Smoothwall Secure Web Gateway Secure Web Gateway Administration Guide For future reference Secure Web Gateway serial number: Date installed: Smoothwall contact: Smoothwall® Secure Web Gateway, Administration Guide, March 2015 Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Secure Web Gateway. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Smoothwall. For more information, contact: [email protected] © 2001 – 2015 Smoothwall Ltd. All rights reserved. Trademark notice Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd. Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Window 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation. All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries. Acknowledgements Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S. Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor. Secure Web Gateway contains graphics taken from the Open Icon Library project http://openiconlibrary.sourceforge.net/ Address Smoothwall Limited 1 John Charles Way Leeds. LS12 6QA United Kingdom Email [email protected] Web www.smoothwall.net Telephone USA and Canada: 1 800 959 3760 United Kingdom: 0870 1 999 500 All other countries: +44 870 1 999 500 Fax USA and Canada: 1 888 899 9164 United Kingdom: 0870 1 991 399 All other countries: +44 870 1 991 399 Contents About This Guide...................................................... 1 Audience and Scope.........................................................................1 Organization and Use.......................................................................1 Conventions.......................................................................................2 Related Documentation....................................................................2 Chapter 1 Secure Web Gateway Overview............................... 3 Overview of Secure Web Gateway..................................................3 Annual Renewal.................................................................................4 Accessing Secure Web Gateway ....................................................4 Dashboard ........................................................................................5 Logs and Reports .............................................................................5 Reports ....................................................................................5 Alerts ........................................................................................6 Realtime ...................................................................................6 Logs .........................................................................................7 Settings ....................................................................................7 Networking........................................................................................8 Configuration ..........................................................................8 Filtering ....................................................................................8 Routing ....................................................................................9 Settings ....................................................................................9 Services..............................................................................................9 Authentication .........................................................................9 User Portal .............................................................................10 Proxies ...................................................................................10 SNMP .....................................................................................11 Message Censor ...................................................................11 System............................................................................................11 Maintenance ..........................................................................11 Central Management ............................................................12 Preferences ...........................................................................12 Administration........................................................................13 iii Secure Web Gateway Administration Guide Contents Hardware ...............................................................................13 Diagnostics ............................................................................13 Certificates ............................................................................14 Guardian ..........................................................................................14 Quick Links ............................................................................14 Web Filter Policies ................................................................14 HTTPS Inspection Policies ...................................................15 Content Modification Policies .............................................15 Anti-malware Policies ..........................................................15 Block Page Policies...............................................................16 Policy Objects .......................................................................16 Swurl ...............................................................................................16 Web Proxy .......................................................................................17 Web Proxy .............................................................................17 Upstream Proxy ....................................................................17 Authentication .......................................................................17 MobileProxy ...........................................................................18 Global Proxy ..........................................................................18 Configuration Guidelines................................................................18 Specifying Networks, Hosts and Ports................................18 Using Comments...................................................................19 Connecting via SSH .......................................................................20 Connecting Using a Client....................................................20 Secure Communication..................................................................20 Unknown Entity Warning.......................................................21 Inconsistent Site Address.....................................................21 Chapter 2 Working with Interfaces ......................................... 23 About Network Interfaces and Roles ...........................................23 Creating an External Connection .................................................25 About Load Balancing Traffic over External Connections 26 Editing an External Connection............................................26 Deleting an External Connection..........................................26 Monitoring External Connections’ Status...........................27 Adding a New Interface..................................................................27 Allocating IP Addresses to Interfaces ..........................................28 Adding an IP Address............................................................28 Editing Allocated IP Addresses............................................30 Deleting Allocated IP Addresses..........................................30 Configuring Bonded Interfaces .....................................................30 Creating Bonds......................................................................30 Editing Bonds.........................................................................32 Deleting a Bond Interface.....................................................32 Using Virtual Local Area Networks ..............................................33 Creating a VLAN.....................................................................33 Configuring Transparent Bridges..................................................34 Creating Bridges....................................................................34 Editing Bridges.......................................................................36 Deleting Bridge Interfaces....................................................36 iv Smoothwall Ltd Secure Web Gateway Administration Guide Contents Using a Point-to-Point Protocol over Ethernet Interface ...........37 Editing a PPPoE Interface.....................................................38 Deleting Parent PPPoE Interfaces.......................................38 Adding Alias IP Addresses....................................................39 Using Domain Name System Services .........................................40 Configuring Global DNS Settings ........................................40 Configuring the DNS Servers ...............................................41 Using Conditional DNS Forwarders ....................................42 Mapping Static DNS Hosts ..................................................43 Chapter 3 Deploying Web Filtering ......................................... 