SmartFilter DA 4.0 Administration Guide
Transcription
SmartFilter DA 4.0 Administration Guide
ADMINISTRATION GUIDE www.securecomputing.com Copyright © 2005 Secure Computing Corporation. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Secure Computing Corporation. Trademarks Secure Computing, SafeWord, Sidewinder, Sidewinder G2, SmartFilter, Type Enforcement, SofToken, Enterprise Strong, Mobile Pass, G2 Firewall, PremierAccess, SecureSupport, SecureOS, Bess and Strikeback are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. G2 Enterprise Manager, SmartReporter, On-Box, Application Defenses, RemoteAccess, Sentian, Securing connections between people, applications and networks are trademarks of Secure Computing Corporation. All other trademarks, tradenames, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners. Software License Agreement The following is a copy of the Software License Agreement as shown in the software: CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE LOADING THE SOFTWARE. BY CLICKING "I ACCEPT" BELOW, OR BY INSTALLING, COPYING, OR OTHERWISE USING THE SOFTWARE, YOU ARE SIGNING THIS AGREEMENT, THEREBY BECOMING BOUND BY ITS TERMS. IF YOU DO NOT AGREE WITH THIS AGREEMENT, THEN CLICK "I DO NOT ACCEPT" BELOW AND RETURN ALL COPIES OF THE SOFTWARE AND DOCUMENTATION TO SECURE COMPUTING CORPORATION ("SECURE COMPUTING") OR THE RESELLER FROM WHOM YOU OBTAINED THE SOFTWARE. If this Software is being installed by a third party (for example, a value-added reseller, consultant, employee, or agent), such third party represents that it has the authority to bind the person or entity for whom the Software is being installed, and that its acceptance of this Agreement in the manner set forth above does bind such person or entity. 1. Grant of License. Secure Computing grants to you, and you accept, a non-exclusive, and non-transferable license (without right to sub-license) to use the Software Products and Control List as defined herein, for a predefined set number of users. 2. Software Products. "Software Product(s)" means (i) the machine-readable object-code versions of the SmartFilter® software contained in the media (the "Software"), (ii) the published user manuals and documentation that are made available for the Software (the "Documentation"), and (iii) any updates or revisions of the Software or Documentation that you may receive (the "Update"). Under no circumstances will you receive any source code of the Software. Software Products provided for use as "backup" in the event of failure of a primary unit may be used only to replace the primary unit after a failure in fact occurs. They may not be used to provide any capability in addition to the functioning primary system that they backup. 3. SmartFilter Control List Subscription Service. Secure Computing provides access to available updates to the SmartFilter Control List (the "Control List") on a subscription basis measured from the delivery of the Software Product to you. Sixty (60) days prior to the expiration of each subscription term, Secure Computing shall invoice you the then prevailing annual renewal fees for the Control List subscription. Payment of the annual renewal fees for the Control List shall entitle you to receive these services for the following year. Either party may terminate the Control List subscription at the end of any annual term by providing sixty (60) days advance written notice to the other party. 4. Limitation of Use. You may not: 1) copy, except to make one copy of the Software or Control List solely for backup or archival purposes; 2) transfer, distribute, rent, lease or sublicense all or any portion of the Software Product or Control List to any third party; 3) translate, modify, adapt, decompile, disassemble, or reverse engineer any Software Product or Control List in whole or in part; or 4) modify or prepare derivative works of the Software Product or Control List. 5. Limited Warranty and Remedies. Secure Computing warrants that the medium/media on which its Software is recorded is/are free from defects in material and workmanship under normal use and service for a period of ninety (90) days from the date of shipment to you. Secure Computing does not warrant that the functions contained in the Software will meet your requirements or that operation of the program will be uninterrupted or error-free. The Software is furnished "AS IS" and without warranty as to the performance or results you may obtain by using the Software. The entire risk as to the results and performance of the Software is assumed by you. If you do not receive media which is free from defects in materials and workmanship during the 90-day warranty period, you will receive a refund for the amount paid for the Software i Product returned. 6. Limitation Of Warranty And Remedies. THE WARRANTIES STATED HEREIN ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES AND COUNTRIES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS WHICH VARY BY STATE OR COUNTRY. SECURE COMPUTING'S AND ITS LICENSORS ENTIRE LIABILITY UNDER, FOR BREACH OF, OR ARISING OUT OF THIS AGREEMENT, IS LIMITED TO A REFUND OF THE PURCHASE PRICE OF THE PRODUCT OR SERVICE THAT GAVE RISE TO THE CLAIM. IN NO EVENT SHALL SECURE COMPUTING OR ITS LICENSORS BE LIABLE FOR YOUR COST OF PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL SECURE COMPUTING OR ITS LICENSORS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES WHETHER OR NOT SECURE COMPUTING HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. 7. Term and Termination. This license is effective until terminated. You may terminate it at any time by destroying the Software Product, including all computer programs and documentation, and erasing any copies residing on computer equipment. This Agreement also will automatically terminate if you do not comply with any terms or conditions of this Agreement. Upon such termination you agree to destroy the Software Product and erase all copies residing on computer equipment. 8. Ownership. The Software and Control List are licensed (not sold) to you. All intellectual property rights including trademarks, service marks, patents, copyrights, trade secrets, and other proprietary rights in or related to the Software Products and Control List are and will remain the property of Secure Computing or its licensors, whether or not specifically recognized or protected under local law. You will not remove any product identification, copyright notices, or other legends set forth on the Software Product or Control List. 9. Export Restrictions. You agree to comply with all applicable United States export control laws and regulations, including without limitation, the laws and regulations administered by the United States Department of Commerce and the United States Department of State. 10. U.S. Government Rights. Software Products furnished to the U.S. Government are provided on these commercial terms and conditions as set forth in DFARS 227.7202-1(a). 11. Entire Agreement. This Agreement is our offer to license the Software Product and Control List to you exclusively on the terms set forth in this Agreement, and is subject to the condition that you accept these terms in their entirety. If you have submitted (or hereafter submit) different, additional, or other alternative terms to Secure Computing or any reseller or authorized dealer, whether through a purchase order or otherwise, we object to and reject those terms. Without limiting the generality of the foregoing, to the extent that you have submitted a purchase order for the Software Product, any shipment to you of the Software Product is not an acceptance of your purchase order, but rather is a counteroffer subject to your acceptance of this Agreement without any objections or modifications by you. To the extent that we are deemed to have formed a contract with you related to the Software Product prior to your acceptance of this Agreement, this Agreement shall govern and shall be deemed to be a modification of any prior terms in their entirety. 12. General. Any waiver of or modification to the terms of this Agreement will not be effective unless executed in writing and signed by Secure Computing. If any provision of this Agreement is held to be unenforceable, in whole or in part, such holding shall not affect the validity of the other provisions of this Agreement. You may not assign this License or any associated transactions without the written consent of Secure Computing. This License shall be governed by and construed in accordance with the laws of California, without regard to its conflicts of laws provisions. ii Technical Support information Secure Computing works closely with our Channel Partners to offer worldwide Technical Support services. If you purchased this product through a Secure Computing Channel Partner, please contact your reseller directly for support needs. To contact Secure Computing Technical Support directly, telephone +1.800.700.8328 or +1.651.628.1500. If you prefer, send an e-mail to support@securecomputing.com. To inquire about obtaining a support contract, refer to our "Contact Secure" Web page for the latest information at www.securecomputing.com. Customer Advocate information To suggest enhancements in a product or service, or to request assistance in resolving a problem, please contact a Customer Advocate at +1.877.851.9080. If you prefer, send an e-mail to customer_advocate@securecomputing.com. If you have comments or suggestions you would like to make regarding this document or any other Secure Computing document, please send an e-mail to techpubs@securecomputing.com. Printing history Date Part number Software release March 2005 86-0944653-A SmartFilter DA v4.0. iii iv Table of Contents T Preface: About this Guide. . . . . . . . . . . . . . . . . . . . . . . . . . .vii Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii Who should read this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii How to use this guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii Tips for finding information . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii Printing this book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii Related information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii Chapter 1: Introducing SmartFilter DA . . . . . . . . . . . . . . . 1-1 What is SmartFilter DA? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Comprehensive, accurate Web content categorization . . . . . . 1-2 Simple, secure, network-based administration . . . . . . . . . . . . 1-2 Accessing SmartFilter DA settings . . . . . . . . . . . . . . . . . . . . . . . 1-3 Logging on to the Control Center . . . . . . . . . . . . . . . . . . . . . . 1-4 Browsing the Web with SmartFilter DA . . . . . . . . . . . . . . . . . . . . 1-6 Viewing the redirect page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6 Submitting site review requests . . . . . . . . . . . . . . . . . . . . . . . 1-6 Overriding filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7 Getting help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8 Viewing the online guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8 Looking at SmartFilter DA Help . . . . . . . . . . . . . . . . . . . . . . . . 1-9 Contacting technical support . . . . . . . . . . . . . . . . . . . . . . . . . 1-10 Chapter 2: Configuring SmartFilter DA . . . . . . . . . . . . . . . 2-1 Overview of setting general options . . . . . . . . . . . . . . . . . . . . . . 2-2 Changing personal settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 Setting Monitor with Warning options . . . . . . . . . . . . . . . . . . . . . 2-6 Choosing a redirect page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9 Customizing a redirect page . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 Chapter 3: Delegating Administration . . . . . . . . . . . . . . . . 3-1 Overview of delegating administration . . . . . . . . . . . . . . . . . . . . 3-2 How delegated administration works . . . . . . . . . . . . . . . . . . . 3-2 Table of Contents v Table of Contents The differences between super- and subadministrators . . . . . 3-4 Delegating zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 Managing zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7 Managing administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 Chapter 4: Customizing Web Filtering. . . . . . . . . . . . . . . . 4-1 Overview of customizing Web filtering . . . . . . . . . . . . . . . . . . . . 4-2 How Web content categorization works . . . . . . . . . . . . . . . . . 4-2 Using filters to manage Web access . . . . . . . . . . . . . . . . . . . . 4-2 Creating custom block and allow lists . . . . . . . . . . . . . . . . . . . 4-3 Defining filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Creating custom categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8 Blocking specific Web content . . . . . . . . . . . . . . . . . . . . . . . . . 4-10 Tips on using Virtual Reviewer . . . . . . . . . . . . . . . . . . . . . . . 4-12 Allowing specific Web content . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13 Filtering using keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15 Tips for entering keywords using Boolean operators . . . . . . 4-16 Filtering using file types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18 Guidelines for specifying URLs to filter . . . . . . . . . . . . . . . . . . . 4-20 General guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20 Optimizing the block list for Virtual Reviewer™ . . . . . . . . . . 4-20 Syntax for entering Web sites, file types, and keywords . . . . 4-22 Chapter 5: Applying Filters. . . . . . . . . . . . . . . . . . . . . . . . . 5-1 Overview of applying Web filters . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Handling multiple filter assignments . . . . . . . . . . . . . . . . . . . . 5-2 Applying a global filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 Assigning filters to users and groups . . . . . . . . . . . . . . . . . . . . . 5-6 Scheduling filter changes for users and groups . . . . . . . . . . . . . 5-8 Assigning filters to IP address ranges . . . . . . . . . . . . . . . . . . . . 5-10 Scheduling filter changes for IP address ranges . . . . . . . . . . . . 5-12 Authorizing users to override filtering . . . . . . . . . . . . . . . . . . . . 5-15 Chapter 6: Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . 6-1 Introduction to troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Problems with the Control Center . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Problems with Web access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 Problems with delegating administration . . . . . . . . . . . . . . . . . . . 