Download ePaper

Webwasher 6.7.2 System Configuration Guide - McAfee

Webwasher 6.7.2 System Configuration Guide - McAfee Webwasher 6.7.2 System Configuration Guide - McAfee

from kc.mcafee.com More from this publisher

18.07.2013 Views

SYSTEM CONFIGURATION GUIDE Webwasher Web Gateway Security Version 6.7.2

SYSTEM CONFIGURATION GUIDE

Webwasher

Web Gateway Security

Version 6.7.2

Part Number: 86-0948728-A

reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent

in writing from Secure Computing Corporation. Every effort has been made to ensure the accuracy of this

manual. However, Secure Computing Corporation makes no warranties with respect to this documentation

and disclaims any implied warranties of merchantability and fitness for a particular purpose. Secure Computing

Corporation shall not be liable for any error or for incidental or consequential damages in connection with

the furnishing, performance, or use of this manual or the examples herein. The information in this document

is subject to change without notice. Webwasher, MethodMix, AV PreScan, Live Reporting, Content Reporter,

ContentReporter, Real-Time Classifier are all trademarks or registered trademarks of Secure Computing Corporation

in Germany and/or other countries. Microsoft, Windows NT, Windows 2000 are registered trademarks

of Microsoft Corporation in the United States and/or other countries. McAfee is a business unit of Network

Associates, Inc. CheckPoint, OPSEC, and FireWall-1 are trademarks or registered trademarks of CheckPoint

Software Technologies Ltd. or its affiliates. Sun and Solaris are trademarks or registered trademarks of Sun

Microsystems, Inc. in the United States and other countries. Squid is copyrighted by the University of California,

San Diego. Squid uses some code developed by others. Squid is Free Software, licensed under the terms

of the GNU General Public License. The Mozilla SpiderMonkey and NSPR libraries distributed with Webwasher

are built from the original Mozilla source code, without modifications (MPL section 1.9). The source code is

available under the terms of the Mozilla Public License, Version 1.1. NetCache is a registered trademark of

Network Appliances, Inc. in the United States and other countries. Linux is a registered trademark of Linus

Torvalds. Other product names mentioned in this guide may be trademarks or registered trademarks of their

respective companies and are the sole property of their respective manufacturers.

Secure Computing Corporation

Webwasher – A Secure Computing Brand

Vattmannstrasse 3, 33100 Paderborn, Germany

Phone: +49 5251 8717 000

Fax: +49 5251 8717 311

info@webwasher.com

www.webwasher.com

www.securecomputing.com

European Hotline

Phone: +49 5251 8717 660

US Hotline

Phone: +1 800 700 8328, +1 651 628 1500

Contents

Chapter 1 Introduction ........................................................................................ 1–1

1.1 About This Guide............................................................................. 1–2

1.2 What Else Will You Find in This Introduction? ........................................ 1–2

1.3

1.3.1

1.3.2

1.3.3

Using Webwasher............................................................................

First Level Tabs...............................................................................

Configuring a Sample Setting.............................................................

General Features of the Web Interface.................................................

1–3

1–4

1–5

1–7

1.4

1.4.1

1.4.2

Other Documents ...........................................................................

Documentation on Main Products......................................................

Documentation on Special Products ..................................................

1–11

1–12

1–13

1.5 The Webwasher Web Gateway Security Products ................................ 1–14

Chapter 2 User Management ............................................................................... 2–1

2.1 Overview ....................................................................................... 2–2

2.2

2.2.1

2.2.2

2.2.3

Administrators.................................................................................

Accounts........................................................................................

LDAP/Radius Authentication ..............................................................

Role Definition ..............................................................................

2–2

2–3

2–8

2–10

2.3

2.3.1

2.3.2

2.3.3

2.3.4

Policy Management........................................................................

Concept.......................................................................................

Management ................................................................................

Web Mapping ...............................................................................

E-Mail Mapping .............................................................................

2–15

2–16

2–18

2–20

2–25

2.4

2.4.1

2.4.2

2.4.3

2.4.4

User Database..............................................................................

Import .........................................................................................

LDAP Synchronization....................................................................

Backup & Restore..........................................................................

2–27

2–28

2–31

2–35

2–41

2.5

2.5.1

Authentication Server .....................................................................

2–42

2–43

2.6

2.6.1

2.6.2

Windows Domain Membership .........................................................

NTLM Authentication Test................................................................

2–55

2–60

2.7

2.7.1

2.7.2

Languages ...................................................................................

Import Language Pack....................................................................

2–62

2–63

2–69

Chapter 3 Reporting ............................................................................................ 3–1

3.1 Overview ....................................................................................... 3–2

3.2

3.2.1

View Live Reports (For Policy)............................................................

View Live Reports............................................................................

3–2

3–3

3.3

3.3.1

3.3.2

Log File Management.......................................................................

Activate Log Files ...........................................................................

Auto-Rotation................................................................................

3–6

3–7

3–10

System Configuration Guide

ii

3.3.3

3.3.4

3.3.5

3.3.6

Auto-Deletion................................................................................

Auto-Pushing................................................................................

Content Reporter...........................................................................

Configuring Log File Processing for SmartReporter...............................

3–13

3–16

3–21

3–22

3.4

3.4.1

View Log Files ..............................................................................

3–28

3.5

3.5.1

3.5.2

3.5.3

Live Report Management ................................................................

Report Activation ...........................................................................

Load Reports................................................................................

Anonymization ..............................................................................

3–31

3–32

3–38

3–40

3.6

3.6.1

3.6.2

3.6.3

View Live Reports (Overall Reporting)................................................

View Live Reports..........................................................................

View Load ....................................................................................

System Statistics ...........................................................................

3–41

3–42

3–45

3–46

3.7

3.7.1

4-Eyes-Principle ............................................................................

3–47

3–48

3.8

3.8.1

Deanonymization...........................................................................

3–49

Chapter 4 Caching ............................................................................................... 4–1

4.1 Overview ....................................................................................... 4–2

4.2

4.2.1

Quick Snapshot...............................................................................

4–2

4–4

4.3

4.3.1

4.3.2

HTTP Caching ................................................................................

Cachable Objects List.......................................................................

4–5

4–6

4–8

4.4

4.4.1

4.4.2

Cache Settings..............................................................................

Cache Rules.................................................................................

4–12

4–14

4.5

4.5.1

Flush Cache .................................................................................

4–17

4–18

Chapter 5 Proxies ................................................................................................ 5–1

5.1 Overview ....................................................................................... 5–2

5.2

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

HTTP Proxy....................................................................................

Settings .........................................................................................

Next Hop Proxies...........................................................................

Authentication...............................................................................

ICAP Services...............................................................................

Transparent Setup .........................................................................

5–3

5–4

5–13

5–21

5–40

5–47

5.3

5.3.1

5.3.2

5.3.3

5.3.4

HTTPS Proxy................................................................................

Settings .......................................................................................

Next Hop Proxies...........................................................................

Authentication...............................................................................

ICAP Services...............................................................................

5–52

5–53

5–60

5–69

5–74

5.4

5.4.1

5.4.2

5.4.3

5.4.4

FTP Proxy....................................................................................

Settings .......................................................................................

Next Hop Proxies...........................................................................

Authentication...............................................................................

ICAP Services...............................................................................

5–76

5–77

5–83

5–91

5–95

5.5

5.5.1

5.5.2

5.5.3

E-Mail Gateway.............................................................................

Gateway Settings ..........................................................................

ICAP Services..............................................................................

Notifications.................................................................................

5–98

5–99

5–104

5–106

Contents

5.5.4 ESMTP Extensions ....................................................................... 5–109

5.6

5.6.1

5.6.2

5.6.3

Delivery Options...........................................................................

Routing Rules ..............................................................................

Secure Mail Delivery List................................................................

5–113

5–114

5–117

5–123

5.7

5.7.1

Queue Configuration .....................................................................

5–126

5.8

5.8.1

5.8.2

5.8.3

Relay Protection...........................................................................

Allowed Domains..........................................................................

IP Networks.................................................................................

Recipient LDAP Check ..................................................................

5–128

5–129

5–132

5–135

5.9

5.9.1

5.9.2

5.9.3

5.9.4

5.9.5

5.9.6

Exception Lists.............................................................................

IP White List ................................................................................

IP Black List ................................................................................

Client Domain Black List ................................................................

Sender Black List..........................................................................

Recipient Black List.......................................................................

TrustedSource .............................................................................

5–138

5–141

5–143

5–146

5–149

5–152

5.10

5.10.1

Load Limits..................................................................................

5–154

5.11

5.11.1

POP3 Access ..............................................................................

5–160

5.12

5.12.1

5.12.2

5.12.3

5.12.4

ICAP(S) Server ............................................................................

Server Settings ............................................................................

REQMOD Settings........................................................................

RESPMOD Settings ......................................................................

5–162

5–163

5–166

5–172

5–178

5.13

5.13.1

Progress Indication Methods...........................................................

5–181

5.14

5.14.1

Own Host Name...........................................................................

5–186

5.15

5.15.1

5.15.2

IFP ............................................................................................

Settings ......................................................................................

ICAP Services..............................................................................

5–190

5–191

5–193

5.16

5.16.1

WCCP........................................................................................

5–195

5–196

Chapter 6 Configuration ...................................................................................... 6–1

6.1 Overview ....................................................................................... 6–2

6.2

6.2.1

6.2.2

6.2.3

6.2.4

6.2.5

6.2.6

Update Manager..............................................................................

General Options ..............................................................................

URL Filter ....................................................................................

AV Engine ....................................................................................

Spam Filter...................................................................................

Proactive Scanning ........................................................................

CRLs ..........................................................................................

6–3

6–4

6–14

6–19

6–23

6–26

6–29

6.3

6.3.1

6.3.2

6.3.3

Central Management......................................................................

Node Settings ...............................................................................

Master Settings .............................................................................

Site Settings .................................................................................

6–31

6–32

6–40

6–43

6.4

6.4.1

6.4.2

6.4.3

6.4.4

Appliance.....................................................................................

General .......................................................................................

Interfaces.....................................................................................

Routes ........................................................................................

Time and Date ..............................................................................

6–47

6–48

6–50

6–52

6–54

iii

System Configuration Guide

iv

6.4.5

6.4.6

6.4.7

Reboot/Shutdown ..........................................................................

Update ........................................................................................

High Availability.............................................................................

6–57

6–58

6–62

6.5

6.5.1

6.5.2

6.5.3

Web Interfaces..............................................................................

Ports...........................................................................................

Sessions......................................................................................

Dashboard / Quick Snapshots ..........................................................

6–71

6–72

6–79

6–81

6.6

6.6.1

Secure Administration Shell .............................................................

General Settings............................................................................

6–83

6–84

6.7

6.7.1

6.7.2

6.7.3

6.7.4

6.7.5

SNMP Interface.............................................................................

Agent ..........................................................................................

Communities ................................................................................

SNMPv3 Users .............................................................................

Trap Sinks...................................................................................

MIB Browser................................................................................

6–89

6–90

6–94

6–98

6–101

6–103

6.8

6.8.1

Global Command Center................................................................

6–106

6–107

6.9

6.9.1

6.9.2

6.9.3

6.9.4

Certificate Management .................................................................

Webwasher Root CA .....................................................................

Private Key Handling.....................................................................

Known Certificate Authorities ..........................................................

Client Certificates .........................................................................

6–110

6–111

6–114

6–118

6–122

6.10

6.10.1

DNS Cache .................................................................................

6–123

6–124

6.11

6.11.1

6.11.2

6.11.3

6.11.4

Backup & Restore.........................................................................

Configuration ...............................................................................

Error Files ...................................................................................

Share Folder................................................................................

Proxy PAC ..................................................................................

6–125

6–126

6–128

6–130

6–131

6.12

6.12.1

6.12.2

6.12.3

Action Editor................................................................................

Notifications.................................................................................

Action Definition ...........................................................................

6–133

6–134

6–137

6–139

6.13

6.13.1

6.13.2

6.13.3

Wizards ......................................................................................

Reporting Configuration .................................................................

Spam Filter Setup.........................................................................

LDAP Configuration ......................................................................

6–145

6–146

6–147

6–148

6.14

6.14.1

6.14.2

6.14.3

6.14.4

6.14.5

Debugging ..................................................................................

Tracing .......................................................................................

Adjust Filter List............................................................................

Analyse Object Filtering .................................................................

E-Mail Troubleshooting ..................................................................

6–149

6–152

6–153

6–156

6–158

Introduction

Chapter 1

Welcome to the Webwasher® System Configuration Guide. It provides you

with information about how to configure Webwasher features that do not belong

to particular filters, but need to be set in order to run Webwasher as a whole.

Configuring Webwasher to run as a proxy server or as an e-mail gateway are

topics that are dealt with in this guide, as well as user management, reporting

features and update procedures.

1–1

Introduction

1.1

About This Guide

The following overview lists the chapters of this guide and explains briefly what

they are about:

System Configuration Guide – Webwasher Web Gateway Security

Introduction Provides introductory information.

User Management Describes the features that are configured with regard to the users

working with Webwasher.

Reporting Describes the reporting features provided by Webwasher.

Caching Describes the caching features provided by Webwasher.

Proxies Describes how to set up Webwasher for running as a proxy server,

as an e-mail gateway and for communicating with the ICAP server

or using the IFP protocol.

Configuration Describes other system configurations features such as, e. g. the

update manager or the action editor.

1.2

What Else Will You Find in This Introduction?

1–2

In addition to the overview that was given in the previous section, this introduction

also:

• Explains how to handle the Web interface that is provided for using Webwasher,

see 1.3.

• Informs you about the other documents that are provided for users of Webwasher,

see 1.4.

• Provides a list of the Webwasher Web Gateway Security products and

gives a brief description for each of them, see 1.5.

1.3

Using Webwasher

Introduction

A user-friendly, task-oriented Web interface has been designed for handling

the Webwasher features. It looks like this:

The following sections provide some information to make you familiar with this

interface. These sections:

• List the first level tabs of this interface and explain their meanings, see

1.3.1.

• Describe a sample procedure showing how a setting is configured for a

Webwasher feature, see 1.3.2.

• Explain more about the general features of this interface, see 1.3.3.

1–3

Introduction

1.3.1

First Level Tabs

1–4

The Web interface displays a number of tabs and sections for configuring the

features provided by Webwasher. On the topmost level, there are these eleven

tabs:

• Home, Common, URL Filter, Anti Malware, Anti Spam, SSL Scanner, User

Management, Reporting, Caching, Proxies, and Configuration

Only the tabs mentioned in the following are described in this guide.

User Management, Reporting, Caching, Proxies, Configuration –

These are tabs for configuring features that adapt Webwasher to the system

environment it is running in.

Note that the Caching tab and feature are only available with appliance versions

of Webwasher.

The following tabs are not described in this document:

Home, Common – These tabs are for configuring basic and other features

that are used by each of the Webwasher products, e. g. system alerts, licensing

features, media type filters, etc.

They are described in each of the User’s Guides.

URL Filter, Anti Malware, Anti Spam, SSL Scanner – These tabs are

for configuring the features of the individual Webwasher products. Note that

the Anti Malware tab is used for both the Webwasher Anti-Malware and the

Webwasher Anti-Virus product.

For a description of these tabs, see the corresponding User’s Guides.

1.3.2

Configuring a Sample Setting

Introduction

This section explains how to configure a sample setting of a Webwasher feature.

The feature chosen here for explanation is Timeout Prevention.

In order to avoid timeouts on the connections to its clients, Webwasher can

send data lines in certain intervals.

For this sample setting, just suppose you want to enable this feature for HTTP

connections and send an empty line every 15 seconds.

The following overview shows the main steps you need to complete in order to

configure the feature in this way:

Configuring Timeout Prevention – Overview

Step 1 Navigate to the section.

2 Configure settings.

3 Make settings effective.

In more detail, these steps include the following activities:

1. Navigate to the section

a. Select the Proxies tab:

b. In the navigation area on the left, select HTTP Proxy, which is located

under Web Proxies:

c. From the tabs provided for configuring the HTTP Proxy options, select

the Settings tab:

1–5

Introduction

1–6

The Timeout Prevention section is located on this tab:

2. Configure settings

a. Enable the feature. To do this, mark the checkbox next to the section

heading.

b. Enter 15 in the input field labeled Webwasher should send every

... seconds.

c. Check the radio button labeled an empty line.

Note: To get help information on these settings, click on the question

mark in the top right corner of the section.

The section should now look like this:

3. Make settings effective

Click on the Apply Changes button:

This completes the sample configuration.

1.3.3

General Features of the Web Interface

Introduction

This section explains more about the features that are provided in the Web

interface for solving general tasks, e. g. applying changes to the Webwasher

settings or searching for a term on the tabs of the interface.

The following features are explained here:

• Apply Changes

• Click History

• Information Update

• Logout

• Main Feature Enabling

• Search

• Session Length

• System Information

Apply Changes

After modifying the settings in one or more of the sections on a tab, you need to

click on the Apply Changes button to make effective what you have modified.

The Apply Changes button is located in the top right corner of the Web interface

area:

When modifying settings that belong only to a particular filtering policy, you can

make the modified settings apply to all policies nevertheless.

An arrow is displayed next to the Apply Changes button on each tab where

policy-dependent settings can be configured:

Clicking on this arrow will display a button, which you can use to apply changes

to all policies.

After clicking on this button, your modifications will be valid for settings of all

policies.

1–7

Introduction

1–8

When you are attempting to leave a tab after modifying its settings, but without

clicking on Apply Changes, an alert is displayed to remind you to save your

changes:

Answer the alert by clicking Yes or No according to what you intend to do about

your changes. This will take you to the tab you invoked before the alert was

displayed.

Clicking on Cancel will make the alert disappear, so you can continue your

configuration activities on the current tab.

Click History

The tabs you visited while configuring settings are recorded on the top left

corner of the Web interface area. They are recorded together with the paths

leading to them.

The current tab and path are always visible in the display field, e. g.:

Clicking on the arrow to the right of the path display will show the “click history”,

i. e. a list of the tabs you visited prior to this one:

Clicking on any of the entries displayed in the list will take you to the corresponding

tab.

The click history is only recorded for the current session, i. e. until you log out.

After logging in for a new session, the recording of tabs and paths will start all

over again.

Information Update

Introduction

Some parts of the information that is provided on the tabs of the Web interface

will change from time to time. In these cases, the information display is updated

automatically every three seconds by Webwasher.

So, e. g. you might have performed a manual update of the anti-virus engines.

This means that the information provided in the Current Status and Log File

Content sections on the corresponding AV Engine tab will begin to change

continuously over a certain period of time until the update is completed.

These sections are then updated automatically every three seconds to reflect

the status of the update process.

Logout

To logout from a Webwasher session, click on the logout link, which is located

in middle position at the top of the Web interface area.

After logging out, the login page is displayed, where you can login again and

start a new session.

