Web Filter - Forcepointkb.websense.com/pf/12/webfiles/WBSN Documentation... · install Web Filter....

Web Filter www.surfcontrol.com The World’s #1 Web & E-mail Filtering Company SurfControl Web Filter for Cisco CE Installation Guide


Web Filter

www.surfcontrol.com The World’s #1 Web & E-mail Filtering Company

SurfControl Web Filter for Cisco CE Installation Guide

NOTICES

Updates to the SurfControl documentation and software, as well as Support information are available at www.SurfControl.com/support.

Copyright ©1998-2005 SurfControl plc. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owner.

SurfControl is a registered trademark and SurfControl and the SurfControl logo are trademarks of SurfControl plc. All other trademarks are property of their respective owners.

Version 5 printed May 2006.


CONTENTS

Notices

PRE-INSTALLATION
  Introduction
    Pass-through filtering technology
  Requirements
    Web Filter System Requirements
    Before you install Web Filter
    Cisco CE Requirements
  Where to install
    Installation decisions
    Network considerations
    Installation considerations
  User name resolution
    EUM
    Installing EUM
    X-Authenticated-User
  Database options
    MSDE Database
    SQL Server
    Database authentication
  Other considerations
    E-mail notifications

INSTALLATION
  Installation order
    Installation procedures
  Installing Web Filter
    Flow chart

FURTHER CONFIGURATION
  Configuring Services
  Database creation
    Creating a SQL Server Database
  Virtual Control Agent
    Installation
    Configuring the VCA
    Upgrading the VCA
  Performance Tuning
    System Workload Issues
    Distributing Services and Multiple Collectors
  Troubleshooting
    Troubleshooting EUM Issues

CISCO CONFIGURATION
  Specifics
    Installation of the Cisco CE running ACNS*
    Setting Up the Rules on the Content Engine for the Joint Solution**
    Types of Content Served in an ACNS Network**
    Content Caching Service with Filtering and Access Control***
  Sample Deployments
    Customer Expectations
    Content Engine Local Deployment Scenarios *****


Chapter 1 Pre-Installation

Introduction
Requirements
Where to install
User name resolution
Database options
Other considerations

Introduction

SurfControl Web Filter for Cisco CE:

• uses pass-through technology.

• filters HTTP.

PASS-THROUGH FILTERING TECHNOLOGY

Historically, pass-through technology was the first technology developed for Internet filtering. Filtering software is installed on a device at the choke point for all outbound and inbound traffic. The application works like customs: all packets are stopped and inspected before being allowed to enter the country. Only approved HTTP requests are allowed to continue.

The inspection can be based on source or destination address, source or destination TCP port, and other criteria. Because this technology inspects every HTTP request, you may see network latency. In most cases, the optimization of modern software and the availability of high-performance hardware make this latency negligible.


Requirements

WEB FILTER SYSTEM REQUIREMENTS

You should check that the machines you will be using meet the minimum system requirements outlined in the table below:

Table 1-1 System Requirements

Component                            Requirement
Operating System                     Microsoft Windows 2000 Server (SP3) or
                                     Microsoft Windows 2000 Advanced Server (SP3)
                                     Microsoft Windows Server 2003
Processor                            Pentium III or above
Memory                               512 MB minimum
Disk space                           1 Gbyte free space
Network                              1 Ethernet Card
Optional Netware user name support   If you plan to monitor traffic based on Netware user
                                     information, you must have the latest version of the
                                     Novell Client installed on the SurfControl machine prior
                                     to installing the SurfControl software.
Optional Windows user name support   If you plan to monitor users based on Windows user names,
                                     then you must be using MS NT 4 or Active Directory domain
                                     controllers.
Web Reporting                        Microsoft Internet Explorer 5.0 or later
                                     OR
                                     Netscape Communicator 4.75 or later

The requirements above represent the minimum system requirements for SurfControl. If you are deploying SurfControl into a network that has a high volume of Internet traffic, you can see performance improvements by installing the software onto a server with a faster CPU, additional RAM, and a SCSI drive system.

We also recommend that you run ACNS v5.2.3 for the best performance.


BEFORE YOU INSTALL WEB FILTER

In order to use the X-Authenticated-User header for User Name Resolution, which is recommended, you should configure the following before installing Web Filter:

• Authentication on the Content Engine - this must be configured and tested before you install Web Filter. The following simple sample configuration shows how this might be done using an example domain name of ‘surfqa’ and an example domain controller IP address of 10.1.0.1:

1 Log in to the Content Engine’s CLI.

2 Execute the following commands:

    CiscoCE# config
    CiscoCE(config)# ntlm server enable
    CiscoCE(config)# ntlm server domain surfqa
    CiscoCE(config)# ntlm server host 10.1.0.1
    CiscoCE(config)# ntlm allow-domain enable
    CiscoCE(config)# ntlm allow-domain domain surfqa
    CiscoCE(config)# exit
    CiscoCE# write memory

The CE should now be able to send user name information to SurfControl in the x-authenticated-user header once it is configured to do so. Once you confirm that authentication with the CE is working, then you can install Web Filter. After the Web Filter is installed, you can go through the steps of configuring the ICAP client on the CE as you have documented. (See section 11-5 of the ‘Cisco ACNS Software Configuration Guide for Locally Managed Deployments’ for more information on X-Authenticated-User configuration in ACNS v5.2.3).

• HTTP request authentication - Cisco supports four types of HTTP request authentication, but currently only NTLM is supported by Web Filter. Information on configuring NTLM authentication of HTTP requests can be found in Chapter 9 of the ‘Cisco ACNS Software Configuration Guide for Locally Managed Deployments’.

CISCO CE REQUIREMENTS

Before installation, make sure the Cisco Content Engine meets the minimum requirements listed in Table 1-2.

Table 1-2 Cisco CE Requirements

Component                        Requirement
Cisco CE                         Cisco CE 500 or 7300 series
Supported ACNS Branch Versions   5.2.7 or later
                                 5.3.5 or later
                                 5.4.1 or later


Where to install

INSTALLATION DECISIONS

This section discusses the decisions you must make before installing SurfControl and is divided into the following sections:

Network considerations

Installation considerations:

• Do you want to automatically monitor new users?

• Do you want to enable user name support?

• Where do you want to install VCA?

User name resolution:

• How do you want SurfControl to handle user-name resolution?

• How do you want to monitor users (IP address, workstation name, EUM, NetwareEUM, X-Authenticated-User)?

Database options:

• What database do you plan to use (MSDE or SQL)?

• How do you want SurfControl to connect to the database (Windows authentication or SQL authentication)?

Other considerations:

• Content information

• Which e-mail notifications should SurfControl send?

• What administrative privileges do you need to set up?


NETWORK CONSIDERATIONS

When the Cisco CE receives an HTTP request (over port 8080), it sends an ICAP request to the SurfControl Web Filter (over port 1344).

SurfControl Web Filter checks the category of the site and writes the relevant data to the database.

Figure 1-1 shows a SurfControl Web Filter deployment.

Figure 1-1 Sample Web Filter Deployment


INSTALLATION CONSIDERATIONS

During installation, you can set the following options for SurfControl’s basic behavior:

• Automatically Monitor New Users

• Enable User name Support

• Install Virtual Control Agent

Automatically monitor new users

Each time SurfControl detects a request from a workstation it hasn’t seen before, it adds the workstation data to the database and attempts to identify the real name of the workstation and the name of the user logged into that PC.

By choosing the Automatically Monitor New Users option during installation and configuring the ICAP client, SurfControl automatically monitors HTTP traffic for all users. If unchecked, SurfControl builds a user list (for use in creating rules), but does not monitor any users.

Note: SurfControl cannot monitor new users until the ICAP client is configured. See procedure 7 for information on how to do this.

Enable user name support

SurfControl monitors Internet usage based on user name, workstation name, or IP address. Checking the Enable User Name Support option enables monitoring by user name rather than workstation name or IP address.

Note: You must enable user name support if you plan to install EUM.

Install Virtual Control Agent

Note: SurfControl recommends installing VCA onto a computer other than the SurfControl server.


SurfControl offers an adaptive reasoning technology called the Virtual Control Agent (VCA). VCA uses artificial intelligence to categorize None sites into one of SurfControl’s categories. Before installation, make sure the server where VCA is installed meets the minimum requirements for VCA (listed in Table 1-3).

During installation, you can choose to install and register VCA or install it for a 30-day evaluation period.

Table 1-3 Minimum VCA system requirements

Component          Requirement
Operating System   Microsoft Windows 2000 Server (SP3) or
                   Microsoft Windows 2000 Advanced Server (SP3)
                   Windows 2003 Server
Processor          Pentium III or above
Memory             512 MB minimum
Disk space         1 Gbyte free space
Applications       SurfControl Web Filter for Cisco CE v5.0 or later


User name resolution

By default, SurfControl monitors users by IP address. However, if you want to monitor users by user name, SurfControl includes the Enterprise User Monitor (EUM) utility for resolving IP addresses to user names. Alternatively, you may choose to monitor on Novell user names.

SurfControl recommends monitoring by user because:

• monitoring by workstation name only identifies the machine requesting the data, not the user who originated the request.

• monitoring by user names is more convenient in a workplace where employees share or swap machines frequently.

• monitoring by user names allows you to filter users based on NT or NetWare Users and Groups.

• monitoring by user name makes it easier to track users that frequently log in to multiple machines.

SurfControl places data on the Monitor with the following precedence:

1 User name based on X-Authenticated-User.

2 User name resolved with EUM or NetwareEUM.

3 Workstation ID.

4 IP address.

Note: SurfControl supports three monitoring methods: user name, workstation name, or IP address.

Note: If Web Filter receives an ICAP request that contains the X-Authenticated-User header, it will decode and use the user name even if the Username Resolution setting is set to ‘None’. If you do not wish to use usernames, though this is not recommended, you must not append the X-Authenticated-User header.


EUM

By accessing Windows NT and Windows 2000 security auditing data to resolve user names, EUM gives SurfControl the ability to monitor traffic on a routed network by user name. EUM provides SurfControl with continuous, accurate reporting of logon activity by user name.

For example, when jsmith attempts to access http://www.cnn.com, SurfControl sees jsmith’s IP address in the HTTP request. EUM provides the missing link by receiving data from the domain controllers regarding jsmith’s identity.

EUM on Windows NT domain controllers

SurfControl installs the EUM agent onto Windows NT domain controllers as a service (SurfControl User Agent service; ScUserAgent.exe). During EUM installation, SurfControl configures NT domain controllers to record Successful Logons to the security log (event 528). If you make changes to this audit policy and disable event 528 logs (Successful Logon), EUM will no longer operate properly.

Confirm that event 528 logs are enabled by performing the following:

1 From the SurfControl server, select Programs/Administrative Tools/User Manager for Domains from the Start menu.

2 Select Policies then Audit. Make sure that Audit these Events is checked.

Before installation

Prior to installing the EUM UA onto an NT domain controller, ensure the trust relationships are set up for multiple domain environments (in this case, SurfControl is Trusted, all other domains are Trusting).

EUM on Windows 2000 domain controllers

The EUM agent installs onto Windows 2000/2003 domain controllers as a DLL (ScSubAuth.dll).

When EUM is installed onto a Windows 2000 server, SurfControl uses Microsoft’s Sub-Authentication to resolve user names. After installing EUM on a Windows 2000 domain controller, you must reboot the domain controller.

Note: SurfControl recommends using X-Authenticated-User for user name resolution unless you are using Novell Netware. If you ARE using Netware then X-Authenticated-User will NOT work.

Note: Ensure security logs are set to overwrite as needed. Do not manually clear the security logs.


INSTALLING EUM

Install EUM from the SurfControl server. During installation, SurfControl installs the EUM UA onto each domain controller. Before installing EUM, ensure the following:

• The SurfControl server must have a static IP address.

• The installer must be logged into the SurfControl server as a user with domain administration rights.

• In order for a successful automatic installation, SurfControl must be able to see the domains that require EUM. Make sure the SurfControl is located in the appropriate domain.

– In a two-way trusted environment, the SurfControl server can be located in any domain.

– If a one-way model is in use, the SurfControl server should be located in the master domain (this allows SurfControl to see all other domains).

• For Windows NT domain controllers, make sure the security logs of all domain controllers are set to overwrite events as needed.

• By default, EUM uses port 61695 to communicate with the SurfControl server. Perform the following steps to change the port:

Procedure 1-1: Installing EUM

Step Action

1 Add the following key to the SurfControl registry:

HKEY_LOCAL_MACHINE\SOFTWARE\JSB\SurfControlScout\ UserAgentPort

2 Add the key as a DWORD, specify a decimal value (default is 61695).

3 Stop and start the Web Filter service.

4 Update the scua.ini file on the domain controllers to reflect the port changes.

• SurfControl recommends installing EUM when there are few or no users on the network or when a forced logoff can be scheduled.

• During installation, you’ll be prompted to specify specific user accounts that UA should ignore; you should only use the ignore option for accounts similar to SMS.

Note: Ignoring valid user accounts will result in incorrect identification.


Netware EUM

SurfControl also provides the ability to monitor users by their Novell Netware user name. The Novell version of EUM is called NetwareEUM. NetwareEUM works in the same way as EUM. SurfControl installs a User Agent onto each Novell NDS Tree Server.

Before installing NetwareEUM, ensure the following:

• Before installing SurfControl, install the latest Novell Client (with TCP/IP as the preferred protocol) onto the server.

• Network must be using Novell 5 or 6 over IP.

• The SurfControl server must have a static IP address.

• By default, NetwareEUM uses port 61696 to communicate with the SurfControl server. Perform the following steps to change the port:

Procedure 1-2: Installing Netware EUM

Step Action

1 Add the following key to the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\JSB\SurfControl Scout\NWUserAgentPort

2 Add the key as a DWORD, specify a decimal value (default is 61696).

3 Stop and start the Web Filter service.

4 Update the scua.ini file on the NetWare server to reflect the port changes. For details about installing the NetWare EUM User Agent (UA) see Procedure 3 ‘Install NetWare EUM’ in the Installation section.

• SurfControl recommends installing NetwareEUM when there are few or no users on the network or when a forced logoff can be scheduled.

Note: SurfControl does not support Novell 4.x. If you need to resolve Novell 4.x users, authenticate all users on an NT or 2000 domain controller and use EUM to resolve the user names.

X-AUTHENTICATED-USER

The x-authenticated-user ICAP header is a way for the ICAP client to pass user name information to the ICAP server. This option is disabled by default. Setting icap append-x-headers x-authenticated-user enables it and inserts the x-authenticated-user information into the ICAP request sent to the ICAP server.

For more information on the configuration of the x-authenticated-user header see section 11-5 of the ‘Cisco ACNS Software Configuration Guide for Locally Managed Deployments’.
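The precedence list under User name resolution and the X-Authenticated-User header described above, worked through as an added example (not code from SurfControl or Cisco): it parses the ICAP headers of a request, decodes the user name and falls back to EUM, workstation and IP data in the documented order. Assumptions: the header value is a base64-encoded URI of the form WinNT://domain/user as in the ICAP extensions draft, the client address arrives in an X-Client-IP header, an undecodable value falls through to the next method, and the service URL, lookup tables and sample requests are constructed.

```python
import base64

# Constructed sample values; none of them come from the guide.
ICAP_SERVICE = b"icap://filter.example:1344/reqmod"  # hypothetical service URL


def build_request(client_ip, user_uri=None, raw_user_value=None):
    """Build a constructed REQMOD request like one a CE could send to port 1344."""
    http_hdr = b"GET http://www.cnn.com/ HTTP/1.1\r\nHost: www.cnn.com\r\n\r\n"
    lines = [
        b"REQMOD " + ICAP_SERVICE + b" ICAP/1.0",
        b"Host: filter.example:1344",
        b"X-Client-IP: " + client_ip.encode("ascii"),
    ]
    if user_uri is not None:
        # Assumption: the client base64-encodes a WinNT://domain/user URI.
        raw_user_value = base64.b64encode(user_uri.encode("utf-8"))
    if raw_user_value is not None:
        lines.append(b"X-Authenticated-User: " + raw_user_value)
    lines.append(b"Encapsulated: req-hdr=0, null-body=%d" % len(http_hdr))
    return b"\r\n".join(lines) + b"\r\n\r\n" + http_hdr


def parse_icap_headers(raw):
    """Return (request_line, headers) for the ICAP part of a raw request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_authenticated_user(value):
    """Return (domain, user) from the header value, or None if it is malformed."""
    try:
        uri = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    _scheme, sep, rest = uri.partition("://")
    if not sep:
        return None
    domain, _, user = rest.rpartition("/")
    return (domain, user) if user else None


def resolve_identity(headers, eum_table, workstation_table):
    """Apply the guide's precedence: header user, EUM user, workstation, IP."""
    client_ip = headers.get("x-client-ip", "")
    raw_user = headers.get("x-authenticated-user")
    if raw_user:
        decoded = decode_authenticated_user(raw_user)
        if decoded:
            domain, user = decoded
            name = domain + "\\" + user if domain else user
            return ("x-authenticated-user", name)
        # Example's choice: a malformed value falls through to the next method.
    if client_ip in eum_table:
        return ("eum", eum_table[client_ip])
    if client_ip in workstation_table:
        return ("workstation", workstation_table[client_ip])
    return ("ip", client_ip)


def demo():
    """Resolve four constructed requests, one per precedence level."""
    eum = {"10.1.0.56": "surfqa\\akhan"}                    # hypothetical EUM data
    ws = {"10.1.0.56": "WS-0056", "10.1.0.57": "WS-0057"}   # hypothetical names
    requests = [
        build_request("10.1.0.56", user_uri="WinNT://surfqa/jsmith"),
        build_request("10.1.0.56"),
        build_request("10.1.0.57"),
        build_request("10.1.0.58"),
    ]
    return [resolve_identity(parse_icap_headers(r)[1], eum, ws) for r in requests]


if __name__ == "__main__":
    for method, name in demo():
        print(method, name)
```

Because the user name in the header is used whenever it is present, the result is only as trustworthy as the ICAP client that sent the request.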


Database options

SurfControl ships with Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), but can also create the data structure in a fully-licensed version of Microsoft SQL 7.0 or SQL 2000. If you plan to use a fully-licensed version of SQL, make sure the software is installed and running before attempting to install SurfControl.

Using a fully-licensed version of SQL (rather than MSDE) allows more flexibility and the ability to fine-tune database performance. SurfControl performs extremely well in either case.

SurfControl connects to the database using a fully-qualified connection string. This string contains all the details required to connect to a database including database type, name of the server, user id, password, and database name. Using a connection string does not require the creation of DSNs. Therefore, any SurfControl client or server on the network can access the database without creating a link through the ODBC.

MSDE DATABASE

If you are not using a SQL Server database, you have the option of installing MSDE during the installation process. MSDE allows a seamless upgrade to a SQL database in the future. Access MSDE data tables using the OSQL utility.

If you install MSDE onto the SurfControl server, make sure the server meets the minimum resources listed in Table 1-4.

Note: Microsoft states that the maximum size of an MSDE database is 2 GB.

Table 1-4 Minimum requirements for MSDE on SurfControl server

# Users      Machine Specification
<500         Pentium IV, 2 GB RAM, 1.2 GHz processor, 10 GB hard drive
500-1000     Pentium IV, 3 GB RAM, 1.4 GHz processor, 20 GB hard drive
1000-3000    SurfControl recommends a full SQL installation on a dedicated SQL server.
3000-5000    SurfControl recommends a full SQL installation on a dedicated SQL server.
5000-10000   SurfControl recommends a full SQL installation on a dedicated SQL server.
10000+       SurfControl recommends a full SQL installation on a dedicated SQL server.


SQL SERVER

If you have a Microsoft SQL Server database on your network, you should plan to create the database on that server (you can create and configure the database during the installation process).

If you plan to use a SQL database, but have not installed it, complete the following tasks before installing SurfControl:

1 Install the SQL Server Client Connectivity Pack onto the server where you install SurfControl.

2 Install SQL Server on the designated server; this can be the same machine as SurfControl server.

3 Make sure your server has the minimum resources listed in Table 1-5.

4 Configure SQL to limit memory and processors when running both SurfControl and SQL on the same computer.

Note: SurfControl recommends installing SQL onto a dedicated server.

Note: Install SQL server with the default setting of case insensitivity, including case insensitivity for Dictionary Order. Choosing case sensitivity may cause problems when installing SurfControl.

Table 1-5 Minimum requirements for SQL server on SurfControl server

# Users      Machine Specification
<500         Pentium IV, 2 GB RAM, 1.2 GHz processor, 10 GB hard drive
500-1000     Pentium IV, 3 GB RAM, 1.4 GHz processor, 20 GB hard drive
1000-3000    Pentium IV, 5 GB RAM, 1.4 GHz processor, 40 GB hard drive
3000-5000    Pentium IV, 5 GB RAM, 1.4 GHz processor, 40 GB hard drive
5000-10000   Pentium IV, 7 GB RAM, 1.8 GHz processor, 60 GB hard drive
10000+       Pentium IV, 7 GB RAM, 1.8 GHz processor, 60 GB hard drive

Note: There should only be one database owner (db_owner) per database.

Note: If you need to have multiple user accounts with database access, the other users should only have db_datareader and db_datawriter permissions.


Reasons to install SQL Server onto a dedicated server

SurfControl supports SQL7.0 and SQL2000. Use a fully-licensed version of SQL on a dedicated server if your company:

• plans to store large amounts of data (i.e., you have a large number of users, high Internet activity, or need to retain data for an extended period of time)

• requires SurfControl to write data to a database that is not resident on the SurfControl server.

• requires more than one SurfControl server (collectors) to consolidate data in a single database.

• plans to store SurfControl IM Filter, SurfControl Web Filter, and SurfControl E-mail Filter data on the same SQL installation.

Considerations for large environments

In large environments with a high volume of Internet traffic, real-time updates to the database can take up valuable bandwidth resources. Therefore, you can configure SurfControl to write data to a flat-file and schedule automatic updates.

Make sure your dedicated SQL server has the minimum resources listed in Table 1-6.

DATABASE AUTHENTICATION

SurfControl supports both Windows Authentication and SQL Authentication. For more information on authentication see Chapter 9 of the ‘Cisco ACNS Software Configuration Guide for Locally Managed Deployments’.

Windows authentication

If you choose to use Windows Authentication, make sure domain rights are correctly configured between the SurfControl server and the SQL server. Also, the SurfControl installer account requires SQL Server database creator rights.

Note: The Monitor only shows data that has been written to the database. Therefore, the Monitor won’t show the data written to flat files until it has been transferred to the database.

Table 1-6 Minimum SQL system requirements for large environments

| # Users | Machine Specification |
|---|---|
| <500 | Pentium IV, 1 GB RAM, 1.2 GHz processor, 10 GB hard drive |
| 500-1000 | Pentium IV, 2 GB RAM, 1.4 GHz processor, 20 GB hard drive |
| 1000-3000 | Pentium IV, 4 GB RAM, 1.4 GHz processor, 40 GB hard drive |
| 3000-5000 | Pentium IV, 4 GB RAM, 1.4 GHz processor, 40 GB hard drive |
| 5000-10000 | Pentium IV, 6 GB RAM, 1.8 GHz processor, 60 GB hard drive |
| 10000+ | Pentium IV, 6 GB RAM, 1.8 GHz processor, 60 GB hard drive |


SQL authentication

If you choose to use SQL Authentication, you’ll need to create a SQL Server login specifically for SurfControl. This login is required for creating the database and should be used for all SurfControl database activities.

If you choose to connect to the SQL database using SQL authentication, make sure the SQL server is configured to support SQL Server and Windows NT authentication.


Other considerations

This section contains general information that you should be aware of when installing SurfControl.

Content

SurfControl’s Category List is the premier category database in the filtering industry and provides the most accurate, current, and relevant content listing available. The Category List includes:

• 47 well-organized categories.

• over 9 million sites, including more than 1.2 billion web pages.

• international content, including 65 languages and over 200 countries.

• daily updates (more than 35,000 new sites a week).

The Category List is stored in an encrypted, size-optimized Aura file called SurfControl Categories.csf. Incremental updates (up to 60 MB) are stored in an encrypted file called SurfControl Categories.cdb. With SurfControl, you can re-categorize sites; these updates are managed by the SurfControl Manual Categories.cdb file. SurfControl checks the categorization files in the following order:

1 Manually-categorized (includes VCA, managed by the SurfControl Manual Categories.cdb file)

2 Incremental updates (SurfControl Categories.cdb)

3 Category List (SurfControl Categories.csf)

E-MAIL NOTIFICATIONS

SurfControl includes the ability to automatically notify the system administrator when any of the following events occur:

• Service running status change - if one of the SurfControl services stops running. This is an optional notification.

• Scheduled task failures - if a scheduled task fails to run. This is an optional notification.

• Category list license reminders - when the Category List license is close to expiring. This is an optional notification.

• Unregistered product reminders - when you haven’t registered the product. This is a default reminder and will be sent if you choose to enable the feature (by identifying a mail server and recipient).

• Loss of database connectivity - when SurfControl loses communication with the database. This is a default reminder and will be sent if you choose to enable the feature (by identifying a mail server and recipient).

If you decide to enable this feature, you will need to know the IP address of your mail server and will need to identify an administrator that will receive the notifications.

Note: Use the Scheduler to create recurring Category Database Update events.


If you choose not to enable this feature, then SurfControl will not send notifications for any of the events listed above.

Administrative privileges

System administrators can remotely administer SurfControl by installing the Remote Administration Client. From the Client installation you can:

• view monitored traffic.

• create and edit rules.

• run reports.

• start and stop the Web Filter Service.

• set up scheduled events.

You will not be able to use the real-time monitor.

Before installation, make sure the administrator computer meets the minimum requirements listed in Table 1-7.

Table 1-7 Minimum system requirements

| Component | Requirement |
|---|---|
| Processor | Intel Pentium III |
| Memory | 256 Mbytes RAM. 512 Mbytes RAM recommended if you plan to install VCA or to use the Web Reporting feature. |
| OS | Windows 2000 Professional or Server, or Windows 2000 Advanced Server (SP1), or Windows XP or Windows 2003 Server |
| Network | Ethernet card |
| Disk space | 5 Gbyte free |
| Web Reporting | Microsoft Internet Explorer 5.0 or higher |


Chapter 2 Installation

Installation order
Installation procedures
Installing Web Filter


Installation order

SurfControl recommends installing in the following order:

1 If you plan to monitor Netware user names, install the Novell client onto the SurfControl server.

2 If you are using MSDE 2000 as your database, SurfControl recommends installing MSDE prior to installing SurfControl.

3 If you are using SQL7.0 or SQL2000 as your database, install the SQL client onto the SurfControl server.

4 Install the Complete Product onto the SurfControl server

5 If you plan to monitor Windows users by user name, install EUM onto all domain controllers.

6 If you plan to monitor Netware user names, install NetwareEUM onto all NDS servers.

7 Configure the ICAP Client on the Cisco CE.

8 Install Remote Administration software and VCA, if required

INSTALLATION PROCEDURES

This section contains the following procedures:

1 Installing MSDE (optional)

2 Installing SurfControl Web Filter for Cisco CE

3 Installing EUM (optional)

4 Installing NetwareEUM (optional)

5 Automatically loading NLM (optional)

6 Unloading NLM (optional)

7 Enabling the ICAP Client on a Cisco CE

8 Installing SurfControl Administration client and VCA

9 Serializing SurfControl

10 Serializing VCA Cisco CE


Changes to the server

Installing SurfControl makes the following changes to your server:

• SurfControl places an icon in the system tray at startup.

• From this icon, you can start and stop the Web Filter service, the Scheduler service, and the Report Service. You can also serialize the product.

• Adds SurfControl executables to the Start menu (Programs > SurfControl Web Filter)

• Adds necessary registry entries

• Creates the SurfControl_WebFilter database

• Adds the following services:

– Web Filter service

– Scheduler service

– Report service

– Remote Administration service

– SurfControl Web Filter ICAP Service


Installing Web Filter

This section contains instructions for a successful installation of SurfControl Web Filter for Cisco CE. The flowchart and descriptions explain what you should do at each stage of the installation process.

Procedure 2-1: Installing MSDE (optional)

Step Action

1 If you plan to use an MSDE database, SurfControl recommends installing MSDE prior to performing the SurfControl WF installation. You can download our recommended version of MSDE at www.surfcontrol.com from the Downloads > Free Trial of SurfControl > Web Filter menu. You will need to register first to access this download.

2 Locate the downloaded file (setup.exe).

3 Double-click setup.exe to start the installation process.

4 When prompted, make sure to enter a password for the SA account.

5 You will need to restart the server before installing the SurfControl Web Filter.


FLOW CHART

The following flowchart shows the processes involved when installing SurfControl Web Filter:


Procedure 2-2: Installing SurfControl Web Filter

Step Action

1 Locate the downloaded SurfControl Web Filter executable file (setup.exe)

2 Double-click setup.exe to start the installation process.

3 The InstallShield Wizard loads.

SurfControl Web Filter Setup screen

4 Welcome to SurfControl Web Filter

5 Click Next to continue.

License Agreement screen

6 Read the License Agreement

7 Do you agree to the terms?

• Yes, select I accept... Click Next to continue.

• No, select I disagree... Click Cancel to exit the installation process.

Display Readme File

SurfControl recommends you view the readme file. Click Yes to open the file. Click Next to continue after viewing the readme.

Setup Type

8 You have the option to install a version of Web Filter that meets legislation in some European countries that forbids user browsing details to be viewed without express management and union permission. Select this option if you wish to use this version of Web Filter. For more details see Chapter 5 - Privacy Edition of the Administrator’s Guide.

9 Click Next to Continue.


Customer Information screen

10 Enter a name into the User Name field.

11 Enter your company’s name in the Company Name field.

12 Enter the Serial Number for Web Filter and VCA, if available. If you are evaluating the product, leave these blank. You have 30 days to evaluate the product.

13 Click Next to continue.

Choose Destination Location screen

14 Select the folder where setup will install files. The default is:

C:\Program Files\SurfControl\Web Filter.

Choose another location by selecting Browse and navigating to a different location.

15 Click Next to continue.

Setup Type screen

16 Select Complete Product.

17 Click Next to continue.


Select Server Installation Options screen

18 If you want Web Filter to automatically monitor new users (recommended), select Automatically Monitor New Users.

19 If you want Web Filter to attempt to resolve user names based on the requesting IP address, select Enable User Name Support.

20 If you want to install VCA onto the Web Filter server, select Install Virtual Control Agent.

Note: SurfControl recommends installing VCA onto a different computer than the Web Filter server.

21 Select SurfControl Mobile Filter Administrator, if you want to be able to manage the Mobile Filter server from this computer.

Note: You must have the SurfControl Mobile Filter server installed on your network for the Administrator to work correctly.

22 If you want to install SurfControl Report Central, select Install SurfControl Web Filter Report Central. The installation of Report Central will start automatically after Web Filter has installed.

23 Click Next to continue.

Start Copying Files screen

24 Review your settings before starting the installation.

25 Click Next to continue.

Setup Status screen

26 Web Filter Setup is performing the requested operations.


Select MSDE/SQL Server Database screen

27 From the drop-down list, choose the server where the SQL database is running. You can also enter the name of a server here.

28 Select the Authentication method.

Note: SurfControl recommends using Windows authentication.

Note: If you choose Windows authentication, both the Web Filter server and the SQL server must be members of the same domain.

29 Click Next to continue.

Select MSDE/SQL Server Database screen

30 Choose the database you want to create.

Note: In most cases, you should use the default database (SurfControl_WebFilter); you can enter a new name, if necessary.

31 Click Next to continue.

32 Did you choose Windows Authentication to connect to a remote SQL Server database?

If Yes go to Step 33

If No go to Step 35

Select Account for Web Filter Service

33 Choose the domain account you want Web Filter to use when connecting to the remote SQL Server database when using Windows Authentication.

34 Click Next to continue.


System Administrator Notifications screen

35 Enter the e-mail server name or IP address.

36 Enter the recipient’s e-mail address.

37 Enter the ‘from’ e-mail address (using the default address supplied is suitable).

38 Choose the types of notification you want to receive.

39 Click Next to continue.

Note: You can change these settings following installation from the Web Filter Service Settings. See the Web Filter Service chapter of the Administrator’s Guide for more details.

SurfControl Report Central installation

40 The installation of Report Central will now start.

SurfControl Report Central Report Administrator setup

41 You need to set up an initial Report Administrator level user for Report Central. This user can then add other users and configure Report Central to suit your organization.

Enter a User name and a Password, which you need to confirm.

42 Click Next to continue.

Report Central Database update

43 For Report Central to give accurate results, its database needs to be updated before reports are run. You can perform this as part of the installation process, or from the Configuration > Database Connections > Update Tasks tab from Report Central.

44 Click Next to continue.

Setup Status

45 Report Central is performing the requested operations.


InstallShield Wizard Complete

46 The installation of Web Filter is complete.

47 Click Finish.

Information

48 You are now asked to complete your registration details for URL Category List updates.

Click OK to continue.

SurfControl Product Registration Screen

49 Complete the fields in the form

50 Click Register.

SurfControl Scheduler

51 You will see a dialog box informing you that a scheduled event has been created for your URL Category List updates.

Procedure 2-3: Installing EUM

Step Action

1 Make sure that the SurfControl WF server has a static IP address.

2 Make sure you have administrative privileges on all domain controllers where the UserAgent will be installed.


3 Make sure the SurfControl WF server is located in the correct domain.

4 Make sure the firewall or router allows traffic through the provisioned port (default is 61695).

5 For Windows NT domain controllers, make sure the security logs of the domain controllers are set to overwrite events, as needed.

6 Try to perform this procedure when there are few or no users on the network, or when a forced logoff can be scheduled. This ensures the fastest, most accurate detection of users.

Begin Installation

7 Launch the EUM installation (Programs > SurfControl Web Filter > Enterprise User Monitoring > Install Enterprise User Monitoring).

SurfControl Enterprise User Monitoring Installation screen

8 Click the Next button to start the installation.

Hostname screen

9 Enter the IP address of the SurfControl WF server.

Note: SurfControl recommends entering the IP address instead of the hostname.

10 Enter the port the User Agent and SurfControl WF service should use to communicate (default is 61695).

11 Click Next to continue.

Domain List screen

12 Select the domains you want to receive user data from.

13 Click Next to continue

Ignore User Accounts screen

14 Select the user accounts whose logon/logoffs do not need to be reported to SurfControl WF (i.e., SMS accounts).

15 Click Next to continue.

16 Select the domain controllers whose users’ logon/logoff activity SurfControl needs to monitor (this identifies the domain controllers where the UA will be installed).

Note: Failure to install EUM on all domain controllers can compromise the accuracy of user name resolution. If a domain controller is authenticating users, but not passing that data to SurfControl, user activity may be recorded under another user name.

17 Click Next to continue.

18 Installation onto Microsoft Windows 2000 domain controllers requires a reboot; SurfControl recommends performing a manual reboot.


19 You have successfully installed Enterprise User Monitoring.

Procedure 2-4: Install Netware EUM

Step Action

1 Ensure Novell Client was installed on the SurfControl server prior to Web Filter installation.

2 From SurfControl server, log on to the Novell server with administrative rights.

3 Go to the SYS volume and create a directory (for example, nweum)

Note: When creating the directory, use DOS8.3 naming conventions.

4 Under this directory, copy the files nweum.nlm and scua.ini from the SurfControl server to the Novell server.

5 From the Netware Server console, load the NLM by typing:

Load sys:\nweum\nweum.nlm

and pressing enter

Note: The system will not allow you to load the NLM if a copy is already running.


Procedure 2-5: Automatically loading NLM

Step Action

1 To automatically load the NLM every time the server is rebooted, edit the sys:\system\autoexec.ncf file.

2 You can edit this file using any text editor from the workstation or from the Netware Server by typing:

Load edit sys:\system\autoexec.ncf

3 Add the following line at the end of the file:

Load sys:\nweum\nweum.nlm

4 Save the file.

Procedure 2-6: Unloading NLM

Step Action

1 From the Netware Server console, type:

unload nweum.nlm


Procedure 2-7: Enabling the ICAP Client on the Cisco CE

Step Action

1 Go to the command line interface of the Cisco CE.

2 Enter the configuration mode:

ContentEngine# config

3 Enable ICAP:

ContentEngine(config)# icap apply all

4 Configure ICAP client to append the x-client-ip header:

ContentEngine(config)# icap append-x-headers x-client-ip

5 Configure ICAP client to append the x-server-ip header:

ContentEngine(config)# icap append-x-headers x-server-ip

6 Configure ICAP client to append the x-authenticated-user header (optional):

ContentEngine(config)# icap append-x-headers x-authenticated-user

Note: Your Content Engine must be configured to authenticate requests, if this is to work.

7 Enable ICAP logging (optional):

ContentEngine(config)# icap logging enable

8 Create the SurfControl ICAP Service:

ContentEngine(config)# icap service SurfControl

9 Enable the SurfControl ICAP Service:

ContentEngine(config-icap-service)# enable

10 Set the Cisco CE to return error on ICAP failure (optional):

ContentEngine(config-icap-service)# enable error-handling return-error

11 Set the ICAP vector point to reqmod-precache:

ContentEngine(config-icap-service)# vector-point reqmod-precache

12 Set the SurfControl ICAP Service Server:

ContentEngine(config-icap-service)# server icap://<ip address>:<port number>/SWFICAP

Note: <ip address> is the IP address of the machine on which SurfControl Web Filter for Cisco CE is installed, and <port number> is the port configured in SurfControl Web Filter for Cisco CE. Replace both placeholders with the correct values. Example: icap://192.168.1.10:1344/SWFICAP

13 Exit the configuration mode:

ContentEngine(config-icap-service)# exit

14 Write the configuration changes to memory:

ContentEngine# write memory
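A check for the finished Procedure 2-7 configuration, as an added example (not part of the SurfControl guide or of Cisco's tooling): it reads the commands as typed in the procedure, with or without prompts, and reports which required or optional settings are missing or malformed. The input layout, the function names and both sample sessions are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Commands Procedure 2-7 enters in global config mode; "optional" follows the guide's wording.
REQUIRED_GLOBAL = (
    "icap apply all",
    "icap append-x-headers x-client-ip",
    "icap append-x-headers x-server-ip",
)
OPTIONAL_GLOBAL = (
    "icap append-x-headers x-authenticated-user",
    "icap logging enable",
)


def parse_commands(text):
    """Split a pasted session or command list into global commands and per-service sub-commands."""
    global_cmds, services, current = [], {}, None
    for raw in text.splitlines():
        # Drop a CLI prompt such as "ContentEngine(config)#" if the line has one.
        line = raw.split("#", 1)[1] if "#" in raw else raw
        cmd = " ".join(line.split())
        if not cmd:
            continue
        low = cmd.lower()
        if low.startswith("icap service "):
            current = cmd.split()[2]
            services.setdefault(current, [])
        elif low == "exit":
            current = None
        elif current is not None and not low.startswith("icap "):
            services[current].append(cmd)  # keep case: the URL path is compared exactly
        else:
            current = None
            global_cmds.append(low)
    return global_cmds, services


def check_server_url(url):
    """Return a problem string, or None if the URL has the form icap://<ip>:<port>/SWFICAP."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
        ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return f"server URL has no valid IP address and port: {url}"
    if parts.scheme != "icap" or port is None or parts.path != "/SWFICAP":
        return f"server URL is not icap://<ip>:<port>/SWFICAP: {url}"
    return None


def audit(text, service="SurfControl"):
    """Return (severity, message) findings; an empty list means every step is present."""
    global_cmds, services = parse_commands(text)
    findings = [("required", f"missing: {c}") for c in REQUIRED_GLOBAL if c not in global_cmds]
    findings += [("optional", f"not set: {c}") for c in OPTIONAL_GLOBAL if c not in global_cmds]
    sub = services.get(service)
    if sub is None:
        findings.append(("required", f"missing: icap service {service}"))
        return findings
    low = [c.lower() for c in sub]
    if "enable" not in low:
        findings.append(("required", "service is not enabled"))
    if "vector-point reqmod-precache" not in low:
        findings.append(("required", "vector-point is not reqmod-precache"))
    if "enable error-handling return-error" not in low:
        findings.append(("optional", "no return-error on ICAP failure"))
    servers = [c.split(None, 1)[1] for c in sub if c.lower().startswith("server ")]
    if not servers:
        findings.append(("required", "no ICAP server URL"))
    for url in servers:
        problem = check_server_url(url)
        if problem:
            findings.append(("required", problem))
    return findings


# Constructed sample: every step of Procedure 2-7, using the guide's example URL.
GOOD_SESSION = """\
ContentEngine# config
ContentEngine(config)# icap apply all
ContentEngine(config)# icap append-x-headers x-client-ip
ContentEngine(config)# icap append-x-headers x-server-ip
ContentEngine(config)# icap append-x-headers x-authenticated-user
ContentEngine(config)# icap logging enable
ContentEngine(config)# icap service SurfControl
ContentEngine(config-icap-service)# enable
ContentEngine(config-icap-service)# enable error-handling return-error
ContentEngine(config-icap-service)# vector-point reqmod-precache
ContentEngine(config-icap-service)# server icap://192.168.1.10:1344/SWFICAP
ContentEngine(config-icap-service)# exit
ContentEngine# write memory
"""

# Constructed sample: steps skipped and the URL placeholders left unfilled.
BAD_SESSION = """\
ContentEngine(config)# icap apply all
ContentEngine(config)# icap append-x-headers x-client-ip
ContentEngine(config)# icap service SurfControl
ContentEngine(config-icap-service)# enable
ContentEngine(config-icap-service)# server icap://<ip address>:<port number>/SWFICAP
ContentEngine(config-icap-service)# exit
"""

if __name__ == "__main__":
    for severity, message in audit(BAD_SESSION):
        print(f"{severity:9} {message}")
```
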


Procedure 2-8: Installing the Web Filter Administration Client

Step Action

1 Locate the downloaded SurfControl Web Filter executable file (setup.exe)

2 Double-click setup.exe to start the installation process.

3 The InstallShield Wizard loads.

SurfControl Web Filter Setup screen

4 Welcome to SurfControl Web Filter

5 Click Next to continue.

License Agreement screen

6 Read the License Agreement

7 Do you agree to the terms?

• Yes, select I accept... Click Next to continue.

• No, select I disagree... Click Cancel to exit the installation process.

Display Readme File

SurfControl recommends you view the readme file. Click Yes to open the file. Click Next to continue after viewing the readme.

Setup Type

8 You have the option to install a version of Web Filter that meets legislation in some European countries that forbids user browsing details to be viewed without express management and union permission. Select this option if you wish to use this version of Web Filter. For more details see Chapter 5 - Privacy Edition of the Administrator’s Guide.

9 Click Next to Continue.


Customer Information screen

10 Enter a name into the User Name field.

11 Enter your company’s name in the Company Name field.

12 Enter the Serial Number for Web Filter and VCA, if available. If you are evaluating the product, leave these blank. You have 30 days to evaluate the product.

13 Click Next to continue.

Choose Destination Location screen

14 Select the folder where setup will install files. The default is:

C:\Program Files\SurfControl\Web Filter.

Choose another location by selecting Browse and navigating to a different location.

15 Click Next to continue.

Setup Type screen

16 Select Remote Administration.

17 Click Next to continue.


Select Server Installation Options screen

18 If you want Web Filter to automatically monitor new users (recommended), select Automatically Monitor New Users.

19 If you want Web Filter to attempt to resolve user names based on the requesting IP address, select Enable User Name Support.

20 If you want to install VCA onto the Web Filter server, select Install Virtual Control Agent.

Note: SurfControl recommends installing VCA onto a different computer than the Web Filter server.

21 Select SurfControl Mobile Filter Administrator, if you want to be able to manage the Mobile Filter server from this computer.

Note: You must have the SurfControl Mobile Filter server installed on your network for the Administrator to work correctly.

22 If you want to install SurfControl Report Central, select Install SurfControl Web Filter Report Central. The installation of Report Central will start automatically after Web Filter has installed.

23 Click Next to continue.

Start Copying Files screen

24 Review your settings before starting the installation.

25 Click Next to continue.

Setup Status screen

26 Web Filter Setup is performing the requested operations.


Select MSDE/SQL Server Database screen

27 From the drop-down list, choose the server where the SQL database is running. You can also enter the name of a server here.

28 Select the Authentication method.

Note: SurfControl recommends using Windows authentication.

Note: If you choose Windows authentication, both the Web Filter server and the SQL server must be members of the same domain.

29 Click Next to continue.

Select MSDE/SQL Server Database screen

30 Choose the database you want to create.

Note: In most cases, you should use the default database (SurfControl_WebFilter); you can enter a new name, if necessary.

31 Click Next to continue.

InstallShield Wizard Complete

32 The installation of Web Filter is complete.

33 Click Finish.


Procedure 2-9: Serializing SurfControl WF

Step Action

1 From the system tray, right-click on the SurfControl WF icon and select About.

2 Click Serialize.

3 Enter the serial number.

4 Click OK to continue.

5 Click OK to continue.

6 You have successfully serialized SurfControl WF.

Procedure 2-10: Serializing VCA

1 Launch the VCA (Programs > SurfControl Web Filter > Virtual Control Agent).

2 From the title bar, right-click the VCA icon and select About SurfControl Virtual Control Agent.

3 Click Serialize.

4 Enter the serial number.

5 Click OK to continue.

6 Click OK to continue.

7 You have successfully serialized VCA.


Chapter 3 Further Configuration

• Configuring Services

• Database creation

• Virtual Control Agent

• Performance Tuning

• Troubleshooting


Configuring Services

To enable the ICAP service for Cisco CE and SurfControl Web Filter to connect to each other, various settings may need to be configured within SurfControl Web Filter. To change the default settings, access the Service Settings dialog box in the following way:

Procedure 3-1: Setting up the ICAP Server

1 Right-click on the Web Filter icon in the system tray.

2 Select the Advanced tab and select the ‘Monitor to flat file (manual update)’ option. This will optimize network speed.

Note: For detailed information about this and the other tabs on the Service Settings dialog, see the Web Filter Services section of the Administrator’s guide.

3 Stop and start the service for the changes to take effect.


Database creation

This section explains how to set up a new SurfControl Web Filter Database.

CREATING A SQL SERVER DATABASE

In order to create a SQL Server database to be used by SurfControl, you need a valid SQL account on the SQL Server. You can create the database using the built-in sa account, with the password that you specified during installation (if you opted to change it); in this instance you create the database in the same way as you would an MSDE database (see section 3.2.2 Creating a MSDE Database for more details). If, however, you are unable or unwilling to use the ‘sa’ account for whatever reason, you must create a new user account before creating the SQL database:

Procedure 3-2: Creating the Account

1 First stop the SurfControl Web Filter service and make sure that you have all of the SurfControl components (Monitor, Rules Administrator etc.) closed.

2 Open the SQL Enterprise Manager from the Microsoft SQL Server Start menu.

3 Click on the ‘+’ sign in front of the SQL server name to expand the tree.

4 Click on the ‘+’ sign in front of Security and choose Logins from the expanded tree. Right-click on ‘Logins’ and select ‘New Login’.

5 In the dialog that follows:

- Select the General tab and enter a name for your new account.

- Select the ‘SQL Server authentication’ radio button and enter a password in the ‘Password’ edit field.

- Select the ‘Server Roles’ tab. Check the Database Creators key.

6 Click OK.

Procedure 3-3: Creating the Database

1 Choose Database Tools/Create MSDE SQL Server Database from the SurfControl Start menu.

2 This will launch the Create SurfControl Web Filter Database Wizard that will guide you through the steps involved in creating a SQL Server database for use with SurfControl Web Filter.


Procedure 3-4: Setting up Access to the Database

1 Open the SQL Enterprise Manager from the Microsoft SQL Server Start menu.

2 Click on the ‘+’ sign in front of the SQL Server name to expand the tree.

3 Click on the ‘+’ sign in front of Security and choose Logins from the expanded tree.

4 Right-click on your newly created login from the list of available logins and select Properties.

5 Select the Database Access tab in the dialog that follows then select your newly created SurfControl database.

6 In the ‘Database Roles’ section ensure that both ‘Public’ and ‘db_owner’ are checked.

7 Click OK.

Procedure 3-5: Accessing your new database

1 On the machine from which you wish to access the database, select Database Tools/Select Database on the SurfControl Start menu. You will now see the Select SurfControl Database dialog:

• If you wish to set this as the default database to be used by the SurfControl Monitor, select the Monitor tab.

• If you wish to set this as the default database to be used by the SurfControl Rules Administrator, select the Rules Administrator tab.

2 Click the Browse button.

3 This will launch the SQL Server Login where you can navigate to your new database. Click Connect to SQL Database to expand the dialog. The expanded dialog will enable you to enter details of the machine where your database is located.

4 In the ‘Server’ edit field enter the name of the server where the database is installed. This name will be saved in the list for ease of access next time. Up to ten names can be stored in this way.

5 Select your new database from the ‘Database’ list. Click OK.


Creating the SQL Server Account

After you install both SQL Server and SurfControl Web Filter, you must provide a SQL Server login for SurfControl to use when connecting to the database.

Note: You must use this SQL Server login to create the SQL database. Furthermore if users are to use the Select Database utility then they must again use this account rather than the sa account. This is the only account that should be used with the Rules Administrator.

Procedure 3-6: Create a SurfControl Web Filter User Account

1 On the server that is running Microsoft SQL Server, choose Microsoft SQL Server Enterprise Manager on the Start menu.

2 In the Management console, open the tree properties until you can select the icon for the server you are working from. Under there should be a list of folders including two called Databases and Security.

3 Open the Security folder and select the Logins property. You should see in the right pane a list of the current logins available for SQL Server.

4 Right-click in the space below and select New Login from the dialog box. From here you can create a new user account for SurfControl to use when connecting to the database.

5 At the top of the first page add the new name for the login (e.g.: surfadmin). You will need to choose a form of authentication. Select the SQL Server authentication and then you can either choose to add a password or leave it blank. If you add a password you will be requested to confirm this later on. From the third option on this page, 'Defaults', select from the database menu the SurfControl Web Filter database. Leave the language option set to default. The second tab on this dialog, titled 'Server Roles', should be left with no properties highlighted.

6 In the Database Access tab, select the SurfControl database and then in the menu below 'Permit in Database Role' select the top two options: 'public' and 'db_owner'. No other properties need to be selected. Click OK to create the new user account.

7 Next you will need to modify the SurfControl database. Right-click on the previously created database in the Databases folder and select Properties.

8 Go to the 'Options' tab and select the 'Restrict Access' check box. Click OK. You will now be able to open the SurfControl Monitor using the new user login.

Procedure 3-7: Creating a MSDE Database

1 Select Database Tools/Create MSDE SQL Server Database from the SurfControl Start menu.

2 This starts the Database Creation Wizard that will guide you through the steps involved in creating a MSDE database for use with SurfControl.


3 The first information that you will be asked for is the server where you wish to create the database and the type of authentication that this machine requires:

• Use Trusted Authentication - selecting this check box will mean that your Windows user name and password will be used.

• SQL authentication - if you don’t select the ‘Use Trusted Authentication’ check box, you will need to enter a valid SQL account name and password.

4 Enter a name for the new database then check the remaining options as required:

• Use default file locations - this will store the database file and the transaction log file on the server. If you wish to store these files elsewhere then you need to uncheck this option and specify a location for these files in the dialog that follows.

• Set as the Web Filter Service default database - the Web Filter Service will set this database as the default for the Monitor and Rules Administrator applications.

• Restart the Web Filter Service with this database - the Web Filter Service will automatically start to write to this database once you have created it.

• Populate with sample monitored data - shows a full database of sample data that can be used to try out reports and Monitor settings. This is useful when you are getting to know the product and either do not have or do not wish to use an existing full database.

5 The Finish dialog will indicate that you have created a new database.


Virtual Control Agent

INSTALLATION

The default option during a Remote Administrator installation is to not install the VCA, as you should only have one VCA installation per Monitor database. If you did not install the Virtual Control Agent when installing Web Filter, or wish to uninstall it, highlight the SurfControl Web Filter entry in the Add/Remove Programs menu from the Windows Control Panel and click the Change/Remove button. Choose the Modify option from the first screen. Click Next and the VCA should be selected (to install). Clear the check box to uninstall. Click Next and follow the prompts.

If you need to enter the VCA Serial Number, you can do so while the VCA window is open.

Note: You should stop the SurfControl Web Filter service and all other applications before installing or uninstalling the VCA.

Procedure 3-8: Post Installation Activation

1 Select VCA from the SurfControl Web Filter group on the Start menu.

2 Right-click on the VCA icon in the upper-left corner of the VCA window, then select About SurfControl Web Filter Virtual Control Agent from the pop-up menu.

3 Click Serialize in the About box.

4 Enter the serial number in the dialog, then click OK.

Note: SurfControl Web Filter VCA running in evaluation mode will not update the SurfControl Web Filter database. However, it will give feedback on totals of sites that would be categorized when activated.


CONFIGURING THE VCA

Configuration of the VCA is carried out within the Settings tab of the SurfControl VCA dialog. Within this dialog you can configure the following:

• Spider Settings

• Proxy Settings

The Spider Settings

The Settings tab enables you to control how the VCA will handle connections and pages during classification runs.

Observe Robot Exclusion Policy - some sites contain a text file that describes exactly what each spider (or robot) can access on the site. If you choose to ignore this policy then the spider will try to access unauthorized areas on the site. This may result in your IP address being banned by the site.

Impersonate Internet Explorer - if you select this item the VCA will identify itself as Internet Explorer when making requests to servers. If you uncheck this item then the VCA will identify itself as SurfControl Web Filter. Some sites are inaccessible unless you impersonate Internet Explorer. Alternatively, sites can also ignore requests that originate from SurfControl Web Filter.

Cache retrieved web pages - adds any pages directly retrieved during the VCA run to the local web page cache, if available.

Retrieve pages from cache - enables VCA to use locally cached versions of pages on a site, rather than having to go out and retrieve current versions directly from the site to be classified.

The Proxy Settings

The Proxy Settings are available on the Settings tab of the VCA.

If the VCA will be accessing the Internet through a Microsoft Proxy Server, you should select the ‘Use Proxy’ setting check box.

The General Settings section

The General Settings section contains a check box entitled 'Submit details of VCA categorized sites to SurfControl'. If you check this box then as VCA categorizes 'None' sites it will send these sites with their new categorization to SurfControl.

Research staff examine these sites to check that the categorization applied by VCA is correct. Once these categorizations are verified the URLs are added to the Category Database to ensure that it always contains the most comprehensive and up-to-date information.

Note: If you want the VCA to use NT Authentication when going through the Proxy Server, check the Use NT Authentication box setting. If you do not want to use NT Authentication then supply a User Name and Password.


UPGRADING THE VCA

If you did not have VCA installed on a previous version of SurfControl Web Filter and you now wish to upgrade this version then VCA will not be installed during the normal upgrade process. VCA will need to be installed manually.

To install the VCA manually:

If you did install VCA on a version of SurfControl Web Filter that you now wish to upgrade then VCA will be upgraded along with the rest of the Web Filter product. However this will only happen if the version of VCA that you have is the following: SurfControl Virtual Control Agent 4.0.2.2

Procedure 3-9: Running the Upgrade process

1 Navigate to the SurfControl Web Filter installation directory where you will find a folder containing the VCA components.

2 Double-click the VCA setup.exe file.

3 Follow the on-screen prompts to install the VCA.


Performance Tuning

There are a number of factors to take into account when deploying SurfControl Web Filter on your network, which relate to the choice of server, number and locations of servers, and configuration options. The first thing to understand is the components within a server that affect performance:

• CPU - A faster CPU or multiple CPUs will improve processing throughput.

• RAM - A larger amount of memory will improve performance through better buffering.

• Disk Subsystem - Probably the most important factor, a faster disk system (SCSI, SCSI II etc.) will improve throughput.

• Virus checkers and services - Disable any that are not needed.

SYSTEM WORKLOAD ISSUES

What size and strength of system your monitoring requires depends on the amount of traffic (packets per second) that you need to monitor since the biggest impact on performance is the recording of monitored packets to the SurfControl database. Understanding the volume of network traffic, the mix of protocols, and the level of detail you want to monitor will help in sizing the correct system.

As a hypothetical example, a network might have on average 600 packets a second passing by the SurfControl Monitor. These could break down into the following percentages:

• HTTP (web access) - 70%

• FTP - 15%

• Telnet - 10%

• SMTP - 5%

Monitoring Options

If you are not interested in monitoring telnet, you can disable this protocol in the SurfControl Web Filter Monitor. Doing this reduces the workload for SurfControl Web Filter.

You can further reduce the workload by deciding not to monitor certain workstations (this does not stop your ability to control those workstations' access from the Rules Administrator). This can be done through the Monitor user interface. For instance, if you have a web server inside your firewall you may not wish to see all the traffic associated with that system.

You can also reduce the amount of monitoring for each connection by recording only the top-level domain and not individual graphics that typically get accessed.

Other Performance Options

You can also control other performance factors, such as:

• Disable the monitor all HTTP traffic setting (will only monitor top level domain information).

• Disable SmartScan.


• Disable username support (if you have not implemented NT or NDS user names across your network you may only require a hostname).

• Lengthen the time between checking if a new user has logged in on a workstation.

If you have workstations on your network that don't have an entry in your DNS Server, you will suffer a performance penalty. SurfControl Web Filter will attempt to resolve the workstation name, which ultimately results in a timeout from the DNS Server that will slow the service. This applies not only to internal workstations, but also to external workstations that enter your network. You may see a lot of external workstations registering in the Monitor if you have a Web Server, FTP Server or E-mail Server on the monitored network. You can disable the workstation name resolution to speed up performance by deselecting the Enable Workstation name resolution option.

Performance Factors

There are other factors that come into play, and other options you can deploy in tuning the system. The size of the monitored database can also impact performance. Another factor is the demand for reporting as well as recording; high reporting requirements can impact system performance.

DISTRIBUTING SERVICES AND MULTIPLE COLLECTORS

Your network may have such a large volume of traffic that no one system can handle it. In these instances you can deploy multiple Servers. These Servers can be physically deployed on different segments if you have a switched network, or they can be configured to only monitor certain subnets (using the SurfControl Web Filter Service). You are then able to balance the load across Servers.

This will result in separate monitor databases on each Server. This may be a good solution if you want to delegate control to departments or groups, as they will be able to monitor and control their own Internet Access Policy.

However, if you wish to use a single database to view and produce reports, you will need to consolidate the information. This can be done in one of two ways:

• Use flat files at each of the SurfControl Servers (in this case known as collectors). Then use the SurfControl 'Database Updater' process to write the flat files from each of the 'collectors' to a single database.

• Configure both collectors to simultaneously write directly to the single database.

When you initially configured a standalone Content Engine, you chose an initial interface and either configured it for DHCP, or gave it a static IP address. You can configure the Content Engine to load-balance ICAP requests to multiple Web Filter servers. For information on how to do this see Chapter 15 of the ‘Cisco ACNS Software Configuration Guide for Locally Managed Deployments.’

Note: with SurfControl WF for Cisco CE you can load balance multiple Web Filter servers. See “ICAP service Load balanced” on page 55 for an example on how to do this.


Troubleshooting

This section covers some problems that may occur during or after installation of SurfControl.

TROUBLESHOOTING EUM ISSUES

If you are having difficulties making EUM work correctly, please check these items before contacting SurfControl Support:

• After installing the EUM agent, make sure that all domain users log out and then back into the domain because the agent will not pick up previously logged-in users.

• Check the security logs on the domain controllers to ensure that the user has indeed logged on.

• Ensure that the agent is installed on all domain controllers that authenticate users.

Procedure 3-10: What to do if no data is being collected

1 Check that the Web Filter service is running. The SurfControl Web Filter icon in the System Tray should appear in color. If it is grayed out, the service is not running.

2 To start the service, right-click on the SurfControl icon in the Windows taskbar status area and select Start Web Filter Service on the popup menu.

3 If the service will still not start or you experience further problems, please contact SurfControl Support.


Chapter 4 Cisco Configuration

• Specifics

• Sample Deployments


Specifics

The following sections have been taken from Cisco documentation.

INSTALLATION OF THE CISCO CE RUNNING ACNS*

The focus of the installation discussion is intended for administrators who want to configure, manage, and monitor locally deployed Content Engines that are running the Cisco Application and Content Networking System (ACNS) 5.2.3 software. The administrator should be familiar with Cisco router and switch configuration. An understanding of caching concepts is also necessary.

The Content Engine GUI allows an organization to remotely configure, manage, and monitor locally deployed Content Engines through its browser. The Content Engine CLI allows an organization to configure, manage, and monitor a locally deployed Content Engine through a console connection or a terminal emulation program. The Content Engine GUI or CLI can be used to configure and manage a locally deployed Content Engine. The Content Engine GUI has context-sensitive online help that can be accessed by clicking the Help button.

*Cisco Documentation: Cisco ACNS Caching & Streaming Configuration Guide Release 5.1

SETTING UP THE RULES ON THE CONTENT ENGINE FOR THE JOINT SOLUTION**

From a Cisco perspective, content is the fundamental element of the ACNS network as it represents all the data that the ACNS network handles. Content can be static application data or a media stream and can be associated with a file type and file extension. Categorically, content can also be on-demand, pre-loaded, pre-positioned or live.

Content caching with filtering and access control is defined as the saving and storing of information locally. Copies of recently requested content are stored temporarily on a Content Engine in locations topologically closer to the web client (the end user who is requesting the content). The content is readily available to be reused for subsequent client requests for the same content. Content Engines that have ACNS 5.2.3 software installed support content caching with filtering and access control. Content caching is also referred to as “network caching”.

**Cisco Documentation: Cisco ACNS Caching & Streaming Configuration Guide Release 5.1, chapter 1

Note: To initially configure a Content Engine as a locally deployed device, it is necessary to turn off the autoregistration feature so that the Content Engine will not automatically register with the Content Distribution Manager, and thereby can be individually managed through the ACNS software command-line interface (CLI) or the Content Engine graphical user interface (GUI) as a locally deployed device.


TYPES OF CONTENT SERVED IN AN ACNS NETWORK**

Cisco categorizes content served in an ACNS network as being one of the following three choices:

On demand: - Content that is acquired, cached and delivered because of a user request (client-triggered demand). When the first client request is made for the content, it is retrieved from the origin web server and is served to the client by way of the best-suited Content Engine, which also stores or caches the content.

Preloaded: - Content that is retrieved and stored on an individual Content Engine because the administrator of that Content Engine scheduled a retrieval of specific content in anticipation of user requests for that content. Content Engines can be configured to preload specific content items using HTTP. Web sites are scanned several link levels down for content. The product scans for content 10 levels down for the initial website link. Preloaded content can be configured with specified bandwidth limits for better control of network usage. Content that is retrieved and distributed through a network of centrally managed Content Engines because the ACNS network administrator has configured acquisition and distribution of content in anticipation of user requests. Used as a means of distributing content to populate Content Engines in a centrally managed ACNS network environment.

Pre-positioned: - Bandwidth-intensive content objects, such as Java applets, Macromedia Flash animations, Shockwave programs, and other file formats can be managed and scheduled for distribution to Content Engines during off-peak hours.

**Cisco Documentation: Cisco ACNS Caching & Streaming Configuration Guide. Release 5.1, chapter 1

CONTENT CACHING SERVICE WITH FILTERING AND ACCESS CONTROL***

Nothing is more frustrating to Internet users than waiting for a web page to load in their browser. A number of factors contribute to slow delivery of web content, including Internet congestion, web server overload, and slow-speed WAN access lines. One cost-effective solution to reduce slow web access and latency is to “push” content out to the edges of the Internet and closer to the end users.

Because of their special position as “in-line” devices between the end users (web clients) and the Internet, Content Engines can be easily configured for network caching. Bandwidth usage and web latency are significantly reduced because frequently accessed Internet content is locally cached and served by the Content Engine at each location. Content Engines can be configured to provide network caching with filtering and access control.

User Authentication and Content Filtering

Content Engines can be configured to perform a number of content filtering services. Once the Content Engine receives a request, it performs the following tasks:

• Passes the IP address of the client to SurfControl Web Filter for Cisco CE. If it is configured to do so, SurfControl Web Filter uses its Enterprise User Monitor (EUM) to correlate the IP address and the user name for Windows-based user authentication. The EUM needs to be installed on the Active Directory Server or Netware server in order to communicate with SurfControl Web Filter.

• Passes the request through SurfControl Web Filter for Cisco CE for content filtering.

• Compares content against configured rules and either blocks the page or sends back the unmanipulated request.

***Cisco Documentation: Cisco ACNS Caching & Streaming Configuration Guide, Release 5.1, chapter 13


Sample Workflow of Configuring ICAP Services on a Content Engine****

ICAP can be configured using a telnet connection to the Content Engine.

The following is a sample workflow of how to define and enable ICAP services for SurfControl Web Filter for Cisco Content Engine on a locally deployed Content Engine:

1 Use the icap apply {all | rules-template} command to specify which ICAP services should be performed on which requests that are received by the Content Engine. To configure the ICAP service for SurfControl, use the icap apply all command to instruct the Content Engine to run all of the ICAP services on all of the HTTP requests that it receives.

2 Use the icap logging enable command to turn on the ICAP-related transaction logging, which is available in the local1/logs/icap/ directory.

3 Use the icap append-x-headers command to specify the ICAP extension headers that are passed to the ICAP server with every REQMOD request. Use the x-header x-client-ip to enable sending the source IP address of each HTTP request to the ICAP server (SurfControl Web Filter for Cisco CE).

    ContentEngine(config)# icap append-x-headers x-client-ip

4 Use the x-header x-server-ip to enable the sending of the destination IP address of each HTTP request to the ICAP server (SurfControl Web Filter for Cisco CE).

    ContentEngine(config)# icap append-x-headers x-server-ip

5 Configure the ICAP client to append the X-Authenticated-User header (this step is optional):

    ContentEngine(config)# icap append-x-headers x-authenticated-user

6 Use the icap service service-id command to configure and enable various ICAP services on this Content Engine.

    #config
    (config)# icap service surfcontrol
    (config-icap-service)# enable
    (config-icap-service)# vector-point reqmod-precache
    (config-icap-service)# server icap://172.19.227.150:1344/SWFICAP
    (config-icap-service)# exit
    (config)# exit


7 The following is a sample workflow of how to define and enable ICAP services for SurfControl Web Filter for Cisco CE on a locally deployed Content Engine:

    # config
    (config)# icap apply all
    (config)# icap logging enable
    (config)# icap append-x-headers x-client-ip
    (config)# icap append-x-headers x-server-ip
    (config)# icap append-x-headers x-authenticated-user
    (config)# icap service surfcontrol
    (config-icap-service)# enable
    (config-icap-service)# vector-point reqmod-precache
    (config-icap-service)# server icap://172.19.227.150:1344/SWFICAP
    (config-icap-service)# exit
    (config)# exit
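What steps 3 to 5 put on the wire, as an added example that is not part of the original guide: a constructed REQMOD message carrying the three extension headers, and a parser that extracts and validates them the way a filtering server or a log reviewer would. The header spellings, the base64 WinNT:// form of X-Authenticated-User, and the client, destination and user values are assumptions following RFC 3507 and the ICAP extensions draft; only the service URI comes from the guide.

```python
import base64
import ipaddress

# Constructed sample of a REQMOD message with the three extension headers.
HTTP_HDR = b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
USER_B64 = base64.b64encode(b"WinNT://EXAMPLE/jdoe")  # assumed encoding and format
SAMPLE_REQMOD = (
    b"REQMOD icap://172.19.227.150:1344/SWFICAP ICAP/1.0\r\n"
    b"Host: 172.19.227.150:1344\r\n"
    b"X-Client-IP: 10.1.1.25\r\n"
    b"X-Server-IP: 192.0.2.80\r\n"
    b"X-Authenticated-User: " + USER_B64 + b"\r\n"
    b"Encapsulated: req-hdr=0, null-body=" + str(len(HTTP_HDR)).encode() + b"\r\n"
    b"\r\n" + HTTP_HDR
)


def parse_reqmod(raw: bytes) -> dict:
    """Return the service URI, extension headers and embedded HTTP request line."""
    icap_part, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = icap_part.decode("ascii").split("\r\n")
    method, uri, version = lines[0].split(" ")
    if method != "REQMOD" or version != "ICAP/1.0":
        raise ValueError("not an ICAP/1.0 REQMOD request")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    # Encapsulated gives byte offsets of each section that follows the ICAP headers.
    offsets = dict(p.strip().split("=") for p in headers["encapsulated"].split(","))
    start = int(offsets.pop("req-hdr"))
    end = min(int(v) for v in offsets.values())  # req-body or null-body offset
    request_line = encapsulated[start:end].split(b"\r\n")[0].decode("ascii")
    result = {"service": uri, "http_request": request_line, "user": None}
    # Parse the addresses so a malformed value is rejected, not logged or matched raw.
    for key in ("x-client-ip", "x-server-ip"):
        result[key] = str(ipaddress.ip_address(headers[key])) if key in headers else None
    if "x-authenticated-user" in headers:  # optional, see step 5
        raw_user = headers["x-authenticated-user"]
        result["user"] = base64.b64decode(raw_user, validate=True).decode("utf-8")
    return result


if __name__ == "__main__":
    for field, value in parse_reqmod(SAMPLE_REQMOD).items():
        print(f"{field}: {value}")
```

Without x-client-ip the ICAP server sees every request as coming from the Content Engine, so per-client policy and reporting depend on these headers being appended.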

ICAP service Load balanced

There are different configuration options available for load balancing for the Cisco CE:

• Client IP hash - Uses a hash-based algorithm based on the client IP address for load balancing the ICAP servers in the cluster.

• Round-robin - Uses the round-robin method in which ICAP servers take turns processing HTTP requests.

• Server IP hash - Uses a hash-based algorithm based on the server IP address for load balancing among the ICAP servers in the cluster.

• Weighted - Uses a farm of ICAP servers with different load capacities.

The following shows the configuration of load balancing using the round-robin method:

1
    # config
    (config)# icap apply all
    (config)# icap logging enable
    (config)# icap append-x-headers x-client-ip
    (config)# icap append-x-headers x-server-ip
    (config)# icap append-x-headers x-authenticated-user
    (config)# icap service surfcontrol
    (config-icap-service)# enable
    (config-icap-service)# load-balancing round-robin
    (config-icap-service)# vector-point reqmod-precache
    (config-icap-service)# server icap://172.19.227.150:1344/SWFICAP
    (config-icap-service)# server icap://172.19.227.155:1344/SWFICAP
    (config-icap-service)# exit
    (config)# exit

**** Reference: Cisco Documentation: Cisco ACNS Caching & Streaming Configuration Guide, Release 5.2, chapter 11
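How the four load-balancing options above change which ICAP server sees a given client's requests, as an added simulation that is not part of the original guide or of Cisco's code. The SHA-256 bucket and the simple weighted rotation are stand-ins for the Content Engine's own algorithms, and the client and destination addresses are constructed; the two server URIs are those from the round-robin configuration.

```python
import hashlib
from itertools import cycle

SERVERS = ["icap://172.19.227.150:1344/SWFICAP",
           "icap://172.19.227.155:1344/SWFICAP"]

# Constructed traffic: two clients, each requesting the same two destinations.
REQUESTS = [("10.1.1.25", "192.0.2.80"), ("10.1.1.25", "198.51.100.7"),
            ("10.1.1.26", "192.0.2.80"), ("10.1.1.26", "198.51.100.7")]


def _bucket(ip: str, n: int) -> int:
    # Stand-in hash (assumption): any stable hash shows the same stickiness.
    return int.from_bytes(hashlib.sha256(ip.encode()).digest()[:4], "big") % n


def assign(requests, method, weights=None):
    """Return the ICAP server chosen for each (client_ip, server_ip) request."""
    if method == "round-robin":
        ring = cycle(SERVERS)
        return [next(ring) for _ in requests]
    if method == "weighted":
        # Assumed model: a server with weight w takes w turns per rotation.
        ring = cycle([s for s, w in zip(SERVERS, weights) for _ in range(w)])
        return [next(ring) for _ in requests]
    field = {"client-ip-hash": 0, "server-ip-hash": 1}[method]
    return [SERVERS[_bucket(req[field], len(SERVERS))] for req in requests]


def servers_seen_per_client(requests, chosen):
    """Map each client IP to the set of ICAP servers that handled its requests."""
    seen = {}
    for (client, _), server in zip(requests, chosen):
        seen.setdefault(client, set()).add(server)
    return seen


if __name__ == "__main__":
    for method in ("round-robin", "client-ip-hash", "server-ip-hash"):
        chosen = assign(REQUESTS, method)
        print(method, servers_seen_per_client(REQUESTS, chosen))
```

With round-robin a single client's activity is spread across both filter servers, so reviewing that client means consulting both; client IP hash keeps it on one.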


Sample Deployments

CUSTOMER EXPECTATIONS

The combination of SurfControl Web Filter for Cisco CE and the Cisco CE running ACNS 5.2.3 accelerates the availability of appropriate Internet content by incorporating value-added Web services at the edge of an organization’s network with speed, accuracy, reliability and through a standards-based process. This standard form of communication between edge devices and network-based applications provides customers with the efficiency, bandwidth, information system asset protection and communications infrastructure required for the dynamic business climate in which they are involved.

CONTENT ENGINE LOCAL DEPLOYMENT SCENARIOS *****

Transparent Caching

In transparent caching, the user is not aware of the presence of the Content Engine. The user (web client) requests content (web objects) directly from the source (origin web server) by entering the URL of the origin server in a browser. This request is intercepted by a WCCP-enabled router or a Layer 4 CSS switch.

By supporting WCCP Version 2 or by interoperating with Cisco Content Services Switch (CSS) 11000 series switches, a Content Engine can achieve a basic level of transparency that includes:

• Transparent receipt of content traffic

• Fault tolerance

• Scalable clustering

Figure 4-1 shows how transparent caching through a WCCP-enabled router and Content Engine works.

1 A user (web client) requests a web page from a browser.

2 The WCCP-enabled router analyzes the request, and based on the TCP destination port number, determines whether it should transparently redirect the request to the Content Engine.

3 If the request is transparently redirected to the Content Engine, the following occur:

– If the Content Engine does not have the requested content, it sets up a separate TCP connection to the origin web server to retrieve the content.

– The content returns to, and is stored on, the Content Engine.

4 The Content Engine sends the requested content to the web client. Upon subsequent requests for the same content, the Content Engine transparently fulfills the request from its local storage (cache).


Figure 4-1 Transparent Caching Through WCCP-Enabled Router

Proxy (nontransparent) Caching

In nontransparent (proxy-style) caching, the user (web client) specifically sends all requests to the Content Engine, which acts as a proxy for the web client.

Figure 4-2 shows how the Content Engine caches content in proxy mode.

1 A user (web client) requests a web page from a browser.

2 If the Content Engine does not have the requested content (cache miss) the following occur:

– It sets up a connection to the origin web server to retrieve the content.

– The content returns to, and is stored on, the Content Engine.

3 The Content Engine sends the content to the user.

4 Upon subsequent requests for the same content by the same user or a different user, the Content Engine transparently fulfills the request from its local storage (cache hit).


Figure 4-2 Web Caching with the Content Engine in Proxy Mode

***** Reference:

http://www.cisco.com/univercd/cc/td/doc/product/webscale/uce/acns51/cache51/overview.htm

Note: SurfControl Web Filter has not been tested with Cisco CE in Reverse Proxy mode.