6-5 vi Table of Contents P R E F A C E P About this Guide Introduction This guide contains information on SmartFilter DA options and features and how to use them. Who should read this guide You should read this guide if you are responsible for evaluating, installing or configuring SmartFilter to run on a network. This guide assumes you are familiar with SmartFilter and your organization’s internal network and the operating system on which the SmartFilter software will reside. You should also have some knowledge of the Internet, HTTP (Hypertext Transfer Protocol), and FTP (File Transfer Protocol). How to use this guide This guide is organized in the following main sections. Section Description Chapter 1 Provides SmartFilter DA overview information. Introducing SmartFilter DA Chapter 2 Configuring SmartFilter DA Provides SmartFilter DA configuration information. Chapter 3 Delegating Administration Provides SmartFilter Delegating Administration configuration information. Chapter 4 Customizing Web Filtering Provides information on selecting the Web filter content to block or allow. Chapter 5 Applying Filters Provides information on applying filters to users and groups. Chapter 6 Troubleshooting Provides basic SmartFilter troubleshooting information. Preface: About this Guide vii Related information Tips for finding information Check the Table of Contents for the primary topics covered in this guide. When viewing this guide online, you can use Acrobat’s Find feature to search for every instance of any word or phrase that you want. Also, the entries in the Table of Contents are active links; clicking on an entry will jump to that topic. P Printing this book For the best results, print this PDF book using Acrobat Reader Version 5 or greater and print using a PostScript printer driver. If your printer understands PostScript but does not have a PostScript driver installed, you need to install a PostScript driver. You can download one from www.adobe.com. If your printer is not a PostScript printer, and the book does not print out as expected, try one of the following: — If your printer has the option, Print as Image, set this option on and then try printing. — Print specific page(s) one at a time rather than sending the entire book to the printer. Related information viii Preface: About this Guide For all SmartFilter DA and SmartReporter 1.1 information, review the appropriate documentation (PDF document, Release Notes, etc.). CH APTER 1 Introducing SmartFilter DA 1 This chapter provides an introduction to SmartFilter and how to access the help. It contains the following topics: “What is SmartFilter DA?” on page 1-2 “Accessing SmartFilter DA settings” on page 1-3 “Browsing the Web with SmartFilter DA” on page 1-6 “Getting help” on page 1-8 Introducing SmartFilter DA 1-1 What is SmartFilter DA? What is SmartFilter DA? 1 SmartFilter DA gives users in your organization access to Internet resources while minimizing the legal, productivity, and bandwidth concerns that the Web often introduces. Easy to administer and fully integrated with Red Hat Linux, SmartFilter DA prevents inappropriate Web content from reaching users on your network. Comprehensive, accurate Web content categorization SmartFilter DA helps you manage your organization’s Internet use by giving you access to Secure Computing’s comprehensive database of Web sites. Secure Computing adds thousands of new entries per day to this database through a combination of techniques, including: Sophisticated artificial intelligence technology that gathers suspect URLs and analyzes their content. A team of human reviewers that analyzes the Web site content of the suspect URLs, and then categorizes sites accordingly. Customer suggestions, which Secure Computing evaluates and adds to its database as appropriate. Once you download the database of Web sites, you can create filters that block or allow specific categories of URLs, and then apply the filters to users on your network. Simple, secure, network-based administration SmartFilter DA is not a software program installed on individual computers. Instead, it operates at the server level, providing filtering for every computer on the network. For the administrator, this means improved security and simplified maintenance. And, because it’s configured locally, you can customize SmartFilter DA to meet the specific needs of your organization. Using SmartFilter DA, you can create a variety of filters tailored to your organization’s Internet policies and preferences, and then assign these filters to users, groups, and IP addresses on your network. You can also schedule filters to apply during certain times of the day, block and allow particular Web sites, keywords, and file types, and authorize specific users to temporarily override filtering. And if you choose, you can delegate administrative tasks to other individuals in your organization. 1-2 Introducing SmartFilter DA Accessing SmartFilter DA settings With SmartFilter DA, you can manage filtering for your organization through a single Web-based interface. This central, server-based approach provides a Web filtering solution that is flexible and easy to maintain, and that gives you more precise control over how the Internet is used within your organization. Accessing SmartFilter DA settings To define and manage your organization’s filtering policy, open SmartFilter DA and click a tab to access a particular set of features. Superadministrators see all of the following tabs; subadministrators see only those tabs that correspond with their administrator rights. Home is the main welcome tab. Define Filters lets you implement a filtering policy using filters and custom categories. For information on defining filters and custom categories, see “Defining filters” on page 4-5 and “Creating custom categories” on page 4-8. Assign Filters lets you apply filters to users, groups, and IP addresses in your organization. For information on assigning filters, see “Applying a global filter” on page 5-4, “Assigning filters to users and groups” on page 5-6, and “Assigning filters to IP address ranges” on page 5-10. Create Custom Lists lets you block and allow specific Web sites, keywords, and file types. For information on creating custom lists, see “Blocking specific Web content” on page 4-10 and “Allowing specific Web content” on page 4-13. Assign Overrides lets you give certain users the ability to temporarily override filtering. For information on assigning override privileges, see “Authorizing users to override filtering” on page 5-15. Choose Redirect Page lets you select and customize the page that appears when users try to access blocked Web content. For information on selecting a redirect page, see “Choosing a redirect page” on page 2-9. Delegate Tasks lets you give administrator responsibilities to other individuals within your organization. For information on delegating administrator tasks, see “Overview of delegating administration” on page 3-2. Change My Profile lets you specify your e-mail address, change your logon name and password, and choose how to display IP ranges. For information on changing profile settings, see “Changing Introducing SmartFilter DA 1-3 Accessing SmartFilter DA settings personal settings” on page 2-4. Configure System lets you manage system settings, as well as download the latest Control List from Secure Computing. For information on setting system options, see the SmartFilter DA Installation Guide. Logging on to the Control Center To access the Control Center, use a Web browser on any computer on your network that has access to the computer where SmartFilter DA is installed. Note: For optimal viewing, open the Control Center with Microsoft Internet Explorer 5.5 or later, or Mozilla 1.0 or later. Note that you must enable JavaScript in your browser to take advantage of all SmartFilter DA features. To log on to the Control Center 1. Open a new browser window. 2. In the Address box or Location box, type: https://Address/controlcenter Note: For Address, type the IP address or fully qualified domain name (FQDN) of the computer where SmartFilter DA is installed. 3. In the Look In list, click the directory service where your user profile resides. If you didn’t specify the logon using a directory service, click Local. 4. Type your administrator name and password. 5. Click OK. Note: When working in the Control Center, it’s recommended that you don’t click the browser’s Back button or Refresh (Reload) button. By default, if the Control Center is inactive for 10 minutes or longer, you must log back on to the Control Center. To change the default time-out period, see the SmartFilter DA Installation Guide. 1-4 Introducing SmartFilter DA Accessing SmartFilter DA settings Figure 1-1. Logging on to the Control Center To open SmartFilter DA, select your network location. Type your administrator name and password, and Click here to log off or access help. Click a tab on the navigation bar to access a particular set of features. Introducing SmartFilter DA 1-5 Browsing the Web with SmartFilter DA Browsing the Web with SmartFilter DA SmartFilter DA prevents users from accessing inappropriate Web sites without detracting from their normal Web browsing experience. If a user tries to access a blocked site, SmartFilter DA rejects the request and displays a redirect page. If a site isn’t in a blocked or warned category, the user accesses the site without any interference. Viewing the redirect page If users request a Web page that’s in a category you’ve chosen to block, SmartFilter DA displays a redirect page. The redirect page provided by SmartFilter DA displays the page’s URL and filter category. The user can then choose to submit a site review request to the administrator; override filtering using an authorized name and password; or go to another site. You choose the redirect page that appears in users’ browsers—either SmartFilter DA’s redirect page, a customized version of SmartFilter DA’s redirect page, or a specific Web address. For information on specifying a redirect page, see “Choosing a redirect page” on page 29. Submitting site review requests If a user needs to access a blocked Web site, he or she can click a link on the redirect page to send a site review request to the administrator. This request lets the user explain why access to a particular site is necessary. Note that if a subadministrator doesn’t specify an e-mail address on the Change My Profile tab, SmartFilter DA forwards site review requests from users in that subadministrator’s zone to the next administrator up in the hierarchy. Note: If users are abusing the review request feature, you can remove the request link from the redirect page. For information on removing the request link, see “Choosing a redirect page” on page 2-9. To submit a site review request 1-6 Introducing SmartFilter DA 1. On the redirect page, click Submit a Site Review Request. 2. To ensure that the administrator can reply to the request if necessary, Browsing the Web with SmartFilter DA type your e-mail address. 3. Type a message in the Comments box if necessary, and then click Submit. Overriding filtering The superadministrator has override privileges for the entire network. Subadministrators have override privileges on all computers with IP addresses in their assigned zone(s). Note that all administrators use the same name and password for overriding filtering as they do for logging on to the Control Center. Administrators can also grant override privileges to users on a caseby-case basis. However, subadministrators can only assign overrides to users in their zones if they have the appropriate administrator rights. For information on assigning override privileges, see “Authorizing users to override filtering” on page 5-15. To override filtering 1. On the redirect page, click Temporarily Bypass Filtering. 2. Type your override name and password. Note: If you’re an administrator, simply type your Control Center logon name and password. 3. Specify the length of time to override filtering. 4. Click Begin Override. After the override time expires, the user continues to see the requested page until he or she refreshes the page or enters another Web address. Introducing SmartFilter DA 1-7 Getting help Figure 1-2. Redirct page The administrator or an authorized user can choose to temporarily bypass filtering on this computer. This lets the user view the blocked page. Note: This redirect page is displayed if you don’t specify a custom redirect page. Getting help Use this guide, the SmartFilter DA Installation Guide, the SmartReporter Administration Guide, and online help to learn more about SmartFilter DA and SmartReporter. Viewing the online guides There are three online guides included with SmartFilter DA: This SmartFilter DA Administration Guide is geared toward filtering administrators and others responsible for implementing your organization’s filtering policy. It includes overviews of product concepts and features, as well as step-by-step procedures. The SmartFilter DA Installation Guide is geared toward system administrators and others responsible for installing SmartFilter DA and configuring it to run on a network. It includes step-by-step procedures and a troubleshooting section. The SmartReporter Administration Guide is geared toward filtering administrators and others responsible for viewing Web activity statistics. It includes overviews of reporting concepts and features, as well as step-by-step procedures. Use Adobe Acrobat® to view the guides online or to print them. You can access the guides in the /opt/n2h2/docs folder or the docs folder of your SmartFilter DA tar file. 1-8 Introducing SmartFilter DA Getting help Looking at SmartFilter DA Help SmartFilter DA Help provides instructions for performing various tasks in the Control Center. You can access online help from within the Control Center (see Figure 1-3). To access SmartFilter DA Help To view the complete list of help topics, click Help in the top right corner of the Control Center Home page. Click Contents to view a list of topics by feature, click Index to locate a topic by keyword, or click Search to view all topics that match the search criteria you type. To access help that’s specific to a particular page, click Help in the top right corner of that page. In addition, you can access help for SmartReporter from within the SmartReporter interface. Introducing SmartFilter DA 1-9 Getting help Figure 1-3. Accessing Help You can access help through the Control Center. Click Contents to view a list of topics by feature, click Index to locate a topic by keyword, or click Search to view all topics that match the search criteria you type. Contacting technical support Technical support for SmartFilter DA is available on the Web. You can access Secure Computing support resources at the following Web address: www.securecomputing.com/goto/support. If you’re still unable to resolve a problem, call +1.800.700.8328 or +1.651.628.1500. 