45 Getting Up and Running.................................................................45 Blocking and Allowing Content Immediately......................46 Blocking Locations................................................................47 Excepting Computers from Web Filtering...........................47 About Shortcuts.....................................................................50 About Secure Web Gateway’s Default Policies............................50 About the Default Web Filter Policies..................................50 About the Default Authentication Policies..........................51 Chapter 4 Working with Policies............................................. 53 An Overview of Policies..................................................................54 Types of Policies....................................................................54 How Policies are Applied......................................................54 Guardian Getting Started......................................................56 Working with Category Group Objects.........................................57 Creating Category Group Objects.......................................57 Creating Custom Categories................................................58 Editing Category Group Objects..........................................59 Deleting Category Group Objects........................................59 Working with Time Slot Objects....................................................60 Creating a Time Slot..............................................................60 Editing a Time Slot.................................................................61 Deleting a Time Slot..............................................................61 Working with Location Objects.....................................................61 Creating a Location Object...................................................62 Editing Location Objects.......................................................63 Deleting Location Objects....................................................63 Working with Quota Objects..........................................................63 About the Default Quota Object...........................................63 Creating Quota Objects........................................................64 Editing Quota Objects...........................................................65 Deleting Quota Objects.........................................................65 Managing Web Filter Policies........................................................65 Creating Web Filter Policies.................................................66 Editing Web Filter Policies....................................................68 Deleting Web Filter Policies..................................................69 Managing HTTPS Inspection Policies...........................................69 Enabling HTTPS Inspection Policies....................................70 Creating an HTTPS Inspection Policy..................................70 v Secure Web Gateway Administration Guide Contents Editing HTTPS Inspection Policies.......................................73 Deleting HTTPS Inspection Policies....................................73 Configuring HTTPS Inspection Policy Settings ..................73 Clearing the Generated Certificate Cache..........................74 Managing Content Modification Policies......................................75 Creating a Content Modification Policy...............................75 Editing Content Modification Policies.................................77 Deleting Content Modification Policies...............................78 Creating Custom Content Modification Policies................78 Managing Anti-malware Policies...................................................79 Creating an Anti-malware Policy..........................................79 Configuring Anti-malware Protection..................................81 Configuring Anti-malware Status Information....................82 Editing Anti-malware Policies...............................................83 Deleting Anti-malware Policies............................................83 Using the Policy Tester...................................................................84 Other Ways of Accessing the Policy Tester........................85 Working with Policy Folders..........................................................85 Creating a Policy Folder........................................................86 Editing Policy Folders............................................................86 Deleting Policy Folders.........................................................86 Censoring Web Form Content.......................................................87 Configuring Organization Accounts..............................................89 Chapter 5 Managing Authentication Policies......................... 91 About Authentication Policies.......................................................91 Creating Authentication Policies...................................................92 Creating Non-transparent Authentication Policies............92 Creating Transparent Authentication Policies....................97 Managing Authentication Policies...............................................101 Editing Authentication Policies..........................................101 Deleting Policies..................................................................102 Managing Authentication Exceptions.........................................102 Identification by Location.............................................................103 Using Global Proxy Certificates...................................................104 Using Multiple, Distinct Proxies.........................................105 Using an Unsecured Proxy.................................................105 Viewing the Global Proxy Logs...........................................106 Connecting to Secure Web Gateway..........................................106 About Non-transparent Connections.................................106 About Transparent Connections........................................108 Authentication Scenarios.............................................................108 New Content Filtering – Changing the Listening Port......108 Providing Filtered Web Access to the Public....................108 Requiring Authentication to Browse the Web...................109 Using Multiple Authentication Methods............................109 Controlling an Unruly Class................................................109 vi Smoothwall Ltd Secure Web Gateway Administration Guide Contents Chapter 6 Managing Web Security ....................................... 111 Overview of the Web Proxy..........................................................112 Global Options.....................................................................112 Advanced Web Proxy Settings...........................................112 Using PAC Scripts.........................................................................116 Using a Built-in Script.........................................................116 Using a Custom Script........................................................117 Managing the Configuration Script....................................118 Limiting Bandwidth Use...............................................................118 Ordering Bandwidth Limiting Policies...............................120 Editing Bandwidth Limiting Policies..................................120 Deleting Bandwidth Limiting Policies................................120 Configuring WCCP........................................................................120 Managing Upstream Proxies .......................................................121 Overview...............................................................................122 Configuring an Upstream Proxy.........................................122 Configuring Source and Destination Filters......................124 Using a Single Upstream Proxy..........................................126 Working with Multiple Upstream Proxies..........................127 Managing Blocklists.....................................................................129 Viewing Blocklist Information.............................................129 Manually Updating Blocklists.............................................130 Managing Block Pages.................................................................130 About the Default Block Page............................................131 Customizing the Default Block Page.................................132 Using a Custom HTML Template.......................................134 Using an External Block Page............................................134 Configuring a Block Page Policy........................................135 Managing Block Page Policies...........................................136 Working with Block Pages..................................................137 Chapter 7 Managing Your Network Infrastructure.............. 