Blue Coat OPT-1000-2499-3YR User Manual

OPTENET WEB FILTER Server 5.27 Windows/Linux/Solaris/Aix/MacOS User’s Manual Rev 28-06-2006

10 Next, select the default web based administration language: (Administration, web, Report tools, logs etc.). Click on Next and the installe

100 When authenticating users, the command in which the servers have been defined is followed. 2.3.3.1. Delauthencache delauthencac

101 2.3.4.2. Adduserurl adduserurl CATEGORY LIST URL CATEGORY: One of OPTENET Server categories LIST: "Yes", "Not"

102 FROM_IP: First IP of IP range TO_IP: Last IP of IP range 2.3.5.7. Savecat savecat RULE_NAME CAT1 CAT2 ... CATN RULE_NAME: Name of the r

103 HOUR_INTERVAL: Time range (8:30-19:37) The second setting is a time interval, and it is important to follow the format that

104 2.3.7. Administrator identification In order to ensure the privacy of the configuration and administration, the web server requires the user t

105 2.3.8. Working with cluster OPTENET Server allows multiple instances of OPTENET Server to be managed that are being executed on different mach

106 2.3.8.7. Delserver delserver SERVER_NAME CLUSTER_NAME SERVER_NAME: Name of server CLUSTER_NAME: Server's cluster name 2.3.9. Reports OPT

107 3. OPTENET PROXY CONFIGURATION The Optenet proxy has certain user configurable parameters such as the listening port, and the address of a sec

108 3.3. Port configuration (Port Proxy) To modify the port the proxy uses to listen to user request on select this option and enter the new port:

109 12. Bomb-making: Web pages on how to make explosive. 13. Shopping: Web pages where goods and services may be bought. 14. Web mail: Web sites

11 Finally you will be asked if you want to install OPTENET Reporter. If you do not wish to, you will be asked to restart the computer. OPTENET S

110 31. Logos/Ringtones: Pictures or Songs (monophonic or polyphonic melodies) downloaded by mobile phone users. 32. White list: Web pages

111 48. P2P Servers: Sites where these programmes are registered to give the service and the pages related to them. 49. Spyware: Pages that contai

112 5. ICAP NOW NetCache implements a different ICAP method called icap now. It is different from the normal icap methods in that the ICAP reques

113 To be able to use this new service properly, you must indicate to OPTENET Server that it must launch more threads in order to handle

114 6. SNMP MONITORING (ONLY LINUX ENVIRONMENT) The filter can be monitored using the SNMP protocol, which can be easily integrated into the monit

115 6.2. Automatic start If you want the SNMP agent to start automatically with the filter, it will be necessary to edit the “RunOPTENET” and “fi

116 7.3. System information in text mode (/cgi-bin/sysinfotxt) This option means that the filter returns the information of its status in text for

117 In the same way, if we attempt to update the product database, either manually or via any of the automatic attempts made by the product, it w

118 For the product to access the licensing central correctly, the MICROSFT ISA SERVER 2004 needs to be authorised for this address: http://www

119 8.3. ACCESS TO THE DEFAULT BLOCKING PAGE The default setting for the MICROSOFT ISA SERVER 2004 is to have all accesses cut off, so if a cli

12 DownloadContent Flag that indicates to OPTENET Server whether it must request the content when it is integrated with PIX, Border Manager

120 Because no rule has been defined to allow this port to be reached, requests for blocking will not display correctly, and a page like this one

121 Thus we can be blocked and reach the correct blocking page.

13 - HKEY LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\OPTENET Proxy The data required so that OPTENET proxy can be executed as a service. In

14 The second element of OPTENET Server is a Windows service/process that analyses the requests that are received from OPTENET Server plug in insta

15 Microsoft Web Proxy Microsoft Web Proxy is the proxy that is installed with Microsoft ISA Server. It is a Windows service and

16 With this data the OPTENET Server service checks the filtering rules that are configured and decides if the request should be allowed or not. D

17 3.2.1.2. Integration with Microsoft Proxy Server For OPTENET Server to work correctly with a Microsoft Proxy Server, the Proxy Server should b

18 3.2.1.5. Specific information for Windows 98 and Windows Me In Windows 98 and Me the system services concept is different, both OPTENET Serve

19 editing the squid/etc/squid.conf file in the installation directory and modifying the label http_port. The squid/etc/squid.conf file allows you

2

20 3.2.3. Under Mac OS X Under Mac OS X, the distribution of OPTENET involves the following files: ♦ optenet-5.21.dmg ♦ OPTENETManual.pdf – use

21 Next, you need to select the target volume. OPTENET must be installed on the volume corresponding to the operating system, which is indicated

22 The software is installed. OPTENET and its Squid proxy are launched automatically when the system is started up. 3.2.4. System for files inst