1-10 Introducing SmartFilter DA CH APTER 2 Configuring SmartFilter DA 2 This chapter provides SmartFilter DA configuration information. It contains the following topics: “Overview of setting general options” on page 2-2 “Changing personal settings” on page 2-4 “Setting Monitor with Warning options” on page 2-6 “Choosing a redirect page” on page 2-9 “Customizing a redirect page” on page 2-11 Configuring SmartFilter DA 2-1 Overview of setting general options 2 Overview of setting general options Configuring SmartFilter DA is easy. Simply click the appropriate tab on the left side of the Control Center to access the settings you want to modify. Note: Superadministrators can access additional system settings on the Configure System tab. For information on these additional settings, see the SmartFilter DA Installation Guide. Click the Warnings tab under Define Filters to: Specify how the Monitor with Warning feature works, including whether to receive e-mail notifications when users bypass the warning page and how often to display the warning page in users’ browsers. For step-by-step instructions, see “Setting Monitor with Warning options” on page 2-6. Click Choose Redirect Page to: Specify the page that users see when they try to view blocked Web content. This can be the default page provided by SmartFilter DA, a custom page that you create, or a specific URL. For step-by-step instructions, see “Choosing a redirect page” on page 2-9. Click Change My Profile to: Specify the e-mail address where site review requests, override notifications, and warning notifications should be sent. For stepby-step instructions, see “Changing personal settings” on page 2-4. Change your logon name and password for accessing SmartFilter DA settings. For step-by-step instructions, see “Changing personal settings” on page 2-4. Choose to view IP ranges using descriptive text or numeric addresses. For step-by-step instructions, see “Changing personal settings” on page 2-4. 2-2 Configuring SmartFilter DA Overview of setting general options Figure 2-1. General filtering options Click Define Filters and then the Warnings subtab to specify Monitor with Warning options. Click Choose Redirect Page to select the page that appears in users’ browsers when they try to access blocked Web content. Click Change My Profile to set basic system options, including your logon information and e-mail address. Configuring SmartFilter DA 2-3 Changing personal settings Changing personal settings Use the Change My Profile tab to change your e-mail address, as well as your logon name and password. You can also choose whether to display IP ranges in the Control Center using descriptive text or numeric addresses. To change your personal settings 1. On the navigation bar, click Change My Profile. 2. In the Administrator list, click the administrator to change settings for. Note: This list only appears if there are subadministrators below you. 3. In the E-mail Address box, type the e-mail address where notifications should be sent. If you don’t type an e-mail address, site review requests are sent to the administrator one level up in the hierarchy. Note: SmartFilter DA sends site review requests, override notifications, and warning notifications related to users in your assigned zone(s) to this address. (System notifications are sent to the superadministrator only.) 4. Select one of the following options: Display IP Ranges Using Descriptions. This option displays IP ranges in the Control Center using the description specified for each IP range. Display IP Ranges Using IP Addresses. This option displays IP ranges in the Control Center using their numeric addresses. 5. Click Save. To change the Control Center logon Note: Before changing your logon name and password, save the changes you made during this session. In most cases, confirming the change logs you off from the Control Center. To log on again, you must use the new administrator name and password. 1. On the navigation bar, click Change My Profile. 2. In the Administrator list, click the administrator to change logon settings for. Note: This list only appears if there are subadministrators below you. 3. Click Change Logon. 4. Select one of the following options: Log on Using a Local Name and Password. This option lets you access the Control Center using a name and password you create. 2-4 Configuring SmartFilter DA Changing personal settings Type the name and password you want to use, and then retype the password to confirm it. Log on Using This User’s Network Logon Information. This option lets you access the Control Center using your network logon name and password. Click the directory service where your name resides. In the User/Group box, type the first letters of your name, and then click Search. Then in the list of matching users and groups, click your network logon name. Note that if you choose a group network name, each member of the group can access the Control Center using his or her individual network name and password. Note: If the superadministrator didn’t specify one or more directory services under Configure System, this option does not appear. Note: To display all of the users and groups in the selected directory service, leave the User/Group box empty and click Search. Note that if your directory service contains a large number of users, SmartFilter DA may not be able to display all of the users in a single list. 5. Type your full name as you want it to appear in the Control Center. This name helps you distinguish your settings from your subadministrators’ settings. 6. Click Save, and then click Yes to confirm the change. If necessary, you can change your logon without accessing the Control Center. For step-by-step instructions, see the SmartFilter DA Installation Guide. Figure 2-2. Changing your profile Type the e-mail address you want SmartFilter DA to send site review requests, override notifications, and warning notifications to. Specify how to display IP range information in the Control Center. Configuring SmartFilter DA 2-5 Setting Monitor with Warning options Setting Monitor with Warning options Choose how SmartFilter DA responds when users view sites that fit into categories you’ve set to Monitor with Warning. When you create a filter, you can set categories within that filter to Monitor with Warning. Then, when a user you’ve assigned that filter to attempts to access a site in a category set to Monitor with Warning, he or she sees a warning page. The user can bypass the warning page and view the site if he or she chooses, or go to another site. Note: If you specify a logo and/or links for your redirect page, they also appear on the warning page. For step-by-step instructions on modifying the redirect page, see “Customizing a redirect page” on page 2-11. SmartFilter DA lets you customize Monitor with Warning options. You specify whether to receive e-mail notifications when users bypass the warning page. You can also choose how long to turn off additional warnings for sites in a specific category after the initial warning page is bypassed. For example, let’s say that Mary, a user on your network, tries to access www.espn.com. Because the Sports category is set to Monitor with Warning under the filter you’ve assigned to her, SmartFilter DA displays a warning page. Mary decides to bypass the warning page and view the site. If you’ve turned off multiple warnings, Mary can navigate to different areas within www.espn.com, as well as to other sites in the Sports category, without encountering additional warning pages for the length of time you’ve specified. If you haven’t turned off multiple warnings, Mary sees a warning page each time she tries to access a different page within www.espn.com, as well as when she tries to access other sports-related sites. Note: You must have the appropriate administrator rights to set Monitor with Warning options. If you don’t have these rights, the Define Filters tab and its subtabs do not appear. 2-6 Configuring SmartFilter DA Setting Monitor with Warning options To set Monitor with Warning options 1. On the navigation bar, click Define Filters. 2. On the Warnings tab, in the Administrator list, click the administrator to change warning settings for. Note: This list only appears if there are subadministrators below you. 3. Check Send Me Warning Notifications to receive e-mail notifications when users choose to bypass the warning page and access sites in categories that you’ve chosen to “Monitor with Warning.” 4. If you chose to receive warning notifications, check Only If User Bypasses the Warning Page to receive notifications only after a user bypasses the warning page a specific number of times within a certain period. Specify the number of times that a user must bypass the warning page within a certain period in order to trigger the e-mail notification. Then specify the number of minutes in that period. 5. Check Don’t Show Warning Page Again to turn off additional warnings for sites in the same category after a user bypasses the initial warning page. Specify how long to turn off additional warnings after a user bypasses the initial warning page. 6. Click Save. Configuring SmartFilter DA 2-7 Setting Monitor with Warning options Figure 2-3. Setting Monitor with Warning options Choose whether to receive e-mail notifications when users bypass the warning page. If you chose to receive notifications, specify under what circumstances the notifications are sent to you. To turn off multiple warnings, check Don’t Show Warning Page Again, and then specify how long to turn off warnings after a user bypasses an initial warning page. 2-8 Configuring SmartFilter DA Choosing a redirect page Choosing a redirect page Specify the redirect page (also called block page) that users see when they try to access blocked Web sites. This redirect page can be the redirect page provided by SmartFilter DA, a custom redirect page, or any URL you specify. If you're a subadministrator, you can also choose to use the exact redirect page specified by the parent administrator directly above you. This redirect page can be a custom redirect page, SmartFilter DA's redirect page, or a URL; it can also be a redirect page specified by an administrator above your parent administrator. You can view your parent administrator's redirect page before choosing to display it. Note: You must have the appropriate administrator rights to specify a redirect page. If you don’t have these rights, the Choose Redirect Page tab does not appear. To specify a redirect page 1. On the navigation bar, click Choose Redirect Page. 2. In the Administrator list, click the administrator to specify a redirect page for. If you're a subadministrator who manages multiple zones, or if you choose a subadministrator from the Administrator list who manages multiple zones, the page automatically refreshes and shows you a list of delegated zones, as well as the redirect pages associated with those zones. Click the zone to specify a redirect page for, and then click Modify. 3. Select one of the following options: Display Redirect Page of Administrator Above Me. This option displays the exact redirect page specified by the parent administrator directly above the subadministrator you selected, whether that redirect page is a custom redirect page, SmartFilter DA's redirect page, or a URL. To view the parent administrator's redirect page, click View Admin's Page. (This option only appears for subadministrators, not for the superadministrator.) Display Default Redirect Page. This option displays SmartFilter DA's redirect page when users try to access blocked Web content. To view SmartFilter DA's redirect page in a separate browser window, click View Default Page. To include a link on SmartFilter DA’s page for submitting site review requests to the administrator, check Include Review Request Link. Note: For more information on submitting site review requests, see “Submitting site review requests” on page 1-6. Configuring SmartFilter DA 2-9 Choosing a redirect page Display This Customized Redirect Page. This option displays a customized version of SmartFilter DA's redirect page when users try to access blocked Web content. To specify the logo, text, and/or links that appear on this page, click Customize Page. Note: For more information on creating a custom redirect page, see “Customizing a redirect page” on page 2-11. Display This URL. This option displays the URL you specify when users try to access blocked Web content. Note that the URL you specify must be located on a Web server. 4. Click Save. Figure 2-4. Specifying a redirect page Specify the redirect page to display when users try to access blocked Web content. You can choose SmartFilter DA’s page, a customized version of SmartFilter DA’s page, or a URL. If you’re a subadministrator, you can also choose the page of the administrator directly above you. 2-10 Configuring SmartFilter DA Customizing a redirect page Customizing a redirect page Creating a custom redirect page using SmartFilter DA's template lets you easily tailor the redirect page for your organization. You can specify the logo, text, and links to appear on the page. Note that if you specify a custom logo for the redirect page, that logo also appears on all other predefined pages. In addition, any custom links you add appear on the warning page as well. Custom text appears on the redirect page only. Note: You can further customize other predefined pages (for example, the warning page and request review pages) in a text editor. For step-by-step instructions on customizing predefined pages, see the SmartFilter DA Installation Guide. Note: You must have the appropriate administrator rights to specify a redirect page. If you don’t have these rights, the Choose Redirect Page tab does not appear. To customize SmartFilter DA’s redirect page 1. On the navigation bar, click Choose Redirect Page. 2. In the Administrator list, click the administrator to specify a redirect page for. If you're a subadministrator who manages multiple zones, or if you choose a subadministrator from the Administrator list who manages multiple zones, the page automatically refreshes and shows you a list of delegated zones, as well as the redirect pages associated with those zones. Click the zone to specify a redirect page for, and then click Modify. 3. Click Display This Customized Redirect Page, and then click Customize Page. 4. To view the redirect page template, click View Template. 5. Select one of the following options for displaying a logo: Display SmartFilter DA's Logo. This option displays SmartFilter DA's default logo in the top right corner of the redirect page. Display My Logo. This option displays the logo you specify in the top right corner of the redirect page. Type the location of the logo file, or click Browse to locate and select the logo file. Note: The optimum logo size is 235 by 104 pixels; the logo you specify will be stretched or compressed to fit this size. If you want your logo to blend in with the redirect page’s background, set the background color of your logo to this RGB value: Red 231, Green 231, Blue 223. (This is equivalent to the hexadecimal value E7E7DF.) Configuring SmartFilter DA 2-11 Customizing a redirect page 6. To display customized text on the redirect page, type the text in the box provided. The text you type appears as a single paragraph between the blocked URL and the list of categories that the URL was blocked under. 7. Specify the link(s) to include on the redirect page. To include the link for submitting site review requests to the administrator, check Include Review Request Link. Note: Use the arrow buttons to order the links as you want them to appear on the redirect page. Figure 2-5. Creating a custom redirect page 8. To preview the customized page before saving it, click Preview. 