8e6 R3000 Enterprise Filter Authentication User Guide. Model: R3000. Release 1.10.20 / Version No.: 1.01
ii 8E6 TECHNOLOGIES, R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE
R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE © 2006 8e6 Technologies All rights reserved. 828 W. Taft Ave., Orange, CA 92865, USA Version 1.01, published December 2006 To be used with R3000 User Guide version 1.01 for software release 1.10.20 Printed in the United States of America This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine readable form without prior written consent from 8e6 Technologies.
CONTENTS

CHAPTER 1: INTRODUCTION ... 1
  About this User Guide ... 1
  How to Use this User Guide ... 2
    Conventions ... 2
    Terminology ... 3
  Filtering Elements ...
  R3000 Authentication Tiers ... 23
    Tier 1: Single Sign-On Authentication ... 25
      Net use based authentication process ... 25
        Re-authentication process ... 26
      Authentication methods ... 27
        SMB protocol ...
  Authentication Solution Compatibility ... 53
  Configuring the R3000 for Authentication ... 54
    Configuration procedures ... 54
      System section ... 54
      Group section ... 57
CHAPTER 2: NETWORK SETUP ...
    Enable, Disable Features ... 91
  Authentication Form Customization ... 93
    Preview Sample Authentication Request Form ... 95
  Block Page Customization ... 97
    Preview Sample Block Page ... 99
CHAPTER 3: NT AUTHENTICATION SETUP ... 101
  Join the NT Domain ...
  User Objects ... 130
    Address Info ... 131
    Account Info ... 134
    SSL Settings ... 135
    Alias List ... 137
    Default Rule ...
    Step 7: Disable filter options ... 170
    Step 8: Attempt to access Web content ... 171
  Test net use based authentication settings ... 173
  Activate Authentication on the Network ... 174
  Activate Web-based authentication for an IP Group ... 175
    Step 1: Create a new IP Group, “webauth” ...
  User/Group File Format and Rules ... 209
    Username Formats ... 209
    Rule Criteria ... 210
    File Format: Rules and Examples ... 212
      NT User List Format and Rules ... 213
      NT Group List Format and Rules ...
    If pop-up blocking is enabled ... 237
    Add override account to the white list ... 237
  Google Toolbar Pop-up Blocker ... 239
    If pop-up blocking is enabled ... 239
    Add override account to the white list ... 239
  AdwareSafe Pop-up Blocker ...
CHAPTER 1: INTRODUCTION

The R3000 Authentication User Guide contains information about setting up authentication on the network.

About this User Guide

This user guide addresses the network administrator designated to configure and manage the R3000 server on the network. Chapter 1 provides information on how to use this user guide, and also includes an overview of filtering components and authentication operations.

blocker software installed; a glossary on authentication terms, and an index.

How to Use this User Guide

Conventions

The following icons are used throughout this user guide:

NOTE: The “note” icon is followed by italicized text providing additional information about the current subject.

TIP: The “tip” icon is followed by italicized text giving you hints on how to execute a task more efficiently.

Terminology

The following terms are used throughout this user guide. Sample images (not to scale) are included for each item.

• alert box - a message box that opens in response to an entry you made in a dialog box, window, or screen. This box often contains a button (usually labeled “OK”) for you to click in order to confirm or execute a command.

• dialog box - a box that opens in response to a command made in a window or screen, and requires your input. You must choose an option by clicking a button (such as “Yes” or “No”, or “Next” or “Cancel”) to execute your command. As dictated by this box, you also might need to make one or more entries or selections prior to clicking a button.

• pop-up box or pop-up window - a box or window that opens after you click a button in a dialog box, window, or screen. This box or window may display information, or may require you to make one or more entries. Unlike a dialog box, you do not need to choose between options.

• pull-down menu - a field in a dialog box, window, or screen that contains a down-arrow to the right.

• sub-topic - a subset of a main topic that displays as a menu item for the topic. The menu of sub-topics opens when a pertinent topic link in the left panel (the control panel) of a screen is clicked. If a sub-topic is selected, the window for that sub-topic displays in the right panel of the screen, or a pop-up window or an alert box opens, as appropriate.

• text box - an area in a dialog box, window, or screen that accommodates your data entry.

• tree - a tree displays in the control panel of a screen, and is comprised of a hierarchical list of items. An entity associated with a branch of the tree is preceded by a plus (+) sign when the branch is collapsed. When the item is double-clicked, a minus (-) sign replaces the plus sign, and any entity within that branch of the tree displays. An item in the tree is selected by clicking it.
Filtering Elements

Filtering operations include the following elements: groups, filtering profiles and their components, and rules for filtering.

Group Types

In the Group section of the Administrator console, group types are structured in a tree format in the control panel.

IP Groups

The IP group type is represented in the tree by the IP icon. A master IP group is comprised of sub-group members and/or individual IP members. The global administrator adds master IP groups, adds and maintains override accounts at the global level, and establishes and maintains the minimum filtering level.

NT Domain Groups

An NT domain on a network server is comprised of Windows NT groups and their associated members (users), derived from profiles on the network’s domain controller. The NT group type is represented in the tree by the NT icon. This branch only displays if authentication is enabled. Using the tree menu, the global administrator adds and maintains NT domains, and profiles of NT groups and members within the domain.

LDAP Domain Groups

An LDAP (Lightweight Directory Access Protocol) domain on a network server is comprised of LDAP groups and their associated members (users), derived from profiles on the network’s authentication server. The LDAP group type is represented in the tree by the LDAP icon. This branch only displays if authentication is enabled.

Filtering Profile Types

A filtering profile is applied to every user who is set up to be filtered on the network. The profile consists of rules that dictate whether a user has access to a specified Web site or service on the Internet.

Other filtering profiles

• override account profile - set up in either the global group section or the master group section of the console.

NOTE: An override account set up in the master IP group section of the R3000 console takes precedence over an override account set up in the global group section of the console.

• lock profile - set up under X Strikes Blocking in the Filter Options section of the profile.

Active Filtering Profiles

Active filtering profiles include the global group profile, NT/LDAP authentication profile, override account profile, time profile, and lock profile.

Global Filtering Profile

The global filtering profile is created by the global administrator and is used as the default filtering profile.

Override Account Profile

If a user needs access to a specified URL that is set up to be blocked, the global administrator or group administrator can create an override account for that user. This account grants the user access to areas set up to be blocked on the Internet.

Time Profile

A time profile is a customized filtering profile set up to be effective during a specified time period for designated users.

Filtering Profile Components

Filtering profiles are comprised of the following components:

• library categories - used when creating a rule, minimum filtering level, or filtering profile for the global group or any entity
• service ports - used when setting up filter segments on the network, creating the global group (default) filtering profile, or establishing the minimum filtering level
• rules - specify which library categories should be blocked, left open, or

Library Categories

A library category contains a list of Web site addresses, and keywords for search engines and URLs, that have been set up to be blocked or white listed. Library categories are used when creating a rule, the minimum filtering level, or a filtering profile.

8e6 Supplied Categories

8e6 furnishes a collection of library categories, grouped under the heading “8e6 Supplied Categories.”

Service Ports

Service ports are used when setting up filter segments on the network (the range of IP addresses/netmasks to be detected by the R3000), the global (default) filtering profile, and the minimum filtering level. When setting up the range of IP addresses/netmasks to be detected, service ports can be set up to be open (ignored).

NOTE: If the minimum filtering level is not set up, global (default) filtering settings apply instead.

Filtering Rules

Individual User Profiles - A user in an NT or LDAP domain can have only one individual profile set up per domain.

Filtering Levels Applied:

1. The global (default) filtering profile applies to any user under the following circumstances:
• the user does not belong to a master IP group
• the user has not been assigned a domain default profile from an NT or LDAP authentication domain
2.
6. For NT/LDAP users, if a user is authenticated, settings for the user’s group or individual profile from the NT/LDAP domain are applied and take precedence over any IP profile.
a. If the user belongs to more than one group in an authentication domain, the profile for the user is determined by the order in which the groups are listed in the Group Priority list set by the global administrator.
Authentication Operations

R3000 Authentication Protocols

The R3000 supports two authentication protocols: Windows NT LAN Manager (NTLM) and Lightweight Directory Access Protocol (LDAP).

• The NTLM option supports NTLM authentication against any of the following servers: Windows NT 4.0, Windows 2000 Mixed Mode, and Windows 2003 Mixed Mode.

tory server, the Novell eDirectory Agent can be used instead to authenticate end users.

NOTE: See 8e6 Authenticator and Novell eDirectory Agent for information on setting up these types of authentication on the network.
Tier 1: Single Sign-On Authentication

Net use based authentication process

The following diagram and steps describe the operations of the net use based user authentication process:

Fig. 1-5 Net use based authentication module diagram

1. The user logs on to the network from a Windows workstation (also known as the “client” or “machine”).
2. The authentication server on the network sends the user’s workstation a login script containing a net use command.
3.
4. Upon creating the IPC share, the software in the R3000 queries the network authentication server with the user's login name and password sent by the workstation.
5. Once the user is successfully authenticated, the R3000 matches the user’s login name or group name with a stored list of profile settings in the R3000. As a result of this process, the user is assigned the appropriate level of filtering.
6.

Authentication methods

Tier 1 supports two server authentication methods: Server Message Block (SMB) and LDAP.

SMB protocol

SMB is a client/server protocol: the client sends a request to the server and receives an authentication response from the server before it can access resources on the network. SMB was the default protocol for NT 4.0 and earlier operating systems and is also supported by Windows 2000 and later.

NOTE: For information on SMB Signing compatibility with the R3000, refer to the chart in Appendix D: Disable SMB Signing Requirements.

LDAP protocol

LDAP is a directory access protocol. The directory it exposes stores entries, each identified by a Distinguished Name (DN), in a hierarchical tree structure. The LDAP directory service follows a client/server model that gives the client access to resources on the network.

Name resolution methods

Name resolution occurs when the R3000 attempts to resolve the machine name of the authentication server to that server's IP address. This continuous and regulated automated procedure ensures the connection between the two servers is maintained.
Authentication setup procedures

Server setup types

R3000 authentication is designed to support the following server types for the specified tier(s):

Tier 1: Net use based authentication

NOTE: Login scripts must be used for net use based authentication.

Using SMB/NetBIOS:
• Windows NT 4.0, SP4 or later
• Windows 2000 or 2003 Server in mixed/legacy mode

NOTE: SMB Signing must not be required. Relaxing the signing requirement on a domain controller removes SMB's message integrity protection for every client of that controller, not only the R3000, so scope the change as narrowly as the environment allows.

Configuring the authentication server

When configuring authentication, you must first go to the authentication server and make all necessary entries before configuring the R3000.

Login scripts

Login (or logon) scripts are used by the R3000 server for reauthenticating users on the network. The following syntax must be entered in the appropriate directory on the authentication server console:

Enter net use syntax in the login script

The virtual IP address is used by the R3000 to communicate with all users who log on to that server. This address must be in the same subnet as the one used by the transmitting interface of the R3000.

View login script on the server console

The login script can be viewed on the authentication server console. The script resides in a different location on the server, depending on the version of the server:

• Windows 2000 or Windows 2003 Server
  \\servername.suffix\sysvol\domainname.suffix\policies\{guid}\user\scripts\logon
  c:\winnt\sysvol\sysvol\domainname.suffix\scripts
  c:\winnt\sysvol\domainname\scripts
• Windows NT 4.

Block page authentication login scripts

In addition to the login scripts on the authentication server, a login script path must be entered in the Block Page window of the R3000 Administrator console. This script is used for reauthenticating users on the network. The following syntax must be used:

\\SERVERNAME\netlogon or \\IPaddress\netlogon

NOTE: See Block Page Authentication for more information about these entries.

LDAP server setup rules

WARNING: The instructions in this user guide have been documented based on standard default settings in LDAP for Microsoft Active Directory Services. The use of other server types, or any changes made to these default settings, must be considered when configuring the R3000 server for authentication.
Tier 2: Time-based, Web Authentication

The following diagram and steps describe the operations of the time-based authentication process:

Fig. 1-6 Web-based authentication module diagram

1. The user makes a Web request by entering a URL in his/her browser window.
2. The R3000 intercepts this request and sends the user the Authentication Request Form, requesting the user to log in with his/her login ID and password.
3.

Tier 2 implementation in an environment

In an environment where Tier 2 time-based profiles have been implemented, end users receive filtering profiles after correctly entering their credentials into a Web-based Authentication Request Form. A profile remains active for a configurable amount of time even if the user logs out of the workstation, changes IP addresses, etc. Because the profile is tied to the time window rather than to the user's session, a profile left behind on a shared workstation can be inherited by the next person who uses it; the logoff script exists to remove it.

Tier 2 Script

If using Tier 2 only, this script should be inserted into the network’s login script. If the network also uses a logoff script, 8e6’s script should be inserted there as well. The inclusion of this script ensures that the previous end user’s profile is completely removed, in the event the end user did not log out successfully.

    echo off
    :start
    cls
    REM Drop any stale connection to the LOGOFF$ share before reconnecting
    net use \\10.10.10.10\LOGOFF$ /delete
    :try1
    NET USE \\10.10.10.

Tier 1 and Tier 2 Script

In an environment in which both Tier 1 and Tier 2 are used, this version of 8e6’s script should be inserted into the network’s login script. 8e6’s script attempts to remove the previous end user’s profile, and then lets the new user log in with his/her assigned profile.

    echo off
    :startremove
    cls
    REM Remove the previous user's profile through the LOGOFF$ share
    NET USE \\10.10.10.10\LOGOFF$ /delete
    :tryremove1
    NET USE \\10.10.10.
    REM Log the new user in by connecting to the R3000$ share; retry on failure
    :try1
    NET USE \\10.10.10.10\R3000$
    if errorlevel 1 goto :try2
    REM errorlevel 0 is always true once a non-zero level has branched away
    if errorlevel 0 echo code 0: Success
    goto :end
    :try2
    NET USE \\10.10.10.10\R3000$
    if errorlevel 1 goto :try3
    if errorlevel 0 echo code 0: Success
    goto :end
    :try3
    NET USE \\10.10.10.

Tier 3: Session-based, Web Authentication

The diagram on the previous page (Fig. 1-6) and steps below describe the operations of the session-based authentication process:

1. The user makes a Web request by entering a URL in his/her browser window.
2. The R3000 intercepts this request and sends the user the Authentication Request Form, requesting the user to log in with his/her login ID and password.
3.
8e6 Authenticator

The 8e6 Authenticator ensures the end user is authenticated on his/her workstation via an executable file that launches during the login process. To use this option, the 8e6 Authenticator client (authenticat.exe) should be placed in a network share accessible by the domain controller or a Novell eDirectory server such as NetWare eDirectory server 6.5.

NOTE: The 8e6 Authenticator client (authenticat.

Recommended system requirements

The following server components are recommended for optimal performance when using NetWare eDirectory server 6.5:
• Server-class PC with two-way Pentium III, IV, or Xeon 700 MHz or higher processors
• 1 GB of RAM
• VESA compliant 1.

Work flow in a Windows environment

1. The administrator stores the 8e6 Authenticator client (authenticat.exe) in a network-shared location that a login script can access.
2. Using a Windows machine, an end user logs on to the domain, or logs on to the eDirectory tree via a Novell client.
3. The end user’s login script invokes authenticat.exe.
4.

8e6 Authenticator configuration priority

The sources from which parameters are received, and the order in which they override one another, are described below.

NOTE: A parameter set by a source later in this list overrides the same parameter set by any earlier source.

1. Compiled Defaults: Given no parameters at all, the client will try to execute using the default compilation.
2.

8e6 Authenticator configuration syntax

All configuration parameters, regardless of their source, use the following format/syntax:

    wAA[B]w{C}w     Parameter ‘AA’ with data ‘B’; comment ‘C’ is ignored.
    w;DD[E]w{C}w    The semicolon causes ‘DD[E]’ to be ignored; ‘C’ is also ignored.

You only need to change the options you do not wish to remain at their defaults. The IP address of the R3000 (RA) and the log file (LF) are the options most often changed. Note that full network paths are allowed.

Table of parameters

The following table contains the different parameters, their meanings, and possible values.

+ If UT[0] is set, the Novell environment is ignored, if present, and only the Windows environment information is retrieved and sent to the R3000. If UT[1] is set and the Novell environment is invalid or the user is not authenticated with its Novell server, then the results sent to the R3000 are invalid (probably empty values). The default UT[255] auto detects Novell vs.

RP[] affects port-less addresses specified in the RV[] command as well.

• For RA[], each IP address is separated by a semi-colon ‘;’, and the first IP address is tried for each new connection attempt. When the main IP address fails to respond, the next IP address in the list is tried, and so on. After the last IP address is tried, the logic continues from the first IP address again.
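The parser below is an added example and is not 8e6's client code. It implements the token syntax described above (a two-letter parameter name, bracketed data, {C} comments, and a leading semicolon that disables a token), the "later source overrides earlier source" priority rule, the RP[] default-port rule for port-less RA[] entries, and the RA[] failover order. It assumes that the “w” in the syntax lines stands for whitespace, that parameter names are case-insensitive, and that a connection attempt gives up after a bounded number of passes through the address list; the sample configuration string, the port number, the paths and the helper names are constructed for illustration.

```python
"""Parse 8e6 Authenticator-style parameter strings and resolve the R3000
address list.  Added illustration, not 8e6's own client; assumptions are
marked in the comments."""
import re
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# One token: optional ';' (disables the token), a two-letter parameter name,
# and bracketed data.  Data may contain spaces (full network paths are
# allowed), so the text is scanned for tokens rather than split on whitespace.
_TOKEN = re.compile(r"(;?)([A-Za-z]{2})\[([^\]]*)\]")
# {C} comments are dropped before tokens are scanned.
_COMMENT = re.compile(r"\{[^}]*\}")

# Compiled defaults.  Only UT[255] (auto-detect Novell vs. Windows) is
# documented; other built-in defaults are unknown and therefore not listed.
COMPILED_DEFAULTS: Dict[str, str] = {"UT": "255"}
VALID_USER_TYPES = {"0", "1", "255"}  # Windows only / Novell only / auto-detect


def _tokens(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (NAME, data) for every enabled token in *text*."""
    for disabled, name, data in _TOKEN.findall(_COMMENT.sub("", text)):
        if disabled:  # ';DD[E]' is ignored
            continue
        yield name.upper(), data  # assumption: names are case-insensitive


def merge_sources(*sources: str) -> Dict[str, str]:
    """Apply configuration sources in priority order, lowest first.

    Every source is layered over the compiled defaults; a parameter set by a
    later source overrides the same parameter from an earlier source, which is
    the configuration-priority rule from the text.
    """
    params = dict(COMPILED_DEFAULTS)
    for source in sources:
        params.update(_tokens(source))
    if params["UT"] not in VALID_USER_TYPES:
        raise ValueError(f"UT[{params['UT']}] is not one of 0, 1 or 255")
    return params


def r3000_addresses(params: Dict[str, str]) -> List[str]:
    """Expand RA[] into host:port strings.

    RA[] holds semicolon-separated addresses.  An entry without a port gets
    the RP[] value; an entry with an explicit port keeps it.  Entries come
    back in list order, which is also the failover order.
    """
    default_port = params.get("RP")
    addresses = []
    for entry in params.get("RA", "").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if ":" not in entry and default_port:
            entry = f"{entry}:{default_port}"
        addresses.append(entry)
    return addresses


def connect_with_failover(addresses: List[str],
                          try_connect: Callable[[str], bool],
                          max_passes: int = 2) -> Optional[str]:
    """Return the first address that answers, or None.

    Every new connection attempt starts at the first address.  When one fails
    the next is tried, and after the last the list wraps to the first again.
    The text describes the wrap-around as continuous; max_passes bounds it
    here (assumption) so a dead list cannot spin forever.
    """
    for _ in range(max_passes):
        for address in addresses:
            if try_connect(address):
                return address
    return None


# Constructed sample: one parameter string as it might reach the client.
# Addresses, port, paths and comments are illustrative only.
SAMPLE_CONFIG = (
    "RA[10.10.10.10;10.10.10.11] {primary R3000, then backup} "
    "RP[139] {assumed port value, not from the manual} "
    ";LF[c:\\old\\auth.log] {disabled by the leading semicolon} "
    "LF[\\\\fileserver\\logs\\8e6 auth.log] UT[0]"
)


def demo() -> Dict[str, object]:
    """Parse the sample, expand RA[], and walk the failover order."""
    params = merge_sources(SAMPLE_CONFIG)
    addresses = r3000_addresses(params)
    tried: List[str] = []

    def fake_connect(address: str) -> bool:
        tried.append(address)                      # record the order used
        return address.startswith("10.10.10.11")   # only the backup answers

    chosen = connect_with_failover(addresses, fake_connect)
    return {"params": params, "addresses": addresses,
            "tried": tried, "chosen": chosen}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the disabled ;LF[] token being skipped in favour of the later LF[] entry, the RP[] port being appended to both port-less RA[] addresses, and the failover walking the list from the primary to the backup.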
Novell eDirectory Agent

Novell eDirectory Agent provides Single Sign-On (SSO) authentication for an R3000 set up in a Novell eDirectory environment. Using Novell eDirectory Agent, the R3000 is notified by the eDirectory server when an end user logs on or off the network, and adds or removes his/her network IP address, thus setting the end user’s filtering profile accordingly.

Client workstations

To use this option, all end users must log in to the network. The following OS have been tested:
• Windows 2000 Professional
• Windows XP
• Macintosh

Novell clients

The following Novell clients have been tested:
• Windows: Version 4.91 SP2
• Macintosh: Prosoft NetWare client Version 2.0

Novell eDirectory setup

The eDirectory Agent uses the LDAP eDirectory domain configuration set up in the R3000 Administrator console.

R3000 setup and event logs

When using a Novell eDirectory server and choosing to use the Novell eDirectory Agent option in the R3000:

• Enable Novell eDirectory Agent in the Enable/Disable Authentication window.

NOTES: If using an SSO authentication solution, Tier 2 or Tier 3 should be selected as a fallback authentication operation. When choosing the Novell eDirectory Agent option, the 8e6 Authenticator option must be disabled.

Authentication Solution Compatibility

The chart below shows which authentication solutions can be combined for a single user:

                       Tier 1    Tier 2      Tier 3      8e6            eDirectory
                       net use   time based  session     Authenticator  Agent
                                             based
  Tier 1               --        Yes         Yes         N/R            N/A
  Tier 2               Yes       --          N/A         Yes            Yes
  Tier 3               Yes       N/A         --          Yes            Yes
  8e6 Authenticator    N/R       Yes         Yes         --             N/R
  eDirectory Agent     N/A       Yes         Yes         N/R            --

KEY:
• N/A = Not Applicable
• N/R = Not Recommended
Configuring the R3000 for Authentication

Configuration procedures

When configuring the R3000 server for authentication, settings must be made in the System and Group windows of the Administrator console.

NOTES: If the network has more than one domain, the first one you add should be the domain on which the R3000 resides. The entries described in this section represent entries to be made on a typical network.

The entries made in this window vary depending on whether you are using the invisible mode, or the router or firewall mode. The LAN 1 and LAN 2 IP addresses should usually be in different subnets.
• If using the invisible mode: For the LAN1 IP (eth0) address, select 255.255.255.255 for the subnet mask.
• If using the router or firewall mode: Specify the appropriate IP address and subnet mask in the applicable fields.
3.

In the Settings frame, enter general configuration settings for the R3000 server such as IP address entries. In the NIC Device to Use for Authentication field:
• If using the invisible mode: Enter eth1 (Ethernet 1) as the device to send traffic on the network.
• If using the router or firewall mode: Enter eth0 (Ethernet 0).

Group section

In the Group section of the Administrator console, choose NT or LDAP, and then do the following:
1. Add a domain from the network to the list of domains that will have users authenticated by the R3000.
NOTE: If the network has more than one domain, the first one you add should be the domain on which the R3000 resides.
2. Create filtering profiles for each group within that domain.
3.
CHAPTER 2: NETWORK SETUP

Environment Requirements

Workstation Requirements

Administrator

Minimum system requirements for the administrator include the following:
• Windows 98 or later operating system (not compatible with Windows Server 2003)
• Internet Explorer (IE) 5.

Network Requirements
• High speed connection from the R3000 server to the client workstations
• FTP or HTTPS connection to 8e6’s patch server
• Internet connectivity for downloading the Java Virtual Machine, and the Java Runtime Environment if necessary, if not already installed

Set up the Network for Authentication

The first settings for authentication must be made in the System section of the console in the following windows: Operation Mode, LAN Settings, Enable/Disable Authentication, Authentication Settings, Authentication SSL Certificate (if Web-based authentication will be used), View Log File (for troubleshooting authentication setup), and Block Page Authentication.

The entries made in this window vary depending on whether you will be using the invisible mode, or the router or firewall mode.
1. In the Mode frame, select the mode to be used: “Invisible”, “Router”, or “Firewall”.
2. In the Listening Device frame, set the Device to “eth0”.
3. In the Block Page Device frame:
• If using the invisible mode, select “eth1”.
• If using the router or firewall mode, select “eth0”.

Specify the subnet mask, IP address(es)

Click Network and select LAN Settings from the pop-up menu to display the LAN Settings window:

Fig. 2-2 LAN Settings window

The entries made in this window vary depending on whether you are using the invisible mode, or the router or firewall mode.

NOTE: If the gateway IP address on the network changes, be sure to update the Gateway IP address in this window.

Invisible mode

For the LAN1 IP (eth0) address, select 255.255.255.255 for the subnet mask, and click Apply.

Router or firewall mode

1. Enter the following information:
• In the LAN1 IP (eth0) field of the IP/Mask Setting frame, enter the IP address and specify the corresponding subnet of the “eth0” network interface card to be used on the network.
Enable authentication, specify criteria

1. Click Authentication and select Enable/Disable Authentication from the pop-up menu to display the Enable/Disable Authentication window:
2. Click Enable to enable authentication.
3. Select one of three tiers in the Web-based Authentication frame:
4. In the 8e6 Authenticator frame, be sure the 8e6 Authenticator is “On”, unless the Novell eDirectory Agent option will be used instead. When the 8e6 Authenticator option is enabled and the 8e6 Authenticator (authenticat.exe) has been downloaded and installed on a network share accessible by the domain controller or a Novell eDirectory server, the 8e6 Authenticator automatically authenticates the end user when he/she logs into his/her workstation.

Net use based authentication

Tier 1: Web-based Authentication disabled (Net Use enabled) – Choose this option if you will be using net use based authentication for NT or Active Directory.
1. Click “Tier 1”.
2. In the Sending Keep Alive frame, click the radio button corresponding to the option to be used:
• “On” - This option specifies that keep alives should be sent on a connection to verify whether it is still active.

Web-based authentication

Choose either Tier 2 or Tier 3 if Web-based authentication will be used.

NOTE: If selecting either Tier 2 or Tier 3, be aware that in an organization with more than 5000 users, slowness may be experienced during the authentication process. In this scenario, 8e6 recommends using an R3000 Filter with an SSL accelerator card installed. Please contact 8e6 for more information.

Tier 3: Use persistent logins via a Java Applet – Choose this option if using NT and/or LDAP authentication, and you want the user to maintain a persistent network connection. This option, the preferred method for NT authentication, opens a profile window that uses a Java applet:

Fig. 2-4 Java applet

The profile window must be kept open during the user’s session in order for the user to have continued access to the Internet.

Fig. 2-5 Tier 3 dialog box

3. To ensure that end users are using the most current version of the JRE, choose the method for distributing the current version to their workstations: “8e6 automatically distributes JRE during user login” or the default selection, “Administrator manually distributes JRE to user workstations”.
4. Click Continue to open the alert box that confirms your selection.

Enter network settings for authentication

1. Click Authentication and select Authentication Settings from the pop-up menu to display the Authentication Settings window:

Fig. 2-6 Authentication Settings window

In the Settings frame, the R3000 NetBIOS Name field displays the NetBIOS name of the R3000. This value comes from the entry made in the Host Name field of the LAN Settings window.
2.
3. In the Virtual IP Address to Use for Authentication field, 1.2.3.5 displays by default. If using Tier 1 or Tier 3, enter the IP address that from now on will be used for communicating authentication information between the R3000 and the PDC (primary domain controller). This must be an IP address that is not otherwise in use, on the same segment of the network as the R3000.
Create an SSL certificate

Authentication SSL Certificate should be used if Web-based authentication will be deployed on the R3000 server. Using this feature, a Secure Sockets Layer (SSL) self-signed certificate is created and placed on client machines so that the R3000 will be recognized as a valid server with which they can communicate.

Create, Download a Self-Signed Certificate

1. On the Self Signed Certificate tab, click Create Self Signed Certificate to generate the SSL certificate.
2. Click the Download/View/Delete Certificate tab:

Fig. 2-8 Download/View/Delete Certificate tab

3.

Once the certificate is saved to your workstation, it can be distributed to client workstations for users who need to be authenticated.

TIP: Click Delete Certificate to remove the certificate from the server.

Create, Upload a Third Party Certificate

Create a Third Party Certificate

1. Click the Third Party Certificate tab:

Fig.

2. Click Create CSR to open the Create CSR pop-up window:

Fig. 2-10 Create CSR pop-up window

The Common Name (Host Name) field should automatically be populated with the host name. This field can be edited, if necessary.

3. Enter your Email Address.
4. Enter the name of your Organization, such as 8e6 Technologies.
5. Enter an Organizational Unit code set up on your server, such as Corp.
6.

Upload a Third Party Certificate

1. Click Upload Certificate to open the Upload Signed SSL Certificate for R3000 pop-up window:

Fig. 2-11 Upload Signed SSL Certificate box

The Message dialog box also opens with the message: "Click OK when upload completes."

TIP: Click Cancel in the dialog box to cancel the procedure.

2. In the Upload Signed SSL Certificate for R3000 pop-up window, click Browse to open the Choose file window.
3.

Download a Third Party Certificate

1. In the Authentication SSL Certificate window, click Download/View CSR to open a pop-up window containing the contents of the certificate request:

Fig. 2-12 Download CSR pop-up window

2. Click the “X” in the upper right corner of the window to close it.

TIP: Click Delete CSR to remove the certificate request from the server.
View log results

Use the View Log File window if you need to troubleshoot any problems with the authentication setup process.

1. Click Diagnostics and select View Log File from the pop-up menu to display the View Log File window:

Fig. 2-13 View Log File window

NOTE: In this user guide, only authentication options will be addressed. For information about all other options, see the View Log File window in the R3000 User Guide.

2.
• “Wbwatch Log (wbwatch.log)” - used for viewing messages on attempts to join the domain via the Authentication Settings window.
• “Authentication Log (AuthenticationServer.log)” - used for viewing information about the authentication process for users, including SEVERE and WARNING error messages.
• “Admin GUI Server Log (AdminGUIServer.log)” - used for viewing information on entries made by the administrator in the console.

4. Click View to display results in the Result pop-up window:

Fig. 2-14 View Log File Result pop-up window

5. Click the “X” in the upper right corner of the pop-up window to close it.
Specify block page settings

Click Control and select Block Page Authentication from the pop-up menu to display the Block Page Authentication window:

Fig.

Block Page Authentication

1. In the Re-authentication Options field of the Details frame, all block page options are selected by default, except for Web-based Authentication. Choose from the following options by clicking your selection:
• Web-based Authentication - select this option if using Web authentication with time-based profiles or persistent login connections for NT or LDAP authentication methods.

Block page

When a user attempts to access Internet content set up to be blocked, the block page displays on the user’s screen:

Fig. 2-16 Block page

NOTES: See Block Page Customization for information on adding free form text and a hyperlink at the top of the block page. See Appendix D: Create a Custom Block Page in the R3000 User Guide for information on creating a customized block page using your own design.

User/Machine frame

By default, the following data displays in the User/Machine frame:
• User/Machine field - The username displays for the NT/LDAP user. This field is blank for the IP group user.
• IP field - The user’s IP address displays.
• Category field - The name of the library category that blocked the user’s access to the URL displays.

Optional Links

By default, these links are included in the block page under the following conditions:
• For further options, click here. - This phrase and link are included if any option was selected at the Re-authentication Options field in the Block Page Authentication window. Clicking this link takes the user to the Options window, described in the Options page sub-section that follows.
• To submit this blocked site for review, click here.

Options page

The Options page displays when the user clicks the following link in the block page: For further options, click here.

Fig.

Option 1

Option 1 is included in the Options page if “Web-based Authentication” was selected at the Re-authentication Options field in the Block Page Authentication window. The following phrase/link displays: Click here for secure Web-based authentication. When the user clicks the link, the Authentication Request Form opens:

Fig.

Option 2

The following phrase/link displays, based on options selected at the Re-authentication Options field in the Block Page Authentication window:
• Re-start your system and re-login - This phrase displays for Option 1, whether or not either of the Re-authentication Options (Re-authentication, or Web-based Authentication) was selected in the Block Page Authentication window.

Option 3

Option 3 is included in the Options page if “Override Account” was selected at the Re-authentication Options field in the Block Page Authentication window. This option is used by any user who has an override account set up for him/her by the global group administrator or the group administrator. An override account allows the user to access Internet content blocked at the global or IP sub-group level.
Common Customization

Common Customization lets you specify elements to be included in block pages and/or the authentication request form end users will see. Click Customization and then select Common Customization from the pop-up menu to display the Common Customization window:

Fig.

Enable, Disable Features

1.
• Help Link URL - By default, http://www.8e6.com/techsupport/deniedresponse.html displays as the help link URL. Enter the URL to be used when the end user clicks the help link text (specified in the Help Link Text field).
• Submission Review Display - if enabled, displays in block pages the email address of the administrator who receives requests for a review of sites the end users feel are incorrectly blocked.

Authentication Form Customization

To customize the Authentication Request Form, click Customization and select Authentication Form from the pop-up menu:

Fig. 2-21 Authentication Form Customization window

NOTE: This window is activated only if Authentication is enabled via System > Authentication > Enable/Disable Authentication, and Web-based Authentication is specified.

1. Make an entry in any of the following fields:
• In the Header field, enter a static header to be displayed at the top of the Authentication Request Form.
• In the Description field, enter a static text message to be displayed beneath the Authentication Request Form header.

Preview Sample Authentication Request Form

1. Click Preview to launch a separate browser window containing a sample Authentication Request Form, based on entries saved in this window and in the Common Customization window:

Fig. 2-22 Sample Customized Authentication Request Form

By default, the following data displays in the frame:
• Username field - The username displays.
• Password field - The user’s IP address displays.

By default, the following standard links are included in the Authentication Request Form:
• HELP - Clicking this link takes the user to 8e6’s Technical Support page that explains why access to the site or service may have been denied.
• 8e6 Technologies - Clicking this link takes the user to 8e6’s Web site.

2. Click the “X” in the upper right corner of the window to close the sample Authentication Request Form.

Block Page Customization

To customize the block page, click Customization and select Block Page from the pop-up menu:

Fig. 2-23 Block Page Customization window

NOTE: See Appendix D: Create a Custom Block Page in the R3000 User Guide for information on creating a customized block page using your own design.

1. Make an entry in any of the following fields:
• In the Header field, enter a static header to be displayed at the top of the block page.
• In the Description field, enter a static text message to be displayed beneath the block page header.

Preview Sample Block Page

1. Click Preview to launch a separate browser window containing a sample customized block page, based on entries saved in this window and in the Common Customization window:

Fig. 2-24 Sample Customized Block Page

By default, the following data displays in the User/Machine frame:
• User/Machine field - The username displays for the NT/LDAP user. This field is blank for the IP group user.

By default, the following standard links are included in the block page:
• HELP - Clicking this link takes the user to 8e6’s Technical Support page that explains why access to the site or service may have been denied.
• 8e6 Technologies - Clicking this link takes the user to 8e6’s Web site.

By default, these links are included in the block page under the following conditions:
• For further options, click here.
CHAPTER 3: NT AUTHENTICATION SETUP

NOTE: If you are running a Windows 2000 or Windows 2003 Server and are using the NTLM authentication protocol, then you need to make SMB Signing “not required.” See Appendix D: Disable SMB Signing Requirements for steps on how to disable SMB Signing restrictions.

Join the NT Domain

Click Authentication and select Authentication Settings from the pop-up menu to display the Authentication Settings window:

Fig.

Information should only be entered in the NT Authentication Server Details frame if the R3000 will use the NT Authentication method to authenticate users.

NOTE: The following Windows servers are supported by the current version of authentication: NT 4.0 SP4 or later, Mixed Mode 2000, and 2003. A Windows 2003 server may require changes to the default settings for SMB signing to allow communications.

Create an NT Domain

After joining the domain, go to the Group section of the console and add an NT domain that contains entities to be authenticated.

Add an NT domain

1. Click NT in the control panel to open the pop-up menu, and select Add Domain to open the Create Domain Controller dialog box:

Fig. 3-2 Create Domain Controller

2. In the Domain Name field, enter the name of the domain on which the R3000 resides, using capital letters.

7. Click Apply to add the domain to the tree.

Refresh the NT branch

Click NT in the control panel to open the pop-up menu, and select Refresh whenever changes have been made in this branch of the tree.

View or modify NT domain details

Domain Settings

1. Double-click NT in the control panel to open the NT branch of the Group tree. Select the NT domain you added, and choose Domain Details from the pop-up menu to display the default Settings tab of the NT Domain Details window:

Fig.

2. For the Domain Settings:
• The Domain Name entered in the Create Domain Controller dialog box displays greyed-out and cannot be modified.
• The following fields can be modified: Domain Controller name, IP Address, User Name, Password, and Confirm Password.

Whenever settings on this tab are modified:
a. The password from the Password field must be entered in the Confirm Password field for verification.
b. Click Modify to apply your settings.

Default Rule

1. Click the Default Rule tab to display the Default Rule settings of the NT Domain Details window:

Fig. 3-4 NT Domain Details window, Default Rule tab

2. For the Default Rule:
• “Rule0, the Minimum Filtering Level” displays by default as the Default Rule. If this rule is used, it will be applied to all groups and members in the NT domain without a filtering profile established.
• Filter Options that have been selected display check marks in the corresponding checkboxes for “X Strikes Blocking”, “Google/Yahoo! Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL Keyword Filter Control”, and “Extend URL Keyword Filter Control”.

Whenever settings on this tab are modified, click Modify to apply your settings.

Delete an NT domain

To delete a domain profile, choose Delete from the NT domain menu.
Set up NT Domain Groups, Members

In the control panel, the NT domain branch of the tree menu includes options for setting up groups and/or members in the domain so that filtering profiles can later be created. The following options are used in this setup process: Select Group/Member from Domain, Set Group Priority, Manually Add Member, Manually Add Group, and Upload User/Group Profile.

Select the NT domain, and choose Select Group/Member from Domain from the pop-up menu to display the Select Groups/Members from Domain window (see Figure 3-5).

To add groups that need filtering profiles to the tree list:
1. Choose a group from the Available Groups list box.
2. Use the right arrow button (>) to move the group to the Selected Groups list box.

WARNING: When adding an NT group or member to the tree list, the group/member will be blocked from Internet access if the minimum filtering level has not been defined via the Minimum Filtering Level window. If you have just established the minimum filtering level, filter settings will not be effective until the group member/user logs off and back on the server.

NOTES: Groups automatically populate the Profile Group(s) list box if these groups have one or more identical users and were added to the tree list via the Select Groups/Members from Domain window. An entry for the Group Priority list is added to the end of the list when the group profile for that group is added to the R3000, and is removed automatically when you delete the profile.

2. To change the filtering priority of groups:
a.

Manually add a user’s name to the tree

1. Select the NT domain, and choose Manually Add Member from the pop-up menu to open the Manually Add Member dialog box:

Fig. 3-7 Manually Add Member box

This dialog box is used for adding a username to the tree list, so that a filtering profile can be defined for that user.

2. Enter the username in the text box, up to 16 characters.

TIP: NT usernames should be entered without breaks or spaces.

Manually add a group’s name to the tree

1. Select the NT domain, and choose Manually Add Group from the pop-up menu to open the Manually Add Group dialog box:

Fig. 3-8 Manually Add Group box

This dialog box is used for adding a group name to the tree list, so that a filtering profile can be defined for that group.

2. Enter the group’s name in the text box.
3. Click OK to add the group name to the domain’s section of the tree.

Upload a file of filtering profiles to the tree

1. Select the NT domain, and choose Upload User/Group Profile from the pop-up menu to display the Upload User/Group Profile window:

Fig. 3-9 Upload User/Group Profile window

This window is used for uploading a file to the tree with user or group names and their associated filtering profiles.

2.

Fig. 3-10 Upload Member Profile File window

3. Click Browse to open the Choose file window.
4. Select the file to be uploaded.

WARNING: Any file uploaded to the server will overwrite the existing user/group profile file. Each user/group profile in the file uploaded to the server must be set up in a specified format in order for the profile to be activated on the server.

5. Click Upload File to upload this file to the server. The Upload Successful pop-up window informs you to click Reload in order for these changes to be effective.
6. Click Reload.
7. Go to the NT branch of the tree, and choose Refresh from the NT group menu.
Create and Maintain NT Profiles

Once an NT group or member has been added to the tree, a filtering profile can be created and maintained for that entity. For groups, the following options are available for filtering profile creation and maintenance: Group Member Details, Profile, and Remove. For members, the following options are available for filtering profile creation and maintenance: Profile, and Remove.

This window is used for viewing profile information about a group, and for adding members to a group. In the Group Details frame, the following details display: Group name, Domain name, and Domain Type. Members that belong to the group display in the Members list box in the Add Member to Profile frame.

To add a member to the tree list so that a profile can be created for that member:
1. Select the entity from the Members list box.
2.

Add or maintain an entity’s profile

Select the NT domain, and choose Profile from the pop-up menu to display the default Category tab of the Profile window:

Fig. 3-12 Group Profile window, Category tab

The Profile window is used for viewing/creating the filtering profile of the defined entity (group or member). Entries made in the Category, Redirect URL, and Filter Options tabs comprise the profile string for the entity.

Category Profile

Category Profile is used for creating the categories portion of the filtering profile for the entity.

NOTE: In order to use this tab, filtering rules should already have been set up via the Rules window, accessible from the Global Group options, and the minimum filtering level should already be established. The minimum filtering level is set up in the Minimum Filtering Level window, accessible from the Global Group options.

TIP: Multiple categories can be selected by clicking each category while pressing the Ctrl key on your keyboard. Blocks of categories can be selected by clicking the first category, and then pressing the Shift key on your keyboard while clicking the last category.

2. Click the “Pass” or “Block” radio button to specify whether all Uncategorized Sites should pass or be blocked.
3.

Redirect URL is used for specifying the URL to be used for redirecting users who attempt to access a site or service set up to be blocked.
1. Specify the type of redirect URL to be used: “Default Block Page”, or “Custom URL”. If “Custom URL” is selected, enter the redirect URL in the corresponding text box. Users will be redirected to the designated page at this URL instead of the block page.
2. Click Apply to apply your settings.

Filter Options is used for specifying which filter option(s) will be applied to the entity’s filtering profile.
1. Click the checkbox(es) corresponding to the option(s) to be applied to the filtering profile: “X Strikes Blocking”, “Google/Yahoo! Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL Keyword Filter Control”.
CHAPTER 4: LDAP AUTHENTICATION SETUP

Create an LDAP Domain

In the Group section of the console, add an LDAP domain that contains entities to be authenticated.

Add the LDAP domain

1. Click LDAP in the control panel to open the pop-up menu, and select Add Domain to open the Create LDAP Domain dialog box:

Fig. 4-1 Create LDAP Domain box

2. In the LDAP Server IP field, enter the IP address of the authentication server.
3.

Refresh the LDAP branch

Click LDAP in the control panel to open the pop-up menu, and select Refresh whenever changes have been made in this branch of the tree.

View, modify, enter LDAP domain details

Double-click LDAP in the control panel to open the LDAP branch of the Group tree. Select the LDAP domain you added, and choose Domain Details from the pop-up menu to display the default Type tab of the LDAP Domain Details window:

Fig.

The LDAP domain window is comprised of the following wizard tabs: Type, Group, User, Address, Account, SSL, Alias List, and Default Rule. By going through the entire wizard, domain details are established for the LDAP domain, preparing the LDAP domain for group and user filtering profile setup. After all entries are made on the wizard tabs, the domain can be activated.

• Click Next to go to the Group tab.

WARNING: The contents of the tabs for User and Group do not normally need to be changed. The settings on these tabs are made automatically when you select the server type at the beginning of the setup process. Unless you have made changes to the Schema of your LDAP server and are sure of the consequences of altering these settings, do not alter anything in these tabs.

By default, the Include List will be populated with appropriate group objects, based on the server type.
• Generally, no action needs to be performed on this tab. However, under special circumstances, a group object can be added or excluded by making an entry in the appropriate field, and then clicking the Include or Exclude button.

User Objects

The User tab is used for including or excluding user objects in the LDAP domain.

Fig. 4-4 Domain Details window, User tab

By default, the Include List and Exclude List will be populated with appropriate user objects, based on the server type.
• Generally, no action needs to be performed on this tab.
• A user object name can be edited by selecting the user object from the appropriate list box, editing the name in the field, and then clicking the Edit button.
• A user object can be removed by selecting the user object and then clicking Remove.
• If the user DN cannot be auto-detected during the profile setup process, click “Use Case-Sensitive Comparison” to perform a manual comparison check.

Click Next to go to the Address tab.

NOTE: If the DNS settings are not published in the LDAP directory, the Server DNS Name, DNS Domain Name, and LDAP Query Base fields will not be populated automatically. Functioning forward and reverse DNS name resolution is one of the requirements for LDAP authentication. Please ensure the correct DNS settings are set.

• The Server DNS Name field should contain the DNS name of the server.
• By default, the LDAP Query Base displays the root of the LDAP database to query, in LDAP syntax, e.g. DC=domain,DC=com. The entry in this field is case sensitive and should be edited, if necessary. If this field is not populated, enter the LDAP query base.

Click Next to go to the Account tab.

Account Info

Fig. 4-6 Domain Details window, Account tab

1. If your LDAP database does not require a username to be provided in order to bind to the LDAP database, click the “Use Anonymous Bind” checkbox to grey out the fields in this tab. Otherwise:
• Enter the authorized user's full LDAP Distinguished Name in the LDAP Account Name field.

SSL Settings

SSL settings should be made if your network requires a secure connection from the R3000 to the LDAP server.

Fig. 4-7 Domain Details window, SSL tab

NOTE: See Appendix E: Obtain or Export an SSL Certificate for information on how to obtain a Sun ONE server’s SSL certificate, or how to export an Active Directory or Novell server’s SSL certificate to your desktop and then upload it to the R3000.

1.

Fig. 4-8 Upload SSL Certificate for LDAPS

3. Click Browse to open the Choose file window and select the R3000 server’s SSL certificate.
4. Click Upload File to upload the SSL certificate to the R3000 server.

WARNING: If using a Novell server, be sure the name on the SSL certificate (to be uploaded to the server) matches the Server DNS Name entered in the Address Info tab.

5. Click Next to go to the Alias List tab.

Alias List

The Alias List will be automatically populated if the Account Name was entered in the Account tab. This list includes all alias names for the domain that will be included in the Alias pull-down menu in the Authentication Request Form.

Fig. 4-9 Domain Details window, Alias List tab

However, if there are many alias names to be loaded, the tab initially displays without any data and the Search in Progress box opens:

Fig.

After the search is completed, the Search in Progress box closes, and the list displays the Alias Name and the corresponding LDAP Container Name.

NOTE: If the alias list does not display, double-check the settings on the other tabs and verify that all of your settings are correct.

Default Rule

The Default Rule applies to any authenticated user in the LDAP domain who does not have a filtering profile.

Fig. 4-11 Domain Details window, Default Rule tab

NOTE: If using Novell eDirectory, see Default Rule for Novell eDirectory.

The tab is comprised of the following components that can be modified:
• By default, “Rule0” is the default rule. This rule can be changed by making another selection from the pull-down menu.
If Custom URL is selected, enter the redirect URL in the text box.
• Click the checkbox(es) corresponding to the option(s) to be applied to the filtering profile: “X Strikes Blocking”, “Google/Yahoo! Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL Keyword Filter Control”. If URL Keyword Filter Control is selected, the “Extend URL Keyword Filter Control” option can be selected.

Default Rule for Novell eDirectory

If “Novell eDirectory” was selected for the LDAP Server Type, and the Novell eDirectory Agent option was enabled in the Enable/Disable Authentication window in the System section of the console, the Default Rule tab includes buttons for configuring a backup server to be used in the event the primary server cannot be accessed.

Fig.

Fig. 4-13 Backup Server Configuration, Address Info

NOTE: The Back and Save buttons can be clicked at any time during the wizard setup process. Click Close to close the wizard pop-up window.

2. Enter, edit, or verify the following criteria:
• Server DNS Name - DNS name of the LDAP server, such as server.logo.local
NOTES: If your LDAP server’s name is not a resolvable, fully qualified DNS name, you may be able to enter the domain name.
• NETBIOS Domain Name - an entry in this field is optional
• Server LDAPS Port - by default, 636 displays in this field
• Server LDAP Port - by default, the value that was entered in the LDAP Server Port field of the Create LDAP Domain dialog box displays in the field
• LDAP Query Base - root of the LDAP database to query, in LDAP syntax, e.g. DC=domain,DC=com.
TIP: The entry in this field is case sensitive.
3.

a. Enter the authorized user's full LDAP Distinguished Name in the LDAP Account Name field. For example: cn=Administrator,cn=Users,dc=qc2domain,dc=local
b. Enter the password in the Password and Confirm Password fields.

5. Click Next to go to the SSL tab:

Fig. 4-15 Backup Server Configuration, SSL Settings

SSL settings should be made if your network requires a secure connection from the R3000 to the LDAP server.

c. Click Browse to open the Choose file window and select the R3000 server’s SSL certificate.
d. Click Upload File to upload the SSL certificate to the R3000 server.

WARNING: Be sure the name on the SSL certificate (to be uploaded to the server) matches the Server DNS Name entered in the Address Info tab.

6. After all entries are made using the wizard, click Save.
7. Click Close to close the wizard pop-up window.
CHAPTER 4: LDAP AUTHENTICATION SETUP SET UP LDAP DOMAIN GROUPS, MEMBERS Set up LDAP Domain Groups, Members In the control panel, the LDAP domain branch of the tree menu includes options for setting up groups and/or members in the domain so that filtering profiles can later be created. The following options are used in this setup process: Select Group/Member from Domain, Set Group Priority, Manually Add Member, Manually Add Group, and Upload User/Group Profile.
Select the LDAP domain, and choose Select Group/Member from Domain from the pop-up menu to display the LDAP User/Group Browser window (see Figure 4-12). This window is used for retrieving the names of groups or users from an LDAP domain so that a filtering profile can be assigned. NOTE: See Appendix C: LDAP Server Customizations if using an OpenLDAP server. Perform a basic search 1.
• Search within existing results – To search within the list of records returned by your initial query, change your search criteria, and then click Search In Results. This can speed up searches when the LDAP server is slow to respond. The View button in the Members column is used for querying either the list of groups in which a user is a member, or the list of users who are members of a Group Record.
Delete a rule To delete a rule from a profile, the entity must currently display in the grid and have a rule assigned to the profile. 1. Click the Mark checkbox for the entity. 2. Click Delete Rule to remove the entity’s profile from the tree. Specify a group’s filtering profile priority 1. Select the LDAP domain, and choose Set Group Priority from the pop-up menu to display the Set Group Priority window: Fig.
This window is used for designating which group profile will be assigned to a user when he/she logs in. If a user is a member of multiple groups, the one that is positioned highest in the list is applied. NOTES: Groups automatically populate the Profile Group(s) list box if these groups share one or more users and were added to the tree list via the Select Groups/Members from Domain window.
TIP: LDAP usernames should be entered exactly as they appear in the LDAP Distinguished Name. Examples:
CN=Jane Doe, CN=Users, DC=qc, DC=local
CN=Public\, Joe Q., OU=Users, OU=Sales, DC=qc, DC=local
CN=Doe\, John, CN=Users, DC=qc, DC=local
3. Click OK to add the username to the domain’s section of the tree.
NOTE: See Add or maintain the entity’s profile under Create and Maintain LDAP Profiles for information on defining the filtering profile for the group. Upload a file of filtering profiles to the tree 1. Select the LDAP domain, and choose Upload User/Group Profile from the pop-up menu to open the Upload User/Group Profile window: Fig.
Fig. 4-21 Upload Member Profile File window 3. Click Browse to open the Choose file window. 4. Select the file to be uploaded. WARNING: Any file uploaded to the server will overwrite the existing user/group profile file. Each user/group profile in the file uploaded to the server must be set up in a specified format in order for the profile to be activated on the server.
5. Click Upload File to upload this file to the server. The Upload Successful pop-up window informs you to click Reload in order for these changes to be effective. 6. Click Reload. 7. Go to the LDAP branch of the tree, and choose Refresh from the LDAP group menu.
CHAPTER 4: LDAP AUTHENTICATION SETUP CREATE, MAINTAIN LDAP PROFILES Create, Maintain LDAP Profiles Once an LDAP group or member has been added to the tree, a filtering profile can be created and maintained for that entity. For groups, the following options are available for filtering profile creation and maintenance: Group Member Details, Profile, and Remove. For members, the following options are available for filtering profile creation and maintenance: Profile, and Remove.
This window is used for viewing profile information about a group, and for adding members to a group. In the Group Details frame, the following details display: Group name, Full Name (Distinguished Name) of the group, Domain name, and Domain Type. Members that belong to the group display in the Members list box in the Add Member to Profile frame. To add a member to the tree list so that a profile can be created for that member: 1.
Add or maintain an entity’s profile Select the LDAP domain, and choose Profile from the pop-up menu to display the default Category tab of the Profile window: Fig. 4-23 Group Profile window, Category tab The Profile option is used for viewing/creating the filtering profile of the defined entity (group or member). Entries made in the Category, Redirect URL, and Filter Options tabs comprise the profile string for the entity.
Category Profile Category Profile is used for creating the categories portion of the filtering profile for the entity. NOTE: In order to use this tab, filtering rules should already have been set up via the Rules window, accessible from the Global Group options, and the minimum filtering level should already be established.
TIP: Multiple categories can be selected by clicking each category while pressing the Ctrl key on your keyboard. Blocks of categories can be selected by clicking the first category, and then pressing the Shift key on your keyboard while clicking the last category. 2. Click the “Pass” or “Block” radio button to specify whether all Uncategorized Sites should pass or be blocked. 3.
Redirect URL is used for specifying the URL to be used for redirecting users who attempt to access a site or service set up to be blocked. 1. Specify the type of redirect URL to be used: “Default Block Page”, or “Custom URL”. If “Custom URL” is selected, enter the redirect URL in the corresponding text box. Users will be redirected to the designated page at this URL instead of the block page. 2. Click Apply to apply your settings.
Filter Options is used for specifying which filter option(s) will be applied to the entity’s filtering profile. 1. Click the checkbox(es) corresponding to the option(s) to be applied to the filtering profile: “X Strikes Blocking”, “Google/Yahoo! Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL Keyword Filter Control”, and “Extend URL Keyword Filter Control”.
CHAPTER 5: AUTHENTICATION DEPLOYMENT TEST AUTHENTICATION SETTINGS CHAPTER 5: AUTHENTICATION DEPLOYMENT This final step of the authentication setup process includes testing authentication settings and activating authentication on the network. Test Authentication Settings Before deploying authentication on the network, you should test your settings to be sure the Authentication Request Form login page can be accessed.
NOTE: In order to complete the test process, you should be sure you have your own filtering profile set up. To verify that authentication is working, do either of the following, based on the Tier you selected: • If Tier 2 or Tier 3 Web-based authentication will be used: Go to the Test Web-based authentication settings sub-section for instructions on testing the Authentication Request Form login page from a single workstation.
Test Web-based authentication settings To verify that authentication is working properly, make the following settings in the Group section of the console: Step 1: Create an IP Group, “test” 1. Click the IP branch of the tree. 2. Select Add Group from the pop-up menu to open the Create New Group dialog box: Fig. 5-2 Create New Group box 3. Enter test as the Group Name. 4. Enter the password in the Password and Confirm Password fields. 5.
Step 2: Create a Sub-Group, “workstation” 1. Select the IP Group from the tree. 2. Click Add Sub Group in the pop-up menu to open the Create Sub Group dialog box: Fig. 5-3 Create Sub Group box 3. Enter workstation as the Group Name. 4. Click OK to add the Sub-Group to the IP Group.
Step 3: Set up “test” with a 32-bit net mask 1. Select the IP Group named “test” from the tree. 2. Click Members in the pop-up menu to display the Members window: Fig. 5-4 Group Members window 3. Click the radio button corresponding to “Source IP”. 4. Enter the Source IP address of the workstation, and select 255.255.255.255 as the subnet mask. 5. Click Add to include the IP address in the Current Members list box.
Step 4: Give “workstation” a 32-bit net mask 1. Select the IP Sub-Group “workstation” from the tree. 2. Click Members in the pop-up menu to display the Members window: Fig. 5-5 Sub Group Members window 3. Click the radio button corresponding to “Member”. 4. In the Member fields, enter the IP address of the workstation, and select 255.255.255.255 as the subnet mask. 5. Click Modify.
Step 5: Block everything for the Sub-Group 1. Select the IP Sub-Group “workstation” from the tree. 2. Click Sub Group Profile in the pop-up menu to display the Sub Group Profile window: Fig. 5-6 Sub Group Profile window, Category tab 3.
5. Click Apply. Step 6: Use Authentication Request Page for redirect URL 1. Click the Redirect URL tab to display the Redirect URL page: Fig. 5-7 Sub Group Profile window, Redirect URL tab 2. Select “Authentication Request Form”. NOTE: The host name of the R3000 will be used in the redirect URL of the Authentication Request Form, not the IP address. Be sure a forward/reverse DNS entry for the R3000 is made on the DNS server. 3.
Step 7: Disable filter options 1. Click the Filter Options tab to display the Filter options page: Fig. 5-8 Sub Group Profile window, Filter Options tab 2. Uncheck all the checkboxes: “X Strikes Blocking”, “Google/Yahoo! Safe Search Enforcement”, “Search Engine Keyword Filter Control”, “URL Keyword Filter Control”, and “Extend URL Keyword Filter Control”. 3. Click Apply.
Step 8: Attempt to access Web content NOTE: For this step, you must have your own profile set up in order to complete the test process. 1. Launch Internet Explorer: Fig. 5-9 Internet Explorer browser 2. Enter a URL in the Address field of the browser window. NOTE: The URL should be one that begins with “http”—not “https”. 3.
Fig. 5-10 Authentication Request Form 4. Enter the following information: • Username • Password If the Domain and Alias fields display, select the following information: • Domain you are using • Alias name for that domain (unless “Disabled” displays and the field is greyed-out) 5. Click Log In to authenticate or re-authenticate yourself on the network.
Test net use based authentication settings 1. From the test workstation, go to the NET USE command line and enter the NET USE command using the following format:
NET USE \\virtualip\R3000$
For example:
NET USE \\192.168.0.20\R3000$
The entry you make should initiate a connection with Tier 1.
CHAPTER 5: AUTHENTICATION DEPLOYMENT ACTIVATE AUTHENTICATION ON THE NETWORK Activate Authentication on the Network After successfully testing authentication settings, you are now ready to activate authentication on the network.
Activate Web-based authentication for an IP Group IP Group authentication is the preferred selection for Web-based authentication—over the Global Group Profile authentication option—as it decreases the load on the R3000. Step 1: Create a new IP Group, “webauth” 1. Click the IP branch of the tree. 2. Select Add Group from the pop-up menu to open the Create New Group dialog box: Fig. 5-11 Create New Group box 3.
Step 2: Set “webauth” to cover users in range 1. Select the IP group “webauth” from the tree. 2. Click Members in the pop-up menu to display the Members window: Fig. 5-12 Members window 3. Click the radio button corresponding to “Source IP”. 4. Enter the Source IP address of the workstation and specify the subnet mask covering the IP address range of the users to be authenticated. 5.
Step 3: Create an IP Sub-Group 1. Select the IP Group “webauth” from the tree. 2. Click Add Sub Group in the pop-up menu to open the Create Sub Group dialog box: Fig. 5-13 Create Sub Group box 3. Enter the Group Name of your choice. 4. Click OK to add the Sub-Group to the IP Group. 5. Select the IP Sub-Group from the tree. 6.
Fig. 5-14 Sub Group Members window 7. Click the radio button corresponding to “Member”. 8. In the Member fields, enter the IP address range for members of the Sub-Group, and specify the subnet mask. 9. Click Modify.
Step 4: Block everything for the Sub-Group 1. Select the IP Sub-Group from the tree. 2. Click Sub Group Profile in the pop-up menu to display the Sub Group Profile window: Fig. 5-15 Sub Group Profile window, Category tab 3.
5. Click Apply. Step 5: Use Authentication Request Page for redirect URL 1. Click the Redirect URL tab to display the Redirect URL page: Fig. 5-16 Sub Group Profile window, Redirect URL tab 2. Select “Authentication Request Form”. NOTE: Since the Authentication Request Form radio button selection uses the host name of the server—not the IP address—be sure there is a DNS resolution for the host name. 3. Click Apply.
sent to the Authentication Request Form if he/she attempts to access content on the Internet. After filling out this form and being authenticated, the user will be able to access Internet content based on his/her filtering profile. Step 6: Disable filter options 1. Click the Filter Options tab to display the Filter options page: Fig. 5-17 Sub Group Profile window, Filter Options tab 2.
Step 7: Set Global Group to filter unknown traffic 1. Click Global Group in the tree to open the pop-up menu. 2. Select Global Group Profile to display the Category tab of the Profile window: Fig. 5-18 Global Group Profile window, Category tab a. In the Category Profile page, select categories to block, pass, or white list, and indicate whether uncategorized sites should pass or be blocked. b. Click Apply. 3.
Fig. 5-19 Global Group Profile window, Port tab a. In the Port page, enter the Port number to be blocked. b. Click Add to include the port number in the Block Port(s) list box. c. After entering all port numbers to be blocked, click Apply.
4. Click the Default Redirect URL tab to display the Default Redirect URL page: Fig. 5-20 Global Group Profile window, Default Redirect URL tab a. Select “Default Block Page”. b. Click Apply.
5. Click the Filter Options tab to display the Filter Options page: Fig. 5-21 Global Group Profile window, Filter Options tab a. Select filter options to be enabled. b. Click Apply.
As a result of these entries, the standard block page will display—instead of the Authentication Request Form—when any user in this Sub-Group is blocked from accessing Internet content. Fig.
Activate Web-based authentication for the Global Group This selection of Web-based authentication creates more of a load on the R3000 than the IP Group selection, and should only be used as an alternative to IP Group authentication. Step 1: Exclude critical equipment from filtering This step involves the identification of equipment—such as backup servers—you wish to be excluded from being served the Authentication Request Form page.
Step 1A: Block Web access, logging via Range to Detect NOTE: Segments of network traffic should not be defined if using the firewall mode. Range to Detect Settings 1. Click Global Group in the tree to open the pop-up menu. 2. Select Range to Detect to display the Range to Detect Settings window: Fig. 5-23 Range to Detect Settings window, main window 3.
Fig. 5-24 Range to Detect Settings window, main window 4.
Range to Detect Setup Wizard Fig. 5-25 Range to Detect Setup Wizard, Step 1 1. Enter the IP address and specify the Netmask, or enter the Individual IP address of the source IP address(es) to be filtered. 2.
Fig. 5-26 Range to Detect Setup Wizard, Step 2 3. An entry for this step of the Wizard is optional. If there are destination IP address(es) to be filtered, enter the IP address and specify the Netmask, or enter the Individual IP address. 4.
Fig. 5-27 Range to Detect Setup Wizard, Step 3 5. An entry for this step of the Wizard is optional. If there are source IP address(es) to be ignored, enter the IP address and specify the Netmask, or enter the Individual IP address. 6.
Fig. 5-28 Range to Detect Setup Wizard, Step 4 7. An entry for this step of the Wizard is optional. If there are destination IP address(es) to be ignored, enter the IP address and specify the Netmask, or enter the Individual IP address. 8.
Fig. 5-29 Range to Detect Setup Wizard, Step 5 9. An entry for this step of the Wizard is optional. If there are ports to be excluded from filtering, enter each port number in the Individual Port field, and click Add. 10.
Fig. 5-30 Range to Detect Setup Wizard, Step 6 11. After reviewing the contents of all list boxes, click Finish to accept all your entries. As a result of these entries, the IP address(es) specified to be excluded will not be logged or filtered on the network. Bypass Step 1B and go on to Step 2 to complete this process.
Step 1B: Block Web access via IP Sub-Group profile NOTE: This step assumes that the IP Group and Sub-Group have already been created. 1. Select the IP Sub-Group from the tree. 2. Click Sub Group Profile in the pop-up menu to display the Sub Group Profile window: Fig. 5-31 Sub Group Profile window, Category tab 3.
5. Click the Redirect URL tab to display the Redirect URL page: Fig. 5-32 Sub Group Profile window, Redirect URL tab 6. Select “Default Block Page”, and then click Apply.
7. Click the Filter Options tab to display the Filter Options page: Fig. 5-33 Sub Group Profile window, Filter Options tab 8. Select filter options to be enabled, and click Apply. As a result of these entries, the machine will not be served the Authentication Request Form, and will use the default block page instead. Go on to Step 2 to complete this process.
Step 2: Modify the Global Group Profile 1. Click Global Group in the tree to open the pop-up menu. 2. Select Global Group Profile to display the Category tab of the Profile window: Fig. 5-34 Global Group Profile window, Category tab a. Block all categories and specify that uncategorized sites should be blocked. b. Click Apply.
3. Click the Port tab to display the Port page: Fig. 5-35 Global Group Profile window, Port tab a. Enter the Port number to be blocked, and then click Add to include the port number in the Block Port(s) list box. b. After entering all port numbers to be blocked, click Apply.
4. Click the Default Redirect URL tab to display the Default Redirect URL page: Fig. 5-36 Global Group Profile window, Redirect URL tab a. Select “Authentication Request Form”. NOTE: Since the Authentication Request Form radio button selection uses the host name of the server—not the IP address—be sure there is a DNS resolution for the host name. b. Click Apply.
5. Click the Filter Options tab to display the Filter Options page: Fig. 5-37 Global Group Profile window, Filter Options tab a. Select filter options to be enabled. b. Click Apply. As a result of these entries, a user who does not have a filtering profile will be served the Authentication Request Form so he/she can be authenticated.
Activate NT authentication After testing the NET USE command, the next step is to add the NET USE command to users’ login scripts. We recommend that you add the 3-try login script to the existing domain login script. The 3-try login script is used for attempting to log in the user to the authentication server in three separate attempts, in case of a login failure.
    if errorlevel 0 echo code 0: Success
    goto :end

    :try3
    REM third and final attempt
    echo Running net use...
    net use \\192.168.0.20\r3000$
    if errorlevel 1 goto :error
    if errorlevel 0 echo code 0: Success
    goto :end

    :error
    if errorlevel 1 echo code 1: Failed!

    :end
Once this updated login script has been added to the domain, each time users log in to Windows they will also log in to the R3000. Users will be blocked according to the profiles set up on the domain.
1. Click Global Group in the tree to open the pop-up menu. 2. Select Global Group Profile to display the Category tab of the Profile window. 3. In the Category Profile page, select categories to block, pass, or white list, and indicate whether uncategorized sites should pass or be blocked. 4. Click Apply. 5. Click the Port tab to display the Port page. 6.
CHAPTER 6: TECHNICAL SUPPORT HOURS CHAPTER 6: TECHNICAL SUPPORT For technical support, visit 8e6 Technologies’ Technical Support Web page at http://www.8e6.com/support/index.htm, or contact us by phone, by e-mail, or in writing. Hours Regular office hours are from Monday through Friday, 8 a.m. to 5 p.m. PST. After hours support is available for emergency issues only. Requests for assistance are routed to a senior-level technician through our forwarding service.
CHAPTER 6: TECHNICAL SUPPORT CONTACT INFORMATION Office Locations and Phone Numbers
8e6 Corporate Headquarters (USA)
828 West Taft Avenue
Orange, CA 92865-4232 USA
Local: 714.282.6111
Fax: 714.282.6116
Domestic US: 1.888.786.7999
International: +1.714.282.6111
8e6 Taiwan
RM B2, 13F, No. 49, Sec. 3, Minsheng E. Rd.
Taipei 104 Taiwan, R.O.C.
CHAPTER 6: TECHNICAL SUPPORT SUPPORT PROCEDURES Support Procedures When you contact our technical support department: • You will be greeted by a technical professional who will request the details of the problem and attempt to resolve the issue directly. • If your issue needs to be escalated, you will be given a ticket number for reference, and a senior-level technician will contact you to resolve the issue.
APPENDIX A USER/GROUP FILE FORMAT AND RULES APPENDIX A User/Group File Format and Rules The file with user/group profiles you upload to the server must be set up in a specified format, with one complete user/group profile per line. The format for the file will differ depending on whether the file contains a list of user or group profiles for an NT or LDAP server. Each filtering profile in the file must contain the following items: 1. The username or group name. 2.
Rule Criteria Rule criteria consist of selections made from the following lists of codes that are used in profile strings:
• Port command codes:
A = Filter all ports
B = Filter the defined port number(s)
I = Open all ports
J = Open the defined port number(s)
Q = Block all ports
R = Block the defined port number(s)
• Port Numbers:
21 = FTP (File Transfer Protocol)
80 = HTTP (Hyper Text Transfer Protocol)
119 = NNTP (Network News Transfer Protocol)
443 =
Other
• Category Codes: For the list of category codes (short names) and their corresponding descriptions (long names), go to http://www.8e6.com/r3000help/files/2group_textfile_cat.html#cat NOTE: The list of library category codes and corresponding descriptions is subject to change due to the addition of new categories and modification of current categories. For explanations and examples of category items, go to http://www.8e6.
File Format: Rules and Examples When setting up the file to upload to the server, the following items must be considered:
• Each profile must be entered on a separate line in the file.
• Category Codes must be entered in capital letters.
• Port and category command codes must be entered in capital letters.
• A redirect URL cannot exceed 200 characters in length.
• The string must end with a “0” (zero) if no filter options will be enabled.
NT User List Format and Rules When setting up the “ntuserprofile.conf” file, each entry must consist of the username, and either a rule number or rule criteria (port, category, and filter mode specifications). A redirect URL can be included, if a specific URL should be used in place of the standard block page. If a redirect URL is not included, a blank space should be entered in its place in the profile string.
NT Group List Format and Rules When setting up the “ntgroupprofile.conf” file, each entry must consist of the group name, and either a rule number or rule criteria (port, category, and filter mode specifications). A redirect URL can be included, if a specific URL should be used in place of the standard block page. If a redirect URL is not included, a blank space should be entered in its place in the profile string.
LDAP User List Format and Rules When setting up the “ldapuserprofile.conf” file, each entry must consist of the Distinguished Name (DN), with each part of the DN separated by commas (,). The DN should be followed by a semicolon (;), and then a rule number or rule criteria (port, category, and filter mode specifications). A redirect URL can be included, if a specific URL should be used in place of the standard block page.
• LDAP profile for a user with username “Public\, Joe Q.”, organizational units “Users” and “Sales”, domain “qc”, DNS suffix “.local”: Block all ports, Block Automobile and Entertainment categories, use filter mode 1, use standard block page, Google/Yahoo! Safe Search filter option enabled.
LDAP Group List Format and Rules When setting up the “ldapgroupprofile.conf” file, each entry must consist of the Distinguished Name (DN), with each part of the DN separated by commas (,). The DN should be followed by a semicolon (;), and then a rule number or rule criteria (port, category, and filter mode specifications). A redirect URL can be included, if a specific URL should be used in place of the standard block page.
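The DN handling that the LDAP user and group list formats above (and the Manually Add Member tip in Chapter 4) depend on, as an added example that is not code from the 8e6 guide or the R3000: it splits a profile line at the first unescaped semicolon, splits the DN on unescaped commas so that a value such as “Public\, Joe Q.” survives intact, rebuilds the DN in canonical spelling, and reports every unparseable line of a file before it is uploaded. The layout of the rule portion after the semicolon is not given on this page, so it is returned uninterpreted; treating “\;” as an escaped semicolon inside a DN value is an assumption.

```python
"""Parse the DN portion of R3000 LDAP user/group profile lines.

Added example; not code from the 8e6 guide or the R3000 itself.  Only what
Appendix A states is enforced: one profile per line, a DN whose parts are
separated by commas, and a semicolon after the DN.  The rule portion after
the semicolon is returned uninterpreted because its layout is not given.
"""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "Users")


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split text on sep, ignoring any sep preceded by a backslash.
    Escape sequences are passed through so the caller can decode them."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the "\x" pair together
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Decode "\\x" to "x" (so "Public\\, Joe Q." becomes "Public, Joe Q.")."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\":
            if i + 1 >= len(value):
                raise ValueError(f"trailing backslash in {value!r}")
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _escape(value: str) -> str:
    """Re-escape separators.  Escaping ';' is an assumption: the page only says
    the DN is followed by a semicolon, so one inside a value must not end it."""
    return value.replace("\\", "\\\\").replace(",", "\\,").replace(";", "\\;")


def split_dn(dn: str) -> List[RDN]:
    """Split "CN=Public\\, Joe Q., OU=Users, DC=qc, DC=local" into RDNs.
    Spaces after the separating commas are ignored, as in the guide's examples."""
    rdns: List[RDN] = []
    for raw in _split_unescaped(dn, ","):
        raw = raw.strip()
        if "=" not in raw:
            raise ValueError(f"RDN without '=': {raw!r}")
        attr, value = raw.split("=", 1)
        attr, value = attr.strip(), _unescape(value.strip())
        if not attr or not value:
            raise ValueError(f"empty attribute type or value in {raw!r}")
        rdns.append((attr, value))
    return rdns


def canonical_dn(rdns: List[RDN]) -> str:
    """Rebuild the DN with upper-case attribute types, no spaces after commas,
    and separators inside values escaped again."""
    return ",".join(f"{attr.upper()}={_escape(value)}" for attr, value in rdns)


def parse_profile_line(line: str) -> Tuple[List[RDN], str]:
    """Split one ldapuserprofile.conf / ldapgroupprofile.conf line into the
    parsed DN and the uninterpreted text after the first unescaped ';'."""
    head, *tail = _split_unescaped(line.rstrip("\r\n"), ";")
    if not tail:
        raise ValueError("missing ';' after the Distinguished Name")
    return split_dn(head), ";".join(tail).strip()


def check_profile_file(text: str) -> List[str]:
    """Report every non-blank line that does not parse, so a file can be checked
    before an upload that would overwrite the server's existing profile file."""
    problems: List[str] = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            parse_profile_line(line)
        except ValueError as exc:
            problems.append(f"line {number}: {exc}")
    return problems
```

Run check_profile_file() over the text of a prepared ldapuserprofile.conf or ldapgroupprofile.conf; an empty list means every line has a well-formed DN followed by a semicolon.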
APPENDIX B PORTS FOR AUTHENTICATION SYSTEM ACCESS APPENDIX B Ports for Authentication System Access The following ports should be used for authentication system access:
Type No. Function
TCP 8081 Used between the R3000’s transmitting interface and the SSL block page for Tier 2 or Tier 3 authentication.
TCP 836 Used between the R3000’s Virtual IP address and Java applet for Tier 3 authentication.
TCP 139 Used between the R3000 and workstations requiring Tier 1 or Tier 3 authentication.
APPENDIX C LDAP SERVER CUSTOMIZATIONS APPENDIX C LDAP Server Customizations The R3000 has been tested on common types of standard LDAP servers with default settings. However, due to the number of LDAP servers available, and the limitless ways in which any type of LDAP server can be configured, customizations may need to be made on an LDAP server that is not one of those common types or does not use default settings. NOTE: Please contact technical support for assistance in implementing any of the changes described in this appendix.
APPENDIX D DISABLE SMB SIGNING REQUIREMENTS

APPENDIX D Disable SMB Signing Requirements

SMB Signing is a Windows security feature that is not currently supported by the R3000. If you are running a Windows 2000 or Windows 2003 server and are using NTLM, then you need to make SMB Signing “not required”.
Disable SMB Signing Requirements in Windows 2003

By default, the SMB protocol in Windows 2003 is set to “Not Defined = On”. To disable (turn “Off”) SMB Signing, do the following:

1. From your Windows 2003 workstation, go to Start > All Programs > Administrative Tools > Active Directory Users and Computers:
Fig. D-1 Go to Active Directory Users and Computers
2.
Fig. D-2 Select Properties in the Domain Controllers pop-up menu
3. Select Properties to open the Domain Controllers Properties dialog box:
Fig. D-3 Domain Controllers Properties
4.
Fig. D-4 Group Policy Object Editor window
5. In the left panel, go to the Computer Configuration branch of the tree and select the Windows Settings folder to display the Windows Settings contents in the right panel:
Fig. D-5 Group Policy Object Editor window, Windows Settings
6.
Fig. D-6 Group Policy Object Editor window, Security Settings
7. Select Local Policies to display the contents of this folder in the right panel:
Fig. D-7 Group Policy Object Editor window, Local Policies
8. Select Security Options to display the contents of this folder in the right panel:
Fig.
Scroll down and find “Microsoft network client: Digitally sign communications (always)”.
9. Right-click this item to open the pop-up menu, and select Properties to open the dialog box with the Security Policy Setting tab:
Fig. D-9 Define this policy setting
Click in the “Define this policy setting” checkbox to activate the radio buttons. Choose “Disabled”, and then click OK.
10. Go back to the Group Policy Object Editor window (see Fig.
APPENDIX E OBTAIN OR EXPORT AN SSL CERTIFICATE

APPENDIX E Obtain or Export an SSL Certificate

When using Web-based authentication, the LDAP server’s SSL certificate needs to be exported and saved to the hard drive, then uploaded to the R3000 so that the R3000 will recognize the LDAP server as a trusted source. This appendix provides steps on exporting an SSL certificate from a Microsoft Active Directory or Novell server—the most common types of LDAP servers.
2. Verify that the certificate authority has been installed on this server and is up and running—indicated by a green check mark on the server icon (see circled item in Fig. E-1).

Locate Certificates folder

1. Go to Start > Run to open the Run dialog box. In the Open field, type in mmc.exe to specify that you wish to access the Microsoft Management Console:
Fig. E-2 Run dialog box
2. Click OK to open the Console window:
Fig.
3. From the toolbar, click Console to open the pop-up menu. Select Add/Remove Snap-in to open the Add/Remove Snap-in dialog box:
Fig. E-4 Add/Remove Snap-in
4. Click Add to open the Add Standalone Snap-in dialog box:
Fig. E-5 Add Standalone Snap-in
5.
Fig. E-6 Certificates snap-in dialog box
6. Choose “Computer account”, and click Next to go to the Select Computer wizard page:
Fig. E-7 Select Computer dialog box
7. Choose “Local computer: (the computer this console is running on)”, and click Finish to close the wizard dialog box.
8. Click Close to close the Add Standalone Snap-in dialog box. Click OK to close the Add/Remove Snap-in dialog box.
Notice that the snap-in has now been added to the Console Root folder:
Fig. E-8 Console Root with snap-in

Export the master certificate for the domain

1. Go to the right panel of the Console and select the master certificate for the domain that you just added.
2. Right-click the certificate to open the pop-up menu, and select All Tasks > Export:
Fig.
This action launches the Certificate Export Wizard:
Fig. E-10 Certificate Export Wizard
3. Click Next to go to the Export Private Key page of the wizard:
Fig. E-11 Export Private Key
4.
Fig. E-12 Export File Format
5. Select “Base-64 encoded X.509 (.CER)” and click Next to go to the File to Export page of the wizard:
Fig. E-13 File to Export
6. Enter the File name of the file to be exported, followed by the .cer extension.
Fig. E-14 Settings
7. Notice that the specified settings display in the list box, indicating the certificate has been successfully copied from the console to your disk. Click Finish to close the wizard dialog box.
8. Close the Console. The certificate can now be uploaded to the R3000.
Export a Novell SSL Certificate

1. From the console of the LDAP server, go to the tree in the left panel and open the Security folder to display the contents in the Console View (right panel):
Fig. E-15 Novell Console window
2. Find the tree’s folder and right-click it to open the pop-up menu. Select Properties to open the Properties dialog box:
Fig.
3. Click the Certificates tab to go to the Self Signed Certificate page.
4. Click Export to open the Export A Certificate pop-up window:
Fig. E-17 Export A Certificate pop-up window
5. Select “File in binary DER format” for the Output format. The path of the certificate displays in the Filename field.
6. Click Export to open another pop-up window that asks where you would like to save the certificate—the most convenient place would be your desktop.
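The two procedures in this appendix hand you the same certificate in two encodings: the Windows wizard writes “Base-64 encoded X.509 (.CER)” (PEM text), the Novell console writes “File in binary DER format”. Before uploading the file to the R3000 it is worth confirming which encoding you actually have and that it is the certificate the LDAP server presents. The helper below is an added example for this guide, not 8e6's or Microsoft's or Novell's code: it recognises either encoding, normalises it to DER and prints a SHA-256 fingerprint that can be compared with the server's. The LDAPS port 636 default, the optional file path argument and the sample bytes are assumptions; SAMPLE_DER is a constructed stand-in, not a real certificate.

```python
"""Check an exported LDAP server certificate before uploading it to the R3000.

Recognises a Base-64 (.CER, PEM text) export or a binary DER export,
normalises both to DER, and fingerprints the DER bytes so the file can be
compared with the certificate the server actually presents.
"""
import hashlib
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def detect_format(data: bytes) -> str:
    """Return 'pem' for a Base-64 (.CER) export or 'der' for a binary export."""
    # Tolerate a UTF-8 BOM or leading whitespace in front of the PEM header.
    if data.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(PEM_HEADER):
        return "pem"
    # DER certificates begin with the tag of a constructed SEQUENCE, 0x30.
    # (A text file starting with the digit '0' would also match; PEM is
    # checked first so a real .CER export is never misread.)
    if data[:1] == b"\x30":
        return "der"
    raise ValueError("not a PEM or DER certificate file")


def to_der(data: bytes) -> bytes:
    """Normalise either export format to raw DER bytes."""
    if detect_format(data) == "pem":
        pem_text = data.lstrip(b"\xef\xbb\xbf").decode("ascii").strip()
        return ssl.PEM_cert_to_DER_cert(pem_text)  # handles CRLF line ends
    return data


def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint, colon-separated hex, over the DER encoding."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_of_server(host: str, port: int = 636) -> str:
    """Fingerprint of the certificate the server's LDAPS port presents.
    Network call, not exercised offline; compare with fingerprint(file_bytes).
    Port 636 is an assumption (the conventional LDAPS port)."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint(pem.encode("ascii"))


# Constructed stand-in: a DER SEQUENCE holding one INTEGER, not a certificate.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x03, 0x01, 0x02, 0x03])
# The same bytes as the Windows wizard's Base-64 .CER form would carry them.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    # Usage: python check_cert.py exported.cer   (path is an assumption)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(detect_format(data), fingerprint(data))
```

Because the fingerprint is taken over the DER bytes, a .CER from the Windows wizard and a DER file from the Novell console produce identical output for the same certificate, so the comparison does not depend on which export path was used.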
APPENDIX F OVERRIDE POP-UP BLOCKERS

APPENDIX F Override Pop-up Blockers

An override account user with pop-up blocking software installed on his/her workstation will need to temporarily disable pop-up blocking in order to authenticate him/herself via the Options page:
Fig.
Yahoo! Toolbar Pop-up Blocker

If pop-up blocking is enabled

1. In the Options page (see Fig. F-1), enter your Username and Password.
2. Press and hold the Ctrl key on your keyboard while simultaneously clicking the Override button—this action opens the override account pop-up window.
Fig. F-3 Allow pop-ups from source
3. Select the source from the Sources of Recently Blocked Pop-Ups list box to activate the Allow button.
4. Click Allow to move the selected source to the Always Allow Pop-Ups From These Sources list box.
5. Click Close to save your changes and to close the dialog box.

Google Toolbar Pop-up Blocker

If pop-up blocking is enabled

1. In the Options page (see Fig. F-1), enter your Username and Password.
2. Press and hold the Ctrl key on your keyboard while simultaneously clicking the Override button—this action opens the override account pop-up window.

AdwareSafe Pop-up Blocker

If pop-up blocking is enabled

1. In the Options page (see Fig. F-1), enter your Username and Password.
2. Press and hold the Ctrl key on your keyboard while simultaneously clicking the Override button—this action opens the override account pop-up window.

Mozilla Firefox Pop-up Blocker

Add override account to the white list

1. From the browser, open the Preferences dialog box.
2. Go to the Category list box and select Privacy & Security > Popup Windows to display the Popup Windows page:
Fig. F-6 Mozilla Firefox Popup Windows Preferences
3. With the “Block unrequested popup windows” checkbox checked, click Allowed Sites and enter the URL to allow the override account window to pass.
4.

Windows XP SP2 Pop-up Blocker

Set up pop-up blocking

There are two ways to enable the pop-up blocking feature in the IE browser.

Use the Internet Options dialog box

1. From the IE browser, go to the toolbar and select Tools > Internet Options to open the Internet Options dialog box.
2. Click the Privacy tab:
Fig. F-7 Enable pop-up blocking
3. In the Pop-up Blocker frame, check “Block pop-ups”.
4. Click Apply and then click OK to close the dialog box.
Use the IE toolbar

In the IE browser, go to the toolbar and select Tools > Pop-up Blocker > Turn On Pop-up Blocker:
Fig. F-8 Toolbar setup
When you click Turn On Pop-up Blocker, this menu selection changes to Turn Off Pop-up Blocker and activates the Pop-up Blocker Settings menu item. You can toggle between the On and Off settings to enable or disable pop-up blocking.

Temporarily disable pop-up blocking

1. In the Options page (see Fig.

Add override account to the white list

There are two ways to disable pop-up blocking for the override account and to add the override account to your white list.

Use the IE toolbar

1. With pop-up blocking enabled, go to the toolbar and select Tools > Pop-up Blocker > Pop-up Blocker Settings to open the Pop-up Blocker Settings dialog box:
Fig. F-9 Pop-up Blocker Settings
2.

Use the Information Bar

With pop-up blocking enabled, the Information Bar can be set up and used for viewing information about blocked pop-ups or allowing pop-ups from a specified site.

Set up the Information Bar

1. Go to the toolbar and select Tools > Pop-up Blocker > Pop-up Blocker Settings to open the Pop-up Blocker Settings dialog box (see Fig. F-9).
2. In the Notifications and Filter Level frame, click the checkbox for “Show Information Bar when a pop-up is blocked”.
3. Click the Information Bar for settings options:
Fig. F-11 Information Bar menu options
4. Select Always Allow Pop-ups from This Site—this action opens the Allow pop-ups from this site? dialog box:
Fig. F-12 Allow pop-ups dialog box
5. Click Yes to add the override account to your white list and to close the dialog box.
NOTE: To view your white list, go to the Pop-up Blocker Settings dialog box (see Fig. F-9) and see the entries in the Allowed sites list box.
6.
APPENDIX G GLOSSARY

APPENDIX G Glossary

This glossary includes definitions for terminology used in this user guide.

ADS - Active Directory Services is a Windows 2000 directory service that acts as the central authority for network security, by letting the operating system validate a user's identity and control his or her access to network resources.

attribute - A component of a group base or Distinguished Name (DN) that has a type and value.
directory service - Uses a directory on a server to automate administrative tasks for storing and managing objects on a network (such as users, passwords, and network resources users can access). ADS, DNS, and NDS (Novell Directory Services) are types of directory services.

Distinguished Name (DN) - A string of “cn” and “dc” attribute types comprised of the username and group name, domain name, and DNS suffix. For example: “cn=admin_user, cn=admin, dc=yahoo, dc=com”.

firewall mode - An R3000 set up in the firewall mode will filter all requests. If the request is appropriate, the original packet will pass unchanged. If the request is inappropriate, the original packet will be blocked from being routed through.

global administrator - An authorized administrator of the network who maintains all aspects of the R3000, except for managing master IP groups and their members, and their associated filtering profiles.

minimum filtering level - A set of library categories and service ports defined at the global level to be blocked or opened. If the minimum filtering level is established, it is applied in conjunction with a user’s filtering profile. If a user does not belong to a group, or the user’s group does not have a filtering profile, the default (global) filtering profile is used, and the minimum filtering level does not apply to that user.

organizational unit (ou) - An attribute type that can be entered in the LDAP Distinguished Name for a user group.

override account - An account created by the global group administrator or the group administrator to give an authorized user the ability to access Internet content blocked at the global level or the group level.

PDC - A Primary Domain Controller functions as the authentication server on a Windows NT domain.

search engine - A program that searches Web pages for specified keywords and returns a list of the pages or services where the keywords were found.

service port - Service ports can be set up to be blocked. Examples of these ports include File Transfer Protocol (FTP), Hyper Text Transfer Protocol (HTTP), Network News Transfer Protocol (NNTP), Secured HTTP Transmission (HTTPS), and Other ports such as Secure Shell (SSH).

SMB - One of two authentication method protocols used by the R3000.

Web-based - An authentication method that uses time-based profiles or persistent login connections.

white list - A list of approved library categories for a specified entity’s filtering profile.
INDEX Numerics 3-try login script 203 8e6 Authenticator 23, 42 8e6 supplied category 17 A Account tab 134 Address tab 131 ADS, definition 247 alert box, terminology 3 Alias List tab 137 Alias Name 138 always allowed 19 Anonymous Bind 134, 143 attribute, definition 247 authentication activate NT 203 activate on network 174 activate Web-based for Global Group 187 activated Web-based for IP group 175 configuration procedures 54 methods 27 net use based module diagram 25 net use based process 25 servlet 67 set
function in net use based process 25 login scripts 32 Authentication Settings window 70 join the domain 101 authentication solution single user compatibility chart 53 Authentication SSL Certificate window 72 authmodule.
Create LDAP Domain dialog box 125 custom categories 17 D Default Rule tab 139 dialog box, terminology 4 directory service, definition 248 directory, definition 247 Distinguished Name (DN) definition 248 LDAP protocol 28 DNS, definition 248 domain definition 248 delete profile 145 domain component (dc), definition 248 domain controller, definition 248 Domain Name Service (DNS) 248 E edirAgent.log 79 eDirectory 23, 44, 50 backup server 141 Default Rule tab 141 edirEvent.
profile components 16 profile types 12 rules 20 static profiles 13 user, machine 14 firewall mode 61, 62 definition 249 frame, terminology 4 FTP 59 G gateway IP address 62 global administrator, definition 249 global filtering profile 14 global group 8 grid, terminology 4 group global 8 IP 9 LDAP 11 NT 10 types of 8 group administrator, definition 249 group name, definition 249 group objects 129 Group tab 128 Group/Member Details window LDAP domain 155 NT domain 118 H HTTPS 59 I IANA 28 individual
definition 249 IP group 9 diagram 9 IPC share 25 J Java applet 68 Java Plug-in 58 Java Runtime Environment 58, 68 Java Virtual Machine 58 JavaScript 58 join the domain 102 L LAN Settings window 62 LDAP Active Directory Service usage 35 authentication protocol 23 definition 249 domain diagram 11 domain groups 11 name resolution method 29 profile file format 153 protocol 28 server customizations 219 server setup 35 LDAP domain add 125 add groups, users 146 LDAP domain window 126 LDAP host, definition
log view files 78 login (or logon) script definition 249 examples 32 usage 25 M machine name, definition 249 Manually Add Group dialog box LDAP 151 NT domain 114 Manually Add Member dialog box LDAP 150 NT domain 113 master IP group 9 filtering profile 13 methods authentication 27 name resolution 29 Microsoft Active Directory Mixed Mode 30, 127 Native Mode 30, 127 minimum filtering level 18 definition 250 N name resolution definition 250 methods 29 WINS Server 29 NAT definition 250 net use command 2
name lookup, definition 250 NetBIOS Domain Name 132, 143 NetBIOS name 70 Netscape Directory Server 127 Network Address Translation (NAT), definition 250 network requirements 59 NIC device 71 Novell 23, 28, 30, 44, 48, 127, 136, 226 Novell eDirectory Agent 50 NT domain diagram 10 domain groups 10 profile file format 116 NT domain add 103 Default Rule 107 Domain Settings 105 NTLM authentication protocol 23, 101 O open setting 19 definition 250 OpenLDAP 23, 147 server customizations 219 Operation Mode
P PDC 102 definition 251 pop-up blocking, disable 236 pop-up box/window, terminology 5 primary IP address 63 Primary Domain Controller (PDC) 248 profile string definition 251 elements 210 Profile window 120 LDAP domain 157 protocol definition 251 LDAP 28 SMB 27 proxy server definition 251 pull-down menu, terminology 5 R radio button, terminology 5 re-authentication block page authentication 82 net use based process 26 Redirect URL tab LDAP domain 159 NT domain 122 requirements environment 58 router
S screen, terminology 5 search engine, definition 252 secondary IP address 63 Select Groups/Members from Domain window 110 Server Message Block (SMB), definition 252 service port 18 definition 252 session-based authentication (Tier 3) 23 Set Group Priority window LDAP domain 149 NT domain 111 Single Sign-On Novell eDirectory authentication 50 Tier 1 authentication 25 single sign-on authentication (Tier 1) 23 SMB definition 252 disable Signing requirements in Windows 2003 221 protocol 27 Signing 27 SM
T technical support 206 text box, terminology 6 Tier 1 net use based authentication 25, 55, 66, 174 Tier 1 and Tier 2 Script 39 Tier 2 time-based, Web-based authentication 36 Tier 2 Script 38 Tier 2, Tier 3 Web-based authentication 55, 67, 174 Tier 3 session-based, Web-based authentication 41 tiers definition 252 Web-based authentication 174 time profile definition 252 profile type 15 time-based authentication (Tier 2) 23 time-based profile 67, 82 topic, terminology 6 tree, terminology 7 Type tab 126
W wbwatch.