23 -categoryuserex.edu File with the description of the categories added by the administrator. - logs directory: Where, by default, the

24 - a file in the Microsoft ISA Server installation directory (by default C:\Program files\Microsoft ISA Server). This file is called

25 The two parts of OPTENET Server are independent and they can be started or stopped separately, however, in order for the filtering to be produ

26 The two parts of OPTENET Server are independent and they can be started or stopped separately, however, in order for the filtering to be prod

27 If you have difficulties with the installation, please e-mail use at [email protected] for technical support. 3.3.3. Under Mac OS X To star

28 You can check that OPTENET has been installed as a service with the command: #chkconfig –list On Linux systems without chkconfig: # cp /usr/l

29 In “ICAP version” you must assign version 1.0 of ICAP. In the “Service URL” sections you must specify the URL against which the ICAP requests

3 INDEX 1. INTRODUCTION... 5 2. NEW CHARACTERISTICS OF VERSION 5.27 ...

30 SG 2.1.07 onwards) to activate in the ICAP message the sending of the IP address of the client that made the request. 3.5.2. Creating a respon

31 3.5.3. Establishing a web access policy Once the ICAP services have been defined, we must indicate that all the requests are to be redirected

32 And configure the action of the new policy so that all the requests from all the clients use the ICAP service that we have called opten

33 And configure the action of the new policy so that the contents of all the requests from all the clients use the ICAP service that we have ca

34 3.6. Configuring NetCache to use OPTENET as the filtering system Below we describe how to configure NetCache to use OPTENET as the filtering s

35 3.6.2. Creating a response modification service (RESPMOD) Create a new Service Farm a shown in the following figure: In the services box the

36 That is to say, by applying the filter to all requests, http, https and ftp requests. Lastly you simply have to activate the ICAP service fr

37

38 4. BASIC CONCEPTS Some basic concepts will be explained below, which are necessary in order to be able to properly administer OPTENET. These c

39 4.4. URL This is the abbreviation for Uniform Resource Locator. It is the address of a site or source, normally a directory or

4 2. ADMINISTRATION OF OPTENET VIA THE COMMAND LINE (OPTENET CLI V1.0) 95 2.1. INTRODUCTION...

40 the addresses that we consider belong to a specific category and the Not list contains the addresses we consider do NOT belong to this category.

41 5. ADMINISTRATION Once OPTENET server is installed, it is necessary to set up a minimum configuration. OPTENET Server incorporates a web server

42 It gives a brief introduction about OPTENET. If you would like the administration web in another language you simply have to click on the flag o

43 5.2. Documentation Shows the documentation in HTML format. 5.3. Configuration Within this option, you can configure aspects such as

44 5.3.1. Filter Status The filter currently allows three states: ♦ ON: active state, the filter processes all the requests applying the

45 The HTML response pages can be generated dynamically through a CGI or an ASP page. In this case, we must indicate the complete URL of

46 5.3.4.3. Number of days’ information to be saved Here the user can configure the number of complete days’ log information that he/she wishes the

47 5.4. Authentication If you wish to establish filtration rules by users or by groups of users, the proxy or appliance needs to

48 Clicking on the LDAP button, you will access the configuration window for LDAP servers. 5.4.1.1.1. List of LDAP servers In this section,

49 • Administrator: DN and access code of the LDAP server. If the LDAP server allows anonymous listening, they may be left empty. • Base: base fo

5 1. INTRODUCTION OPTENET is a filtering system that enables a company’s Internet resources and the time used on the Internet to be optimised. B

50 There follows an example of an LDAP server configuration. In this example, the users consist of objects of inetOrgPerson type and their

51 5.4.1.2. Windows domains Select the Windows Domain options if they manage user and group accounts in your organisation with Windows Domain, b

52 From this option, a new OPTENET DCAgent may be added, modified or an existing one erased and also their order may be set. 5.4.1.2.2. Window

53 5.4.1.3. OPTENET Proxy Select the OPTENET proxy option if OPTENET server has been installed in a Windows system and the OPTENET proxy

54 5.4.1.4. Squid NCSA Select the Squid NCSA option if OPTENET server has been installed in a UNIX environment (Solaris, Aix, FreeBSD

55 the client certificate, using secure SSL communication. To do so, the LDAP database field to be queried has to be indicated for the certificate’

56 This box is only valid if the user authentication has been activated. In order for OPTENET to be able to authenticate the LDAP users, the server

57 5.4.7. Using client certificates As we have mentioned above, OPTENET can obtain authentication credentials from client certificate data. To do s

58 5.5. Categories OPTENET Server allows you to create and manage your own categories. In order to do so, you need only indicate the name and the

59 established categories in the filter and those added by the administrator may not total more than 128 categories in all. 5.6. URL classifica