9. Click Save, and then click Save again. Create a custom redirect page by adding or changing just one or all of the following items: logo, custom text, links. Click View Template to see where the new logo, text, and links will appear. Type or browse for the location of your custom logo. Type the text to display at the top of the redirect page. Add, change, and remove links. You can also choose whether to display the request review link. Preview your changes, and then save your custom page. 2-12 Configuring SmartFilter DA CH APTER 3 Delegating Administration 3 This chapter provides SmartFilter Delegating Administration (DA) configuration information. It contains the following topics: “Overview of delegating administration” on page 3-2 “Delegating zones” on page 3-5 “Managing zones” on page 3-7 “Managing administrators” on page 3-9 Delegating Administration 3-1 Overview of delegating administration 3 Overview of delegating administration To manage filtering more effectively across a large or multilevel organization, you can delegate tasks to other administrators. Delegating administration lets you distribute filter management responsibilities as appropriate to administrators within different areas of your organization. It lets those who are closest to specific groups of users administer filtering for those users on a daily basis, while allowing you to retain supervisory control over how your organization's filtering policy is implemented. To delegate filtering tasks, you must first create zones—distinct ranges of IP addresses associated with computers on your network—and then assign those zones to administrators. You specify what tasks each administrator can perform when managing his or her assigned zone(s). You can also modify filter settings for zones assigned to administrators below you at any time. How delegated administration works Here are two examples of how delegated administration can work in different organizational settings. In an educational setting. Let's say you're the superintendent of a large school district. You want to implement a standard Internet filtering policy for the entire district, but you also want principals, teachers, and librarians to be able to customize that policy as necessary to meet certain educational goals, as well as the specific needs of students at various grade levels. As the top-level filtering administrator—or superadministrator—you can apply a global filter to your entire school district. If you choose, you can set this global filter as the minimum level of filtering for all computers and users on your school district's network; this prevents administrators below you from applying filters that are less restrictive than the global filter you specify. You can then create zones for the different schools in your district, and assign them to the principals of those schools. As subadministrators, the principals can then create zones for specific classrooms, labs, and libraries within their schools, and delegate the administration of those zones to the appropriate teachers and librarians. This lets those who are closest to students tailor filtering to students' day-to-day needs, while giving you the ability to prevent misuse and ensure the integrity of your school district's filtering 3-2 Delegating Administration Overview of delegating administration policy. In a corporate setting. Let's say you're the HR director for a large company. You want to implement a standard Internet filtering policy that protects your company and its employees, but you also want to empower department managers to give their employees the Web access they need to meet your company's goals. As the top-level filtering administrator—or superadministrator—you can apply a global filter to your entire corporate network. Unless you specify this as the minimum level of filtering for your company, this filter applies only to users, groups, and IP addresses that filters haven't been assigned to. You can then create zones for the different departments in your company, and assign them to the department managers. As subadministrators, the managers can create and assign filters to IP addresses within their zones, or delegate administration of the zones to team leaders or other department leads. This lets department managers provide the types of Internet access that are most useful for their employees, while giving you the ability to prevent misuse and ensure the integrity of your company's filtering policy. Delegating Administration 3-3 Overview of delegating administration The differences between super- and subadministrators As the superadministrator, you can perform all filter and system administration tasks within the Control Center, including tasks that cannot be performed by other administrators. These tasks include: Apply a global filter Assign filters to users and groups defined in your local directory service Set system options All other administrators are considered subadministrators. When you delegate zones to subadministrators, you choose which tasks they can perform by selecting from this list of administrator rights: Create and assign filters. Lets the subadministrator add, change, and remove filters and custom categories; assign filters to IP addresses; create custom block and allow lists; and choose a redirect page. Assign override privileges. Lets the subadministrator assign override privileges to users. Delegate tasks to other administrators. Lets the subadministrator create zones and delegate tasks to other administrators. In addition, all subadministrators can specify an e-mail address for site review requests, override notifications, and warning notifications. They can also change their own logon names and passwords and specify settings for the Monitor with Warning feature and IP range display. 3-4 Delegating Administration Delegating zones Delegating zones To delegate portions of your organization to other administrators, you must first define a zone consisting of a range of IP addresses. Then, delegate authority of the zone to a subadministrator so that he or she can manage filtering for that zone. When delegating zones, keep in mind the following: You must have the appropriate administrator rights to create zones and delegate tasks. If you don’t have these rights, the Delegate Tasks tab does not appear. When you delegate a zone to an administrator, that administrator receives copies of any filters you’ve created. From then on, your filters and the subadministrator’s filters are independent of each other; changes you make to your filters are not reflected in his or her filters and vice versa. You can only delegate those IP ranges that fall within the zone(s) assigned to you. In addition, you can’t create zones that overlap with other zones. To create a zone 1. On the navigation bar, click Delegate Tasks. 2. In the Administrator list, click the administrator to add a zone for. Note: This list only appears if there are subadministrators below you. 3. Click Add Zone. 4. Type the IP address range of the new zone in the From and To boxes, and then type an optional description. Note: To specify a single IP address, just type that address in the From box. 5. Click Save. Once you’ve created a zone, assign an administrator to manage it. To assign a zone to an administrator 1. On the navigation bar, click Delegate Tasks. 2. In the Administrator list, click the administrator to assign a zone for. Note: This list only appears if there are subadministrators below you. 3. Click Add Admin. Delegating Administration 3-5 Delegating zones 4. Select one of the following: Log on Using a Local Name and Password. Type the name and password of the new administrator, and then retype the password. Log on Using This User’s Network Logon Information. Click the directory service where the administrator’s name resides. In the User/Group box, type the first letters of the administrator’s name, and then click Search. Then in the list of matching users and groups, click the administrator’s name. Note: If the superadministrator didn’t specify one or more directory services under Configure System, this option does not appear. Note: To display all of the users and groups in the selected directory service, leave the User/Group box empty and click Search. Note that if your directory service contains a large number of users, SmartFilter may not be able to display all of the users in a single list. 5. Type the full name you want to display in the Control Center for the administrator. This name helps you identify the subadministrator’s settings. 6. Type the e-mail address to send review request, override, and warning notifications to. Note: If you don’t type an e-mail address, review requests from users in this administrator’s zone are sent to you. Figure 3-1. Assigning a zone to an administrator 7. Specify the zone(s) you want the subadministrator to manage. 8. Check the tasks that the subadministrator can perform. 9. Click Save. To delegate zones to subadministrators, click Delegate Tasks. Click Add Zone, and then create your new zone. Then, click Add Admin to delegate the zone to an administrator. 3-6 Delegating Administration Managing zones Managing zones When managing zones, it’s important to remember that after you’ve delegated a zone to a subadministrator, removing or modifying it can significantly affect the filtering hierarchy. For example, say you assign a zone containing 100 IP addresses to subadministrator JSmith. If you remove 80 of those IP addresses from the zone, all 80 of those IP addresses lose the filter assignments JSmith gave them. In addition, if JSmith delegated any of the IP addresses to subadministrators, those subadministrators are also affected. Note: You must have the appropriate administrator rights to create zones and delegate tasks. If you don’t have these rights, the Delegate Tasks tab does not appear. Even after you’ve delegated responsibility for a zone to a subadministrator, you can still modify it. To modify a zone 1. On the navigation bar, click Delegate Tasks. 2. In the Administrator list, click the administrator to modify a zone for. Note: This list only appears if there are subadministrators below you. 3. Click the zone to modify, and then click Change Zone. 4. Type the zone’s new IP address range in the From and To boxes, and then type an optional description. Note: To specify a single IP address, just type that address in the From box. 5. Click Save. You can also remove a zone altogether. To remove a zone 1. On the navigation bar, click Delegate Tasks. 2. In the Administrator list, click the administrator to remove a zone for. Note: This list only appears if there are subadministrators below you. Delegating Administration 3-7 Managing zones Figure 3-2. Removing a zone 3. Click the zone to remove, and then click Remove Zone. 4. Confirm that you want to remove this zone. On the Delegate Tasks tab, select the zone to change settings for, and then click Change Zone. Type the zone’s new IP range. A description is optional. 3-8 Delegating Administration Managing administrators Managing administrators You can modify your subadministrators’ settings, including changing the zones they control and the rights they have within those zones. For example, if you find that a subadministrator is abusing the assign overrides right, simply remove it from his or her list of rights. You can also prevent subadministrators from accessing the Control Center. By disabling a subadministrator’s logon account, his or her filter settings stay intact, but the subadministrator cannot open the Control Center and change settings. Note: You must have the appropriate administrator rights to create zones and delegate tasks. If you don’t have these rights, the Delegate Tasks tab does not appear. To modify administrator settings 1. On the navigation bar, click Delegate Tasks. 2. In the Administrator list, click the administrator to modify settings for. Note: This list only appears if there are subadministrators below you. 3. Click the administrator to change settings for, and then click Change Admin. 4. Select one of the following: Log on Using a Local Name and Password. Type the name and password of the administrator, and then retype the password. Log on Using This User’s Network Logon Information. Click the directory service where the administrator’s name resides. In the User/Group box, type the first letters of the administrator’s name, and then click Search. Then in the list of matching users and groups, click the administrator’s name. Note: If the superadministrator didn’t specify one or more directory services under Configure System, this option does not appear. Note: To display all of the users and groups in the selected directory service, leave the User/Group box empty and click Search. Note that if your directory service contains a large number of users, SmartFilter may not be able to display all of the users in a single list. Disable Logon. 5. Type the full name you want to display in the Control Center for the administrator. This name helps you identify the subadministrator’s settings. 6. Type the e-mail address to send review request, override, and warning notifications to. Delegating Administration 3-9 Managing administrators Note: If you don’t type an e-mail address, review requests from users in this administrator’s zone are sent to you. 7. Specify the zone(s) you want the subadministrator to manage. 8. Check or clear the tasks that the subadministrator can perform. 9. Click Save. You can remove settings for any administrator that you manage. Removing an administrator’s settings deletes all filter settings for the zones assigned to that administrator, as well as all filter settings for zones assigned to any subadministrators created by the administrator. To remove administrator settings 1. On the navigation bar, click Delegate Tasks. 2. In the Administrator list, click the administrator to remove subadministrator settings for. Note: This list only appears if there are subadministrators below you. Figure 3-3. Removing administrator settings 3. Click the administrator to remove settings for, and then click Remove Admin. 