Main Feature Enabling

There are Webwasher settings that cannot only be modified if a corresponding

main feature is disabled. So, e. g. if you want to modify the settings of the

Phishing Filter section on the Settings tab under Anti-Spam > Message

Filters, you need to make sure the Message Filter feature itself is also enabled.

If you attempt to modify settings while the corresponding main feature is not

enabled, an alert is displayed to make you aware of this situation:

1–9

Introduction

1–10

Search

A Search input field and button are located in the top right corner of the Web

interface area.

Using these, you can start keyword queries of the entire Web interface by entering

a search term in the input field and clicking on the Search button:

The search output will be presented in a separate window, which displays a

list of the tabs the search term was found on and the paths leading to them:

Clicking on any of the entries displayed in the list will take you to the corresponding

tab.

Note: In order to be able to use the search function, make sure JavaScript is

enabled.

Session Length

When working with the Web interface, you need to mind the session length.

This interval can be configured in the Session Options section of the Sessions

tab under Configuration > Web Interfaces.

1.4

Introduction

After modifying the interval specified there, click on Apply Changes to make

the modification effective.

When a session has timed out, the following notification is displayed:

Click OK to acknowledge the notification. After clicking on a tab or button of

the Web interface, the login window opens, where you can login again and

start a new session.

System Information

At the top of the Web interface area, system information is provided on the

current Webwasher session. This information includes:

• Version and build of the Webwasher software

• Name of the system Webwasher is running on

• Name of the user logged in for the current session, e. g. Admin

• Role assigned to this user, e. g. Super Administrator

• Permissions granted to this user, e. g. read/write

Other Documents

This guide belongs to a series of documents provided for users of the

Webwasher Web Gateway Security products. The following sections give an

overview of them.

The Webwasher user documentation can be viewed after navigating to the

Manuals tab of the Web interface.

It can also be viewed on the Webwasher Extranet and in the Secure Computing

Resource Center.

1–11

Introduction

The following is provided in this section for the Webwasher Web Gateway Security

products:

• An overview of the documents on the main products, see 1.4.1

• An overview of the documents on products for special tasks and environments,

see 1.4.2

1.4.1

Documentation on Main Products

1–12

This section introduces the user documentation on the main Webwasher Web

Gateway Security products.

Document Group Document Name What about?

General Documents Deployment Planning Guide Is Webwasher suited to my environment?

Installation Guide How to install Webwasher?

Quick Configuration Guide First steps to get Webwasher

running.

System Configuration Guide

– this document

Advanced Configuration

Guide

Features for configuring Webwasher

within the system environment.

More sophisticated configuration

tasks.

Upgrade Guide What should I know when upgrading

to a new Webwasher release?

Product Documents User’s Guide URL Filter Features for configuring URL filtering

policies.

Reference Document

User’s Guide Anti-Virus Features for configuring anti-virus

filtering policies.

User’s Guide Anti-Malware Features for configuring

anti-malware filtering policies.

User’s Guide Anti-Spam Features for configuring anti-spam

filtering policies.

User’s Guide SSL Scanner Features for configuring

SSL-encrypted traffic filtering

policies.

Reference Guide Items concerning more than product,

e. g. features for customizing actions

or log files.

1.4.2

Documentation on Special Products

Introduction

This section introduces the user documentation on the Webwasher Web Gateway

Security products for special tasks and environments.

Document Group Document Name What about?

Content Reporter

Documents

Instant Message

Filter Documents

Special Environment

Documents

Appliances

Documents

Content Reporter Installation

and Configuration Guide

Content Reporter User’s

Guide for Reporting

Instant Message Filter

Installation and Configuration

Guide

User’s Guide Instant

Message Filter

Setting Up Webwasher on

Microsoft ISA Server

Setting Up Webwasher with

Blue Coat

Setting Up NetCache with

ICAP

Installing and configuring the

Webwasher Content Reporter, which

is done separately from the main

products.

Creating reports.

Installing and configuring the

Webwasher Instant Message Filter,

which is done separately from the

main products.

Description of features.

Setting up Webwasher or a

product running with it in a special

environment.

See above.

NTML Agent Set-up Guide Setting up an additional Webwasher

product to enable authentication

using the NTLM method on platforms

other than Windows.

HSM Agent Set-up Guide Setting up an additional Webwasher

product to enable use of a HSM

(High Security Module) device.

Appliances Installation and

Configuration Guide

Installing and configuring the

Webwasher appliances.

Appliances Upgrade Guide What should I know when upgrading

to a new release of the Webwasher

appliances?

1–13

Introduction

1.5

The Webwasher Web Gateway Security Products

1–14

The Webwasher Web Gateway Security products provide an optimal solution

for all your needs in the field of Web gateway security.

They are unique in that they offer best-of-breed security solutions for individual

threats and at the same time a fully integrated architecture that affords in-depth

security and cost/time savings through inter-operability.

A brief description of these products is given in the following.

Webwasher®

URL Filter

Webwasher®

Anti-Virus

Webwasher®

Anti-Malware

Webwasher®

Anti-Spam

Webwasher®

SSL Scanner

Helps you boost productivity by reducing non-business related

surfing to a minimum, thus curbing your IT costs. Suppresses

offensive sites and prevents downloads of inappropriate files, thus

minimizing risks of legal liabilities.

Combines the strength of multiple anti-virus engines concurrently

scanning all Web and e-mail traffic. The Proactive Scanning

filtering technology additionally detects and blocks unknown

malicious code, not relying on time-delayed virus pattern updates.

This combination provides in-depth security against a multitude of

threats while offering unmatched performance through use of the

Anti-Virus PreScan technology.

Offers in-depth security against all kinds of malicious code, such

as aggressive viruses, potentially unwanted programs, spyware,

day-zero attacks and blended threats not covered by traditional

anti-virus and firewall solutions. The highly efficient anti-malware

engine is used in combination with the Proactive Scanning filtering

technology.

Offers complete protection of the central Internet gateway. The

highly accurate spam detection filters stem the flood of unwanted

spam mail before it reaches the user’s desktop. Your systems

will not be impaired, the availability of valuable internal mail

infrastructures, such as group servers, is thus maintained.

Helps you protect your network against attacks via the HTTPS

protocol and prevents the disclosure of confidential corporate data,

as well as infringements of Internet usage policies, thus ensuring

that no one is illicitly sharing sensitive corporate materials.

See next page

Introduction

These two products have their own user interfaces, which are described in the

corresponding documents:

Webwasher®

Content

Reporter

Features a library of rich, customizable reports based on built-in

cache, streaming media, e-mail activity, Internet access and

content filtering queries, all supported by unmatched convenience

and performance features.

Webwasher® Detects, reports and selectively blocks the unauthorized use

Instant of high-risk and evasive P2P and IM from enterprise networks

Message Filter and scans network traffic for characteristics that match the

corresponding protocol signatures.

1–15

User Management

Chapter 2

The functions described in this chapter are accessible over the User

Management tab of the Web interface:

The user management functions allow you to administer users with regard to

the permissions they are granted for configuring and operating Webwasher.

Furthermore, they allow you to map users to the various security policies that

have been set up under Webwasher and configure authentication and language

settings for users.

The upcoming sections describe how to handle these functions. The description

begins with an overview.

2–1

User Management

2.1

Overview

2.2

The following overview shows the sections that are in this chapter:

System Configuration Guide – Webwasher Web Gateway Security

Introduction

User Management Overview –thissection

Reporting

Caching

Proxies

Configuration

Administrators

2–2

Administrators, see 2.2

Policy Management, see 2.3

User Database, see 2.4

Authentication Server, see 2.5

Windows Domain Membership, see 2.6

Languages, see 2.7

The Administrators options are invoked by clicking on the corresponding button

under User Management:

The options are arranged under the following tabs:

They are described in the upcoming sections:

• Accounts, see 2.2.1

• LDAP/Radius Authentication, see2.2.2

• Role Definition, see 2.2.3

2.2.1

Accounts

The Accounts tab looks like this:

There is one section on this tab:

• Account Overview

It is described in the following.

User Management

2–3

User Management

2–4

Account Overview

The Account Overview section looks like this:

Using this section you can configure accounts for administrators and assign

different rights and access privileges to them.

To add an account to the list, use the area labeled:

• Define new account

Specify the information concerning an account using the following items:

— Login

In this input field, enter the login name for an administrator.

— Password

In this input field, enter the password the administrator is to submit.

— Role

From this drop-down list, select the role that is assigned to an administrator.

You can select from the roles that are available for you under

your current role. Only these roles are shown here.

The pre-configured roles, which are Super Administrator, Policy

Administrator and Administrator, cannot be modified.

Go to the Role Definition tab to view the permissions for the preconfigured

roles and create or edit user-configured roles, see 2.2.3.

— SSH Public Key

User Management

In this input field, enter the SSH Public Key assigned to an administrator.

To do this, click on the Browse button next to this field and browse

for the key file you want to specify here.

— Allowed policies

From this drop-down list, select the policy that the administrator is allowed

access to. Select All to allow access to all policies.

Note that you can only select policies that you have access to yourself,

according to your account settings. Only these policies are shown here.

— Read only

Mark this checkbox to allow only reading access to Webwasher for an

administrator.

• Add New Account

After specifying the appropriate values for the new account, click on this

button to add it to the list.

If this action was successful, the account is added to the list, which is displayed

at the bottom of this section.

To display only a particular number of list entries at a time, type this number

in the input field labeled Number of entries per page and enter it using the

Enter key of your keyboard. If the number of entries is higher than this number,

the remaining entries are shown on successive pages.

A page indicator is then displayed, where you can select a particular page by

clicking on the appropriate arrow symbols.

Use the following items to perform other activities relating to the list:

• Filter

Type a filter expression in the input field of the Account or Role column or

in both and enter it using the Enter key of your keyboard. The list will then

display only entries matching the filter.

• Delete Selected

Select the entry you wish to delete by marking the Select checkbox next

to it and click on this button. You can delete more than one entry in one go.

To delete all entries, mark the Select all checkbox and click on this button.

To view and edit an account, click on the View + Edit Details button next to

it.

2–5

User Management

2–6

This will open a window where you can edit the settings that have been configured

for the various accounts:

For the meaning of these settings, see the description that was given at the

beginning of this subsection.

An additional description of the Account Preferences section of this windows

is provided further below in this subsection.

After editing the account settings, click on Apply Changes to make your

changes effective.

With an account that has been assigned one of the pre-configured roles, e.

g. Super Administrator, you can only change its password. Click on the

Change Password button next to it, to open the editing window and perform

this change.

The meaning of the settings in the Account Preferences settings is described

in the following.

Account Preferences

User Management

Using this section, you can configure the preferred settings for an administrator

account.

After modifying these settings, click on Apply Changes to make the modification

effective.

Use the following checkboxes to configure the preferred settings:

• Read only

Mark this checkbox to configure a read-only permission.

• View web related settings

To have only Web-related settings displayed, make sure this checkbox is

marked. The checkbox is marked by default.

• View mail related settings

To have only mail-related settings displayed, make sure this checkbox is

marked. The checkbox is marked by default.

• Show change warner dialog

If you want to have a dialog window displayed that warns you to save your

changes after modifying any settings, make sure this checkbox is marked.

The checkbox is marked by default.

• Show configuration hash

Mark this checkbox to have the hash value for the current configuration

displayed in the system information lines at the top of the Web interface

display area.

• No LDAP/Radius check (only local password check)

If no LDAP or Radius authentication should be required for the administrator

will then be sufficient for accessing Webwasher.

This setting may be used to configure an administrator account that is available

for login whenever the LDAP or Radius servers are down.

2–7

User Management

2.2.2

LDAP/Radius Authentication

2–8

The LDAP/Radius Authentication tab looks like this:

There are two sections on this tab:

• Use LDAP to Authenticate Administrator

• Use Radius to Authenticate Administrator

They are described in the following.

Use LDAP to Authenticate Administrator

The Use LDAP to Authenticate Administrator section looks like this:

It allows you to use the settings stored on an LDAP server for authenticating

an administrator.

If you want to use this feature, mark the checkbox next to the section heading.

Then configure the items described below and click on Apply Changes to

make your settings effective.

User Management

Use the following items to configure the use of the LDAP server settings for

administrator authentication:

• Use LDAP settings for HTTP Proxy

If you want to use the LDAP server settings with Webwasher configured

as HTTP proxy, make sure this radio button is checked. The radio button

is checked by default.

• Use LDAP settings for ICAP server

Click on this radio button to use the LDAP server settings with Webwasher

configured as ICAP server.

• Check Status

To view status information on the LDAP server settings, click on this button.

This may be information, e. g. on whether a connection to an LDAP server

has been configured or whether the server is available.

• Use local account definition if LDAP authentication fails

Mark this checkbox at the bottom of the tab to use local account information

for authenticating an administrator in case LDAP and Radius authentication

both fail.

Use Radius to Authenticate Administrator

The Use Radius to Authenticate Administrator section looks like this:

This section allows you to use the settings stored on a Radius server for authenticating

an administrator.

If you want to use this kind of authentication, mark the checkbox next to the

section heading and click on Apply Changes to make this setting effective.

To go to the page where the Radius server settings are configured, click on the

Define Proxy Authentication Options button provided here.

Mark the checkbox at the bottom of the tab to use local account information for

authenticating an administrator in case LDAP and Radius authentication both

fail.

2–9

User Management

2.2.3

Role Definition

2–10

The Role Definition tab looks like this:

There is one section on this tab:

• Role Definition Editor

It is described in the following.

Role Definition Editor

The Role Definition Editor section looks like this:

User Management

Using this section you can view the role permissions assigned to the administrator

roles that are pre-configured within Webwasher, as well as create and

edit new roles.

To create a new administrator role, use the items provided in the following area:

• Create role

The meaning and usage of these items is as follows:

— New role name

In this input field, enter the name of the new role you want to create.

The name must begin with an alphabetical character (A-Z). The number

of the following characters is not prescribed. However, only alphabetical

and numerical characters, dashes, underscores, and spaces are

allowed here.

— Role to duplicate

If you want to use an existing role as starting point for your configuration

of a new role, select one from the drop-down list provided here.

— Create Role

After entering a role name, click on this button to add the new role to

the roles list. Also, if you have selected and renamed an existing role

as starting point, click on this button to add the role to the list.

2–11

User Management

2–12

The administrator roles list is displayed at the bottom of the section. You can

view and edit the roles contained in this list, with the exception of the three

pre-configured roles, i. e. Super Administrator, Administrator and Policy

Administrator. These you can only view.

To display only a particular number of entries at a time, type this number in the

input field labeled Number of entries per page and enter it using the Enter

key of your keyboard.

If the number of entries is higher than this number, the remaining entries are

shown on successive pages. A page indicator is then displayed, where you

can select a particular page by clicking on the appropriate arrow symbols.

Use the following items to perform other activities relating to the list:

• Filter

Type a filtering term in the input field of the Role column and enter it using

the Enter key of your keyboard. The list will then display only entries

matching the filter.

• View Role Permissions

Click on this button, which is provided for each of the three pre-configured

roles, to view the permissions assigned to any of them.

This will open a window where the permissions are displayed.

For a description of this window, see the subsection further below.

• Edit Role Permissions

Click on this, button, which is provided for each user-configured role, to

view and edit the permissions assigned to any of them.

This will open a window where the permissions are displayed and can be

edited.

For a description of this window. see the subsection further below.

• Delete Selected

Select the role you wish to delete by marking the Select checkbox next to

it and click on this button. You can delete more than one role in one go,

but not any of the three pre-configured roles.

To delete all user-configured roles, mark the Select all checkbox and click

on this button.

Role Permissions Window

The Role Permissions window looks like this:

User Management

Note that this is the version for viewing and editing permissions. The version

for viewing only has no Save button in the top right corner.

By default, all permissions that can be configured in this window are granted.

The seniority level is by default set to 100.

To deny or grant a permission for the role you are configuring, clear or mark

the corresponding checkbox. Then click on the Save button to make the modification

effective.

For further information on what it means to configure the seniority level, as well

as allowed other roles, see the next subsections.

2–13

User Management

2–14

Seniority

The seniority level is measured by a value between 0 and 100.

It is important for determining who can deny access privileges to another administrator

while being logged in a the same time. As an administrator, you

can only deny privileges to administrators with seniority levels lower than your

own level.

So, if your seniority level is 80 and two other administrators are logged in with

seniority levels of 60 and 50, you can deny them simultaneous access or restrict

it to read-only. If an administrator with a seniority level of 100 is logged

in at the same time, you cannot deny this administrator anything. This administrator

may, however, exclude you from reading or writing or from both.

Note that there are three pre-configured roles with administrator levels of 100,

80 and 50, respectively. These pre-configured roles cannot be changed or

deleted. To view the seniority levels and other permissions for these roles,

click on the View Role Permissions button next to the role in question.

The permissions for administrators who are logged in at the same time are

configured using the Access Permissions sectiononthePreferences tab

under Home > Preferences.

After specifying the appropriate value here, click on the Save button in the top

right corner of the window to make this setting effective.

Use the following input field to configure the seniority level for an administrator

role:

• Seniority

Enter a value between 0 and 100 here according to the level required for

this role.

Allowed other roles

This section allows you to configure the roles that can be assigned to another

user account by a user with this role.

So, e. g. if the Administrator role is assigned to a user account and Administrator

and Policy Administrator are configured as allowed other roles

for this role, the user in question can only assign one of these two roles when

creating a new user account.

The user cannot, in this case, assign the Super Administrator role to the

account, or any other role that may be listed in this section, but is not selected.

User Management

To configure a role as allowed for being assigned by this role, select it in the

list by marking the corresponding checkbox.

After configuring all other settings in the Permissions for role ... window as

required, click on the Save button in the top right corner to make your settings

effective.

This will also close the window.

2.3

Policy Management

The Policy Management options are invoked by clicking on the corresponding

button under User Management:

The options are arranged under the following tabs:

They are described in the upcoming sections:

• Concept, see 2.3.1

• Management, see 2.3.2

• Web Mapping, see 2.3.3

• E-Mail Mapping, see 2.3.4

2–15

User Management

2.3.1

Concept

2–16

The Concept tab looks like this:

There is one section on this tab:

• Policy Concept

It is described in the following.

Policy Concept

User Management

The Policy Concept section looks uses several textst and a diagram to explain

the concept underlying the Webwasher policy management.

The diagram looks like this:

Using visual means, it represents the threefold structure of policy management

as it is performed under Webwasher:

• Selecting input

• Performingalookup

• Mapping to policy

2–17

User Management

2.3.2

Management

2–18

The Management tab looks like this:

There are three sections on this tab:

• Modify Policy

• Create New Policy

• Duplicate Policy

They are described in the following.

Modify Policy

The Modify Policy section looks like this:

It allows you to reset the settings of an existing policy to their default values

and to delete policies altogether.

