Getting Started Guide
CensorNet Professional

Copyright © CensorNet Limited, 2005-2010

© 2009 CensorNet Ltd

This document is designed to provide information about the first time configuration and testing of the CensorNet Professional web content filtering software. Every effort has been made to make this document as complete and accurate as possible, but no warranty or fitness is implied. CensorNet Ltd does not accept any liability for poorly designed or malfunctioning networks.

CensorNet-GettingStartedGuide-1.8


CONTENTS

Getting started
    Logging in to the web control panel
    Navigation and assistance
    Product activation
        Common problems
    Trial mode
    Downloading the URL database (CSRV)
        Common problems
Locale settings
    Time zone
        Common problems
    Language
    Parent proxy configuration
Web browser configuration
Securing the network
User authentication
    Transparent Kerberos
        Configuring Transparent Kerberos authentication
        Verify that Transparent Kerberos is working
        Common problems with Transparent Kerberos
    Transparent NTLM
        Configuring transparent NTLM authentication
        Verify that NTLM authentication is working
        Common problems with NTLM
    CensorNet Active Directory Agent
        Installing the CensorNet Active Directory Agent
        Configuring the CensorNet Active Directory Agent
        Verify that user identification is working with the Active Directory Agent
    Active Directory (Kerberos)
        Configuring Active Directory (Kerberos)
        Verify that Active Directory (Kerberos) authentication is working
        Common problems
    Windows NT or SAMBA server
        Configuring Windows NT or SAMBA server authentication
        Verify that Windows NT or SAMBA server authentication is working
    NetwareNDS (E-Directory)
    LDAP server authentication
    Internal authentication
        Managing user accounts
        Managing user passwords
    No user authentication
    Global user authentication settings
Active Directory integration
    Synchronising with Active Directory
        Installing the CensorNet Synchronisation Service
        Configuring the CensorNet Synchronisation Service
        Verify that the CensorNet Synchronisation Service is working
    Replicating the Active Directory structure
        Replicating by Organisational Unit (OU)
        Replicating by Primary Group
Computer identification
    Configuring the computer identification method
    MAC Address method
        Import computers automatically
        Import computers from CSV
        Common problems
    IP Address method
        Import computers automatically
    Hostname method
        Import computers automatically
SSL Intercept mode
    Enabling SSL Intercept mode
        Installing web browser SSL certificate
    Bypassing SSL intercept mode
        Completely bypass SSL web sites
    Disabling SSL intercept mode
Filtering policies
    Default policy
    The default policy explained
    Creating new policies
    Applying policies to groups of users or Computers
    Global filtering modules
Custom URL module
    Creating a Custom URL category
    Adding Custom URLs
        Custom URL Patterns
Administrators
Bypassing non-proxy-aware sites / applications
Common error messages
    The upstream proxy did not respond in time
    Unable to retrieve MAC address of the peer
    The authenticity of the web site could not be verified
    Content length exceeded
    Unable to establish an outbound connection to csrv.censornet.com 2200
Troubleshooting
    Allow or block instant messaging applications
    Web sites such as youtube no longer stream correctly
    Web pages do not load correctly – missing styles and images
    Problem authenticating users using Apple OSX
    Intermittent access to web sites or slow web Sites
Citrix notes
Summary
Technical support


GETTING STARTED

This document is designed to guide you through the steps needed to set up and configure CensorNet Professional for the first time. It is not meant to be an exhaustive reference to all the features and functionality available – this can be found within the product documentation under the HELP menu or in our online KNOWLEDGE BASE.

LOGGING IN TO THE WEB CONTROL PANEL

The CensorNet product is administered using a Web based graphical user interface, known as the “CONTROL PANEL”.

To access the Control Panel, you will need to use a Web browser on a machine that is on the same network as the CensorNet server.

Open the Web browser, and in the address bar type:

HTTP://IP.OF.CENSORNET/

Where “IP.OF.CENSORNET” is replaced with the IP address you configured for the CensorNet server, e.g.

http://192.168.1.1/

You will be presented with the CONTROL PANEL LOGIN SCREEN, as shown in the figure below.

The default credentials are:-

Username: admin
Password: password

N.B. Case sensitivity is important.


NAVIGATION AND ASSISTANCE

CensorNet has been designed to be easy to use and entirely manageable from a Web browser. Navigating to the various sections of the application is achieved via the drop down menu at the top of the browser window, as shown below:-

IF YOU NAVIGATE AWAY FROM A PAGE WITHOUT SAVING THE SETTINGS, THEN THE SETTINGS WILL BE LOST. AT THE BOTTOM OF EVERY PAGE THERE IS A “SET OPTIONS” BUTTON WHICH CAN BE USED TO SAVE CHANGES.

The product manual is integrated into the product and from each page you can click the help icon to be taken to the relevant page of the manual based on the current page you are viewing.

Tooltips are also available next to each option and provide a quick way to understand what should be entered in the required text box. Simply roll the mouse pointer over the field name to reveal the tooltip, as shown below:-

Additional help can also be found in the HELP menu where you can access the full product manual, visit the KNOWLEDGE BASE or access the LIVE SUPPORT DESK where you can speak to an operator in real time for assistance. See the Technical Support section for more details.


PRODUCT ACTIVATION

It is necessary to activate CensorNet with a valid license in order to start the proxy service and accept connections. You can activate the CensorNet software for 10 days by using the activation code that was issued to you when you downloaded the software. If you have lost the activation code, please contact Technical Support.

To activate the software:-

1. Enter the Activation Code which was issued to you when you downloaded the software.
2. Click “ACTIVATE FOR 10 DAYS”. Activation can take up to 30 seconds.

Once activated, you will see the green dialogue box below, indicating that the 10 day license has been installed successfully.

After a few seconds you will see the CensorNet proxy service attempting to start. As there is no local URL database installed, CensorNet will attempt to contact one of the online lookup servers.


If successful, the Filtering Proxy will change from orange to green and TRIAL MODE will be active. Please see the section on Trial Mode below.

COMMON PROBLEMS

• If the activation fails, it may be for a number of reasons:-

1. The CensorNet server does not have access to the Internet. Please double check DNS and gateway settings by using the “SETUP” program. Refer to the Installation Guide for network configuration.

2. You have already used the activation code on a different machine. Once the activation code has been used on a particular machine, you cannot use it again on a different piece of hardware. Contact Technical Support for a new activation code.

• Activation is successful but you receive the error “UNABLE TO ESTABLISH AN OUTBOUND CONNECTION TO CSRV.CENSORNET.COM ON PORT 2200”. Please see this Knowledge Base article.


TRIAL MODE

During the evaluation period CensorNet will operate in TRIAL MODE. This is a special mode that CensorNet uses when it does not have a locally installed copy of the URL database. When in TRIAL MODE, CensorNet will connect to the nearest online database server and use that instead. As a result, during TRIAL MODE web access may seem delayed by 1-3 seconds due to each web request being passed to one of the online servers.

It is possible to exit TRIAL MODE during your evaluation period by requesting to download the URL database using the link within the green dialogue box. You will be required to complete a short form with your contact details and then a username/password will be issued to you within 24hrs.

The database is 2.5GB and may take several hours to download depending on the speed of your Internet connection. If you require the database on DVD please contact Technical Support. At least 2GB of RAM is required (preferably 4GB for larger networks) in order for the database to run effectively.

DOWNLOADING THE URL DATABASE (CSRV)

Once you receive your username and password, you will need to configure CensorNet to download the database. To do this:-

1. Go to the FILTERS menu and select URL DATABASE UPDATES.
2. Set the Update Mode to DOWNLOAD ALL UPDATES.
3. Select the closest geographical download site from the Source list.
4. Enter the username and password provided to you.
5. Select an update time for daily updates to occur. It is recommended that these updates happen outside of office hours.
6. Click SET OPTIONS and then click UPDATE NOW.

You can verify that the download has started by refreshing the System Overview page. To do this, go to the SYSTEM menu and then select OVERVIEW and scroll down to the URL DATABASE UPDATE SUBSCRIPTION panel, as shown below.

Whilst the database is downloading please do not switch off or reboot the CensorNet server. The update status will change to DATABASE UPDATE COMPLETE when successful.

COMMON PROBLEMS

• The message “Update failed” appears instead of the download status.

1. Check that the CensorNet server has Internet access – ensure DNS and gateway settings are correct. Try pinging csrv.censornet.com and if it doesn’t reply, look again at the network configuration.
2. Double check the username and password entered and click UPDATE NOW again.
3. Do you have to use a parent / upstream proxy server for web access? If so, you must configure this under System -> Configuration -> Parent Proxy settings before attempting to download the database. Once configured, attempt the download again.
4. If the problem persists, try a different update Source.
5. Contact Technical Support for assistance.

• The message “Download in progress” is displayed but there is no % complete. This usually happens when a parent proxy is being used because CensorNet is unable to generate a progress counter. It is working; it just cannot tell you how much has been downloaded.


LOCALE SETTINGS

It is important to configure the locale settings for your CensorNet server. These may have been set during installation; however, you should verify that they are correct and make any changes that you need to now.

TIME ZONE

Time is very important to CensorNet. Everything relies on accurate time, so you should verify that the date, time and time zone are correct. To do this, go to SYSTEM -> CONFIGURATION -> TIME ZONE.

• Current Timezone – this is the time zone that CensorNet is currently using and is based on the time zone selected during installation. If this is incorrect, select the correct time zone from the drop down list and press Set Options.

• Current Server Local Time – this is the current time and date based on the clock in the CensorNet server. It is important to check that the date and time are correct and that they stay correct. If you need to change the time, alter it here and press Set Date & Time and then monitor it to ensure the clock stays correct.

COMMON PROBLEMS

The clock keeps drifting on a virtual machine – this is common especially on Virtual Machines which do not have the required tools installed to synchronise the virtual clock with the host machine. Please see this Knowledge Base article: http://wiki.censornet.com/foswiki/bin/view/Main/VMWareClockDrift

The clock drifts on a physical server – on some hardware, there is a problem with Linux communicating with the real time clock. Please see this Knowledge Base article: http://wiki.censornet.com/foswiki/bin/view/Main/RepeatFail


LANGUAGE

CensorNet supports viewing the Web control panel in different languages. The language can be chosen when you log in to the control panel or a default language can be set for all users. To select the default language, go to SYSTEM -> CONFIGURATION -> LANGUAGE.

Click SET OPTIONS to set the default language. You will need to log out and log back in for the changes to take effect.

PARENT PROXY CONFIGURATION

If there is an existing proxy server on the network or a proxy server upstream at your ISP, and you are forced to use it, then you should configure the proxy server on CensorNet.

To do this, go to SYSTEM -> CONFIGURATION -> PARENT PROXY SETTINGS.


WEB BROWSER CONFIGURATION

NOTE: IF YOU HAVE CONFIGURED CENSORNET IN “INLINE” MODE IT IS NOT NECESSARY TO CONFIGURE YOUR WEB BROWSER PROXY SETTINGS. PLEASE IGNORE THIS SECTION.

In order to use the CensorNet proxy server you need to configure your web browser to use CensorNet. This is a straightforward step which you can do individually on each browser or automatically using Active Directory Group Policy or Web Proxy Auto Discovery (WPAD).

For the purposes of this guide, the following steps can be followed to configure Internet Explorer to use CensorNet:

• Start Internet Explorer
• Select the TOOLS menu and then INTERNET OPTIONS
• Click the CONNECTIONS tab and then LAN SETTINGS
• Tick the box to USE A PROXY SERVER and enter the CensorNet IP address into the ADDRESS field.
• Enter port 8080 into the PORT field.
• Tick the box to BYPASS PROXY SERVER FOR LOCAL ADDRESSES
• Click the ADVANCED button
• Enter the IP of CensorNet into the EXCEPTIONS box.
• Click OK, OK and OK on each dialogue box to return to the browser window.
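An added example, not part of the CensorNet guide: a proxy auto-config (PAC) file, the kind of file WPAD distributes, that reproduces the manual Internet Explorer settings above (port 8080, bypass for local addresses, an exception for the CensorNet server). The server IP `192.168.1.1` and FQDN `censornet.ad2008r2.local` are the guide's own example values standing in for yours; the proxy is named by FQDN because the Transparent Kerberos section of this guide requires that in the browser proxy setting.

```javascript
// Added example PAC (proxy auto-config) file; not from the CensorNet guide.
// The three values below are the guide's example values and are assumptions
// about your network: replace them with your own server details.
var PROXY_FQDN = "censornet.ad2008r2.local";
var PROXY_IP = "192.168.1.1";
var PROXY_PORT = 8080;

// Lower-case the host and drop a trailing dot so comparisons are exact.
function normaliseHost(host) {
  var h = String(host).toLowerCase();
  return h.charAt(h.length - 1) === "." ? h.slice(0, -1) : h;
}

// Single-label names ("intranet") are what BYPASS PROXY SERVER FOR LOCAL
// ADDRESSES covers. IPv6 literals also contain no dot, so names containing
// a colon are excluded to keep them from skipping the filter.
function isLocalName(host) {
  return host.indexOf(".") === -1 && host.indexOf(":") === -1;
}

// Loopback traffic never needs to reach the proxy.
function isLoopback(host) {
  return host === "::1" || host === "[::1]" ||
         /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  var h = normaliseHost(host);

  if (isLocalName(h) || isLoopback(h)) {
    return "DIRECT";
  }

  // The CensorNet server itself: the equivalent of the EXCEPTIONS box entry,
  // so the control panel is reached without looping through the proxy.
  if (h === PROXY_IP || h === PROXY_FQDN) {
    return "DIRECT";
  }

  // Deliberately no "; DIRECT" fallback: if the proxy is unreachable the
  // request fails instead of going out unfiltered.
  return "PROXY " + PROXY_FQDN + ":" + PROXY_PORT;
}
```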


SECURING THE NETWORK

Please review this Knowledge Base article on securing the network so that users cannot bypass the proxy:-

http://wiki.censornet.com/foswiki/bin/view/Main/EnforceProxyUse


USER AUTHENTICATION

CensorNet can identify users browsing the web, apply different policies to them and include the usernames in reports. To achieve this, you must configure a method of user authentication for CensorNet to use. The following methods are supported:-

• Transparent Kerberos – for networks with Windows Server 2003 and above with clients running Internet Explorer 7 or above. Transparent Kerberos is a single sign-on authentication method compatible with the latest Windows Server and Windows desktop operating systems (Vista, Windows 7). Compatible with Citrix or Terminal Services environments and SIDEWAYS mode where you do not want users to be prompted to login when they open a Web browser.

• Transparent NTLM (pre Windows Server 2003) – CensorNet creates a trust relationship with the Active Domain controller and transparently authenticates users using the NTLM protocol. This is particularly useful in Citrix or Terminal Services networks and in SIDEWAYS mode where you do not want users to be prompted to login when they open a Web browser. NTLM is only supported by Internet Explorer and Firefox web browsers. This authentication method is not available when operating in Inline mode.

• CensorNet Active Directory Agent – The Agent is a small piece of software that is installed on your Active Directory domain controller(s) that provides user identification between CensorNet and the Active Directory agent. The agent runs as a system service and must be installed on all domain controllers for the domain. The agent is ideal for providing user identification when in INLINE mode, however is not suitable for Citrix or Terminal Services networks. For Citrix or Terminal Services please use Transparent NTLM. For further information about the agent please visit http://www.censornet.com/adagent/

• Windows NT or Samba – for use with Windows NT or Samba (Linux or Apple). CensorNet will prompt for a username/password to be entered when the web browser is opened. This authentication method is not available when operating in INLINE mode.

• Netware NDS (eDirectory) – for use with Novell NDS or eDirectory. CensorNet will prompt for a username/password to be entered when the web browser is opened. This authentication method is not available when operating in INLINE mode.

• LDAP – for use with OpenLDAP and similar directories. CensorNet will prompt for a username/password to be entered when the web browser is opened. This authentication method is not available when operating in INLINE mode.

• Internal Authentication – allows you to create a list of usernames and passwords on the CensorNet server which are used to login with when a web browser is opened. Useful if you require user identification but do not have a domain controller. This authentication method is not available when operating in INLINE mode.

• No User Authentication – Do not require users to authenticate to access the Web.


TRANSPARENT KERBEROS

Transparent Kerberos is a single sign-on authentication method compatible with Windows Server 2003 and above. This method supersedes NTLM Authentication and is compatible with the latest Windows desktop operating systems such as Vista and Windows 7. Transparent Kerberos allows users to authenticate with CensorNet without prompting to re-enter network login credentials.

In order to use Transparent Kerberos authentication your network needs to meet the following requirements:

• Windows Server 2003 or above
• Internet Explorer 7 or above, Firefox 2 or above or Safari on Mac OSX 10.4 or above on all client machines.

CONFIGURING TRANSPARENT KERBEROS AUTHENTICATION

IMPORTANT: If you have previously configured CensorNet Professional with NTLM Authentication, it is important that you remove the CensorNet machine account in Active Directory on all domain controllers before attempting to configure Transparent Kerberos. You can do this from the Windows Server by running the Active Directory Users & Computers manager and then deleting the CensorNet machine account from the Computers folder. The machine account name will be the same as the CensorNet server’s hostname. To find this, login as root and type “hostname” to display the hostname.

To configure Transparent Kerberos, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Transparent Kerberos radio button.

You will need the following information:

• Server IP Address – This is the IP address of your Active Directory server or Primary Domain Controller if there is more than one domain controller on the network.

• Server Hostname – This is the hostname of your Active Directory server or Primary Domain Controller. This is just the name of the server, not the fully qualified domain name.

• AD Domain – This is the fully qualified Active Directory domain name without the hostname or computer name at the beginning.

• Domain Admin Username – This is the username of a user account on the Active Directory server with administrator privileges (member of DOMAIN\ADMINS).

• Domain Admin Password – This is the password of the admin username specified in “Domain Admin Username”. The password cannot contain any special characters (e.g. % & $, etc). If your password does contain special characters and you do not wish to change it, create a new user account for CensorNet (e.g. username: censornet) and set its password to something in standard characters. AFTER CREATING THE NEW USER ACCOUNT, RESET ITS PASSWORD AGAIN TO WORK AROUND A KNOWN ISSUE WITH LINUX AND ACTIVE DIRECTORY. The new account is only required to establish the trust relationship and can be removed afterwards if necessary.

Click SET OPTIONS to enable Transparent Kerberos authentication.

After a few seconds, you should receive a SUCCESS message if CensorNet was able to establish a trust relationship with the Active Directory server (see below).

UPDATE WEB BROWSER PROXY SETTINGS

Transparent Kerberos requires that the proxy server address is specified with its fully qualified domain name (FQDN) rather than its IP address in the web browser proxy settings. You can find the FQDN by logging into the CensorNet server as ‘root’ and typing ‘hostname -f’. You should see output similar to this:

In the above example “censornet.ad2008r2.local” is the FQDN and this should be configured in your browser proxy server settings – see Web Browser Configuration. On a network, this can be updated using a group policy object if you use Internet Explorer.

Please ensure that the FQDN can be resolved to the IP address of the CensorNet server. You can verify this by typing “NSLOOKUP CENSORNET.AD2008R2.LOCAL” on a client desktop machine. If it fails to resolve to the CensorNet server IP address, you will need to create a forward facing DNS record (A) on your internal DNS server (usually the primary domain controller).

VERIFY THAT TRANSPARENT KERBEROS IS WORKING

IMPORTANT

After configuring Transparent Kerberos authentication it is important that the network user logs out and logs back into the domain. This will create a new authentication token for the user. This procedure is only required once.

You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user account from the Active Directory (the “test user”) and open a Web browser that is configured to use CensorNet as a proxy server (see the section on Web Browser Configuration and, if using Internet Explorer, ensure that it is using the FQDN described in the note above).

Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser should not prompt the test user to login – if this happens please see Common Problems below.

If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user by going to REPORTS -> WHO’S BROWSING within the CensorNet web control panel. This will list the currently active Internet users – and the test user should appear here – as shown in the example below.

Click on the test user, in this case “foo”, to drill down into the recent web site visits. Here you should see the test sites that you accessed using the web browser, e.g. www.google.co.uk.

If this is correct, then you should move on to Active Directory Integration for details on how to replicate your Active Directory structure within CensorNet.

If you do not see any user names in the WHO’S BROWSING report then please read the section Common Problems below.

COMMON PROBLEMS WITH TRANSPARENT KERBEROS

If the trust relationship fails you will receive a FAILURE message (see below). This can happen for a number of reasons.

o The most common cause of this problem (especially when using a Virtual Appliance) is that the clock on the CensorNet server is not in synch with the clock on the Active Directory server. The two clocks must be within 5 MINUTES of each other, otherwise the Kerberos handshake will fail. The time zone should also match on both servers. For information on how to set the clock correctly please see: http://wiki.censornet.com/foswiki/bin/natsearch/Main/KnowledgeBase?limit=100&search=clock+drift

o If you have previously configured NTLM on this CensorNet server, you should remove the “censornet” machine account from all the domain controllers on the network.

o The administrator password contains special characters, e.g. å, $, _, \%, ^, £, etc. Please change the administrator password or create a new user account with administrator privileges that does not use these characters.

o If you have created a new administrator account for CensorNet, please ensure you reset its password TWICE to work around a known issue with Linux and Active Directory.

o Please ensure that the hostname on CensorNet does not use a reserved word, such as “internet”. We recommend the CensorNet hostname stays as “cnadmin” to avoid any conflicts.

o Ensure that the hostname of your CensorNet server is not the same as your Windows domain name.

The BROWSER HANGS whenever you try and configure Transparent Kerberos authentication.

o This can happen if there is a user or machine account with the same name as the CensorNet server in Active Directory. Please delete or rename this account and try again.

The trust relationship is SUCCESSFUL but users are prompted to login

o Ensure that you have specified the fully qualified domain name (FQDN) in Internet Explorer’s proxy server settings (see the Important Note under Verify Transparent Kerberos is working)

o Ensure that the FQDN can be resolved from client machines. Type: nslookup <FQDN> in a Command Prompt and ensure it resolves to the CensorNet IP address. If it does not, you will need to add a forward facing A record to your internal DNS server (usually the primary domain controller).

o Ensure the user logs out of the domain and logs back in again the first time Transparent Kerberos is configured.

The web browser hangs whilst trying to set up the trust relationship. This can happen if there is a user account with the same name as the machine account that is created by the trust relationship. Look for the name of the CensorNet machine record and then delete any user accounts with the same name, then retry creating the trust relationship.
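The checks in the Common Problems list above can be run together before clicking SET OPTIONS. The script below is an added example, not CensorNet code: the configuration key names, the address 192.0.2.10, the sample password and timestamps are constructed, and reading “standard characters” as ASCII letters and digits is an assumption.

```python
import ipaddress
import socket
import string
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)        # limit stated in the guide
RESERVED_HOSTNAMES = {"internet"}      # the one reserved word the guide names
# Assumption: "standard characters" = ASCII letters and digits; the guide
# counts even "_" as special.
STANDARD_CHARS = set(string.ascii_letters + string.digits)


def dns_resolve(name):
    """Live lookup, equivalent to the guide's nslookup step."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def preflight(cfg, resolve=dns_resolve):
    """Return [(code, detail), ...] for every problem found in cfg."""
    problems = []

    skew = abs(cfg["censornet_time"] - cfg["dc_time"])
    if skew > MAX_SKEW:
        problems.append(("CLOCK_SKEW", "clocks differ by %d s" % skew.total_seconds()))
    if cfg["censornet_time"].utcoffset() != cfg["dc_time"].utcoffset():
        problems.append(("TIMEZONE", "time zones do not match"))

    host, domain = cfg["hostname"].lower(), cfg["ad_domain"].lower()
    if host in RESERVED_HOSTNAMES:
        problems.append(("RESERVED_HOSTNAME", host))
    # Assumption: compare against the full AD domain and its first label.
    if host in (domain, domain.split(".")[0]):
        problems.append(("HOSTNAME_EQUALS_DOMAIN", host))

    if set(cfg["admin_password"]) - STANDARD_CHARS:
        # Report the fact only; never echo password characters into output.
        problems.append(("PASSWORD_CHARS", "password has special characters"))

    proxy = cfg["proxy_setting"]
    if is_ip_literal(proxy):
        problems.append(("PROXY_IS_IP", "browser proxy must be the FQDN"))
    elif proxy.lower() != cfg["fqdn"].lower():
        problems.append(("PROXY_NOT_FQDN", "proxy differs from `hostname -f`"))

    if cfg["server_ip"] not in resolve(cfg["fqdn"]):
        problems.append(("DNS_A_RECORD", "FQDN does not resolve to CensorNet"))
    return problems


NOW = datetime(2010, 3, 1, 9, 0, 0, tzinfo=timezone.utc)   # constructed

GOOD = {
    "hostname": "censornet",                   # output of `hostname`
    "fqdn": "censornet.ad2008r2.local",        # FQDN from the guide's example
    "server_ip": "192.0.2.10",                 # constructed (TEST-NET-1)
    "ad_domain": "ad2008r2.local",
    "proxy_setting": "censornet.ad2008r2.local",
    "admin_password": "Example2010Pass",       # constructed
    "censornet_time": NOW,
    "dc_time": NOW + timedelta(seconds=42),
}
BAD = dict(GOOD, hostname="internet", proxy_setting="192.0.2.10",
           admin_password="p%ss$word", dc_time=NOW + timedelta(minutes=7))


def fake_resolve(name):
    """Offline stand-in for DNS so the sample runs without a network."""
    return {"censornet.ad2008r2.local": ["192.0.2.10"]}.get(name, [])


if __name__ == "__main__":
    for code, detail in preflight(BAD, fake_resolve):
        print(code, "-", detail)
```

Call preflight(cfg) without the second argument to use a live DNS lookup from the machine the script runs on.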

TRANSPARENT NTLM

NTLM (NT LAN Manager) is a Microsoft authentication protocol that is supported by Internet Explorer and Mozilla Firefox as a means to transparently authenticate client browsers with a server side proxy. NTLM uses the Windows logon network credentials and encodes them within each HTTP request in a 4-way handshake with the proxy server. This provides a transparent way of identifying users without requiring them to login every time a browser window is opened.

CONFIGURING TRANSPARENT NTLM AUTHENTICATION

To configure Transparent NTLM, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Transparent NTLM radio button.

You will need the following information:

Server IP Address – This is the IP address of your Active Directory server or Primary Domain Controller if there is more than one domain controller on the network.

Server Hostname – This is the hostname of your Active Directory server or Primary Domain Controller. This is just the name of the server, not the fully qualified domain name.

AD Domain – This is the fully qualified Active Directory domain name without the hostname or computer name at the beginning.

NetBIOS Domain – The short domain name, often called the Pre-Windows 2000 or “workgroup style” name. This is usually the first part of the Active Directory domain name (before the first dot), written in upper case.

Domain Admin Username – This is the username of a user account on the Active Directory server with administrator privileges (member of DOMAIN\ADMINS).

Domain Admin Password – This is the password of the admin username specified in “Domain Admin Username”. The password cannot contain any special characters (e.g. %, &, $, etc). If your password does contain special characters and you do not wish to change it, create a new user account for CensorNet (e.g. username: censornet) and set its password to something in standard characters. AFTER CREATING THE NEW USER ACCOUNT, RESET ITS PASSWORD AGAIN TO WORK AROUND A KNOWN ISSUE WITH LINUX AND ACTIVE DIRECTORY. The new account is only required to establish the trust relationship and can be removed afterwards if necessary.

Click SET OPTIONS to enable Transparent NTLM authentication.

After a few seconds, you should receive a SUCCESS message if CensorNet was able to establish a trust relationship with the Active Directory server (see below).

VERIFY THAT NTLM AUTHENTICATION IS WORKING

You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user account from the Active Directory (the “test user”) and open a Web browser that is configured to use CensorNet as a proxy server (see section on Web Browser Configuration).

Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser should not prompt the test user to login – if this happens please see Common Problems below.

If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user by going to REPORTS -> WHO’S BROWSING within the CensorNet web control panel. This will list the currently active Internet users – and the test user should appear here – as shown in the example below.

Click on the test user, in this case “foo”, to drill down into the recent web site visits. Here you should see the test sites that you accessed using the web browser, e.g. www.google.co.uk.

If this is correct, then you should move on to Active Directory Integration for details on how to replicate your Active Directory structure within CensorNet.

If you do not see any user names in the WHO’S BROWSING report then please read the section Common Problems below.

COMMON PROBLEMS WITH NTLM

If the trust relationship fails you will receive a FAILURE message (see below). This can happen for a number of reasons.

o The most common cause of this problem (especially when using a Virtual Appliance) is that the clock on the CensorNet server is not in synch with the clock on the Active Directory server. The two clocks must be within 5 MINUTES of each other, otherwise the Kerberos handshake will fail. The time zone should also match on both servers. For information on how to set the clock correctly please see: http://wiki.censornet.com/foswiki/bin/natsearch/Main/KnowledgeBase?limit=100&search=clock+drift

o The administrator password contains special characters, e.g. å, $, _, \%, ^, £, etc. Please change the administrator password or create a new user account with administrator privileges that does not use these characters.

o If you have created a new administrator account for CensorNet, please ensure you reset its password TWICE to work around a known issue with Linux and Active Directory.

o Please ensure that the hostname on CensorNet does not use a reserved word, such as “internet”. We recommend the CensorNet hostname stays as “censornet” to avoid any conflicts.

o Ensure that the hostname of your CensorNet server is not the same as your Windows domain name.

If the web browser prompts you to login even though the trust was successful, it is usually due to the following:

o The clock has drifted more than 5 minutes apart from the Active Directory clock. Please see the Common Problems section above for more detail.

o The web browser is using NTLMv2 rather than NTLMv1. This is the default on Windows Vista and Windows 7 computers. You can roll back the version of NTLM using a group policy registry edit. For further information please see: http://wiki.censornet.com/foswiki/bin/natsearch/Main/KnowledgeBase?limit=100&search=ntlm+problem
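The steps of the proxy handshake described under TRANSPARENT NTLM, and the NTLMv1/NTLMv2 distinction in the last item above, can be read from the Proxy-Authenticate and Proxy-Authorization header values in a capture. The parser below is an added example, not CensorNet code; the header values are constructed with zero-filled responses, and the workstation name WS01 and domain AD2008R2 are made up for the sample.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NEGOTIATE_UNICODE = 0x00000001


def _field(msg, pos):
    """Return the bytes of the (len, maxlen, offset) security buffer at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def parse_ntlm_header(value):
    """Classify one Proxy-Authenticate / Proxy-Authorization header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return {"scheme": scheme, "type": None}      # some other scheme
    if not token.strip():
        return {"scheme": "NTLM", "type": "OFFER"}   # bare "NTLM" in the first 407
    msg = base64.b64decode(token.strip(), validate=True)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"scheme": "NTLM", "type": NAMES.get(mtype, "UNKNOWN")}
    if mtype == 3:
        if len(msg) < 64:
            raise ValueError("truncated AUTHENTICATE message")
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        nt_len = len(_field(msg, 20))                # NtChallengeResponse
        info["domain"] = _field(msg, 28).decode(enc, "replace")
        info["user"] = _field(msg, 36).decode(enc, "replace")
        info["nt_response_len"] = nt_len
        # A 24-byte NT response is the NTLMv1 family (including NTLMv1 with
        # extended session security); NTLMv2 responses are always longer.
        info["version"] = ("NTLMv2" if nt_len > 24 else
                           "NTLMv1" if nt_len == 24 else "none")
    return info


def build_type3(user, domain, nt_len):
    """Constructed Type 3 message with zero-filled responses (sample data only)."""
    parts = [b"\x00" * 24, b"\x00" * nt_len, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), "WS01".encode("utf-16-le"), b""]
    fields, payload, offset = b"", b"", 64
    for part in parts:   # LM, NT, domain, user, workstation, session key
        fields += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    msg = (SIGNATURE + struct.pack("<I", 3) + fields +
           struct.pack("<I", NEGOTIATE_UNICODE) + payload)
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def _minimal(mtype, body_len):
    """Constructed Type 1 / Type 2 message: signature, type, zero padding."""
    raw = SIGNATURE + struct.pack("<I", mtype) + b"\x00" * body_len
    return "NTLM " + base64.b64encode(raw).decode("ascii")


# Constructed exchange: (sender, header value) in the order seen on the wire.
EXCHANGE = [
    ("proxy", "NTLM"),                                 # 407, proxy offers NTLM
    ("client", _minimal(1, 4)),                        # request with Type 1
    ("proxy", _minimal(2, 36)),                        # 407 carrying Type 2
    ("client", build_type3("foo", "AD2008R2", 60)),    # request with Type 3
]


def summarize(exchange):
    """Label each header of an exchange with its handshake step."""
    return [(sender, parse_ntlm_header(value)["type"]) for sender, value in exchange]


if __name__ == "__main__":
    for sender, step in summarize(EXCHANGE):
        print(sender, step)
    print(parse_ntlm_header(EXCHANGE[-1][1]))
```

The "version" field of the Type 3 result shows which NTLM version a given client is actually sending.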

CENSORNET ACTIVE DIRECTORY AGENT

The CensorNet Active Directory Agent is a system service that sends network login credentials to CensorNet for the purposes of identifying users and computers. The software should be installed on Windows 2000, 2003 or 2008 domain controller(s) and will run as a system service with administrator rights. Currently the software supports a single domain.

The CensorNet Active Directory agent can provide user identification when CensorNet is running in Inline mode and it can also provide a faster alternative to NTLM.

NOTE: THE SERVICE IS NOT DESIGNED TO WORK IN CITRIX / TERMINAL SERVICES ENVIRONMENTS. IN THIS CASE, PLEASE CONFIGURE TRANSPARENT KERBEROS OR TRANSPARENT NTLM AS THE USER AUTHENTICATION OPTION WITHIN CENSORNET.

INSTALLING THE CENSORNET ACTIVE DIRECTORY AGENT

Please visit http://www.censornet.com/adagent/ for download and installation instructions.

Please make a note of the secret key that you set during installation.

CONFIGURING THE CENSORNET ACTIVE DIRECTORY AGENT

After installing the Active Directory agent on each of your Windows Domain Controllers you will need to configure the “secret” within the CensorNet server.

To do this, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and enter the secret key as shown below. The secret keys must match exactly on both the Agent and the CensorNet server for the authentication to work.

Press SET OPTIONS to enable the use of the CensorNet Active Directory Agent.

VERIFY THAT USER IDENTIFICATION IS WORKING WITH THE ACTIVE DIRECTORY AGENT

On the domain controllers, use the Start menu to find and open the CENSORNET AUTHENTICATION SERVICE MONITOR. The status should show as RUNNING, as shown below:

NOTE: THE CENSORNET ACTIVE DIRECTORY AGENT ACTS AS THE PRIMARY AUTHENTICATION METHOD FOR CENSORNET. YOU CAN ALSO CONFIGURE A SECONDARY AUTHENTICATION METHOD USING ANY OF THE OTHER SUPPORTED METHODS (E.G. NTLM, LDAP, ETC). IF THE AGENT FAILS FOR ANY REASON, CENSORNET WILL FALL BACK TO THE SECONDARY METHOD OF AUTHENTICATION. PLEASE SEE THE SECTION CONFIGURING USER AUTHENTICATION FOR THE AVAILABLE SECONDARY METHODS.

ACTIVE DIRECTORY (KERBEROS)

CensorNet supports standard Kerberos authentication with Active Directory. This is useful if you require users from Active Directory to log in with a username and password when they open a web browser.

CONFIGURING ACTIVE DIRECTORY (KERBEROS)

To configure Active Directory authentication using Kerberos, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Active Directory (Kerberos) radio button.

You will need the following information:

Server IP Address – This is the IP address of the primary Active Directory server on the network.

Server Hostname – This is the computer name of the primary Active Directory server. This is just the computer name and not the fully qualified domain name.

AD Domain – The full Active Directory domain name without the computer name or hostname included at the start.

Press SET OPTIONS to enable the use of Active Directory (Kerberos) authentication.

VERIFY THAT ACTIVE DIRECTORY (KERBEROS) AUTHENTICATION IS WORKING

You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user account from the Active Directory (the “test user”) and open a Web browser that is configured to use CensorNet as a proxy server (see section Web Browser Configuration).

Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser should prompt the test user to login – see below – and after you enter a valid username and password access to the Web page should be granted.

If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user by going to REPORTS -> WHO’S BROWSING within the CensorNet web control panel. This will list the currently active Internet users – and the test user should appear here – as shown in the example below.

Click on the test user, in this case “FOO”, to drill down into the recent web site visits. Here you should see the test sites that you accessed using the web browser, e.g. www.google.co.uk.

COMMON PROBLEMS

After entering the username and password three times you receive a LOGIN FAILED message:

The most common cause of this problem (especially when using a Virtual Appliance) is that the clock on the CensorNet server is not in synch with the clock on the Active Directory server. The two clocks must be within 5 minutes of each other, otherwise the Kerberos handshake will fail. The time zone should also match on both servers. For information on how to set the clock correctly please see: http://wiki.censornet.com/foswiki/bin/natsearch/Main/KnowledgeBase?limit=100&search=clock+drift

The user account on the Active Directory server has been set to “Change password on next logon”. This will cause CensorNet to fail the authentication until the password has been reset.

The username or password provided is actually incorrect.

WINDOWS NT OR SAMBA SERVER

CensorNet supports authentication with Windows NT or Samba servers using the SMB protocol. This should be used in legacy environments where Active Directory is not yet available or Samba does not support NTLM (some Linux and Apple networks).

CONFIGURING WINDOWS NT OR SAMBA SERVER AUTHENTICATION

To configure Windows NT or Samba Authentication, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Windows NT or Samba Server radio button.

You will need the following information:

PDC Address – This is the IP address of the Primary Domain Controller.

BDC Address – This is the IP of the Backup Domain Controller (optional)

Domain Name – This is the Windows Domain on your network.

Click SET OPTIONS to enable Windows NT or Samba authentication.

VERIFY THAT WINDOWS NT OR SAMBA SERVER AUTHENTICATION IS WORKING

You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user account from the domain (the “test user”) and open a Web browser that is configured to use CensorNet as a proxy server (see section Web Browser Configuration).

Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser should prompt the test user to login – see below – and after you enter a valid username and password access to the Web page should be granted.

If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user by going to REPORTS -> WHO’S BROWSING within the CensorNet web control panel. This will list the currently active Internet users – and the test user should appear here – as shown in the example below.

Click on the test user, in this case “FOO”, to drill down into the recent web site visits. Here you should see the test sites that you accessed using the web browser, e.g. www.google.co.uk.

NETWARE NDS (E-DIRECTORY)

CensorNet supports NDS authentication against a Novell Netware directory server, such as Netware 6.5.

To configure Netware NDS authentication, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Netware NDS (e-Directory) radio button.

You will need the following information:

Server IP address – the IP address of the main Netware server used to authenticate users on your network.

Click SET OPTIONS to enable Netware NDS authentication.

LDAP SERVER AUTHENTICATION

The LDAP Server Authentication method enables the use of a vanilla (non-Active Directory) LDAP server, such as OpenLDAP, as a source for user authentication.

To configure LDAP Server Authentication, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the LDAP Server Authentication radio button.

You will need the following information:

Server IP address - The address of the server running the LDAP service.

Server Port number - The port that the LDAP server is listening on. The default is port 389

Base DN - This is the “root” of the directory tree. For example “dc=ldap, dc=example, dc=com”. You should enter the correct values for your LDAP server. Queries from the CensorNet server to your LDAP server will start from here.

Bind DN - This is an entity authorised to query the LDAP tree. All queries from CensorNet to the LDAP server will use this entity. NOTE: Ensure the Bind DN entity has suitable rights on the LDAP server.

Bind DN Password - The password associated with the Bind DN entity.

Login Attribute - This attribute within the LDAP tree specifies the username. Most Unix installations use the uid attribute, though it is possible to configure an alternate one. Consequently, CensorNet permits a choice of which attribute is to be used to define the users. NOTE: This attribute must be correct in order for CensorNet to retrieve users from the tree.

Object Class Filter - In most installations, this field can safely be left blank. It is provided for those users who have a more complex LDAP configuration.
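The sketch below shows how the fields above typically combine into a single user lookup: a subtree search from the Base DN, filtered on the Login Attribute and, if set, the object class. It is an added example, not CensorNet code; the setting key names, server address and Bind DN are constructed, and treating the Object Class Filter as a single class name is an assumption.

```python
import re

# RFC 4512 short names: a letter followed by letters, digits or hyphens.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
# RFC 4515 escapes for characters that have meaning inside a search filter.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a username so it is matched literally by the LDAP server."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def check_settings(cfg):
    """Return a list of problems with the values entered on the form."""
    problems = []
    if not 1 <= cfg.get("port", 389) <= 65535:
        problems.append("port out of range")
    for key in ("base_dn", "bind_dn", "bind_password"):
        if not cfg.get(key):
            problems.append("%s is empty" % key)
    if not NAME_RE.match(cfg.get("login_attribute") or ""):
        problems.append("login_attribute is not a valid attribute name")
    object_class = cfg.get("object_class") or ""
    if object_class and not NAME_RE.match(object_class):
        problems.append("object_class is not a valid class name")
    return problems


def build_user_search(cfg, username):
    """Describe the search a client would send to find one user."""
    problems = check_settings(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    attr = cfg["login_attribute"]
    flt = "(%s=%s)" % (attr, escape_filter_value(username))
    if cfg.get("object_class"):
        flt = "(&(objectClass=%s)%s)" % (cfg["object_class"], flt)
    return {"base": cfg["base_dn"], "scope": "subtree",
            "filter": flt, "attributes": [attr]}


# Constructed settings; the Base DN follows the guide's example.
SETTINGS = {
    "server": "192.0.2.20",
    "port": 389,
    "base_dn": "dc=ldap,dc=example,dc=com",
    "bind_dn": "cn=censornet,dc=ldap,dc=example,dc=com",
    "bind_password": "constructed-placeholder",
    "login_attribute": "uid",
    "object_class": "",
}

if __name__ == "__main__":
    print(build_user_search(SETTINGS, "foo"))
    print(build_user_search(dict(SETTINGS, object_class="inetOrgPerson"), "foo*"))
```

A wrong Login Attribute produces a filter that matches no entries, which is why the note above says users cannot be retrieved unless it is correct.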

INTERNAL AUTHENTICATION

Internal Authentication allows CensorNet to store a list of usernames and passwords to authenticate users when they attempt to browse the web. This is useful for environments where there is no central domain controller or other suitable user authentication source.

When in Internal Authentication mode, CensorNet also provides a portal for users themselves to manage their own passwords.

To configure Internal Authentication, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Internal Authentication radio button.

Click SET OPTIONS to enable Internal Authentication.

With Internal Authentication enabled, users will be prompted to login when they open a web browser, as shown in the following screenshot.

MANAGING USER ACCOUNTS

You must create user accounts on the CensorNet server for each of the users that require access to the Internet.

To create a new user account, go to OBJECTS -> USERS -> NEW USER.

You will be prompted for the following information:

Username – this is a unique username for the account.

Group – this is the group that the new user account will belong to. If there are no groups defined, you will be asked to create one.

Password – this is the password for the new account.

Confirm Password – this is the password for the new account.

Click ADD USER to create the new user account. You should then test that you can access the Web by entering the new username and password when prompted.

To change the password or delete the user, go to OBJECTS -> USERS -> MANAGE USERS and find the username in the list of accounts, e.g.

To delete the account, click the tick box and click COMMIT CHANGES.

To move the account, select the new group from the groups drop down list and then click COMMIT CHANGES.

To change the password, click the CHANGE PASSWORD button and enter a new password.

MANAGING USER PASSWORDS

CensorNet includes a self-service password management page, which makes managing passwords easier. To access the password page, point a web browser at:

HTTP://X.X.X.X/CENSORNET/PASSWORD.PHP

Where X.X.X.X is the IP address or hostname of the CensorNet server.

The password page will be displayed:

This page can be used by a user to reset their own password without needing to contact the network administrator. Furthermore, only users who have an existing account and know their own password can use this page.

NO USER AUTHENTICATION

It is possible to configure CensorNet without any user authentication or identification at all. In this mode, filtering policies will be applied based on the computer information. The reports will not contain any user details.

To enable this mode, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and click the “No User Authentication” radio button and then click SET OPTIONS.

GLOBAL USER AUTHENTICATION SETTINGS

CensorNet has two global authentication settings which are enabled by default:

Multiple Login Detection – selecting this option prevents the same username from being used to browse the Internet from more than one computer at once. There is a 5 minute timeout, so after finishing a browsing session on one computer users must wait 5 minutes before browsing from another computer.

Anonymous Browsing on Inline Intercepted Connections – applies to Inline mode only. Selecting this option allows anonymous browsing which effectively disables all the authentication options except for the CensorNet Active Directory Agent. For further information please refer to this Knowledge Base article: http://wiki.censornet.com/foswiki/bin/view/Main/AnonBrowsingInLine

ACTIVE DIRECTORY INTEGRATION

CensorNet is compatible with Active Directory running on:

Windows 2000 Server

Windows 2003, 2003r2 Server

Windows 2008, 2008r2 (64-bit) Server

It is possible to synchronise or replicate your Active Directory structure with CensorNet.

Synchronise (Windows Server 2003 and above) – this requires the CensorNet Synchronisation Service to be installed on your domain controller and the structure of your Active Directory will be automatically imported and then kept synchronised on CensorNet. If you create, delete or move user accounts on your Active Directory, CensorNet will automatically update with the changes.

Replicate – this does not require any software installing on the domain controller. Replication is a manual process of importing the Active Directory structure into CensorNet. Each time a change is made to the Active Directory, you should replicate the structure within CensorNet again.

SYNCHRONISING WITH ACTIVE DIRECTORY

The CensorNet Synchronisation Service is a system service that runs on Windows Server 2003 and above. The purpose of the service is to synchronise the Active Directory structure with the CensorNet server, specified during installation. With the service running, you do not need to manually update CensorNet with changes to the Active Directory (users, groups, etc).

The service can synchronise based on Organisational Unit (OU) or Primary Group.

INSTALLING THE CENSORNET SYNCHRONISATION SERVICE

Please visit http://www.censornet.com/adsync/ for download and installation instructions.

CONFIGURING THE CENSORNET SYNCHRONISATION SERVICE

After installing the CensorNet Synchronisation Service on your domain controller you will need to configure a shared secret key on the CensorNet server.

To do this, go to OBJECTS -> SYNCHRONISE -> WITH ACTIVE DIRECTORY and enter a secret key as shown below. The secret keys must match exactly on both the Synchronisation Service and the CensorNet server for the synchronisation to work.

Press SET OPTIONS to enable the use of the CensorNet Synchronisation Service.

On the domain controller, go to START -> ALL PROGRAMS -> CENSORNET SYNCHRONISATION MONITOR to configure the service.

Enter the IP address of the CensorNet server, the shared secret key (exactly as you set it on the CensorNet server), select the domain to synchronise and the method to group users by. Then press START SERVICE.

If the service fails to start, check the IP address and shared secret are correct and try again.

VERIFY THAT THE CENSORNET SYNCHRONISATION SERVICE IS WORKING

After a few seconds, the service will synchronise CensorNet with Active Directory. Please check the user manager under OBJECTS -> USERS -> MANAGE GROUPS to verify that the Active Directory structure has been synchronised. Any changes that are made to the Active Directory server will be visible within CensorNet a few seconds later.

You are now ready to apply filtering policies to the group or make changes to the group name and/or its members if required.

REPLICATING THE ACTIVE DIRECTORY STRUCTURE

It is possible to replicate your Active Directory structure within CensorNet. This makes it easy to apply policies to your existing groups. If you change the structure, move users between groups or add new users to groups, you should re-synchronise with CensorNet. For automatic synchronisation please see Synchronising with Active Directory.

You should configure an appropriate User Authentication method before attempting to import user and group information from Active Directory.

You can replicate your Active Directory structure based on OU or Primary Group. Most Active Directories use OU containers so this is the most common method.

REPLICATING BY ORGANISATIONAL UNIT (OU)

Go to OBJECTS -> IMPORT -> USERS FROM ACTIVE DIRECTORY BY OU.

You will be prompted to enter the following details:

Server Address – this is the IP address of the primary Active Directory server on your network.

Active Directory Domain – this is the full Active Directory domain for the network excluding the hostname or server name of the Active Directory.

Admin Username – this is a username that has administrator rights on the Active Directory server.

Admin Password – this is the password for the username specified in Admin Username.

Press SYNCHRONISE USER LIST to start the replication.

If the credentials have been entered correctly, CensorNet will display a list of OU groups and users within those groups. Review the list and ensure they are correct and then press CREATE/MOVE USERS AS ABOVE. If the list is empty, try using the Import by Primary Group method instead.

You will be prompted to confirm this action, which will create new groups and users as per the structure shown above.

The replication may take several seconds depending on the size and complexity of your Active Directory server. You will receive a confirmation message, like the one below, once the replication has completed.

Click CONTINUE to view the newly imported groups and users.

You are now ready to apply filtering policies to the group or make changes to the group name and/or its members if required.

REPLICATING BY PRIMARY GROUP

Go to OBJECTS -> IMPORT -> USERS FROM ACTIVE DIRECTORY BY PRIMARY GROUP.

You will be prompted to enter the following details:

Server Address – this is the IP address of the primary Active Directory server on your network.

Active Directory Domain – this is the full Active Directory domain for the network excluding the hostname or server name of the Active Directory.

Admin Username – this is a username that has administrator rights on the Active Directory server.

Admin Password – this is the password for the username specified in Admin Username.

Press SYNCHRONISE USER LIST to start the replication.

Page 41: CensorNet-GettingStartedGuide-1.8

41 © 2009 CensorNet Ltd

If the credentials have been entered correctly, CensorNet will display a list of Primary Groups and users within

those groups. Review the list and ensure they are correct and then press CREATE/MOVE USERS AS ABOVE. If

the list is empty, try using the Import by OU method instead.

You will be prompted to confirm this action, which will create new groups and users as per the structure

shown above.

The replication may take several seconds depending on the size and complexity of your Active Directory

server. You will receive a confirmation message, like the one below, once the replication has completed.

Click CONTINUE to view the newly imported groups and users.

You are now ready to apply filtering policies to the group or make changes to the group name and/or its members if required.

COMPUTER IDENTIFICATION

CensorNet is capable of logging and filtering based on the computer credentials as well as the user credentials. A computer can be identified in a number of ways and it is worthwhile deciding on the best method to use up front, as changing the mode later will require you to import the computers again. CensorNet can identify computers in three ways:

Method – When to use

MAC Address (default) – On a LAN when using DHCP

IP Address – On a WAN or with multiple subnets

Hostname – On a LAN/WAN with DNS to resolve computers to hostname

The COMPUTER IDENTIFICATION methods are described in detail in this section.

CONFIGURING THE COMPUTER IDENTIFICATION METHOD

To set the Computer Identification method, go to SYSTEM -> CONFIGURATION -> COMPUTER IDENTIFICATION.

Press SET OPTIONS to enable the specified Identification Method.

NOTE: CHANGING THE COMPUTER IDENTIFICATION MODE WILL REMOVE ANY EXISTING COMPUTER OBJECTS FROM CENSORNET

MAC ADDRESS METHOD

By default, CensorNet is configured to identify computers by their MAC address.

In order for computer details to appear in the reports and to apply filtering rules specifically to computers, you must tell CensorNet about the computers on your network.

There are two ways you can do this. The first is an automatic PROBE LAN which will scan the entire subnet and attempt to auto-detect any computers that are connected to the network and add their MAC address and hostname. The second way is to import the computer information from a compatible file, such as CSV.

IMPORT COMPUTERS AUTOMATICALLY

You must have at least one computer group defined. To create a new group, go to OBJECTS -> COMPUTERS -> NEW GROUP.

Group Name – this should be a plain text name for the group, e.g. Computers.

Require User Authentication – Select “Yes” to force authentication when accessing the Internet from computers in this group (if you have enabled User Authentication, see section User Authentication). Select “No” if you do not require authentication for this group of computers, for example, if it is a suite of guest computers or public access computers.

Click ADD GROUP to create the new computer group.

To probe the network for computer information, go to OBJECTS -> IMPORT -> COMPUTERS FROM LAN.

Scan on interface – select the network Interface to use for scanning the network. If your CensorNet server has more than one NIC then you can select which one to use for the probe.

Import into group – select the group to import computer information into. All automatically discovered computers will appear in this group. Later, you can move the computers into different groups if you require different filtering rules for different groups of machines.

Click RUN PROBE to start the automatic detection. The progress bar will be shown on the screen:

NOTE: IF YOUR SUBNET IS PARTICULARLY LARGE, THE PROBE MAY TAKE A WHILE TO RUN AND MAY CAUSE AN UNEXPECTED PEAK IN NETWORK TRAFFIC.

After the probe has completed you will be able to view the computers that have been detected.

Go to OBJECTS -> COMPUTERS -> MANAGE COMPUTER page to make changes to the hostnames, MAC address information and group membership for the imported computers.

IMPORT COMPUTERS FROM CSV

CensorNet supports a number of CSV formats for importing computer information.

HOSTNAME,MAC ADDRESS – this is a simple CSV format containing the hostname and MAC address separated by a comma, one per line, without any header. E.g.

samurai,00:0C:29:7F:5F:6F

sword,00:02:E3:0A:8F:72

ANGRYIP – AngryIP is a free network scanner that can probe the network for connected devices and export the contents to CSV. This CSV file can be imported directly into CensorNet.

CSVDE – CSVDE is a tool provided by Microsoft to export user and computer information from Active Directory. The exported file can be imported directly into CensorNet.
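A pre-import check for the simple HOSTNAME,MAC ADDRESS format, as an added example (not CensorNet code and not part of the original guide). It assumes that only the colon-separated MAC notation shown in the sample lines is acceptable and that hostnames are single DNS-style labels; the sample input below is constructed.

```python
import csv
import io
import re

# Colon-separated form, as in the guide's sample lines. Treating any other
# notation as an error is an assumption of this example.
MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")
# Single DNS-style label; the guide does not define which characters a
# hostname may contain, so this rule is an assumption as well.
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_computer_csv(text):
    """Validate HOSTNAME,MAC ADDRESS lines before importing them.

    Returns (rows, problems): rows is a list of (hostname, mac) tuples that
    passed every check, problems is a list of (line_number, message).
    """
    rows, problems = [], []
    first_seen = {}  # lower-cased hostname or upper-cased MAC -> line number
    reader = csv.reader(io.StringIO(text))
    for fields in reader:
        lineno = reader.line_num
        if not any(field.strip() for field in fields):
            continue  # blank line
        if len(fields) != 2:
            problems.append((lineno, f"expected 2 fields, found {len(fields)}"))
            continue
        host, mac = fields[0].strip(), fields[1].strip().upper()
        if not MAC_RE.match(mac):
            hint = " (header rows are not allowed)" if lineno == 1 else ""
            problems.append((lineno, f"invalid MAC address {mac!r}{hint}"))
            continue
        if not HOST_RE.match(host):
            problems.append((lineno, f"invalid hostname {host!r}"))
            continue
        # The low bit of the first octet marks a multicast or broadcast
        # address, which never identifies a single network card.
        if int(mac[:2], 16) & 0x01:
            problems.append((lineno, f"multicast/broadcast MAC {mac}"))
            continue
        # A repeated hostname or MAC makes the computer object ambiguous.
        clashes = [key for key in (host.lower(), mac) if key in first_seen]
        if clashes:
            for key in clashes:
                problems.append(
                    (lineno, f"{key} already used on line {first_seen[key]}"))
            continue
        first_seen[host.lower()] = lineno
        first_seen[mac] = lineno
        rows.append((host, mac))
    return rows, problems


# Constructed sample: the first two lines are the guide's own example,
# the remaining four each contain one defect.
SAMPLE = """\
samurai,00:0C:29:7F:5F:6F
sword,00:02:E3:0A:8F:72
katana,00-02-E3-0A-8F-73
shield,00:02:e3:0a:8f:72
bow,01:00:5E:00:00:FB
lance
"""

if __name__ == "__main__":
    good, bad = check_computer_csv(SAMPLE)
    for host, mac in good:
        print("ok   ", host, mac)
    for lineno, message in bad:
        print("line", lineno, message)
```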

COMMON PROBLEMS

The Probe LAN option does not detect all of the computers on the network – this can happen for a number of reasons:

o Ensure that all the computers are powered on and connected to the network and re-run the probe.

o If the computers do not respond to NetBIOS requests then the Probe cannot detect them. You will need to enter the hostname and MAC address manually or import them from CSV (see Import Computers from CSV).

o If the computers have a secure firewall running this may block the NetBIOS requests.

The Probe LAN takes too long – If your subnet is larger than 255.255.252.0 then we recommend that you import computer information via CSV.

IP ADDRESS METHOD

IP address mode can be used if you have a network topology consisting of multiple routers, VLANs, VPNs or you identify computers based on static IP addresses rather than DHCP.

In order for computer information to appear in the reports you must import all or part of the subnet into CensorNet.

IMPORT COMPUTERS AUTOMATICALLY

To automatically import computer information, go to OBJECTS -> IMPORT -> COMPUTERS FROM LAN.

You can import by IP address range or by subnet. This allows you to import different ranges into different groups if required. Optionally, CensorNet can attempt to resolve the IP address to a hostname using NetBIOS. If this is selected, the import will take slightly longer.

PLEASE NOTE: IF YOU TICK TO USE NETBIOS AND THE IP ADDRESS CANNOT BE RESOLVED IT WILL NOT BE ADDED TO CENSORNET.

Go to OBJECTS -> COMPUTERS -> MANAGE COMPUTER page to make changes to the hostnames, IP address information and group membership for the imported computers.

HOSTNAME METHOD

The Hostname method should be used on networks with single or multiple subnets where the internal DNS servers are configured to return a hostname for each IP address on the network. If the IP address does not resolve to a hostname, CensorNet will deny access to the Internet from this computer as a security measure.

In order for computer information to appear in the reports you must import all or part of the subnet into CensorNet.

IMPORT COMPUTERS AUTOMATICALLY

To automatically import computer information, go to OBJECTS -> IMPORT -> COMPUTERS FROM LAN.

You can import by IP address range or by subnet. This allows you to import different ranges into different groups if required. CensorNet will attempt to resolve all IP addresses to a hostname.

NOTE: IF CENSORNET CANNOT RESOLVE THE IP ADDRESS TO A HOSTNAME IT WILL NOT IMPORT IT AND THE COMPUTER MAY BE DENIED ACCESS TO THE INTERNET UNTIL THERE IS A VALID PTR RECORD, OR YOU MANUALLY ADD THE INFORMATION TO CENSORNET
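Before switching to the Hostname method, it helps to know which addresses in a range have no reverse mapping, since those are the computers the note above says will not be imported. The following audit is an added example (not CensorNet code); the function names, the 192.0.2.0/29 range and the lookup table are constructed, and flagging names shared by several addresses is this example's own review suggestion rather than something the guide states.

```python
import ipaddress
import socket


def reverse_lookup(ip):
    """Name the system resolver returns for ip, or None if there is none.

    gethostbyaddr() also consults the local hosts file, so run this on a
    machine that uses the same internal DNS servers as CensorNet.
    """
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror derive from OSError
        return None


def audit_reverse_dns(network, resolver=reverse_lookup):
    """Check every host address in network for a reverse mapping.

    Returns a dict with:
      resolved - {ip: hostname} for addresses that resolve
      missing  - addresses without a reverse mapping
      shared   - {hostname: [ips]} where several addresses return one name
    """
    resolved, missing, by_name = {}, [], {}
    for address in ipaddress.ip_network(network).hosts():
        ip = str(address)
        name = resolver(ip)
        if not name:
            missing.append(ip)
            continue
        name = name.rstrip(".").lower()  # DNS names are case-insensitive
        resolved[ip] = name
        by_name.setdefault(name, []).append(ip)
    shared = {name: ips for name, ips in by_name.items() if len(ips) > 1}
    return {"resolved": resolved, "missing": missing, "shared": shared}


# Constructed reverse-DNS table standing in for a real DNS server, so the
# example runs offline. Pass no resolver argument to query the real one.
SAMPLE_PTR = {
    "192.0.2.1": "pc-01.example.test",
    "192.0.2.2": "pc-02.example.test",
    "192.0.2.3": "PC-02.example.test.",
}


def demo():
    return audit_reverse_dns("192.0.2.0/29", resolver=SAMPLE_PTR.get)


if __name__ == "__main__":
    report = demo()
    print("no reverse mapping:", ", ".join(report["missing"]))
    for name, ips in report["shared"].items():
        print("shared name:", name, "->", ", ".join(ips))
```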

SSL INTERCEPT MODE

CensorNet has the ability to intercept, decrypt and filter secure SSL web sites. This option is off by default when CensorNet is configured in SIDEWAYS mode and on by default when CensorNet is configured in INLINE mode.

SSL sites can harbour web based threats such as anonymous proxy servers and malware. They are also used legitimately to transfer confidential and secure information. You should decide whether you wish to allow SSL completely with no filtering (bypass), block it completely, or allow CensorNet to intercept and filter it regardless of the type of content on the site.

ENABLING SSL INTERCEPT MODE

To enable SSL Intercept mode, go to SYSTEM -> CONFIGURATION -> SSL INTERCEPT MODE. Select “Enabled” and press SET OPTIONS.

INSTALLING WEB BROWSER SSL CERTIFICATE

The act of SSL interception replaces the requested Web server certificate with a certificate signed by the CensorNet server. This causes a browser warning to appear when viewing SSL web sites. It is necessary for you to install the CensorNet root certificate authority (CA) into each of the browsers on your network to prevent the browser warning from appearing. This can be achieved in one of two ways:

Using an Active Directory group policy update to install the certificate (see Knowledge Base article)

Manual installation

Please refer to the guide “SSL Certificate Installation” for detailed information and installation instructions.

http://www.censornet.com/pdf/SSL-Certificate-Installation.pdf

BYPASSING SSL INTERCEPT MODE

If you do not want to filter any SSL web sites you can configure CensorNet to completely ignore any SSL enabled web requests (e.g. https://). This is a global setting and will apply to all users and computers. It is also possible to allow or deny SSL sites on a per-policy basis; please see the section on Policies.

COMPLETELY BYPASS SSL WEB SITES

First of all, you should disable the SSL Intercept Mode. Go to SYSTEM -> CONFIGURATION -> SSL INTERCEPT MODE, select “Disabled” and press SET OPTIONS.

Next, you need to create a Bypass rule to ignore SSL sites. Go to FILTERS -> FILTER BYPASS MODULE -> BYPASS CATEGORIES.

WARNING: This will allow all HTTPS/SSL enabled web sites regardless of their content, which may be legitimate or harmful.

Create a new category called “SSL Bypass” and click ADD.

Click on the category name from the EXISTING CATEGORIES list.

Add the pattern: “:443” to the new category (without the quotes) and press ADD URL, as shown below:

DISABLING SSL INTERCEPT MODE

Disabling SSL mode will prevent CensorNet from intercepting and filtering SSL enabled web sites. As a result, by default, CensorNet will block all SSL web sites unless you specifically allow access to them in a filtering policy.

To disable SSL Intercept, go to SYSTEM -> CONFIGURATION -> SSL INTERCEPT MODE, select “Disabled” and press SET OPTIONS.

NOTE: If you disable SSL Intercept Mode, SSL web sites will be blocked by default unless you bypass filtering for SSL or add explicit URLs to allow in the Custom URL module.

FILTERING POLICIES

CensorNet provides a powerful and granular way of filtering Web content in the form of policies. Policies are sets of rules which instruct the filtering modules to act in a certain way (ALLOW / IGNORE / BLOCK) and these policies can be applied to user groups or computer groups. The filtering modules are plug-in components that provide a specific type of filtering, e.g. URL matching, image filtering, real time classification, streaming content, etc. By building a policy, you can control what can be accessed online, by whom and at what time.

Policies can operate in one of five modes. The modes decide the base functionality of the policy and, depending on the mode, can be further customised by the administrator.

The five filtering modes are:

OPEN – An open mode policy provides unfiltered, but logged, access to the Web.

CLOSED – The closed mode policy prevents access to the Web.

RESTRICTED – The restricted mode policy creates a “walled garden” and only allows access to a specified list of Web sites or web site categories.

FILTERED – The filtered mode policy allows you to specify granular filtering rules for each of the filter modules.

ADVISORY – This is the same as the filtered mode but any web site that is blocked can be overridden by the user. This is a “coaching” mode.

A policy can be applied to more than one group of users or computers, but only one policy can be active at any one time for any particular group. Combinations of policies can be scheduled to activate and deactivate at certain times during the week for a specified group.

DEFAULT POLICY

At least one policy must exist on the CensorNet server. CensorNet comes pre-configured with a default policy. This policy operates in the filtered mode and contains common rules, which you should use as a basis to customise to meet your exact requirements as an organisation. The default policy is meant to be an example from which you can build rules to match your requirements.

The default policy is applied to any user or computer that does not already have a policy assigned to their group or to an unknown user or computer trying to use CensorNet. It is a useful “catch all” policy that will provide the minimum level of filtering on the network.

THE DEFAULT POLICY EXPLAINED

The default policy is a good starting point to familiarise yourself with how filtering policies work within CensorNet. Go to POLICIES -> MANAGE POLICIES and click on the “Default Policy” entry.

After a few moments, the rules will load and you will be able to make changes to the policy if you require.

Under the “Policy Details” section there are several important configuration options for the policy, as described below.

Name – this is a plain text name for the policy. It is useful to give meaningful names to the policies as it makes administering them easier.

Description – this is a plain text description of the policy, which is useful to tell other administrators the purpose of the policy.

Colour Label – this is the colour that will identify the policy when you create a policy schedule.

Mode – this defines the filtering mode that this policy will use (please see Policies section for a description of the five modes).

If rules conflict – Web sites can be classified into more than one category by the filtering modules. If a module has conflicting block and allow rules, then CensorNet will use this option to resolve the conflict. The choices are “Block rules override allow rules” or “Allow rules override block rules”.

Dynamic sites – Web sites categorised as having highly dynamic content (e.g. Google, Wikipedia) may contain unsuitable content even though they are in a legitimate category (e.g. Search Engines, Reference). Forcing the real-time analysis will attempt to block adult, obscene or explicit pages that may exist within the dynamic site even though the category they are in has been set to “allow”. The choices are “Force real-time content analysis” or “URL database categories override real-time content analysis”. The latter will disable any real-time analysis of dynamic web sites and allow or deny the web site based upon the rules configured in the Content Classifier module, which is explained below.

Time Quota – a policy can contain a Time Quota for categories of web site that you choose. Every time you access a web site that is in a category which is part of the time quota, the time will be reduced. When the time quota has reached zero, access to the web sites in those categories will be blocked until the next day. The quotas are reset at midnight. NOTE: The Time Quota feature only works if User Authentication is enabled. For more information on Time Quotas please see: http://wiki.censornet.com/foswiki/bin/view/Main/QuotasExplained

The “Filter modules” section provides a way to set the rules for each of the filter modules that are available to the Filtered Mode policy.

With the exception of the Active Image Control, the modules use “categories” which can be set to trigger “ALLOW”, “DENY” or “IGNORE”. The “categories” may contain lists of URLs or represent a single entity, such as a file extension.

The three triggers, “ALLOW”, “DENY” and “IGNORE” are used to instruct CensorNet what to do if it encounters a match with the category configured in the filtering module.

Allow – allow the request. Processing of the policy stops as soon as a match is triggered.

Block – block the request. Processing of the policy stops as soon as a match is triggered.

Ignore – pass the request to the next filter module and continue running the policy.

Within a policy there are five modules which can be configured:

Custom URL – The Custom URL module allows you to maintain categories of web site yourself, which override or complement those provided in the URL database. The Custom URL module uses patterns to match URLs so you can also use it to block keywords in the URL or to match multiple addresses with a wildcard. Categories that are set to “allow” can also be placed into a Time Quota. For more information on Custom URL patterns please see http://wiki.censornet.com/foswiki/bin/view/Main/URLPatternsExplained

Content Classifier – The Content Classifier allows you to specify which categories from the URL database should be matched as part of the policy and what action should be taken. There are over 70 categories, in multiple languages, which contain over 65,000,000 individual web sites. Categories that are set to “allow” can also be placed into a Time Quota.

File Extension Filter – The File Extension Filter contains a list of file extensions which you can control using the policy.

MIME Type Filter – The MIME Type Filter contains a list of MIME types which you can control using the policy. Setting a MIME type to allow will also allow it to stream properly through CensorNet without being cached first.

Active Image Control – The Active Image Control uses image recognition techniques to attempt to block explicit images from being displayed in the web browser.

Upload Filter – The upload filter inspects any HTTP POST requests for specific file types being uploaded.

When a policy is processed, the modules are executed in order from top to bottom as they appear under the “Filter Modules” section. This means, for example, that if a rule is matched in the Custom URL module to “block” the request, it will not reach any of the other modules for processing. For further information on policy parsing please see this Knowledge Base article: http://wiki.censornet.com/foswiki/bin/view/Main/PolicyParser

Any changes that you make to the policy must be confirmed by pressing the UPDATE POLICY button at the bottom of the page.
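The processing order described above has a practical consequence: an early ALLOW stops the policy before later modules can block anything. The model below is an added illustration in Python (not CensorNet code and not its policy parser) of the three triggers, the “If rules conflict” option and the top-to-bottom module order. The category names and sample policy are constructed, Active Image Control is left out because it does not use categories, and NO_MATCH is a placeholder result because the guide does not say what happens when every module ignores a request.

```python
ALLOW, BLOCK, IGNORE = "ALLOW", "BLOCK", "IGNORE"  # BLOCK is shown as DENY in places
NO_MATCH = "NO_MATCH"  # placeholder: outcome not specified in the guide


def module_verdict(triggers, matched, block_wins):
    """Resolve one module.

    triggers   - {category: trigger} as configured in the policy
    matched    - categories of this module that the request falls into
    block_wins - True for "Block rules override allow rules",
                 False for "Allow rules override block rules"
    """
    fired = {triggers.get(category, IGNORE) for category in matched} - {IGNORE}
    if fired == {ALLOW, BLOCK}:  # conflicting rules inside one module
        return BLOCK if block_wins else ALLOW
    return next(iter(fired), IGNORE)


def evaluate(policy, matches):
    """Run the modules top to bottom; stop at the first ALLOW or BLOCK.

    Returns (verdict, deciding_module, modules_that_never_ran).
    """
    modules = policy["modules"]
    for index, (name, triggers) in enumerate(modules):
        verdict = module_verdict(triggers, matches.get(name, ()),
                                 policy["block_wins"])
        if verdict != IGNORE:
            skipped = [later for later, _ in modules[index + 1:]]
            return verdict, name, skipped
    return NO_MATCH, None, []


def shadowed_blocks(policy, matches):
    """BLOCK rules in later modules that an earlier ALLOW kept from running."""
    verdict, _, skipped = evaluate(policy, matches)
    if verdict != ALLOW:
        return []
    triggers_by_module = dict(policy["modules"])
    return [(name, category)
            for name in skipped
            for category in sorted(matches.get(name, ()))
            if triggers_by_module[name].get(category, IGNORE) == BLOCK]


# Constructed policy; module order follows the list in the guide.
POLICY = {
    "block_wins": True,
    "modules": [
        ("Custom URL", {"Partner sites": ALLOW}),
        ("Content Classifier", {"Search Engines": ALLOW, "Adult": BLOCK}),
        ("File Extension Filter", {"exe": BLOCK}),
        ("MIME Type Filter", {"application/x-msdownload": BLOCK}),
    ],
}

# Constructed request: an .exe download from a site in an allowed
# Custom URL category.
PARTNER_EXE = {
    "Custom URL": {"Partner sites"},
    "File Extension Filter": {"exe"},
    "MIME Type Filter": {"application/x-msdownload"},
}

# Constructed request: a site the URL database puts in two categories.
SEARCH_ADULT = {"Content Classifier": {"Search Engines", "Adult"}}

if __name__ == "__main__":
    print(evaluate(POLICY, PARTNER_EXE))
    print("shadowed:", shadowed_blocks(POLICY, PARTNER_EXE))
    print(evaluate(POLICY, SEARCH_ADULT))
```

Running `shadowed_blocks` over representative requests before setting a Custom URL category to ALLOW shows which block rules that category would override.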

CREATING NEW POLICIES

To create a new policy, go to POLICIES -> NEW POLICY.

Alternatively, you can clone an existing policy. Go to POLICIES -> MANAGE POLICIES and click on the policy to clone. Select a new COLOUR LABEL for the new policy otherwise it will be the same as the existing one, which could cause confusion when setting up schedules, and then scroll to the bottom of the page and click the CLONE POLICY button. You will be prompted to provide a name for the new policy.

Enter the new name and press enter or click OK. The policy will be cloned and the new policy will appear in the Manage Policies list.

After creating a new policy you need to apply the policy to a group of users or computers.

APPLYING POLICIES TO GROUPS OF USERS OR COMPUTERS

Policies must be applied to groups in order for them to be active, with the exception of the Default Policy which is active for any group that does not have a policy assigned to it.

Assigning policies in CensorNet is straightforward. After creating your policy, decide whether you wish to apply it to a group of users or a group of computers. The method is the same for both; however you should note that computer policies override user policies.

To apply a policy, go to OBJECTS -> USERS (OR COMPUTERS) -> MANAGE GROUP.

Click the SCHEDULE POLICY button for the group that you wish to apply a policy to.

This will load the SCHEDULE EDITOR.

The schedule editor allows you to specify when policies will be active for the chosen group. Each small square represents a 5 MINUTE TIME PERIOD. Along the bottom of the editor is a legend which shows the policy names and their associated colours.

From the POLICY PAINT BRUSH drop down box, you can select the policy to apply. You can then apply the policy in a number of ways:

“Draw” when the policy will be active using the mouse. Hover over a time period, press and hold the left mouse button, and drag the policy until it reaches the end time. The policy will be active between each start and end point on the editor. You can increase the number of time blocks each mouse press will add by using the second drop down list – the default is 5 MINUTE BLOCKS.

Clone a schedule you have drawn for a specific day by clicking the radio button to the right of the day and click “Clone”. This will replicate the day’s schedule on all other days.

To apply the policy all day every day, select the policy to apply and click the “Fill All” button. The policy will be active 24x7 for that group.

To apply the policy to a specific day of the week, click the radio button to the right of the day and click “Fill Selected”.

You must click UPDATE SCHEDULE for the changes to take effect.

GLOBAL FILTERING MODULES

There are three global modules that apply to all policies, which are found under the Filters menu:

Safe Search – forces Google, Yahoo! and Bing image safe search on, regardless of whether the user tries to disable it in their web browser.

On-demand Anti-Virus (optional extra) – powered by AVG, the anti-virus module scans web pages in real time for threats such as viruses, Trojans, spyware, etc.

Filter Bypass – a list of trusted sites that you do not ever want to filter with CensorNet. Sites in the bypass list are not logged and are not authenticated in any way. This list should be kept to a minimum.

CUSTOM URL MODULE

The Custom URL module allows you to maintain your own categories of URLs for use within filtering policies. You can create an unlimited number of categories and they can contain an unlimited number of URLs. The Custom URL module is generally used to override the categories provided in the URL database or to control access to specific URLs from within a filtering policy.

CREATING A CUSTOM URL CATEGORY

Go to FILTERS -> CUSTOM URL MODULE -> CATEGORIES.

Enter the name of the new category and press ADD. The category will appear in the EXISTING CATEGORIES list where you can click on it to start adding URLs.

ADDING CUSTOM URLS

Go to FILTERS -> CUSTOM URL MODULE -> URL MANAGER or click on a category name from the EXISTING CATEGORIES list.

NOTE: CUSTOM URLS IN CENSORNET DO NOT USE THE HTTP:// OR HTTPS:// PREFIX

Add the new URL pattern and select a category to add the URL to and then click ADD URL. At this point, the category containing the URL is just a container for the URL and does not block or allow it. To decide how the category and its URLs will be handled, the category must be activated within a filtering policy.

Go to POLICIES -> MANAGE POLICIES and select a policy to use the new URL category with, e.g. default policy.

Scroll down to the CUSTOM URL MODULE and the new category will be displayed in the list.

By default the URL category is set to IGNORE. To block the URLs in the custom category change the trigger to BLOCK or to allow the URLs change the trigger to ALLOW. If you allow a category in the Custom URL module then all URLs within the category will be allowed and no further filtering will take place.

Scroll to the bottom of the policy page and click UPDATE POLICY to save the changes.

CUSTOM URL PATTERNS

For more information on Custom URL patterns please see this Knowledge Base article:

http://wiki.censornet.com/foswiki/bin/view/Main/URLPatternsExplained

ADMINISTRATORS

It is possible to define multiple administrator users that can login and administer the CensorNet system. The administrator users can have different roles and be restricted to only accessing certain parts of the system.

To create a new administrator, go to OBJECTS -> ADMINISTRATORS -> NEW ADMINISTRATOR.

You will be required to enter:

Username – a username for the new administrator.

Password – a password for the new administrator.

Confirm – confirmation of the password for the new administrator.

Rights – select the rights that this administrator should have over the system. At least one right should be applied to the new administrator.

BYPASSING NON-PROXY-AWARE SITES / APPLICATIONS

CensorNet is designed to filter any content that conforms to the HTTP protocol whether that is through a web browser or a different kind of user agent. Depending on the size and complexity of your network there may be several applications that do not require filtering or will actually malfunction if there is a web filter in operation. The URIs (hostname/IP and port) for these services should be added to the CensorNet bypass list, so it is a good idea to make a note of them now in order to avoid any issues when you deploy CensorNet. The following is a non-exhaustive list of applications that should be bypassed:

Local web servers such as Intranet sites

Thin client servers such as Citrix

Application servers such as Microsoft Outlook Web Access

Trusted extranet sites

Desktop applications that use HTTP/S e.g. GoToMeeting, WebEx.

To bypass these applications, go to FILTERS -> FILTER BYPASS -> BYPASS URL MANAGER.

Please refer to this guide on URL patterns within CensorNet:

http://wiki.censornet.com/foswiki/bin/view/Main/URLPatternsExplained

COMMON ERROR MESSAGES

THE UPSTREAM PROXY DID NOT RESPOND IN TIME

This error can occur for a number of reasons.

The DNS server that you have specified is not responding or is running slow. Try specifying a public DNS server as the primary DNS server for CensorNet. You can alter the DNS settings by logging into the console as root and typing “setup” and then choosing “Option 2 – Network Configuration”. Refer to the Installation Guide for network configuration.

You have specified a parent proxy and the details are either incorrect or the parent proxy is offline.

The parent proxy is not responding to CensorNet in time. Try an alternative parent proxy or contact Technical Support for assistance.

UNABLE TO RETRIEVE MAC ADDRESS OF THE PEER

This error occurs if you are on a network with multiple routers and subnets. You should change the “Computer Identification” method to “IP” or “Hostname”. See the section on Computer Identification for more information.

THE AUTHENTICITY OF THE WEB SITE COULD NOT BE VERIFIED

This error can occur when SSL INTERCEPT MODE is enabled and CensorNet encounters a web site that has an invalid certificate, or a certificate that is signed by a root authority that CensorNet does not know about, e.g. intranet certificate.

The solution is to add the URL to the Filter Bypass module by going to FILTERS -> FILTER BYPASS MODULE -> BYPASS URL MANAGER.

For further information please refer to this Knowledge Base article:

http://wiki.censornet.com/foswiki/bin/view/Main/TheAuthenticitiyOfTheSecureWebSiteCouldNotBeVerified

CONTENT LENGTH EXCEEDED

For further information please refer to this Knowledge Base article:

http://wiki.censornet.com/foswiki/bin/view/Main/ContentLengthExceeded

UNABLE TO ESTABLISH AN OUTBOUND CONNECTION TO CSRV.CENSORNET.COM 2200

For CensorNet to operate in Trial Mode it needs to connect to CSRV.CENSORNET.COM on port 2200. It is possible that a firewall is blocking this connection or the network settings on CensorNet are incorrect. Please refer to this Knowledge Base article:

http://wiki.censornet.com/foswiki/bin/view/Main/UnableToEstablishAnOutboundConnectionToCsrvCensornetComOnPort2200

TROUBLESHOOTING

ALLOW OR BLOCK INSTANT MESSAGING APPLICATIONS

It is possible to control any application that uses the HTTP protocol using CensorNet, for example Instant Messenger applications.

Please see the following Knowledge Base article for information on blocking Instant Messaging applications:

http://wiki.censornet.com/foswiki/bin/view/Main/WebMailURL

WEB SITES SUCH AS YOUTUBE NO LONGER STREAM CORRECTLY

To correctly stream media content through the CensorNet proxy server, it is necessary to allow certain MIME types and URLs related to the streaming media site. Please see this Knowledge Base article for more information:

http://wiki.censornet.com/foswiki/bin/view/Main/ProblemWithStreamingMediaSitesSuchAsYouTube

WEB PAGES DO NOT LOAD CORRECTLY – MISSING STYLES AND IMAGES

Please see this Knowledge Base article:

http://wiki.censornet.com/foswiki/bin/view/Main/WebPagesDoNotLoadCorrectlyMissingImagesColoursAndStyles

PROBLEM AUTHENTICATING USERS USING APPLE OSX

Please see this Knowledge Base article:

http://wiki.censornet.com/foswiki/bin/view/Main/UserAuthenticationOnAppleMac

INTERMITTENT ACCESS TO WEB SITES OR SLOW WEB SITES

Please see this Knowledge Base article:

http://wiki.censornet.com/foswiki/bin/view/Main/IntermittentAccessToWebSitesOrSlowBrowsingForCertainSites

CITRIX NOTES

CensorNet is used by many organisations, of varying sizes, that have implemented Citrix or Terminal Services. To identify users within a Citrix environment, you should configure Transparent Kerberos or Transparent NTLM authentication.

In addition, to allow certain Citrix servers and applications to communicate through CensorNet, you should add rules to the FILTER BYPASS module. Please see the following Knowledge Base articles for more information:

http://wiki.censornet.com/foswiki/bin/view/Main/CitrixPortNumbers

http://wiki.censornet.com/foswiki/bin/view/Main/CitrixServerConnection

SUMMARY

This guide has taken you through the key elements of setting up and configuring CensorNet Professional for the first time. You should now be in a position to use, test and familiarise yourself with the product and its extensive features.

For further information please consult the product documentation under HELP -> HELP CONTENTS or review the Knowledge Base.

TECHNICAL SUPPORT

Telephone +44 (0) 845 230 9592

E-mail [email protected]

Live Support Desk http://www.censornet.com/support/

Knowledge Base http://wiki.censornet.com