4. Confirm that you want to remove settings for this administrator. On the Delegate Tasks tab, select the administrator to change settings for, and then click Change Admin. Select new settings for the administrator, and then click Save. 3-10 Delegating Administration CH APTER 4 Customizing Web Filtering 4 This chapter provides Web filtering customization information. It contains the following topics: “Overview of customizing Web filtering” on page 4-2 “Defining filters” on page 4-5 “Creating custom categories” on page 4-8 “Blocking specific Web content” on page 4-10 “Allowing specific Web content” on page 4-13 “Filtering using keywords” on page 4-15 “Filtering using file types” on page 4-18 “Guidelines for specifying URLs to filter” on page 4-20 Customizing Web Filtering 4-1 Overview of customizing Web filtering 4 Overview of customizing Web filtering SmartFilter blocks inappropriate and distracting Web content based on the filtering criteria you specify. You can choose to apply the default filters provided by SmartFilter, or custom filters that you create, to all or part of your organization. Create Web filters, or modify existing ones, by choosing categories of content from a predefined list, as well as any custom categories that you define. Note: To view a list of SmartFilter categories and their descriptions, go to www.securecomputing.com/goto/controllist During installation, you can apply a global filter to your entire network. After you create filters, you can apply a different global filter to your network, and/or assign specific filters to individual users, groups, and IP addresses. Note: Only the superadministrator can apply a global filter and assign filters to users and groups. Subadministrators with the appropriate rights can assign filters to IP addresses in their zones. How Web content categorization works To categorize Web content, Secure Computing uses a combination of advanced artificial intelligence technology and human analysis, locating Web content as it becomes available and then categorizing it according to predefined filter categories. This information is then stored in Secure Computing’s database of Web sites called the Control List. SmartFilter downloads the Control List on a daily or weekly basis, ensuring that Web access on your network is filtered according to the most accurate and up-to-date information possible. Using filters to manage Web access A filter is a collection of settings specifying the Web content that users can and cannot view. Create custom filters or use predefined filters provided by SmartFilter to manage your organization’s Internet access. When a user tries to access a Web page, SmartFilter checks the request against the Control List downloaded from Secure Computing. If the requested page is categorized as a type of content you’ve 4-2 Customizing Web Filtering Overview of customizing Web filtering chosen to block, SmartFilter denies the request. The user sees a redirect page in the browser rather than the requested page. If the requested page is categorized as a type of content you’ve chosen to allow, SmartFilter approves the request. The user sees the requested page. SmartFilter lets you apply a global filter to your entire network, as well as assign specific filters to individual users, groups, and IP addresses. You can also schedule filters to apply during different times of the day. This lets you give users less restrictive Web access during lunch breaks, or before and after business hours. In addition, subadministrators can apply filters to the zones of IP addresses that they manage. Creating custom block and allow lists In addition to using category-based filters to manage Web access, it’s possible to block specific Web sites, file types, and keywords. You can also let users access Web sites, file types, and keywords that SmartFilter would normally block. Note: Unlike filters, which you can assign to specific users, groups, and IP addresses, the Web sites, file types, and keywords in the custom lists are blocked or allowed for all users, groups, and IP addresses on your network. (If you’re a subadministrator, the items in the custom lists are blocked or allowed for all IP addresses in your zones.) Customizing Web Filtering 4-3 Overview of customizing Web filtering Figure 4-1. Web filtering Secure Computing locates and categorizes Web content into the Control List. SmartFilter downloads the updated Control List from Secure Computing. The Web Secure Computing As users request Web pages, SmartFilter checks the requests against the Control List, as well as the filters assigned to the requestors. If the requested page is not blocked under the user’s filter assignment, the user can view it. SmartFilter User 1 User 2 If the requested Web page is categorized as the type of content blocked for this user, the request is denied and a redirect page appears. 4-4 Customizing Web Filtering Defining filters Defining filters A filter is a collection of settings that defines what Web content users can access and how that access is tracked. When you create a filter, you can include: Categories of Web content to block, such as pornography or violence. This option prevents access to any content in this category. Categories of Web content to monitor with warning, or “soft block.” This option displays warning pages that help discourage certain types of Web activity without completely blocking access to content. Categories of Web content to monitor. This option lets you track Web usage by category without blocking sites. Categories of Web content to allow regardless of other filter settings. (These categories are called exceptions.) For example, you can let users view historically significant Web pages, even if they contain violent content. When you create a filter, you choose the predefined and custom categories of Web content to block, warn, or monitor when the filter is applied, as well as any exceptions to the types of content blocked, warned, or monitored. Note: You must have the appropriate administrator rights to define filters. If you don’t have these rights, the Define Filters tab does not appear. To create or modify a Web filter 1. On the navigation bar, click Define Filters. 2. On the Filters tab, in the Administrator list, click the administrator to add a filter for. Note: This list only appears if there are subadministrators below you. 3. Click Add. Or, to modify an existing filter, click the filter to modify, and then click Change. 4. In the Filter Name box, type a name for the filter you want to add or change. 5. Next to each category you want to block, warn, or monitor, click the appropriate option. Block. Click this option to block access to sites in this category. Customizing Web Filtering 4-5 Defining filters Warn. Click this option to display a warning when users attempt to access sites in this category. Users can choose to view the site by clicking a link on the warning page. If you choose, you can receive an e-mail notification when a user bypasses the warning page. Monitor. Click this option to allow access to sites in this category and log the categories they fall into. Don’t Block. Click this option to allow access to sites in this category. 6. To allow access to certain content regardless of other filter settings, next to each exception category, click the appropriate option. Allow As Exception. Click this option to allow access to sites in this category, even if they’re blocked, warned, or monitored under other settings. Don’t Allow As Exception. Click this option to base the block/ monitor decision on other filter settings. 7. Click Save. Note: If a site falls into multiple categories, one or more of which you’ve chosen to block, the site is always blocked. For example, if you set the Sexual Materials category to Block and the Sports category to Monitor, and a user tries to view a site that falls into both categories, the site is blocked. Figure 4-2. Creating a filter To create a new filter, click Define Filters... ...and then click Add. 4-6 Customizing Web Filtering Defining filters You can also remove filters that you no longer need. If the filter is currently assigned to users, groups, and/or IP addresses as the default (primary) filter, removing it will delete all of their filter settings. If the filter is currently applied as the global filter, removing it gives full Internet access to those users, groups, and IP addresses without individual filter assignments. To remove a Web filter 1. On the navigation bar, click Define Filters. 2. On the Filters tab, in the Administrator list, click the administrator to remove a filter for. Note: This list only appears if there are subadministrators below you. 3. Click the filter to remove, and then click Remove. 4. Confirm that you want to remove the filter. Customizing Web Filtering 4-7 Creating custom categories Creating custom categories When you create a filter, you choose the categories of Web content to block or allow from a comprehensive list of categories provided by SmartFilter. You can also create your own custom block and exception categories that contain Web content not found in any of the predefined block or exception categories. For example, you can create a block category that contains the Web addresses of popular travel sites. When applied as part of a filter, this category prevents users from accessing these sites. Once created, custom categories automatically show up in all filters as categories of content that you can block or allow. Like other categories, the content contained in each custom category is not blocked or allowed until you select the category when creating or modifying a filter. To help you differentiate custom categories from SmartFilter’s predefined categories, custom categories appear in bold text. You must have the appropriate administrator rights to create custom categories. If you don’t have these rights, the Define Filters tab does not appear. If you want to view reports on blocked media files (such as MP3 and WAV files), create a custom category for media instead of adding these file types to a custom block list. To create or modify a custom category 1. On the navigation bar, click Define Filters. 2. On the Custom Categories tab, click Add. Or, to modify an existing custom category, click the category you want to change, and then click Change. 3. In the Name box, type a name for the category you want to add. Or, type a new name for the existing category. 4. Click Block or Exception to indicate the category type. 5. Type the URLs (one per line) to block or allow when you apply this category as part of a filter. You can also copy items from a text editor and paste them into the custom category. Be sure to separate each item with a hard return. To block or allow URLs that contain specific keywords, click Add Keyword. To block or allow specific file types, click Add File Type. 4-8 Customizing Web Filtering Creating custom categories Note: For more information on entering Web sites, file types, and keywords, see “Guidelines for specifying URLs to filter” on page 4-20. 6. Click Save. Figure 4-3. Modifying a custom category Type the sites, file types, and keywords to block or allow in this custom category. To remove a custom block or exception category Note: When you remove a category, it is no longer applied under any filter. 1. On the navigation bar, click Define Filters. 2. On the Custom Categories tab, click the category you want to remove, and then click Remove. 3. Confirm that you want to remove this category. Customizing Web Filtering 4-9 Blocking specific Web content Blocking specific Web content With SmartFilter, you can block specific Web sites that are otherwise allowed under the filters you’ve defined. For example, if you find that users on your network are spending too much time viewing a car buying Web site, simply add the site to your custom block list. SmartFilter blocks access to that site for as long as it remains in your custom block list. If your organization uses the delegate tasks feature, each administrator with the right to create and assign filters can create his or her own custom block list. When a user requests a Web site, SmartFilter checks the custom block list of the administrator closest to the user for a match. If no match is found, SmartFilter checks the custom block list of the next administrator up in the hierarchy, and so on. Note: You must have the appropriate administrator rights to create custom lists. If you don’t have these rights, the Create Custom Lists tab does not appear. Note: If you want to view reports on blocked media files (such as MP3 and WAV files), create a custom category for media instead of adding these file types to the block list. To create a custom block list 1. On the navigation bar, click Create Custom Lists. 2. On the Block List tab, in the Administrator list, click the administrator to create a custom block list for. Note: This list only appears if there are subadministrators below you. 3. Type the URLs to block, one per line. You can also copy items from a text editor and paste them into the custom block list. Be sure to separate each item with a hard return. To block URLs that contain specific keywords, click Add Keyword. To block specific file types, click Add File Type. Note: For more information on entering Web sites, file types, and keywords, see “Guidelines for specifying URLs to filter” on page 4-20. 4. To let SmartFilter review the custom block list each night and automatically remove URLs categorized by Secure Computing, check Turn on Virtual Reviewer.™ If you select this option, you’ll be notified via e-mail when URLs are removed from the block list. Removing categorized URLs helps keep your block list as compact and efficient as possible. Note: Virtual Reviewer also forwards the URLs in your custom lists to Secure Computing for review. Forwarding these URLs to Secure Computing lets the Secure 4-10 Customizing Web Filtering Blocking specific Web content Computing review team analyze the URLs and categorize them as appropriate. 5. Click Save. Figure 4-4. Creating a custom block list On the Block List tab, type the sites, pages, file types, and keywords you want to block. Choose whether to clean up the block list each night. To remove an entry from the custom block list 1. On the navigation bar, click Create Custom Lists. 2. On the Block List tab, in the Administrator list, click the administrator to remove a site from the custom block list for. Note: This list only appears if there are subadministrators below you. 3. Select the Web site, file type, or keyword to remove, and then press Delete. 4. Click Save. Note: Removing an item from the custom block list doesn’t automatically allow it; it simply bases the block/allow decision on filters applied under SmartFilter. Customizing Web Filtering 4-11 Blocking specific Web content Tips on using Virtual Reviewer To prevent SmartFilter from removing an item from the block list, type [lock] before the item. For example, if you type [lock] www.sports.com, www.sports.com cannot be automatically deleted from your block list. Virtual Reviewer also skips URLs that contain a wildcard (such as an asterisk) in the host name or path, as well as items preceded with [keycgi], [keyurl], and [ftype]. Note: Because Virtual Reviewer skips URLs that contain a wildcard, it’s recommended that you replace wildcard entries with the specific sites and domains you want to block. Minimizing wildcard usage in the block list also improves filtering performance. 4-12 Customizing Web Filtering Allowing specific Web content Allowing specific Web content With SmartFilter, you can allow specific Web sites that are otherwise blocked under the filters you’ve defined. For example, if your organization conducts research on hate crimes, users may need access to certain sites with content usually considered inappropriate. Rather than changing filter settings to allow access to all hate and discrimination content, just add the specific sites needed to your custom allow list. If your organization uses the delegate tasks feature, each administrator with the right to create and assign filters can create his or her own custom allow list. When a user requests a Web site, SmartFilter checks the custom allow list of the administrator closest to the user for a match. If no match is found, SmartFilter checks the custom allow list of the next administrator up in the hierarchy, and so on. Note: You must have the appropriate administrator rights to create custom lists. If you don’t have these rights, the Create Custom Lists tab does not appear. To create a custom allow list 1. On the navigation bar, click Create Custom Lists. 