User Management

To perform these activities for a policy, select it from the drop-down list provided

here and click on one of the following buttons:

• Reset to default

Click on this button to reset the selected policy to its default values.

• Delete Policy

Click on this button to delete the selected policy.

Create New Policy

The Create New Policy section looks like this:

Using this section, you can begin to configure a new policy by creating it first.

To configure settings for this policy use the tabs provided by this Web interface

for virus scanning, spam filtering, etc. Together with these tabs, policy lists are

provided, which will also include the new policy.

Select it from these lists when you are configuring the various settings, to make

sure they become part of this policy.

Use the following items to create a new policy:

• New policy name

Enter the name for the new policy in this input field. Then click on the

Create button next to it.

The new policy will then appear on the policy lists that are provided on the

tabs for configuring policy-dependent settings.

Duplicate Policy

The Duplicate Policy section looks like this:

2–19

User Management

Using this section, you can configure a new policy by duplicating an existing

one first and taking it as the starting point for configuring further settings.

2.3.3

Web Mapping

2–20

Use the following items to duplicate an existing policy:

• Policy to duplicate

From this drop-down list, select the policy you want to duplicate.

• New policy name

Enter the new name here you want to give the duplicated policy. Then click

on the Duplicate button next to it.

The duplicated new policy will then appear under its new name on the policy

lists that are provided on the tabs for configuring policy-dependent settings.

The Web Mapping tab looks like this:

There are three sections on this tab:

• Mapping Process

• Mapping Options

• Mapping Cache

They are described in the following.

Mapping Process

The Mapping Process section looks like this:

User Management

Using this section, you can configure mapping rules to assign policies to ICAP

requests received in Web communication according to the user information

provided in these requests.

To retrieve this information, various methods are applied, e. g. processing the

user name or, the name of the user group, or the IP address.

Furthermore, a lookup on an LDAP or NTLM server, or on a Novell eDirectory

server can be configured with some methods.

2–21

User Management

2–22

You can also configure the use of an emergency policy that will overrule all

mapping rules configured here in case of an emergency, e. g. the outbreak of

a new virus.

Specify the appropriate information using the items described in the following.

Then click on Apply Changes to make your settings effective.

Use the following items to configure mapping rules for Web communication:

• Use emergency policy ... overwriting all methods

Select an emergency policy from the drop-down list provided here. This

policy will be applied whenever an emergency situation occurs, e. g. the

outbreak of a new virus.

It will overrule all policies that would otherwise be applied according to the

rules and methods configured here.

• Mapping method order for REQMOD

Use the items provided in this area to configure a mapping method, which

will include specifications on what is mapped (map from: IP address, user

or group name), using what authentication method (map via: lookup on an

LDAP or NTLM server, or a Novell eDirectory server), and what rule.

The rule will in turn specify the policy that is applied to the mapped object.

You can configure more than rule for a method.

You can also configure more than one method. Methods will then be applied

in the order you position them here. Up to five methods can be configured

this way.

The specifications made in this are valid for REQMOD communication.

They can be applied also to RESPMOD communication, otherwise methods

and rules for RESPMOD communication can be configured separately

in an area below this one.

The following items are provided to configure mapping methods for REQ-

MOD communication:

— Map from

From this drop-down list, select what you want to map: IP, User, or

Group.

— Map via

From this drop-down list, select whether you want to map directly, e. g.

a user name or an IP address to a policy, or if you want there to be a

lookup first, e. g. a lookup on an LDAP or NTML server, or on a Novell

eDirectory server.

— Using these rules

User Management

The drop-down list provided here displays the name of the rule or rules

belonging to this mapping method. The name is a combination of the

information specified in the Map from and Map via fields, e. g. User-

LDAP-1.

In order to specify more information for a rule, click on the Apply

Changes button first to make the settings specified so far effective.

Then click on the Edit rules and options button next to the rules

entry in question. This will take you to another tab where you can

specify the appropriate information.

To add another rule under the same name, e. g. User-LDAP-2, and

specify information for it, select Create new rules from the list and

click on the Edit rules and options button.

— Use REQMOD mapping also for RESPMOD

Make sure this option is enabled if you want the same methods and

rules to be applied in RESPMOD and in REQMOD communication. The

option is enabled by default.

— Determine RESPMOD policy during REQMOD

Enable this option to make use of authentication information that is

missing in RESPMOD, but availableinREQMOD,alsoforRESPMOD.

The setting of this option does not depend on what has been configured

for the Use REQMOD mapping also for RESPMOD option above.

When, e. g. a mapping method is configured based on the user name,

the corresponding information may be retrieved from the Proxy Authorization

header (Standard Request header). If the SSL Scanner is to be

used at the same time, the Proxy Authorization header will be included

only in the first REQMOD message, i. e. in the CONNECT request,

and not in any of the further requests, which are encrypted.

In this case, you can enable the option described here to retrieve the

missing information also for the RESPMOD messages.

• Mapping method order for RESPMOD

Use the items provided here to configure mapping methods and rules for

RESPMOD communication. The items are only made available if you have

disabled the UseREQMODmappingalsoforRESPMODoption.

Use the items in the same way as described above for REQMOD communication

mapping.

2–23

User Management

2–24

Mapping Options

The Mapping Options section looks like this:

Using this section, you can configure what should happen if the mapping

process fails for a user request.

After modifying this setting, click on Apply Changes to make the modification

effective.

Use the following radio buttons to configure the action in case of a mapping

failure:

• Block request

If you want to block the request, make sure this radio button is checked.

The radio button is checked by default.

• Allow request and use default policy

Check this radio button to allow the request and use the default policy for

further processing.

Mapping Cache

The Mapping Cache section looks like this:

Using this section, you can configure a time interval for keeping data on

mapped users in the cache. The data can be kept there even if the corresponding

requests failed.

The mapping cache stores user names and IP addresses as input data and a

policy names as the corresponding output data.

This stored information can be re-used, rather than each time repeating external

server requests for input data. Looking up cached information is faster,

which enhances system performance.

User Management

After specifying the appropriate settings, click on Apply Changes to make

them effective.

Use the following items to configure the mapping cache:

2.3.4

E-Mail Mapping

• Time to keep users in cache: ... minutes

In the input field provided here, enter the time interval (in minutes) for keeping

user data in the mapping cache. The default time is 30 minutes.

• Cache failed requests

Mark this checkbox to cache also data retrieved from requests that were

not allowed.

The E-Mail Mapping tab looks like this:

There are two sections on this tab:

• Mapping Process

• Mapping Options

They are described in the following.

2–25

User Management

2–26

Mapping Process

The Mapping Process section looks like this:

Using this section, you can configure mapping rules to assign policies to e-mail

messages according to the information provided in these messages. To retrieve

this information, an internal scheme or an LDAP lookup can be applied.

Specify the appropriate information using the items described in the following.

Then click on Apply Changes to make your settings effective.

Use the items provided under this heading to configure mapping rules for e-mail

communication:

• Mapping method order for filtering e-mails (RESPMOD)

The following items are provided here:

Use the items provided in this area to configure a mapping method, which

will include specifications on what is mapped (map from: IP address, user

or group name), using what authentication method (map via: LDAP or

NTLM lookup), and what rule. The rule will in turn specify the policy that

is applied to the mapped object. You can configure more than rule for a

method.

You can also configure more than one method. Methods will then be applied

in the order you position them here. Up to five methods can be configured

this way.

The specifications made in this are valid for REQMOD communication.

They can be applied also to RESPMOD communication, otherwise methods

and rules for RESPMOD communication can be configured separately

in an area below this one.

The following items are provided to configure mapping methods for e-mail

messages RESPMOD communication:

— Mapping scheme

From this drop-down list, select the scheme you want to be used for

the mapping method: Internal or LDAP.

2.4

User Management

You can configure more than one method. Methods will then be applied

in the order you position them here. Up to two methods can be

configured this way.

In order to specify more information for a mapping scheme, click on

the Apply Changes button first to make the settings specified so far

effective. Then click on the Edit rules and options button next to the

scheme entry in question.

This will take you to another tab where you can specify the appropriate

information.

Mapping Options

The Mapping Options section looks like this:

It allows you configure the use of all the methods that were selected in the

Mapping Process section above for policy mapping purposes.

Usethefollowingitemtodothis:

• Use all selected methods to assign policies

User Database

Enable this option to have all methods selected above applied. Then click

on Apply Changes to make this setting effective.

The Languages options are invoked by clicking on the corresponding button

under User Management:

The options are arranged under the following tabs:

They are described in the upcoming sections:

• User Database, see 2.4.1

• Import, see 2.4.2

2–27

User Management

2.4.1

User Database

2–28

• LDAP Synchronization, see 2.4.3

• Backup & Restore, see 2.4.4

The User Database tab looks like this:

There are two sections on this tab:

• LDAP Synchronization

• User Database

They are described in the following.

LDAP Synchronization

The LDAP Synchronization section looks like this:

Using this section, you can configure synchronization of the user data base

provided by Webwasher with an LDAP server.

User Management

If users have been able to authenticate themselves on the LDAP server, their

credentials are added to the user database.

After specifying this setting in an appropriate way, click on Apply Changes to

make it effective.

Use the checkbox labeled as follows to configure LDAP synchronization:

• Allow new Users to add themself to the User Database if they can

authenticate at the LDAP Server

Mark this checkbox to enable LDAP synchronization in the way described

here.

User Database

The User Database section looks like this:

It allows you to add users to the Webwasher User Database and edit user

entries in that database.

It allows you to enter user data in the Webwasher user database.

To enter this data, use the items provided in the following area:

• Add new user

Specify the following information about the new user:

2–29

User Management

2–30

— Login Name

— Real Name

Real name of the new user

Input in this field is optional.

— Group(s)

User group or groups you want to assign the new user to

Input in this field is optional.

— E-Mail address

E-mail address of the new user

Input in this field is optional.

— Language

Language to be used for messages to the new user

Select the language from the drop-down list provided here. Input in this

field is optional.

— Password

Password the new user is to submit for authentication.

— Password (retype)

Retype the password in this input field.

— Password must be changed at next login

Mark this checkbox to enforce a password change at the next login by

the new user.

• Add new user

After specifying the appropriate information in the area above, click on this

button to add the new user to the list.

The user list is displayed at the bottom of the section.

To display only a particular number of entries at a time, type this number in the

input field labeled Number of entries per page and enter it using the Enter

key of your keyboard.

If the number of entries is higher than this number, the remaining entries are

shown on successive pages. A page indicator is then displayed, where you

can select a particular page by clicking on the appropriate arrow symbols.

2.4.2

Import

User Management

To edit an entry, type the appropriate text in the corresponding input field of the

Real Name, Group(s) or EMail column, or select a different language from

the corresponding drop-down list.

To edit the password for a user entry, click on the corresponding Edit button.

This will open a separate window, where you can edit the password.

Note that the login name of a user entry cannot be edited.

Use the following items to perform other activities relating to the list:

• Filter

Type a filter expression in the input field of the Login Name, Real Name,

Group(s) or Email column or any combination of these and enter this

using the Enter key of your keyboard. The list will then display only entries

matching the filter.

• Delete Selected

Select the entry you wish to delete by marking the Select checkbox next

to it and click on this button. You can delete more than one entry in one go.

To delete all user entries, mark the Select all checkbox and click on this

button.

The Import tab looks like this:

2–31

User Management

2–32

There is one section on this tab:

• Import User Database

It is described in the following.

Import User Database

The Import User Database section looks like this:

It allows you to import a file providing information about users into the user

database. Furthermore, you can configure a number of settings relating to this

file.

Use the following items to configure this file and import it into the user database:

• Import from

Specify the file containing the user information here. To do this, click on

the Browse button next to the input field and browsetothisfile.

Within this file, each line must contain information about one user only.

A line must consist of six entries separated by the column separator, with

each entry providing information as follows:

1. Login Name

The unique login name of the user

2. Full Name

Full name of the user

3. Groups

The groups that the user is a member of.

User Management

If the user is a member of more than one group, separate group name

by commas.

4. E-mail address

The e-mail address of the user

5. Preferred language

The language to be used for error template texts.

If you want this information to be processed, you need to configure a

corresponding language selection method.

This is done in the Language Selection section on the Languages

tab under User Management > Languages. The method you need

to select there is User Database.

6. Password

Password for the user.

This entry depends on the values you configure using the four radio

buttons under Password options in this section, see below for their

description.

• Column separator character

In the input field provided here, enter a character to be used for separating

entries in the user import file, i. e. the file that is imported into the user

database.

The default separator is the | (pipe sign).

• Password options

Specify the options for the user password here.

The first four options, which are configured using radio buttons, will determine

the password entry in the user import file, i. e. the file that is imported

into the user database.

2–33

User Management

2–34

The meaning of these options is as follows:

— Set random password and mail it to given email address

This will create a random password with a length of eight characters.

The password is sent to the address specified in the user import file.

— Password column contains clear text password name

If this option is enabled, the password will be taken from the plain text

entered in the user import file.

— Set password

The groups that the user is a member of.

If the user is a member of more than one group, separate group name

by commas.

— Password column contains NTLM hash (16 Bytes)

This will put a 16 Byte NTLM hash in place of each password specified

in the user import file. This hash is calculated as MD4 checksum based

on the unicode values of the password in question.

It is written into the user database, which will then also contain entries

for existing passwords that were encrypted.

— Password must be changed at next login

Enable this option to enforce a password change at the next login of a

user.

For this option to work, you need to specify an end user port in the End

User Port Settings section on the Ports tab under Configuration >

Web Interfaces.

• Overwrite existing entries

Enable this option to allow the overwriting of existing user entries in the

user database.

Otherwise, the attempt to overwrite existing entries will result in an error.

• Mail password to user

Enable this option to have the password sent to the corresponding user by

e-mail.

The option is always enabled and cannot be disabled if the first of the Password

options is also enabled, i. e. Set random password and mail it

to given email address.

User Management

Vice versa, it is always disabled and cannot be enabled if Password columncontainsNTLMhash(16Bytes)is

enabled.

• Import User

Click on this button to import the specified user import file with the settings

configured here.

2.4.3

LDAP Synchronization

The LDAP Synchronization tab looks like this:

There are three sections on this tab:

• LDAP Connection Details

• Attribute Details

• LDAP Authentication

They are described in the following.

2–35

User Management

2–36

LDAP Connection Details

The LDAP Connection Details section looks like this:

Using this section, you can configure some basic settings of the LDAP connection

for the user database.

After specifying the appropriate settings, click on Apply Changes to make

them effective.

Use the following input fields to configure this connection:

• LDAP server(s)

Enter the IP address of the LDAP server here.

You can add the port number after a colon, e. g. 192.168.0.5:389.

You can specify more than one server. In this case, separate the IP addresses

by spaces.

Webwasher will then try to do load balancing based on a round-robin algorithm

(server configurations must be the same).

• WW’s user name

Enter the name here that is used by Webwasher itself to get authenticated

when logging in to the LDAP server.

• WW’s password

Enter the password used by Webwasher here.

Attribute Details

The Attribute Details section looks like this:

User Management

Using this section, you can specify where the data needed for authentication

should be extracted from.

To do this, use the items provided in the following area:

• Select where attributes originate

Authentication information can be extracted from user attributes or from

the attributes of the group a user belongs.

Select User or Group object to have information extracted from the corresponding

attributes and specify the appropriate information using following

input fields and buttons:

— User

Mark the checkbox provided here if you want to extract information from

user attributes and specify the following information:

Attributes to extract

Specify the attribute or attributes that should be extracted here ,

separating attributes by commas.

The default attribute to be extracted is cn.

2–37

User Management

2–38

Concatenation string

If more than one attribute is specified here, they will be concatenated

using the string specified here.

So, e. g. when attributes a and b are extracted and / (slash) is

specified as concatenation string, then if Webwasher gets the values

a1, a2, a3 for attribute a and b1 for attribute b, the output list

will be as follows:

a1/b1

a2/b1

a3/b1

• Group object

Mark the checkbox provided here if you want to extract information from

group attributes and specify the following information:

— Attributes to extract

Specify the attribute or attributes that should be extracted here , separating

attributes by commas.

The default attribute to be extracted is cn.

— Concatenation string

If more than one attribute is specified here, they will be concatenated

using the string specified here.

So, e. g. when attributes a and b are extracted and / (slash) is specified

as concatenation string, then if Webwasher gets the values a1, a2, a3

for attribute a and b1 for attribute b, the output list will be as follows:

a1/b1

a2/b1

a3/b1

— Base DN to group objects

Enter the Base DN (distinguishing name) for the group objects here.

This is the name of the path leading to the location where the search

for a group name should begin.

— Group member attribute name

Make sure this radio button is checked if you want enable use of the

group member attribute name and enter a name in the input field next

in the same line.

The radio button is checked by default.

User Management

The group member attribute name is the unique key of an entry for a

group name stored on the authentication server.

Note that the value specified for this name must be equal to the one

specified under Base DN to group objects.

The default name is uniquemember.

— Object class for groups

Specify an object class for groups here.

This will limit the search for group attributes to those objects that are

instances of this class.

The default class name is groupofuniquenames.

— Filter

Check this radio button if you want use a filter and enter a filtering term

in the input field in the same line.

This will limit the search for group attributes to objects with names

matching the filter.

• Real Name

Enter the real name of the user here that will be authenticated using the

attributes specified above.

• E–Mail Address

Enter the e-mail address of the user here that will be authenticated using

the attributes specified above.

• Language

Enter the language here that should be used for message to the use that

will be authenticated using the attributes specified above.

You can also specify a default language that will be used if no user is configured.

To do this, use the drop-down list labeled as follows:

— or . . . (if no mapping given or not specified for User)

Select the default language for messages to the user here.

2–39

User Management

2–40

LDAP Authentication

The LDAP Authentication section looks like this:

Using this section, you can configure It allows you to enter user data in the

Webwasher user database.

After specifying the appropriate settings, click on Apply Changes to make

them effective.

Use the following input fields to configure these settings:

• Base DN to user object

Enter the Base DN (distinguishing name) for the user here.

This is the name of the path leading to the location where the search for a

user name should begin.

• UID attribute name

Make sure this radio button is checked if you want enable use of the group

member attribute name and enter a name in the input field next in the same

line.

The radio button is checked by default.

The UID attribute name is the unique key of an entry for a user name stored

on the authentication server.

• Filter

Check this radio button if you want to use a filter and enter a filtering term

in the input field in the same line.

This will limit the search for user attributes to objects with names matching

the filter.

2.4.4

Backup & Restore

The Backup & Restore tab looks like this:

There is one section on this tab:

• Backup & Restore

It is described in the following.

Backup & Restore

The Backup & Restore section looks like this:

It allows you to download a user database file and to restore it.

Use the following items to do this:

• Download User Database File

Click on this button to download the current user database file.

