Web Protection Connector
Transcript of Web Protection Connector
-
7/27/2019 Web Protection Connector
1/22
WDS ConnectorSM
Installation Guide
Product Version: 6.9
Document Date:
02/2011
Proprietary and Confidential
WDS ConnectorSM Installation Guide - Product Version: 6.9
Proprietary and Confidential 02/11 Page 2
TABLE OF CONTENTS
1 INTRODUCTION
1.1 Requirements for installation
1.2 Download the WDS Connector Setup Wizard
1.3 Run the WDS Connector Setup Wizard
1.4 Set up users for the WDS Connector
2 REINSTALLING THE WDS CONNECTOR
3 AD CONFIG EDITOR
4 UNINSTALLING THE WDS CONNECTOR
5 MANAGING THE WDS CONNECTOR LOGS
5.1 Turning on the WDS Connector Logs
5.2 Viewing the WDS Connector Logs
6 ENABLING NTLM ON WINDOWS CLIENTS
1 Introduction
The WDS ConnectorSM, which is an enhancement to the Web Protection Service, allows users to access the web through Web Protection using existing local network domain credentials. This capability, known as transparent authentication, eliminates the need for Web Protection to authenticate a user each time the user opens a browser. Instead, Web Protection validates the user automatically whenever the user opens a browser. Administrators of the Web Protection service can continue to apply group policies to users, as well as track individual web usage, threats, and more.
1.1 Requirements for installation
Before you install WDS Connector, ensure that the following requirements are met:
- Web Protection service must be enabled.
- A Domain Controller must reside within the customer's Intranet and must be running Active Directory. You need the DNS name or IP address of this controller.
- Each user that WDS Connector authenticates must have an account in Active Directory. That account must contain the same email address that the Web Protection Control Console contains.
- You must have Customer Administrator or higher privileges on the Web Protection Control Console.
- The local Intranet must contain a Windows server that can run the WDS Connector software and serve as a proxy server. This server must meet the following requirements:
  - The server must be running Windows Server 2003 or higher software and Microsoft Management Console (MMC) Services snap-in.
  - All available updates for the server's version of Windows must also be installed.
  - The firewall on the proxy server must allow access by user clients. Specifically, port 3128 tcp must be open outbound to the internet.
  - The proxy settings in Internet Explorer on the proxy server must be turned off for installation.
  - The time clock of the proxy server must be reasonably accurate, at least within one hour of the actual time within its time zone. It is recommended that your LAN use a Network Time Server to ensure this synchronization.
  - The proxy server must be running .NET 2.0 or higher. If the server is not running .NET 2.0 or higher, the installer notifies you during the initial setup and installs .NET for you.
- NTLM enabled Browser (FF
Determine Web Protection Authentication
The Access Controls window allows you to define the manner in which users will be authenticated when accessing the Web. For example, you can register a list of accepted IP addresses for your organization.
Three mechanisms are provided that allow you into the Web Protection system.
Note: More than one authentication mechanism can be used in conjunction, if desired.

IP Range Authentication
Advantages:
- No user login required
- No passwords need to be maintained for users
- No software to install
- Can be deployed at the edge of the network using routing
Disadvantages:
- Group policies cannot be applied (all users have one policy)
- No individual reporting, all reporting is grouped by the external IP address

Explicit User Authentication
Advantages:
- Group policies can be applied (different users can have different policies)
- Individual reporting on a per user basis
- No software to install
Disadvantages:
- Requires users to log in once per browser session
- Passwords must be maintained and/or authenticated against corporate server.

Transparent Authentication (WDS Connector)
Advantages:
- No user login required
- No passwords need to be maintained for users in the Web Protection system
- Group policies can be applied (different users can have different policies)
- Individual reporting on a per user basis
Disadvantages:
- Requires software to be installed on the corporate infrastructure
- Requires Active Directory and NTLM authentication to recognize users
- Requires that each user has an email address in Active Directory that matches a corresponding email address in the Web Protection Control Console.
- Requires that users log on to the domain interactively.
To install WDS Connector on a Windows server, perform the following steps:
1.2 Download the WDS Connector Setup Wizard
You must first download the WDS Connector Setup Wizard from your Web Protection Control Console.
1. Ensure that the proxy settings in Internet Explorer on the proxy server are turned off.
2. Log in to the Web Protection Control Console.
The Web Protection Control Console appears.
3. Click the Setup tab.
The Web Protection Setup screen appears.
If your Web Protection includes IP Address Range Authentication, the Web Protection Setup screen appears as follows.
If your Web Protection does not include IP Address Range Authentication, then only the Web Protection Setup screen appears.
4. Click the Download WDS Connector link.
A Run screen appears and asks if you want to Run or Save the installation program.
5. Depending on the computer from which you accessed the Web Protection Control Console, perform the steps for one of the following two scenarios:
If you accessed the Web Protection Control Console from the Windows server that will be the proxy server, do the following:
A. Select Run.
The installer checks for Windows updates and the presence of .NET 2.0. If .NET 2.0 is not installed, the installer installs it.
The installer redisplays a Run screen.
NOTE: If all applicable Windows updates are not installed, the installation fails.
B. Select Run again.
The WDS Connector Setup Wizard opens.
C. Continue with the Run the WDS Connector Setup Wizard section.
If you logged into the Web Protection Control Console from a computer other than the proxy server, do the following:
A. Select Save.
B. Transfer the files you downloaded to the proxy server using a memory stick, a CD-ROM or some other means.
C. On the proxy server, locate the file you downloaded and double-click to run it.
A Run screen appears, asking if you want to Run or Save the installation files.
D. Select Run.
The installer checks for Windows updates and the presence of .NET 2.0. If .NET 2.0 is not installed, the installer performs an installation of .NET.
The installer redisplays a Run screen.
NOTE: If all applicable Windows updates are not installed, the installation fails.
E. Select Run again.
The WDS Connector Setup Wizard opens.
F. Continue with the Run the WDS Connector Setup Wizard section.
Attention: If your system receives the following error message during the Web Protection Setup, it means Short File Names are disabled. Continue with the following steps to enable this information.
1. Click OK.
The following WDS Connector Install screen displays.
2. Click OK to continue the Web Protection installer setup.
The WDS Connector Installation screen displays.
3. Click Close to exit your installer and reboot your system to continue the Web Protection installer setup.
Note: After completing these steps you have to reboot your system and begin to install the WDS Connector from the start.
1.3 Run the WDS Connector Setup Wizard
After you download the installation package and select Run, the following screen appears. Complete the steps that follow to set up WDS Connector.
1. Click Next.
The License Agreement page appears.
2. Select I Agree, and click Next.
The Select Installation Folder screen appears.
3. Use the default folder or click the Browse button to select a different folder for the WDS Connector software.
4. Click Next.
An installation confirmation screen appears.
5. Click Next.
The installation of software begins. When the software has been installed, a WDS Connector Login configuration screen appears.
6. Enter the username and password you normally use to access the Web Protection Admin Console, and click Next.
The Setting Active Directory Connection Information screen appears.
7. In the AD Hostname FQDN field, enter the fully-qualified domain name (FQDN) of the Active Directory domain controller in the local intranet.
NOTE: Although an FQDN is preferred because it minimizes network requests, a non-FQDN domain name is also allowed in this field.
8. In the Domain\Username field, enter a user name for the domain controller, using standard Windows domain user name format. Standard Windows user name format includes the domain name, followed by a backslash (\), followed by the username (for example, acme-domain\johndoe).
NOTE: The user name you enter must have read access to the Active Directory.
9. Enter a password for the user name in the Password field.
10. Click Next. A confirmation information screen displays.
NOTE: The Test button can be used to validate your AD settings. For more information regarding this functionality, see Chapter 4.
The Account setup screen appears.
11. Select Local System account or enter a User name and password for a unique WDS Connector account.
NOTE: If you set up a unique account for WDS Connector, you must also administer the account on the Active Directory domain controller.
12. Click Next.
The installation is complete.
13. Click Close.
14. To verify that WDS Connector is running, access your Windows services screen.
15. Go to Start > All Programs > Administrative Tools > Component Services
For most Windows systems, you access the Windows services screen through Windows Control Panel.
16. Check the screen to verify that the WDS Connector has started.
1.4 Set up users for the WDS Connector
The browser settings on each user's personal computer must be administered for the new proxy server. These settings must include port 3128 as the browser's access port on the proxy server.
For example, to manually set the Windows Internet Explorer browser for an individual P.C., you access the Local Area Network (LAN) Settings screen in Internet Explorer and administer the Proxy Server section for the following:
- The use of a proxy server by the browser
- The IP address or host name of the proxy server
- Port 3128 for the proxy server connection
Contact your local support Web site or local support personnel for information on various methods of configuring browser proxy settings to point to the WDS Connector.
Important: For the WDS Connector to authenticate a user, the user must already have an account in Active Directory (AD), and the AD account must include an email address that matches an email address in the Web Protection Control Console.
If Microsoft Exchange is installed and running on the AD server and the user already has an Exchange account, the user's email address is automatically populated in AD when the user's AD account is created. However, when Exchange isn't already running on the proxy server, or when Exchange is running on a different server, the user's email must be added manually into the user's AD account.
2 Reinstalling the WDS Connector
If, for some reason, you must reinstall the WDS Connector, the installation software checks that the WDS Connector is not running before the installation software resumes the installation.
During the reinstallation sequence, you might see the following screen:
In this case, do the following steps:
1. Click No.
A number of screens may appear and disappear as the WDS Connector shuts down.
Then, the following screen appears.
2. Select the default Repair WDS Connector option, and click Cancel.
The wizard prompts for confirmation on exit.
3. Click No.
The Welcome screen appears again.
4. Click Finish.
Continue with the installation as in the Run the WDS Connector Setup Wizard section of this document.
3 AD Config Editor
If you wish to edit your Change Settings for Web Protection, including the:
- Host Name
- Domain
- Password
Go to All Programs > WDS Connector > AD Config Editor.
The Edit Active Directory Connection screen displays.
1. Type the changes you wish to make.
2. Click Test
A Success Information window displays.
3. Click OK and then click Save.
4. Restart your Connector. To restart your Connector, go to Start > All Programs > Administrative Tools > Component Services.
In the event that your AD Hostname is invalid, the following Failure Information pop-up displays to alert you to one of these issues:
- This is an invalid AD Hostname
- The AD Hostname is not visible to this machine
- The AD is not running on that machine
- The AD Hostname machine is down.
5. Click OK to edit your information.
6. Click Test and, if successful, click OK and Save.
7. Restart your Connector. To restart your Connector, go to Start > All Programs > Administrative Tools > Component Services.
If the User Name or Password is invalid, the following Failure Information pop-up displays.
8. Click OK to edit your information.
9. Click Test and, if successful, click OK and Save.
10. Restart your Connector. To restart your Connector, go to Start > All Programs > Administrative Tools > Component Services.
4 Uninstalling the WDS Connector
To remove the WDS Connector program from your server, perform the following steps:
1. From the Start button on the P.C., select All Programs.
The list of programs appears.
2. Select WDS Connector from the list. Then select WDS Connector Uninstall from the pop-up menu.
A confirmation page appears.
3. Click Yes.
The WDS Connector is removed from your server.
5 Managing the WDS Connector logs
The WDS Connector can generate logs of activity. These logs are turned off by default, but for troubleshooting purposes in conjunction with support personnel, you might want to turn the logs on.
CAUTION: The logs can generate a lot of data. You should only turn on the WDS Connector logs for troubleshooting purposes. Otherwise, the logs quickly begin to take up disk space.
5.1 Turning on the WDS Connector Logs
To turn on the logs, perform the following steps:
1. From the Start button on the Windows Task Bar, select All Programs.
The list of programs appears.
2. Select WDS Connector from the list. Then select WDS Connector Configuration Manager from the pop-up menu.
The WDS Connector Configuration Manager page appears.
3. Click Turn Logging On.
The button changes to Turn Logging Off. WDS Connector is ready to send data to its logs.
5.2 Viewing the WDS Connector Logs
To view the WDS Connector Logs, perform the following steps:
1. In Windows Explorer, locate the directory in which you installed WDS Connector.
The default location is within the Program Files directory at C:\Program Files\WDSConnector.
2. From the WDS Connector directory, access the following path:
WDS Connector Proxy\var\logs
The logs directory appears.
3. Double-click any file name to view its contents.
6 Enabling NTLM on Windows clients
The WDS Connector requires NTLM information and the client must be configured to use NTLM. Unfortunately, newer versions of Windows operating systems (Vista and beyond) do not inherently provide NTLM information when used in conjunction with newer versions of Windows Server (2008 and beyond).
To enable NTLM on a Windows client, the following entry must be added to the Windows registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000000

This can be automated by using a login script to add the entry to the client machines upon login. A .reg file must be created and then called from a batch file. In the script folder of the Windows Domain Controller machine, create a new text file and call it something like WDS_Connector_Fix.reg for convenience. This file should contain the following text (the blank line is necessary):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000000

An associated batch file must contain a line similar to the one below (replace the Domain Controller Host and script share to include a valid UNC path to the script folder):

regedit /s \\<Domain Controller Host>\<script share>\WDS_Connector_Fix.reg

This batch file also needs to be added to the appropriate domain in the Group Policy Editor.
WARNING: McAfee recommends using caution when editing the registry on any computer. While the change suggested is relatively low risk, please note that changing the Windows Registry may have unexpected consequences. Be sure to back up all work prior to executing any changes.
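An added example, not part of the original guide or the product: a Python check that parses a .reg file like the one in this chapter (hand-written ANSI or regedit's UTF-16 export) and reports any LmCompatibilityLevel it sets, so login-script files can be reviewed before and after rollout. The level descriptions follow Microsoft's documented values; the baseline of 3 (the Windows Vista and later default) and all function and variable names are assumptions of this example.

```python
import re

# Documented client-side meaning of each LmCompatibilityLevel value.
LEVELS = {
    0: "send LM and NTLM responses, never NTLMv2 session security",
    1: "send LM and NTLM, NTLMv2 session security if negotiated",
    2: "send NTLM response only",
    3: "send NTLMv2 response only",
    4: "send NTLMv2 only; domain controllers refuse LM",
    5: "send NTLMv2 only; domain controllers refuse LM and NTLM",
}
BASELINE = 3  # assumption: treat the Vista-and-later default as the floor

SECTION = re.compile(r"^\[(-?)(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')


def decode_reg(data: bytes) -> str:
    """regedit exports UTF-16LE with a BOM; hand-written files are often ANSI."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def audit_reg(data: bytes, baseline: int = BASELINE):
    """Return one finding per LmCompatibilityLevel assignment under a Control\\Lsa key."""
    findings, key = [], None
    for raw in decode_reg(data).splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            # A leading '-' deletes the key, so nothing under it is being set.
            key = None if m.group(1) else m.group(2)
            continue
        m = DWORD.match(line)
        if not (m and key and key.lower().endswith("\\control\\lsa")
                and m.group(1).lower() == "lmcompatibilitylevel"):
            continue
        level = int(m.group(2), 16)
        findings.append({
            "key": key,
            "level": level,
            "meaning": LEVELS.get(level, "undefined value"),
            "below_baseline": level < baseline,
        })
    return findings


# Constructed samples: the .reg text from this guide, as ANSI and as a regedit-style export.
GUIDE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\r\n"
    '"LmCompatibilityLevel"=dword:00000000\r\n'
)
SAMPLE_ANSI = GUIDE_REG.encode("ascii")
SAMPLE_UTF16 = b"\xff\xfe" + GUIDE_REG.encode("utf-16-le")

print(audit_reg(SAMPLE_UTF16))
```

Running the same function over the files in the domain's script folder shows which login scripts lower the level and to what value.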