139 Adding Bypass Ports ...................................................................139 Creating Subnets .........................................................................140 Editing and Removing Subnet Rules.................................141 Using the Routing Information Protocol Service.......................142 Load Balancing Traffic ................................................................144 Creating Load Balancing Pools .........................................144 Reordering Load Balancing Pools ....................................146 Example Configuration........................................................147 Using Source NATs and LLB Policies ........................................148 Using LLB Pools for Local Traffic .....................................148 Creating a NAT Policy ........................................................148 Reordering NAT Policies.....................................................151 Chapter 8 Managing Network Security................................. 153 Blocking by IP................................................................................153 Creating IP Blocking Rules.................................................153 Editing and Removing IP Block Rules...............................155 vii Secure Web Gateway Administration Guide Contents Blocking Services on the Ethernet Bridge .................................155 Managing Exceptions to Blocked Services.......................156 Working with Port Groups............................................................157 Creating a Port Group.........................................................157 Adding Ports to Existing Port Groups................................158 Editing Port Groups.............................................................158 Deleting a Port Group..........................................................158 Working with Address Objects ...................................................159 Creating an Address Object...............................................159 Creating Nested Address Objects.....................................160 Editing Address Objects.....................................................161 Deleting Address Objects...................................................161 Configuring Advanced Networking Features.............................162 Blocking and Ignoring Traffic.............................................163 Enabling Advanced Networking Features.........................163 Configuring ARP Table Size................................................164 Configuring Connection Tracking Table Size...................164 Configuring SYN Backlog Queue Size...............................164 Configuring Traffic Audits...................................................165 Dropping Direct Traffic........................................................165 Enabling Network Application Helpers .............................165 Managing Bad External Traffic...........................................166 Chapter 9 Using Zone Bridging Rules .................................. 167 About Zone Bridging Rules .........................................................167 Creating Zone Bridging Rules............................................168 Editing and Removing Zone Bridge Rules.........................169 Example Zone Bridging Rules............................................169 About Group Bridging Rules........................................................171 Group Bridging and Authentication...................................172 Creating Group Bridging Rules..........................................172 Editing and Removing Group Bridges...............................173 Chapter 10 Managing Inbound Traffic................................... 175 Managing Inbound Traffic with Port Forwards..........................175 About Port Forward Rules..................................................175 Creating Port Forward Rules..............................................176 Chapter 11 Authentication and User Management............... 179 About User Authentication...........................................................179 Configuring Global Authentication Settings...............................180 About Directory Services.............................................................181 Configuring a Microsoft Active Directory Connection.....182 Configuring an LDAP Connection......................................183 Configuring a RADIUS Connection....................................186 Configuring an Active Directory Connection – Legacy Meth- od ..........................................................................................187 Configuring a Local Users Directory .................................190 Reordering Directory Servers.............................................190 viii Smoothwall Ltd Secure Web Gateway Administration Guide Contents Editing a Directory Server...................................................190 Deleting a Directory Server.................................................191 Diagnosing Directories........................................................191 Managing Local Users..................................................................191 Adding Users........................................................................191 Editing Local Users..............................................................192 Deleting Users......................................................................192 Managing Groups of Users..........................................................192 About Groups.......................................................................192 Adding Groups.....................................................................193 Editing Groups.....................................................................193 Deleting Groups...................................................................194 Mapping Groups............................................................................194 Remapping Groups..............................................................194 Deleting Group Mappings...................................................195 Managing Temporarily Banned Users.........................................195 Creating a Temporary Ban..................................................195 Removing Temporary Bans................................................196 Removing Expired Bans......................................................196 Managing User Activity ................................................................197 Viewing User Activity...........................................................197 Logging Users Out...............................................................197 Banning Users......................................................................197 About SSL Authentication............................................................198 Customizing the SSL Login Page.......................................198 Reviewing SSL Login Pages...............................................199 Managing Kerberos Keytabs.......................................................199 Prerequisites........................................................................199 Adding Keytabs....................................................................200 Managing Keytabs...............................................................200 Troubleshooting a Kerberos Service.................................201 Authenticating Chromebook Users.............................................202 Creating a Google Client ID and Client Secret (Web Applica- tion).......................................................................................202 Restricting Accepted Google Accounts by Domain.........203 Customizing the Client Login Page....................................204 Managing Chromebooks.....................................................205 Chapter 12 Centrally Managing Smoothwall Systems.......... 209 About Centrally Managing Smoothwall Systems.......................209 Pre-requirements.................................................................210 Setting up a Centrally Managed Smoothwall System...............210 Configuring the Parent Node..............................................210 Configuring Child Nodes.....................................................211 Adding Child Nodes to the System....................................212 Editing Child Node Settings................................................215 Deleting Nodes in the System............................................215 Managing Nodes in a Smoothwall System.................................215 Monitoring Node Status......................................................216 Accessing the Node Details Page......................................217 ix Secure Web Gateway Administration Guide Contents Working with Updates.........................................................217 Rebooting Nodes.................................................................218 Disabling Nodes...................................................................219 Using BYOD in a Centrally Managed System.............................219 Glossary................................................................. 221 Index....................................................................... 231 x Smoothwall Ltd