User Management

2–41

User Management

2.5

• Restore configuration from file

To restore a configuration with a particular user database file enter the file

name in this input field or browse to it using the Browse button next to the

this field.

Then click on Restore to restore the configuration.

Authentication Server

2–42

The Authentication Server options are invoked by clicking on the corresponding

button under User Management:

The options are arranged under the following tab:

They are described in the upcoming section:

• Authentication Server, see2.5.1

2.5.1

Authentication Server

The Authentication Server tablookslikethis:

At the top of this tab, there is a button labeled:

• Define Authentication Options

User Management

Click on this button to configure some general options relating to authentication.

This will open a window where you can specify the appropriate

information.

The options of this window are described in 5.2.3.

Furthermore, there are five sections on this tab:

• Authentication Server Settings

• Authentication Process

• NTLM and NTLM-Agent Authentication Options

• User Database Authentication Options

• Propagate Authentication Options

They are described in the following.

2–43

User Management

2–44

Authentication Server Settings

The Authentication Server Settings section looks like this:

Using this section, you can enable the authentication server and configure a

port on this server, as well as some additional settings for it. More settings can

be configured in the remaining sections of the Authentication Server tab.

The authentication server is used for performing the transparent authentication

of users. Configuring this kind of authentication involves several sections and

tabs of the Web interface. A description of this is given in the Transparent

Authentication subsection below.

If you want to use the authentication server, make sure the checkbox next to

the section heading is marked.

After modifying this setting or any other setting in this section, click on Apply

Changes to make these settings effective.

Use the following items to configure the authentication server:

• Port

In this input field, specify the port used on the authentication server. The

input format is:

[IP]: port

The default port number is 9094.

• Use SSL

Make sure this checkbox is marked if you want use of SSL enycryption for

communication with the authentication server. The checkbox is marked by

default.

This will protect your password against being intercepted during the authentication

process. Your password is also protected, even without SSL

encryption, if you configure use of the Webwasher user database with integrated

authentication.

User Management

ThiscanbedoneintheAuthentication Process and User Database

Authentication Options sections on this tab.

Configuring NTLM or the NTLM Agent in the Authentication Process

section and integrated authentication in the section labeled NTLM and

NTLM-Agent Authentication Options will protect your password in the

same way.

• Append parameter to avoid redirection loops

Make sure this checkbox is marked if you want to append the parameter.

The checkbox is marked by default.

Make sure this checkbox is marked if you want use of SSL enycryption for

communication with the authentication server. The checkbox is marked by

default.

This will help avoid redirection loops in situation like the following: The

browser requests URL A. The ICAP server sends a redirect to B and the

authentication server sends another redirect to A. Firefox treats this as an

endless loop and stops the request, while the Internet Explorer does not

recognise it.

Webwasher appends a dummy parameter to A by default, which will end

the loop: A->B->A2. The parameter is removed, however, in REQMOD

communication.

• Authentication expires after ... seconds

In the input field provided here, enter the time interval (in seconds) that an

authentication is to last. The default interval is 120 seconds.

After the interval configured here has expired, the ICAP server will send

another redirect for the next request, in order to renew the mapping and

authentication interval.

The disadvantage of configuring a longer interval here is that user switches

on one system or a new assignment of the IP address to another system

using DHCP will not be recognized, which makes the mapping less accurate.

On the other hand, smaller intervals lead to frequent redirects.

2–45

User Management

2–46

Transparent Authentication

The following subsection provides you with some general information on the

method of transparent authentication and describes a configuration procedure

to set up this method on Webwasher.

At the end some notes are given providing additional information.

General Information

The transparent authentication method can be configured as one of several

methods to retrieve user credentials and authenticate users based on these

credentials. It is usually incorporated in the process of mapping users to particular

policies.

Transparent authentication relies on a mapping between IP addresses and

users, whereas other methods map users and connections or requests. With

this address-based method, however, it is not possible to distinguish between

multiple users on a single system. The user names can be searched for in the

Webwasher user database, which has been provided for this purpose, or on

an LDAP or NTLM server.

Configuring transparent authentication may be appropriate in a situation where

thereisnoproxy in your configuration, but you still want to have authentication

or policy mapping, or where there is a proxy, but it is not capable of performing

the demanded authentication method.

Configuration Procedure

Configuring transparent authentication involves two kinds of steps:

• Steps that are required to configure the authentication server –

These include configuring the settings of the Authentication Server Settings

section, i. e. the section that this online help page is relating to.

• Steps that are required to configure a policy mapping rule – These

steps are required because transparent authentication is usually configured

within the process of policy mapping. They need to be performed

even if the intention is to configure only authentication and no policy mapping.

Both kinds of steps are described in the following.

User Management

Configuring the authentication server – This part of the procedure begins

withgoingtotheAuthentication Server tab under User Management >

Authentication Server, i. e. to the tab you have currently selected, and

configuring the settings of the Authentication Server Settings section.

It is continued by configuring the settings of the remaining sections on this tab.

To get more detailed information about a setting, click on the question mark in

the corresponding section.

To configure the authentication server proceed as follows:

1. Use the Authentication Server Settings section to enable the authentication

server and to configure a port on it, as well as some additional

parameters:

• Make sure the checkbox next to the section heading is marked. This

is required to have the authentication server enabled.

• In the Port input field, specify the port used on the authentication

server.

• Make sure the Use SSL checkbox is marked.

Clear it if you want to do without SSL encryption.

• In the input field labeled Transparent authentication expires after

... seconds, enter an interval (in seconds).

2. In the Authentication Process section, select an authentication method

from the first drop-down list provided here.

You may also select one of the other methods in second position. A further

option is to mark the checkbox labeled Use login page to get credentials,

and then. This will enable the use of a login page.

3. In the Authentication Process section, select an authentication method

from the first drop-down list provided here.

According to the method you selected under Authentication Process,

configure the corresponding options in the NTML and NTML-Agent Authentication

Options or the User Database Authentication Options

section.

2–47

User Management

2–48

Configuring a policy mapping rule – This part of the procedure will configure

the settings required for a policy mapping rule that includes the use of the

transparent authentication method.

To get more detailed information about a setting, click on the question mark in

the corresponding section.

To configure a policy mapping rule including transparent authentication, proceed

as follows:

1. Go to the Web Mapping tab under User Management > Policy Mapping.

2. Use the Mapping Process section to configure a rule for Web mapping.

Select User Name and map directly if you want to configure a policy

intended for a single user, or Group Name and map directly for a policy

based on the membership of a user in a particular group.

3. Click on the Edit rules and options button. This will take you to the

User based Mapping tab.

4. In the User Name Location section, select Transparent Authentication

from the drop-down list labeled Extract user information from.

5. From the drop-down list labeled Accepted Authenticated methods,

select a method, e. g. Local, orAny to allow all methods.

6. In the Add Rule section, add a rule for policy mapping.

Notes

A rule that might be added here is default = *, which will allow all authenticated

users.

To specify this rule, select default from the drop-down list of policies provided

here and enter an * in the input field next to it. Then click on the

Add first button to add this rule to the list.

The following should be kept in mind when configuring transparent authentication:

• POST requests will fail when the ICAP server sends a redirect to the authentication

server, which is only done, however for the renewal of a mapping.

This is because for the browser the request was successful and the POST

body will not be sent again after the final redirect.

• When authentication is done on a server, which is the authentication server

in this case, over a proxy connection, the Internet Explorer will not send the

credentials.

User Management

The following might be configured as a workaround here:

— Use a login page for authentication.

— Configure the Internet Explorer not to use a proxy for the authentication

server. This means that if Webwasher has been set up as a cluster, all

IP addresses must be excluded.

Authentication Process

The Authentication Process section looks like this:

Using this section, you can configure where users are authenticated. You can

also configure the use of a login page for retrieving user credentials.

The login page is a template, which is stored in the conf\errors folder of the

Webwasher program files. You can create different language versions of this

template.

Note that to configure a method for selecting the appropriate language template

you can only select methods that are available before the authentication

process. These methods are IP and Browser. They are configured in the

Language Selection section of the Languages tab under User Management

> Languages.

The authentication process may involve an LDAP or NTLM server, a Radius

server, or the User Database provided by Webwasher.

Furthermore, there is also an option for configuring the use of a Novell eDirectory

server, which will then take the role of an LDAP server, in order to

authenticate users.

On this server, information is stored about the IP addresses of authenticated

users, which can be extracted and used by Webwasher for the authentication

process.

The name of the field where the IP address of a user is stored is

NetworkAddress. The port number can be stored there with the address.

The field is in binary format, which means that no wildcard queries can be performed

for user addresses. Instead, Webwasher periodically polls the eDirectory

to retrieve the addresses of the users that logged in since the last request.

2–49

User Management

2–50

The structure of this search is reflected in a filtering term, which is configured

together with the settings for the LDAP method, see further below.

Make sure the NetworkAddress field is visible when the user information is

looked at via the LDAP server interface. Otherwise, Webwasher will not be

able to extract the information.

You can configure one or two methods of user authentication. They are applied

in the order you specify them. A user is successfully authenticated as soon as

one of the configured methods produces a match.

After selecting a method, you can specify further settings that are relevant to

this method in other sections of this tab, and in the window that appears after

clicking on the Define Authentication Options buttoninthetopareaofthis

tab.

For the NTLM and NTLM-Agent methods, this can be done in the NTLM and

NTLM-Agent Authentication Options section, and for the User Database

method in the Userdatabase Authentication Options section. Both these

sections are on this tab.

For the LDAP method, there is the LDAP Authentication section in the Define

Authentication Options window, where you also find the Radius Authentication

section for the Radius server method.

If you select eDirectory as method, you can also configure the use of a filter

for searching the user information that is needed in the authentication process.

This is done in the Novell eDirectory IP Filter input field, which is provided

in the LDAP Authentication section of the Define Authentication Options

window.

A filtering term has been entered in this field, which should not be altered since

this will prevent Webwasher from extracting the appropriate user information.

The name of the storage field on the eDirectory server has also been preconfigured

as one of the additional settings of the LDAP method and should likewise

not be altered.

Furthermore, you can configure the eDirectory option as part of the Web mapping

process. There will be a lookup of these addresses then on the eDirectory

server before they are mapped to security policies configured within Webwasher.

Use the Mapping Process section on the Web Mapping tab under User

Management > Policy Mapping to configure these settings.

After specifying the appropriate settings here, click on Apply Changes to

make them effective.

User Management

Use the following checkbox and drop-down lists to configure methods for user

authentication:

• Use login page to get credentials, and then

Mark this checkbox to have a login page presented to a user for entering

the user credentials. After this has been completed, the authentication

process will begin, using the methods configured below.

The login page will be presented when the user tries to get authenticated

for the first time and whenever the authentication interval has expired.

If no login page is used, user credentials need to be submitted only when

authentication is requested by a user for the first time, or, with integrated

authentication on Windows, not at all. These methods are not less secure

than using a login page, but clearly more comfortable.

• Authentication process methods list 1

Select a method for user authentication from this drop-down list. If you

select an additional method from the second list, they are applied according

to their order. If the first method fails, a user may still be authenticated by

the second.

The following methods are available: NTLM, NTLM Agent, LDAP, eDirectory,

User Database and Radius.

• Authentication process methods list 2

Select a method for user authentication in the same way as described

above from this drop-down list. You may also select None here, and have

just one method for authenticating users.

NTLM and NTLM-Agent Authentication Options

The NTLM and NTLM-Agent Authentication Options section looks like

this:

2–51

User Management

2–52

Using this section, you can configure options for an authentication method that

performs an NTLM lookup in order to authenticate users.

NTLM is an authentication method used by Microsoft browsers, proxies and

servers. It is more secure than other methods because the user password is

not transmitted as plain text.

The user of the NT domain is a member of several domain groups. The ICAP

server can use these groups to do the policy mapping. A list of groups must

be provided by the ICAP client.

Only Internet Explorer supports NTLM for this kind of configuration, but there

are additional utilities available for other browsers, such as Mod_NTLM for

Apache, or MSNT for Squid.

If you want to do NTLM authentication on an operating system other than Windows,

you can use an agent application, called the NTLM Agent, to enable

this. The settings configured here will apply also for the agent application.

There is a basic and an integrated method of authenticating users.

With basic authentication, the browser sends the user name and password

as plain text (less secure) to Webwasher, who plays the role of the client to

exchange authentication messages with the authentication server, so Webwasher

uses the NTLM method to authenticate the user.

Integrated authentication encrypts messages going from the client browser to

the authentication server and back. In this situation, Webwasher acts as the

proxy server and forwards authentication server messages to the client.

After specifying the appropriate information, click on Apply Changes to make

your settings effective.

Use the following items to configure this kind of authentication:

• Enable integrated authentication

Enable this option to use the integrated authentication method.

• Enable basic authentication

Enable this option to use the basic authentication method and enter the

default domain used for basic authentication in the input field provided here.

This is the default option.

• Select what groups to get from Domain Controller

From the drop-down list provided here, select what groups should be

fetched from the domain controller: Global, Local or both.

User Database Authentication Options

User Management

The User Database Authentication Options section looks like this:

This section allows you to configure the method used for authentication with

the Webwasher user database. This method can be either integrated or basic

authentication.

Integrated authentication is a challenge and response method that does not

allow to recover the password during the authentication process over a sniffed

connection. The password hash will be calculated with two random values,

one chosen by the client and one by the server.

With basic authentication, the client puts together user name and password

and sends them as a base64 encoded request header to the corresponding

destination, i. e. the proxy, the server, etc.

After modifying the settings in this section, click on Apply Changes to make

the modification effective.Using this section, you can configure authentication

by means of using the information stored in a user database.

There is a basic and an integrated method of authenticating users.

With basic authentication, the browser sends the user name and password

as plain text (less secure) to Webwasher (who plays the role of the client to

exchange authentication messages with the authentication server), so Webwasher

uses the information stored in the user database to authenticate the

user.

Integrated authentication encrypts messages going from the client browser to

the authentication server and back. In this situation, Webwasher acts as the

proxy server and forwards authentication server messages to the client.

After specifying the appropriate information, click on Apply Changes to make

this setting effective.

Use the following checkboxes to configure an authentication method for the

Webwasher user database:

• Enable integrated authentication

Mark this checkbox if you want to use integrated authentication.

2–53

User Management

2–54

• Enable basic authentication

Make sure this checkbox is marked if you want to use basic authentication.

The checkbox is marked by default.

Propagate Authentication Options

The Propagate Authentication Options section looks like this:

Using this section, you can configure the propagation of information on authenticated

users in a cluster. The submaster will propagate this information to the

master.

This way, a user that has been authenticated successfully on a site instance

needs not renew thes authentication if redirected for any reason to another site

instance.

If the cluster is running in a big network and is configured in a way that there

are lots of sub-masters with each of them being responsible for a sub-net, this

may cause problems because IP addresses that are unique locally may not be

unique in the whole cluster.

For this reason, there is the option to stop propagating authenticated users at

sub-master level. If this feature is enabled, a sub-master will only propagate

information on authenticated users to the site instances that are subscribed to

it and will not them to its master. It will also does not retrieve such information

from the master.

After modifying the setting configured here, click on Apply Changes to make

the modification effective.

Use the following checkbox to configure the propagation of user information:

• Sub master propagates authenticated users up to master

If this checkbox is marked, information on authenticated users will be propagated

from the sub-master instance in a cluster to its master.

The checkbox is marked by default.

2.6

Windows Domain Membership

User Management

The Windows Domain Membership options are invoked by clicking on the

corresponding button under User Management:

Note that these options are only available for instances of Webwasher running

on UNIX systems, such as Linux or Solaris.

The options are arranged under the following tabs:

They are described in the upcoming sections:

• Windows Domain Membership, see2.6.1

• NTLM Authentication Test, see2.6.2

2.6.1

Windows Domain Membership

The Windows Domain Membership tab looks like this:

2–55

User Management

2–56

There is one section on this tab:

• NTLM Authentication

It is described in the following.

NTLM Authentication

The NTLM Authentication section looks like this:

Using this section, you can configure an account within one or more Windows

domains for an instance of Webwasher that is running on a particular system.

An account like this is also known under the name of "machine account" or

“computers”. It is used to forward user authentication requests received by

Webwasher to the domain controller.

The domain controller checks the user credentials to verify whether a particular

user is an authenticated user within the domain, using the information stored

in its database, and sends the result back to Webwasher.

Depending on the result, a user who submitted an authentication request is

allowed or denied access to the system Webwasher is running on.

Note that you need to configure an individual account for every instance of

Webwasher that is running on a particular system.

User Management

This is also required if the Webwasher instance is a member of a cluster in a

central management or a high-availability environment since the settings described

here are not distributed within the cluster.

Furthermore, note again that this section and tab are only available for instances

of Webwasher running on UNIX systems, such as Linux or Solaris.

Use the following items to configure a Webwasher account in a Windows domain:

• Windows domain name

In this input field, type the name of the Windows domain that the Webwasher

account should be joined to.

Note that you need to type the name without extension, e. g. securecomputing,

instead of securecomputing.com.

• Webwasher account name

In this input field, type the Webwasher account name, which is the “machine”

name or “computer” name of the system Webwasher is running on.

Note that this name must not be longer than 15 characters.

Remember that you need to specify an individual account name for every

Webwasher instance and also need to repeat the procedure of configuring

all the settings described here for every instance, even if it is a member of

a central management or a high-availability cluster.

• Overwrite existing account

Mark this checkbox to have the account you are presently configuring overwrite

an account that existed before under the same name.

In this case, you should make sure that the existing account is actually not

needed anymore.

• Configured Domain Controller(s)

In this input field, specify one or more domain controllers. This should be

done by typing their host name or names.

IP addresses may also be used here, but this could in some cases lead

to problems with correctly assigning users to their domains. This means

that a user would have to submit a domain name together with the usual

credentials in order to be authenticated.

When specifying more than one controller here, separate entries by commas.

Note also that any host name you specify here must be resolvable.

Note, furthermore, that Webwasher will connect only to one domain controller

at a time.

2–57

User Management

2–58

If more than one controller is configured, Webwasher will try to connect to

the first in the list, and in case this one is down, go through the list retrying

until a connection has been established successfully.

• Administrator name

In this input field, type the name of an administrator account that has permission

to execute the configuration activities required for setting up Webwasher

accounts in a Window domain.

Note that the information you specify here is only used once to complete

the configuration procedure and is not stored afterwards.

• Password

In this input field, type the password for the above administrator account.

Note that also this information is only used once and not stored.

• Join domain

After specifying the appropriate information, click on this button to let a

Webwasher account join a Windows domain.

If this action was successful, a corresponding entry is added to the list of

accounts, which is displayed at the bottom of the section.

To display only a particular number of list entries at a time, type this number

in the input field labeled Number of entries per page and enter it using the

Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are

shown on successive pages. A page indicator is then displayed, where you

can select a particular page by clicking on the appropriate arrow symbols.

