Webroot Web Security Service
Webroot® Web Security Service
Desktop Web Proxy Configuration Guide

Webroot Software, Inc.
385 Interlocken Crescent
Suite 800
Broomfield, CO 80021
www.webroot.com

WSS 4.4.0-2 Desktop Web Proxy Configuration Guide, September 2011

© 2011 Webroot Software, Inc. All rights reserved. Webroot, the Webroot icon, and the Webroot tagline are trademarks or registered trademarks of Webroot Software, Inc., in the United States and other countries. All other trademarks are properties of their respective owners.

Technical Support

Technical support is available by calling any of these toll-free phone numbers:
• APAC (outside of Australia): +61 (0)2 8071 1903
• Australia: 1-800-212-640
• Sweden: +46 (0) 8 555 36 161
• United Kingdom: 0800 804 7015, +44 800 804 7015 (international)
• United States: 877-612-6009

Send questions to our automated ticket response system:
• SaaSsupport@webroot.com (APAC, Australia, United Kingdom, and United States)
• supportnordic@webroot.com (Sweden)
We will respond within one business day.

Log a ticket in the Support Website: http://mysite.webroot.com/forms/saasCaseSubmissionForm

Contents

1: Installing Desktop Web Proxy
  System and browser requirements
  About the DWP Installation Packages
  Downloading the DWP package
  Installing DWP on individual workstations
  Installing DWP on multiple workstations (silent install)
  Installing DWP in hidden mode
    Using ARP commands with MSI parameters
  Installing DWP using Group Policy Object (GPO)
  Activating DWP globally
  Installing DWP version updates
    Automating DWP updates
    Updating DWP manually
  Uninstalling a hidden DWP
2: DWP Configuration
  Configuring DWP using the Management Portal
    Enabling the Account to use DWP
    Entering DWP settings at the Account level
    Overriding settings at the group level
    Bypassing the Web Security Service
    Authenticating DWP user credentials
    Managing hot spots
    Configuring a proxy automatic configuration (PAC) file
    Logging DWP events and running diagnostics
  Using Windows’ Group Policy Object (GPO) to configure DWP
3: Client-Specific Configuration
  Introduction
  Setting proxy connections
  Configuring the DWP logging level
  Configuring proxy settings for applications
  Configuring DWP to use a PAC file
  Using a script to automate registry settings
4: Troubleshooting
  FAQs
  Viewing running processes
  Running diagnostics
  Using the DWP Latency Tester
  Using DWP Network Packet Capture
  Error messages
  PAC file is unavailable when user profile folders are remapped
Index

1: Installing Desktop Web Proxy

The Desktop Web Proxy (DWP) is a service that manages traffic from users’ computers to the Web Security Service by routing all traffic to the data center nearest the user’s computer. You can install DWP individually on each workstation using the downloaded msi installation package, or by using a Group Policy Object editor or other batch installation for a mass rollout.

Note: Windows Vista and Windows 7 require administrative rights to install DWP even if the administrator has these rights on the machine. To install on Windows Vista, run the MSI installation with an elevated command prompt.

Topics in this chapter:
• System and browser requirements
• About the DWP Installation Packages
• Installing DWP on individual workstations
• Installing DWP on multiple workstations (silent install)
• Installing DWP in hidden mode
• Installing DWP using Group Policy Object (GPO)
• Activating DWP globally
• Installing DWP version updates
• Uninstalling a hidden DWP

System and browser requirements

You can install the Desktop Web Proxy on these systems:
• Windows XP Service Pack 2, 32-bit
• Windows XP Service Pack 3, 32-bit
• Windows 2003, 32-bit
• Windows Vista, 32- and 64-bit
• Windows 7, 32- and 64-bit
• Windows 2008 Enterprise, 32- and 64-bit
• Citrix Presentation Server 4.5, 32-bit
• Citrix XenApp 5.0, Windows 2008 Enterprise, 32-bit
• Citrix XenApp 6.0, Windows 2008 R2 Enterprise, 64-bit

You can use DWP with these browsers:
• Microsoft Internet Explorer version 7, 8, and 9, 32-bit and 64-bit
• Mozilla Firefox version 3.6, 4.0, and 5.0
• Google Chrome 11 and 12

About the DWP Installation Packages

The Desktop Web Proxy is available in two installation packages:
• DWPSetup.msi installs the standard version of DWP.
• DWPSetup_NoUninstall.msi installs a version of DWP that cannot be uninstalled. This installer disables the Remove and Change buttons in the Add or Remove Programs option of the Windows Control Panel.

You can use either installation package to install DWP, using any of the methods described in this chapter—on individual machines, on multiple machines, in hidden mode, or using GPO. DWP can be uninstalled using the .msi installer if the DWPSetup_NoUninstall.msi is used.

Downloading the DWP package

The DWP MSI package is available from the Web Security Service Management Portal.

To download the DWP package:
1 Log in to the Web Security Service Management Portal.
2 Open the Resources tab. The Resources tab opens at the Downloads page.
[Figure: Downloads page, with callouts "Standard version of DWP" and "Uninstallable version of DWP"]

3 Click a DWP link:
  – DWP installs the standard DWP package
  – DWP (Uninstall Disabled) installs a version of DWP that cannot be uninstalled
4 Follow the browser prompts to save the installer zip file into a location of your choice.
  • If you used Mozilla Firefox to access the Management Portal, you can continue with the installation method of your choice as described in the rest of this chapter.
  • If you used Microsoft Internet Explorer, continue through the end of this procedure.

This information applies to various versions of Windows Internet Explorer: You can successfully download the DWP zip archive, but you might get an error when you open the archive. There is a known bug affecting zipped files downloaded through Internet Explorer. The downloaded file appears corrupted and can’t be opened. For more information about this issue, see:
http://social.msdn.microsoft.com/Forums/en-US/iewebdevelopment/thread/bf4077dd-20bc-4f66-bf73-b79a2440cf30/
http://support.microsoft.com/kb/2002350

5 If you used Internet Explorer to download, rename the file to append .gz to the end of the filename:
    DWPSetup.zip.gz or DWPSetup_NoUninstall.zip.gz
6 Use Winzip or 7-Zip (an open source software) to extract the original archive from the renamed file. Then continue with the installation method of your choice.

Installing DWP on individual workstations

Use the downloaded msi installation package to install DWP on individual workstations, or on a Terminal Service or Citrix server. See “System and browser requirements” on page 2 for supported versions.

To install DWP on an individual workstation:
1 Load the installation package on a desktop or laptop computer.
2 Double-click one of the installation files:
    DWPSetup.msi or DWPSetup_NoUninstall.msi
3 Follow the instructions in the DWP setup wizard.

The settings are automatically applied to the browsers.

Note: The settings are not automatically applied to the browsers in either of these cases:
• The Activate DWP on Install option on the Management Portal is set. If this option is not set, you can configure the browsers manually by right-clicking the DWP icon in the system tray and selecting Apply Proxy Setting.
• The Apply portal settings to the DWP clients option is turned off at both the account and group levels. If the option is on at either the account or group level, the settings are applied.

Installing DWP on multiple workstations (silent install)

Use the silent option to install DWP on multiple workstations without using an installation interface. The procedure assumes you are familiar with MSI package installations. See “System and browser requirements” on page 2 for supported versions.

To use the silent option for mass rollout:
1 On the command window, append /quiet to the installation command:
    DWPSetup.msi /quiet
  or
    DWPSetup_NoUninstall.msi /quiet
  Note the space before /quiet.
2 To specify restart options after installation, you can use these command-line options:
  • /norestart: Does not restart the computer after the installation.
  • /promptrestart: Prompts the user for a restart if necessary.
  • /forcerestart: Always restart the computer after installation.

The settings are automatically applied to the browsers.

Note: The settings are not automatically applied to the browsers in either of these cases:
• The Activate DWP on Install option on the Management Portal is set. If this option is not set, you can configure the browsers manually by right-clicking the DWP icon in the system tray and selecting Apply Proxy Setting.
• The Apply portal settings to the DWP clients option is turned off at both the account and group levels. If the option is on at either the account or group level, the settings are applied.

For a complete list of command-line options, use /help at the command window.

Installing DWP in hidden mode

Installing DWP in hidden mode prevents users from making changes to DWP. When you install DWP in hidden mode:
• the shortcut Launch Desktop Web Proxy does not appear in the Start menu
• the DWP icon doesn’t appear in the system tray.

Note: If DWP is being managed by the portal, you must set the portal option Hide Icon in Tray, even though you are installing DWP in hidden mode. See “Hide Icon in Tray” on page 14.

Using hidden mode, you can specify MSI parameters to remove the Change and Remove buttons, or remove the DWP plug-in entirely from the Add or Remove Programs option of the Windows Control Panel.

Logging and diagnostics are not supported in hidden mode—they are supported only if you reinstall DWP with the regular installation, without the hidden switch.

To install DWP in hidden mode:
In the command window, type
    Msiexec /i <Path_to_dwp_msi_file> /q dwpmode=hidden

Using ARP commands with MSI parameters

Advanced users who are experienced with MSI package modification can enforce higher levels of invisibility with any of the ARP commands, using these parameters:

MSI parameters

ARPNOMODIFY={""|1}
• 1 removes the Change button from Add/Remove Programs, preventing the user from changing the DWP client.
• Blank ("") means the Modify button is available for the DWP client.
Note: The DWP Uninstall Disabled installer also removes the Change button from Add or Remove Programs.

ARPNOREMOVE={""|1}
• 1 removes the Remove button from Add/Remove Programs, preventing the user from uninstalling the DWP client.
• Blank ("") or omitting this parameter means the Remove button is visible for the DWP client.
Note: The DWP Uninstall Disabled installer also removes the Remove button from Add or Remove Programs.

ARPSYSTEMCOMPONENT={""|1}
• 1 removes the plug-in itself from Add/Remove Programs.
• Blank ("") or omitting this parameter means the DWP client has an entry in Add/Remove Programs.

For example:
    Msiexec /i <Path_to_dwp_msi_file> ARPNOMODIFY=1

For more details about these parameters, see Microsoft’s Developer Network (MSDN) library.

Note: To restart a hidden DWP, either restart the computer or use the Services console in Administrative Tools to restart the DWP Local Proxy Service. To restore MSI parameters to their original settings, uninstall DWP (see “Uninstalling a hidden DWP” on page 9) and re-install it without the hidden switch.

Installing DWP using Group Policy Object (GPO)

You can install and deploy DWP using Group Policy Object (GPO). This method of installation requires that you are experienced with Microsoft’s Active Directory and that you are using GPO in your environment.

Note: If you install and deploy DWP using GPO, use the DWP_NoUninstall package (see “About the DWP Installation Packages” on page 2).

If you use GPO to install DWP, use the GPO Editor if you need to uninstall it. Do not use Add/Remove programs to remove DWP.

GPO information is available on Microsoft’s Help and Support sites:
• http://support.microsoft.com/default.aspx?kbid=314934
  Expand On This Page to display all related subtopics.
• http://support.microsoft.com/?kbid=302430
  This site describes how to assign or publish software to users using GPO.

Activating DWP globally

If you use the Management Portal to manage DWP, you can activate DWP globally without having it apply settings to the browsers.
The Activate DWP on Install option is on by default for new accounts and groups, so that when DWP is installed on a machine in that account and DWP is managed by the portal, it automatically applies its settings to the browsers. If, however, you want to deploy DWP across multiple machines in the network but don’t want it to be used immediately, you can disable this option before you deploy DWP, then enable it later.

The Activate DWP on Install option is on the DWP Configuration subtab of the Account and of each user group.

To disable automatic DWP activation:
1 Log in to the Web Security Service Management Portal.
2 In Edit mode, open the DWP Configuration subtab of either the Account or a user group.
3 Select Apply portal settings to DWP clients to enable settings for editing.
4 Clear the Activate DWP on Install box.
5 Save your settings. If you are configuring user groups, repeat for every group as required.

When Activate DWP on Install is unchecked, you can apply settings to the browser manually by right-clicking on each DWP tray icon and selecting Apply Proxy Setting.

Installing DWP version updates

You can enable automatic updates to DWP clients, or have users initiate their updates manually.

Automating DWP updates

Automatic updates to DWP clients are enabled on the Web Security Service Management Portal at the Account level.

To enable automatic DWP updates at the Account level:
1 Log in to the Web Security Service Management Portal.
2 Open the Accounts tab in Edit mode.
3 Under the User Configuration section, select Automatically Update the DWP.
  If the setting is enabled, the Account automatically sends updates to the DWP clients. If the setting is disabled, you must manually download DWP updates to all clients.
  This setting is inherited by all user groups; you can override for selected groups as required.
4 Save your setting.

Updating DWP manually

If you don’t want to use the automatic update feature, you can have users initiate their own updates. Make sure these users have access to the DWP icon on their system tray. Because this update method is user-initiated, you might have various DWP versions throughout your Account.

To initiate a DWP update at the client:
1 Hold down the Ctrl key and right-click the DWP icon on the system tray.
2 Select Update Now from the pop-up menu.

The installer program examines the DWP version on the desktop. If an older version is found, the DWP client is installed in silent mode. Otherwise, a message states that no updates are available.

Uninstalling a hidden DWP

If you modified the MSI parameters (“MSI parameters” on page 5), the DWP might be hidden and inaccessible through the Add/Remove Programs utility.

To uninstall a hidden DWP:
Run the original MSI installer and select the Remove Desktop Web Proxy option.

2: DWP Configuration

Topics in this chapter:
• Configuring DWP using the Management Portal
• Using Windows’ Group Policy Object (GPO) to configure DWP

Configuring DWP using the Management Portal

You configure the Desktop Web Proxy from the Web Security Service Management Portal for deployment to all computers that have DWP installed. You can define a management configuration at the Account level that applies to all groups, then override settings at the Group level as appropriate.

DWP clients poll the Web Security Service server every 15 minutes for any changes that were made on the Management Portal, then use the new settings.

Caution: DWP settings entered on the Management Portal are deployed to all computers that have the DWP client installed. If DWP was configured individually on those computers, those settings are overwritten because portal-based settings take precedence.

Enabling the Account to use DWP

Settings described here are applied to all user-based groups. Each group can override Account-level settings.

To enable the Account for DWP:
1 Log in to the Web Security Service Management Portal.
2 Open the Accounts tab in Edit mode.
3 On the Account subtab, enter these required configurations:
  a Select the checkbox for Enable DWP User Creation.
    This setting enables automatic user registration into the Web Security Service when users in the corporate network first connect using DWP. DWP checks the Web Security Service to see if the connecting user has an existing entry. If no entry exists, DWP creates a user name and password for the user.
  b Keep the default group in DWP User Creation Default Group or select another.
    The DWP User Creation Default Group setting specifies a user-based group to which DWP adds new users by default, because the Web Security Service requires users to belong to groups. The selection list shows user-based groups only.
    In general, before changing a user group to an IP group, make sure it has no users and that it is not the group for DWP to add users.

  Caution: The DWP expects the User Creation Default Group to be a user-based group. You can, however, edit the group to be IP-address-based. Before changing the group to IP-based, edit the Account and select another default group for new DWP users, or creating users using DWP will fail.

4 Continue to Entering DWP settings at the Account level.

Entering DWP settings at the Account level

When the Account is enabled for DWP user creation, you can use the Management Portal to further configure DWP, to ensure consistency among all groups. You can override individual group settings as necessary.

To enter DWP settings at the Account level:
1 Log in to the Web Security Service Management Portal and open the Accounts tab.
2 Click Edit on the Account subtab.
3 Verify that the Account is enabled for DWP, as described in “Enabling the Account to use DWP” on page 12.
4 Open the DWP Configuration subtab.
5 Set DWP configuration options:

DWP Configuration

General Settings

Prevent user access to browser proxy settings
  Controls users’ ability to change browser proxy settings:
  • Not Configured: Enabled by default. Prevents DWP from conflicting with Group Policy Object (GPO) trying to modify the same settings, by locking user access to browser proxy settings. When this option is enabled, GPO settings take precedence because DWP is not modifying settings.
  • Enabled: DWP modifies settings to prevent users from modifying their proxy settings in the browser.
    Note: If this option is enabled, you must set it to Disabled 15 minutes before you uninstall the DWP.
  • Disabled: DWP modifies settings, so that users can modify their proxy settings in the browser.
  Note: If a GPO in the customer’s environment is locking the proxy settings, DWP does not override it. It’s not possible to predict whether GPO or DWP will prevail in this situation, however, so we recommend that you disable any GPO actions that are locking proxy settings in the customer’s environment while using this feature. If you want the GPO settings to prevail, leave this setting as Not Configured.
  In Firefox, the Settings button is hidden if the browser control setting is applied using DWP.
  [Figure callout: The Settings button does not appear here if DWP applies the browser control setting.]

Hide Icon in Tray
  Hides the DWP icon on the end user’s system tray, preventing the end user from accessing DWP functions. For more information see the Desktop Web Proxy Configuration Guide, which is available on the Management Portal at Resources > Documents.

List of Caching Proxies
  Proxy names and port numbers of caching proxies at your gateway locations. Allows mobile users to connect transparently to either caching proxies or directly to the Web Security Service.
  For a single caching proxy, separate the name and port with a colon:
    ProxyName:port
  For multiple caching proxies, separate proxies with a semicolon and end the string with a semicolon:
    ProxyName1:port1;ProxyName2:port2;

Enable Automatic Configuration Script (PAC File)
  Enables use of a Proxy Auto Configuration (PAC) script to tell browsers where to route users’ page requests. If enabled, works with the PAC File Location option.

PAC File Location
  The URL or local network path to the configuration script. DWP copies the script to the local machine, then applies the settings to the browser. DWP clients must be restarted after PAC configuration options are set.
  Note: Firefox is unable to parse PAC files correctly if the local path or the DWP username contains the # special character (for example, user#1). In this case, traffic is not filtered. See the Web Security Service Administrator Guide for details.

Monitor Port 80 and 443 usage
  Uploads process data to the Monitors | Port Monitor tab, to help the Admin identify rogue applications that are using default ports 80 and 443. See the Web Security Service Administrator Guide for details.

Allow Unsafe Browsing
  Editable if Enable Dynamic Hot Spot Management is selected. Allows users to bypass the Web Security Service to browse the Internet in hotspot environments where access might be blocked or re-routed.
  If not set, DWP opens an error page and prevents users from browsing the Internet in hotspots.

To Bypass the Web Security Service
  See “Bypassing the Web Security Service” on page 18 for details about these options.

Browser Bypass
  Enter the sites stored in the browser’s exception list.

DWP Bypass
  Enter the URLs to be accessed directly by DWP without going through the Web Security Service.

Configured by Default as Active

Proxy Address
  Required. The address of the Web Security Service data center. This proxy address should be changed only at the service provider’s direction.

Proxy Port
  Required. Do not change this setting. Only ports 80, 3128, or 8080 can be used.

Apply portal settings to the DWP clients
  Enabled by default when the service provider created the Account, so that you can enter and deploy DWP settings that are consistent throughout the Account.
  Caution: If you keep this option selected, any DWP settings previously entered at each client computer are overwritten after you click Save.
  If you clear this checkbox, all options become read-only and the settings are not functional. If you are in Edit mode, selecting this checkbox makes other options editable.

Activate DWP on Install
  Selected by default. DWP client installations are not activated by default, so settings are not yet applied. After you save this setting, DWP client installations are automatically activated and the settings are immediately applied to the users’ browsers.

Enable Dynamic Hot Spot Management
  Automatically handles hotspot billing systems. DWP enters direct mode if it detects that a user’s browser is blocked by a hotspot. The user is connected to the Web Security Service when billing or sign-up is complete.
  If you enable hot-spot detection, DWP tries to access ports 3128, 8080, 80, and 443 in succession, and uses the first of those ports that is accessible.

Use the IE Browser setting “Bypass proxy server for local addresses”
  Selects the Internet Explorer option that sends all traffic to non-routable IP addresses. See “Bypassing the Web Security Service” on page 18.

Enable Automatic User Name Resolution
  Synchronizes the Web Security Service and client user name and password for users in the corporate network. If a Web Security Service user name and password are not configured in DWP, DWP requests the service to generate the credentials and DWP stores them locally. With this option enabled, passwords are updated automatically if they change in the service.
  Note: This option only works if the request from DWP is from within your corporate network via the configured IP addresses on the Web Security Service. If the initial connection to DWP is not within the network, credentials are not created.
  To use this option, your corporate firewall must allow requests on port 80 and 443 directly to the Web Security Service. See your Provisioning Notification Document for information about allowed ports.

6 Click Save. Your settings apply to all user-based groups in the Account.

Overriding settings at the group level

All user-based groups inherit their DWP settings from the Account. You can, however, configure individual user-based groups to have their own settings based on business requirements.

To override Account settings:
1 Log in to the Web Security Service Management Portal.
2 Open the Groups tab.
3 Locate the user group and click its Edit link.
4 Open the DWP Configuration subtab.
5 Enable Use Group Settings and Apply portal settings to the DWP clients.
  The DWP options are now ready for editing. Refer to “DWP Configuration” on page 14 for a description of each option.
6 Save your settings, and repeat for each required user group.
  The settings will be applied to the members of the groups when the DWP clients poll the server every 15 minutes to get updates.

Bypassing the Web Security Service

If there are sites that the Web Security Service cannot resolve and access, you can configure the DWP to bypass the filtering service and send HTTP requests directly to the sites. You can bypass filtering using one of these approaches:
• Bypass both DWP and the Web Security Service so that the browser takes the users directly to the specified sites. This method takes the highest precedence and uses the exception list entered into the browser. For convenience, define your lists in the Account’s or group’s DWP Configuration subtab. After DWP receives this information, DWP updates the users’ browser exception list.
  Browsers have their own syntax for entering multiple items on a list. The Management Portal requires you to use a single format, but DWP converts the format later to conform to the browser’s syntax.
• Use DWP to bypass the Web Security Service if the specified sites are accessed. The procedure instructs you to enter the sites using a prescribed syntax.
• Bypass filtering for local (Intranet) sites. This option works with IE browsers only.

Following are examples of browser-defined exception lists on Internet Explorer and Firefox.

[Figures: Internet Explorer example; Firefox example. Callout: Sites to bypass DWP and web filtering]

Caution: Be cautious about the URLs you enter in the text boxes, because no filtering and therefore no policy will be applied when these URLs are accessed. Access to the URLs will not be logged.

To bypass web filtering and enter an exception list in the browser:
1 On the Management Portal, open the DWP Configuration subtab in Edit mode.
2 Verify that Activate DWP on Install is selected:
3 In the Browser Bypass: Browser connects directly to the Internet text box, enter the sites stored in the browser’s exception list. Use a semicolon to separate the site entries. DWP converts the syntax into a browser-specific supported format. Both DWP and the Web Security Service are bypassed for these sites.
4 Verify that the exception list is created in the browser.

To access sites directly using DWP and bypass web filtering:
1 In the DWP Bypass: DWP connects directly to the Internet text box, enter the URLs to be accessed directly by DWP without going through the Web Security Service. Use one line per domain. Don’t use IP addresses in place of domain names. Use this general format:

domainname=DIRECT

Replace domainname with one of these values:
• The fully qualified notation of the domain, so that the bypass is specific to that domain
• A partial domain notation, to include subdomains within a domain. For partial domains or URLs, start your entry with a leading dot (.) to include any second-level domains within a domain.

The allowed formats are:

maps.google.com=DIRECT
google.com=DIRECT
google=DIRECT
www.google.com=DIRECT

If you accidentally type a forward slash within the entries, the browser session might end.
2 For Internet Explorer browsers only: If you want to bypass filtering for local (Intranet) sites, select this checkbox:
3 Click Save.

This checkbox on the DWP Configuration subtab updates Internet Explorer’s Proxy server settings in the LAN Settings dialog:

Authenticating DWP user credentials

The Web Security Service must identify the user’s name to check credentials and associate the user with the correct web filtering group. To configure an environment that supports DWP, we recommend using LDAP synchronization and DWP’s automatic user creation feature.
Both methods ensure that the user’s computer and the Web Security Service are synchronized and able to service the requests from the DWP for user credentials.

Enabling automatic user creation

If you cannot access your LDAP directory from the Web Security Service or you do not have an LDAP interface, you can use automatic user account creation.

To enable automatic user creation:
1 Log in to the Web Security Service Management Portal.
2 Open the Accounts page and click Edit.
3 Verify that the setting Enable DWP User Creation is enabled. If not, select it.

The DWP creates user names on the service when the user accesses the Web. Users must belong to a group, so new DWP users are created in the Default User Group. You can use the Management Portal to reassign users to other policy-based groups later.

Synchronizing with LDAP

If you use LDAP synchronization to add users to the Web Security Service, the new user names always match the Windows user names. The DWP identifies the Windows user name of the locally logged-on user, then requests that user’s credentials from the Web Security Service.

Set up one or more LDAP-enabled groups on the Web Security Service that synchronize the appropriate sAMAccountNames from your environment into the relevant groups. See the Web Security Service Administrator Guide for details on LDAP-enabled groups.

Users added from LDAP initially have a Pending Activation status on the Users page. After new users connect via DWP while inside the corporate network, the user status changes to Active.

Setting credentials for mobile users

Mobile users’ credentials are usually created automatically if the users first access the web within the corporate network. Mobile users whose first access is outside the corporate network enter a system-generated Authentication Code into the DWP client.
The Web Security Service generates an Authentication Code for each user group.

To use the authentication code:
1 Log in to the Web Security Service Management Portal.
2 Open the Accounts > General Information tab and confirm that the Account is enabled for DWP user creation.
3 Open the Groups tab.
4 Locate the user group to which the mobile user belongs and click its Edit link. The General Information subtab opens.
5 Open the Authentication subtab.
6 Verify that Allow Mobile User Access is enabled.
7 Open the DWP Configuration subtab.
   a Verify that the DWP icon is not hidden on the users’ system tray. If you need to clear this checkbox but it is not editable, select Use Group Settings first. The Hide Icon setting applies to all DWP users in the group. You can disable this setting again later. Hiding the icon from the end user prevents the user from entering client-specific settings.
   b Make note of the read-only Authentication Code; for example:
8 Communicate with the mobile user:
   • Provide the authentication code from the DWP Configuration tab.
   • Ask the user to right-click on the DWP icon on the system tray and select Credentials from the menu. In the Authentication Details dialog, type the provided authentication code in the box as shown.

Caution: Do not let the user change the other settings in Authentication Details. If the user is already registered on the Web Security Service and Automatic User Name Resolution is enabled on the Management Portal, the stored credentials will be used to authenticate the user. If Automatic User Name Resolution is not enabled and the name and password are changed here, the user will be blocked from Internet access.

This code identifies the Account to which the user belongs, and the DWP creates the user login and adds the user to the group associated with the Authentication Code.
The credentials are stored on the mobile user’s laptop and used for subsequent Internet access.

Managing hot spots

The Dynamic Hot Spot Management feature allows mobile users to be redirected temporarily to a hot spot provider’s sign up page and enter billing information.

To configure dynamic hot spot management:
1 To configure for all groups within the Account, display the Accounts tab in Edit mode.
   Or
   To configure a specific user group:
   a Select the Groups tab.
   b Display the specific group in Edit mode.
2 Select the DWP Configuration subtab.
3 Verify the following settings:
   • If you are editing the Account, ensure that Apply portal settings to the DWP clients is selected. [Figure: Setting for Account]
   • If you are editing a group, ensure that Use Group Settings is selected. [Figure: Setting for Group]
4 Configure the Enable Dynamic Hot Spot Management options:

Hot spot management options

Enable Dynamic Hot Spot Management: Select this option. Automatically handles hotspot billing systems. DWP enters direct mode if it detects that a user’s browser is blocked by a hotspot. The user is connected to the Web Security Service when billing or sign-up is complete. If you enable hot-spot detection, DWP tries to access ports 3128, 8080, 80, and 443 in succession, and uses the first of those ports that is accessible.

Allow Unsafe Browsing: Optional. Editable if Enable Dynamic Hot Spot Management is selected. Allows users to bypass the Web Security Service to browse the Internet in hotspot environments where access might be blocked or re-routed. If not set, DWP opens an error page and prevents users from browsing the Internet in hotspots.

5 Click Save.
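The PAC file section that follows says to construct the last rule so that all traffic is routed to localhost on a listening port such as 3128. A PAC file with that shape, as an added example and not the Webroot template; the domain names in it are placeholders, and it avoids browser-only PAC helper functions so the same file can be exercised under Node before it is published:

```javascript
// Added example PAC file (not the Webroot template).
// Assumptions: DWP listens on localhost:3128; all domain names are placeholders.
var DWP_PROXY = "PROXY localhost:3128";

// Hosts the browser reaches directly. Traffic to these is not filtered and
// not logged by the service, so review each entry like a firewall exception.
// A leading dot means "this domain and every subdomain".
var DIRECT_HOSTS = [".corp.example.com", "updates.vendor.example"];

function hostMatches(host, entry) {
  if (entry.charAt(0) !== ".") return host === entry;
  if (host === entry.substring(1)) return true;            // the bare domain
  return host.length > entry.length &&
         host.substring(host.length - entry.length) === entry;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Loopback must go direct, or requests aimed at the local proxy loop back
  // into it. The pattern is anchored so a DNS name that merely starts with
  // "127." is not treated as loopback.
  if (host === "localhost" || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) {
    return "DIRECT";
  }

  // Single-label names (no dot) are intranet hosts.
  if (host.indexOf(".") === -1) return "DIRECT";

  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (hostMatches(host, DIRECT_HOSTS[i].toLowerCase())) return "DIRECT";
  }

  // Last rule: everything else goes to the local DWP listener. There is no
  // "; DIRECT" fallback here, so if the listener is down the request fails
  // instead of leaving unfiltered (a choice made for this example).
  return DWP_PROXY;
}
```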
Configuring a proxy automatic configuration (PAC) file

To route traffic directly to web sites without going through the Web Security Service you can use a proxy automatic configuration (PAC) file. In a PAC file you configure rules that tell your browser how to make decisions about routing HTTP requests. Construct the last rule in the PAC file to route all traffic to localhost on a listening port such as 3128. The port number is dynamically replaced after you configure DWP to do so.

This section describes:
• Creating the PAC file
• Specifying the PAC file on the Web Security Service

Creating the PAC file

The Web Security Service provides a PAC file template for you to use with DWP.

To create a PAC file:
1 On the Management Portal, select Resources > Downloads.
2 Select the PAC file for DWP link. The template opens.
3 Create your PAC file by copying the template’s contents and modifying it to suit your requirements. To go back to the Management Portal, click your browser Back button.
4 Save the PAC file on a web server, or an accessible local or network drive.
5 Continue to “Specifying the PAC file on the Web Security Service” on page 25.

Specifying the PAC file on the Web Security Service

You can specify a single PAC file for the entire account, or specify the PAC file only for a group.

To specify the PAC file:
1 To configure for all groups within the Account, display the Accounts tab in Edit mode.
   Or
   To configure a specific user group:
   a Select the Groups tab.
   b Display the specific group in Edit mode.
2 Select the DWP Configuration subtab.
3 Verify the following settings:
   • If you are editing the Account, ensure that Apply portal settings to the DWP clients is selected. [Figure: Setting for Account]
   • If you are editing a group, ensure that Use Group Settings is selected. [Figure: Setting for Group]
4 Select the Enable Automatic Configuration Script checkbox and enter the location of your PAC file (a URL, or a local or network drive).

Note: Firefox browsers cannot parse PAC files if the local path to the file or the DWP username contains the # character (for example, user#1). In this case, traffic is not filtered.

5 Click Save.

If you are remapping %USERPROFILE% folders to other drives, see “PAC file is unavailable when user profile folders are remapped” on page 56 for more information.

Logging DWP events and running diagnostics

You can log DWP events for diagnostic purposes. This client-specific setting requires that the DWP icon is visible on the desktop’s system tray. See “Configuring the DWP logging level” on page 38 for details.

You run diagnostics on the DWP client. See “Running diagnostics” on page 48 for details.

Using Windows’ Group Policy Object (GPO) to configure DWP

If you are experienced with Windows Active Directory and the Group Policy Object editor to manage configurations, you can use the administrative template (ADM file) that is available from the Web Security Service Management Portal. This template contains the registry settings required to update the DWP installations within your Group Policy network.

To use the ADM template:
1 On the Web Security Service Management Portal, open Resources > Downloads.
2 Click ADM File to open the template.
3 Copy the contents and paste into a text editor, then save the file with the .adm extension.

Note: If you have already created ADM files for configuring DWP from the Group Policy Editor, remove them before continuing to the next steps.
4 Open Active Directory Users and Computers.
5 Create a group policy object or edit an existing one.
6 In the policy, right-click Administrative Templates and select Add/Remove Templates:
   The Add/Remove Templates window shows all current ADM files. For example:
7 Click Add, browse to the location where you saved the ADM file, and add it. The DWP ADM file is added to the list. For example:
8 Close the window. The Desktop Web Proxy Custom Configuration section appears on the Administrative Templates list.
9 Select the newly added Desktop Web Proxy Custom Configuration template, then select View > Filtering:
10 On the Filtering window, clear the checkbox Only show policy settings that can be fully managed and click OK.
   The GPO Editor window is refreshed with the new settings from the template. The right pane displays all configurable settings for DWP. The settings are added to two folders: one containing common settings and another containing user settings.
11 Expand these folders to see the settings:
   • Computer Configuration > Administrative Templates > Desktop Web Proxy Custom Configuration
     This folder displays the common settings.
   • User Configuration > Administrative Templates > Desktop Web Proxy Custom Configuration
     This folder displays user settings.

The settings’ states are initially shown as Not configured as in this example:

The following table maps the options on DWP’s System Configuration window to the user settings on the GPO Editor. “Entering DWP settings at the Account level” on page 13 describes how the settings are used.
Mapping of DWP settings in System Configuration and GPO Editor windows

System Configuration settings | GPO Editor settings
Proxy Settings: Address | RemoteProxyServerAddress
Proxy Settings: Port | RemoteProxyServerPort
Local Proxy Settings: Local Proxy Port | LocalProxyPort
Caching Proxy Settings: Address | UpstreamProxies
Connection: Enable Automatic User Name Resolution | EnablePrimeLogin
Connection: Enable Dynamic Hot Spot Management | EnableCyberCafeMode
Connection: Allow Process Port Update | AllowProcessUpdate
Connection: Allow Unsafe Browsing | AllowUnSafeBrowsing
Automatic Configuration Script: Enable Automatic Configuration | EnableAutoConfigScript
Automatic Configuration Script: Address | AutoConfigScriptAddress

12 In the user settings folder, leave the UserName setting as is (Not configured). This ensures that DWP obtains credentials for all users, including mobile users who connect from outside the corporate network. If you change the setting to Enabled, mobile users are not authenticated properly and are blocked from Internet access.
13 Right-click the remaining settings to display the Properties window, and select Enabled. Enabled settings use the default values, which you can modify.

Caution: Do not change the default values for ProcessUploadURL, ConnectionListURL, PrimeLoginURL, and CheckUpdateURL. See the following example.

The following example shows the Properties window for an enabled entry whose default value you must not modify. The dialog displays a reminder for such settings.

This example shows the final settings:

In the example, some settings are disabled because they are disabled by default in DWP.
If you need to use a disabled feature, follow the procedure “To enable a feature that is disabled by default.”

To enable a feature that is disabled by default:
1 Open the Properties dialog of a disabled feature. This is an example of a disabled feature’s Properties dialog:
   The dialog has a checkbox that corresponds to the checkbox in the DWP configuration window (for details, see the mapping table on page 30).
2 Select the checkbox and click OK.
   On the Group Policy Object Editor window, the feature’s state is changed from Disabled to Enabled.

After the ADM is loaded, the settings are added to the Registry Editor in the folder HKEY_LOCAL_MACHINE\SOFTWARE\Web Filtering. For 64-bit systems, the registry path is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Web Filtering. Refer to “Using a script to automate registry settings” on page 41 for related information.

3: Client-Specific Configuration

Topics in this chapter:
• Introduction
• Setting proxy connections
• Configuring the DWP logging level
• Configuring proxy settings for applications
• Configuring DWP to use a PAC file
• Using a script to automate registry settings

Introduction

The recommended way to configure the Desktop Web Proxy is with the Web Security Service Management Portal.
If necessary, however, you can configure specific DWP clients using the DWP icon in the system tray:

[Figure: DWP icon]

The DWP icon does not appear in the system tray if DWP was installed in hidden mode.

Note: The procedures in this chapter apply to individual DWP clients. Client-specific settings are overridden by updates entered in the Web Security Service Management Portal.

Setting proxy connections

To set proxy connections:
• You must be logged in to the computer with Windows Administration privileges.
• The Apply portal settings to the DWP clients option must be disabled at either the account or group level. See “DWP Configuration” on page 11 for information.

To set proxy connections:
1 Right-click the DWP tray icon.
2 Select System Configurations. The System Configurations dialog opens.
   [Figure: System Configurations dialog, with the callout “Do not change this setting”]
3 Keep the value in the WSSAAS Proxy Settings Address field. This is the address of the web proxy service that is entered automatically by DWP. DWP polls all data centers to ensure that they are available. If a data center is not available, DWP connects to the next one and updates the Address field.
4 Keep the Local Proxy Port default. This is the local port that listens for web traffic that is routed to the Desktop Web Proxy.
5 If your organization requires all corporate computers to connect to an internal proxy (such as an ISA server) before connecting to the Internet, specify one or more URLs and corresponding ports for this internal proxy server in the Caching Proxy Settings section. Use one of the following formats. Separate the name from the port with a colon, and separate multiple proxies with a semicolon.

ProxyName:port
or
ProxyName1:port1;ProxyName2:port2;ProxyName3:port3;

Note: With multiple caching proxies, a laptop with DWP installed connects with the available caching proxy if it is inside the corporate network and if the caching proxy is detected.
If the laptop is outside the corporate network and the caching proxy is not detected, DWP connects with the Web Security Service.

6 Specify connection settings:

DWP system configuration settings

Enable Automatic User Name Resolution: Synchronizes the Web Security Service and client user name and password for users in the corporate network. If a Web Security Service user name and password are not configured in DWP, DWP requests the service to generate the credentials and DWP stores them locally. With this option enabled, passwords are updated automatically if they change in the service.
Note: This option only works if the request from DWP is from within your corporate network via the configured IP addresses on the Web Security Service. If the initial connection to DWP is not within the network, credentials are not created. To use this option, your corporate firewall must allow requests on port 80 and 443 directly to the Web Security Service. See your Provisioning Notification Document for information about allowed ports. If you want to support mobile users, see “Setting credentials for mobile users” on page 22 for more information.

Allow Process Port Update: Uploads process data to the Monitors | Port Monitor tab, to help the Admin identify rogue applications that are using default ports 80 and 443. See the Web Security Service Administrator Guide for details.

Enable Dynamic Hotspot Management: Automatically handles hotspot billing systems. DWP enters direct mode if it detects that a user’s browser is blocked by a hotspot. The user is connected to the Web Security Service when billing or sign-up is complete. If you enable hot-spot detection, DWP tries to access ports 3128, 8080, 80, and 443 in succession, and uses the first of those ports that is accessible.
Allow Unsafe Browsing: Editable if Enable Dynamic Hot Spot Management is selected. Allows users to bypass the Web Security Service to browse the Internet in hotspot environments where access might be blocked or re-routed. If not set, DWP opens an error page and prevents users from browsing the Internet in hotspots.

7 Click OK.

Configuring the DWP logging level

DWP logs are available to help you and your service provider diagnose connection problems. The DWP logging level is configurable only on the client, not on the Management Portal. Three levels of logging are available:
• Basic–Logs errors; the default.
• Medium–Logs errors and warnings.
• Detailed–Logs messages, errors, and warnings.

To change the logging level and to write a log:
1 Hold down the Shift key and right-click the DWP tray icon.
   [Figure: Logging levels]
2 Select a logging level.
   • User-specific logs are written to %ALLUSERSPROFILE%\Application Data\DWP_Webfiltering\<WindowsloginID>.<WindowsDomain>\DesktopWebProxy_*.log
   • Generic logs are written to %ALLUSERSPROFILE%\Application Data\DWP_Webfiltering\

The DWP_Webfiltering folder also contains uDWPStarter_CA.log and uDWPStopper_CA.log, which contain installation information that is not related to diagnostic logging.

Configuring proxy settings for applications

After configuring the DWP connections, configure the proxy for Internet applications. You can use the Apply Proxy Setting option in DWP, or configure them in the browser.

To configure proxy settings using DWP:
1 Right-click the DWP tray icon and select Apply Proxy Setting.
2 In the pop-up submenu, select Internet Explorer or Firefox. A message confirms that the options are set for the browser to connect to DWP.

To configure proxy settings in your browser:
1 Open your browser and access its proxy settings option.
2 Set the host name to localhost and the port to 3128.
   This example is for Internet Explorer:
3 To allow access to company intranet sites:
   • In Internet Explorer, select Bypass proxy server for local addresses.
   • In Firefox, specify local addresses in the No Proxy For field, separated by commas.

Configuring DWP to use a PAC file

Before continuing with this section, ensure that the proxy auto configuration (PAC) file exists and is defined in the Web Security Service (see “Configuring a proxy automatic configuration (PAC) file” on page 25). Then follow the steps in this section to reference the PAC file in DWP.

To configure DWP to use your PAC file:
1 Right-click the DWP tray icon and select System Configurations. The System Configurations dialog provides two fields for automatic proxy configuration:
2 Select Enable Automatic Configuration to enable PAC file support.
3 Enter the URL of the PAC file’s location in the Address box. The URL address is the one you specified for the PAC file—a web server address, or a local or network drive. See “Specifying the PAC file on the Web Security Service” on page 25.
4 Click OK.
5 Restart DWP. To restart DWP, right-click the DWP icon on the system tray and select Re-start DWP, or use the Administrative Tools > Services console to restart DWP Local Proxy Service.

After the DWP has restarted, DWP will configure the browsers to start using the PAC file.

Note: If you prefer to enter settings directly into the registry, refer to “Using a script to automate registry settings” on page 41.

Using a script to automate registry settings

You can use a script to automate registry key settings for a mass rollout of DWP. You can run the registry editor file directly from a batch login script, or configure it using the Windows Group Policy editor (see “Using Windows’ Group Policy Object (GPO) to configure DWP” on page 27).
If you make registry changes directly, you must stop and restart DWP.

Caution: Use caution when editing the registry keys. Pay special attention to the information in “User settings” on page 42 that specifies the keys not to change.

Sample scripts

You can use the sample scripts in this section to update your registry with DWP settings. DWP settings are stored in these folders:
• HKEY_LOCAL_MACHINE\SOFTWARE\Web Filtering for settings common to all users on the system
• HKEY_CURRENT_USER\Software\Web Filtering\ESTPM\Session Data for per-user settings

Common settings

You can use this script for settings that are common to all users:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Web Filtering]
"LoginSessionSetupWait"=dword:000000b4
"EnableAutoApplySettings"=dword:00000001
"AutoApplySettingsDelay"=dword:00000000
"EnableAutoUpdate"=dword:00000001
"AutoUpdateInterval"=dword:00000007
"Presence"="Present"

These are the common settings:

Key descriptions

LoginSessionSetupWait: The time DWP waits for any login scripts applied for the user. By default, DWP waits for 180 seconds. You can use up to 300 seconds. Value is DWORD:000000b4

EnableAutoApplySettings: Enables DWP to apply the settings automatically to Internet Explorer and Firefox. Can be 0 or 1. Default is 1. Value is DWORD:00000001

AutoApplySettingsDelay: The number of seconds DWP waits before applying the settings to Internet Explorer and Firefox. This is a work-around to avoid conflicts with anti-virus software during restarts. Default is 0 and can be up to 300 seconds. Value is DWORD:00000000

EnableAutoUpdate: Configures the DWP to auto-update when the option is enabled on the Management Portal and a new version is available. Can be 0 or 1. Default is 1 for Yes. Value is DWORD:00000001

AutoUpdateInterval: The interval in number of days that DWP periodically checks for updates.
Default is the maximum of 7 days and can be configured from 1–7 days. Value is DWORD:00000007

Presence: Configures DWP availability. Values are:
• Present–DWP icon appears in the system tray (default).
• Admin–DWP options are accessible only using administrator logins.
• Cloaked–DWP options are hidden.

User settings

You can use this script for individual user settings:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Web Filtering\ESTPM\Session Data]
"UserName"=""
"Password"=hex:
"ProcessUploadURL"="/webfilter/services/processlist.php"
"ConnectionListURL"="/webfilter/services/connectionlist.php"
"PrimeLoginURL"="/webfilter/services/webreq.php"
"CheckUpdateURL"="/webfilter/services/update.php"
"ServiceURL"="http://dwp.ws.wssaas.com"
"RemoteProxyServerAddress"="wg.wrproxy.com"
"RemoteProxyServerPort"="3128"
"LocalProxyPort"="3128"
"ConnectionList"=""
"ObtainedPrimingURLs"=dword:00000001
"EnablePrimeLogin"=dword:00000001
"EnableCyberCafeMode"=dword:00000000
"AllowProcessUpdate"=dword:00000000
"AllowUnSafeBrowsing"=dword:00000000
"UpstreamProxies"=""
"LoggingLevel"="errors"
"EnableAutoConfigScript"=dword:00000000
"AutoConfigScriptAddress"=""

These are the user settings:

Key descriptions

UserName: Always leave blank. DWP gets this from the Web Security Service.

Password: Always leave blank. DWP gets this from the Web Security Service.

ProcessUploadURL: Use the value in the sample script. Do not change this value.

ConnectionListURL: Use the value in the sample script. Do not change this value.

PrimeLoginURL: Use the value in the sample script. Do not change this value.

CheckUpdateURL: Use the value in the sample script. Do not change this value.

ServiceURL: Use the value in the sample script. Determines the URL of the Web Security Service Management Portal (as listed in the PND). This is usually not an editable field; in all other cases, it is populated automatically.
RemoteProxyServerAddress: The proxy server address that specifies the location of the Web Security Service proxy. You can use the value in the sample script, or ask your provider if another remote proxy server address is appropriate for your location.

RemoteProxyServerPort: The proxy server port address that specifies the listening port of the Web Security Service. Use either 3128 or 8080. Default is 3128.

LocalProxyPort: Any available port number between 1025 and 65535 is allowed, but DWP manages this value and prefers 3128, so there is no need to change it. Default is 3128.

ConnectionList: Leave blank. DWP polls the Web Security Service every 15 minutes for entries from the Accounts > DWP Configuration subtab.

ObtainedPrimingURLs: If you provided the options RemoteProxyServerAddress, ServiceURL, and RemoteProxyServerPort in the script, use the value of 1; otherwise, use 0 so that DWP configures them. Default value: dword:00000001

EnablePrimeLogin: Enables or disables the Automatic User Name Resolution feature. Specify 1 to enable or 0 to disable. The recommended setting is 1. Default value: dword:00000001

EnableCyberCafeMode: Enables or disables the Dynamic Hotspot Management feature. Specify 1 to enable or 0 to disable. Default value: dword:00000000

AllowProcessUpdate: Enables or disables the Process on Port Update feature. Specify 1 to enable or 0 to disable. Default value: dword:00000000

AllowUnSafeBrowsing: Enables or disables the Allow Unsafe Browsing feature. Specify 1 to enable or 0 to disable. Default value: dword:00000000

UpstreamProxies: One or more address:port entries of internal proxy servers, if your organization requires that web traffic goes to those servers (such as ISA servers). Separate the URL and port with a colon, and separate multiple proxies with a semicolon.
For example:
proxyname:port
or
proxyname1:port1;proxyname2:port2;proxyname3:port3

LoggingLevel: Specifies the type of information to be logged. Default: “errors”. Values are:
• "errors" = Logs errors only.
• "errors_warnings" = Logs errors and warnings.
• "everything" = Logs information, errors, and warnings.
See “Configuring the DWP logging level” on page 38 for more information.

EnableAutoConfigScript: Specifies to use the PAC file located in AutoConfigScriptAddress. Specify 1 to enable and 0 to disable. If you specify 1, the option AutoConfigScriptAddress must have a value. Default value: dword:00000000

AutoConfigScriptAddress: The URL to the PAC file, provided on the Management Portal Resources tab.

4: Troubleshooting

This chapter provides DWP troubleshooting tips. If you are unable to resolve issues after referring to this information, contact Technical Support.

Topics in this chapter:
• FAQs
• Viewing running processes
• Running diagnostics
• Using the DWP Latency Tester
• Using DWP Network Packet Capture
• Error messages
• PAC file is unavailable when user profile folders are remapped

FAQs

Why won’t the DWP automatically resolve a user name and password?

If DWP won’t resolve a user name and password:
• Check your firewall. Ensure that your organizational firewall allows access to ports 80, 443, and 3128 to the IP address range detailed on your Provisioning Notification Document.
This access allows the DWP to issue commands to the Web Security Service to resolve the credentials.
• Select the Enable Automatic User Name Resolution option from the DWP System Configurations menu. See “DWP Configuration” on page 14.
• Ensure that the user name exists on the Web Security Service or that Enable DWP User Creation is enabled for the Account. Synchronize the user names directly from your LDAP directory, or enable DWP to create users on demand. See “Enabling the Account to use DWP” on page 12.
• Confirm that the DWP is operating inside your configured IP range. You can only resolve a user name from within your IP range, which is configured on your account in the Management Portal. If DWP tries to resolve the user name and password outside the configured IP range, it will fail and you must add it manually. When it is resolved, it remains cached.

I see this web page popup: “You are connecting from a location that requires you to logon.”

This message usually means that the DWP was unable to resolve the user name and password for the user. See the troubleshooting tips for “Why won’t the DWP automatically resolve a user name and password?”

I already have the Internet Explorer plug-in version 1.0 installed. Do I still need it?

No. The DWP replaces the Internet Explorer plug-in. After you install DWP, uninstall the Internet Explorer plug-in using the Add/Remove Programs console in Windows.

Why do I occasionally see the notification, “Connecting to the Internet Directly” when connection to the Web Security Service isn't available?

You see this message if the Dynamic Hotspot Management option is set in the DWP System Configurations menu, and your browser is blocked by a hotspot. Dynamic Hotspot Management enables mobile users to be redirected temporarily to a hotspot provider’s sign-up page to enter billing information. When billing or sign-up is complete, the connection is routed through the Web Security Service again.
You might also see this message if no network is available when you turn on your computer. The Dynamic Hotspot Management option should only be enabled on computers that are used for mobile access.

How do I enable the DWP to work for dial-up connections and VPNs?

In Internet Explorer:
1 Open the Tools menu, select Internet Options, and open the Connections tab. The text box labeled Dial-up and Virtual Private Network Settings lists additional connections.
2 Select the connection on which to enable DWP and click Settings. A dialog opens for you to configure the DWP proxy settings, which are usually the address localhost and the port number 3128.

Does the DWP support Fast User Switching on Windows XP?

Yes, DWP supports Fast User Switching.

Viewing running processes

You can use the DWP menu to see each process that has tried to use port 80 (HTTP) or port 443 (HTTPS) to communicate.

To see which HTTP/HTTPS applications are running on a machine:
1 Right-click the DWP icon in the system tray.
2 Select List HTTP/HTTPS Processes. This example shows process details:
3 Review any processes that show 80 or 443 in the Port column and configure them to route HTTP traffic via DWP. Processes that are correctly configured display Managed in the Port column.

Running diagnostics

You can perform a diagnostic test that reads your current DWP settings and logs DWP activity into a file. If you need help troubleshooting diagnostics logs, send the file to Technical Support.

To run diagnostics:
1 Hold down the Ctrl key and right-click the DWP tray icon.
2 Select Run Diagnostics from the pop-up menu. The DWP Diagnostics window opens.
3 Click Start. The DWP Diagnostics window shows the current state of the DWP.
4 Scroll down to view the captured events, including request and response strings, and the results. The diagnostics results are written to the DWP_Diagnostics.dat file and stored in this location:
%ALLUSERSPROFILE%\Application Data\DWP_Webfiltering\<WindowsloginID>
Every time you run diagnostics, the latest information is appended to the file.
Note: The Copy to Clipboard option is available from the Diagnostics window. Select this option to paste the diagnostics data from the current session into a text editor and save it to a file. You still have DWP_Diagnostics.dat, which was generated when you clicked Start.
5 Click Done to close the window.

Using the DWP Latency Tester

The DWP Latency Tester gathers latency data for use by Technical Support in troubleshooting connection problems. You only need to use this tool at the request of Technical Support.

The Latency Tester is integrated with the DWP Network Packet Capture tool. When you start a latency test, DWP creates a folder named DWP_Pcaps and begins capturing packets from active adapters. The packet capture stops automatically when the test completes. See “Using DWP Network Packet Capture” on page 52 for details.

The Latency Tester connects to a default set of web sites, which are identified in the file latcheck.conf.xml.
The default set of sites is based on the location of the system you’re testing:

System Location / Default Sites to Test

United States
• www.yahoo.com
• www.chase.com
• www.bankofamerica.com
• www.united.com
• www.yelp.com
• www.cnn.com
• www.stanford.com

United Kingdom/EMEA
• uk.yahoo.com
• www.lloydsbankinggroup.com
• www.bbc.co.uk
• www.britishairways.com
• www.thetimes.co.uk
• www.ox.ac.uk
• www.squaremeal.co.uk

Australia
• au.yahoo.com
• www.eatability.com.au
• www.qantas.com.au
• www.abc.net.au
• www.commbank.com.au
• www.heraldsun.com.au
• www.uws.edu.au

You can modify the latcheck.conf.xml file to add or delete web sites as appropriate for your system. The file is installed with DWP in C:\Program Files\Web Security Service\Desktop Web Proxy\latcheck.conf.xml.

Note: If you modify latcheck.conf.xml, change only the default troubleshooting sites.

The Latency Tester reads latcheck.conf.xml and connects twice to each site listed: once directly, and once through the DWP. The tester connects to each set of sites three times, and records this information:
• the time it takes to connect directly
• the time it takes to connect through the proxy
• the latency difference on each pass
• the average latency difference from the three passes.

The DWPLatencyTest.txt file contains the results of the test.

Latency Check Run 1....
Resource requested          Time Direct   Time Proxy   Diff (TP - TD)
------------------------------------------------------------------------
http://www.yahoo.com/       297ms         500ms        203ms
https://www.chase.com/      843ms         01s:157ms    314ms
https://www.bankofamer...   375ms         656ms        281ms
http://www.united.com/      375ms         422ms        47ms
http://www.yelp.com/        12s:875ms     02s:484ms    -10s:391ms
http://www.cnn.com/         625ms         969ms        344ms
http://www.stanford.com/    47ms          109ms        62ms
------------------------------------------------------------------------
Latency Check Run 2....
Resource requested          Time Direct   Time Proxy   Diff (TP - TD)
------------------------------------------------------------------------
http://www.yahoo.com/       313ms         406ms        93ms
https://www.chase.com/      797ms         672ms        -125ms
. . .
Average diff - latency while using proxy vs going direct
------------------------------------------
Resource requested          Average Diff
------------------------------------------
http://www.yahoo.com/       395ms
https://www.chase.com/      94ms
https://www.bankofamer...   20ms
http://www.united.com/      77ms
http://www.yelp.com/        -05s:463ms
http://www.cnn.com/         364ms
http://www.stanford.com/    62ms
------------------------------------------

To run the Latency Tester:
1 Hold down the Ctrl key and right-click the DWP tray icon.
2 Select Latency Test from the pop-up menu. The Latency Tester window opens, with the path to your desktop selected. The desktop is the default output path.
3 Click Start to accept the default folder, or Browse to another folder and click Start. When the test is complete, the output file DWPLatencyTest.txt is available on your desktop or other location you specified.
4 Click Send Email to Support in the Latency Tester dialog to send the output file to technical support for help with troubleshooting. The Latency Tester opens your default email client using the support email address, and identifies the locations of the results of the latency test and packet capture:
5 Attach the DWPLatencyTest.txt and the files in the DWP_Pcaps folder to the email and send them to support.

Using DWP Network Packet Capture

DWP Network Packet Capture gathers data from all active adapters, for use in troubleshooting network problems. For example, Network Packet Capture gathers data for each network interface card that is sending information. You only need to use this tool at the request of Technical Support.
The DWP Latency Tester also gathers network packet data; see “Using the DWP Latency Tester” on page 49 for information.

Each time a capture runs it creates the DWP_Pcaps folder on the desktop. The DWP_Pcaps folder contains a folder for each capture that is run. The capture folders are identified by the date and time of the capture, for example, 06-06-2011_12-55.

Note: Although each capture creates one capture file for each adapter on the machine, only the files for active adapters contain data. The other files contain only 24 bytes of header information and no data.

The capture folders contain two types of files:
• A .pcap file for each adapter located, identifying the data packets that have been sent over the network.
• The file AdapterNames.txt, which identifies the adapter traffic.

Printing the device list:
1. rpcap://\Device\WPRO_41_2001_GenericDialupAdapter (Network adapter 'Adapter for generic dialup and VPN capture' on local host)
2. rpcap://\Device\WPRO_41_2001_{65914B87-711E-4CC1-A3C6-9DDC0B6C623B} (Network adapter 'NETGEAR WN121T Wireless USB 2.0 Adapter (Microsoft's Packet Scheduler) ' on local host)
3. rpcap://\Device\WPRO_41_2001_{E20B9819-0295-4437-B4E7-44124FD22FCA} (Network adapter 'VMware Virtual Ethernet Adapter' on local host)
4. rpcap://\Device\WPRO_41_2001_{471741F2-E04C-4C95-A8FF-DEF73B68DDC2} (Network adapter 'VMware Virtual Ethernet Adapter' on local host)
5. rpcap://\Device\WPRO_41_2001_{2502296A-06AB-40E6-AD14-DB0DF60D1E2E} (Network adapter 'Realtek 10/100/1000 Ethernet NIC (Microsoft's Packet Scheduler) ' on local host)

To run DWP Network Packet Capture:
1 Hold down the Ctrl key and right-click the DWP tray icon.
2 Select Network Packet Capture from the pop-up menu. The Network Packet Capture window opens with the path to your desktop selected. The desktop is the default output path.
3 Click Start Capture to accept the default folder, or Browse to another folder and click Start Capture.
4 Click Close to hide the window. A notification bubble opens over the DWP icon periodically, reminding you that the capture is running:
Note: We recommend that you run DWP packet capture for only as long as it takes you to recreate the problem. This keeps file sizes to a minimum and makes it easier to identify problems.
5 When you have captured enough data to recreate the problem you’re troubleshooting, Ctrl/right-click the DWP icon to open the Network Packet Capture window and click Stop Capture.

The capture results are available in the DWP_Pcaps folder on your desktop or other specified location. The folder is identified by the date and time of the capture. The DWP_Pcaps folder contains one folder for each capture, which contains a .pcap file for each adapter found, and the AdapterNames.txt file. For example:

Note: Contact technical support to determine the best way to send the .pcap files to them. These files are very large.

Error messages

If the Desktop Web Proxy is not configured properly, the user may see one of these errors when trying to browse the Internet:
• DNS Lookup Failed. This message appears if the user typed the wrong URL, if the upstream proxy server name provided is not correct in the DWP configuration, or the Web Security Service server name is not correct in the DWP configuration. The message will indicate the host name which was not resolved.
• Cannot Load The Web Page. This message appears if connection to the Internet is lost, the web site is currently unavailable, the computer may be offline, or the Web Security Service cannot be contacted.
• Web Security Disabled By External Environment.
This message appears if DWP’s Allow Unsafe Browsing option is disabled, and the user is in a hotspot where Internet access is blocked or re-routed (not going through DWP).
• Failed To Make Direct Connection To Server. This message appears if connection to the Internet is lost or the web site is currently unavailable. The message will indicate the host name which was not resolved.

PAC file is unavailable when user profile folders are remapped

DWP is unable to create local PAC files for users when the \%USERPROFILE%\ folders are mapped to a network drive. This is because upon startup, DWP applies settings to the browser, and downloads and saves the PAC file. However, the GPO takes some time to map the folders and drives. As a result, DWP applies the settings and stores the PAC file to the default profile before the GPO has completed the mapping of the network location to the user profile. This makes the settings and PAC file unavailable to the user.

To resolve this, introduce a slight delay, usually a few seconds, so that DWP waits until GPO has completed its mapping. Then DWP can continue applying settings and saving the PAC file to the remapped user profile.

To enter a time delay:
1 In the Registry, go to the DWP settings: HKEY_LOCAL_MACHINE\SOFTWARE\Web Filtering
2 Set AutoApplySettingsDelay to a value in seconds that is greater than 0. Use the lowest possible time delay that will work for you. For example, start with 30 and adjust as required.
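The rules stated in the registry key descriptions in chapter 3 (allowed ports, logging levels, the PAC dependency, the upstream proxy list format) can be checked mechanically before a script is rolled out. The following is an added example, not part of the guide or of Webroot's tooling; it assumes the values were exported as .reg text, and the sample values, their location under the key shown, and their dword or string types are constructed assumptions.

```python
import re

FLAGS = ("ObtainedPrimingURLs", "EnablePrimeLogin", "EnableCyberCafeMode",
         "AllowProcessUpdate", "AllowUnSafeBrowsing", "EnableAutoConfigScript")
REVIEW = {  # features that default to 0; a 1 deserves a second look
    "EnableCyberCafeMode": "enable only on computers used for mobile access",
    "AllowUnSafeBrowsing": "differs from the documented default of 0",
}
LOG_LEVELS = {"errors", "errors_warnings", "everything"}
ENTRY = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dw>[0-9a-fA-F]{8})|"(?P<s>.*)")$')
UPSTREAM = re.compile(r"^[^:;\s]+:(\d{1,5})$")

# Constructed sample, not from the guide; key path and value types are assumptions.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Web Filtering]
"RemoteProxyServerPort"="3128"
"LocalProxyPort"=dword:00000050
"EnableAutoConfigScript"=dword:00000001
"AutoConfigScriptAddress"=""
"UpstreamProxie"="isa1:8080;isa2"
"LoggingLevel"="verbose"
"EnableCyberCafeMode"=dword:00000001
'''

def parse_reg(text):
    """Return {value name: int for dword, str otherwise} from .reg export text."""
    values = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            values[m["name"]] = int(m["dw"], 16) if m["dw"] else m["s"]
    return values

def port_of(value):
    try:
        return int(value)  # accepts a dword or a numeric string
    except (TypeError, ValueError):
        return None

def audit(values):
    """Check parsed values against the key descriptions; return (severity, key, message)."""
    out = [("error", k, "must be 0 or 1") for k in FLAGS
           if k in values and values[k] not in (0, 1)]
    if port_of(values.get("RemoteProxyServerPort", 3128)) not in (3128, 8080):
        out.append(("error", "RemoteProxyServerPort", "use 3128 or 8080"))
    local = port_of(values.get("LocalProxyPort", 3128))
    if local is None or not 1025 <= local <= 65535:
        out.append(("error", "LocalProxyPort", "must be between 1025 and 65535"))
    if values.get("ConnectionList"):
        out.append(("warn", "ConnectionList", "leave blank; DWP fills it by polling"))
    if values.get("LoggingLevel", "errors") not in LOG_LEVELS:
        out.append(("error", "LoggingLevel", "unknown logging level"))
    if values.get("EnableAutoConfigScript") == 1 and not values.get("AutoConfigScriptAddress"):
        out.append(("error", "AutoConfigScriptAddress", "required when EnableAutoConfigScript is 1"))
    for entry in filter(None, (e.strip() for e in str(values.get("UpstreamProxie", "")).split(";"))):
        m = UPSTREAM.match(entry)
        if not m or not 1 <= int(m[1]) <= 65535:
            out.append(("error", "UpstreamProxie", f"bad entry {entry!r}; expected address:port"))
    out += [("review", k, why) for k, why in REVIEW.items() if values.get(k) == 1]
    return out
```

Running audit(parse_reg(SAMPLE_REG)) reports the out-of-range local port, the unknown logging level, the missing PAC address, and the upstream entry without a port, and lists the hotspot setting for review.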
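The run tables in DWPLatencyTest.txt use a mixed duration notation (297ms, 01s:157ms, -10s:391ms), which makes them awkward to compare by eye. The following added example, which is not part of the guide or of DWP, parses the per-run rows, verifies that each Diff equals Time Proxy minus Time Direct, and lists the rows where the proxy path was faster; the rows are copied from the sample output above, and the one-row-per-line layout of the file is an assumption.

```python
import re

DUR = r"-?(?:\d+s:)?\d+ms"
ROW = re.compile(rf"^(https?://\S+)\s+({DUR})\s+({DUR})\s+({DUR})$")
RUN = re.compile(r"^Latency Check Run (\d+)")

# Rows copied from the guide's sample output; the line layout is an assumption.
SAMPLE = """\
Latency Check Run 1....
Resource requested Time Direct Time Proxy Diff (TP - TD)
http://www.yahoo.com/ 297ms 500ms 203ms
https://www.chase.com/ 843ms 01s:157ms 314ms
https://www.bankofamer... 375ms 656ms 281ms
http://www.united.com/ 375ms 422ms 47ms
http://www.yelp.com/ 12s:875ms 02s:484ms -10s:391ms
http://www.cnn.com/ 625ms 969ms 344ms
http://www.stanford.com/ 47ms 109ms 62ms
Latency Check Run 2....
http://www.yahoo.com/ 313ms 406ms 93ms
https://www.chase.com/ 797ms 672ms -125ms
Average diff - latency while using proxy vs going direct
http://www.yahoo.com/ 395ms
"""

def to_ms(text):
    """Convert '297ms', '01s:157ms' or '-10s:391ms' to signed milliseconds."""
    m = re.fullmatch(r"(-?)(?:(\d+)s:)?(\d+)ms", text)
    if not m:
        raise ValueError(f"not a DWP duration: {text!r}")
    value = int(m[2] or 0) * 1000 + int(m[3])
    return -value if m[1] else value

def parse_runs(report):
    """Return one dict per row of the per-run tables, times in milliseconds."""
    rows, run = [], None
    for line in report.splitlines():
        line = line.strip()
        header, row = RUN.match(line), ROW.match(line)
        if header:
            run = int(header[1])
        elif row and run is not None:  # two-column average rows never match ROW
            direct, proxy, diff = (to_ms(t) for t in row.groups()[1:])
            rows.append({"run": run, "url": row[1], "direct": direct,
                         "proxy": proxy, "diff": diff})
    return rows

def review(rows):
    """Return (rows whose Diff is not proxy minus direct, rows where the proxy was faster)."""
    inconsistent = [r for r in rows if r["diff"] != r["proxy"] - r["direct"]]
    proxy_faster = [r for r in rows if r["diff"] < 0]
    return inconsistent, proxy_faster
```

On the sample rows every Diff is consistent, and the two negative rows (yelp in run 1, chase in run 2) are the ones where the direct connection was the slow path, which is worth knowing before reading the averages.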
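The note in “Using DWP Network Packet Capture” says that files for inactive adapters hold only 24 bytes of header information, which is the size of the classic pcap file header. The following added example, which is not part of the guide or of DWP, classifies each .pcap file in a capture folder as header-only, containing packets, or truncated by walking the record headers without loading payloads; it assumes the files are in classic pcap format (not pcapng), and make_sample builds constructed test data.

```python
import struct
from pathlib import Path

GLOBAL_HDR = 24  # classic pcap file header: all that an idle adapter's file contains
RECORD_HDR = 16  # per-packet header: ts_sec, ts_frac, incl_len, orig_len
MAGICS = {       # first four file bytes -> struct byte-order prefix
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}

def inspect_pcap(stream):
    """Return (status, packets, captured_bytes) for a seekable binary stream.

    Only record headers are read, so large captures are not loaded into memory.
    """
    size = stream.seek(0, 2)
    stream.seek(0)
    head = stream.read(GLOBAL_HDR)
    if len(head) < GLOBAL_HDR or head[:4] not in MAGICS:
        return ("not-pcap", 0, 0)
    order = MAGICS[head[:4]]
    offset, packets, captured = GLOBAL_HDR, 0, 0
    while offset < size:
        stream.seek(offset)
        record = stream.read(RECORD_HDR)
        if len(record) < RECORD_HDR:
            return ("truncated", packets, captured)
        incl_len = struct.unpack(order + "IIII", record)[2]
        offset += RECORD_HDR + incl_len
        if offset > size:  # payload runs past the end of the file
            return ("truncated", packets, captured)
        packets += 1
        captured += incl_len
    return ("has-packets" if packets else "header-only", packets, captured)

def triage_capture_folder(folder):
    """Map each .pcap file name in one capture folder to its inspect_pcap result."""
    results = {}
    for path in sorted(Path(folder).glob("*.pcap")):
        with path.open("rb") as stream:
            results[path.name] = inspect_pcap(stream)
    return results

def make_sample(payloads):
    """Build constructed little-endian pcap bytes (Ethernet link type) for testing."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for payload in payloads:
        data += struct.pack("<IIII", 0, 0, len(payload), len(payload)) + payload
    return data
```

Pointing triage_capture_folder at one dated folder under DWP_Pcaps shows which adapter files are worth sending and which are empty headers.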