6 ♦ Filtering based on lists predefined by the actual users. In addition, OPTENET Server offers the following features: ♦ Automatic updating of

60 From this screen, a URL can be inserted in various categories at the same time. This can happen because the categories are not exclusive

61 It is possible to indicate that a single page does or does not belong to a category by entering a complete URL, for example, http://www.dangero

62 Moreover, on this screen it is possible to enquire as to which categories apply to a particular URL. With this function it is v

63 After the Filtering Rules option has been selected, the next window appears where we can see all of the rules that we have defined on the syst

64 5.7.2. Action The action indicates if this rule will be to allow or to deny the accesses to the categories that are selected in this rule

65 It is also possible to create rules that apply to all requests that the filter system is unable to categorise because the requested URL do

66 For this option, we must take into account the following: if we do not indicate an IP, then this rule will act on all requests that reach it f

67 In order to establish rules by users you must configure your proxy or appliance to carry out the user authentication or force OPTENET to perform

68 5.7.7. User groups In this option, you will be able to add and delete User Groups to which the rule will be applied. In order for the groups of

69 5.7.9. Time Schedules In this option, you will be able to add, delete and change the days of the week and the time intervals as the criteria of

7 3. INSTALLATION This section describes the installation of OPTENET and the necessary requirements of the Windows, Linux o Solaris sy

70 5.7.11. URLs Not In this option, you will be able to add, delete and modify Not URLs as the criteria of a rule. The Not list contains the UR

71 select any categories. In other words, we have created a rule that is only applicable to the manager and which is to allow. Allow what? Since we

72 5.8.1. Via proxy Select this option if the server where OPTENET is installed cannot access Internet directly and needs to do so via

73 5.9. Reports When you click on this option, another browser window opens connected to OPTENET Reporter. OPTENET Reporter is the tool that enabl

74 5.10. Administrator Identification OPTENET Server establishes a number of levels of administration as the following table shows: Administrato

75 The data of the default users that are present in the installation can be modified for each profile and new users can be added or delete

76 By default, this option is deactivated, to activate it simply select whether the users are identified by name (user authentication) or

77 This screen will show a list featuring all the users that are currently blocked. A specific user can be unblocked by selecting same and clicking

78 5.11.2.1. Enabling Skype detection By default, the Skype detection option is disabled. To enable it, simply check the correspondin

79 • Blocking those requests that cannot be analysed due to the maximum number of simultaneous connections having been reached: when a req

8 ♦ The equipment involved depends on the number of users. However, it is recommended that a G4 processor and 256 MB of RAM be used. 3

80 The administrator can pass nodes from one list to the other by selecting an entry from one of them and clicking on the corresponding button. Li

81 When it is deactivated, it works in conventional way, which means that only one OPTENET Server is handled and the changes are onl

82 5.12.2. Clusters He we can find the buttons to edit clusters and at all times an updated list is shown with the clusters created. For all o

83 5.12.2.4. Connect It establishes connections to all the servers of the selected cluster and shows the report window of the following section.

84 5.12.3.1. New To insert a new server the following window is shown: The parameters in order to create a new entry of an installation of OPTE

85 5.12.3.2. Edit The same window as in the previous operation is shown but with the server parameters in the text boxes. If you are working w

86 The result of the connection can be: ‘Connection Accepted’: OPTENET Server is being run. ‘Error Connection not made’: OPTENET Server is

87 5.13. License If you have a license code that you could not register during the installation, you can register it at any time from the web admin

88 ♦ Last correct connection to the DB server: the date and time of the last time the filter successfully contacted a URL database server. ♦ Stat

89 6. FREQUENT PROBLEMS This section describes the most common problems and how to solve them. 6.1. The optenet server error message... appears

9 Clicking on next will allow you to select the communications protocol that the OPTENET server should use to communicate with the proxy. The pr

90 6.3. The users do not appear when the refresh button is pressed In order for the users to appear when the refresh button is pressed

91 To solve this problem, right-click on ‘My Computer’ and select ‘Properties. Then click on the ‘Advanced Options’ tab and then click on ‘Confi

92

93 ANNEX

94 1. ADMINISTRATION OF OPTENET SERVER TROUGH A SECURE CONNECTION (ONLY LINUX ENVIRONMENT) The OPTENET filter can be administered through a s

95 If using multiple OPTENET Server installations with cluster management the OPTENET Server itself takes care of securing the communications. 2

96 The OPTENET CLI welcome message will be displayed. Now you are on the command line of OPTENET CLI, and the commands that you type in will be in

97 • Type in the name of the command followed by its settings as shown by OPTENET CLI. If the command typed in is correct, and moreover

98 It is important to keep in mind that the format of the requests of a script file is exactly the same as if it were typed in. The format of a s

99 2.3.1. Configuration Within this option, we can configure the status of the filter, establish the blocking page or establish the directory where