To filter the list output, type a filtering term in input field at the top of the

Domain column and enter it using the Enter key of your keyboard. The

list will then only display entries with domain names matching this term.

To edit an entry, type the appropriate information in the corresponding input

field of the Domain Controller(s) column and click on Apply Changes

to make the modification effective.

You can edit more than one entry at a time and make the modification

effective in one go.

Note that you cannot edit the information in the Domain and Account

columns.

User Management

The indicator in the Status column shows the status for each entry. It can

take different colors, which have the following meanings:

— Gray

The account is joined to the domain, but so far no authentication request

has been submitted through this account, so it is unclear whether

it is currently possible to connect to the domain controller.

The gray color is also shown when a new domain was added to the

configuration, regardless of whether the red or green color was previously

shown for the account.

— Red

The account is joined to the domain, but there is a problem with the

connection to the domain controller.

— Green

The connection between account and domain controller is working without

any problems.

To remove an account from the domain it is currently joined to, use the following

button, which is provided for each entry:

• Leave domain

Click on this button to make an account leave its configured domain.

2–59

User Management

2.6.2

NTLM Authentication Test

2–60

The NTLM Authentication Test tab looks like this:

There is one section on this tab:

• NTLM Authentication

It is described in the following.

NTLM Authentication

The NTLM Authentication section looks like this:

User Management

Using this section, you can test the settings you configured for NTLM authentication

of a user in a Windows domain.

If the test is passed successfully, information is displayed on the connection

status, the authentication result for a given user, and the groups that this user

is a member of within the domain.

Use the following items to perform the authentication test:

• Domain

In this input field, enter the domain that the user should be authenticated

for

• User

In this input field, enter the user name

• Password

In this input field, enter the password for the above user name

2–61

User Management

2.7

• Authenticate user

After submitting information in the three fields above, click on this button to

perform the authentication test.

If the test was passed successfully, you will see the following information in the

area below the button:

• Connection status

Status of the connection to the domain controller

• Active DC

Languages

2–62

Name of the domain controller that a connection has been established to

• Authentication result

Information whether the authentication process was performed successfully

for the user in question

• User groups

Number of groups within the Windows domain that this user is a member

of

A list of these groups is provided below the User groups line.

The Languages options are invoked by clicking on the corresponding button

under User Management:

The options are arranged under the following tabs:

They are described in the upcoming section:

• Languages, see 2.7.1

• Import Language Pack, see 2.7.2

2.7.1

Languages

The Languages tab looks like this:

There are three sections on this tab:

• Supported Languages

• Language Selection

• Language Selection Parameters

They are described in the following.

User Management

2–63

User Management

2–64

Supported Languages

The Supported Languages section looks like this:

This section displays all languages that have been configured for sending messages

to users of Webwasher, e. g. error messages or notifications. From

these, you can select the languages that are actually used for sending messages.

Webwasher will not support languages that have not been selected

here.

This is especially useful if you are customizing messages, but do not want to

customize them in all available languages.

The languages that are available for Webwasher and displayed here must have

been entered in the global.ini (Windows) or global.conf (Linux/Solaris) configuration

file.

For a description of how to add more languages to this file, see Chapter 7,

Language Configuration, of the Webwasher Reference Guide.

Note that the following languages are displayed here by default: German,

English, French, and Japanese. These are also the languages that user

message templates are delivered for with the Webwasher software.

You can implement the use of additional languages by importing sets of user

message templates, known as "Language Packs", into Webwasher. Language

packs are available for Italian, Spanish, Portuguese, Chinese, and Korean.

Use the items on the Import Language Packs tab under User Management

> Languages to import these.

If you want Webwasher to support other languages than those mentioned so

far, you need to provide own translations of the corresponding user message

templates. For information on how to implement them within Webwasher, see

also Chapter 7 of the Reference Guide.

You can select more than one language here, which enables you to configure

different languages for different users, e. g. with regard to their IP addresses

or the security policies they have been mapped to.

In the Language Selection section, you can configure methods to establish

the language that is appropriate for sending messages to a particular user under

particular circumstances.

The Language Selection Parameters section is provided to configure settings

for these methods. A configuration example is given on the online help

page for this section.

User Management

After specifying the appropriate settings here, click on Apply Changes to

make them effective.

Use the following items to configure the supported languages:

• German [de], English [en], etc.

Mark the checkbox of the languages you want to be supported for user

messages.

The English checkbox is marked by default.

Language Selection

The Language Selection section looks like this:

Using this section, you can configure methods to establish which language is

appropriate for sending messages to a particular user.

Methods are applied in the order you configure them here. If no supported

language is found by applying the first method, Webwasher uses the second

method in the list to look up the language, and so on. If none of the selected

methods yields a supported language, the default language is used.

Note that some of these methods and corresponding parameters can be configured

with regard to Web or e-mail traffic only.

After specifying the appropriate settingss, click on Apply Changes to make

them effective.

Use the following items to configure methods for language selection:

• Default language

From this drop-down list, select the language Webwasher should use as

default. By default, English is the default language.

2–65

User Management

2–66

• 1.Method, 2.Method, etc.

From the drop-down lists provided here, select the methods you want Webwasher

to apply for determining which language should be used in a message

to a particular user.

The method you select from the first list will be applied first, and so on.

By default, only one method is selected from the first list, which is Browser,

whereas no methods are selected from the remaining lists.

The following methods can be selected here:

— Browser

Webwasher uses the browser language of a client that sent a request

for sending any messages back to this client.

— IP

The language Webwasher uses for sending messages to a client depends

on the range of IP addresses the client lies within. Languages

are assigned to particular ranges in the Language Selection Parameters

section.

Note that this is a method for Web traffic only.

— Email

The language Webwasher uses for sending messages depends on particular

attributes of the e-mails the messages are related to. These attributes

are configured in the Language Selection Parameters section.

Note that this is obviously a method for e-mail traffic only.

— Policy

The language Webwasher uses for sending messages depends on the

policies configured for the filtering measures that caused the messages

to be sent. Languages are assigned to particular policies in the Language

Selection Parameters section.

— LDAP

The language Webwasher uses for sending messages to a client depends

on the language attribute and other attributes that have been

stored on an LDAP server for this client. These attributes are configured

in the Language Selection Parameters section.

Note that this is a method for e-mail traffic only.

— User Database

User Management

The language Webwasher uses for sending messages to a particular

user depends on the language configured for this user in the Webwasher

User Database, see 2.4.1.

Language Selection Parameters

The Language Selection Parameters section looks like this:

Using this section, you can configure parameters relating to the methods of

the Language Selection section.

Note that some of these methods and corresponding parameters can be configured

with regard to Web or e-mail traffic only.

After specifying the appropriate settings, click on Apply Changes to make

them effective.

Use the following items to configure language selection parameters:

• LDAP language attribute

In the input field provided here, enter the attribute that should be searched

for on the LDAP server when the LDAP method is used for selecting languages.

If it can be found within the entries stored for a client on this server, Webwasher

will use the corresponding language for sending messages to this

client.

2–67

User Management

2–68

Note that this method and attribute can only be configured for e-mail traffic.

Below this input field, there is a link that takes you to the Recipient LDAP

Check tab, where you can configure more settings of the LDAP server.

• Language

This column provides a list of the languages Webwasher will select from

when sending messages. To determine which language should be selected

in a given situation, you configured methods in the Language Selection

section.

Use the input fields in the columns next to this column to configure parameters

for each of these methods and with regard to each of the languages

in the list:

— IP-Range

Enter the range of client IP addresses here that Webwasher should

send messages to in a particular language. This can be done by actually

entering a range of addresses (specifying its beginning and end),

or a single address, or a list of addresses.

Note that configuring this parameter for a language is only meaningful

if you have selected IP as method in the Language Selection section

and that this method works for Web traffic only.

— Email-Match

Enter a regular expression here that must be matched by one of the

attributes of an e-mail. If there is a match, Webwasher will send messages

relating to that e-mail in a particular language.

Note that configuring this parameter for a language is only meaningful

if you have selected Email as method in the Language Selection

section and that this method obviously works for e-mail traffic only.

— LDAP-Match

Enter a regular expression here that must be matched by the attributes

entered for a client on an LDAP server. If there is a match, Webwasher

will send messages to that client in a particular language. Use of this

attribute is made in addition to the language attribute configured above.

Note that configuring this parameter for a language is only meaningful

if you have selected LDAP as method in the Language Selection

section and that this method works for e-mail traffic only.

• Policy

User Management

This column provides a list of the security policies that have been configured

so far under Webwasher.

You can configure a language for each of these policies, which will enable

Webwasher to use this language for messages relating to a filtering measure,

e. g. Block or Allow, that was triggered under the policy in question.

Use the drop-down lists in this column to do this:

— Language

Select a language for each of the policies listed here from the dropdown

list next to it.

2.7.2

Import Language Pack

The Import Language Pack tablookslikethis:

There is one section on this tab:

• Import Language Pack

It is described in the following.

2–69

User Management

2–70

Import Language Pack

The Import Language Pack section looks like this:

Using this section you can download a language pack from a Web server provided

by Secure Computing and import it into Webwasher. This will enable

Webwasher to display messages sent to the user, such as error and e-mail

digest messages, in a language other than English.

For information on how to configure the use of other languages, see the Languages

tab and the corresponding online help pages.

Note that the language information for French, German and Japanese is

shipped with Webwasher, so no import of a language pack is required for

these languages. Language packs are available for the following languages:

Spanish, Portuguese, Italian, Chinese, and Korean.

Before importing a language pack into Webwasher, you need to download it

from the Webwasher Extranet and store it in a location within your local file

system.

To access the Extranet, you need a user account and password. Within the

Extranet, go to Download > Language Packs to download packages for

languages as required.

After a language pack has been imported, the language in question is displayed

in the Supported Languages section of the Languages tab. To actually enable

support for it, mark the checkbox next to it and click on Apply Changes

(as described in the Supported Languages subsection of 2.6.1).

Use the following items to import a language pack:

• Import language pack from

Specify the file name of the language pack you want to import in this input

field.

To do this, click on the Browse button next to the field and browse to the

location where you have stored the language pack file in question.

• Import

After browsing to the appropriate language pack file, click on this button to

import it into Webwasher.

Reporting

Chapter 3

The functions described in this chapter are accessible over the Reporting tab

of the Web interface:

These functions allow you to configure the reporting features provided by Webwasher

such as, e. g. the viewing of live reports or log file management.

The upcoming sections describe how to handle these functions. The description

begins with an overview.

3–1

Reporting

3.1

Overview

3.2

The following overview shows the sections of this chapter:

System Configuration Guide – Webwasher Web Gateway Security

Introduction

User Management

Reporting Overview –thissection

Caching

Proxies

Configuration

Live Reports for

policy

View Live Reports, see 3.2

Overall Reporting Log File Management, see 3.3

View Log Files, see 3.4

Live Report Management, see 3.5

View Live Reports, see 3.6

Miscellaneous 4-Eyes Principle, see 3.7

View Live Reports (For Policy)

3–2

Deanonymization, see 3.8

The View Live Reports options are invoked by clicking on the corresponding

button under Reporting:

These are policy-dependent options, i. e. they are configured for a particular

policy. When you are configuring these options, you need to specify this policy.

Reporting

To do this, select a policy from the drop-down list labeled Live Reports for

policy, which is located above the View Live Reports button:

The options are arranged under the following tab:

They are described in the upcoming section:

• View Live Reports, see 3.2.1

To configure overall View Live Reports options, i. e. options that are not

policy-dependent, see 3.6.

3.2.1

View Live Reports

The View Live Reports tab looks like this:

There are three sections on this tab:

• Policy Statistics

• Policy Summary Reports

• Display Options

3–3

Reporting

3–4

They are described in the following.

Policy Statistics

The Policy Statistics section looks like this:

It allows you to view detailed information on the filtering activities going on

under a particular policy in your corporate network.

To view a particular kind of information, click on the corresponding icon (magnifying

glass with paper).

The following kind of information can be viewed:

• Filter Statistics

Shows the amount of data washed by the Advertising Filter, Privacy Filter,

Security Filter and the Media Type Filter.

• Category Overview

Provides an overview of the number of requests made, broken down by

category, as well as an overview of the number of external and the number

of blocked requests, regardless of whether they were blocked or not.

Policy Summary Reports

The Policy Summary Reports section looks like this:

It allows you to view summary reports on filtering activities performed under a

particular policy in your corporate network.

Reporting

Different reports can be written according to the way Webwasher is configured,

i. e. (1) as proxy for client communication, or (2) filtering Web requests and uploads

in REQMOD communication, or (3) filtering Web downloads and e-mail

messages in RESPMOD communication, or in a combination of (2) and (3).

Use the following buttons to perform other activities relating to these reports:

• Export All

Click on this button to export all reports to an Excel format.

• Reset All

Click on this button to reset all reports.

Display Options

The Display Options section looks like this:

It allows you to configure the way reports are displayed.

Specify information regarding this display in the input fields described below.

Then click on Apply Changes to make your settings effective.

The following parameters can be configured here:

• Number of displayed items

Enter the appropriate number of items here. The default number is 10.

• Automatically refresh after ... seconds

Enter the appropriate number of seconds here. The default number is 0, i.

e., no automatic refreshing.

3–5

Reporting

3.3

Log File Management

3–6

The Log File Management options are invoked by clicking on the corresponding

button under Reporting:

The options are arranged under the following tabs:

They are described in the upcoming sections:

• Activate Log Files, see 3.3.1

• Auto-Rotation, see 3.3.2

• Auto-Deletion, see 3.3.3

• Auto-Pushing, see 3.3.4

• Content Reporter, see 3.3.5

In addition to these descriptions, a procedure is also described for configuring

the processing of Webwasher log data by SmartReporter:

• Configuring Log File Processing for SmartReporter, see 3.3.6

SmartReporter is a component of SmartFilter, which is another Web Gateway

Security product provided by Secure Computing.

3.3.1

Activate Log Files

The Activate Log Files tablookslikethis:

There are two sections on this tab:

• Activate Log Files

• Custom Log Files

They are described in the following.

Reporting

3–7

Reporting

3–8

Activate Log Files

The Activate Log Files section looks like this:

Using this section, you can configure the writing of log files. You can also

determine whether they should be written on the ICAP client or the ICAP server.

Some log files can be configured for ICAP client and server, some only for the

ICAP server and some only for the ICAP client.

Enable the log files you want to have written by marking the corresponding

checkboxes. Then click on Apply Changes to make your settings effective.

To customize a log file, click on the button in the same line, which is labeled

according to the log file name, e. g. Customize Audit Log.

This will take you to another log, where you can configure values for customizing

this log.

You can also configure your own customized log files, see the Custom Log

Files section below.

Custom Log Files

The Custom Log Files section looks like this:

Reporting

Using this section, you can configure custom log files, i. e. log files of your

own, which are written by customized actions.

To create a custom log file, enter a name for it in the New Name input field and

click Create. The custom log file will then be displayed as a new entry in a list

above the input field.

To configure a custom log file, use the following input field:

• New Name

Enter a name for the new log file in this input field. Then click on theCreate

button next to it.

An entry for the new log file is then inserted in the custom log file list, which is

displayed at the top of the section.

Next to each list entry, the following button is provided:

• Define Log Structure

Click on this button to continue configuring the custom log file in question.

This will take you to another tab, where you can specify the appropriate

values.

To display only a particular number of list entries at a time, type this number

in the input field labeled Number of entries per page and enter it using the

Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are

shown on successive pages. A page indicator is then displayed, where you

can select a particular page by clicking on the appropriate arrow symbols.

3–9

Reporting

Use the following items to perform other activities relating to the list:

• Filter

3.3.2

Auto-Rotation

3–10

Type a filter expression in the input field of the DLog File Name column

and enter it using the Enter key of your keyboard. The list will then display

only entries matching the filter.

• Delete Selected

Select the entry you wish to delete by marking the Select checkbox next

to it and click on this button. You can delete more than one entry in one go.

To delete all entries, mark the Select all checkbox and click on this button.

The Auto-Rotation tab looks like this:

There is one section on this tab:

• Auto-Rotation

It is described in the following.

Auto-Rotation

The Auto-Rotation section looks like this:

Reporting

Using this section, you can configure the automatic rotation of log files in order

to control log file growth.

The oldest log files are renamed, the current log is moved, and a new log file

is created.

3–11

Reporting

3–12

The frequency of rotation is configured separately for each log file.

Make sure the checkbox next to the section heading is marked if you want to

configure the options provided here.

After configuring these options, click on Apply Changes to make your settings

effective.

Use the following items to configure overall settings for log file rotation:

• Rotate daily at ...

In this input field, enter the time you want the rotation to be performed each

day.

Specify a local time value, using the 00:00 to 23:59 time format (24 hours

clock).

• Rotate Log Files now

Click on this button to rotate all log files immediately, regardless of the

configured time schedule.

Use the following items to configure settings for individual log file rotation:

• Rotate if size exceeds ... MB.

Enable this option and enter a size value (MB) in the input field provided

here to prevent the log file in question from becoming too large. The log

file will be rotated as soon as its size exceeds the configured value.

The minimum size that can be specified here is 1 MB. It can be increased

by single integer steps.

• Rotate daily

Enable this option to configure a daily rotation for the log file in question.

Rotation is performed at midnight in this case.

3.3.3

Auto-Deletion

The Auto-Deletion tab looks like this:

There is one section on this tab:

• Auto-Deletion

It is described in the following.

Reporting

3–13

Reporting

3–14

Auto-Deletion

The Auto-Deletion section looks like this:

Using this section, you can configure the automatic deletion of log files in order

to control log file growth. The frequency of deletion is configured separately

for each log file.

Make sure the checkbox next to the section heading is marked if you want to

configure the options provided here.

After configuring these options, click on Apply Changes to make your settings

effective.

Reporting

Use the following items to configure settings for individual log file deletion:

• Keep only ... old log files at a time.

Enable this option and enter the appropriate number in the input field provided

here.

The oldest log file will be deleted as soon as the number of log files in the

log directory exceeds the configured value.

If this option is enabled together with the option described below, old log

files will be deleted until the configured values are reached for both options.

• Keep only log files of the last ... days

Enable this option and enter the appropriate number in the input field provided

here.

Log files older than the date specified here will be deleted.

If this option is enabled together with the option described above, old log

files will be deleted until the configured values are reached for both options.

3–15

Reporting

3.3.4

Auto-Pushing

3–16

The Auto-Pushing tab looks like this:

If you want to configure any of the options provided on this tab, you need to

mark the following checkbox:

• Enable auto-pushing

The options are grouped in four sections:

• Common Push Target

• Separate Push Targets

• Push log files after rotation

• System Notification

They are described in the following.

Common Push Target

The Common Push Target section looks like this:

Reporting

Using this section, you can configure log file pushing as a security feature (for

backup), as well as for analyzing purposes.

