.<br />
If the clients use Basic authentication with <strong>Webwasher</strong>, the password is transmitted,<br />
and <strong>Webwasher</strong> passes it on to the NTLM Agent.<br />
We therefore recommend using encrypted connections with the NTLM Agent.<br />
The SSL connection switch is common to all NTLM Agents specified.<br />
You must also switch off the SSL connection switch at the NTLM Agents to get<br />
a successful connection.<br />
The status of the NTLM Agent connections is shown on the corresponding Web<br />
interface page and (in case of an error) also on the home page of this interface.<br />
In case of an error, more status information may be available in the errors log<br />
file and at the NTLM agent’s user interface.<br />
If the NTLM Agent is not running on the domain controller, you should make<br />
sure that the service pack version installed on the system it is running on is the<br />
same as that on the domain controller.
To set up an NTLM Agent, proceed as follows:<br />
1. Within the Web interface, go to the Authentication tab under Proxies<br />
> HTTP Proxy.<br />
2. In the Authentication Process section, select NTLM-Agent as authentication<br />
method.<br />
This option is offered in each of two drop-down lists. Priority will be given<br />
to the authentication method selected from the first list.<br />
3. Specify a list of the NTLM Agents that <strong>Webwasher</strong> should connect to.<br />
To specify an NTLM Agent, enter the IP address of the system running<br />
this agent in the input field within the NTLM Agent Setup section.<br />
Also specify a port number in case the default port 9531 is not used.<br />
Example 1: 192.168.42.100 (specifies a connection to the NTLM Agent<br />
running on 192.168.42.100 on default port 9531).<br />
Example 2: 192.168.42.101:1234 (specifies a connection to the NTLM<br />
Agent running on 192.168.42.101 on port 1234).<br />
If you are deploying multiple NTLM Agents for the same domain, list their<br />
IP addresses and ports in a comma-separated list.<br />
Example 3: 192.168.42.100,192.168.42.101:1234<br />
<strong>Webwasher</strong> will use a round robin load balancing scheme to connect to<br />
these agents.<br />
If you want to use a list of NTLM Agents only for a special domain, type<br />
the @ sign and the domain name after the NTLM Agents list.<br />
Example 4: 192.168.42.100,192.168.42.101:1234@example.org.<br />
If the domain name is omitted, the agents of the list are connected for all<br />
domains that are not specified in other lists.<br />
To separate multiple NTLM Agents domain lists, use the ; (semicolon).<br />
Example 5: 192.168.42.100,192.168.42.101:1234@example.org;<br />
192.168.42.200@example2.org;102.168.42.222:2345<br />
This example will use the two agents on the systems with IPs .100 and<br />
.101 in round robin load balancing with all requests for the example.org<br />
domain. It will use the agent on the system with IP .200 for the example2.org<br />
domain, and the agent on IP .222 for all other domains.<br />
4. Click on Apply Changes to make your settings effective.<br />
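The agent list syntax used in steps 3 (comma-separated agents, an optional port after a colon, an optional @domain per list, semicolons between lists) parses as shown in this added example. It is not Webwasher code: the sample setting is constructed in the guide's syntax, the case-insensitive domain match and the per-domain round robin picker are assumptions, and only IPv4 addresses are handled, as on the page.

```python
"""Added example: parser for the NTLM Agent list syntax
('ip[:port]' entries, ',' between agents, '@domain' per list, ';' between lists).
Not Webwasher code; the round robin picker is an assumption about the scheme."""
import ipaddress
from typing import Dict, List, Optional, Tuple

DEFAULT_NTLM_AGENT_PORT = 9531
Agent = Tuple[str, int]

# constructed sample in the guide's syntax (addresses are made up for this example)
SAMPLE_SETTING = ("192.168.42.100,192.168.42.101:1234@example.org;"
                  "192.168.42.200@example2.org;192.168.42.222:2345")


def parse_agent(spec: str) -> Agent:
    """'ip' or 'ip:port' -> (ip, port); rejects anything that is not an IPv4 address."""
    host, sep, port = spec.strip().partition(":")
    ipaddress.IPv4Address(host)                   # raises ValueError for a bad address
    port_no = int(port) if sep else DEFAULT_NTLM_AGENT_PORT
    if not 1 <= port_no <= 65535:
        raise ValueError(f"port out of range in {spec!r}")
    return host, port_no


def parse_agent_lists(setting: str) -> Dict[Optional[str], List[Agent]]:
    """Map domain (lower-cased) -> agents; key None holds the list without '@domain'."""
    lists: Dict[Optional[str], List[Agent]] = {}
    for entry in setting.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        agents_part, at, domain = entry.partition("@")
        key = domain.strip().lower() if at else None   # case-insensitive domain: assumption
        if key in lists:
            raise ValueError(f"domain listed twice: {domain or '<default>'}")
        agents = [parse_agent(a) for a in agents_part.split(",") if a.strip()]
        if not agents:
            raise ValueError(f"no agents in entry {entry!r}")
        lists[key] = agents
    return lists


def agents_for_domain(lists: Dict[Optional[str], List[Agent]], domain: str) -> List[Agent]:
    """Agents for a domain, falling back to the list that has no domain."""
    return lists.get(domain.lower()) or lists.get(None) or []


class RoundRobin:
    """Picks the agents of a domain in turn, as the guide says Webwasher does."""

    def __init__(self, lists: Dict[Optional[str], List[Agent]]):
        self.lists = lists
        self._pos: Dict[Optional[str], int] = {}

    def pick(self, domain: str) -> Optional[Agent]:
        agents = agents_for_domain(self.lists, domain)
        if not agents:
            return None
        key = domain.lower() if domain.lower() in self.lists else None
        i = self._pos.get(key, 0)
        self._pos[key] = (i + 1) % len(agents)
        return agents[i]
```

Running the parser over a setting before applying it in the Web interface is a cheap way to catch a mistyped address or port in a long list, and the domain fallback makes explicit which agents will receive requests for domains you did not list.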
LDAP Authentication<br />
Using this section, you can configure a number of settings that are needed<br />
when LDAP is used as a group policy method for authentication on the ICAP<br />
server and HTTP proxy.<br />
Note that the ICAP client usually receives a list of attributes from the LDAP<br />
server and the ICAP server only assigns a policy. But if you select LDAP as<br />
authentication method on the ICAP server, this data will be retrieved twice, first<br />
by the HTTP proxy and then by the ICAP server.<br />
Configuring the settings as described below enables you to avoid this doubled<br />
effort.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the items in the following two areas to configure LDAP authentication settings:<br />
• Specify connection details<br />
In this area, use the following input fields to enter details of the connection<br />
to the LDAP server:<br />
— LDAP server(s)<br />
Enter the host name or IP address of the LDAP server here. The port<br />
number may also be specified, after a colon, e. g. 192.168.0.5:389.<br />
You can specify more than one server, separated by spaces. In this<br />
case, <strong>Webwasher</strong> will try to perform load balancing based on a round-robin<br />
algorithm (all servers need to be configured in the same way for<br />
this).<br />
Note that no failover is performed by <strong>Webwasher</strong>. If <strong>Webwasher</strong> is<br />
already running and an LDAP server is working, but then becomes unavailable,<br />
a request to this server will fail.<br />
If you start <strong>Webwasher</strong> and an LDAP server is not responding from the<br />
beginning, it will be removed from the list and only the other servers<br />
will be used.<br />
— Username for <strong>Webwasher</strong> to log into LDAP server<br />
Enter the name here <strong>Webwasher</strong> should use to authenticate itself when<br />
trying to access the information stored on the LDAP server.
If the server permits even an anonymous user to access this information,<br />
no input is required here.<br />
Note that when several instances of <strong>Webwasher</strong> are running in a cluster,<br />
one of them is configured as master.<br />
If the LDAP authentication method is used within this cluster, site instances<br />
can only connect to the master if a user admin has been configured<br />
for it.<br />
This means that you need to enter admin as user name here if the<br />
<strong>Webwasher</strong> instance you specify it for is the master of the cluster.<br />
— <strong>Webwasher</strong>’s password<br />
Enter the password here that goes with the user name specified for<br />
<strong>Webwasher</strong>.<br />
• Select where user attributes originate from<br />
In this area, use the following input fields to specify where to look for the<br />
attributes that are needed to authenticate a user:<br />
— Base DN to user object<br />
Enter the path name here that leads to the location where the search<br />
for a user name entry should begin on the LDAP server.<br />
— UID attribute name<br />
If you want to use the UID attribute name, which is a unique key, in the<br />
search for a user name entry on the LDAP server, make sure this radio<br />
button is checked. The radio button is checked by default.<br />
In the input field provided here, enter the key. If a user name submitted<br />
for authentication matches this key, the user is authenticated successfully.<br />
By selecting this option you enable a simple search relying only on the<br />
attribute name.<br />
To enable a complex search, use the Filter option described below, or<br />
the Novell eDirectory IP Filter option (if you have configured eDirectory<br />
as authentication method).<br />
— Filter<br />
If you want to enable a complex search for a user name entry on the<br />
LDAP server, check this radio button.<br />
This search is compatible with all kinds of LDAP servers, using query<br />
filters for the following attributes: user name, user group name and<br />
mail group name.<br />
In the input field provided here, enter a complex filter condition.<br />
Example: A complex filter condition relying on the user name and the<br />
user group name could be specified as follows:<br />
(&(groupid=internet)(uid=%u))<br />
With this sample condition, the user name needs to match the UID,<br />
but it must also be a member of the internet user group, which might<br />
have been configured to include all users that are allowed access to<br />
the Internet.<br />
All other users are blocked by the authentication process.<br />
The variable used to represent the user name must be %u, as shown<br />
above. No other variables are allowed here for this.<br />
— Novell eDirectory IP Filter<br />
A complex search for user attributes on the Novell eDirectory server is<br />
performed with the following filtering condition, which has been entered<br />
in this field and should not be altered:<br />
(&(objectClass=user)(loginTime>%u)<br />
Within this condition, the %u variable represents the time of the last<br />
update in the search for user attributes performed by <strong>Webwasher</strong>.<br />
The complete condition searches for entries that are of the user object<br />
class and have been stored since that last update.<br />
— Novell eDirectory network address attribute<br />
This attribute is the name of the field where the IP address of a user is<br />
stored on the eDirectory server. It is NetworkAddress and must not<br />
be altered.<br />
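As an added example that is not part of this guide, the following Python code shows how the %u variable in a filter template such as (&amp;(groupid=internet)(uid=%u)) can be filled with the submitted user name as a literal value (RFC 4515 escaping), together with a parenthesis check on the template; the function names and sample user names are assumptions made for the example.<br />

```python
# Added example, not part of the Webwasher guide: filling the %u variable of
# a filter template such as (&(groupid=internet)(uid=%u)) so that the user
# name submitted for authentication is treated as a literal value. Escaping
# follows RFC 4515 (LDAP search filter string representation). Function
# names and the sample user names below are constructed for this example.

# Characters that have a meaning inside an LDAP filter value.
LDAP_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an LDAP filter value."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def filter_is_balanced(ldap_filter: str) -> bool:
    """Structural sanity check for a filter: parentheses balanced,
    skipping escaped sequences such as \\28 and \\29."""
    depth = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3          # backslash plus two hex digits
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


def build_filter(template: str, user_name: str) -> str:
    """Substitute %u in the template with the escaped user name.

    Only %u is permitted as a variable (as the guide states); the template
    itself must be well formed before substitution.
    """
    if "%u" not in template:
        raise ValueError("template has no %u variable")
    if not filter_is_balanced(template):
        raise ValueError("template has unbalanced parentheses")
    return template.replace("%u", escape_filter_value(user_name))


if __name__ == "__main__":
    template = "(&(groupid=internet)(uid=%u))"
    # A plain name and one containing filter metacharacters: the latter
    # stays a single literal in the uid comparison after escaping.
    for name in ("jdoe", "j*doe)(cn=x"):
        print(build_filter(template, name))
```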
Radius Authentication<br />
Using this section, you can configure the connection to the Radius server,<br />
where the user data is stored that can be looked up for authentication purposes.<br />
The protocols supported on this connection are PAP/SPAP.<br />
In order to enable a failover, you can configure a primary and a secondary<br />
Radius server.<br />
Furthermore, you can configure the use of group information within the authentication<br />
process.<br />
Note that <strong>Webwasher</strong> does not use the failover configured here to do load<br />
balancing, but only to perform a retry in case a problem occurs while authenticating<br />
a user.<br />
Depending on the type of problem, <strong>Webwasher</strong> proceeds in the following way:<br />
1. If authentication fails although communication itself went on correctly, e. g.<br />
in case of a wrong password, no retry is performed.<br />
2. If communication fails, e. g. when an error message was received after<br />
sending the user credentials or a given time interval elapsed with no response<br />
from the Radius server, the secondary server is tried using the<br />
same credentials.<br />
Note that the Radius server timeout is 5 seconds by default, and that it<br />
cannot be configured within this Web interface, but only using the command<br />
line interface.<br />
3. <strong>Webwasher</strong> counts the number of errors that occurred on each server.<br />
If the secondary server has fewer errors than the primary server, <strong>Webwasher</strong><br />
will try the secondary server first for the next instances of user<br />
authentication.<br />
After a given time, or if the error number ratio changes, <strong>Webwasher</strong> will<br />
bring the primary and the secondary server back to their originally configured<br />
order.<br />
This procedure is only performed, however, when authenticating ordinary<br />
users. Administrator authentication always starts with a fresh Radius<br />
server setup, and the primary server is always tried before the secondary<br />
server in this case.<br />
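The retry and server-order rules just listed, modelled as an added Python example (not Webwasher code); the server names, the send callable and its outcomes are constructed stand-ins for real Radius traffic.<br />

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Added example, not Webwasher code: a model of the retry and server-order
# policy described for Radius failover. The 'send' callable stands in for
# the real Radius exchange and is constructed by the caller; it returns one
# of the outcomes below. Names here are illustrative assumptions.

OK = "ok"            # Access-Accept received
REJECT = "reject"    # Access-Reject received, e. g. wrong password
TIMEOUT = "timeout"  # no response within the (default 5 s) server timeout
ERROR = "error"      # error message received after sending credentials


@dataclass
class RadiusServer:
    address: str      # host[:port]; the default port is 1812
    errors: int = 0   # communication failures counted for this server


class RadiusClient:
    def __init__(self, primary: RadiusServer, secondary: RadiusServer):
        self.primary = primary
        self.secondary = secondary

    def order(self, admin: bool = False) -> List[RadiusServer]:
        """Server order for the next authentication.

        Ordinary users: the secondary is tried first while it has fewer
        errors than the primary. Administrators: always primary first.
        """
        if not admin and self.secondary.errors < self.primary.errors:
            return [self.secondary, self.primary]
        return [self.primary, self.secondary]

    def reset(self) -> None:
        """Restore the configured order by clearing the error counts
        (the guide's 'after a given time' behaviour, modelled as a reset)."""
        self.primary.errors = 0
        self.secondary.errors = 0

    def authenticate(
        self,
        user: str,
        password: str,
        send: Callable[[RadiusServer, str, str], str],
        admin: bool = False,
    ) -> Tuple[bool, List[str]]:
        """Return (authenticated, addresses tried in order)."""
        tried: List[str] = []
        for server in self.order(admin):
            tried.append(server.address)
            outcome = send(server, user, password)
            if outcome == OK:
                return True, tried
            if outcome == REJECT:
                # Authentication failed but communication worked: no retry.
                return False, tried
            # TIMEOUT or ERROR: count it and fall back to the other server
            # with the same credentials.
            server.errors += 1
        return False, tried


if __name__ == "__main__":
    # Constructed scenario: the primary never answers, the secondary works.
    client = RadiusClient(RadiusServer("radius1.example.net:1812"),
                          RadiusServer("radius2.example.net:1812"))

    def fake_send(server: RadiusServer, user: str, password: str) -> str:
        if server.address.startswith("radius1"):
            return TIMEOUT
        return OK if password == "correct" else REJECT

    print(client.authenticate("alice", "correct", fake_send))  # primary times out, secondary accepts
    print(client.authenticate("alice", "correct", fake_send))  # secondary is now tried first
    print(client.authenticate("alice", "wrong", fake_send))    # rejected, no retry
```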
In order to include information on the group that a user belongs to in the authentication<br />
process, you can specify the appropriate attributes of the Radius<br />
server response. This is done using coded values as they are defined in RFC<br />
2865.<br />
An attribute that is specified in this way may either be a simple attribute or a<br />
vendor specific attribute.<br />
According to RFC 2865, 25 is the value for the Class attribute, which may be<br />
filled in the server’s response with a user group name. This is an example of<br />
how a simple attribute could be used for the authentication process.<br />
Note that the Radius server can also be configured to let a different attribute<br />
with a different code value contain the group name, even if this code is not<br />
defined in RFC 2865.<br />
The code value defined for a vendor specific attribute in RFC 2865 is 26.<br />
However, for the structure of this attribute, it is only defined that it should begin<br />
with the vendor ID (which is needed because there may be attributes belonging<br />
to different vendors in a Radius server response) and that this ID should be<br />
followed by a number of sub-attributes, the code values and content types of<br />
which are defined by the vendor in question.<br />
While it cannot be taken for granted that all vendors will actually adhere to<br />
this sub-attribute structure, <strong>Webwasher</strong> is able to find all information contained<br />
within the sub-attributes of a vendor specific attribute.<br />
The value you need to configure for this is 0 (see also below).<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following input fields to configure the Radius server connection:<br />
• Primary Radius server<br />
Enter the server address and port number for the primary Radius server<br />
here.<br />
The input format is:<br />
host[:port]<br />
The default port is 1812.<br />
• Secondary Radius server<br />
Enter the server address and port number for the secondary Radius server<br />
here.<br />
The input format is:<br />
host[:port]<br />
The default port is 1812.<br />
• Shared Secret<br />
Enter the string here, e. g. password1, that should be used as password<br />
for Radius authentication. Note that this password will be valid for both the<br />
primary and the secondary server.<br />
• Default domain name<br />
Enter the name of the domain here that a user account should belong to<br />
by default when Radius authentication is performed.<br />
This may be the account of an ordinary user or an administrator account.<br />
• Group name in Radius response attribute<br />
Use the following items to specify the attribute that contains the user group<br />
information in a response from a Radius server:<br />
— no group name<br />
If you do not want to include user group information in the authentication<br />
process, make sure this radio button is checked. The radio button is<br />
checked by default.<br />
— value of attribute with code<br />
Check this radio button to include user group information in the authentication<br />
process that is contained in a simple attribute.<br />
In the input field provided here, enter the value for the attribute code.<br />
Enter, e. g. 25, to specify the Class attribute, as defined in RFC 2865,<br />
but note that other codes may also be used here, even such as are not<br />
defined in RFC 2865. The default code value is 0.<br />
— vendor specific attribute with vendor ID<br />
Check this radio button to include user group information in the authentication<br />
process that is contained in a vendor specific attribute, consisting<br />
of a vendor ID as main attribute and one or more sub-attributes.<br />
In the input field provided here, enter the vendor ID.<br />
The code value for this main attribute, which is 26, will then be added<br />
by <strong>Webwasher</strong>. The default value in this field is 0, which means no<br />
vendor ID is configured.<br />
Note, however, that a vendor ID is required to provide any vendor specific<br />
information.<br />
— and sub-attribute type<br />
In this input field, enter a numeric value to specify the type of subattributes<br />
following the vendor ID.<br />
Note, however, that a particular vendor may not use an attribute structure<br />
consisting of sub-attributes.<br />
To enable <strong>Webwasher</strong> to find all the information contained in a vendor<br />
specific attribute, regardless of its structure, make sure 0 is entered<br />
here. This is also the default value.<br />
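As an added example that is not Webwasher code, the following Python code extracts the group name from the attribute list of a Radius response under each of the three options above, using the RFC 2865 attribute layout; the vendor ID 99999, the attribute values and the function names are constructed for the example.<br />

```python
import struct

# Added example, not Webwasher code: picking the user group name out of the
# attributes of a Radius response with the three options described above:
# no group name, a simple attribute selected by its code (e.g. 25 = Class),
# or a Vendor-Specific attribute (code 26) selected by vendor ID and
# sub-attribute type, where type 0 means "every sub-attribute". Attribute
# layouts follow RFC 2865; the vendor ID 99999 and sample values below are
# constructed for this example.

VENDOR_SPECIFIC = 26


def parse_attributes(data: bytes):
    """Yield (type, value) pairs from a Radius attribute list.

    Each attribute is Type (1 octet), Length (1 octet, counting itself and
    the Type octet) and Value. A malformed length aborts parsing.
    """
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("invalid attribute length %d at offset %d" % (alen, pos))
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def parse_vendor_specific(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, [(vtype, vdata), ...]).

    RFC 2865 only recommends the sub-attribute layout (Vendor-Type,
    Vendor-Length, data). If the payload does not fit that layout, the
    whole payload is returned as one item with vtype None (an assumption
    made here for vendors that do not use sub-attributes).
    """
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than a vendor ID")
    vendor_id = struct.unpack("!I", value[:4])[0]
    payload = value[4:]
    subs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            return vendor_id, [(None, payload)]
        vtype, vlen = payload[pos], payload[pos + 1]
        if vlen < 2 or pos + vlen > len(payload):
            return vendor_id, [(None, payload)]
        subs.append((vtype, payload[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def group_names(attrs: bytes, mode: str, code: int = 0,
                vendor_id: int = 0, sub_type: int = 0):
    """Return the group names found under the configured option.

    mode: "none", "attribute" (simple attribute with the given code) or
          "vendor" (Vendor-Specific with vendor_id; sub_type 0 = all).
    """
    found = []
    if mode == "none":
        return found
    if mode == "vendor" and vendor_id == 0:
        raise ValueError("a vendor ID is required for vendor specific group information")
    for atype, value in parse_attributes(attrs):
        if mode == "attribute" and atype == code:
            found.append(value.decode("utf-8", "replace"))
        elif mode == "vendor" and atype == VENDOR_SPECIFIC:
            vid, subs = parse_vendor_specific(value)
            if vid != vendor_id:
                continue
            for vtype, vdata in subs:
                if sub_type == 0 or vtype == sub_type:
                    found.append(vdata.decode("utf-8", "replace"))
    return found


# Helpers to build constructed sample attributes (wire format only).
def attribute(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def vendor_specific(vendor_id: int, subs) -> bytes:
    body = b"".join(bytes([t, 2 + len(d)]) + d for t, d in subs)
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + body)


# Constructed Access-Accept attribute list: Class (25) = "internet" plus a
# Vendor-Specific attribute for the made-up vendor ID 99999 carrying two
# sub-attributes of types 1 and 2.
SAMPLE_ATTRS = attribute(25, b"internet") + vendor_specific(
    99999, [(1, b"staff"), (2, b"vpn-users")])

if __name__ == "__main__":
    print(group_names(SAMPLE_ATTRS, "attribute", code=25))
    print(group_names(SAMPLE_ATTRS, "vendor", vendor_id=99999, sub_type=0))
    print(group_names(SAMPLE_ATTRS, "vendor", vendor_id=99999, sub_type=2))
```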
Login Window Name<br />
Using this section, you can configure the realm parameter in the header of an<br />
authentication message <strong>Webwasher</strong> is forwarding to perform proxy authentication.<br />
This parameter is also known as Login Window Name.<br />
Furthermore, you can configure that a protocol is appended to the realm parameter.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following items to configure the Login Window Name:<br />
• Realm value<br />
In this input field, enter the value for the realm parameter.<br />
The default value is <strong>Webwasher</strong>.<br />
• Append protocol to Realm<br />
Mark this checkbox to have a protocol appended to the realm parameter.<br />
Authentication Options<br />
The Authentication Options section looks like this:<br />
Using this section, you can configure options with regard to whether authentication<br />
is required or not for a client and what to do in case the authentication<br />
server is down.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following checkboxes to configure authentication options:<br />
• Always authenticate client<br />
Mark this checkbox to make authentication required for any client request.<br />
<strong>Webwasher</strong> will then try to authenticate the client until it is successful or<br />
until it finds that the authentication server is down. In this latter case, the<br />
setting of the option described below will apply.<br />
• Allow Internet access when authentication server is down<br />
Mark this checkbox to allow a client request in case <strong>Webwasher</strong> has found<br />
that the authentication server is down.<br />
NTLM and NTLM-Agent Authentication Options<br />
The NTLM and NTLM-Agent Authentication Options section looks like<br />
this:<br />
Using this section, you can configure the NTLM authentication method, which<br />
retrieves information that is stored in the database of a Windows domain controller<br />
in order to authenticate users.<br />
This method can be used by browsers, proxies and servers. It offers more<br />
security than other methods because the user password can be transmitted in<br />
an encrypted format.<br />
You can also use an agent application, the NTLM Agent, for enabling this authentication<br />
method. The settings that are configured here will also apply to<br />
this agent application.<br />
There is a basic and an integrated way of applying this authentication method.<br />
With basic authentication, the client browser sends the user name and password<br />
in plain text (less secure). Integrated authentication encrypts messages<br />
going from the client browser to the server and back.<br />
In the process of user authentication, <strong>Webwasher</strong> contacts the corresponding<br />
domain controller and retrieves a list of global domain groups that this user is<br />
a member of, or a list of local groups on the domain controller, or both.<br />
You can also specify a default domain that is used to verify membership of a<br />
user if no other information is available.<br />
The ICAP server can retrieve information on user groups to perform policy<br />
mapping. A list of these groups must be provided by the ICAP client.<br />
Note that the user and user group information required for policy mapping<br />
should not be stored in a subdirectory of the domain controller since it may<br />
not be possible to retrieve it from there.<br />
It should be stored, e. g., in \company.com rather than in \company.com\e-mail<br />
aliases.<br />
Note also that if you are using the NTLM Agent, a tool like NTLMTest.exe will<br />
enable you to view a list of the groups the domain controller actually sends to<br />
the NTLM Agent, which forwards it to <strong>Webwasher</strong>.<br />
Ask your support team for this tool and install it on the system the NTLM Agent<br />
is running on.<br />
After specifying the appropriate information here, click on Apply Changes to<br />
make your settings effective.<br />
Use the following items to configure the NTLM and NTLM-Agent authentication<br />
methods:<br />
• Enable integrated authentication<br />
If you want to use the integrated authentication method, make sure this<br />
checkbox is marked. The checkbox is marked by default.<br />
• Enable basic authentication<br />
If you want to use the basic authentication method, mark this checkbox.<br />
• Default domain<br />
In this input field, type the name of the domain that should be used as<br />
default in the process of user authentication.<br />
• Select what groups to get from Domain Controller<br />
From the drop-down list provided here, select what groups should be retrieved<br />
from the domain controller: Global, Local or both.<br />
User Database Authentication Options<br />
The User Database Authentication Options section looks like this:<br />
Using this section, you can configure authentication by means of using the<br />
information stored in a user database.<br />
There is a basic and an integrated method of authenticating users.<br />
With basic authentication, the browser sends the user name and password<br />
as plain text (less secure) to <strong>Webwasher</strong>, which plays the role of the client<br />
when exchanging authentication messages with the authentication server, and<br />
<strong>Webwasher</strong> then uses the information stored in the user database to authenticate<br />
the user.<br />
Integrated authentication encrypts messages going from the client browser to<br />
the authentication server and back. In this situation, <strong>Webwasher</strong> acts as the<br />
proxy server and forwards authentication server messages to the client.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
this setting effective.<br />
Use the following items to configure this kind of authentication:<br />
• Enable integrated authentication<br />
Enable this option to use the integrated authentication method. This is the<br />
default option.<br />
• Enable basic authentication<br />
Enable this option to use the basic authentication method.<br />
IP Forwarding<br />
The IP Forwarding section looks like this:<br />
Using this section, you can configure the header that is forwarded to the ICAP<br />
server and also to the Web server or next hop proxy if required.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following items to configure the forwarding of headers:<br />
• IP from header ...<br />
If you want the IP address that is forwarded to the ICAP server to be taken<br />
from a particular header, make sure this checkbox is marked and enter this<br />
header in the input field provided here.<br />
The checkbox is marked by default. The default header is<br />
X-Forwarded-For.<br />
• Client IP<br />
Mark this checkbox if you want the IP address of the client to be forwarded<br />
to the ICAP server.<br />
5.2.4<br />
ICAP Services<br />
The ICAP Services tab looks like this:<br />
There are three sections on this tab:<br />
• Services<br />
• List of Available ICAP Services<br />
• Bypass ICAP Server<br />
They are described in the following.<br />
Furthermore, there is a description of the ICAP Service Definition window<br />
after the List of Available ICAP Services section:<br />
• ICAP Service Definition Window<br />
Services<br />
The Services section looks like this:<br />
Using this section, you can configure the ICAP client services that should be<br />
used for REQMOD and RESPMOD communication.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following input fields to configure ICAP client services:<br />
• REQMOD services<br />
Type the ICAP client services that should be used for REQMOD communication<br />
in this field. If there is more than one service, separate them by the<br />
| (pipe sign).<br />
You can also enter a service by selecting it from the drop-down list next to<br />
this input field.<br />
• RESPMOD services<br />
Type the ICAP client services that should be used for RESPMOD communication<br />
in this field. If there is more than one service, separate them by<br />
the | (pipe sign).<br />
You can also enter a service by selecting it from the drop-down list next to<br />
this input field.<br />
List of Available ICAP Services<br />
The List of Available ICAP Services section looks like this:<br />
It displays a list of the services that are available for being configured in the<br />
Services section above.<br />
To add a service to the list, click on the ICAP Service Definition link that is<br />
provided here.<br />
This will open a window for adding services. It is described in the upcoming<br />
subsection.<br />
ICAP Service Definition Window<br />
The ICAP Service Definition window looks like this:<br />
It allows you to add an ICAP service to the list and displays this list.<br />
For these purposes, two sections are provided in the window:<br />
• Add Service Name and URI<br />
• Service Name List<br />
They are described in the following.<br />
Add Service Name and URI<br />
Using the section labeled Add Service Name and URI, you can specify information<br />
on an ICAP service and add it to the services list.<br />
Note that the settings you configure here will apply to the HTTP, HTTPS and<br />
FTP proxies, as well as to the e-mail gateway.<br />
The services that are added here are particular ICAP services used in addition<br />
to the internal services. These include services for virus scanning, content<br />
filtering, as well as for <strong>Webwasher</strong> services on remote machines, e. g. when<br />
load balancing is performed.<br />
You can also configure services for use with the ICAP client setup.<br />
When adding a service, a Uniform Resource Identifier (URI, also known as<br />
URL) is specified.<br />
This is a short string that identifies resources in the Web such as documents,<br />
images, downloadable files, services, electronic mailboxes, and other resources.<br />
It makes resources available under a variety of naming schemes and access<br />
methods such as HTTP, HTTPS, and FTP, and makes e-mails addressable in<br />
the same way.<br />
Furthermore, you can configure additional options to enable bypassing in case<br />
of connection errors, limit the use of an ICAP server when no message body<br />
needs to be filtered, and ensure that not more connections are activated than<br />
the ICAP server can handle at the same time.<br />
Use the following items to specify and add a service:<br />
• Service Name<br />
In this input field, enter the name of the ICAP service.<br />
• URIs<br />
In this input field, enter one or more URIs for the service. Begin a new line<br />
for each of them. The input format for a URI is:<br />
icap://192.168.3.6:1344/wwreqmod<br />
• Enable bypass on ICAP server error<br />
Mark this checkbox to enable a bypass in case there is an error due to the<br />
ICAP server connection.<br />
• Limit ICAP usage to encapsulated (HTTP(S)/FTP) requests/responses<br />
that have a body<br />
Mark this checkbox to limit the use of an ICAP server. The server will only<br />
be used then for processing HTTP, HTTPS or FTP requests or responses<br />
if these have a message body encapsulated.<br />
This way, you can configure an ICAP service on a client for use with particular<br />
Data Leakage Prevention (DLP) products that do not need to see<br />
non-body traffic.<br />
Note that this option is well suited to ICAP communication in REQMOD<br />
mode, where most messages have no body, but not to RESPMOD mode.<br />
Make sure, however, not to enable the option in REQMOD mode for an<br />
ICAP service that is used under <strong>Webwasher</strong>.<br />
This would have an impact on filtering since <strong>Webwasher</strong> filters such as<br />
the URL Filter or the Generic Header Filter would then only be applied to<br />
requests with a body.<br />
• Respect max concurrent connections limit of ICAP server<br />
Mark this checkbox to prevent <strong>Webwasher</strong> as ICAP client from setting up<br />
more connections at the same time than the ICAP server is capable of<br />
handling.<br />
This maximum value is configured on the ICAP server and communicated<br />
to the client when responding to an OPTIONS request.<br />
• Add<br />
After specifying the appropriate information for an ICAP service, click on<br />
this button to add it to the list.<br />
The list is displayed in the Service Name List section further below in<br />
this window.<br />
Service Name List<br />
The Service Name List section displays a list of the ICAP services.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using the<br />
Enter key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an entry, mark or clear the checkbox next to the service name in order to<br />
activate or deactivate it, type the appropriate information in the corresponding<br />
URIs input field, and mark or clear the Bypass enabled, Limit ICAP Usage,<br />
and Respect Connection Limit checkboxes in the same line.<br />
Then click on Apply Changes to make these settings effective. You can edit<br />
more than one entry and make the changes effective in one go.<br />
Note that you cannot change the settings for internal services, which are also<br />
displayed in this list, except for the Bypass enabled and Limit ICAP Usage<br />
options.<br />
To close the window and return to the ICAP Services tab, click Close.<br />
To edit an entry, type the appropriate text in the input field of the URIs column<br />
and mark or clear the Bypass enabled checkbox.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filtering term in the input field of the Service Name or URIs column<br />
or in both and enter this using the Enter key of your keyboard. The list will<br />
then display only entries matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
Bypass ICAP Server<br />
The Bypass ICAP Server section looks like this:<br />
Using this section, you can configure bypassing of the ICAP server for requests<br />
made to particular hosts. These hosts are entered in a bypass list.<br />
To add a host to the list, use the input field provided here. Enter the IP address,<br />
host name or URL, omitting http://.<br />
Then click on the Add button.<br />
The bypass list is displayed at the bottom of this section.<br />
To display only a particular number of list entries at a time, type this number in<br />
the input field labeled Number of entries per page and enter it using the Enter<br />
key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an entry, type the appropriate text in the input field of the corresponding<br />
line.<br />
Then click on Apply Changes to make the modification effective. You can edit<br />
more than one entry and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field above the list and enter it using the<br />
Enter key of your keyboard. The list will then display only entries matching<br />
the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
5.2.5<br />
Transparent Setup<br />
The Transparent Setup tab looks like this:<br />
Note that this tab is only available for appliance versions of <strong>Webwasher</strong>.<br />
There is one section on this tab:<br />
• Packet forwarding<br />
It is described in the following.<br />
Packet forwarding<br />
The Packet forwarding section looks like this:<br />
Using this section, you can configure the IP address and port number of the<br />
server that data packets should be forwarded (i. e. redirected) to by<br />
<strong>Webwasher</strong> under the HTTP or HTTPS protocol.<br />
The server addresses that may be specified here are the addresses of the<br />
network interfaces of your <strong>Webwasher</strong> appliance.<br />
You can also specify a source IP for traffic that should be included in the forwarding,<br />
as well as a source IP for traffic that should be excluded.<br />
Configuring these settings may be useful when <strong>Webwasher</strong> is running on<br />
your appliance as the default gateway that provides a proxy port for HTTP<br />
and HTTPS clients.<br />
This proxy port must be configured in transparent mode, which can be done<br />
by adding it on the Settings tab under Proxies > HTTP Proxy with the Transparent<br />
Proxy option enabled.<br />
Under Allow access from, you can enter the IP addresses of the clients you<br />
want to allow access over this proxy port, according to where you expect relevant<br />
traffic from.<br />
Note that <strong>Webwasher</strong> can only handle this kind of packet forwarding under the<br />
HTTP and HTTPS protocols, i. e. not under protocols such as FTP or SMTP.<br />
Furthermore, there are some limitations when using the SSL Scanner here.<br />
For more information on these, see the next section.<br />
If you want to use this feature, mark the checkbox next to the section heading.<br />
After specifying this and other settings of this section, click on Apply Changes<br />
to make them effective.<br />
Note that you also need to reboot the <strong>Webwasher</strong> appliance in order to let any<br />
specification or modification of settings take effect.<br />
A Reboot button is provided here for this purpose.<br />
Use the following items to configure packet forwarding under HTTP and<br />
HTTPS:<br />
• Inbound device<br />
From this drop-down list, select the interface that inbound traffic will use for<br />
accessing the <strong>Webwasher</strong> appliance.<br />
• Source IP include<br />
In this input field, enter a source IP address for data packets that should<br />
be redirected in any case.<br />
A data packet will then be redirected only if its address matches the one<br />
specified here and, furthermore, not the one specified under Source IP<br />
exclude.<br />
Input in this field is optional, but if it is entered, its format must be like this:<br />
10.120.22.0/24<br />
The last two digits are the network mask. You may also enter a part of a<br />
source IP address.<br />
• Source IP exclude<br />
In this input field, enter a source IP address for data packets that should<br />
not be redirected.<br />
A data packet will then be redirected only if its address does not match<br />
the one specified here and, furthermore, matches the one specified under<br />
Source IP include.<br />
Input in this field is optional, but if it is entered, its format must be like this:<br />
10.120.22.0/24<br />
The last two digits are the network mask. You may also enter a part of a<br />
source IP address.<br />
• Original destination ports<br />
In this input field, enter the port numbers that data packets should have in<br />
their destination addresses in order to be redirected.<br />
Redirection will then be performed only for packets where the destination<br />
addresses match one of the values configured here.<br />
If you enter more than one port number here, separate them by commas.<br />
• Redirect to<br />
From the drop-down lists provided here, select the IP address of the server<br />
that packets should be redirected to, as well as a port number on this server.<br />
You may choose from the addresses of all the interface devices the <strong>Webwasher</strong><br />
appliance is equipped with, as well as from the addresses of the<br />
proxy ports that are currently configured.<br />
The proxy ports are configured on the Settings tab under Proxies > HTTP<br />
Proxy. Make sure to enable the Transparent Proxy option when configuring<br />
a proxy there.<br />
• Reboot<br />
After specifying the appropriate information, click on this button to reboot<br />
the appliance and make your settings effective.<br />
Transparent SSL<br />
This section provides additional information on the use of the SSL Scanner<br />
when <strong>Webwasher</strong> is running on an appliance.<br />
The SSL Scanner can be used on this appliance if <strong>Webwasher</strong> has been configured<br />
to act as transparent proxy. <strong>Webwasher</strong> will then be able to provide transparent<br />
SSL scanner functions if the corresponding data packets are redirected<br />
to the proxy port.<br />
This can either be achieved by using the WCCP protocol (Web Cache Communication<br />
Protocol) or by configuring <strong>Webwasher</strong> as default gateway and enabling<br />
the transparent proxy mode.<br />
In this mode, the proxy port that the packets are redirected to will be able to<br />
handle transparent requests.<br />
Note that you need version 2 of WCCP if you want to use this protocol to enable<br />
transparent SSL functions under <strong>Webwasher</strong>.<br />
To configure a proxy port for handling transparent requests, go to the Settings<br />
tab under Proxies > HTTP proxy.<br />
In the Port Settings section of this tab, add a proxy port with the Transparent<br />
Proxy option enabled.<br />
By default, <strong>Webwasher</strong> will treat requests with original destination port 443 as<br />
SSL encoded traffic.<br />
If you want to have <strong>Webwasher</strong> treat also requests with other destination<br />
ports this way, you need to enter these ports in the global.ini (Windows) or<br />
global.conf (Linux and Solaris) configuration file.<br />
With these settings configured, <strong>Webwasher</strong> will add a pseudo-CONNECT<br />
header to the address of the original destination host (original_dst_IP:<br />
original_dst_Port) and pass this on to further processing.<br />
When <strong>Webwasher</strong> issues a certificate, it copies the data from the original<br />
server certificate.<br />
The usual security measures, including decryption, certificate verification, content<br />
scanning, and encryption, all work, but there are the following limitations:<br />
• If the REQMOD server blocks the pseudo-CONNECT header, there will<br />
usually be a Common Name mismatch in the certificate that <strong>Webwasher</strong><br />
returns.<br />
The client asks for /www.name.de/, but gets the IP address back as<br />
Common Name.<br />
This may happen, e. g. when using the <strong>Webwasher</strong> URL Filter.<br />
When transparent authentication has expired, there will even be two Common<br />
Name mismatches:<br />
— The REQMOD request will be blocked and the redirect to the authentication<br />
server will contain the IP address (client requests name, but gets<br />
IP address – first mismatch)<br />
— After successful authentication, there will be a redirect to the IP address.<br />
When executing this redirect, the REQMOD request will pass and <strong>Webwasher</strong><br />
will return a certificate with the copied subject name of the<br />
server certificate (client requests IP address, but gets name – second<br />
mismatch).<br />
• <strong>Webwasher</strong> will not check the server certificate for a Common Name mismatch.<br />
This check is disabled.<br />
• As <strong>Webwasher</strong> copies the subject information from the original certificate,<br />
the client may observe a Common Name mismatch (this would also be the<br />
case without <strong>Webwasher</strong>).<br />
• If the certificate check wizard is used to enter a certificate in the global<br />
certificate list, this will only be found during filtering if entered via IP.<br />
If there is an incident and you are using the incident manager to fill the lists,<br />
e. g. by setting up a Block & Log Incident action, it will also be found.<br />
5–51
5.3<br />
HTTPS Proxy<br />
The HTTPS Proxy options are invoked by clicking on the corresponding button<br />
under Proxies:<br />
If you want to enable any of these options, make sure the checkbox on this<br />
button is also marked. The checkbox is marked by default.<br />
After modifying the setting of this checkbox, click on Apply Changes to make<br />
the modification effective.<br />
The options are arranged under the following tabs, which are described in the<br />
upcoming sections:<br />
• Settings, see 5.3.1<br />
• Next Hop Proxies, see 5.3.2<br />
• Authentication, see 5.3.3<br />
• ICAP Services, see 5.3.4
5.3.1<br />
Settings<br />
The Settings tab looks like this:<br />
There are six sections on this tab. These vary according to whether the instance<br />
of <strong>Webwasher</strong> you are currently running is an appliance version or not:<br />
• SSL Protocol Versions<br />
• Supported Ciphers<br />
• Transparent SSL Scanning Setup<br />
This feature is only provided with appliance versions of <strong>Webwasher</strong>. It is<br />
not shown on the above screenshot, but see the corresponding subsection<br />
further below.<br />
• SSL Session Cache<br />
• Proxy Options<br />
• SSL Accelerator Card<br />
This feature is not provided with appliance versions of <strong>Webwasher</strong>.<br />
• Bypass SSL Scanner<br />
The sections are described in the following.<br />
Note that the same port settings and options are configured for <strong>Webwasher</strong> as<br />
HTTPS proxy or HTTP proxy.<br />
The Port Settings and Port Options sections are therefore not shown on this<br />
tab, but can be navigated to using the HTTP Proxy Settings link at the top.<br />
For a description of these sections, see 5.2.1.<br />
SSL Protocol Versions<br />
The SSL Protocol Versions section looks like this:<br />
Using this section, you can configure protocol versions for SSL communication.<br />
You can configure different protocols with regard to the communication between<br />
a client browser and <strong>Webwasher</strong>, and between <strong>Webwasher</strong> and the<br />
requested server.<br />
After specifying the appropriate settings for both kinds of communication, click<br />
on Apply Changes to make them effective.
Use the following checkboxes to configure protocols:<br />
• TLS version 1<br />
This checkbox allows you to configure a protocol version for both kinds<br />
of communication that can be described as follows: “The TLS protocol<br />
provides communications privacy over the Internet. The protocol allows<br />
client/server applications to communicate in a way that is designed to prevent<br />
eavesdropping, tampering, or message forgery.” (taken from RFC<br />
2246).<br />
This is the strictest of the protocol versions available here. If you want to<br />
use it, make sure the checkboxes are marked accordingly. The checkboxes<br />
are marked by default for both kinds of communication.<br />
• SSL version 3<br />
This checkbox allows you to configure a protocol version that is the current<br />
standard for creating an encrypted link between a Web server and a<br />
browser.<br />
If you want to use it, make sure the checkboxes are marked accordingly.<br />
The checkboxes are marked by default for both kinds of communication.<br />
• SSL version 2<br />
This checkbox allows you to configure SSL version 2, the predecessor of SSL<br />
version 3. Since there are several known vulnerabilities in this version, its use<br />
is not recommended.<br />
Supported Ciphers<br />
The Supported Ciphers section looks like this:<br />
Using this section, you can configure a cipher string. This may be used for<br />
several of the activities that are performed in the process of SSL scanning,<br />
such as encryption, exchange of keys and authentication.<br />
Ciphers are the algorithms used for encrypting and decrypting the data traffic that is<br />
conducted according to the SSL and TLS network protocols.<br />
To read an explanation of the cipher string format and view a list of permitted<br />
cipher strings, go to http://www.openssl.org/docs/apps/ciphers.html. This is<br />
one of the Web pages provided by the OpenSSL project.<br />
After specifying this setting, click on Apply Changes to make it effective.<br />
Use the following input field to configure a cipher string:<br />
• Cipher list<br />
Enter an appropriate cipher string here. For the string format, see the page<br />
mentioned above. The default string is:<br />
ALL:!ADH:+RC4:@STRENGTH<br />
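To see what a cipher string actually selects, and in which order, the following is a small model of the OpenSSL cipher-string rules. It is an added illustration, not code from this guide or from the <strong>Webwasher</strong> product; the cipher table is a constructed sample and the alias definitions are simplified from the ciphers(1) page linked above.<br />

```python
"""Simplified model of the OpenSSL cipher-string rules behind the Cipher list field.

Added illustration, not Webwasher code. CIPHER_TABLE is a constructed sample; real
OpenSSL has far more suites and aliases, but the rule prefixes behave the same way.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str   # OpenSSL suite name
    kx: str     # key exchange/authentication: "RSA" or "ADH" (anonymous DH, no auth)
    enc: str    # bulk cipher: "AES", "RC4", "DES" or "NULL"
    bits: int   # key bits, used by the strength aliases and by @STRENGTH


# Constructed sample table; plain aliases append matching suites in this order.
CIPHER_TABLE = (
    Suite("AES256-SHA", "RSA", "AES", 256),
    Suite("ADH-AES256-SHA", "ADH", "AES", 256),
    Suite("RC4-SHA", "RSA", "RC4", 128),
    Suite("ADH-RC4-MD5", "ADH", "RC4", 128),
    Suite("DES-CBC-SHA", "RSA", "DES", 56),
    Suite("RC4-MD5", "RSA", "RC4", 128),
    Suite("AES128-SHA", "RSA", "AES", 128),
    Suite("EXP-RC4-MD5", "RSA", "RC4", 40),
    Suite("NULL-SHA", "RSA", "NULL", 0),
)

# Alias -> predicate, simplified from the ciphers(1) definitions.
ALIASES = {
    "ALL": lambda s: s.enc != "NULL",      # every suite except the eNULL ones
    "eNULL": lambda s: s.enc == "NULL",
    "NULL": lambda s: s.enc == "NULL",
    "aNULL": lambda s: s.kx == "ADH",      # no server authentication at all
    "ADH": lambda s: s.kx == "ADH",
    "RSA": lambda s: s.kx == "RSA",
    "AES": lambda s: s.enc == "AES",
    "RC4": lambda s: s.enc == "RC4",
    "DES": lambda s: s.enc == "DES",
    "EXPORT": lambda s: 0 < s.bits <= 40,
    "LOW": lambda s: 40 < s.bits < 128,
    "MEDIUM": lambda s: s.bits == 128,
    "HIGH": lambda s: s.bits > 128,
}


def matches(suite, alias):
    """A+B requires both aliases; an unknown word matches only a suite of that name."""
    for part in alias.split("+"):
        pred = ALIASES.get(part)
        if pred is None:
            if part != suite.name:
                return False
        elif not pred(suite):
            return False
    return True


def evaluate(cipher_string, table=CIPHER_TABLE):
    """Return the ordered suite names an OpenSSL-style cipher string selects."""
    current = []    # suites currently selected, in preference order
    killed = set()  # names removed with '!' can never be added back
    for token in cipher_string.replace(",", ":").split(":"):
        token = token.strip()
        if not token:
            continue
        if token == "@STRENGTH":
            # Stable sort by key bits, strongest first; ties keep their order.
            current.sort(key=lambda s: -s.bits)
            continue
        prefix = token[0] if token[0] in "!-+" else ""
        hit = [s for s in table if matches(s, token[len(prefix):])]
        if not hit:
            continue  # unknown aliases are skipped, as OpenSSL does
        if prefix == "!":
            killed.update(s.name for s in hit)
            current = [s for s in current if s not in hit]
        elif prefix == "-":
            current = [s for s in current if s not in hit]
        elif prefix == "+":
            # '+' adds nothing: it moves already selected suites to the end
            current = [s for s in current if s not in hit] + [s for s in current if s in hit]
        else:
            for s in hit:
                if s not in current and s.name not in killed:
                    current.append(s)
    if not current:
        raise ValueError("no cipher match")
    return [s.name for s in current]


if __name__ == "__main__":
    # The default string keeps RC4 and the 40/56-bit suites: +RC4 only moves
    # them to the end, and @STRENGTH then re-sorts by key size.
    print(evaluate("ALL:!ADH:+RC4:@STRENGTH"))
    # A stricter string, shown only to contrast '!' (remove for good) with '+'.
    print(evaluate("ALL:!aNULL:!RC4:!EXPORT:!LOW:@STRENGTH"))
```

Run as a script, the first line of output shows that 128-bit RC4 ends up ahead of 56-bit DES again once @STRENGTH has re-sorted the list, so the +RC4 rule in the default string only demotes RC4 relative to suites of equal key size.<br />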
Transparent SSL Scanning Setup<br />
The Transparent SSL Scanning Setup section looks like this:<br />
Note that this section is only provided with appliance versions of <strong>Webwasher</strong>.<br />
Using it, you can configure the ports that should be treated as SSL secured by<br />
<strong>Webwasher</strong>.<br />
After specifying this setting, click on Apply Changes to make it effective.<br />
Use the following input field to configure SSL-secured ports:<br />
• Ports treated as SSL<br />
Enter the destination port numbers of the connections here that <strong>Webwasher</strong><br />
should treat as SSL secured.<br />
Separate port numbers by commas.<br />
SSL Session Cache<br />
The SSL Session Cache section looks like this:<br />
Using this section, you can configure the time period over which the settings<br />
of an SSL session can be stored in a session cache.<br />
Settings stored in a cache can be used to establish the corresponding connections<br />
for further sessions. Using the stored settings will considerably reduce<br />
the time needed for establishing a connection.
After specifying this setting, click on Apply Changes to make it effective.<br />
Use the following input field to configure a cache storing period:<br />
• TTL ... seconds<br />
Specify an appropriate storing time period (in seconds) here.<br />
Proxy Options<br />
The Proxy Options section looks like this:<br />
Using this section, you can configure a number of settings for <strong>Webwasher</strong><br />
when it is configured as HTTPS proxy.<br />
After specifying this setting, click on Apply Changes to make it effective.<br />
Use the following drop-down list to configure these proxy options:<br />
• ... retries on server overload when connected directly<br />
Select a number from the drop-down list provided here to configure how<br />
many times a retry will be performed over a direct connection when the<br />
server is overloaded.<br />
The default number is 2.<br />
• Perform REQMOD request for CONNECT header<br />
If a REQMOD request is performed:<br />
— In a transparent environment, the IP address of a connection (not the<br />
host name) will be inspected with regard to the information stored in<br />
the URL Filter Database.<br />
It may happen that the IP address is not categorized within that database,<br />
whereas the host name is.<br />
In this case, a request may be blocked in a transparent configuration,<br />
but allowed in a proxy deployment.<br />
— The request will only be done with the host or IP address as URL.<br />
This may cause unexpected behavior if the host has a different categorization<br />
than the accessed path.<br />
If a REQMOD request is performed:<br />
• Contacting the Web server is always required, even for requests that are<br />
blocked.<br />
• The Tunneling by Category function is not available then, nor are host-based<br />
actions on the (global) certificate list.<br />
• Some authentication scenarios require that the initial REQMOD request is<br />
performed.<br />
If you want to have a REQMOD request performed, make sure this checkbox<br />
is marked. The checkbox is marked by default.<br />
SSL Accelerator Card<br />
The SSL Accelerator Card section looks like this:<br />
Note that this section is not provided with appliance versions of <strong>Webwasher</strong>.<br />
The section allows you to configure the use of an SSL accelerator card.<br />
This may be helpful for time-consuming public-key cryptography operations.<br />
Depending on the type of accelerator card and on your system, CPU load will<br />
be reduced and speed may increase because the additional hardware performs<br />
the public-key (RSA) computations.<br />
There are also SSL accelerator cards enabling you to store private keys.<br />
After specifying this setting, click on Apply Changes to make it effective.<br />
Use the following drop-down list to configure the use of an SSL accelerator<br />
card:<br />
• SSL Accelerator card used<br />
Select the appropriate card from this list.<br />
The default is None, i.e. no card is used.
Bypass SSL Scanner<br />
The Bypass SSL Scanner section looks like this:<br />
Using this section, you can configure a bypassing of the SSL Scanner for requests<br />
that were sent from the hosts that are specified here.<br />
There will be no decryption or certificate verification for these requests.<br />
Specify a host you want to configure a bypass for in the input field provided<br />
here. Enter a host name or an IP address, omitting HTTPS://.<br />
Then use the following button to add the host to the bypass list:<br />
• Add<br />
Click on this button to add a host to the list.<br />
The bypass list is displayed at the bottom of the section.<br />
To display only a particular number of entries at a time, type this number in the<br />
input field labeled Number of entries per page and enter it using the Enter<br />
key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an entry, type the appropriate text in the input field of the Connection<br />
column. Then click on Apply Changes to make this setting effective. You can<br />
edit more than one entry and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filtering term in the input field of the Connection column and enter it<br />
using the Enter key of your keyboard. The list will then display only entries<br />
matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
5.3.2<br />
Next Hop Proxies<br />
The Next Hop Proxies tab looks like this:<br />
There is one section on this tab:<br />
• Use Next Hop Proxies<br />
It is described in the following.
Use Next Hop Proxies<br />
The Use Next Hop Proxies section looks like this:<br />
Using this section, you can configure next hop proxies for HTTPS connections.<br />
You can specify the URLs that next hop proxies should be used for, as well as<br />
the mode of this usage and the next hop proxies to be used.<br />
The Use Next Hop Proxies feature is not enabled by default. To enable it,<br />
mark the checkbox next to the section heading. Then click on Apply Changes<br />
to make this setting effective.<br />
Furthermore, use the following items to configure next hop proxies:<br />
• Do not use Next Hops for local addresses<br />
Enable this option to prevent the use of next hop proxies for local addresses.<br />
Then click on Apply Changes to make this setting effective.<br />
Local addresses have no dots (.) within their specifications.<br />
So, after enabling this option, you can fine-tune <strong>Webwasher</strong> in an intranet<br />
and enter the name of a local server in the browser, e. g. server_name,<br />
instead of typing a URL, e. g. https://server_name.fooo.com.<br />
<strong>Webwasher</strong> will then contact this local server directly without using the configured<br />
proxy.<br />
Using this option speeds up internal connections and reduces load on the<br />
proxy server.<br />
• if URL matches<br />
This input field is the first of several items provided for specifying information<br />
on the next hop proxies you want to configure.<br />
Enter a matching term here. If a URL matches this term, it will use the<br />
next hop proxies specified further below in the usage mode that is also<br />
specified further below.<br />
• use mode<br />
From this drop-down list, select the mode to be used for the URLs and next<br />
hop proxies specified here. The following modes are available:<br />
— None<br />
This mode uses no next hop proxies. Direct connections will be used<br />
instead.<br />
— specific<br />
In this mode, one specific next hop is set for the URLs configured<br />
above.<br />
— failover<br />
In this mode, the first next hop given in the participants list is tried first.<br />
If it fails, it will be retried until the configured retry maximum for it has<br />
been reached.<br />
Then the second next hop proxy in the participants list is tried, etc.<br />
— round robin<br />
In this mode, the next hop proxy is used that is next in the participants<br />
list to the one that was used last.<br />
This also means that the participants list is used in a circular manner: If<br />
the end of the list has been reached, selection of next hop proxies will<br />
restart from the beginning.<br />
• participating next hops<br />
In this input field, enter the next hop proxies that should be used for the<br />
URLs specified here.<br />
To do this, type a proxy name or select one from the drop-down list to the<br />
right of this input field.<br />
You can add more than one proxy by repeating this operation.<br />
The drop-down list shows select one to add as its topmost entry. If no<br />
next hop proxies have been configured yet, the topmost entry reads no<br />
Next Hops defined.
To configure next hop proxies, click on the Define Next Hop Proxies<br />
button, which is located further to the right.<br />
This will open a window, where you can specify the information required to<br />
configure a next hop proxy.<br />
For the description of this window, see the Available Proxies subsection<br />
further below.<br />
• Add Entry to List<br />
After specifying the appropriate information about a next hop proxy, click<br />
on this button to add it to the list.<br />
The list of next hop proxies is displayed at the bottom of this section. For each<br />
entry, it provides the information that is specified when a new entry is added.<br />
You can edit list entries, move them up and down in the list, or delete them.<br />
To display only a particular number of entries at a time, type this number in the<br />
input field labeled Number of entries per page and enter it using the Enter<br />
key on your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an entry, type the appropriate text in the input fields of the URL, use<br />
mode and participating next hops columns. Then click on Apply Changes<br />
to make this setting effective.<br />
You can edit more than one entry and make the changes effective in one go.<br />
The list also contains an entry with * as value for the URL parameter. It is<br />
always in last position within the list and cannot be deleted. By editing this<br />
entry, you can configure a next hop proxy setting for all URLs that are not<br />
represented by a particular entry in the list.<br />
Since the * entry is last in the list, it becomes effective only after all other list<br />
entries were read by <strong>Webwasher</strong> and used for establishing next hop proxy<br />
connections.<br />
By default none is specified as mode for the * entry, which means that there<br />
will be no next hop proxy connections for URLs that are not otherwise included<br />
in the list.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field above the URL, use mode or<br />
participating next hops or in a combination of them and enter this using<br />
the Enter key of your keyboard.<br />
The list will then display only entries matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Move Up, Move Down<br />
Select the entry you wish to move by marking the Select checkbox next<br />
to it and click on either of these buttons, depending on where you want to<br />
move the entry.<br />
The position an entry takes in the list is important since whenever there is<br />
more than one entry in the list containing information on a particular URL<br />
or next hop proxy, the entry that is first in the list wins.<br />
Available Proxies<br />
The section in this window allows you to configure next hop proxies for all kinds<br />
of connections. These will then be available for selection on the Use Next Hop<br />
Proxies tab.<br />
After specifying the appropriate settings for a next hop proxy, it is added to the<br />
list of available next hop proxies by clicking on the Add button.<br />
The list is displayed at the bottom of the section. You can modify the settings<br />
for each proxy that is shown in the list.<br />
Use the following items for configuring available next hop proxies:<br />
• Name<br />
In this input field, enter the name of the next hop proxy you want to configure.<br />
If you leave the field empty, a name will be generated by <strong>Webwasher</strong>, e. g.<br />
pxy1, and inserted in this field after clicking on the Add button.
The name can be modified after the new proxy has been included in the<br />
list.<br />
• Proxy server address<br />
In the input fields provided here, enter the address of the server you want<br />
to make available as next hop proxy:<br />
— Host<br />
Enter the IP address or URL of this server here.<br />
— Port<br />
Enter the port number of the port for connecting to this server here.<br />
• Proxy authorization<br />
In the input fields provided here, enter the credentials that <strong>Webwasher</strong><br />
should use for authentication at the next hop proxy:<br />
— Username<br />
Enter the user name here.<br />
— Password<br />
Enter the password here.<br />
• Connection behavior<br />
Use the items provided here to configure the connection behavior:<br />
— Retry . . . times on failure for this proxy<br />
From the drop-down list provided here, select the number of retries you<br />
want to configure for a next hop proxy. You can configure up to three<br />
retries.<br />
When the maximum number of retries has been reached, <strong>Webwasher</strong><br />
will try to establish a connection using another next hop proxy, according<br />
to what has been configured on the Use Next Hop Proxies tab,<br />
e. g. failover or round robin.<br />
— Do not retry proxy for . . . minutes when it has reached . . .<br />
times within 10 seconds its maximum number of retries<br />
In the input fields provided here, enter the time information that will<br />
cause a connection break, i. e. an interval during which <strong>Webwasher</strong><br />
will not retry a next hop proxy after a connection to it could not be established<br />
in a given situation.<br />
In the first input field, enter the time (in minutes) that the connection<br />
break should last.<br />
In the second input field, specify how often the maximum number of retries<br />
must have been reached within 10 seconds before the connection<br />
break is started.<br />
— use persistent connections<br />
If you want <strong>Webwasher</strong> to use persistent connections to the next hop<br />
proxies, make sure this checkbox is marked. The checkbox is marked<br />
by default.<br />
<strong>Webwasher</strong> will try to meet this requirement by establishing persistent<br />
connections, but may fail to do so in some situations.<br />
You will then see that the failed counter in the list of available next hop<br />
proxies displays an increased value for the connection to the next hop<br />
proxy in question.<br />
In this case, you might clear the checkbox to disable the option. Note,<br />
however, that this will reduce performance.<br />
• Add<br />
After specifying the appropriate information for the server you want to make<br />
available as next hop proxy, click on this button to add it to the list of available<br />
next hop proxies.<br />
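The use modes described for the Use Next Hop Proxies section (none, specific, failover, round robin) and the retry and do-not-retry settings described under Connection behavior can be put together in one small model. The following is an added illustration, not code from this guide or from the <strong>Webwasher</strong> product; its reading of the do-not-retry rule (one "reached its maximum number of retries" event per connection that fails retry_max times, counted within the 10-second window) is an assumption, as are the proxy names, addresses and the demo scenario.<br />

```python
"""Model of the next hop selection rules described for the Use Next Hop Proxies tab.
Added illustration, not Webwasher code. It covers the use modes (none, specific,
failover, round robin), the per-proxy retry maximum and the do-not-retry break.
Assumption on the break rule: a proxy "reaches its maximum number of retries" once
per connection that fails retry_max times; when that happens break_after times
within 10 seconds, the proxy is skipped for break_minutes.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

WINDOW_SECONDS = 10.0  # the fixed 10-second window named in the setting


@dataclass
class NextHop:
    name: str
    host: str
    port: int
    retry_max: int = 3       # "Retry ... times on failure", configurable up to 3
    break_minutes: int = 5   # "Do not retry proxy for ... minutes"
    break_after: int = 3     # "... when it has reached ... times within 10 seconds"
    # Statistics shown in the list of available next hop proxies
    tried: int = 0
    failed: int = 0
    last_fail: Optional[float] = None
    do_not_retry_until: Optional[float] = None
    exhaustions: List[float] = field(default_factory=list)

    def reliability(self) -> Optional[float]:
        """Successful attempts as a percentage of all attempts (None before any)."""
        if self.tried == 0:
            return None
        return 100.0 * (self.tried - self.failed) / self.tried

    def available(self, now: float) -> bool:
        return self.do_not_retry_until is None or now >= self.do_not_retry_until

    def attempt(self, now: float, connect: Callable[[str, int], bool]) -> bool:
        """Try connect(host, port) once plus retry_max retries; True on success."""
        for _ in range(1 + self.retry_max):
            self.tried += 1
            if connect(self.host, self.port):
                return True
            self.failed += 1
            self.last_fail = now
        # Retry maximum reached: count it and, if that happened break_after
        # times within the window, start the do-not-retry break.
        self.exhaustions = [t for t in self.exhaustions if now - t <= WINDOW_SECONDS]
        self.exhaustions.append(now)
        if len(self.exhaustions) >= self.break_after:
            self.do_not_retry_until = now + 60.0 * self.break_minutes
            self.exhaustions.clear()
        return False


class NextHopRule:
    """One 'if URL matches' entry: its use mode and participating next hops."""

    def __init__(self, mode: str, participants: List[NextHop]):
        self.mode = mode
        self.participants = list(participants)
        self._last = -1  # index of the participant used last (round robin)

    def order(self) -> List[NextHop]:
        """Participants in the order they are tried for one connection."""
        if self.mode == "failover":
            return list(self.participants)
        if self.mode == "round robin":
            n = len(self.participants)
            start = (self._last + 1) % n
            return [self.participants[(start + i) % n] for i in range(n)]
        if self.mode == "specific":
            return self.participants[:1]
        return []

    def connect(self, now: float, connect: Callable[[str, int], bool]) -> Optional[str]:
        """Name of the next hop that took the connection, "direct" for mode none,
        None when every participant failed or is inside a do-not-retry break."""
        if self.mode == "none":
            return "direct"
        for hop in self.order():
            if not hop.available(now):
                continue  # skipped without any connection attempt
            if hop.attempt(now, connect):
                self._last = self.participants.index(hop)
                return hop.name
        return None


def demo():
    """Constructed scenario: pxy1 is unreachable, pxy2 answers; failover mode."""
    pxy1 = NextHop("pxy1", "10.0.0.1", 3128, retry_max=2, break_after=2)
    pxy2 = NextHop("pxy2", "10.0.0.2", 3128)
    connect = lambda host, port: host == "10.0.0.2"
    rule = NextHopRule("failover", [pxy1, pxy2])
    first = rule.connect(0.0, connect)   # pxy1 fails 3 times, then pxy2 is used
    second = rule.connect(5.0, connect)  # 2nd exhaustion within 10 s: break starts
    third = rule.connect(6.0, connect)   # pxy1 is skipped, pxy2 used directly
    return first, second, third, pxy1.tried, pxy1.failed, pxy1.do_not_retry_until
```

After the break starts, the tried and failed counters of pxy1 stop increasing until do_not_retry_until has passed, which is the same information the list columns tried, failed and do not retry reached display.<br />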
The list of available next hop proxies is displayed at the bottom of this section.<br />
For each entry, it provides the information that is specified when a new entry<br />
is added.<br />
Furthermore, statistical figures are displayed on the reliability of next hop proxies.<br />
You can edit list entries, delete them and reset the statistics.<br />
To display only a particular number of entries at a time, type this number in the<br />
input field labeled Number of entries per page and enter it using the Enter<br />
key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an entry, click on the View Details and Edit link in the same line. This<br />
will reopen the window and this section with the information concerning the<br />
next hop proxy in question, so you can modify it.<br />
After completing the modification, click on the Modify button, which is provided<br />
now instead of the Add button, to make it effective.<br />
If you want to clear the information before modifying the settings for a next hop<br />
proxy, click on the Clear Input button.
Apart from the information that was specified when a new entry was added to<br />
the list, such as the proxy name and address, the list displays statistical figures<br />
on the reliability of each next hop proxy.<br />
The following information is provided in the columns of the list:<br />
• reliability<br />
Reliability of a next hop proxy<br />
The reliability is calculated as the percentage of attempts to establish a<br />
connection to the next hop proxy that were successful in relation to the<br />
overall number of attempts.<br />
• tried<br />
Number of times that <strong>Webwasher</strong> tried to establish a connection to a proxy<br />
• failed<br />
Number of times that an attempt by <strong>Webwasher</strong> to establish a connection<br />
to a proxy failed<br />
• last fail<br />
Date and time of the last time that an attempt by <strong>Webwasher</strong> to establish<br />
a connection to a proxy failed<br />
• do not retry reached<br />
Date and time of the last time that a situation was reached where <strong>Webwasher</strong><br />
did not retry a next hop proxy over a given period of time.<br />
The length of this period depends on what you configured under Do not<br />
retry proxy for . . . minutes when it has reached . . . times<br />
within 10 seconds its maximum number of retries, see above.<br />
If the do not retry situation is still on, i. e. <strong>Webwasher</strong> will currently not retry<br />
the next hop proxy in question, the date and time values are displayed in<br />
red.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input fields above the Name, Proxy or Port<br />
columns or in a combination of them and enter this using the Enter key of<br />
your keyboard.<br />
The list will then display only entries matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Reset Statistics<br />
Click on this button to reset the statistical figures shown in the list for reliability<br />
of next hop proxies.<br />
• Reset do not retry<br />
Click on this button to reset the statistics only for the do not retry reached<br />
parameter, see above.<br />
To return to the Next Hop Proxies tab, click on the Close button.<br />
The next hop proxy you added to the list will also appear and be available in<br />
the list of next hop proxies, which is displayed at the bottom of the Use Next<br />
Hop Proxies section on that tab.
5.3.3<br />
Authentication<br />
The Authentication tab looks like this:<br />
At the top of this tab, there is a button labeled:<br />
• Define Proxy Authentication Options<br />
Click on this button to configure some additional options relating to all kinds<br />
of proxies. This will open a window where you can specify the appropriate<br />
information.<br />
The options of this window are described in the Define Proxy Authentication<br />
Options Window subsection of 5.2.3.<br />
Furthermore, there are five sections on this tab:<br />
• Authentication Process<br />
• Authentication Options<br />
• NTLM and NTLM-Agent Authentication Options<br />
• User Database Authentication Options<br />
• IP Forwarding<br />
They are described in the following.<br />
For a sample procedure to configure the eDirectory authentication method, see<br />
also 5.2.3.<br />
Authentication Process<br />
The Authentication Process section looks like this:<br />
Using this section, you can configure the order in which authentication methods<br />
are applied during the authentication process.<br />
Specify the appropriate order and click on Apply Changes to make your settings<br />
effective.<br />
To specify this order, select the authentication method you want to be applied<br />
first from the first of the two drop-down lists provided here.<br />
From the second drop-down list, select the method you want to be applied<br />
afterwards.<br />
More information on the authentication process methods is provided in the Authentication<br />
Process subsection of 5.2.3, and also in the subsections below.<br />
Authentication Options<br />
The Authentication Options section looks like this:<br />
Using this section, you can configure options with regard to whether authentication<br />
is required or not and what to do in case the authentication server is<br />
down.<br />
Specify the appropriate information and click on Apply Changes to make your<br />
settings effective.
Use the following items to configure these authentication options:<br />
• Always authenticate client<br />
Enable this option if you want authentication to be required for any client<br />
request.<br />
<strong>Webwasher</strong> will then try to authenticate the client until it is successful or<br />
until it finds that the authentication server is down.<br />
In this latter case, the setting of the option described below will apply.<br />
• Allow Internet access when authentication server is down<br />
Enable this option if you want to allow a client request in case <strong>Webwasher</strong><br />
has found that the authentication server is down.<br />
NTLM and NTLM-Agent Authentication Options<br />
The NTLM and NTLM-Agent Authentication Options section looks like<br />
this:<br />
Using this section, you can configure the NTLM authentication method, which<br />
retrieves information that is stored in the database of a Windows domain controller<br />
in order to authenticate users.<br />
This method can be used by browsers, proxies and servers. It offers more<br />
security than other methods because the user password can be transmitted in<br />
an encrypted format.<br />
You can also use an agent application, the NTLM Agent, for enabling this authentication<br />
method. The settings that are configured here will also apply to<br />
this agent application.<br />
There is a basic and an integrated way of applying this authentication method.<br />
With basic authentication, the client browser sends the user name and password<br />
in plain text (less secure). Integrated authentication encrypts messages<br />
going from the client browser to the server and back.<br />
In the process of user authentication, <strong>Webwasher</strong> contacts the corresponding<br />
domain controller and retrieves a list of global domain groups that this user is<br />
a member of, or a list of local groups on the domain controller, or both.<br />
You can also specify a default domain that is used to verify membership of a<br />
user if no other information is available.<br />
The ICAP server can retrieve information on user groups to perform policy<br />
mapping. A list of these groups must be provided by the ICAP client.<br />
Note that the user and user group information required for policy mapping<br />
should not be stored in a subdirectory of the domain controller since it may<br />
not be possible to retrieve it from there.<br />
It should be stored, e. g., in \company.com rather than in \company.com\e-mail<br />
aliases.<br />
Note also that if you are using the NTLM Agent, a tool like NTLMTest.exe will<br />
enable you to view a list of the groups the domain controller actually sends to<br />
the NTLM Agent, which forwards it to <strong>Webwasher</strong>.<br />
Ask your support team for this tool and install it on the system the NTLM Agent<br />
is running on.<br />
After specifying the appropriate information here, click on Apply Changes to<br />
make your settings effective.<br />
Use the following items to configure the NTLM and NTLM-Agent authentication<br />
methods:<br />
• Enable integrated authentication<br />
If you want to use the integrated authentication method, make sure this<br />
checkbox is marked. The checkbox is marked by default.<br />
• Enable basic authentication<br />
If you want to use the basic authentication method, mark this checkbox.<br />
• Default domain<br />
In this input field, type the name of the domain that should be used as<br />
default in the process of user authentication.<br />
• Select what groups to get from Domain Controller<br />
From the drop-down list provided here, select what groups should be retrieved<br />
from the domain controller: Global, Local or both.
User Database Authentication Options<br />
The User Database Authentication Options section looks like this:<br />
Using this section, you can configure authentication by means of using the<br />
information stored in a user database.<br />
There is a basic and an integrated method of authenticating users.<br />
With basic authentication, the browser sends the user name and password<br />
as plain text (less secure) to <strong>Webwasher</strong>, which plays the role of the client<br />
when exchanging authentication messages with the authentication server, so <strong>Webwasher</strong><br />
uses the information stored in the user database to authenticate the<br />
user.<br />
Integrated authentication encrypts messages going from the client browser to<br />
the authentication server and back. In this situation, <strong>Webwasher</strong> acts as the<br />
proxy server and forwards authentication server messages to the client.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
this setting effective.<br />
Use the following items to configure this kind of authentication:<br />
• Enable integrated authentication<br />
Enable this option to use the integrated authentication method. This is the<br />
default option.<br />
• Enable basic authentication<br />
Enable this option to use the basic authentication method.<br />
IP Forwarding<br />
The IP Forwarding section looks like this:<br />
Using this section, you can configure which header is forwarded to the ICAP<br />
server and also to the Web server or next hop proxy if required.<br />
Specify the appropriate information and click on Apply Changes to make this<br />
setting effective.<br />
Use the following items to configure the forwarding of headers:<br />
• IP from header ...<br />
Make sure this option is enabled if you want to use it, and enter a header<br />
in the input field provided here.<br />
The IP address that is forwarded to the ICAP server is then taken from this<br />
header.<br />
The option is enabled by default. The default header is X-Forwarded-For.<br />
• Client IP<br />
Enable this option if you want the IP address of the client to be forwarded<br />
to the ICAP server.<br />
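The following Python example is added here for illustration; it is not part of the <strong>Webwasher</strong><br />
product or of this guide. It shows the two ways the IP Forwarding options above can determine<br />
the client IP passed to the ICAP server: from the configured header (the leftmost entry of<br />
X-Forwarded-For, since each proxy on the path appends itself on the right), or from the peer<br />
address of the connection when the option is off or the header is missing or malformed. It also<br />
shows how a proxy appends its own peer to the header before forwarding the request to the Web<br />
server or next hop proxy. The header values are constructed samples.<br />

```python
import ipaddress

# Constructed sample request headers (not captured traffic). Header names are
# compared case-insensitively, as HTTP requires.
SAMPLE_HEADERS = {
    "Host": "ftp.example.com",
    "X-Forwarded-For": "203.0.113.7, 10.0.0.5",
}


def _get_header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def client_ip_for_icap(peer_ip, headers, use_header=True,
                       header_name="X-Forwarded-For"):
    """Pick the client IP to hand to the ICAP server.

    With 'IP from header' enabled (the default), the leftmost address in the
    configured header is used, because every proxy on the path appends itself
    on the right. The peer address of the connection is the fallback when the
    option is off, the header is missing, or its first entry is not a valid IP.
    """
    if use_header:
        value = _get_header(headers, header_name)
        if value:
            first = value.split(",")[0].strip()
            try:
                return str(ipaddress.ip_address(first))
            except ValueError:
                pass  # unparsable header entry: fall back to the connection peer
    return str(ipaddress.ip_address(peer_ip))


def append_forwarded_for(headers, peer_ip, header_name="X-Forwarded-For"):
    """Return a copy of the headers with the connection peer appended to the
    forwarding header, as a proxy does before passing the request on to the
    Web server or the next hop proxy."""
    out = dict(headers)
    existing = _get_header(headers, header_name)
    # Reuse the existing key so two differently cased copies are never created.
    key = next((k for k in headers if k.lower() == header_name.lower()), header_name)
    out[key] = f"{existing}, {peer_ip}" if existing else str(peer_ip)
    return out
```

The forwarding header is written by whatever sent the request, so the fallback to the connection<br />
peer is what keeps an unparsable value from reaching the ICAP server; a deployment that relies on the<br />
header value should accept it only on requests arriving from its own upstream proxies.<br />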
5.3.4<br />
ICAP Services<br />
The ICAP Services tab looks like this:<br />
There are two sections on this tab:<br />
• Services<br />
• List of Available ICAP Services<br />
They are described in the following.
Services<br />
The Services section looks like this:<br />
Using this section, you can configure the ICAP client services to be used for<br />
REQMOD, CERTVERIFY and RESPMOD communication.<br />
The following input fields are provided in this section:<br />
• REQMOD services<br />
Enter the ICAP client services to be used for REQMOD communication<br />
here. If you enter more than one service, separate them by the | (pipe<br />
sign).<br />
You can also enter a service by selecting it from the drop-down list next to<br />
this input field.<br />
• CERTVERIFY services<br />
Enter the ICAP client services to be used for CERTVERIFY communication<br />
here. If you enter more than one service, separate them by the | (pipe sign).<br />
You can also enter a service by selecting it from the drop-down list next to<br />
this input field.<br />
• RESPMOD services<br />
Enter the ICAP client services to be used for RESPMOD communication<br />
here. If you enter more than one service, separate them by the | (pipe sign).<br />
You can also enter a service by selecting it from the drop-down list next to<br />
this input field.<br />
List of Available ICAP Services<br />
The List of Available ICAP Services section looks like this:<br />
It displays a list of the services that are available for being configured in the<br />
Services section above.<br />
To add a service to the list, click on the ICAP Service Definition link that is<br />
provided here.<br />
This will open a window for adding services. For a description of this window,<br />
see the ICAP Service Definition Window subsection of 5.2.4.<br />
5.4<br />
FTP Proxy<br />
The FTP Proxy options are invoked by clicking on the corresponding button<br />
under Proxies:<br />
If you want to enable any of these options, you also need to mark the checkbox<br />
that is on this button.<br />
Then click on Apply Changes to make this setting effective.<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Settings, see 5.4.1<br />
• Next Hop Proxies, see 5.4.2<br />
• Authentication, see 5.4.3<br />
• ICAP Services, see 5.4.4
5.4.1<br />
Settings<br />
The Settings tab looks like this:<br />
There are two sections on this tab:<br />
• Port Settings<br />
• FTP Options<br />
They are described in the following.<br />
Port Settings<br />
The Port Settings section looks like this:<br />
This section displays a list of the ports that are opened by <strong>Webwasher</strong> as listener<br />
ports for the ICAP client when <strong>Webwasher</strong> is configured as FTP proxy.<br />
You can add entries to the list and edit or delete them. Furthermore, you can<br />
configure the data port.<br />
FTP uses a control connection (where all replies are sent) that is always initiated<br />
by the client as in any classic TCP/IP client-server protocol.<br />
But as soon as some file or directory content is downloaded, a second connection<br />
(the data connection) is set up, where the data transfer occurs.<br />
Use the following button to add a port to the list:<br />
• Add Proxy Port<br />
Click on this button to open a window where you can specify information<br />
on a new listener port and enter it in the list.<br />
For a description of this window, see the Port Settings subsection below.<br />
The default port has the port number 2121. This port is entered by default in<br />
the list and cannot be deleted. You may, however, change the port number.<br />
The following information is provided in the list for each listener port:<br />
• Address<br />
IP address and port number of the listener port.<br />
The specification of the IP address is optional and may therefore not be<br />
displayed here.<br />
• Allow access from<br />
IP addresses of the sites that should have access to the listener port.
An * in this field means that every site is allowed access.<br />
• Policy<br />
Policy that will be applied during communication with the ICAP client over<br />
the listener port.<br />
This is not part of the authentication process for a client, but of the policy<br />
mapping that maps this client to a particular policy.<br />
If no policy is selected here, there will be no particular policy for communication<br />
with a client over this listener port. Instead, the policy that was<br />
configured for the ICAP server will be used.<br />
To edit an entry, type the appropriate text in the input fields of the Address and<br />
Allow access from columns, and select a policy from the Policy drop-down<br />
list in the same line as required.<br />
Then click on Apply Changes to make these settings effective. You can edit<br />
more than one entry and make the changes effective in one go.<br />
Use the following item to delete entries that are in the list:<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, with the exception of the default listener port, mark the<br />
Select all checkbox and click on this button.<br />
Use the following item to configure the FTP data port:<br />
• Data Port<br />
Specify the data port here. The input format is as follows:<br />
port<br />
The default port number is 2020.<br />
Note that for security reasons, <strong>Webwasher</strong> runs under plain user rights (as<br />
opposed to root rights). Hence you can’t choose a privileged port (below<br />
1024) at runtime.<br />
If you choose a privileged port, you have to restart <strong>Webwasher</strong> to make it<br />
available.<br />
Port Settings<br />
The Port Settings window opens after clicking on the Add Proxy Port button.<br />
It looks like this:<br />
Using this window you can add a port to the list of listener ports that are opened<br />
by <strong>Webwasher</strong> for communication with the ICAP client when <strong>Webwasher</strong> is<br />
configured as FTP proxy.<br />
Use the following items of this window to configure the port settings and add<br />
the port to the list:<br />
• Port<br />
In this input field, specify the port by entering an IP address and a port<br />
number. The input format is:<br />
[IP]: port<br />
Note that for security reasons, <strong>Webwasher</strong> runs under plain user rights (as<br />
opposed to root rights). Hence you can’t choose a privileged port (below<br />
1024) at runtime.<br />
If you choose a privileged port, you have to restart <strong>Webwasher</strong> to make it<br />
available.<br />
• Allow access from<br />
In this input field, specify the IP addresses of the sites that should have<br />
access to the listener port. The input format is:<br />
(IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*.<br />
Entering an * in this field means to allow every site access.
• Use Policy<br />
From the drop-down list provided here, select a policy that will be applied<br />
during communication with the ICAP client over the listener port.<br />
This is not part of the authentication process for a client, but of the policy<br />
mapping that maps this client to a particular policy.<br />
If no policy is selected here, there will be no particular policy for communication<br />
with a client over this listener port. Instead, the policy that was<br />
configured for the ICAP server will be used.<br />
On the other hand, if a policy is selected here, the policy that was configured<br />
for the ICAP server will no longer be used.<br />
• Add<br />
After specifying the appropriate information about a listener port, click on<br />
this button to add it to the list.<br />
If the addition was successful, a corresponding message is displayed in<br />
this window. You can then go on to add another port to the list.<br />
• Close<br />
Click on this button to close the window and return to the Settings tab.<br />
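As an added example (not from this guide or from the product), the following Python code parses the<br />
two input formats used in the Port Settings section and window above, [IP]: port and the Allow<br />
access from list, and applies them: it flags privileged ports, which cannot be opened at runtime<br />
while <strong>Webwasher</strong> runs under plain user rights, and checks whether a connecting address is covered<br />
by the allow list. It assumes IPv4 addresses, reads an IP range as first-last, treats an empty list as<br />
allowing nobody, and takes the default port numbers 2121 and 2020 from the text above.<br />

```python
import ipaddress

PRIVILEGED_PORT_LIMIT = 1024   # ports below this need root rights; see the note above
DEFAULT_CONTROL_PORT = 2121    # default FTP proxy listener port from the guide
DEFAULT_DATA_PORT = 2020       # default FTP data port from the guide


def parse_listener(spec):
    """Parse an '[IP]:port' listener entry (IPv4 only in this example).

    Returns (ip_or_None, port, needs_restart). needs_restart is True for a
    privileged port, which can only be opened after a restart because the
    running process has no root rights. Accepts '2121', ':2121' and
    '10.0.0.1:2121'.
    """
    host, sep, port_text = spec.strip().rpartition(":")
    if not sep:
        host, port_text = "", spec.strip()
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    ip = str(ipaddress.IPv4Address(host.strip())) if host.strip() else None
    return ip, port, port < PRIVILEGED_PORT_LIMIT


def parse_allow_list(text):
    """Parse '(IP | IP/NetMask | IP range) [, ...]*' into IPv4 networks.

    Returns None for '*' (every site is allowed). A range 'a.b.c.d-e.f.g.h'
    is expanded into the covering CIDR blocks; an empty list allows nobody.
    """
    text = text.strip()
    if text == "*":
        return None
    nets = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low, high = (ipaddress.IPv4Address(p.strip()) for p in item.split("-", 1))
            if high < low:
                raise ValueError(f"reversed range: {item}")
            nets.extend(ipaddress.summarize_address_range(low, high))
        else:
            # strict=False tolerates host bits set in the mask form, e.g. 10.1.2.3/24
            nets.append(ipaddress.IPv4Network(item, strict=False))
    return nets


def is_allowed(client_ip, allowed):
    """True if client_ip may reach the listener under the parsed allow list."""
    if allowed is None:
        return True
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in allowed)
```

Checking the allow list against the peer address at accept time is the listener's first filter; the<br />
policy selected for the port only applies to clients that pass it.<br />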
FTP Options<br />
The FTP Options section looks like this:<br />
Using this section, you can configure the handling of FTP requests.<br />
The following options are provided in this section:<br />
• Allow clients to use passive FTP connections<br />
If this option is enabled, <strong>Webwasher</strong> will allow the client to use the passive<br />
connection mode for data connections between the client and <strong>Webwasher</strong>.<br />
The option is enabled by default. Active connections are always allowed.<br />
FTP uses a control connection initiated by the client as in any classic<br />
TCP/IP client-server protocol. But whenever some file or directory content<br />
is downloaded, a second connection (the data connection) is set up.<br />
The default is for FTP to have an active data connection, where the server<br />
initiates the data connection to the client.<br />
This may, however, cause problems for firewall policies, which usually do<br />
not allow external connections into the corporate network.<br />
A passive data connection is initiated by the client over the port the client<br />
received in response to its PASV command. The passive mode is optional,<br />
as not all clients and servers support it.<br />
Since <strong>Webwasher</strong> is a proxy itself, it connects to both the client and the<br />
server.<br />
• <strong>Webwasher</strong> uses passive FTP connections<br />
If this option is enabled, <strong>Webwasher</strong> will issue the PASV command in order<br />
to initiate a passive data connection to the FTP server. If the FTP server<br />
does not support this, no data connection will be possible.<br />
The option is enabled by default. It may be used in case a firewall policy<br />
does not allow active connections.<br />
• Anonymous password<br />
This option can be used in case FTP over HTTP is enabled and <strong>Webwasher</strong><br />
has been configured as proxy server.<br />
If no user name and password are already provided in the URL, no user-specific<br />
credentials are transmitted; the anonymous password configured here is used instead.<br />
In the input field provided here, enter a password, which is the e-mail address.<br />
This will enable you to continue as usual, by logging on to a remote FTP<br />
server as anonymous and submitting your password.
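The following Python example, added here and not part of the guide or of the product, shows what<br />
the two connection modes described above look like on the wire: it decodes the h1,h2,h3,h4,p1,p2<br />
form used by the client's PORT command (active mode) and by the server's 227 reply to PASV<br />
(passive mode), and derives from the two options above whether a data connection can be set up<br />
on each side. The sample lines are constructed. The optional control_peer check is an added<br />
validation, not a product feature: a proxy can use it so that a 227 reply only ever points it at the<br />
server it already talks to on the control connection.<br />

```python
import re

# Six decimal bytes: four for the host, two for the port (port = p1 * 256 + p2).
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_host_port(text):
    """Decode the 'h1,h2,h3,h4,p1,p2' form shared by PORT and the 227 reply."""
    match = _HOST_PORT.search(text)
    if not match:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in: {text!r}")
    numbers = [int(n) for n in match.groups()]
    if any(n > 255 for n in numbers):
        raise ValueError(f"byte out of range in: {text!r}")
    host = ".".join(str(n) for n in numbers[:4])
    port = numbers[4] * 256 + numbers[5]
    return host, port


def parse_pasv_reply(line, control_peer=None):
    """Parse the server's '227 Entering Passive Mode (...)' reply.

    Returns the (host, port) the client side connects to for the data
    connection. When control_peer is given, the advertised host must be the
    server the control connection is talking to.
    """
    if not line.startswith("227"):
        raise ValueError(f"not a 227 reply: {line!r}")
    host, port = _decode_host_port(line)
    if control_peer is not None and host != control_peer:
        raise ValueError(f"PASV host {host} differs from control peer {control_peer}")
    return host, port


def parse_port_command(line):
    """Parse the client's 'PORT h1,h2,h3,h4,p1,p2' command (active mode).

    In active mode the server side, here the proxy, opens the data connection
    to the returned (host, port) from its own data port.
    """
    verb, _, rest = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode_host_port(rest)


def data_connection_plan(client_passive_allowed, client_requested_passive,
                         webwasher_uses_passive, server_supports_pasv):
    """Decide how the two data connections are set up under the two FTP options.

    Returns (client_side, server_side), each 'active', 'passive' or None
    (no data connection possible on that side).
    """
    if client_requested_passive and not client_passive_allowed:
        client_side = None           # the client's PASV is refused
    else:
        client_side = "passive" if client_requested_passive else "active"
    if webwasher_uses_passive:
        server_side = "passive" if server_supports_pasv else None
    else:
        server_side = "active"       # server connects back to the proxy's data port
    return client_side, server_side
```

The constructed PORT sample below resolves to port 2020, the default data port of this section,<br />
which is the port a client sees the proxy connecting from in active mode.<br />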
5.4.2<br />
Next Hop Proxies<br />
The Next Hop Proxies tab looks like this:<br />
There is one section on this tab:<br />
• Use Next Hop Proxies<br />
It is described in the following.<br />
Use Next Hop Proxies<br />
The Use Next Hop Proxies section looks like this:<br />
Using this section, you can configure next hop proxies for FTP connections.<br />
You can specify the URLs that next hop proxies should be used for, as well as<br />
the mode of this usage and the next hop proxies to be used.<br />
The Use Next Hop Proxies feature is not enabled by default. To enable it,<br />
mark the checkbox next to the section heading. Then click on Apply Changes<br />
to make this setting effective.<br />
Furthermore, use the following items to configure next hop proxies:<br />
• Do not use Next Hops for local addresses<br />
Enable this option to prevent the use of next hop proxies for local addresses.<br />
Then click on Apply Changes to make this setting effective.<br />
Local addresses have no dots (.) within their specifications.<br />
So, after enabling this option, you can fine-tune <strong>Webwasher</strong> in an intranet<br />
and enter the name of a local server in the browser, e. g. server_name,<br />
instead of typing a URL, e. g. ftp://server_name.fooo.com.<br />
<strong>Webwasher</strong> will then contact this local server directly without using the configured<br />
proxy.<br />
Using this option speeds up internal connections and reduces load on the<br />
proxy server.
• if URL matches<br />
This input field is the first of several items provided for specifying information<br />
on the next hop proxies you want to configure.<br />
Enter a matching term here. If an URL matches this term, it will use the<br />
next hop proxies specified further below in the usage mode that is also<br />
specified further below.<br />
• use mode<br />
From this drop-down list, select the mode to be used for the URLs and next<br />
hop proxies specified here. The following modes are available:<br />
— None<br />
This mode uses no next hop proxies. Direct connections will be used<br />
instead.<br />
— specific<br />
In this mode, one specific next hop is set for the URLs configured<br />
above.<br />
— failover<br />
In this mode, the first next hop given in the participants list is tried first.<br />
If it fails, it will be retried until the configured retry maximum for it has<br />
been reached.<br />
Then the second next hop proxy in the participants list is tried, etc.<br />
— round robin<br />
In this mode, the next hop proxy is used that is next in the participants<br />
list to the one that was used last.<br />
This means also that the participants list is used in a circular manner: If<br />
the end of the list has been reached, selection of next hop proxies will<br />
restart from the beginning.<br />
• participating next hops<br />
In this input field, enter the next hop proxies that should be used for the<br />
URLs specified here.<br />
To do this, type a proxy name or select one from the drop-down list to the<br />
right of this input field. You can add more than one proxy by repeating this<br />
operation.<br />
The drop-down list shows select one to add as its topmost entry. If no<br />
next hop proxies have been configured yet, the topmost entry reads no<br />
Next Hops defined.<br />
To configure next hop proxies, click on the Define Next Hop Proxies<br />
button, which is located further to the right.<br />
This will open a window, where you can specify the information required to<br />
configure a next hop proxy.<br />
For the description of this window, see the Available Proxies subsection<br />
further below.<br />
• Add Entry to List<br />
After specifying the appropriate information about a next hop proxy, click<br />
on this button to add it to the list.<br />
The list of next hop proxies is displayed at the bottom of this section. For each<br />
entry, it provides the information that is specified when a new entry is added.<br />
You can edit list entries, move them up and down in the list, or delete them.<br />
To display only a particular number of entries at a time, type this number in the<br />
input field labeled Number of entries per page and enter it using the Enter<br />
key on your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an entry, type the appropriate text in the input fields of the URL, use<br />
mode and participating next hops columns. Then click on Apply Changes<br />
to make this setting effective.<br />
You can edit more than one entry and make the changes effective in one go.<br />
The list also contains an entry with * as value for the URL parameter. It is<br />
always in last position within the list and cannot be deleted.<br />
By editing this entry, you can configure a next hop proxy setting for all URLs<br />
that are not represented by a particular entry in the list.<br />
Since the * entry is last in the list, it becomes effective only after all other list<br />
entries were read by <strong>Webwasher</strong> and used for establishing next hop proxy<br />
connections.<br />
By default none is specified as mode for the * entry, which means that there<br />
will be no next hop proxy connections for URLs that are not otherwise included<br />
in the list.
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field above the URL, use mode or<br />
participating next hops or in a combination of them and enter this using<br />
the Enter key of your keyboard.<br />
The list will then display only entries matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Move Up, Move Down<br />
Select the entry you wish to move by marking the Select checkbox next<br />
to it and click on either of these buttons, depending on where you want to<br />
move the entry.<br />
The position an entry takes in the list is important since whenever there is<br />
more than one entry in the list containing information on a particular URL<br />
or next hop proxy, the entry that is first in the list wins.<br />
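The following Python example is added for illustration and is not code from the guide or from the<br />
product. It models the Use Next Hop Proxies list described in this section: rules are checked in<br />
list order so that the first match wins, the * entry is always last and defaults to none, the four<br />
use modes return the next hops in the order they should be tried, and the local-address option<br />
bypasses next hops for names without a dot. The guide does not specify how the if URL matches<br />
term is matched; the example assumes shell-style wildcards. The rule and proxy names are<br />
constructed.<br />

```python
import fnmatch
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class NextHopRule:
    url_pattern: str        # the "if URL matches" term (assumed: shell-style wildcard)
    mode: str               # "none", "specific", "failover" or "round robin"
    participants: list      # participating next hop names, in list order


# Constructed sample table; the '*' entry must be last, as in the UI.
SAMPLE_RULES = [
    NextHopRule("ftp://*.example.com/*", "failover", ["pxy1", "pxy2"]),
    NextHopRule("ftp://mirror.example.net/*", "round robin", ["pxy3", "pxy4", "pxy5"]),
    NextHopRule("*", "none", []),
]


class NextHopRouter:
    """Ordered next hop table: the first matching rule wins, '*' is the catch-all."""

    def __init__(self, rules, skip_local=False):
        self.rules = list(rules)
        if not self.rules or self.rules[-1].url_pattern != "*":
            # Mirror the UI: the '*' entry is always present, last, and defaults to none.
            self.rules.append(NextHopRule("*", "none", []))
        self.skip_local = skip_local
        self._last_used = {}  # rule index -> position of the last round-robin pick

    def route(self, url):
        """Return the next hop names to try, in order; [] means connect directly."""
        host = urlsplit(url).hostname or url   # a bare name like 'server_name' has no scheme
        if self.skip_local and "." not in host:
            return []  # local address (no dots): do not use next hops
        for index, rule in enumerate(self.rules):
            if fnmatch.fnmatchcase(url, rule.url_pattern):
                return self._order(index, rule)
        return []

    def _order(self, index, rule):
        hops = list(rule.participants)
        if rule.mode == "none" or not hops:
            return []
        if rule.mode == "specific":
            return hops[:1]
        if rule.mode == "failover":
            return hops  # first is tried up to its retry maximum, then the second, ...
        if rule.mode == "round robin":
            start = (self._last_used.get(index, -1) + 1) % len(hops)
            self._last_used[index] = start
            return hops[start:] + hops[:start]   # rotate, wrapping at the end of the list
        raise ValueError(f"unknown use mode: {rule.mode}")
```

Because the rules are evaluated top to bottom, moving an entry with Move Up or Move Down changes<br />
which rule a URL hits; the router keeps the round-robin position per rule so that the rotation<br />
continues where it left off.<br />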
Available Proxies<br />
The section in this window allows you to configure next hop proxies for all kinds<br />
of connections. These will then be available for selection on the Use Next Hop<br />
Proxies tab.<br />
After specifying the appropriate settings for a next hop proxy, it is added to the<br />
list of available next proxies by clicking on the Add button.<br />
The list is displayed at the bottom of the section. You can modify the settings<br />
for each proxy that is shown in the list.<br />
Use the following items for configuring available next hop proxies:<br />
• Name<br />
In this input field, enter the name of the next hop proxy you want to configure.<br />
If you leave the field empty, a name will be generated by <strong>Webwasher</strong>,<br />
e. g. pxy1, and inserted in this field after clicking on the Add button.<br />
The name can be modified after the new proxy has been included in the<br />
list.<br />
• Proxy server address<br />
In the input fields provided here, enter the address of the server you want<br />
to make available as next hop proxy:<br />
— Host<br />
Enter the IP address or URL of this server here.<br />
— Port<br />
Enter the port number of the port for connecting to this server here.<br />
• Proxy authorization<br />
In the input fields provided here, enter the credentials that <strong>Webwasher</strong><br />
should use for authentication at the next hop proxy:<br />
— Username<br />
Enter the user name here.<br />
— Password<br />
Enter the password here.<br />
• Connection behavior<br />
Use the items provided here to configure the connection behavior:<br />
— Retry . . . times on failure for this proxy<br />
From the drop-down list provided here, select the number of retries you<br />
want to configure for a next hop proxy. You can configure up to three<br />
retries.<br />
When the maximum number of retries has been reached, <strong>Webwasher</strong><br />
will try to establish a connection using another next hop proxy, according<br />
to what has been configured on the Use Next Hop Proxies tab,<br />
e. g. failover or round robin.<br />
— Do not retry proxy for . . . minutes when it has reached . . .<br />
times within 10 seconds its maximum number of retries<br />
In the input fields provided here, enter the time information that will<br />
cause a connection break, i. e. an interval during which <strong>Webwasher</strong><br />
will not retry a next hop proxy after a connection to it could not be established<br />
in a given situation.<br />
In the first input field, enter the time (in minutes) that the connection<br />
break should last.<br />
In the second input field, specify how often the maximum number of retries<br />
must have been reached within 10 seconds before the connection<br />
break is started.
— use persistent connections<br />
If you want <strong>Webwasher</strong> to use persistent connections to the next hop<br />
proxies, make sure this checkbox is marked. The checkbox is marked<br />
by default.<br />
<strong>Webwasher</strong> will try to meet this requirement by establishing persistent<br />
connections, but may fail to do so in some situations.<br />
You will then see that the failed counter in the list of available next<br />
proxies displays an increased value for the connection to the next hop<br />
proxy in question.<br />
In this case, you might clear the checkbox to disable the option. Note,<br />
however, that this will reduce performance.<br />
• Add<br />
After specifying the appropriate information for the server you want to make<br />
available as next hop proxy, click on this button to add it to the list of available<br />
next hop proxies.<br />
The list of available next hop proxies is displayed at the bottom of this section.<br />
For each entry, it provides the information that is specified when a new entry<br />
is added.<br />
Furthermore statistical figures are displayed on the reliability of next hop proxies.<br />
You can edit list entries, delete them and reset the statistics.<br />
To display only a particular number of entries at a time, type this number in the<br />
input field labeled Number of entries per page and enter it using the Enter<br />
key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an entry, click on the View Details and Edit link in the same line.<br />
This will reopen the window and this section with the information concerning<br />
the next hop proxy in question, so you can modify it.<br />
After completing the modification, click on the Modify button, which is provided<br />
now instead of the Add button, to make it effective.<br />
If you want to clear the information before modifying the settings for a next hop<br />
proxy, click on the Clear Input button.<br />
Apart from the information that was specified when a new entry was added to<br />
the list, such as the proxy name and address, the list displays statistical figures<br />
on the reliability of each next hop proxy.<br />
The following information is provided in the columns of the list:<br />
• reliability<br />
Reliability of a next hop proxy<br />
The reliability is calculated as the percentage of attempts to establish a<br />
connection to the next hop proxy that were successful in relation to the<br />
overall number of attempts.<br />
• tried<br />
Number of times that <strong>Webwasher</strong> tried to establish a connection to a proxy<br />
• failed<br />
Number of times that an attempt by <strong>Webwasher</strong> to establish a connection<br />
to a proxy failed<br />
• last fail<br />
Date and time of the last time that an attempt by <strong>Webwasher</strong> to establish<br />
a connection to a proxy failed<br />
• do not retry reached<br />
Date and time of the last time that a situation was reached where <strong>Webwasher</strong><br />
did not retry a next hop proxy over a given period of time.<br />
The length of this period depends on what you configured under Do not<br />
retry proxy for . . . minutes when it has reached . . . times<br />
within 10 seconds its maximum number of retries, see above.<br />
If the do not retry situation is still on, i. e. <strong>Webwasher</strong> will currently not retry<br />
the next hop proxy in question, the date and time values are displayed in<br />
red.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input fields above the Name, Proxy or Port<br />
columns or in a combination of them and enter this using the Enter key of<br />
your keyboard.<br />
The list will then display only entries matching the filter.
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Reset Statistics<br />
Click on this button to reset the statistical figures shown in the list for reliability<br />
of next hop proxies.<br />
• Reset do not retry<br />
Click on this button to reset the statistics only for the do not retry reached<br />
parameter, see above.<br />
To return to the Next Hop Proxies tab, click on the Close button.<br />
The next hop proxy you added to the list will also appear and be available in<br />
the list of next hop proxies, which is displayed at the bottom of the Use Next<br />
Hop Proxies section on that tab.<br />
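As an added example (not the product's own implementation), the following Python code tracks the<br />
reliability figures and the do-not-retry connection break described for the Available Proxies<br />
list: each attempt updates tried, failed and last fail; reaching the maximum number of retries the<br />
configured number of times within the 10-second window starts a break of the configured length and<br />
records do not retry reached; and the two reset buttons correspond to the two reset methods. It<br />
assumes that the configured retries are in addition to the first attempt, and takes an injectable<br />
clock so the behaviour can be exercised without waiting.<br />

```python
import time


class NextHopHealth:
    """Per-proxy reliability statistics and the do-not-retry connection break."""

    def __init__(self, name, retries=3, break_minutes=5, exhaustions=3,
                 window_seconds=10.0, clock=time.monotonic):
        self.name = name
        self.retries = min(retries, 3)        # the UI allows up to three retries
        self.break_seconds = break_minutes * 60
        self.exhaustions = exhaustions        # "... when it has reached N times ..."
        self.window_seconds = window_seconds  # "... within 10 seconds ..."
        self._clock = clock
        self.tried = 0
        self.failed = 0
        self.last_fail = None
        self.do_not_retry_reached = None
        self._blocked_until = None
        self._exhaustion_times = []

    def in_break(self):
        """True while the proxy is not to be retried (shown in red in the list)."""
        return self._blocked_until is not None and self._clock() < self._blocked_until

    def reliability(self):
        """Successful attempts as a percentage of all attempts; None if never tried."""
        if self.tried == 0:
            return None
        return 100.0 * (self.tried - self.failed) / self.tried

    def connect(self, attempt):
        """Call attempt() up to 1 + retries times; True on the first success.

        Assumption: the configured retries come on top of the first attempt.
        A proxy that is in a break is not tried at all.
        """
        if self.in_break():
            return False
        for _ in range(1 + self.retries):
            now = self._clock()
            self.tried += 1
            if attempt():
                return True
            self.failed += 1
            self.last_fail = now
        self._note_exhaustion(now)
        return False

    def _note_exhaustion(self, now):
        # The maximum number of retries was reached: keep only the events
        # inside the window and start the break once enough have accumulated.
        self._exhaustion_times = [t for t in self._exhaustion_times
                                  if now - t <= self.window_seconds] + [now]
        if len(self._exhaustion_times) >= self.exhaustions:
            self._blocked_until = now + self.break_seconds
            self.do_not_retry_reached = now
            self._exhaustion_times = []

    def reset_statistics(self):
        """'Reset Statistics': clears the reliability figures."""
        self.tried = self.failed = 0
        self.last_fail = None

    def reset_do_not_retry(self):
        """'Reset do not retry': ends the break and clears its timestamp."""
        self.do_not_retry_reached = None
        self._blocked_until = None
        self._exhaustion_times = []


def connect_via(hops, attempt_for):
    """Failover over an ordered list of NextHopHealth objects: the first proxy
    that is not in a break and accepts the connection is returned, else None."""
    for hop in hops:
        if hop.connect(lambda: attempt_for(hop.name)):
            return hop.name
    return None
```

connect_via is the failover use mode of the Use Next Hop Proxies tab seen from this side: it walks<br />
the candidates in list order and silently skips any proxy whose break is still running.<br />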
5.4.3<br />
Authentication<br />
The Authentication tab looks like this:<br />
At the top of this tab, there is a button labeled:<br />
• Define Proxy Authentication Options<br />
Click on this button to configure some additional options relating to all kinds<br />
of proxies. This will open a window where you can specify the appropriate<br />
information.<br />
The options of this window are described in the Define Proxy Authentication<br />
Options Window subsection of 5.2.3.<br />
Furthermore, there are three sections on this tab:<br />
• Authentication Process<br />
• Authentication Options<br />
• NTLM and NTLM-Agent Authentication Options<br />
They are described in the following.<br />
For a sample procedure to configure the eDirectory authentication method, see<br />
also 5.2.3.<br />
Authentication Process<br />
The Authentication Process section looks like this:<br />
Using this section, you can configure the order in which authentication methods are<br />
applied during the authentication process.<br />
Specify the appropriate order and click on Apply Changes to make your settings<br />
effective.<br />
To specify this order, select the authentication method you want to be applied<br />
first from the first of the two drop-down lists provided here.<br />
From the second drop-down list, select the method you want to be applied<br />
afterwards.<br />
More information on the authentication process methods is provided in the Authentication<br />
Process subsection of 5.2.3, and also in the subsections below.
Authentication Options<br />
The Authentication Options section looks like this:<br />
Using this section, you can configure what to do in case the authentication<br />
server is down.<br />
The following item is provided here for this purpose:<br />
• Allow Internet access when authentication server is down<br />
Enable this option if you want to allow a client request in case <strong>Webwasher</strong><br />
has found that the authentication server is down.<br />
Then click on Apply Changes to make this setting effective.<br />
NTLM and NTLM-Agent Authentication Options<br />
The NTLM and NTLM-Agent Authentication Options section looks like<br />
this:<br />
Using this section, you can configure options for an authentication method that<br />
performs an NTLM lookup in order to authenticate users.<br />
NTLM is an authentication method used by browsers, proxies and servers. It is<br />
more secure than other methods because the user password is not transmitted<br />
as plain text.<br />
The user of the NT domain is a member of several domain groups. The ICAP<br />
server can use these groups to do the policy mapping. A list of groups must<br />
be provided by the ICAP client.<br />
If you want to do NTLM authentication and the operating system <strong>Webwasher</strong><br />
is running on is not Windows, you can use an agent application, the NTLM<br />
Agent, to enable this.<br />
The settings configured here will apply also for the agent application. For this<br />
application, see also the settings in the NTLM Agent Setup field.<br />
There is a basic and an integrated method of authenticating users.<br />
With basic authentication, the browser sends the user name and password<br />
as plain text (less secure) to <strong>Webwasher</strong>, which plays the role of the client<br />
when exchanging authentication messages with the authentication server, so <strong>Webwasher</strong><br />
uses the NTLM method to authenticate the user.<br />
With the FTP protocol, only this authentication method can be configured.<br />
Integrated authentication encrypts messages going from the client browser to<br />
the authentication server and back. In this situation, <strong>Webwasher</strong> acts as the<br />
proxy server and forwards authentication server messages to the client.<br />
This can be useful if <strong>Webwasher</strong> does user authentication, applies policies and<br />
forwards requests to the caching proxy.<br />
After authenticating the user, <strong>Webwasher</strong> contacts the corresponding Domain<br />
Controller and can retrieve either a list of global (domain) groups that the user<br />
is a member of, a list of local groups on the domain controller, or both.<br />
NTLM authentication can be configured as part of a policy mapping based on<br />
user and user group information. Information about user groups is stored in a<br />
directory container on the domain controller.<br />
It is important that this information is not stored in a sub-container, since<br />
it may not be possible to retrieve it from there.<br />
So, it should be stored, e. g., in \COMPANY.com rather than in<br />
\COMPANY.com\E-Mail Aliases.<br />
Note that if you are using the NTLM Agent, a tool like NTLMTest.exe will<br />
enable you to view the list of groups the domain controller actually sends to<br />
the NTLM Agent, which forwards it to <strong>Webwasher</strong>. Comparing this list with the<br />
groups your policy mapping expects is the quickest way to find out why a<br />
mapping does not take effect.<br />
Ask your support team for this tool and install it on the system the NTLM Agent<br />
is running on.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following items to configure NTLM and NTLM-Agent authentication:<br />
• Enable basic authentication<br />
Enable this option to use the basic authentication method and enter the<br />
default domain used for basic authentication in the input field provided here.<br />
• Select what groups to get from Domain Controller<br />
From the drop-down list provided here, select what groups are to be fetched<br />
from the domain controller: Global, Local or both.
5.4.4<br />
ICAP Services<br />
The ICAP Services tab looks like this:<br />
There are three sections on this tab:<br />
• Services<br />
• List of Available ICAP Services<br />
• Bypass ICAP Server<br />
They are described in the following.<br />
Services<br />
The Services section looks like this:<br />
Using this section, you can configure the ICAP client services to be used for<br />
REQMOD and RESPMOD communication.<br />
The following input fields are provided in this section:<br />
• REQMOD services<br />
Enter the ICAP client services to be used for REQMOD communication<br />
here. If you enter more than one service, separate them by the | (pipe<br />
sign).<br />
You can also enter a service by selecting it from the drop-down list next to<br />
this input field.<br />
• RESPMOD services<br />
Enter the ICAP client services to be used for RESPMOD communication<br />
here. If you enter more than one service, separate them by the | (pipe sign).<br />
You can also enter a service by selecting it from the drop-down list next to<br />
this input field.<br />
List of Available ICAP Services<br />
The List of Available ICAP Services section looks like this:<br />
It displays a list of the services that are available for being configured in the<br />
Services section above.<br />
To add a service to the list, click on the ICAP Service Definition link that is<br />
provided here.<br />
This will open a window for adding services. For a description of this window,<br />
see the ICAP Service Definition Window subsection of 5.2.4.
Bypass ICAP Server<br />
The Bypass ICAP Server section looks like this:<br />
Using this section, you can configure bypassing of the ICAP server for requests<br />
made to particular hosts. These hosts are entered in a bypass list.<br />
To add a host to the list, use the input field provided here. Enter the IP address,<br />
host name or URL, omitting the ftp:// prefix.<br />
Then click on the Add button.<br />
The bypass list is displayed at the bottom of this section.<br />
To display only a particular number of list entries at a time, type this number in<br />
the input field labeled Number of entries per page and enter it using the Enter<br />
key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an entry, type the appropriate text in the input field of the corresponding<br />
line.<br />
Then click on Apply Changes to make the modification effective. You can edit<br />
more than one entry and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field above the list and enter it using<br />
the Enter key of your keyboard.<br />
The list will then display only entries matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
5.5<br />
E-Mail Gateway<br />
The E-Mail Gateway options are invoked by clicking on the corresponding<br />
button under Proxies:<br />
If you want to enable any of these options, make sure the checkbox on this<br />
button is also marked. The checkbox is marked by default.<br />
After modifying the setting of this checkbox, click on Apply Changes to make<br />
the modification effective.<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Gateway Settings, see 5.5.1<br />
• ICAP Services, see 5.5.2<br />
• Notifications, see 5.5.3<br />
• ESMTP Extensions, see 5.5.4
5.5.1<br />
Gateway Settings<br />
The Gateway Settings tab looks like this:<br />
There are six sections on this tab:<br />
• Port Settings<br />
• SMTP Welcome Message<br />
• HELO Name<br />
• Relaxed Domain Name<br />
• Address to Policy Mapping Options<br />
• Release using Policy<br />
They are described in the following.<br />
Port Settings<br />
The Port Settings section looks like this:<br />
It allows you to configure the listening port for the e-mail server.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
this setting effective.<br />
Use the following input field to configure the listening port:<br />
• Port<br />
Enter the port number of the listener port here. The default port number is<br />
25. It is highly recommended not to change it, since many mail clients do<br />
not allow it to be configured.<br />
You may also prefix the port with the IP address the e-mail server should listen on.<br />
The input format is:<br />
[IP:]Port<br />
SMTP Welcome Message<br />
The SMTP Welcome Message section looks like this:<br />
It allows you to configure a welcome message that will be sent to every connected<br />
e-mail client in order to identify the server.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
this setting effective.<br />
Use the following input field to configure a welcome message.<br />
• Message<br />
Enter a text string for the welcome message here. The default message is<br />
WW SMTP server ready.
HELO Name<br />
The HELO Name section looks like this:<br />
It allows you to configure the name that is used in the HELO request <strong>Webwasher</strong><br />
sends to the mail server to identify itself when delivering e-mails.<br />
After sending a HELO request to this server, <strong>Webwasher</strong> waits for the server<br />
response.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
this setting effective.<br />
Use the following input field to configure the HELO name:<br />
• Name<br />
Enter the HELO name here. A fully qualified domain name is required as<br />
input in this field.<br />
The field is left blank by default. With no input here, <strong>Webwasher</strong> will use<br />
the name of the system it is currently running on.<br />
Relaxed Domain Name<br />
The Relaxed Domain Name section looks like this:<br />
It allows you to configure the special characters that should be allowed in a<br />
domain name, e. g. the _ (underscore).<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following input field to configure special characters in a domain<br />
name:<br />
• Characters<br />
Enter the special characters you want to allow for domain names here.<br />
Address to Policy Mapping Options<br />
The section labeled Address to Policy Mapping Options looks like this:<br />
It allows you to configure the action to be performed when a request to map<br />
an e-mail to a particular policy fails.<br />
A PROFILES request, which is a non-standard ICAP method, is made to map<br />
the sender or recipient of an e-mail to a particular policy. This request may fail<br />
because the ICAP server is down or has been replaced by another server.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following radio buttons to configure an action:<br />
• Use default policy<br />
If this radio button is checked, the default policy is used for the e-mail in<br />
question regardless of its recipient.<br />
The radio button is checked by default.<br />
• Don’t filter e-mail<br />
If this radio button is checked, the e-mail is not filtered.<br />
• Repeat address mapping request later<br />
If this radio button is checked, the request to map the e-mail to the policy<br />
that was configured for it will be repeated at the next attempt to filter e-mails.
Release Using Policy<br />
The Release Using Policy section looks like this:<br />
It allows you to configure the policy that should be applied to an e-mail upon<br />
being released.<br />
After specifying this setting, click on Apply Changes to make it effective.<br />
Use the following drop-down list to configure a release policy:<br />
• Policy<br />
Select a policy from this list. After being released, an e-mail will then be<br />
moved to the inbound queue and processed according to this policy. Selecting<br />
None means an e-mail is moved directly to the outbound queue<br />
after being released.<br />
By default, AVonly is selected here as a policy, which will ensure all e-mails<br />
are virus-checked before being released.<br />
5.5.2<br />
ICAP Services<br />
The ICAP Services tab looks like this:<br />
There are two sections on this tab:<br />
• ICAP Services<br />
• List of Available ICAP Services<br />
They are described in the following.<br />
ICAP Services<br />
The ICAP Services section looks like this:<br />
Using this section, you can configure the ICAP client services that should be<br />
used in PROFILES and RESPMOD communication.<br />
The e-mail gateway uses ICAP requests in RESPMOD mode to filter e-mail<br />
messages. PROFILES is a non-standard ICAP method for selecting the user policies<br />
that are applied to e-mail messages.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following input fields to configure ICAP client services:<br />
• PROFILES services<br />
Enter the ICAP client services to be used for PROFILES communication<br />
here. You can enter more than one service. The default service is internal.<br />
The input format is:<br />
service1[ | service2]<br />
• RESPMOD services<br />
Enter the ICAP client services to be used for RESPMOD communication<br />
here. You can enter more than one service. The default service is internal.<br />
The input format is:<br />
service1[ | service2]<br />
List of Available ICAP Services<br />
The List of Available ICAP Services section looks like this:<br />
It displays a list of the services that are available for being configured in the<br />
ICAP Services section above.<br />
To have a service from this list included in the group of services that are actually<br />
used for e-mail communication, click on one of these buttons in the corresponding<br />
line:<br />
• Add to Profiles<br />
Click on this button to move a service to the Profiles services group.<br />
• Add to Respmod<br />
Click on this button to move a service to the Respmod services group.<br />
To add a service to this list, click on the ICAP Service Definition link that is<br />
provided here.<br />
This will open a window for adding services. For a description of this window,<br />
see the ICAP Service Definition Window subsection of 5.2.4.<br />
5.5.3<br />
Notifications<br />
The Notifications tab looks like this:<br />
There is one section on this tab:<br />
• <strong>System</strong> Notifications<br />
It is described in the following. Furthermore, a description is given of the window<br />
that opens after clicking on the Edit Notification Mail Server button in<br />
this section:<br />
• Notification Settings Window
<strong>System</strong> Notifications<br />
The <strong>System</strong> Notifications section looks like this:<br />
Using this section, you can configure e-mail notifications relating to special<br />
events, which are sent to the e-mail address of a recipient.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following items to configure e-mail notifications:<br />
• Send notification if a problem with SMTP Gateway detected<br />
To send a notification in this situation, mark the checkbox provided here<br />
and enter the recipient of the notification in the Recipient input field.<br />
• Send notification if a non processable mail detected<br />
To send a notification in this situation, mark the checkbox provided here.<br />
The recipient is the same as specified above.<br />
• Send notification if SMTP Gateway stopped due to high recovery<br />
rate<br />
To send a notification in this situation, mark the checkbox provided here.<br />
The recipient is the same as specified above.<br />
• Send notification if mail is being processed more than ... minutes<br />
To send a notification in this situation, mark the checkbox provided here.<br />
In the input field, enter the number of minutes that must elapse before a<br />
notification is sent. The default number is 10.<br />
The recipient is the same as specified above.<br />
• Edit Notification Mail Server<br />
To configure the settings for the server used to process notifications, click<br />
on this button.<br />
This will open a window where you can enter the appropriate values. It is<br />
described in the subsection below.<br />
• Send Test Messages<br />
After configuring notifications, click on this button to send test messages.<br />
Notification Settings Window<br />
After clicking on the button labeled Edit Notification Mail Server in the <strong>System</strong><br />
Notifications section, the Notification Settings window opens:<br />
In this window, you can specify the settings of the mail server that is used to<br />
send the notifications you configured on the Notifications tab.<br />
After configuring these settings, click on OK to make them effective. Click on<br />
Cancel to close the window without configuring any server settings.<br />
Use the following input fields to configure the server settings:<br />
• SMTP server address<br />
Enter the IP address of the server here.<br />
• SMTP server port<br />
Enter the port number here of the port that is used on the server for sending<br />
the notifications.<br />
The default port number is 25.
• HELO name<br />
Enter the name here that <strong>Webwasher</strong> should send in a HELO request to<br />
the notification mail server in order to identify itself.<br />
• Sender<br />
Enter the sender address of the e-mails here that are sent as notifications.<br />
The default address is <strong>Webwasher</strong>@localhost.<br />
5.5.4<br />
ESMTP Extensions<br />
The ESMTP Extensions tab looks like this:<br />
There is one section on this tab:<br />
• ESMTP Extensions<br />
It is described in the following.<br />
ESMTP Extensions<br />
The ESMTP Extensions section looks like this:<br />
Using this section, you can configure ESMTP extensions. After configuring an<br />
extension, the communication between the client and the <strong>Webwasher</strong> server<br />
will be conducted in Extended SMTP (ESMTP) mode.<br />
If an extension has been configured, this is announced to the client in the reply<br />
to its EHLO command, referred to as the welcome message below.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.
The meaning and usage of the ESMTP extensions is as follows:<br />
• SIZE Extension<br />
There is a size limit for sending messages to the <strong>Webwasher</strong> server. In the<br />
welcome message, the client is notified of this.<br />
• 8BIT MIME Extension<br />
The <strong>Webwasher</strong> server accepts messages with an 8-bit body (BODY=8BITMIME). In<br />
the welcome message, the client is notified of this.<br />
Note: The target server may, however, not accept messages with this<br />
body type. In this case, the <strong>Webwasher</strong> server is unable to deliver the<br />
client message.<br />
• DSN Extension<br />
The <strong>Webwasher</strong> server may generate a Delivery Status Notification (DSN)<br />
after forwarding a message from the client. In the welcome message, the<br />
client is notified of this.<br />
The notification mode must be specified by the client. The client can specify<br />
any of the following options (combinations of the last three options are<br />
permitted):<br />
never - No notifications will be sent to the client.<br />
relayed - The client is notified after a message has been forwarded to the<br />
target server.<br />
delayed - The client is notified if a message has been forwarded to the<br />
target server, but is delayed, i. e. it is unknown so far whether the target<br />
server received this message.<br />
failed - The client is notified if the delivery of a message to the target server<br />
has failed.<br />
Another option is provided for notifications to the postmaster:<br />
— Send a copy to postmaster<br />
Enable this option if you want a copy of every notification to be sent to<br />
the postmaster.<br />
To specify the postmaster’s address, i. e. the address the notifications<br />
are sent to, invoke the Notifications tab.<br />
In the <strong>System</strong> Notifications section, enter the address in the Recipient<br />
input field provided together with the option labeled Send notification<br />
if a problem with SMTP Gateway detected.<br />
— Add original subject to the generated notification<br />
Enable this option if you want the subject of the e-mail in question to<br />
be included in the notification to the postmaster.<br />
• STARTTLS Extension<br />
The TLS (Transport Layer Security) method will be used for communication<br />
between the <strong>Webwasher</strong> server and the client. This is a method enabling<br />
private, authenticated communication within the Internet.<br />
Whenever a client wants to establish a TLS-secured connection, <strong>Webwasher</strong><br />
sends a server certificate to identify itself. You can either have<br />
<strong>Webwasher</strong> issue the certificate or import an externally issued certificate.<br />
You can also enforce the use of this extension for particular servers. To<br />
specify them, the following input field is provided:<br />
— Enforce TLS for ...<br />
Enter the server or servers here that you want to enforce the use of<br />
TLS for. The input format is:<br />
(IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*<br />
If you specify an *, all servers will be forced to use TLS.<br />
To configure the certificate <strong>Webwasher</strong> sends to the client for authentication,<br />
use the input fields and buttons of the following area:<br />
— Certificate Options<br />
The following options are provided here:<br />
Use <strong>Webwasher</strong> generated certificate with CN ...<br />
This is the default option. <strong>Webwasher</strong> will issue the certificate and<br />
sign it with its own CA. In the input field provided here, enter the<br />
name of the certificate file.<br />
This will work well as long as only well-known clients will connect<br />
that have the <strong>Webwasher</strong> Root CA installed. The private key handling<br />
is done as has been configured for the SSL Scanner and<br />
HTTPS Web interface and digest. To change these settings, go<br />
to <strong>Configuration</strong> > Certificate Management > Private Key<br />
Handling.<br />
Externally issued certificate<br />
This option enables you to use a certificate issued by an external<br />
CA.
Use the Browse button next to the input field labeled Import certificate<br />
to browse for this certificate, and click on the Import button<br />
to import it.<br />
To view the certificate, click on the certificate link provided here.<br />
There are two options for configuring where the private-key operation of the<br />
TLS handshake is performed for an imported certificate:<br />
by this <strong>Webwasher</strong> instance<br />
With this option, the handshake will be done by the <strong>Webwasher</strong><br />
instance that a client connects to. Use the Browse button next<br />
to the input field labeled Import private key to browse to a<br />
private key for the handshake.<br />
Furthermore, you need to provide a passphrase in the<br />
Passphrase input field. Then click on the Import button to<br />
import the private key.<br />
by remote service using HSM Agent with key<br />
With this option, the handshake will be done by a remote service,<br />
which is handled by the <strong>Webwasher</strong> HSM Agent. Enter a<br />
key ID in the input field provided here to specify the key that is<br />
required for the remote service to perform the handshake.<br />
You also need to configure the HSM Agent connection in order<br />
to be able to use this option. To do this, go to <strong>Configuration</strong><br />
> Certificate Management > Private Key Handling.<br />
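The following Python program is an added example and not part of the guide or of <strong>Webwasher</strong>. It shows the ESMTP mechanics the extensions above rely on: parsing the reply in which a server announces SIZE, 8BITMIME, DSN and STARTTLS, building the MAIL FROM and RCPT TO parameters a client may use (including the DSN notification modes never, relayed, delayed and failed), and the address specification of the Enforce TLS for ... field (IP, IP/NetMask, IP range, comma separated, * for all servers). The function names, the sample EHLO reply and the mapping of "relayed" to the RFC 3461 keyword SUCCESS are assumptions of the example.<br />

```python
"""ESMTP extension handling for an SMTP gateway (added example, not Webwasher code).

parse_ehlo() reads the reply in which a server announces its extensions,
build_envelope() derives MAIL FROM / RCPT TO parameters for SIZE, 8BITMIME and
DSN, and parse_enforce_tls()/reply_to_mail_from() implement the 'Enforce TLS
for ...' specification. Names and the sample reply are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of an ESMTP server's reply to EHLO.
SAMPLE_EHLO_REPLY = (
    "250-ww.example.com Hello client.example.net\r\n"
    "250-SIZE 20971520\r\n"
    "250-8BITMIME\r\n"
    "250-DSN\r\n"
    "250 STARTTLS\r\n"
)

# The guide's DSN option names mapped to RFC 3461 NOTIFY keywords;
# mapping 'relayed' to SUCCESS is an assumption of this example.
NOTIFY_KEYWORDS = {"never": "NEVER", "relayed": "SUCCESS",
                   "delayed": "DELAY", "failed": "FAILURE"}


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Return {EXTENSION: parameters}; the first 250 line is the greeting."""
    caps: Dict[str, str] = {}
    lines = [ln for ln in reply.splitlines() if ln]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        keyword, _, params = line[4:].strip().partition(" ")
        caps[keyword.upper()] = params.strip()
    return caps


def dsn_notify(options: List[str]) -> str:
    """Build the NOTIFY= value; 'never' cannot be combined with the others."""
    keywords = [NOTIFY_KEYWORDS[o.lower()] for o in options]
    if "NEVER" in keywords and len(keywords) > 1:
        raise ValueError("NOTIFY=NEVER cannot be combined with other options")
    return ",".join(keywords)


def build_envelope(caps: Dict[str, str], sender: str, recipient: str,
                   size: int, eight_bit: bool, notify: List[str]) -> Tuple[str, str]:
    """Return the MAIL FROM and RCPT TO lines, using only announced extensions."""
    mail = f"MAIL FROM:<{sender}>"
    if "SIZE" in caps:
        limit = int(caps["SIZE"] or 0)          # 'SIZE' without a value: no fixed limit
        if limit and size > limit:
            raise ValueError(f"message of {size} bytes exceeds SIZE limit {limit}")
        mail += f" SIZE={size}"
    if eight_bit:
        if "8BITMIME" not in caps:               # 8-bit bodies only if announced
            raise ValueError("8-bit body, but the server did not announce 8BITMIME")
        mail += " BODY=8BITMIME"
    rcpt = f"RCPT TO:<{recipient}>"
    if notify and "DSN" in caps:
        rcpt += f" NOTIFY={dsn_notify(notify)}"
    return mail, rcpt


def parse_enforce_tls(spec: str):
    """Parse '(IP | IP/NetMask | IP range)[, ...]'; '*' means every client."""
    spec = spec.strip()
    if spec == "*":
        return "*"
    matchers = []
    for item in (p.strip() for p in spec.split(",") if p.strip()):
        if "-" in item:                          # range written as first-last
            lo, hi = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad IP range: {item!r}")
            matchers.append((lo, hi))
        else:                                    # single address or address/netmask
            matchers.append(ipaddress.ip_network(item, strict=False))
    return matchers


def tls_enforced(client_ip: str, matchers) -> bool:
    """True if the client address falls under the enforcement specification."""
    if matchers == "*":
        return True
    ip = ipaddress.ip_address(client_ip)
    for m in matchers:
        if isinstance(m, tuple):
            if ip.version == m[0].version and m[0] <= ip <= m[1]:
                return True
        elif ip.version == m.version and ip in m:
            return True
    return False


def reply_to_mail_from(client_ip: str, enforce_spec: str, tls_active: bool) -> str:
    """Server side: with TLS enforced for this client, refuse MAIL FROM until
    STARTTLS has been negotiated (reply text from RFC 3207)."""
    if tls_enforced(client_ip, parse_enforce_tls(enforce_spec)) and not tls_active:
        return "530 Must issue a STARTTLS command first"
    return "250 OK"
```

The enforcement check is deliberately done before the MAIL FROM command is accepted: once a sender is accepted over a plain connection, the policy can no longer be applied to that message.<br />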
5.6<br />
Delivery Options<br />
The Delivery Options are invoked by clicking on the corresponding button<br />
under Proxies:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Delivery Options, see 5.6.1<br />
• Routing Rules, see 5.6.2<br />
• Secure Mail Delivery List, see 5.6.3<br />
5.6.1<br />
Delivery Options<br />
The Delivery Options tab looks like this:<br />
There are two sections on this tab:<br />
• E-Mail Delivery Options<br />
• Secure E-Mail Delivery<br />
They are described in the following.<br />
E-Mail Delivery Options<br />
The E-Mail Delivery Options section looks like this:<br />
Using this section, you can configure how <strong>Webwasher</strong> should deliver scanned<br />
e-mails. This can be done using DNS and routing rules or using another<br />
gateway.<br />
The routing rules are configured on the Routing Rules tab under Delivery<br />
Options.<br />
After specifying the appropriate settings here, click on Apply Changes to<br />
make them effective.<br />
Use the following items to configure e-mail delivery:<br />
• Use DNS and routing rules<br />
Check this radio button to configure the use of DNS and routing rules.<br />
• Use another gateway for e-mail delivery<br />
Check this radio button to configure the use of another gateway. Specify<br />
this gateway by entering the appropriate information in the following input<br />
fields:<br />
— Gateway address<br />
Enter the IP address or URL of the gateway you want to use in this<br />
input field. You can specify more than one gateway here.<br />
The input format is as follows:<br />
IP or URL [:port] [, IP or URL [:port], ...]<br />
— Port of that gateway<br />
In this input field, enter the port number for this gateway. The default<br />
port number is 25.<br />
— Number of retries on gateway overload<br />
From the drop-down list provided here, select a number to configure<br />
how many times <strong>Webwasher</strong> should retry to deliver an e-mail when the<br />
first attempt failed due to a gateway overload.<br />
Secure E-Mail Delivery<br />
The Secure E-Mail Delivery section looks like this:<br />
It allows you to configure if <strong>Webwasher</strong> should use encrypted connections to<br />
deliver e-mails.<br />
For the encryption, the TLS (Transport Layer Security) feature is used. You<br />
can have <strong>Webwasher</strong> look up in a list whether TLS encryption is to be used for<br />
connections to destination servers or intermediate gateways, or let it depend<br />
on the ability of a remote system to use TLS encryption.<br />
Note that <strong>Webwasher</strong> will not check the server certificate for a connection,<br />
which means that the connection is encrypted, but not authenticated: a system<br />
in the network path that presents any certificate for the remote server can<br />
intercept the delivery.<br />
Enable the options provided here according to your requirements and click on<br />
Apply Changes to make effective what you configured. The meaning of these<br />
options is as follows:<br />
• Use secure mail delivery list<br />
<strong>Webwasher</strong> will look up in this list whether a connection to an individual<br />
server or a domain or to a gateway must be TLS encrypted or not. If there<br />
is more than one entry in the list relating to a particular system, the first<br />
match wins.<br />
If TLS encryption must be used, but the remote mail server does not support<br />
it, the e-mail in question will stay in the outbound queue. You can configure<br />
<strong>Webwasher</strong> to send a notification to the administrator in this case.<br />
Enable the following option to do this:<br />
— Send notification if TLS is required, but not supported by remote<br />
mail server<br />
A notification will be sent to the address you enter in the Recipient<br />
input field.<br />
Note that to be able to send notifications you need to configure the notification<br />
mail server. Clicking on the button labeled Edit Notification<br />
Mail Server will open a window where you can do this.<br />
For a description of this window, see the Notification Settings Window<br />
subsection of 5.5.3.<br />
To test the settings you have configured, click on the Send Test Message<br />
button.<br />
• Use TLS if it is supported by remote mail server<br />
<strong>Webwasher</strong> will use TLS encrypted connections if this is supported by the<br />
remote mail server, but this will only be done if the server was not found in<br />
the secure delivery list or the lookup for this list is deactivated.
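The following Python program is an added example and not part of the guide or of <strong>Webwasher</strong>. It implements the decision rules described in this section: the secure mail delivery list is consulted first and the first matching entry wins; a TLS requirement the remote server cannot meet keeps the e-mail in the outbound queue and triggers the notification; servers not in the list fall back to Use TLS if it is supported by remote mail server. It also shows, as a contrast, what the unauthenticated TLS behaviour noted above looks like in a client-side TLS context. The entry format of the list (pattern, requirement), all host names and the function names are assumptions of the example; the real list is configured on the Secure Mail Delivery List tab (5.6.3).<br />

```python
"""Secure e-mail delivery decisions (added example, not Webwasher code).

The list entry format (pattern, 'TLS' | 'PLAIN'), the host names and the
function names are constructed for this example.
"""
import ssl
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Constructed secure mail delivery list; order matters (first match wins).
SECURE_LIST: List[Tuple[str, str]] = [
    ("mail.partner.example", "TLS"),     # this one server must use TLS
    ("*.partner.example", "PLAIN"),      # other servers of that domain: no requirement
    ("*.bank.example", "TLS"),           # whole domain must use TLS
]


def lookup(remote_host: str, entries: List[Tuple[str, str]]) -> Optional[str]:
    """Return the requirement of the first matching entry, or None."""
    for pattern, requirement in entries:
        if fnmatchcase(remote_host.lower(), pattern.lower()):
            return requirement
    return None


def delivery_decision(remote_host: str, remote_offers_starttls: bool,
                      use_list: bool = True, opportunistic: bool = True,
                      entries: List[Tuple[str, str]] = SECURE_LIST) -> str:
    """One of 'STARTTLS', 'PLAIN' or 'KEEP_IN_QUEUE_AND_NOTIFY'."""
    if use_list:
        requirement = lookup(remote_host, entries)
        if requirement == "TLS":
            if remote_offers_starttls:
                return "STARTTLS"
            # TLS required but not supported: the mail stays in the outbound
            # queue; the administrator notification is optional.
            return "KEEP_IN_QUEUE_AND_NOTIFY"
        if requirement == "PLAIN":
            return "PLAIN"
    # Not listed (or list lookup deactivated): 'Use TLS if supported'.
    if opportunistic and remote_offers_starttls:
        return "STARTTLS"
    return "PLAIN"


def tls_context(verify_peer: bool) -> ssl.SSLContext:
    """Client-side TLS context for the STARTTLS step.

    verify_peer=False mirrors the behaviour the guide describes: the server
    certificate is not checked, so the connection is encrypted but not
    authenticated. verify_peer=True is the authenticated variant for contrast.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if not verify_peer:
        ctx.check_hostname = False          # must be disabled before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

Note how the second list entry (*.partner.example, PLAIN) never applies to mail.partner.example although the pattern would match it: the more specific TLS entry comes first, which is exactly why the position of entries in the list matters.<br />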
5.6.2<br />
Routing Rules<br />
The Routing Rules tab looks like this:<br />
There are four sections on this tab:<br />
• LDAP Lookup<br />
• List Options<br />
• Add Rule<br />
• Current Rules<br />
They are described in the following.<br />
LDAP Lookup<br />
The LDAP Lookup section looks like this:<br />
It allows you to perform an LDAP lookup before an e-mail is delivered to a<br />
recipient.<br />
The LDAP server will then be searched for entries concerning particular attributes<br />
of this recipient.<br />
To perform the lookup, mark the checkbox next to the section heading and<br />
specify the attributes you want to be searched for. You can specify the following<br />
attributes:<br />
• Recipient attribute<br />
Attribute of an individual user listed on the LDAP server.<br />
This is a user within your network who is allowed to receive e-mails.<br />
• Group attribute<br />
Attribute of a user group listed on the LDAP server.<br />
The users of this group are within your network and are allowed to receive<br />
e-mails.<br />
• Mail group attribute<br />
Attribute of a mail group listed on the LDAP server.<br />
The users of this group are within your network and are allowed to receive<br />
e-mails.<br />
To specify an attribute, check the attribute type and enter the attribute name in<br />
the corresponding input field.
You can apply additional rules to the result of this query, using the following<br />
option:<br />
• Apply static rules to the result of LDAP query<br />
Mark this checkbox to apply rules that are configured using the Add Rule<br />
section, which is also located on this tab. If any rules have been set up so<br />
far, they are listed in the Current Rules section below Add Rule.<br />
These rules map mail servers to domains. An e-mail that is sent to a recipient<br />
within a particular domain is then routed to the mail server that has<br />
been configured for it. By applying these rules to the result of the LDAP<br />
query, you can improve the routing process.<br />
So, e. g. the following rules may have been set up:<br />
mail_server_for_germany = germany<br />
mail_server_for_usa = usa<br />
An LDAP lookup where user location was specified as recipient attribute<br />
might yield the value Germany as the result for a particular e-mail. Application<br />
of the rules would then route this e-mail to the mail_server_<br />
for_germany mail server.<br />
Mark this checkbox if you want to apply these rules. Then click on Apply Changes<br />
to make your settings effective.<br />
You can also specify a list of domains for the LDAP lookup. The attribute search<br />
will then be restricted to these domains. Click on the word here at the bottom<br />
of the section to go to the Recipient LDAP Check tab, which is used for specifying<br />
the domains.<br />
This tab is located under Proxies > Relay Protection. It also provides a link<br />
that takes you to a tab for configuring more LDAP server settings.<br />
List Options<br />
The List Options section looks like this:<br />
Using this section, you can configure some additional options for specifying<br />
domain names.<br />
You can enable shell expressions in these names and specify the separator<br />
that is used when more than one domain name is listed.<br />
Use the following checkbox and input field to configure these options:<br />
• Enable shell expressions in domain names<br />
Mark this checkbox to enable shell expressions in domain names.<br />
• Values separation string<br />
In this input field, enter the character you want to use for separating domain<br />
names.<br />
By default, the , (comma) is used for this purpose, but you may want to<br />
configure a different separator, e. g. in order to allow commas within domain<br />
names.<br />
Add Rule<br />
The Add Rule section looks like this:<br />
Using this section, you can configure rules for mapping mail servers to domains.<br />
If you would like, e. g., to have all e-mails that are addressed to<br />
somedomain.net sent to your corporate mail server, enter a rule like<br />
mailserver=somedomain.net.<br />
If <strong>Webwasher</strong> processes incoming mails addressed to yourcompany.com,<br />
you should create a rule to send these mails directly to your mail server.<br />
Without such a rule, <strong>Webwasher</strong> asks the DNS server, resolves yourcompany.com<br />
to a list of mail servers and, if the public MX record points to <strong>Webwasher</strong>,<br />
sends the mail to itself.<br />
Another solution may be to have a local DNS server, with a local MX entry for<br />
your domain.<br />
On a method to configure a routing for e-mails that overrules the existing routing<br />
rules, see the Adding the X-WW-Route Header subsection below.<br />
Use the input field provided here to add a rule to the rules list. The input format<br />
is:<br />
IP or URL [:port] [, IP or URL [:port], ...] = domain
After entering a rule, click on the Add First or Add Last button, to add it at the<br />
corresponding position of the list.<br />
Note that the position an entry takes in this list is important since whenever<br />
there is more than one entry containing information on a particular mail server<br />
or domain, the entry that is first in the list wins.<br />
You can, however, change the position of an entry after adding it, by editing<br />
the list in the Current Rules List section below this section. Note that it is<br />
only displayed if at least one rule has been configured.<br />
Adding the X-WW-Route Header<br />
In some situations, you may want to overrule the settings that have been configured<br />
for routing e-mails, and route an e-mail to a particular mail server.<br />
This can be done by creating a customized action that adds a header to the<br />
e-mail in order to send it to that server.<br />
Another way to achieve this would be to configure the Generic Header Filter<br />
accordingly.<br />
The name of the additional header that overrules existing routing rules is<br />
X-WW-Route. To have this header added to an e-mail as part of a customized<br />
action, go to <strong>Configuration</strong> > Action Editor. Create a new action,<br />
and from the parameter list provided on the Action Definition tab select<br />
Custom Headers.<br />
Add this parameter to the action, and configure it further by entering<br />
X-WW-Route in the Name input field on the Action Parameter tab. In the Value<br />
input field enter the domain name, the IP address, or the fully qualified name<br />
of the server that the e-mails should be sent to.<br />
If you want to use the Generic Header Filter for configuring the addition of<br />
the X-WW-Route Header, go to the corresponding tab under Common ><br />
Generic Header Filter and enter the following values in the input fields provided<br />
there:<br />
Condition Header: X-WW-To<br />
Condition Value: <br />
Result Header: X-WW-Route<br />
Result Value: <br />
Furthermore, make sure that None is selected under Action on Match and<br />
that the SMTP and Mail checkboxes are both marked.<br />
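As an added example (not Webwasher's own code), the following Python models how the ordered Domain Routing rules and the X-WW-Route override described above resolve a recipient domain to mail servers. The rule syntax, the first-match-wins order, the shell expression option, the configurable separator and the header override are taken from this section; the default port of 25, reading the header value as a bare host name, and the sample rules are assumptions.<br />

```python
"""Added example, not Webwasher code: resolve the delivery target for a recipient
domain the way the Domain Routing rules and the X-WW-Route header behave.
Assumptions: rule syntax 'IP or URL [:port] [, ...] = domain', the first matching
rule in the ordered list wins, 'Enable shell expressions' turns the domain side
into a shell pattern, 'Values separation string' separates several domain names
on the right-hand side, a missing port means 25, and the X-WW-Route value is
used as the target host.  IPv4 addresses and host names only (no IPv6 literals)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

DEFAULT_SMTP_PORT = 25          # assumption: no ':port' given means standard SMTP
Target = Tuple[str, int]        # (host name or IP address, port)


@dataclass(frozen=True)
class RoutingRule:
    targets: Tuple[Target, ...]   # mail servers on the left of '='
    domains: Tuple[str, ...]      # domain names (or patterns) on the right of '='


def parse_rule(text: str, separator: str = ",") -> RoutingRule:
    """Parse one rule, e.g. 'mx1.corp.example:2525, 10.0.0.5 = yourcompany.com'."""
    if text.count("=") != 1:
        raise ValueError(f"rule must contain exactly one '=': {text!r}")
    left, right = (part.strip() for part in text.split("="))
    targets: List[Target] = []
    for entry in (e.strip() for e in left.split(",")):
        if not entry:
            raise ValueError(f"empty mail server entry in {text!r}")
        host, _, port = entry.rpartition(":")
        if not host:               # no ':' at all: rpartition puts everything in 'port'
            host, port = port, ""
        targets.append((host, int(port) if port else DEFAULT_SMTP_PORT))
    # the separator is configurable so that commas may appear inside domain names
    domains = tuple(d.strip().lower() for d in right.split(separator) if d.strip())
    if not domains:
        raise ValueError(f"rule has no domain: {text!r}")
    return RoutingRule(tuple(targets), domains)


def resolve_route(recipient_domain: str, rules: List[RoutingRule],
                  headers: Optional[Dict[str, str]] = None,
                  shell_expressions: bool = False) -> Optional[List[Target]]:
    """Return the mail servers for a recipient domain, or None if no rule matches.

    An X-WW-Route header overrules the whole rule list.  Otherwise the rules are
    tried top-down and the first rule whose domain matches wins, so a catch-all
    rule placed first shadows every rule below it.
    """
    override = (headers or {}).get("X-WW-Route", "").strip()
    if override:
        return [(override, DEFAULT_SMTP_PORT)]
    domain = recipient_domain.strip().lower()
    for rule in rules:
        for pattern in rule.domains:
            matched = fnmatchcase(domain, pattern) if shell_expressions else domain == pattern
            if matched:
                return list(rule.targets)
    return None


# Constructed sample rule list (not taken from a real configuration).
CONSTRUCTED_RULES = [
    parse_rule("mailserver = somedomain.net"),
    parse_rule("mx1.corp.example:2525, 10.0.0.5 = yourcompany.com; *.yourcompany.com",
               separator=";"),
]

if __name__ == "__main__":
    print(resolve_route("sub.yourcompany.com", CONSTRUCTED_RULES, shell_expressions=True))
    print(resolve_route("somedomain.net", CONSTRUCTED_RULES,
                        headers={"X-WW-Route": "relay.partner.example"}))
```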
Current Rules<br />
The Current Rules section looks like this:<br />
It displays a list of the rules that are currently configured for domain routing.<br />
You can edit entries in the list, move them up and down and also delete them.<br />
To display only a particular number of entries at a time, type this number in the<br />
input field labeled Number of entries per page and enter it using the Enter<br />
key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an entry, type the appropriate text in the input fields of the Rule column.<br />
Then click on Apply Changes to make this setting effective. You can edit<br />
more than one entry and make the changes effective in one go.<br />
Use the following items to perform various activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field of the Rule column and enter it<br />
using the Enter key of your keyboard. The list will then display only entries<br />
matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Move Up, Move Down<br />
Select the entry you wish to move by marking the Select checkbox next<br />
to it and click on either of these buttons, depending on where you want to<br />
move the entry.<br />
The position an entry takes in the list is important since whenever there is<br />
more than one entry in the list containing information on a particular mail<br />
server or domain, the entry that is first in the list wins.<br />
5.6.3<br />
Secure Mail Delivery List<br />
The Secure Mail Delivery List tab looks like this:<br />
There is one section on this tab:<br />
• Secure Mail Delivery List<br />
It is described in the following.<br />
Secure Mail Delivery List<br />
The Secure Mail Delivery List section looks like this:<br />
It provides a list of mail servers, server domains and gateways that <strong>Webwasher</strong><br />
can relay e-mails to. The list also shows whether a TLS encrypted connection<br />
must be used or not when relaying e-mails to one of the systems entered here.<br />
You can add entries to the list, and also edit them, move them up and down or<br />
delete them.<br />
To add an entry to the list, use the area labeled:<br />
• Add new entry to the list<br />
Specify the information concerning the system you want to enter in the list<br />
using the following items:<br />
— Domain<br />
In this input field, enter a domain or host name or an IP address to<br />
specify the remote system that <strong>Webwasher</strong> should relay e-mails to.<br />
— Description<br />
Input in this field is optional. You can enter a text string here describing<br />
the system entered above.<br />
— use encrypted communication<br />
Mark the checkbox next to these words if a TLS encrypted connection<br />
is required for relaying e-mails to this system.<br />
After specifying the appropriate information, click on the Add Entry button to<br />
add the new entry to the list.<br />
If this action was successful, the entry is added to the list, which is displayed<br />
at the bottom of this section. For each entry, the list provides the information<br />
that is specified when a new entry is added (see above).<br />
To display only a particular number of entries at a time, type this number in the<br />
input field labeled Number of entries per page and enter it using the Enter<br />
key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an entry, type the appropriate text in the input fields of the Domain or<br />
Comment column or enable or disable the checkbox in the column labeled<br />
Use TLS. Then click on Apply Changes to make this setting effective. You<br />
can edit more than one entry and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field of the Domain or Comment column<br />
or in both and enter it using the Enter key of your keyboard. The list<br />
will then display only entries matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Move Up, Move Down<br />
Select the entry you wish to move by marking the Select checkbox next<br />
to it and click on either of these buttons, depending on where you want to<br />
move the entry.<br />
The position an entry takes in the list is important since whenever there is<br />
more than one entry in the list containing information on a particular mail<br />
server or gateway, the entry that is first in the list wins.<br />
This means, e. g., that if the first entry for a particular mail server has<br />
the Use TLS feature disabled, no TLS encryption will be used for relaying<br />
e-mails to this server, although there may be an entry later on in the list for<br />
this same server with TLS encryption enabled.<br />
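The following Python is an added example, not Webwasher code: it audits a constructed Secure Mail Delivery List for exactly this shadowing case, where an earlier entry with Use TLS disabled silences a later TLS entry for the same system, and shows how to collapse duplicate entries so the strictest TLS setting wins. Matching entries by exact, case-insensitive domain string is an assumption.<br />

```python
"""Added example, not Webwasher code: audit an ordered Secure Mail Delivery List
for entries whose 'Use TLS' requirement is shadowed by an earlier entry for the
same system that has TLS disabled.  Assumption: entries are matched top-down by
the exact domain/host/IP string (case-insensitive) and the first match decides."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class DeliveryEntry:
    domain: str            # domain, host name or IP address of the remote system
    use_tls: bool          # the 'use encrypted communication' / 'Use TLS' checkbox
    description: str = ""  # optional Description / Comment column


def _key(entry_or_name: Union["DeliveryEntry", str]) -> str:
    name = entry_or_name.domain if isinstance(entry_or_name, DeliveryEntry) else entry_or_name
    return name.strip().lower()


def tls_required(entries: List[DeliveryEntry], system: str) -> Optional[bool]:
    """What the gateway would do: the first matching entry decides.
    Returns None when the system is not on the list at all."""
    wanted = _key(system)
    for entry in entries:
        if _key(entry) == wanted:
            return entry.use_tls
    return None


def find_tls_downgrades(entries: List[DeliveryEntry]) -> List[str]:
    """Report entries that require TLS but can never take effect because an
    earlier entry for the same system has TLS disabled (positions are 1-based)."""
    first_seen: Dict[str, Tuple[int, bool]] = {}
    findings: List[str] = []
    for position, entry in enumerate(entries, start=1):
        key = _key(entry)
        if key not in first_seen:
            first_seen[key] = (position, entry.use_tls)
            continue
        first_pos, first_tls = first_seen[key]
        if entry.use_tls and not first_tls:
            findings.append(
                f"entry {position} ({entry.domain}, Use TLS) is shadowed by "
                f"entry {first_pos} (Use TLS disabled): mail to this system goes out unencrypted"
            )
    return findings


def hardened_list(entries: List[DeliveryEntry]) -> List[DeliveryEntry]:
    """Collapse duplicate systems into one entry at the first position, requiring
    TLS if any of the merged entries required it (the strictest setting wins)."""
    merged: Dict[str, DeliveryEntry] = {}      # dict keeps first-insertion order
    for entry in entries:
        key = _key(entry)
        if key in merged:
            kept = merged[key]
            merged[key] = replace(kept, use_tls=kept.use_tls or entry.use_tls)
        else:
            merged[key] = entry
    return list(merged.values())


# Constructed sample list (not a real configuration): entry 1 and entry 3 refer
# to the same partner system, but only the later one requires TLS.
CONSTRUCTED_LIST = [
    DeliveryEntry("mail.partner.example", use_tls=False, description="legacy entry"),
    DeliveryEntry("smtp.other.example", use_tls=True),
    DeliveryEntry("MAIL.partner.example", use_tls=True, description="TLS required"),
]

if __name__ == "__main__":
    for finding in find_tls_downgrades(CONSTRUCTED_LIST):
        print(finding)
```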
5.7<br />
Queue <strong>Configuration</strong><br />
The Queue <strong>Configuration</strong> options are invoked by clicking on the corresponding<br />
button under Proxies:<br />
The options are arranged under the following tab:<br />
They are described in the upcoming section:<br />
• Queue <strong>Configuration</strong>, see 5.7.1<br />
5.7.1<br />
Queue <strong>Configuration</strong><br />
The Queue <strong>Configuration</strong> tab looks like this:<br />
There is one section on this tab:<br />
• Queue <strong>Configuration</strong><br />
It is described in the following.<br />
Queue <strong>Configuration</strong><br />
The Queue <strong>Configuration</strong> section looks like this:<br />
Using this section, you can configure the message queues for the SMTP gateway.<br />
A list of existing queues is displayed here. You can edit queues, create<br />
new ones, move them up and down within the list and delete them.<br />
Note that for any changes to take effect, you have to restart <strong>Webwasher</strong> manually.<br />
Use the following items to configure message queues:<br />
• Filter<br />
Type a filter expression in the input field of the Queue Name column and<br />
enter it using the Enter key of your keyboard. The list will then display only<br />
entries matching the filter.<br />
• Edit<br />
Click on this button to edit the corresponding queue. This will take you to<br />
another tab, where you can specify the appropriate changes.<br />
• Delete Selected<br />
Select the queue you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one queue in one<br />
go.<br />
To delete all queues, mark the Select all checkbox and click on this button.<br />
• Create New<br />
After clicking on this button a new queue is added to the list, which is named<br />
NewQueue. Click on the Edit button to go to another tab, where you can<br />
specify further information regarding this queue.<br />
• Move Up Selected, Move Down Selected<br />
Select the queue you wish to move by marking the Select checkbox next<br />
to it and click on either of these buttons, depending on where you want to<br />
move the entry.<br />
The position a queue takes in the list is important since whenever there are<br />
queues in the list that have been configured to accept incoming e-mails, the<br />
first queue in the list wins, which means that incoming e-mails are directed<br />
to it and not to the queues following it in the list.<br />
For example, you might have configured a Problemincoming queue for processing<br />
e-mails whose sender domain cannot be resolved. At the same<br />
time, there is the Inbound queue, which accepts all incoming e-mails. If<br />
the Inbound queue is placed in the list before the Problemincoming queue,<br />
no e-mails will ever reach the Problemincoming queue because the Inbound<br />
queue gets all incoming e-mails, the unresolvable ones as well as any<br />
others.<br />
5.8<br />
Relay Protection<br />
The Relay Protection options are invoked by clicking on the corresponding<br />
button under Proxies:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Allowed Domains, see 5.8.1<br />
• IP Networks, see 5.8.2<br />
• Recipient LDAP Check, see 5.8.3<br />
5.8.1<br />
Allowed Domains<br />
The Allowed Domains tab looks like this:<br />
At the top of this tab is a button labeled:<br />
• Define IP Networks<br />
Click on this button to go to the IP Networks tab.<br />
When configuring mapping rules for allowed domains, networks also need<br />
to be configured. This is done on the IP Networks tab.<br />
Furthermore, there are three sections on this tab:<br />
• Shell Expressions<br />
• Add Rule<br />
• Current Rules<br />
They are described in the following.<br />
Shell Expressions<br />
The Shell Expressions section looks like this:<br />
It allows you to configure the use of shell expressions when specifying the<br />
domains that are allowed to be relayed. Furthermore, you can configure a<br />
string for separating domain entries here.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
To enable the use of shell expressions, mark the checkbox next to the section<br />
heading.<br />
To configure a separator, use the following input field:<br />
• Values separation string<br />
Enter the string you want to use for separating domain entries here.<br />
The default separator is the , (comma).<br />
Add Rule<br />
The Add Rule section looks like this:<br />
Using this section, you can configure the domains that incoming e-mail messages<br />
may be relayed to.<br />
After mapping these domains to client IPs, messages sent from those IPs will be<br />
accepted by <strong>Webwasher</strong>. If no mapping is configured here, only messages sent<br />
from the local host will be accepted.<br />
In order to be mapped, a client IP must also have been configured in the Add<br />
Rule section of the IP Networks tab, see 5.8.2.<br />
So, e. g. if all incoming messages should be relayed to your corporate network<br />
by <strong>Webwasher</strong>, the rule could be as follows:<br />
internet=yourcompany.com<br />
In order to make this a valid rule, however, you also need to configure internet<br />
on the IP Networks tab, e. g. using an * (asterisk) to include all client IPs.<br />
Enter a mapping rule you want to configure in the input field provided here.<br />
The input format is:<br />
IP network = (domain [, domain] | *)<br />
After entering a rule, click on the Add First or Add Last button. The rule will<br />
then be added to the list in the corresponding position.<br />
The list is displayed in the Current Rules section, see below.<br />
Current Rules<br />
The Current Rules section looks like this:<br />
It displays a list of the rules that have been configured to map networks to<br />
domains for relay protection.<br />
You can edit rules, move them up and down in the list, or delete them.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using the<br />
Enter key of your keyboard. If the number of entries is higher than this number,<br />
the remaining entries are shown on successive pages. A page indicator is then<br />
displayed, where you can select a particular page by clicking on the appropriate<br />
arrow symbols.<br />
To edit a rule, type the appropriate text in the input field of the Rule column.<br />
Then click on Apply Changes to make this setting effective. You can edit<br />
more than one rule and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field below the Rule column and enter it<br />
using the Enter key of your keyboard. The list will then display only entries<br />
matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Move Up, Move Down<br />
Select the entry you wish to move by marking the Select checkbox next<br />
to it and click on either of these buttons, depending on where you want to<br />
move the entry.<br />
The position an entry takes in the list is important since whenever there is<br />
more than one entry in the list containing information on a particular network<br />
or domain, the entry that is first in the list wins.<br />
5.8.2<br />
IP Networks<br />
The IP Networks tab looks like this:<br />
There are two sections on this tab:<br />
• Add Rule<br />
• Current Networks<br />
They are described in the following.<br />
Add Rule<br />
The Add Rule section looks like this:<br />
Using this section, you can configure networks by mapping them to client IP<br />
addresses.<br />
Networks that have been configured in this way, may be specified when configuring<br />
mapping rules for domains on the Allowed Domains tab, see 5.8.1.<br />
Enter a mapping rule you want to configure in the input field provided here.<br />
The input format is:<br />
network = (IP [, IP] | IP/NetMask | IP range | *)<br />
network=* means that the provided network name will be mapped to all possible<br />
IP addresses, i. e. 1.0.0.0 – 233.255.255.255.<br />
After entering a rule, click on the Add First or Add Last button. The rule will<br />
then be added to the list in the corresponding position.<br />
The list is displayed in the Current Rules section, see below.<br />
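As an added example (not Webwasher code), this Python evaluates the rule syntaxes of the Allowed Domains tab (5.8.1) and the IP Networks tab above for one connecting client and recipient domain, applying the first-match-wins order and the local-host-only default, and flags rule pairs that would let every client relay to every domain. The range notation first-last, treating * as all addresses, skipping domain rules that name an undefined network, and the sample rules are assumptions.<br />

```python
"""Added example, not Webwasher code: evaluate the relay-protection rules of the
Allowed Domains tab (5.8.1) and the IP Networks tab (5.8.2) for one connecting
client and recipient domain, and flag rule pairs that make the gateway an open
relay.  Assumptions: IP Networks rules follow
'network = (IP [, IP] | IP/NetMask | IP range | *)' with ranges written 'first-last';
Allowed Domains rules follow 'IP network = (domain [, domain] | *)'; both lists
are evaluated top-down and the first match wins; '*' as a network covers every
address; a domain rule naming an undefined network is skipped; with no mapping
at all only the local host may relay.  IPv4 only."""
import ipaddress
from typing import Dict, List, Tuple, Union

IPv4 = ipaddress.IPv4Address
Matcher = Union[ipaddress.IPv4Network, Tuple[IPv4, IPv4]]  # CIDR/single IP or inclusive range


def parse_network_rule(text: str) -> Tuple[str, List[Matcher]]:
    """'internal = 10.0.0.0/8, 192.168.1.10-192.168.1.20' -> ('internal', [matchers])."""
    name, sep, rhs = (p.strip() for p in text.partition("="))
    if not sep or not name or not rhs:
        raise ValueError(f"bad network rule: {text!r}")
    matchers: List[Matcher] = []
    for item in (p.strip() for p in rhs.split(",")):
        if item == "*":                                   # all possible IP addresses
            matchers.append(ipaddress.IPv4Network("0.0.0.0/0"))
        elif "-" in item:                                 # IP range, inclusive
            first, last = (IPv4(p.strip()) for p in item.split("-", 1))
            if last < first:
                raise ValueError(f"reversed range: {item!r}")
            matchers.append((first, last))
        else:                                             # single IP or IP/NetMask
            matchers.append(ipaddress.IPv4Network(item, strict=False))
    return name, matchers


def parse_domain_rule(text: str, separator: str = ",") -> Tuple[str, List[str]]:
    """'internet = yourcompany.com, mail.yourcompany.com' -> ('internet', [domains])."""
    name, sep, rhs = (p.strip() for p in text.partition("="))
    if not sep or not name or not rhs:
        raise ValueError(f"bad domain rule: {text!r}")
    return name, [d.strip().lower() for d in rhs.split(separator) if d.strip()]


def ip_in_network(ip: IPv4, matchers: List[Matcher]) -> bool:
    for m in matchers:
        if isinstance(m, tuple):
            if m[0] <= ip <= m[1]:
                return True
        elif ip in m:
            return True
    return False


def _networks(network_rules: List[str]) -> Dict[str, List[Matcher]]:
    networks: Dict[str, List[Matcher]] = {}
    for rule in network_rules:                # first definition of a name wins
        name, matchers = parse_network_rule(rule)
        networks.setdefault(name, matchers)
    return networks


def relay_allowed(client_ip: str, recipient_domain: str,
                  network_rules: List[str], domain_rules: List[str]) -> bool:
    """Would the gateway accept mail from client_ip addressed to recipient_domain?"""
    ip = IPv4(client_ip)
    if not domain_rules:                      # no mapping configured: local host only
        return ip.is_loopback
    networks = _networks(network_rules)
    for rule in domain_rules:                 # first rule whose network holds the client wins
        name, domains = parse_domain_rule(rule)
        if name in networks and ip_in_network(ip, networks[name]):
            return "*" in domains or recipient_domain.strip().lower() in domains
    return False


def open_relay_rules(network_rules: List[str], domain_rules: List[str]) -> List[str]:
    """Flag domain rules that let every client relay to every domain: a '*' domain
    list attached to a network that itself covers all addresses."""
    networks = _networks(network_rules)
    flagged: List[str] = []
    for rule in domain_rules:
        name, domains = parse_domain_rule(rule)
        covers_all = any(isinstance(m, ipaddress.IPv4Network) and m.prefixlen == 0
                         for m in networks.get(name, []))
        if "*" in domains and covers_all:
            flagged.append(rule)
    return flagged


# Constructed sample configuration (not a real one): internal clients may relay
# anywhere, everyone else only to the corporate domain.
NETWORK_RULES = ["internal = 10.0.0.0/8, 192.168.1.10-192.168.1.20", "internet = *"]
DOMAIN_RULES = ["internal = *", "internet = yourcompany.com"]

if __name__ == "__main__":
    print(relay_allowed("203.0.113.7", "elsewhere.example", NETWORK_RULES, DOMAIN_RULES))
    print(open_relay_rules(NETWORK_RULES, ["internet = *"]))
```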
Current Networks<br />
The Current Networks section looks like this:<br />
It displays a list of the rules that have been configured to map networks to IP<br />
addresses.<br />
You can edit rules, move them up and down in the list, or delete them.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using the<br />
Enter key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit a rule, type the appropriate text in the input field of the Rule column.<br />
Then click on Apply Changes to make this setting effective. You can edit<br />
more than one rule and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field below the Rule column and enter<br />
it using the Enter key of your keyboard.<br />
The list will then display only entries matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Move Up, Move Down<br />
Select the entry you wish to move by marking the Select checkbox next<br />
to it and click on either of these buttons, depending on where you want to<br />
move the entry.<br />
The position an entry takes in the list is important since whenever there is<br />
more than one entry in the list containing information on a particular network<br />
or domain, the entry that is first in the list wins.<br />
5.8.3<br />
Recipient LDAP Check<br />
The Recipient LDAP Check tab looks like this:<br />
At the top of this tab, there is a checkbox and a button:<br />
• Enable recipient LDAP check<br />
Enable this option to configure an LDAP check for recipient domains, using<br />
the items provided in the section below.<br />
• Configure LDAP Server<br />
To configure an LDAP server, which is needed in order to perform a recipient<br />
LDAP check, click on this button. This will take you to the LDAP<br />
Connection tab, where you can configure this server.<br />
The options of this tab correspond to those of the LDAP Synchronization<br />
tab, see 2.4.3.<br />
In addition to the options that are described there, the LDAP Connection<br />
tab includes the UID value prefix option when it is opened for configuring<br />
settings of the e-mail gateway.<br />
This value is prefixed by some servers to the e-mail address that is an attribute<br />
of the user information stored on the LDAP server in order to specify<br />
the protocol. The default for it is SMTP.<br />
Furthermore, there is one section on this tab:<br />
• Domain for LDAP check<br />
It is described in the following.<br />
Domain for LDAP Check<br />
The Domain for LDAP check section looks like this:<br />
Using this section, you can add a domain to the list of domains that an LDAP<br />
check is performed for.<br />
To add a recipient domain to the list, use the area labeled:<br />
• Add new recipient domain<br />
Enter the domain you want to have an LDAP check performed for in the<br />
input field provided here, e. g. company.mail.<br />
Configure also the following two options, i. e. enable or disable them:<br />
— deactivate<br />
Enable this option if you want to just enter the domain in the list, but<br />
not yet activate the checking function.<br />
This may be done later by marking the corresponding checkbox in the<br />
list, see below.<br />
— do not reject<br />
Enable this option to have e-mails from all senders of the configured<br />
domain rejected, with the exception of the sender specified here.<br />
This option can also be modified by editing the list, see below.<br />
Then click on the Add to Domain List button.<br />
If this action was successful, the entry is added to the list, which is displayed<br />
at the bottom of this section.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using the<br />
Enter key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To sort the list in ascending or descending order, click on the symbol next to<br />
the Domain column heading.<br />
To edit an entry, type the appropriate text in the input field of the Domain<br />
column and enable or disable the deactivate and do not reject checkboxes.<br />
Then click on Apply Changes to make these settings effective. You can edit<br />
more than one entry and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field of the Domain column and enter it<br />
using the Enter key of your keyboard. The list will then display only entries<br />
matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
5.9<br />
Exception Lists<br />
The Exception Lists options are invoked by clicking on the corresponding<br />
button under Proxies:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• IP White List, see 5.9.1<br />
• IP Black List, see 5.9.2<br />
• Client Domain Black List, see 5.9.3<br />
• Sender Black List, see 5.9.4<br />
• Recipient Black List, see 5.9.5<br />
• TrustedSource, see 5.9.6<br />
5.9.1<br />
IP White List<br />
The IP White List tab looks like this:<br />
There are two sections on this tab:<br />
• Add Rule<br />
• Current Networks<br />
They are described in the following.<br />
Add Rule<br />
The Add Rule section looks like this:<br />
It allows you to add an address or a range of addresses to the White List for<br />
the SMTP gateway. If an IP address is on this list, it means that a client with<br />
this address will always be allowed to connect to the gateway.<br />
Enter the rule you want to add to the list in the input field provided here. The<br />
input format is:<br />
network = ( IP [, IP] | IP/NetMask | IP range) | *<br />
After entering a value, click on the Add First or Add Last button. A new entry<br />
will then be added to the list in the corresponding position.<br />
The list is displayed in the Current Networks section below.<br />
Current Networks<br />
The Current Networks section looks like this:<br />
It displays a list of the IP addresses or ranges of addresses that have been<br />
included in the White List for the SMTP gateway.<br />
For each entry, it provides the information that is specified when a new entry<br />
is added (see above). You can edit list entries, move them up and down in the<br />
list, or delete them.<br />
To display only a particular number of entries at a time, type this number in the<br />
input field labeled Number of entries per page and enter it using the Enter<br />
key of your keyboard. If the number of entries is higher than this number, the<br />
remaining entries are shown on successive pages. A page indicator is then<br />
displayed, where you can select a particular page by clicking on the appropriate<br />
arrow symbols.<br />
To edit an entry, type the appropriate text in the input field of the Rule column.<br />
Then click on Apply Changes to make this setting effective. You can edit<br />
more than one entry and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field below the Rule column and enter it<br />
using the Enter key of your keyboard. The list will then display only entries<br />
matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Move Up, Move Down<br />
Select the entry you wish to move by marking the Select checkbox next<br />
to it and click on either of these buttons, depending on where you want to<br />
move the entry.<br />
The position an entry takes in the list is important since whenever there<br />
is more than one entry in the list containing information on a particular IP<br />
address, the entry that is first in the list wins.<br />
5.9.2<br />
IP Black List<br />
The IP Black List tab looks like this:<br />
There are two sections on this tab:<br />
• Add Rule<br />
• Current Networks<br />
They are described in the following.<br />
Add Rule<br />
The Add Rule section looks like this:<br />
It enables you to add an IP address or a range of addresses to the Black List<br />
for the SMTP gateway. If an IP address is on this list, it means that a client<br />
with this address will not be allowed to connect to the gateway.<br />
Enter the address you want to have blacklisted in the input field provided here.<br />
The input format is:<br />
network = ( IP [, IP] | IP/NetMask | IP range) | *<br />
After entering a value, click on the Add First or Add Last button. A new entry<br />
will then be added to the list in the corresponding position.<br />
The list is displayed in the Current Networks section below.<br />
Current Networks<br />
The Current Networks section looks like this:<br />
It displays a list of the IP addresses or ranges of addresses that have been<br />
included in the Black List for the SMTP gateway.<br />
For each entry, it provides the information that is specified when a new entry<br />
is added (see above). You can edit list entries, move them up and down in the<br />
list, or delete them.<br />
To display only a particular number of entries at a time, type this number in the<br />
input field labeled Number of entries per page and enter it using the Enter<br />
key of your keyboard. If the number of entries is higher than this number, the<br />
remaining entries are shown on successive pages. A page indicator is then<br />
displayed, where you can select a particular page by clicking on the appropriate<br />
arrow symbols.<br />
To edit an entry, type the appropriate text in the input field of the Rule column.<br />
Then click on Apply Changes to make this setting effective. You can edit<br />
more than one entry and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field below the Rule column and enter it<br />
using the Enter key of your keyboard. The list will then display only entries<br />
matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Move Up, Move Down<br />
Select the entry you wish to move by marking the Select checkbox next<br />
to it and click on either of these buttons, depending on where you want to<br />
move the entry.<br />
The position an entry takes in the list is important since whenever there<br />
is more than one entry in the list containing information on a particular IP<br />
address, the entry that is first in the list wins.<br />
5.9.3<br />
Client Domain Black List<br />
The Client Domain Black List tab looks like this:<br />
There is one section on this tab:<br />
• Client Domain Black List<br />
It is described in the following.<br />
Client Domain Black List<br />
The Client Domain Black List section looks like this:<br />
It allows you to add a domain to the Client Domain Black List for the SMTP<br />
gateway.<br />
If a domain is on this list, a client with an IP address belonging to this domain<br />
will be treated in one of the following two ways when sending a request:<br />
• The client is not allowed to connect to the server.<br />
• The client is allowed to connect to the server, but e-mails sent using this<br />
connection are not accepted.<br />
Which of these two methods is used, depends on a parameter that is set in the<br />
Load Limits section of the Load Limits tab, see 5.10.1.<br />
The parameter is labeled Do not accept connection if client domain is in<br />
the blacklist or server is overloaded. If it is enabled, the first of the two<br />
methods is used, otherwise the second is used.<br />
A reverse DNS lookup is performed to determine whether a client address belongs<br />
to a particular domain.<br />
Note: The Client Domain Black List allows you to easily block e-mails from dial-up<br />
users, e. g. mails from tisdip.tiscali.de, which is a dial-up domain used by<br />
Tiscali, or from dip0.t-ipconnect.de and dip.t-dialin.net, which are dial-up<br />
domains for Telekom. In general, users will use mail servers that have been<br />
set up by their providers, rather than running their own SMTP servers on their<br />
home computers. So, e. g., Telekom users would use one of the following<br />
servers: smtprelay.t-online.de, securesmtp.t-online.de or smtpmail.tonline.de,<br />
and Tiscali users would use smtp.tiscalinet.de.<br />
To add a domain to the list, use the area labeled:<br />
• Add new domain<br />
Enter the domain you want to have blacklisted in the input field provided<br />
here, e. g. company.mail.<br />
Configure also the following two options, i. e. enable or disable them:<br />
— deactivate<br />
Enable this option if you want to just enter the sender in the list, but not<br />
yet activate the filtering function.<br />
This may be done later by marking the corresponding checkbox in the<br />
list (see below).<br />
— do not reject<br />
Enable this option to have e-mails from all senders of the configured<br />
domain rejected, with the exception of the sender specified here.<br />
This option can also be modified by editing the list (see below).<br />
Then click on the Add to Blacklist button.<br />
If this action was successful, the entry is added to the list, which is displayed<br />
at the bottom of this section.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using the<br />
Enter key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To sort the list in ascending or descending order, click on the symbol next to<br />
the Domain column heading.<br />
To edit an entry, type the appropriate text in the input field of the Domain<br />
column and enable or disable the deactivate and do not reject checkboxes.<br />
Then click on Apply Changes to make these settings effective. You can edit<br />
more than one entry and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field of the Domain column and enter it<br />
using the Enter key of your keyboard. The list will then display only entries<br />
matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
5.9.4<br />
Sender Black List<br />
The Sender Black List tab looks like this:<br />
There is one section on this tab:<br />
• Sender Black List<br />
It is described in the following.
Sender Black List<br />
The Sender Black List section looks like this:<br />
It allows you to add a sender to the Sender Black List for the SMTP gateway.<br />
If a sender is on this list, e-mails from this sender will be rejected even before<br />
they are accepted.<br />
To add a sender to the list, use the area labeled:<br />
• Add new sender<br />
Enter the sender you want to have blacklisted in the input field provided<br />
here, e. g. company.mail.<br />
Also configure the following two options, i. e. enable or disable them:<br />
— deactivate<br />
Enable this option if you want to just enter the sender in the list, but not<br />
yet activate the filtering function.<br />
This may be done later by marking the corresponding checkbox in the<br />
list (see below).<br />
— do not reject<br />
Enable this option to have e-mails from all senders of the configured<br />
domain rejected, with the exception of the sender specified here.<br />
This option can also be modified by editing the list (see below).<br />
Then click on the Add to Sender Black List button.<br />
If this action was successful, the sender is added to the list, which is displayed<br />
at the bottom of this section.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using the<br />
Enter key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To sort the list in ascending or descending order, click on the symbol next to<br />
the Domain column heading.<br />
To edit an entry, type the appropriate text in the input field of the Domain<br />
column and enable or disable the deactivate and do not reject checkboxes.<br />
Then click on Apply Changes to make these settings effective. You can edit<br />
more than one entry and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field of the Domain column and enter it<br />
using the Enter key of your keyboard. The list will then display only entries<br />
matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.
5.9.5<br />
Recipient Black List<br />
The Recipient Black List tab looks like this:<br />
There is one section on this tab:<br />
• Recipient Black List<br />
It is described in the following.<br />
Recipient Black List<br />
The Recipient Black List section looks like this:<br />
It allows you to add a recipient to the Recipient Black List for the SMTP gateway.<br />
If a recipient is on this list, e-mails to this recipient will be rejected even before<br />
they are accepted.<br />
To add a recipient to the list, use the area labeled:<br />
• Add new recipient<br />
Enter the recipient you want to have blacklisted in the input field provided<br />
here, e. g. company.mail.<br />
Also configure the following two options, i. e. enable or disable them:<br />
— deactivate<br />
Enable this option if you want to just enter the recipient in the list, but<br />
not yet activate the filtering function.<br />
This may be done later by marking the corresponding checkbox in the<br />
list (see below).<br />
— do not reject<br />
Enable this option to have e-mails from all recipients of the configured<br />
domain rejected, with the exception of the recipient specified here.<br />
This option can also be modified by editing the list (see below).<br />
Then click on the Add to Recipient Black List button.
If this action was successful, the recipient is added to the list, which is displayed<br />
at the bottom of this section.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using the<br />
Enter key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To sort the list in ascending or descending order, click on the symbol next to<br />
the Domain column heading.<br />
To edit an entry, type the appropriate text in the input field of the Domain<br />
column and enable or disable the deactivate and do not reject checkboxes.<br />
Then click on Apply Changes to make these settings effective. You can edit<br />
more than one entry and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field of the Domain column and enter it<br />
using the Enter key of your keyboard. The list will then display only entries<br />
matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
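The three black lists described above (Client Domain, Sender and Recipient) share one evaluation model: an entry that is deactivated is ignored, an entry flagged "do not reject" acts as an exception, and for the Client Domain Black List the connecting IP address is first turned into a host name by a reverse DNS lookup. The following is an added example, not code from the guide or from the Webwasher product; it assumes that an entry matches its domain and all subdomains, that a "user@domain" entry matches only that address, that an exception entry overrides a broader rejecting entry, and that a client with no PTR record simply does not match. The resolver is injected so the example runs offline; the sample list entries and PTR answers are constructed.<br />

```python
"""Added example (not from the Webwasher guide): offline evaluation of the
Client Domain, Sender and Recipient Black Lists.

Assumptions, since the guide does not define them: an entry matches its
domain and every subdomain of it; an entry 'user@domain' matches only that
address; a 'do not reject' entry is an exception that overrides a broader
rejecting entry; 'deactivate' entries are ignored. The reverse DNS lookup
for the client list is injected so the example runs without network access.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Entry:
    value: str                   # a domain, or user@domain for sender/recipient lists
    deactivate: bool = False     # entered in the list but not yet active
    do_not_reject: bool = False  # exception: do not reject this one


def matches(pattern: str, subject: str) -> bool:
    """Does a list entry apply to an address or host name?"""
    pattern, subject = pattern.lower().strip(), subject.lower().strip()
    if "@" in pattern:                       # exact address entry
        return pattern == subject
    domain = subject.rsplit("@", 1)[-1]      # host name, or the domain part of an address
    return domain == pattern or domain.endswith("." + pattern)


def decide(entries: Iterable[Entry], subject: str) -> Optional[str]:
    """'reject', 'allow' (an exception entry matched) or None (no entry applies)."""
    decision = None
    for entry in entries:
        if entry.deactivate or not matches(entry.value, subject):
            continue
        if entry.do_not_reject:
            return "allow"                   # exceptions win over rejecting entries
        decision = "reject"
    return decision


def reject_client(ip: str, entries: Iterable[Entry],
                  reverse_dns: Callable[[str], Optional[str]]) -> bool:
    """Client Domain Black List: reverse-resolve the connecting IP, then match."""
    host = reverse_dns(ip)
    if host is None:                         # no PTR record: nothing to match (assumption)
        return False
    return decide(entries, host) == "reject"


def system_reverse_dns(ip: str) -> Optional[str]:
    """Real resolver for production use; the examples below inject a dict instead."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


# Constructed sample configuration; the dial-up domains are the ones the guide mentions.
CLIENT_DOMAIN_LIST = [
    Entry("tisdip.tiscali.de"),
    Entry("dip0.t-ipconnect.de"),
    Entry("paused.example", deactivate=True),
]
SENDER_LIST = [
    Entry("spam.example"),
    Entry("partner@spam.example", do_not_reject=True),
]
# Constructed PTR answers for TEST-NET addresses (no real hosts behind them).
FAKE_PTR = {
    "203.0.113.7": "pd9e1234.dip0.t-ipconnect.de",
    "203.0.113.8": "mail.paused.example",
}

if __name__ == "__main__":
    print(reject_client("203.0.113.7", CLIENT_DOMAIN_LIST, FAKE_PTR.get))  # True
    print(decide(SENDER_LIST, "bob@spam.example"))                          # reject
    print(decide(SENDER_LIST, "partner@spam.example"))                      # allow
```

Swap `FAKE_PTR.get` for `system_reverse_dns` to evaluate real connections; note that a PTR record is controlled by whoever owns the reverse zone, so the client list is a convenience filter for dial-up ranges rather than an authentication of the sender.<br />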
5.9.6<br />
TrustedSource<br />
The TrustedSource tab looks like this:<br />
There is one section on this tab:<br />
• TrustedSource Score<br />
It is described in the following.
TrustedSource Score<br />
The TrustedSource Score section looks like this:<br />
Using this section, you can configure the rejection of e-mails depending on<br />
an evaluation of their sender IP addresses. This evaluation is performed using<br />
DNS queries that are sent to the TrustedSource server, from where a reputation<br />
score is returned.<br />
This feature is not enabled by default. If you want to use it, mark the checkbox<br />
next to the section heading. After specifying this setting or after modifying the<br />
score setting, click on Apply Changes to make these settings effective.<br />
Use the following input field to modify the TrustedSource score:<br />
• Reject connection if score is more than<br />
Enter a value here for the reputation score. If the TrustedSource server<br />
returns a score higher than this value for a sender IP address, the e-mail<br />
in question will be rejected.<br />
A score higher than 80 means that no legitimate traffic is to be expected<br />
from a sender. For this reason, 80 is the default value.<br />
5.10<br />
Load Limits<br />
The Load Limits options are invoked by clicking on the corresponding button<br />
under Proxies:<br />
The options are arranged under the following tab:<br />
They are described in the upcoming section:<br />
• Load Limits, see 5.10.1<br />
5.10.1<br />
Load Limits<br />
The Load Limits tab looks like this:
There are three sections on this tab:<br />
• Load Limits<br />
• DoS Attack<br />
• Gateway Performance<br />
They are described in the following.<br />
Load Limits<br />
The Load Limits section looks like this:<br />
Using this section, you can configure load limits to determine when the server is<br />
overloaded. Limits may depend on various criteria, such as the size of e-mails<br />
sent to the server, the volume of mail queues, or the number of recipients of<br />
an e-mail.<br />
After reaching a configured load limit, the server is overloaded. If a client sends<br />
an e-mail to the overloaded server, the connection is accepted, but a message<br />
will be sent in return informing the client about this overload. The e-mail sent<br />
by the client will not be accepted.<br />
If the server is overloaded, it continues with processing e-mails that were accepted<br />
so far. This means the number of e-mails still in the queues will eventually<br />
reach a level below the configured load limits. As soon as this is the case,<br />
new connections and e-mails will be accepted.<br />
So, if a configured load limit of, e. g. 10,000 e-mails has been reached for<br />
the inbound queue, and the server processes one e-mail, the actual load is<br />
reduced to 9,999. Then the next time a client tries to connect to the server to<br />
send an inbound e-mail, it will be accepted.<br />
After modifying any of the settings in this section, click on Apply Changes to<br />
make the modification effective.<br />
Use the following checkboxes and input fields to configure load limits:<br />
• Do not accept connection if client domain is in the black list or<br />
server is overloaded<br />
Mark this checkbox if you do not want to allow a client sending an e-mail to<br />
connect to the server in case of a server overload. The connection is then<br />
dropped and even the return message mentioned above will not be sent.<br />
Furthermore, the client will not be allowed to connect to the server if its IP<br />
address belongs to a domain that has been entered in the Client Domain<br />
Black List. A reverse DNS lookup is performed to establish the domain an<br />
IP address belongs to.<br />
• Do not accept mails bigger than . . . KB<br />
Make sure the checkbox provided here is marked if you want the server<br />
overload to depend on the size of an e-mail. The checkbox is marked by<br />
default.<br />
Accept the default size, or enter a different value (in KB) in the corresponding<br />
input field. The default size is 10240 KB.<br />
• Do not accept mails if there are more than . . . mails in the . . .<br />
queue<br />
Make sure the checkbox provided here is marked if you want the server<br />
overload to depend on the number of e-mails in a particular queue, e. g.<br />
the Inbound queue. The checkbox is marked by default. The default<br />
values are 10000 and Inbound.<br />
Accept the default number and queue, or enter different values in the corresponding<br />
input fields.<br />
• Do not accept mails if there are more than . . . mails in the . . .<br />
queue<br />
Make sure the checkbox provided here is marked if you want the server<br />
overload to depend on the number of e-mails in yet another queue, e. g.<br />
the Outbound queue. The checkbox is marked by default.<br />
Accept the default number and queue, or enter different values in the corresponding<br />
input fields. The default values are 10000 and Outbound.<br />
• Do not accept mails if there are more than . . . recipients<br />
Make sure the checkbox provided here is marked if you want the server<br />
overload to depend on the number of recipients of an e-mail. The<br />
checkbox is marked by default.<br />
Accept the default number, or enter a different value in the corresponding<br />
input field. The default number is 200.
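The overload rules above (mail size, queue depth, recipient count, and the "do not accept connection" behaviour) can be expressed as a small decision function. The following is an added example, not the product's own code; it uses the guide's default values and follows the guide's 10,000 / 9,999 walk-through, so a queue that has reached its limit already counts as overloaded, and it assumes the individual checks are independent so that any one of them is enough to refuse a mail. Queue depths are constructed state.<br />

```python
"""Added example (not from the guide): the overload decision of the Load
Limits section, with the guide's default values.

Assumption: the guide's own 10,000 / 9,999 walk-through is followed, so a
queue that has reached its limit already counts as overloaded; the checks
for size, queues and recipients are independent and any one of them is
enough to refuse the mail.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class LoadLimits:
    """One attribute per checkbox/input field; None means the checkbox is cleared."""
    max_mail_kb: Optional[int] = 10240
    max_queue_mails: Dict[str, int] = field(
        default_factory=lambda: {"Inbound": 10000, "Outbound": 10000})
    max_recipients: Optional[int] = 200


@dataclass
class SmtpGateway:
    limits: LoadLimits
    queues: Dict[str, int]            # current number of mails per queue (constructed state)
    drop_connection_when_overloaded: bool = False  # "Do not accept connection if ... overloaded"

    def queue_overload(self) -> Optional[str]:
        """Which configured queue, if any, has reached its limit."""
        for queue, limit in self.limits.max_queue_mails.items():
            depth = self.queues.get(queue, 0)
            if depth >= limit:
                return f"{queue} queue holds {depth} mails (limit {limit})"
        return None

    def overload_reason(self, mail_size_kb: int, recipients: int) -> Optional[str]:
        """Return why the server counts as overloaded for this mail, or None."""
        lim = self.limits
        if lim.max_mail_kb is not None and mail_size_kb > lim.max_mail_kb:
            return f"mail size {mail_size_kb} KB exceeds {lim.max_mail_kb} KB"
        queue_reason = self.queue_overload()
        if queue_reason:
            return queue_reason
        if lim.max_recipients is not None and recipients > lim.max_recipients:
            return f"{recipients} recipients exceed the limit of {lim.max_recipients}"
        return None

    def connect(self) -> str:
        """Connection phase: with the drop option set, an overloaded server sends nothing back."""
        if self.drop_connection_when_overloaded and self.queue_overload():
            return "dropped"
        return "connected"

    def submit(self, mail_size_kb: int, recipients: int, queue: str = "Inbound") -> str:
        """Mail phase: either take the mail into `queue` or answer with an overload message."""
        reason = self.overload_reason(mail_size_kb, recipients)
        if reason:
            return "refused: " + reason
        self.queues[queue] = self.queues.get(queue, 0) + 1
        return "accepted"

    def process_one(self, queue: str = "Inbound") -> None:
        """The server keeps working off accepted mails, which lowers the load again."""
        if self.queues.get(queue, 0):
            self.queues[queue] -= 1


if __name__ == "__main__":
    gw = SmtpGateway(LoadLimits(), {"Inbound": 10000, "Outbound": 0})
    print(gw.submit(100, 1))        # refused: Inbound queue holds 10000 mails (limit 10000)
    gw.process_one("Inbound")       # load drops to 9999
    print(gw.submit(100, 1))        # accepted
```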
DoS Attack<br />
The DoS Attack section looks like this:<br />
Using this section, you can configure actions that will be taken in case a DoS<br />
(Denial of Service) attack has been attempted against the SMTP gateway.<br />
You can also configure a time interval and volumes with regard to an attack.<br />
Depending on these, the configured actions will take effect.<br />
After modifying any of the settings in this section, click on Apply Changes to<br />
make the modification effective.<br />
Use the following checkboxes and input fields to configure DoS attack options:<br />
• Block Gateway for . . . minutes in case of multiple clients attack<br />
Mark this checkbox if you want to block the gateway for some time after a<br />
DoS attack by more than one client. For this time interval, accept the default<br />
number of minutes, or enter a different number in the input field. The<br />
default number is 6.<br />
If there are any further requests during this time, the clients that made these<br />
requests will not be allowed to connect to the gateway.<br />
• Add single client to IP black list<br />
Mark this checkbox in case a DoS attack is launched by only one client and<br />
you want to add the client IP address to a black list.<br />
This means that from now on, a client with this address will not be allowed<br />
to connect to the gateway when sending a request.<br />
To have the action executed, the attack must consist of more than a given<br />
number of requests within a given time interval. For the corresponding<br />
parameters, see further below.<br />
• Enable message to be written to system log<br />
Mark this checkbox if you want to have a message written to the system<br />
log after a DoS attack has been launched either by a single client or by<br />
multiple clients.<br />
Accept the default text in the Message text input field, or enter a new one.<br />
The default text is %d by %u (generated %t by %o).<br />
To have the action executed, the attack must consist of more than a given<br />
number of requests within a given time interval. For the corresponding<br />
parameters, see further below.<br />
• Action taken when, within a time span of . . . seconds<br />
Accept the default interval required for a DoS attack, i. e. the interval within<br />
which a given number of requests must have been exceeded in order to<br />
have this classified as a DoS attack, or enter a different value in the input<br />
field. The default interval is 60 seconds.<br />
— a single client sends more than . . . requests<br />
In the input field provided here, enter the number of requests sent by<br />
a single client that must have been exceeded within the above time<br />
interval in order to have this classified as a DoS attack. The default<br />
number is 300.<br />
— all clients send more than . . . requests<br />
In the input field provided here, enter the total number of requests sent<br />
by more than one client that must have been exceeded within the above<br />
time interval in order to have this classified as a DoS attack. The default<br />
number is 10000.<br />
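Taken together, the DoS Attack options describe a sliding-window rate check with the guide's defaults of 60 seconds, 300 requests per single client and 10000 requests across all clients, plus the three reactions: blacklisting the single client's IP, blocking the gateway for 6 minutes, and writing a system log message. The following is an added example of that detection logic, not the product's code. The meaning of the placeholders in the default message text (%d, %u, %t, %o) is not stated in the guide, so the substitution used here is an assumption, and the request timestamps and client addresses are constructed.<br />

```python
"""Added example (not from the guide): sliding-window DoS detection with the
reactions described in the DoS Attack section.  Thresholds default to the
guide's values; the placeholder expansion of the log message is an assumption.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set


@dataclass
class DosConfig:
    window_seconds: int = 60          # "within a time span of ... seconds"
    single_client_max: int = 300      # "a single client sends more than ... requests"
    all_clients_max: int = 10000      # "all clients send more than ... requests"
    block_gateway: bool = True        # "Block Gateway for ... minutes"
    block_gateway_minutes: int = 6
    blacklist_single_client: bool = True   # "Add single client to IP black list"
    log_message: str = "%d by %u (generated %t by %o)"   # default text from the guide


class DosMonitor:
    def __init__(self, cfg: DosConfig):
        self.cfg = cfg
        self.per_client: Dict[str, Deque[float]] = defaultdict(deque)
        self.all_clients: Deque[float] = deque()
        self.ip_blacklist: Set[str] = set()
        self.gateway_blocked_until: float = 0.0
        self.log: List[str] = []

    def _trim(self, dq: Deque[float], now: float) -> None:
        """Drop timestamps that fell out of the window."""
        while dq and dq[0] <= now - self.cfg.window_seconds:
            dq.popleft()

    def _log(self, kind: str, client_ip: str, now: float) -> None:
        # Assumed placeholder meanings: %d description, %u client, %t time, %o origin.
        text = (self.cfg.log_message.replace("%d", kind).replace("%u", client_ip)
                .replace("%t", f"t={now:.0f}s").replace("%o", "dos-monitor"))
        self.log.append(text)

    def request(self, client_ip: str, now: float) -> str:
        """Record one request; return 'ok', 'blacklisted' or 'blocked-gateway'."""
        if client_ip in self.ip_blacklist:
            return "blacklisted"
        if now < self.gateway_blocked_until:
            return "blocked-gateway"
        per_client = self.per_client[client_ip]
        per_client.append(now)
        self.all_clients.append(now)
        self._trim(per_client, now)
        self._trim(self.all_clients, now)
        if len(per_client) > self.cfg.single_client_max:
            self._log("single client attack", client_ip, now)
            if self.cfg.blacklist_single_client:
                self.ip_blacklist.add(client_ip)
                return "blacklisted"
        if len(self.all_clients) > self.cfg.all_clients_max:
            self._log("multiple clients attack", client_ip, now)
            if self.cfg.block_gateway:
                self.gateway_blocked_until = now + 60 * self.cfg.block_gateway_minutes
                return "blocked-gateway"
        return "ok"


if __name__ == "__main__":
    # Constructed traffic with small thresholds so the reactions are visible.
    mon = DosMonitor(DosConfig(single_client_max=3, all_clients_max=5))
    for t in range(4):
        print(t, mon.request("10.0.0.1", float(t)))   # ok, ok, ok, blacklisted
    print(mon.log)
```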
Gateway Performance<br />
The Gateway Performance section looks like this:
Using this section, you can configure load limits and other measures to improve<br />
the gateway performance.<br />
After modifying any of the settings in this section, click on Apply Changes to<br />
make the modification effective.<br />
Use the following input fields and checkboxes to configure limits and other<br />
parameters for a better gateway performance:<br />
• Max number of filtering processes at one time<br />
Accept the default number for these processes, or enter a different value<br />
in this input field. The default number is 50.<br />
• Max number of mail delivery processes at one time<br />
Accept the default number for these processes, or enter a different value<br />
in this input field. The default number is 50.<br />
• Max number of mail export processes at one time<br />
Accept the default number for these processes, or enter a different value<br />
in this input field. The default number is 50.<br />
• Max number of DNS check processes at one time<br />
Accept the default number for these processes, or enter a different value<br />
in this input field. The default number is 50.<br />
• Adjust number of threads depending on the current load<br />
Mark the checkbox provided here to adjust thread numbers.<br />
• Stop gateway after . . . recoveries within last 10 minutes<br />
Mark the checkbox provided here and accept the default number of gateway<br />
restarts that must be exceeded before the gateway is shut down, or<br />
enter a different value in the input field. The default number is 5.<br />
5.11<br />
POP3 Access<br />
The POP3 Access options are invoked by clicking on the corresponding button<br />
under Proxies:<br />
If you want to enable any of these options, you also need to mark the checkbox<br />
that is on this button.<br />
Then click on Apply Changes to make this setting effective.<br />
The options are arranged under the following tab:<br />
They are described in the upcoming section:<br />
• POP3 Access, see 5.11.1<br />
5.11.1<br />
POP3 Access<br />
The POP3 Access tab looks like this:
There is one section on this tab:<br />
• Port Settings<br />
It is described in the following.<br />
Port Settings<br />
The Port Settings section looks like this:<br />
Using this section, you can configure access to the POP3 server for your preferred<br />
mail client. You need to configure the listener port for this server and<br />
specify the IP addresses you want to restrict access to the server to (if there are<br />
any).<br />
If you would like to use your preferred mail client to manage queues, you should<br />
first enable POP3 Access in the navigation bar, then define the listener port for<br />
the POP3 server and finally restrict access to specific IP addresses if necessary.<br />
You also need to configure your mail client by setting up an Internet account<br />
for it and specifying the incoming mail server, in this case, the <strong>Webwasher</strong> IP<br />
address or the name of the system <strong>Webwasher</strong> is running on. Furthermore,<br />
you need to configure the outgoing mail server.<br />
The account name is the same as the queue name configured in the<br />
conf/smtpqueues.dat configuration file, e. g. spam, infected, policy, etc.<br />
The rest of the settings need to be made in this conf/smtpqueues.dat file,<br />
where a password will be required for each queue accessible via POP3.<br />
After specifying the appropriate information here, click on Apply Changes to<br />
make these settings effective.<br />
Use the following input fields to configure access to the POP3 server:<br />
• Port<br />
Enter the port number for listener port on the POP3 server here.<br />
The default port number is 110. It is highly recommended not to change it,<br />
since many mail clients do not allow it to be configured.<br />
• Allow access from<br />
In this input field, enter the IP addresses that you want to restrict access to<br />
the POP3 server to.<br />
The input format is as follows:<br />
(IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*.<br />
Entering an * here would mean that every site is allowed access.<br />
5.12<br />
ICAP(S) Server<br />
The ICAP(S) Server options are invoked by clicking on the corresponding<br />
button under Proxies:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• ICAP(S) Server, see 5.12.1<br />
• Server Settings, see 5.12.2<br />
• REQMOD Settings, see 5.12.3<br />
• RESPMOD Settings, see 5.12.4
5.12.1<br />
ICAP(S) Server<br />
The ICAP(S) Server tab looks like this:<br />
There are three sections on this tab:<br />
• Port Settings (ICAP)<br />
• Port Settings (ICAPS)<br />
• Client Authentication<br />
They are described in the following.<br />
Port Settings (ICAP)<br />
The Port Settings section for ICAP server settings looks like this:<br />
Above this section is a checkbox labeled:<br />
• Enable ICAP server<br />
Make sure this checkbox is marked if you want to configure the ICAP server<br />
functions for <strong>Webwasher</strong>.<br />
Using this Port Settings section, you can configure the listener port for the<br />
ICAP server and who is allowed access over this port.<br />
After specifying the appropriate settings, click on Apply Changes to make them<br />
effective.<br />
Use the following input fields to configure the port settings for the ICAP server:<br />
• Port<br />
Specify the listener port here. The input format is:<br />
[IP]: port<br />
The default port number is 1344.<br />
• Allow access from<br />
Specify the IP addresses here that should have access to the listener port.<br />
The input format is:<br />
(IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*.<br />
Note: Type * to allow everyone access.<br />
Port Settings (ICAPS)<br />
The Port Settings section for ICAPS server settings looks like this:<br />
Above this section is a checkbox labeled:<br />
• Enable ICAPS server<br />
Make sure this checkbox is marked if you want to configure the ICAPS server functions<br />
for <strong>Webwasher</strong>.
Using this Port Settings section, you can configure the listener port for the<br />
ICAPS server and who is allowed access over this port.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following input fields to configure the port settings for the ICAPS server:<br />
• Port<br />
Specify the listener port here. The input format is:<br />
[IP]: port<br />
The default port number is 11344.<br />
• Allow access from<br />
Specify the IP addresses here that should have access to the listener port.<br />
The input format is:<br />
(IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*.<br />
Note: Type * to allow everyone access.<br />
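The "Allow access from" field of the POP3, ICAP and ICAPS listeners uses the same input format, (IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*, with * meaning everyone. The following is an added example of a parser and matcher for that format, not the product's own implementation. The guide does not spell out how a range is written, so "first-last" (two addresses joined by a hyphen) is an assumption here; IP/NetMask accepts both prefix lengths and dotted masks, and the sample lists and addresses are constructed.<br />

```python
"""Added example (not from the guide): parse and evaluate the
"Allow access from" format used by the POP3, ICAP and ICAPS listeners.

Assumption: a range is written "first-last"; the guide does not define the
range syntax.
"""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class AccessList:
    def __init__(self, spec: str):
        spec = spec.strip()
        self.allow_all = spec == "*"            # "*" means every site is allowed access
        self.networks: List[Network] = []
        self.ranges: List[Tuple[int, int, int]] = []   # (first, last, ip version)
        if self.allow_all:
            return
        for item in spec.split(","):
            item = item.strip()
            if not item:
                raise ValueError("empty element in access list")
            if "-" in item:                      # assumed range syntax: first-last
                lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
                if lo.version != hi.version or int(lo) > int(hi):
                    raise ValueError(f"bad range: {item}")
                self.ranges.append((int(lo), int(hi), lo.version))
            else:
                # single IP (host network) or IP/NetMask; strict=False tolerates host bits
                self.networks.append(ipaddress.ip_network(item, strict=False))

    def allows(self, ip: str) -> bool:
        """Would a connection from this address be accepted on the listener port?"""
        if self.allow_all:
            return True
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.networks):   # version mismatch is simply False
            return True
        n = int(addr)
        return any(lo <= n <= hi and ver == addr.version for lo, hi, ver in self.ranges)


if __name__ == "__main__":
    # Constructed access list mixing all three element kinds.
    acl = AccessList("10.0.0.5, 192.168.1.0/24, 172.16.0.0/255.255.0.0, 10.1.1.10-10.1.1.20")
    for probe in ("10.0.0.5", "10.0.0.6", "192.168.1.200", "10.1.1.15", "10.1.1.21"):
        print(probe, acl.allows(probe))
```

Because the listener check happens before any ICAP or POP3 authentication, keeping this list tight (and never leaving it at * on a reachable interface) is the first line of defence for these services.<br />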
Client Authentication<br />
The Client Authentication section looks like this:<br />
Using this section, you can configure a restriction for certificates that are submitted<br />
for client authentication. You can select a Certificate Authority (CA) and<br />
have only certificates issued by this CA accepted.<br />
Note that this restriction can only be configured when you are using the ICAPS<br />
server.<br />
If you want to use this feature, mark the checkbox next to the section heading.<br />
After specifying this setting and selecting the CA, click on Apply Changes to<br />
make these settings effective.<br />
Use the following drop-down list to configure client authentication:<br />
• Accept only certificates issued by<br />
Select the CA you want to trust here.<br />
5.12.2<br />
Server Settings<br />
The Server Settings tab looks like this:<br />
There are three sections on this tab:<br />
• ICAP Options<br />
• Additional ICAP Headers<br />
• Remember Infected URLs<br />
They are described in the following.
ICAP Options<br />
The ICAP Options section looks like this:<br />
Using this section, you can configure a number of options with regard to ICAP<br />
communication.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following items to configure ICAP communication:<br />
• Never split ICAP headers<br />
Mark this checkbox to forbid the splitting of ICAP headers for ICAP clients<br />
that cannot handle ICAP responses with encapsulated HTTP headers and<br />
ICAP response headers sent in separate TCP/IP packets.<br />
• Wait for complete ICAP request<br />
Check one of the radio buttons provided under this option to enable waiting<br />
for the complete ICAP request in different modes.<br />
This may be required for ICAP clients that are not able to receive parts of<br />
the filtered HTTP response, while other parts of the same file are still being<br />
sent to <strong>Webwasher</strong>.<br />
<strong>Webwasher</strong>’s normal behavior is to try to filter HTTP data chunk by chunk<br />
to reduce the latency time.<br />
<strong>Webwasher</strong> prefers this option to be disabled, while NetCache 5.2 FCS<br />
users running ICAP/1.0 in RESPMOD need to enable it.<br />
NetCache 5.2R1 and later releases allow the disabling of this option.<br />
If you are running <strong>Webwasher</strong> together with Blue Coat’s Security Gateway<br />
using ICAP, the option also needs to be enabled, which means you should<br />
configure Always as value for this kind of configuration.<br />
Use the radio buttons provided here to configure values for the Wait ... option<br />
as follows:<br />
— Never<br />
Never wait for the complete ICAP request.<br />
This value is configured by default.<br />
— Only for FTP requests<br />
Only wait for the complete ICAP request in case of FTP requests.<br />
— Only for REQMOD requests<br />
Only wait for the complete ICAP request if the ICAP client is a Bluecoat<br />
ProxySG Appliance and at the same time the filtering of REQMOD uploads<br />
is not enabled. Otherwise, this option is not needed for the Bluecoat<br />
client.<br />
To verify if the filtering of REQMOD uploads is enabled, go to the REQMOD<br />
Settings tab and see if the option labeled Apply configured<br />
filters on uploaded and posted data is enabled.<br />
Note that if you configure this value, data trickling and progress pages<br />
will not be activated.<br />
— Always<br />
Always wait for the complete ICAP request.<br />
Note that if you configure this value, data trickling and progress pages<br />
will not be activated.<br />
• Do not send early 204 responses<br />
Mark this checkbox to forbid the sending of these responses for ICAP<br />
clients that support 204 responses at the end of ICAP messages, but do<br />
not handle them if sent before the end of a request.<br />
If the ICAP client supports early 204 responses (as all built-in <strong>Webwasher</strong><br />
ICAP clients do), you should not configure this value, for better performance.<br />
• Strict ICAP RFC compliance<br />
Mark this checkbox to ensure that the ICAP server communication strictly<br />
adheres to the mode specified in the corresponding RFC document.<br />
The strict mode is, however, not supported by some ICAP clients.
• Preferred preview size<br />
In the input field provided here, enter the number of bytes for the preferred<br />
preview size.<br />
This size equals the number of bytes <strong>Webwasher</strong> shows in the OPTIONS<br />
response. An ICAP client should send this number of bytes in a REQMOD<br />
or RESPMOD request first.<br />
The client should then wait for <strong>Webwasher</strong> to either indicate that the rest<br />
of the data is also needed, or <strong>Webwasher</strong> is not interested in seeing the<br />
data, and the file is allowed unfiltered.<br />
The default value is 30 bytes. A value of 0 bytes means that only the ICAP<br />
header is sent in response modification before the ICAP client waits for a<br />
response.<br />
To disable the option, enter a negative value here.<br />
• Maximum chunk size<br />
In the input field provided here, enter the maximum chunk size that should<br />
be used in ICAP communication.<br />
The default size is 5120 KB.<br />
• ISTag: ...<br />
Click on the Change ISTag Now button provided here to change the<br />
ISTag.<br />
The ISTag is similar to a version number for an ICAP service. Whenever<br />
the version changes, the ICAP client will no longer use responses that<br />
<strong>Webwasher</strong> has previously given, but will ask <strong>Webwasher</strong> again for each<br />
request or response.<br />
<strong>Webwasher</strong> does not increment the version number when you change<br />
<strong>Webwasher</strong> settings or update the URL filter database, because the<br />
changes often are not relevant enough to be applied to everyone in your<br />
network at once.<br />
You may prefer to configure the caching parameters, so the time span in<br />
question does not grow too much before cached responses are automatically<br />
invalidated.<br />
If you decide, however, that all cached responses should be invalidated at<br />
once, click on the button to change the ISTag, but be aware that this could<br />
generate a higher load until the cache gets refilled.<br />
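The preview size and the ISTag described above are two sides of one ICAP exchange: the server advertises both in its OPTIONS response, the client sends only the preview bytes first and waits for either "100 Continue" or an early "204 No Content", and a changed ISTag tells the client to discard every verdict it has cached. The following is an added example that walks through that exchange in a simplified, in-process form following the RFC 3507 message shapes; it is not the Webwasher implementation. The "not interested" rule based on image magic bytes, the BLOCKME marker that stands in for the real filters, the ISTag values and the URLs are all constructed.<br />

```python
"""Added example (not from the guide): a simplified ICAP preview / ISTag
exchange between a filtering service and a caching ICAP client.

Constructed stand-ins: the service is 'not interested' in files whose preview
starts with an image signature, and treats the marker BLOCKME as content to
block.  ISTag values are random opaque tokens.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def parse_icap_headers(raw: str) -> Dict[str, str]:
    """Split an ICAP message head (status line plus headers) into a dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:
            break                            # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


class IcapService:
    """Server side: OPTIONS advertisement, preview decision, ISTag management."""

    def __init__(self, preview_size: int = 30):   # guide default 30; negative disables
        self.preview_size = preview_size
        self.istag = self._new_istag()

    @staticmethod
    def _new_istag() -> str:
        return '"WW-' + secrets.token_hex(8) + '"'   # constructed opaque version token

    def change_istag(self) -> None:
        """What the 'Change ISTag Now' button does: invalidate every cached verdict."""
        self.istag = self._new_istag()

    def options_response(self) -> str:
        lines = ["ICAP/1.0 200 OK", "Methods: RESPMOD", f"ISTag: {self.istag}", "Allow: 204"]
        if self.preview_size >= 0:
            lines.append(f"Preview: {self.preview_size}")
        return "\r\n".join(lines) + "\r\n\r\n"

    @staticmethod
    def _clean(data: bytes) -> bool:
        return b"BLOCKME" not in data          # constructed stand-in for the real filters

    def preview_decision(self, preview: bytes, complete: bool) -> str:
        """Answer to the preview chunk; `complete` means the whole body fit into it (ieof)."""
        if preview.startswith((b"GIF89a", b"\x89PNG")):   # constructed 'not interested' rule
            return "ICAP/1.0 204 No Content"
        if complete:
            return "ICAP/1.0 204 No Content" if self._clean(preview) else "ICAP/1.0 200 OK"
        return "ICAP/1.0 100 Continue"         # need the rest of the data

    def full_response(self, body: bytes) -> str:
        return "ICAP/1.0 204 No Content" if self._clean(body) else "ICAP/1.0 200 OK"


class IcapClient:
    """Client side: honours Preview, caches verdicts, drops the cache when the ISTag changes."""

    def __init__(self) -> None:
        self.istag: Optional[str] = None
        self.preview: Optional[int] = None
        self.cache: Dict[str, str] = {}

    def refresh_options(self, service: IcapService) -> None:
        hdrs = parse_icap_headers(service.options_response())
        if hdrs["ISTag"] != self.istag:
            self.cache.clear()                  # service version changed: forget old answers
            self.istag = hdrs["ISTag"]
        self.preview = int(hdrs["Preview"]) if "Preview" in hdrs else None

    def respmod(self, service: IcapService, url: str, body: bytes) -> str:
        if url in self.cache:
            return "cached:" + self.cache[url]
        if self.preview is None:                # preview disabled: send everything at once
            status = service.full_response(body)
        else:
            head = body[:self.preview]
            status = service.preview_decision(head, complete=len(body) <= self.preview)
            if status.startswith("ICAP/1.0 100"):
                status = service.full_response(body)
        verdict = "allow" if "204" in status else "blocked"
        self.cache[url] = verdict
        return verdict


if __name__ == "__main__":
    svc, cli = IcapService(30), IcapClient()
    cli.refresh_options(svc)
    print(cli.respmod(svc, "http://example.test/a.gif", b"GIF89a" + bytes(200)))  # allow
    print(cli.respmod(svc, "http://example.test/b.html", b"<html>" + b"x" * 100 + b"BLOCKME"))  # blocked
```

With a preview size of 0 the client sends an empty preview and, unless the body is empty, always receives "100 Continue", which matches the guide's note that only the ICAP header goes out first; with a negative size no Preview header is advertised and the client sends the whole body at once.<br />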
Additional ICAP Headers<br />
The Additional ICAP Headers section looks like this:<br />
Using this section, you can configure the logging of URL categories at the ICAP<br />
client site.<br />
Categories will appear in a log file field named Attribute, according to the<br />
logging range you configure here.<br />
Furthermore, the field will contain information on whether the blocking was due<br />
to RTC or the Access Control List.<br />
Note that there is also a log file field named categories, which is not used to<br />
store these categories and is not available at the client site.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following radio buttons and checkbox to configure the logging of URL<br />
categories:<br />
• Do not send categories to the ICAP client<br />
If you do not want to have categories sent to the ICAP client make sure<br />
this radio button is checked. The radio button is checked by default.<br />
• Send all categories to the ICAP client<br />
Check this radio button to have all categories sent to the ICAP client.<br />
• Send only the blocked categories to the ICAP client<br />
Check this radio button to have only blocked categories sent to the ICAP<br />
client.<br />
• Send range of values of the ’X-Attribute’ header in OPTIONS response<br />
Mark this checkbox to enable this compatibility setting, which simplifies the<br />
co-operation between ICAP server and client.
The X-Attribute header is a type of REQMOD/RESPMOD header. Some<br />
ICAP clients may require a range of values of this header in the OPTIONS<br />
response.<br />
So, if you are using a client that relies on this data, as is the case e. g. with<br />
Blue Coat, you should enable this option.<br />
Remember Infected URLs<br />
The Remember Infected URLs section looks like this:<br />
It allows you to configure a time interval for storing the names of virus-infected<br />
files. These files will be rejected immediately by <strong>Webwasher</strong>.<br />
Use the following item to configure this interval:<br />
• Virus-infected file names will be stored for ... seconds<br />
Enter a value for the time interval (in seconds) in the input field provided<br />
here. The default interval is 1800 seconds.<br />
5.12.3<br />
REQMOD Settings<br />
The REQMOD Settings tab looks like this:<br />
There are three sections on this tab:<br />
• REQMOD Options<br />
• REQMOD Response Caching<br />
• Additional REQMOD Response Headers<br />
They are described in the following.
REQMOD Options<br />
The REQMOD Options section looks like this:<br />
Using this section, you can configure the way ICAP requests are modified.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following items to configure ICAP request modification:<br />
• Handle internal requests in REQMOD<br />
Enable this option to handle internal requests in REQMOD.<br />
Due to restrictions in version 1.0 of the ICAP protocol, internal requests,<br />
such as access to the <strong>Webwasher</strong> Web interface, can usually not be handled<br />
in REQMOD communication.<br />
These are requests that address <strong>Webwasher</strong> under the name of<br />
-web.washer-. If your ICAP client is able to accept non-error HTML data<br />
in REQMOD satisfaction responses, you can use the option described<br />
here to handle these requests also in REQMOD communication.<br />
• Apply configured filters on uploaded and posted data<br />
Enable this option to apply configured filters on uploaded and posted data.<br />
This will let the REQMOD server look into the body of a request, which is<br />
a useful feature for URL filtering on parameters, Anti Virus scanning and<br />
blocking files by media type.<br />
• Retain original ’User Agent’ field<br />
Enable this option to retain the original User Agent field.<br />
Retaining this field means not to change the text string used by programs to<br />
identify themselves towards HTTP, e-mail and news servers. This identification<br />
is needed for usage tracking and other purposes, such as displaying<br />
Web pages in a way that is best suited to the properties of your browser.<br />
• Suppress unsupported content encodings<br />
Enable this option to suppress unsupported content encodings.<br />
The most common content encodings are UTF-8 (utf-8) and Latin-1<br />
(iso-8859-1). There may, however, be others that are not supported, so<br />
you can suppress them using this option.<br />
• Forbid partial downloads (HTTP)<br />
Enable this option to forbid partial downloads for HTTP requests.<br />
Partial downloads can be useful when a download was aborted for one<br />
reason or other. In this case, a client could continue the download from<br />
where it was interrupted, rather than starting from the beginning.<br />
Partial downloads may, however, cause problems when <strong>Webwasher</strong> uses<br />
filters such as the Anti Virus filter, since a virus may not be found in an<br />
incomplete file. Partial downloads can therefore impede successful virus<br />
scanning.<br />
Unintentional partial downloads may occur when both Anti Virus and data<br />
trickling are enabled. <strong>Webwasher</strong> may have started forwarding bytes to a<br />
client before the connection is aborted due to a virus being found in the file.<br />
The client becomes aware of this abort, and attempts a partial download of<br />
the rest of that file, which may leave <strong>Webwasher</strong> unable to detect the virus.<br />
If magic byte matching is enforced, some partial downloads may be blocked<br />
due to an untypical file header, which also limits virus scanning capabilities.<br />
It is therefore recommended to forbid partial HTTP downloads while the<br />
<strong>Webwasher</strong> content security filters are enabled.<br />
• Forbid partial file transfers (FTP)<br />
Enable this option to forbid partial downloads for file transfers.<br />
For the reasons given in the description of the Forbid partial downloads<br />
(HTTP) option, it is also recommended to forbid partial FTP downloads while<br />
the <strong>Webwasher</strong> content security filters are enabled.<br />
• REQMOD resource name<br />
In this input field, enter the name of the resource used for REQMOD communication.
This name should correspond to the resource name for request modification<br />
that has been configured on the ICAP client.<br />
• Max REQMOD connections<br />
In the input field provided here, enter the maximum number of connections an<br />
ICAP client is allowed to open.<br />
<strong>Webwasher</strong> does not have a limit for the connection count, but there may<br />
be restrictions due to the hardware or operating system you are using.<br />
Also, the more filters are enabled and the more connections are open at the<br />
same time, the more time <strong>Webwasher</strong> needs to handle an individual ICAP<br />
request. So if this value is set very high, an ICAP client might think that<br />
<strong>Webwasher</strong> is no longer responding since the response time has grown<br />
too much.<br />
In case your ICAP client tells you that it cannot handle more connections,<br />
but your ICAP server is not on very high load, increase this value.<br />
If your ICAP client believes that <strong>Webwasher</strong> is down although it is still running,<br />
decrease this value.<br />
REQMOD Response Caching<br />
The REQMOD Response Caching section looks like this:<br />
Using this section, you can configure the way REQMOD responses are cached.<br />
The ICAP server either sends a modified version of the request back to the<br />
ICAP client, a valid HTTP response such as an error message saying access<br />
to a particular URL is not allowed, or, if the client indicates that it supports 204<br />
responses, an indication that no modification is required.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following items to configure REQMOD response caching:<br />
• Cacheability<br />
From the drop-down list provided here, select a value to let the ICAP client<br />
cache responses for everyone at all times, for the current user group, or<br />
for a single user only.<br />
When running multiple <strong>Webwasher</strong> group policies, a REQMOD response<br />
may not be valid for everybody. By default, <strong>Webwasher</strong> determines for<br />
what group the response is valid by the chosen policy method. By selecting<br />
a different value here, you can override <strong>Webwasher</strong>.<br />
Note that a response cannot be cached if the HTTP request was modified<br />
by the Cookie Filter, the Referer Filter or the appended User Agent.<br />
• Default Caching Age<br />
In the input field provided here, enter a time interval to determine how long<br />
a response is cached.<br />
The caching age is usually determined by the time schemes that have been<br />
set for a given URL filter database category. If a category is allowed until 3<br />
p.m., the response for a URL falling in this category will also be valid until 3<br />
p.m. If a URL is not in the URL filter database, the caching value configured<br />
here is used for it.<br />
Note that a response cannot be cached if the HTTP request was modified<br />
by the Cookie Filter, the Referer Filter or the appended user agent.<br />
• Min Caching Age<br />
In the input field provided here, enter a time interval to determine how long<br />
a response is cached at least.<br />
Use this option to make sure a given URL is not requested again and again<br />
in very short intervals, although it is not cacheable. Regardless of what was<br />
calculated, the caching interval will never be smaller than this value.<br />
Note that this could disable privacy filters if caching is forced to get responses<br />
that should not be cached.<br />
To disable the <strong>Webwasher</strong> cache-control feature, specify a negative value<br />
for this option, as well as for Max Caching Age, see below.<br />
• Max Caching Age<br />
In the input field provided here, enter a time interval to determine how long<br />
a response is cached as a maximum.<br />
Use this option to limit the time responses are cached. Regardless of what<br />
was calculated, the caching interval will not be greater than this value.
This can be very useful if you do not want the ISTag to change with every<br />
change to <strong>Webwasher</strong> or the URL filter database. After this maximum age has<br />
elapsed, the ICAP client will ask <strong>Webwasher</strong> to re-validate the response.<br />
To disable the <strong>Webwasher</strong> cache-control feature, specify a negative value<br />
for this option, as well as for Min Caching Age, see above.<br />
Enter the ICAP client services to use for RESPMOD here. You can enter<br />
multiple services, separated by a |.<br />
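To make the interaction of the Default, Min and Max Caching Age settings concrete, here is an added Python model of the rules described above for REQMOD response caching. It is an editor's illustration, not <strong>Webwasher</strong> code; the 3 p.m. schedule, the clock value and the request flags it uses are constructed inputs, and treating Min Caching Age as a floor that also applies to non-cacheable responses is a reading of the note about privacy filters.<br />

```python
"""Added example: how Default, Min and Max Caching Age combine into the caching
interval handed to the ICAP client. A model of the rules in the guide, not
Webwasher's implementation."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class CachingConfig:
    default_age: int  # "Default Caching Age" (s): used for URLs not in the URL filter database
    min_age: int      # "Min Caching Age" (s): floor for the calculated interval
    max_age: int      # "Max Caching Age" (s): ceiling; min_age < 0 and max_age < 0 disables cache-control


@dataclass
class RequestInfo:
    # End of the time scheme allowing the URL's category, or None if the URL is not
    # in the URL filter database (constructed input; Webwasher derives it internally).
    category_allowed_until: Optional[datetime]
    # True if the Cookie Filter, the Referer Filter or the appended User Agent
    # modified the HTTP request; such a response cannot be cached.
    modified_by_privacy_filter: bool


# Constructed clock values for the walk-through: it is 2 p.m., category allowed until 3 p.m.
EXAMPLE_NOW = datetime(2008, 1, 1, 14, 0, 0)
THREE_PM = datetime(2008, 1, 1, 15, 0, 0)


def caching_age(cfg: CachingConfig, req: RequestInfo, now: datetime) -> Optional[int]:
    """Seconds the ICAP client may cache the REQMOD response.

    Returns 0 for "do not cache" and None when cache-control is disabled entirely
    (both Min and Max Caching Age negative).
    """
    if cfg.min_age < 0 and cfg.max_age < 0:
        return None  # no caching information is sent at all

    # Step 1: the value the URL filter would calculate on its own.
    if req.modified_by_privacy_filter:
        calculated = 0  # modified request -> response not cacheable
    elif req.category_allowed_until is None:
        calculated = cfg.default_age  # URL not in the database -> Default Caching Age
    else:
        # Category allowed until 3 p.m. -> response valid until 3 p.m.
        calculated = max(0, int((req.category_allowed_until - now).total_seconds()))

    # Step 2: Min Caching Age is a floor, even for responses that should not be
    # cached. This is the case the guide warns about: forced caching of a response
    # that a privacy filter modified effectively disables that filter for the client.
    if cfg.min_age >= 0:
        calculated = max(calculated, cfg.min_age)

    # Step 3: Max Caching Age is a ceiling; afterwards the client re-validates.
    if cfg.max_age >= 0:
        calculated = min(calculated, cfg.max_age)
    return calculated


if __name__ == "__main__":
    cfg = CachingConfig(default_age=600, min_age=60, max_age=1800)
    print("category until 3 p.m., max 1800:", caching_age(cfg, RequestInfo(THREE_PM, False), EXAMPLE_NOW))
    print("URL not in database:", caching_age(cfg, RequestInfo(None, False), EXAMPLE_NOW))
    print("request modified by Cookie Filter, min 60:", caching_age(cfg, RequestInfo(THREE_PM, True), EXAMPLE_NOW))
    print("cache-control disabled:", caching_age(CachingConfig(600, -1, -1), RequestInfo(THREE_PM, False), EXAMPLE_NOW))
```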
Additional REQMOD Response Headers<br />
The Additional REQMOD Response Headers section looks like this:<br />
Using this section, you can configure one or more additional REQMOD response<br />
headers. These will provide additional information, such as date, size,<br />
server data, etc., that a Web server sends back to a client browser in response<br />
to receiving an HTTP request.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following input field to configure additional headers:<br />
• Header Definition<br />
Specify the additional REQMOD response headers here. The input format<br />
is:<br />
Header = Value[, Header = Value]<br />
5.12.4<br />
RESPMOD Settings<br />
The RESPMOD Settings tab looks like this:<br />
There are two sections on this tab:<br />
• RESPMOD Options<br />
• Additional RESPMOD Response Headers<br />
They are described in the following.<br />
RESPMOD Options<br />
The RESPMOD Options section looks like this:<br />
Using this section, you can configure the way ICAP responses are modified.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.
Use the following items to configure ICAP response modification:<br />
• Use URL Filtering in RESPMOD (HTTP, FTP)<br />
Enable this option to perform URL filtering in RESPMOD (HTTP, FTP) communication.<br />
This will increase system load compared to filtering URLs in REQMOD<br />
communication, but is still an option in case REQMOD communication is<br />
not available on your preferred ICAP client.<br />
You can also enable the following sub-option:<br />
— but determine categories only<br />
With this sub-option enabled, disallowed categories will only be written<br />
to the log files. If the sub-option is not enabled, these categories will<br />
be blocked.<br />
• Support ’X-Hash-Id’ calculation<br />
Enable this option to support X-hash-ID calculation.<br />
With this option enabled, NetCache is able to detect if an object is equal<br />
to another object that was rejected according to a different policy, so<br />
NetCache would not unnecessarily store another copy of it.<br />
This feature uses a combination of information on policies and a hash over<br />
the object in question.<br />
• RESPMOD resource name<br />
In this input field, enter the name of the resource used for RESPMOD communication.<br />
This name should correspond to the resource name for request modification<br />
that has been configured on the ICAP client.<br />
• Max RESPMOD connections<br />
In the input field provided here, enter the maximum number of connections an<br />
ICAP client is allowed to open.<br />
<strong>Webwasher</strong> does not have a limit for the connection count, but there may<br />
be restrictions due to the hardware or operating system you are using.<br />
Also, the more filters are enabled and the more connections are open at the<br />
same time, the more time <strong>Webwasher</strong> needs to handle an individual ICAP<br />
request. So if this value is set very high, an ICAP client might think that<br />
<strong>Webwasher</strong> is no longer responding since the response time has grown<br />
too much.<br />
In case your ICAP client tells you that it cannot handle more connections,<br />
but your ICAP server is not on very high load, increase this value.<br />
If your ICAP client believes that <strong>Webwasher</strong> is down although it is still running,<br />
decrease this value.<br />
Additional RESPMOD Response Headers<br />
The Additional RESPMOD Response Headers section looks like this:<br />
Using this section, you can configure one or more additional RESPMOD response<br />
headers. These will provide additional information, such as date, size,<br />
server data, etc., that a Web server sends back to a client browser in response<br />
to receiving an HTTP request.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following input field to configure additional headers:<br />
• Header Definition<br />
Specify the additional RESPMOD response headers here. The input format<br />
is:<br />
Header = Value[, Header = Value]<br />
The following input field is provided in this section:<br />
• Do not use ICAP service for URLs that match<br />
When a request is made for a site that is entered here, the ICAP server will<br />
not be bypassed. Specify a site by entering its IP address, host name, or<br />
URL.<br />
Separate multiple entries by putting each of them on a new line.
5.13<br />
Progress Indication Methods<br />
The Progress Indication Methods options are invoked by clicking on the<br />
corresponding button under Proxies:<br />
The options are arranged under the following tab:<br />
They are described in the upcoming section:<br />
• Progress Indication Methods, see 5.13.1<br />
5.13.1<br />
Progress Indication Methods<br />
The Progress Indication Methods tab looks like this:<br />
There are four sections on this tab:<br />
• Progress Indication Options<br />
• Progress Pages<br />
• Data Trickling<br />
• Handle Progress Queries<br />
They are described in the following.<br />
Progress Indication Options<br />
The Progress Indication Options section looks like this:<br />
It allows you to configure the time interval that is to elapse before progress<br />
indication starts. This applies to all progress indication methods configured<br />
under <strong>Webwasher</strong>.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
this setting effective.<br />
Use the following input field to configure this interval:<br />
• Start progress indication after ... seconds<br />
Enter the appropriate time interval (in seconds) here.<br />
The default interval is 5 seconds.<br />
Progress Pages<br />
The Progress Pages section looks like this:<br />
Using this section, you can configure the use of progress pages as method<br />
of progress indication. Progress pages indicate to a client the progress made<br />
when an object is downloaded and filtered.
On a progress page, there are two buttons to stop a download or to stop it and<br />
return to the starting page:<br />
• Cancel<br />
Clicking on this button will stop a download that is in progress immediately.<br />
• Back<br />
Clicking on this button will stop a download that is in progress after 12 to<br />
20 seconds and return to the page from where it was started.<br />
If the <strong>Webwasher</strong> Internet Explorer Plugin is installed, no progress pages will<br />
be displayed, see the Handle Progress Queries section below.<br />
To configure progress pages, make sure the checkbox next to the section heading<br />
is marked. After specifying the appropriate information, click on Apply<br />
Changes to make your settings effective.<br />
Use the following items to configure progress pages:<br />
• Use progress pages only for these clients<br />
Specify the clients you want to configure progress pages for in this input<br />
field.<br />
Enter user agent names to specify clients and separate them by the | (pipe<br />
sign).<br />
• Update Interval ... seconds<br />
In the input field provided here, enter the time (in seconds) that is to elapse<br />
before the next update of a progress page is performed.<br />
The default interval is 5 seconds.<br />
• Force sending progress page before filtering archives bigger than<br />
... KB<br />
Use this option to specify that progress pages are used before the filtering<br />
of an archive begins, whenever its size exceeds a given value.<br />
Enter this value (in KB) in the input field provided here.<br />
Data Trickling<br />
The Data Trickling section looks like this:<br />
Using this section, you can configure the use of the data trickling method.<br />
This method allows you to determine the number of bytes that should be sent<br />
to the <strong>Webwasher</strong> ICAP server in one go.<br />
Since some browsers do not display anything at all when only very few bytes<br />
are transferred, you can configure the size of the first forwarded chunk of data.<br />
To configure data trickling, make sure the checkbox next to the section heading<br />
is marked. The checkbox is marked by default.<br />
After specifying the appropriate information, click on Apply Changes to make<br />
your settings effective.<br />
Use the following items to configure data trickling:<br />
• Size of first forwarded chunk ... bytes<br />
In the input field provided here, enter a byte value to specify the size of the<br />
first chunk that is forwarded when data trickling is enabled.<br />
• Forward ... bytes for every ... KBs received<br />
Use this option to specify the size of the data chunk (in bytes) that is<br />
forwarded after receiving a data chunk of a given size (in KB).<br />
Use the two drop-down lists provided here to select the corresponding values.<br />
• Continue trickling during filtering<br />
Enable this option to ensure that data trickling is continued during the filtering<br />
process.<br />
• Ensure trickling during filtering archives bigger than ... KB<br />
Enable this option to ensure that data trickling is used whenever the size<br />
of an archive that is being filtered exceeds a given value.
Enter a value for this size (in KB) in the input field provided here.<br />
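The following Python model, added here and not part of <strong>Webwasher</strong>, works through the scenario described under Forbid partial downloads (HTTP) using the Data Trickling settings of this section: how many trickled bytes a client already holds when a download is aborted because a virus was found, the Range request it then sends to fetch the rest, and one way of enforcing the forbid setting by dropping that header so the complete object is fetched and scanned again. The chunk arithmetic, the constructed configuration values and the header handling are the editor's assumptions.<br />

```python
"""Added example: Data Trickling arithmetic and the partial-download problem it
causes when the Anti Virus filter is enabled. Editor's model, not Webwasher code."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class TricklingConfig:
    first_chunk_bytes: int   # "Size of first forwarded chunk ... bytes"
    forward_bytes: int       # "Forward ... bytes
    per_kb_received: int     #  for every ... KBs received"


def bytes_forwarded(cfg: TricklingConfig, received: int) -> int:
    """Bytes already passed on to the client after `received` bytes reached the server.

    Modelled reading of the two settings (assumption): nothing is sent until the
    first chunk can go out whole; afterwards `forward_bytes` more are released for
    every further full `per_kb_received` KB received, never more than received.
    """
    if received < cfg.first_chunk_bytes:
        return 0
    extra_chunks = (received - cfg.first_chunk_bytes) // (cfg.per_kb_received * 1024)
    return min(received, cfg.first_chunk_bytes + extra_chunks * cfg.forward_bytes)


def resume_request_after_abort(cfg: TricklingConfig, received_when_virus_found: int) -> Dict[str, str]:
    """Headers a client typically sends to continue an aborted download (constructed):
    it asks only for the bytes it does not have yet. Scanning just that remainder
    cannot reliably find a virus that spans the whole file."""
    have = bytes_forwarded(cfg, received_when_virus_found)
    return {"Range": f"bytes={have}-"}


def apply_partial_download_policy(headers: Dict[str, str], forbid_partial: bool) -> Dict[str, str]:
    """One way to enforce "Forbid partial downloads (HTTP)": drop the Range header so
    the origin server returns the complete object and the Anti Virus filter sees all
    of it. The guide only says partial downloads are forbidden; this is an illustration."""
    if not forbid_partial:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "range"}


if __name__ == "__main__":
    # Constructed configuration: 512-byte first chunk, then 256 bytes per 4 KB received.
    cfg = TricklingConfig(first_chunk_bytes=512, forward_bytes=256, per_kb_received=4)
    for received in (300, 512, 8192, 12800):
        print(f"received {received:6d} -> client holds {bytes_forwarded(cfg, received)} bytes")
    resume = resume_request_after_abort(cfg, 8192)   # abort after 8 KB: virus found
    print("client resume request:", resume)
    print("with partial downloads forbidden:", apply_partial_download_policy(resume, True))
```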
Handle Progress Queries<br />
The Handle Progress Queries section looks like this:<br />
Using this section, you can configure an alternative progress dialog, showing<br />
the download progress made on the <strong>Webwasher</strong> server.<br />
To implement this dialog, you need to install the <strong>Webwasher</strong> Internet Explorer<br />
Plugin. If it is installed, the pages described in the Progress Pages section<br />
above will not be shown.<br />
Progress queries are requests that a client sends to <strong>Webwasher</strong> to inquire<br />
about the download progress of a pending file.<br />
In order to enable progress queries mark the checkbox next to the section<br />
heading and click on Apply Changes to make this setting effective.<br />
The plugin mentioned above can be obtained from the <strong>Webwasher</strong> extranet.<br />
To go there, click on the link provided here.<br />
After its installation, the plugin will display the download progress in three<br />
stages:<br />
• First, <strong>Webwasher</strong> downloads a file from the Internet and, depending on the<br />
media type, starts scanning it. During this stage, the built-in download dialog<br />
of the browser will proceed slowly (if Data Trickling is enabled<br />
at all), but the <strong>Webwasher</strong> progress dialog allows you to track how far the file<br />
has been downloaded to the <strong>Webwasher</strong> server.<br />
• When the <strong>Webwasher</strong> progress dialog shows the download as completed,<br />
the <strong>Webwasher</strong> server may still be scanning the file. This stage may take<br />
a while for some large archives.<br />
• As soon as <strong>Webwasher</strong> has completed scanning, the file will be completely<br />
delivered to the client system and the built-in browser download dialog will<br />
begin to proceed very fast.<br />
The plugin supports Internet Explorer versions 5.0, 5.5 and 6.0 running on<br />
Windows 98/Me and Windows NT/2000/XP.<br />
When deploying it to client systems via NT logon script or Windows 2000 Group<br />
Policy, you can run a setup package, e. g. wwieplugin100-1066.exe /s,<br />
for unattended installation.<br />
5.14<br />
Own Host Name<br />
The Own Host Name options are invoked by clicking on the corresponding<br />
button under Proxies:<br />
The options are arranged under the following tab:<br />
They are described in the upcoming section:<br />
• Own Host Name, see 5.14.1<br />
5.14.1<br />
Own Host Name<br />
The Own Host Name tab looks like this:<br />
There are three sections on this tab:<br />
• Internal Requests<br />
• End User Requests<br />
• Proactive Scanning
They are described in the following.<br />
Internal Requests<br />
The Internal Requests section looks like this:<br />
Using this section, you can configure the use of an own host name for <strong>Webwasher</strong>.<br />
This may be needed, e.g. in the default error messages for including the <strong>Webwasher</strong><br />
icon or in cleaned-up HTML code to insert place holder items. Depending<br />
on the network configuration, <strong>Webwasher</strong> can then be accessed one<br />
or the other way.<br />
Use the radio buttons described below to configure an own host name for <strong>Webwasher</strong>.<br />
Then click on Apply Changes to make your settings effective.<br />
The following options can be configured:<br />
• Use IP address of machine running <strong>Webwasher</strong><br />
The IP address of the machine running <strong>Webwasher</strong> can be used in most<br />
environments and is the default option for deployments with external ICAP<br />
clients.<br />
<strong>Webwasher</strong> can then be accessed using an address and path name, such<br />
as, e. g.:<br />
http://127.0.0.1:9090/wwfile?name=images/logo_ww.gif<br />
• Use the internal Host -web.washer-<br />
This internal URL can be used when <strong>Webwasher</strong> is addressed as a proxy<br />
server from all clients.<br />
<strong>Webwasher</strong> can then be accessed using an address and path name, such<br />
as, e. g.:<br />
http://-web.washer-/wwfile?name=images/logo_ww.gif<br />
The -web.washer- part of the address will direct the browser to the <strong>Webwasher</strong><br />
proxy.<br />
Note: This option will only work for REQMOD communication, which<br />
means that a REQMOD service must have been enabled on the client in<br />
question. Furthermore, the server must be told to handle internal requests<br />
in REQMOD.<br />
To configure this, go to the REQMOD Settings tab under Proxies ><br />
ICAP(S) Server. In the REQMOD Options section, make sure the option<br />
labeled Handle internal requests in REQMOD is enabled, see 5.12.3.<br />
• Use the internal Path -web.washer-<br />
This internal path can be used when <strong>Webwasher</strong> is addressed as a transparent<br />
proxy server from all clients. In this case, it may not be possible to<br />
connect to the <strong>Webwasher</strong> application directly.<br />
<strong>Webwasher</strong> can then be accessed using an address and path name, such<br />
as, e. g.:<br />
/-web.washer-/wwfile?name=images/logo_ww.gif<br />
In this case, the browser would not know that it is actually addressing <strong>Webwasher</strong>,<br />
and only a relative path name is given. Again, the -web.washer- part<br />
of the address will ensure that the appropriate location is reached.<br />
Note: This option will only work for REQMOD communication, which<br />
means that a REQMOD service must have been enabled on the client in<br />
question. Furthermore, the server must be told to handle internal requests<br />
in REQMOD.<br />
To configure this, go to the REQMOD Settings tab under Proxies ><br />
ICAP(S) Server. In the REQMOD Options section, make sure the option<br />
labeled Handle internal requests in REQMOD is enabled, see 5.12.3.<br />
• Use other host or URL<br />
Another host or URL should only be used if there is no contact from the<br />
intranet to the system <strong>Webwasher</strong> is running on, or if you know the <strong>Webwasher</strong><br />
address better than <strong>Webwasher</strong> itself.<br />
If <strong>Webwasher</strong> cannot be contacted, enter any other accessible Web server<br />
here, as well as a path on that server in order to specify the location that<br />
files need to be copied to from the <strong>Webwasher</strong> installation.<br />
Please contact the <strong>Webwasher</strong> support team for further information.
End User Requests<br />
The End User Requests section looks like this:<br />
Using this section, you can configure a host name for end users to contact<br />
<strong>Webwasher</strong> upon receiving an SMTP digest.<br />
If an SMTP Digest is distributed, the recipients need to contact <strong>Webwasher</strong> to<br />
have their messages released or deleted. Depending on the network configuration,<br />
<strong>Webwasher</strong> can be accessed one or the other way.<br />
Use the radio buttons described below to configure a host name for <strong>Webwasher</strong>.<br />
Then click on Apply Changes to make your settings effective.<br />
The following options can be configured:<br />
• Use IP address of machine running <strong>Webwasher</strong><br />
The IP address of the machine running <strong>Webwasher</strong> can be used in most<br />
environments and is the default option for deployments with external ICAP<br />
clients.<br />
• Use the internal URL -web.washer-<br />
The internal URL can be used by all clients for addressing <strong>Webwasher</strong> as<br />
a proxy server.<br />
• Use other host or URL<br />
Another host or URL should only be used if there is no connection from<br />
the intranet to the system <strong>Webwasher</strong> is running on, or if you know the<br />
<strong>Webwasher</strong> address better than <strong>Webwasher</strong> itself.<br />
If <strong>Webwasher</strong> cannot be contacted, enter any other accessible Web server<br />
here, as well as a path on that server in order to specify the location that<br />
files need to be copied to from the <strong>Webwasher</strong> installation.<br />
Please contact the <strong>Webwasher</strong> support team for further information.<br />
Proactive Scanning<br />
The Proactive Scanning section looks like this:<br />
Using this section, you can configure a host specification for requests directed<br />
to the Proactive Scanning filter of <strong>Webwasher</strong>.<br />
After specifying this information, click on Apply Changes to make this setting<br />
effective.<br />
Use the following radio buttons and input field to specify a host for Proactive<br />
Scanning requests:<br />
• Use IP address of machine running <strong>Webwasher</strong><br />
If you want to use the IP address of the machine running <strong>Webwasher</strong> for<br />
specifying the host, make sure this radio button is checked. The radio button<br />
is checked by default. The IP address can be used in transparent proxy<br />
mode, for deployments with external ICAP clients, and in other configurations.<br />
• Use host ...<br />
Specify another host name you want to configure in the input field provided<br />
here.<br />
The -web.washer- host name is used when <strong>Webwasher</strong> is directly addressed<br />
as a proxy server. It is the default name for this option.<br />
5.15<br />
IFP<br />
The IFP options are invoked by clicking on the corresponding button under<br />
Proxies:<br />
The options are arranged under the following tabs:
They are described in the upcoming sections:<br />
• Settings, see 5.15.1<br />
• ICAP Services, see 5.15.2<br />
5.15.1<br />
Settings<br />
The Settings tab looks like this:<br />
There are two sections on this tab:<br />
• TCP Port Settings<br />
• Filter Message Mode<br />
They are described in the following.<br />
TCP Port Settings<br />
The TCP Port Settings section looks like this:<br />
Using this section, you can configure the listener port of an IFP server and who<br />
is allowed access over this port.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following input fields to configure these port settings:<br />
• Port<br />
Specify the listener port here. The input format is:<br />
[IP]: port<br />
The default port number is 4005.<br />
• Allow access from<br />
Use this field to configure the IP addresses that should have access to<br />
each listener port that is opened by <strong>Webwasher</strong>.<br />
The input format is:<br />
(IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*.<br />
Note: Type * to allow everyone access.<br />
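As an added illustration (not <strong>Webwasher</strong>'s own code), the following Python parses the [IP]: port and (IP | IP/NetMask | IP range) [, ...]* formats given above and checks whether a connecting client is allowed on the IFP listener port. IPv4-only listener addresses, an inclusive "first-last" range notation, and tolerance of host bits in IP/NetMask entries are assumptions; the addresses used are constructed.<br />

```python
"""Added example: parsing the IFP "Port" and "Allow access from" fields and
checking a client address against them. Editor's illustration, not Webwasher code."""
import ipaddress
from typing import List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
ALLOW_EVERYONE = "*"   # the guide: type * to allow everyone access
DEFAULT_PORT = 4005    # default IFP listener port from the guide


def parse_listener(spec: str, default_port: int = DEFAULT_PORT) -> Tuple[str, int]:
    """Parse '[IP]: port'. An empty IP means all interfaces (assumption).

    Only IPv4 listener addresses are handled here (assumption), so the last ':'
    separates address and port.
    """
    spec = spec.strip()
    if not spec:
        return "", default_port
    if ":" in spec:
        ip, port = spec.rsplit(":", 1)
        ip = ip.strip()
        if ip:
            ipaddress.IPv4Address(ip)  # validates; raises ValueError if malformed
    else:
        ip, port = "", spec
    port_no = int(port.strip())
    if not 1 <= port_no <= 65535:
        raise ValueError(f"port out of range: {port_no}")
    return ip, port_no


def parse_access_list(spec: str) -> Optional[List[IPNetwork]]:
    """Parse '(IP | IP/NetMask | IP range) [, ...]*'. Returns None for '*' (everyone).

    Each entry becomes one or more networks so that matching is uniform:
    a single IP is a /32, 'IP/NetMask' is taken as given, and 'first-last'
    is expanded with summarize_address_range.
    """
    spec = spec.strip()
    if spec == ALLOW_EVERYONE:
        return None  # exposes the listener to every host that can reach the port
    networks: List[IPNetwork] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:  # IP range, inclusive on both ends
            lo_s, hi_s = item.split("-", 1)
            lo = ipaddress.ip_address(lo_s.strip())
            hi = ipaddress.ip_address(hi_s.strip())
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range: {item}")
            networks.extend(ipaddress.summarize_address_range(lo, hi))
        else:  # single IP or IP/NetMask; strict=False tolerates host bits (assumption)
            networks.append(ipaddress.ip_network(item, strict=False))
    if not networks:
        raise ValueError("empty access list")
    return networks


def is_allowed(acl: Optional[List[IPNetwork]], client_ip: str) -> bool:
    """True if the client may use the listener port under the parsed access list."""
    if acl is None:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in acl)


if __name__ == "__main__":
    print(parse_listener("10.0.0.1:4005"), parse_listener("4005"))
    # Constructed access list: one subnet, one host, one range.
    acl = parse_access_list("10.0.0.0/255.255.0.0, 192.168.1.1, 172.16.0.10-172.16.0.20")
    for ip in ("10.0.5.5", "192.168.1.2", "172.16.0.15", "172.16.0.21"):
        print(ip, "allowed" if is_allowed(acl, ip) else "denied")
```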
Filter Message Mode<br />
The Filter Message Mode section looks like this:<br />
Using this section, you can configure the sending of filter messages to the user.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following items to configure the filter message mode:<br />
• Send directly<br />
Enable this option to send the content of a filter message to the IFP client,<br />
from where it is forwarded to its final destination.<br />
This is the preferred method since it is more efficient with regard to time<br />
and memory. It is also the default option.
In the following situations, however, a direct sending may fail:<br />
— An error page + HTTP header is larger than 3071 bytes.<br />
— An IFP client fails to forward data because there are ASCII 0 characters<br />
in between.<br />
This may occur if:<br />
Content encoding GZIP is used for filter messages.<br />
Customer-defined filter messages are sent in UTF-16 or other encodings.<br />
• Use redirect mechanism<br />
Enable this option to save the content of a filter message locally, i. e. on<br />
the IFP server, and send its URL for access to this content to the IFP client,<br />
from where it is again forwarded to the user.<br />
The user needs to send another request in order to retrieve the message<br />
content.<br />
5.15.2<br />
ICAP Services<br />
The ICAP Services tab looks like this:<br />
There are two sections on this tab:<br />
• Services<br />
• List of Available ICAP Services<br />
They are described in the following.<br />
Services<br />
The Services section looks like this:<br />
Using this section, you can configure services for the IFP server communication.<br />
Since the IFP protocol provides only the requested URL and no other<br />
header, body or protocol information, only REQMOD services may be configured.<br />
Note that due to the limitations of the IFP protocol, some <strong>Webwasher</strong> filters will<br />
not be available when this protocol is used:<br />
• Parts of the Safe Search enforcer<br />
• Cookie filter<br />
• Header filter<br />
• Filters working with the body of a request, e. g. the Web Upload filter, the<br />
Anti-Virus filter and parts of the Filter-By-Expression filter<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following input field to configure ICAP services for the IFP protocol:<br />
• REQMOD services<br />
Specify the service you want to configure, e. g. internal, in this input field.<br />
To do this, type its name or select it from the drop-down list next to this<br />
field. You can specify more than one service here.<br />
The input format is:<br />
service1 [ | service2]
List of Available ICAP Services<br />
The List of Available ICAP Services section looks like this:<br />
It displays a list of the services that are available for being configured in the<br />
Services section above.<br />
5.16<br />
WCCP<br />
The WCCP options (WCCP = Web Cache Communication Protocol) are invoked<br />
by clicking on the corresponding button under Proxies:<br />
If you want to enable any of these options, check the checkbox on this button.<br />
Then click on Apply Changes to make this setting effective.<br />
Note that the WCCP options are only available under <strong>Webwasher</strong> when it is<br />
running on an appliance.<br />
Furthermore, these options can be used for redirecting traffic under <strong>Webwasher</strong><br />
with HTTP as basic protocol and version 1 or 2 of WCCP. To use them<br />
with the HTTPS protocol, you need to have version 2 of WCCP.<br />
The options are arranged under the following tab:<br />
They are described in the upcoming section:<br />
• WCCP, see 5.16.1<br />
5.16.1<br />
WCCP<br />
The WCCP tab looks like this:<br />
There are three sections on this tab:<br />
• WCCP<br />
• WCCP Current Status<br />
• Packet Forwarding<br />
They are described in the following.
WCCP<br />
The WCCP section looks like this:<br />
Using this section, you can configure some basic settings for using WCCP<br />
within <strong>Webwasher</strong>, such as the settings of the router that will redirect traffic<br />
under this protocol, or of the ports to which traffic should be addressed in order<br />
to get redirected.<br />
WCCP (Web Cache Communication Protocol) allows a router to redirect traffic<br />
transparently to another server, which may then act as a cache or perform anti-virus<br />
filtering. The router identifies the packets that should be redirected by the<br />
destination port numbers configured for the service; packets addressed to other<br />
ports are not redirected.<br />
The router encapsulates redirected packets using GRE (Generic Routing Encapsulation).<br />
The <strong>Webwasher</strong> appliance receives the encapsulated data and forwards it<br />
to one of its proxy ports. In addition, the IP source address of a packet must pass<br />
the Source IP include/exclude filter configured in the Packet Forwarding section<br />
below in order to be redirected to the proxy port.<br />
The router itself also has to be configured for WCCP. Those settings are not<br />
described here; refer to the documentation delivered with the router by Cisco,<br />
its manufacturer.<br />
WCCP is used on top of a basic protocol, e. g. HTTP. Under <strong>Webwasher</strong>, it can<br />
be used with HTTP (WCCP version 1 or 2) and, with version 2 only, with HTTPS; it<br />
is not available for FTP or SMTP. Furthermore, WCCP is available under <strong>Webwasher</strong><br />
only when it is running on an appliance.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective. Note that for any modification of the port settings you also need<br />
to reboot the <strong>Webwasher</strong> appliance to let the changes take effect. A Reboot<br />
button is provided for this purpose in the last section on this tab.<br />
Use the following items to configure basic WCCP settings within <strong>Webwasher</strong>:<br />
• Router<br />
In this input field, enter the IP address or DNS name of the router that<br />
should be used for redirecting traffic.<br />
• WCCP v2<br />
If you want to use version 2 of WCCP, check this radio button. Use the<br />
following items to configure further settings for WCCP:<br />
— Service ID<br />
In this input field, enter a service ID, which is required for using version<br />
2 of WCCP. The default service ID is 51.<br />
— Ports to be forwarded<br />
In this input field, enter the port numbers of the ports that packets<br />
should have in their destination addresses to let the router know these<br />
packets should be redirected.<br />
The forwarding service that is configured under version 2 of WCCP can<br />
provide redirection for up to 8 ports in packet destination addresses.<br />
Note that for communication with an SSL server, you need to enter port<br />
number 443 here since an SSL server usually listens on this port.<br />
There are, however, SSL servers that do not listen on this port. In this<br />
case, you also need to add the port they listen on to the PortsTreatedAsSSL<br />
setting in the global.conf (global.ini) configuration file, so that <strong>Webwasher</strong><br />
treats traffic to that port as SSL. The line has the following form:<br />
PortsTreatedAsSSL='443, '<br />
Then restart <strong>Webwasher</strong> to make the modification effective.<br />
— MD5 authentication key<br />
In this input field, enter a key for authenticating the WCCP protocol messages<br />
exchanged with the router, using the MD5 digest algorithm. The same key must<br />
be configured on the router. Use of this key is optional, but without it any<br />
host that can reach the router is able to join the service group and have<br />
traffic redirected to it.<br />
Note that this option is provided under version 2 of WCCP only.<br />
• WCCP v1<br />
If you want to use version 1 of WCCP, make sure this radio button is<br />
checked. The radio button is checked by default.<br />
Only one port is configured under this version of the protocol, which is port<br />
80. Only packets that have this port number in their destination addresses<br />
will be redirected.<br />
Note also that no authentication key is used here.
WCCP Current Status<br />
The WCCP Current Status section looks like this:<br />
This section provides information on some non-persistent communication parameters<br />
of WCCP. This includes the times and dates of messages that are<br />
exchanged between router and <strong>Webwasher</strong> appliance to handle the redirection<br />
of data packets.<br />
Under WCCP, the router distributes redirected traffic over a fixed set of hash<br />
"buckets" for load balancing purposes: each packet is hashed into one bucket, and<br />
each bucket is assigned to one of the participating <strong>Webwasher</strong> instances. The<br />
buckets that are currently handled by this <strong>Webwasher</strong> are also displayed in this<br />
section.<br />
If a cluster of <strong>Webwasher</strong> instances has been configured, buckets can be handled<br />
by different instances. In this case, the instance with the lowest IP address<br />
assigns the buckets to the other instances. This need not necessarily be the<br />
master of the cluster.<br />
Information is updated every few seconds by <strong>Webwasher</strong>.<br />
The following information is displayed:<br />
• Current time<br />
Date and time of the information displayed in the fields below.<br />
• Last ’HereIam’ sent<br />
Date and time when this protocol message was last sent.<br />
• Last ’ISeeYou’ received<br />
Date and time when this protocol message was last received.<br />
• Last 'Bucket assignment' sent<br />
Date and time when an assignment of buckets to instances was last sent by<br />
the assigning <strong>Webwasher</strong> instance in a cluster.<br />
• Last change in group membership<br />
Date and time when the membership of the WCCP service group, i. e. the set of<br />
routers and <strong>Webwasher</strong> instances taking part in it, last changed.<br />
• This <strong>Webwasher</strong> assigns buckets<br />
Information as to whether or not the current instance of <strong>Webwasher</strong> is the<br />
one that assigns buckets, i. e. groups of data packets, to the other instances<br />
in a cluster.<br />
• Buckets assigned to<br />
IP address of a <strong>Webwasher</strong> instance and the buckets, i. e. groups of<br />
packets, that are currently assigned to it.<br />
If there is a cluster of <strong>Webwasher</strong> instances, a list of all the corresponding<br />
IP addresses and the buckets assigned to them is displayed.<br />
Packet Forwarding<br />
The Packet Forwarding section looks like this:<br />
Using this section, you can configure the IP address and port number of the<br />
server that data packets should be forwarded, i. e. redirected to, by <strong>Webwasher</strong><br />
under WCCP. This configuration is required if you want to use this<br />
protocol for <strong>Webwasher</strong>. The server addresses that may be specified here are<br />
the addresses of the network interfaces of your <strong>Webwasher</strong> appliance.<br />
You can also specify a source IP for traffic that should be included in the forwarding,<br />
as well as a source IP for traffic that should be excluded.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective. Note that after modifying any of the settings in this section you<br />
also need to reboot the <strong>Webwasher</strong> appliance in order to let the changes take<br />
effect. A Reboot button is provided here for this purpose.
Use the following items to configure data forwarding under WCCP:<br />
• Source IP included<br />
In this input field, enter a source IP address or address range for data packets<br />
that should be redirected. A data packet will then be redirected only if its source<br />
address matches the one specified here and, furthermore, does not match the one<br />
specified under Source IP excluded.<br />
Input in this field is optional, but if it is entered, its format must be like this:<br />
10.120.22.0/24<br />
The number after the slash is the length of the network mask in bits (CIDR<br />
notation). You may also enter a part of a source IP address.<br />
• Source IP excluded<br />
In this input field, enter a source IP address or address range for data packets<br />
that should not be redirected. A data packet will then be redirected only if its<br />
source address does not match the one specified here and, furthermore, matches<br />
the one specified under Source IP included.<br />
Input in this field is optional, but if it is entered, its format must be like this:<br />
10.120.22.4/32<br />
The number after the slash is the length of the network mask in bits (CIDR<br />
notation). You may also enter a part of a source IP address.<br />
• Redirect to<br />
From the drop-down lists provided here, select the IP address of the server<br />
that packets should be redirected to, as well as a port number on this server.<br />
You may choose from the addresses of all the interface devices the <strong>Webwasher</strong><br />
appliance is equipped with, as well as from the addresses of the<br />
proxy ports that are currently configured.<br />
The proxy ports are configured on the Settings tab under Proxies > HTTP<br />
Proxy. Remember to enable the Transparent Proxy option when configuring<br />
a proxy there.<br />
• Reboot<br />
After specifying the settings in this section, or changing the port settings<br />
in the WCCP section above, click on this button in order to make these<br />
settings effective.<br />
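The source-address rule of the Packet Forwarding section (redirect only if the source matches Source IP included and does not match Source IP excluded) and the eight-port limit of a WCCP v2 service, as an added Python example. This is not Webwasher code: treating "a part of a source IP address" as a dotted prefix anchored at an octet boundary is our assumption, and all addresses and port lists below are constructed.

```python
"""Decide whether a packet qualifies for WCCP redirection under the
Source IP included / Source IP excluded rules, and validate the list of
forwarded ports for a WCCP v2 service.

Added example, not Webwasher code. Rule semantics follow the guide text;
treating 'a part of a source IP address' as a dotted prefix anchored at an
octet boundary is our assumption. All addresses below are constructed.
"""
import ipaddress
from typing import List, Optional

MAX_WCCP_V2_PORTS = 8  # a WCCP v2 service can redirect up to 8 destination ports


def matches(filter_spec: Optional[str], ip_str: str) -> bool:
    """True if ip_str matches filter_spec.

    filter_spec may be a network in CIDR notation ("10.120.22.0/24"),
    a full address ("10.120.22.4"), or a partial dotted address such as
    "10.120." (assumption: matched as a prefix on whole octets).
    An empty filter matches nothing.
    """
    if not filter_spec or not filter_spec.strip():
        return False
    spec = filter_spec.strip()
    ip = ipaddress.ip_address(ip_str)
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    try:
        return ip == ipaddress.ip_address(spec)
    except ValueError:
        # Partial address: compare dotted text, anchored at an octet boundary
        prefix = spec if spec.endswith(".") else spec + "."
        return (ip_str + ".").startswith(prefix)


def should_redirect(src_ip: str, include: Optional[str], exclude: Optional[str]) -> bool:
    """Redirect only if the source matches the include filter (when one is
    set) and does not match the exclude filter (when one is set)."""
    if include and include.strip() and not matches(include, src_ip):
        return False
    if matches(exclude, src_ip):
        return False
    return True


def redirected_sources(sources: List[str], include: Optional[str], exclude: Optional[str]) -> List[str]:
    """Apply the rule to a list of source addresses."""
    return [s for s in sources if should_redirect(s, include, exclude)]


def parse_forwarded_ports(spec: str, max_ports: int = MAX_WCCP_V2_PORTS) -> List[int]:
    """Parse the 'Ports to be forwarded' field; reject bad ports or more than max_ports."""
    ports: List[int] = []
    for token in spec.replace(",", " ").split():
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        if port not in ports:
            ports.append(port)
    if len(ports) > max_ports:
        raise ValueError(f"a WCCP v2 service allows at most {max_ports} ports, got {len(ports)}")
    return ports


# Constructed sample: the /24 from the text is included, one host in it excluded.
SAMPLE_SOURCES = ["10.120.22.4", "10.120.22.17", "10.120.23.1", "192.168.1.5"]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(src, should_redirect(src, "10.120.22.0/24", "10.120.22.4/32"))
    print(parse_forwarded_ports("80, 443, 8080"))
```

Note that the exclude filter wins whenever both match, which is what the two field descriptions say; an empty include field lets every source through to the exclude check.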
<strong>Configuration</strong><br />
Chapter 6<br />
The functions described in this chapter are accessible over the <strong>Configuration</strong><br />
tab of the Web interface:<br />
These functions allow you to configure features that are provided in addition to<br />
the system configuration features already described here. Additional features<br />
include, e. g. the update manager, central management, the action editor and<br />
debugging.<br />
The upcoming sections describe how to handle these functions. The description<br />
begins with an overview.<br />
6.1<br />
Overview<br />
The following overview shows the sections that are in this chapter:<br />
<strong>System</strong> <strong>Configuration</strong> <strong>Guide</strong> – <strong>Webwasher</strong> Web Gateway Security<br />
Introduction<br />
User Management<br />
Reporting<br />
Caching<br />
Proxies<br />
<strong>Configuration</strong> Overview – this section<br />
Update Manager, see 6.2<br />
Central Management, see 6.3<br />
Appliance, see 6.4<br />
Note that the options described in this section<br />
are only available in an appliance version of<br />
<strong>Webwasher</strong>.<br />
Web Interfaces, see 6.5<br />
Secure Administration Shell, see 6.6<br />
SNMP Interface, see 6.7<br />
Global Command Center, see 6.8<br />
Certificate Management, see 6.9<br />
DNS Cache, see 6.10<br />
Backup & Restore, see 6.11<br />
Action Editor, see 6.12<br />
Wizards, see 6.13<br />
Debugging, see 6.14
6.2<br />
Update Manager<br />
The Update Manager options are invoked by clicking on the corresponding<br />
button under <strong>Configuration</strong>:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• General Options, see 6.2.1<br />
• URL Filter, see 6.2.2<br />
• AV Engine, see 6.2.3<br />
• Spam Filter, see 6.2.4<br />
• Proactive Scanning, see 6.2.5<br />
• CRLs, see 6.2.6<br />
6.2.1<br />
General Options<br />
The General Options tab looks like this:<br />
There are five sections on this tab:<br />
• Update Server Summary<br />
• Centralized Update<br />
• Write <strong>System</strong> Log<br />
• Connection Options<br />
• <strong>System</strong> Notifications<br />
They are described in the following.
Update Server Summary<br />
The Update Server Summary section looks like this:<br />
This section shows the addresses and locations of the download servers that<br />
are currently in use for <strong>Webwasher</strong>.<br />
Centralized Update<br />
The Centralized Update section looks like this:<br />
Using this section, you can configure the distribution of updates in a cluster of<br />
<strong>Webwasher</strong> instances by the master.<br />
Note that this will only work in a homogeneous cluster, i. e. in a cluster where<br />
all instances of <strong>Webwasher</strong> run under the same operating system and have<br />
the same version.<br />
With this update method, master and site instances in a <strong>Webwasher</strong> cluster<br />
will behave as follows: The master distributes regular updates to the site instances.<br />
The updates are retrieved from the <strong>Webwasher</strong> download server.<br />
After a new update has been downloaded, the master broadcasts an update<br />
notification to the site instances.<br />
Before the site instances perform an update, which may be a regular update,<br />
an update initiated manually by the user, or an update triggered by a notification<br />
from the master, they connect to the master and request the update from there.<br />
If the request fails, which is indicated by an HTTP status code other than 200 or<br />
304, the site instances connect to the <strong>Webwasher</strong> download server themselves<br />
in order to get the update.<br />
If you want to use this update method, mark the checkbox next to the section<br />
heading.<br />
Then click on Apply Changes to make this setting effective.<br />
Write <strong>System</strong> Log<br />
The Write <strong>System</strong> Log section looks like this:<br />
Using this section, you can configure that information on update activities of<br />
<strong>Webwasher</strong> is always written to a system log file. The name of this file is<br />
update.log.<br />
If you want to have this information written to the log file, mark the checkbox<br />
next to the section heading.<br />
Then click on Apply Changes to make this setting effective.<br />
Connection Options<br />
The Connection Options section looks like this:<br />
Using this section, you can configure the connections to the update server.<br />
You can configure a direct connection to this server or use a proxy.<br />
Furthermore, you can specify how many times a retry should be performed in<br />
case of a server overload.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following items to configure the update server connections:<br />
• Use direct connection to update server<br />
If you want to use a direct connection to the update server, make sure this<br />
radio button is checked. The radio button is checked by default.<br />
To specify the number of retries, use the following drop-down list:<br />
— Retries on server overload
Select here how many times a retry should be performed if the update<br />
server does not respond due to being overloaded.<br />
You can select up to three retries.<br />
• Use update proxy<br />
If you want to use an update proxy, check this radio button.<br />
From the drop-down list provided here select the connection mode for this<br />
proxy.<br />
The following modes are available:<br />
— none<br />
In this mode, no proxy is used.<br />
— specific<br />
In this mode, one specific proxy is used, which is specified in the input<br />
field next to this drop-down list.<br />
— failover<br />
In this mode, the first of the proxies specified in the input field next to<br />
this drop-down list is also tried first.<br />
If it fails, it will be retried until the configured retry maximum has been<br />
reached. Then the second proxy is tried, and so on.<br />
— round robin<br />
In this mode, the proxy is used that is next to the one that was used<br />
last.<br />
If the last proxy has been reached among those that were specified,<br />
selection of proxies will restart from the beginning.<br />
In the input field next to the drop-down list, enter the proxy or proxies that<br />
should be used for connecting to the update server.<br />
To do this, type a proxy name or select an entry from the drop-down list to the<br />
right. If you want to use more than one proxy, repeat the selection.<br />
The drop-down list should show select one to add as its topmost entry. If<br />
no next hop proxies have been configured yet, the topmost entry reads no<br />
proxies defined.<br />
To configure proxies, click on the button labeled Define Next Hop Proxies.<br />
This will open a window for configuring these proxies.<br />
The window is described in the next subsection.<br />
Available Proxies<br />
The section in this window allows you to configure next hop proxies for all kinds<br />
of connections. These will then be available for selection on the Use Next Hop<br />
Proxies tab.<br />
After specifying the appropriate settings for a next hop proxy, it is added to the<br />
list of available next proxies by clicking on the Add button.<br />
The list is displayed at the bottom of the section. You can modify the settings<br />
for each proxy that is shown in the list.<br />
Use the following items for configuring available next hop proxies:<br />
• Name<br />
In this input field, enter the name of the next hop proxy you want to configure.<br />
If you leave the field empty, a name will be generated by <strong>Webwasher</strong>,<br />
e. g. pxy1, and inserted in this field after clicking on the Add button.<br />
The name can be modified after the new proxy has been included in the<br />
list.<br />
• Proxy server address<br />
In the input fields provided here, enter the address of the server you want<br />
to make available as next hop proxy:<br />
— Host<br />
Enter the IP address or URL of this server here.<br />
— Port<br />
Enter the port number of the port for connecting to this server here.<br />
• Proxy authorization<br />
In the input fields provided here, enter the credentials that <strong>Webwasher</strong><br />
should use for authentication at the next hop proxy:<br />
— Username<br />
Enter the user name here.<br />
— Password<br />
Enter the password here.<br />
• Connection behavior<br />
Use the items provided here to configure the connection behavior:<br />
— Retry . . . times on failure for this proxy
From the drop-down list provided here, select the number of retries you<br />
want to configure for a next hop proxy. You can configure up to three<br />
retries.<br />
When the maximum number of retries has been reached, <strong>Webwasher</strong><br />
will try to establish a connection using another next hop proxy, according<br />
to what has been configured on the Use Next Hop Proxies tab,<br />
e. g. failover or round robin.<br />
— Do not retry proxy for ... minutes when it has reached ... times<br />
within 10 seconds its maximum number of retries<br />
In the input fields provided here, enter the time information that will<br />
cause a connection break, i. e. an interval during which <strong>Webwasher</strong><br />
will not retry a next hop proxy after a connection to it could not be established<br />
in a given situation.<br />
In the first input field, enter the time (in minutes) that the connection<br />
break should last.<br />
In the second input field, specify how often the maximum number of retries<br />
must have been reached within 10 seconds before the connection<br />
break is started.<br />
— use persistent connections<br />
If you want <strong>Webwasher</strong> to use persistent connections to the next hop<br />
proxies, make sure this checkbox is marked. The checkbox is marked<br />
by default.<br />
<strong>Webwasher</strong> will try to meet this requirement by establishing persistent<br />
connections, but may fail to do so in some situations.<br />
You will then see that the failed counter in the list of available next<br />
hop proxies displays an increased value for the connection to the next hop<br />
proxy in question.<br />
In this case, you might clear the checkbox to disable the option. Note,<br />
however, that this will reduce performance.<br />
• Add<br />
After specifying the appropriate information for the server you want to make<br />
available as next hop proxy, click on this button to add it to the list of available<br />
next hop proxies.<br />
The list of available next hop proxies is displayed at the bottom of this section.<br />
For each entry, it provides the information that is specified when a new entry<br />
is added. Furthermore statistical figures are displayed on the reliability of next<br />
hop proxies.<br />
You can edit list entries, delete them and reset the statistics.<br />
To display only a particular number of entries at a time, type this number in the<br />
input field labeled Number of entries per page and enter it using the Enter<br />
key of your keyboard. If the number of entries is higher than this number, the<br />
remaining entries are shown on successive pages.<br />
A page indicator is then displayed, where you can select a particular page by<br />
clicking on the appropriate arrow symbols.<br />
To edit an entry, click on the View Details and Edit link in the same line. This<br />
will reopen the window and this section with the information concerning the<br />
next hop proxy in question, so you can modify it.<br />
After completing the modification, click on the Modify button, which is provided<br />
now instead of the Add button, to make it effective. If you want to clear the<br />
information before modifying the settings for a next hop proxy, click on the<br />
Clear Input button.<br />
Apart from the information that was specified when a new entry was added to<br />
the list, such as the proxy name and address, the list displays statistical figures<br />
on the reliability of each next hop proxy.<br />
The following information is provided in the columns of the list:<br />
• reliability<br />
Reliability of a next hop proxy<br />
The reliability is calculated as the percentage of attempts to establish a<br />
connection to the next hop proxy that were successful in relation to the<br />
overall number of attempts.<br />
• tried<br />
Number of times that <strong>Webwasher</strong> tried to establish a connection to a proxy<br />
• failed<br />
Number of times that an attempt by <strong>Webwasher</strong> to establish a connection<br />
to a proxy failed<br />
• last fail<br />
Date and time of the last time that an attempt by <strong>Webwasher</strong> to establish<br />
a connection to a proxy failed<br />
• do not retry reached<br />
Date and time of the last time that a situation was reached where <strong>Webwasher</strong><br />
did not retry a next hop proxy over a given period of time.
The length of this period depends on what you configured under Do not<br />
retry proxy for . . . minutes when it has reached . . . times<br />
within 10 seconds its maximum number of retries, see above.<br />
If the do not retry situation is still on, i. e. <strong>Webwasher</strong> will currently not retry<br />
the next hop proxy in question, the date and time values are displayed in<br />
red.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input fields above the Name, Proxy or Port<br />
columns or in a combination of them and enter this using the Enter key of<br />
your keyboard. The list will then display only entries matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Reset Statistics<br />
Click on this button to reset the statistical figures shown in the list for reliability<br />
of next hop proxies.<br />
• Reset do not retry<br />
Click on this button to reset the statistics only for the do not retry reached<br />
parameter, see above.<br />
To return to the Next Hop Proxies tab, click on the Close button.<br />
The next hop proxy you added to the list, will also appear and be available in<br />
the list of next hop proxies, which is displayed at the bottom of the Use Next<br />
Hop Proxies section on that tab.<br />
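The next hop proxy behaviour described in this section (the specific, failover and round robin connection modes, the per-proxy retries, the "do not retry" break that starts once the retry maximum has been reached a given number of times within 10 seconds, and the reliability, tried, failed, last fail and do not retry reached statistics) as an added Python example. It is not Webwasher code: the class names, the FakeClock, the connect callback, the proxy host names and the one-minute break used in demo() are constructed for illustration.

```python
"""Next hop proxy selection with failover / round robin, per-proxy retries,
the 'do not retry' connection break and the reliability statistics.

Added example, not Webwasher code; names and the sample scenario are ours.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

WINDOW_SECONDS = 10.0  # the window named in the 'Do not retry ...' setting


@dataclass
class NextHopProxy:
    name: str
    host: str
    port: int
    max_retries: int = 3        # 'Retry ... times on failure for this proxy' (up to 3)
    break_minutes: float = 5.0  # 'Do not retry proxy for ... minutes'
    break_trigger: int = 3      # '... when it has reached ... times within 10 seconds its maximum number of retries'
    tried: int = 0
    failed: int = 0
    last_fail: Optional[float] = None
    do_not_retry_reached: Optional[float] = None
    exhaustions: List[float] = field(default_factory=list)

    def reliability(self) -> float:
        """Successful attempts as a percentage of all attempts (100 if none yet)."""
        if self.tried == 0:
            return 100.0
        return 100.0 * (self.tried - self.failed) / self.tried

    def in_break(self, now: float) -> bool:
        """True while the 'do not retry' interval is still running (shown in red in the UI)."""
        return (self.do_not_retry_reached is not None
                and now - self.do_not_retry_reached < self.break_minutes * 60)

    def note_retries_exhausted(self, now: float) -> None:
        """Count an exhausted retry run; start the break after break_trigger runs within the window."""
        self.exhaustions = [t for t in self.exhaustions if now - t <= WINDOW_SECONDS]
        self.exhaustions.append(now)
        if len(self.exhaustions) >= self.break_trigger:
            self.do_not_retry_reached = now
            self.exhaustions.clear()

    def reset_statistics(self) -> None:
        self.tried = self.failed = 0
        self.last_fail = None

    def reset_do_not_retry(self) -> None:
        self.do_not_retry_reached = None
        self.exhaustions.clear()


class NextHopSelector:
    """Picks a next hop proxy according to the configured connection mode."""

    def __init__(self, proxies: List[NextHopProxy], mode: str,
                 connect: Callable[[NextHopProxy], bool], clock: Callable[[], float] = time.time):
        self.proxies = list(proxies)
        self.mode = mode          # 'none', 'specific', 'failover' or 'round robin'
        self.connect = connect    # returns True if a connection was established
        self.clock = clock
        self.rr_next = 0

    def candidates(self) -> List[NextHopProxy]:
        if self.mode == "none" or not self.proxies:
            return []
        if self.mode == "specific":
            return self.proxies[:1]
        if self.mode == "failover":
            return list(self.proxies)          # always start with the first one
        if self.mode == "round robin":
            start = self.rr_next % len(self.proxies)
            self.rr_next = (start + 1) % len(self.proxies)
            return self.proxies[start:] + self.proxies[:start]
        raise ValueError(f"unknown connection mode: {self.mode}")

    def select(self) -> Optional[NextHopProxy]:
        """Try candidates in order; each gets one attempt plus max_retries retries."""
        now = self.clock()
        for proxy in self.candidates():
            if proxy.in_break(now):
                continue                      # skipped until the break interval is over
            for _attempt in range(1 + proxy.max_retries):
                proxy.tried += 1
                if self.connect(proxy):
                    return proxy
                proxy.failed += 1
                proxy.last_fail = now
            proxy.note_retries_exhausted(now)  # move on to the next candidate
        return None


class FakeClock:
    """Controllable clock so the scenario below is deterministic."""
    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> Tuple[List[Optional[str]], NextHopProxy, NextHopProxy]:
    """Constructed scenario: pxy1 is down, pxy2 is up, failover mode, three selections 3 s apart."""
    up = {"proxy-a.example.test": False, "proxy-b.example.test": True}  # constructed hosts
    pxy1 = NextHopProxy("pxy1", "proxy-a.example.test", 3128, max_retries=2, break_trigger=2, break_minutes=1)
    pxy2 = NextHopProxy("pxy2", "proxy-b.example.test", 3128)
    clock = FakeClock()
    selector = NextHopSelector([pxy1, pxy2], "failover", lambda p: up[p.host], clock)
    chosen: List[Optional[str]] = []
    for _ in range(3):
        proxy = selector.select()
        chosen.append(proxy.name if proxy else None)
        clock.now += 3
    return chosen, pxy1, pxy2


if __name__ == "__main__":
    names, p1, p2 = demo()
    print(names, p1.reliability(), p2.reliability(), p1.do_not_retry_reached)
```

In the scenario, pxy1 exhausts its retries twice within 10 seconds, so the second exhaustion starts the break and the third selection skips pxy1 without trying it; its tried and failed counters therefore stop at 6 while its reliability reads 0 %.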
<strong>System</strong> Notifications<br />
The <strong>System</strong> Notifications section looks like this:<br />
Using this section, you can configure e-mail notifications to be sent to a recipient’s<br />
e-mail address. There are the following options:<br />
• Send notification upon URL filter database update failure or category<br />
enhancements<br />
Enter the recipient for this notification in the Recipient input field.<br />
• Send notification upon AntiVirus engine and signature update failure<br />
Enter the recipient for this notification in the Recipient input field.<br />
• Send notification upon Anti Spam rule set update failure<br />
Enter the recipient for this notification in the Recipient input field.<br />
Furthermore, you can configure the following options for sending an SNMP<br />
trap:<br />
• Send an SNMP trap if a database update has been successful or<br />
was not required<br />
Clicking on the SNMP trap link will take you to a page where you can<br />
configure the settings for the trap sink, i. e. the SNMP recipient.<br />
• Send an SNMP trap if a database update failed<br />
Clicking on the SNMP trap link will take you to a page where you can<br />
configure the settings for the trap sink, i. e. the SNMP recipient.<br />
Mark the options for the notifications you want to be sent. Then click on Apply<br />
Changes to make your settings effective.<br />
To configure the settings for the server used to process notifications, click on<br />
the button labeled Edit Notification Mail Server.<br />
This will open a window where you can enter values for these settings.<br />
For a description of this window, see the Notification Settings Window subsection<br />
of 5.5.3.<br />
6.2.2<br />
URL Filter<br />
The URL Filter tab looks like this:<br />
There are four sections on this tab:<br />
• Current Status<br />
• Log File Contents<br />
• Automatic Update<br />
• Manual Update<br />
They are described in the following.
Current Status<br />
The Current Status section looks like this:<br />
This section shows the current status of the URL Filter Database. The following<br />
information is provided:<br />
• Database version<br />
Version of the URL Filter Database<br />
• Status<br />
Status of the URL Filter Database<br />
The following messages relate to the processing of the URL lists:<br />
— OK<br />
Everything is working.<br />
— Preparing URL lists<br />
Building lists internally.<br />
— Updating URL lists<br />
Incorporating incremental list in order to update.<br />
— Saving list<br />
An internal list was created and is being saved on the hard disk.<br />
— Error during update<br />
In this case, you need to look for a new list, or retry later on.<br />
— Unknown Error<br />
A failure of another type has occurred in one of the above processes.<br />
The following messages relate to the download of the update files:<br />
— Downloading files<br />
File download is in progress.<br />
— Server authentication failed<br />
This may be due to a licensing problem.<br />
— Error during file download<br />
An error stopped the files from downloading, retry later on.<br />
• Time of last update<br />
Time when the last update of the URL Filter Database was performed<br />
Log File Contents<br />
The Log File Contents section looks like this:<br />
It displays the last 10 lines of the URL Filter Database update log file.<br />
Automatic Update<br />
The Automatic Update section looks like this:<br />
Using this section, you can configure the time range for an automatic update<br />
of the URL Filter Database.<br />
Mark the checkbox provided here if you want to do this and fill in the input<br />
fields as required. After configuring these settings, click on Apply Changes<br />
to make them effective.
Use the following input fields to configure an automatic update:<br />
• Check and perform updates every ... hours<br />
In this input field, enter the number of hours that are to elapse before a new<br />
update is performed.<br />
• If update fails, repeat it after ... minutes.<br />
In this input field, enter the number of minutes for the retry interval.<br />
Manual Update<br />
The Manual Update section looks like this:<br />
This section allows you to perform a manual update of the URL Filter Database.<br />
Use the following items to perform this update:<br />
• Incremental update<br />
Check this radio button to update the incremental lists on demand without<br />
affecting the automatic update settings.<br />
• Full update<br />
Check this radio button to update the entire database from the Internet.<br />
• Local update from ’C:\Programme\<strong>Webwasher</strong> CSM\conf\smartfilter\’<br />
Check this radio button to manually update lists from another source, e. g.<br />
from a SmartFilter list that is located in a corresponding folder as displayed<br />
here.<br />
For this kind of update, you need to make sure that the list file itself, as well<br />
as a number of other files are stored in this folder.<br />
You need different kinds of files for a full and an incremental update:<br />
— For a full update, you need to store the following files in the SmartFilter<br />
folder:<br />
sfcontrol.download – This file contains the list for a full update.<br />
sfcontrol.download.info – Input in this file is optional. You may<br />
insert text providing information on the update in there.<br />
— For an incremental update, you need to store the following files in the<br />
SmartFilter folder:<br />
sfcontrol.download.info – Input in this file is optional. You may<br />
insert text providing information on the update in there.<br />
sfcontrol.download.current – This file must contain one single<br />
line of text stating the version of the SmartFilter list you want to<br />
update to.<br />
Furthermore, you need to store several incremental update files in this<br />
folder. They are all named sfcontrol.download.N, with N varying in the<br />
following way: The first update file carries the version number of the<br />
SmartFilter list that is currently used by <strong>Webwasher</strong>, increased by one.<br />
So if the current version is, e. g. 1000, you need a file named<br />
sfcontrol.download.1001.<br />
Then you need further update files, with the number increased by one each<br />
time, until you reach the number of the list version you want to update to.<br />
If you want to update to, e. g. version 1008, you need to store the update<br />
files sfcontrol.download.1001, sfcontrol.download.1002, and so on, until<br />
sfcontrol.download.1008.<br />
The complete list of incremental files would then look like this:<br />
sfcontrol.download.1001<br />
sfcontrol.download.1002<br />
sfcontrol.download.1003<br />
sfcontrol.download.1004<br />
sfcontrol.download.1005<br />
sfcontrol.download.1006<br />
sfcontrol.download.1007<br />
sfcontrol.download.1008<br />
• Do It Now<br />
After specifying the appropriate information using the items described<br />
above, click on this button to perform the manual update.<br />
6.2.3<br />
AV Engine<br />
The AV Engine tab looks like this:<br />
There are five sections on this tab:<br />
• Current Status<br />
• Log File Contents<br />
• ISTAG Change<br />
• Automatic Update<br />
• Restart<br />
They are described in the following.<br />
Current Status<br />
The Current Status section looks like this:<br />
This section shows the current status of the anti virus engines and signature<br />
files. The following information is provided:<br />
• Anti Virus Engine<br />
Versions of the anti virus engines that have been configured to run under<br />
<strong>Webwasher</strong>.<br />
• Update Status<br />
Status of the updates that have been performed for the anti virus engines.<br />
• Time of last update<br />
Time when the last update was performed for an anti virus engine.
Log File Contents<br />
The Log File Contents section looks like this:<br />
It displays the last 10 lines of the anti virus update log file.<br />
ISTAG Change<br />
The ISTAG Change section looks like this:<br />
It allows you to configure an ISTAG change to be performed after each update,<br />
which will lead to a clearing of the cache content.<br />
The ISTAG version is a kind of version number for an ICAP service. Whenever<br />
this version changes, the ICAP client no longer uses responses previously<br />
given by <strong>Webwasher</strong>, but asks again for each request and response.<br />
By changing the ISTAG after each update of the signature file, the ICAP client,<br />
e. g. a NetCache client, is told to clear all cached content after the update has<br />
been completed.<br />
If you want to have an ISTAG change performed, make sure the checkbox<br />
provided here is marked. It is marked by default.<br />
Automatic Update<br />
The Automatic Update section looks like this:<br />
Using this section, you can configure the time range for an automatic update of<br />
the anti virus signature file. <strong>Webwasher</strong> will check according to the configured<br />
range, whether a new version is available and will download this version if this<br />
is the case.<br />
The usage of the checkbox, input field and button provided here is as follows:<br />
• Check and perform updates every ... minutes<br />
Mark the checkbox provided here if you want to configure an automatic<br />
update. In the input field, enter the number of minutes that are to elapse<br />
before a new update is performed.<br />
• Do It Now<br />
Click on this button to perform the update immediately.<br />
Restart<br />
The Restart section looks like this:<br />
It provides the following button:<br />
• Restart AV Engine<br />
Click on this button to restart the anti virus engine after changing a local<br />
antivirus file.
6.2.4<br />
Spam Filter<br />
The Spam Filter tab looks like this:<br />
There are four sections on this tab:<br />
• Current Status<br />
• Log File Contents<br />
• Automatic Update<br />
• Manual Update<br />
They are described in the following.<br />
Current Status<br />
The Current Status section looks like this:<br />
This section shows the current status of the spam filter database. The following<br />
information is provided:<br />
• Database Version<br />
Version of the database containing the spam filter rules.<br />
• SpamCatcher Engine version<br />
Version of the engine used for spam filtering.<br />
• Status<br />
Status of the updates that have been performed for the spam filter rules.<br />
• Time of last update<br />
Time when the last update was performed for the spam filter rules.<br />
Log File Contents<br />
The Log File Contents section looks like this:<br />
It displays the last 10 lines of the spam filter rules update log file.<br />
Automatic Update<br />
The Automatic Update section looks like this:<br />
Using this section, you can configure the time range for an automatic update<br />
of the spam filter rules.
<strong>Webwasher</strong> will check according to the configured range, whether a new version<br />
is available and will download this version if this is the case.<br />
There is a checkbox provided here, which is labeled:<br />
• Check and perform updates every ... minutes<br />
Mark this checkbox if you want to configure an automatic update. In the<br />
input field, enter the number of minutes that are to elapse before a new<br />
update is performed.<br />
Manual Update<br />
The Manual Update section looks like this:<br />
Using this section, you can perform a manual update of the spam filter rules.<br />
The following buttons are provided in this section:<br />
• Incremental update<br />
Check this radio button to perform an incremental update of the spam filter<br />
rules.<br />
• Full update<br />
Check this radio button to perform a full update of the spam filter rules.<br />
• Local update from ’C:\Programme\<strong>Webwasher</strong> CSM\conf\spamequator\’<br />
Check this radio button to perform an update using the source specified<br />
here.<br />
• Do It Now<br />
Click on this button to perform the configured update option immediately.<br />
6–25
<strong>Configuration</strong><br />
6.2.5<br />
Proactive Scanning<br />
The Proactive Scanning tab looks like this:<br />
There are five sections on this tab:<br />
• Current Status<br />
• Log File Contents<br />
• ISTAG Change<br />
• Automatic Update<br />
• Manual Update<br />
They are described in the following.
Current Status<br />
The Current Status section looks like this:<br />
This section shows the current status of the Proactive Scanning database and<br />
its updates. This database holds the set of detection rules for the mobile code<br />
filter. These rules are applied to counter previously unknown mobile code that<br />
attempts to exploit vulnerabilities, as it emerges.<br />
The following information is provided in this section:<br />
• Version<br />
Version of the Proactive Scanning database.<br />
• Update Status<br />
Status of the updates that have been performed for the Proactive Scanning<br />
database.<br />
• Time of last update<br />
Time when the last update was performed for the Proactive Scanning database.<br />
Log File Contents<br />
The Log File Contents section looks like this:<br />
It displays the last 10 lines of the Proactive Scanning update log file.<br />
ISTAG Change<br />
The ISTAG Change section looks like this:<br />
It enables you to make sure that cached content on an ICAP client is invalidated<br />
after an update. The ISTAG method is used in ICAP communication to indicate<br />
significant changes.<br />
If you want to have an ISTAG change performed, mark the checkbox provided<br />
here and click on Apply Changes.<br />
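The ISTAG Change option described here and in the AV Engine section above is only useful if the ICAP client actually honours the tag. The script below is an added example, not Webwasher or NetCache code: it models the client side of that contract, a cache of scan verdicts that is bound to the ISTag value last seen from the ICAP server and is emptied as soon as a response carries a different tag, which is exactly what Webwasher triggers after a signature update when the checkbox is marked. The ICAP messages, the service name and the tag values are constructed samples; only the ISTag semantics (required on every ICAP response, a change invalidates all cached results) come from the ICAP specification.

```python
"""ICAP client-side cache invalidation driven by the ISTag header.

Added example, not Webwasher code. The ICAP responses are constructed; the
tag format and the rule that a changed ISTag invalidates cached results
follow RFC 3507.
"""

CRLF = "\r\n"


def parse_icap_head(raw):
    """Split an ICAP response head into (status_code, headers dict).

    Header names are case-insensitive, so they are lower-cased. Only the ICAP
    head is parsed; encapsulated HTTP sections after the blank line are ignored.
    """
    head, _, _body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    version, status, _reason = lines[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError(f"unexpected protocol line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers


class IcapVerdictCache:
    """Cache of scan verdicts, keyed by URL, bound to the server's ISTag."""

    def __init__(self):
        self.istag = None
        self.verdicts = {}
        self.invalidations = 0

    def observe(self, raw_response):
        """Feed every ICAP response through here before trusting its verdict."""
        status, headers = parse_icap_head(raw_response)
        tag = headers.get("istag")
        if tag is None:
            raise ValueError("ICAP response without ISTag header")
        if self.istag is not None and tag != self.istag:
            self.verdicts.clear()        # signatures changed: old verdicts are stale
            self.invalidations += 1
        self.istag = tag
        return status, headers

    def remember(self, url, verdict):
        self.verdicts[url] = verdict

    def lookup(self, url):
        return self.verdicts.get(url)


# Constructed sample messages: an OPTIONS reply before and after an update.
OPTIONS_BEFORE = (
    "ICAP/1.0 200 OK" + CRLF
    + "Methods: RESPMOD" + CRLF
    + 'ISTag: "AV-sig-20080601"' + CRLF
    + "Service: Webwasher AV (constructed sample)" + CRLF + CRLF
)
OPTIONS_AFTER = OPTIONS_BEFORE.replace("AV-sig-20080601", "AV-sig-20080602")
RESPMOD_CLEAN = (
    "ICAP/1.0 204 No Content" + CRLF
    + 'ISTag: "AV-sig-20080601"' + CRLF + CRLF
)


def demo():
    """Return (hit_before_update, hit_after_update, invalidations)."""
    cache = IcapVerdictCache()
    cache.observe(OPTIONS_BEFORE)
    cache.observe(RESPMOD_CLEAN)            # 204 = unmodified, i.e. clean
    cache.remember("http://example.test/a.exe", "clean")
    hit_before = cache.lookup("http://example.test/a.exe")
    cache.observe(OPTIONS_AFTER)            # signature update changed the tag
    hit_after = cache.lookup("http://example.test/a.exe")
    return hit_before, hit_after, cache.invalidations


if __name__ == "__main__":
    print(demo())
```

The point to verify on a real deployment is the second half of the exchange: after an update, the next OPTIONS or RESPMOD reply from Webwasher must carry a new ISTag, and a client that keeps serving old verdicts past that point is ignoring the tag.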
Automatic Update<br />
The Automatic Update section looks like this:<br />
Using this section, you can configure the time range for an automatic update<br />
of the Proactive Scanning database. <strong>Webwasher</strong> will check according to the<br />
configured range, whether a new version is available and will download this<br />
version if this is the case.<br />
Mark the checkbox provided here if you want to configure an automatic update.<br />
The usage of the input field and button below is as follows:<br />
• Check and perform updates every ... minutes<br />
In this input field enter the number of minutes that are to elapse before a<br />
new update is performed.<br />
• Do It Now<br />
Click on this button to perform the update immediately.
Manual Update<br />
The Manual Update section looks like this:<br />
Using this section, you can perform a manual update of the Proactive Scanning<br />
database.<br />
For this purpose, input fields and a button are provided in this section. Their<br />
usage and meaning are as follows:<br />
• Perform local update to version ... from<br />
In the upper input field after version, enter the version number that you<br />
want to update to. In the lower input field, enter the location of the file you<br />
want to use for the update.<br />
• Do It Now<br />
Click on this button to perform the configured update option immediately.<br />
6.2.6<br />
CRLs<br />
The CRLs tab looks like this:<br />
There are three sections on this tab:<br />
• Current Status<br />
• Log File Contents<br />
• Automatic Update<br />
They are described in the following.<br />
Current Status<br />
The Current Status section looks like this:<br />
This section shows the current status of the CRLs (Certificate Revocation Lists)<br />
update. The following information is provided:<br />
• Status<br />
Status of the CRLs updates.<br />
• Time of last update<br />
Time when the last CRLs update was performed.<br />
Log File Contents<br />
The Log File Contents section looks like this:<br />
It displays the last 10 lines of the CRLs update log file.
Automatic Update<br />
The Automatic Update section looks like this:<br />
Using this section, you can configure the time range for an automatic CRLs<br />
update. <strong>Webwasher</strong> will check according to the configured range, whether a<br />
new version is available and will download this version if this is the case.<br />
Mark the checkbox provided here if you want to configure an automatic update.<br />
The usage of the drop-down list and button below is as follows:<br />
• Daily at ... (local system time)<br />
From the drop-down list provided here, select an hour to specify a time for<br />
the daily update.<br />
• Do It Now<br />
Click on this button to perform the update immediately.<br />
6.3<br />
Central Management<br />
The Central Management options are invoked by clicking on the corresponding<br />
button under <strong>Configuration</strong>:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Node Settings, see 6.3.1<br />
• Master Settings, see 6.3.2<br />
• Site Settings, see 6.3.3<br />
6.3.1<br />
Node Settings<br />
The Node Settings tab looks like this:<br />
There are three sections on this tab:<br />
• Current Instance Status<br />
• Instance Role<br />
• Proxy Server Options<br />
They are described in the following.<br />
Current Instance Status<br />
The Current Instance Status section looks like this:<br />
In this section, information is displayed about the status of the current instance,<br />
i. e. the <strong>Webwasher</strong> instance you are presently configuring.<br />
You are told how this instance has been configured and if it has been configured<br />
correctly. The information is displayed with a square in green, yellow or<br />
orange color, and a message text.
A green square means that the instance has been configured correctly. A yellow<br />
or orange square means that there is something missing in the configuration,<br />
with the orange color indicating a more serious fault.<br />
Messages that can appear in this section are, e. g.:<br />
• Green square - This <strong>Webwasher</strong> instance is running as a standalone server<br />
• Green square - 2 site instances are subscribed at this master<br />
• Yellow square - No site instances are subscribed at this master<br />
• Orange square - The master of this site instance has not been configured<br />
or is unreachable<br />
Instance Role<br />
The Instance Role section looks like this:<br />
Using this section, you can configure a role for an instance of <strong>Webwasher</strong>.<br />
In a group of multiple servers (nodes) running <strong>Webwasher</strong> (called a "Cluster"),<br />
one <strong>Webwasher</strong> instance can act as the master instance, which means that<br />
all configuration changes are to be performed on this system. The other <strong>Webwasher</strong><br />
instances in this cluster can then be configured as site instances. Since<br />
site instances retrieve their configuration from the master, every configuration<br />
task you perform on the master instance is replicated to all site instances.<br />
In addition to the options of configuring <strong>Webwasher</strong> as a master or a site instance,<br />
you can configure it to take the role of a sub-master. A sub-master<br />
performs the roles of master and site instance at the same time. So, other site<br />
instances can subscribe themselves at a sub-master like they can at a master.<br />
Optionally, a sub-master can take over the role of the master in case the master<br />
goes offline, and there will be a failover of the <strong>Webwasher</strong> administration from<br />
the master to the sub-master as soon as this happens.<br />
Furthermore, you can configure <strong>Webwasher</strong> for running on a standalone<br />
server, i. e. a system that is not participating in a cluster at all.<br />
Note: You can exclude settings from being transferred from the master to the<br />
site instances, and also protect settings that have been configured on a site<br />
instance against being overwritten by settings transferred from the master. If<br />
settings on a site instance are protected in this way, they can only be changed<br />
on this instance.<br />
The meaning of the options provided in this section is as follows:<br />
• Yes, act as a cluster node of the following role:<br />
Configures this instance of <strong>Webwasher</strong> for running in a <strong>Webwasher</strong> cluster.<br />
— Master instance<br />
Configures this instance of <strong>Webwasher</strong> to run as a master.<br />
Take over sub-master’s configuration in case it has been<br />
changed while this master was offline<br />
Configures the taking over of <strong>Webwasher</strong> settings from a sub-master.<br />
— Site Instance<br />
Configures this instance of <strong>Webwasher</strong> to run as a site instance.<br />
— Sub-Master instance (act as both master and site)<br />
Configures this instance of <strong>Webwasher</strong> to run as a sub-master instance.<br />
Notify the parent master’s site instances whenever its availability<br />
changes<br />
Configures a notification to be sent to the site instances of the master<br />
whose role this sub-master is to take over. The notification will be sent<br />
each time the master goes offline or goes online again.<br />
• No, act as a standalone server<br />
Configures this instance of <strong>Webwasher</strong> for not running in a <strong>Webwasher</strong><br />
cluster.<br />
This is the default option.<br />
Check the options you want to configure for the current <strong>Webwasher</strong> instance.<br />
Then click on Apply Changes to make your settings effective.
Proxy Server Options<br />
The Proxy Server Options section looks like this:<br />
Using this section, you can specify whether a proxy server should be used for<br />
communication between this instance of <strong>Webwasher</strong> and its master instance<br />
(given it is a site instance), or its site instances (given it is a master instance).<br />
After specifying the appropriate settings click on Apply Changes to make<br />
them effective.<br />
Use the following items to configure a proxy server:<br />
• Do not use a proxy server<br />
No proxy server will be used and the instance will communicate directly<br />
with its master instance or its site instances.<br />
• Use next hop proxies as specified for ...<br />
The server that has been configured as Web proxy will be used as next<br />
hop proxy. This is the default option.<br />
Click on the link provided here to view or change the proxy server that has<br />
been configured so far.<br />
• (For using other next hop proxies)<br />
If you want to use other next hop proxies, check this radio button and configure<br />
them here. To do this, proceed as follows:<br />
From the drop-down list select the connection mode. The following modes<br />
are available:<br />
— none<br />
In this mode, no proxy is used.<br />
— specific<br />
In this mode, one specific proxy is used, which is specified in the input<br />
field next to this drop-down list.<br />
— failover<br />
In this mode, the first of the proxies specified in the input field next to<br />
this drop-down list is also tried first.<br />
If it fails, it will be retried until the configured retry maximum has been<br />
reached. Then the second proxy is tried, and so on.<br />
— round robin<br />
In this mode, the proxy is used that is next to the one that was used<br />
last.<br />
If the last proxy has been reached among those that were specified,<br />
selection of proxies will restart from the beginning.<br />
In the input field next to the drop-down list, enter the next hop proxy or proxies<br />
that should be used. To do this, type their names or select an entry from the<br />
drop-down list to the right. If you want to use more than one proxy, repeat the<br />
selection.<br />
The drop-down list should show select one to add as its topmost entry. If<br />
no next hop proxies have been configured yet, the topmost entry reads no<br />
proxies defined.<br />
To configure next hop proxies, click on the button labeled Define Next Hop<br />
Proxies. This will open a window for configuring these proxies.<br />
The window is described in the subsection below.<br />
Available Proxies<br />
The section in this window allows you to configure next hop proxies for all kinds<br />
of connections. These will then be available for selection on the Use Next Hop<br />
Proxies tab.<br />
After specifying the appropriate settings for a next hop proxy, it is added to the<br />
list of available next proxies by clicking on the Add button.<br />
The list is displayed at the bottom of the section. You can modify the settings<br />
for each proxy that is shown in the list.<br />
Use the following items for configuring available next hop proxies:<br />
• Name<br />
In this input field, enter the name of the next hop proxy you want to configure.<br />
If you leave the field empty, a name will be generated by <strong>Webwasher</strong>,<br />
e. g. pxy1, and inserted in this field after clicking on the Add button.
The name can be modified after the new proxy has been included in the<br />
list.<br />
• Proxy server address<br />
In the input fields provided here, enter the address of the server you want<br />
to make available as next hop proxy:<br />
— Host<br />
Enter the IP address or URL of this server here.<br />
— Port<br />
Enter the port number of the port for connecting to this server here.<br />
• Proxy authorization<br />
In the input fields provided here, enter the credentials that <strong>Webwasher</strong><br />
should use for authentication at the next hop proxy:<br />
— Username<br />
Enter the user name for the proxy account here.<br />
— Password<br />
Enter the password here.<br />
• Retry . . . times on failure for this proxy<br />
From the drop-down list provided here, select the number of retries you<br />
want to configure for a next hop proxy. You can configure up to three retries.<br />
When the maximum number of retries has been reached, <strong>Webwasher</strong><br />
will try to establish a connection using another next hop proxy, according<br />
to what has been configured on the Use Next Hop Proxies tab, e. g.<br />
failover or round robin.<br />
• Do not retry proxy for . . . minutes when it has reached . . .<br />
times within 10 seconds its maximum number of retries<br />
In the input fields provided here, enter the time information that will cause<br />
a connection break, i. e. an interval during which <strong>Webwasher</strong> will not retry<br />
a next hop proxy after a connection to it could not be established in a given<br />
situation.<br />
In the first input field, enter the time (in minutes) that the connection break<br />
should last.<br />
In the second input field, specify how often the maximum number of retries<br />
must have been reached within 10 seconds before the connection break is<br />
started.<br />
• Add<br />
After specifying the appropriate information for the server you want to make<br />
available as next hop proxy, click on this button to add it to the list of available<br />
next hop proxies.<br />
The list of available next hop proxies is displayed at the bottom of this section.<br />
For each entry, it provides the information that is specified when a new entry<br />
is added. Furthermore statistical figures are displayed on the reliability of next<br />
hop proxies.<br />
You can edit list entries, delete them and reset the statistics.<br />
To display only a particular number of entries at a time, type this number in the<br />
input field labeled Number of entries per page and enter it using the Enter<br />
key of your keyboard. If the number of entries is higher than this number, the<br />
remaining entries are shown on successive pages. A page indicator is then<br />
displayed, where you can select a particular page by clicking on the appropriate<br />
arrow symbols.<br />
To edit an entry, click on the View Details and Edit link in the same line. This<br />
will reopen the window and this section with the information concerning the<br />
next hop proxy in question, so you can modify it.<br />
After completing the modification, click on the Modify button, which is provided<br />
now instead of the Add button, to make it effective. If you want to clear the<br />
information before modifying the settings for a next hop proxy, click on the<br />
Clear Input button.<br />
Apart from the information that was specified when a new entry was added to<br />
the list, such as the proxy name and address, the list displays statistical figures<br />
on the reliability of each next hop proxy.<br />
The following information is provided in the columns of the list:<br />
• reliability<br />
Reliability of a next hop proxy<br />
The reliability is calculated as the percentage of attempts to establish a<br />
connection to the next hop proxy that were successful in relation to the<br />
overall number of attempts.<br />
• tried<br />
Number of times that <strong>Webwasher</strong> tried to establish a connection to a proxy<br />
• failed<br />
Number of times that an attempt by <strong>Webwasher</strong> to establish a connection<br />
to a proxy failed
• last fail<br />
Date and time of the last time that an attempt by <strong>Webwasher</strong> to establish<br />
a connection to a proxy failed<br />
• do not retry reached<br />
Date and time of the last time that a situation was reached where <strong>Webwasher</strong><br />
did not retry a next hop proxy over a given period of time.<br />
The length of this period depends on what you configured under Do not<br />
retry proxy for . . . minutes when it has reached . . . times<br />
within 10 seconds its maximum number of retries, see above.<br />
If the do not retry situation is still on, i. e. <strong>Webwasher</strong> will currently not retry<br />
the next hop proxy in question, the date and time values are displayed in<br />
red.<br />
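The connection modes (none, specific, failover, round robin), the per-proxy retry limit, the do not retry break and the reliability statistics described on this tab interact in ways that are easier to see in running code. The following is an added example and not Webwasher code: the selection and bookkeeping rules are taken from the guide's text (retry a proxy up to its maximum, then move to the next one according to the mode; suspend a proxy for the configured minutes once its retry maximum has been hit the configured number of times within 10 seconds; reliability as successful attempts over all attempts), while the classes, the attempt() callback standing in for the real connection and the injectable clock() are assumptions so that the logic runs offline with a constructed scenario.

```python
"""Next hop proxy selection with failover, round robin, per-proxy retries and
the "do not retry" break, following the rules the guide gives for the Use Next
Hop Proxies options. Added example, not Webwasher code: the classes, the
attempt() callback and the clock() function are assumptions made so the
logic runs offline.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

BREAK_WINDOW_SECONDS = 10.0   # the guide's fixed "... times within 10 seconds" window


@dataclass
class NextHopProxy:
    name: str
    host: str
    port: int
    max_retries: int = 1           # "Retry ... times on failure": 0..3 in the guide
    break_minutes: float = 5.0     # "Do not retry proxy for ... minutes"
    break_threshold: int = 2       # "... when it has reached ... times within 10 seconds"
    # statistics shown in the Available Proxies list
    tried: int = 0
    failed: int = 0
    last_fail: Optional[float] = None
    do_not_retry_reached: Optional[float] = None
    blocked_until: float = 0.0
    exhaustions: deque = field(default_factory=deque)   # times "max retries reached"

    def reliability(self):
        """Successful attempts as a percentage of all attempts (None if never tried)."""
        if self.tried == 0:
            return None
        return 100.0 * (self.tried - self.failed) / self.tried

    def in_break(self, now):
        return now < self.blocked_until

    def record_exhausted(self, now):
        """Maximum retries reached once more; start the break when the threshold is hit."""
        self.exhaustions.append(now)
        while self.exhaustions and now - self.exhaustions[0] > BREAK_WINDOW_SECONDS:
            self.exhaustions.popleft()
        if len(self.exhaustions) >= self.break_threshold:
            self.blocked_until = now + self.break_minutes * 60
            self.do_not_retry_reached = now     # shown in red while the break lasts
            self.exhaustions.clear()


class NextHopSelector:
    """Chooses the next hop proxy for one connection according to the mode."""

    MODES = ("none", "specific", "failover", "round robin")

    def __init__(self, mode, proxies, attempt, clock):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        if mode == "specific" and len(proxies) != 1:
            raise ValueError("mode 'specific' takes exactly one proxy")
        self.mode, self.proxies = mode, list(proxies)
        self.attempt = attempt    # attempt(proxy) -> bool stands in for the real connect
        self.clock = clock        # clock() -> seconds, injectable for testing
        self._last_index = -1     # round robin: index of the proxy used last

    def _candidates(self):
        if self.mode == "none":
            return []
        if self.mode in ("specific", "failover"):
            return list(self.proxies)           # failover: first entry is tried first
        n = len(self.proxies)                   # round robin: continue after the last one
        start = (self._last_index + 1) % n
        return [self.proxies[(start + i) % n] for i in range(n)]

    def _try_proxy(self, proxy):
        """Initial attempt plus up to max_retries retries against one proxy."""
        for _ in range(1 + proxy.max_retries):
            now = self.clock()
            proxy.tried += 1
            if self.attempt(proxy):
                return True
            proxy.failed += 1
            proxy.last_fail = now
        proxy.record_exhausted(self.clock())
        return False

    def connect(self):
        """Return the name of the proxy that worked, None for a direct connection."""
        candidates = self._candidates()
        if not candidates:
            return None
        for proxy in candidates:
            if proxy.in_break(self.clock()):
                continue                        # not retried until its break is over
            self._last_index = self.proxies.index(proxy)
            if self._try_proxy(proxy):
                return proxy.name
        raise ConnectionError("no next hop proxy reachable")


def demo_failover():
    """Constructed run: proxy A is dead, B healthy, failover mode, 0.5 s per clock tick."""
    t = [0.0]

    def clock():
        t[0] += 0.5
        return t[0]

    a = NextHopProxy("A", "10.0.0.1", 8080, max_retries=1, break_minutes=5, break_threshold=2)
    b = NextHopProxy("B", "10.0.0.2", 8080, max_retries=1)
    sel = NextHopSelector("failover", [a, b], attempt=lambda p: p.name == "B", clock=clock)
    return [sel.connect() for _ in range(3)], a, b


if __name__ == "__main__":
    used, a, b = demo_failover()
    print(used, a.reliability(), b.reliability(), a.do_not_retry_reached)
```

In the constructed run, the dead proxy A costs two attempts on each of the first two connections, hits its retry maximum twice within the 10 second window and is then skipped for five minutes, so the third connection goes straight to B; the reliability column for A reads 0 percent and its do not retry reached timestamp is set. One detail worth noting when sizing the break: while a proxy is in its break it is never probed, so recovery is only noticed after the configured minutes have elapsed.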
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input fields above the Name, Proxy or Port<br />
columns or in a combination of them and enter this using the Enter key of<br />
your keyboard. The list will then display only entries matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Reset Statistics<br />
Click on this button to reset the statistical figures shown in the list for reliability<br />
of next hop proxies.<br />
• Reset do not retry<br />
Click on this button to reset the statistics only for the do not retry reached<br />
parameter, see above.<br />
To return to the Next Hop Proxies tab, click on the Close button.<br />
The next hop proxy you added to the list, will also appear and be available in<br />
the list of next hop proxies, which is displayed at the bottom of the Use Next<br />
Hop Proxies section on that tab.<br />
6.3.2<br />
Master Settings<br />
The Master Settings tab looks like this:<br />
There are three sections on this tab:<br />
• Local Master Settings<br />
• Allow Incompatible Site Versions<br />
• List of Subscribed Sites<br />
They are described in the following.
Local Master Settings<br />
The Local Master Settings section looks like this:<br />
Using this section, you can specify the settings that will not be replicated from<br />
the master to the site instances.<br />
When running several instances of <strong>Webwasher</strong>, you can apply configuration<br />
changes on just one instance, i. e. the master instance, while changes will be<br />
replicated to all the instances that have subscribed to the master instance, i.<br />
e. the site instances.<br />
Whenever you perform an action using the Web interface of the master instance,<br />
a corresponding action is performed on each site instance. Thus all<br />
settings are applied to these instances, unless they are configured to be excluded<br />
from this procedure.<br />
Note that settings related to licensing, the master/site configuration itself, and<br />
Web interface passwords are never replicated to site instances.<br />
Mark the checkboxes for the settings you do not want to be replicated. Then<br />
click on Apply Changes to make this configuration effective.<br />
Allow Incompatible Site Versions<br />
The section labeled Allow Incompatible Site Versions looks like this:<br />
Using this section, you can specify that site instances in a cluster are allowed<br />
to subscribe at the master even if they are running a <strong>Webwasher</strong> version that is<br />
older or newer than the one running currently on the master, e. g. <strong>Webwasher</strong><br />
6.5.0.<br />
By default, the master does not allow sites that are incompatible in this sense.<br />
The default is set this way because synchronizing the configuration of the master<br />
to that of a site might damage the configuration of this site.<br />
A site is incompatible as soon as the <strong>Webwasher</strong> version running on it differs<br />
from the master’s version on a major, medium, or minor level. So, a 6.5.1<br />
version would make the site in question incompatible to a master running 6.5.0.<br />
To allow incompatible site versions, mark the checkbox next to the section<br />
heading. Then click on Apply Changes to make this setting effective.<br />
List of Subscribed Sites<br />
The List of Subscribed Sites section looks like this:<br />
This section lists all the site instances that have subscribed to the master instance.<br />
Any changes effected on the master instance will simultaneously be applied to<br />
these instances.<br />
Site instances will not appear in this list whenever the master is unable to log<br />
on to these sites.
6.3.3<br />
Site Settings<br />
The Site Settings tab looks like this:<br />
There are four sections on this tab:<br />
• Master Instance Addresses<br />
• Authentication<br />
• Contact Interval<br />
• Local Site Settings<br />
They are described in the following.<br />
Master Instance Addresses<br />
The Master Instance Addresses section looks like this:<br />
In order to obtain settings from the <strong>Webwasher</strong> master instance for a site instance,<br />
you need to specify the master instance in this section. You can specify<br />
more than one master instance.<br />
The meaning of the input fields and the checkbox provided for this purpose is<br />
as follows:<br />
• Host Names or IPs<br />
Name or IP address of the master instance. More than one instance may<br />
be entered here. The format is:<br />
(Host|IP)[,(Host|IP)]*<br />
• Web interface port<br />
Port number of the host that is to be the master instance. The default port<br />
number is 0.<br />
• Use HTTPS to communicate with the master instance<br />
Enable this option if you have configured HTTPS connections to be used<br />
for communication between master and site instances.<br />
After configuring these settings, click on Apply Changes to make them effective.
Authentication<br />
The Authentication section looks like this:<br />
Since site instances need to authenticate themselves as admin, which is the<br />
administrator account of the master instance when subscribing for change notifications,<br />
the admin password of the master instance must be configured on<br />
the individual site instances as well.<br />
To allow the master instance to log back on to a site instance whenever there<br />
is a configuration activity on the master instance, the admin password of the<br />
site instance is sent to the master instance, along with the subscription. It is<br />
sent in encrypted form, but you should nevertheless enable Use HTTPS to<br />
communicate with the master instance (see above), so that the whole<br />
subscription exchange is protected in transit as well.<br />
Specify a password for the admin accounts on both the master and the site<br />
instance. Then click Apply Changes to make these settings effective.<br />
Contact Interval<br />
The Contact Interval section looks like this:<br />
Using this section, you can configure a time interval for reconnecting to the<br />
master instance, should the master instance be down or unavailable for any<br />
reason.<br />
Furthermore, you can configure a time interval for requesting a configuration<br />
update from the master instance.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following input fields to configure these intervals:<br />
• Contact master instance every ... minutes<br />
Enter the time interval (in minutes) here that should elapse before the site<br />
instance contacts the master again.<br />
• Request the whole configuration every ... minutes from master<br />
Enter the time interval (in minutes) here that should elapse before the site<br />
instance requests an update of the configuration settings from the master.<br />
The value that you enter is rounded to a multiple of the value you entered<br />
under Contact master instance every ... minutes.<br />
The minimum value is 30 minutes. Enter 0 to let the site never request a<br />
configuration update from the master.<br />
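As an added illustration of the two rules above (the (Host|IP)[,(Host|IP)]* format of the master address list and the rounding of the configuration request interval), here is a small Python validator. It is not part of this guide or of the Webwasher software; the function names are invented, and it assumes that "Host" means an ordinary DNS host name and that the rounding goes up to the next multiple of the contact interval, which the guide does not specify.

```python
"""Validation helpers for the Site Settings tab (added example).

Not part of the Webwasher guide or product. Encodes the rules stated in the
text: the master address list has the form (Host|IP)[,(Host|IP)]*, the
configuration request interval is a multiple of the contact interval, its
minimum is 30 minutes and 0 disables it. Rounding direction (up to the next
multiple) is an assumption; the guide only says the value is rounded.
"""
import ipaddress
import math
import re

# Assumption: "Host" is an ordinary DNS name (RFC 1123 style labels).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(value: str) -> bool:
    """True if value looks like a DNS host name (labels 1-63 chars, no leading/trailing '-')."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def is_ip(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_master_instances(field: str) -> list[str]:
    """Parse the 'Host Names or IPs' field: (Host|IP)[,(Host|IP)]*.

    Returns the list of entries; raises ValueError on an empty list, an
    empty entry, or an entry that is neither a host name nor an IP address.
    """
    if not field.strip():
        raise ValueError("at least one master instance is required")
    entries = [e.strip() for e in field.split(",")]
    for e in entries:
        if not e:
            raise ValueError("empty entry in master instance list")
        if not (is_ip(e) or is_hostname(e)):
            raise ValueError(f"not a host name or IP address: {e!r}")
    return entries


def is_valid_master_list(field: str) -> bool:
    """Boolean wrapper around parse_master_instances()."""
    try:
        parse_master_instances(field)
        return True
    except ValueError:
        return False


def effective_request_interval(contact_every: int, request_every: int) -> int:
    """Return the interval actually used for full configuration requests.

    0 means 'never request'; otherwise the value is raised to at least 30
    minutes and rounded up to a multiple of the contact interval (assumption).
    """
    if contact_every <= 0:
        raise ValueError("contact interval must be a positive number of minutes")
    if request_every < 0:
        raise ValueError("request interval must not be negative")
    if request_every == 0:
        return 0
    value = max(request_every, 30)
    return math.ceil(value / contact_every) * contact_every


if __name__ == "__main__":
    # Constructed sample values.
    print(parse_master_instances("master1.example.com, 10.150.34.101"))
    print(effective_request_interval(7, 30))
```

The boolean wrapper is what a form handler would call before writing the field; the parser itself keeps the precise reason for rejection in the exception message.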
Local Site Settings<br />
The Local Site Settings section looks like this:<br />
Using this section, you can specify the settings that a site instance should not<br />
retrieve from its master instance.<br />
Note that settings related to licensing, the master/site configuration itself, and<br />
Web interface passwords are never retrieved from the master instance.<br />
Mark the checkboxes for the settings you do not want to be obtained from the<br />
master instance. Then click on Apply Changes to make this configuration<br />
effective.
6.4<br />
Appliance<br />
The Appliance options are invoked by clicking on the corresponding button<br />
under <strong>Configuration</strong>:<br />
Note that these options are only available in an appliance version of <strong>Webwasher</strong>.<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• General, see 6.4.1<br />
• Interfaces, see 6.4.2<br />
• Routes, see 6.4.3<br />
• Time and Date, see 6.4.4<br />
• Reboot/Shutdown, see 6.4.5<br />
• Update, see 6.4.6<br />
• High Availability, see 6.4.7<br />
6.4.1<br />
General<br />
The General tab looks like this:<br />
There is one section on this tab:<br />
• General<br />
It is described in the following.<br />
General<br />
The General section looks like this:<br />
It allows you to configure some general settings for an appliance.
After modifying these settings, you need to commit them and reboot the appliance<br />
in order to make the modification effective.<br />
For this purpose, corresponding buttons are provided on the Commit Settings<br />
tab.<br />
Use the following items to configure the general settings:<br />
• Host Name<br />
Name of a <strong>Webwasher</strong> appliance<br />
• Default Gateway IP Address<br />
IP address of the network gateway that a <strong>Webwasher</strong> appliance has been<br />
configured for<br />
• First Name Server<br />
IP address of the first name server that is used by a <strong>Webwasher</strong> appliance<br />
• Second Name Server<br />
IP address of the second name server that is used by a <strong>Webwasher</strong> appliance<br />
The second name server will be used as a fallback system in case the first<br />
name server is not available for some reason or other.<br />
6.4.2<br />
Interfaces<br />
The Interfaces tab looks like this:<br />
There is one section on this tab:<br />
• Network Interfaces<br />
It is described in the following.<br />
Network Interfaces<br />
The Network Interfaces section looks like this:
It allows you to configure and activate the network interfaces within your system.<br />
After specifying the appropriate settings for these interfaces, you need to commit<br />
them and reboot the appliance in order to make them effective.<br />
For this purpose, corresponding buttons are provided on the Commit Settings<br />
tab.<br />
Use the following checkboxes and input fields to configure the network interfaces:<br />
• Activate<br />
If you want to activate a particular interface, mark this checkbox in the<br />
corresponding line.<br />
• IP Address<br />
In this input field, enter the IP address for the corresponding interface.<br />
• Network Mask<br />
In this input field, enter the network mask for the corresponding interface.<br />
• Media<br />
If you want to use a media option for a particular interface, enter it in this<br />
field.<br />
You should, however, do this only if you are sure that it will have no unforeseen<br />
impact on your configuration.<br />
The following media types are available as options:<br />
— 100baseT4<br />
— 100baseTx-FD<br />
— 100baseTx-HD<br />
— 10baseT-FD<br />
— 10baseT-HD<br />
• Description<br />
Use this input field to enter a text describing the interface in the same line.<br />
Input in this field is optional.<br />
6.4.3<br />
Routes<br />
The Routes tab looks like this:<br />
There is one section on this tab:<br />
• Static Routes<br />
It is described in the following.<br />
Static Routes<br />
The Static Routes section looks like this:
It allows you to configure static routes for communication towards particular<br />
destinations via particular gateways and interfaces. After specifying the values<br />
for a new static route, you add it to a list of routes.<br />
If you want to configure a static route as default route, you need to enter the<br />
corresponding gateway address in the Default Gateway IP Address input<br />
field on the General tab.<br />
You should also make sure that you configure static routes only if really needed.<br />
With an incorrectly configured route, it may be impossible to connect to the appliance<br />
over the network. In this case you would have to log in at the appliance<br />
directly in order to correct a configuration error.<br />
After adding a route to the list, you need to commit these settings and reboot<br />
the appliance in order to make the settings effective.<br />
For this purpose, corresponding buttons are provided on the Commit Settings<br />
tab.<br />
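The warning above is worth a check before a route is added and the appliance is rebooted. The following Python snippet is an added example, not part of this guide or of the appliance software; it models the per-interface IP address and network mask from the Interfaces tab and the Destination, Gateway and Interface fields of a static route, and reports the mistakes that typically lock an administrator out: a gateway that is not on the selected interface's subnet, a route that covers the host the appliance is administered from, an on-link destination routed through a gateway, and a default route entered here instead of on the General tab. Interface names, addresses and the administrator's host are constructed sample values; IPv4 is assumed.

```python
"""Pre-commit sanity check for a static route (added example).

Not part of the Webwasher guide or product. Models the Interfaces tab
(IP address / network mask per interface) and a Routes tab entry, and
flags configurations that would commonly make the appliance unreachable
over the network. All names and addresses are constructed; IPv4 only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    ip: str
    netmask: str

    @property
    def network(self) -> ipaddress.IPv4Network:
        # "10.150.34.10/255.255.255.0" -> 10.150.34.0/24
        return ipaddress.IPv4Interface(f"{self.ip}/{self.netmask}").network


@dataclass(frozen=True)
class StaticRoute:
    destination: str   # host address or network in CIDR notation
    gateway: str
    interface: str


# Constructed sample: two appliance interfaces and the host the Web
# interface is administered from.
SAMPLE_INTERFACES = {
    "eth0": Interface("eth0", "10.150.34.10", "255.255.255.0"),
    "eth1": Interface("eth1", "192.168.5.10", "255.255.255.0"),
}
ADMIN_HOST = "10.150.34.200"


def check_static_route(route: StaticRoute, interfaces: dict[str, Interface],
                       admin_host: str) -> list[str]:
    """Return a list of problems; an empty list means the route looks sane."""
    iface = interfaces.get(route.interface)
    if iface is None:
        return [f"unknown interface {route.interface!r}"]

    problems = []
    gw = ipaddress.IPv4Address(route.gateway)
    dest = ipaddress.IPv4Network(route.destination, strict=False)

    # 1. The gateway must be on-link for the chosen interface, otherwise the
    #    kernel cannot install the route at all.
    if gw not in iface.network:
        problems.append(f"gateway {gw} is not on {iface.name} ({iface.network})")

    # 2. A destination that is already on-link does not need a gateway;
    #    this is usually a typo in the destination or the interface.
    if dest.subnet_of(iface.network):
        problems.append(f"destination {dest} is already on-link via {iface.name}")

    # 3. A route covering the administrator's host changes the return path of
    #    management traffic; if the gateway is wrong, the Web interface is lost.
    if ipaddress.IPv4Address(admin_host) in dest:
        problems.append(f"route {dest} covers the management host {admin_host}")

    # 4. The default route belongs in 'Default Gateway IP Address' on the
    #    General tab, not in the static route list.
    if dest.prefixlen == 0:
        problems.append("default route: use Default Gateway IP Address on the General tab")
    return problems


if __name__ == "__main__":
    ok = StaticRoute("10.20.0.0/16", "192.168.5.1", "eth1")
    bad = StaticRoute("10.150.0.0/16", "192.168.5.1", "eth0")
    print("ok :", check_static_route(ok, SAMPLE_INTERFACES, ADMIN_HOST))
    print("bad:", check_static_route(bad, SAMPLE_INTERFACES, ADMIN_HOST))
```

Running the check from an administrator's workstation before clicking Add Route and Reboot costs nothing; correcting the same mistake after the reboot means a trip to the console.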
Use the following items to configure static routes:<br />
• Destination<br />
In this input field, add the IP address of a destination.<br />
• Gateway<br />
In this input field, add the IP address of the gateway that should be used<br />
to reach the destination.<br />
• Interface<br />
From this drop-down list, select an interface on the gateway that is used to<br />
reach the destination.<br />
• Description<br />
In this input field, you can enter a text describing the static route.<br />
Input in this field is optional.<br />
• Add Route<br />
After specifying the appropriate information in the fields above, click on this<br />
button to add the new static route to the list.<br />
The list is displayed at the bottom of this section.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using the<br />
Enter key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an entry, type the appropriate text in the input fields of the Destination,<br />
Gateway, or Description columns, or select an interface from the Interface<br />
drop-down list.<br />
Then click on Apply Changes to make these settings effective. You can edit<br />
more than one entry and make the changes effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filtering term in the input field of the Destination column and enter<br />
it using the Enter key of your keyboard. The list will then display only route<br />
entries matching the filter.<br />
• Delete Selected<br />
Select the route entry you wish to delete by marking the Select checkbox<br />
next to it and click on this button. You can delete more than one entry in<br />
one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
6.4.4<br />
Time and Date<br />
The Time and Date tab looks like this:
There is one section on this tab:<br />
• Time and Date<br />
It is described in the following.<br />
Time and Date<br />
The Time and Date section looks like this:<br />
It allows you to configure the system time for your appliance. You can set a<br />
date, a time and a timezone. Furthermore, you can configure the use of NTP<br />
for determining the system time of your appliance.<br />
The current system time is displayed at the top of this section. By default, the<br />
UTC timezone is used.<br />
After modifying these settings, you need to commit them and reboot the appliance<br />
in order to make the modification effective.<br />
For this purpose, corresponding buttons are provided on the Commit Settings<br />
tab.<br />
Use the following items to configure the system time:<br />
• Set manually<br />
If you want to set the system time of your appliance manually, make sure<br />
the radio button provided here is checked. The radio button is checked by<br />
default.<br />
Then use the items in this area for a manual setting of date and time:<br />
— New <strong>System</strong> Date<br />
Select a month, a day, and a year from the drop-down lists provided<br />
here. Then click on the Set button in the same line.<br />
Note that the new system date is then set immediately and no rebooting<br />
of the appliance is required.<br />
— New <strong>System</strong> Time<br />
Select an hour, a minute, and a second from the drop-down lists provided<br />
here. Then click on the Set button in the same line.<br />
Note that the new system time is then set immediately and no rebooting<br />
of the appliance is required.<br />
Note that the 24-hour format is used here (1 p.m. = 13:00).<br />
• Use NTP to synchronize system time<br />
If you want to synchronize the system time of your appliance with NTP<br />
time, check the radio button provided here. Then use the following items<br />
for NTP synchronization:<br />
— Primary NTP<br />
In this input field enter the primary NTP system.<br />
— Secondary NTP<br />
In this input field enter the secondary NTP system.<br />
— Select Timezone<br />
From the drop-down list provided here, select the timezone that should<br />
be valid for the system time of your appliance.<br />
Then click on Apply Changes to make this setting effective. Note that<br />
no rebooting of the appliance is required in this case.
6.4.5<br />
Reboot/Shutdown<br />
The Reboot/Shutdown tab looks like this:<br />
There is one section on this tab:<br />
• Commit Settings<br />
It is described in the following.<br />
Commit Settings<br />
The Commit Settings section looks like this:<br />
It allows you to reboot or shut down an appliance. If an appliance is running in<br />
a cluster of <strong>Webwasher</strong> appliances, you can perform a reboot or shutdown for<br />
all cluster members.<br />
Performing a reboot will also make the settings effective that you have configured<br />
prior to this reboot. The same will happen when you shut down the<br />
appliance.<br />
Use the following buttons to perform these activities:<br />
• Reboot<br />
Click on this button to reboot an appliance.<br />
The appliance will then go into the munix mode to apply the settings to<br />
the system and to reinitialize the RSBAC settings.<br />
Mark the Send to cluster checkbox before clicking on this button if you<br />
want to reboot all <strong>Webwasher</strong> appliances in a cluster.<br />
• Shutdown<br />
Click on this button to shut down an appliance.<br />
Mark the Send to cluster checkbox before clicking on this button if you<br />
want to shut down all <strong>Webwasher</strong> appliances in a cluster.<br />
6.4.6<br />
Update<br />
The Update tab looks like this:<br />
There are three sections on this tab:<br />
• Status<br />
• Check for Updates<br />
• Update Log<br />
They are described in the following.
Status<br />
The Status section looks like this:<br />
It displays information on the status of the appliance, including the update status.<br />
The following display fields are provided in this section:<br />
• Appliance Version<br />
Current version of an appliance<br />
• Update Status<br />
Status of the update activities for an appliance<br />
Check for Updates<br />
The Check for Updates section looks like this:<br />
It allows you to contact the update server and view the new software versions<br />
that are currently available.<br />
<strong>Webwasher</strong> provides an update server with a directory structure enabling an<br />
appliance to scan for available updates. To connect to this server, the following<br />
path may be used:<br />
https://appliance.webwasher.com/update<br />
To view new software versions on this server, click on the Contact button:<br />
If no new versions are available, it means that no update is needed for the<br />
appliance. In other words, the appliance is up to date.<br />
A corresponding message is then displayed in the Status section on the upper<br />
part of the tab:<br />
If the search results in finding new versions, these will be shown in the Update<br />
Search Results section, which is then displayed on the tab:<br />
The results are listed in the following field:<br />
• Appliance Change Log<br />
The field lists the search results for new versions of software packages that<br />
are part of the appliance software, e. g. kernel.<br />
For each new version of a software package, the features and fixes are<br />
listed that are new in this package compared to the version of the package<br />
currently installed on the appliance.<br />
If a new version of the <strong>Webwasher</strong> application software was found, its new<br />
features and fixes are shown together with the information on other packages.<br />
If the search for new software versions shows that there are actually such versions,<br />
you can download and install them.
For this purpose, the Update Appliance section is then displayed on the tab,<br />
providing a button labeled Download and Install:<br />
To download and install the new versions, click on this button.<br />
If the appliance is running in a cluster of <strong>Webwasher</strong> appliances, you can install<br />
the new versions on all cluster members.<br />
To do this, mark the checkbox labeled Send to cluster before clicking on the<br />
button.<br />
The new versions will be installed on all members of the cluster. If a new<br />
version of a software package already exists on a cluster member, however,<br />
no update will be performed for this package.<br />
After clicking on the button, the Downloading New Version section is displayed<br />
on the tab:<br />
It informs you about the status of the download process.<br />
After this process is completed, the appliance reboots itself. With this reboot,<br />
the new software versions are installed on the appliance.<br />
Any update activities that were performed in this way are logged and displayed<br />
in the Update Log section at the bottom of the tab.<br />
Update Log<br />
The Update Log section looks like this:<br />
It displays the last ten lines of the appliance update log file. This file records<br />
any update activities that were performed for an appliance.<br />
6.4.7<br />
High Availability<br />
The High Availability tab looks like this:<br />
There are three sections on this tab:<br />
• Cluster Status<br />
• Heartbeat<br />
• Cluster IP
They are described in the following.<br />
Furthermore, there is a subsection describing the removal of a node when<br />
there is another node with the same name in the high-availability cluster:<br />
• Removing a Stale Node From the Cluster Information Database<br />
This subsection follows the one on the Heartbeat feature.<br />
Another subsection provides a sample procedure for setting up a high-availability<br />
cluster for two instances of <strong>Webwasher</strong>:<br />
• Configuring Two Nodes in a High-Availability Cluster<br />
It follows the Cluster IP subsection.<br />
Cluster Status<br />
The Cluster Status section looks like this:<br />
This section displays the status of the high-availability cluster that the <strong>Webwasher</strong><br />
appliance you are presently configuring belongs to.<br />
Status information is provided on:<br />
• The number of nodes in the high-availability cluster that are currently online<br />
• The number of resources that have been configured for the high-availability<br />
cluster<br />
Heartbeat<br />
The Heartbeat section looks like this:<br />
Using this section, you can configure the settings of the Heartbeat daemon.<br />
This daemon is the core of the high-availability solution that can be run in a<br />
cluster of <strong>Webwasher</strong> instances running on multiple appliances.<br />
A cluster like this is here referred to as high-availability cluster.<br />
The settings include the interface on the appliance in question that is used for<br />
sending and receiving heartbeat messages, as well as the authentication key<br />
that is required for an incoming heartbeat message in order to be accepted.<br />
Furthermore, you can configure that the Heartbeat daemon is started whenever<br />
the appliance is booted.<br />
The Heartbeat daemon uses information from a database of its own, which<br />
is the Cluster Information Database (CIB). This database is replicated across<br />
all nodes in the high-availability cluster, and changes in the information stored<br />
there are distributed by the Heartbeat program to all nodes.<br />
In order to retrieve information from this database, the cibadmin -Q -o resources,<br />
cibadmin -Q -o nodes, and cibadmin -Q -o constraints commands<br />
can be used.<br />
Another task you need to complete in order to achieve high-availability for a<br />
cluster of <strong>Webwasher</strong> instances, is to set up a cluster IP address for all nodes<br />
of the high-availability cluster. This is done in the Cluster IP section.<br />
Note that you can use one network interface for running the Heartbeat system<br />
and another one for managing the cluster IP address.<br />
The online help page for the Cluster IP section provides information on the<br />
settings of the cluster IP address, as well as more information on the high-availability<br />
cluster in general.<br />
You also need to configure the use of a time server since time must be synchronized<br />
for each cluster node. It is recommended to configure a server outside<br />
the cluster for this purpose.<br />
The Use NTP to synchronize system time feature on the Time and Date<br />
tab may be used here.<br />
Note, furthermore, that all nodes participating in the Heartbeat system must be<br />
connected to the same network (broadcast domain), and that the node names<br />
must be unique.<br />
There may be a situation, e. g. after re-installation of a node, where two nodes<br />
with the same name exist in the high-availability cluster. Each node still has its own<br />
IP address then, but one of them is offline all the time.<br />
You should remove this "stale" node in order to retain a consistent structure for<br />
your high-availability cluster. How to do this is described in the next subsection.
After modifying the default settings configured in this section, you need to<br />
reboot the appliance to make the modification effective. A link to the Reboot/Shutdown<br />
tab is provided at the bottom of the section.<br />
If you have configured central management for the cluster that the appliance is<br />
a member of, the settings are transferred to all other appliances in the cluster<br />
after the reboot and replicated there.<br />
For configuring central management, use the tabs provided under <strong>Configuration</strong><br />
> Central Management.<br />
Use the following items to configure the Heartbeat daemon:<br />
• Start on Boot<br />
Mark this checkbox to have the Heartbeat daemon started whenever the<br />
appliance is booted.<br />
• Heartbeat Interface<br />
In this input field enter the interface on the appliance that should be used<br />
for sending and receiving heartbeat messages.<br />
• Authentication Key<br />
In this input field enter the authentication key that is required for an incoming<br />
heartbeat message in order to be accepted on the appliance.<br />
Removing a Stale Node From the Cluster Information Database<br />
In a high-availability cluster, there may be two nodes with the same names,<br />
e. g. after re-installation of a node.<br />
Each of these nodes has its own IP address, but one of them is offline all the<br />
time. The Cluster Information Database (CIB) has entries for both nodes.<br />
To remove the "stale" node, you need to delete the corresponding entry in the<br />
database. Proceed as follows:<br />
1. Shut down the entire high-availability cluster, using the following command:<br />
/etc/init.d/heartbeat stop<br />
2. Remove the host cache file on each node:<br />
rm /var/lib/heartbeat/hostcache<br />
3. Restart the high-availability cluster:<br />
/etc/init.d/heartbeat start<br />
4. Delete the entry for the stale node:<br />
cibadmin --cib_delete --obj_type nodes --crm_xml ''<br />
where is the id of the node that should be removed.<br />
Cluster IP<br />
The Cluster IP section looks like this:<br />
Using this section, you can set up an IP address that is valid for multiple nodes<br />
in a high-availability cluster of <strong>Webwasher</strong> appliances, configure its settings,<br />
enable or disable it, and suspend or resume individual nodes.<br />
The settings include the interface on the appliance where the IP address is<br />
configured, as well as the maximum number of nodes it can be used for.<br />
Furthermore, you can configure a hash algorithm for determining the node that<br />
will be the recipient of a given ICMP/TCP/UDP packet with the cluster IP address<br />
as its destination. This is required since this address is valid for all nodes<br />
in the high-availability cluster.<br />
The hash will make use of information contained in the packet, such as its<br />
source IP address or source port. You can configure which of these two options<br />
should be used for the hash.<br />
Configuring the source IP address ensures that the same <strong>Webwasher</strong> proxy is<br />
always used for a packet with a given source IP address.<br />
Note, however, that this method may cause difficulties when several clients are<br />
"hidden" behind one NAT box or proxy with a single source IP address.<br />
In a NAT environment, using the source IP address plus the source port for the<br />
hash seems to be an adequate solution to avoid ambiguities.<br />
The disadvantage of this method is that it breaks up the processing of progress<br />
pages and quota management, and possibly other functions. So it should not<br />
be used unless the technical limitations caused by it are sufficiently clear.
Load sharing is achieved through an iptables module that uses the hash algorithm<br />
to determine whether a given node should process a packet or not. For<br />
this purpose, the algorithm divides the traffic into portions known as "buckets".<br />
The buckets that a given node is responsible for can be looked up in the<br />
/proc/net/ipt_CLUSTERIP/<br />
Failover is also ensured since in case a node fails, the buckets that this node<br />
was responsible for are migrated to other nodes. Active connection to the<br />
failing node will then break down, of course, and the failing node is taken out<br />
of the high-availability cluster.<br />
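To make the trade-off between the two hash options and the bucket and failover mechanism concrete, here is an added Python model. It is not the guide's or the product's code: the iptables CLUSTERIP module uses its own kernel hash, so real bucket numbers differ, and the SHA-256 based hash, the node names and the packet sample below are constructed. It shows that with sourceip every connection from one source address reaches the same node (which is exactly what keeps all clients behind one NAT box on a single node), that sourceip-sourceport spreads those same connections over several nodes, and how the buckets of a failed node are migrated to the survivors.

```python
"""Model of cluster IP load sharing and failover (added example).

Not part of the Webwasher guide or product; the hash, node names and
traffic sample are constructed. Buckets are numbered 1..Maximum Nodes,
each bucket is owned by one node, and a packet is processed by the owner
of the bucket its hash selects.
"""
import hashlib
from collections import Counter

# Constructed sample: four nodes and Maximum Nodes = 4.
NODES = ["ww1", "ww2", "ww3", "ww4"]
MAX_NODES = 4

# Constructed traffic: 48 connections from one NAT box (same source IP,
# different source ports) plus 8 connections from individual clients.
NAT_BOX = "203.0.113.7"
PACKETS = [(NAT_BOX, 40000 + i) for i in range(48)] + \
          [(f"198.51.100.{i}", 50000 + i) for i in range(1, 9)]


def bucket_for(src_ip: str, src_port: int, algorithm: str, max_nodes: int) -> int:
    """Return the bucket (1..max_nodes) a packet hashes to.

    Constructed hash: first 4 bytes of SHA-256 over the selected packet
    fields, reduced modulo the number of buckets.
    """
    if algorithm == "sourceip":
        key = src_ip
    elif algorithm == "sourceip-sourceport":
        key = f"{src_ip}:{src_port}"
    else:
        raise ValueError(f"unknown hash algorithm {algorithm!r}")
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % max_nodes + 1


def initial_ownership(max_nodes: int, online_nodes: list[str]) -> dict[int, str]:
    """Assign buckets 1..max_nodes round-robin to the online nodes."""
    return {b: online_nodes[(b - 1) % len(online_nodes)]
            for b in range(1, max_nodes + 1)}


def fail_node(ownership: dict[int, str], failed: str) -> dict[int, str]:
    """Migrate the failed node's buckets to the surviving nodes (round-robin).

    Connections that hashed to those buckets break, as the text says; new
    connections are served by the new owners.
    """
    survivors = sorted({n for n in ownership.values() if n != failed})
    if not survivors:
        raise ValueError("no surviving node in the cluster")
    new = dict(ownership)
    i = 0
    for b in sorted(ownership):
        if ownership[b] == failed:
            new[b] = survivors[i % len(survivors)]
            i += 1
    return new


def node_for(src_ip: str, src_port: int, algorithm: str, ownership: dict[int, str]) -> str:
    """Node that processes the packet under the given bucket ownership."""
    return ownership[bucket_for(src_ip, src_port, algorithm, len(ownership))]


def nat_spread(algorithm: str, ownership: dict[int, str]) -> int:
    """Number of distinct nodes serving the NAT box's connections."""
    return len({node_for(ip, port, algorithm, ownership)
                for ip, port in PACKETS if ip == NAT_BOX})


def distribution(algorithm: str, ownership: dict[int, str]) -> Counter:
    """Packets per node for the constructed traffic sample."""
    return Counter(node_for(ip, port, algorithm, ownership) for ip, port in PACKETS)


if __name__ == "__main__":
    own = initial_ownership(MAX_NODES, NODES)
    for alg in ("sourceip", "sourceip-sourceport"):
        print(alg, dict(distribution(alg, own)), "NAT box spread over",
              nat_spread(alg, own), "node(s)")
    print("after ww2 fails:", fail_node(own, "ww2"))
```

With sourceip the 48 NAT connections pile up on one node while the other three idle; with sourceip-sourceport they spread out, but the same client is no longer pinned to one proxy, which is why the text says progress pages and quota management break under that option.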
The failover can also be performed manually, using the cgctl clusterip --suspend<br />
command on the node in question, which suspends the cluster IP address<br />
for it. The cgctl clusterip --resume command can then be used to<br />
re-enable the cluster IP address.<br />
The same functions can be executed using the Suspend and Resume buttons<br />
in this section, see further below.<br />
After enabling them, the specified settings are made effective for the Heartbeat<br />
daemon that is running on the appliance you are presently configuring.<br />
This daemon must be configured and activated prior to the cluster IP address.<br />
It transfers these settings after enabling to all other appliances in the high-availability<br />
cluster and replicates them there.<br />
The cluster IP address is thus configured for all nodes of the high-availability<br />
cluster, which means it needs to be set up only on one node in order to become<br />
valid also on the other nodes.<br />
To view the address, use the ip addr show command.<br />
Note that configuring a cluster IP address in the way described here is an easy<br />
way to implement load sharing and failover in a small installation.<br />
The number of nodes that is incorporated in this solution should not be higher<br />
than 10, though. Otherwise the administrative overhead caused by implementing<br />
this solution will impede the smooth operation of the high-availability cluster.<br />
For medium and large installations, it is therefore recommended that you use<br />
a dedicated hardware solution to implement load sharing and failover facilities.<br />
When implementing the cluster IP address, you should bear in mind that traffic<br />
for this address will arrive at all nodes of the high-availability cluster, which<br />
means that the bandwidth of the smallest node limits the amount of traffic that<br />
can be processed.<br />
Also with this solution, <strong>Webwasher</strong> can only be configured to run as proxy,<br />
while it is not possible to configure it as ICAP server, or to use the WCCP<br />
protocol, or to set up transparent authentication via the cluster IP address.<br />
For troubleshooting a high-availability cluster, the crm_mon command may<br />
be used, as well as several commands for administering the Cluster Information<br />
Database (CIB), which is maintained by the Heartbeat daemon, see the<br />
corresponding online help page.<br />
Furthermore, a sample procedure for configuring two <strong>Webwasher</strong> instances to<br />
run as nodes in a high-availability cluster is described in the next subsection.<br />
Use the following items to configure the cluster IP address in a high-availability<br />
cluster:<br />
• Cluster IP<br />
In this input field enter the IP address.<br />
• Cluster IP Interface<br />
In this input field enter the interface on an appliance that the cluster IP<br />
address is assigned to.<br />
Remember that this interface will be the same for all nodes of the high-availability<br />
cluster.<br />
• Hash Algorithm<br />
From the drop-down list provided here, select a hash algorithm for determining<br />
the node that will be the recipient of a packet with the cluster IP<br />
address as its destination.<br />
There are two algorithms available, differing with regard to the type of<br />
packet information they use for the hash.<br />
On the limitations that exist for both types, see the information provided<br />
further above.<br />
The following can be configured here:<br />
— sourceip<br />
The IP address of the packet source is used for computing the hash<br />
that determines the recipient node.<br />
— sourceip-sourceport<br />
The IP address and port number of the packet source is used for computing<br />
the hash that determines the recipient node.<br />
• Maximum Nodes<br />
In this input field enter the maximum number of nodes that will be included<br />
in the high-availability cluster, using this cluster IP address.
• Enable Cluster IP<br />
After specifying the appropriate information, click on the Enable button<br />
provided here to make the cluster IP address and its settings effective.<br />
• Disable Cluster IP<br />
Click on the Disable button provided here to disable a cluster IP address.<br />
• Suspend Current Node<br />
Click on this button to suspend the current node from being a member of<br />
the high-availability cluster.<br />
• Resume Current Node<br />
Click on this button to resume membership in the high-availability cluster<br />
for the current node.<br />
Configuring Two Nodes in a High-Availability Cluster<br />
The following sample procedure describes how to configure two instances of<br />
<strong>Webwasher</strong> running on different appliances to run as nodes in a high-availability<br />
cluster.<br />
It is recommended to join the two instances in a small central management<br />
cluster before configuring the high-availability settings. This means that one of<br />
the instances is configured as master and the other as site instance.<br />
The high-availability settings are then configured only on the master instance,<br />
from where they are distributed to the site instance.<br />
An alternative way of configuring high-availability for two instances of <strong>Webwasher</strong><br />
would be to join them to an existing central management cluster before<br />
configuring the high-availability settings.<br />
In this case, you would have to configure both instances as site instances of<br />
the existing master instance and then configure the high-availability settings<br />
on that master instance.<br />
To configure two nodes in a newly created high-availability cluster, proceed as<br />
follows:<br />
1. Log in to the <strong>Webwasher</strong> instance on the first appliance, and in the Web<br />
interface of that instance go to the Node Settings tab under <strong>Configuration</strong><br />
> Central Management.<br />
2. In the Instance Role section on that tab, check the radio button labeled<br />
Yes, act as a cluster node of the following role, and then the Master<br />
instance radio button.<br />
3. Click on Apply Changes to make these settings effective.<br />
Leave the other settings that can be configured for a master instance on<br />
the Master Settings tab at their default values, or modify them according<br />
to your requirements.<br />
For more information on these settings, see the corresponding online help<br />
pages.<br />
4. Log in to the <strong>Webwasher</strong> instance on the second appliance, and in the<br />
Web interface of that instance go to the Site Settings tab under <strong>Configuration</strong><br />
> Central Management.<br />
5. On this tab, configure the following settings:<br />
• In the Host Names or IPs input field of the Master Instances Addresses<br />
section, type the host name or IP address of the master instance.<br />
• In the Web Interface Port input field, type the port number of the<br />
port that should be used for communication between the master and<br />
the site instance.<br />
• In the Password input fields of the Authentication section, type a<br />
password to allow the site instance to login to the Web interface of the<br />
master instance and another to allow the master to login on the site<br />
instance.<br />
Retype both passwords.<br />
• In the Contact Interval section, type 30 as the value of the time interval<br />
(in minutes) for requesting synchronization from the master. This is the<br />
minimum interval; you may also configure a higher value here.<br />
6. Click on Apply Changes to make these settings effective.<br />
Leave the other settings on this tab at their default values, or modify them<br />
according to your requirements. For more information on these settings,<br />
see the corresponding online help pages.<br />
7. In the Web interface of the instance you configured as master, go to the<br />
High-Availability tab under <strong>Configuration</strong> > Appliance, and configure<br />
the following settings in the Heartbeat section of that tab:<br />
• Mark the Start on Boot checkbox to have the Heartbeat daemon<br />
started whenever the appliance is booted.<br />
• In the Heartbeat interface input field, type the name of the interface<br />
on the appliance that should be used for sending and receiving heartbeat<br />
messages, e. g. eth0.<br />
• In the Authentication Key input field, type the key that is required<br />
for an incoming heartbeat message in order to be accepted on the<br />
appliance, e. g. SuperSecretKeyZZZ.<br />
For more information on these settings, see the corresponding online help<br />
pages.
8. Reboot the appliance that this instance of <strong>Webwasher</strong> is running on to<br />
make the Heartbeat settings effective.<br />
You may use the Reboot button on the Reboot/Shutdown tab to do<br />
this.<br />
9. In the Cluster IP section, configure the following settings, see the explanations<br />
given above for more information on them:<br />
• In the Cluster IP input field, type the cluster IP address for the high-availability<br />
cluster, e. g. 10.150.34.103.<br />
• In the Cluster IP interface input field, type the name of the interface<br />
on the appliance that the cluster IP address is assigned to, e. g. eth0.<br />
• From the Hash Algorithm drop-down list, select either the sourceip<br />
or the sourceip-sourceport algorithm for determining the node that<br />
will be the recipient of a packet with the cluster IP address as its destination.<br />
• In the Maximum Nodes input field, type the maximum number of<br />
nodes to be included in the high-availability cluster that uses this cluster<br />
IP address, e. g. 2.<br />
10. Click on the Enable button to make the cluster IP address and its settings<br />
effective.<br />
This completes the sample configuration procedure.<br />
After the contact interval that you configured has elapsed, the high-availability<br />
settings should be distributed from the master to the site instance and the<br />
high-availability cluster should be working.<br />
You should then be able to ping both nodes of the high-availability cluster using<br />
the cluster IP address.<br />
6.5<br />
Web Interfaces<br />
The Web Interfaces options are invoked by clicking on the corresponding<br />
button under <strong>Configuration</strong>:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Ports, see 6.5.1<br />
• Sessions, see 6.5.2<br />
• Dashboard / Quick Snapshots, see 6.5.3<br />
6.5.1<br />
Ports<br />
The Ports tab looks like this:<br />
There are four sections on this tab:<br />
• Web Interface Port Settings (HTTP)<br />
• Web Interface Port Settings (HTTPS)<br />
• End User Port Settings<br />
• Web Interface Options<br />
They are described in the following.
Web Interface Port Settings (HTTP)<br />
The Web Interface Port Settings section for HTTP connections looks like<br />
this:<br />
Using this section, you can configure the Web interface port for HTTP connections.<br />
If you want to use this feature, make sure the checkbox next to the section<br />
heading is marked. The checkbox is marked by default.<br />
After modifying this setting or any other setting in this section, click on Apply<br />
Changes to make the modification effective.<br />
Use the following input fields to configure these port settings:<br />
• Port<br />
Enter the port number of the listener port here, e. g. 9999.<br />
In addition to a port number, you can also enter the IP address of the interface<br />
you want to configure this port for, which means you could enter<br />
e. g. 10.150.34.33:9999.<br />
The default port number is 9090.<br />
If you also enter an IP address, it is checked whether this address is valid,<br />
i. e. whether it is an IP address of a network interface that is known within<br />
your local system. If the address is invalid, a message is displayed to<br />
inform you about it. The port number you entered will not be processed in<br />
this case, and the existing port number will remain in use.<br />
So, to change a port number using this field you need to either enter a valid<br />
IP address with the port number or the port number without an IP address.<br />
A redirect will then be performed in order to use the port number you just<br />
configured for access to the Web interface. This redirect will, however, only<br />
be performed if you are actually using an HTTP connection to access the<br />
Web interface.<br />
Note also that when a port number is transferred in a cluster to synchronize<br />
the master’s settings with those of the site instances, only the port number<br />
itself is transferred, which means that if an IP address was also specified,<br />
it is ignored in the synchronization process.<br />
If you want to exclude port numbers from being transferred in this process,<br />
enable the Listener Ports option in the Local Site Settings section on<br />
the Site Settings tab under <strong>Configuration</strong> > Central Management to<br />
forbid synchronization of port numbers on a site instance.<br />
Enable the same option in the Local Master Settings section on the Master<br />
Settings tab to forbid it for port numbers on a master instance.<br />
• Allow access from<br />
Use this field to configure the IP addresses that should have access to<br />
each port that is opened by <strong>Webwasher</strong>.<br />
The input format is:<br />
(IP|IP/NetMask|IPrange)[,(IP|IP/NetMask|IPrange)]*<br />
An asterisk (*) means that everyone is allowed access.<br />
If the same port is specified here as for the HTTP proxy, this setting<br />
will be ignored.<br />
Web Interface Port Settings (HTTPS)<br />
The Web Interface Port Settings section for HTTPS connections looks like<br />
this:<br />
Using this section, you can configure the Web interface port for HTTPS connections.<br />
If you want to use this feature, make sure the checkbox next to the section<br />
heading is marked. The checkbox is marked by default.<br />
After modifying this setting or any other setting in this section, click on Apply<br />
Changes to make the modification effective.
Use the following input fields to configure these port settings:<br />
• Port<br />
Enter the port number of the listener port here, e. g. 9999.<br />
In addition to a port number, you can also enter the IP address of the interface<br />
you want to configure this port for, which means you could enter<br />
e. g. 10.150.34.33:9999.<br />
The default port number is 9091.<br />
If you also enter an IP address, it is checked whether this address is valid,<br />
i. e. whether it is an IP address of a network interface that is known within<br />
your local system. If the address is invalid, a message is displayed to<br />
inform you about it. The port number you entered will not be processed in<br />
this case, and the existing port number will remain in use.<br />
So, to change a port number using this field you need to either enter a valid<br />
IP address with the port number or the port number without an IP address.<br />
A redirect will then be performed in order to use the port number you just<br />
configured for access to the Web interface. This redirect will, however, only<br />
be performed if you are actually using an HTTPS connection to access the<br />
Web interface.<br />
Note also that when a port number is transferred in a cluster to synchronize<br />
the master’s settings with those of the site instances, only the port number<br />
itself is transferred, which means that if an IP address was also specified,<br />
it is ignored in the synchronization process.<br />
If you want to exclude port numbers from being transferred in this process,<br />
enable the Listener Ports option in the Local Site Settings section on<br />
the Site Settings tab under <strong>Configuration</strong> > Central Management to<br />
forbid synchronization of port numbers on a site instance.<br />
Enable the same option in the Local Master Settings section on the Master<br />
Settings tab to forbid it for port numbers on a master instance.<br />
• Allow access from<br />
Use this field to configure the IP addresses that should have access to<br />
each port that is opened by <strong>Webwasher</strong>.<br />
The input format is:<br />
(IP|IP/NetMask|IPrange)[,(IP|IP/NetMask|IPrange)]*<br />
An asterisk (*) means that everyone is allowed access.<br />
End User Port Settings<br />
The End User Port Settings section looks like this:<br />
Using this section, you can configure an internal port that is available for end<br />
users who want to access <strong>Webwasher</strong>. This can be either the Web interface<br />
port, i. e. the port also used by administrators, or an additional port that you<br />
specify here.<br />
Furthermore, you can specify that HTTPS connections must be used for access<br />
to <strong>Webwasher</strong>.<br />
The internal port will be available for end users accessing <strong>Webwasher</strong> in order<br />
to, e. g. change their passwords, handle e-mail digests or edit the e-mail white<br />
list.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following items to configure an internal port for access to <strong>Webwasher</strong>:<br />
• Use Webinterface Port<br />
If the Web interface port should be used, make sure this radio button is<br />
checked.<br />
The radio button is checked by default.<br />
• Use Additional Port<br />
If you want to use an additional port, check this radio button. Then specify<br />
the port settings using the following input fields:<br />
— Port<br />
Specify the additional port here. The input format is:<br />
[IP]: port<br />
The default port number is 9093.<br />
— Allow access from<br />
Specify the range of IP addresses that should have access to <strong>Webwasher</strong><br />
here. The input format is:<br />
(IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*<br />
Note: Type * to allow everyone access.<br />
• use HTTPS connections<br />
If HTTPS connections should be required for access to <strong>Webwasher</strong>, make<br />
sure this checkbox is marked.<br />
The checkbox is marked by default.<br />
Web Interface Options<br />
The Web Interface Options section looks like this:<br />
Using this section, you can configure options for using the Web interface.<br />
You can enforce the use of basic authentication as a method for access and<br />
specify a login window name that should be used for this purpose.<br />
Note that it does not make sense to configure a session length when basic<br />
authentication is enforced here. Even if your session times out, you will be<br />
automatically authenticated at the next request.<br />
For this reason, there is also no logout link provided at the top of the Web<br />
interface area when basic authentication is enforced.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following checkbox and input field to configure these options:<br />
• Force usage of Basic authentication<br />
If you want to enforce basic authentication for access to the Web interface,<br />
mark this checkbox.<br />
• Login window name<br />
Enter the name of the login window here. The default name is <strong>Webwasher</strong><br />
configuration.<br />
After specifying values for these settings, click on Apply Changes to make<br />
them effective.
6.5.2<br />
Sessions<br />
The Sessions tab looks like this:<br />
There are two sections on this tab:<br />
• Session Options<br />
• Session Overview<br />
They are described in the following.<br />
Session Options<br />
The Session Options section looks like this:<br />
Using this section, you can configure the length of a <strong>Webwasher</strong> session.<br />
This will apply to a session of the Web interface, as well as to one of the SSH<br />
interface.<br />
After specifying this setting, click on Apply Changes to make it effective.<br />
Use the following input field to configure the session length:<br />
• Session length ... minutes<br />
Enter a time interval (in minutes) for the session length here.<br />
Session Overview<br />
The Session Overview section looks like this:<br />
This section displays all <strong>Webwasher</strong> sessions that are currently active. For<br />
each session the following information is provided:<br />
• User<br />
User name of the user who is logged in for the session.<br />
• TTL<br />
Time that the session has lasted so far (in minutes and seconds).<br />
• Status<br />
Status the user of a session has with regard to session mode and access<br />
privileges.<br />
• Interface<br />
Protocol used for the session.<br />
• from IP<br />
IP address that the user has logged in from to the session.
6.5.3<br />
Dashboard / Quick Snapshots<br />
The Dashboard / Quick Snapshots tab looks like this:<br />
There are two sections on this tab:<br />
• Enable/Disable<br />
• Frequent Media Types Counter<br />
They are described in the following.<br />
Enable/Disable<br />
The Enable/Disable section looks like this:<br />
Using this section, you can configure the display of the dashboard and the<br />
various quick snapshots.<br />
By default, display is enabled for all of these features. To disable or re-enable<br />
display for a feature, clear or mark the corresponding checkbox.<br />
After modifying any of these settings, click on Apply Changes to make the<br />
modification effective.<br />
Display of the following features can be configured here:<br />
• Dashboard<br />
• Common Quick Snapshot<br />
• URL Filter Quick Snapshot<br />
• Anti-Malware Quick Snapshot<br />
• Anti-Spam Quick Snapshot<br />
• SSL Scanner Quick Snapshot<br />
Frequent Media Types Counter<br />
The Frequent Media Types Counter section looks like this:<br />
Using this section, you can reset the counter that counts frequent media types<br />
processed by the <strong>Webwasher</strong> filters, i. e. set it to zero.<br />
Media types are counted by hits and by volumes. The results of this counter<br />
are displayed in the Frequent Media Types by Hits and Frequent Media<br />
Types by Volumes sections on the Quick Snapshot tab under Common ><br />
Quick Snapshot.<br />
Use the following button to reset the counter:<br />
• Reset Frequent Media Types Counter<br />
Click on this button to reset the counter.
6.6<br />
Secure Administration Shell<br />
The Secure Administration Shell options are invoked by clicking on the<br />
corresponding button under <strong>Configuration</strong>:<br />
If you want to enable any of these options, you also need to mark the checkbox<br />
that is on this button.<br />
Then click on Apply Changes to make this setting effective.<br />
The options are arranged under the following tab:<br />
They are described in the upcoming section:<br />
• General Settings, see 6.6.1<br />
6.6.1<br />
General Settings<br />
The General Settings tab looks like this:<br />
There are four sections on this tab:<br />
• Port Settings<br />
• Server Host Keys<br />
• Authentication<br />
• Protocol Options<br />
They are described in the following.
Port Settings<br />
The Port Settings section looks like this:<br />
Using this section, you can configure the listener port for the administration<br />
shell server. For security reasons, you can also restrict access to this port to<br />
particular IP addresses.<br />
After specifying the appropriate settings, click on Apply Changes to make them<br />
effective.<br />
Use the following input fields to configure these port settings:<br />
• Port<br />
Enter the port number of the listener port for the administration shell server<br />
here. The default port number is 9092.<br />
The input format is:<br />
[IP:] Port<br />
• Allow access from<br />
Enter the IP addresses that should have access to each port opened by<br />
<strong>Webwasher</strong> here.<br />
The input format is:<br />
(IP|IP/NetMask|IPrange)[,(IP|IP/NetMask|IPrange)]*<br />
Entering an * here means that everyone is allowed access.<br />
Server Host Keys<br />
The Server Host Keys section looks like this:<br />
Using this section, you can generate the server host key that is needed for<br />
identification of the administration shell server. This key is also known as public<br />
key. It is one of a pair of keys, where the other key is a private key that no one<br />
has access to.<br />
Clients having a copy of this public key can verify whether the server also owns<br />
the corresponding private key, and thereby verify the identity of the server.<br />
The public key and the private key are both encryption keys, with the private<br />
key allowing both encryption and creation of digital signatures. A private key<br />
on a client is only known to the corresponding user. This ensures trustworthy<br />
identification of the server as well as confidentiality of data and digital signatures.<br />
Public and private keys can make use of the RSA (Rivest Shamir Adleman) or<br />
DSA (Digital Signature Algorithm) cryptosystems, combined with the Diffie-Hellman<br />
key exchange method. With RSA encryption, you need not type<br />
a password when connecting to other hosts on the network that recognize your<br />
public key.<br />
The meaning of the items provided in this section is as follows:<br />
• RSA/DSA Key Type<br />
Use this key type list to select either the RSA or the DSA key type and<br />
generate the corresponding keys by clicking on the Generate button at<br />
the right end of the line in question.<br />
A fingerprint and the bit strength can also be displayed for these keys.
You can also import a private key. To do this, use the following items in the<br />
lower part of the section:<br />
• Key type<br />
Select the type (RSA or DSA) of the private key from the drop-down list<br />
provided here.<br />
• File<br />
Use the Browse button next to this input field to browse for the file containing<br />
the private key.<br />
• Passphrase<br />
In this input field, enter a passphrase for the private key.<br />
Note that the security of your passphrase is extremely important as it is<br />
used to authenticate you to any server you wish to connect to. Be aware<br />
of any unencrypted network connections. Should someone figure out this<br />
passphrase, this person would have access to all the servers you are using.<br />
Passphrases should be between 25 and 80 characters, and can consist of<br />
multiple words (spaces are acceptable) as well as digits, and should not<br />
be something obvious, such as the name of a person, a place name, etc.<br />
• Import<br />
After specifying input for the above fields, click on this button to import the<br />
private key.<br />
Authentication<br />
The Authentication section looks like this:<br />
It allows you to configure authentication methods for administrators with regard<br />
to using logon credentials and public keys.<br />
To configure credentials and keys that can be used here, click on the Administrators<br />
link provided in this section. This will take you to the Accounts tab<br />
under User Management > Administrators.<br />
After modifying any of these settings here, click on Apply Changes to make<br />
the modification effective.<br />
Use the following checkboxes to configure authentication methods:<br />
• Password authentication with web interface logon credentials<br />
If you want administrators to authenticate themselves by submitting logon<br />
credentials for access to the Web interface including a password, make<br />
sure this checkbox is marked.<br />
The checkbox is marked by default.<br />
• Public key authentication<br />
If you want administrators to authenticate themselves using a public key,<br />
make sure this checkbox is marked.<br />
The checkbox is marked by default.<br />
Protocol Options<br />
The Protocol Options section looks like this:<br />
Using this section, you can specify methods for negotiations between the administration<br />
shell server and its clients. The methods will be applied in the<br />
order they have been entered in the input fields provided here.<br />
To disable a method delete it from the corresponding input field.<br />
After doing this or specifying any other information, click on Apply Changes<br />
to make these settings effective.<br />
Use the following input fields to configure protocol options:<br />
• Session encryption ciphers<br />
Ciphers are message formats that render communication unreadable except<br />
to the intended recipient, e. g. DES (Data Encryption Standard), AES<br />
(Advanced Encryption Standard), Blowfish, etc.
The input format is:<br />
Method [, Method]*<br />
• Message authentication algorithms<br />
The algorithms used for authenticating messages.<br />
The input format is:<br />
Method [, Method]*<br />
• Key-exchange methods<br />
Includes means for securely distributing encryption keys to all parties involved,<br />
e. g. the Diffie-Hellman algorithm.<br />
The input format is:<br />
Method [, Method]<br />
• Compression<br />
Methods of reducing the size of a given file to something more manageable.<br />
The input format is:<br />
(Method | none) [, (Method | none)]<br />
6.7<br />
SNMP Interface<br />
The SNMP Interface options are invoked by clicking on the corresponding<br />
button under <strong>Configuration</strong>:<br />
If you want to enable any of these options, you also need to mark the checkbox<br />
that is on this button.<br />
Then click on Apply Changes to make this setting effective.<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Agent, see 6.7.1<br />
• Communities, see <strong>6.7.2</strong><br />
• SNMPv3 Users, see 6.7.3<br />
• Trap Sinks, see 6.7.4<br />
• MIB Browser, see 6.7.5<br />
6.7.1<br />
Agent<br />
The Agent tab looks like this:<br />
There are three sections on this tab:<br />
• Port Settings<br />
• <strong>System</strong> Information<br />
• Protocol Options<br />
They are described in the following.
Port Settings<br />
The Port Settings section looks like this:<br />
Using this section, you can configure the transport protocol and the listener<br />
port to be used for the SNMP Agent.<br />
The transport protocol is either UDP or TCP. While SNMP agents naturally run<br />
on port 161, <strong>Webwasher</strong> uses port 9161 to allow it to run side-by-side with an<br />
existing SNMP agent (of the operating system).<br />
When running on a UNIX operating system, changing the port to 161 or anything<br />
below 1024 will require a restart of <strong>Webwasher</strong>.<br />
The following options are provided in this section:<br />
• UDP Port<br />
Make sure this option (default) is enabled if you want to use UDP as transport<br />
protocol for the SNMP Agent.<br />
Enter a port number in the corresponding input field if you do not want to<br />
use 9161 (default) as the listener port. The format for specifying a port is:<br />
[IP:] Port<br />
• TCP Port<br />
Enable this option if you want to use TCP as transport protocol for the<br />
SNMP Agent.<br />
Enter a port number in the corresponding input field if you do not want to<br />
use 9161 (default) as the listener port. The format for specifying a port is:<br />
[IP:] Port<br />
• Allow access from<br />
In this input field, enter the IP addresses of the sites you allow to have<br />
access to each port opened by <strong>Webwasher</strong>. The format for specifying IP<br />
addresses is:<br />
(IP | IP/NetMask | IP range) [,(IP | IP/NetMask | IP range)]*<br />
The default is an asterisk * , which means to allow access to all sites.<br />
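The "Allow access from" format above is the same one used for the Web interface, end user and Secure Administration Shell ports earlier in this chapter, and the Communities tab described below also accepts host names and default in its "Allowed from" field. The following matcher is an added example, not Webwasher code: it validates such a list before it is pasted into the input field and decides whether a given client matches it; the range, net mask and host name semantics it assumes are stated in its docstring, and the sample list is constructed.

```python
"""Matcher for the "Allow access from" entry format described on this page.

Added example, not Webwasher code.  Entry kinds accepted and the semantics
assumed for them (the page gives the grammar, not the matching rules):

    *  or  default              any client ("everyone is allowed access")
    10.150.34.33                one address (IPv4 or IPv6)
    10.150.34.0/24              network, prefix length
    10.150.34.0/255.255.255.0   network, dotted net mask
    10.150.34.10-10.150.34.20   inclusive address range
    mgmt.example.net            host name (Communities "Allowed from"); compared
                                literally with the client's name, no DNS lookup

An empty list allows nobody (assumption; the page does not say).
"""
import ipaddress
import re
from typing import Callable, List, Optional

# One or more dot separated labels of letters, digits and inner hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

Predicate = Callable[..., bool]   # called as pred(client_ip, client_host)


def parse_entry(entry: str) -> Predicate:
    """Turn one list entry into a predicate; ValueError if it is malformed."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry")
    if entry in ("*", "default"):
        return lambda ip, host: True
    if "/" in entry:
        # ip_network takes "addr/prefixlen" as well as "addr/dotted.mask";
        # strict=False tolerates host bits set in the address part
        net = ipaddress.ip_network(entry, strict=False)
        return lambda ip, host: ip in net       # False across IPv4/IPv6
    try:
        addr = ipaddress.ip_address(entry)
        return lambda ip, host: ip == addr
    except ValueError:
        pass                                    # not a single address
    if entry.count("-") == 1:
        lo_s, hi_s = entry.split("-")
        try:
            lo = ipaddress.ip_address(lo_s.strip())
            hi = ipaddress.ip_address(hi_s.strip())
        except ValueError:
            lo = hi = None                      # e.g. a hyphenated host name
        if lo is not None:
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid address range: {entry!r}")
            return lambda ip, host: ip.version == lo.version and lo <= ip <= hi
    # A host name must contain a letter, so "300.1.1.1" is rejected below.
    if _HOSTNAME_RE.match(entry) and any(c.isalpha() for c in entry):
        name = entry.lower()
        return lambda ip, host: host is not None and host.lower() == name
    raise ValueError(f"unrecognised entry: {entry!r}")


def validate_acl(text: str) -> List[str]:
    """Error messages for malformed entries (empty list means the text is OK).
    Run this before pasting a list into the input field."""
    errors = []
    for raw in text.split(","):
        if not raw.strip():
            continue
        try:
            parse_entry(raw)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def is_allowed(text: str, client_ip: str, client_host: Optional[str] = None) -> bool:
    """True if the client matches at least one entry of the comma separated list."""
    ip = ipaddress.ip_address(client_ip)
    preds = [parse_entry(e) for e in text.split(",") if e.strip()]
    return any(p(ip, client_host) for p in preds)


# Constructed sample: the management subnet, a short range of jump hosts and
# one named host.
ADMIN_ACL = "10.150.34.0/24, 192.168.1.10-192.168.1.20, mgmt.example.net"

if __name__ == "__main__":
    print(is_allowed(ADMIN_ACL, "10.150.34.33"))             # True
    print(is_allowed(ADMIN_ACL, "10.150.35.1"))              # False
    print(validate_acl("10.1.2.50-10.1.2.10, 10.1.2.3/33"))  # two error messages
```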
<strong>System</strong> Information<br />
The <strong>System</strong> Information section looks like this:<br />
Using this section, you can specify information on the <strong>Webwasher</strong> software<br />
you are currently configuring for use with the SNMP Agent.<br />
The following input fields are provided here for specifying information:<br />
• Description<br />
Description of the <strong>Webwasher</strong> software.<br />
Here you can, e. g., state the release of this software or the purpose it is<br />
used for on the corresponding system.<br />
• Object ID<br />
Numerical system description of the <strong>Webwasher</strong> software.<br />
This is the description used by the MIB (Management Information Base)<br />
system. Within this system, a numerical description is assigned as an ID<br />
to each of the objects administered by the system. A short form for Object<br />
ID is: OID.<br />
The objects can also be displayed in a MIB tree, see 6.7.5.<br />
Example of an Object ID (OID): 1.3.6.1.4.1.1457.2.1.1.1.13<br />
This is the Object ID of a particular version of the <strong>Webwasher</strong> software.<br />
• Contact Person<br />
E-mail address of the administrator responsible for maintaining the <strong>Webwasher</strong><br />
software.
• Physical location<br />
Physical location of the system the <strong>Webwasher</strong> software is running on.<br />
Here you can enter information specifying a room or a floor in a building<br />
like, e. g. , Delta Building, 1st floor.<br />
Protocol Options<br />
The Protocol Options section looks like this:<br />
It allows you to configure the version of the SNMP protocol to be used for<br />
communication with the SNMP Agent.<br />
Specifying more than one version here will enable simultaneous use of the<br />
features provided by each of them.<br />
The following protocol options can be configured:<br />
• Allow SNMP protocol version 1<br />
This option is enabled by default.<br />
• Allow SNMP protocol version 2c<br />
This option is enabled by default.<br />
• Allow SNMP protocol version 3<br />
This version of the SNMP protocol provides a number of new security features,<br />
introducing a comprehensive approach to security issues known as<br />
the User-Based Security Model (USM).<br />
This option is disabled by default. For this reason, access from an SNMPv3<br />
user account is not possible during the setup phase of the SNMP Agent.<br />
<strong>6.7.2</strong><br />
Communities<br />
The Communities tab looks like this:<br />
There are two sections on this tab:<br />
• Communities<br />
• Client Lockout<br />
They are described in the following.
Communities<br />
The Communities section looks like this:<br />
Using this section, you can configure the communities that are allowed access<br />
to the SNMP Agent.<br />
In terms of SNMP communication, a community is a particular host system or<br />
group of systems that is allowed access to the SNMP Agent and to the objects<br />
managed by this agent. Communities are specified through their Internet addresses<br />
or host names.<br />
Access is allowed either as read-only access (public mode) or as unrestricted<br />
access (private mode). Accordingly, passwords are configured for communities,<br />
which are either private or public and are termed “community strings”.<br />
To add a community to the list, use the area labeled:<br />
• Add community<br />
Specify the appropriate information using the following items:<br />
— Community String<br />
Enter a community string (password) for the community you are<br />
presently configuring in this input field.<br />
— Allowed from<br />
Specify the community you want to allow access to the SNMP Agent in<br />
this input field.<br />
This is done by entering a host name or an IP address or any other of<br />
the values of the input format. The input format is:<br />
Host|IP/NetMask|default|*<br />
Entering default or an asterisk * will allow access to any community<br />
under the configured community string and access mode (public or private).<br />
— Allow Root OID<br />
Input in this field is optional. You can specify the root ID here that is<br />
assigned to the community as an object managed by the MIB (Management<br />
Information Base) system.<br />
A root ID is specified in the following way:<br />
1.2.6.3 ...<br />
— Read-Only Access<br />
Enable this option to allow read-only access (public mode) for the community<br />
in question.<br />
— Add<br />
After specifying the appropriate information, click on this button to add<br />
the new community to the list.<br />
If this action was successful, there is now an entry for this community in the<br />
communities list, which is displayed at the bottom of the section.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using the<br />
Enter key of your keyboard. If the number of entries is higher than this number,<br />
the remaining entries are shown on successive pages. A page indicator is then<br />
displayed, where you can select a particular page by clicking on the appropriate<br />
arrow symbols.<br />
To edit an entry, type the appropriate text in the input fields provided with each<br />
entry or enable or disable the corresponding Read-Only Access checkbox.<br />
Then click on Apply Changes to make your settings effective. You can edit<br />
more than one entry and make the changes effective in one go.
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field of the Community column and<br />
enter it using the Enter key of your keyboard. The list will then display only<br />
entries matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
Client Lockout<br />
The Client Lockout section looks like this:<br />
Using this section, you can configure options to protect the SNMP Agent<br />
against repeated failed access attempts, such as guessing community strings<br />
or user passwords.<br />
You can specify the maximum number of authentication failures that is allowed<br />
before access to the SNMP is denied, as well as the duration of this lockout.<br />
A display field shows how many clients have been locked out at a given time.<br />
When configuring options in this section, make sure the checkbox next to the<br />
section heading is marked. After specifying the appropriate values for these<br />
options, click on Apply Changes to make your settings effective.<br />
The following items are provided in this section:<br />
• Lockout after ... authentication failures<br />
Maximum number of authentication failures before the lockout becomes<br />
effective. The default number is: 15.<br />
• Lock for ... minutes<br />
Duration of the lockout. The default duration is 30 Minutes.<br />
• Number of locked clients<br />
This display field shows the number of clients that have been locked out.<br />
Click on the Reset button next to this field to reset the displayed value.<br />
6.7.3<br />
SNMPv3 Users<br />
The SNMPv3 Users tab looks like this:<br />
There is one section on this tab:<br />
• SNMPv3 Users<br />
It is described in the following.
SNMPv3 Users<br />
The SNMPv3 Users section looks like this:<br />
Using this section, you can configure the user accounts that are allowed access<br />
to the SNMP Agent according to SNMP protocol version 3 .<br />
In SNMPv3, the User-based Security Model (USM) authenticates users with<br />
keys derived from their passwords. The password itself is never sent between<br />
the peer systems; an irreversible derivative of it, calculated with either the<br />
MD5 or the SHA-1 hash algorithm and bound to the agent's engine ID, is used to<br />
compute a message authentication code over each message.<br />
Optionally, the SNMP Agent can encrypt all data transmitted for this user account,<br />
using either the Data Encryption Standard (DES) algorithm, as described<br />
in RFC 3414, or the newer Advanced Encryption Standard (AES, also<br />
known as “Rijndael”) algorithm, as described in RFC 3826.<br />
Note that MD5 and DES are no longer considered secure. Select SHA and AES<br />
unless a legacy management station requires otherwise.<br />
To configure SNMPv3 user accounts, you need to enable the SNMPv3 version<br />
of the SNMP protocol first. To do this, go to the Protocol Options section of<br />
the Agent tab, see 6.7.1.<br />
To add an SNMPv3 user to the list, use the area labeled:<br />
• Add user<br />
Specify the appropriate information using the following items:<br />
— User Name<br />
Enter the name of the user that an account is being configured for in<br />
this input field.<br />
— Password<br />
Enter a password for the user in this field. Note that it has to be at least<br />
8 characters long.<br />
— Allowed from<br />
Specify the hosts that are allowed to access the SNMP Agent under this user<br />
account in this input field.<br />
This is done by entering a host name or an IP address or any other of<br />
the values of the input format. The input format is:<br />
Host|IP/NetMask|default|*<br />
Entering default or an asterisk * allows access from any host under the<br />
configured user name and access mode (read-only or unrestricted).<br />
— Allow Root OID<br />
Input in this field is optional. You can specify a root OID here to restrict<br />
the user account to the part of the MIB (Management Information Base) tree<br />
below this object.<br />
A root OID is specified in the following way:<br />
1.2.6.3 ...<br />
— Authentication<br />
Select an authentication method for this user by enabling either the<br />
MD5 (default) or SHA algorithm.<br />
The selected algorithm is used to derive an authentication key from the user<br />
password. This key, not the password, is used to authenticate each message<br />
during the authentication procedure.<br />
— Encryption<br />
Select an encryption method for the data transferred from this user account<br />
by enabling either the DES (default) or AES algorithm.<br />
The selected algorithm is then used as the encryption method. Enable<br />
None if you do not want an encrypted data transfer.<br />
— Read-Only Access<br />
Enable this option to allow read-only access (public mode) for the user<br />
in question. Otherwise access will be unrestricted.<br />
— Add<br />
After specifying the appropriate information, click on this button to add<br />
the new user to the list.<br />
If this action was successful, the user is displayed in the user list, which<br />
is displayed at the bottom of this section.
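The key derivation behind the Authentication setting, as an added example that is not part of this<br />
guide or of the <strong>Webwasher</strong> software: the password-to-key and key localization procedure of RFC 3414<br />
(appendix A.2), followed by the HMAC-96 authentication parameter that USM places in each message.<br />
The test values are the ones printed in RFC 3414 appendix A.3; the second engine ID and the message<br />
bytes are constructed for the demonstration.<br />

```python
"""RFC 3414 USM: derive per-agent authentication keys from a user password.

Added example, not code from the Webwasher guide. It shows why the password
never crosses the wire: the agent and the manager each derive the same
localized key and use it to compute a MAC over every message.
"""
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576


def password_to_ku(password: str, algo: str) -> bytes:
    """RFC 3414 A.2.1/A.2.2, step 1: hash 1 MiB of the repeated password (the
    deliberate cost slows offline guessing). algo is 'md5' or 'sha1'."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Step 2: bind the key to one agent's snmpEngineID, so the same password
    yields a different key on every agent (a key taken from one agent is
    useless against another)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def password_to_key(password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    return localize_key(password_to_ku(password, algo), engine_id, algo)


def auth_params(localized_key: bytes, whole_msg: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters: HMAC-MD5-96 or HMAC-SHA-96 over the whole
    serialized message, computed with the 12-byte parameter field zeroed
    (RFC 3414 sections 6.3.1 and 7.3.1). Only this MAC is transmitted."""
    return hmac.new(localized_key, whole_msg, algo).digest()[:12]


def verify_auth(localized_key: bytes, whole_msg: bytes, received: bytes, algo: str) -> bool:
    """Constant-time check of a received msgAuthenticationParameters value."""
    return hmac.compare_digest(auth_params(localized_key, whole_msg, algo), received)


# snmpEngineID used for the RFC 3414 appendix A.3 test vectors (12 octets).
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def demo() -> dict:
    # Constructed engine ID standing in for a second agent; not from the RFC.
    other_engine = bytes.fromhex("80001f8880e9bd0a7f0000000a")
    key_a = password_to_key("maplesyrup", RFC_ENGINE_ID, "sha1")
    key_b = password_to_key("maplesyrup", other_engine, "sha1")
    # Constructed stand-in for a serialized SNMPv3 message whose 12-byte
    # msgAuthenticationParameters field is already set to zeros.
    msg = b"\x30\x2a\x02\x01\x03" + b"\x00" * 12 + b"sysName.0 GET request body"
    mac = auth_params(key_a, msg, "sha1")
    return {
        "md5_key_hex": password_to_key("maplesyrup", RFC_ENGINE_ID, "md5").hex(),
        "sha_key_hex": key_a.hex(),
        "keys_differ_per_engine": key_a != key_b,
        "mac_len": len(mac),
        "mac_verifies": verify_auth(key_a, msg, mac, "sha1"),
        "tampered_rejected": not verify_auth(key_a, msg + b"!", mac, "sha1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two RFC test vectors (password maplesyrup, engine ID 00…02) come out as 526f5eed… for MD5 and 6695febc… for SHA-1. Because the localized key depends on the engine ID, a manager must learn each agent's engine ID first (discovery), which is also why the same user password produces different keys on two gateways.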
6.7.4<br />
Trap Sinks<br />
The Trap Sinks tab looks like this:<br />
There is one section on this tab:<br />
• Trap Sinks<br />
It is described in the following.<br />
Trap Sinks<br />
The Trap Sinks section looks like this:<br />
Using this section, you can configure host systems that are to receive event<br />
notification messages called “traps” in SNMP terminology.<br />
The receiving systems are also known as “trap sinks”.<br />
SNMP specifies a procedure for event notification called “trap”. Based on this<br />
procedure, the SNMP Agent can be configured to send a trap whenever a<br />
particular event occurs. The trap is sent to a “trap sink”, which is a host system<br />
providing a trap daemon listening on a particular port to receive the trap.<br />
Usually, this daemon is running on the system as part of an SNMP management<br />
application.<br />
A trap can be sent to each trap sink that has been configured to receive it.<br />
Traps are sent in an asynchronous fashion, which means the sending agent<br />
does not wait for acknowledgment, nor does it perform the retransmission of a<br />
trap.<br />
To add a trap sink to the list, use the area labeled:<br />
• Add Trap Sink<br />
Specify the appropriate information using the following items:<br />
— Host<br />
Specify the host system (the trap sink) that is to receive traps from the<br />
SNMP Agent in this input field. To do this, enter a host name or an IP<br />
address.<br />
— Port<br />
Enter the port number for the port of the host system where a trap daemon<br />
is listening to receive traps.<br />
— Community String<br />
Enter a community string (password) here for access to the host system<br />
that is being configured as a trap sink.<br />
Note that this community string allows only read-access (public mode).<br />
— Send SNMPv2c Traps<br />
Enable this option if you want traps to be sent by the SNMP Agent using<br />
SNMP protocol version 2c, where the community string travels in clear text.<br />
Otherwise traps are only sent using SNMP protocol version 3.<br />
— Add<br />
After specifying the appropriate information, click on this button to add<br />
the new trap sink to the list.<br />
If this action was successful, the trap sink is displayed in the trap sink list, which<br />
is displayed at the bottom of this section.
6.7.5<br />
MIB Browser<br />
The MIB Browser tab looks like this:<br />
There is one section on this tab:<br />
• MIB Browser<br />
It is described in the following.<br />
MIB Browser<br />
The MIB Browser section looks like this:<br />
Using this section, you can view the objects managed by the SNMP Agent in<br />
a MIB tree. To view this tree structure a MIB browser is used.<br />
Within a MIB tree, every individual object is represented under its object type<br />
and assigned to a particular object category. Each object category is itself<br />
assigned to an object category on a higher level, which creates a hierarchical<br />
structure of categories (the MIB tree) ending in a top level category (iso).<br />
So, e. g. the system currently running the SNMP Agent is represented<br />
under the system object type. The categories above this object type are<br />
iso.org.dod.internet.mgmt.mib-2. This means that mib-2 is the category<br />
the system is immediately assigned to.
The individual system represented under system has a number of objects<br />
assigned as attributes to it, which are also displayed in the MIB tree, e. g. the<br />
system name, which is represented under sysName. sysName is preceded<br />
by a little arrow to show there is more information available for this entry. A click<br />
on sysName displays its value, i. e. the actual system name, e. g. lupus.<br />
Other properties of sysName are displayed together with its value.<br />
The properties of attribute objects are shown on the MIB browser tab in a<br />
separate area below the MIB tree.<br />
Every category, object type or attribute is also identified within the MIB by<br />
a complex number. They are displayed in brackets behind the name of an<br />
item. So, e. g. 1.3.6.1.2.1.1.5 is the equivalent of iso.org.dod.internet.mgmt.mib-2.system.sysName.<br />
The number and the name chain are<br />
different formats of the object ID (OID) of an object. You can browse for sections<br />
of the MIB tree using a root OID, i. e. an OID not leading completely<br />
down to the object type level. So, browsing for e. g. 1.3.6.1 would display all<br />
objects available within the internet category of the MIB tree.<br />
The meaning and usage of the input field and the display fields provided in this<br />
section is as follows:<br />
• Root OIDs<br />
Enter a root OID in this input field to browse for a particular section of the<br />
MIB tree, e. g. 1.3.6.1 for the internet category.<br />
Click on the Browse button to display this section in the MIB Tree Area<br />
below this input field.<br />
• MIB Tree Area<br />
In this area, the MIB tree or a section of it is displayed. The section can<br />
be specified by entering a root ID in the Root OIDs input field above this<br />
area.<br />
To show the items assigned to another item within the MIB tree, expand<br />
its structure by clicking on the + sign preceding it. If an item is preceded<br />
by a little arrow, information about its properties, such as its value or OID,<br />
is available in the Object Properties Area below this area. Click on the<br />
item, to display this information.<br />
Use the Expand All and Collapse All buttons just below the bottom right<br />
corner of this area to expand or collapse a MIB tree section.<br />
• Object Properties Area<br />
In this area, the properties of an object selected from the MIB tree are<br />
displayed. An object can be a scalar or a table object. Accordingly, only<br />
one set of properties is displayed for a scalar object, e. g. ifNumber, the<br />
number of interfaces available on a system.<br />
For a table object, a table of property sets is displayed, e. g. ifTable, an<br />
object providing information about several interfaces sorted in rows with<br />
properties for each instance of an interface.<br />
The following properties are shown for an object:<br />
— Name<br />
Name of the object as displayed in the MIB tree, e. g. SNMPv2-MIB::sysName.0<br />
This is the format for displaying the name of an object. It contains<br />
the MIB module that defines the object (SNMPv2-MIB), followed by the object<br />
name itself (sysName). The .0 suffix is the instance index: a scalar object<br />
such as sysName has exactly one instance, which is always numbered 0.<br />
— OID<br />
OID of the object, e. g. 1.3.6.1.2.1.1.5.0<br />
— Value<br />
Value of the object, e. g. lupus. For the example used here, it means<br />
the name of the system running the <strong>Webwasher</strong> software is lupus.<br />
— Type<br />
Type of the data providing the object value, e. g. OCTET STRING.<br />
— Description<br />
Text describing the object, e. g. a name assigned by the administrator<br />
to a managed node. If the name is unknown, the value is a zero-length<br />
string.<br />
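An added example, not code from this guide or from <strong>Webwasher</strong>, that ties together the two OID forms<br />
described above with the Allow Root OID field of the Communities and SNMPv3 Users tabs: a small name table<br />
holding the objects this section mentions (system, sysName, ifNumber, ifTable, with their standard OIDs<br />
from SNMPv2-MIB and IF-MIB), conversion between dotted numbers and name chains, the SNMPv2-MIB::sysName.0<br />
label style, listing of the subtree below a root OID, and the subtree check a root OID restriction<br />
implies. The table is a constructed fragment rather than a MIB parser, and treating an empty Allow Root<br />
OID field as “whole tree” is an assumption.<br />

```python
"""OIDs in numeric and name-chain form, root-OID subtree browsing and checks.

Added example, not code from the Webwasher guide. The MIB fragment below is
constructed by hand from the objects the MIB Browser section mentions.
"""
from __future__ import annotations

# Name chain -> dotted OID for the nodes used in this chapter (standard values
# from SNMPv2-MIB and IF-MIB). A real MIB browser loads these from MIB files.
MIB = {
    "iso": "1",
    "iso.org": "1.3",
    "iso.org.dod": "1.3.6",
    "iso.org.dod.internet": "1.3.6.1",
    "iso.org.dod.internet.mgmt": "1.3.6.1.2",
    "iso.org.dod.internet.mgmt.mib-2": "1.3.6.1.2.1",
    "iso.org.dod.internet.mgmt.mib-2.system": "1.3.6.1.2.1.1",
    "iso.org.dod.internet.mgmt.mib-2.system.sysName": "1.3.6.1.2.1.1.5",
    "iso.org.dod.internet.mgmt.mib-2.interfaces": "1.3.6.1.2.1.2",
    "iso.org.dod.internet.mgmt.mib-2.interfaces.ifNumber": "1.3.6.1.2.1.2.1",
    "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable": "1.3.6.1.2.1.2.2",
}
# MIB module that defines each group; used for the MODULE::name.instance label.
MODULE = {"system": "SNMPv2-MIB", "interfaces": "IF-MIB"}


def parse_oid(text: str) -> tuple[int, ...]:
    """Parse a dotted OID, rejecting values that cannot be a valid OID."""
    arcs = tuple(int(a) for a in text.strip().lstrip(".").split("."))
    if any(a < 0 for a in arcs):
        raise ValueError(f"negative arc in {text!r}")
    if arcs[0] > 2 or (arcs[0] < 2 and len(arcs) > 1 and arcs[1] > 39):
        raise ValueError(f"{text!r}: first arc must be 0..2, second arc < 40 under 0 and 1")
    return arcs


def is_valid_oid(text: str) -> bool:
    try:
        parse_oid(text)
        return True
    except ValueError:
        return False


def is_under(root: tuple[int, ...], oid: tuple[int, ...]) -> bool:
    """True if oid lies in the subtree rooted at root (root itself included)."""
    return oid[: len(root)] == root


OID_TO_NAME = {parse_oid(v): k for k, v in MIB.items()}


def _longest_named_prefix(oid: tuple[int, ...]) -> tuple[str | None, int]:
    for cut in range(len(oid), 0, -1):
        name = OID_TO_NAME.get(oid[:cut])
        if name is not None:
            return name, cut
    return None, 0


def oid_to_name(text: str) -> str:
    """1.3.6.1.2.1.1.5.0 -> iso.org.dod.internet.mgmt.mib-2.system.sysName.0"""
    oid = parse_oid(text)
    name, cut = _longest_named_prefix(oid)
    if name is None:
        return text
    rest = ".".join(str(a) for a in oid[cut:])
    return f"{name}.{rest}" if rest else name


def browser_label(text: str) -> str:
    """The Name property shown by the MIB browser, e.g. SNMPv2-MIB::sysName.0"""
    oid = parse_oid(text)
    name, cut = _longest_named_prefix(oid)
    if name is None:
        return text
    parts = name.split(".")
    module = next((MODULE[p] for p in parts if p in MODULE), "?")
    rest = ".".join(str(a) for a in oid[cut:])
    return f"{module}::{parts[-1]}" + (f".{rest}" if rest else "")


def browse(root_text: str) -> list[tuple[str, str]]:
    """What the MIB Tree Area shows for a root OID: (oid, short name) in OID order."""
    root = parse_oid(root_text)
    hits = sorted((oid, name) for oid, name in OID_TO_NAME.items() if is_under(root, oid))
    return [(".".join(map(str, oid)), name.rsplit(".", 1)[-1]) for oid, name in hits]


def root_oid_permits(allow_root_oid: str, requested: str) -> bool:
    """Allow Root OID check for a community or SNMPv3 user. The field is
    optional; an empty value is taken here to mean the whole tree (assumption)."""
    if not allow_root_oid.strip():
        return True
    return is_under(parse_oid(allow_root_oid), parse_oid(requested))


if __name__ == "__main__":
    print(oid_to_name("1.3.6.1.2.1.1.5.0"), browser_label("1.3.6.1.2.1.1.5.0"))
    for oid, name in browse("1.3.6.1.2.1.2"):
        print(oid, name)
    # A community restricted to the system group may read sysName but not ifNumber.
    print(root_oid_permits("1.3.6.1.2.1.1", "1.3.6.1.2.1.1.5.0"),
          root_oid_permits("1.3.6.1.2.1.1", "1.3.6.1.2.1.2.1.0"))
```

A community whose Allow Root OID is 1.3.6.1.2.1.1 can read sysName.0 but is refused ifNumber.0, which sits under 1.3.6.1.2.1.2; an agent should apply this check to every varbind of a request, not only the first one.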
6.8<br />
Global Command Center<br />
The Global Command Center options are invoked by clicking on the corresponding<br />
button under <strong>Configuration</strong>:<br />
If you want to enable any of these options, you also need to mark the checkbox<br />
that is on this button.<br />
Then click on Apply Changes to make this setting effective.
The options are arranged under the following tab:<br />
They are described in the upcoming section:<br />
• Global Command Center, see 6.8.1<br />
6.8.1<br />
Global Command Center<br />
The Global Command Center tab looks like this:<br />
There are five sections on this tab:<br />
• Certificate Creation<br />
• Port Settings<br />
• Server Settings<br />
• Certificate Password<br />
• Device Name<br />
They are described in the following.<br />
Certificate Creation<br />
The Certificate Creation section looks like this:<br />
It enables you to create the certificate that is needed for communication between<br />
<strong>Webwasher</strong> and the Global Command Center.<br />
The meaning of the buttons provided in this section is as follows:<br />
• Create Certificate<br />
Click on this button to create a new certificate.<br />
• Reload Certificate<br />
Click on this button to use an already existing certificate.<br />
Port Settings<br />
The Port Settings section looks like this:<br />
It allows you to configure the port used by Global Command Center (GCC) to<br />
contact <strong>Webwasher</strong>. Only change this port if it was changed in GCC as well.<br />
The meaning of the items provided in this section is as follows:<br />
• Port<br />
Port number of the port used by GCC to contact <strong>Webwasher</strong>. The default<br />
port number is 7072.<br />
• Allow access from<br />
Use this field to configure IP addresses that should have access to this<br />
port.
The input format is:<br />
(IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*.<br />
Note: Type * to allow access from any address. Where possible, restrict<br />
access to the address of the GCC server instead.<br />
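An added example, not code from this guide or from <strong>Webwasher</strong>, of the access-list matching behind<br />
the Allow access from field here and the Allowed from fields of the SNMP Communities and SNMPv3 Users<br />
tabs (6.7.2, 6.7.3). It parses both input formats the guide gives, Host|IP/NetMask|default|* and the<br />
comma-separated (IP | IP/NetMask | IP range) list, and applies them as an agent would to an incoming<br />
request. The first-last syntax for an IP range, the host-name table and the community definitions are<br />
assumptions made for an offline demonstration.<br />

```python
"""Access lists for the "Allowed from" and "Allow access from" fields.

Added example, not code from the Webwasher guide. Two input formats:
  Host|IP/NetMask|default|*                 (SNMP communities and SNMPv3 users)
  (IP | IP/NetMask | IP range)[, ...]       (Global Command Center port)
The first-last range syntax and the host-name table are assumptions.
"""
from __future__ import annotations

import hmac
import ipaddress

# Constructed stand-in for DNS resolution of host names in an access list.
HOST_TABLE = {"nms.example.test": "10.0.5.20", "gcc.example.test": "10.0.9.4"}


def parse_entry(entry: str) -> tuple:
    """One element -> ('any',) | ('net', network) | ('range', lo, hi) | ('ip', address)."""
    entry = entry.strip()
    if entry in ("default", "*"):
        return ("any",)
    if "/" in entry:
        # strict=False accepts 10.0.5.7/24 as well as 10.0.5.0/24
        return ("net", ipaddress.ip_network(entry, strict=False))
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range {entry!r}")
        return ("range", lo, hi)
    try:
        return ("ip", ipaddress.ip_address(entry))
    except ValueError:
        if entry not in HOST_TABLE:
            raise ValueError(f"cannot resolve host {entry!r}") from None
        return ("ip", ipaddress.ip_address(HOST_TABLE[entry]))


def parse_acl(text: str) -> list:
    """Parse a whole field; a single Host|IP/NetMask|default|* entry is the one-element case."""
    return [parse_entry(e) for e in text.split(",") if e.strip()]


def allowed(acl: list, client: str) -> bool:
    """Fail closed: a client matches only if some entry explicitly covers it."""
    ip = ipaddress.ip_address(client)
    for rule in acl:
        kind = rule[0]
        if kind == "any":
            return True
        if kind == "net" and ip.version == rule[1].version and ip in rule[1]:
            return True
        if kind == "range" and ip.version == rule[1].version and rule[1] <= ip <= rule[2]:
            return True
        if kind == "ip" and ip == rule[1]:
            return True
    return False


# Constructed community definitions, mirroring the Add Community fields.
COMMUNITIES = [
    {"string": "monitor-ro", "allowed_from": "10.0.5.0/24", "read_only": True},
    {"string": "ops-rw", "allowed_from": "nms.example.test", "read_only": False},
]


def authorize_community(client: str, community: str, write: bool) -> bool:
    """Agent-side decision for an SNMPv1/v2c request: the community string must
    match (compared in constant time), the source must be covered by Allowed
    from, and a SET needs a community that is not Read-Only."""
    for c in COMMUNITIES:
        if (hmac.compare_digest(c["string"].encode(), community.encode())
                and allowed(parse_acl(c["allowed_from"]), client)):
            return not (write and c["read_only"])
    return False


if __name__ == "__main__":
    gcc_acl = parse_acl("gcc.example.test, 192.168.1.10-192.168.1.20, 172.16.0.0/12")
    for host in ("10.0.9.4", "192.168.1.21", "172.20.3.4"):
        print(host, allowed(gcc_acl, host))
    print(authorize_community("10.0.5.77", "monitor-ro", write=True))
    print(authorize_community("10.0.5.20", "ops-rw", write=True))
```

Two points the field descriptions leave implicit: an empty list matches nobody, so a mistyped entry locks the management station out rather than opening the port, and a host name in the list is only as trustworthy as the DNS answer the gateway receives, which is why the IP or network forms are preferable for the GCC port.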
Server Settings<br />
The Server Settings section looks like this:<br />
It allows you to configure the name and port of the Global Command Center<br />
(GCC) server. The meaning of the input fields provided here is as follows:<br />
• Server Name or IP Address<br />
Name of the GCC server. This can either be a fully qualified domain name<br />
or an IP address (use the same that was specified in the certificate).<br />
• Server Port<br />
Port number of the GCC server port. The default port number is 7443. Only<br />
change this default number if it was changed in GCC as well.<br />
Certificate Password<br />
The Certificate Password section looks like this:<br />
It allows you to configure the password that is needed to use the certificate<br />
for access to Global Command Center.<br />
The following input field is provided here:<br />
• Password<br />
In this input field enter the password needed for use of the certificate (if<br />
any).<br />
Note: If you used the Create Certificate button of the Certificate Creation<br />
section above or the script provided with <strong>Webwasher</strong> to create the<br />
certificate, no password needs to be used here.<br />
Device Name<br />
The Device Name section looks like this:<br />
It allows you to configure the name of the <strong>Webwasher</strong> object created in Global<br />
Command Center (GCC).<br />
The following input field is provided here:<br />
• Device Name<br />
In this input field enter the device name that is created for the <strong>Webwasher</strong><br />
object by the Global Command Center (GCC) <strong>Configuration</strong> Manager. Use<br />
exactly the same name as in GCC.<br />
6.9<br />
Certificate Management<br />
The Certificate Management options are invoked by clicking on the corresponding<br />
button under <strong>Configuration</strong>:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• <strong>Webwasher</strong> Root CA, see 6.9.1<br />
• Private Key Handling, see 6.9.2<br />
• Known Certificate Authorities, see 6.9.3<br />
• Client Certificates, see 6.9.4
6.9.1<br />
<strong>Webwasher</strong> Root CA<br />
The <strong>Webwasher</strong> Root CA tab looks like this:<br />
There are two sections on this tab:<br />
• Import Certificate Authority<br />
• Generate New Certificate Authority<br />
They are described in the following.<br />
Import Certificate Authority<br />
The Import Certificate Authority section looks like this:<br />
Using this section, you can import an existing Certificate Authority (CA) for<br />
signing new certificates. You can also import the private key for this CA.<br />
If you are importing a subordinate CA, you can also specify a chain file, i. e.<br />
a file providing information on the complete certificate chain that belongs to<br />
the CA. This information is sent to the client when the SSL handshake is performed.<br />
Use the following input fields and buttons to import a certificate authority:<br />
• Certificate<br />
In this input field enter the certificate you want to import. To do this, browse<br />
for the certificate, which is contained in a *.pem file.<br />
Make sure the certificate you are importing is base64-encoded (PEM format),<br />
not a binary DER file.<br />
• Private Key<br />
In this input field enter the private key for the certificate. To do this, browse<br />
for the private key, which is contained in a *.pem file.<br />
Make sure the private key you are importing is base64-encoded (PEM format).<br />
• Password<br />
If the private key is protected by a password, you need to provide it here.<br />
• Certificate Chain<br />
Use this input field to specify a certificate chain, i. e. a file providing information<br />
on the complete certificate chain. To do this, browse for this file.<br />
Make sure the file you are importing is base64-encoded.
• Import<br />
After specifying the appropriate information in the input fields described<br />
above, click on this button to import the certificate authority.<br />
Generate New Certificate Authority<br />
The Generate New Certificate Authority section looks like this:<br />
Using this section, you can generate a new certificate authority.<br />
The purpose of generating a new root CA (Certificate Authority) for <strong>Webwasher</strong><br />
is to have your own individual root CA containing correct data, rather than sharing<br />
a common root CA with other <strong>Webwasher</strong> customers.<br />
If you keep the shared default root CA, the administrators of any other <strong>Webwasher</strong><br />
installation hold the same CA private key and could therefore issue certificates<br />
that your clients trust and decrypt their traffic, since administrators also know<br />
the private key of the domain certificates. Creating or importing a new CA will<br />
generate a new private key for the domain certificates.<br />
To generate a new root CA, fill in the input fields provided in this section, i. e.<br />
Organization*, Organizational Unit, etc.<br />
Input is mandatory for the fields marked with an * (asterisk).<br />
Then click on the Generate button to generate the new certificate authority.<br />
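An added example, not part of this guide and not <strong>Webwasher</strong> code, that prepares the PEM files this tab<br />
imports and runs the checks worth doing before clicking Import. It drives the openssl command-line tool<br />
(assumed to be installed) from Python to generate a private root CA with the subject fields above, issue<br />
a certificate with a given validity in days (the setting described under Certificate Issuing Options in<br />
6.9.2), confirm that the chain verifies, confirm that a private key really belongs to the certificate it<br />
is imported with (the Import forms do not check this pairing for you; the same applies to Client<br />
Certificates in 6.9.4), and read back the CRL distribution point URL that Automatic CRL URL Retrieval<br />
in 6.9.3 would store. Subject names, the host name, the password and the CRL URL are illustrative<br />
assumptions.<br />

```python
"""Prepare and sanity-check PEM material for the Certificate Management tabs.

Added example, not code from the Webwasher guide. It drives the openssl
command-line tool (assumed to be installed) from Python; all names, the
password and the CRL URL are illustrative assumptions.
"""
from __future__ import annotations

import os
import re
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone

CRL_URL = "http://crl.example.test/root.crl"   # assumed crlDistributionPoints URI
CA_SUBJECT = "/C=DE/O=Example Org/OU=Web Gateway/CN=Example Webwasher Root CA"


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def _openssl(*args: str, passwd: str | None = None) -> str:
    """Run one openssl command. The key password goes in via the environment
    (-passin/-passout env:CA_PASS), never on the command line where ps shows it."""
    env = dict(os.environ)
    if passwd is not None:
        env["CA_PASS"] = passwd
    return subprocess.run(["openssl", *args], check=True, capture_output=True,
                          text=True, env=env).stdout


def make_root_ca(workdir: str, passwd: str, days: int = 3650) -> tuple[str, str]:
    """Private root CA: AES-256 encrypted RSA key and self-signed certificate,
    both PEM ("base64-encoded"), as the Import Certificate Authority section requires."""
    key, cert = os.path.join(workdir, "ca.key"), os.path.join(workdir, "ca.pem")
    _openssl("genrsa", "-aes256", "-passout", "env:CA_PASS", "-out", key, "3072", passwd=passwd)
    _openssl("req", "-x509", "-new", "-sha256", "-days", str(days), "-key", key,
             "-passin", "env:CA_PASS", "-subj", CA_SUBJECT, "-out", cert, passwd=passwd)
    return key, cert


def issue_server_cert(workdir, ca_key, ca_cert, passwd, host, days) -> tuple[str, str]:
    """Leaf certificate signed by the CA, valid for `days` days, carrying a CRL
    distribution point so that CRL URL retrieval has something to extract."""
    base = os.path.join(workdir, host)
    with open(base + ".ext", "w") as f:
        f.write("basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n"
                f"extendedKeyUsage=serverAuth\nsubjectAltName=DNS:{host}\n"
                f"crlDistributionPoints=URI:{CRL_URL}\n")
    _openssl("genrsa", "-out", base + ".key", "2048")
    _openssl("req", "-new", "-key", base + ".key", "-subj", f"/O=Example Org/CN={host}",
             "-out", base + ".csr")
    _openssl("x509", "-req", "-in", base + ".csr", "-CA", ca_cert, "-CAkey", ca_key,
             "-passin", "env:CA_PASS", "-CAcreateserial", "-sha256", "-days", str(days),
             "-extfile", base + ".ext", "-out", base + ".pem", passwd=passwd)
    return base + ".key", base + ".pem"


def chain_verifies(ca_cert: str, cert: str) -> bool:
    """What a client that trusts the root CA will conclude about the issued certificate."""
    return subprocess.run(["openssl", "verify", "-CAfile", ca_cert, cert],
                          capture_output=True).returncode == 0


def key_matches_cert(cert: str, key: str, passwd: str | None = None) -> bool:
    """Compare the public key inside the certificate with the one derived from the
    private key. Do this before importing a CA or client certificate with its key."""
    from_cert = _openssl("x509", "-in", cert, "-noout", "-pubkey")
    args = ["pkey", "-in", key, "-pubout"] + (["-passin", "env:CA_PASS"] if passwd else [])
    from_key = _openssl(*args, passwd=passwd)
    return from_cert.strip() == from_key.strip()


def crl_url(cert: str) -> str | None:
    """The URI a CRL URL retrieval step would take from the certificate's CRL
    Distribution Points extension (None if the certificate has none)."""
    text = _openssl("x509", "-in", cert, "-noout", "-text")
    idx = text.find("CRL Distribution Points")
    m = re.search(r"URI:(\S+)", text[idx:]) if idx >= 0 else None
    return m.group(1) if m else None


def days_remaining(cert: str) -> int:
    """Remaining validity, to compare with the 'Certificates are valid for ... days' setting."""
    not_after = _openssl("x509", "-in", cert, "-noout", "-enddate").strip().split("=", 1)[1]
    end = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z")
    return (end - datetime.now(timezone.utc).replace(tzinfo=None)).days


def demo() -> dict:
    work = tempfile.mkdtemp(prefix="ww-certs-")
    ca_key, ca_cert = make_root_ca(work, "ca-secret")
    _, srv_cert = issue_server_cert(work, ca_key, ca_cert, "ca-secret", "proxy.example.test", 365)
    return {
        "chain_ok": chain_verifies(ca_cert, srv_cert),
        "ca_key_pairs_with_ca_cert": key_matches_cert(ca_cert, ca_key, "ca-secret"),
        "ca_key_pairs_with_server_cert": key_matches_cert(srv_cert, ca_key, "ca-secret"),
        "crl_url": crl_url(srv_cert),
        "days": days_remaining(srv_cert),
        "workdir": work,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The files written to the work directory are what the Certificate and Private Key fields expect; if a certificate arrives as binary DER, convert it first with openssl x509 -inform DER -in file.der -out file.pem. The deliberately wrong pairing in demo() (CA key against the server certificate) shows the check that catches a mixed-up key file before it is imported.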
6.9.2<br />
Private Key Handling<br />
The Private Key Handling tab looks like this:<br />
There are three sections on this tab:<br />
• HSM Agent Setup<br />
• Certificate Issuing Options<br />
• Handshake Options<br />
They are described in the following.
HSM Agent Setup<br />
The HSM Agent Setup section looks like this:<br />
Using this section, you can configure settings for the connections to one or<br />
more HSM Agents. Before you proceed with configuring these settings, make<br />
sure you have set up the HSM Agents in question.<br />
Use the following items to configure settings for HSM Agent connections:<br />
• HSM Agents<br />
Enter the IP addresses or host names of the HSM Agents you have set up<br />
in this input field. The input format is as follows:<br />
ip[:port][;ip[:port]]<br />
<strong>Webwasher</strong> then tries to establish the connections, which will result in either<br />
a positive feedback or an error message.<br />
• Use encrypted connections to HSM Agents<br />
Make sure this option is enabled if you want to use SSL-secured communication<br />
with HSM Agents.<br />
• Use client certificate to authenticate to HSM Agents<br />
Make sure this option is enabled if you also want to have two-sided authentication<br />
between an SSL scanner and an HSM Agent.<br />
In this case you have to import the client certificate that was generated with<br />
the HSM Agent in question. An input field is provided here, together with<br />
a button for searching a certificate. The certificate file for an agent can be<br />
found in the SSL2/private folder. Its name is agentcertkey.pem.<br />
Furthermore, there are two buttons for importing a certificate in different<br />
ways:<br />
— Import client certificate<br />
Click on this button to import a client certificate on the current SSL<br />
Scanner node.<br />
— Import and distribute client certificate<br />
If the generated certificate is valid for all SSL scanner nodes, click on<br />
this button to have it distributed on all of them. Otherwise, you need to<br />
import a node-specific client certificate on each SSL scanner node.<br />
Note: If you are using client certificate authentication for HSM Agents<br />
in a <strong>Webwasher</strong> cluster, you need to import a valid client certificate on<br />
each new SSL scanner node in case you extend the cluster.<br />
Only in the simple case (one client certificate for all nodes) can this<br />
be done on the master instance by re-importing the existing certificate<br />
and checking this distributing option. In the complex case, you need to<br />
import a certificate on each new node, using the Web interface.<br />
Certificate Issuing Options<br />
The Certificate Issuing Options section looks like this:<br />
Using this section, you can configure the signing of certificates.<br />
You can move the private key of a CA to an HSM Agent for signing a certificate.<br />
Before configuring the ID of this key, make sure a connection to the HSM Agent<br />
has been set up.<br />
Furthermore, you can import the CA, which is usually created by the HSM<br />
Agent, on the SSL scanner.<br />
Use the following items to configure the signing of certificates:<br />
• Signing operation of new server certificates will be done<br />
— by this <strong>Webwasher</strong> instance<br />
Enable this option to have the certificate signed by the current instance<br />
of <strong>Webwasher</strong>.<br />
— by remote service using HSM Agent with key<br />
Enable this option to have the certificate signed by a remote service<br />
using the HSM Agent.
To configure this option, a key ID must be entered in the input field<br />
provided here. Before enabling the option, import the certificate, see<br />
below.<br />
• Certificates are valid for . . . days<br />
Enter the number of days the certificates issued by this CA should be valid<br />
in the input field provided here. After the certificates have expired, the SSL<br />
scanner will issue them again if required.<br />
This setting can be configured regardless of whether the current <strong>Webwasher</strong><br />
instance or the HSM Agent is used for signing a certificate.<br />
Below this input field, another one is provided for searching and importing<br />
the certificate, using the Browse and Import root certificate buttons<br />
next to it.<br />
Handshake Options<br />
The Handshake Options section looks like this:<br />
Using this section, you can configure the decrypting of the SSL handshake<br />
with the client.<br />
The private key needed for this can also be provided by the HSM Agent.<br />
Before configuring the ID of the key in question, make sure a connection to the<br />
HSM Agent has been set up.<br />
Use the following items to configure handshake decryption:<br />
• Decrypting of handshake will be done<br />
— by this <strong>Webwasher</strong> instance<br />
Enable this option to have the handshake decrypted by the current instance<br />
of <strong>Webwasher</strong>.<br />
— by remote service using HSM Agent with key<br />
Enable this option to have the handshake decrypted by a remote service<br />
using the HSM Agent. To configure this option, a key ID must be<br />
entered in the input field provided here.<br />
• Send certificate chain in handshake<br />
Enable this option for configuring the SSL scanner to send the certificate<br />
chain during the handshake.<br />
Usually, the certificate chain contains only the <strong>Webwasher</strong> CA. If the <strong>Webwasher</strong><br />
CA is not self-signed, however, the chain contains all certificates<br />
down to the root CA.<br />
If you have rolled out the <strong>Webwasher</strong> CA in your company, there is no need<br />
for sending the chain.<br />
6.9.3<br />
Known Certificate Authorities<br />
The Known Certificate Authorities tab looks like this:<br />
There are three sections on this tab:<br />
• View Certificate Authority<br />
• Known Certificate Authorities<br />
• Automatic CRL URL Retrieval<br />
They are described in the following.<br />
View Certificate Authority<br />
The View Certificate Authority section looks like this:<br />
It allows you to view information on a Certificate Authority (CA). This is information<br />
relating to the CA you selected in the Known Certificate Authorities<br />
section below. You can modify one item of this information, i. e., the URL for<br />
CRL download.<br />
The following information is provided here:<br />
• Valid time span<br />
Time span over which the CA is valid.<br />
• URI for CRL download<br />
URI (URL) from which a Certificate Revocation List (CRL) issued by this CA<br />
can be downloaded.<br />
This information can be modified. To do this, type appropriate text in this<br />
field. Then click on the Modify button at the bottom of the section.<br />
• Number of revoked certificates<br />
Number of certificates that have been issued and revoked by this CA.<br />
The number of revoked certificates can only be displayed if it is known<br />
which URL to use for obtaining the CRL.<br />
To provide this URL, you can either enter it or modify its entry in the URI<br />
for CRL download field, or enable the option for automatic URL retrieval.<br />
The option for automatic URL retrieval is enabled in the Automatic CRL<br />
URL Retrieval section, which is also located on this tab.<br />
Known Certificate Authorities<br />
The Known Certificate Authorities section looks like this:<br />
Using this section, you can view a list of known Certificate Authorities (CAs)<br />
and import new CAs, which are added to this list.<br />
To import and add new CA, use this area:<br />
• Add certificate(s)<br />
The following items are provided here:<br />
— Certificate(s) file<br />
In this input field, enter the certificate file for the CA you want to import,<br />
using the Browse button next to the field.<br />
Make sure the file you are importing is base64-encoded.
— Import<br />
After browsing to the certificate file, click on this button to import it.<br />
If the certificate file was imported successfully, a corresponding entry is<br />
added to the list, which is displayed at the bottom of this section.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using<br />
the Enter key of your keyboard. If the number of entries is higher than this<br />
number, the remaining entries are shown on successive pages.<br />
A page indicator is then displayed, where you can select a particular page<br />
by clicking on the appropriate arrow symbols.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filter expression in the input field provided here and enter it using the<br />
Enter key of your keyboard. The list will then display only CAs matching<br />
the filter.<br />
• View<br />
To view a CA, click on this icon in the same line of the list.<br />
• Delete Selected<br />
Select the CA you wish to delete by marking the Select checkbox next to<br />
it and click on this button. You can delete more than one CA in one go.<br />
To delete all CAs, mark the Select all checkbox and click on this button.<br />
Automatic CRL URL Retrieval<br />
The Automatic CRL URL Retrieval section looks like this:<br />
It allows you to configure the storing of URLs for downloading CRLs (Certificate<br />
Revocation Lists). These will be extracted from the vendor certificates and the<br />
issuing CAs when the certificate chain is inspected during the verification of a<br />
signature.<br />
If you want to use this option, make sure the checkbox provided here is marked.<br />
Note that a URL will not be overwritten if it has already been stored.<br />
6.9.4<br />
Client Certificates<br />
The Client Certificates tab looks like this:<br />
There is one section on this tab:<br />
• Client Certificates<br />
It is described in the following.<br />
Client Certificates<br />
The Client Certificates section looks like this:<br />
Using this section, you can add client certificates to the list of certificates. A<br />
private key and a passphrase must also be specified for this purpose.<br />
The list will be searched in order to authenticate a client that provides a certificate<br />
after being requested by the server to do so.
To add a certificate to the list, use the area labeled:<br />
• Add client certificate<br />
Specify the information concerning the certificate you want to enter in the list<br />
using the following input fields and button:<br />
— Certificate file<br />
Enter the certificate file name here. To do this, browse for a certificate<br />
file, using the Browse button next to this input field.<br />
Make sure the certificate file you want to add is base64-encoded (PEM format).<br />
— Private key file<br />
Enter the name of the private key file here. To do this, browse for a<br />
private key file, using the Browse button next to this input field.<br />
Make sure the private key file you want to add is base64-encoded (PEM format).<br />
— Passphrase<br />
Enter the passphrase that protects the private key here.<br />
— Import<br />
After specifying the appropriate information in the input fields described<br />
above, click on this button to import the certificate.<br />
If the certificate was imported successfully, a corresponding entry is added<br />
to the list, which is displayed at the bottom of this section.<br />
6.10<br />
DNS Cache<br />
The DNS Cache options are invoked by clicking on the corresponding button<br />
under <strong>Configuration</strong>:<br />
If you want to enable any of these options, you also need to mark the checkbox<br />
that is on this button.<br />
Then click on Apply Changes to make this setting effective.<br />
The options are arranged under the following tab:<br />
6–123
<strong>Configuration</strong><br />
6.10.1<br />
DNS Cache<br />
6–124<br />
They are described in the upcoming section:<br />
• DNS Cache, see 6.10.1<br />
The DNS Cache tab looks like this:<br />
There are two sections on this tab:<br />
• DNS Caching<br />
• Flush DNS Cache<br />
They are described in the following.<br />
DNS Caching<br />
The DNS Caching section looks like this:<br />
Using this section, you can configure how long the results of DNS (Domain Name<br />
System) lookups are kept in the <strong>Webwasher</strong> cache. The same value applies<br />
to all entries. A record that is changed upstream therefore only becomes visible<br />
to the gateway after the cached entry has expired or the cache has been flushed<br />
(see Flush DNS Cache below).<br />
After modifying this setting, click on Apply Changes to make the modification<br />
effective.<br />
Use the following input field to configure the caching time:<br />
• Time to live for DNS entries: . . . sec.<br />
Enter the time (in seconds) here that DNS entries should be stored in the<br />
cache. The default time is 60 seconds.<br />
Flush DNS Cache<br />
The Flush DNS Cache section looks like this:<br />
It allows you to remove all cached DNS entries from the <strong>Webwasher</strong> cache,<br />
e. g. after a record has been changed on the name server.<br />
Use the following button to do this:<br />
• Flush DNS Cache<br />
Click on this button to perform the flushing of DNS entries.<br />
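As an added illustration (not <strong>Webwasher</strong> code) of what the two controls on this tab mean in<br />
operation, the following Node.js class caches lookups for one fixed time to live and can be flushed. The<br />
host name and addresses are constructed, and the clock is injected so that the expiry can be observed<br />
without waiting.<br />

```javascript
// A DNS cache with one fixed time to live for all entries and a flush
// operation, the two controls on the DNS Cache tab. Added example, not
// Webwasher code; names and addresses below are constructed.
class DnsCache {
  constructor(ttlSeconds, resolve, now = () => Date.now()) {
    this.ttlMs = ttlSeconds * 1000;
    this.resolve = resolve;          // upstream lookup: name -> address (or null)
    this.now = now;                  // injectable clock, milliseconds
    this.entries = new Map();        // name -> { address, expiresAt }
    this.stats = { hits: 0, misses: 0 };
  }

  // Normalise the name so "INTRANET.example.com." and "intranet.example.com"
  // share one entry, then serve from cache while the entry is within its TTL.
  lookup(name) {
    const key = name.toLowerCase().replace(/\.$/, '');
    const hit = this.entries.get(key);
    if (hit && hit.expiresAt > this.now()) {
      this.stats.hits += 1;
      return hit.address;
    }
    const address = this.resolve(key);
    if (address !== null) {          // only successful answers are cached
      this.entries.set(key, { address, expiresAt: this.now() + this.ttlMs });
    }
    this.stats.misses += 1;
    return address;
  }

  // Drop every entry; the next lookup of any name goes upstream again.
  flush() {
    const dropped = this.entries.size;
    this.entries.clear();
    return dropped;
  }
}

// What an administrator sees after changing a record: the gateway keeps
// answering with the old address until the TTL runs out or the cache is flushed.
function staleAfterRecordChange(ttlSeconds) {
  let clock = 0;
  const upstream = new Map([['intranet.example.com', '10.0.0.5']]);
  const cache = new DnsCache(ttlSeconds, (n) => upstream.get(n) || null, () => clock);

  const first = cache.lookup('intranet.example.com');       // miss, 10.0.0.5
  upstream.set('intranet.example.com', '10.0.0.6');          // record changed upstream
  const cached = cache.lookup('INTRANET.example.com.');      // hit, still 10.0.0.5
  clock = ttlSeconds * 1000 + 1;
  const refreshed = cache.lookup('intranet.example.com');    // TTL expired, 10.0.0.6
  upstream.set('intranet.example.com', '10.0.0.7');
  const dropped = cache.flush();
  const afterFlush = cache.lookup('intranet.example.com');   // 10.0.0.7 right away
  return { first, cached, refreshed, afterFlush, dropped, stats: cache.stats };
}
```

With the default of 60 seconds the stale window is short; with a long TTL, flushing the cache after a DNS<br />
change is the only way to make the gateway pick up the new address immediately.<br />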
6.11<br />
Backup & Restore<br />
The Backup & Restore options are invoked by clicking on the corresponding<br />
button under <strong>Configuration</strong>:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• <strong>Configuration</strong>, see 6.11.1<br />
• Error Files, see 6.11.2<br />
• Share Folder, see 6.11.3<br />
• Proxy PAC, see 6.11.4<br />
6.11.1<br />
<strong>Configuration</strong><br />
The <strong>Configuration</strong> tab looks like this:<br />
There are two sections on this tab:<br />
• Backup <strong>Configuration</strong><br />
• Restore <strong>Configuration</strong><br />
They are described in the following.<br />
Backup <strong>Configuration</strong><br />
The Backup <strong>Configuration</strong> section looks like this:<br />
Using this section, you can create and download a configuration backup. You<br />
can include additional data in the download, such as the user database, the<br />
progressive lock-out data, or the Welcome Page data.<br />
Apart from the data mentioned, a configuration backup contains only configuration<br />
files. It does not contain, e. g. statistics or log files, which need to be<br />
stored separately. Since the file holds the complete configuration and, optionally,<br />
the user database, treat the downloaded backup as confidential.<br />
Furthermore, the backup file created here is not meant to be sent to the support<br />
team for troubleshooting. When contacting the support team, please use the<br />
feedback script that is provided for this purpose.<br />
Use the following input fields and button for your backup activities:<br />
• Include User Database<br />
If you want to include this database, make sure this checkbox is marked.<br />
The checkbox is marked by default.<br />
• Include Progressive lock-out data<br />
To include this data, mark this checkbox.<br />
• Include Welcome Page data<br />
To include this data, mark this checkbox. The checkbox is marked by default.<br />
• Download <strong>Configuration</strong> Backup<br />
After specifying the appropriate information, click on this button to create<br />
and download the backup file.<br />
This is a single file containing all configuration files in compressed form.<br />
Restore <strong>Configuration</strong><br />
The Restore <strong>Configuration</strong> section looks like this:<br />
Using this section, you can restore a <strong>Webwasher</strong> configuration that was previously<br />
backed up and stored.<br />
Use the following input field and buttons for restoring:<br />
• Restore configuration from file<br />
To restore a previously saved configuration, click on the Browse button<br />
next to this input field and select the desired file or enter the complete path<br />
leading to the file. Then click on the Restore button.<br />
Restoring a configuration does not overwrite any configuration files immediately.<br />
For the restored files to take effect, you have to restart <strong>Webwasher</strong> manually.<br />
Note that a backup can only be restored to the <strong>Webwasher</strong> installation<br />
on the same machine it was created on; it cannot be used to move a configuration<br />
to another machine.<br />
6.11.2<br />
Error Files<br />
The Error Files tab looks like this:<br />
There is one section on this tab:<br />
• Manage Error Templates<br />
It is described in the following.
Manage Error Templates<br />
The Manage Error Templates section looks like this:<br />
It allows you to manage the error templates used by <strong>Webwasher</strong>. You can<br />
download templates from the corresponding <strong>Webwasher</strong> folder and upload<br />
them from an external location.<br />
This may be useful, e. g. if you want to modify templates in order to adapt<br />
them to your corporate standards.<br />
Use the following items to perform the download or upload:<br />
• Download all (tar.gz)<br />
Click on this button to download all error templates.<br />
The templates are stored in the conf/errors folder of the <strong>Webwasher</strong> installation<br />
directory. If you are using error templates in different languages,<br />
they will be stored in subfolders with corresponding language short names,<br />
such as en, fr, de, etc.<br />
The download will provide a file in tar.gz format.<br />
• Upload error files from<br />
In this input field, enter the path and file name for an upload of error templates<br />
or browse to it using the Browse button next to this field.<br />
Then click on the Upload button to perform the upload.<br />
6.11.3<br />
Share Folder<br />
The Share Folder tab looks like this:<br />
There is one section on this tab:<br />
• Manage Share Folder<br />
It is described in the following.<br />
Manage Share Folder<br />
The Manage Share Folder section looks like this:<br />
This section allows you to manage the files in the <strong>Webwasher</strong> share folder.<br />
You can download files from this folder and upload them to it from an external<br />
location.<br />
This may be useful, e. g. if you want to modify files in order to adapt them to<br />
your corporate standards.
Use the following items to perform the download or upload of shared files:<br />
• Download all (tar.gz)<br />
Click on this button to download all files from the share folder.<br />
The files are stored in the lib/files folder of the <strong>Webwasher</strong> installation<br />
directory under UNIX and in the bin\files folder of the same directory<br />
under Windows.<br />
The download will provide a file in tar.gz format.<br />
• Upload files from<br />
In this input field, enter the path and file name of the archive you want to<br />
upload to the share folder, or browse to it using the Browse button next to<br />
the field.<br />
Then click on the Upload button to perform the upload.<br />
6.11.4<br />
Proxy PAC<br />
The Proxy PAC tab looks like this:<br />
There is one section on this tab:<br />
• Client <strong>Configuration</strong><br />
It is described in the following.<br />
Client <strong>Configuration</strong><br />
The Client <strong>Configuration</strong> section looks like this:<br />
Using this section, you can upload a proxy.pac file to enable central administration<br />
of your proxy configuration. You can also configure how long clients should<br />
keep a downloaded proxy.pac file before fetching it again.<br />
Proxy Automatic <strong>Configuration</strong> is a proxy mode where the proxy configuration<br />
is described in a file using JavaScript, called a PAC file, with .pac as file extension.<br />
The file is maintained by the network administrator and requires no<br />
user updating (hence "automatic"). As a browser user, you only need a URL<br />
provided by your administrator.<br />
Proxy Automatic <strong>Configuration</strong> has two advantages over normal configurations:<br />
• Network-based .pac files are centrally administered and easy to update.<br />
Network administrators usually share the .pac files via HTTP. If there are<br />
server changes or network outages, the .pac file can be changed, and your<br />
browser configuration will be automatically updated when the new .pac file<br />
is loaded.<br />
• You can use complicated network environments with a single configuration.<br />
PAC has support for load balancing and failover.<br />
The flip side of central administration is that whoever can modify or serve the<br />
.pac file decides where every browser sends its traffic. The file should therefore<br />
only be served from a host you control, and only administrators should be able<br />
to upload it.<br />
All of today’s current browsers have the facility to use .pac files. The JavaScript<br />
contained within a .pac file is run for every URL the browser requests and decides,<br />
based e. g. on the URL, the host name or the IP address of the browser, whether<br />
the request goes direct, which proxy should service the traffic, and which other<br />
proxies should be used as alternatives if that proxy fails.<br />
A method that may be used in order to ensure that browsers are able to find the<br />
central proxy .pac file is using the WPAD (Web Proxy Autodiscovery Protocol)<br />
standard. This standard defines two alternative ways for the administrator to<br />
publish the location of a proxy configuration file: DHCP (Dynamic Host <strong>Configuration</strong><br />
Protocol) and DNS (Domain Name System).<br />
Before fetching its first page, a Web browser implementing the WPAD method<br />
sends the local DHCP server a DHCPINFORM query, and uses the URL from<br />
the WPAD option (option 252) in the server’s reply. If the DHCP server does not<br />
provide the desired information, DNS is used.<br />
Note that neither method authenticates the answer: a rogue DHCP server on the<br />
local network, or anyone who can register or answer for the wpad host name, can<br />
hand the browsers a .pac file of their own. If you rely on WPAD, make sure the<br />
wpad name in every domain your clients belong to is registered and points to<br />
your own server.<br />
So, if the network name of a user’s system is, e. g. pc.department.branch.example.com,<br />
the browser will try the following URLs<br />
in turn until it finds a proxy configuration file:<br />
• http://wpad.department.branch.example.com/wpad.dat<br />
• http://wpad.branch.example.com/wpad.dat<br />
• http://wpad.example.com/wpad.dat<br />
Note that these are examples and not live URLs. A correctly implemented client<br />
stops before the top-level domain and does not request http://wpad.com/wpad.dat;<br />
a client that went that far would take its proxy settings from a host outside<br />
the organization.<br />
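A proxy.pac for a <strong>Webwasher</strong> gateway, together with the WPAD candidate list derived as above, as an<br />
added example that is not the file shipped with <strong>Webwasher</strong>. The gateway names proxy1.example.com and<br />
proxy2.example.com, the port 9090 and the internal domain are placeholders. The three helper functions at<br />
the top stand in for the ones every PAC-capable browser provides, so that the logic can be exercised from<br />
Node.js; they would be left out of a production file.<br />

```javascript
// proxy.pac for a Webwasher gateway plus the WPAD candidate list a browser
// derives from its own host name. Added example, not Webwasher's proxy.pac:
// gateway names, port 9090 and the internal domain are placeholders.

// Stand-ins for the helpers every PAC-capable browser provides, so the file can
// be exercised from Node.js. A browser uses its own built-in versions.
function isPlainHostName(host) { return !host.includes('.'); }
function dnsDomainIs(host, domain) { return host.toLowerCase().endsWith(domain.toLowerCase()); }
function shExpMatch(str, pattern) {
  // Shell-style glob: escape regex metacharacters, then map * and ? to regex.
  const re = pattern.replace(/[.+^${}()|\[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}

// The entry point the browser calls for every request. The return value is a
// list tried in order, so the second gateway is the failover.
function FindProxyForURL(url, host) {
  // Names without a domain, the internal domain and the private net go direct.
  if (isPlainHostName(host) || dnsDomainIs(host, '.intranet.example.com') || shExpMatch(host, '10.*')) {
    return 'DIRECT';
  }
  // Everything else over HTTP/HTTPS goes through the gateways (placeholder port 9090).
  if (shExpMatch(url, 'http:*') || shExpMatch(url, 'https:*')) {
    return 'PROXY proxy1.example.com:9090; PROXY proxy2.example.com:9090';
  }
  return 'DIRECT';
}

// WPAD DNS discovery: drop one label at a time from the client's FQDN and try
// wpad.<remaining domain>/wpad.dat. The search stops before the top-level
// domain, so wpad.com is never requested; a client that went that far would
// take its proxy settings from a host outside the organization. (Assumes a
// single-label public suffix; for co.uk-style suffixes stop one label earlier.)
function wpadCandidates(fqdn) {
  const labels = fqdn.toLowerCase().replace(/\.$/, '').split('.');
  const urls = [];
  for (let i = 1; i < labels.length - 1; i++) {
    urls.push(`http://wpad.${labels.slice(i).join('.')}/wpad.dat`);
  }
  return urls;
}
```

Because FindProxyForURL returns a list, the browser falls back to proxy2.example.com when<br />
proxy1.example.com is unreachable, which is the failover mentioned above. wpadCandidates produces exactly<br />
the three URLs listed for pc.department.branch.example.com.<br />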
If you want to make use of the proxy .pac file method, click on the link provided<br />
in this section to access a proxy .pac file, or use the following items to upload<br />
one:<br />
• Upload proxy.pac from ...<br />
In this input field, enter the path and file name for the proxy .pac file. You<br />
can either type this information or use the Browse button to browse to a<br />
location where a proxy .pac file is stored.<br />
• Upload files from<br />
After specifying a proxy .pac file in the input field, click on this button to<br />
upload it.<br />
To configure the maximum amount of time that a proxy.pac file should remain<br />
stored on a client, use the following input field:<br />
• Clients should store proxy.pac only for ... seconds<br />
Enter a time length (in seconds) here. The default length is 3600 seconds.<br />
6.12<br />
Action Editor<br />
The Action Editor options are invoked by clicking on the corresponding button<br />
under <strong>Configuration</strong>:<br />
The Action Editor is provided for configuring actions of your own, which can<br />
be used in addition to the pre-configured actions <strong>Webwasher</strong> is shipped with.<br />
These are also known as built-in actions.<br />
To view a list of the built-in actions, click on the question mark above the tabs.<br />
The list is also provided in section 3.1 of the Reference <strong>Guide</strong>.<br />
The options of the Action Editor are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Action Editor, see 6.12.1<br />
• Notifications, see 6.12.2<br />
Furthermore, there is a description of the Action Definition tab.<br />
This tab is provided for configuring further the settings of an action that has<br />
been newly created and for editing existing user-configured actions:<br />
• Action Definition, see 6.12.3<br />
6.12.1<br />
Action Editor<br />
The Action Editor tab looks like this:<br />
There is one section on this tab:<br />
• Actions<br />
It is described in the following.
Actions<br />
The Actions section looks like this:<br />
Using this section, you can configure your own actions and add them to the<br />
list of built-in actions, i. e. the actions <strong>Webwasher</strong> was shipped with. You can<br />
also edit actions you have previously configured yourself.<br />
Note, however, that to make any of the settings you configure here effective,<br />
you need to restart <strong>Webwasher</strong> manually.<br />
The actions can in turn be configured for the various filters of <strong>Webwasher</strong>, and<br />
are executed when a filter applies.<br />
To view a list of the built-in actions, click on the question mark above the tab.<br />
The list is also provided in the section 3.1 of the Reference <strong>Guide</strong>.<br />
In the upper part of this section, a list is displayed of the actions that have been<br />
configured by users so far.<br />
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using the<br />
Enter key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To edit an action, click on the Edit button next to it. This will take you to the Action<br />
Definition tab, where you can modify the settings of the action. The tab is<br />
described in the next subsection.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filtering term in this input field and enter it using the Enter key of<br />
your keyboard. The list will then display only entries matching the filter.<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the Select checkbox next<br />
to it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
To configure a new action use the following items at the bottom of the section:<br />
• Create New<br />
After clicking on this button, a NewAction entry is displayed in the list of<br />
user-configured actions.<br />
Continue the configuration of the new action by clicking on the Edit button<br />
next to it.<br />
This will take you to the Action Definition tab, where you can modify the<br />
settings of the action. The tab is described in the next subsection.<br />
• Create New From Existing<br />
This button allows you to use an existing action as starting point for configuring<br />
a new action. A drop-down list showing all built-in and user-configured<br />
actions is also provided.<br />
To use one of these actions as starting point, select it and click on the<br />
button. Another entry will then be added to the list named New.<br />
To continue the configuration of this action, click on the Edit button as<br />
described above.
6.12.2<br />
Notifications<br />
The Notifications tab looks like this:<br />
There is one section on this tab:<br />
• Notification Recipients<br />
It is described in the following.<br />
Notification Recipients<br />
The Notification Recipients section looks like this:<br />
Using this section, you can configure the recipients of e-mail notifications. You<br />
can also configure the settings of the notification server and send test e-mails.<br />
Note that these settings will apply only under a particular policy. Select this<br />
policy from the drop-down list above the section.<br />
After specifying the appropriate settings, click on Apply Changes to make<br />
them effective.<br />
Use the following items to configure notifications:<br />
• Recipient for general notifications<br />
In this input field, type the e-mail address of the recipient that notifications<br />
should be sent to on general occasions.<br />
• Recipient for virus notifications<br />
In this input field, type the e-mail address of the recipient that notifications<br />
should be sent to if a virus threat has occurred.<br />
• Postmaster addresses<br />
In this input field, type one or more e-mail addresses for notifications to the<br />
postmaster.<br />
• Edit Notification Mail Server<br />
Click on this button to open a window where you can configure the settings<br />
of the mail server that is used for sending notifications.<br />
For a description of this window, see the Notification Settings Window<br />
subsection of 5.5.3.<br />
• Send Test Messages<br />
After configuring the notification settings, click on this button to send test<br />
e-mail messages.
6.12.3<br />
Action Definition<br />
The Action Definition tab looks like this:<br />
At the top of the tab, there is a link that takes you back to the Actions tab.<br />
Furthermore, there is one section on this tab:<br />
• Action Definition<br />
It is described in the following.<br />
A sample procedure for configuring an action is also described after the Action<br />
Definition subsection:<br />
• Configuring an Action for Dropping E-Mails<br />
This is followed by a subsection that lists and describes shortly the parameters<br />
that can be configured with an action:<br />
• Parameter List<br />
A procedure for configuring an action that exempts overlapping categories with<br />
regard to URL filtering can be found in section 4.4.2 of the URL Filter <strong>Guide</strong>.<br />
Action Definition<br />
The Action Definition section looks like this:<br />
Using this section, you can configure the settings of a newly created action or<br />
edit the settings of an already existing user-configured action.<br />
You can specify or edit the name of the action and also what should be executed<br />
for this action with regard to Web and e-mail traffic. Furthermore, you<br />
can configure a number of additional action parameters.<br />
Note, however, that to make any of the settings you configure here effective,<br />
you need to restart <strong>Webwasher</strong> manually.<br />
The action settings are entered in a special configuration file. For more information<br />
about this file, see section 3.3 of the Reference <strong>Guide</strong>.<br />
A sample procedure for a user-configured action is described in the next subsection.<br />
Use the following items to configure an action:<br />
• Name of Action<br />
Use this input field to specify or edit the name of an action.<br />
• Web Action<br />
From this drop-down list, select the activity that should be performed for<br />
Web traffic as part of this action.
• Email Action<br />
From this drop-down list, select the activity that should be performed for<br />
e-mail traffic as part of this action.<br />
• Apply Above Changes<br />
After specifying the appropriate information, click on this button to make<br />
your settings effective.<br />
In the lower part of the section, a list is displayed showing the parameters that<br />
have been configured for the action so far. A short description of the parameters<br />
that are available here is given in the Parameter List subsection further<br />
below.<br />
Next to each parameter name, the current parameter value is shown in brackets<br />
if it is not too long. Note that only non-default parameters are shown here.<br />
If you set the value of a parameter to its default, it will disappear from the list.<br />
Use the following items to delete or edit list entries:<br />
• Delete Selected<br />
Select the entry you wish to delete by marking the checkbox in the Select<br />
column next to it and click on this button. You can delete more than one<br />
entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
• Edit Selected<br />
Select the entry you wish to edit by marking the checkbox in the Select<br />
column next to it and click on this button, or just click on the parameter<br />
name.<br />
This will take you to the Action Parameter tab for that particular parameter,<br />
where you can modify its settings.<br />
After completing the modification, you are returned to this tab, i. e. the Action<br />
Definition tab, and the changed settings are shown in the parameter<br />
list of the action you are currently configuring.<br />
To add a parameter to the list for an action, use the following items at the bottom<br />
of the section:<br />
• Parameters<br />
From the drop-down list provided here, select a parameter you want to<br />
configure for an action.<br />
• Add<br />
After selecting a parameter, click on this button. This will take you to the<br />
Action Parameter tab for that particular parameter, where you can configure<br />
its settings.<br />
Upon completion of these configuration activities, you are returned to this<br />
tab, i. e. the Action Definition tab, and the parameter in question is<br />
added to the parameter list of the action you are currently configuring.<br />
Configuring an Action for Dropping E-Mails<br />
The following is a sample procedure for a user-configured action. The action<br />
drops an e-mail if the corresponding filter applies and sends a notification to<br />
the sender of the e-mail.<br />
The first steps of this procedure have already been performed on the Actions<br />
tab. There, you clicked on the Create New and the Edit button, which took<br />
you to the Action Definition page.<br />
Now continue with the following steps:<br />
1. In the Name of Action input field, edit the name of the action. So far it<br />
is NewAction. Enter Drop Mail and Notify Sender as action name.<br />
2. From the Web Action drop-down list, select Block as the action that is<br />
to be executed if the filter applies.<br />
3. From the Email Action drop-down list, select Drop.<br />
4. Click on the Apply Above Changes button to make these initial settings<br />
effective.<br />
5. This step and the following are performed to configure the parameters of<br />
the action.<br />
In most cases, it is a good idea to begin with specifying a value for the<br />
Protocol Selection parameter. This will determine the type of communication<br />
the action is configured for, i. e. Web or e-mail communication.<br />
Select Protocol Selection from the Parameter drop-down list and click<br />
Add. This takes you to the Action Parameter tab, where you can further<br />
configure the parameter settings.<br />
6. In the Action Parameter section of that tab, select Email from the Protocol<br />
drop-down list and click on the Apply Changes and Go Back<br />
button.<br />
This takes you back to the Action Definition tab, where you can continue<br />
with adding another parameter to the action.<br />
On this tab, you will also see the Protocol Selection parameter you have<br />
just added as an entry in the Parameter List.
The value you configured for this parameter, i. e. Email, is displayed in<br />
brackets behind the parameter name.<br />
7. Continue with configuring the Filter Selection parameter. It is used to<br />
determine the filters that the action is intended for.<br />
Accordingly, the action will only be displayed for selection in drop-down<br />
lists on the Web pages that are used for configuring these filters.<br />
Select Filter Selection from the Parameter drop-down list and click<br />
Add. This takes you to the corresponding Action Parameter tab.<br />
8. In the Action Parameter section of that tab, enter the word Spam to<br />
specify the spam filter.<br />
Then click on the Apply Changes and Go Back button. This takes you<br />
back to the Action Definition tab, where you can continue with adding<br />
another parameter to the action.<br />
9. Continue with configuring the Notify parameter. Under this parameter,<br />
you specify who should be notified and what the notification should look<br />
like.<br />
Select Notify from the Parameter drop-down list and click Add. This<br />
takes you to the corresponding Action Parameter tab.<br />
10. In the Action Parameter section of that tab, there is another section<br />
embedded, which is labeled Add Element. Specify the values for the<br />
Notify parameter using the input fields and the drop-down list provided<br />
in the embedded section:<br />
Template Name - This input field is used to enter the name of the template<br />
file that is to appear as a notification. It is entered without an extension.<br />
The template file must have been created before and stored in a folder<br />
under the <strong>Webwasher</strong> program files. On a Windows platform, this would<br />
be the conf\errors folder.<br />
Enter emailblocked as template name.<br />
Email Subject - This input field is used to enter the text that is to appear<br />
as subject line of the notification.<br />
Enter The mail has been blocked as subject line.<br />
Recipient - This input field is used to enter the recipient of the notification.<br />
Variables can be entered here.<br />
Enter %sender as recipient. The notification will then be sent to the sender<br />
of the e-mail that was blocked.<br />
Note that for spam the sender address is usually forged, so a notification to<br />
%sender goes to an uninvolved third party (backscatter) and may get your<br />
gateway listed as a spam source. For a production spam action, prefer notifying<br />
the postmaster or the intended recipient instead.<br />
Option String - This drop-down list provides a number of options for activities<br />
that will be performed together with the notification, e. g. including<br />
the blocked mail or its header with the notification.<br />
Select All as an option. This will cause all available activities to be performed.<br />
11. After specifying the settings for the parameter as described above, click<br />
on the Add button in the embedded section.<br />
The values specified in this section are now displayed in a list further<br />
below this labeled List of Notify Elements.<br />
12. Click on the Apply Changes and Go Back button. This takes you back<br />
to the Action Definition tab.<br />
You will see the Notify parameter added to the Parameter List, but no<br />
values are displayed due to their complexity.<br />
This completes the configuration of the Drop Mail and Notify Sender sample action.<br />
In order to make it available for configuring the filter you specified, i. e. the<br />
spam filter, you need to restart <strong>Webwasher</strong> manually.<br />
Parameter List<br />
The following list provides short descriptions of the parameters that can be<br />
configured with an action:<br />
Parameter - Meaning<br />
Custom Headers - Add customized header to HTTP/SMTP message<br />
Custom Logs - Write to customized log file<br />
Custom Meta Headers - Add customized meta header to ICAP message<br />
Custom Parameters - Add customized parameters to transaction<br />
Delay (SMTP) - Delay e-mail<br />
Email Footer - Add footer to e-mail<br />
Email Header - Add header to e-mail<br />
Error Template - Use specific error template<br />
Filter Anti Selection - Specify where not to show action in Web interface<br />
Filter Selection - Specify where to show action in Web interface<br />
HTTP-Error - Change code number for HTTP error<br />
Notify - Send notification messages<br />
Notify-Gateway - Use non-standard gateway for notifications<br />
Progressive Lock-out - Lock out user for increasing time intervals<br />
Protocol Selection - Show for Web/e-mail only in Web interface<br />
Queue-Copy - Write copy of e-mail to queue<br />
Quota - Use time and/or volume quota<br />
Redirect URL - Redirect to other URL<br />
Severity - Change default severity of action<br />
Sleep - Delay action by “sleeping” interval<br />
Subject-Prefix - Insert string at beginning of subject<br />
Syslog - Write to system log file<br />
Time Scheme Name - Apply time scheme to action<br />
Trap Event - Send SNMP trap message<br />
Warning Template - Add coaching/quota template<br />
6.13<br />
Wizards<br />
The <strong>Webwasher</strong> wizards are provided to assist you in completing a number of<br />
configuration tasks. They are invoked by clicking on the corresponding button<br />
under <strong>Configuration</strong>:<br />
Each wizard is arranged under a tab of its own. There are the following tabs<br />
and wizards:<br />
They are described in the upcoming sections:<br />
• Reporting <strong>Configuration</strong>, see 6.13.1<br />
• Spam Filter Setup, see 6.13.2<br />
• LDAP <strong>Configuration</strong>, see 6.13.3<br />
6.13.1<br />
Reporting <strong>Configuration</strong><br />
The Reporting <strong>Configuration</strong> tab looks like this:<br />
The Reporting <strong>Configuration</strong> Wizard, which is provided on this tab, simplifies<br />
the process of configuring Live Reports and log files.<br />
After answering either Yes or No to the questions listed, click on the Configure<br />
button. Your answers will be processed and the results will be listed as either<br />
unchanged or updated.<br />
Authentication is required in order to be able to work with this wizard. This means<br />
that you have to submit two passwords after clicking on Configure.<br />
6.13.2<br />
Spam Filter Setup<br />
The Spam Filter Setup tab looks like this:<br />
The Spam Filter Setup Wizard, which is provided on this tab, will assist you in<br />
configuring the SMTP gateway for maximum protection against spam.<br />
Using this wizard, you perform this configuration procedure in 8 steps.<br />
After configuring the settings for each step, click on the Save and Continue<br />
button at the bottom of the tab to proceed to the next step.<br />
6.13.3<br />
LDAP <strong>Configuration</strong><br />
The LDAP <strong>Configuration</strong> tab looks like this:<br />
The LDAP <strong>Configuration</strong> Wizard, which is provided on this tab, will assist you<br />
in configuring the LDAP settings used for authentication and policy mapping.<br />
There are four kinds of LDAP configuration tasks you can perform with this<br />
wizard:<br />
• LDAP authentication at the HTTP proxy<br />
• LDAP authentication at the ICAP server<br />
• LDAP authentication at the SMTP gateway<br />
• LDAP authentication with User Database<br />
The number of steps needed depends on which of these configuration tasks<br />
you wish to complete.<br />
After configuring the settings for each step, click on the Continue button at<br />
the bottom of the tab to proceed to the next step.
6.14<br />
Debugging<br />
The Debugging options are invoked by clicking on the corresponding button<br />
under <strong>Configuration</strong>:<br />
The options are arranged under the following tabs:<br />
They are described in the upcoming sections:<br />
• Debugging, see 6.14.1<br />
• Tracing, see 6.14.2<br />
• Adjust Filter List, see 6.14.3<br />
• Analyse Object Filtering, see 6.14.4<br />
• E-Mail Troubleshooting, see 6.14.5<br />
6.14.1<br />
Debugging<br />
The Debugging tab looks like this:<br />
There are four sections on this tab:<br />
• Exception Logging<br />
• SSL Debug Logging<br />
• SMTP Debug Logging<br />
• Notify on Termination<br />
They are described in the following.<br />
Exception Logging<br />
The Exception Logging section looks like this:<br />
Using this section, you can enable a method of tracing <strong>Webwasher</strong>: when<br />
an exception is thrown, exception logging writes it to the exception log file.<br />
Note that this is a time- and bandwidth-consuming feature. You should therefore<br />
only enable it after consulting the <strong>Webwasher</strong> support team.<br />
To enable exception logging, mark the checkbox next to the section heading.<br />
Then click on Apply Changes to make this setting effective.<br />
SSL Debug Logging<br />
The SSL Debug Logging section looks like this:<br />
Using this section, you can configure SSL debug logging. The logging data<br />
is written in the ssl/log folder. You can select a level of detail for the logging<br />
process.<br />
After selecting a level, click on Apply Changes to make this setting effective.<br />
Use the following drop-down list to configure SSL debug logging:<br />
• Level of detail<br />
Select the level of detail for the SSL debug logging here. There are five<br />
levels, ranging from no logging to verbose logging.
SMTP Debug Logging<br />
The SMTP Debug Logging section looks like this:<br />
Using this section, you can configure SMTP debug logging. The logging data<br />
is written in the SMTP debug log file. You can select a level of detail for the<br />
logging process.<br />
After selecting a level, click on Apply Changes to make this setting effective.<br />
Use the following drop-down list to configure SMTP debug logging:<br />
• Level of detail<br />
Select the level of detail for the SMTP debug logging here. There are seven<br />
levels, ranging from no logging to extremely verbose logging.<br />
Notify On Termination<br />
The section labeled Notify On Termination looks like this:<br />
Using this section, you can configure a notification to be sent to an administrator<br />
upon unexpected program termination.<br />
The activities that are performed if this notification is enabled include sending<br />
an e-mail as well as an SNMP trap notification to the administrator and filing a<br />
syslog entry.<br />
To enable the notification, make sure the checkbox next to the section heading is<br />
marked. The checkbox is marked by default.<br />
After modifying this setting, click on Apply Changes to make the modification<br />
effective.<br />
6.14.2<br />
Tracing<br />
The Tracing tab looks like this:<br />
There is one section on this tab:<br />
• Connection Tracing<br />
It is described in the following.<br />
Connection Tracing<br />
The Connection Tracing section looks like this:<br />
Using this section, you can trace the connections used for communication<br />
with <strong>Webwasher</strong>. Since this is a time-consuming and data-intensive feature,<br />
however, you should configure it only after consulting the <strong>Webwasher</strong> support<br />
team.<br />
To enable the feature, mark the checkbox next to the section heading.<br />
After specifying this setting or the setting for the single source IP in this section,<br />
click on Apply Changes to make these settings effective.
You can also restrict the tracing process to one single source IP. To do this,<br />
use the following input field:<br />
• Trace connection only for source IP<br />
Enter the IP address for the connection you want to trace here. Also make<br />
sure that the checkbox provided in this field is marked.<br />
To view a list of the traced connections, click on the list of traced connections<br />
link provided below the input field. The list will be displayed in a separate<br />
browser window.<br />
6.14.3<br />
Adjust Filter List<br />
The Adjust Filter List tab looks like this:<br />
When configuring settings on this tab, you need to specify the policy these<br />
settings are relating to. To do this, select a policy from the drop-down list at<br />
the top of the tab:<br />
There is one section on this tab:<br />
• Filter Tracing<br />
It is described in the following.<br />
Filter Tracing<br />
The Filter Tracing section looks like this:<br />
Using this section, you can trace the activities performed by any of the <strong>Webwasher</strong><br />
filters. Since this feature uses a large amount of operating memory<br />
and disk space, it should be turned on only as part of a diagnostic procedure<br />
and turned off promptly when it is no longer required.<br />
The filter tracing folder is the filters directory under logs in the <strong>Webwasher</strong> program<br />
files. Should an object be blocked, the reason why it was<br />
blocked is also written into the log file.<br />
Use the items in the following area to configure filter tracing:<br />
• Select a filter<br />
Select a filter from the drop-down list provided here in order to add it to the<br />
list of filters you want to retrieve tracing information for.<br />
If you want detailed information on this filter, mark the Print filter details<br />
checkbox after selecting the filter.<br />
Furthermore, use the following items:<br />
— Add Filter<br />
After specifying the appropriate information, click on this button to add<br />
a filter to the tracing list.<br />
— Add All Filters<br />
Click on this button to add all filters to the list that are available within<br />
<strong>Webwasher</strong> and can be traced.<br />
If you want detailed information on all these filters, mark the Print details<br />
for all filters checkbox before clicking on the button.<br />
— Delete All Filters<br />
Click on this button to delete all filters on the tracing list.<br />
The filter tracing list is displayed at the bottom of this section.
To display only a particular number of list entries at a time, type this number<br />
in the input field labeled Number of entries per page and enter it using the<br />
Enter key of your keyboard.<br />
If the number of entries is higher than this number, the remaining entries are<br />
shown on successive pages. A page indicator is then displayed, where you<br />
can select a particular page by clicking on the appropriate arrow symbols.<br />
To activate or deactivate tracing or the Print details function for a particular<br />
filter, mark or clear the corresponding checkboxes.<br />
Then click on Apply Changes to make these settings effective. You can edit<br />
more than one filter entry and make your settings effective in one go.<br />
Use the following items to perform other activities relating to the list:<br />
• Filter<br />
Type a filtering term in this input field and enter it using the Enter key of<br />
your keyboard. The list will then display only entries matching the filter.<br />
• Delete Selected<br />
Select an entry you wish to delete by marking the Select checkbox next to<br />
it and click on this button. You can delete more than one entry in one go.<br />
To delete all entries, mark the Select all checkbox and click on this button.<br />
6.14.4<br />
Analyse Object Filtering<br />
The Analyse Object Filtering tab looks like this:<br />
There is one section on this tab:<br />
• Analyse Object Filtering<br />
It is described in the following.<br />
Analyse Object Filtering<br />
The Analyse Object Filtering section looks like this:<br />
This section allows you to trace and analyze the filtering that was performed<br />
by <strong>Webwasher</strong> for a particular object.
Use the following items to analyze the filtering of an object:<br />
• URL<br />
In this input field, enter the URL of the object you want to trace filtering for.<br />
• Select policy<br />
From the drop-down list provided here, select the policy that the settings in this<br />
section relate to.<br />
• Use next hops<br />
Mark this checkbox if you want to use a proxy server (next hop) for the tracing.<br />
Specify this proxy server in the following input fields:<br />
• Analyze Filtering<br />
After specifying the appropriate information, click on this button to perform<br />
the filtering analysis for the object in question.<br />
• Rotate Filter Log<br />
Click on this button to renew the content of the log file and remove older<br />
entries from it.<br />
6.14.5<br />
E-Mail Troubleshooting<br />
The E-Mail Troubleshooting tab looks like this:<br />
Warning: The actions and settings provided in these sections affect the e-mail<br />
gateway directly and are applied immediately without further warning or confirmation.<br />
They should therefore only be used under guidance of the <strong>Webwasher</strong> support<br />
team, as an incorrect usage may result in loss of e-mail or other unwanted<br />
behaviour.<br />
There are two sections on this tab:<br />
• SMTP Gateway<br />
• Queues<br />
They are described in the following.
SMTP Gateway<br />
The SMTP Gateway section looks like this:<br />
It displays the status of the SMTP Gateway and allows you to suspend and<br />
resume this gateway.<br />
The following information on the gateway status is provided:<br />
• Status<br />
Status of the gateway, e.g. Running.<br />
• Mode<br />
Mode the gateway is running in, e.g. Normal.<br />
Use the following buttons to change the gateway status:<br />
• Suspend Gateway<br />
Click on this button to suspend the gateway.<br />
• Resume Gateway<br />
Click on this button to let the gateway resume its activities after being suspended.<br />
Queues<br />
The Queues section looks like this:<br />
This section allows you to manage the e-mail queues maintained by <strong>Webwasher</strong>.<br />
A list of the e-mail queues is shown in this section. The meaning and usage<br />
of its columns are as follows:<br />
• Queue Name<br />
Name of an e-mail queue, e.g. Inbound, Infected, etc.<br />
• Actions<br />
This column provides the following action buttons:<br />
— Reset delayed<br />
Click on this button to reset a queue.<br />
— Drop Mails<br />
Click on this button to drop all e-mails in a queue.<br />
— Disable Accept<br />
Click on this button to disable the acceptance of e-mails for a queue.<br />
This is a toggle button. After clicking on it for disabling e-mail acceptance,<br />
it reads Enable Accept and can be used for enabling it.<br />
— Disable Processing<br />
Click on this button to have no more e-mails processed in a queue.<br />
This is a toggle button. After clicking on it for disabling e-mail processing,<br />
it reads Enable Processing and can be used for enabling it.<br />
• View<br />
This column provides the following links:<br />
— Entries<br />
Click on this link to view the entries in a queue.<br />
— Performance<br />
Click on this link to view performance data related to a queue.