1 © 2009 CensorNet Ltd
Getting Started Guide CensorNet Professional
Copyright © CensorNet Limited, 2005-2010
This document is designed to provide information about the first time configuration and testing of the CensorNet Professional web content filtering software. Every effort has been made to make this document as complete and accurate as possible, but no warranty or fitness is implied. CensorNet Ltd does not accept any liability for poorly designed or malfunctioning networks.
CONTENTS
Getting started ....................................................................................................................................................... 6
Logging in to the web control panel ................................................................................................................... 6
Navigation and assistance .................................................................................................................................. 7
Product activation .............................................................................................................................................. 8
Common problems ......................................................................................................................................... 9
Trial mode ......................................................................................................................................................... 10
Downloading the URL database (CSRV) ............................................................................................................ 10
Common problems ....................................................................................................................................... 11
Locale settings ...................................................................................................................................................... 12
Time zone ......................................................................................................................................................... 12
Common problems ....................................................................................................................................... 12
Language ........................................................................................................................................................... 13
Parent proxy configuration ............................................................................................................................... 13
Web browser configuration .................................................................................................................................. 14
Securing the network ........................................................................................................................................... 15
User authentication .............................................................................................................................................. 16
Transparent Kerberos ....................................................................................................................................... 17
Configuring Transparent Kerberos authentication ....................................................................................... 17
Verify that Transparent Kerberos is working ................................................................................................ 19
Common problems with Transparent Kerberos ........................................................................................... 20
Transparent NTLM ............................................................................................................................................ 20
Configuring transparent NTLM authentication ............................................................................................ 21
Verify that NTLM authentication is working ................................................................................................. 22
Common problems with NTLM ..................................................................................................................... 23
Censornet Active Directory Agent .................................................................................................................... 24
Installing the Censornet Active Directory Agent .......................................................................................... 24
Configuring the CensorNet Active Directory Agent ...................................................................................... 24
Verify that user identification is working with the Active Directory Agent .................................................. 25
Active Directory (Kerberos) .............................................................................................................................. 25
Configuring Active Directory (Kerberos) ....................................................................................................... 26
Verify that Active Directory (Kerberos) authentication is working............................................................... 26
Common problems ....................................................................................................................................... 27
Windows NT or SAMBA server ......................................................................................................................... 28
Configuring Windows NT or SAMBA server authentication ......................................................................... 28
Verify that Windows NT or SAMBA server authentication is working ......................................................... 29
NetwareNDS (E-Directory) ................................................................................................................................ 30
LDAP server authentication .............................................................................................................................. 30
Internal authentication ..................................................................................................................................... 31
Managing user accounts ............................................................................................................................... 32
Managing user passwords ............................................................................................................................ 33
No user authentication ..................................................................................................................................... 34
Global user authentication settings .................................................................................................................. 34
Active Directory integration ................................................................................................................................. 36
Synchronising with Active Directory ................................................................................................................. 36
Installing the Censornet Synchronisation Service......................................................................................... 36
Configuring the CensorNet Synchronisation Service .................................................................................... 36
Verify that the CensorNet Synchronisation Service is working .................................................................... 37
Replicating the Active Directory structure ....................................................................................................... 37
Replicating by Organisational Unit (OU) ....................................................................................................... 38
Replicating by Primary Group ....................................................................................................................... 40
Computer identification ....................................................................................................................................... 43
Configuring the computer identification method ............................................................................................ 43
MAC Address method ....................................................................................................................................... 44
Import computers automatically .................................................................................................................. 44
Import computers from CSV ......................................................................................................................... 45
Common problems ....................................................................................................................................... 45
IP Address method ........................................................................................................................................... 46
Import computers automatically .................................................................................................................. 46
Hostname method ............................................................................................................................................ 47
Import computers automatically .................................................................................................................. 47
SSL Intercept mode ............................................................................................................................................... 49
Enabling SSL Intercept mode ............................................................................................................................ 49
Installing web browser SSL certificate .......................................................................................................... 49
Bypassing SSL intercept mode .......................................................................................................................... 49
Completely bypass SSL web sites.................................................................................................................. 50
Disabling SSL intercept mode ........................................................................................................................... 50
Filtering policies .................................................................................................................................................... 52
Default policy .................................................................................................................................................... 52
The default policy explained ............................................................................................................................. 52
Creating new policies ........................................................................................................................................ 54
Applying policies to groups of users or Computers .......................................................................................... 55
Global filtering modules ................................................................................................................................... 56
Custom URL module ............................................................................................................................................. 57
Creating a Custom URL category ...................................................................................................................... 57
Adding Custom URLs ......................................................................................................................................... 57
Custom URL Patterns .................................................................................................................................... 58
Administrators ...................................................................................................................................................... 59
Bypassing non-proxy-aware sites / applications .................................................................................................. 60
Common error messages ...................................................................................................................................... 61
The upstream proxy did not respond in time ................................................................................................... 61
Unable to retrieve MAC address of the peer .................................................................................................... 61
The authenticity of the web site could not be verified .................................................................................... 61
Content length exceeded ................................................................................................................................. 61
Unable to establish an outbound connection to csrv.censornet.com 2200 ..................................................... 61
Troubleshooting ................................................................................................................................................... 62
Allow or block instant messaging applications ................................................................................................. 62
Web sites such as youtube no longer stream correctly .................................................................................... 62
Web pages do not load correctly – missing styles and images......................................................................... 62
Problem authenticating users using Apple OSX ............................................................................................... 62
Intermittent access to web sites or slow web Sites .......................................................................................... 62
Citrix notes ............................................................................................................................................................ 63
Summary ............................................................................................................................................................... 64
Technical support ................................................................................................................................................. 65
GETTING STARTED
This document is designed to guide you through the steps needed to set up and configure CensorNet
Professional for the first time. It is not meant to be an exhaustive reference to all the features and
functionality available – this can be found within the product documentation under the HELP menu or in our
online KNOWLEDGE BASE.
LOGGING IN TO THE WEB CONTROL PANEL
The CensorNet product is administered using a Web based graphical user interface, known as the “CONTROL
PANEL”.
To access the Control Panel, you will need to use a Web browser on a machine that is on the same network as
the CensorNet server.
Open the Web browser, and in the address bar type:
HTTP://IP.OF.CENSORNET/
Where “IP.OF.CENSORNET” is replaced with the IP address you configured for the CensorNet server, e.g.
http://192.168.1.1/
You will be presented with the CONTROL PANEL LOGIN SCREEN, as shown in the figure below.
The default credentials are:-
Username: admin
Password: password
N.B. Case sensitivity is important.
NAVIGATION AND ASSISTANCE
CensorNet has been designed to be easy to use and entirely manageable from a Web browser. Navigating to
the various sections of the application is achieved via the drop down menu at the top of the browser window,
as shown below:-
IF YOU NAVIGATE AWAY FROM A PAGE WITHOUT SAVING THE SETTINGS, THEN THE
SETTINGS WILL BE LOST. AT THE BOTTOM OF EVERY PAGE THERE IS A “SET OPTIONS”
BUTTON WHICH CAN BE USED TO SAVE CHANGES.
The product manual is integrated into the product and from each page you can click the help icon to be
taken to the relevant page of the manual based on the current page you are viewing.
Tooltips are also available next to each option and provide a quick way to understand what should be entered
in the required text box. Simply roll the mouse pointer over the field name to reveal the tooltip, as shown
below:-
Additional help can also be found in the HELP menu where you can access the full product manual, visit the
KNOWLEDGE BASE or access the LIVE SUPPORT DESK where you can speak to an operator in real time for
assistance. See the Technical Support section for more details.
PRODUCT ACTIVATION
It is necessary to activate CensorNet with a valid license in order to start the proxy service and accept
connections. You can activate the CensorNet software for 10 days by using the activation code that was issued
to you when you downloaded the software. If you have lost the activation code, please contact Technical
Support.
To activate the software:-
1. Enter the Activation Code which was issued to you when you downloaded the software.
2. Click “ACTIVATE FOR 10 DAYS”. Activation can take up to 30 seconds.
Once activated, you will see the green dialogue box below, indicating that the 10 day license has been installed
successfully.
After a few seconds you will see the CensorNet proxy service attempting to start. As there is no local URL
database installed, CensorNet will attempt to contact one of the online lookup servers.
If successful, the Filtering Proxy will change from orange to green and TRIAL MODE will be active. Please see
the section on Trial Mode below.
COMMON PROBLEMS
• If the activation fails, it may be for a number of reasons:-
1. The CensorNet server does not have access to the Internet. Please double check DNS and gateway settings by using the “SETUP” program. Refer to the Installation Guide for network configuration.
2. You have already used the activation code on a different machine. Once the activation code has been used on a particular machine, you cannot use it again on a different piece of hardware. Contact Technical Support for a new activation code.
• Activation is successful but you receive the error “UNABLE TO ESTABLISH AN OUTBOUND CONNECTION
TO CSRV.CENSORNET.COM ON PORT 2200”. Please see this Knowledge Base article.
TRIAL MODE
During the evaluation period CensorNet will operate in TRIAL MODE. This is a special mode that CensorNet
uses when it does not have a locally installed copy of the URL database. When in TRIAL MODE, CensorNet will
connect to the nearest online database server and use that instead. As a result, during TRIAL MODE web
access may seem delayed by 1-3 seconds due to each web request being passed to one of the online servers.
It is possible to exit TRIAL MODE during your evaluation period by requesting to download the URL database
using the link within the green dialogue box. You will be required to complete a short form with your contact
details and then a username/password will be issued to you within 24hrs.
The database is 2.5GB and may take several hours to download depending on the speed of your Internet
connection. If you require the database on DVD please contact Technical Support. At least 2GB of RAM is
required (preferably 4GB for larger networks) in order for the database to run effectively.
DOWNLOADING THE URL DATABASE (CSRV)
Once you receive your username and password, you will need to configure CensorNet to download the
database. To do this:-
1. Go to the FILTERS menu and select URL DATABASE UPDATES.
2. Set the Update Mode to DOWNLOAD ALL UPDATES.
3. Select the closest geographical download site from the Source list.
4. Enter the username and password provided to you.
5. Select an update time for daily updates to occur. It is recommended that these updates happen outside of office hours.
6. Click SET OPTIONS and then click UPDATE NOW.
You can verify that the download has started by refreshing the System Overview page. To do this, go to the
SYSTEM menu and then select OVERVIEW and scroll down to the URL DATABASE UPDATE SUBSCRIPTION
panel, as shown below.
Whilst the database is downloading please do not switch off or reboot the CensorNet server. The update
status will change to DATABASE UPDATE COMPLETE when successful.
COMMON PROBLEMS
• The message “Update failed” appears instead of the download status.
1. Check that the CensorNet server has Internet access – ensure DNS and gateway settings are correct. Try pinging csrv.censornet.com and if it doesn’t reply, look again at the network configuration.
2. Double check the username and password entered and click UPDATE NOW again.
3. Do you have to use a parent / upstream proxy server for web access? If so, you must configure this under System -> Configuration -> Parent Proxy settings before attempting to download the database. Once configured, attempt the download again.
4. If the problem persists, try a different update Source.
5. Contact Technical Support for assistance.
• The message “Download in progress” is displayed but there is no % complete. This usually happens when a
parent proxy is being used because CensorNet is unable to generate a progress counter. It is working; it just
cannot tell you how much has been downloaded.
LOCALE SETTINGS
It is important to configure the locale settings for your CensorNet server. These may have been set during
installation; however, you should verify that they are correct now and make any changes that are needed.
TIME ZONE
Time is very important to CensorNet. Everything relies on accurate time, so you should verify that the date,
time and time zone are correct. To do this, go to SYSTEM -> CONFIGURATION -> TIME ZONE.
Current Timezone – this is the time zone that CensorNet is currently using and is based on the time zone selected during installation. If this is incorrect, select the correct time zone from the drop down list and press Set Options.
Current Server Local Time – this is the current time and date based on the clock in the CensorNet
server. It is important to check that the date and time are correct and that they stay correct. If you
need to change the time, alter it here and press Set Date & Time and then monitor it to ensure the
clock stays correct.
COMMON PROBLEMS
The clock keeps drifting on a virtual machine – this is common especially on Virtual Machines which do not have the required tools installed to synchronise the virtual clock with the host machine. Please see this Knowledge Base article: http://wiki.censornet.com/foswiki/bin/view/Main/VMWareClockDrift
The clock drifts on a physical server – on some hardware, there is a problem with Linux communicating with the real time clock. Please see this Knowledge Base article: http://wiki.censornet.com/foswiki/bin/view/Main/RepeatFail
LANGUAGE
CensorNet supports viewing the Web control panel in different languages. The language can be chosen when
you login to the control panel or a default language can be set for all users. To select the default language, go
to SYSTEM -> CONFIGURATION -> LANGUAGE.
Click SET OPTIONS to set the default language. You will need to log out and log back in for the changes to take
effect.
PARENT PROXY CONFIGURATION
If there is an existing proxy server on the network or a proxy server upstream at your ISP, and you are forced
to use it, then you should configure the proxy server on CensorNet.
To do this, go to SYSTEM -> CONFIGURATION -> PARENT PROXY SETTINGS.
WEB BROWSER CONFIGURATION
NOTE: IF YOU HAVE CONFIGURED CENSORNET IN “INLINE” MODE IT IS NOT NECESSARY TO
CONFIGURE YOUR WEB BROWSER PROXY SETTINGS. PLEASE IGNORE THIS SECTION.
In order to use the CensorNet proxy server you need to configure your web browser to use CensorNet. This is a
straightforward step which you can do individually on each browser or automatically using Active Directory
Group Policy or Web Proxy Auto Discovery (WPAD).
For the purposes of this guide, the following steps can be followed to configure Internet Explorer to use
CensorNet:
1. Start Internet Explorer.
2. Select the TOOLS menu and then INTERNET OPTIONS.
3. Click the CONNECTIONS tab and then LAN SETTINGS.
4. Tick the box to USE A PROXY SERVER and enter the CensorNet IP address into the ADDRESS field.
5. Enter port 8080 into the PORT field.
6. Tick the box to BYPASS PROXY SERVER FOR LOCAL ADDRESSES.
7. Click the ADVANCED button.
8. Enter the IP of CensorNet into the EXCEPTIONS box.
9. Click OK, OK and OK on each dialogue box to return to the browser window.
SECURING THE NETWORK
Please review this Knowledge Base article on securing the network so that users cannot bypass the proxy:-
http://wiki.censornet.com/foswiki/bin/view/Main/EnforceProxyUse
USER AUTHENTICATION
CensorNet can identify users browsing the web, apply different policies to them and include the usernames in
reports. To achieve this, you must configure a method of user authentication for CensorNet to use. The
following methods are supported:-
Transparent Kerberos – for networks with Windows Server 2003 and above with clients running Internet Explorer 7 or above. Transparent Kerberos is a single sign-on authentication method compatible with the latest Windows Server and Windows desktop operating systems (Vista, Windows 7). Compatible with Citrix or Terminal Services environments and SIDEWAYS mode where you do not want users to be prompted to login when they open a Web browser.
Transparent NTLM (pre Windows Server 2003) – CensorNet creates a trust relationship with the Active Directory domain controller and transparently authenticates users using the NTLM protocol. This is particularly useful in Citrix or Terminal Services networks and in SIDEWAYS mode where you do not want users to be prompted to login when they open a Web browser. NTLM is only supported by Internet Explorer and Firefox web browsers. This authentication method is not available when operating in Inline mode.
CensorNet Active Directory Agent – The Agent is a small piece of software that is installed on your Active Directory domain controller(s) and provides user identification between CensorNet and Active Directory. The agent runs as a system service and must be installed on all domain controllers for the domain. The agent is ideal for providing user identification when in INLINE mode, but is not suitable for Citrix or Terminal Services networks. For Citrix or Terminal Services please use Transparent NTLM. For further information about the agent please visit http://www.censornet.com/adagent/
Windows NT or Samba – for use with Windows NT or Samba (Linux or Apple). CensorNet will prompt for a username/password to be entered when the web browser is opened. This authentication method is not available when operating in INLINE mode.
Netware NDS (eDirectory) – for use with Novell NDS or eDirectory. CensorNet will prompt for a username/password to be entered when the web browser is opened. This authentication method is not available when operating in INLINE mode.
LDAP – for use with OpenLDAP and similar directories. CensorNet will prompt for a username/password to be entered when the web browser is opened. This authentication method is not available when operating in INLINE mode.
Internal Authentication – allows you to create a list of usernames and passwords on the CensorNet server which are used to login with when a web browser is opened. Useful if you require user identification but do not have a domain controller. This authentication method is not available when operating in INLINE mode.
No User Authentication – Do not require users to authenticate to access the Web.
TRANSPARENT KERBEROS
Transparent Kerberos is a single sign-on authentication method compatible with Windows Server 2003 and
above. This method supersedes NTLM Authentication and is compatible with the latest Windows desktop
operating systems such as Vista and Windows 7. Transparent Kerberos allows users to authenticate with
CensorNet without prompting to re-enter network login credentials.
In order to use Transparent Kerberos authentication your network needs to meet the following requirements:
Windows Server 2003 or above
Internet Explorer 7 or above, Firefox 2 or above or Safari on Mac OSX 10.4 or above on all client
machines.
CONFIGURING TRANSPARENT KERBEROS AUTHENTICATION
IMPORTANT: If you have previously configured CensorNet Professional with NTLM Authentication, it is
important that you remove the CensorNet machine account in Active Directory on all domain controllers
before attempting to configure Transparent Kerberos. You can do this from the Windows Server by running
the Active Directory Users & Computers manager and then deleting the CensorNet machine account from the
Computers folder. The machine account name will be the same as the CensorNet server’s hostname. To find this,
login as root and type “hostname” to display the hostname.
To configure Transparent Kerberos, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select
the Transparent Kerberos radio button.
You will need the following information:
Server IP Address – This is the IP address of your Active Directory server or Primary Domain Controller if there are more than one domain controllers on the network.
Server Hostname – This is the hostname of your Active Directory server or Primary Domain Controller. This is just the name of the server, not the fully qualified domain name.
AD Domain – This is the fully qualified Active Directory domain name without the hostname or computer name at the beginning.
Domain Admin Username – This is the username of a user account on the Active Directory server with administrator privileges (member of DOMAIN\ADMINS).
Domain Admin Password – This is the password of the admin username specified in “Domain Admin Username”. The password cannot contain any special characters (e.g. % & $, etc). If your password does contain special characters and you do not wish to change it, create a new user account for CensorNet (e.g. username: censornet) and set its password to something in standard characters. AFTER CREATING THE NEW USER ACCOUNT, RESET ITS PASSWORD AGAIN TO WORK AROUND A KNOWN ISSUE WITH LINUX AND ACTIVE DIRECTORY. The new account is only required to establish the trust relationship and after which can be removed if necessary.
Click SET OPTIONS to enable Transparent Kerberos authentication.
After a few seconds, you should receive a SUCCESS message if CensorNet was able to establish a trust
relationship with the Active Directory server (see below).
UPDATE WEB BROWSER PROXY SETTINGS
Transparent Kerberos requires that the proxy server address is specified with its fully qualified domain name
(FQDN) rather than its IP address in the web browser proxy settings. You can find the FQDN by logging into the
CensorNet server as ‘root’ and typing ‘hostname -f’. You should see an output similar to this:
In the above example “censornet.ad2008r2.local” is the FQDN and this should be configured in your browser
proxy server settings – see Web Browser Configuration. On a network, this can be updated using a group policy
object if you use Internet Explorer.
Please ensure that the FQDN can be resolved to the IP address of the CensorNet server. You can verify this by
typing “NSLOOKUP CENSORNET.AD2008R2.LOCAL” on a client desktop machine. If it fails to resolve to the
CensorNet server IP address, you will need to create a forward facing DNS record (A) on your internal DNS
server (usually the primary domain controller).
VERIFY THAT TRANSPARENT KERBEROS IS WORKING
IMPORTANT
After configuring Transparent Kerberos authentication it is important that the network user logs out and
logs back into the domain. This will create a new authentication token for the user. This procedure is only
required once.
You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user
account from the Active Directory (the “test user”) and open a Web browser that is configured to use
CensorNet as a proxy server (see section on Web Browser Configuration and ensure if Internet Explorer that it
is using the FQDN described in the note above).
Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser
should not prompt the test user to login – if this happens please see Common Problems below.
If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user
by going to REPORTS -> WHO’S BROWSING within the CensorNet web control panel. This will list the
currently active Internet users – and the test user should appear here – as shown in the example below.
Click on the test user, in this case “foo” to drill-down into the recent web site visits. Here you should see the
test sites that you accessed using the web browser, e.g. www.google.co.uk.
If this is correct, then you should move on to Active Directory Integration for details on how to replicate your
Active Directory structure within CensorNet.
If you do not see any user names in the WHO’S BROWSING report then please read the section Common
Problems below.
COMMON PROBLEMS WITH TRANSPARENT KERBEROS
If the trust relationship fails you will receive a FAILURE message (see below). This can happen for a number of reasons.
o The most common cause of this problem (especially when using a Virtual Appliance) is that the clock on the CensorNet server is not in sync with the clock on the Active Directory server. The two clocks must be within 5 MINUTES of each other, otherwise the Kerberos handshake will fail. The time zone should also match on both servers. For information on how to set the clock correctly please see: http://wiki.censornet.com/foswiki/bin/natsearch/Main/KnowledgeBase?limit=100&search=clock+drift
o If you have previously configured NTLM on this CensorNet server, you should remove the “censornet” machine account from all the domain controllers on the network.
o The administrator password contains special characters, e.g. å, $, _, \%, ^, £, etc. Please change the administrator password or create a new user account with administrator privileges that does not use these characters.
o If you have created a new administrator account for CensorNet, please ensure you reset its password TWICE to work around a known issue with Linux and Active Directory.
o Please ensure that the hostname on CensorNet does not use a reserved word, such as “internet”. We recommend the CensorNet hostname stays as “cnadmin” to avoid any conflicts.
o Ensure that the hostname of your CensorNet server is not the same as your Windows domain name.
The BROWSER HANGS whenever you try and configure Transparent Kerberos authentication.
o This can happen if there is a user or machine account with the same name as the CensorNet server in Active Directory. Please delete or rename this account and try again.
The trust relationship is SUCCESSFUL but users are prompted to login.
o Ensure that you have specified the fully qualified domain name (FQDN) in Internet Explorer’s proxy server settings (see the Important Note under Verify Transparent Kerberos is working).
o Ensure that the FQDN can be resolved from client machines. Type nslookup <FQDN> in a Command Prompt and ensure it resolves to the CensorNet IP address. If it does not, you will need to add a forward facing A record to your internal DNS server (usually the primary domain controller).
o Ensure the user logs out of the domain and logs back in again the first time Transparent Kerberos is configured.
The web browser hangs whilst trying to set up the trust relationship. This can happen if there is a user account with the same name as the machine account that is created by the trust relationship. Look for the name of the CensorNet machine record and then delete any user accounts with the same name, then retry creating the trust relationship.
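The DNS, clock and hostname conditions listed above can be checked before enabling the trust. The following Python script is an added example, not part of this guide or the CensorNet product; the function names, the reserved-word list (only “internet” is named above) and the use of the first label of the AD domain as the Windows domain name are the author's assumptions.

```python
"""Pre-flight checks for Transparent Kerberos proxy authentication.

Added example, not CensorNet's code. It encodes the conditions the guide
lists: the proxy FQDN must resolve to the CensorNet server's IP address,
the clock skew against the domain controller must be under 5 minutes, and
the server hostname must not be a reserved word such as "internet" nor
equal to the Windows domain name.
"""
import socket
import time

MAX_SKEW_SECONDS = 5 * 60          # Kerberos tolerance quoted in the guide
RESERVED_HOSTNAMES = {"internet"}  # the only example the guide gives (assumption: extend as needed)


def resolve_ipv4(fqdn):
    """Return the set of IPv4 addresses the local resolver gives for fqdn (empty if none)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_fqdn_resolution(fqdn, expected_ip):
    """The browser proxy setting must name the FQDN, and it must resolve to CensorNet."""
    addrs = resolve_ipv4(fqdn)
    if not addrs:
        return f"{fqdn} does not resolve; add a forward (A) record on the internal DNS server"
    if expected_ip not in addrs:
        return f"{fqdn} resolves to {sorted(addrs)}, not {expected_ip}"
    return None


def check_clock_skew(local_epoch, dc_epoch):
    """Kerberos fails when the two clocks differ by more than 5 minutes (times in epoch seconds)."""
    skew = abs(local_epoch - dc_epoch)
    if skew > MAX_SKEW_SECONDS:
        return f"clock skew is {int(skew)}s, above the {MAX_SKEW_SECONDS}s Kerberos limit"
    return None


def check_hostname(hostname, ad_domain):
    """Hostname must not be a reserved word or clash with the domain's short name.

    Assumption: the Windows domain name is compared as the first label of the
    AD domain (e.g. "ad2008r2" for "ad2008r2.local").
    """
    short = hostname.split(".")[0].lower()
    if short in RESERVED_HOSTNAMES:
        return f"hostname '{short}' is a reserved word"
    domain_short = ad_domain.split(".")[0].lower()
    if short == domain_short:
        return f"hostname '{short}' is the same as the Windows domain name"
    return None


def kerberos_preflight(fqdn, expected_ip, ad_domain, local_epoch, dc_epoch):
    """Run all checks; returns a list of problem strings (empty means all clear)."""
    hostname = fqdn.split(".")[0]
    findings = [
        check_fqdn_resolution(fqdn, expected_ip),
        check_clock_skew(local_epoch, dc_epoch),
        check_hostname(hostname, ad_domain),
    ]
    return [f for f in findings if f]


if __name__ == "__main__":
    # Constructed sample values: the FQDN from the guide's screenshot, a documentation IP,
    # and a domain-controller time taken to be the same as the local clock.
    now = time.time()
    problems = kerberos_preflight("censornet.ad2008r2.local", "192.0.2.10",
                                  "ad2008r2.local", now, now)
    for problem in problems or ["no problems found"]:
        print(problem)
```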
TRANSPARENT NTLM
NTLM (NT LAN Manager) is a Microsoft authentication protocol that is supported by Internet Explorer and
Mozilla Firefox as a means to transparently authenticate client browsers with a server side proxy. NTLM uses
the Windows logon network credentials and encodes them within each HTTP request in a 4-way handshake
with the proxy server. This provides a transparent way of identifying users without requiring them to login
every time a browser window is opened.
CONFIGURING TRANSPARENT NTLM AUTHENTICATION
To configure Transparent NTLM, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select
the Transparent NTLM radio button.
You will need the following information:
Server IP Address – This is the IP address of your Active Directory server or Primary Domain Controller if there are more than one domain controllers on the network.
Server Hostname – This is the hostname of your Active Directory server or Primary Domain Controller. This is just the name of the server, not the fully qualified domain name.
AD Domain – This is the fully qualified Active Directory domain name without the hostname or computer name at the beginning.
NetBIOS Domain – The short domain name, often called the Pre-Windows 2000 or “workgroup style” name. This is usually the first part of the Active Directory domain name (before the first dot), written in upper case.
Domain Admin Username – This is the username of a user account on the Active Directory server with administrator privileges (member of DOMAIN\ADMINS).
Domain Admin Password – This is the password of the admin username specified in “Domain Admin Username”. The password cannot contain any special characters (e.g. % & $, etc). If your password does contain special characters and you do not wish to change it, create a new user account for CensorNet (e.g. username: censornet) and set its password to something in standard characters. AFTER CREATING THE NEW USER ACCOUNT, RESET ITS PASSWORD AGAIN TO WORK AROUND A KNOWN ISSUE WITH LINUX AND ACTIVE DIRECTORY. The new account is only required to establish the trust relationship, after which it can be removed if necessary.
Click SET OPTIONS to enable Transparent NTLM authentication.
After a few seconds, you should receive a SUCCESS message if CensorNet was able to establish a trust
relationship with the Active Directory server (see below).
VERIFY THAT NTLM AUTHENTICATION IS WORKING
You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user
account from the Active Directory (the “test user”) and open a Web browser that is configured to use
CensorNet as a proxy server (see section on Web Browser Configuration).
Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser
should not prompt the test user to login – if this happens please see Common Problems below.
If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user
by going to REPORTS -> WHO’S BROWSING within the CensorNet web control panel. This will list the
currently active Internet users – and the test user should appear here – as shown in the example below.
Click on the test user, in this case “foo” to drill-down into the recent web site visits. Here you should see the
test sites that you accessed using the web browser, e.g. www.google.co.uk.
If this is correct, then you should move on to Active Directory Integration for details on how to replicate your
Active Directory structure within CensorNet.
If you do not see any user names in the WHO’S BROWSING report then please read the section Common
Problems below.
COMMON PROBLEMS WITH NTLM
If the trust relationship fails you will receive a FAILURE message (see below). This can happen for a number of reasons.
o The most common cause of this problem (especially when using a Virtual Appliance) is that the clock on the CensorNet server is not in sync with the clock on the Active Directory server. The two clocks must be within 5 MINUTES of each other, otherwise the Kerberos handshake will fail. The time zone should also match on both servers. For information on how to set the clock correctly please see: http://wiki.censornet.com/foswiki/bin/natsearch/Main/KnowledgeBase?limit=100&search=clock+drift
o The administrator password contains special characters, e.g. å, $, _, \%, ^, £, etc. Please change the administrator password or create a new user account with administrator privileges that does not use these characters.
o If you have created a new administrator account for CensorNet, please ensure you reset its password TWICE to work around a known issue with Linux and Active Directory.
o Please ensure that the hostname on CensorNet does not use a reserved word, such as “internet”. We recommend the CensorNet hostname stays as “censornet” to avoid any conflicts.
o Ensure that the hostname of your CensorNet server is not the same as your Windows domain name.
If the web browser prompts you to login even though the trust was successful, it is usually due to the following:
o The clock has drifted more than 5 minutes apart from the Active Directory clock. Please see the Common Problems section above for more detail.
o The web browser is using NTLMv2 rather than NTLMv1. This is the default on Windows Vista and Windows 7 computers. You can roll back the version of NTLM using a group policy registry edit. For further information please see: http://wiki.censornet.com/foswiki/bin/natsearch/Main/KnowledgeBase?limit=100&search=ntlm+problem
CENSORNET ACTIVE DIRECTORY AGENT
The CensorNet Active Directory Agent is a system service that sends network login credentials to CensorNet
for the purposes of identifying users and computers. The software should be installed on Windows 2000, 2003
or 2008 domain controller(s) and will run as a system service with administrator rights. Currently the software
supports a single domain.
The CensorNet Active Directory agent can provide user identification when CensorNet is running in Inline
mode and it can also provide a faster alternative to NTLM.
NOTE: THE SERVICE IS NOT DESIGNED TO WORK IN CITRIX / TERMINAL SERVICES
ENVIRONMENTS. IN THIS CASE, PLEASE CONFIGURE TRANSPARENT KERBEROS OR
TRANSPARENT NTLM AS THE USER AUTHENTICATION OPTION WITHIN CENSORNET.
INSTALLING THE CENSORNET ACTIVE DIRECTORY AGENT
Please visit http://www.censornet.com/adagent/ for download and installation instructions.
Please make a note of the secret key that you set during installation.
CONFIGURING THE CENSORNET ACTIVE DIRECTORY AGENT
After installing the Active Directory agent on each of your Windows Domain Controllers you will need to
configure the “secret” within the CensorNet server.
To do this, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and enter the secret key as shown
below. The secret keys must match exactly on both the Agent and the CensorNet server for the
authentication to work.
Press SET OPTIONS to enable the use of the CensorNet Active Directory Agent.
VERIFY THAT USER IDENTIFICATION IS WORKING WITH THE ACTIVE DIRECTORY AGENT
On the domain controllers, use the Start menu to find and open the CENSORNET AUTHENTICATION SERVICE
MONITOR. The status should show as RUNNING, as shown below:
NOTE: THE CENSORNET ACTIVE DIRECTORY AGENT ACTS AS THE PRIMARY
AUTHENTICATION METHOD FOR CENSORNET. YOU CAN ALSO CONFIGURE A SECONDARY
AUTHENTICATION METHOD USING ANY OF THE OTHER SUPPORTED METHODS (E.G. NTLM,
LDAP, ETC). IF THE AGENT FAILS FOR ANY REASON, CENSORNET WILL FALL BACK TO THE
SECONDARY METHOD OF AUTHENTICATION. PLEASE SEE THE SECTION CONFIGURING USER
AUTHENTICATION FOR THE AVAILABLE SECONDARY METHODS.
ACTIVE DIRECTORY (KERBEROS)
CensorNet supports standard Kerberos authentication with Active Directory. This is useful if you require users
from Active Directory to log in with a username and password when they open a web browser.
CONFIGURING ACTIVE DIRECTORY (KERBEROS)
To configure Active Directory authentication using Kerberos, go to SYSTEM -> CONFIGURATION -> USER
AUTHENTICATION and select the Active Directory (Kerberos) radio button.
You will need the following information:
Server IP Address – This is the IP address of the primary Active Directory server on the network.
Server Hostname – This is the computer name of the primary Active Directory server. This is just the
computer name and not the fully qualified domain name.
AD Domain – The full Active Directory domain name without the computer name or hostname
included at the start.
Press SET OPTIONS to enable the use of Active Directory (Kerberos) authentication.
VERIFY THAT ACTIVE DIRECTORY (KERBEROS) AUTHENTICATION IS WORKING
You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user
account from the Active Directory (the “test user”) and open a Web browser that is configured to use
CensorNet as a proxy server (see section Web Browser Configuration).
Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser
should prompt the test user to login – see below – and after you enter a valid username and password access
to the Web page should be granted.
If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user
by going to REPORTS -> WHO’S BROWSING within the CensorNet web control panel. This will list the
currently active Internet users – and the test user should appear here – as shown in the example below.
Click on the test user, in this case “FOO” to drill-down into the recent web site visits. Here you should see the
test sites that you accessed using the web browser, e.g. www.google.co.uk.
COMMON PROBLEMS
After entering the username and password three times you receive a LOGIN FAILED message:
The most common cause of this problem (especially when using a Virtual Appliance) is that the clock on the CensorNet server is not in sync with the clock on the Active Directory server. The two clocks must be within 5 minutes of each other, otherwise the Kerberos handshake will fail. The time zone should also match on both servers. For information on how to set the clock correctly please see: http://wiki.censornet.com/foswiki/bin/natsearch/Main/KnowledgeBase?limit=100&search=clock+drift
The user account on the Active Directory server has been set to “Change password on next logon”. This will cause CensorNet to fail the authentication until the password has been reset.
The username or password provided is actually incorrect.
WINDOWS NT OR SAMBA SERVER
CensorNet supports authentication with Windows NT or Samba servers using the SMB protocol. This should be
used in legacy environments where Active Directory is not yet available or Samba does not support NTLM
(some Linux and Apple networks).
CONFIGURING WINDOWS NT OR SAMBA SERVER AUTHENTICATION
To configure Windows NT or Samba Authentication, go to SYSTEM -> CONFIGURATION -> USER
AUTHENTICATION and select the Windows NT or Samba Server radio button.
You will need the following information:
PDC Address – This is the IP address of the Primary Domain Controller.
BDC Address – This is the IP address of the Backup Domain Controller (optional).
Domain Name – This is the Windows Domain on your network.
Click SET OPTIONS to enable Windows NT or Samba authentication.
VERIFY THAT WINDOWS NT OR SAMBA SERVER AUTHENTICATION IS WORKING
You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user
account from the domain (the “test user”) and open a Web browser that is configured to use CensorNet as a
proxy server (see section Web Browser Configuration).
Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser
should prompt the test user to login – see below – and after you enter a valid username and password access
to the Web page should be granted.
If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user
by going to REPORTS -> WHO’S BROWSING within the CensorNet web control panel. This will list the
currently active Internet users – and the test user should appear here – as shown in the example below.
Click on the test user, in this case “FOO” to drill-down into the recent web site visits. Here you should see the
test sites that you accessed using the web browser, e.g. www.google.co.uk.
NETWARE NDS (E-DIRECTORY)
CensorNet supports NDS authentication against a Novell Netware directory server, such as Netware 6.5.
To configure Netware NDS Authentication, go to SYSTEM -> CONFIGURATION -> USER
AUTHENTICATION and select the Netware NDS (e-Directory) radio button.
You will need the following information:
Server IP address – the IP address of the main Netware server used to authenticate users on your network.
Click SET OPTIONS to enable Netware NDS authentication.
LDAP SERVER AUTHENTICATION
The LDAP Server Authentication method enables the use of a vanilla (non-Active Directory) LDAP server, such
as Open LDAP, as a source for user authentication.
To configure LDAP Server Authentication, go to SYSTEM -> CONFIGURATION -> USER
AUTHENTICATION and select the LDAP Server Authentication radio button.
You will need the following information:
Server IP address - The address of the server running the LDAP service.
Server Port number - The port that the LDAP server is listening on. The default is port 389
Base DN - This is the “root” of the directory tree. For example “dc=ldap, dc=example, dc=com”. You should enter the correct values for your LDAP server. Queries from the CensorNet server to your LDAP server will start from here.
Bind DN - This is an entity authorised to query the LDAP tree. All queries from CensorNet to the LDAP server will use this entity. NOTE: Ensure the BINDDN entity has suitable rights on the LDAP server.
Bind DN Password - The password associated with the Bind DN entity.
Login Attribute - This attribute within the LDAP tree specifies the username. Most Unix installations use the uid attribute, though it is possible to configure an alternate one. Consequently, CensorNet permits a choice of which attribute is to be used to define the users. NOTE: This attribute must be correct in order for CensorNet to retrieve users from the tree.
Object Class Filter - In most installations, this field can safely be left blank. It is provided for those users who have a more complex LDAP configuration.
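How these fields combine into a directory lookup, as an added Python example that is not CensorNet's own code: the Login Attribute and the Object Class Filter form one RFC 4515 search filter evaluated under the Base DN, and the username typed at the login prompt is escaped so that filter metacharacters in it cannot change the query. It assumes the Object Class Filter holds a plain class name; the function names are the author's.

```python
"""Compose the LDAP search described by the LDAP Server Authentication fields.

Added example, not CensorNet's implementation. Whether the product builds
its filter exactly this way is an assumption; the escaping rules are from
RFC 4515 section 3.
"""
import re

# Characters that must be escaped as \XX inside an LDAP filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# An attribute description: letters, digits and hyphens, starting with a letter.
_ATTRIBUTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    """Escape a user-supplied string so it can only ever match literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login_attribute, username, object_class_filter=""):
    """Combine the Login Attribute and the optional Object Class Filter.

    login_attribute is an admin setting (e.g. "uid" on most Unix directories);
    object_class_filter is the class name typed into the field, or blank.
    """
    if not _ATTRIBUTE_RE.match(login_attribute):
        raise ValueError(f"invalid login attribute: {login_attribute!r}")
    clause = f"({login_attribute}={escape_filter_value(username)})"
    if not object_class_filter:
        return clause
    return f"(&(objectClass={escape_filter_value(object_class_filter)}){clause})"


def build_ldap_search(base_dn, login_attribute, username, object_class_filter=""):
    """Return the (search base, filter) pair a bind-then-search login would issue."""
    return base_dn, build_user_filter(login_attribute, username, object_class_filter)


if __name__ == "__main__":
    # Constructed values: the Base DN from the guide, a uid-based directory.
    base, flt = build_ldap_search("dc=ldap,dc=example,dc=com", "uid", "jsmith", "posixAccount")
    print(base, flt)   # dc=ldap,dc=example,dc=com (&(objectClass=posixAccount)(uid=jsmith))
    # A username containing filter metacharacters stays a literal match:
    print(build_user_filter("uid", "*)(uid=*"))   # (uid=\2a\29\28uid=\2a)
```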
INTERNAL AUTHENTICATION
Internal Authentication allows CensorNet to store a list of usernames and passwords to authenticate users
when they attempt to browse the web. This is useful for environments where there is no central domain
controller or other suitable user authentication source.
When in Internal Authentication mode, CensorNet also provides a portal for users themselves to manage their
own passwords.
To configure Internal Authentication, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and
select the Internal Authentication radio button.
Click SET OPTIONS to enable Internal Authentication.
With Internal Authentication enabled, users will be prompted to login when they open a web browser, as
shown in the following screenshot.
MANAGING USER ACCOUNTS
You must create user accounts on the CensorNet server for each of the users that require access to the
Internet.
To create a new user account, go to OBJECTS -> USERS -> NEW USER.
You will be prompted for the following information:
Username – this is a unique username for the account.
Group – this is the group that the new user account will belong to. If there are no groups defined, you will be asked to create one.
Password – this is the password for the new account.
Confirm Password – re-enter the password for the new account.
Click ADD USER to create the new user account. You should then test that you can access the Web by entering
the new username and password when prompted.
To change the password or delete the user, go to OBJECTS -> USERS -> MANAGE USERS and find the
username in the list of accounts, e.g.
To delete the account, click the tick box and click COMMIT CHANGES.
To move the account, select the new group from the groups drop down list and then click COMMIT CHANGES.
To change the password, click the CHANGE PASSWORD button and enter a new password.
MANAGING USER PASSWORDS
CensorNet includes a self-service password management page, which makes managing passwords easier. To
access the password page, point a web browser at:
HTTP://X.X.X.X/CENSORNET/PASSWORD.PHP
Where X.X.X.X is the IP address or hostname of the CensorNet server.
The password page will be displayed:
This page can be used by a user to reset their own password without needing to contact the network
administrator. Note that only users who already have an account and know their current password can use
this page.
NO USER AUTHENTICATION
It is possible to configure CensorNet without any user authentication or identification at all. In this mode,
filtering policies will be applied based on the computer information. The reports will not contain any user
details.
To enable this mode, go to System -> CONFIGURATION -> USER AUTHENTICATION and click the “No User
Authentication” radio button and then click SET OPTIONS.
GLOBAL USER AUTHENTICATION SETTINGS
CensorNet has two global authentication settings which are enabled by default:
Multiple Login Detection – selecting this option prevents the same username from being used to browse the Internet from more than one computer at once. There is a 5 minute timeout, so after finishing a browsing session on one computer users must wait 5 minutes before browsing from another computer.
Anonymous Browsing on Inline Intercepted Connections – applies to Inline mode only. Selecting this option allows anonymous browsing which effectively disables all the authentication options except for the CensorNet Active Directory Agent. For further information please refer to this Knowledge Base article: http://wiki.censornet.com/foswiki/bin/view/Main/AnonBrowsingInLine
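The Multiple Login Detection rule above, modelled as an added Python example that is not CensorNet's implementation: a username may be active from only one computer at a time, and a second computer is accepted only once 5 minutes have passed since the last request from the first. How CensorNet stores sessions internally is not described in this guide; the class and the sample request stream are the author's.

```python
"""Model of the Multiple Login Detection rule (added example, not CensorNet code)."""
from datetime import datetime, timedelta

LOGIN_TIMEOUT = timedelta(minutes=5)  # the 5 minute timeout quoted in the guide


class MultipleLoginDetector:
    """Tracks which computer each username is currently browsing from."""

    def __init__(self, timeout=LOGIN_TIMEOUT):
        self.timeout = timeout
        self._active = {}  # username -> (computer identifier, time of last allowed request)

    def allow(self, when, username, computer):
        """Return True if the request may proceed, False if it is a second-computer login.

        An allowed request refreshes the user's session; a denied one does not,
        so the original computer's idle timer keeps running.
        """
        session = self._active.get(username)
        if session is not None:
            last_computer, last_seen = session
            if last_computer != computer and when - last_seen < self.timeout:
                return False  # same user, different computer, inside the timeout
        self._active[username] = (computer, when)
        return True

    def active_sessions(self, now):
        """Users still inside the timeout window, with the computer they are using."""
        return {u: c for u, (c, seen) in self._active.items() if now - seen < self.timeout}


def replay(requests, detector=None):
    """Run (time, username, computer) tuples through a detector; return the decisions."""
    detector = detector or MultipleLoginDetector()
    return [detector.allow(t, u, c) for t, u, c in requests]


# Constructed sample stream: user "foo" (the guide's test user) on two computers,
# identified here by MAC address as in the guide's default Computer Identification mode.
_T0 = datetime(2009, 1, 1, 9, 0, 0)
SAMPLE_REQUESTS = [
    (_T0, "foo", "00:0C:29:7F:5F:6F"),
    (_T0 + timedelta(minutes=1), "foo", "00:02:E3:0A:8F:72"),  # denied: second computer
    (_T0 + timedelta(minutes=7), "foo", "00:02:E3:0A:8F:72"),  # allowed: first idle > 5 min
]

if __name__ == "__main__":
    print(replay(SAMPLE_REQUESTS))  # [True, False, True]
```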
ACTIVE DIRECTORY INTEGRATION
CensorNet is compatible with Active Directory running on:
Windows 2000 Server
Windows 2003, 2003r2 Server
Windows 2008, 2008r2 (64-bit) Server
It is possible to synchronise or replicate your Active Directory structure with CensorNet.
Synchronise (Windows Server 2003 and above) – this requires the CensorNet Synchronisation Service
to be installed on your domain controller and the structure of your Active Directory will be
automatically imported and then kept synchronised on CensorNet. If you create, delete or move user
accounts on your Active Directory, CensorNet will automatically update with the changes.
Replicate – this does not require any software installing on the domain controller. Replication is a
manual process of importing the Active Directory structure into CensorNet. Each time a change is
made to the Active Directory, you should replicate the structure within CensorNet again.
SYNCHRONISING WITH ACTIVE DIRECTORY
The CensorNet Synchronisation Service is a system service that runs on Windows Server 2003 and above. The
purpose of the service is to synchronise the Active Directory structure with the CensorNet server, specified
during installation. With the service running, you do not need to manually update CensorNet with changes to
the Active Directory (users, groups, etc).
The service can synchronise based on Organisational Unit (OU) or Primary Group.
INSTALLING THE CENSORNET SYNCHRONISATION SERVICE
Please visit http://www.censornet.com/adsync/ for download and installation instructions.
CONFIGURING THE CENSORNET SYNCHRONISATION SERVICE
After installing the CensorNet Synchronisation Service on your domain controller you will need to configure a
shared secret key on the CensorNet server.
To do this, go to OBJECTS -> SYNCHRONISE -> WITH ACTIVE DIRECTORY and enter a secret key as shown
below. The secret keys must match exactly on both the Synchronisation Service and the CensorNet server for
the synchronisation to work.
Press SET OPTIONS to enable the use of the CensorNet Synchronisation Service.
On the domain controller, go to START -> ALL PROGRAMS -> CENSORNET SYNCHRONISATION MONITOR to
configure the service.
Enter the IP address of the CensorNet server, the shared secret key (exactly as you set it on the CensorNet
server), select the domain to synchronise and the method to group users by. Then press START SERVICE.
If the service fails to start, check the IP address and shared secret are correct and try again.
VERIFY THAT THE CENSORNET SYNCHRONISATION SERVICE IS WORKING
After a few seconds, the service will synchronise CensorNet with Active Directory. Please check the user
manager under OBJECTS -> USERS -> MANAGE GROUPS to verify that the Active Directory structure has been
synchronised. Any changes that are made to the Active Directory server will be visible within CensorNet a few
seconds later.
You are now ready to apply filtering policies to the group or make changes to the group name and/or its
members if required.
REPLICATING THE ACTIVE DIRECTORY STRUCTURE
It is possible to replicate your Active Directory structure within CensorNet. This makes it easy to apply policies
to your existing groups. If you change the structure, move users between groups or add new users to groups,
you should re-synchronise with CensorNet. For automatic synchronisation please see Synchronising with Active
Directory.
You should configure an appropriate User Authentication method before attempting to import user and group
information from Active Directory.
You can replicate your Active Directory structure based on OU or Primary Group. Most Active Directories use
OU containers so this is the most common method.
REPLICATING BY ORGANISATIONAL UNIT (OU)
Go to OBJECTS -> IMPORT -> USERS FROM ACTIVE DIRECTORY BY OU.
You will be prompted to enter the following details:
Server Address – this is the IP address of the primary Active Directory server on your network.
Active Directory Domain – this is the full Active Directory domain for the network excluding the hostname or server name of the Active Directory.
Admin Username – this is a username that has administrator rights on the Active Directory server.
Admin Password – this is the password for the username specified in Admin Username.
Press SYNCHRONISE USER LIST to start the replication.
If the credentials have been entered correctly, CensorNet will display a list of OU groups and users within
those groups. Review the list and ensure they are correct and then press CREATE/MOVE USERS AS ABOVE. If
the list is empty, try using the Import by Primary Group method instead.
You will be prompted to confirm this action, which will create new groups and users as per the structure
shown above.
The replication may take several seconds depending on the size and complexity of your Active Directory
server. You will receive a confirmation message, like the one below, once the replication has completed.
Click CONTINUE to view the newly imported groups and users.
You are now ready to apply filtering policies to the group or make changes to the group name and/or its
members if required.
REPLICATING BY PRIMARY GROUP
Go to OBJECTS -> IMPORT -> USERS FROM ACTIVE DIRECTORY BY PRIMARY GROUP.
You will be prompted to enter the following details:
Server Address – this is the IP address of the primary Active Directory server on your network.
Active Directory Domain – this is the full Active Directory domain for the network excluding the hostname or server name of the Active Directory.
Admin Username – this is a username that has administrator rights on the Active Directory server.
Admin Password – this is the password for the username specified in Admin Username.
Press SYNCHRONISE USER LIST to start the replication.
If the credentials have been entered correctly, CensorNet will display a list of Primary Groups and users within
those groups. Review the list and ensure they are correct and then press CREATE/MOVE USERS AS ABOVE. If
the list is empty, try using the Import by OU method instead.
You will be prompted to confirm this action, which will create new groups and users as per the structure
shown above.
The replication may take several seconds depending on the size and complexity of your Active Directory
server. You will receive a confirmation message, like the one below, once the replication has completed.
Click CONTINUE to view the newly imported groups and users.
You are now ready to apply filtering policies to the group or make changes to the group name and/or its
members if required.
COMPUTER IDENTIFICATION
CensorNet is capable of logging and filtering based on the computer credentials as well as the user credentials.
A computer can be identified in a number of ways and it is worthwhile deciding on the best method to use up
front, as changing the mode later will require you to import the computers again. CensorNet can identify
computers in three ways:
Method                 When to use
MAC Address (default)  On a LAN when using DHCP
IP Address             On a WAN or with multiple subnets
Hostname               On a LAN/WAN with DNS to resolve computers to hostname
The COMPUTER IDENTIFICATION methods are described in detail in this section.
CONFIGURING THE COMPUTER IDENTIFICATION METHOD
To set the Computer Identification method, go to SYSTEM -> CONFIGURATION -> COMPUTER
IDENTIFICATION.
Press SET OPTIONS to enable the specified Identification Method.
NOTE: CHANGING THE COMPUTER IDENTIFICATION MODE WILL REMOVE ANY EXISTING
COMPUTER OBJECTS FROM CENSORNET
MAC ADDRESS METHOD
By default, CensorNet is configured to identify computers by their MAC address.
In order for computer details to appear in the reports and to apply filtering rules specifically to computers, you
must tell CensorNet about the computers on your network.
There are two ways you can do this. The first is an automatic PROBE LAN which will scan the entire subnet and
attempt to auto-detect any computers that are connected to the network and add their MAC address and
hostname. The second way is to import the computer information from a compatible file, such as CSV.
IMPORT COMPUTERS AUTOMATICALLY
You must have at least one computer group defined. To create a new group, go to OBJECTS -> COMPUTERS ->
NEW GROUP.
Group Name – this should be a plain text name for the group, e.g. Computers.
Require User Authentication – Select “Yes” to force authentication when accessing the Internet from computers in this group (if you have enabled User Authentication, see section User Authentication). Select “No” if you do not require authentication for this group of computers, for example, if it is a suite of guest computers or public access computers.
Click ADD GROUP to create the new computer group.
To probe the network for computer information, go to OBJECTS -> IMPORT -> COMPUTERS FROM LAN.
Scan on interface – select the network Interface to use for scanning the network. If your CensorNet server has more than one NIC then you can select which one to use for the probe.
Import into group – select the group to import computer information into. All automatically discovered computers will appear in this group. Later, you can move the computers into different groups if you require different filtering rules for different groups of machines.
Click RUN PROBE to start the automatic detection. A progress bar is shown while the probe runs.
NOTE: IF YOUR SUBNET IS PARTICULARLY LARGE, THE PROBE MAY TAKE A WHILE TO RUN
AND MAY CAUSE AN UNEXPECTED PEAK IN NETWORK TRAFFIC.
After the probe has completed you will be able to view the computers that have been detected.
Go to the OBJECTS -> COMPUTERS -> MANAGE COMPUTER page to make changes to the hostnames, MAC address information and group membership for the imported computers.
IMPORT COMPUTERS FROM CSV
CensorNet supports a number of CSV formats for importing computer information.
HOSTNAME,MAC ADDRESS – this is a simple CSV format containing the hostname and MAC address separated by a comma, one per line, without any header. E.g.
samurai,00:0C:29:7F:5F:6F
sword,00:02:E3:0A:8F:72
ANGRYIP – AngryIP is a free network scanner that can probe the network for connected devices and export the contents to CSV. This CSV file can be imported directly into CensorNet.
CSVDE – CSVDE is a tool provided by Microsoft to export user and computer information from Active
Directory. The exported file can be imported directly into CensorNet.
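The HOSTNAME,MAC ADDRESS format above is easy to produce by hand, but MAC addresses collected from ARP tables, switch exports or network scanners arrive in several notations and often contain duplicates. The following script, added here as an example and not part of CensorNet, normalises a list of (hostname, MAC) pairs into the exact form the import expects (upper-case, colon-separated, no header) and reports every row it drops. The input rows and the rejection reasons are constructed for the demonstration; CensorNet's own import validation may differ.

```python
"""Prepare a HOSTNAME,MAC ADDRESS file for CensorNet's CSV import.

Added example, not CensorNet code. MAC addresses are accepted in the
forms commonly seen in ARP tables and switch exports
(00-0c-29-7f-5f-6f, 000c.297f.5f70, 00:0C:29:7F:5F:6F) and written
out as the colon-separated upper-case form used in this guide.
"""
import re

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw):
    """Return a MAC as XX:XX:XX:XX:XX:XX, or None if raw is not a MAC."""
    # Only hex digits and the usual separators (: - . whitespace) are allowed.
    if re.search(r"[^0-9A-Fa-f:\-.\s]", raw):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_import_rows(records):
    """records: iterable of (hostname, raw_mac) pairs.

    Returns (rows, rejected): rows are 'hostname,MAC' lines ready for the
    CSV import; rejected lists (hostname, raw_mac, reason) for every pair
    that was dropped. The first row wins when a MAC appears twice.
    """
    rows, rejected, seen = [], [], set()
    for hostname, raw_mac in records:
        hostname = hostname.strip()
        mac = normalize_mac(raw_mac)
        if not hostname or "," in hostname:
            rejected.append((hostname, raw_mac, "empty hostname"))
        elif mac is None:
            rejected.append((hostname, raw_mac, "invalid MAC"))
        elif int(mac[:2], 16) & 1:
            # Group bit set: multicast or broadcast, never a host address.
            rejected.append((hostname, raw_mac, "multicast/broadcast MAC"))
        elif mac in seen:
            rejected.append((hostname, raw_mac, "duplicate MAC"))
        else:
            seen.add(mac)
            rows.append(f"{hostname},{mac}")
    return rows, rejected


# Constructed sample input; only the first two MACs come from the guide.
SAMPLE_RECORDS = [
    ("samurai", "00:0C:29:7F:5F:6F"),      # already in the import format
    ("sword", "00-02-e3-0a-8f-72"),        # Windows "arp -a" style
    ("katana", "000c.297f.5f70"),          # Cisco style
    ("samurai-old", "00:0c:29:7f:5f:6f"),  # same MAC as samurai: dropped
    ("", "00:11:22:33:44:55"),             # no hostname: dropped
    ("broken", "00:0C:29:7F:5F"),          # only five octets: dropped
    ("bcast", "ff:ff:ff:ff:ff:ff"),        # broadcast address: dropped
]


def write_import_file(path, records=SAMPLE_RECORDS):
    """Write the import file (no header, one computer per line)."""
    rows, rejected = build_import_rows(records)
    with open(path, "w", newline="\n") as fh:
        fh.write("\n".join(rows) + "\n")
    return rows, rejected


if __name__ == "__main__":
    rows, rejected = build_import_rows(SAMPLE_RECORDS)
    print("\n".join(rows))
    for hostname, raw, reason in rejected:
        print(f"# rejected {hostname!r} {raw!r}: {reason}")
```

Review the rejected list before importing: a duplicate MAC usually means a stale hostname, and a multicast or broadcast address means the source table was captured from something other than a real host.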
COMMON PROBLEMS
The Probe LAN option does not detect all of the computers on the network – this can happen for a number of reasons:
o Ensure that all the computers are powered on and connected to the network, then re-run the probe.
o The probe relies on NetBIOS name queries. Computers that do not respond to NetBIOS requests cannot be detected; enter their hostname and MAC address manually or import them from CSV (see Import Computers from CSV).
o A host firewall on the computers may be blocking the NetBIOS requests (NetBIOS name service, UDP port 137).
The Probe LAN takes too long – if your subnet is larger than a /22 (netmask 255.255.252.0, about 1,000 addresses), import the computer information from CSV instead.
IP ADDRESS METHOD
IP address mode can be used if you have a network topology consisting of multiple routers, VLANs, VPNs or
you identify computers based on static IP addresses rather than DHCP.
In order for computer information to appear in the reports you must import all or part of the subnet into
CensorNet.
IMPORT COMPUTERS AUTOMATICALLY
To automatically import computer information, go to OBJECTS -> IMPORT -> COMPUTERS FROM LAN.
You can import by IP address range or by subnet. This allows you to import different ranges into different
groups if required. Optionally, CensorNet can attempt to resolve the IP address to a hostname using NetBIOS.
If this is selected, the import will take slightly longer.
PLEASE NOTE: IF YOU TICK TO USE NETBIOS AND THE IP ADDRESS CANNOT BE RESOLVED IT
WILL NOT BE ADDED TO CENSORNET.
Go to the OBJECTS -> COMPUTERS -> MANAGE COMPUTER page to make changes to the hostnames, IP address information and group membership for the imported computers.
HOSTNAME METHOD
The Hostname method should be used on networks with single or multiple subnets where the internal DNS servers are configured to return a hostname (a PTR record) for each IP address on the network. If the IP address does not resolve to a hostname, CensorNet will deny access to the Internet from this computer as a security measure. Because the PTR record is what identifies the computer, the reverse zones must be maintained by your own DNS servers and kept current: a stale record that maps two addresses to one name would cause both to be identified as the same computer.
In order for computer information to appear in the reports you must import all or part of the subnet into CensorNet.
IMPORT COMPUTERS AUTOMATICALLY
To automatically import computer information, go to OBJECTS -> IMPORT -> COMPUTERS FROM LAN.
You can import by IP address range or by subnet. This allows you to import different ranges into different
groups if required. CensorNet will attempt to resolve all IP addresses to a hostname.
NOTE: IF CENSORNET CANNOT RESOLVE THE IP ADDRESS TO A HOSTNAME IT WILL NOT
IMPORT IT AND THE COMPUTER MAY BE DENIED ACCESS TO THE INTERNET UNTIL THERE IS
A VALID PTR RECORD, OR YOU MANUALLY ADD THE INFORMATION TO CENSORNET
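Since an address with no PTR record is skipped by the import and then denied Internet access, it is worth auditing the reverse zone before switching to the Hostname method. The script below is an added example, not CensorNet code; it resolves every address in a subnet, lists the ones with no reverse record, and flags names shared by more than one address. The resolver is a parameter so the logic can be exercised offline against a constructed reverse zone (the 192.0.2.0/28 data shown is invented for the demonstration); by default it uses the system resolver of the host you run it on, which should be pointed at the same internal DNS servers CensorNet uses.

```python
"""Pre-flight check for CensorNet's Hostname identification method.

Added example, not CensorNet code. Lists the addresses in a subnet that
have no PTR record (these would not be imported and would be denied
Internet access) and PTR names shared by several addresses.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def system_resolver(ip):
    """Return the PTR name for ip via the system resolver, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def audit_ptr(network, resolve=system_resolver, workers=32):
    """Resolve every host address in network (CIDR string).

    Returns (resolved, missing): resolved maps ip -> hostname in address
    order; missing is the list of addresses with no PTR record.
    """
    hosts = [str(ip) for ip in ipaddress.ip_network(network, strict=False).hosts()]
    # Reverse lookups are independent, so run them concurrently; map()
    # keeps the results in the same order as hosts.
    with ThreadPoolExecutor(max_workers=workers) as pool:
        names = list(pool.map(resolve, hosts))
    resolved = {ip: name for ip, name in zip(hosts, names) if name}
    missing = [ip for ip, name in zip(hosts, names) if not name]
    return resolved, missing


def duplicate_hostnames(resolved):
    """PTR names that several addresses share, case-insensitively."""
    by_name = {}
    for ip, name in resolved.items():
        by_name.setdefault(name.lower(), []).append(ip)
    return {name: ips for name, ips in by_name.items() if len(ips) > 1}


# Constructed reverse zone for the offline demonstration (TEST-NET-1).
SAMPLE_PTR = {
    "192.0.2.1": "gateway.corp.example",
    "192.0.2.10": "samurai.corp.example",
    "192.0.2.11": "sword.corp.example",
    "192.0.2.12": "sword.corp.example",   # stale record: two IPs, one name
}


def sample_resolver(ip):
    return SAMPLE_PTR.get(ip)


if __name__ == "__main__":
    resolved, missing = audit_ptr("192.0.2.0/28", resolve=sample_resolver)
    print(f"{len(resolved)} resolved, {len(missing)} without PTR: {missing}")
    for name, ips in duplicate_hostnames(resolved).items():
        print(f"{name} is the PTR for {', '.join(ips)}")
```

Run it with the real resolver against each subnet you intend to import; fix the reverse zone (or plan to add the computers manually) for every address it reports as missing before changing the identification method.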
SSL INTERCEPT MODE
CensorNet has the ability to intercept, decrypt and filter secure SSL web sites. This option is off by default
when CensorNet is configured in SIDEWAYS mode and on by default when CensorNet is configured in INLINE
mode.
SSL sites can harbour web based threats such as anonymous proxy servers and malware. They are also used
legitimately to transfer confidential and secure information. You should decide whether you wish to allow SSL
completely with no filtering (bypass), block it completely, or allow CensorNet to intercept and filter it
regardless of the type of content on the site.
ENABLING SSL INTERCEPT MODE
To enable SSL Intercept mode, go to SYSTEM -> CONFIGURATION -> SSL INTERCEPT MODE. Select “Enabled”
and press SET OPTIONS.
INSTALLING WEB BROWSER SSL CERTIFICATE
SSL interception replaces the requested web server's certificate with one signed by the CensorNet server's own certificate authority. Browsers do not trust that authority by default, so they show a certificate warning on every SSL site. To stop the warning you must install the CensorNet root certificate authority (CA) into each browser on your network, in one of two ways:
Using an Active Directory group policy update to install the certificate (see Knowledge Base article)
Manual installation
Once the CensorNet CA is trusted, those browsers will accept any certificate signed with its private key for any site, so the key on the CensorNet server must be protected like any other root CA key and the CA should not be installed on machines that are not filtered by CensorNet.
Please refer to the guide "SSL Certificate Installation" for detailed information and installation instructions.
http://www.censornet.com/pdf/SSL-Certificate-Installation.pdf
BYPASSING SSL INTERCEPT MODE
If you do not want to filter any SSL web sites you can configure CensorNet to completely ignore any SSL
enabled web requests (e.g. https://). This is a global setting and will apply to all users and computers. It is also
possible to allow or deny SSL sites on a per policy basis, please see the section on Policies.
COMPLETELY BYPASS SSL WEB SITES
First of all, you should disable the SSL Intercept Mode. Go to SYSTEM -> CONFIGURATION -> SSL INTERCEPT
MODE, select “Disabled” and press SET OPTIONS.
Next, you need to create a Bypass rule to ignore SSL sites. GO TO FILTERS -> FILTER BYPASS MODULE ->
BYPASS CATEGORIES.
WARNING: This will allow all HTTPS/SSL enabled web sites regardless of their content which may be legitimate
or harmful.
Create a new category called “SSL Bypass” and click ADD.
Click on the category name from the EXISTING CATEGORIES list.
Add the pattern ":443" (without the quotes) to the new category and press ADD URL. Any request matching the pattern is then passed through without filtering, logging or authentication (see Global Filtering Modules).
DISABLING SSL INTERCEPT MODE
Disabling SSL mode will prevent CensorNet from intercepting and filtering SSL enabled web sites. As a result,
by default, CensorNet will block all SSL web sites unless you specifically allow access to them in a filtering
policy.
To disable SSL Intercept, go to SYSTEM -> CONFIGURATION -> SSL INTERCEPT MODE, select “Disabled” and
press SET OPTIONS.
NOTE: If you disable SSL Intercept Mode, SSL web sites will be blocked by default unless you bypass filtering for SSL or add explicit URLs to allow in the Custom URL module.
FILTERING POLICIES
CensorNet provides a powerful and granular way of filtering Web content in the form of policies. Policies are
sets of rules which instruct the filtering modules to act in a certain way (ALLOW / IGNORE / BLOCK) and these
policies can be applied to user groups or computer groups. The filtering modules are plug-in components that
provide a specific type of filtering, e.g. URL matching, image filtering, real time classification, streaming
content, etc. By building a policy, you can control what can be accessed online, by whom and at what time.
Policies can operate in one of five modes. The modes decide the base functionality of the policy and,
depending on the mode, can be further customised by the administrator.
The five filtering modes are:
OPEN – An open mode policy provides unfiltered, but logged, access to the Web.
CLOSED – The closed mode policy prevents access to the Web.
RESTRICTED – The restricted mode policy creates a “walled garden” and only allows access to a specified list of Web sites or web site categories.
FILTERED – The filtered mode policy allows you to specify granular filtering rules for each of the filter modules.
ADVISORY – This is the same as the filtered mode but any web site that is blocked can be overridden by the user. This is a “coaching” mode.
A policy can be applied to more than one group of users or computers, but only one policy can be active at any
one time for any particular group. Combinations of policies can be scheduled to activate and deactivate at
certain times during the week for a specified group.
DEFAULT POLICY
At least one policy must exist on the CensorNet server. CensorNet comes pre-configured with a default policy that operates in the filtered mode and contains a set of common rules. It is intended as an example to customise and build on to meet your organisation's exact requirements.
The default policy is applied to any user or computer that does not already have a policy assigned to their
group or to an unknown user or computer trying to use CensorNet. It is a useful “catch all” policy that will
provide the minimum level of filtering on the network.
THE DEFAULT POLICY EXPLAINED
The default policy is a good starting point to familiarise yourself with how filtering policies work within
CensorNet. Go to POLICIES -> MANAGE POLICIES and click on the “Default Policy” entry.
After a few moments, the rules will load and you will be able to make changes to the policy if you require.
Under the "Policy Details" section there are several important configuration options for the policy, as described below.
Name – this is a plain text name for the policy. It is useful to give meaningful names to the policies as it makes administering them easier.
Description – this is a plain text description of the policy, which is useful to tell other administrators the purpose of the policy.
Colour Label – this is the colour that will identify the policy when you create a policy schedule.
Mode – this defines the filtering mode that this policy will use (please see Policies section for a description of the five modes).
If rules conflict – Web sites can be classified into more than one category by the filtering modules. If a module has conflicting block and allow rules, then CensorNet will use this option to resolve the conflict. The choices are “Block rules override allow rules” or “Allow rules override block rules”.
Dynamic sites – Web sites categorised as having highly dynamic content (e.g. Google, Wikipedia) may contain unsuitable content even though they are in a legitimate category (e.g. Search Engines, Reference). Forcing the real-time analysis will attempt to block adult, obscene or explicit pages that may exist within the dynamic site even though the category they are in has been set to “allow”. The choices are “Force real-time content analysis” or “URL database categories override real-time content analysis”. The latter will disable any real-time analysis of dynamic web sites and allow or deny the web site based upon the rules configured in the Content Classifier module, which is explained below.
Time Quota – a policy can contain a Time Quota for categories of web site that you choose. Every time you access a web site that is in a category which is part of the time quota, the time will be reduced. When the time quota has reached zero, access to the web sites in those categories will be blocked until the next day. The quotas are reset at midnight. NOTE: The Time Quota feature only works if User Authentication is enabled. For more information on Time Quotas please see: http://wiki.censornet.com/foswiki/bin/view/Main/QuotasExplained
The “Filter modules” section provides a way to set the rules for each of the filter modules that are available to
the Filtered Mode policy.
With the exception of the Active Image Control, the modules use "categories" which can be set to trigger "ALLOW", "BLOCK" or "IGNORE". A category may contain a list of URLs or represent a single entity, such as a file extension.
The three triggers, "ALLOW", "BLOCK" and "IGNORE", instruct CensorNet what to do when a request matches a category configured in the filtering module:
Allow – allow the request. Processing of the policy stops as soon as the match is triggered, so no later module inspects the request.
Block – block the request. Processing of the policy stops as soon as the match is triggered.
Ignore – pass the request to the next filter module and continue running the policy.
Within a policy there are six modules which can be configured:-
Custom URL – The Custom URL module allows you to maintain categories of web site yourself, which override or complement those provided in the URL database. The Custom URL module uses patterns to match URLs, so you can also use it to block keywords in the URL or to match multiple addresses with a wildcard. Categories that are set to "allow" can also be placed into a Time Quota. For more information on Custom URL patterns please see http://wiki.censornet.com/foswiki/bin/view/Main/URLPatternsExplained
Content Classifier – The Content Classifier allows you to specify which categories from the URL database should be matched as part of the policy and what action should be taken. There are over 70 categories, in multiple languages, which contain over 65,000,000 individual web sites. Categories that are set to "allow" can also be placed into a Time Quota.
File Extension Filter – The File Extension Filter contains a list of file extensions which you can control using the policy.
MIME Type Filter – The MIME Type Filter contains a list of MIME types which you can control using the policy. Setting a MIME type to allow will also allow it to stream properly through CensorNet without being cached first.
Active Image Control – The Active Image Control uses image recognition techniques to attempt to block explicit images from being displayed in the web browser.
Upload Filter – The upload filter inspects any HTTP POST requests for specific file types being uploaded
When a policy is processed, the modules are executed in order from top to bottom as they appear under the
“Filter Modules” section. This means, for example, that if a rule is matched in the Custom URL module to
“block” the request, it will not reach any of the other modules for processing. For further information on policy
parsing please see this Knowledge Base article: http://wiki.censornet.com/foswiki/bin/view/Main/PolicyParser
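The ordering rules above (modules top to bottom, ALLOW or BLOCK ends processing, IGNORE passes the request on, and the "If rules conflict" setting decides a module that matches both an allow and a block category) are easier to reason about in code. The model below is an added example written to illustrate those rules; it is not CensorNet's policy parser. Its pattern syntax (shell-style wildcards via Python's fnmatch), its stand-in URL database, the policy it evaluates, and its treatment of a request that no module matches (allowed) are all assumptions of the model and not statements about the product.

```python
"""Model of how a FILTERED mode policy is parsed.

Added example, not CensorNet code. Modules run in order; a module whose
matched categories resolve to ALLOW or BLOCK ends processing, IGNORE
hands the request to the next module, and the policy's conflict rule
settles a module that matched both an allow and a block category.
"""
from fnmatch import fnmatch

ALLOW, BLOCK, IGNORE = "ALLOW", "BLOCK", "IGNORE"
BLOCK_OVERRIDES_ALLOW = "block_overrides_allow"
ALLOW_OVERRIDES_BLOCK = "allow_overrides_block"


class CustomUrlModule:
    """Administrator-maintained categories of URL patterns (no scheme prefix)."""
    name = "Custom URL"

    def __init__(self, categories):
        # categories: {category_name: (trigger, [pattern, ...])}
        self.categories = categories

    def matches(self, url):
        return {cat: trig for cat, (trig, pats) in self.categories.items()
                if any(fnmatch(url, p) for p in pats)}


class ContentClassifierModule:
    """Categories from the URL database, looked up by hostname."""
    name = "Content Classifier"

    def __init__(self, triggers, database):
        # triggers: {category: trigger}; database: {host: {category, ...}}
        self.triggers = triggers
        self.database = database

    def matches(self, url):
        host = url.split("/", 1)[0]
        return {cat: self.triggers.get(cat, IGNORE)
                for cat in self.database.get(host, ())}


def resolve(triggers, conflict_rule):
    """Collapse one module's matched triggers to ALLOW, BLOCK or IGNORE."""
    actions = set(triggers.values()) - {IGNORE}
    if not actions:
        return IGNORE
    if actions == {ALLOW, BLOCK}:
        return BLOCK if conflict_rule == BLOCK_OVERRIDES_ALLOW else ALLOW
    return actions.pop()


def evaluate(policy, url):
    """Run the policy's modules in order for url (written without http://).

    Returns (action, deciding_module, trace); trace records each module
    consulted, so it also shows which modules never saw the request.
    """
    trace = []
    for module in policy["modules"]:
        matched = module.matches(url)
        action = resolve(matched, policy["conflict_rule"])
        trace.append((module.name, matched, action))
        if action in (ALLOW, BLOCK):
            return action, module.name, trace
    return ALLOW, None, trace  # model assumption: nothing matched -> allowed


# Constructed stand-in for the URL database and an illustrative policy.
URL_DATABASE = {
    "news.example": {"News"},
    "mixed.example": {"News", "Streaming Media"},
    "proxy-site.example": {"Anonymous Proxies"},
}


def sample_policy(conflict_rule=BLOCK_OVERRIDES_ALLOW):
    return {
        "conflict_rule": conflict_rule,
        "modules": [
            CustomUrlModule({
                "Exam Board": (ALLOW, ["*.exam-board.example*"]),
                "Proxy Keywords": (BLOCK, ["*proxy*"]),
                "Watch List": (IGNORE, ["*.example/*"]),
            }),
            ContentClassifierModule(
                {"News": ALLOW, "Streaming Media": BLOCK, "Anonymous Proxies": BLOCK},
                URL_DATABASE),
        ],
    }


if __name__ == "__main__":
    for url in ("news.example/today", "mixed.example/live",
                "www.exam-board.example/proxy-help", "proxy-site.example/"):
        action, module, _ = evaluate(sample_policy(), url)
        print(f"{url:40} {action:5} by {module}")
```

The trace is the useful part when a rule does not behave as expected: a request blocked by a Custom URL keyword never reaches the Content Classifier, whatever that module would have allowed, and a site that the URL database places in two categories is decided by the conflict rule, not by the order in which the categories appear.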
Any changes that you make to the policy must be confirmed by pressing the UPDATE POLICY button at the
bottom of the page.
CREATING NEW POLICIES
To create a new policy, go to POLICIES -> NEW POLICY.
Alternatively, you can clone an existing policy. Go to POLICIES -> MANAGE POLICIES and click on the policy to
clone. Select a new COLOUR LABEL for the new policy otherwise it will be the same as the existing one, which
could cause confusion when setting up schedules, and then scroll to the bottom of the page and click the
CLONE POLICY button. You will be prompted to provide a name for the new policy.
Enter the new name and press enter or click OK. The policy will be cloned and the new policy will appear in the
Manage Policies list.
After creating a new policy you need to apply the policy to a group of users or computers.
APPLYING POLICIES TO GROUPS OF USERS OR COMPUTERS
Policies must be applied to groups in order for them to be active, with the exception of the Default Policy
which is active for any group that does not have a policy assigned to it.
Assigning policies in CensorNet is straightforward. After creating your policy, decide whether to apply it to a group of users or a group of computers. The method is the same for both; note, however, that computer policies override user policies, so a user who browses from a computer whose group has its own policy is filtered by that computer policy.
To apply a policy, go to OBJECTS -> USERS (OR COMPUTERS) -> MANAGE GROUP.
Click the SCHEDULE POLICY button for the group that you wish to apply a policy to.
This will load the SCHEDULE EDITOR.
The schedule editor allows you to specify when policies will be active for the chosen group. Each small square
represents a 5 MINUTE TIME PERIOD. Along the bottom of the editor is a legend which shows the policy
names and their associated colours.
From the POLICY PAINT BRUSH drop down box, you can select the policy to apply. You can then apply the
policy in a number of ways:
“Draw” when the policy will be active using the mouse. Hover over a time period, press and hold the left mouse button, and drag the policy until it reaches the end time. The policy will be active between each start and end point on the editor. You can increase the number of time blocks each mouse press will add by using the second drop down list – the default is 5 MINUTE BLOCKS.
Clone a schedule you have drawn for a specific day by clicking the radio button to the right of the day and click “Clone”. This will replicate the day’s schedule on all other days.
To apply the policy all day every day, select the policy to apply and click the “Fill All” button. The policy will be active 24x7 for that group.
To apply the policy to a specific day of the week, click the radio button to the right of the day and click “Fill Selected”.
You must click UPDATE SCHEDULE for the changes to take effect.
GLOBAL FILTERING MODULES
There are three global modules that apply to all policies, which are found under the Filters menu:
Safe Search – enforces Google, Yahoo! and Bing image safe search on regardless of whether the user tries to disable it in their web browser.
On-demand Anti-Virus (optional extra) – powered by AVG, the anti-virus module scans web pages in real time for threats such as viruses, Trojans, spyware, etc.
Filter Bypass – a list of trusted sites that you do not ever want to filter with CensorNet. Sites in the bypass list are not logged and are not authenticated in any way. This list should be kept to a minimum.
CUSTOM URL MODULE
The Custom URL module allows you to maintain your own categories of URLs for use within filtering policies. You can create an unlimited number of categories and they can contain an unlimited number of URLs. The Custom URL module is generally used to override the categories provided in the URL database or to control access to specific URLs from within a filtering policy.
CREATING A CUSTOM URL CATEGORY
Go to FILTERS -> CUSTOM URL MODULE -> CATEGORIES.
Enter the name of the new category and press ADD. The category will appear in the EXISTING CATEGORIES
list where you can click on it to start adding URLs.
ADDING CUSTOM URLS
Go to FILTERS -> CUSTOM URL MODULE -> URL MANAGER or click on a category name from the EXISTING
CATEGORIES list.
NOTE: CUSTOM URLS IN CENSORNET DO NOT USE THE HTTP:// OR HTTPS:// PREFIX
Add the new URL pattern and select a category to add the URL to and then click ADD URL. At this point, the
category containing the URL is just a container for the URL and does not block or allow it. To decide how the
category and its URLs will be handled, the category must be activated within a filtering policy.
Go to POLICIES -> MANAGE POLICIES and select a policy to use the new URL category with, e.g. default policy.
Scroll down to the CUSTOM URL MODULE and the new category will be displayed in the list.
By default the URL category is set to IGNORE. To block the URLs in the custom category change the trigger to
BLOCK or to allow the URLs change the trigger to ALLOW. If you allow a category in the Custom URL module
then all URLs within the category will be allowed and no further filtering will take place.
Scroll to the bottom of the policy page and click UPDATE POLICY to save the changes.
CUSTOM URL PATTERNS
For more information on Custom URL patterns please see this Knowledge Base article:
http://wiki.censornet.com/foswiki/bin/view/Main/URLPatternsExplained
ADMINISTRATORS
It is possible to define multiple administrator users that can login and administer the CensorNet system. The
administrator users can have different roles and be restricted to only accessing certain parts of the system.
To create a new administrator, go to OBJECTS -> ADMINISTRATORS -> NEW ADMINISTRATOR.
You will be required to enter:
Username – a username for the new administrator.
Password – a password for the new administrator.
Confirm – confirmation of the password for the new administrator.
Rights – select the rights that this administrator should have over the system. At least one right must be selected; grant only the rights that the administrator's role actually requires.
BYPASSING NON-PROXY-AWARE SITES / APPLICATIONS
CensorNet is designed to filter any content that conforms to the HTTP protocol, whether it comes from a web browser or a different kind of user agent. Depending on the size and complexity of your network there may be several applications that do not require filtering or that will malfunction if a web filter is in operation. The URIs (hostname/IP and port) for these services should be added to the CensorNet bypass list, so it is a good idea to make a note of them now to avoid issues when you deploy CensorNet. Bypassed traffic is neither filtered nor logged (see Global Filtering Modules), so list specific hosts and ports rather than broad patterns. The following is a non-exhaustive list of applications that should be bypassed:-
Local web servers such as Intranet sites
Thin client servers such as Citrix
Application servers such as Microsoft Outlook Web Access
Trusted extranet sites
Desktop applications that use HTTP/S, e.g. GoToMeeting, WebEx
To bypass these applications, go to FILTERS -> FILTER BYPASS -> BYPASS URL MANAGER.
Please refer to this guide on URL patterns within CensorNet:
http://wiki.censornet.com/foswiki/bin/view/Main/URLPatternsExplained
COMMON ERROR MESSAGES
THE UPSTREAM PROXY DID NOT RESPOND IN TIME
This error can occur for a number of reasons.
The DNS server that you have specified is not responding or is responding slowly. Try specifying a public DNS server as the primary DNS server for CensorNet. You can alter the DNS settings by logging into the console as root, typing "setup" and choosing "Option 2 – Network Configuration". Refer to the Installation Guide for network configuration.
You have specified a parent proxy and the details are either incorrect or the parent proxy is offline.
The parent proxy is not responding to CensorNet in time. Try an alternative parent proxy or contact Technical Support for assistance.
UNABLE TO RETRIEVE MAC ADDRESS OF THE PEER
This error occurs when CensorNet cannot see the client's MAC address, which is the case on a network with multiple routers and subnets: a router forwards the client's packets with its own MAC address as the source, so CensorNet only ever sees the router's address. MAC identification therefore only works for clients on the same network segment as the CensorNet server. You should change the "Computer Identification" method to "IP" or "Hostname". See the section on Computer Identification for more information.
THE AUTHENTICITY OF THE WEB SITE COULD NOT BE VERIFIED
This error can occur when SSL INTERCEPT MODE is enabled and CensorNet encounters a web site that has an
invalid certificate, or a certificate that is signed by a root authority that CensorNet does not know about, e.g.
intranet certificate.
The solution is to add the URL to the Filter Bypass module by going to FILTERS -> FILTER BYPASS MODULE -> BYPASS URL MANAGER. Bypassed sites are neither filtered nor logged, so first confirm that the certificate problem is expected (for example an intranet server issued by your own internal CA) rather than a genuinely invalid certificate.
For further information please refer to this Knowledge Base article:
http://wiki.censornet.com/foswiki/bin/view/Main/TheAuthenticitiyOfTheSecureWebSiteCouldNotBeVerified
CONTENT LENGTH EXCEEDED
For further information please refer to this Knowledge Base article:
http://wiki.censornet.com/foswiki/bin/view/Main/ContentLengthExceeded
UNABLE TO ESTABLISH AN OUTBOUND CONNECTION TO CSRV.CENSORNET.COM 2200
For CensorNet to operate in Trial Mode it needs to connect to CSRV.CENSORNET.COM on port 2200. It is
possible that a firewall is blocking this connection or the network settings on CensorNet are incorrect. Please
refer to this Knowledge Base article:
http://wiki.censornet.com/foswiki/bin/view/Main/UnableToEstablishAnOutboundConnectionToCsrvCensornetComOnPort2200
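Both this error and "The upstream proxy did not respond in time" above come down to the same two questions: does the name resolve quickly, and does a TCP connection to the resolved address succeed? The script below, an added example rather than CensorNet's own tooling, answers them separately so that a slow DNS server is not mistaken for a blocked firewall. Run it on the CensorNet console (the default target is csrv.censornet.com port 2200 from this section) or on another host that uses the same DNS servers and egress path; the "slow DNS" threshold and the status names are assumptions chosen for the example, not product settings.

```python
"""Separate the DNS step from the TCP step when an outbound connection
fails. Added example, not CensorNet code.

The resolver and connector are parameters so the classification logic
can be exercised offline with constructed results; by default the
system resolver and a real TCP connect are used.
"""
import socket
import time

CSRV_HOST, CSRV_PORT = "csrv.censornet.com", 2200


def time_dns(host, family=socket.AF_INET):
    """Return (seconds_taken, [addresses]); addresses is empty on failure."""
    start = time.monotonic()
    try:
        infos = socket.getaddrinfo(host, None, family, socket.SOCK_STREAM)
        addrs = sorted({info[4][0] for info in infos})
    except socket.gaierror:
        addrs = []
    return time.monotonic() - start, addrs


def try_connect(addr, port, timeout=5.0):
    """Return 'ok', 'refused', 'timeout' or 'unreachable' for addr:port."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "ok"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:  # a firewall that silently drops shows up here
        return "timeout"
    except OSError:
        return "unreachable"


def diagnose(host=CSRV_HOST, port=CSRV_PORT, timeout=5.0, slow_dns=2.0,
             resolver=time_dns, connector=try_connect):
    """Classify the failure. Returns (status, dns_seconds, per_address):
    'dns-failure'  the name does not resolve (check the servers set via setup)
    'blocked'      it resolves, but no address accepts the TCP connection
    'dns-slow'     the connection works but the lookup took over slow_dns s
    'ok'           resolved promptly and at least one address accepted"""
    seconds, addrs = resolver(host)
    if not addrs:
        return "dns-failure", seconds, {}
    results = {addr: connector(addr, port, timeout) for addr in addrs}
    if "ok" not in results.values():
        return "blocked", seconds, results
    if seconds > slow_dns:
        return "dns-slow", seconds, results
    return "ok", seconds, results


if __name__ == "__main__":
    status, seconds, results = diagnose()
    print(f"{CSRV_HOST}:{CSRV_PORT} -> {status} (DNS took {seconds:.2f}s)")
    for addr, result in results.items():
        print(f"  {addr}: {result}")
```

A "timeout" against every address is the signature of a firewall that drops rather than rejects the connection, while "refused" means the packet arrived and the port is closed; "dns-slow" with a working connection points at the DNS settings described under the upstream proxy error rather than at the firewall.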
TROUBLESHOOTING
ALLOW OR BLOCK INSTANT MESSAGING APPLICATIONS
It is possible to control any application that uses the HTTP protocol using CensorNet, for example Instant
Messenger applications.
Please see the following Knowledge Base article for information on blocking Instant Messaging applications:
http://wiki.censornet.com/foswiki/bin/view/Main/WebMailURL
WEB SITES SUCH AS YOUTUBE NO LONGER STREAM CORRECTLY
To correctly stream media content through the CensorNet proxy server, it is necessary to allow certain MIME
types and URLs related to the streaming media site. Please see this Knowledge Base article for more
information:
http://wiki.censornet.com/foswiki/bin/view/Main/ProblemWithStreamingMediaSitesSuchAsYouTube
WEB PAGES DO NOT LOAD CORRECTLY – MISSING STYLES AND IMAGES
Please see this Knowledge Base article:
http://wiki.censornet.com/foswiki/bin/view/Main/WebPagesDoNotLoadCorrectlyMissingImagesColoursAndStyles
PROBLEM AUTHENTICATING USERS USING APPLE OSX
Please see this Knowledge Base article:-
http://wiki.censornet.com/foswiki/bin/view/Main/UserAuthenticationOnAppleMac
INTERMITTENT ACCESS TO WEB SITES OR SLOW WEB SITES
Please see this Knowledge Base article:-
http://wiki.censornet.com/foswiki/bin/view/Main/IntermittentAccessToWebSitesOrSlowBrowsingForCertainSites
CITRIX NOTES
CensorNet is used by many organisations, of varying sizes, that have implemented Citrix or Terminal Services.
To identify users within a Citrix environment, you should configure Transparent Kerberos or Transparent NTLM
authentication.
In addition, to allow certain Citrix servers and applications to communicate through CensorNet, you should
add rules to the FILTER BYPASS module. Please see the following Knowledge Base articles for more
information:
http://wiki.censornet.com/foswiki/bin/view/Main/CitrixPortNumbers
http://wiki.censornet.com/foswiki/bin/view/Main/CitrixServerConnection
SUMMARY
This guide has taken you through the key elements of setting up and configuring CensorNet Professional for
the first time. You should now be in a position to use, test and familiarise yourself with the product and its
extensive features.
For further information please consult the product documentation under HELP -> HELP CONTENTS or review
the Knowledge Base.
TECHNICAL SUPPORT
Telephone +44 (0) 845 230 9592
E-mail [email protected]
Live Support Desk http://www.censornet.com/support/
Knowledge Base http://wiki.censornet.com