ScanCenter Administrator Guide

Version 5.2 January 18, 2012

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

Text Part Number: OL-22629-05

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/web/siteassets/legal/trademark.html. Third party trademarks mentioned are the property of their respective owners. 
The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. ScanCenter Administrator Guide © 2009-2012 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface

Getting Started with ScanCenter
    Overview
    Dashboards

Administration
    Overview
    Account Management
    Editing Your Account Details
    Changing Your Password
    Changing the Scanned IP Addresses
    Downloading a List of Dynamic DNS Addresses
    Managing Admin Users
    Creating a New Admin User
    Editing an Admin User
    Removing an Admin User
    User Management
    Managing Groups
    Adding a Directory Group
    Creating a Custom Group
    Editing a Group
    Removing a Group
    Managing Users
    Importing a User List
    Removing Users
    Hosted Configuration Files
    Uploading a New Configuration File
    Managing Configuration Files
    Removing Configuration Files
    Authentication
    Company Keys
    Group Keys
    Bulk Group Management
    User Keys
    Bulk User Management
    Setting the User Email Message
    Dictionaries and Databases
    Managing Dictionaries
    Creating a New Dictionary
    Editing a Dictionary
    Managing File Information Databases
    Creating a New Database
    Editing a Database
    Removing a Database
    Auditing ScanCenter Use
    Email Alerts
    Access Audits
    Activity Audits
    Secure Traffic Inspection
    Legal Disclaimer
    Secure Sockets Layer Certificates
    Creating a Certificate in ScanCenter
    Using an Externally Generated Certificate
    Editing a Certificate Description
    Removing a Certificate
    Filters
    Creating a Filter
    Editing a Filter
    Removing a Filter
    Policy
    Creating a Rule
    Editing a Rule
    Removing a Rule

Reporting
    Overview
    Calculating Browse Time
    Viewing Reports
    Viewing Reports Online
    Grid Chart
    Graphical Charts
    Downloading Reports
    Downloading PDF Reports
    Downloading CSV Reports
    Filtering Reports
    Adding Filters to a Search
    Adding a Filter
    Managing Filter Sets
    Adding a Filter Set
    Copying a Filter Set
    Renaming a Filter Set
    Editing a Filter Set
    Removing a Filter Set
    Creating a Search
    Creating a Standard Search
    Creating a Time Analysis Search
    Creating a Detailed Search
    Allowed Traffic
    Downloading Detailed Reports as CSV
    Creating a Search from a Predefined Search
    Saving a Search
    Editing a Search
    Renaming a Search
    Removing a Search
    Removing an Empty Folder
    Creating Composite Reports
    Downloading Composite Reports
    Editing Composite Reports
    Removing Composite Reports
    Scheduling Reports
    Email Groups
    Creating an Email Group
    Removing an Email Group
    Email Recipients
    Creating an Email Recipient
    Removing an Email Recipient
    Creating a Scheduled Report
    Editing a Scheduled Report
    Removing a Scheduled Report

Web Filtering Service
    Overview
    Managing Filters
    Creating a New Filter
    Categories (HTTP)
    Categories (HTTPS)
    Domains/URLs
    Content Types
    File Types
    Exceptions
    Editing a Filter
    Removing a Filter
    Outbound Content Control
    Bi-directional Filters
    Outbound Filters
    Schedules
    Creating a New Schedule
    Editing a Schedule
    Removing a Schedule
    Policy
    Creating a Rule
    Editing a Rule
    Removing a Rule
    Quotas
    Creating a Quota
    Editing a Quota
    Removing a Quota
    Global Settings
    SearchAhead
    Changing Global Settings
    Notifications
    User Messages
    Email Alerts

Malware Service
    Overview
    Spyware
    Approved List
    Password Protected Archives
    User Messages
    Email Alerts
    Web Virus
    User Messages
    Email Alerts

Reporting Attributes
    Overview
    Attributes

Web Filtering Categories
    Overview
    Categories

Pre-Defined Searches
    Application Analysis
    Bandwidth Analysis
    Block Analysis
    Browse Time Analysis
    Category Analysis
    Group Analysis
    Host Analysis
    Legal Liability Analysis
    Malware Analysis
    Security Analysis
    User Analysis

Role Permissions
    Access

Delegated Administration
    Overview
    Logging In to the Parent Organization
    Enabling Subsidiary Organizations to Set Policies
    Subsidiary Privacy Policy
    Managing Filters, Schedules, and Dictionaries
    Setting Global and Local User Messages
    Configuring Email Domains
    Running Audits
    Delegated Reporting

Web Security Appliance Integration
    Overview
    Configuring the WSA Upstream Proxy
    Setting the Routing Policies
    CLI Settings

Third Party Integration
    Overview
    BlackBerry Enterprise Server
    Blue Coat
    Prerequisites
    Proxying With BCAAA
    Proxying With ICAP
    Check Point
    Firebox
    NetCache
    NetScreen
    SonicWALL
    ISA Server/Forefront TMG
    Squid
    Prerequisites
    Configuration

GLOSSARY

INDEX

Preface
Revised: October 6, 2010, OL-22629-05

This preface describes the audience and conventions of the ScanCenter Administrator Guide. It also describes the available product documentation and provides information on how to obtain documentation and technical assistance.
• Audience
• Conventions
• Obtaining Documentation and Submitting a Service Request

Audience
This guide is intended primarily for network administrators and channel partners.

Conventions
This guide uses the following conventions:

Item                                                                                          Convention
Commands and keywords.                                                                        boldface font.
Variables for which you supply values.                                                        italic font.
Optional command keywords. You do not have to select any options.                             [enclosed in brackets]
Required command keyword to be selected from a set of options. You must choose one option.    {options enclosed in braces | separated by a vertical bar}
Displayed session and system information.                                                     screen font.
Information you enter.                                                                        boldface screen font.
Variables you enter.                                                                          italic screen font.
Menu items and button names.                                                                  boldface font.
Choosing a menu item.                                                                         Options > Network Preferences

Note Means reader take note.

Tip Means the following information will help you solve a problem.

Caution Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.

Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.

Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

CHAPTER 1

Getting Started with ScanCenter
Revised: October 20, 2011, OL-22629-05

The ScanCenter Administrator Guide provides instructions for setting up, administering, and monitoring Cisco Cloud Web Security. These instructions are designed for an experienced system administrator with knowledge of networking and Web administration. This chapter contains the following topics:
• Overview, page 1-1
• Dashboards, page 1-1

Overview
ScanCenter is the Cisco Cloud Web Security administration portal. From here you can manage users and groups, set policy, monitor traffic and generate reports. The following Web browsers are supported:
• Mozilla Firefox 3.6
• Microsoft Internet Explorer 8

Note Microsoft Internet Explorer 8 is supported in Compatibility View only.

This guide details the full set of functionality available in ScanCenter. Some functionality may not be present in your account, depending on your region and vendor. If this is the case, you can contact a sales representative for further information.

Dashboards
Dashboards are online reports that give you an overview of Web activity at your organization over the last 24 hours. The ScanCenter home page includes links to the four dashboards.

Click Dashboard to display the main dashboard where you can view reports for:
• All services
• Web Virus
• Spyware
• Web Filtering

The following reports are displayed:
• All blocks
• Top 10 Users by Blocks

Click Web Virus to display the Web Virus dashboard where you can view reports for:
• Top 10 Groups by Virus Blocks
• Virus Blocks Over Time
• Top 10 Virus by Blocks
• Top 10 Zero Hour Blocks

Click Spyware to display the Spyware dashboard where you can view reports for:
• Spyware Blocks Over Time
• Spyware Subcategory Blocks Over Time
• Top 10 Spyware by Blocks
• Top 10 Groups by Spyware Blocks

Click Web Filtering to display the Web Filtering dashboard where you can view reports for:
• Bandwidth Consumed Over Time
• Blocks Over Time
• Top 10 Categories by Hits
• Top Risk Classes by Hits
• Top 10 Web Filtering Users by Hits
• Top 10 Users by Connections

CHAPTER 2

Administration
Revised: January 18, 2012, OL-22629-05

This chapter contains the following topics:
• Overview, page 2-1
• Account Management, page 2-2
• User Management, page 2-8
• Hosted Configuration Files, page 2-12
• Authentication, page 2-15
• Dictionaries and Databases, page 2-31
• Auditing ScanCenter Use, page 2-36
• Secure Traffic Inspection, page 2-40

Overview
The administration tasks in ScanCenter are accessed via the Admin tab. From there you can:
• Change your account details and password.
• Update the IP addresses scanned by Cisco Cloud Web Security.
• Verify dynamic DNS.
• Manage admin users.
• Manage company, group, and user keys.
• Configure email messages.
• Manage users and groups.
• Host configuration files.
• Create or import dictionaries and file information databases.
• Generate audits.
• Manage HTTPS certificates, filters, and policy.

Account Management
The account management area of ScanCenter enables you to:
• Edit your account details.
• Change your password.
• Update the scanned IP addresses.
• Download a list of registered dynamic DNS addresses.
• Manage admin users.

Editing Your Account Details
To edit your account details:
Step 1 Click the Admin tab to display the administration menus.
Step 2 In the Your Account menu, click Account Details to display the Account Details page.
Step 3 In the Title list, click your title. The available options are:
• Mr
• Ms
• Miss
• Mrs
• Dr
• Other
Step 4 Enter your First name.
Step 5 Enter your Last name.
Step 6 Enter your Job Title.
Step 7 Enter your organization’s name in the Company name box.
Step 8 Enter the URL of your organization’s website in the Website box.
Step 9 Enter your telephone number in the Telephone box.
Step 10 Enter your facsimile number in the Fax box.
Step 11 Enter your mobile telephone number in the Mobile Phone box.
Step 12 Enter your organization’s address, using up to three lines, in the Address boxes.
Step 13 Enter your postal code in the ZIP/Post Code box.
Step 14 In the Country list, click your country.
Step 15 In the Timezone list, click your time zone. Alternatively, click UTC.
Step 16 Click Save to save your changes. Alternatively, navigate to another page to abandon your changes.

Changing Your Password
When a new user is created, or an administrator resets the password of a user who has forgotten their password, a temporary password is sent to the email address associated with that user. Passwords expire after a set period of time, 90 days by default. This is configured for you by customer support and you can request that passwords do not expire. If your password has expired, you will be prompted to change your password before you can access any other areas of ScanCenter. You can also choose to change your password at any time. Your new password cannot be the same as any of your five previous passwords and it must contain:
• at least 8 characters
• one or more lower case letters
• one or more upper case letters
• one or more digits
• one or more of the following special characters: @ # $ % ^ & - = _ ! : ?

To change your password:
Step 1 Click the Admin tab to display the administration menus.
Step 2 In the Your Account menu, click Change Password to display the Change Password page.

Step 3 Enter the new password in the Password and Confirm password boxes. As you type the password the red crosses will change to green ticks as each criterion is met.
Step 4 When you have entered a valid password, click Save to change your password. Alternatively, navigate away from the page to abandon your changes.

Note Clicking Reset does not reset your password. It only clears the boxes.

Changing the Scanned IP Addresses
To request changes to the IP addresses scanned by Cisco Cloud Web Security:
Step 1 Click the Admin tab to display the administration menus.
Step 2 In the Your Account menu, click Scanning IPs to display the Request Scanning Ips page.
Step 3 Enter the IP addresses with their net masks in the box.
Step 4 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

Note IP addresses will normally be updated within one business day. A confirmation email will be sent when the changes are complete. If your change is urgent, email support for immediate action.

Downloading a List of Dynamic DNS Addresses
Typically, accessing the proxy servers from a dynamic IP address requires the use of Connector configured with group or company authentication keys. Cisco provides a proprietary DDNS service as a means to verify dynamic IP addresses against its authentication database.

The majority of Cisco and third-party routers can issue Dynamic DNS (DDNS) requests. DDNS enables the router to communicate with an external server to send its current external (WAN) IP address, so that other devices can connect to it using a static name resolved through normal DNS requests. The DDNS server is automatically updated if the external IP address changes. A DDNS update comprises a user name, password, and host name, which can be used by the service to authenticate these devices. Any router which has a ‘custom’ option for DDNS should be able to use this functionality. It is also possible to perform DDNS registration with client-side software.

Note For transparent deployment, DDNS routers must support the ability to port forward traffic to the proxy servers. Alternatively, browser proxy settings (PAC, WPAD, and so on) may be used if required.

To enable DDNS support:
Step 1 If you have not already done so, create a group authentication key in ScanCenter.
Step 2 Create a ‘custom’ DDNS on your router.
Step 3 Set the server to ddns.scansafe.net.
Step 4 Set the URL to /dir/register?hostname=.
Step 5 Set the host name to one of the domains associated with your ScanCenter account, typically your email domain.
Step 6 Set a unique identifier for the user name or equivalent parameter.
Step 7 Set the password to the group authentication key you previously created.

For detailed instructions on configuring your router, refer to your router documentation.

To verify your routers are working correctly you may want to view a list of currently registered dynamic DNS addresses. The list is provided as a CSV file containing the current IP address for each device. It does not contain a history of device IP addresses. To download the list:
Step 1 Click the Admin tab to display the administration menus.
Step 2 In the Your Account menu, click Dynamic DNS to display the Dynamic DNS page.
Step 3 Click Generate Audit to download a comma-separated list of the dynamic IP addresses registered with your account. The list contains user names, host names, IP addresses, and the date of the last update.

Managing Admin Users
The Admin Users page enables you to create, edit and remove admin users. The access rights of an admin user are determined by the role assigned to that user. The available roles are:
• Full Access
• Read Only
• Report Admin
• Admin with no Forensic Role
• HR
• Full Read Only

See Role Permissions, page D-1 for details of the access rights associated with each role.

To manage admin users:
Step 1 Click the Admin tab to display the administration menus.
Step 2 In the Your Account menu, click Admin Users to display the Admin Users page.

Creating a New Admin User
To create a new admin user:
Step 1 Click Create to display the Create Admin User page.
Step 2 Enter the email address of the admin user in the Email Login box. This will be the user name.
Step 3 In the Role list, click a role.
Step 4 Click Save to create the admin user. Alternatively, navigate away from the page to abandon your changes.

Note You must activate the admin user to enable them to log in. A temporary password will be generated and emailed to the user on first activation.

Editing an Admin User
To activate an inactive admin user, click Activate. To deactivate an active admin user, click Deactivate. To reset the password of an admin user, click Reset. To unlock an admin user who has been locked out after multiple failed log-in attempts, click Unlock.

Note The organization super user account will never be locked. In the event of multiple failed log-in attempts, the password is reset and a temporary password sent to the email address associated with the account.

To change the role of an admin user:
Step 1 Click the required role in the Role list.
Step 2 Click Save. Alternatively, navigate away from the page to abandon your changes.

Changing Admin User Email Credentials
To change an admin user’s email password:
Step 1 Click Change to display the Change Password page.
Step 2 Enter the new password in the Password and Confirm password boxes, ensuring the password meets the acceptable password criteria (see Changing Your Password, page 2-3).
Step 3 Click Save to change the password. Alternatively, navigate away from the page to abandon your changes.

Restricting Access to Reports
You can restrict the data that an admin user is able to view when running reports. By default there are no restrictions in place. To exclude attributes from reports run by a specific admin user:
Step 1 Click Change to display the list of attributes.
Step 2 Clear the check boxes of the attributes that you do not want to be viewed by the admin user.
Step 3 Add any filters you want to apply to online reports viewed by the admin user. For more information about filters see Filtering Reports, page 3-11.

Note Filters will not be applied to scheduled reports. Filter sets cannot be applied to admin users.

Step 4 Click Save.

Removing an Admin User
To permanently remove an admin user:
Step 1 Select the Delete check box for the required user. You can select multiple admin users to be removed.
Step 2 Click Delete. You will be prompted to confirm your action.

Caution When an admin user has been removed it cannot be recovered. Instead, you must create a new admin user.

User Management
The user management area of ScanCenter enables you to create groups, edit groups and users, and import users, dictionaries, and file information. When using Cisco Integrated Services Router Web Security, Cisco AnyConnect Secure Mobility Web Security, or Connector, groups enable you to implement role-based Web access policy. Groups are evaluated as follows:
1. If Connector is configured to send internal group details, a check is made to see if the supplied group name matches any groups configured in ScanCenter. If a match exists the matched group is selected. If the user belongs to more than one group then any group containing the string 'webscan' will be given priority.
2. If the user name is matched but no group is matched, a check is made to see if the user belongs to an existing group.
3. If the group cannot be matched but the internal IP address is present, a check is made to see if the IP address matches a group IP expression.
4. If the group cannot be matched, a check is made to see if the external IP address matches a group IP expression.
5. If the group still cannot be matched, the default group is used.
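
The group evaluation order above, worked through in Python to show which group (and therefore which policy) a request ends up in. This is an added example, not Cisco code: the Group model, function names, sample groups and addresses are constructed for illustration, and the case-insensitive name comparison and first-match tie-breaking are assumptions the guide does not specify.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Group:
    """Hypothetical model of a ScanCenter group (illustration only)."""
    name: str
    users: frozenset = frozenset()        # user names assigned to this group
    ip_expressions: Tuple[str, ...] = ()  # address/netmask, e.g. "192.168.0.0/255.255.0.0"


def ip_in_expressions(address: str, expressions: Iterable[str]) -> bool:
    """True if the address falls inside any address/netmask expression."""
    ip = ip_address(address)
    # ip_network() accepts dotted netmasks; strict=False tolerates host bits.
    return any(ip in ip_network(expr, strict=False) for expr in expressions)


def first_ip_match(groups: Sequence[Group], address: str) -> Optional[Group]:
    """First group (in configured order, an assumption) whose expression matches."""
    for group in groups:
        if ip_in_expressions(address, group.ip_expressions):
            return group
    return None


def resolve_group(groups: Sequence[Group], default: Group, *,
                  supplied_groups: Sequence[str] = (),
                  user: Optional[str] = None,
                  internal_ip: Optional[str] = None,
                  external_ip: Optional[str] = None) -> Tuple[str, int]:
    """Return (selected group name, number of the step that selected it)."""
    by_name = {g.name.lower(): g for g in groups}

    # Step 1: group names sent by Connector; 'webscan' groups take priority.
    matched = [by_name[n.lower()] for n in supplied_groups if n.lower() in by_name]
    if matched:
        preferred = [g for g in matched if "webscan" in g.name.lower()]
        return (preferred or matched)[0].name, 1

    # Step 2: no group matched, but the user belongs to an existing group.
    if user is not None:
        for group in groups:
            if user.lower() in {u.lower() for u in group.users}:
                return group.name, 2

    # Step 3: internal IP address against group IP expressions.
    if internal_ip is not None:
        group = first_ip_match(groups, internal_ip)
        if group is not None:
            return group.name, 3

    # Step 4: external IP address against group IP expressions.
    if external_ip is not None:
        group = first_ip_match(groups, external_ip)
        if group is not None:
            return group.name, 4

    # Step 5: nothing matched, so the default group applies.
    return default.name, 5


# Constructed sample configuration (not taken from any real account).
DEFAULT_GROUP = Group("Default")
SAMPLE_GROUPS = (
    Group("Engineering"),
    Group("webscan-restricted"),
    Group("Contractors", users=frozenset({"jdoe"})),
    Group("Staff", ip_expressions=("10.0.0.0/255.0.0.0",)),
    Group("BranchOffice", ip_expressions=("203.0.113.0/255.255.255.0",)),
)

if __name__ == "__main__":
    cases = [
        dict(supplied_groups=["Engineering", "webscan-restricted"]),
        dict(supplied_groups=["NoSuchGroup"], user="JDoe"),
        dict(internal_ip="10.20.30.40"),
        dict(internal_ip="172.16.5.5", external_ip="203.0.113.7"),
        dict(user="nobody", external_ip="198.51.100.9"),
    ]
    for case in cases:
        print(case, "->", resolve_group(SAMPLE_GROUPS, DEFAULT_GROUP, **case))
```

The last sample case shows a request that matches no group name, user, or IP expression and is therefore handled under the default group.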

Managing Groups
Two types of groups are supported in ScanCenter: directory groups and custom groups. Directory groups can be Windows Active Directory groups or LDAP groups. Custom groups enable you to create a group containing any users, regardless of their Active Directory or LDAP group. To manage groups:
Step 1 Click the Admin tab to display the administration menus.
Step 2 In the Management menu, click Groups to display the Manage Groups page.

Adding a Directory Group
Before you can add a directory group you must first create the Windows Active Directory or LDAP group on your server. To add a directory group:
Step 1 Click Add Directory Group to display the Add New Directory Group page.
Step 2 Enter the Active Directory or LDAP group in the box.

click Cancel to abandon your changes. Click Save to return to the Manage Groups page. click the group name hyperlink to display the Edit Custom Group page.Chapter 2 User Management Administration Step 3 Click Save to save your changes. Editing a Group To edit a group: Step 1 In the Manage Groups page. Edit the group. Alternatively. Step 2 Enter a new name for the group in the box and click Save. ScanCenter Administrator Guide 2-10 OL-22629-05 . accept the existing name. Creating a Custom Group To create a custom group: Step 1 Click Add Custom Group to display the Add New Custom Group page. Alternatively. click Cancel to abandon creating the group. Step 2 Step 3 Step 4 Enter a name for the group in the box. Alternatively.

You cannot remove a group that is associated with a policy. They must be imported from a text file containing a comma-separated list in the form <group>. You can click Done to return to the Manage Groups page.0. Click Import.0/255. Enter the required Active Directory or LDAP users in the box and click Save.0. Instead you must create the custom group again. <user name>. If you need to make changes you should remove the existing user and import a new user with the appropriate details. Importing a User List To import a user list: Step 1 Step 2 Click the Admin tab to display the administration menus.255. Step 3 Step 4 Click Browse then navigate to the file. Removing a Group In the Manage Groups page.Chapter 2 Administration User Management Step 3 Step 4 Enter the required IP expressions in the box.0. In the Management menu. select the check box of the group to be removed then click Delete Selected to permanently remove the group. Users cannot be edited. You can select multiple groups to be removed. for example 192. Caution When a custom group has been removed it cannot be recovered. When the list has been imported individual users can be removed. click Import User List to display the Import User List page. Managing Users Users cannot be added individually. You will be notified if the file cannot be validated.168. <email address> for each user. ScanCenter Administrator Guide OL-22629-05 2-11 . You will be prompted to confirm your action. and click Save.

if you wait 10 seconds you will be taken back. When you have imported a user list you can click Back to step 1. You must test PAC files to ensure they function correctly before uploading. click Confirm. and other configuration files to ScanCenter. You will be notified if the import was successful. to import additional user lists. Click Delete Selected. Removing Users To remove a user: Step 1 Step 2 Click the Admin tab to display the administration menus. You will be prompted to confirm your action. Alternatively. and manage those files. In the Management menu.Chapter 2 Hosted Configuration Files Administration Step 5 If the list is correct. Alternatively. Step 3 Step 4 Select the check box of the user to be removed. click Users to display the Manage Users page. Hosted Configuration Files The hosted configuration area of ScanCenter enables you upload PAC (proxy auto-config) files. You can search for a user by entering all or part of the user name in the Search box and clicking Search. To display the full list again click Reload list. click Back to step 1. edit the file and repeat the import process. Cisco AnyConnect Secure Mobility Client Web Security config. You can select multiple users to be removed. For ScanCenter Administrator Guide 2-12 OL-22629-05 .

Step 2 Step 3 Step 4 Step 5 Click the required file type in the Resource Format box. Uploading a New Configuration File To upload a file: Step 1 Click the Upload Config tab to display the Upload Config page. Enter a unique Description in the box. There is a maximum file size limit of 500 kilobytes.0 (or later). status.Chapter 2 Administration Hosted Configuration Files further information about PAC files. ScanCenter Administrator Guide OL-22629-05 2-13 . Click Upload to upload the file. refer to the Cisco AnyConnect Secure Mobility Client Administrator Guide. To view your hosted configuration files: Step 1 Step 2 Click the Admin tab to display the administration menus. URL or associated group key. The description. Note You must upload the unscrambled version of the AnyConnect config file. refer to the Connector Administrator Guide appendix “Proxy Auto-Config Files”. creation and modification dates are displayed. In the Management menu. type. Release 3. For information about Web Security. The file will be scrambled before it is served to your users but you will still be able to download the plain text version. Click Browse to select a file to upload. click Hosted Config to display the Hosted Config page.

click Delete. Removing Configuration Files Only configuration files that are inactive can be completely removed. To remove an inactive configuration file: Step 1 Click the Admin tab to display the administration menus. In the Management menu. then click Save. Click the Edit icon. To remove a specific version of a file. Alternatively. then click Save. clear the check box to deactivate the configuration file. select the Active check box. You will not be asked to confirm your action. upload newer versions. When there are two or more versions of a file. click Default to enable a specific version. click Hosted Config to display the Hosted Config page. Caution When you click Delete the file will be deleted immediately unless it is the default version. then click Save.Chapter 2 Hosted Configuration Files Administration Managing Configuration Files When you have uploaded a file you can activate or deactivate it. To activate a configuration file. and delete versions. ScanCenter Administrator Guide 2-14 OL-22629-05 . To manage a configuration file: Step 1 Step 2 Step 3 Click the Admin tab to display the administration menus.

Authentication Authentication is the act of confirming the identity of a user. See User Management. For further information refer to the relevant administrator guide. To deactivate an active key. To generate a company key: Step 1 Click Create new. click Deactivate.Chapter 2 Administration Authentication Step 2 Step 3 In the Management menu. Note Revoking or deactivating a key will prevent users from being able to authenticate with Cisco Cloud Web Security. groups. You will not be asked to confirm your actions. and individual users for use with Cisco Integrated Services Router Web Security. click Company Key to display the Company Key page. Before creating group or user keys you should set up your groups and users. Company Keys The company key is used for organization-wide authentication. ScanCenter enables you to control access to the Web for each user or a group of users. Cisco AnyConnect Secure Mobility Web Security. ScanCenter can perform authentication without the need for client software. click Hosted Config to display the Hosted Config page. click Activate. To view the company key: Step 1 Step 2 Click the Admin tab to display the administration menus. Caution Files are removed immediately. When you have revoked a key you must generate a new key. but you can also generate authentication keys for your organization. To activate a deactivated key. and Connector. To permanently remove a key click Revoke. ScanCenter Administrator Guide OL-22629-05 2-15 . This enables you to enforce your organization's policies and comply with regulations. In the Authentication menu. page 2-8. Click the Delete icon.

The Authentication Keys page is displayed.

Step 2 Copy the authentication key to a secure location.

Caution For security reasons, the authentication key is displayed only once. If you lose the key you must revoke the existing key and create a new key.

Group Keys

Group keys are used for authenticating groups of users. Before creating group keys you should ensure you have created the required groups. See User Management, page 2-8.

To view the group keys:

Step 1 Click the Admin tab to display the administration menus.
Step 2 In the Authentication menu, click Group Keys to display the Group Authentication Keys page.

To deactivate an active key, click Deactivate. To activate a deactivated key, click Activate.

To create and activate a key:

Step 1 Click Create Key. The Authentication Keys page is displayed.
Step 2 Enter a group email address in the Send via email to the user box.
Step 3 Click a domain in the list.
Step 4 Click Send to send an email to members of the group.

You can search for a group by entering all or part of the group name in the Search box and clicking Search. To display the full list again click Reload list.

Bulk Group Management

You can activate, deactivate and revoke group keys in bulk.

Click the check box to select a group with a key. You can click Select All to select the check box of all groups with keys or Deselect All to clear all check boxes.

Click Activate Selected to activate all the selected group keys.

Click Deactivate Selected to deactivate all the selected group keys.

Click Revoke Selected to permanently remove all the selected group keys. You will be prompted to confirm your action.

User Keys

User keys are used for authenticating individual users. Before creating user keys you should ensure you have imported the required users. See User Management, page 2-8.

Step 1 Click the Admin tab to display the administration menus.
Step 2 In the Authentication menu, click User Keys to display the User Authentication Keys page.

You can search for a user by entering all or part of the user name in the Search box and clicking Search. To display the full list again click Reload list.

To deactivate an active key, click Deactivate. To activate a deactivated key, click Activate.

To create and activate a key, click Create Key. The Authentication Keys page is displayed. Enter a user email address in the Send via email to the user box, click a domain in the list and click Send to send an email to the user.

To enable mobile functionality for a user, select the Mobile check box. Alternatively, clear the check box to switch off mobile functionality.

Bulk User Management

You can activate, deactivate and revoke user keys in bulk.

Click the check box to select a user with a key. You can click Select All to select the check box of all users with keys or Deselect All to clear all check boxes.

Click Activate Selected to activate all the selected user keys.

Click Deactivate Selected to deactivate all the selected user keys.

Click Revoke Selected to delete all the selected user keys.

Setting the User Email Message

To set the email message that is sent to a user with an authentication key:

Step 1 Click the Admin tab to display the administration menus.
Step 2 In the Authentication menu, click Email Messages to display the Email Messages page.
Step 3 Edit the message in the first box. The text [username] and [company_name] will be replaced with the user's name and your organization's name.
Step 4 Edit the signature in the second box.
Step 5 Click Submit to save your changes. Alternatively, navigate away from the page to abandon your changes.

You can click Reset to default message to restore the default message.

Clientless Authentication

When you enable clientless authentication, Cisco Cloud Web Security authenticates users before allowing them to connect to a destination server. This is achieved by creating an Authenticate rule in ScanCenter for the user or group. For roaming users this also requires configuring their browser to send traffic to the Cisco Cloud Web Security proxy server, typically using a PAC file.

ScanCenter supports the Lightweight Directory Access Protocol (LDAP) with standard and secure LDAP authentication.

To enable authentication, you must create at least one authentication realm. An authentication realm is a set of authentication servers (or a single server) supporting a single authentication protocol with a particular configuration. When you create more than one realm, your users will be able to select the realm they wish to authenticate with at the login screen.

Configuring Authentication Realms

Authentication realms reduce the changes required to your network and simplify provisioning users with Cisco Cloud Web Security.

Understanding How Authentication Works

To authenticate users who access the Web, Cisco Cloud Web Security connects to an external authentication server. The authentication server contains a list of users and their corresponding passwords and it organizes the users into a hierarchy. For users on the network to successfully authenticate, they must provide valid authentication credentials (user name and password as stored in the authentication server).

When users access the Web through Cisco Cloud Web Security, the service communicates with both the client and the authentication server to authenticate the user and process the request.

Cisco Cloud Web Security supports the following authentication protocols:

• Lightweight Directory Access Protocol (LDAP). Cisco Cloud Web Security uses the LDAP Bind operation to query an LDAP-compatible authentication server. Cisco Cloud Web Security supports standard LDAP server authentication and Secure LDAP (LDAPS) authentication.
• In addition to the preceding protocols, Cisco Cloud Web Security supports basic authentication. Cisco Cloud Web Security allows a client application to provide authentication credentials in the form of a user name and password when it makes a request.

LDAP Authentication

The Lightweight Directory Access Protocol (LDAP) server database is a repository for employee directories. These directories include the names of employees along with various types of personal data such as a phone number, email address, and other information that is exclusive to the individual employee. The LDAP database is composed of objects containing attributes and values. Each object name is referred to as a Distinguished Name (DN). The location on the LDAP server where a search begins is called the Base Distinguished Name or base DN.

Support for LDAP enables established installations to continue using their LDAP server database to authenticate users.

ScanCenter supports standard LDAP server authentication, Secure LDAP authentication, and StartTLS.

For Secure LDAP, ScanCenter supports LDAP connections over TLS, which requires a server certificate on the LDAP server. The TLS protocol is an industry standard for ensuring confidentiality. TLS uses key encryption algorithms along with Certificate Authority (CA) signed certificates to provide the LDAP servers a way to verify the identity of the appliance.

If your LDAP server supports the StartTLS extension, Cisco Cloud Web Security can establish Transport Layer Security with the server prior to authentication. StartTLS uses certificates to identify the LDAP server before a connection is created. StartTLS requires a server certificate on the LDAP server.

From this area of ScanCenter you can create, edit, and remove authentication realms and manage certificates (used by secure protocols).

Before configuring an authentication realm you will require:

• Server address — The full address to your LDAP server, host, port, and protocol.
• Search Base — The location in the LDAP tree to start searching for users.
• LDAP access — ScanCenter requires at least read-only access to your LDAP servers. The ports you need to open, and the IP addresses you must enable access for, and other related information, can be found in your provisioning email.
• (Optional) Certificate — The certificate to be used if you will be using a secure protocol, for example LDAPS.

Note You must import certificates before creating an authentication realm that requires a secure protocol.

Obtaining Certificates

To obtain a digital certificate for use with LDAP, you must follow these steps:

Step 1 Generate a public-private key pair.
Step 2 Generate a Certificate Signing Request (CSR).
Step 3 Self-sign the certificate. Alternatively, contact a certificate authority (CA) to sign the certificate.

The certificate you upload must use the X.509 standard and you must install the matching private key on your LDAP server.

ScanCenter cannot generate Certificate Signing Requests (CSRs) for this purpose. Therefore, to have a certificate created for the LDAP server, you must issue the signing request from another system. Save the key from this system because you will need to install it on the LDAP server later.

On Windows Server you can use Microsoft Certificate Services to generate a suitable certificate. For information on using Microsoft Certificate Services refer to your vendor documentation.

Alternatively, you can use any UNIX machine with a recent version of OpenSSL installed. Use the guidelines at the following location for information on generating a CSR using OpenSSL:

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28

Typically, LDAP servers use self-signed certificates. Use the guidelines at the following location for information on creating and using your own certificate authority (CA):

http://www.modssl.org/docs/2.8/ssl_faq.html#cert-ownca

Note Tools for generating and signing your own certificate are included with OpenSSL, free software from http://www.openssl.org.

Alternatively, when the CSR has been generated, submit it to a certificate authority (CA). The CA will return the certificate in PEM format.
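The three steps under Obtaining Certificates can be carried out with OpenSSL as shown here, followed by a check that the certificate you upload to ScanCenter belongs to the private key you install on the LDAP server. This is an added example, not part of the Cisco guide: the host name ldap.example.com, the file names, the function names, the 2048-bit RSA key and the 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example, not from the ScanCenter guide. Host name, file names,
# key size and validity period are assumptions chosen for illustration.

# make_ldap_cert DIR HOST
# Writes DIR/ldap.key (private key), DIR/ldap.csr (CSR) and
# DIR/ldap.crt (self-signed X.509 certificate in PEM format).
make_ldap_cert() {
    dir=$1
    host=$2
    ( umask 077    # keep the private key readable by its owner only
      # Steps 1 and 2: generate the key pair and the CSR in one command.
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$dir/ldap.key" -out "$dir/ldap.csr" \
          -subj "/CN=$host" 2>/dev/null ) || return 1
    # Step 3: self-sign. To use a CA instead, submit ldap.csr to it and
    # save the PEM certificate it returns as ldap.crt.
    openssl x509 -req -in "$dir/ldap.csr" -signkey "$dir/ldap.key" \
        -days 365 -out "$dir/ldap.crt" 2>/dev/null
}

# is_pem_x509 FILE: succeeds if FILE parses as a PEM-encoded X.509 certificate.
is_pem_x509() {
    openssl x509 -in "$1" -inform PEM -noout 2>/dev/null
}

# cert_matches_key CERT KEY: succeeds only if CERT carries KEY's public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demonstration in a throwaway directory.
demo_dir=$(mktemp -d)
if make_ldap_cert "$demo_dir" ldap.example.com &&
   is_pem_x509 "$demo_dir/ldap.crt" &&
   cert_matches_key "$demo_dir/ldap.crt" "$demo_dir/ldap.key"
then
    echo "certificate is PEM X.509 and matches the private key"
else
    echo "certificate check failed" >&2
fi
rm -rf "$demo_dir"
```

Run cert_matches_key again on the LDAP server after installing the key, since a certificate paired with the wrong key is the usual reason a secure realm fails its connection check.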

If you are acquiring a certificate for the first time, search the Internet for “certificate authority services SSL server certificates,” and choose the service that best meets the needs of your organization. Follow the service's instructions for obtaining an SSL certificate.

Managing Certificates

To upload an LDAP certificate:

Step 1 Click the Admin tab to display the Authentication menu, then click Management to display the Upload LDAP Certificates panel.
Step 2 Enter a unique Certificate name.
Step 3 Click Browse then navigate to and select the required certificate.
Step 4 Click Add to upload the certificate.

Click the Remove icon to remove a certificate.

Authenticating Users

When users access the Web through Cisco Cloud Web Security, they may be prompted to enter a user name and password. Cisco Cloud Web Security requires authentication credentials for some users depending on the configured Identity and Access Policy groups. Users should enter the user name and password of the credentials recognized by your organization's authentication server.

Note When enabling authentication with an LDAP authentication realm, ensure users do not enter the Windows domain name.

Working with Failed Authentication

Sometimes users are blocked from the Web due to authentication failure. The following list describes reasons for authentication failure and remedial actions you can take:

• Client application cannot perform authentication. Some clients cannot perform authentication or cannot perform the type of authentication that is required. If a client application causes authentication to fail, you can create a Web Filtering rule to allow the client to connect. See [WEB FILTERING]
• Authentication server is unavailable. An authentication server may be unavailable if the network connection is broken or if the server is experiencing a problem. You can set the desired behavior in the Failover options to block the user, use cached credentials, or apply the default policy.

• Invalid credentials. When a client passes invalid authentication credentials, Cisco Cloud Web Security continually requests valid credentials, essentially blocking access to the Web by default.

Working with Authentication Realms

An authentication realm is a set of authentication servers (or a single server) supporting a single authentication protocol with a particular configuration. Each server in the realm shares the same logical database; any server will return the same results for a given user. The realm is the context in which user names, group names, and so on should be unique. Typically, a realm will have a one to one match with a Windows domain.

You can perform any of the following tasks when configuring authentication:

• Include one or more authentication servers in a realm.
• Create one or more LDAP realms.

Note It is also possible to include an authentication server in multiple realms, although typically this is not required unless you use an Active Directory Global Catalog which stores a limited read-only copy of data for multiple domains or realms.

You create, edit, and remove authentication realms on the Admin > Authentication > Management page under the Authentication Realms section.

Creating an Authentication Realm

To create an authentication realm:

Step 1 Click the Admin tab to display the Authentication menu, then click Management to display the Authentication Realms panel.
Step 2 Click Add to display the Network connection panel.
Step 3 Enter a unique Realm name in the box.

Step 4 For each server you want to add to the realm:
a. Enter an IP address in IPv4 format, or a hostname in the Host name box.
b. Enter a Port in the box. The default for LDAP and StartTLS is 389. The default for LDAPS is 636.
c. In the Protocol list, click the required protocol, LDAP, StartTLS, or SSL (LDAPS).
d. If you are using a secure protocol, in the Certificate list, select the certificate you previously imported.
e. Click Check connection.

You can click Add another server to add as many servers as you want. You can click Remove server to remove any unwanted servers.

Step 5 When a connection has been successfully made, if your LDAP server accepts anonymous queries, select the Server Accepts Anonymous Queries check box. Alternatively enter the LDAP server's distinguished name in the Bind DN box, and enter the password in the Password box.
Step 6 Click Check Authentication.

Step 7 Accept or change the Search Base. This box must not be left empty.
Step 8 In the Search Attribute list, click the attribute that contains the user name. This can be cn, uid, or sAMAccountName. Alternatively, select custom and enter an attribute in the box.
Step 9 In the User Filter Query list, click a query to exclude non-user LDAP entries. This can be None or (objectClass=person). Alternatively, select custom and enter a query in the box.
Step 10 Accept or enter a Subject Attribute.
Step 11 To locate users by attribute, click Group Member Of Attribute. Accept the memberOf attribute or click custom and enter an attribute in the box. Alternatively, to locate users by group, click Group Members Attribute. Accept the users attribute or click custom and enter an attribute in the box.
Step 12 Click Browse to populate the Exclude the following groups list.

Select the element's check box to include an element. Elements may include:

• users
• groups
• organizational units (OUs)
• computers
• folders
• miscellaneous elements

Click the expand icon to expand or collapse an element.
Click the filter icon to add a filter to an element.
Click the filter enabled icon to edit or remove a filter.

Step 13 Click Select to add the selected elements. Alternatively, click Cancel to abandon your selection.
Step 14 Click Browse to populate the Use the following groups list.
Step 15 Click Select to add the selected elements. Alternatively, click Cancel to abandon your selection.
Step 16 (Optional) Click Advanced settings to display the additional settings:
a. Enter the maximum number of groups to search in the Maximum Groups box.
b. Enter number of nodes to traverse in the Nested Group Depth box.
Step 17 In the Groups Display list, click WinNT groups or LDAP standard to determine how the groups will be displayed.
Step 18 Enter a user name in the Check Sample User box and click Check LDAP to verify your settings.

Step 19 Click the required failover option, Block user, Use cached credentials, or Grant default policy.
Step 20 (Optional) To exclude users from authentication:
a. In the Custom Attributes pane, enter an LDAP Attribute to match.
b. In the Rule Match list, click an operator and enter a value in the box. The available operators are:
• Equals
• Less Than
• Regex (for details on constructing valid regular expressions contact customer support)
• Is True
• Is False
c. In the Action list click Block User.
d. Click Add.

You can click the Remove icon to remove the user filter.

Step 21 (Optional) To add users to a group for the duration of an authenticated session:
a. In the Custom Attributes pane, enter an LDAP Attribute to match.
b. In the Rule Match list, click an operator and enter a value in the box. The available operators are:
• Equals
• Less Than
• Regex (for details on constructing valid regular expressions contact customer support)
• Is True
• Is False
c. In the Action list click Add to Group.
d. Click Add.

You can click the Remove icon to remove the group settings.

Step 22 When you have finished configuring the authentication realm, click Apply settings. Alternatively, navigate to another page to abandon your changes.

Cisco Cloud Web Security Behavior With Multiple Realms

You can configure Cisco Cloud Web Security to provide users with a choice of authentication realms which may include multiple servers with different security protocols. For example, you may want to configure multiple realms if your organization acquires another organization that has its own authentication server using the same or a different security protocol. That way, you can create one policy for all users.

Managing an Authentication Realm

To manage an existing authentication realm, click the Admin tab to display the Authentication menu, then click Management to display the Authentication Realms panel.

To change a realm, click the Edit icon.

To remove a realm, click the Remove icon.

To download an audit of a realm, click the CSV icon.

To activate an inactive realm, select the Active check box and click Apply settings.

To deactivate an active realm, clear the Active check box and click Apply settings.

Caution If you make configuration changes to an LDAP server, you must edit your authentication realms in ScanCenter to match the changes or your users will not be able to authenticate.

Testing Authentication Settings

When you create or edit an authentication realm, you enter a lot of configuration settings to connect to the authentication server. The information you enter is validated at each stage of the process to ensure the correct information has been entered.

Testing Process

When you test authentication settings, ScanCenter first verifies that the settings you entered for the realm are in valid formats. For example, if a field requires a text string and it currently contains a numeric value, ScanCenter informs you of that error.

If all fields contain valid values, ScanCenter performs different steps, depending on the security protocol. If the realm contains multiple authentication servers, ScanCenter goes through the testing process for each server in turn.

LDAP Testing

ScanCenter performs the following steps when testing LDAP authentication settings:

1. It ensures that the LDAP server is listening on the specified LDAP port.
2. If Secure LDAP is selected, ScanCenter ensures the LDAP server supports Secure LDAP.
3. If StartTLS is selected, ScanCenter ensures the LDAP server supports the StartTLS extension.
4. If the realm includes bind parameters, ScanCenter validates them by attempting to authenticate with the LDAP server.

Setting the Cookie Duration

Clientless authentication uses cookies stored in the client browser. To configure the time before expiry:

Step 1 Click the Admin tab to display the Authentication menu, then click Management to display the Cookie Expiry panel.
Step 2 Enter the duration in seconds before group cookies expire in the Group Expiry Seconds box.
Step 3 Enter the duration in seconds before user cookies expire in the User Expiry Seconds box.
Step 4 Enter the duration in seconds before roaming cookies expire in the Roaming Expiry Seconds box.
Step 5 Click Apply settings. Alternatively, navigate away from the page to abandon your changes.

Downloading Audit Reports

To download a clientless authentication audit report:

Step 1 Click the Admin tab to display the Authentication menu, then click Management to display the Download Audit Reports panel.
Step 2 Click a Period the report will cover. The available options are:
• Last 5 Minutes
• Last Hour
• Last Day
Step 3 Click the CSV icon.

Configuring Roaming

To enable roaming users to authenticate with a specific realm, roaming must be enabled for that realm. To configure roaming settings:

Step 1 Click the Admin tab to display the Authentication menu, then click Management, then click Configure Roaming to display the Roaming Configuration panel.
Step 2 For each realm that you want to enable roaming users to authenticate with, select the Enable Roaming check box.
Step 3 Enter the Roaming Group or click Browse and select a group from the LDAP server.
Step 4 Enter the Email Attribute or click Browse and select an attribute from the LDAP server.
Step 5 (Optional) To add additional LDAP attributes, click Add and enter an Attribute name and Attribute description in the boxes. You can click the Remove icon to remove additional attributes.
Step 6 Click Apply settings.

You can click Download to download the HTTPS CA certificate. This must be deployed to user browsers if you want to enable HTTPS inspection.

Configuring the User Authentication Page

Cisco Cloud Web Security displays the User Authentication page when a user that is not already authenticated attempts to connect to the service. To configure the page:

Step 1 Click the Admin tab to display the Authentication menu, then click User Messages to display the User Messages panel.

Step 2 Click Choose File and navigate to an image you want to be displayed on the page. The image can be in PNG, GIF, or JPEG format and must be no larger than 500K. It can be any pixel size you want, but you should use something appropriate for the screen size of your user’s devices that will connect to the service.
Step 3 Enter the word or phrase you want to use in the User name text box.
Step 4 Enter the word or phrase you want to use in the Password text box.
Step 5 Enter up to 1,000 characters of plain text in the Help text box.
Step 6 Enter up to 1,000 characters of plain text in the Disclaimer text box.
Step 7 Click Preview to display the User Authentication page.

Step 8 Click Apply settings to make your changes permanent. Alternatively, click Cancel to continue editing the User Authentication page or navigate away from the page to abandon your changes.

Dictionaries and Databases

Dictionaries are used with Outbound Content Control (OCC). You can import dictionaries from a file which can include words and phrases, but not regular expressions or wild cards. Dictionaries can contain a maximum of 1,000 words or phrases.

File information databases enable you to block specific files. You can also import databases from a file.

Managing Dictionaries

Click the Admin tab to display the administration menus. In the Management menu, click Dictionaries to display the Manage Dictionaries page.

Creating a New Dictionary

To create a new dictionary:

Step 1 Enter a name in the Enter new Dictionary name box.
Step 2 Click Add Dictionary.
Step 3 Edit the dictionary.

Editing a Dictionary

Click the dictionary name hyperlink to display the Edit Dictionary page.

To add an individual word or a phrase, enter the text in the Enter the words or phrases below that you wish to block box then click Add.

To remove a word or phrase, click it in the list then click Delete.

You can import words and phrases from a text file. The list must be comma-separated. For example:

the,quick,brown,fox,jumps over the,lazy dog

To import a comma-separated list of words and phrases:

Step 1 Click Browse then navigate to the file.
Step 2 Click Import.

Step 3 If the list is correct, click Confirm to add the words or phrases and return to the Edit Dictionary page. Alternatively, click Back to step 1, edit the file and repeat the import process.

Removing a Dictionary

To remove a dictionary:

Step 1 In the Manage Dictionaries page, select the check box of the dictionary to be removed. You can select multiple dictionaries to be removed.
Step 2 Click Delete Dictionaries. You will be prompted to confirm your action.

Managing File Information Databases

To manage file information databases:

Step 1 Click the Admin tab to display the administration menus.
Step 2 In the Management menu, click File Info DBs to display the Manage File Infos page.

Creating a New Database

To create a new database:

Step 1 Enter a name in the Enter new File Info DB name box.
Step 2 Click Add File Info DB.
Step 3 Edit the database.

Editing a Database

Records are added to a database by importing comma-separated lists of file information. Each entry in the list must include the file name, file size, an MD5 checksum, and an SHA-1 checksum in that order, for example:

1video.avi,37352,d97343b7ef8a00307091c6456b25c84,de9e351ebe13186770f3fc79f45733a6d595e2e1

On UNIX and UNIX-like systems, OpenSSL can be used to generate the checksum with the following commands:

openssl md5 <filename>
openssl sha1 <filename>

On Windows, the Microsoft File Checksum Integrity Verifier can be used to generate the checksum with the following commands:

fciv -md5 <filename>
fciv -sha1 <filename>

The File Checksum Integrity Verifier can be downloaded from Microsoft's website:

http://search.microsoft.com/results.aspx?q=microsoft+file+checksum+integrity+verifier

To import a list of file information into a database:

Step 1 Click the database name hyperlink.
Step 2 Click Browse then navigate to the file.
Step 3 Click Import. You will be notified if the file cannot be validated.

The imported data is displayed in a table with file name, file size, MD5 and SHA-1 checksum.

Step 4 If the list is correct, click Confirm. Alternatively, click Back to step 1, edit the file and repeat the import process.

Removing a Database

To remove a database:

Step 1 In the Manage File Infos page, select the check box of the database to be removed. You can select multiple databases to be removed.
Step 2 Click Delete File Infos. You will be prompted to confirm your action.
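A file information list in the format described under Editing a Database can be generated and checked before import with a short script built on the same openssl commands. This is an added example, not part of the Cisco guide: it assumes the file size field is the size in bytes, and the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the ScanCenter guide. Assumes the file size
# field is the size in bytes; the guide does not state the unit.

# hex_digest ALGO FILE: print the bare hex digest (ALGO is md5 or sha1).
hex_digest() {
    # "openssl md5" prints "MD5(stdin)= <hex>"; keep only the last field.
    openssl "$1" < "$2" | awk '{ print $NF }'
}

# check_entry LINE: succeeds only if LINE is "name,size,md5,sha1" with a
# numeric size, a 32-character MD5 and a 40-character SHA-1 checksum.
check_entry() {
    printf '%s\n' "$1" | awk -F, '
        NF != 4                                    { bad = 1 }
        $1 == ""                                   { bad = 1 }
        $2 !~ /^[0-9]+$/                           { bad = 1 }
        length($3) != 32 || $3 !~ /^[0-9A-Fa-f]+$/ { bad = 1 }
        length($4) != 40 || $4 !~ /^[0-9A-Fa-f]+$/ { bad = 1 }
        END                                        { exit bad + 0 }'
}

# file_info_entry FILE: print one import line for FILE.
file_info_entry() {
    [ -f "$1" ] || { echo "not a regular file: $1" >&2; return 1; }
    name=$(basename "$1")
    case $name in
        *,*) echo "comma in file name breaks the list format: $name" >&2
             return 1 ;;
    esac
    size=$(wc -c < "$1" | tr -d ' ')
    entry="$name,$size,$(hex_digest md5 "$1"),$(hex_digest sha1 "$1")"
    # Refuse to emit a line that would not pass the shape check.
    check_entry "$entry" || { echo "could not build entry for $1" >&2; return 1; }
    printf '%s\n' "$entry"
}

# Demonstration on a constructed 3-byte sample file.
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/sample.bin"
file_info_entry "$demo_dir/sample.bin"
rm -rf "$demo_dir"
```

An MD5 checksum is always 32 hexadecimal characters and a SHA-1 checksum 40, so check_entry rejects any entry whose checksum fields have a different length.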

Auditing ScanCenter Use

You can generate access and activity audits for your organization’s ScanCenter account. You can also configure email alerts to notify you of failed ScanCenter login attempts. You must have the correct role to be able to perform these tasks. See Role Permissions, page D-1 for more information on roles.

Email Alerts

To configure the email alert sent after a failed login attempt:

Step 1 Click the Admin tab to display the administration menus.
Step 2 In the Audit menu, click Access Settings to display the Access Settings page.
Step 3 When a user account is locked, following a series of failed login attempts, the user is instructed to send an email to an administrator to unlock their account. Enter the administrator email address to display in the Contact email in the login failure message box. If no address is provided the organization super user’s email address is displayed.
Step 4 Select the Enable email alerts check box to send an email whenever there is a failed login attempt.
Step 5 Enter up to five email addresses in the boxes.
Step 6 In the Max frequency box, click the number of email alerts to batch together (1 to 20).
Step 7 In the Period box, click the delay between emails in hours (1 to 24).
Step 8 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

Access Audits

Generating an access audit enables you to see all the login attempts that have taken place in ScanCenter over a period of time, from a day up to a year.

To download an audit as a CSV file:

Step 1 Click the Admin tab to display the administration menus.
Step 2 In the Audit menu, click Access Audit to display the Access Audit page.
Step 3 In the Time zone list, click a time zone. The default is UTC.
Step 4 In the Time period list, click a pre-defined time period. The pre-defined time periods are:
• Previous hour
• Previous day - yesterday
• Previous week - the last full week
• Last n hours (12, 24, 48 or 72)
• Last week - the previous seven days
• Last n weeks (2 or 3)
• Last month
• Last n months (2, 3, 4, 5, 6, 9 or 12)
Alternatively, click Custom and enter the required start and end dates and times:
a. Enter a start date in the box or click the Calendar icon to choose a date.
b. Choose a start time using the hour and minute lists. The time is shown using the 24-hour clock.
c. Enter an end date in the box or click the Calendar icon to choose a date.

d. Choose an end time using the hour and minute lists.
Step 5 Clear the All Admins check box and click an admin user in the or select an Admin list. Alternatively, select the All Admins check box to include all admin users.
Step 6 Select the Successful Login check box to include successful login attempts in the audit. Alternatively, clear the check box to exclude successful login attempts.
Step 7 Select the Unsuccessful Login check box to include unsuccessful login attempts in the audit. Alternatively, clear the check box to exclude unsuccessful login attempts.
Step 8 Click Generate Audit to download the audit as a CSV (comma-separated value) file.

Activity Audits

Generating an activity audit enables you to see all the administration activity that has taken place in ScanCenter over a period of time, from a day up to a year. Audits provide a record of changes to administration, configuration, filtering, and policy. The audit is downloaded as a CSV file containing the user name, log time, category type, action, and a description for each logged event.

To download an audit:

Step 1 Click the Admin tab to display the administration menus.
Step 2 In the Audit menu, click Activity Audit to display the Activity Audit page.
Step 3 In the Time zone list, click a time zone. The default is UTC.
Step 4 In the Time period list, click a pre-defined time period.

The pre-defined time periods are:
• Previous hour
• Previous day - yesterday
• Previous week - the last full week
• Last n hours (12, 24, 48 or 72)
• Last week - the previous seven days
• Last n weeks (2 or 3)
• Last month
• Last n months (2, 3, 4, 5, 6, 9 or 12)
Alternatively, click Custom and enter the required start and end dates and times:
a. Enter a start date in the box or click the Calendar icon to choose a date.
b. Choose a start time using the hour and minute lists. The time is shown using the 24-hour clock.
c. Enter an end date in the box or click the Calendar icon to choose a date.
d. Choose an end time using the hour and minute lists.
Step 5 Clear the All Admins check box and click an admin user in the 'or select an Admin' list. Alternatively, select the All Admins check box to include all admin users.
Step 6 Clear the All Categories check box and click a category in the 'or select a Category' list. The available categories are:
• Administration
• Filtering Policy
• Https Inspection
• Spyware Policy
• Web Virus Policy
Alternatively, select the All Categories check box to include all categories.
Step 7 Clear the All Actions check box and click an action in the 'or select an Action' list. The available actions are:
• INSERT
• UPDATE
• DELETE
Alternatively, select the All Actions check box to include all actions.

Step 8 Click Generate Audit to download the audit as a CSV (comma-separated value) file.

Secure Traffic Inspection

When a user connects to a website via HTTPS, the session is encrypted with a digital certificate. Secure traffic inspection decrypts and scans the HTTPS traffic passing through Cisco Cloud Web Security for threats and carries out actions based on your policy settings. If the traffic is deemed safe it is re-encrypted and passed back to your organization with a new SSL certificate.

All users must have an SSL certificate deployed to their browser, or on your organization’s firewall or gateway device. You can generate a certificate in ScanCenter with Cisco as the Certificate Authority (CA), or alternatively you can download a Certificate Signing Request (CSR) and use it with a tool such as Microsoft Certificate Services or OpenSSL to generate and upload your own certificate where your organization is the CA. The certificate is then associated with your secure traffic inspection policy.

Two changes are required on the client:
1. Proxy settings for SSL traffic must be configured in the client browser.
2. The Cisco root certificate must be imported into the client browser to enable it to trust SSL connections with Cisco Cloud Web Security.

When secure traffic inspection is enabled, Cisco Cloud Web Security blocks all expired, invalid, and revoked certificates.

Legal Disclaimer

It is your responsibility to determine if it is legal for you to inspect HTTPS traffic in your jurisdiction. Switching on this functionality will permit Cisco Cloud Web Security to inspect HTTPS traffic. While all such inspection is carried out automatically rather than by individuals, such decryption may nonetheless be in breach of privacy laws in certain countries. By enabling this functionality you agree that you have the legal right to decrypt this traffic in all relevant jurisdictions and that you have obtained all necessary consents from your users to do so.

In most jurisdictions you are required by law to inform your users that secure traffic is being inspected. It is possible to present an HTML page to the user that states that the session will be decrypted, and gives the user the option to continue or not.

To present an HTTPS warning to users:

Step 1 In Web Filtering > Notifications > User Messages, edit the Customized Warn Alert Page to display an HTTPS warning.
Step 2 Clear the Include standard HTML page template for warning page check box.
Note If you also want to display warnings for non-HTTPS pages, you can select the check box and add the HTTPS warning to the standard Acceptable Usage Policy warning. However, if you do this you will not be able to use the standard warning page for other purposes.
Step 3 In the Timeout value list, select 0.
Step 4 Click Save to save your changes.

Step 5 In Web Filtering > Management > Global Settings, select the Enable HTTP/HTTPS split check box and click Save.
Step 6 In Web Filtering > Management > Filters, create an HTTPS filter for all categories called “HTTPS warn.”
Step 7 In Web Filtering > Management > Filters, create HTTPS filters for the websites you want to block.
Step 8 In Web Filtering > Management > Policy, create a warn rule and add the “HTTPS warn” filter with the anytime schedule.
Step 9 In Web Filtering > Management > Policy, create a block rule and add the HTTPS filters for the websites you want to block.
Step 10 Ensure the HTTPS warn rule has a lower priority than the HTTPS block rule and then select the Activate check box for both rules.

Caution To abide by privacy laws, you are responsible for ensuring that the content decryption and encryption takes place in a closed loop and that no content is cached.

To enable you to comply with privacy law, notice is given to the user before the SSL connection is established. However, no log record is maintained.

You can exclude websites from secure traffic inspection, for example banking websites. These sites will bypass secure traffic inspection and the user will be connected to the site via a direct SSL connection.

Secure Sockets Layer Certificates

When you generate an SSL certificate in ScanCenter, Cisco will be the Certificate Authority (CA). If you want your organization to be the CA you can generate a Certificate Signing Request (CSR) in ScanCenter, use that to generate the certificate, and then upload it to ScanCenter.

To view existing certificates:

Step 1 Click the Admin tab to display the administration menus.
Step 2 In the HTTPS Inspection menu, click Certificates to display the certificates page.

Creating a Certificate in ScanCenter

To create an SSL certificate:

Step 1 Click the Create a certificate tab.

Step 2 Click create a certificate or.
Step 3 Enter an Identifier.
Step 4 Enter a Description.
Step 5 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

Using an Externally Generated Certificate

If you want to generate your own SSL certificates with your organization as the CA, you will need SSL software such as Microsoft Certificate Services (a component of Windows Server operating systems) or OpenSSL (a toolkit included with most UNIX and UNIX-like operating systems). If you are not familiar with SSL software you should use ScanCenter to create an SSL certificate instead.

To use an externally generated SSL certificate:

Step 1 Click the Create a certificate tab.
Step 2 Click generate a CSR?
Step 3 Enter a unique name for the CSR in the Identifier box.
Step 4 Enter a Description of the CSR.
Step 5 Click Generate to generate a CSR.

Step 6 Click Download your CSR to download the CSR. You have 30 minutes to create and upload the certificate.
Step 7 Generate your SSL certificate using the downloaded CSR with your SSL software. For more details refer to your SSL software vendor documentation.
Step 8 Click Browse and navigate to the SSL certificate you wish to associate with the CSR.
Step 9 Click Upload.

Editing a Certificate Description

To edit an SSL certificate description:

Step 1 Click the Edit icon.
Step 2 Enter a new Description.
Step 3 Click Save. Alternatively, navigate away from the page to abandon your changes.

Removing a Certificate

To delete an SSL certificate, click the Delete icon. You will be prompted to confirm your action.

Filters

Filters enable you to set the websites and categories that will be subject to HTTPS inspection.

To view filters:

Step 1 Click the Admin tab to display the administration menus.
Step 2 In the HTTPS Inspection menu, click Filters to display the filters page.

Creating a Filter

To create a new filter:

Step 1 Click the Create a filter tab.
Step 2 Enter a Filter name.
Step 3 Select the Active check box to make the rule active. Alternatively, clear the check box to activate the rule at another time.
Step 4 Click the Categories hyperlink.
Step 5 Select the check boxes of the required categories. You can click Select All to select all the check boxes or Deselect all to deselect all the check boxes. See Web Filtering Categories, page B-1.

Step 6 Click the Domains/URLs hyperlink.
Step 7 Enter the domains or URLs to be included in the filter. Each domain or URL should appear on its own line. You can use host names and sub-domains but you must omit the protocol (https://). You can click Sort Alphabetically to sort the list.
Click the Exceptions hyperlink.
Step 8 Enter the domains or URLs to bypass the filter. Each domain or URL should appear on its own line. You can use host names and sub-domains but you must omit the protocol (https://). You can click Sort Alphabetically to sort the list.
Step 9 Click Save all settings to save your changes. Alternatively, navigate away from the page to abandon your changes.

Editing a Filter

To edit a filter:

Step 1 Click the Edit icon.
Step 2 Click the hyperlink of the settings you want to change.
Step 3 Make your changes.
Step 4 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

Removing a Filter

To remove a filter, click the Delete icon.

Policy

Policy enables you to set the rules for applying filters.

To view your existing policy:

Step 1 Click the Admin tab to display the administration menus.
Step 2 In the HTTPS Inspection menu, click Policy to display the policy page.

You can set the priority of a rule by clicking the up and down icons in the Move column and then clicking Apply Changes.

Creating a Rule

To create a new rule:

Step 1 Click the Create a rule tab.
Step 2 Enter a rule Name.
Step 3 In the Choose certificate list click an SSL certificate.
Step 4 Click Add group.

Step 5 Enter all or part of a group name in the Search box and click Go.
Step 6 Click Select to select the group.
Step 7 Click Confirm Selection.
Step 8 Select the Set as an exception check box to exclude the group from the rule. Alternatively, clear the check box to apply the rule to the group. You can click the Delete icon to remove any groups added by mistake.
Step 9 In the Add Filter list, click a filter then click Set to set the filter. Only one filter can be set. You can click the Delete icon to remove a filter added by mistake.
Step 10 Click Create rule to save your changes. Alternatively, navigate away from the page to abandon your changes.
Step 11 You will be prompted to confirm that you are in compliance with privacy laws and have obtained consent to inspect HTTPS traffic. If this is correct, click OK. If this is not correct, you must click Cancel.

Editing a Rule

To edit a rule:

Step 1 Click the Edit icon.
Step 2 Make your changes.
Step 3 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

Removing a Rule

To remove a rule, click the Delete icon. You cannot remove the default rule.

CHAPTER 3

Reporting

Revised: October 20, 2011, OL-22629-05

This chapter contains the following topics:
• Overview
• Viewing Reports
• Filtering Reports
• Creating a Search
• Creating Composite Reports
• Scheduling Reports

Overview

The reporting functionality in ScanCenter is accessed from the Reports tab. Reports enable you to analyze:
• Applications
• Bandwidth
• Blocks
• Browse Time. See Calculating Browse Time, page 3-2.
• Categories
• Groups
• Hosts
• Legal Liability
• Malware
• Security
• Users

There are three types of report:
• Standard reports use conditions, and up to two attributes to provide more detailed information for a chosen time period.

• Time Analysis reports provide similar information to standard reports but for a single attribute over a chosen time period.
• Detailed reports use conditions and multiple attributes to provide a higher level of detail than standard reports for a chosen time period.

Reports are generated by running searches. Cisco provides an extensive range of pre-defined searches. See Pre-Defined Searches, page C-1. You can also use these as the starting point for creating your own searches, or even create searches from scratch. There are more than 60 unique attributes to choose from so it is best to start by using pre-defined searches. See Reporting Attributes, page A-1.

The main steps to create any type of report are the same:

Step 1 Choose a time period for the search, from the last hour to the last year.
Step 2 Choose a pre-defined search or saved search, or create a new search.
Step 3 Choose a reporting attribute to group the results by.
Step 4 Optionally, add a second reporting attribute to group the results by.
Step 5 Add filters based on reporting attributes or metrics.
Step 6 Choose to view the top or bottom results.
Step 7 Choose the number of results to view, from 10 to 1000.
Step 8 Choose to sort the results by name, bandwidth, browse time, bytes sent, bytes received or hits.
Step 9 Choose to view the report as a grid, bar, column, pie or line chart.
Step 10 Click Launch search.
Step 11 Save the search for future use.

In addition to creating and modifying searches, from the Reports pane you can:
• Create and manage sets of filters
• Combine searches into composite reports
• View reports online and print or export them
• Download reports to view offline or import into a spreadsheet or word-processor
• Schedule reports for delivery by email to groups of recipients

Note The reporting functionality requires Adobe Flash 10 (or higher).

Calculating Browse Time

Because it is not possible to tell when a user is away from their computer, or viewing a page that has finished loading, Browse Time is calculated based on Web requests made within a distinct minute. Any distinct minute in which one or more Web requests are made is counted as a single minute of Browse Time. For example, if a complex Web page results in 100 Web requests made within a distinct minute, it will count as one minute of Browse Time.
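The distinct-minute rule in this section can be reproduced over any request log. The Python below is an added illustration, not part of the Cisco guide or of ScanCenter; the log layout, host names and category names are constructed, and it covers one user's traffic. It also shows why per-category Browse Time rows can sum to more than the user's actual Browse Time when a site is classified in more than one category.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def distinct_minutes(timestamps):
    """Browse Time: the number of distinct clock minutes holding at least one request."""
    return len({ts.replace(second=0, microsecond=0) for ts in timestamps})


def browse_time_by(requests, attribute):
    """Browse Time per value of one reporting attribute.

    A request whose attribute holds several values (a host classified in two
    categories) is counted once under each value.
    """
    buckets = defaultdict(list)
    for req in requests:
        values = req[attribute]
        if isinstance(values, str):
            values = [values]
        for value in values:
            buckets[value].append(req["time"])
    return {value: distinct_minutes(times) for value, times in buckets.items()}


def overcount(requests, attribute):
    """Minutes gained by summing the per-value rows instead of counting each minute once."""
    total = distinct_minutes(req["time"] for req in requests)
    return sum(browse_time_by(requests, attribute).values()) - total


def build_sample():
    """Constructed single-user request log (not real traffic)."""
    requests = []
    # A complex page: 100 requests, all inside the minute 10:00.
    start = datetime(2012, 1, 18, 10, 0, 0)
    for i in range(100):
        requests.append({"time": start + timedelta(milliseconds=500 * i),
                         "host": "news.example", "category": ["News"]})
    # A slow page: requests spread over 90 seconds, touching 10:05 and 10:06.
    slow = datetime(2012, 1, 18, 10, 5, 20)
    for seconds in (0, 30, 60, 90):
        requests.append({"time": slow + timedelta(seconds=seconds),
                         "host": "slow.example", "category": ["Shopping"]})
    # One request, after which the user reads for an hour: still one minute.
    # This host is classified in two categories.
    requests.append({"time": datetime(2012, 1, 18, 11, 0, 10),
                     "host": "docs.example",
                     "category": ["Reference", "Technology"]})
    return requests


if __name__ == "__main__":
    sample = build_sample()
    print("total minutes:", distinct_minutes(r["time"] for r in sample))
    print("by host:", browse_time_by(sample, "host"))
    print("by category:", browse_time_by(sample, "category"))
    print("category overcount:", overcount(sample, "category"))
```
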

The actual time taken for a Web page to load is not measured. If a Web page takes one and a half minutes to load, then Web requests will be made across two distinct minutes measured as two minutes of Browse Time. It is not possible to determine if a Web page refreshed itself, or if different Web requests are made in the same minute. However, if a user spends an hour reading a simple Web page that loaded within a distinct minute that does not refresh itself, this is measured as one minute of Browse Time.

When you create a report including browse time, you should always use Host instead of URL to generate the most accurate report.

Note Browse Time should not be relied on as a metric in two level reports because this can result in the double counting of requests. For example, if a site is classified in more than one category.

Viewing Reports

Reports are generated from predefined or previously saved searches. They can be viewed online or downloaded as a PDF. When a report has been generated you can refine the search by adding filters or changing the conditions of the search. You can save your changes as a new search or replace a previously saved search.

To view a report from a predefined or saved search:

Step 1 Click the Reports tab to display the Reports page. Alternatively, on the Reports menu, click Reports. The available searches are displayed in two tables:
• Custom reports
• Predefined reports
See Pre-Defined Searches, page C-1.
Searches do not include time period information so you must provide this each time you generate a report.
Step 2 In the Time zone list, click a time zone. The default is UTC.
Step 3 In the Time period list, click a pre-defined time period.

The pre-defined time periods are:
• Previous hour
• Previous day - yesterday
• Previous week - the last full week
• Last n hours (12, 24, 48 or 72)
• Last week - the previous seven days
• Last n weeks (2 or 3)
• Last month
• Last n months (2, 3, 4, 5, 6, 9 or 12)
Alternatively, click Custom and enter the required start and end dates and times:
a. Enter a start date in the box or click the Calendar icon to choose a date.
b. Choose a start time using the hour and minute lists. The time is shown using the 24-hour clock.
c. Enter an end date in the box or click the Calendar icon to choose a date.
d. Choose an end time using the hour and minute lists.
Step 4 Select the Auto Run Report check box to run the search as soon as the report is opened. Alternatively, clear the check box to prevent the search running automatically.
Step 5 Click a folder to show or hide the searches for that folder.
Step 6 In the View as list, click a chart type. The available charts depend on the type of report and may include:
• Grid
• Bars
• Pie
• Columns
• Line
Step 7 Click Launch search to generate and view a report. See Viewing Reports Online, page 3-5. Alternatively, click the Download icon to download the report in PDF format. See Downloading Reports, page 3-10.

Viewing Reports Online

When the report has been generated you can click one of the following icons to change the way the report is displayed.
• Grid
• Bar
• Column
• Pie
• Line
The icons available depend on the type of report being viewed.

Grid Chart

The grid chart is the default way of viewing reports. From here you can change the data that is displayed in the other charts.

Note The first line of the table always displays the overall totals for all data, not just that included in the report.

Viewing Grid Data

Choose the number of results to display per page from the Show list. The available options are:
• 10
• 25
• 50
• 100
Navigate through the pages using the first, prev, next and last buttons.

You can refine your search by clicking entries in the attribute columns. Click an entry, then click is equal to to include only that entry in the report. Alternatively, click is not equal to to exclude the entry. When you have made your changes, click Launch search to display the refined report.

Adding and Removing Metrics

To add or remove columns from the display:

Step 1 Click the +|- button to display the Choose which columns you would like to see dialog.
Step 2 For each list entry click hide or show, as required. The following metrics are available:
• Host
• Bandwidth - the sum of bytes sent and received
• Bandwidth (% Tot)
• Browse Time - distinct minutes spent browsing
• Browse Time (% Tot)
• Bytes Received
• Bytes Received (% Tot)
• Bytes Sent
• Bytes Sent (% Tot)
• Hits
• Hits (% Tot)

Step 3 Click Close to close the dialog.

Sorting Grid Data by Attribute

The first column displays the primary and secondary attributes. Click the primary attribute name to sort by the primary attribute. Alternatively, click the secondary attribute name to sort by the secondary attribute within the primary attribute sort order.

Changing the Sort Metric

Click any of the other columns to change the sort metric and re-run the report. For reports with two attributes, only the secondary sort metric is changed.

Graphical Charts

There are four types of graphical chart:
• Bar
• Column
• Pie
• Line

Click the hyperlink at the top of the chart to change the sort metric. The available metrics are:
• Bandwidth (Bytes)
• Browse Time (Min)
• Bytes Received
• Bytes Sent
• Hits

Right-click the chart to print or save the chart. Choose Print Chart to print the chart. Choose Save as JPEG Image to export to a JPEG image. Choose Save as PNG Image to export to a PNG image. Choose Save as PDF to export to Adobe PDF.

Bar Chart

The bar chart displays the data as horizontal bars.

Column Chart

The column chart displays the data as vertical bars.

Line Chart

The line chart displays time analysis data.

Pie Chart

The pie chart displays the data as a 2D or 3D pie chart.

Additional commands are available when you right-click the pie chart. Click Enable Rotation to enable the chart to be rotated by clicking and dragging the chart. You cannot move slices while you are rotating the chart. Click Enable Slicing Movement to enable the chart's slices to be moved by clicking them. You cannot rotate the chart while you are moving slices. Click View 2D to view a two-dimensional representation of the chart. Click View 3D to view a three-dimensional representation of the chart.

Downloading Reports

In addition to exporting reports in JPEG, PDF and PNG format, you can also download reports directly.

Downloading PDF Reports

To download a report in PDF format, view the report on-screen as normal and then click the PDF icon to download the report. See Viewing Reports, page 3-3.

Alternatively, to download a report in PDF format without viewing the report on-screen:

Step 1 Click the Reports tab to display the Reports pane. Alternatively, on the Reports menu, click Reports.
Step 2 Click a folder to show or hide the reports for that folder.
In the View as list, click a chart type. The available charts depend on the type of report and may include:
• Grid
• Bars
• Pie
• Columns
• Line
Click the Download icon to download the report.

Downloading CSV Reports

Downloading a report in CSV (comma separated value) format enables you to open the report in a spreadsheet.

To download a report in CSV format:

Step 1 View the report on screen, for example as a grid.
Step 2 Click the CSV icon to download the report.

Filtering Reports

Filters enable you to refine searches by reporting attributes, metrics, or a combination of both. They can be used to narrow a predefined or saved search or applied when you are creating a search. See Creating a Search, page 3-14. You can also save the filters, separately from the search, as a filter set. See Managing Filter Sets, page 3-13.

Adding Filters to a Search

A search will include only the results returned where all filter conditions are met. However, only one exact match from the lists of values provided with the in list operators is required to return a result.

Activating and deactivating filters enables you to experiment to find the best set of filters to get the information you want, but only the active filters will be saved.

Adding a Filter

To add a filter:

Step 1 Click Add Filter.
Step 2 In the Select filter type list, click the required type. The available options are:
• Attribute Filter
• Metric Filter
• Filter Set
Step 3 If you are adding an attribute filter:
a. In the Select attribute list, click the required attribute. See Reporting Attributes, page A-1.
b. In the Select operator list, click the required operator. The available options are:
• contains
• does not contain
• is equal to
• is not equal to
• in list (equals)
• is not in list (does not equal)
• in list (contains)
• is not in list (does not contain)
• is null
• is not null
• starts with
• does not start with
“Equal to” indicates a full match while “contains” indicates a partial match.

Step 4 If you are adding a metric filter:
a. In the Select metric list, click the required metric. The available options are:
• Bandwidth (Bytes)
• Browse Time (Min)
• Bytes Received
• Bytes Sent
• Hits
b. In the Select operator list, click the required operator. The available options are:
• = (equal to)
• > (greater than)
• >= (greater than or equal to)
• <> (not equal to)
• <= (less than or equal to)
• < (less than)
Step 5 If you are adding an attribute or metric filter, enter a value in the box.
Step 6 Click Add to add and activate the filter.

Activating and Deactivating Filters

Activated filters are shown with a green triangle. Deactivated filters are shown with a red warning sign. To activate a filter, click the filter then click Activate. To deactivate a filter, click the filter then click Deactivate. You can click Select All to select all the filters or Select None to clear the selected filters.

Editing Filters

To edit a filter, click the filter you want to edit. After you have made your changes, click Save Changes.

Removing Filters

To remove a filter, click Remove. You will not be prompted to confirm your action.

Tip Unless you are certain you will not want to use the filter again, it is generally better to deactivate a filter instead of removing it.
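The matching rules described under Adding Filters to a Search (every filter condition must be met, one match is enough for an in list operator, "equal to" is a full match and "contains" a partial one) can be modelled over exported report rows as follows. This is an added example, not ScanCenter code; the row layout, the filter dictionaries, case-sensitive comparison, skipping of deactivated filters and the partial-match handling of the in list (contains) variants are assumptions.

```python
import operator

# Attribute operators as named in the Select operator list on this page.
# Assumptions: comparisons are case-sensitive, and the "in list (contains)"
# variants apply a partial match to each list value.
ATTRIBUTE_OPS = {
    "is equal to": lambda v, arg: v == arg,
    "is not equal to": lambda v, arg: v != arg,
    "contains": lambda v, arg: v is not None and arg in v,
    "does not contain": lambda v, arg: v is None or arg not in v,
    "starts with": lambda v, arg: v is not None and v.startswith(arg),
    "does not start with": lambda v, arg: v is None or not v.startswith(arg),
    "in list (equals)": lambda v, args: v in args,
    "is not in list (does not equal)": lambda v, args: v not in args,
    "in list (contains)":
        lambda v, args: v is not None and any(a in v for a in args),
    "is not in list (does not contain)":
        lambda v, args: v is None or not any(a in v for a in args),
    "is null": lambda v, _arg: v is None,
    "is not null": lambda v, _arg: v is not None,
}

# Metric operators as listed for metric filters.
METRIC_OPS = {"=": operator.eq, ">": operator.gt, ">=": operator.ge,
              "<>": operator.ne, "<=": operator.le, "<": operator.lt}


def filter_passes(row, flt):
    """Evaluate one attribute or metric filter against one report row."""
    ops = METRIC_OPS if flt["type"] == "metric" else ATTRIBUTE_OPS
    return ops[flt["operator"]](row.get(flt["field"]), flt.get("value"))


def run_search(rows, filters):
    """Keep rows that satisfy every active filter (assumed: deactivated ones are skipped)."""
    active = [f for f in filters if f.get("active", True)]
    return [row for row in rows if all(filter_passes(row, f) for f in active)]


def hosts(rows):
    """Convenience helper: the Host value of each row."""
    return [row["Host"] for row in rows]


# Constructed report rows (illustrative values only).
ROWS = [
    {"Host": "mail.example", "User": "alice", "Hits": 40, "Bytes Sent": 9000},
    {"Host": "files.example", "User": "bob", "Hits": 3, "Bytes Sent": 750000},
    {"Host": "cdn.files.example", "User": "bob", "Hits": 120, "Bytes Sent": 100},
    {"Host": "intranet.example", "User": None, "Hits": 15, "Bytes Sent": 20},
]

# Two filters combined: the host must equal one list entry AND Hits must exceed 10.
FILTERS = [
    {"type": "attribute", "field": "Host", "operator": "in list (equals)",
     "value": ["mail.example", "files.example"], "active": True},
    {"type": "metric", "field": "Hits", "operator": ">", "value": 10,
     "active": True},
]

if __name__ == "__main__":
    print(hosts(run_search(ROWS, FILTERS)))
```
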

Managing Filter Sets

Filter sets enable you to combine frequently used filters into a reusable set. Filter sets can contain up to four nested filter sets and up to 20 individual filters. You can nest filter sets up to three levels deep.

The predefined Active Traffic Only filter set can be used to exclude traffic that was not generated directly by your users. For example, active traffic would include requests generated by the user entering a URL in a browser or clicking a hyperlink, but exclude external requests that a web page makes to load banners, Flash content, additional HTML and so on.

To manage filter sets:

Step 1 Click the Reports tab to display the Reports menu.
Step 2 In the Reports menu, click Filter Sets.

Adding a Filter Set

To add a filter set:

Step 1 Click Add.
Step 2 Enter a unique name for the filter set in the box.
Step 3 For each filter you want to add to the set:
a. Click Add Filter.
b. In the Select filter type list, click a filter type. You can add attribute or metric filters, or existing filter sets. See Adding Filters to a Search, page 3-11.
c. Click Add.

Note You can edit or remove individual filters contained in filter sets in the same way you edit or remove filters contained in a report.

Copying a Filter Set

To copy a filter set:

Step 1 Click the filter set.
Step 2 Enter a unique name for the copy in the box and press Enter.

Renaming a Filter Set

To rename a filter set:

Step 1 Click the filter set.

Step 2 Enter a unique name in the box and press Enter.

Editing a Filter Set

To edit a filter set, click the filter set, make your changes, and then click Save Changes.

Removing a Filter Set

To remove a filter set:

Step 1 Click the filter set.
Step 2 Click Delete to permanently remove the filter set.

Creating a Search

Reports are generated by running one of the three available search types. Searches are refined by time period and filters. See Viewing Reports, page 3-3.

To create a search:

Step 1 Click the Reports tab to display the Reports menu.
Step 2 On the Reports menu, click Search.
Step 3 Click the tab for the type of search you want to create. The tabs are:
• Search
• Time Analysis
• Detailed Search

Alternatively:

Step 1 Click the Reports tab to display the Reports pane.
Step 2 Click the Create a new report hyperlink.
Step 3 Click the tab for the type of search you want to create.

Creating a Standard Search

To create a standard search:

Step 1 Select a time period. See Viewing Reports, page 3-3.
Step 2 Add any required filters. See Filtering Reports, page 3-11.
Step 3 In the primary attribute list, click the required primary attribute. See Reporting Attributes, page A-1.
Step 4 Enter the number of primary attributes to be displayed in the View first box (1 to 20000).
Step 5 In the primary sort metric list, click the required primary sort metric. The available metrics are:
• Name
• Bandwidth
• Browse Time
• Bytes Received
• Bytes Sent
• Hits
Step 6 Click the hyperlink to change the primary sort order. The hyperlink indicates the current order. For descending order, the top n results are shown. For ascending order, the bottom n results are shown.
Step 7 Clear the check box to exclude secondary attribute criteria.

Alternatively select the check box to enable additional criteria, then:
a. In the secondary attribute list, click the required attribute. The available attributes are the same as for the primary attribute.
b. Enter the number of secondary attributes to be displayed in the and their first box (1 to 20000).
c. In the secondary sort metric list, click the required sort metric. The available metrics are the same as for the primary sort metric.
d. Click the hyperlink to change the secondary sort order. The hyperlink indicates the current order. For descending order, the top n results are shown. For ascending order, the bottom n results are shown.
Note The product of the values entered in the View first and the and their first boxes must be no larger than 20,000.
Step 8 Click Launch search. When the report has been generated it is displayed below the button.
Step 9 Click Save to save the search. See Saving a Search, page 3-22.

click the required attribute. page 3-3. See Filtering Reports. The available options are: • • • • • • • • • • • • Step 4 1 2 3 4 5 6 7 8 9 10 11 12 In the attribute list. See Reporting Attributes. In the View list. click the number of attributes to display. See Viewing Reports. ScanCenter Administrator Guide OL-22629-05 3-17 . click the required sort metric. Step 5 In the sort metric list.Chapter 3 Reporting Creating a Search Creating a Time Analysis Search To create a time analysis search: Step 1 Step 2 Step 3 Select a time period. Add any required filters. page 3-11. page A-1.

The available metrics are:
• Name
• Bandwidth
• Browse Time
• Bytes Received
• Bytes Sent
• Hits
Step 6 Click the hyperlink to change the sort order.
Step 7 Click Launch search. When the report has been generated it is displayed below the button.
Step 8 Click Save to save the search. See Saving a Search, page 3-22.

Creating a Detailed Search

To create a detailed search:

Step 1 Select a time period. See Viewing Reports, page 3-3.
Step 2 Add any required filters. See Filtering Reports, page 3-11.
Step 3 Choose between one and 15 reporting attributes to include in the report. The default attributes are Timestamp, Category, Group, Host, Internal IP, Path, Query, Rule Action, and User. See Reporting Attributes, page A-1.
To add one or more attributes:
a. Click the Add/Remove columns hyperlink.

b. In the attribute list, click the required attribute or attributes.
To remove an attribute, hover over the attribute and click the Remove icon. Alternatively, click the Add/Remove columns hyperlink, then click the attribute or attributes you wish to remove. You cannot remove the Timestamp attribute.
Step 4 Click the attribute you want to sort by. Clicking the selected attribute changes the sort order, which is indicated by a triangle. Alternatively, accept the default order to use Timestamp as the sort order.
Step 5 Drag and drop the attributes to change the order of the columns in the report.
Step 6 Click Launch search. When the report has been generated it is displayed below the button.

Allowed Traffic

You can also create a detailed report from an allowed traffic report. The allowed traffic report shows all of the allowed traffic by category for a single day.

To view an allowed traffic report:

Step 1 Click the Reports tab to display the Reports menu.
Step 2 In the Reports menu, click Allowed Traffic.
Step 3 In the Type list, click a filter type. The available types are:
• User
• Group
• Internal IP

Step 4 Enter a user name, group name or internal IP address in the User/Group/IP box, for example default.
Step 5 Enter a Date in the box or click the Calendar icon to choose a date.
Step 6 Click Search to view the report.
Security risks are shown as a colored icon in the hour column for the various filter categories with the following meanings:
• Red - high security risk

• Yellow - medium security risk
• Green - low security risk
Click the icon to display a detailed report of the risk.

Downloading Detailed Reports as CSV
Downloading a detailed report in CSV (comma separated value) format enables you to open the report in a spreadsheet.
To download a detailed report in CSV format:
Step 1 View the report as a grid. See Viewing Reports, page 3-3.
Step 2 Click the CSV icon to download the report.

Creating a Search from a Predefined Search
To create a search from a predefined search:
Step 1 Click the Reports tab to display the Reports pane.
Step 2 View the report. See Viewing Reports, page 3-3.
Step 3 Edit the report criteria. See Creating a Standard Search, page 3-15.
Step 4 Save the new report. See Saving a Search, page 3-22.

Saving a Search
To save a search:
Step 1 Click Save. Alternatively, click Save as to save a copy of the report. The Use current settings to create a new Report dialog is displayed.

Step 2 Enter a name for the search (up to 256 characters) in the Choose a report title box. Alternatively, select the use the default name check box to use the name adjacent to the check box.
Step 3 In the Choose an existing folder from the list list, click a folder. If you select the default, (no folder), the search will be saved at the top level. Alternatively, select the Create a new folder check box and enter a Folder name (up to 256 characters).
Step 4 Click SUBMIT to save the search. Alternatively, click Close window to return to the previous screen without saving.

Editing a Search
To edit a search:
Step 1 View the report as normal. See Viewing Reports, page 3-3.
Step 2 Edit the search criteria. See Creating a Search, page 3-14.
Step 3 Click Save. Alternatively, click Save as to save a copy of the report.
Note You can only save a copy of a predefined search or a search that is part of a composite report.

Renaming a Search
To rename a search:
Step 1 Click the Reports tab to display the Reports page. Alternatively, on the Reports menu, click Reports.

Step 2 If the search you wish to rename is contained within a folder, click the folder to display the search.
Step 3 Click the Rename icon.
Step 4 Enter a new name in the Enter new name box and press Enter. Alternatively, click the X icon to abandon renaming the search.

Removing a Search
To remove a search:
Step 1 Click the Reports tab to display the Reports page. Alternatively, on the Reports menu, click Reports.
Step 2 If the search you wish to delete is contained within a folder, click the folder to display the search.
Step 3 Click the Delete icon. You will be prompted to confirm your action.
Step 4 In the dialog click OK to delete the search. Alternatively, click Cancel to abandon deleting the search.
Note You cannot remove a search that is part of a composite report. You must first remove the search from the composite report.

Removing an Empty Folder
To remove an empty folder:
Step 1 Click the Reports tab to display the Reports page. Alternatively, on the Reports menu, click Reports.
Step 2 Click the Delete icon. You will be prompted to confirm your action.
Step 3 In the dialog click OK to remove the folder. Alternatively, click Cancel to abandon removing the folder.
Note You cannot delete a folder that is not empty. You must first remove any saved searches from the folder.

Creating Composite Reports
Composite reports enable you to combine the contents of two or more existing searches into a single report. You can even combine pre-defined searches with searches you have created yourself. You can combine a maximum of 20 searches in a composite report.
To create a composite report:
Step 1 Click the Reports tab to display the Reports menu.
Step 2 On the Reports menu, click Composite Reports.
Step 3 Click the Create composite reports tab.
Step 4 Enter a name for the report in the Composite report name box.
Step 5 For each search you wish to include:
a. In the Report(s) to include in composite list, click the required search.
b. Click add.
To change the order in which the searches will be displayed:
a. In the Report table, click the required search.
b. Use the move up and move down icons to change the position of the search.
To remove a search from the composite report, click the Delete icon.
Step 6 Add any required filters or filter sets.
Step 7 Click Save changes to save the composite report.

Downloading Composite Reports
To download a composite report:

Step 1 Click the Reports tab to display the Reports menu.
Step 2 On the Reports menu, click Composite Reports.
Step 3 Click the Manage composite reports tab.
Step 4 Select a time period.
Step 5 Click the Download icon to download the composite report in PDF format.

Editing Composite Reports
To edit a composite report:
Step 1 Click the Reports tab to display the Reports menu.
Step 2 On the Reports menu, click Composite Reports.
Step 3 Click the Manage composite reports tab.
Step 4 Click the Edit icon next to the composite report you wish to edit.
Alternatively:
Step 1 Click the Reports tab to display the Reports menu.
Step 2 On the Reports menu, click Composite Reports.
Step 3 Click the Edit composite reports tab.
Step 4 In the Composite report name list, click the report you wish to edit.
When you have finished editing the report, click Save changes to save your changes. See Creating Composite Reports, page 3-25.

Removing Composite Reports
To remove a composite report:
Step 1 Click the Reports tab to display the Reports menu.

Step 2 On the Reports menu, click Composite Reports.
Step 3 Click the Manage composite reports tab.
Step 4 Click the Delete icon next to the composite report you wish to remove. You will be asked to confirm that you want to remove the report.

Scheduling Reports
Scheduling reports enables you to send reports via email to specific recipients. Before scheduling a report you must have created at least one email group with at least one recipient. There is a maximum limit to the number of reports you can schedule, typically 75. Each report in a composite report counts as an individual report when determining if the maximum number of reports has been reached.
Caution Users who have filters applied to their results, or attributes hidden, are not permitted to schedule reports. However, scheduled reports do not enforce user level restrictions and any user receiving a scheduled report will see the full report.

Email Groups
Email groups enable you to send scheduled reports to groups of recipients.

Creating an Email Group
To create an email group:
Step 1 Click the Reports tab to display the Reports menu.
Step 2 On the Reports menu, click Recipients.
Step 3 Click Create new group.
Step 4 Enter a group name in the Groups box.

Removing an Email Group
To remove an email group:
Step 1 Click the Reports tab to display the Reports menu.
Step 2 On the Reports menu, click Recipients.

Step 3 Click the Delete group icon next to the group you wish to remove.
Caution You will not be asked to confirm your action. Removed groups cannot be recovered.

Email Recipients
Scheduled reports are sent to groups of email recipients. If you want to send a report to a single recipient then you must create a group with only one recipient.

Creating an Email Recipient
To add recipients to an email group:
Step 1 Click the Reports tab to display the Reports menu.
Step 2 On the Reports menu, click Recipients.
Step 3 Click the group you want to add recipients to.
Step 4 Enter the first part of the email address in the Recipients for box.
Step 5 In the @ list, click the last part of the email address. Only valid email domains for your organization are included in this list.
Step 6 Click Add recipient.

Removing an Email Recipient
To remove an email recipient:
Step 1 Click the Reports tab to display the Reports menu.
Step 2 On the Reports menu, click Recipients.
Step 3 Click the group containing the recipients you want to delete.

Step 4 Click the Remove a recipient icon next to the email recipient you wish to remove.
Caution You will not be asked to confirm your action. Deleted recipients cannot be recovered.

Creating a Scheduled Report
To create a scheduled report:
Step 1 Click the Reports tab to display the Reports menu.
Step 2 On the Reports menu, click Scheduled Reports.
Step 3 Click the Create scheduled reports tab.
Step 4 In the Create Report Schedule area, enter a name for the scheduled report in the Report schedule name box.
In the Delivery schedule area, click one of the following to set when the report will run:
• Daily - every day
• Weekly - every week on the day specified
• Monthly - every month on the first day of the month
• Four weekly - every four weeks on the day specified

Reports contain data for the period up to midnight on the day before the report is run:
• daily contains the previous 24 hours
• weekly contains the previous seven days
• monthly contains the previous month
• four weekly contains the previous 28 days
Step 5 If you chose weekly or four-weekly reports you must choose a day on which they will run. In the Report runs on list, click a day.
Step 6 Select a Timezone. This determines the hour at which the day begins for reporting purposes.
Step 7 In the Report list, click a pre-defined, saved or composite report. If you want to combine reports into a single report you can click the Manage composite reports hyperlink to do so.
Step 8 In the To (recipient group) list, click a group. If you have not created a group yet, you can click the Manage recipient groups hyperlink to do so.
Caution Clicking the Manage recipient groups or Manage composite reports hyperlink abandons any unsaved changes made to the scheduled report.
Step 9 In the Email content area, enter the Subject for the generated email, for example Monthly bandwidth report.
Step 10 Enter the Message for the email, for example Report attached.
Step 11 Click PDF to attach the report to the generated email as a PDF file.
Step 12 Enter a password in the Enter a password and Confirm password boxes.
Step 13 Click Save changes to save the scheduled report.

Editing a Scheduled Report
To edit a scheduled report:
Step 1 Click the Reports tab to display the Reports menu.
Step 2 On the Reports menu, click Scheduled Reports.
Step 3 Click the Manage scheduled reports tab.
Step 4 Click the Edit icon next to the composite report you wish to edit.
Alternatively:

Step 1 Click the Reports tab to display the Reports menu.
Step 2 On the Reports menu, click Schedule.
Step 3 Click the Edit composite reports tab.
Step 4 In the Report schedule name list, click the report you wish to edit.
When you have finished editing the report, click Save changes to save your changes. See Scheduling Reports, page 3-27.

Removing a Scheduled Report
To remove a scheduled report:
Step 1 Click the Reports tab to display the Reports menu.
Step 2 On the Reports menu, click Scheduled Reports.
Step 3 Click the Manage scheduled reports tab.
Step 4 Click the Delete icon next to the scheduled report you wish to remove. You will be asked to confirm that you want to remove the scheduled report.
Note Removing a scheduled report does not remove the original report or email group.

CHAPTER 4
Web Filtering Service
Revised: January 10, 2012, OL-22629-05

This chapter contains the following topics:
• Overview
• Managing Filters
• Schedules
• Policy
• Quotas
• Global Settings
• Notifications

Overview
Web filtering enables you to control the content entering and leaving your organization's internal network. From this area you can manage:
• Policy
• Rules
• Filters
• Schedules
• Quotas
• Notifications
Rules are composed of combinations of filters and schedules. Policy determines the order in which rules are applied. Quotas determine the amount of time users may spend browsing. Notifications include messages displayed to users when rules are applied and the email sent to administrators.

Managing Filters
Filters are used to control content passing in to, and out of, your network. There is a limit of 1,000 entries per filter, and a total limit of 10,000 entries.

To view existing filters:
Step 1 Click the Web Filtering tab to display the Web Filtering menus.
Step 2 In the Management menu, click Filters to display the filter management page.

Creating a New Filter
To create a new filter:
Step 1 Click the Create a filter tab.
Step 2 Enter a unique Filter name.
Step 3 For each filter type you want to add to the filter, click the hyperlink and enter the details. You can use as many or as few filter types as you want for each filter. The filter will be applied if the conditions are met for any one of the filter types.
Step 4 Click Save all settings to save your changes. Alternatively, navigate away from the page to abandon your changes.

Categories (HTTP)
Select the check boxes for the required categories. For a list of the available categories, see Web Filtering Categories, page B-1. You can click Select All to select all the check boxes or Deselect all to clear all the check boxes. You can click Set to Default to copy the categories from the default filter.

Categories (HTTPS)
Select the check boxes of the required categories. The available categories are the same as for HTTP. You can click Select All to select all the check boxes or Deselect all to clear all the check boxes. You can click Set to Default to copy the categories from the default filter or Copy HTTP selection to copy the categories from the HTTP settings for the filter.
Note This option will be available only if you have been provisioned to have different policies for HTTP and HTTPS.

Domains/URLs
Enter the domains or URLs to be included in the filter. Each domain or URL should appear on its own line. You can use host names and sub-domains but you must omit the protocol (http://). You can click Sort Alphabetically to sort the list.
Enter the IP ranges to be included in the Networks/IPs box. These must be entered in the form of an IP address and a net mask, for example 192.0.43.0/24. You can click Sort Alphabetically to sort the list.

Content Types
Select the check boxes of the applications, audio, video, and image files you want to block. You can click Select All to select all the check boxes or Deselect all to clear them. You can select the Select All check box to select all the check boxes for a category or clear it to clear all the check boxes. You can click Set to Default to copy the settings from the default filter.
In the box, enter any additional MIME types you want to block. Each MIME type must be entered on its own line, for example text/html.

File Types
Select the check boxes of the inbound file types you want to block. You can click Select All to select all the check boxes or Deselect all to clear them. You can click Set to Default to copy the settings from the default filter.

Enter any additional file extensions (up to eight characters) in the box, for example 7z. Each file extension should be entered on its own line. You can click Sort Alphabetically to sort the list.

Exceptions
Enter the domains or URLs to be excluded from the filter. Each domain or URL should appear on its own line. You can use host names and sub-domains but you must omit the protocol (http://). You can click Sort Alphabetically to sort the list.
Enter the IP ranges to be included in the Networks/IPs box. These must be entered in the form of an IP address and a net mask, for example 192.0.43.0/24. You can click Sort Alphabetically to sort the list.

User Agents
Select the required check boxes for the Web browsers you want to include in the filter. You can select the All Versions check box to add every version, including future versions, of a given browser.
Enter any other user agents you want to include in the Custom User Agents box. Each user agent must be entered on a separate line. The following characters can be included:

• !<text> does not equal <text>
• ^<text> starts with <text>
• * zero or more characters
• <text>$ string ends with <text>

Editing a Filter
To edit a filter:
Step 1 Click the Edit icon.
Step 2 Click the hyperlink of the settings you want to change.
Step 3 Make your changes.
Step 4 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

Removing a Filter
To remove a filter, click the Delete icon.

Outbound Content Control
Outbound Content Control (OCC) prevents sensitive information such as social security numbers, intellectual property, or credit card details, from leaving your network. It enables you to control the data traffic passing through your gateway or firewall using outbound and bi-directional filtering. When OCC is enabled you will be given the additional filtering options:
• Exceptions
• Protocols
• File Matching
• Keywords
• Outbound File Types
• Pre configured IDs

Bi-directional Filters
Bi-directional filters are applied to incoming as well as outgoing content.

Protocols
Select the check boxes of the protocols to be included in the filter.

You can click Set to Default to copy the settings from the default filter.

Outbound Filters
Outbound filters are applied to outgoing content only.

File Matching
File information databases are maintained in the Admin tab. For each database you want to add:
Step 1 In the File Info DB list, click the database.
Step 2 Click Add.
You can click Delete to remove any databases added by mistake. You can click Set to Default to copy the settings from the default filter.

Keywords
Word and phrase dictionaries are maintained in the Admin tab. For each dictionary you want to add:
Step 1 In the Dictionaries list, click the dictionary.
Step 2 Click Add.

You can click Delete to remove any dictionaries added by mistake. You can click Set to Default to copy the settings from the default filter.

Outbound File Types
Select the check boxes of the outbound file types you want to block. Enter any additional file extensions (up to eight characters) in the box, for example 7z. Each file extension should be entered on its own line. You can click Sort Alphabetically to sort the list.

Pre configured IDs
Select the check boxes of the pre configured identifiers you want to block.
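The entry rules given above for the Domains/URLs, Networks/IPs and file extension boxes, and the limit of 1,000 entries per filter, can be checked before a list is pasted into ScanCenter. The following is an added example, not Cisco code: the sample lists are constructed, and the host-bits warning, the leading-dot warning and the summing of all three boxes towards the limit are assumptions, not documented ScanCenter behaviour.

```python
import ipaddress

MAX_ENTRIES_PER_FILTER = 1000   # "limit of 1,000 entries per filter"
MAX_EXTENSION_LENGTH = 8        # "up to eight characters"


def entries(text):
    """Yield (line_number, entry) for every non-blank line of a text box."""
    for number, raw in enumerate(text.splitlines(), start=1):
        if raw.strip():
            yield number, raw.strip()


def lint_domains(text):
    """Domains/URLs and Exceptions boxes: no protocol, one entry per line."""
    problems = []
    for number, entry in entries(text):
        if "://" in entry:
            problems.append((number, entry, "omit the protocol"))
        elif "," in entry or len(entry.split()) > 1:
            problems.append((number, entry, "one domain or URL per line"))
    return problems


def lint_networks(text):
    """Networks/IPs box: each entry is an IP address and a net mask."""
    problems = []
    for number, entry in entries(text):
        if "/" not in entry:
            problems.append((number, entry, "net mask missing"))
            continue
        try:
            ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                network = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                problems.append((number, entry, "not an IP address and net mask"))
            else:
                # Assumption: an address with host bits set is most likely a typo.
                problems.append((number, entry, f"host bits set, did you mean {network}?"))
    return problems


def lint_extensions(text):
    """Additional file extensions box: up to eight characters per entry."""
    problems = []
    for number, entry in entries(text):
        if entry.startswith("."):
            # Assumption: the guide's own example (7z) is written without a dot.
            problems.append((number, entry, "leading dot"))
        elif len(entry) > MAX_EXTENSION_LENGTH:
            problems.append((number, entry, "longer than eight characters"))
    return problems


def lint_filter(domains="", networks="", extensions=""):
    """Lint the three boxes of one filter and count its entries."""
    # Assumption: every box of a filter counts towards the per-filter limit.
    total = sum(1 for box in (domains, networks, extensions) for _ in entries(box))
    return {
        "Domains/URLs": lint_domains(domains),
        "Networks/IPs": lint_networks(networks),
        "File extensions": lint_extensions(extensions),
        "entries": total,
        "over_limit": total > MAX_ENTRIES_PER_FILTER,
    }


# Constructed sample input (documentation domains and address ranges).
SAMPLE_DOMAINS = """intranet.example.com
http://files.example.net/upload
example.org example.edu
example.com/downloads
"""
SAMPLE_NETWORKS = """192.0.2.0/24
198.51.100.17/24
203.0.113.5
10.0.0.0/33
"""
SAMPLE_EXTENSIONS = """7z
.iso
verylongext
"""

if __name__ == "__main__":
    report = lint_filter(SAMPLE_DOMAINS, SAMPLE_NETWORKS, SAMPLE_EXTENSIONS)
    for box in ("Domains/URLs", "Networks/IPs", "File extensions"):
        for number, entry, problem in report[box]:
            print(f"{box} line {number}: {entry!r}: {problem}")
    print("entries:", report["entries"], "over limit:", report["over_limit"])
```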

Regular Expressions
A regular expression is a pattern made up of symbols, letters, and numbers that represents an input string for matching (or sometimes not matching). Matching the string to the specified pattern is called pattern matching. In ScanCenter, regular expressions are evaluated using deterministic finite-state automata (DFA) only.
For each regular expression you want to filter by:
Step 1 Click Add.
Step 2 Enter a unique name in the Enter a label for the regular expression box.
Step 3 Enter the regular expression in the Enter the regular expression that you wish to match box.
Step 4 Click OK.
Caution You must validate your regular expressions before applying them across your organization. Using non-validated regular expressions may lead to data being unintentionally blocked. If you require assistance in creating regular expressions you can contact Customer Support.

Schedules
Schedules are used to determine when policy rules are applied. You can add one or more schedules to a rule. It is also possible to add a schedule as an exception. For example, you could add a schedule of midnight to midnight to a rule to always block a specific website. You could then add a schedule that runs from 12:00 to 14:00 as an exception to permit users to access the website during their lunch break. Schedules are applied in order of length (time duration), from shortest to longest. So in the previous example the schedule to enable user access from 12:00 to 14:00 would be applied first.
Step 1 Click the Web Filtering tab to display the Web Filtering menus.
Step 2 In the Management menu, click Schedules to display the schedule management page.

Creating a New Schedule
To create a new schedule:
Step 1 Click the Create a schedule tab.

Step 2 Enter a unique Schedule name.
Step 3 Click the required start time in the From lists.
Step 4 Click the required end time in the To lists.
Step 5 Click a Time Zone. The default is UTC.
Step 6 Select the check box for each day on which you want the schedule to be applied.
Step 7 Click Create schedule to save your changes. Alternatively, navigate away from the page to abandon your changes.

Editing a Schedule
To edit a schedule:
Step 1 Click the Edit icon.
Step 2 Make your changes.
Step 3 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

Removing a Schedule
To remove a schedule, click the Delete icon.

Policy
Policy enables you to set the rules for applying filters. Each rule has one of the following actions associated with it:
• Allow. Access is allowed and data is stored for reporting purposes.
• Anonymize. User details are not shown in reporting data.
• Authenticate. The user must authenticate. Typically this is used with clientless authentication.

• Block. Access is denied.
• Warn. Access is allowed only if the user clicks through the warn page.
Rules with the Anonymize action are treated as privacy rules and given higher priority than the other rules.
To view your existing policy:
Step 1 Click the Web Filtering tab to display the Web filtering menus.
Step 2 In the Management menu, click Policy to display the policy page.
You can set the priority of a rule by clicking the up and down icons in the Move column and then clicking Apply Changes.
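The Caution in the Regular Expressions section earlier in this chapter asks for every expression to be validated before rollout, and the same section states that ScanCenter evaluates expressions with DFA only. The following is an added example, not Cisco code, of a pre-deployment check that flags constructs a DFA engine cannot evaluate and measures over-blocking on labelled samples. The EMP-nnnnnn identifier and all sample strings are constructed, the list of flagged constructs is an assumption (the guide does not say what ScanCenter rejects), and Python's `re` only stands in for the service's matcher.

```python
import re

# Assumption: backreferences cannot be evaluated by a DFA, and DFA engines
# generally do not offer lookaround either.
LOOKAROUND = (
    ("(?<=", "lookbehind"),
    ("(?<!", "negative lookbehind"),
    ("(?=", "lookahead"),
    ("(?!", "negative lookahead"),
    ("(?P=", "named backreference"),
)


def dfa_unfriendly(pattern):
    """Return (offset, construct) for each construct a DFA-only engine lacks."""
    found = []
    i, in_class = 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            if not in_class and pattern[i + 1] in "123456789":
                found.append((i, "backreference"))
            i += 2                      # skip the escaped character
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
            j = i + 1
            if j < len(pattern) and pattern[j] == "^":
                j += 1
            if j < len(pattern) and pattern[j] == "]":
                i = j                   # a leading ']' is a literal class member
        else:
            for prefix, name in LOOKAROUND:
                if pattern.startswith(prefix, i):
                    found.append((i, name))
                    break
        i += 1
    return found


def trial(pattern, must_block, must_pass):
    """Run one candidate expression over labelled samples before rollout."""
    report = {"pattern": pattern, "unsupported": dfa_unfriendly(pattern),
              "error": None, "missed": [], "overblocked": []}
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        report["error"] = str(exc)
        return report
    report["missed"] = [s for s in must_block if not compiled.search(s)]
    report["overblocked"] = [s for s in must_pass if compiled.search(s)]
    return report


def ready(report):
    """True only when nothing was flagged, missed or blocked by mistake."""
    return not (report["error"] or report["unsupported"]
                or report["missed"] or report["overblocked"])


# Constructed samples: outbound text that must be stopped, and ordinary
# traffic that must keep flowing.
MUST_BLOCK = ["Ticket for EMP-004217 escalated", "id=EMP-991000"]
MUST_PASS = ["Order 20240117 shipped", "Call 555-010999 for support",
             "TEMP-12 sensor"]

CANDIDATES = ["[0-9]{6}", "EMP-[0-9]{6}", r"(?<![A-Z])EMP-[0-9]{6}"]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        result = trial(candidate, MUST_BLOCK, MUST_PASS)
        print(candidate, "READY" if ready(result) else "HOLD", result)
```

A clean result here is a pre-check only; the expression still needs a trial on the service itself because its matcher is not Python's.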

Creating a Rule
To create a new rule:
Step 1 Click the Create a rule tab.
Step 2 Enter a rule Name.
Step 3 Select the Active check box to make the rule active. Alternatively, clear the check box to activate the rule at another time.
Step 4 In the Rule Action list, click an action. The available actions are:
• Block
• Allow
• Anonymize
• Warn
Step 5 For each group you want to add to the rule:
a. Click Add group.

b. Enter all or part of a group name in the Search box and click Go.
c. Click Select to select the group.
d. Click Confirm Selection. You can click the Delete icon to remove any groups added by mistake.
e. Select the Set as an exception check box to exclude the group from the rule. Alternatively, clear the check box to apply the rule to the group.
Step 6 In the Add Filter list, click a filter then click Add to add a filter. Select the Set as an exception check box to exclude the filter from the rule. You can click the Delete icon to remove a filter added by mistake.
Note The rule will apply only when all filter conditions are met.
Step 7 For each schedule you want to add to the rule:
a. In the Add Schedule list, click a schedule then click Add to add the schedule.
b. Select the Set as an exception check box to exclude the schedule from the rule.
Step 8 Click Create rule to save your changes. Alternatively, navigate away from the page to abandon your changes.

in workgroup mode. refer to the Connector Administrator Guide. to control the time a user or group of users may spend browsing Web content specified by your policy. To view existing quotas: Step 1 Step 2 Click the Web Filtering tab to display the Web Filtering menus. Creating a Quota To create a new quota: Step 1 Click the Create a quota tab. Click Save to save your changes. click the Delete icon. click Quotas to display the quota management page.Chapter 4 Web Filtering Service Quotas Editing a Rule To edit a rule: Step 1 Step 2 Step 3 Click the Edit icon. You cannot remove the default rule. In the Management menu. Quotas Quotas are used in conjunction with Connector. navigate away from the page to abandon your changes. ScanCenter Administrator Guide OL-22629-05 4-13 . Removing a Rule To remove a rule. For further information about Connector. You can set the priority of a quota by clicking the up and down icons in the Move column and then clicking Apply Changes. Make your changes. Alternatively.

Click Add group. clear the check box to activate the quota at another time.Chapter 4 Quotas Web Filtering Service Step 2 Step 3 Step 4 Enter a quota Name. Select the Active check box to make the quota active. For each group you want to add to the quota: a. ScanCenter Administrator Guide 4-14 OL-22629-05 . c. d. Enter all or part of a group name in the Search box and click Go. Alternatively. b. Click Confirm Selection. Click Select to select the group. You can click the Delete icon to remove any groups added by mistake.

e. Select the Set as an exception check box to exclude the group from the quota. Alternatively, clear the check box to apply the quota to the group.
Step 5 In the Period list click the time period for the quota, daily or weekly.
Step 6 In the Bytes in list click the download limit. The available options are:
• unlimited
• 5M (five megabytes)
• 10M
• 20M
• 50M
• 100M
• 200M
• 500M
• 1G (one gigabyte)
Step 7 In the Bytes out list click the upload limit. The available options are the same as for downloads.
Step 8 In the Time list click the time limit. The available options are:
• unlimited
• 15 minutes
• 30 minutes
• 1 hour
• 2 hours
• 4 hours
• 8 hours
Step 9 In the Connections list, click the number of allowed connections. The available options are:
• unlimited
• 1,000
• 2,000
• 5,000
• 10,000
• 20,000
• 50,000
• 100,000
Step 10 Click Create quota to save your changes. Alternatively, navigate away from the page to abandon your changes.

Editing a Quota
To edit a quota:

Step 1 Click the Edit icon.
Step 2 Make your changes.
Step 3 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

Removing a Quota
To remove a quota, click the Delete icon. You cannot remove the default quota.

Global Settings
Global settings are applied to all users. From here you can:
• Enable SearchAhead.
• Set your Acceptable Usage Policy display preferences.
• Enable separate filtering of HTTP and HTTPS.
• Enable dynamic classification of unclassified sites.
When the Enable AUP for all users check box is enabled, every user will be presented with an acceptable usage policy page when they access the Internet at a set interval, either daily or weekly. A default page is provided which you can extend or override completely with your own HTML. This feature requires Connector. See the Connector Administrator Guide for further information.
The same category restrictions are applied to HTTP and HTTPS traffic unless separate filtering is enabled.
If the Dynamic Classification Engine is enabled, the system will attempt to identify the content of unclassified websites. Where the content falls into the categories most commonly identified as inappropriate, the website is blocked.

SearchAhead
The web usage of most users is based around a small number of websites they visit frequently and a search engine. It is often searches that lead to inappropriate or dangerous websites. SearchAhead alerts users to potential risks by adding an icon to search results based on the web filtering policy you have applied. It also provides advanced warning for websites that may host malware:

The following search engines are supported:
• Bing
• Google
• Yahoo
The following categories will always appear as unclassified, regardless of your policy:
• Adult
• Extreme
• Hate Speech
• Illegal Activities
• Illegal Downloads
• Illegal Drugs
• Pornography
• Unclassified

Changing Global Settings
To change the global settings:
Step 1 Click the Web Filtering tab.
Step 2 In the Management menu, click Global Settings to display the Global Settings page.

Step 3 Select the Enable SearchAhead for all users check box to enable SearchAhead. Alternatively, clear the check box to switch off SearchAhead.
Step 4 Click Save.
Step 5 Select the Enable AUP for all users check box to display an acceptable usage policy page to users when they connect to the Internet. Alternatively, clear the check box to prevent the page being displayed.
Step 6 Click Daily or Weekly to set how often the AUP page is displayed.
Step 7 Select the Include standard HTML page template for AUP page check box to include the standard AUP page template. Alternatively, clear the check box to display only the text or HTML you supply.
Step 8 Enter the AUP text or HTML in the box. Alternatively, accept the default text.
Step 9 Click Save.
Step 10 Clear the Enable HTTP/HTTPS split check box to use the HTTP Web filtering settings for HTTPS traffic as well. Alternatively, select the check box to use separate filter settings for HTTP and HTTPS traffic.
Step 11 Click Save.

Step 12 Select the Enable Dynamic Classification check box to enable unclassified websites to be classified based on their content. Alternatively, clear the check box to switch off this functionality.
Step 13 Click Save.

Notifications
Notifications are the messages that appear on screen when a user attempts to access a page that is set to warn or block, and the email messages that are sent when this occurs.

User Messages
To set the message a user sees when a Web virus is blocked:
Step 1 Click the Web Filtering tab.
Step 2 In the Notifications menu, click User Messages to display the User Messages page.

Step 3 Select the Include standard HTML page template for block page check box to include the default page contents. Alternatively, clear the check box to exclude the default page contents.
Step 4 Enter the message in plain text or HTML in the box. Alternatively, click Reset to restore the default message. You can use the following as replaceable parameters:
• #category
• #reason
• #url
• #username

Step 5 Click Save.
Step 6 In the Timeout value list, click the delay in hours (0-24) between displaying a repeat warning for websites where the action is set to warn.
Step 7 Select the Include standard HTML page template for warning page check box to include the default page contents. Alternatively, clear the check box to exclude the default page contents.
Step 8 Enter the message in plain text or HTML in the box. Alternatively, click Reset to restore the default message. You can use the following as replaceable parameters:
• #category
• #reason
• #url
• #username
Step 9 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

Email Alerts
To set the email message sent when a Web virus is blocked:
Step 1 Click the Web Filtering tab.
Step 2 In the Notifications menu, click Email Alerts to display the Email Alerts page.
Step 3 In the Do you wish to be notified when a page is blocked? list, click Yes.
Step 4 Enter up to five email addresses in the boxes.
Step 5 In the Limit email alerts to box, click the number of email alerts to batch together (1 to 20).
Step 6 In the per box, click the delay between emails in hours (1 to 24).
Step 7 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

To switch off email alerts:

Step 1 Click the Web Filtering tab.
Step 2 In the Notifications menu, click Email Alerts to display the Email Alerts page.
Step 3 In the Do you wish to be notified when a page is blocked? list, click No. Click Save. Alternatively, navigate away from the page to abandon your changes.

CHAPTER 5
Malware Service
Revised: October 20, 2011, OL-22629-05

This chapter contains the following topics:
• Overview
• Spyware
• Web Virus

Overview
The Malware Service provides protection from Spyware and Web viruses. The Spyware area of ScanCenter enables you to configure email alerts, user messages, and exceptions to blocked spyware. The Web Virus area of ScanCenter enables you to configure email alerts and user messages relating to web viruses.

Spyware
The Spyware area of ScanCenter enables you to configure email alerts, user messages, and exceptions to blocked spyware. By default, all incoming adware, spyware and potentially unwanted applications (PUA) are blocked. All PUAs are registered in the approved list when a download request is received. If, for some reason, an administrator requires a specific PUA to be permitted, it can be selected in an approved list. The approved list applies to ‘grayware’, which typically includes applications that hijack Web browsing activities, redirect users to sponsored sites, monitor non-confidential browsing habits, create unwanted pop-up adverts, and so on. However, all truly malicious code, such as viruses, worms, Trojans, back-doors, and key loggers, is automatically blocked. Similarly, all known phishing exploits are automatically blocked by the Spyware service.

Approved List
To allow programs that Cisco has classified as potentially unwanted programs:

Step 1 Click the Spyware tab.
Step 2 In the Management menu, click Approved List to display the Approved List page.
Step 3 Select the check boxes of the spyware you want to allow. You can enter part or all of the name of a spyware program in the Search box then click Go to find a spyware program.
Step 4 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

You can click Reset list then Save to resume blocking all spyware.

Password Protected Archives
Encrypted archives that may contain applications are classified as Potentially Unwanted Applications (PUA). You can enable users to access these files by selecting the Protected Archive check box in the Approved List.

Caution

Enabling access to Protected Archives will globally allow all users to access these archives which may contain potentially unwanted applications (PUAs).

User Messages
To set the message a user sees when spyware is blocked:
Step 1 Click the Spyware tab.
Step 2 In the Notifications menu, click User Messages to display the User Messages page.

Step 3 Select the Include standard HTML page template for block page check box to include the default page contents. Alternatively, clear the check box to exclude the default page contents.
Step 4 Enter the message in plain text or HTML in the box. Alternatively, click Reset to restore the default message. You can use the following as replaceable parameters:
• #category
• #reason
• #url
• #username
Step 5 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

Email Alerts
To set the email message sent when spyware is blocked:
Step 1 Click the Spyware tab.
Step 2 In the Notifications menu, click Email Alerts to display the Email Alerts page.
Step 3 In the Do you wish to be notified when Spyware/Adware/Cookies are blocked? list, click Yes.

Step 4 Enter up to five email addresses in the boxes.
Step 5 In the Limit email alerts to box, click the maximum number of emails to be sent per hour (1 to 20).
Step 6 In the per box, click the delay between emails in hours (1 to 24).
Step 7 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

To switch off email alerts:
Step 1 Click the Spyware tab.
Step 2 In the Notifications menu, click Email Alerts to display the Email Alerts page.
Step 3 In the Do you wish to be notified when a page is blocked? list, click No.
Step 4 Click Save. Alternatively, navigate away from the page to abandon your changes.

Web Virus
The Web Virus area of ScanCenter enables you to configure email alerts and user messages relating to Web viruses.

User Messages
To set the message a user sees when a Web virus is blocked:
Step 1 Click the Web Virus tab.
Step 2 In the Notifications menu, click User Messages to display the User Messages page.
Step 3 Select the Include standard HTML page template for block page check box to include the default page contents. Alternatively, clear the check box to exclude the default page contents.
Step 4 Enter the message in plain text or HTML in the box. Alternatively, click Reset to restore the default message. You can use the following as replaceable parameters:
• #category
• #reason
• #url
• #username
Step 5 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

Email Alerts
To set the email message sent when a Web virus is blocked:
Step 1 Click the Web Virus tab.
Step 2 In the Notifications menu, click Email Alerts to display the Email Alerts page.
Step 3 In the Do you wish to be notified when a page is blocked? list, click Yes.
Step 4 Enter up to five email addresses in the boxes.
Step 5 In the Limit email alerts to box, click the number of email alerts to batch together (1 to 20).
Step 6 In the per box, click the delay between emails in hours (1 to 24).
Step 7 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

To switch off email alerts:
Step 1 Click the Web Virus tab.
Step 2 In the Notifications menu, click Email Alerts to display the Email Alerts page.
Step 3 In the Do you wish to be notified when a page is blocked? list, click No.
Step 4 Click Save. Alternatively, navigate away from the page to abandon your changes.


APPENDIX A
Reporting Attributes
Revised: October 20, 2011, OL-22629-05

This appendix contains the following sections:
• Overview
• Attributes

Overview
Reporting attributes are the main filter applied to searches to generate reports.

Attributes
The contents of the majority of attributes are normalized to lower case. However, for some attributes you may wish to view the original string as entered by the user. Attributes listed with “Original” in parentheses are available in normalized and original form.

Adware
The name of the adware block.

Block Type
The pattern, specified in the filter, that generated the block. It can be one of the following:
• spyware
• possibly unwanted applications (PUA)
• adware
• phishing
• virus
• category (HTTP)
• category (HTTPS)
• domain/URL
• content type
• file type
Note: If more than one pattern is matched the value of Block Pattern will be “multiple patterns.”

Block Value
The string that matched the block pattern. It can be one of the following:
• the category name
• the full URL
• the MIME type
• the virus name
• the spyware name
• the possibly unwanted application (PUA) name
• the adware name
• the phishing name
• the name of the content type
• the name of the file type
Note: Where the block was generated by an exception or by more than one pattern, the value of Block String will be “multiple strings.”

Category
The Web filtering category. See Web Filtering Categories, page B-1.
When changes are made to the categories, existing customer data is not migrated. When creating reports, you must include the old and new category names with the “Category in list” filter to ensure all the results are returned. Pre-defined reports are updated for you. For example, the “User Analysis” report “Where were the Top 10 Users browsing in the Categories Shopping, Music, Cinema/TV and Sport” originally included the filter “Category in list music, shopping, sports, cinema/tv.” It now includes the filter “Category in list music, shopping, sports, cinema/tv, entertainment, online shopping, sports and recreation.” Composite reports do not need to be updated, as they will inherit the settings of the included reports.

Connector Mode
The mode reported by Connector.

Connector OS Name (Original)
The name of the operating system reported by Connector.

Connector OS Version (Original)
The version of the operating system reported by Connector.

Connector Version
Logs the version of Connector used to embed the directory information. Can be used to easily find out which versions of Connector are deployed in your environment.

Country Dst Code
The two letter ISO code of the country where the Web server is located, derived from its IP address.

Country Src Code
The two letter ISO code of the country where the client Web browser is located, derived from its IP address.

Day of Month
Used for time series plotting (1 to 31).

Day of Week
Used for time series plotting (monday to sunday).

Destination IP
The IP address of the remote Web server.

Domain Username (Original)
The user name under which the user is logged in to the domain.

External IP
The IP address Cisco Cloud Web Security gets from the customer (also known as the egress IP address), for example 192.0.2.0.

External IP Subnet/[24, 16, 8]
The subnet of the IP address Cisco Cloud Web Security gets from the customer (also known as the egress IP address subnet), for example 192.0.2.0/24.

Group (Original)
The name of the directory group logged, for example WinNT://UK\SALES.
Note: Multiple directory groups can be logged for each user.

Group Domain
The name of the domain logged for the user.

Group Name Part (Original)
The name of directory group (not including either LDAP://<domain> or WinNT://<domain>), for example for WinNT://UK\SALES the group name part is SALES.

Host (Original)
The host part of the URL string, for example for news.example.com/sport, the host is news.example.com.
Note: Hosts are case insensitive.

Hour
Used for time series plotting.

Inbound File Extension
The file extension part of any inbound URL using the HTTP(S) protocol, for example for index.html the file extension is html.

Inbound File Name
The filename part of any inbound URL using the HTTP(S) protocol, for example index.html.

Internal IP
The IP address the Connector sees from the internal user, for example 192.168.10.2.
Note: If an internal user is routed through a NAT device before reaching the internal proxy then the IP address which arrives at the Connector is logged.

Internal IP Subnet/[24, 16, 8]
The IP address subnet the Connector sees from the internal user, for example 192.0.2.0/24.
Note: If an internal user is routed through a NAT device before reaching the internal proxy then the IP address subnet which arrives at the Connector is logged.

Malware
The name of the malware block.

Minute
Used for time series plotting (00 to 59).

Month
Used for time series plotting (january to december).

Outbound File Extension
The file extension part of any outbound POST using the HTTP(S) protocol, for example for resume.doc the file extension is doc.

Outbound File Name
The filename part of any outbound POST using the HTTP(S) protocol, for example resume.doc.

Path
The path part of the URL string, for example for news.example.com/sport, the path is /sport.

Phishing
The name of the phishing block.

Policy Violation
The block value where a web filtering rule resulted in a block.

Port
Port number of web request, for example 80 or 443.

Protocol
One of:
• FTP
• HTTP
• HTTPS

PUA
Possibly Unwanted Application name.

Query
The query part of the URL string, for example for http://www.example.com/search?hl=en&q=free+screensavers&btnG=Example+Search&meta=&aq=f&oq= the query is hl=en&q=free+screensavers&btnG=Example+Search&meta=&aq=f&oq=
Note: Using this attribute will increase the time reports take to generate by a considerable amount.

Referrer Host (Original)
The host part of the referrer URL string, for example for news.example.com/sport, the host is news.example.com.

Referrer Path
The path part of the referrer URL string, for example for news.example.com/sport, the path is /sport.

Referrer Port
Port number of referrer, for example 80 or 443.

Referrer Protocol
One of:
• FTP
• HTTP
• HTTPS

Referrer Query
The query part of the referrer URL string, for example for http://www.example.com/search?hl=en&q=free+screensavers&btnG=Example+Search&meta=&aq=f&oq= the query is hl=en&q=free+screensavers&btnG=Example+Search&meta=&aq=f&oq=

Referrer Second Level Domain
Normally the referrer organization, for example in www.example.com, the second level domain is example.

Referrer Top Level Domain
Normally the last part of the referrer domain, for example com, net, org, gov, and co.uk.

Referrer URL (Original)
The full referrer URL string.

Request Content Type (Original)
The request MIME type, for example image/gif, text/html, application/pdf, application/EDI-X12.

Request Major Content Type
The type of request content, for example if response content type is application/pdf then the corresponding major content type is application. Examples include:
• application
• audio
• image
• text
• video

Request Method (Original)
The request method, for example:
• GET
• POST
• CONNECT

Request Version (Original)
The request version, for example HTTP/1.0 or HTTP/1.1.

Response Content Type (Original)
The response MIME type, for example image/gif, text/html, application/pdf, application/EDI-X12.

Response Major Content Type
The type of response content, for example if response content type is application/pdf then the corresponding major content type is application. Examples include:
• application
• audio
• image
• text
• video

Response Status Code
Enables you to filter by the response status code, for example to find all web requests to pages which did not exist you can filter by 404. More information on status codes can be found at: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

Response Version (Original)
The response version, for example HTTP/1.0 or HTTP/1.1.

Risk Class
The super-class that the risk is grouped under:
• possible business usage
• possible productivity reduction
• heavy bandwidth usage
• potential legal liability
• potential security risk

Rule Action
There are three rule actions you can choose from:
• allow
• block
• warn
Note: If a website does not respond to a request then no Rule Action is assigned, but the request is still stored.

Rule Engine
The rule engine that generated the rule action:
• policy evaluator
• scanlet

Rule Name (Original)
The ScanCenter policy rule name.

Second Level Domain
Typically the organization, for example in www.example.com, the second level domain is example.

Spyware
The name of the spyware block.

Threat Type
Each record can include multiple threat types from the following:
• adware
• category
• content type
• extension
• file match
• filter
• protocol
• phishing
• possibly unwanted applications (PUA)
• quota
• regular expression
• spyware
• virus

Time Stamp
The time at which the rule action was applied in minutes and seconds. Available only in Detailed Search.

Top Level Domain
Typically the last part of the domain, for example com, net, org, gov, and co.uk.

URL (Original)
The full URL string.

User (Original)
The logged user name (if applicable). It can be in the form of WinNT://<username> or a custom text name.

User Agent (Original)
The complete user agent string, for example: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
More information on user agent strings can be found at http://www.useragentstring.com/pages/useragentstring.php

User Agent Application Name
The user agent application name, for example Mozilla. See User Agent.

User Agent Application Version
The user agent application version, for example 4.0. See User Agent.

User Agent Comp Platform
The user agent platform token, for example Windows NT 5.1. See User Agent.

User Agent Comp Version
The user agent version token, for example MSIE 7.0. See User Agent.

User Agent Compatibility
The user agent compatibility flag, for example compatible. See User Agent.

Virus
The name of the Virus block, for example Trojan.Downloader.abg.

Year
Used for time series plotting.
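How the URL, IP subnet, content type and user agent attributes described in this appendix relate to a single logged request, as an added Python example (not Cisco's code and not ScanCenter's actual parsing). The function names, the one-entry suffix table and the sample record are assumptions constructed for illustration; the sample values are the ones used in the attribute descriptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: a one-entry suffix table covering the guide's own "co.uk"
# example; real reporting would need a full public-suffix list.
MULTI_LABEL_TLDS = {"co.uk"}
DEFAULT_PORTS = {"ftp": 21, "http": 80, "https": 443}
UA_PATTERN = re.compile(
    r"^(?P<name>[^/\s]+)/(?P<version>\S+)\s*(?:\((?P<tokens>[^)]*)\))?"
)


def url_attributes(url):
    """Split a URL into the Host, Path, Query, Port, Protocol, domain and file attributes."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # hosts are case insensitive; urlsplit lower-cases them
    labels = host.split(".") if host else []
    last_two = ".".join(labels[-2:])
    if last_two in MULTI_LABEL_TLDS:
        tld = last_two
    else:
        tld = labels[-1] if labels else ""
    tld_labels = tld.count(".") + 1 if tld else 0
    second_level = labels[-tld_labels - 1] if len(labels) > tld_labels else ""
    file_name = parts.path.rsplit("/", 1)[-1]
    extension = file_name.rsplit(".", 1)[-1] if "." in file_name else ""
    return {
        "Host": host,
        "Path": parts.path,
        "Query": parts.query,  # kept as sent, as in the guide's Query example
        "Port": parts.port or DEFAULT_PORTS.get(parts.scheme),
        "Protocol": parts.scheme.upper(),
        "Top Level Domain": tld,
        "Second Level Domain": second_level,
        "Inbound File Name": file_name,
        "Inbound File Extension": extension,
    }


def ip_subnets(ip):
    """Return the /24, /16 and /8 subnets that contain an IP address."""
    return {
        prefix: str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        for prefix in (24, 16, 8)
    }


def user_agent_attributes(user_agent):
    """Break a user agent string into the five User Agent attributes."""
    keys = ("Application Name", "Application Version",
            "Compatibility", "Comp Version", "Comp Platform")
    match = UA_PATTERN.match(user_agent.strip())
    if not match:
        return dict.fromkeys(keys, "")
    tokens = [t.strip() for t in (match.group("tokens") or "").split(";")]
    tokens += [""] * (3 - len(tokens))  # tolerate agents with fewer tokens
    values = (match.group("name"), match.group("version"), *tokens[:3])
    return dict(zip(keys, values))


def major_content_type(mime_type):
    """Return the major type of a MIME type, e.g. application for application/pdf."""
    return mime_type.split(";", 1)[0].split("/", 1)[0].strip().lower()


def report_row(record):
    """Derive the reporting attributes for one request record."""
    row = url_attributes(record["url"])
    row["External IP Subnet"] = ip_subnets(record["external_ip"])
    row["Response Major Content Type"] = major_content_type(record["content_type"])
    row.update(user_agent_attributes(record["user_agent"]))
    return row


# Constructed sample record (not real log data).
SAMPLE_RECORD = {
    "url": "http://www.example.co.uk/docs/index.html?hl=en",
    "external_ip": "192.0.2.0",
    "content_type": "application/pdf",
    "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
}

if __name__ == "__main__":
    for name, value in report_row(SAMPLE_RECORD).items():
        print(f"{name}: {value}")
```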


APPENDIX B
Web Filtering Categories
Revised: October 20, 2010, OL-22629-05

This appendix contains the following sections:
• Overview
• Categories

Overview
Cisco constantly evaluates the relevance of websites within a particular category to ensure the industry’s highest accuracy. The categories and website classifications used by Cisco Cloud Web Security are subject to change without notice.

Note: Without exception, Cisco blocks child abuse content for all customers, and for legal reasons keeps no logs. The “Child Abuse Content” category is never displayed in ScanCenter.

Categories
Cisco provides examples for test purposes only and does not endorse these websites.

Adult
Directed at adults, but not necessarily pornographic. May include adult clubs (strip clubs, swingers clubs, escort services, strippers), general information about sex, non-pornographic in nature, genital piercing, adult products or greeting cards, information about sex not in the context of health or disease.
• www.adultentertainmentexpo.com
• www.adultnetline.com

Advertisements
Banner and pop-up advertisements that often accompany a web page, other advertising websites that provide advertisement content. Advertising services and sales are classified as “Business and Industry.”
• www.adforce.com
• www.doubleclick.com

Alcohol
Alcohol as a pleasurable activity, beer and wine making, cocktail recipes, liquor sellers, wineries, vineyards, breweries, alcohol distributors. Alcohol addiction is classified as “Health and Nutrition.” Bars and restaurants are classified as “Dining and Drinking.”
• www.samueladams.com
• www.whisky.com

Arts
Galleries and exhibitions, artists and art, photography, literature and books, performing arts and theater, musicals, ballet, museums, design, architecture. Cinema and television are classified as “Entertainment.”
• www.moma.org
• www.nga.gov

Astrology
Astrology, horoscope, fortune telling, numerology, psychic advice, tarot.
• www.astro.com
• www.astrology.com

Auctions
Online and offline auctions, auction houses, and classified advertisements.
• www.craigslist.com
• www.ebay.com

Business and Industry
Marketing, commerce, corporations, business practices, workforce, human resources, transportation, payroll, security and venture capital, office supplies, industrial equipment (process equipment), machines and mechanical systems, heating equipment, cooling equipment, materials handling equipment, packaging equipment, manufacturing: solids handling, metal fabrication, construction and building, passenger transportation, commerce, industrial design, construction, building materials, shipping and freight (freight services, trucking, freight forwarders, truckload carriers, freight and transportation brokers, expedited services, load and freight matching, track and trace, rail shipping, ocean shipping, road feeder services, moving and storage).
• www.freightcenter.com
• www.staples.com

Chat and Instant Messaging
Web-based instant messaging and chat rooms.
• www.icq.com
• www.meebo.com

Cheating and Plagiarism
Promoting cheating and selling written work, such as term papers, for plagiarism.
• www.bestessays.com
• www.superiorpapers.com

Child Abuse Content
Worldwide illegal child sexual abuse content. Without exception, Cisco blocks child abuse content for all customers, and for legal reasons keeps no logs. This category is never displayed in ScanCenter.

Computer Security
Offering security products and services for corporate and home users.
• www.computersecurity.com
• www.symantec.com

Computers and Internet
Information about computers and software, such as hardware, software, software support, information for software engineers, programming and networking, website design, the web and Internet in general, computer science, computer graphics and clipart. “Freeware and Shareware” is a separate category.
• www.xml.com
• www.w3.org

Dating
Dating, online personals, matrimonial agencies.
• www.eharmony.com
• www.match.com

Digital Postcards
Enabling sending of digital postcards and e-cards.
• www.all-yours.net
• www.delivr.net

Dining and Drinking
Eating and drinking establishments, restaurants, bars, taverns, and pubs, restaurant guides and reviews.
• www.hideawaybrewpub.com
• www.restaurantrow.com

Dynamic and Residential
IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.

Education
Education-related, such as schools, colleges, universities, teaching materials, and teachers’ resources, technical and vocational training, online training, education issues and policies, financial aid, school funding, standards and testing.
• www.education.com
• www.greatschools.org

Entertainment
Details or discussion of films, music and bands, television, celebrities and fan websites, entertainment news, celebrity gossip, entertainment venues. Compare with the “Arts” category.
• www.eonline.com
• www.ew.com

Extreme
Material of a sexually violent or criminal nature, violence and violent behavior, tasteless, often gory photographs, such as autopsy photos, photos of crime scenes, crime and accident victims, excessive obscene material, shock websites.
• www.car-accidents.com
• www.crime-scene-photos.com

Fashion
Clothing and fashion, hair salons, cosmetics, accessories, jewelry, perfume, pictures and text relating to body modification, tattoos and piercing, modeling agencies. Dermatological products are classified as “Health and Nutrition.”
• www.fashion.net
• www.findabeautysalon.com

File Transfer Services
File transfer services with the primary purpose of providing download services and hosted file sharing
• www.rapidshare.com
• www.yousendit.com

Filter Avoidance
Promoting and aiding undetectable and anonymous web usage, including cgi, php and glype anonymous proxy services.
• www.bypassschoolfilter.com
• www.filterbypass.com

Finance
Primarily financial in nature, such as accounting practices and accountants, taxation, taxes, banking, insurance, investing, the national economy, personal finance involving insurance of all types, credit cards, retirement and estate planning, loans, mortgages. Stock and shares are classified as “Online Trading.”
• finance.yahoo.com
• www.bankofamerica.com

Freeware and Shareware
Providing downloads of free and shareware software.
• www.freewarehome.com
• www.shareware.com

Gambling
Casinos and online gambling, bookmakers and odds, gambling advice, competitive racing in a gambling context, sports booking, sports gambling, services for spread betting on stocks and shares. Websites dealing with gambling addiction are classified as “Health and Nutrition.” Government-run lotteries are classified as “Lotteries”.
• www.888.com
• www.gambling.com

Games
Various card games, board games, word games, and video games, combat games, sports games, downloadable games, game reviews, cheat sheets, computer games and Internet games, such as role-playing games.
• www.games.com
• www.shockwave.com

Government and Law
Government websites, foreign relations, news and information relating to government and elections, information relating to the field of law, such as attorneys, law firms, law publications, legal reference material, courts, dockets, and legal associations, legislation and court decisions, civil rights issues, immigration, patents and copyrights, information relating to law enforcement and correctional systems, crime reporting, law enforcement, and crime statistics, military, such as the armed forces, military bases, military organizations, anti-terrorism.
• www.usa.gov
• www.law.com

Hacking
Discussing ways to bypass the security of websites, software, and computers.
• www.hackthissite.org
• www.gohacking.com

Hate Speech
Websites promoting hatred, intolerance, or discrimination on the basis of social group, color, religion, sexual orientation, disability, class, ethnicity, nationality, age, gender, gender identity, sites promoting racism, sexism, racist theology, hate music, neo-Nazi organizations, supremacism, Holocaust denial.
• www.kkk.com
• www.nazi.org

Health and Nutrition
Health care, diseases and disabilities, medical care, hospitals, doctors, medicinal drugs, mental health, psychiatry, pharmacology, exercise and fitness, physical disabilities, vitamins and supplements, sex in the context of health (disease and health care), tobacco use, alcohol use, drug use, and gambling in the context of health (disease and health care), food in general, food and beverage, cooking and recipes, food and nutrition, health, and dieting, cooking, including recipe and culinary websites, alternative medicine.
• www.health.com
• www.webmd.com

Humor
Jokes, sketches, comics and other humorous content. Adult humor likely to offend is classified as “Adult.”
• www.humor.com
• www.jokes.com

Illegal Activities
Promoting crime, such as stealing, fraud, illegally accessing telephone networks, computer viruses, terrorism, bombs, and anarchy, websites depicting murder and suicide as well as explaining ways to commit them.
• www.ekran.no
• www.thedisease.net

Illegal Downloads
Providing the ability to download software or other materials, serial numbers, key generators, and tools for bypassing software protection in violation of copyright agreements. Torrents are classified as “Peer File Transfer.”
• www.keygenguru.com
• www.zcrack.com

Illegal Drugs
Information about recreational drugs, drug paraphernalia, drug purchase and manufacture.
• www.cocaine.org
• www.hightimes.com

Infrastructure and Content Delivery Networks
Content delivery infrastructure and dynamically generated content, websites that cannot be classified more specifically because they are secured or otherwise difficult to classify.
• www.akamai.net
• www.webstat.net

Internet Telephony
Telephonic services using the Internet.
• www.evaphone.com
• www.skype.com

Job Search
Career advice, resume writing and interviewing skills, job placement services, job databanks, permanent and temporary employment agencies, employer websites.
• www.careerbuilder.com
• www.monster.com

Lingerie and Swimsuits
Intimate apparel and swimwear, especially when modeled.
• www.swimsuits.com
• www.victoriassecret.com

Lotteries
Sweepstakes, contests and state-sponsored lotteries.
• www.calottery.com
• www.flalottery.com

Mobile Phones
Short Message Services (SMS), ringtones and mobile phone downloads. Cellular carrier websites are included in the “Business and Industry” category.
• www.cbfsms.com
• www.zedge.net

Nature
Natural resources, ecology and conservation, forests, wilderness, plants, flowers, forest conservation, forest, wilderness, and forestry practices, forest management (reforestation, forest protection, conservation, harvesting, forest health, thinning, and prescribed burning), agricultural practices (agriculture, gardening, horticulture, landscaping, planting, weed control, irrigation, pruning, and harvesting), pollution issues (air quality, hazardous waste, pollution prevention, recycling, waste management, water quality, and the environmental cleanup industry), animals, pets, livestock, and zoology, biology, botany.
• www.enature.com
• www.nature.org

News
News, headlines, newspapers, television stations, magazines, weather, ski conditions.
• www.cnn.com
• news.bbc.co.uk

Non-Governmental Organizations
Non-governmental organizations such as clubs, lobbies, communities, non-profit organizations and labor unions.
• www.panda.org
• www.unions.org

Non-Sexual Nudity
Nudism and nudity, naturism, nudist camps, artistic nudes.
• www.artenuda.com
• www.naturistsociety.com

Online Communities
Affinity groups, special interest groups, web newsgroups, message boards. Excludes websites classified as “Professional Networking” or “Social Networking.”
• www.igda.org
• www.ieee.org

Online Storage and Backup
Offsite and peer-to-peer storage for backup, sharing, and hosting.
• www.adrive.com
• www.dropbox.com

Online Trading
Online brokerages, websites that enable the user to trade stocks online, information relating to the stock market, stocks, bonds, mutual funds, brokers, stock analysis and commentary, stock screens, stock charts, IPOs, stock splits. Services for spread betting on stocks and shares are classified as “Gambling.” Other financial services are classified as “Finance.”
• www.tdameritrade.com
• www.scottrade.com

Organizational Email
Websites used to access business email (often via Outlook Web Access).

com Peer File Transfer Peer-to-peer file request websites. • • www.” • • www. photographs.limewire.flickr.thisnation.parked. These also include fake search websites which return paid ad links.com www.com Politics Websites of politicians. web-based explicit email.net ScanCenter Administrator Guide OL-22629-05 B-9 .com Pornography Sexually explicit text or depictions. and voting. personal homepage servers. political parties. This does not track the file transfers themselves.com www. general explicit depictions.bittorrent. See also “Social Networking.com www.com www. sex simulators. strip poker. Includes explicit anime and cartoons.com www.europeanpwn.photobucket. or are owned by “squatters” hoping to sell the domain name for a profit. • • www. • • www.com www. democracy.stallman.karymullis. lewd art.com Professional Networking Social networking for the purpose of career or professional development. elections.domainzaar. news and information on politics. adult movies.org Photo Searches and Images Facilitating the storing and searching for. • • www. other fetish material.Appendix B Web Filtering Categories Categories Parked Domains Websites that monetize traffic from the domain using paid listings from an ad network. images.linkedin. websites with personal contents. and clip-art. explicit chat rooms.com Personal Sites Websites about and from private individuals. • • www. personal blogs with no particular theme.com www.redtube. • • www.politics.youporn.

realtor.com Religion Religious content. space exploration. • • kids.yellowpages. dictionaries.Appendix B Categories Web Filtering Categories Real Estate Information that would support the search for real estate.gov Search Engines and Portals Search engines and other initial points of access to information on the Internet. telecommunications). nuclear.com Science and Technology Science and technology. energy (fossil.nickjr.salesforce. office and commercial space.com Safe for Kids Directed at. communications (telephones. renewable). time. • • www. mathematics. ScanCenter Administrator Guide B-10 OL-22629-05 . and specifically approved for. religious communities.com www. reference sources. online meetings. maps.com www. apartments. sexual health.zillow. contraception. • • www.com www.com www. and other similar subjects.physorg. such as rentals.netsuite.org SaaS and B2B Web portals for online business services. information about religions. geography. young children.discovery. • • www.org www. pregnancy. electronics. environment.religionfacts.google.religioustolerance. and homes.bing. meteorology. engineering.wikipedia. house building.com www.science. libraries. • • www. real estate listings.com www. such as aerospace. • • www. • • www.com Reference City and state guides.com Sex Education Factual websites dealing with sex.

fantasy sports.com www. online catalogs. philosophy.com www.net Society and Culture Family and relationships. archaeology.Appendix B Web Filtering Categories Categories • • www. • • www.gov www.versiontracker.net www.com Social Science Sciences and history related to society.scarleteen. coupons and free offers.twitter.gov Streaming Audio Real-time streaming audio content including Internet radio and audio feeds.” • • www.anthropology. cultural studies. seniors.com www. professional and amateur. child-care.facebook. history. genealogy. social organizations. anthropology.archaeology.softwarepatch.com www.org www.shoutcast.com ScanCenter Administrator Guide OL-22629-05 B-11 . • • www. ethnicity. • • www. amusement parks. fishing.org Software Updates Websites that host updates for software packages. • • www.com Shopping Bartering.com Social Networking Social networking. spas.recreation. recreational activities. • • www. • • www. general office supplies. geography. psychology. theme parks.shopping.live-radio.childcare.avert.familysearch. water parks. zoos and aquariums. online malls.amazon. online purchasing. See also “Professional Networking.org www. women's studies. linguistics.com Sports and Recreation All sports.espn. public parks.

gun shows.com www.” • • www.org Transportation Personal transportation. travel transportation. Tobacco addiction is classified as “Health and Nutrition. car clubs.com www.coldsteel.com Web Hosting Website hosting.com www.com ScanCenter Administrator Guide B-12 OL-22629-05 . • • www. general information about guns. cruises. vacation packages.” • • www. travel information. gun classified ads. pipes and smoking products (not marketed for illegal drug use). travel agents. car rental.bat.Appendix B Categories Web Filtering Categories Streaming Video Real-time streaming video including Internet television. and video sharing. flight booking. information about cars and motorcycles. boats.com www.hulu. • • www. airfares. and other similar items. car and motorcycle racing is classified as “Sports and Recreation. Note.com www. other weapons and graphic hunting sites may be included.youtube. Weapons Information relating to the purchase or use of conventional weapons such as gun sellers.com www.expedia.bluehost. bandwidth services. shopping for new and used cars and motorcycles. vacation homes. and gun training.gunbroker.lonelyplanet.com Tobacco Pro-tobacco websites.motorcycles. tobacco manufacturers.com Unclassified Websites which are not in the Cisco database are recorded as unclassified for reporting purposes. gun auctions.com Travel Business and personal travel. web casts. recreational vehicles (RVs). airplanes. This may include mistyped URLs. Government military websites are classified as “Government and Law.cars. gun accessories.tobacco. lodging and accommodation.godaddy.” • • www. travel resources. • • www.

Web Page Translation
Translation of web pages between languages.
• babelfish.yahoo.com
• translate.google.com

Web-Based Email
Public web-based email services. Websites enabling individuals to access their company or organization’s email service are classified as “Organizational Email.”
• mail.yahoo.com
• www.hotmail.com


APPENDIX C
Pre-Defined Searches
Revised: October 20, 2011, OL-22629-05

This appendix contains the following sections:
• Application Analysis
• Bandwidth Analysis
• Block Analysis
• Browse Time Analysis
• Category Analysis
• Group Analysis
• Host Analysis
• Legal Liability Analysis
• Malware Analysis
• Security Analysis
• User Analysis

Application Analysis
• What were the Top 10 Browsers being used?
• What were the Top 10 User Agent strings by Hits by External IP?
• What were the Top 10 User Agent strings by Hits by Groups?
• What were the Top 10 User Agents being used?

Bandwidth Analysis
• What was the Bandwidth consumed by Major Content Type?
• What was the Bandwidth consumption by Category?
• What were the Top 10 Categories that consumed the most Bandwidth?
• What were the Top 10 Sites by Bandwidth for Social Networking Sites?

• What were the Top 10 Multimedia Sites by Hits?
• Which groups are consuming the most bandwidth in streaming media?
• Which Groups were consuming the most Bandwidth?
• Which Hosts were consuming the most Bandwidth for the Top 10 Users?
• Which of the company's offices had the highest Bandwidth usage broken down by Internal Subnets?
• Which of the company's offices had the highest Bandwidth usage?
• Which Users were consuming the most Bandwidth?
• Who were the Top 10 Users by number of Hits?
• Who were the Top Users of Streaming Media?

Block Analysis
• Adware Blocks
• All Malware Blocks
• Spyware Blocks
• Virus Blocks
• What were the Top 10 blocked Sites by Hits?
• What were the Top 10 Categories which were being blocked?
• Which Hosts were blocked the most for the Top 10 Users?
• Which Users were blocked the most by which Rules?
• Which Users were blocked the most?
• Which web filtering rules generated the most blocks and who were the Top Users for those blocks?
• Which Web Filtering Rules generated the most blocks?

Browse Time Analysis
• What was the Browse Time for the most popular Hosts?
• Which Users spent the most time on Possible Business Usage Sites?
• Which Users spent the most time on Possible Productivity Reduction Sites?
• Which Users spent the most time online?

Category Analysis
• What was the total number of Hits for all Categories?
• What were the Top 10 Categories visited by each Internal Subnet?

Group Analysis
• What were the Top 10 Groups by Hits?
• What were the Top 10 Groups consuming the most Bandwidth?
• Who were the Top 10 Users with the highest Browse Time for the Top 10 Groups?

Host Analysis
• What was the number of Hits for each of the most popular Hosts?
• What were the Top 10 Hosts by Hits?
• What were the Top 10 Hosts visited for each Category?

Legal Liability Analysis
• What is the Legal Liability risk by Category?
• Who were the Top 10 Users browsing for illegal downloads?
• Who were the Top 10 Users browsing in adult categories?

Malware Analysis
• How many blocks were there for Phishing over time?
• How many blocks were there for Threats over time?
• What were the Top 10 Groups with the highest number of Spyware blocks?
• What were the Top 10 most blocked Adware Hosts?
• What were the Top 10 most blocked Phishing Hosts?
• What were the Top 10 most blocked Spyware Hosts?
• What were the Top 10 Threats blocked over HTTPS?
• What were the Top 10 Threats blocked per protocol?
• Who were the Top 10 Users browsing Spyware Hosts?
• Who were the Top 10 Users making outbound Spyware requests?
• Who were the Top 10 Users that had the highest number of Virus blocks?

Security Analysis
• What were the Top 10 Categories that were blocked?
• What were the Top Categories where Users were blocked for Spyware?
• Who were the Top 10 Users blocked by Outbound Content Control?
• Who were the Top 10 users per risk category?

User Analysis
• Where were the Top 10 Users that were browsing in the Leisure categories?
• Who were the Top 10 Users by Hits?
• Who were the Top 10 Users that browsed the most?

APPENDIX D
Role Permissions
Revised: October 20, 2011, OL-22629-05

Access
Access can either be read-only (R), read/write (R/W), or prohibited (-).

Full Read Only R R R R R Admin (No Forensic) R/W R/W R/W R/W Report Admin R/W R/W R/W Area User Messages Full Access R/W Read Only R R R R HR R R/W R/W Email Alerts R/W Search/Time R/W Analysis Detailed Search Manage Composite Reports Create/Edit Composite Reports Manage Scheduled Reports Create/Edit Scheduled Reports Manage Email Recipients Allowed Traffic Reports R/W R/W R/W - R R/W R/W R/W R/W R R - R/W R/W R/W - R - R/W R/W R/W - R - R/W R/W R/W - R R/W - R/W

Area Spyware Approved List Web Filtering Account Details Change Password Full Access R/W Read Only R Full Read Only R HR - Admin (No Forensic) R/W Report Admin - R/W R/W R/W R R R/W - R R R/W R/W R/W R/W R/W R/W R/W R/W R/W R R/W R/W R/W R R R R R R R/W R/W Scanning IPs R/W Admin Users R/W Dynamic DNS Authentication R/W R/W User R/W Management Audit R/W

APPENDIX E
Delegated Administration
Revised: November 4, 2011, OL-22629-05

This appendix contains the following sections:
• Overview
• Logging In to the Parent Organization
• Enabling Subsidiary Organizations to Set Policies
• Managing Filters, Schedules, and Dictionaries
• Configuring Email Domains
• Setting Global and Local User Messages
• Running Audits
• Delegated Reporting

Overview
If you have opted to use delegated administration, you will be provided with access to a parent organization and two or more subsidiary organizations in ScanCenter. No traffic is passed via the parent organization, but any policies set there will be applied to all subsidiary organizations. Policies set at the subsidiary level will be applied only to that specific subsidiary organization.

Logging In to the Parent Organization
When you log on to the parent organization with the administrator password, the Delegated Administration page is displayed.

The parent and subsidiary organizations are displayed with their associated Seats and Last Use date. Click the parent organization to proceed to the Web Filtering page.

Enabling Subsidiary Organizations to Set Policies
Policies set at the parent organization are applied automatically to subsidiary organizations but can only be viewed at the parent. Creating and activating an Execute Subsidiary Policy rule enables subsidiary organizations to apply their own policies. This rule represents the policies set at each subsidiary organization. The subsidiary rules will be applied after parent rules with a higher priority but before parent rules with a lower priority. You can create only one rule of this kind. Clearing the Active check box or removing the Execute Subsidiary Policy rule will prevent subsidiary policies being used.

Step 1 Log in to the parent organization as administrator.
Step 2 In the Delegated Administration page, click the parent organization.
Step 3 In the Web Filtering page, click Create a rule.
Step 4 In the Rule Action list, click Execute Subsidiary Policy.
Step 5 Select the Active check box to enable the Execute Subsidiary Policy rule action.
Step 6 Click Create rule to create the rule and display the Manage policy tab.
Step 7 Click the Move this rule down one row and Move this rule up one row icons to set the order in which the parent and subsidiary policies will be applied. Click Apply Changes. The order will be updated.

Note Only the parent organization can edit the Approved List of potentially unwanted programs.

Subsidiary Privacy Policy
When delegated administration is enabled, it is possible for subsidiary organizations to set their own privacy policy. Regardless of the priority assigned to the Execute Subsidiary Policy rule action, any subsidiary privacy policy will be applied immediately after the parent organization’s privacy rule actions. As with all subsidiary policies, the privacy policy will be active only when the Active check box is selected.

Note To enable a child organization to set its own HTTPS policy, the execute subsidiary policy rule must be applied to the HTTPS inspection rule at the parent organization.

Managing Filters, Schedules, and Dictionaries
The filters, schedules, and dictionaries of the parent organization are available at the subsidiary organizations. There they can be viewed and used, but not edited. Filters, schedules, and dictionaries created at the subsidiary organization will not be available at the parent or other subsidiary organizations.

Configuring Email Domains
Email domains configured at the parent organization are available at every subsidiary organization. This enables you to create an organization-wide email domain. Email domains configured at the subsidiary organization are only available at that organization.

Setting Global and Local User Messages
By default any user messages set at the parent organization will be inherited by the subsidiary organizations. To change the user message at the subsidiary organization:

Step 1 Log in to the subsidiary organization as an administrator.
Step 2 Navigate to the required User Messages page.
Step 3 Clear the Inherit Master alert page settings check box.
Step 4 Enter the required message in the box.
Step 5 Click Save.

Running Audits
Audits run at a subsidiary organization will only include information for that organization.

Delegated Reporting
Reports run at the parent organization will include results for all of the subsidiary organizations. Reports run at the subsidiary organization will include only results for that organization. In addition to the standard reporting attributes the following attributes are available to refine your searches:

Company Name: The name of the subsidiary organization.
Company Group: The fully qualified group name including the subsidiary organization name.
Company User: The fully qualified user name including the subsidiary organization name.

Note Saved searches will only be available to the organization where they were created. For example, a parent organization would not see the saved searches of a subsidiary organization.

APPENDIX F
Cisco Security Appliance Integration
Revised: October 26, 2011, OL-22629-05

This appendix contains the following sections:
• Adaptive Security Appliance
• Web Security Appliance

Overview
This appendix details the configuration settings for integrating with Cisco hardware. With the Cisco ASA 5500 Series Adaptive Security Appliances, Connector is required to provide user or group granularity. For further information about Connector, see the Connector Administrator Guide. Passive Identity Management (PIM) may also be used to provide similar granularity for machines running the Microsoft Windows operating system. For further information about PIM, see the Passive Identity Management Administrator Guide.

When you have configured your appliance, you should ensure outbound traffic is allowed by connecting to the Cisco Cloud Web Security proxy address using telnet on port 8080.

Tip The easiest way to test that the service is working is to go to http://www.eicar.org and attempt to download an Anti-Malware Testfile. This should generate a block message.

Adaptive Security Appliance
Cisco ASA 5500 Series Adaptive Security Appliances with version 8.3 or later of the operating system can be configured to enable user names, internal IPs, and domain groups to be sent via PIM to Cisco Cloud Web Security without needing to make end-user changes. There are several ways to achieve this but Cisco recommends using explicit proxy, PAC file or WPAD. You will need the IP address of your Cisco Cloud Web Security primary proxy server (from your provisioning email).

To configure the appliance to forward all port 80 traffic on the Inside interface to the Cisco Cloud Web Security proxy server on the Outside interface on port 8080:

Step 1 Log in to the CLI and enter the following:

    object network csw-protected-network
     subnet 0.0.0.0 0.0.0.0
    !
    object network csw-proxy
     host <proxy server IP address>
    !
    object service original-http
     service tcp destination eq www
    !
    object service proxy-8080
     service tcp destination eq 8080
    !
    nat (INSIDE,OUTSIDE) source dynamic csw-protected-network interface destination static csw-protected-network csw-proxy service original-http proxy-8080

Step 2 Verify the configuration with the following command:

    show nat detail

The output should look something like this:

    Manual NAT Policies (Section 1)
    1 (INSIDE) to (OUTSIDE) <truncated>
    2 (INSIDE) to (OUTSIDE) <truncated>
    3 (INSIDE) to (OUTSIDE) source dynamic csw-protected-network interface destination static csw-protected-network csw-proxy service original-http proxy-8080
        translate_hits = 61, untranslate_hits = 61
        Source - Origin: 0.0.0.0/0, Translated: 192.0.43.10/27
        Destination - Origin: 0.0.0.0/0, Translated: 192.0.43.10/32
        Service - Origin: tcp destination eq www, Translated: tcp destination eq 8080

The IP address 192.0.43.10 is an example. You should see the PAT address and the Cisco Cloud Web Security proxy server address instead. You can examine the configuration using the Cisco Adaptive Security Device Manager (ASDM) from the Edit NAT Rule and Browse Original Service screens.

Caveats
• HTTPS forwarding is not supported in this configuration.
• No user information is provided to Cisco Cloud Web Security for use in reports unless PIM is used.
• External website exceptions must be added at the IP level.
• Non-standard HTTP ports must be added with their own NAT rule.
• In the event that the appliance cannot connect to the proxy server, there is no fail-over support.

Web Security Appliance
The Cisco IronPort Web Security Appliance can be configured to enable user names, internal IPs, and domain groups to be sent via PIM to Cisco Cloud Web Security without needing to make end-user changes. The Cisco IronPort Web Security Appliance is a network level proxy and makes transparent redirection possible for network based clients without requiring additional agents, such as Connector. There are several ways to achieve this but Cisco recommends using explicit proxy, PAC file or WPAD.
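The ASA verification step above (`show nat detail`) can be checked mechanically. The following is an added example, not part of the Cisco guide: a Python parser that confirms the redirect rule maps port 80 to the proxy on port 8080 and has matched traffic. The function names are hypothetical, and the sample output is constructed from the guide's example address 192.0.43.10.

```python
import re

# Constructed sample, modelled on the guide's example `show nat detail` output.
SAMPLE_OUTPUT = """\
Manual NAT Policies (Section 1)
1 (INSIDE) to (OUTSIDE) <truncated>
2 (INSIDE) to (OUTSIDE) <truncated>
3 (INSIDE) to (OUTSIDE) source dynamic csw-protected-network interface destination static csw-protected-network csw-proxy service original-http proxy-8080
    translate_hits = 61, untranslate_hits = 61
    Source - Origin: 0.0.0.0/0, Translated: 192.0.43.10/27
    Destination - Origin: 0.0.0.0/0, Translated: 192.0.43.10/32
    Service - Origin: tcp destination eq www, Translated: tcp destination eq 8080
"""

RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.*)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
FIELD_RE = re.compile(
    r"^(Source|Destination|Service) - Origin: (.+?), Translated: (.+)$")


def parse_nat_detail(text):
    """Split the output into one dict per numbered NAT rule."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "from": m.group(2),
                       "to": m.group(3), "rule": m.group(4),
                       "translate_hits": None, "fields": {}}
            rules.append(current)
            continue
        if current is None:
            continue  # section banner before the first rule
        m = HITS_RE.search(line)
        if m:
            current["translate_hits"] = int(m.group(1))
        m = FIELD_RE.match(line)
        if m:
            current["fields"][m.group(1)] = (m.group(2).strip(),
                                             m.group(3).strip())
    return rules


def check_redirect(text, proxy_ip, proxy_port=8080):
    """Return a list of problems; an empty list means the rule looks right."""
    rules = [r for r in parse_nat_detail(text)
             if "csw-proxy" in r["rule"].split()]
    if not rules:
        return ["no NAT rule references the csw-proxy object"]
    rule, problems = rules[0], []

    service = rule["fields"].get("Service")
    if service is None:
        problems.append("rule has no Service line")
    else:
        if service[0] not in ("tcp destination eq www",
                              "tcp destination eq 80"):
            problems.append("original service is not HTTP: " + service[0])
        if service[1] != "tcp destination eq %d" % proxy_port:
            problems.append("translated service is not port %d: %s"
                            % (proxy_port, service[1]))

    destination = rule["fields"].get("Destination")
    if destination is None or destination[1] != proxy_ip + "/32":
        problems.append("destination is not translated to the proxy %s"
                        % proxy_ip)

    if not rule["translate_hits"]:
        problems.append("translate_hits is 0: no client traffic has "
                        "matched the rule yet")
    return problems


if __name__ == "__main__":
    for problem in check_redirect(SAMPLE_OUTPUT, "192.0.43.10") or ["OK"]:
        print(problem)
```

Pass the proxy address from your provisioning email as `proxy_ip`; a zero hit count after clients have browsed usually means an earlier rule is matching the traffic first.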

Note You must switch off scanning and the additional features of the WSA. However, you can enable caching.

When using the WSA in transparent mode user granularity is available for HTTP traffic only. To pass HTTPS traffic to Cisco Cloud Web Security, you must enable HTTPS inspection providing it is legal to do so in your jurisdiction. See Secure Traffic Inspection, page 2-40.

Configuring the WSA Upstream Proxy
To configure the upstream proxy:

Step 1 On the WSA click Network > Upstream Proxies.
Step 2 Click Add Group.
Step 3 In the Name box, enter WebSecurity.
Step 4 In the Proxy Servers area, enter the Proxy Address, Port and the number of Reconnection Attempts for each of the Cisco Cloud Web Security proxy servers (found in your provisioning email). Typically the Port will be 8080 and the number of Reconnection Attempts should be 2.
Step 5 In the Load Balancing list, click a method. Typically this will be None (Failover).
Step 6 Click a Failure Handling method to specify how to handle requests if the primary and Cisco Cloud Web Security secondary proxies are all unavailable. This should be Drop requests.
Step 7 Click Submit to save your changes. Alternatively, click Cancel to abandon your changes.
Step 8 Click Commit Changes.

Setting the Routing Policies
To set the policies:

Step 1 On the WSA click Web Security Manager > Routing Policies.

Step 2 Edit the default routing policy and in the Upstream Proxy Group list, click WebSecurity.
Step 3 Click Submit to save your changes. Alternatively, click Cancel to abandon your changes.

Note You must switch off all Security Services such as WBRS, Anti-Malware, and Acceptable Use Controls as these are configured in ScanCenter.

CLI Settings
You must make the following changes from the command line interface.

Step 1 Log in to the CLI and enter advancedproxyconfig.
Step 2 At the parameter group select prompt, enter caching.
Step 3 At the caching options prompt, enter 4 to select Customized Mode.
Step 4 Accept the default values until you are prompted to enter the Time in seconds after which an explicit IMS Refresh request must be issued.
Step 5 Enter 0.
Step 6 Enter commit to make the change then enter a description of the change.

APPENDIX G
Third Party Integration
Revised: October 20, 2011, OL-22629-05

This appendix contains the following sections:
• Overview
• BlackBerry Enterprise Server
• Blue Coat
• Check Point
• Firebox
• ISA Server/Forefront TMG
• NetCache
• NetScreen
• SonicWALL
• Squid

Overview
This appendix details the configuration settings for integrating with third party software and hardware. In some cases, Connector is required to provide user or group granularity. For further information about Connector, see the Connector Administrator Guide.

When you have configured your third-party system, you should ensure outbound traffic is allowed by connecting to the Cisco Cloud Web Security proxy address using telnet on port 8080.

Tip The easiest way to test that the service is working is to go to http://www.eicar.org/ and attempt to download an Anti-Malware Testfile. This should generate a block message.

BlackBerry Enterprise Server
You can configure your BlackBerry Enterprise Server (BES) to forward traffic to Cisco Cloud Web Security.

Blue Coat must be configured. The Visual Policy Manager must contain a Web Access. Proxying With BCAAA To configure Blue Coat to proxy using BCAAA installed on the Active Directory: Step 1 Create a Source Object and an Action Object for each user or group of users you want to forward to Cisco Cloud Web Security and an Action Object with a forwarding list of the Cisco Cloud Web Security proxies. for example user name or Active Directory security groups. or in ICAP mode using Connector. This can be done either directly using the Blue Coat Authentication and Authorization Agent (BCAAA). internal IPs. then install the policy. If Connector is used. and domain groups to be sent to Cisco Cloud Web Security without needing to make end-user changes. Step 2 Step 3 Step 4 If you require user or group granularity. In the following instructions the Connector URL should be used in place of the Cisco Cloud Web Security primary proxy URL. Web Content and Forwarding layer. Prerequisites • • • • If user granularity is required.Appendix G Blue Coat Third Party Integration Note To connect to internal sites you must use Connector and create exceptions for those sites. Create an IWA realm with the primary server host and port on which BCAAA is operating with Basic and Kerberos credentials enabled. Using the BlackBerry Manager create a new proxy mapping for the BlackBerry MDS Connection Service with the type PROXY and the URL and TCP/IP port of your Cisco Cloud Web Security primary proxy (found in your provisioning email). Add a rule to the Web Access Layer including the Source object and an Authentication object for the IWA realm. To send internal IP address to Cisco Cloud Web Security. Blue Coat Blue Coat can be configured to enable user names. you must ensure the Virtual URL is set to the DNS name of the Blue Coat device. to include x-forwarded-for headers. then BCAAA must be installed on Active Directory. Add a rule to the Web Access Layer including the Source and Action objects. 
a DNS Host (A) record must be created for the Blue Coat as part of the NTLM realm configuration. Web Authentication. It must contain Control Request Header Objects with the name X-Username and the value $(cs-user)and X-Groups and $(cs-auth-groups). ScanCenter Administrator Guide G-2 OL-22629-05 . typically via the command line.

providing that the user’s gateway of last resort is the Check Point firewall. Create a new ICAP service with the version set to 1. If you are using FloodGate. In this configuration Connector should be behind Check Point. Step 5 Step 6 Step 7 Check Point If you require granularity you must use Connector to connect directly to the Internet. To configure Check Point to transparently proxy HTTP: Step 1 Create a service with the type Other named http_proxy using Protocol 6. Create a Forwarding Group containing the forwarding hosts and with load balancing switched off. By assigning a different IP to each subnet the Cisco Cloud Web Security proxy servers can redirect the subnet to a different account. Set the maximum connections to 1500. Create a rule to use the ICAP service. SmartDefense should be switched off for traffic originating from the Connector IP address. The Action element must be set to Set ICAP Request Service. HTTPS and FTP. ScanCenter Administrator Guide OL-22629-05 G-3 .Appendix G Third Party Integration Check Point Tip You can create a Reflect IP Object for each subnet. Configure the Web Authentication Layer to include the Source and Destination objects for the users you want to forward. Ensure Client address and Authenticated user are selected for request modification. the connection timeout to 70. Create a policy for each of the Forwarding Hosts. Set the Action for HTTP and FTP services to Intercept. bypassing Check Point. Ensure the Source and Destination objects in the Forwarding Layer include the users you want to forward and the service element includes HTTP. Ensure the Service URL is set to icap://<connector IP address>:1344/connector. Note The configuration of the FloodGate and SmartDefense services may be reset if a Check Point firewall restarts.0. You must enable HTTPS traffic to access the Internet directly. that the correct realms are included and that the Mode is Auto. bypassing Cisco Cloud Web Security. 
Proxying With ICAP To configure Blue Coat to proxy with ICAP using Connector in Enterprise mode: Step 1 Step 2 Step 3 Step 4 Create a Forwarding Host for each Cisco Cloud Web Security proxy with HTTP and FTP enabled on ports 8080. Transparent HTTP proxying does not require any changes to a user’s browser. Check Point is not capable of transparently proxying HTTPS traffic. Ensure the Action element in the Web Content Layer is set to Do Not Cache. Ensure the Action is Authenticate. you must create a rule to prioritize port 8080 traffic over all other services. Ensure Notify administrator and Virus found page are not selected. The Web Content Layer must include a Destination object for the users you want to forward.

Step 2  Edit the Advanced Other Service Properties and set the Match to SRV_REDIRECT(<incoming destination port>,<IP to forward to>,<new destination port>). The IP to forward to is the Cisco Cloud Web Security primary proxy (found in your provisioning email).

Step 3  Ensure Accept Replies, Match for ‘Any,’ Aggressive Aging, and Synchronize connections on Cluster are enabled.

Note  There must be at least one Network Address Translation (NAT) rule in the rule base for this to work. However, the NAT rule does not necessarily have to apply to this connection.

Firebox

When setting up a local area network with a WatchGuard Firebox as a single gateway firewall device, Cisco recommends using Connector and allowing port 8080 traffic to pass through Firebox. In this configuration, both HTTP and HTTPS traffic is sent to Cisco Cloud Web Security, avoiding potential issues with HTTP(S) sites failing due to inconsistencies in source IP addresses.

When Firebox is used as a transparent proxy without Connector:

• Cisco Cloud Web Security only processes traffic coming from the external IP address.
• You will not be able to see detailed report information on user activity or set up detailed user access policies based on Active Directory groups and user names or internal IP addresses.
• You will not be able to use both primary and secondary Cisco Cloud Web Security proxies for failover purposes.

To configure Firebox to allow HTTP(S) traffic:

Step 1  Create a policy for TCP with the Client Port set to ignore and the Port set to 8080.
Step 2  Set the Incoming connections policy to Disabled. It is possible to set the policy to Enabled and Denied but this may cause conflicts if any other inbound port 8080 rules have been configured.
Step 3  Set the Outgoing connection to Enabled and Allowed.
Step 4  In the From box, add the IP range or internal hosts that will be accessing the service. If this applies to your whole trusted network then the predefined trusted group can be used.
Step 5  In the To box, add the IP addresses of your primary and secondary Cisco Cloud Web Security proxies (from your provisioning email). Cisco does not recommend using the default setting of any.

It is likely that HTTP(S) services already exist within your policy that allow direct Internet access. If so, Cisco recommends that these should be changed to Enable and Deny outbound traffic. Making this change will ensure that any traffic that tries to leave the client network on port 80 or 443 will appear in the logs and provides you with information about any user attempting to connect directly to the Internet. There will also be less chance of conflict because all Web traffic will be going via the Cisco Cloud Web Security rule.

It is possible to lock down user’s proxy settings when using an Active Directory domain. However, if another domain is being used then it is advisable to lock all other outbound HTTP(S) traffic to prevent users bypassing Cisco Cloud Web Security.

HTTP and HTTPS must be set to 8080. Select Weak Consistency and ensure Ibw is switched off. For a full description of how to configure ISA Server/Forefront TMG. a rule can be configured to go out direct. Enable the Service Farm and set Round Robin Based Load Balancing with Bypass on Failure. As a work around for HTTPS. or ICP. MMS. there is an option to set an upstream proxy server for HTTP traffic. ScanCenter Administrator Guide OL-22629-05 G-5 . Create a New Service Farm for Connector. It is advisable to turn off all of the other features of the HTTP proxy rule in the other tabs. ISA Server/Forefront TMG Cisco recommends using ISA Server/Forefront TMG in ICAP mode with Connector. There must be no entry for RTSP. Configure the Services to be icap://<IP to forward to>:1344/connector where the IP to forward to is the Cisco Cloud Web Security primary proxy. Step 2 Step 3 Step 4 Step 5 You can add exceptions to the service by creating a new Forwarding Rule for HTTP(S) where the Phrase Equals the IP address you wish to bypass Cisco Cloud Web Security and the Distribution Method is set to Direct. If you require failover support you should use Connector instead. However. Firebox will forward all HTTP traffic to the Cisco Cloud Web Security primary proxy. Object caching must be switched off. NetCache must be configured for NTLM authentication against an Active Directory domain before proceeding. To enable granularity. refer to the Connector Administrator Guide. it will not failover to the secondary proxy and HTTPS traffic will not be forwarded.0 and switch off Generate the X-Client-IP ICAP Header from the X-Forwaded-For-HTTP Header. The monitor status for TCP must be set to Pass through the client user name and password. To enable transparent proxying: Step 1 Step 2 Create a new HTTP service and select Use Caching Proxy Server. set the Access Control Lists for HTTP(S) to icap (<service farm name>) any. 
Enable ICAP 1.Appendix G Third Party Integration ISA Server/Forefront TMG Although Firebox does not support transparent proxying. set the REQMOD_PRECACHE Order to 1. Enter the IP address of the Cisco Cloud Web Security primary proxy (from your provisioning email) and set the port to 8080. In the Vectoring Point. It is possible to create another HTTP rule which can bypass the proxy forward. To configure NetCache to proxy with ICAP using Connector in Enterprise mode: Step 1 Create a New Parent hierarchy using the Cisco Cloud Web Security primary proxy (from your provisioning email) as the Host Name. NetCache Connector can be integrated with NetCache to provide user and group granularity.

substitute any other outbound facing interface. remove HTTP(S) access from the previously existing rule. internal IPs. NetScreen Juniper Networks NetScreen can be configured to enable user names. the previously existing rule is applied to DNS traffic and HTTP(S) and FTP traffic goes to Cisco Cloud Web Security. The rule must be tied down from the LAN object or range that will access the Internet through the Cisco Cloud Web Security proxy to the IP address/domain name of the remote proxy. The rule must not include any conditions and the Distribution Method must be Parent Cluster. Policy amendments are based on port 8080 being set explicitly in the user’s browser.generate. If policy-based NAT is in use then source NAT must be selected in the specific rule.255 and the Zone must be the untrust zone. the default rules will be switched off. Add the Cisco Cloud Web Security proxy IP addresses (from your provisioning email). ScanCenter Administrator Guide G-6 OL-22629-05 . and domain groups to be sent to Cisco Cloud Web Security. Alternatively. VPN to None. but with NetCache you may need to set it to randomized by adding icap.properties file. If Internet users are using the Cisco Cloud Web Security proxies exclusively. Set the Application to None. Global or local browser settings must include the proxy server IP/Domain name supplied and the HTTP port 8080. create a firewall policy from the trust/private interface to the untrust/public interface.255. the Action to Permit. you must also change the Domain/LAN proxy settings. Set the Source Port range to 0 to 65535. The netmask must be 255. To configure NetScreen to forward to Cisco Cloud Web Security: Step 1 Step 2 Create a custom service for TCP on port 8080. Note The Connector ISTag response to an ICAP server is fixed by default. Step 3 Step 4 Note NetScreen firewalls have an HTTP proxy rule with antivirus scanning and Web filtering. 
When you have configured your internal Internet users to send traffic to Cisco Cloud Web Security.istag=true to Connector’s agent. If Internet users will be on the trust interface. This policy should be as high in the list as possible. then it is recommended that this function is switched off. The rule must be one way and will be set to ‘allow’.255. In addition to configuring the firewall. Set Service to (Multiple) and enter the addresses again. To do this. It is not possible to enable them again so a Forwarding Rule must be created for HTTP(S) to send normal traffic to Cisco Cloud Web Security.Appendix G NetScreen Third Party Integration When you enable your first Forwarding Rule. The configuration of NAT is dependent on policy. The Source Address must be Address Book Entry Inter-Lan and the Destination Address should be Address Book Entry (Multiple). This is not required if general NAT is in use. L2TP to None and enable logging. You should then have a rule base where Any to Any access is switched off.random. Create a policy for outbound access on port 8080 from the trust zone to the untrust zone. Enter the addresses for which you want to enable outbound access. it is advisable to lock down HTTP(S) traffic being sent directly to the Internet so that users cannot bypass the newly configured service.

Juniper ScreenOS 5. Step 3 If internal subnets or intranet addresses are on the WAN side (un trust zone). Set the Service and Application to HTTP. ScanCenter Administrator Guide OL-22629-05 G-7 . switch off Source Translation and enable Destination Translation. It is also advisable to create a policy from the trusted to the untrust zone that denies all HTTP traffic on port 80. This will allow you to audit the rule to make sure that all users are going through the Scanning proxy rule and not hitting the drop rule which should be at the bottom of the rule base. if the IP address of the WAN interface is the public address supplied by your ISP. Alternatively. See [REF]. use the default settings. Alternatively. or HTTP(S) removed from the specific rule. Set Bind to Interface to None. Because SSL has built in defense against ‘man-in-the-middle’ attacks.scansafe. if the IP address of the WAN interface is the public address supplied by your ISP. Enable Clear Text. Set the Map to Port to 8080 and switch off Authentication.Appendix G Third Party Integration NetScreen Any other rules allowing outbound HTTP(S) must be switched off or set to deny. or “NAT destination. It is useful to have Logging switched on.” Transparent proxying enables traffic to be forwarded to Cisco Cloud Web Security with any client configuration. In the advanced policy settings. Tunnel VPN and L2TP to None. If you have dynamically assigned public IP addresses (for example.net. The rule to allow local intranet traffic must occur before the rule that redirects traffic to Cisco Cloud Web Security. most DSL and broadband connections). Set the Host Name to the domain name registered for your service. for example yourcompany. Cisco Cloud Web Security use the public IP address as one means of authenticating traffic. Create a new policy for traffic from the trust zone to the untrust zone. it will be able to transparently proxy HTTP connections to Cisco Cloud Web Security. select ethernet0/0. 
Enable the DDNS Client. traffic redirection is not supported for HTTPS. Providing the user’s gateway of last resort is the SonicWALL firewall. The action will be drop/deny. then you must create a new policy to allow traffic to those networks to bypass filtering (go direct). Ensure the WEB Filtering options are switched off. it is possible to leverage NetScreen support for DDNS registration to authenticate new IP addresses.com. Step 4 The advantage of this configuration is that you do not need to change any proxy settings within the user’s browser. Enter a User Name and set the Password to the authentication key you generated earlier. Note The rule to redirect HTTP traffic to Cisco Cloud Web Security must occur before a rule that allows it to go directly to the Internet. Set the Server Type to dyndns. the destination will be Any. the Server Name to ddns. The Last-response column in the DDNS Entries Table will be ‘good’ if registration was successful.4 or later supports transparent proxying. Set the Refresh Interval and Minimum Update Interval to 1. Create a DDNS entry for dynamic IP registration. Set the Antivirus Profile. The source will be the restricted LAN object or range. To configure NetScreen to enable transparent proxying: Step 1 Step 2 Create an authentication key in ScanCenter. Select Translate to IP and enter the address of the Cisco Cloud Web Security primary proxy (from your provisioning email). Set the Source and Destination addresses to Address Book Entry (ANY). Registration may take a minute or so.

SonicWALL

Provided the user’s gateway of last resort is the SonicWALL firewall, it will be able to transparently proxy HTTP connections to Cisco Cloud Web Security. The advantage of this configuration is that you do not need to change any proxy settings within the user’s browser. However, SonicWALL is not capable of transparent proxying HTTPS traffic.

Note  You must enable direct access to the Internet for HTTPS traffic without sending it to Cisco Cloud Web Security.

If you require granularity you must use Connector to connect directly to the Internet, bypassing SonicWALL. In this configuration Connector should be behind SonicWALL.

To configure SonicWALL without using Connector:

Step 1  In the Web Proxy page, enter the name or IP address of the Cisco Cloud Web Security primary proxy (found in your provisioning email) in the Proxy Web Server box.
Step 2  Enter 8080 in the Proxy Web Server Port box.
Step 3  Select the Bypass Proxy Servers Upon Proxy Server Failure check box.
Step 4  If you have clients configured on the perimeter network, select the Forward Client Requests to Proxy Server check box and apply your changes.

Squid

You can forward web requests to Cisco Cloud Web Security using the open source Squid firewall. The official Squid website (http://www.squid-cache.org/) recommends building Squid from the source. A prebuilt Windows binary is available from Acme Consulting (http://squid.acmeconsulting.it/download/dl-squid.html) which sponsors the Windows port. Alternatively, a prebuilt package is available in the standard Red Hat Enterprise Linux and CentOS repositories. Cisco provides a prebuilt RPM package for use with WCCP.

Prerequisites

Before installing the RPM provided by Cisco you must install the perl-URI package (1.30-4 or later):

    yum install -y perl-URI

Add the following lines to the /etc/security/limits.conf file:

    * hard nofile 32768
    * soft nofile 32768

Edit the maximum number of connections in the /etc/sysctl.conf file, then apply the settings with the sysctl -p command:

    net.ipv4.netfilter.ip_conntrack_max = 65536

Enter the following commands to apply the required firewall rules:

    /sbin/iptables -t nat -F
    /sbin/iptables -F
    /sbin/iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
    /sbin/iptables -I INPUT 1 -p tcp --dport 3128 -j ACCEPT
    /sbin/iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    /etc/rc.d/init.d/iptables save

Configuration

There are a number of lines in the squid.conf file which are customer-specific. The items you must modify are identified in bold in the examples below.

Modify the following lines to match the proxies defined in your provisioning email (where xxx.xxx.xxx.111 and xxx.xxx.xxx.222 are the primary and secondary Cisco Cloud Web Security proxy respectively):

    cache_peer xxx.xxx.xxx.111 parent 8080 0 no-query no-digest proxy-only weight=10 login=*:password default
    cache_peer xxx.xxx.xxx.222 parent 8080 0 no-query no-digest proxy-only weight=1 login=*:password default

Modify the following line to match your internal network range:

    acl local_netowrk src 192.168.10.0/24

Comment out the lines starting wccp2 in the WCCP Configuration section.

To force Squid to use only the Cisco Cloud Web Security proxies enter the following line:

    never_direct allow all
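The squid.conf settings this section calls for (parent cache_peer entries on port 8080 for the primary and secondary proxy, no active wccp2 lines, and never_direct allow all) can be checked mechanically after editing. The script below is an added example, not part of the Cisco guide or the Cisco RPM; the function names check_squid_conf and sample_conf are hypothetical, and the sample configuration is constructed, using addresses from the 192.0.2.0/24 documentation range in place of the proxies from a provisioning email.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): audit a squid.conf for the
# upstream-forwarding settings described in this section.

# check_squid_conf FILE
# Prints one line per finding; returns 0 only if every check passes.
check_squid_conf() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "FAIL cannot read $conf"
        return 1
    fi
    awk '
        # Ignore blank lines and comments, so a commented-out wccp2 line
        # or never_direct directive is not counted as active.
        /^[ \t]*(#|$)/ { next }

        # cache_peer <host> <type> <http-port> <icp-port> [options...]
        $1 == "cache_peer" {
            peers++
            if ($3 != "parent") {
                print "FAIL cache_peer " $2 " has type " $3 ", expected parent"
                bad++
            }
            if ($4 != "8080") {
                print "FAIL cache_peer " $2 " uses port " $4 ", expected 8080"
                bad++
            }
            next
        }

        $1 == "never_direct" && $2 == "allow" && $3 == "all" { never = 1; next }

        # Any directive that still starts with wccp2 is active.
        $1 ~ /^wccp2/ { print "FAIL active WCCP directive: " $0; bad++ }

        END {
            if (peers < 2) {
                print "FAIL found " (peers + 0) " cache_peer lines, expected primary and secondary"
                bad++
            }
            if (!never) {
                print "FAIL never_direct allow all is missing, requests can bypass the upstream proxies"
                bad++
            }
            if (!bad) print "OK " peers " parent proxies on 8080, never_direct set, WCCP disabled"
            exit (bad > 0)
        }
    ' "$conf"
}

# Constructed sample input. 192.0.2.x stands in for the primary and
# secondary proxy addresses from a provisioning email.
sample_conf() {
    cat <<'EOF'
cache_peer 192.0.2.111 parent 8080 0 no-query no-digest proxy-only weight=10 login=*:password default
cache_peer 192.0.2.222 parent 8080 0 no-query no-digest proxy-only weight=1 login=*:password default
acl local_netowrk src 192.168.10.0/24
#wccp2_router 192.0.2.1
never_direct allow all
EOF
}

# Demonstration run against the constructed sample.
demo_file=$(mktemp)
sample_conf > "$demo_file"
check_squid_conf "$demo_file" || echo "configuration needs attention"
rm -f "$demo_file"
```

To audit a live system, call check_squid_conf with the path to the installed squid.conf.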


GLOSSARY

Revised: October 20, 2011, OL-22629-05

A

Active Directory: The directory service for Microsoft Windows network operating systems.
adware: See spyware.
antivirus: Client software designed to block malware.
ASCII: American Standard Code for Information Interchange. A 7-bit code including 95 printable characters (32 to 126 decimal).
AUP: Acceptable Usage Policy. The terms under which you permit your staff to access the Internet.
authentication key: A key used to authenticate a computer, typically deployed group or company wide. ScanCenter can generate Company, Group, and User keys.

B

bandwidth: The sum of bytes sent and received.
block: The log event recorded when a connection is blocked.
botnet: A group of compromised computers, typically used for distributed denial-of-service attacks. See also DDoS.

C

cross site scripting: A type of computer security vulnerability that takes advantage of dynamically generated Web pages. In a cross site scripting (XSS) attack, a Web application is sent with a script that activates when it is read by an unsuspecting user. Common XSS targets include search engine boxes, online forums, social networking sites and public-accessed blogs. When the XSS has been launched, the attacker can change user settings, hijack accounts, poison cookies with malicious code, expose SSL connections, access restricted sites and even launch false advertisements.
CSV: The Comma Separated Values file format. Typically used to export data for use in a spreadsheet.

D

DDoS: Abbreviation for Distributed Denial of Service. A distributed DoS attack. See also DoS.
denial of service: See DoS.
desktop security agent: Software which prevents malware from executing on a client computer.
domain name: A human-readable name that is mapped to an IP address.
DoS: Abbreviation for Denial of Service. A type of attack that attempts to make a computer resource unavailable to its intended users. Typically the targets are high profile Web servers, the attack aiming to cause the hosted Web pages to be unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB). DoS attacks have two general forms: 1) Force the victim computer(s) to reset or consume its resources such that it can no longer provide its intended service. 2) Obstruct the communication media between the intended users and the victim in such that they can no longer communicate adequately.
DLP: Data Loss Prevention. Software that prevents data leaving the corporate network.

E

egress IP: Where egress filtering is in use, the IP address that is permitted to connect to the Internet.
exception: A site that is excluded from a policy.
exploit: A piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to gain control of a computer system or allow privilege escalation or a DoS attack. See also DoS.

F

firewall: Personal firewalls limit the ports on which Internet traffic can travel.

G

group: A collection of user accounts. May refer to Active Directory groups, or custom groups.

H

HTTPS: Abbreviation for Hypertext Transfer Protocol Secure. A combination of HTTP and a cryptographic protocol.

I

identity theft: This occurs when someone wrongfully acquires or uses another person's personal data, typically for their own financial gain. Also known as identity fraud because the criminal impersonates rather than 'removes' the victim's identity.
ingress IP address: The address through which traffic enters a network.

K

keyword: A word used to narrow a search.

M

malware: Software designed to infiltrate or damage a computer system, without the owner's informed consent. It includes computer viruses, worms, Trojan horses, spyware, adware, and other malicious and unwanted software. See also spyware, Trojan horse, virus, worm.

N

normalized: Data that has been standardized, for example by converting all upper-case letters to lower case.

O

OCC: Abbreviation for outbound content control.

P

PAC: Abbreviation for proxy auto-config.
PDF: Abbreviation for Portable Document Format.
phishing: Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, with the information acquired by a fake Web page. See also social engineering.

private/public key pair: Public-key cryptography uses a pair of keys, of which only the private key needs to be kept secret. Data encrypted with the public key can be decrypted only with the private keys.
proxy: A server that redirects network traffic.

R

regular expression: A string that specifies a set of strings that matches it.
rootkit: A collection of tools that enable administrator-level access to a computer or computer network. Rootkits are usually installed on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network. A rootkit can consist of spyware and other programs that monitor traffic and keystrokes, create a “backdoor” into the system for the hacker’s use, alter log files, attack other machines on the network, and alter existing system tools to escape detection.
RSA: An algorithm for public-key cryptography.

S

session hijacking: The exploitation of a valid Session key to gain unauthorized access to information or services in a computer system. Session keys are normally randomized and encrypted to prevent session hijacking. For the attack to succeed, the victim must use telnet, rlogin, ftp, or any other non-encrypted TCP/IP utility. Use of SecurID card, or other token based secondary authentication is useless as protection against hijacking, as the attacker can simply wait until after the user authenticates, then hijack the session.
social engineering: The practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes. It is generally accepted that users can be the weak link in security and this principle is what makes social engineering possible. See also phishing.
spam: Unsolicited commercial email.
spoofing: Various practices used to conceal the identity of a user, email account, or IP address while taking some action.
spyware: Adware and spyware typically deploy without a user's express knowledge and are often difficult to remove. Common behaviors include passing information about a user's behavior, displaying 'pop-up' advertisements and hijacking Web requests.
subnet: A portion of a network that has been partitioned.

T

TCP/IP: Abbreviation for Transmission Control Protocol/Internet Protocol.
transparent proxy: A proxy implemented as part of the network infrastructure. Traffic on port 80 is automatically passed through the proxy without requiring any Web browser configuration.
Trojan horse: A malicious program that is disguised as or embedded within legitimate software. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed. The term is derived from the classical myth of the Trojan horse.

U

URL: Uniform Resource Locator.

V

VPN: Virtual Private Network.
vulnerability: A weakness in a system allowing an attacker to violate the integrity, confidentiality, access control, availability, consistency or audit mechanism of the system or the data and applications it hosts. Vulnerabilities may result from bugs or design flaws in the system.

W

Windows service: Software that runs as a background service with Microsoft Windows.
worm: A piece of software that uses computer networks and security flaws to create copies of itself. A copy of the worm will scan the network for any other machine that has a specific security flaw. It replicates itself to the new machine using the security flaw, and then begins scanning and replicating anew.
WPAD: The Web Proxy Auto-Discovery protocol.

X

XSS: See Cross Site Scripting.

Z

zero day exploit: An exploit of a vulnerability for which a security update does not exist.
zombie computer: A computer that is infected with malware to perform a task without the knowledge of the user. These hijacked computers are often unwittingly used to distribute spam, malware, pornography or initiate a DoS attack. See also DoS.