2. On the Allow List tab, in the Administrator list, click the administrator to create a custom allow list for. Note: This list only appears if there are subadministrators below you. 3. Type the URLs to allow, one per line. You can also copy items from a text editor and paste them into the custom allow list. Be sure to separate each item with a hard return. To allow URLs that contain specific keywords, click Add Keyword. To allow specific file types, click Add File Type. Note: For more information on entering Web sites, file types, and keywords, see “Guidelines for specifying URLs to filter” on page 4-20. 4. Click Save. Customizing Web Filtering 4-13 Allowing specific Web content Figure 4-5. Creating a custom allow list On the Allow List tab, type the sites, pages, file types, and keywords you want to allow. To remove an entry from the custom allow list 1. On the navigation bar, click Create Custom Lists. 2. On the Allow List tab, in the Administrator list, click the administrator to remove a site from the custom allow list for. Note: This list only appears if there are subadministrators below you. 3. Select the Web site, file type, or keyword to remove, and then press Delete. 4. Click Save. Note: Removing an item from the custom allow list doesn’t automatically block it; it simply bases the block/allow decision on filters applied under SmartFilter. 4-14 Customizing Web Filtering Filtering using keywords Filtering using keywords You can further modify your custom categories and custom block and allow lists by filtering URLs that contain specific keywords. For example, you can type travel + vacation in the custom block list to keep users from accessing Web sites with both “travel” and “vacation” in their URLs. Note: You can also add keywords directly to custom categories and the custom lists. For information on manually entering keywords, see “Guidelines for specifying URLs to filter” on page 4-20. To block or allow specific keywords 1. Choose whether to block or allow the keyword for your entire organization or for select users and IP addresses. To block or allow a keyword for your entire organization, on the navigation bar, click Create Custom Lists. Note: For more information on creating custom lists, see “Blocking specific Web content” on page 4-10 and “Allowing specific Web content” on page 4-13. To block or allow a keyword for select users and IP addresses, click Define Filters. On the Custom Categories tab, click Add. Note:For more information on creating custom categories, see “Creating custom categories” on page 4-8. 2. Click Add Keyword. 3. In the Keyword box, type the word or phrase you want to block or allow. You can use Boolean operators when specifying more than one word. 4. In the Block Using list or Allow Using list, click the appropriate option. All Words. Click this option to block or allow URLs that contain all of the words in the phrase you typed. Any Words. Click this option to block or allow URLs that contain at least one of the words in the phrase you typed. This is the least specific type of matching. Boolean. Click this option to block or allow URLs using any Boolean operators you specified in the Keyword box. 5. Specify whether SmartFilter should block or allow the keyword if it appears anywhere in the URL (Entire URL) or only in the CGI portion of the URL (CGI Portion Only). Note: To block or allow this keyword only in Web searches, click CGI Portion Only. 6. Click Save, and then click Save again to save the custom category or custom list. Customizing Web Filtering 4-15 Filtering using keywords Tips for entering keywords using Boolean operators Boolean operators include AND (and, +); OR (or, |); NOT (not, -) Operator precedence is as follows: 1) OR; 2) AND, NOT. (AND and NOT have equal precedence.) So birds AND dogs OR cats is equal to birds AND (dogs OR cats) You can include parentheses to force operator precedence. For example, (birds AND dogs) OR cats will match URLs that contain both “birds” and “dogs” and URLs that contain “cats”. The NOT operator is logically treated as AND NOT. So dogs NOT cats will match URLs that contain “dogs” but don’t contain “cats”. It won’t match URLs that contain “dogs” or don't contain “cats”. If you click Boolean and don’t separate multiple words with operators, AND is implied. So dogs cats is equal to dogs AND cats An operator can’t be proceeded by another operator. So dogs AND NOT cats is an invalid phrase. Symbolic operators can separate words with or without spaces. So dogs+cats is equal to dogs + cats However, dogsANDcats is not equal to dogs AND cats All comparisons are done on a case-insensitive basis. So birds and Dogs AND CATS is equal to Birds AND DOGS AND CATS To match a phrase exactly as you’ve typed it, surround the phrase in quotes. For example, “cats+dogs” will match URLs that contain “cats+dogs” in the CGI query string. 4-16 Customizing Web Filtering Filtering using keywords Figure 4-6. Keyword block or allow Type the keyword you want to block or allow. If you typed a phrase, choose how to match the phrase. For both words and phrases, choose which URLs to match based on the location of the keyword in the URL. Customizing Web Filtering 4-17 Filtering using file types Filtering using file types Fine-tune your filtering policy by blocking and allowing specific file types. For example, if users on your network are wasting valuable bandwidth resources by downloading MP3 audio files, you can block all URLs ending in “mp3”. Note: You can also add file types directly to custom categories and the custom lists. For information on manually entering file types, see “Guidelines for specifying URLs to filter” on page 4-20. To block or allow specific file types 1. Choose whether to block or allow the file types for your entire organization or for select users and IP addresses. To block or allow a file type for your entire organization, on the navigation bar, click Create Custom Lists. Note:For more information on creating custom lists, see “Blocking specific Web content” on page 4-10 and “Allowing specific Web content” on page 4-13. To block or allow a file type for select users and IP addresses, click Define Filters. On the Custom Categories tab, click Add. Note: For more information on creating custom categories, see “Creating custom categories” on page 4-8. 2. Click Add File Type. 3. Use the top arrow button to move the file type(s) you want to block or allow to the list on the right. 4. To block or allow a new file type, type the file extension, and then click Add. For example, to block or allow QuickTime movie clips, type mov Click Save, and then click Save again to save the custom category or custom list. 4-18 Customizing Web Filtering Filtering using file types Figure 4-7. File type block or allow Move the file types you want to block or allow to the list on the right. To block or allow file types not included in the predefined list, type the appropriate file extension and click Add. Customizing Web Filtering 4-19 Guidelines for specifying URLs to filter Guidelines for specifying URLs to filter When you create a custom category, or add items to the block list or allow list, you specify the Web addresses (sites, folders, pages), file types, and keywords to block or allow. To ensure that filtering works as expected, review the guidelines and syntax examples on the following pages before adding items to a custom category, custom block list, or custom allow list. Note that you must have the appropriate administrator rights to create custom categories and custom lists. General guidelines To avoid overblocking or overallowing Web content, be as specific as possible when creating your custom categories and custom lists. SmartFilter supports all protocols (including HTTP, HTTPS, and FTP). For HTTPS addresses, SmartFilter can only base filtering on the host name. Thus, you can block or allow an entire HTTPS site, but not specific sections or pages within an HTTPS site or file types from HTTPS sources. SmartFilter supports two wildcard characters: * matches zero or more characters; ? matches any character, but there must be a character present. Note: It’s recommended that you minimize wildcard usage in the custom lists and custom categories. Wildcard entries slow filtering performance. In addition, Virtual Reviewer skips URLs that contain a wildcard. You can enter URLs in uppercase or lowercase. However, SmartFilter automatically converts to lowercase all URLs included as part of a custom category or the custom lists. Optimizing the block list for Virtual Reviewer™ Use SmartFilter's Virtual Reviewer to manage your custom block list more efficiently. Virtual Reviewer compares the URLs in your custom block list each night with Secure Computing's database of categorized Web sites. If Virtual Reviewer finds a URL in your block list that is categorized by Secure Computing, it removes the URL from your block list and sends you an e-mail notification that includes category information for that URL. 4-20 Customizing Web Filtering Guidelines for specifying URLs to filter Note: For information on turning on Virtual Reviewer to help you manage your custom block list, see “Blocking specific Web content” on page 4-10. To ensure you're receiving the full benefits of Virtual Reviewer, keep in mind the following when you add items to your custom block list: To prevent Virtual Reviewer from removing an item from the block list, type [lock] before the item. For example, if you type [lock] www.sports.com, www.sports.com cannot be automatically removed from your block list. Virtual Reviewer also skips URLs that contain a wildcard (such as an asterisk) in the host name or path, as well as items preceded with [keycgi], [keyurl], and [ftype]. For example, Virtual Reviewer would skip these items when reviewing the block list: *.yahoo.com http://www.cnn.com/*/travel/ [keycgi] sports [keyurl] stock prices [ftype] mp3 If you want to use Virtual Reviewer, look over your existing block list and remove asterisks from URL host names and paths as appropriate. (Note that removing asterisks from URL host names and paths also improves filtering performance.) For example, the following sets of URLs are functionally equivalent; however, while Virtual Reviewer will skip the URLs in the first column, it will compare the URLs in the second column against Secure Computing's database. Table 4-1. Virtual Reviewer URL information. To review this URL Change it to this format *geocities.* http://geocities.com *cnn.*/* http://cnn.com If you want Virtual Reviewer to review URLs such as *.yahoo.com, replace this URL with the specific domains you want to block. For example, in place of *.yahoo.com, you might type these URLs: http://finance.yahoo.com http://chat.yahoo.com http://www.yahoo.com Customizing Web Filtering 4-21 Guidelines for specifying URLs to filter Syntax for entering Web sites, file types, and keywords Use the following syntax guidelines when adding items to a custom category, custom block list, or custom allow list. Table 4-2. Syntax guidelines To block or allow Type Notes An entire Web site <protocol>://<host name> For greater flexibility, just type the site's domain: site.com. This blocks or allows the site under HTTP, HTTPS, and FTP, as well as with any host (such as www). http://www.ergo.net An entire Web site (including its associated IP addresses) [ipmap] <protocol>://<host name> [ipmap] http://www.ergo.net Typing [ipmap] before the URL blocks or allows all sites hosted on the same server as the URL. So other sites sharing the same IP address(es) are also blocked or allowed. Be selective when typing [ipmap] before a URL: typing [ipmap] before a URL will also block or allow all URLs matching the entry on this virtual host. Particular sections of a Web site (HTTP only) http://<host name>/<path> Particular pages in a Web site (HTTP only) http://<host name>/<path>/ <page> http://www.ergo.net/about http://www.ergo.net/about/ info.html An IP address http://<IP address> http://64.58.79.230 Use paths to block or allow specific sections or pages within an HTTP site. If you don't specify a path, the entire site is blocked or allowed. You can block a page within an allowed path, and vice versa. For example, you can allow http://www.ergo.net/about/info.html even if you've blocked http://www.ergo.net/about. Only the IP address you specify is blocked or allowed. It is not mapped to a specific URL or another IP address. More... 4-22 Customizing Web Filtering Guidelines for specifying URLs to filter To block or allow Type Notes A file type (from any HTTP source) [ftype] <file extension> You can also block or allow file types from any HTTP source by clicking Add File Type and then selecting the file type. For more information, see “Filtering using file types” on page 4-18. [ftype] jpg Note that SmartFilter doesn’t support wildcards as part of the file extension. So if you want to block or allow both mp3 and mpeg, type [ftype] mp3 and [ftype] mpeg on separate lines. A file type (from a particular HTTP location) http://<host name>/*.<file extension> URLs that contain a particular keyword or phrase anywhere in the URL [keyurl] <word> http://www.ergo.net/*.jpg [keyurl] travel vacation [keyurl] stocks URLs that contain a particular keyword in the CGI portion of the URL [keycgi] <word> [keycgi] sexyphotos [keycgi] stocks You can also block or allow keywords by clicking Add Keyword and then typing the word or phrase. For more information, see “Filtering using keywords” on page 4-15. You can also block or allow keywords by clicking Add Keyword and then typing the word or phrase. For more information, see “Filtering using keywords” on page 4-15. Use [keycgi] to block or allow particular keywords when used for Web searches. A URL that contains * or ? characters that are not used as wildcards http://www.ergo.net/forsale/ default.cgi\?q=\* If a ? or * appears in a URL, and you don’t want to treat the character as a wildcard, precede the ? or * with a backslash. (This may be necessary to block or allow URLs that contain parameters.) Customizing Web Filtering 4-23 Guidelines for specifying URLs to filter 4-24 Customizing Web Filtering CH APTER 5 5 Applying Filters This chapter provides information on applying filters. It contains the following topics: “Overview of applying Web filters” on page 5-2 “Applying a global filter” on page 5-4 “Assigning filters to users and groups” on page 5-6 “Scheduling filter changes for users and groups” on page 5-8 “Assigning filters to IP address ranges” on page 5-10 “Scheduling filter changes for IP address ranges” on page 5-12 “Authorizing users to override filtering” on page 5-15 Applying Filters 5-1 Overview of applying Web filters 5 Overview of applying Web filters Once you’ve created filters, you can assign them to the users, groups, and IP addresses defined on your network. To provide basic Web filtering for your network, apply a global filter. This filter applies to all users, groups, and IP addresses on your network and ensures that Web content accessed through your network is filtered according to criteria you’ve specified. To manage Web access more closely, assign filters to individual users and groups, as well as specific IP addresses and address ranges. This lets you customize Web access according to the particular needs of users within your organization. Note: SmartFilter supports directory services accessed via Lightweight Directory Access Protocol (LDAP), including Windows Active Directory, Novell eDirectory (formerly Novell Directory Services), and Sun ONE Directory (formerly iPlanet). If you use a directory service other than those listed above, you can apply filter settings to IP addresses only. You can also schedule filter changes to occur at certain times of the day. Use this feature to allow less restrictive Web access before or after work, during lunch, and so on. Note: Only the superadministrator can apply a global filter and assign filters to users and groups. Subadministrators with the appropriate rights can assign filters to IP addresses. Handling multiple filter assignments Some users on your network may belong to multiple groups with filter assignments. Others may have filter assignments for their individual user profiles and belong to one or more groups. And others may use computers that have filter assignments associated with their IP addresses. In these situations, SmartFilter uses a protocol to determine which filter settings are applied (see Table 5-1). Under this protocol, filters assigned to specific users always override other filter settings, while the least restrictive filter settings apply to users or IP addresses within multiple groups or IP address ranges. 