Log files stored on the Webwasher server can be uploaded to another HTTP,

HTTPS or FTP server. This server is a common push target, i. e. all log files

are uploaded there.

If the upload server demands authentication, you can configure a username

and password to authenticate the file upload process.

After specifying the appropriate information, click on Apply Changes to make

your settings effective. Note that the Enable auto-pushing checkbox at the

top of this tab must also be checked for these settings to take effect.

Use the following items to configure settings for pushing log files to a common

target:

• Upload to ... every ... hours

In the first of the input fields provided here, enter the name of the upload

server. The input format is:

ftp | http | https)://server[:port][/path/]

In the second input field, enter a number to specify the hourly interval for

pushing log files to this server.

• Authentication

Specify login credentials in the following two input fields, in case the upload

server demands authentication:

— Username

User name to be submitted for authentication to the upload server

— Password

Password to be submitted for authentication to the upload server

3–17

Reporting

3–18

Separate Push Targets

The Separate Push Targets section looks like this:

Using this section, you can configure log file pushing as a security feature (for

backup), as well as for analyzing purposes.

Log files stored on the Webwasher server can be uploaded to another HTTP,

HTTPS or FTP server.

Reporting

Differing from the Common Push Target section described above, you can

configure an individual push target, i. e. upload server, for each log file here,

e. g. for the HTTP Access Log, the Security Log etc.

After specifying the appropriate information, click on Apply Changes to make

your settings effective.

Note that the Enable auto-pushing checkbox at the top of this tab must also

be checked for these settings to take effect.

Use the following items to configure settings for pushing log files individually

and to separate targets:

• Upload to ... every ... hours

In the first of the input fields provided here, enter the name of the upload

server. The input format is:

ftp | http | https)://server[:port][/path/]

In the second input field, enter a number to specify the hourly interval for

pushing log files to this server.

• Push Log Files Now

Click on this button to push all log files to their upload servers immediately,

regardless of the configured time schedule.

Push log files after rotation

The Push log files after rotation section looks like this:

It allows you to configure the pushing of log files after their rotation.

By default, every log file that an upload server was configured for is pushed

after being rotated, either manually or automatically. This does however not

apply to the errors log file. This log file is only pushed according to its upload

interval.

Use the following checkbox to configure log file pushing after rotation:

• Push log files after rotation

Check or uncheck this checkbox to have log files pushed after rotation or

not.

3–19

Reporting

3–20

System Notification

The System Notification section looks like this:

It allows you configure the sending of e-mail notifications if there was a failure

in pushing log files.

Use the following items to configure these notifications:

• Send notification upon log file pushing failure

Enable this option if you want e-mail notifications to be sent in case of a

log file pushing failure.

• Recipient

In this input field, enter the e-mail address of the recipient the notifications

should be sent to.

• Edit notification mail server

Click on this button to go to a tab where you can configure a mail server

for processing your notifications.

For a description of this window, see the Notification Settings Window

subsection of 5.5.3.

• Send Test Messages

After configuring the sending of e-mail notifications as described above,

click on this button to have test messages sent.

3.3.5

Content Reporter

The Content Reporter tab looks like this:

There is one section on this tab:

• Content Reporter

It is described in the following.

Content Reporter

The Content Reporter section looks like this:

Reporting

It provides some introductory information on the Webwasher Content Reporter

product.

3–21

Reporting

For more information on this product, see the Content Reporter Installation and

Configuration Guide and the Content Reporter User’s Guide for Reporting.

3.3.6

Configuring Log File Processing for SmartReporter

3–22

In order to have log files that were created by Webwasher processed within

SmartReporter, you need to perform a number of configuration activities.

SmartReporter is set up as a component during the installation of SmartFilter,

which is another one of the Web Gateway Security products provided by Secure

Computing.

The following sections describe this setup and the configuration activities that

need to be performed both on SmartReporter and on Webwasher.

Setting up SmartReporter

Setting up SmartReporter is a part of the SmartFilter installation procedure.

When going through this procedure, you can mostly use the default settings.

Note that a Windows 2000/2003 server (English language version) is required

for running SmartFilter with the SmartReporter component.

In order to set up SmartReporter, make sure that the following configuration

activities are performed during the installation procedure:

1. When installing components, make sure the following three are selected:

• SmartFilter Administration Server

• SmartFilter Administration Console

• SmartReporter

Reporting

2. Provide a user name and password for access to the SmartFilter Administration

Console:

3. Specify mail settings for receiving notifications with regard to all SmartFilter

components:

Setting up a Log Processing Account

In order to have SmartReporter process the log files that are sent by Webwasher,

a log processing account must be set up within SmartReporter.

To do this, proceed as follows:

1. Log in to SmartReporter, using the user name and password you configured

when installing the SmartFilter components.

3–23

Reporting

3–24

2. Go to Administrator Options > System Option.and select the Log

Processing tab.

3. In order to set up a new log processing account, click on the Add button

below the second list field, which is used to display the list of existing log

processing accounts.

This will make the Add Log Processing Account window appear.

4. In the Name field of this window, type Webwasher as account name and

select Webwasher – Default Format as log format.

Then provide a user name, e. g. admin, and password for access to the

account.

The SmartFilter administration servers will then accept log files that are

sent with this logon information.

Configuring the Webwasher Access Log

Reporting

Finally, you need to configure the access log file format within Webwasher in

order to make it correspond to the Default Format you selected as part of the

SmartFilter configuration.

To do this, proceed as follows:

1. In the Webwasher Web interface, go to Reporting > Log File Management

and select the Activate Log Files tab:

On this tab, click the Customize HTTP Access Log button to make the

HTTP Access Log Customizing tab appear.

2. In the Log File Structure field of this tab, enter the log file structure that

is needed in order to enable SmartReporter to process Webwasher log

files.

This structure is as follows:

src_ip - auth_user time_stamp "req_line" status_code

bytes_to_client "referer" "user_agent" block_res

"categories"

3–25

Reporting

3–26

After entering the log file structure in the tab field, click on Apply Changes

to make this setting effective:

3. Go back to Log File Management and select the Auto-Pushing tab.

Use this tab to configure the pushing of the Webwasher log files to

SmartReporter.

In the User Name and Password fields, which are provided under Authentication

on this tab, enter the user name and password you configured

in the Add Log Processing Account window of SmartReporter.

A push can be performed using the different protocols. To have it performed

via FTP, the following must be entered in the HTTP Access Log

field under Separate Push Targets:

ftp://username:password@:9021

Reporting

After specifying these settings, click on Apply Changes to make them

effective:

4. To have a push performed immediately, click on the Push Log Files Now

button, which is provided at the bottom of the tab:

Otherwise, you can have a push performed in certain time intervals. To

configure these intervals, enter the number of hours, e. g. 3, in the every

... hours field next to the HTTP Access Log field.

After a push has been performed for the Webwasher log files, the corresponding

data for URL categories and Web sites will be displayed by the

Quick View feature within SmartReporter.

Note, however, that after modifying the log file structure, a dummy access.log

file is also created, which contains no data yet.

3–27

Reporting

3.4

View Log Files

The View Log Files options are invoked by clicking on the corresponding

button under Reporting:

The options are arranged under the following tab:

They are described in the upcoming section:

3.4.1

View Log Files

3–28

• View Log Files, see 3.4.1

The View Log Files tab looks like this:

There is one section on this tab:

• View Log Files

It is described in the following.

View Log Files

The View Log Files section looks like this:

Reporting

It provides a list of the log files that are maintained under Webwasher. Using

the icons on the right side of the list, you can view a log file, save it or delete it.

On the left side of the list, there is the following column:

• Log File

This column lists the log files names.

3–29

Reporting

3–30

These may be preceded by different icons, showing whether there has

been a log file rotation for the log in question or not:

Unrotated – There has been no log file rotation for this log yet.

You can view and save the log file listed here, but not delete it.

Rotated – There has been a log file rotation for this log. You can

view and save the log file listed here, but not delete it.

Click on the icon to display the rotated log files.

Displaying Rotated Files – After clicking on the triangle pointing

to the right, this icon is displayed, while the rotated log files

of this log are shown below.

The rotated log files may be viewed, saved and deleted.

Click on the icon to hide the rotated log files.

Use the icons in the columns at the right side of the list as follows:

• View

• Save

• Delete Rotated

Clickonthisicontoviewalogfile.

Clickonthisicontosavealogfile.

Click on this icon to delete a rotated log file.

3.5

Live Report Management

Reporting

The Live Report Management options are invoked by clicking on the corresponding

button under Reporting:

The options are arranged under the following tabs:

They are described in the upcoming sections:

• Report Activation, see 3.5.1

• Load Reports, see 3.5.2

• Anonymization, see 3.5.3

3–31

Reporting

3.5.1

Report Activation

3–32

The Report Activation tab looks like this:

There are two sections on this tab:

• SummaryReportActivation

• Summary Report Actions

They are described in the following.

Summary Report Activation

The Summary Report Activation section looks like this:

Using this section, you can configure the writing of summary reports.

Reporting

3–33

Reporting

3–34

Different reports can be written according to the way Webwasher is configured:

• (1) as proxy for client communication, or (2) filtering Web requests and

uploads in REQMOD communication, or (3) filtering Web downloads and

e-mail messages in RESPMOD communication, or in a combination of (2)

and (3).

Enable the reports you want to have written by marking the corresponding

checkboxes. Then click on Apply Changes to make your settings effective.

The activities covered by the individual reports are as follows (*** indicate

reports that are only written to the ICAP client):

• Top Attributes by Bytes Transferred***

Shows the amount of bandwidth consumed by the categories/blocked categories

(depending on the configuration).

• TopAttributesbyNumberofRequests***

Shows the number of hits to the categories/blocked categories.

• Top Blocked Categories by Number of Requests

Shows the number of hits to already-blocked categories.

• Top Categories by Bytes Transferred

Shows the amount of bandwidth consumed from accesses to blocked and

unblocked categories.

• Top Categories by Number of Requests

Shows the number of hits to the top categories.

• Top Destinations by Bytes Transferred

Shows the amount of bandwidth consumed by accesses to the top hosts.

• Top Destinations by Number of Requests

Shows the number of hits to these hosts.

• Top E-Mail Attributes by Bytes Transferred

Shows the amount of bandwidth consumed by the categories/blocked categories

of the e-mail.

• Top E-Mail Attributes by Number of Sections***

Shows the number of sections of e-mail attributes.

• Top E-Mail Policies by Bytes Transferred***

Reporting

Shows the amount of bandwidth consumed by the top e-mail policies.

• Top E-Mail Policies by Number of Messages***

Shows the number of messages sent to/from the top e-mail policies.

• Top Media Types by Bytes Transferred

Shows the amount of bandwidth consumed by accesses to the different

media types (not including their extension).

• Top Media Types by Number of Requests

Shows the number of hits on these media types.

• Top Policies by Bytes Transferred

Shows the amount of bandwidth consumed by access to blocked and unblocked

e-mail categories.

• Top Policies by Number of Requests

Shows the number of hits based on policy.

• Top Recipients by Bytes Transferred

Shows the amount of bandwidth consumed by the top recipients of e-mail

messages and/or spam.

• Top Recipients by Number of Messages***

Shows the number of messages sent to the top recipients.

• Top Sender IPs by Bytes Transferred***

Shows the amount of bandwidth consumed by the top sender IP addresses

for e-mail messages and/or spam.

• Top Sender IPs by Number of Messages***

Shows the number of messages sent by the top sender IP addresses.

• Top Senders by Bytes Transferred***

Shows the amount of bandwidth consumed by the top senders of e-mail

messages and/or spam.

• Top Senders by Number of Messages***

Shows the number of messages sent by the top senders.

3–35

Reporting

3–36

• Top Source IPs by Bytes Transferred

Shows the amount of bandwidth consumed by the top sender source IP

addresses for e-mail messages and/or spam.

• Top Source IPs by Number of Requests

Shows the number of messages sent by the top source IP addresses.

• Top Spam Recipients***

Shows the top recipients of spam.

• Top Spam Sender IPs***

Shows the top spam sender IP addresses.

• Top Spam Senders***

Shows the top spam senders.

• Top Top-Level Domains by Bytes Transferred

Shows the amount of bandwidth consumed by accesses to the top-level

domains, e.g. .de, .com, .net, .ca.

• Top Top-Level Domains by Number of Requests

Shows the number of hits made to these domains.

• Top Users by Bytes Transferred

Shows the amount of bandwidth consumed by users accessing the Internet..

• Top Users by Number of Requests

Shows the number of hits based on users.

Summary Report Actions

The Summary Report Actions section looks like this:

Using this section, you can export and reset summary reports.

The following items are provided for performing these activities:

• Export global summary reports

Reporting

Enable this option to export all global summary reports to an Excel-readable

format (CSV).

This can be useful for further processing, such as representation in a piechart

format, or for being able to view all the (up to 500) report items, rather

than the top ten shown in the Web interface.

If you would like to change the single-character delimiter (e.g. to a tab,

or comma) between cells in Excel, this must be done manually in the

global.ini/conf file. In the [LogFiles] section, there is an entry called

ExcelSeparateChar=where you can change the character as desired.

• Export summary reports for all available policies

Enable this option to export the global summary reports as well as all current

policy reports.

• Cells are separated by

In this input field, enter the delimiter you want to use between cells in Excel.

This must be a single character, e. g. a comma.

• Export

Click on this button, to export reports according to the options configured

above.

3–37

Reporting

• Reset global summary reports

Enable this option to reset all global summary reports. This will not reset

the report refresh rate.

• Reset summary reports for all policies

Enable this option to reset the global summary reports as well as all current

policy reports.

• Reset

3.5.2

Load Reports

3–38

Click on this button, to reset reports according to the options configured

above.

The Load Reports tab looks like this:

There is one section on this tab:

• Enable Load Reports

It is described in the following.

Enable Load Reports

The Enable Load Reports section looks like this:

Using this section, you can configure the Webwasher load reports.

Reporting

These reports show the load on the various connections established for Webwasher,

e. g. the connection between HTTPS clients and proxy, proxy and

server, etc.

To view the reports, go to the Webwasher Load section on the View Load

tab under View Live Reports for overall reporting, see 3.6.2.

To enable load reports for a particular connection type, use the connection type

list, which is labeled:

• Count load for connections between

Mark the checkbox next to the connection type you want to enable load

reports for, e. g. HTTP clients – HTTP proxy. You can enable load

reports for more than one connection type.

Then click on Apply Changes to make your settings effective.

3–39

Reporting

3.5.3

Anonymization

3–40

The Anonymization tab looks like this:

There is one section on this tab:

• Anonymization

It is described in the following.

Anonymization

The Anonymization section looks like this:

It allows you to anonymize the names of user names in top ten live reports.

You can decrypt anonymized strings using the Deanonymization section

on the tab with the same name, see 3.8.1. To go to this tab, click on the

Deanonymization link provided above this section.

Use the following options to enable the anonymization of user names:

• Anonymize Web Reports

Reporting

Enable this option to anonymize user names in reports on Web communication.

• Anonymize Mail Reports

Enable this option to anonymize user names in reports on e-mail communication.

3.6

View Live Reports (Overall Reporting)

The View Live Reports options for overall reporting are invoked by clicking

on the corresponding button under Reporting:

The options are arranged under the following tabs:

They are described in the upcoming sections:

• View Live Reports, see 3.6.1

• View Load, see 3.6.2

• System Statistics, see 3.6.3

3–41

Reporting

3.6.1

View Live Reports

3–42

The View Live Reports tab looks like this:

There are three sections on this tab:

• Overall Statistics

• Overall Summary Reports

• Display Options

They are described in the following.

Overall Statistics

The Overall Statistics section looks like this:

It allows you to view detailed information on the overall filtering activities going

on in your corporate network, i. e. regardless of any particular policy.

Reporting

To view a particular kind of information, click on the corresponding icon (magnifying

glass with paper).

The following kind of information can be viewed:

• Filter Statistics

Shows the amount of data washed by the Advertising Filter, Privacy Filter,

Security Filter and the Media Type Filter.

• Category Overview

Provides an overview of the number of requests made, broken down by

category, as well as an overview of the number of external and the number

of blocked requests, regardless of whether they were blocked or not.

• ICAP Server Statistics

Shows the overall per client number of REQMOD, RESPMOD, OPTIONS

and PROFILE requests and ICAP responses.

• ICAP Clients Statistics

Shows the overall per server number of REQMOD, RESPMOD, OPTIONS

and PROFILE requests and the status of the server.Shows the overall per

client number of REQMOD, RESPMOD, OPTIONS and PROFILE requests

and ICAP responses.

• SMTP Statistics

Shows the overall number of sent and received e-mail messages as well

as the amount of data transferred (in KB), maximum and average mail size

(KB) and the maximum and average amount of time (in ms) the mail is in

the system.

Overall Summary Reports

The Overall Summary Reports section looks like this:

It allows you to view summary reports on the overall filtering activities performed

in your corporate network, i. e. regardless of any particular policy.

3–43

Reporting

3–44

The reports relate to the way Webwasher is configured, i. e. as proxy for client

communication, or filtering Web requests and uploads in REQMOD communication

or Web downloads and e-mail messages in RESPMOD communication,

or in a combination of both.

Display Options

The Display Options section looks like this:

It allows you to configure the way reports are displayed.

Specify information regarding this display in the input fields described below.

Then click on Apply Changes to make your settings effective.

The following parameters can be configured:

• Number of displayed items

Enter the appropriate number of items here. The default number is 10.

• Automatically refresh after ... seconds

Enter the appropriate number of seconds here. The default number is 0, i.

.e, no automatic refreshing.

3.6.2

View Load

The View Load tab looks like this:

There is one section on this tab:

• View Load

It is described in the following.

Webwasher Load

The Webwasher Load section looks like this:

Reporting

It provides detailed information about the load at the various Webwasher

connections, such as the connection between HTTP clients and HTTP proxy,

HTTP proxy and HTTP server, and so on.

3–45

Reporting

You can view the current load or the load history. To do this, use the following

links, which are provided next to every type of connection:

• View Current

Click on this link to view the current load.

• View History

3.6.3

System Statistics

3–46

Click on this link to view the load history.

The System Statistics tab looks like this:

There is one section on this tab:

• System Statistics

It is described in the following.

System Statistics

The System Statistics section looks like this:

Reporting

It provides information on several system statistical issues, such as e. g. the

system name, the number of processors, the number of processes currently

running, etc.

3.7

4-Eyes-Principle

The 4-Eyes-Principle option is invoked by clicking on the corresponding button

under Reporting:

The option is provided under the following tab:

It is described in the upcoming section:

• 4-Eyes-Principle, see 3.7.1

3–47

Reporting

3.7.1

4-Eyes-Principle

3–48

The 4-Eyes-Principle tab looks like this:

On this tab, you can configure the use of two passwords for Webwasher settings

that are especially privacy-protected.