5-2 Applying Filters Overview of applying Web filters Table 5-1. Filter assignments If Then SmartFilter applies A user without an individual filter assignment belongs to more than one group with filter assignments The least restrictive filter settings of those assigned to the groups. A user with an individual filter assignment belongs to one or more groups with filter assignments The filter settings associated with that user’s filter assignment, even if those settings are more restrictive than the filter settings for the group or groups. A user with an individual filter assignment logs on to the network domain using a computer with a filter assignment for its IP address The filter settings associated with that user’s filter assignment. A user with a group filter assignment logs on to a computer with a filter assignment for its IP address The filter settings associated with that group’s filter assignment. An IP address is in one or more IP address ranges that have been assigned filters The least restrictive filter settings of those assigned to the IP address ranges. An IP address with an individual filter assignment falls into one or more IP address ranges with filter assignments The filter settings associated with that IP address’s filter assignment, even if those settings are more restrictive than the filter settings for the IP address range or ranges. Applying a global filter also affects how filter settings are applied to users, groups, and IP addresses. If you've applied a global filter and then assign a filter to an individual user, group, or IP address, the global filter no longer applies to that user, group, or IP address. If you've applied a global filter as the minimum level of filtering for the entire network and then assign a filter to an individual user, group, or IP address, the global filter continues to apply to that user, group, or IP address as the minimum level of filtering. Thus, the filter settings applied to that user or group can never be less restrictive than the global filter. Applying Filters 5-3 Applying a global filter Applying a global filter Use a global filter to apply a single Web filter to all users, groups, and IP addresses on your network. This filter ensures that Web content accessed through your network is always filtered according to certain criteria. The global filter applies to all users, groups, and IP addresses that don't have individual filter assignments. (However, if you chose to apply the global filter as the minimum level of filtering for your network, the global filter applies to all users, groups, and IP addresses, even if individual filters have been assigned to them, and its settings take precedence over less restrictive filters.) Note: Only the superadministrator can apply a global filter to the entire network. Subadministrators with the appropriate rights can assign filters to IP addresses in their zones. To apply a global filter to the entire network 1. On the navigation bar, click Assign Filters. 2. On the Global tab, check Global Filter, and then click a global filter to apply. 3. To provide a minimum level of filtering for your entire network, check Apply to Entire Network As the Minimum Level of Filtering. 4. Click Save. To schedule a global filter change 5-4 Applying Filters 1. On the navigation bar, click Assign Filters. 2. On the Global tab, under Schedule Global Filter Changes, click Add to schedule a new filter change. Or click an existing filter change, and then click Change. 3. In the Filter list, click the filter you want to apply during the period you specify. 4. Next to Start, choose the hour, 15-minute increment, and time of day (A.M. or P.M.) to start the filter change and override the default global filter. 5. Next to End, choose the hour, 15-minute increment, and time of day (A.M. or P.M.) to end the filter change and apply the default global filter. 6. Check the day(s) of the week to apply the filter change. 7. Click Save, and then click Save again. Applying a global filter Figure 5-1. Applying a global filter To apply a global filter to your network, select Global Filter and click a filter to apply. (Select Apply to Entire Network As the Minimum Level of Filtering if you want the filter to apply to all users, groups, and IP addresses—even those with individual filter assignments.) To schedule a new filter change, click Add. To modify or delete an existing filter change, click the scheduled change in the list, and then click Change or Remove. To remove a global filter change 1. On the navigation bar, click Assign Filters. 2. On the Global tab, under Schedule Global Filter Changes, click the scheduled filter change you want to remove, and then click Remove. 3. Confirm that you want to delete this scheduled filter change, and then click Save. Applying Filters 5-5 Assigning filters to users and groups Assigning filters to users and groups SmartFilter helps you manage Internet access for your organization by letting you assign filters to individual users and groups. Note: Only the superadministrator can apply filters to individual users and groups. Subadministrators with the appropriate rights can assign filters to IP addresses in their zones. When you assign a filter to a user or group, you select a default filter, which serves as the primary filter for that user or group. You can then schedule other filters to override the default filter at specific times, such as during non-work hours. Note: To ensure that Web activity is filtered for your entire network, specify a global filter. For more information on applying a global filter, see “Applying a global filter” on page 5-4. To assign a filter to a user or group 1. On the navigation bar, click Assign Filters. 2. On the Users tab, click Add. 3. In the Look In list, click the directory service that contains the user or group to assign a filter to. 4. In the User/Group box, type the first letters of the user or group's name, and then click Search. Note: To display all of the users and groups in the selected directory service, leave the User/Group box empty and click Search. Note that if your directory service contains a large number of users, SmartFilter may not be able to display all of the users in a single list. 5. In the list of matching users and groups, click the user or group to assign a filter to. 6. In the Default Filter list, click the primary filter to apply to this user or group. 7. To schedule filter changes, under Schedule Filter Changes for This User/ Group, click Add. Note: For information on scheduling filters, see “Scheduling filter changes for users and groups” on page 5-8. 8. 5-6 Applying Filters Click Save. Assigning filters to users and groups Figure 5-2. Assigning a filter to a user or group To assign a filter to a user or group, select the location of the user or group. Then type the first few letters of the user or group’s name and click Search. Choose the default filter for this user or group. This filter can be overridden by other filters you’ve scheduled for specific times of day. To modify a filter assignment for a user or group 1. On the navigation bar, click Assign Filters. 2. On the Users tab, click the user or group whose filter settings you want to modify, and then click Change. 3. In the Default Filter list, click the primary filter to apply to this user or group. 4. To schedule filter changes, under Schedule Filter Changes for This User/ Group, click Add. Or click an existing filter change, and then click Change. Note: For information on scheduling filters, see “Scheduling filter changes for users and groups” on page 5-8. 5. Click Save. To remove a filter assignment from a user or group 1. On the navigation bar, click Assign Filters. 2. On the Users tab, click the user or group you want to remove the filter assignment for, and then click Remove. 3. Confirm that you want to remove the filter assignment for this user or group. Applying Filters 5-7 Scheduling filter changes for users and groups Scheduling filter changes for users and groups To let users and groups view certain types of Web content at specific times of the day, schedule filter changes. Note: Only the superadministrator can apply filters to individual users and groups. Subadministrators with the appropriate rights can assign filters to IP addresses in their zones. When you schedule a filter change, you choose a filter to override the user or group’s default filter during the period you specify. When that period is over, SmartFilter applies the default filter again. You can use scheduled filter changes to provide less restrictive Web access before or after work hours, during lunch, or at other times. Note: Scheduled filter changes occur based on local proxy server time. To schedule a filter change for a user or group 1. On the navigation bar, click Assign Filters. 2. On the Users tab, choose the user or group to schedule the filter change for: To schedule a filter change for a new user or group, click Add, click a network location, click the user or group to add, and then click a default filter. To schedule a filter change for an existing user or group, click the user or group in the list, and then click Change. 5-8 Applying Filters 3. Under Schedule Filter Changes for This User/Group, click Add to schedule a new filter change. Or click an existing filter change, and then click Change. 4. In the Filter list, click the filter you want to apply during the period you specify. 5. Next to Start, choose the hour, 15-minute increment, and time of day (A.M. or P.M.) to start the filter change and override the default filter for the user or group. 6. Next to End, choose the hour, 15-minute increment, and time of day (A.M. or P.M.) to end the filter change and apply the default filter for the user or group. 7. Check the day(s) of the week to apply the filter change. 8. Click Save, and then click Save again. Scheduling filter changes for users and groups Figure 5-3. Scheduling a filter change for a user or group To schedule a new filter change, click Add. To modify or delete an existing filter change, click the scheduled change in the list, and then click Change or Remove. Choose the filter you want to apply, and then specify the times and days to apply the filter change. To remove a filter change for a user or group 1. On the navigation bar, click Assign Filters. 2. On the Users tab, click the user or group to remove the filter change for, and then click Change. 3. Under Schedule Filter Changes for This User/Group, click the scheduled filter change you want to remove, and then click Remove. 4. Confirm that you want to delete this scheduled filter change, and then click Save. Applying Filters 5-9 Assigning filters to IP address ranges Assigning filters to IP address ranges In addition to assigning filters to specific users and groups, you can assign filters to computers on your network using their IP addresses. Note: You must have the appropriate administrator rights to assign filters to IP addresses. If you don’t have these rights, the Assign Filters tab does not appear. When you assign a filter to an individual IP address or address range, you select a default filter, the primary filter assigned to that address or range. You can also schedule other filters to apply at specific times. Note: To ensure that Web activity is filtered for your entire network, specify a global filter. For more information on assigning a global filter, see “Applying a global filter” on page 54. To assign or modify a filter for an IP range 1. On the navigation bar, click Assign Filters. 2. On the IP Addresses tab, in the Administrator list, click the administrator who manages the IP address/range you want to assign a filter to or modify a filter for. Note: This list only appears if there are subadministrators below you. 3. Click Add. Or if you want to modify an assigned filter, click the IP address or IP range to modify, and then click Change. 4. Type the IP address range in the From and To boxes, and then type an optional description. Note: To assign a filter to a single IP address, just type the address in the From box. 5. In the Default Filter list, click the primary filter to apply to this IP address range. 6. To schedule filter changes, under Schedule Filter Changes for This IP Address Range, click Add. Or click an existing filter change, and then click Change. Note: For information on scheduling filter changes, see “Scheduling filter changes for IP address ranges” on page 5-12. 7. 5-10 Applying Filters Click Save. Assigning filters to IP address ranges Figure 5-4. Assigning a filter to an IP range Type the IP address or address range to assign a filter to. You can also enter a description of the address or address range. Choose the default filter for this IP address or address range. This filter can be overridden by other filters you’ve scheduled for specific times of day. To remove a filter assignment from an IP address or address range 1. On the navigation bar, click Assign Filters. 2. On the IP Addresses tab, in the Administrator list, click the administrator who manages the IP address/range you want to remove a filter from. Note: This list only appears if there are subadministrators below you. 3. Click the IP address or address range you want to remove the filter assignment for, and then click Remove. 