In order to protect privacy, some Webwasher functions can only be executed

if two passwords are known.

To make use of these kinds of functions that show information about

anonymized users or determine how user-related data will be collected for

reporting, you need to enter two passwords.

Use the following item to configure this special security feature:

• Protect privacy-protected settings by two passwords

Mark the checkbox provided here and click on Apply Changes to make

this setting effective.

3.8

Deanonymization

Reporting

The Deanonymization options are invoked by clicking on the corresponding

button under Reporting:

The options are arranged under the following tab:

They are described in the upcoming section:

• Deanonymization, see 3.8.1

3.8.1

Deanonymization

The Deanonymization tab looks like this:

There is one section on this tab:

• Deanonymization

It is described in the following.

3–49

Reporting

3–50

Deanonymization

The Deanonymization section looks like this:

Using this section, you can resolve anonymous strings found in log files or

reports.

Anonymous strings are strings of characters that do not yet have a variable

name assigned to them.

Use the following items to resolve an anonymous string:

• Anonymous string

Enter the string you would like to have resolved in the input field provided

here and click on the Deanonymize button next to it.

• Personalized string

Depending on the input, this output field shows the real source IP, the real

user name, or the real source host.

Caching

Chapter 4

The features that are described in this chapter are accessible over the Caching

tab of the Web interface:

These features allow you to configure the caching of Web objects that are requested

by users of Webwasher, in order to enable a general reduction of the

time that elapses until users are actually able to access the objects.

Note that these features are only available with appliance versions of Webwasher.

The upcoming sections describe how to handle these features. The description

begins with an overview.

4–1

Caching

4.1

Overview

4.2

The following overview shows the sections that are in this chapter:

System Configuration Guide – Webwasher Web Gateway Security

Introduction

User Management

Reporting

Caching

Proxies

Configuration

Quick Snapshot

4–2

Overview –thissection

Quick Snapshot, see 4.2

Policy Settings HTTP Caching, see 4.3

Policy-Independent

Settings

Cache Settings, see 4.4

Flush Cache, see 4.5

The Quick Snapshot for the caching functions is invoked by clicking on the

corresponding button under Caching:

The following tab is then provided:

It is described in the upcoming section:

• Quick Snapshot, see 4.2.1

Before this is done, however, the following subsection provides some general

information on this quick snapshot feature.

Handling the Quick Snapshot

Caching

The quick snapshot feature on this tab allows you to view summary information

about the parameters of the Webwasher cache at a glance. The information

is displayed with regard to a given time interval.

Percentages are calculated for the various categories of cache parameters.

The percentages are shown by means of a pie chart on the left side of the tab

section.

By hovering over the sections of the pie chart with the mouse cursor, you can

display the individual percentages.

On the right side of the section, parameter values are shown as they developed

in time, using either a stacked or a line mode.

The pie chart and the representation in stacked or line mode are handled in

the same way as on the Webwasher dashboard.

You can:

• Select and deselect categories for display by marking and clearing the corresponding

checkboxes:

• Select a time interval for display, using the Show last drop-down list:

• Select stacked or line mode for display by checking the corresponding radio

button:

4–3

Caching

4.2.1

Quick Snapshot

4–4

The Quick Snapshot tab looks like this:

There are four sections on this tab:

• Cache Efficiency

• Cache Bytes

• Cache Objects

• Cache Usage

They are described in the following.

Cache Efficiency

Caching

The Cache Efficiency section displays the number of times requested objects

were found within the Webwasher cache (“Hits”) and the number of times requested

objects were not found there (“Misses”) within a given time interval.

Cache Bytes

The Cache Bytes section displays the amount of bytes for requested objects

that were found within the Webwasher cache (“Bytes Hits”) and for the requested

objects that were not found there (“Bytes Misses”) within a given time

interval.

Cache Objects

The Cache Objects section displays the number of objects that are stored

in the Webwasher cache (“Cachable Objects”) and the number of objects that

were requested by users, but not stored there (“Non-Cachable Objects”) within

a given time interval.

Cache Usage

The Cache Usage section displays the percentage of cache utilization within

a given time interval.

4.3

HTTP Caching

The HTTP Caching options are invoked by clicking on the corresponding button

under Caching:

If you want to enable any of these options, make sure the checkbox on this

button is also marked. The checkbox is marked by default.

After modifying the setting of this checkbox, click on Apply Changes to make

the modification effective.

These are policy-dependent options, i. e. they are configured for a particular

policy. When you are configuring these options, you need to specify this policy.

4–5

Caching

To do this, select a policy from the drop-down list labeled Policy, which is located

above the HTTP Caching button:

Note that you can also configure HTTP caching for every individual proxy port

that is opened by Webwasher when it is running as an HTTP proxy.

For more information on this option, see the subsection on Port Settings in

5.2.1.

The HTTP caching options are arranged under the following tabs:

They are described in the upcoming sections:

4.3.1

HTTP Caching

4–6

• HTTP Caching, see 4.3.1

• Cachable Objects List, see 4.3.2

The HTTP Caching tab looks like this:

There is one section on this tab:

• Policy Dependent Settings

It is described in the following.

Policy Dependent Settings

The Policy Dependent Settings section looks like this:

Caching

Using this section, you can configure actions that should be executed upon

hits and misses of requested objects that are stored in the Webwasher cache.

The actions are configured for requests to Web objects.

After specifying the appropriate settings, click on Apply Changes to make

them effective.

Use the following items for configuring actions:

• Action on Cache Hit

From the drop-down list provided here, select an action that should be

executed when a requested Web object was found in the cache.

The following actions are available:

— Add X-Cache Header

An X-Cache header is added to the request.

— Allow

The request is allowed. This action is configured by default.

— Block

The request is blocked.

• Action on Cache Miss

From the drop-down list provided here, select an action that should be

executed when a requested Web object was not found in the cache.

For the actions that are available here, see the list under Action on Cache

Hit.

4–7

Caching

4.3.2

Cachable Objects List

4–8

The Cachable Objects List tab looks like this:

There is one section on the tab:

• Cachable Objects

It is described in the following.

Cachable Objects

The Cachable Objects section looks like this:

Caching

Using this section, you can specify the Web objects that should be stored in

the Webwasher cache.

To do this, use the area labeled:

• Add new entry

Specify an object or object type using the following items:

— From the drop-down box in the upper line of the area, select String

or International Domain Name. In the input field next to it, enter a

string to specify the object.

You may also use shell expressions to specify an object type.

Select International Domain Name here if you want to enter non-

ASCII characters and the string should be used for the domain part of

an URL

In some countries like Germany, Sweden or Japan, domain names with

non-ASCII characters are allowed.

The IDNA (International Domain Names in Applications) standard describes

how a Web browser should convert such a domain name into

pure ASCII notation used, e. g. by DNS.

Webwasher uses the pure ASCII notation as well, therefore all IDN

strings must be converted.

4–9

Caching

4–10

This is done automatically when you select International Domain

Name and enter a string with non-ASCII characters.

Note that you can not use shell expressions with IDN strings.

— From the first drop-down box in the lower line of the area, select an

option to specify the object type that the string entered above should

correspond to.

Select None if you do not want to specify an object type.

Select Web to specify the URL type for an object. Then select one of

the following options from the drop-down box next to the first box:

Any URL

Any type of URL will do for the object that should be stored.

HTTP Request URL

The URL of the object that should be stored must be the one that

is used in the HTTP request made for it.

HTTP Response URL

The URL of the object that should be stored must be the one that

is used in the HTTP response sent upon the request made for it.

— Description

In this input field you may enter a description of the object or object

type that should be stored.

Input in this field is optional.

Then use the following item to complete the configuration procedure:

— Add to Cachable Objects List

After specifying the information for the object, click on this button to

add it to the list. This addition will be valid only under the policy you are

currently configuring.

To add an object to the list for all policies, mark the checkbox labeled

Add to all policies before clicking on the button.

If an object that was configured under another policy is already on the

list, the setting of the Add to all policies checkbox will have no effect.

The configuration activities you are completing here will specify an object

or object type that should be stored on the Cachable Objects List.

Note that you can also specify which objects should not be included in this

list. This is done using the White List.

To go there, click on the Whitelist link provided here.

The Cachable Objects List is displayed at the bottom of this section.

Caching

To display only a particular number of list entries at a time, type this number

in the input field labeled Number of entries per page and enter it using

the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are

shown on successive pages. A page indicator is then displayed, where you

can select a particular page by clicking on the appropriate arrow symbols.

To edit an entry, type the appropriate text in the corresponding input field.

Then click on Apply Changes to make these settings effective. You can

edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

— Filter

Type a filtering term in this input field and enter it using the Enter key

of your keyboard. The list will then display only entries matching the

filter.

— Delete Selected

Select the entry you wish to delete by marking the Select checkbox

next to it and click on this button. You can delete more than one entry

in one go.

To delete all entries, mark the Select all checkbox and click on this

button.

— Move Up, Move Down

SelecttheentryyouwishtomovebymarkingtheSelect checkbox

next to it and click on either of these buttons, depending on where you

want to move the entry.

The position an entry takes in the list is important since whenever a

URL is matched by more than one entry, the entry that is first in the list

wins, which means the rule in question is executed while other rules in

the list are ignored.

4–11

Caching

4.4

Cache Settings

The Cache Settings options are invoked by clicking on the corresponding

button under Caching:

The options are arranged under the following tab:

They are described in the upcoming section:

4.4.1

Cache Settings

4–12

• Cache Settings, see 4.4.1

• Cache Rules, see 4.4.2

The Cache Settings tab looks like this:

There are two sections on this tab:

• Caching

• Complete Fetch Rules

They are described in the following.

Caching

The Caching section looks like this:

Caching

Using this section, you can configure a maximum size that should not be exceeded

by objects that are stored in the Webwasher cache.

After specifying the appropriate setting, click on Apply Changes to make it

effective.

Use the following item to configure the size limit:

• Do not cache objects larger than

In the input field provided here, enter the size (in KB) that should not be

exceeded by a cached object.

Using the drop-down list next to the field, you can select the unit: Byte,

KB, MB, orGB. The default size is 5242 KB.

Complete Fetch Rules

The Complete Fetch Rules section looks like this:

Using this section, you can configure Webwasher to complete the download of

a requested object after the corresponding client connection has been closed.

If you want to use this feature, make sure the checkbox next to the section

heading is marked. The checkbox is marked by default.

4–13

Caching

4.4.2

Cache Rules

4–14

After modifying this setting or the settings for determining the conditions under

which the download should be completed, click on Apply Changes to make

the modification effective.

Use the following items to configure the size limit:

• Webwasher should complete a download even after the client has

cancelled the connection if at least ... % are completed and the

download is bigger than ... KB

In the two input fields provided here enter the percentage of completion and

a minimum size that should be reached to let Webwasher fully complete

the download of an object.

Using, the drop-down list next to the byte input field, you can select the

unit: Byte, KB, MB, or GB.

The default percentage is 85% and the default minimum size is 1024 KB.

The Cache Rules tab looks like this:

There is one section on this tab:

• Cache Revalidation Rules

It is described in the following.

Cache Revalidation Rules

The Cache Revalidation Rules section looks like this:

Caching

Using this section, you can configure rules to determine the way Web objects

are cached and delivered by Webwasher.

To do this, use the area labeled:

• Add new rule

Specify a rule using the following items:

— URL matches

In this input field enter a string to specify a URL that should be stored in

the cache. You may also use shell expressions to specify a URL type.

— Always validate cache content

If you want a URL to be validated each time it is requested by a user,

make sure this radio button is checked. The radio button is checked by

default.

— Validate content (at least) every ...

To configure the validation of a requested URL after a given time interval

has elapsed, check this radio button.

Note that Webwasher will perform a validation whenever either the interval

configured here has elapsed or the expiration date of the URL,

which is determined on the basis of data received from the corresponding

Web server, depending on which of the two events happens earlier.

4–15

Caching

4–16

If neither of the two intervals has elapsed when a URL is requested, no

validation will take place.

To configure the validation interval, select a time unit (seconds, minutes,

hours, days) from the drop-down list provided here and enter the

corresponding number in the input field.

— Override Response Header

If you want Webwasher to ignore the expiration date of a URL, mark

this checkbox. This date is determined on the basis of data received

with the response header from the corresponding Web server.

A validation will then only be performed if the URL is requested and the

interval configured under Validate content (at least) every . . .

has elapsed.

— Description

In this input field you may enter a description of the rule you are

presently configuring.

Input in this field is optional.

Then use the following item to complete the configuration procedure:

— Add to Cache Rule List

After specifying the information for a rule, click on this button to add it

to the list.

The Cachable Rule List is displayed at the bottom of this section.

To display only a particular number of list entries at a time, type this number

in the input field labeled Number of entries per page and enter it using

the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are

shown on successive pages. A page indicator is then displayed, where you

can select a particular page by clicking on the appropriate arrow symbols.

Within the list, you can disable or enable a rule by marking the Enabled

checkbox of the corresponding entry.

After modifying this setting, click on Apply Changes to make it effective.

You can disable or enable more than one entry and make the changes

effective in one go.

To edit an entry, type the appropriate text in the corresponding URL

and Description input fields, specify the validation period using the

corresponding input field and drop-down list under Period, and mark or

clear the Override checkbox.

4.5

Flush Cache

Caching

Then click on Apply Changes to make these settings effective. You can

edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

— Delete Selected

Select the entry you wish to delete by marking the Select checkbox

next to it and click on this button. You can delete more than one entry

in one go.

To delete all entries, mark the Select all checkbox and click on this

button.

— Move Up, Move Down

SelecttheentryyouwishtomovebymarkingtheSelect checkbox

next to it and click on either of these buttons, depending on where you

want to move the entry.

The position an entry takes in the list is important since whenever a

URL is matched by more than one entry, the entry that is first in the list

wins, which means the rule in question is executed while other rules in

the list are ignored.

The Flush Cache options are invoked by clicking on the corresponding button

under Caching:

The options are arranged under the following tab:

They are described in the upcoming section:

• Flush Cache, see 4.5.1

4–17

Caching

4.5.1

Flush Cache

4–18

The Flush Cache tab looks like this:

There is one section on this tab:

• Flush Cache

It is described in the following.

Flush Cache

The Flush Cache section looks like this:

Caching

Using this section, you can configure the settings for the flushing of the Webwasher

cache and perform a flush.

Use the items provided under the following heading to configure the cache

flush settings:

• Clear HTTP Cache of

The settings that you can configure here are as follows:

— URLs matching

Check this radio button to restrict the cache flush to particular URLs. In

the input field provided here enter one or more URLs.

You may also use the following shell expressions to specify a URL type:

* and ?.

— cached files bigger than

Check this radio button to restrict the cache flush to objects exceeding

a given size limit. In the input field provided here enter this size (in KB).

The default size is 1024 KB.

— cached files older than

Check this radio button to restrict the cache flush to objects older than

a given period of time. In the input field provided here enter the number

of hours to specify this time. The default time is 24 hours.

— cached files of mediatype

Check this radio button to restrict the cache flush to particular media

type. From the drop-down list here select the media type, e. g. application/1bk.

— everything

If you want to flush the cache completely, make sure this radio button

is checked. The radio button is checked by default..

After specifying the appropriate settings, use the following item to complete

the flushing procedure:

• Flush

Click on this button to perform the flush.

4–19

Proxies

Chapter 5

The functions described in this chapter are accessible over the Proxies

tab of the Web interface:

They allow you to set up Webwasher for running as a proxy server or an e-mail

gateway, for communicating with the ICAP server, and for using the IFP or

WCCP protocol.

Note that two more functional groups are available here when the license that

Webwasher is running with does not include the Anti-Spam product:

• Queue Handling

• Message Handling

These are usually available under the Anti Spam tab, which is then not visible.

If they are available under the Proxies tab, corresponding buttons are added

to the navigation panel on the left side of the interface area.

They are grouped there with the E-Mail-Gateway buttons.

For a description of these functions, see sections 4. 11 and 4.12 of the User’s

Guide Webwasher Anti-Spam.

The upcoming sections describe how to handle the functions of the Proxies

tab. The description begins with an overview.

5–1

Proxies

5.1

Overview

5–2

The following overview shows the sections of this chapter:

System Configuration Guide – Webwasher Web Gateway Security

Introduction

User Management

Reporting

Caching

Proxies Overview –thissection

Configuration

Web Proxies HTTP Proxy, see 5.2

HTTPS Proxy, see 5.3

FTP Proxy, see 5.4

E-Mail Gateway E-Mail Gateway, see 5.5

Delivery Options, see 5.6

Queue Configuration, see 5.7

Relay Protection, see 5.8

Exception Lists, see 5.9

Load Limits, see 5.10

POP3 Access, see 5.11

Queue Handling

These functions are available here when the

Anti-Spam product is not included in your

license, see the beginning of this chapter.

Message Handling

The information provided under Queue

Handling applies here as well.

ICAP Server ICAP(S) Server, see 5.12

Other Protocols IFP, see 5.15

Progress Indication Methods, see 5.13

Own Host Name, see 5.14

WCCP, see 5.16

Note that the options described in this section

are only available in an appliance version of

Webwasher

5.2

HTTP Proxy

Proxies

The HTTP Proxy options are invoked by clicking on the corresponding button

under Proxies:

If you want to enable any of these options, make sure the checkbox on this

button is also marked. The checkbox is marked by default.

After modifying the setting of this checkbox, click on Apply Changes to make

the modification effective.

The options are arranged under the following tabs:

They are described in the upcoming sections:

• Settings, see 5.2.1

• Next Hop Proxies, see 5.2.2

• Authentication, see 5.2.3

• ICAP Services, see 5.2.4

• Transparent Setup, see 5.2.5

Note that this tab is only available for appliance versions of Webwasher.

5–3

Proxies

5.2.1

Settings

5–4

The Settings tab looks like this:

There are four sections on this tab:

• Port Settings

• Proxy Options

• Timeout Prevention

• IP Forwarding

They are described in the following.

Port Settings

The Port Settings section looks like this:

Proxies

This section displays a list of the ports that are opened by Webwasher as listener

ports for the ICAP client when Webwasher is configured as an HTTP

proxy.

Note that this section is also used for configuring Webwasher as HTTPS proxy.

You can add entries to the list and edit or delete them.

The default port has the port number 9090. This port is entered by default in

the list and cannot be deleted. You may, however, change the port number.

Use the following button to add a port to the list:

• Add Proxy Port

Click on this button to open a window where you can specify information

on a new listener port and enter it in the list.

For a description of this window, see the Port Settings subsection below.

The following information is provided in the list for each listener port:

• Address

IP address and port number of the listener port.

The specification of the IP address is optional and may therefore not be

displayed here.

• Allow access from

IP addresses of the sites that should have access to the listener port.

An * in this field means that every site is allowed access.

5–5

Proxies

5–6

• Policy

Policy that will be applied during communication with the ICAP client over

the listener port.

This is not part of the authentication process for a client, but of the policy

mapping that maps this client to a particular policy.

If no policy is selected here, there will be no particular policy for communication

with a client over this listener port. Instead, the policy that was

configured for the ICAP server will be used.

• Transparent Proxy

Information whether Webwasher is configured as a transparent proxy during

communication with the ICAP client over the listener port.

• HTTP Caching

Information whether the caching feature is enabled. This feature is enabled

by default.

Note that the feature is only available with appliance versions of Webwasher.

Otherwise, this checkbox is not displayed here.

To edit an entry, type the appropriate text in the input fields of the Address and

Allow access from columns, select a policy from the Policy drop-down list in

the same line and mark or clear the corresponding Transparent Proxy and

HTTP Caching checkboxes as required.

Then click on Apply Changes to make these settings effective. You can edit

more than one entry and make the changes effective in one go.

Use the following item to delete entries that are in the list:

• Delete Selected

Select the entry you wish to delete by marking the Select checkbox next to

it and click on this button. You can delete more than one entry in one go.

To delete all entries, with the exception of the default listener port, mark the

Select all checkbox and click on this button.

Port Settings

Proxies

The Port Settings window opens after clicking on the Add Proxy Port button.

It looks like this:

Using this window you can add a port to the list of listener ports that are opened

by Webwasher for communication with the ICAP client when Webwasher is

configured as HTTP or HTTPS proxy.

Use the following items of this window to configure the port settings and add

the port the list:

• Port

In this input field, specify the IP address and the port number of the port.

The input format is:

[IP]: port

Note that for security reasons, Webwasher runs under plain user rights (as

opposed to root rights). Hence you can’t choose a privileged port (below

1024) at runtime.

If you choose a privileged port, you have to restart Webwasher to make it

available.

• Allow access from

In this input field, specify the IP addresses of the sites that should have

access to the listener port. The input format is:

(IP|IP/NetMask|IPrange)[,(IP|IP/NetMask | IP range)]*.

Entering an * in this field means to allow every site access.

5–7

Proxies

5–8

• Use Policy

From the drop-down list provided here, select a policy that will be applied

during communication with the ICAP client over the listener port..

• Serve non-proxy requests (transparent proxy)

Mark this checkbox to configure Webwasher as transparent proxy during

communication with the ICAP client over the listener port.

• Use Port for HTTP Caching

If you want to use the port you are configuring here for HTTP caching, make

sure this checkbox is marked. The checkbox is marked by default.

Note that this item is only displayed with appliance versions of Webwasher.

• Add

After specifying the appropriate information about a listener port, click on

this button to add it to the list.

If the addition was successful, a corresponding message is displayed in

this window. You can then go on to add another port to the list.

• Close

Click on this button to close the window and return to the Settings tab.

Proxy Options

The Proxy Options sectionlookslikethis:

Proxies

Using this section, you can specify a number of settings for the ICAP client

communicating with Webwasher when it is configured as HTTP proxy.

Note that this section is also used for configuring Webwasher as HTTPS proxy.

So, whenever HTTP is mentioned in the following, the statement in question

is valid also with regard to an HTTPS configuration.

After specifying the appropriate settings, click on Apply Changes to make

them effective.

Use the following items to configure these proxy options:

• ... retries on server overload when connected directly

Select a number from the drop-down list provided here to configure how

many times a retry will be performed over a direct connection when the

server is overloaded.

• Add ’Via’ header to HTTP header

Select this option to let Webwasher add a Via header to the REQUEST

and RESPONSE headers.

The Via header is used to track message forwards, avoid request loops,

and identify the protocol capabilities (HTTP 1.0 or 1.1) of all senders along

the request/response chain.

• Treat FTP over HTTP as native FTP

If this option is enabled, while Webwasher is being used as a proxy server,

no user data will be transmitted, unless username and password are already

provided by the URL

There are two kinds of FTP requests: those coming from a native FTP client

using the real FTP, and those coming via HTTP but for URLs beginning with

ftp://.

For the latter, the last HTTP proxy in the chain has to convert the HTTP

commands into native FTP in order to connect to the FTP server. Webwasher

can establish direct connections, as well as make use of parent

HTTP and FTP proxies.

Native FTP requests will always use the configured next hop FTP proxy (if

any) or direct FTP connections.

FTP request over HTTP usually check for the HTTP proxy settings and use

the next hop HTTP proxy (if any) or direct FTP connections.

5–9

Proxies

5–10

Enabling the present option will change this behavior and let an FTP request

that came in via HTTP use the next hop FTP proxy settings, while

the next hop HTTP proxy settings are ignored.

This means that these requests will use the configured next hop FTP proxy

(if any) or direct FTP connections.

• Persistent connection timeout

In the input field provided here, enter the time interval (in seconds) for a

persistent connection timeout.

If this interval elapses without any communication activities having occurred

on the connection between Webwasher and the client, the connection

is closed down.

• Dead client timeout

In the input field provided here, enter the time interval (in seconds) for a

persistent connection timeout.

If this interval elapses without any communication activities having occurred

on the connection from the side of the client, the connection is closed

down.

• Maximum header length

In the input field provided here, enter the maximum length (in bytes) for the

header of a request sent by the client to Webwasher.

If this length is exceeded, the request is denied by Webwasher.

• Ports allowed for CONNECT requests

In the input field provided here, enter the port or ports you want to allow for

CONNECT requests. Separate multiple entries by commas.

To allow all ports for CONNECT requests, enter an *.

Note that CONNECT is the only method used to connect to the HTTP port

of 443.

Port 443 is the port that an SSL server usually listens on. There are, however,

SSL servers that will not listen on this port.

In this case, you also need to modify the global.conf (global.ini) configuration

file in order to enable communication. Enter the following line in the

file:

PortsTreatedAsSSL=’443, ’

Then restart Webwasher to make the modification effective.

Timeout Prevention

The Timeout Prevention section looks like this:

Proxies

Using this section, you can configure methods for preventing timeouts on client

connections.

Webwasher tries to forward data as soon as it becomes available, but there are

situations in which this philosophy does not hold: an antivirus scanner needs

to see the complete file for many file types before it can scan for viruses.

This means that the HTTP proxy server cannot forward any data to the browser

until the complete file is received on the gateway and the scan process is complete.

Depending on the length of the file and the network connection, it can take a

long time, while a browser connection could even time out (other third-party

ICAP servers attached to the HTTP proxy RESPMOD pipe could also show

the behavior of not returning any data before the complete file is received).

For situations such as these, Webwasher provides methods for preventing

timeouts, by sending either an empty line or an HTTP header line every n

seconds. This feature should be used depending on your network configuration

and your filter settings.

The Timeout Prevention feature is not enabled by default. To enable it mark

the checkbox next to the section heading. After configuring its settings, click

on Apply Changes to make them effective.

Use the following items to configure timeout prevention:

• Webwasher should send every . . . seconds

Enter the number of seconds here to determine the frequency of applying

the methods configured below.

• an empty line

This method sends empty lines before the HTTP response.

5–11

Proxies

5–12

It works with many Internet browsers, but could fail with intermediate proxy

servers (between Webwasher and the client) because it does not strictly

follow the HTTP standard protocol.

• an HTTP header line

This method is fully backed by the HTTP standard. According to this, the

first line of the reply header (the status line) is sent at the beginning, and

then some additional header lines are sent to keep the connection alive.

There is, however, no guarantee that all intermediate proxies accept a

header that is split into many TCP frames.

A second disadvantage is that Webwasher already replied with a special

status code and is not able to change this again, e. g. after a virus was

detected.

In this case, the user would see an error message, but it would be transferredwitha200

OK reply code, which is not ideal.

IP Forwarding

The IP Forwarding sectionlookslikethis:

Using this section, you can configure the forwarding of a client IP address.

Another proxy in the chain may need information about this address. So, you

can tell Webwasher to include the client IP address as an HTTP header field.

This will determine where the client IP address is forwarded, e. g. to the next

hop proxy, Web server, etc.

The IP Forwarding option is not enabled by default. To enable it, mark the

checkbox next to the section heading. After specifying a header field name,

click on Apply Changes to make this setting effective.

Use the following input field to configure IP forwarding:

• as . . . header

Enter the header field name here that will determine where a Client IP address

is forwarded.

By default, this field name is X-Forwarded-For.

5.2.2

Next Hop Proxies

The Next Hop Proxies tab looks like this:

There is one section on this tab:

• Use Next Hop Proxies

It is described in the following.

Proxies

5–13

Proxies

5–14

Use Next Hop Proxies

The Use Next Hop Proxies section looks like this:

Using this section, you can configure next hop proxies for HTTP connections.

You can specify the URLs that next hop proxies should be used for, as well as

the mode of this usage and the next hop proxies to be used.

The Use Next Hop Proxies feature is not enabled by default. To enable it,

mark the checkbox next to the section heading. Then click on Apply Changes

to make this setting effective.

Furthermore, use the following items to configure next hop proxies:

• Do not use Next Hops for local addresses

Enable this option to prevent the use of next hop proxies for local addresses.

Then click on Apply Changes to make this setting effective.

Local addresses have no dots (.) within their specifications.

So, after enabling this option, you can fine-tune Webwasher in an intranet

and enter the name of a local server in the browser, e. g. server_name,

instead of typing a URL, e. g. http://server_name.fooo.com.

Webwasher will then contact this local server directly without using the configured

proxy.

Using this option speeds up internal connections and reduces load on the

proxy server.

• if URL matches

Proxies

This input field is the first of severals items provided for specifying information

on the next hop proxies you want to configure.

Enter a matching term here. If an URL matches this term, it will use the

next hop proxies specified further below in the usage mode that is also

specified further below.

• use mode

From this drop-down list, select the mode to be used for the URLs and next

hop proxies specified here. The following modes are available:

— None

This mode uses no next hop proxies. Direct connections will be used

instead.

— specific

In this mode, one specific next hop is set for the URLs configured

above.

— failover

In this mode, the first next hop given in the participants list is tried first.

If it fails, it will be retried until the configured retry maximum for it has

been reached.

Then the second next hop proxy in the participants list is tried, etc.

— round robin

In this mode, the next hop proxy is used that is next in the participants

list to the one that was used last.

This means also that the participants is used in a circular manner: If

the end of the list has been reached, selection of next hop proxies will

restart from the beginning.

• participating next hops

In this input field, enter the next hop proxies that should be used for the

URLs specified here.

To do this, type a proxy name or select one from the drop-down list to the

right of this input field. You can add more than one proxy by repeating this

operation.

The drop-down lists shows select one to add as its topmost entry. If no

next hop proxies have been configured yet, the topmost entry reads no

Next Hops defined.

5–15

Proxies

5–16

To configure next hop proxies, click on the Define Next Hop Proxies

button, which is located further to the right.

This will open a window, where you can specify the information required to

configure a next hop proxy.

For the description of this window, see the Available Proxies subsection

further below.

• Add Entry to List

After specifying the appropriate information about a next hop proxy, click

on this button to add it to the list.

The list of next hop proxies is displayed at the bottom of this section. For each

entry, it provides the information that is specified when a new entry is added.

You can edit list entries, move them up and down in the list, or delete them.

To display only a particular number of entries at a time, type this number in the

input field labeled Number of entries per page and enter it using the Enter

key on your keyboard.

If the number of entries is higher than this number, the remaining entries are

shown on successive pages. A page indicator is then displayed, where you

can select a particular page by clicking on the appropriate arrow symbols.

To edit an entry, type the appropriate text in the input fields of the URL, use

mode and participating next hops columns. Then click on Apply Changes

to make this setting effective. You can edit more than one entry and make the

changes effective in one go.

The list also contains an entry with * as value for the URL parameter. It is

always in last position within the list and cannot be deleted. By editing this

entry, you can configure a next hop proxy setting for all URLs that are not

represented by a particular entry in the list.

Since the * entry is last in the list, it becomes effective only after all other list

entries were read by Webwasher and used for establishing next hop proxy

connections.

By default none is specified as mode for the * entry, which means that there

will be no next hop proxy connections for URLs that are not otherwise included

in the list.

Use the following items to perform other activities relating to the list:

• Filter

Type a filter expression in the input field above the URL, use mode or

participating next hops or in a combination of them and enter this using

the Enter key of your keyboard.

The list will then display only entries matching the filter.

• Delete Selected

Proxies

Select the entry you wish to delete by marking the Select checkbox next

to it and click on this button. You can delete more than one entry in one go.

To delete all entries, mark the Select all checkbox and click on this button.

• Move Up, Move Down

SelecttheentryyouwishtomovebymarkingtheSelect checkbox next

to it and click on either of these buttons, depending on where you want to

move the entry.

The position an entry takes in the list is important since whenever there is

more than one entry in the list containing information on a particular URL

or next hop proxy, the entry that is first in the list wins.

Available Proxies

The section in this window allows you to configure next hop proxies for all kinds

of connections. These will then be available for selection on the Use Next Hop

Proxies tab.

After specifying the appropriate settings for a next hop proxy, it is added to the

list of available next proxies by clicking on the Add button.

The list is displayed at the bottom of the section. You can modify the settings

for each proxy that is shown in the list.

Use the following items for configuring available next hop proxies:

• Name

In this input field, enter the name of the next hop proxy you want to configure.

If you leave the field empty, a name will be generated by Webwasher,

e. g. pxy1, and inserted in this field after clicking on the Add button.

The name can be modified after the new proxy has been included in the

list.

• Proxy server address

In the input fields provided here, enter the address of the server you want

to make available as next hop proxy:

— Host

Enter the IP address or URL of this server here.

5–17

Proxies

5–18

— Port

Enter the port number of the port for connecting to this server here.

• Proxy authorization

In the input fields provided here, enter the credentials that Webwasher

should use for authentication at the next hop proxy:

— Username

Enter the IP address or URL of this server here.

— Password

Enter the password here.

• Connection behavior

Use the items provided here to configure the connection behavior:

— Retry . . . times on failure for this proxy

From the drop-down list provided here, select the number of retries you

want to configure for a next hop proxy. You can configure up to three

retries.

When the maximum number of retries has been reached, Webwasher

will try to establish a connection using another next hop proxy, according

to what has been configured on the Use Next Hop Proxies tab,

e. g. failover or round robin.

— Donotretryproxyfor...minuteswhenithasreached...

times within 10 seconds its maximum number of retries

In the input fields provided here, enter the time information that will

cause a connection break, i. e. an interval during which Webwasher

will not retry a next hop proxy after a connection to it could not be established

in a given situation.

In the first input field, enter the time (in minutes) that the connection

break should last.

In the second input field, specify how often the maximum number of retries

must have been reached within 10 seconds before the connection

break is started.

— use persistent connections

If you want Webwasher to use persistent connections to the next hop

proxies, make sure this checkbox is marked. The checkbox is marked

by default.

Webwasher will try to meet this requirement by establishing persistent

connections, but may fail to do so in some situations.

• Add

Proxies

You will then see that the failed counter in the list of available next

proxies displays an increased value for the connection to the next hop

proxy in question.

In this case, you might clear the checkbox to disable the option. Note,

however, that this will reduce performance.

After specifying the appropriate information for the server you want to make

available as next hop proxy, click on this button to add it to the list of available

next hop proxies.

The list of available next hop proxies is displayed at the bottom of this section.

For each entry, it provides the information that is specified when a new entry

is added. Furthermore statistical figures are displayed on the reliability of next

hop proxies.

You can edit list entries, delete them and reset the statistics.

To display only a particular number of entries at a time, type this number in the

input field labeled Number of entries per page and enter it using the Enter

key of your keyboard.

If the number of entries is higher than this number, the remaining entries are

shown on successive pages. A page indicator is then displayed, where you

can select a particular page by clicking on the appropriate arrow symbols.

To edit an entry, click on the View Details and Edit link in the same line. This

will reopen the window and this section with the information concerning the

next hop proxy in question, so you can modify it.

After completing the modification, click on the Modify button, which is provided

now instead of the Add button, to make it effective. If you want to clear the

information before modifying the settings for a next hop proxy, click on the

Clear Input button.

Apart from the information that was specified when a new entry was added to

the list, such as the proxy name and address, the list displays statistical figures

on the reliability of each next hop proxy.

The following information is provided in the columns of the list:

• reliability

Reliability of a next hop proxy

The reliability is calculated as the percentage of attempts to establish a

connection to the next hop proxy that were successful in relation to the

overall number of attempts.

5–19

Proxies

5–20

• tried

Number of times that Webwasher tried to establish a connection to a proxy

• failed

Number of times that an attempt by Webwasher to establish a connection

toaproxyfailed

• last fail

Date and time of the last time that an attempt by Webwasher to establish

a connection to a proxy failed

• do not retry reached

Date and time of the last time that a situation was reached where Webwasher

did not retry a next hop proxy over a given period of time.

The length of this period depends on what you configured under Do not

retry proxy for . . . minutes when it has reached . . . times

within 10 seconds its maximum number of retries, see above.

If the do not retry situation is still on, i. e. Webwasher will currently not retry

the next hop proxy in question, the date and time values are displayed in

red.

Use the following items to perform other activities relating to the list:

• Filter

Type a filter expression in the input fields above the Name, Proxy or Port

columns or in a combination of them and enter this using the Enter key of

your keyboard. The list will then display only entries matching the filter.

• Delete Selected

Select the entry you wish to delete by marking the Select checkbox next

to it and click on this button. You can delete more than one entry in one go.

To delete all entries, mark the Select all checkbox and click on this button.

• Reset Statistics

Click on this button to reset the statistical figures shown in the list for reliability

of next hop proxies.

• Reset do not retry

Click on this button to reset the statistics only for the do not retry reached

parameter, see above.

To return to the Next Hop Proxies tab, click on the Close button.

Proxies

The next hop proxy you added to the list, will also appear and be available in

the list of next hop proxies, which is displayed at the bottom of the Use Next

Hop Proxies section on that tab.

5.2.3

Authentication

The Authentication tab looks like this:

At the top of this tab, there is a button labeled:

• Define Proxy Authentication Options

Click on this button to configure some additional options relating to all kinds

of proxies. This will open a window where you can specify the appropriate

information.

It is described after the Configuring the eDirectory Authentication

Method subsection (see below).

Furthermore, there are five sections on this tab:

• Authentication Process

• Authentication Options

5–21

Proxies

5–22

• NTLM and NTLM-Agent Authentication Options

• User Database Authentication Options

• IP Forwarding

They are described in the following.

In addition to this, a sample procedure is described for the eDirectory authentication

method, after the Authentication Process subsection:

• Configuring the eDirectory Authentication Method

This is followed by the Define Proxy Authentication Options subsection

that was already mentioned above.

Authentication Process

The Authentication Process section looks like this:

Using this section, you can configure where users are authenticated. The authentication

process may involve an LDAP or NTLM server, a Radius server,

or the User Database provided by Webwasher.