4. Confirm that you want to remove the filter assignment for this IP address or address range. Applying Filters 5-11 Scheduling filter changes for IP address ranges Scheduling filter changes for IP address ranges To let users of specific computers view certain types of Web content at specific times of the day, schedule filter changes. When you schedule a filter change, you choose a filter to override the default filter assigned to an IP address or address range during the period you specify. When that period is over, SmartFilter applies the default filter again. Note: Scheduled filter changes occur based on local proxy server time. You can use scheduled filter changes to provide less restrictive Web access before or after work hours, during lunch, or at other times. Note: You must have the appropriate administrator rights to assign filters or filter changes to IP addresses. If you don’t have these rights, the Assign Filters tab does not appear. To schedule a filter change for an IP address or address range 1. On the navigation bar, click Assign Filters. 2. On the IP Addresses tab, in the Administrator list, click the administrator who manages the IP address/range you want to schedule filter changes for. Note: This list only appears if there are subadministrators below you. 3. Choose the IP address or address range to schedule the filter change for: To schedule a filter change for an IP address or address range without a filter assignment, click Add. Specify the address or address range to add and a default filter to apply. To schedule a filter change for an existing IP address or address range, click the address or address range in the list, and then click Change. 5-12 Applying Filters 4. Under Schedule Filter Changes for This IP Address Range, click Add to schedule a new filter change. Or click an existing filter change, and then click Change. 5. In the Filter list, click the filter you want to apply during the period you specify. 6. Next to Start, choose the hour, 15-minute increment, and time of day (A.M. or P.M.) to start the filter change and override the default filter for the IP address or address range. 7. Next to End, choose the hour, 15-minute increment, and time of day Scheduling filter changes for IP address ranges (A.M. or P.M.) to end the filter change and apply the default filter for the IP address or address range. 8. Check the day(s) of the week to apply the filter change. 9. Click Save, and then click Save again. Figure 5-5. Scheduling filter changes for an IP range To schedule a new filter change, click Add. To modify or delete an existing filter change, click the scheduled change in the list, and then click Change or Remove. Choose the filter you want to apply, and then specify the times and days to apply the filter change. Applying Filters 5-13 Scheduling filter changes for IP address ranges To remove a filter change for an IP address or address range 1. On the navigation bar, click Assign Filters. 2. On the IP Addresses tab, in the Administrator list, click the administrator who manages the IP address/range you want to schedule filter changes for. Note: This list only appears if there are subadministrators below you. 5-14 Applying Filters 3. Click the IP address or address range to remove the filter change for, and then click Change. 4. Under Schedule Filter Changes for This IP Address Range, click the scheduled filter change you want to remove, and then click Remove. 5. Confirm that you want to delete this scheduled filter change, and then click Save. Authorizing users to override filtering Authorizing users to override filtering To let users temporarily turn off filtering on individual computers, assign override privileges. A user with override privileges can bypass filtering on a computer for a short period of time by entering a name and password on the redirect page. For example, let's say you create a filter that blocks sites in the Electronic Commerce category and assign it to the Customer Support group. One of the users in this group then finds that he needs to check a competitor's e-commerce site for their support policy. But when he attempts to access the site, the redirect page appears. The user then notifies a supervisor with override privileges, who clicks the Temporarily Bypass Filtering link on the redirect page and enters her override name and password. The user can then access the competitor's site on his workstation within the period of time specified by the administrator. Note: The superadministrator has override privileges for the entire network. Subadministrators have override privileges on all computers with IP addresses in their assigned zone(s). Note that all administrators use the same name and password for overriding filtering as they do for logging on to the Control Center. You can also be notified by e-mail each time a user with override privileges bypasses filtering. You choose under what conditions e-mails are sent to you. For more information on overriding filtering, see “Browsing the Web with SmartFilter DA” on page 1-6. Note: You must have the appropriate administrator rights to assign override privileges. If you don’t have these rights, the Assign Overrides tab does not appear. To assign or modify override privileges 1. On the navigation bar, click Assign Overrides. 2. In the Administrator list, click the administrator that you want to create or modify override settings for. Note: This list only appears if there are subadministrators below you. 3. Under Users with Override Privileges, click Add. Or, if you want to modify a user’s override privileges, click the user you want to modify privileges for, and then click Change. 4. Type the name and password this user must enter to override filtering. 5. Retype the password to confirm it. 6. To receive e-mail notifications when this user overrides filtering, check Applying Filters 5-15 Authorizing users to override filtering Notify Me When This User Overrides Filtering. Note: E-mail notifications are sent to the user’s immediate administrator. 7. If you chose to receive e-mail notifications, check Only If User Overrides Filtering to receive notifications only after this user overrides filtering a specific number of times within a certain period. Specify the number of times that this user must override filtering within a certain period in order to trigger the e-mail notification. Then specify the number of minutes in that period. 8. Click Save. To remove override privileges for a user 1. On the navigation bar, click Assign Overrides. 2. In the Administrator list, click the administrator that you want to remove override settings for. Note: This list only appears if there are subadministrators below you. Figure 5-6. Authorizing overrides 3. Under Users with Override Privileges, click the user to remove override privileges for. 4. Click Remove. 5. Confirm that you want to remove these override privileges. To give a user override privileges, click Assign Overrides on the navigation bar, and then click Add. Type the override name and password for this user. Choose whether to receive e-mail notifications when this user overrides filtering. 5-16 Applying Filters CH APTER 6 6 Troubleshooting This chapter provides suggestions for resolving problems related to SmartFilter. It contains the following topics: “Introduction to troubleshooting” on page 6-2 “Problems with the Control Center” on page 6-2 “Problems with Web access” on page 6-3 “Problems with delegating administration” on page 6-5 Troubleshooting 6-1 Introduction to troubleshooting 6 Introduction to troubleshooting If you’re unable to resolve a problem on your own, access online support resources at www.securecomputing.com/goto/support, or call +1.800.700.8328. Problems with the Control Center I can’t access the Control Center. First, make sure you entered the correct address in your browser: https://Address/controlcenter For Address, type the IP address or fully qualified domain name of the computer where you installed SmartFilter. Second, on the Log On page, confirm that you selected the correct network location in the Look In box. (This is the domain where your user profile is stored.) Then confirm that you entered the logon name and password as they appear in that network location. If you didn’t specify the administrator logon using a directory service, click Local. Note: If you’re a subadministrator, a higher-level administrator may have disabled your logon. Contact your managing administrator to find out if your logon is disabled. Third, confirm that the Web server hosting the Control Center is operational. I accidentally changed my logon name and password, and now I can’t access the Control Center. You can change your administrator logon without opening the Control Center. To do this you’ll need access to the computer where SmartFilter is installed. For information on changing your administrator logon without opening the Control Center, see the SmartFilter DA Installation Guide. I can’t save my changes in the Control Center. If the Control Center is inactive for 10 minutes or longer, you must log back on to the Control Center. This lets you save new filter changes. For information on changing the default time-out period, see the SmartFilter DA Installation Guide. 6-2 Troubleshooting Problems with Web access Problems with Web access I added a Web page to the custom allow list and users can’t access it. The browser may be trying to access a copy of the Web page saved in the browser’s cache. To access the Web page, force the proxy server to retrieve the page from the Internet rather than from the cache: In Mozilla, hold down the SHIFT key, and then click Reload. In Internet Explorer, hold down the CTRL key, and then click Refresh. I added a Web page to the custom block list and users can still access it. The browser may be accessing a copy of the Web page saved in the browser’s cache. To prevent this, you must force the proxy server to retrieve the page from the Internet rather than from the cache: In Mozilla, hold down the SHIFT key, and then click Reload. In Internet Explorer, hold down the CTRL key, and then click Refresh. I want to view reports on blocked media files. To view reports on blocked media files (such as MP3 and WAV files), create a custom category for media instead of adding these file types to a custom block list. For information on creating a custom category, see “Creating custom categories” on page 4-8. I want to give users access to only a handful of Web sites. To give your users access to a limited number of Web sites, create a filter and apply it to your network as follows: 1. On the navigation bar, click Define Filters. 2. On the Custom Categories tab, click Add. 3. In the Name box, type a name to identify this category as the block category that prevents access to all Web sites, except the few that you specify. 4. Click Block. 5. Type an asterisk (*), and then click Save. 6. On the Custom Categories tab, click Add to create another custom category. 7. In the Name box, type a name to identify this category as the exception Troubleshooting 6-3 Problems with Web access category that includes the list of sites you want to allow. 8. Click Exception. 9. Type the Web sites, file types, and keywords you want to allow, and then click Save. Note: For information on entering Web sites, file types, and keywords, see “Guidelines for specifying URLs to filter” on page 4-20. 10. On the Filters tab, click Add. 11. In the Filter Name box, type a name for the filter. 12. Next to the block category you created, click Block. 13. Next to the exception category you created, click Allow As Exception. Set all other exception categories to Don’t Allow As Exception. 14. Click Save. 15. On the navigation bar, click Assign Filters. 16. On the Global tab, check Global Filter, and then click the filter you just created. 17. To provide a minimum level of filtering for your entire network, check Apply to Entire Network As the Minimum Level of Filtering. 18. Click Save. 6-4 Troubleshooting Problems with delegating administration Problems with delegating administration I removed IP addresses from a subadministrator’s zone. Are those IP addresses still filtered? The global filter applied by the superadministrator is now the only filter applied to those addresses. If the superadministrator hasn’t applied a global filter, those IP addresses have full access to the Internet. (To see whether a global filter is applied to your network, click Assign Filters, and then view the settings on the Global Filter tab.) If you want additional filtering applied to these IP addresses, you must either assign filters to them directly, or delegate the IP addresses to a subadministrator who can then assign filters to them. I’m a subadministrator and can’t access the Control Center. There are several possible reasons why you can’t access the Control Center, including problems caused by server issues within your network. It is also possible that the superadministrator, or a subadministrator above you, disabled your logon. Contact your managing administrator to find out if your logon has been disabled. I’m a subadministrator and want to give the subadministrators I manage some rights (such as creating filters and delegating tasks). I can’t seem to do this. Why? You can only give subadministrators those rights that you yourself have. If your managing administrator didn’t give you these rights, you can’t pass them on to your subadministrators. I’m a subadministrator and just noticed that some of the filter settings for my zones have changed. I didn’t make the changes. What happened? Any administrator above you, including the superadministrator, has the authority to change settings for your zones. For example, if the superadministrator thinks that the filter settings you’ve applied are too lenient, he or she can alter those setting by blocking additional categories. Troubleshooting 6-5 Problems with delegating administration 6-6 Troubleshooting www.securecomputing.com Corporate Headquarters 4180 Harwood Road San Jose, CA 95124 USA Tel: +1.800.379.4944 Tel: +1.408.979.6100 Fax: +1.408.979.6501 European Headquarters East Wing, Piper House Hatch Lane Windsor SL4 3QP UK Tel: +44.1753.410900 Fax: +44.1753.410901 Asia/Pac Headquarters 1604-5 MLC Tower 248 Queen’s Road East Wan Chai Hong Kong Tel: +852.2520.2422 Fax: +852.2587.1333 Japan Headquarters Level 15 JT Bldg. 2-2-1 Toranomon Minato-Ku Tokyo 105-0001 Japan Tel: +81.3.5114.8224 Fax: +81.3.5114.8226 © 2005 Secure Computing Corporation. All Rights Reserved. Secure Computing, SafeWord, Sidewinder, SmartFilter, Type Enforcement, SofToken, SecureSupport, SecureOS, MobilePass, G2 Firewall, Bess, Sidewinder G2, enterprise strong, PremierAccess, and Strikeback are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. G2 Enterprise Manager, Application Defenses, RemoteAccess, On-Box, Power-It-On!, Sentian, and Securing connections between people, applications, and networks are trademarks of Secure Computing Corporation. All other trademarks used herein belong to their respective owners.
Similar documents
SmartFilter Web Filtering Product Family
© 2004 Secure Computing Corporation. All Rights Reserved. Secure Computing, SafeWord, Sidewinder, SmartFilter, Type Enforcement, SofToken, SecureSupport, SecureOS, and Strikeback are trademarks of ...
More information