
COPYRIGHT NOTICE
Copyright 2004-2008 Cymphonix. All rights reserved. Licensed software and documentation. Use, copy, and disclosure restricted by license agreement.

DISCLAIMER
Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However, Cymphonix accepts no responsibility, and offers no warranty whether expressed or implied, for the accuracy of this publication. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without the express written permission of Cymphonix. The information in this document is subject to change without notice. Cymphonix makes no warranty of any kind in regard to the contents of this document, including, but not limited to, any implied warranties of merchantability, quality or fitness for any particular purpose. Cymphonix shall not be liable for errors contained in it or for incidental or consequential damages concerning the furnishing, performance or use of this document.

FCC TESTING DECLARATION
This equipment has been tested and verified to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.

Cymphonix
8871 S. Sandy Parkway, Suite 150
Sandy, Utah 84070
866-511-1155
www.cymphonix.com
DOC-USR-0819-4

Network Composer User Guide

Table of Contents

Table of Contents  ii
Chapter 1: Introducing Network Composer  1
Chapter 2: Installing Network Composer  3
    Gathering Initial Information  4
    Connecting to Network Composer  5
    Running the Setup Wizard  7
    Cutting-Over  8
    Accessing Network Composer  9
        Manual Configuration  10
        Management/Auxiliary Interface  10
        Text Menu Interface  11
        Proxy Mode  14
    Configuring Port Settings  16
    Configuring Cabling  17
    Testing Fail to Wire or No Failover  17
        Fail to Wire  17
        Bypass Mode  18
        No Failover  18
Chapter 3: Navigating Network Composer  20
    General Navigation  20
    Tasks Pane  22
    Help Pane  23
Chapter 4: Generating Reports  25
    Home Page  25
        The Message Center  25
        System Notifications  26
        Getting Started  26
        Hardware Settings  26
        System  26
    General Reporting Options  26
        Selected Date  27
        Search  27
        Correlated by  27
        Result Type  27
        Group  27
        Network Node  28
        Directory User  28
        Encryption Type  28
        Application Set  28
        Right-Click Options  28
        Drop-Down Arrows  29
        Bar-Pie Graph Drop-Down  29
        Snapshot-Real Time Drop-Down  29
        Report Recommendations  29
    Users tab  31
        Dashboard Reports  31
    Applications tab  32
    Threats tab  33
    Internet Usage tab  34
    System Reports tab  35
    Dashboards tab  36
Chapter 5: Managing Network Composer  39
    General Manage Options  39
    Policies & Rules tab  40
        Groups  40
        Time-of-Day Rules  43
        Traffic Flow Rule Sets  44
        Content Filtering  45
        Advanced Filtering  47
        Internet Usage Rules  49
        Shaping Rules  52
        Policy Manager  55
    Directory Users & Nodes  55
        Network Nodes  56
        Directory Users  59
        Directory Agent  60
    Broadcasts tab  60
    System Access tab  61
    Applications tab  61
        Traffic Flow Rule Sets  62
        Application Sets  63
        Applications  65
Chapter 6: Administrating Network Composer  68
    Setup Wizard  68
    Configuration tab  69
        Setup  69
        Advanced Setup  69
        Ethernet Settings  71
        Company Settings  71
        Registration Settings  72
        Miscellaneous (Misc.) Settings  72
        Update Settings  73
        Custom Category Rules  74
        Custom Category Options  75
        Remote Subnets  75
        User Preferences  77
        Static Routes  78
        SSL Certificate Settings  79
        License Settings  79
        Special Domains  80
        LDAP Settings  80
        Backup  80
        Proxy Settings  81
    Diagnostic Tools tab  82
        Device Status  82
        Directory Agent Diagnostics  82
        Directory Agent Users  82
        Display ARP Table  82
        Ethernet Status  83
        Group IP List  83
        IP Address Map  83
        No LDAP Network Nodes  83
        PING  83
        Test DNS Settings  84
        Traceroute  84
        IP Traffic Monitor  84
    Downloads tab  84
    Logs tab  84
        Activity Log  84
        Kernel Log  85
    Redirection Pages  85
        Blocked URL  86
        Directory Agent Login Page  87
    Utilities  87
        System Resets  87
        Support Link  90
        Spyware Removal Tool  90
Chapter 7: Integrating Directory Users with Network Composer  92
    Directory Overview  92
    Directory Options  94
        Directory Option 1: Directory Agent with Directory Client (cymdir.exe)  94
        Directory Option 2: Directory Agent with IP Lookup  95
        Directory Option 3: Directory Agent with NTLM  95
        Directory Option 4: Directory Agent with Login Page  96
        Directory Option 5: LDAP Settings with LDAP Client (cymldap.exe)  97
    Directory Configurations  98
        Install Directory Agents  99
        Create Directory Agents  101
        Create Network Composer Groups  101
        Create Directory Agent Group  102
        Deploy Directory Client/LDAP Client  105
        Create Directory Internet Usage Rules  116
        Enable LDAP Settings  117
        Create LDAP Groups  119
    Directory Troubleshooting  119
        Using Diagnostic Tools  119
        Troubleshooting GPO Issues  121
        Troubleshooting Directory/LDAP Client  122
        Troubleshooting LDAP Settings  124
Chapter 8: Implementing HTTPS/SSL Filtering with Network Composer  125
    Certificate Authorities  126
    SSL Anonymous Proxies  126
        SSL CGI Proxy  127
        SSL Full Proxy  127
        SOCKS4/5 Proxy  127
        TorPark Network  127
    HTTPS/SSL Filtering  127
        Disable SSL Inspection and Filtering  127
        Enable SSL Certificate-Based Content Filtering  127
        Enable Denied Access Page for SSL Certificate-Based Content Filtering  128
        Enable Full SSL Content Filtering  128
        Only Allow Trusted Certificate Authorities and Non-Expired Certificates  128
        HTTPS/SSL Filter Exemption List  128
        Content Filtering Rules  128
    HTTPS/SSL Blocking  129
    HTTPS/SSL Filtering Requirements  129
    Enabling SSL Certificate-Based Filtering  130
        Web Filter + Deny IM + Anonymous Proxy Guard + SSL Filter  131
        Web Filter + Anonymous Proxy Guard + SSL Filter  131
        Web Filter + SSL Filter  131
    Network Composer's Digital Certificate  131
    Installing Network Composer's Digital Certificate  132
        Deploying Network Composer's Certificate via Web Browsers  133
        Deploying Network Composer's Certificate via Active Directory  136
    Enabling Full SSL Content Filtering  139
    Confirming Network Composer's Digital Certificate  139
    Viewing Sensitive Content on HTTPS/SSL Web Sites  140
Customer Support and Feedback  141
    Getting Help  141
Appendix A: Web Filtering Categories  142
Appendix B: MIME Types  149
Appendix C: File Types  153
Appendix D: Cymphonix CIDR Cheat Sheet  155
Appendix E: Cymphonix License Agreement and Warranty  157


Chapter 1: Introducing Network Composer


Welcome to Network Composer. Network Composer is a smart gateway appliance from Cymphonix that offers network administrators an in-depth view of network traffic and resources. With Network Composer, you can monitor and manage traffic generated by specific applications within the network as well as traffic generated by specific users or computers. Not only can you manage traffic from users and devices, you can also control which web sites or categories can be visited. In addition, Network Composer offers protection against spyware and virus web applications so that your network keeps running optimally.

Network Composer helps manage network traffic by reporting which types of traffic are being utilized on the network. The device also provides tools to help control the traffic and identify potentially dangerous users or applications. By monitoring all Internet traffic, Network Composer will report on how much bandwidth is being used for browsing the Web and for downloading files via File Transfer Protocol (FTP) or Peer-to-Peer (P2P) applications. This information is valuable because it shows you how your network resources are being used. With this information, you can then use Network Composer to optimize traffic, identify high-priority traffic, and restrict unwanted types of traffic or web sites. In essence, Network Composer will allow you to receive the most benefit from your network and users.

Network Composer provides three essential facets for traffic reporting and control:

Filter content: Network Composer will monitor and report on web sites visited. Network Composer will allow you to block unauthorized web sites or web categories.
Shape traffic: Network Composer can prioritize applications or users within the network, allowing you to limit or restrict bandwidth and specific types of traffic. For example, P2P file sharing can consume large amounts of bandwidth. Network Composer can restrict this traffic, allocating more bandwidth to higher-priority traffic.
Block spyware and web viruses: Network Composer will also identify and block spyware or viral web sites and applications that can potentially harm your network and consume bandwidth.

Network Composer User Guide

Network Composer can quickly increase bandwidth for high-priority traffic, ensure employee productivity, provide appropriate web content, add an additional layer of security, and prevent users from compromising your network. This user guide will instruct you on how to utilize and deploy the various functions of Network Composer.


Chapter 2: Installing Network Composer


In this chapter, you learn how to perform an initial installation of Network Composer. The following topics will be covered:

Gathering Initial Information
Connecting to Network Composer
Running the Setup Wizard
Cutting-Over
Accessing Network Composer
Using Alternative Configuration Methods
Configuring Port Settings
Configuring Cabling
Testing Fail to Wire or No Failover

Network Composer is a powerful network device that is relatively easy to set up in any network environment using the instructions in this document and the Setup Wizard. Please read and understand all configuration and installation considerations before proceeding. If you have questions or are unsure about the installation of Network Composer, please contact your Authorized Cymphonix Reseller and/or the person responsible for the service of your network.


Gathering Initial Information


This section lists the information and basic definitions of terms you will need to know before installing Network Composer. Begin by reviewing the information and filling out the following table for documentation. You will need the following information:

License Key
Licenses that have been purchased with your system will ship as a license key on a card in the Documentation & Accessories box. Locate this card to enable the licenses on your system during the setup process.

License Key:
Model Number:
Serial Number:
Licensed Network Nodes:

Licensing: licensing with Network Composer is based on network connections. One hundred connections on your network will constitute a 100 Network Node license. Please make sure that the number of licenses purchased is sufficient for the active connections present on your network.

Model Number and Serial Number: these numbers are associated with your Network Composer for device identification and are used in conjunction with the License Key to verify the number of licenses purchased.

IP Configuration
If you are unsure of the following fields, the Setup Wizard will detect available addresses and settings within your network via DHCP. You may copy over these settings during the Setup Wizard.

Network Composer (Bridge) IP address:
Subnet Mask:
Default Gateway (WAN Side) IP address:
DNS Server IP address:
Management/Auxiliary Port IP address:
The Management/Auxiliary Port IP address cannot be in any active subnet in your network.

Management/Auxiliary Port Subnet Mask:
Total Download Bandwidth (in Kbps):
Total Upload Bandwidth (in Kbps):


Time Zone:

Amounts used in the Total Download Bandwidth and Total Upload Bandwidth will restrict total throughput through Network Composer. Please make sure the amounts you enter in these fields are correct.

If you would like to receive email alerts when users attempt to access viral web sites, you must fill out the Email Settings. If you are not interested in this option, you may leave the following fields blank.

Email Settings
In order for Network Composer to send email alerts, the email server listed below must be configured to relay messages from Network Composer.

System Alerts & Broadcasts email address (System Administrator):
Email Server Hostname or IP address (optional):

Remote Subnets
Network Composer will identify and monitor all network traffic native to its local subnet. If you have a routed network (VLANs, different network addresses, etc.), please note the network addresses outside Network Composer's local subnet in the appropriate CIDR notation. See Appendix E for the CIDR Cheat Sheet.

Subnet Address (CIDR notation):
Subnet Address (CIDR notation):
Subnet Address (CIDR notation):

Once you have this information, you're ready to make your initial connections to Network Composer.

Connecting to Network Composer


The next step is to power on and establish a connection to Network Composer from a local management workstation/laptop. You will also need to connect Network Composer to your network.


Running the Setup Wizard requires an active Internet connection from the network where Network Composer will be installed. If you do not have an active Internet connection available, or you do not wish to use the Setup Wizard, please consult the section Using Alternative Configuration Methods.

1. Connect a cross-over cable (included in your Accessories Kit) from Network Composer's LAN port to the network port on your workstation/laptop.
2. Connect a straight-through cable from Network Composer's WAN port to an empty port on your local network switch.

Figure 2.1 Network Composer Configuration Connectivity

3. Write down the existing IP settings of your local workstation/laptop so that you can easily change them back when configuration is complete.
4. Change your local workstation/laptop IP settings. You will need to change the IP settings on your local workstation/laptop to communicate with the default settings of Network Composer:
   a. Default IP Address: 192.168.1.80
   b. Default Subnet Mask: 255.255.255.0
   The suggested settings for the local workstation/laptop are the following:
   c. IP Address: 192.168.1.81
   d. Subnet Mask: 255.255.255.0


Running the Setup Wizard


1. To access the Setup Wizard, open Microsoft's Internet Explorer (IE) 6 or higher and enter http://192.168.1.80 in the address bar.
2. Log in to the system using:
   a. Default User Name: admin (all lowercase)
   b. Default Password: cymphonix (all lowercase)
3. Please read and accept the EULA.
4. The Welcome Screen is then displayed automatically on new systems, as well as on systems that have been reset to factory defaults. Read the information displayed in the Welcome Screen and select Next>>.

Figure 2.2 The Setup Wizard Welcome Screen

5. Using the information you collected in the section Gathering Initial Information, complete the steps within the Setup Wizard. Select Next>> when the page fields are complete. Network Composer will test the settings of each step and, if successful, will allow you to proceed.
6. The final step in the Setup Wizard allows you to confirm and, if necessary, edit your configuration. This step will also check for updates and will automatically retrieve and install them. Major firmware upgrades will result in a reboot of your system when complete.

Please note that advanced configuration options such as Directory Integration or Ethernet Settings require additional steps that are not covered in the Setup Wizard. For additional information, please review their corresponding chapters.

Cutting-Over
Only perform these next steps when network traffic can be momentarily interrupted. Now that you have finished the Setup Wizard, you are ready to place Network Composer inline with Internet traffic. Network Composer requires all Internet traffic to pass through its bridge interface, unless the device is configured in Proxy Mode. If you are planning to configure Network Composer in Proxy Mode, you can skip the current section and proceed to the section Using Alternative Configuration Methods. For typical installations you will need to follow the next steps and physically place Network Composer inline with your network's traffic. In general this location is between the Firewall/WAN Router and the Core Network Switch.

1. Remove the cables connected to Network Composer's WAN and LAN ports.
2. If you modified your local workstation/laptop IP settings, change them back to their original IP settings.
3. Locate the connection between the Core Network Switch and the Firewall/WAN Router. Unplug the cable from the Firewall/WAN Router and connect it to the LAN port on Network Composer.
4. Using the cross-over cable, connect the WAN port of Network Composer to the now open port on the Firewall/WAN Router that was previously used by the Core Network Switch.
5. Verify that the cross-over cable is plugged into Network Composer's WAN port and the Firewall/WAN Router.
6. Verify that the straight-through cable is plugged into Network Composer's LAN port and the Core Network Switch. Network Composer should now be sitting inline with your Internet traffic.
7. Confirm that the Light Emitting Diodes (LEDs) for both the WAN and LAN ports are showing solid green (link) lights and blinking amber (speed) lights.
8. Verify that local workstations can access the Internet by opening a web browser and navigating to several web sites.


Figure 2.3 Network Composer Installation Connectivity

If you are able to browse the Internet, you have completed the installation of Network Composer. The device should now be sitting inline with your Internet traffic and monitoring web requests.

Accessing Network Composer


After completing the configuration and installation processes, you can access Network Composer by using the IP address you assigned to the device during the Setup Wizard.

1. Open Microsoft's IE 6 or higher and navigate to http://<IP address assigned>.
2. Log in using the default credentials (listed under the section Running the Setup Wizard) or with the newly created administrative login.
3. When you log in to Network Composer, the Home Page will display. This page provides a snapshot of system health, filtering effectiveness, current firmware versions, subscription settings, as well as links to administration of your new system.

We strongly recommend that you create a new administrative login and change the default login password to limit access to Network Composer. Select the Manage -> System Access -> Logins link to make these changes.

Using Alternative Configuration Methods


The previous sections discuss the most common steps for installing Network Composer. However, there are alternative methods that can be used for initial configuration of the device, as well as different modes that Network Composer can accommodate. This section discusses installing Network Composer without the assistance of the Setup Wizard, as well as Proxy Mode.

Manual Configuration
Physical connectivity for manual configuration of Network Composer can be accomplished using a cross-over cable from a local machine (such as a laptop) to either the LAN, WAN, or Management/Auxiliary (AUX) port on Network Composer. See the instructions in Connecting to Network Composer on modifying your local machine's IP settings to connect to Network Composer. If you wish to configure Network Composer without the assistance of the Setup Wizard, or if you are pre-configuring the system for installation, the Manual Configuration settings can be accessed through the Admin -> Configuration settings screens. Simply cancel the Setup Wizard and access the settings listed in the table below. The following table shows where the network configuration information collected in Gathering Initial Information can be manually entered into Network Composer's configuration pages.

Quick Start Guide Table Name: Admin -> Configuration -> Page Name
License Key: License
IP Settings: Setup
Total Upload/Download Bandwidth: Misc. Settings
Email Settings: Company Settings
Remote Subnets: Remote Subnets

Management/Auxiliary Interface
Network Composer can be accessed via the Management/Auxiliary port for the initial configuration. However, the IP settings for the port will need to be different from those for the bridge interfaces (WAN and LAN ports) and cannot be an IP address found under the Remote Subnets listings.

1. Connect a cross-over cable (included in your Accessories Kit) from Network Composer's Management/Auxiliary port to the network port on your workstation/laptop.
2. Write down the existing IP settings of your local workstation/laptop so that you can easily change them back when configuration is complete.
3. Change your local workstation/laptop IP settings. You will need to change the IP settings on your local workstation/laptop to communicate with the default settings of Network Composer:
   a. Default Management/Auxiliary IP address: 10.1.1.1
   b. Default Subnet Mask: 255.255.255.0
   The suggested settings on the local workstation/laptop are the following:
   c. IP address: 10.1.1.2
   d. Subnet Mask: 255.255.255.0
4. From the Management/Auxiliary port, you can access Network Composer via the GUI or the Text Menu (covered in the following section). If you choose to configure Network Composer via the GUI, please follow the steps listed under the section Running the Setup Wizard. If you choose to configure Network Composer via the Text Menu, please follow the steps listed under the next section.
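The address rules spread across Gathering Initial Information and Management/Auxiliary Interface (the AUX port must not share the bridge subnet, its address may not fall in any active subnet including the Remote Subnets list, and remote subnets are written in CIDR notation outside the local subnet) are easy to violate on paper. The following Python script is an added worksheet check, not part of the Cymphonix guide; the worksheet values and field names are constructed assumptions of the example.

```python
"""Consistency check for the IP worksheet filled out before installation.

Rules encoded here come from the guide: the Management/Auxiliary port must
use IP settings different from the bridge (WAN/LAN) interfaces, its address
may not be found under the Remote Subnets listings, the default gateway must
be reachable on the bridge subnet, and Remote Subnets entries must be valid
CIDR networks outside Network Composer's local subnet.
"""
import ipaddress
from typing import Any, Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample worksheet values; not taken from any real installation.
SAMPLE_WORKSHEET: Dict[str, Any] = {
    "bridge_ip": "192.168.10.5",
    "bridge_mask": "255.255.255.0",
    "default_gateway": "192.168.10.1",
    "aux_ip": "10.1.1.1",
    "aux_mask": "255.255.255.0",
    "remote_subnets": ["172.16.0.0/16", "192.168.20.0/24"],
}


def parse_cidr(text: str) -> Network:
    """Parse one Remote Subnets entry written in CIDR notation.

    strict=False accepts an entry with host bits set (e.g. 172.16.5.0/16)
    and normalises it to the network address; malformed entries raise
    ValueError with the offending text included.
    """
    try:
        return ipaddress.ip_network(text.strip(), strict=False)
    except ValueError as exc:
        raise ValueError(f"bad CIDR entry {text!r}: {exc}") from exc


def local_subnet(ip: str, mask: str) -> Network:
    """Return the network an interface with this IP and dotted mask sits on."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def check_worksheet(ws: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the worksheet is consistent."""
    problems: List[str] = []
    bridge_net = local_subnet(ws["bridge_ip"], ws["bridge_mask"])
    aux_net = local_subnet(ws["aux_ip"], ws["aux_mask"])
    aux_ip = ipaddress.ip_address(ws["aux_ip"])
    gateway = ipaddress.ip_address(ws["default_gateway"])

    # The WAN-side default gateway has to be reachable on the bridge subnet.
    if gateway not in bridge_net:
        problems.append(f"default gateway {gateway} is outside bridge subnet {bridge_net}")

    # The Management/Auxiliary port must not share a subnet with the bridge.
    if aux_net.overlaps(bridge_net):
        problems.append(f"AUX subnet {aux_net} overlaps bridge subnet {bridge_net}")

    for entry in ws["remote_subnets"]:
        try:
            remote = parse_cidr(entry)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        # Remote Subnets are, by definition, outside the local bridge subnet.
        if remote.overlaps(bridge_net):
            problems.append(f"remote subnet {remote} overlaps bridge subnet {bridge_net}")
        # The AUX address may not be found under the Remote Subnets listings.
        if aux_ip in remote:
            problems.append(f"AUX address {aux_ip} lies inside remote subnet {remote}")
    return problems


if __name__ == "__main__":
    for line in check_worksheet(SAMPLE_WORKSHEET) or ["worksheet is consistent"]:
        print(line)
```

Run it against your own worksheet values before typing them into the Setup Wizard or the Text Menu; any line it prints is a setting the wizard or the device will reject or that will leave the AUX port unreachable.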

Text Menu Interface


Network Composer's Text Menu allows installers, system administrators, and other trained technical personnel to access the device via a text interface, similar to a Command Line Interface (CLI). While some of the basic features and options available within Network Composer's web interface are also available here, most advanced technical options are only available through the GUI menus. The one exception is IP Traffic Monitor (Option 2: Utilities, Option 3: IP Traffic Monitor), which is discussed under Chapter 6: Administrating Network Composer, section Diagnostic Tools tab. Below are the supported options for accessing Network Composer's Text Menu:

Secure Shell (SSH)
HyperTerminal (via serial connection)

The default login for all these menus is the following:
Default User Name: menu (all lowercase)
Default Password: cymphonix (all lowercase)

Secure Shell Access

Secure Shell (SSH) access allows administrators to access Network Composer's Text Menu through a secure connection. SSH applications such as PuTTY (a freeware application available from the installation CD) make it easy to use this secure method of accessing systems remotely.

1. Download PuTTY.exe from the CD.
2. Double-click the program.
3. Enter the IP address of Network Composer.
4. Leave all other settings at their defaults.
5. Click the Open button.

Figure 2.4 PuTTY Configuration

6. Log in with the default credentials.
7. Type 1 to access the Configure IP addresses submenu.

Figure 2.5 Text Menu Interface

8. Enter the information collected in the IP Settings table under Gathering Initial Information.

Serial Access

The following section lists steps on how to connect to Network Composer's Text Menu using HyperTerminal. Although other terminal emulators can work with Network Composer's serial connection, the steps listed below are for a workstation/laptop with Windows XP and HyperTerminal. Ensure that you have a null modem cable (included with the shipping materials) connected to a communication port of your local workstation/laptop and to Network Composer's serial port (38.4 8N1).

Set up a connection using HyperTerminal (Start -> All Programs -> Accessories -> Communications -> HyperTerminal):

1. In the New Connection Description dialog, enter a name for the connection in the Name field and select an icon if you want.
2. Click the OK button.
3. In the Connect To dialog, select the COM port for the connection.
4. Click the OK button.
5. In the COM Port Properties window, select the following settings:
   Bits per second: 38,400
   Data bits: 8
   Parity: None
   Stop bits: 1
   Flow control: None
6. Click the OK button.
7. When the main HyperTerminal screen appears, press the Enter key to confirm a connection.
8. Log in with the default credentials:
   a. Default User Name: menu (all lowercase)
   b. Default Password: cymphonix (all lowercase)
9. Type 1 to access the Configure IP addresses submenu.
10. Type the information collected in the IP Settings table under Gathering Initial Information.

Once Network Composer has been configured using an alternative method described above, you can perform the steps listed under Cutting-Over in this chapter.



We strongly recommend that you change the default password for the menu account to limit access to the Text Menu. Select Option 3: Change Menu Password under the main menu to make this change.

Proxy Mode
For full functionality of Network Composer, the recommended placement of the device is inline with traffic. However, if you do not want to place the device inline with network traffic, or if you have users on the WAN side of Network Composer that you want to filter, you can configure Network Composer as a web proxy. A web proxy is normally a server that carries out web requests for users. Typically, web traffic is routed to the server, which requests the web sites for the intended users. Network Composer does likewise with a configuration called Proxy Mode. This configuration does not require Network Composer to be inline with network traffic.

To use Network Composer as a proxy, the device must have a network connection to the users and the Internet via the WAN or LAN port (only one has to be active). With this connection, you can then use either the Setup Wizard or an alternative method to assign the device the required IP settings. Afterwards, you must alter the connection settings of the users' web browsers to use the IP address of Network Composer as a proxy and port 8888 for browsing. (Port 8888 is the assigned port utilized by Network Composer's filtering engine.) If Network Composer has a private IP address and you want external users to use Network Composer as a proxy, you may need to create a Network Address Translation (NAT) rule for Network Composer.

Below are the steps on how to alter the LAN connections using IE 7 and Firefox 2. You can also alter LAN connections via Group Policy Objects (GPOs), VPN connections, or other network devices; however, these steps are not covered in the User Guide and will need to be researched independently.

Internet Explorer (IE) 7
1. Open the IE 7 web browser.
2. Click Tools -> Internet Options.
3. Click the Connections tab.
4. Click the LAN Settings button.
5. Under the Proxy Server section, select the checkbox for Use a proxy server for your LAN.
6. In the Address field, enter Network Composer's IP address.
7. In the Port field, enter the number 8888.
8. Click OK until the settings are applied.

Firefox 2
1. Open the Firefox 2 web browser.
2. Click Tools -> Options.
3. Click the Advanced menu.


4. Select the Network tab.
5. Under the Connection section, click the Settings button.
6. Select the radio button next to Manual proxy connection.
7. Enter the IP address of Network Composer in the HTTP Proxy field.
8. Enter the number 8888 in the Port field.
9. You may also select the checkbox Use this proxy server for all protocols if you like.
10. Click OK until the settings are applied.

Once users' web browsers have been configured to use Network Composer as a proxy, you will then need to configure Network Composer to accept web requests. This setting is found under Admin -> Configuration -> Advanced Setup. Select the check box next to Allow HTTP Connections on port 8888. Don't forget to apply the changes.

Network Composer will then begin to create profiles for users as they send web requests to Network Composer. You can confirm this under Manage -> Directory Users & Nodes -> Network Nodes. If you have enabled Directory settings, Network Composer will also create Directory Profiles (Manage -> Directory Users & Nodes -> Directory Users). You can then create groups based on the profiles for content filtering and reporting. Please see Chapter 5: Managing Network Composer for steps on how to create groups.

Please note that Proxy Mode does not offer all of the functions over network traffic normally associated with the default inline mode, in particular bandwidth control and full reporting. Because network traffic is not physically passing through Network Composer's bridge interface, the device can no longer confirm which applications are passing, nor control bandwidth. In addition, you cannot use all of the Advanced Filtering options and HTTPS/SSL Filtering settings to ensure content filtering. With Proxy Mode you will only be able to filter web content and report on web sites visited. As such, you will not be able to apply all Shaping Rules, nor will there be data posted under the Applications reports (Report -> Applications) or Users reports (Report -> Users). There will, however, be data under Internet Usage and Threats.

Below is a table of all supported reports and menus in Proxy Mode (Report and Manage tabs). If a specific feature is not listed in this table, then it is not supported in Proxy Mode.

Proxy Mode Support

Report tab:
Threats: Spyware Overview, Spyware Infected Users, Spyware Threat Names, Virus Overview, Virus Infected Users, Virus Threat Names
Internet Usage: Web Hits Overview, Web Bandwidth Overview, Web Hits by Network Node, Web Bandwidth by Network Node, Web Time Online
System Reports: Active Users, CPU Utilization, IP Connections, Latency, Packets per Second, RAM Usage
Dashboard: Real Time URL Monitor

Manage tab:
Policies & Rules: Groups; Time of Day Rules; Internet Usage Rules (TFRS (HTTP Traffic Only): Deny Access, No Filters, Web Filter Only, Web Logging, SSL Block, and SSL Filter; Content Filtering, Advanced Filtering, HTTPS/SSL Filtering (SSL Certificate Based Content Filtering), Web Authentication); Shaping Rules (Web Content Policy Manager)
Directory Users & Nodes: Directory Users, Directory Agent, Network Nodes
Broadcast Manager
Applications: Traffic Flow Rule Sets (HTTP Traffic Only): Deny Access, No Filters, Web Filter Only, Web Logging, SSL Block, and SSL Filter

One final note: you can configure Network Composer inline with traffic and also use the device as a proxy, for a combination of functionality. For example, you can install Network Composer inline with network traffic for internal users, and then alter the web browser settings of VPN or external users to use Network Composer as a proxy. This way, you gain full functionality for internal users and web filtering functionality for external users.

Configuring Port Settings


Network Composer's bridge ports (WAN and LAN) are set by default to auto-negotiate both speed and duplex settings. This means that Network Composer will negotiate with the devices that are plugged into these ports to determine their speed and duplex mode. Normally auto-negotiation will allow Network Composer to operate at 100 Mbps or above and Full-Duplex. However, you should confirm that Network Composer is operating at 100 Mbps or above, Full-Duplex, and is not generating any interface errors. You can do this under Admin -> Diagnostic Tools -> Ethernet Status. Review both the WAN Port and LAN Port tabs to confirm that Network Composer is operating at the correct speed and duplex. Also verify that no errors are listed under the Errors field.

If the auto-negotiated settings list a speed under 100 Mbps or a duplex mode that is not Full, or if the ports are generating errors, you may need to hard set these settings on the interfaces. You can do this under Admin -> Configuration -> Ethernet Settings. Hard setting the Ethernet settings can cause network interruptions. Only perform these next steps when network traffic can be momentarily interrupted. Select the speed and duplex settings you would like to hard set for the desired port(s) and press the Apply button. In addition, you may need to hard set the interface settings on the devices connected to Network Composer. This will allow Fail to Wire and No Failover to work correctly. The next section will explain these options.

Configuring Cabling
In addition to confirming the speed and duplex settings, you should also confirm the cables connected to Network Composer. Typically, layer 3 devices connected to Network Composer require a cross-over cable, while layer 2 devices connected to Network Composer require straight-through cables. In a standard installation, Network Composer's WAN port will connect to the firewall via a cross-over cable, while Network Composer's LAN port will connect to the core network switch via a straight-through cable. However, if you are installing Network Composer between a firewall and the core network router, you may need cross-over cables for each port. Also, if the devices connecting to Network Composer offer Medium Dependent Interface Crossover (MDIX), which compensates for swapped transmit and receive signals, you may be able to use straight-through cables for each port. In any case, you will want to confirm the cabling for proper negotiation for Fail to Wire or No Failover. You can confirm negotiation by reviewing the section Ethernet Status. If, after hard setting the ports, Network Composer is still generating errors, you may need to change the cabling. After confirming negotiation, you should confirm Fail to Wire or No Failover by following the steps listed in the next section.

Testing Fail to Wire or No Failover


Network Composer offers two options for network connectivity in case of a device failure or power loss: Fail to Wire and No Failover. Unless specified before purchase, the model of Network Composer you receive will be designed for Fail to Wire. Fail to Wire allows network traffic to pass in case Network Composer fails or is powered down, while No Failover stops all network traffic in the event of failure or power loss. Your preference must be specified before purchasing the device, as the implementation is done in hardware. After confirming your preference and the installation of Network Composer, you should perform some tests to confirm the functionality. Only perform this test when network traffic can be momentarily interrupted and you are physically next to Network Composer.

Fail to Wire
Fail to Wire allows network traffic to pass in case of failure by closing a circuit between the WAN and LAN ports. However, for this to work properly, the devices connected to Network Composer must be able to negotiate correctly.

1. Power off Network Composer under Admin -> Utilities -> System Resets -> Hardware Shutdown. Do not power down Network Composer by pulling the power cord or pressing the power button on the front bezel. These procedures should only be used when there is no other alternative for powering down the device.
2. Depending upon the devices that are connected to Network Composer, the duplex settings, and the cabling, it may take up to 5 minutes for Fail to Wire to complete. As such, please wait up to 5 minutes after powering down Network Composer completely before performing the next step.
3. Confirm that the firewall/WAN router and the core network switch are still communicating by checking the interface LEDs. Confirm that all network options are available, i.e., browse the Web, log into a remote site, etc. If the test is not successful, check the compatibility of the port speed/duplex and cabling used on Network Composer and the other devices.
4. Power on Network Composer using the power button on the front bezel.
5. After waiting 5 minutes for the device to power up, log into Network Composer and verify that the unit is functional.

Bypass Mode
Besides powering down Network Composer, there are other scenarios that can cause Network Composer to fail, i.e., running the device outside its specifications, hardware failure, etc. Once a failure is detected, Network Composer will initiate the supported Bypass Mode (Fail to Wire or No Failover). This is indicated by the LEDs on all ports, which will blink and scroll in unison. If this happens, please contact your Authorized Cymphonix Reseller and/or Cymphonix Technical Support. Diagnosing and troubleshooting the problem may require that you physically remove Network Composer from the network.

No Failover
No Failover works by simply grounding the circuit between the WAN and LAN ports of Network Composer. As such, when a failure is detected, no traffic will be passed from the LAN port to the WAN port, thereby denying Internet access.

1. Power off Network Composer under Admin -> Utilities -> System Resets -> Hardware Shutdown. Do not power down Network Composer by pulling the power cord or pressing the power button on the front bezel. These procedures should only be used when there is no other alternative for powering down the device.
2. Depending upon the devices that are connected to Network Composer, the duplex settings, and the cabling, it may take up to 5 minutes for No Failover to complete. As such, please wait up to 5 minutes after powering down Network Composer completely before performing the next step.
3. Confirm that the firewall/WAN router and the core network switch are not communicating by checking the interface lights. Confirm that all network options are unavailable, i.e., attempt to browse the Web, log into a remote site, etc. If the test is not successful, check the compatibility of the port speed/duplex and cabling used on Network Composer and the other devices.
4. Power on Network Composer using the power button on the front bezel.
5. After waiting 5 minutes for the device to power up, log into Network Composer and verify that the unit is functional.

As with Fail to Wire, there are other scenarios that can cause Network Composer to fail besides powering down the device. If Network Composer is entering No Failover unintentionally, please contact your Authorized Cymphonix Reseller and/or Cymphonix Technical Support for diagnosis and troubleshooting. Now that you have confirmed Fail to Wire or No Failover, let's discuss how to navigate through Network Composer's GUI.



Chapter 3: Navigating Network Composer


This section contains guides and tips on how best to navigate through Network Composer's Graphical User Interface (GUI). The chapter is divided into three sections:

General Navigation
Tasks Pane
Help Pane

To access Network Composer, open Microsoft's Internet Explorer (IE) 6 or higher and enter the IP address assigned to Network Composer in the address bar (Network Composer only supports IE 6 and above). You should receive the login menu.

General Navigation
Once you log in to Network Composer, you will be presented with the Home Page. The Home Page provides a snapshot of system health, filtering effectiveness, current firmware versions, subscription settings, as well as links to guide the administration of your system. Network Composer's navigation is divided into three tabs: Report, Manage, and Admin. Each tab presents you with different functions for Network Composer. When you click on one of the tabs, the expanded menus for that tab will appear. You can then select a submenu under the corresponding tab for more options, which will appear as expandable selections. In general, the Report tab will be used for generating reports and viewing network traffic. The Manage tab will be used to create groups, content filtering rules, and shaping rules. The Admin tab is used for basic and advanced configuration of the device, as well as troubleshooting and disaster recovery.


You can navigate back between tabs and reports by using the back arrow button located next to the Admin tab. Do not use the back arrow button available in your web browser, as this will take you back to Network Composer's login page. You can have multiple tabs open for ease of use by right-clicking a selection and choosing Open in new tab. Each tab color will correspond to the main menu tab color.

Figure 3.1 Network Composer Navigation Tabs

For large reports, group membership, or application menus, Network Composer has a pagination menu that can be used to navigate to specific pages or towards the end or beginning of a series. The open box in the pagination menu allows you to view a certain page after entering the page number and clicking the Go button (the available pages are listed above the open box). You can also navigate to the next (Next) or previous (Prev) page by clicking the single arrow, or to the very end or beginning of the series by clicking the double arrows. Where available, the pagination menu will post towards the bottom of the report, membership box, or application menu.

Figure 3.2 Network Composer Pagination Arrows

Finally, depending upon which tasks are being performed, you may receive a communication error from Network Composer. This is usually a result of services being restarted. If you are presented with the dialog box below, select the OK button, wait 30 seconds, and attempt to access a menu. If the problem persists, you may need to log in to Network Composer again.

Figure 3.3 Communication Error Dialog Box

Now that you have become familiar with general navigation, let's explain the Tasks Pane, Help Pane, and the different navigation options available.



Tasks Pane
The Tasks Pane is located in the upper-right corner of any of Network Composer's screens. The Tasks Pane lists actions or options that can be selected for the active page. Because of this, the contents displayed in the Tasks Pane will change depending on the screen currently displayed. The Tasks Pane is a great help that will post commonly accessible actions. For example, if you select a report, the Tasks Pane will list options on how to present the report, i.e., Email, Print, Export, etc. These actions are available by clicking on the icons located in the Tasks Pane. Below are listed all options presented in the Tasks Pane with the corresponding action. Please review Chapter 4: Generating Reports for more information on some of the options.

Actions
- Directory User Dashboard: Displays the Directory User Overview
- Directory User Detail: Displays the Directory User Detail for the selected Directory User profiles
- Network Node Overview: Displays the Network Node Overview report
- Network Node Detail: Displays all details for the selected Network Node
- Re-scan Port: Re-scans profiles under Network Node Manager (Manage -> Directory Users & Nodes -> Network Nodes). Use this action when a device needs to be re-scanned due to configuration changes, i.e., new NetBIOS name, new IP address, etc.
- Re-scan Directory User Name: Re-scans profiles under Directory Users (Manage -> Directory Users & Nodes -> Directory Users). Use this action when Directory Users need to be re-scanned due to configuration changes, i.e., new domain, new groups, changed name, etc.
- Download Certificate: Download the SSL Certificate

Correlate by
- Category: Correlate the report by Web categories visited
- Directory User: Correlate the report by Directory User profiles
- File Type: Correlate the report by File Types downloaded
- Group: Correlate the report by Group profiles
- Host: Correlate the report by Web sites (hosts) visited
- MIME Type: Correlate the report by MIME Types downloaded
- Network Node: Correlate the report by Network Node profiles
- None: No correlation
- Service: Correlate IM reports by IM Client service

Export
- Email: Send the report in an email
- Excel Document: Export the report or policies in Comma Separated Value (CSV) format
- Print: Print the report or policies currently displayed on screen
- XML Document: Export the report or policies as an Extensible Markup Language (XML) document

Getting Started
- Getting Started Videos: Watch tutorial videos on the corresponding topic

Related Dashboards
- Directory User Dashboard: Display all traffic reported for the selected Directory User
- Group Dashboard: Display all traffic reported for the selected group
- Network Nodes Dashboard: Display all traffic reported for the selected Network Node

Related Tasks
- View Bandwidth Report: View the amount of bandwidth consumed for the selected Web category, Web site, or profile
- View Hits Report: View the number of URL hits for the selected Web category, Web site, or profile

System Information
System Information will post the current system time. If your device does not post the correct time, you may need to adjust the Time Zone settings or the Network Time Protocol (NTP) server. Please review the sections Setup and Advanced Setup in Chapter 6: Administrating Network Composer.

Help Pane
The Help Pane lists topics from the User Guide that are related to the page currently displayed. For example, if you select the Application Overview report, the Help Pane will list Related Topics for the Application Overview. You can then select the link, which will display the first page within the User Guide dealing with the Application Overview. You must have Adobe Reader installed to use the Help Pane.

The Help Pane also posts information regarding the Product Enhancement Program. The Product Enhancement Program allows Cymphonix to upload a small file containing anonymous configuration and system usage details as part of the scheduled update routine. This file will not contain personally identifiable information, will not be used for direct marketing, and will not impact system performance. The product details collected as part of the Product Enhancement Program may change from time to time as new features and capabilities are added to or changed in the product, but they will never include personally identifiable information. You can stop participating at any time by clearing the checkbox located under the Product Enhancement Program.

One last item under the Help Pane is the Cymphonix Network Composer Privacy Policy. The privacy policy covers how Cymphonix will handle personal information collected and received with Network Composer. For full details, you can select the link for Cymphonix Network Composer Privacy Policy under the Help Pane.

Lastly, the Tasks Pane and Help Pane are collapsible by selecting the collapse icon located to the right of the Tasks Pane.



Chapter 4: Generating Reports


The Report tab will present information concerning network traffic, web sites visited, and system health. This chapter is divided into each report available and also general reporting rules that will apply to each different report.

- Home Page
- General Reporting Options
- Users Tab
- Applications Tab
- Threats Tab
- Internet Usage Tab
- System Reports
- Dashboards Tab

Home Page
The first page presented under the Report tab is the Home Page. The Home Page is divided into 5 sections: Message Center, System Notifications, Getting Started, Hardware Settings, and System. The top display will be the Message Center.

The Message Center


The Message Center posts messages about firmware and software releases. The Message Center will also post important suggestions, such as changing default passwords, and company communications. These messages are posted by date and can be read by selecting the individual messages. Afterwards, you may delete the messages by either selecting the trash icon next to the message or by clicking the Delete button inside the message.

System Notifications
System Notifications will post messages from Network Composer. These messages are intended to alert the administrator of Network Composer of critical configuration or incompatibility issues that may impede proper Network Composer functionality. Messages such as incorrect installation, exceeded license count, or network scenarios such as asymmetrical routing that require advanced configuration will be posted here. These messages will be posted in their entirety on the System Notifications area. You may delete the messages by selecting the trash icon next to the message; however, the message may return if the problem is not resolved.

Getting Started
The Getting Started area provides you with access to tutorial videos that give you a hands-on demonstration of some of the main components of Network Composer. Select the appropriate link to view a tutorial that will walk you through the selected topic. The videos cover topics such as Group Management, Time-of-Day Rules, and Policy Management.

Hardware Settings
The Hardware Settings area provides you with a summary of your Network Composer's hardware settings, i.e., Model, Serial number, and Device ID. This area also posts the device's Licensed Nodes, Software Version, Last Known Updates, System Time, and expiration date of Annual Software Maintenance (ASM). ASM is used for support on your device and provides Network Composer with continued updates on firmware, spyware, anti-virus, and content filtering. ASM also grants you access to Cymphonix Technical Support if needed. If your ASM is not current, Network Composer will not be able to update firmware, software, content filtering, spyware or anti-virus, nor will Cymphonix Technical Support be available. To renew your ASM please contact your Authorized Cymphonix Reseller or Cymphonix Sales at (801) 938-1500 option 1.

System
The System area provides you with a summary of Network Composer monitoring statistics and system information such as blocked spyware, blocked viruses, blocked web requests, and average CPU load. Totals for each parameter are displayed for the last 24 hours.

General Reporting Options


There are several options available that are universal under the Report Tab. These options are Selected Date, Search, Correlated by, Result Type, Group, Network Node, Directory User, and Encryption Type. These options allow you to customize reports on any device, user, or application.



Figure 4.1 Reporting Options

For example, click on the Application Overview report (Report -> Applications -> Application Overview). This will post the top applications passing traffic through the network within the last 24 hours. However, if you would like to search for traffic from a specific device within the last 30 days, you may adjust the Selected Date and search for the device under Network Node. The report will then change to display the last 30 days for the specific device. These same options can be used for a wide variety of reports. Below are listed all available reporting adjustments. You may also click on the different settings contained within the specific reports for a list of available options.

Selected Date
Selected Date allows you to adjust the time frame for the generated report. The options available are Last Hour, Last 24 Hours, Last 7 Days, Last Week, Last 30 Days, Last Month, Last Year, and Custom. If you select Custom, you will be presented with a calendar that will allow you to adjust the time and days accordingly.

Search
This field will allow you to search for different sections in reports, i.e., specific web sites, categories, applications, etc. Enter in the search criteria and click the Search button (or press the Enter key) for results.

Correlated by
This field allows you to link traffic reports to the most bandwidth consuming users (Group, Directory User, and Network Nodes) for specific applications. You can also use the field to link Internet Usage reports by the most browsed web Categories, Hosts, File types, and MIME Types.

Result Type
This field is available under Web Content reporting. This option allows you to customize web reports based on the four general areas of web sites: No Filter (All web sites requested), Allowed (web sites that have been accessed), Blocked (web sites that have been blocked), and Bypassed (web sites that were bypassed using the Bypass Password).

Group
This field will allow you to search for specific Groups. Clicking this field will populate the Select Filter Group box. Search the Available Groups list for the desired Group profile, select the profile and click the Add button. Then click the OK button to run the report.



Network Node
This field will allow you to search for specific Network Nodes (devices on the network). Clicking this field will populate the Select Filter Network Node box. Search the Available Network Node list for the desired Network Node Profile, select the profile and click the Add button. Then click the OK button to run the report.

Directory User
This field will allow you to search for specific Directory Users. Clicking this field will populate the Select Filter Directory box. Search the Available Directory Users list for the desired profile, select the profile and click the Add button. Then click the OK button to run the report.

Encryption Type
This field is available under Web Content reporting. This option allows you to customize web reports to display all web requests (No Filter), typical web requests that use Hypertext Transfer Protocol (HTTP) (No Encryption), or web requests that use Secure Hypertext Transfer Protocol (HTTPS) over Secure Socket Layer (SSL). Chapter 8: Implementing HTTPS/SSL Filtering with Network Composer discusses this topic in more detail.

Application Set
This field is available under Application Overview and some detail reports. This option will allow you to filter reports by Application Sets. For more information on Application Sets please see the section Applications Tab in this chapter.

Right-Click Options
Right-click options allow you to customize reports using specific time, users, or devices. For example, to view specific applications under Application Set reports you can use right-click options to post the report. Go to Report -> Application -> Application Set Overview. This report will display all application sets passing through the network within the last 24 hours. Select an application set, and right-click on the title. You will be presented with several options that will allow you to correlate the report. Select Correlate by Application to view the exact applications within the Application set.

Figure 4.2 Right-click Options

Selecting this option will post the specific applications being used under the application set. Using right-click options will allow you to quickly access different correlations under all reports. If you are not sure how to retrieve detailed information within a specific report, right-clicking will present you with the most common options for the report. Other right-click options available are correlations by Groups, Network Node, Directory User, etc.



Drop-Down Arrows
Another option that allows you to customize reports is the Drop-Down Arrows. Any of the reports available can be collapsed by using the Up arrow icon on the right side of the corresponding menu bar. You can also expand an area in the Report tab using the Down arrow icon.

Bar-Pie Graph Drop-Down


Some reports allow you to choose the graph types of either Bar Graphs or Pie Graphs. Where this is available, you will be presented with a Drop-Down Box located in the Graph title that will make available a bar graph or pie graph for the report.

Figure 4.3 Bar-Pie Graph Drop-Down

Snapshot-Real Time Drop-Down


The Snapshot-Real Time Drop-Down Menu allows you to view selected information historically or in real time. For example, if you are reviewing the report of Web Hits by Category (Report -> Internet Usage -> Allowed) the default settings will post the results by Snapshot within the last 24 hours (historically). If you select the option of Real Time, the report will change and display actual web hits as they pass through the device at the moment. This option is found under Internet Usage reports (Report -> Internet Usage) and is a great tool for troubleshooting and identifying problematic users or web sites as they occur.

Figure 4.4 Snapshot-Real Time Drop-Down

Real Time options also allow you to correlate reports by Network Node, Directory User, Groups, and other criteria. This is useful for confirming problems immediately and responding to them faster. For example, if a user is attempting to visit a prohibited site, you can verify the web sites he or she is visiting right now by correlating these reports by Network Node or Directory User.

Report Recommendations
Network Composer is capable of reporting on a tremendous amount of information. Active users, web sites visited, and general overviews of applications are examples of the most readily available reports. Please keep in mind that while Network Composer is recording information for reporting, the device is also filtering web traffic and shaping network applications. This requires that Network Composer share resources between the different operations being performed. Because of this, priority is given to filtering and shaping so that reporting does not consume resources that may impact network performance.

Network Composer has a default timeout limit of five minutes for reports to complete. This is done to ensure reporting will not consume resources needed for other operations. If a report cannot complete within the five minutes, you will receive a timeout message. If you receive a timeout message, you may alter the time limit under the Advanced Setup menu (Admin -> Configuration -> Advanced Setup -> Database Timeout). You can allocate up to 15 minutes for reports to complete. Don't forget to Apply the changes. This will allow the database to dedicate more time to completing the report and posting the results. Nonetheless, detailed reports that span large amounts of time and cover multiple users or applications may be better executed during non-peak traffic times, allowing more resources for Network Composer to complete the report without running the risk of affecting network traffic or filtering and shaping rules.

In addition to running detailed reports during non-peak traffic times, you can also use Summary Tables to expedite reporting results. Summary Tables allow Network Composer to summarize or condense large web reports, allowing for a faster response time with Internet Usage reports. This utility will index web reports and correlations for all reports once the option is selected. Summary Tables also decrease dependency on shared resources. To enable Summary Tables, go to Admin -> Configuration -> Advanced Setup and select the checkbox next to Enable Summary Tables. This will begin indexing web requests to allow for faster Internet Usage reporting. Please note that the Enable Summary Tables option will only begin summarizing from that point forward. If you would like to summarize data gathered before enabling Summary Tables, you will need to run the Conversion Utility. The Conversion Utility will take previous data that has not been summarized and create a summary table for that information. There are three options for converting previous data:
- Web Request Summary Table will summarize all Web request data.
- Level 1 Summary Table will summarize the first correlation for those reports, i.e., the first correlation by Category, Host, File Type, MIME Type, Group, Directory User, and Network Node.
- Level 2 Summary Table will summarize the second correlation for those reports, i.e., the second correlation by Category, Host, File Type, MIME Type, Group, Directory User, and Network Node.

The Conversion Utility is located under Admin -> Configuration -> Advanced Setup -> Run Conversion Utility Now. Once selected, you will be presented with the three different levels of conversion: Web Request Summary Table, Level 1 Summary Table, and Level 2 Summary Table. You can then select the Start Conversion Now button next to each level to activate the conversion. The Conversion Utility places additional load on Network Composer and may consume a large amount of processing resources. Because of this, we strongly recommend that you run the Conversion Utility during non-peak hours to avoid unnecessary interruptions in network traffic. Also note that you can only run one conversion at a time, and they must be done in order.

This concludes the section on general reporting options. In the next sections we will discuss the different reports for application and web traffic.
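As an added illustration (not code from this guide or from Cymphonix), the Python model below applies the General Reporting Options described above as filters over a few constructed web-request records, then builds the three summary levels the Conversion Utility produces (Web Request, Level 1 and Level 2) and the Web Time Online estimate. The record fields, the sample data and the 30-second per-hit value are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class WebRequest:
    # Field names are assumptions; the appliance's real log schema is not documented here.
    ts: datetime
    node: str        # Network Node (device)
    user: str        # Directory User
    group: str       # Group
    host: str        # Web site (host) requested
    category: str    # Web category
    file_type: str
    mime_type: str
    result: str      # Result Type: "Allowed", "Blocked" or "Bypassed"
    https: bool      # Encryption Type: True for HTTPS/SSL requests
    down: int        # bytes downloaded
    up: int          # bytes uploaded

# Constructed sample records standing in for the appliance's web request log.
T0 = datetime(2008, 6, 1, 12, 0, 0)
SAMPLE = [
    WebRequest(T0, "pc-01", "alice", "Sales", "www.example.com", "Business",
               "html", "text/html", "Allowed", False, 12000, 800),
    WebRequest(T0 + timedelta(minutes=5), "pc-01", "alice", "Sales", "news.example.org",
               "News", "html", "text/html", "Allowed", False, 30000, 900),
    WebRequest(T0 + timedelta(minutes=9), "pc-02", "bob", "Engineering", "games.example.net",
               "Games", "swf", "application/x-shockwave-flash", "Blocked", False, 0, 400),
    WebRequest(T0 + timedelta(minutes=15), "pc-02", "bob", "Engineering", "games.example.net",
               "Games", "swf", "application/x-shockwave-flash", "Bypassed", False, 250000, 1200),
    WebRequest(T0 + timedelta(hours=2), "pc-03", "carol", "Sales", "mail.example.com",
               "Webmail", "html", "text/html", "Allowed", True, 45000, 20000),
    WebRequest(T0 + timedelta(hours=30), "pc-03", "carol", "Sales", "www.example.com",
               "Business", "pdf", "application/pdf", "Allowed", True, 800000, 1000),
]

def filter_requests(records, *, since=None, until=None, result_type="No Filter",
                    encryption="No Filter", group=None, node=None, user=None, search=None):
    """Apply the General Reporting Options (Selected Date, Result Type, Encryption Type
    ["No Filter", "No Encryption" or "HTTPS"], Group, Network Node, Directory User, Search)."""
    def keep(r):
        return ((since is None or r.ts >= since)
                and (until is None or r.ts <= until)
                and (result_type == "No Filter" or r.result == result_type)
                and (encryption == "No Filter" or r.https == (encryption == "HTTPS"))
                and (group is None or r.group == group)
                and (node is None or r.node == node)
                and (user is None or r.user == user)
                and (search is None or search.lower() in f"{r.host} {r.category}".lower()))
    return [r for r in records if keep(r)]

def last_24_hours(records, now):
    """Selected Date = Last 24 Hours, relative to the supplied clock."""
    return filter_requests(records, since=now - timedelta(hours=24), until=now)

def web_request_summary(records):
    """Web Request Summary Table: hits, bytes and share of all hits per Result Type."""
    total = len(records)
    summary = {}
    for result in ("Allowed", "Blocked", "Bypassed"):
        rows = [r for r in records if r.result == result]
        summary[result] = {
            "hits": len(rows),
            "bytes": sum(r.down + r.up for r in rows),
            "pct": round(100.0 * len(rows) / total, 1) if total else 0.0,
        }
    return summary

def level1_summary(records, key):
    """Level 1 Summary Table: first correlation by one field ("category", "host",
    "file_type", "mime_type", "group", "user" or "node"), largest byte count first."""
    hits, nbytes = Counter(), Counter()
    for r in records:
        k = getattr(r, key)
        hits[k] += 1
        nbytes[k] += r.down + r.up
    order = sorted(hits, key=lambda k: (-nbytes[k], k))
    return {k: {"hits": hits[k], "bytes": nbytes[k]} for k in order}

def level2_summary(records, key1, key2):
    """Level 2 Summary Table: second correlation nested under the first (e.g. Category, then Host)."""
    buckets = defaultdict(list)
    for r in records:
        buckets[getattr(r, key1)].append(r)
    return {k: level1_summary(rows, key2) for k, rows in buckets.items()}

def web_time_online(records, seconds_per_hit):
    """Web Time Online estimate: hits per Directory User multiplied by the per-hit
    value configured under Misc. Settings (the caller supplies that value)."""
    hits = Counter(r.user for r in records)
    return {u: hits[u] * seconds_per_hit for u in sorted(hits)}

if __name__ == "__main__":
    recent = last_24_hours(SAMPLE, now=T0 + timedelta(hours=3))   # drops the 30-hour-old record
    print(web_request_summary(recent))
    print(level2_summary(recent, "category", "host"))
    print(web_time_online(recent, 30))   # 30 s per hit is an assumed Misc. Settings value
```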



Users tab
The Users tab gives you an overview of the Internet traffic generated on your network by users. This report will display the top 25 users, devices, or groups on your network within the last 24 hours. However, both the time frame and the sorting features are customizable. This report will display total network traffic as well as total download and upload for the corresponding criteria. The reports available are Directory User Overview, Group Overview, and Network Node Overview. Also available under this report are the Directory User Detail, Group Detail, and Network Node Detail reports. These reports are often referred to as Dashboard reports.

Dashboard Reports
Dashboard Reports are detailed reports about individual users, devices, or groups. They present all information available about the selected device, user, or group. For example, go to Report -> Users -> Network Node Overview. Under the Network Node Details legend, select any profile and click on the name. This will populate the Network Node Detail report for that particular device. Dashboard Reports display all recorded information for the profile selected. The reports available are listed below:
- Total Traffic: the combined amount of upload and download traffic.
- Application Traffic: the amount of bandwidth consumed by all applications.
- Uncategorized Traffic: traffic that Network Composer does not recognize.
- Web Requests by Host: the host names of Web sites visited by the user, device, or group.
- Web Requests by Category: the categories of Web sites visited by the user, device, or group.
- Possibly Infected Spyware: Web sites visited or applications used by the user, device, or group that are possibly infected with spyware.
- Possibly Infected Virus: Web sites visited by the user, device, or group that are possibly infected with Web viruses.
- Open Ports: all ports active for the user, device, or group and their corresponding service.
- Network Node Information: this report will post the Operating System (OS) as well as the assigned group for the device.

If you need more detail on the individual reporting aspect, simply select the title of the report for a more comprehensive representation. To display dashboards for different users, devices, or groups, select the profile name located in the upper right-hand corner of the original dashboard.



Applications tab
The Applications tab displays the amount of bandwidth used by applications and application sets. These reports present total downloads and uploads by color and amount. When data is presented as a bar graph, the corresponding Network Node, Directory User, Group, or application will be posted next to a colored bar. When data is presented as a column graph, the most recent data is presented at the right end of the graph, with the green column representing download traffic and the blue column representing upload traffic.

Network Composer identifies traffic based on application signatures. Applications can then be grouped into application sets (signature sets) of programs that serve a comparable purpose. For example, the signature set Remote Desktop/Remote Control/X Traffic comprises the applications PC Anywhere, Citrix, GoToMyPC, Microsoft's Remote Desktop, and many more. For a complete list of application sets, please see Chapter 5: Managing Network Composer.

Also available in this tab are Custom Application Sets and Uncategorized Reports. Custom Application Sets report on traffic for which Network Composer administrators have defined a custom signature. Uncategorized Reports present specific statistics for applications for which Network Composer does not have an explicit signature. Although Network Composer may not have a signature for this traffic, the device will record the protocol used, the destination port, and the percentage of bandwidth used. These topics are covered in more detail in a tutorial document entitled How to Create a Custom Signature. This document can be found on the Cymphonix Knowledge Base (http://kb.cymphonix.com).

The application sets are listed below as bulleted items.
- Application Overview: a summary of bandwidth consumed by individual applications.
- Application Set Overview: a summary of bandwidth consumed by application sets.
- Total Traffic: the amount of total bandwidth consumed.
- Chat and IM: the amount of bandwidth consumed by Chat and IM applications.
- Databases: the amount of bandwidth consumed by Database applications.
- DNS/Naming/Locators: the amount of bandwidth consumed by DNS and other network naming applications.
- Email/Collaboration: the amount of bandwidth consumed by Email and services used to send email.
- FTP/File Transfer: the amount of bandwidth consumed by File Transfer Protocol applications.
- ICMP Traffic: the amount of bandwidth consumed by Internet Control Message Protocol applications.
- Games: the amount of bandwidth consumed by online gaming applications.
- HTTP: the amount of bandwidth consumed by Hypertext Transfer Protocol (Web) applications.
- NetBIOS/MS File Service: the amount of bandwidth consumed by Network Basic Input/Output System (NetBIOS) and other Microsoft File Service applications.
- Network Mgt/Monitoring: the amount of bandwidth consumed by network management applications (SNMP, NMS, etc.).
- Network Routing: the amount of bandwidth consumed by network routing applications (RIP, NCP, etc.).
- Network Utility: the amount of bandwidth consumed by network utility applications (DHCP, NSW, etc.).
- Peer 2 Peer: the amount of bandwidth consumed by Peer 2 Peer applications.
- Printing and Reporting: the amount of bandwidth consumed by printing and reporting applications.
- Proxy and Cache: the amount of bandwidth consumed by Proxy and cached applications.
- RPC/Remote Execution: the amount of bandwidth consumed by remote execution applications.
- Remote Desktop/Remote Control/X Traffic: the amount of bandwidth consumed by remote desktop and control applications.
- Security/Authentication: the amount of bandwidth consumed by security applications.
- Streaming Media: the amount of bandwidth consumed by streaming media (music and video) applications.
- Telnet/SSH: the amount of bandwidth consumed by Telnet and SSH applications.
- Uncategorized Traffic: the amount of bandwidth consumed by traffic that has no explicit signature set.
- VoIP and Voice Chat: the amount of bandwidth consumed by Voice over Internet Protocol (VoIP) and Voice Chat applications.
- VPN and Tunnel: the amount of bandwidth consumed by VPN and Tunneling applications.

Threats tab
The Threats tab will report and provide a detailed view of all activity in your network relating to Spyware and web viruses. These reports will present information on Spyware and Web viruses and possibly infected devices in your network. You can then use Network Composer to identify possible threats before they become problematic.
- Spyware Overview: a summary of spyware threats that have been blocked.
- Spyware Infected Users: devices that may be infected with spyware.
- Spyware Threat Names: the names of spyware threats present on the network.
- Virus Overview: a summary of web viruses that have been blocked.
- Virus Infected Users: devices that may be infected with web viruses.
- Virus Threat Names: the names of web virus threats present on the network.

Internet Usage tab


The Internet Usage tab reports on all web sites requested by users. This is a great report for a general indication of which web sites and categories users are visiting or attempting to visit. One of the reports, Web Time Online, is based on estimated values, generated by counting the number of hits per page and multiplying by the value entered in Miscellaneous Settings (Admin -> Configuration -> Misc. Settings). As with most online timers, there is no definite method for determining whether a user is actively surfing the Web or merely has a program in the background generating hits, i.e., a weather report, stock ticker, or Internet radio. As such, these are estimates and not exact values.
- Web Hits Overview: this report is presented in three categories: Allowed, Blocked, and Bypassed. Allowed refers to web hits on sites that users have been allowed to visit. Blocked refers to web hits on sites that users have not been allowed to visit. Bypassed refers to web hits that were originally blocked but were later allowed because users entered the Bypass Password (for more information on this setting see Chapter 5: Managing Network Composer). Clicking on each category will present all information pertinent to that category. For example, clicking on Allowed will show you all hits for Web categories that users were allowed to visit. This will also post the percentage in comparison to the total number of hits for the Allowed category. You can correlate this report by Host, File Type, MIME Type, Group, Directory User, and Network Node.
- Web Bandwidth Overview: this report displays how much bandwidth is being consumed by web requests. The report is presented in a format similar to the Web Hits Overview (Allowed, Blocked, and Bypassed), with a column graph showing the amount of bandwidth for Web requests. This report can be modified for specific dates, correlations, result types, and other features.
- Web Hits by Network Node: this report shows the top users of web traffic in terms of hits. The report displays a bar graph showing the top users, followed by a detail view of the corresponding profiles, number of hits, and percentage of each user's Web hits compared to total web hits.
- Web Bandwidth by Network Node: this report shows the top users of Web traffic in terms of bandwidth. It shows you the Hardware Profile (Network Node) and its corresponding download total, upload total, total bytes, and percentage of bandwidth consumed for web traffic.
- Web Time Online: this report displays the amount of time users have spent browsing the Internet. Please remember that this report is an estimate of time spent browsing the Internet and not an exact value.

System Reports tab


The System Reports tab reports on the actual system health of Network Composer. This report posts the CPU and RAM utilization of the device. The report will also post the active connections in the network as well as requests for Directory Users. Understanding this report will allow you to schedule maintenance, plan for upgrades, and prevent problems on the network or with Network Composer.
- Active Users: active devices present on the network.
- CPU Utilization: how much of the Central Processing Unit (CPU) Network Composer is utilizing.
- Directory Agent Requests: how many requests Network Composer has sent to the Directory Agent installed on your directory server. For this report to post information, Directory Users must be integrated with Network Composer. Please see Chapter 7: Integrating Directory Users with Network Composer for more information.
- IP Connections: live IP flows traversing Network Composer.
- Latency: the response time, in milliseconds, for PING requests sent from Network Composer to the network's default gateway.
- HTTP Connections: the number of connections per second to Web sites being filtered by Network Composer.
- HTTP Requests: the number of Web requests per second Network Composer has filtered.
- Packets per Second: the number of Internet packets per second passing through Network Composer.
- RAM Usage: the amount of Random Access Memory (RAM) Network Composer is using.
- SSL Connections: the number of HTTP Connections that have been established with SSL. For this report to function, Network Composer must be configured for HTTPS/SSL Filtering. For more information on this feature, please see Chapter 8: Implementing HTTPS/SSL Filtering with Network Composer.


Dashboards tab
The Dashboards tab presents two tools that show traffic and Web requests in real time: Real Time Monitor (RTM) and Real Time URL Monitor (RTUM). RTM displays traffic amounts as they happen, which can be helpful in troubleshooting network problems or resolving bandwidth issues in real time. RTM posts total application traffic, both upload and download, with a legend representing distinct applications. RTM parses traffic in three-second intervals and displays the amounts accordingly.

Figure 4.5 Real Time Monitor


Figure 4.6 Real Time Monitor Legend

Another capability of RTM is the ability to correlate traffic within the last hour to display the users consuming the most bandwidth. For example, in the above diagram RTM shows HTTP as the highest amount of traffic. If you right-click on this traffic, you will be presented with the options to correlate by Directory User, Group, or Network Node.

Figure 4.7 Real Time Monitor Right-Click Options

You can then select Correlate by Network Node to confirm which devices within the last hour have consumed the highest amount of HTTP traffic. RTM can be used to diagnose a problem as it happens, allowing you to resolve the issue as soon as possible. RTUM displays web requests as they pass through Network Composer. This tool, in addition to RTM, can be used to confirm instantaneously the web sites that are being accessed, blocked, or bypassed. You can also use the different options to display the web requests for a specific Network Node, Directory User, and Group, as well as the Date, Web category, and Encryption Type of the request.

Figure 4.8 Real Time URL Monitor

This concludes the chapter on generating reports. The next chapter will guide you on how to manage Network Composer in regards to creating groups, implementing policies, and managing devices and traffic.


Chapter 5: Managing Network Composer


Network Composer allows you to control and identify network traffic based on applications and users. It also allows you to separate problematic users or applications from general traffic based on different criteria, time of day, and priority. The device can block web sites or categories, protecting users and your network from improper content, and can be configured to identify proprietary traffic within your network, customizing the device to your specific needs. Most of these options are available under the Manage tab and are covered in this chapter:

- General Manage Options
- Policies & Rules tab
- Directory Users & Nodes
- System Access tab
- Application tab

General Manage Options


The Manage tab is where policies and organization of users are enforced. Under this tab, you will create groups, time of day rules, content filtering rules, and shaping rules. This tab also allows you to customize traffic identification and select which devices or users will or will not be monitored. The basic principles behind the Manage tab are Who, When, What, and How. Who defines which users are assigned to which groups. When defines what time during the day the rules take effect, i.e., all day, 9am to 5pm, etc. What defines the allowed content and applications, and How deals with correlating specific policies to the corresponding groups. Each menu under the Policies & Rules tab addresses one of these principles:

- Groups: who will be in the group?
- Time of Day Rules: when will the rules take effect?
- Internet Usage Rules: what web sites can group members visit?
- Shaping Rules: what applications can group members access?
- Policy Manager: how are rules correlated to groups?

As a general rule, these principles should be followed in this order. For example, once you create a group, you will then want to define a Time of Day Rule (TDR) and an Internet Usage Rule (IUR). After those steps, you will create a shaping rule and tie all pieces together with the Policy Manager. In addition to these steps, please note that the more information you have about network traffic, the better prepared you will be to implement policies. Because of this, it is highly recommended that you first install and run Network Composer in the network for at least 24 hours before implementing any policies. Afterwards, you can review the information collected and make a more precise decision on which web sites should be blocked, which applications should be shaped, and what threats are present on the network. The more information you have, the better equipped you'll be to decide on policies and control the network and its users.

Policies & Rules tab


You will want to become very familiar with the Policies & Rules tab. This tab is used for creating Groups, Time of Day Rules (TDRs), Internet Usage Rules (IURs), and Shaping Rules. It is the main management tab used for almost all user organization and policy implementation with Network Composer. First let's define Groups.

Groups
Network Composer ships with 8 default groups, called Network Composer Groups. All users and devices are placed in the Default Group until assigned to another group. You can assign users to Network Composer Groups based on several different identifiers. First let's discuss the default Network Composer Groups and their accompanying policies. Then we will discuss how to add members to Network Composer Groups and how to create new ones. Each group is assigned a default policy for Internet use. These policies are called Internet Usage Rules (IURs) and are covered in more detail under that section. None of the default Network Composer Groups has any shaping rules.

- Default Group: all users and devices are in this group by default. As such, you will not be able to add users or devices to this group, only remove them from it. This is done by creating new groups and adding users or devices to them, or by adding them to one of the other groups. The Default Group uses the Default Usage Rules.

- Deny Access Group: members of this group will not be able to access any Internet traffic. All web sites and application traffic will be denied for this group. Users in this group are assigned the Deny Access Usage Rules.
- Filter Bypass Group: members of this group will not be monitored or filtered by Network Composer. Only bandwidth and application reporting will be recorded for members of this group. This group uses the Filter Bypass Usage Rules.
- Moderate Group: members of this group will have their web pages monitored and filtered with typical restrictions on web categories such as Adult, Shopping, Tasteless, and Obscene. Users will be prohibited from passing web traffic through proxies and from visiting proxy web sites. This group uses the Moderate Policy Rules.
- Monitor Only: members of this group will have their web pages monitored but not filtered or blocked. This group uses the Monitor Only Policy Rules.
- Monitor Only with Threat Protect Group: members of this group will have their web pages monitored but not filtered or blocked, except in the case of Spyware and web viruses. This group uses the Monitor Only with Threat Protect Policy Rules.
- Permissive Group: members of this group will have their web pages monitored and filtered based on light restrictions and a limited set of blocked categories. Users will not be able to visit proxy web sites. This group uses the Permissive Policy Rules.
- Strict Group: members of this group will have their web (HTTP) traffic monitored and filtered and secure web pages (HTTPS) blocked. A broad range of categories will be blocked, as well as proxy web sites. In addition, users will not be able to pass web traffic through Open or Secure Proxies. Lastly, users will not be able to view blocked content via search engines or search engine cached pages. This group uses the Strict Policy Rules.

Now that we have described the pre-defined Network Composer Groups, lets discuss how to add members to these groups. Go to Manage -> Policies & Rules -> Groups. Select one of the Network Composer Groups to which you want to add members. Once you select a group, you will be presented with the Add/Edit Group Detail field. In this field, you can change the name of the group as well as add devices, network addresses, or specific MAC addresses to the group. Before adding members to Network Composer Groups, you need to understand how Network Composer identifies devices on the network. Devices can be identified by several different criteria, i.e., by MAC address, by IP address, by VLAN, while users can be identified by Directory or user names. Because of this, Network Composer allows you to configure how users will be identified depending on your network. This option is called Member Type. When you first access the Add/Edit Group Detail field, the default Member Type of Network Node will be selected. Network Node represents devices on the network that Network Composer has already discovered. These devices will be listed by their NetBIOS name (if available) or by their IP address. If you would like to add devices to Network Composer Groups by Network Node, simply click the open check box next to the profiles under the Member Name column and select Add>. However, if you would like to add users to the group by different criteria, click the Select a Member Type Drop-Down Box. This will present you with fourteen different member types listed below that allow you to identify users based on distinctive criteria.

Please note that the member type Network Node will post devices already discovered by Network Composer. If you have integrated LDAP with Network Composer, LDAP User will post LDAP Profiles already discovered by Network Composer. All other member types will present you with an Enter New field that allows you to manually add a user.

- Network Node: this member type represents devices discovered by Network Composer.
- LDAP User: this member type represents LDAP profiles discovered by Network Composer.
- MAC Source: this member type represents profiles using the Media Access Control (MAC) source address of devices.
- MAC Destination: this member type represents profiles using the MAC destination address of devices.
- CIDR Block Source: this member type represents profiles using an IP source address or IP source address range listed in Classless Inter-Domain Routing (CIDR) notation.
- CIDR Block Destination: this member type represents profiles using an IP destination address or IP destination address range listed in CIDR notation.
- CIDR Block Source and Destination: this member type represents profiles using an IP source and destination address, or IP source and destination address range, listed in CIDR notation.
- VLAN: this member type represents profiles using Virtual Local Area Network (VLAN) tags.
- Protocol: this member type represents profiles using different protocols, i.e., TCP, UDP, etc.
- TOS: this member type represents Type of Service (TOS) profiles. TOS is a single-byte field in an IP packet header that specifies the service level required for the packet.
- DSCP: this member type represents Differentiated Services Code Point (DSCP) profiles. DSCP is an integer value encoded in the DS field of an IP header.
- TTL: this member type represents Time to Live (TTL) profiles. A TTL value exists in each IP packet header and determines how long the packet can traverse the network before being dropped.
- Length: this member type represents Ethernet Length profiles. Ethernet length specifies the size of the frame used within the network interface.
- CIDR Block Override: this member type represents IP addresses that you want to take precedence over any other group assignment. This member type is normally used in the Filter Bypass Group to ensure specific IP addresses or ranges of addresses are not filtered.
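To make the member types concrete, the following added Python example (it is not Cymphonix code and not taken from the guide) classifies a flow into a group using the criteria listed above. The guide states only that a CIDR Block Override member takes precedence over any other assignment; the remaining evaluation order (groups checked in listed order, first match wins, no match means Default Group), the "both ends must match" reading of CIDR Block Source and Destination, the Flow fields, and all sample addresses and VLAN ids are assumptions made for this example.

```python
"""Group membership by Member Type, as an added illustration (not Cymphonix code).

Assumed here (the guide does not specify): rules are evaluated in the order the
groups are listed, the first match wins, a flow that matches nothing lands in the
Default Group, and "CIDR Block Source and Destination" requires both ends of the
flow to lie inside the block. The guide does state that a "CIDR Block Override"
member takes precedence over any other group assignment, so that is checked first.
All sample groups and flows below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_GROUP = "Default Group"


@dataclass
class Flow:
    """The packet/flow attributes that the guide's Member Types key on."""
    src_ip: str
    dst_ip: str
    src_mac: str = ""
    dst_mac: str = ""
    vlan: Optional[int] = None
    protocol: str = ""        # e.g. "TCP", "UDP"
    tos: Optional[int] = None
    dscp: Optional[int] = None
    ttl: Optional[int] = None
    length: Optional[int] = None


@dataclass
class Member:
    member_type: str   # one of the Member Type names from the guide
    value: str         # CIDR block, MAC, VLAN id, protocol name, or integer field


@dataclass
class Group:
    name: str
    members: List[Member] = field(default_factory=list)


def _in_cidr(ip: str, block: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(block, strict=False)


def member_matches(m: Member, f: Flow) -> bool:
    """True when flow f satisfies member m's criterion."""
    t, v = m.member_type, m.value
    if t in ("CIDR Block Source", "CIDR Block Override"):
        return _in_cidr(f.src_ip, v)
    if t == "CIDR Block Destination":
        return _in_cidr(f.dst_ip, v)
    if t == "CIDR Block Source and Destination":
        return _in_cidr(f.src_ip, v) and _in_cidr(f.dst_ip, v)   # assumption: both ends
    if t == "MAC Source":
        return f.src_mac.lower() == v.lower()
    if t == "MAC Destination":
        return f.dst_mac.lower() == v.lower()
    if t == "VLAN":
        return f.vlan == int(v)
    if t == "Protocol":
        return f.protocol.upper() == v.upper()
    if t in ("TOS", "DSCP", "TTL", "Length"):
        return getattr(f, t.lower()) == int(v)
    if t == "Network Node":
        return f.src_ip == v   # discovered node keyed by its IP here (assumption)
    raise ValueError(f"unknown member type: {t}")


def classify(flow: Flow, groups: List[Group]) -> str:
    """Return the name of the group the flow belongs to."""
    # Pass 1: CIDR Block Override members beat every other assignment.
    for g in groups:
        if any(m.member_type == "CIDR Block Override" and member_matches(m, flow)
               for m in g.members):
            return g.name
    # Pass 2: first remaining match in listed order (assumed ordering).
    for g in groups:
        if any(m.member_type != "CIDR Block Override" and member_matches(m, flow)
               for m in g.members):
            return g.name
    return DEFAULT_GROUP


# Constructed sample configuration: the guide's default group names with
# illustrative members (addresses, MAC and VLAN ids are made up).
SAMPLE_GROUPS = [
    Group("Filter Bypass Group", [Member("CIDR Block Override", "10.0.0.0/24")]),
    Group("Strict Group", [Member("VLAN", "20"),
                           Member("CIDR Block Source", "10.0.1.0/24")]),
    Group("Deny Access Group", [Member("MAC Source", "00:11:22:33:44:55")]),
]

if __name__ == "__main__":
    for f in (Flow("10.0.0.7", "93.184.216.34", vlan=20),
              Flow("10.0.1.9", "93.184.216.34"),
              Flow("192.168.5.5", "93.184.216.34", src_mac="00:11:22:33:44:55"),
              Flow("192.168.5.6", "93.184.216.34")):
        print(f.src_ip, "->", classify(f, SAMPLE_GROUPS))
```

The first sample flow sits in both the override block and VLAN 20; the override check runs first, so it lands in the Filter Bypass Group rather than the Strict Group, which is the precedence the guide describes for CIDR Block Override.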

Once you have added members to the pre-defined Network Composer Groups, you can confirm the assignments by pressing the Save button. The pre-defined groups and any new groups you create based on the different member types are called Network Composer Groups. To create groups, click the Create button under the Group Manager. This will post the Choose a Group Type dialog box. You can use the previous steps to create a Network Composer Group. If you would like to create groups based on Directory Users, please see Chapter 7: Integrating Directory Users with Network Composer. If you create groups based on the different member types, you can add members to the newly created Network Composer Group following the same steps listed above. If you need to delete groups, you may do so with the Delete Selected button, also located under the Group Manager. If you delete groups, all members of the deleted groups will fall back into the Default Group. Now that we have defined Network Composer Groups, we'll discuss Time of Day Rules.

Time-of-Day Rules
Network Composer provides the ability to configure policies based on specific times of the day. For example, if you want to block access to certain web sites during business hours but allow access to those web sites during non-business hours, you can create a Time of Day Rule (TDR). Another scenario is if you want E-mail traffic to have priority during the day but VPN traffic to have priority during the night; a TDR allows you to distinguish accordingly. Unless otherwise specified, all rules created will be in effect 24 hours a day, seven days a week. TDRs allow you to create different rules for different times of the day or different days of the week. The first step in creating TDRs is to define the blocks of time that will separate the different policies. Afterwards, you will assign an IUR to each block of time. This latter step is covered in the section Policy Manager. Select Manage -> Policies & Rules -> Time of Day Rules. Network Composer ships with two default TDRs: All Day and Business Work Week. All Day (the default TDR) enforces policies 24 hours a day, seven days a week. Business Work Week enforces policies Monday through Friday, 9am to 5pm. If you would like to alter these blocks, you may select them individually or create your own by selecting the Create button. Once you select or create a TDR, you will be presented with the Add/Edit Time of Day Detail field. Here you will give the TDR a name and a description and define the blocks of time for the different policies. The blocks of time (presented in 24-hour time) can be separated by 15 minutes. Select the Start Time and End Time for each day and click the Add> button. Network Composer will automatically separate the blocks from the rest of the day (24 hours) and post the time after saving the changes. You can also copy the blocks of time from one day to another by using the Copy From Drop-Down Box. Once you have selected the blocks of time for the individual days of the week, click the Save button.

The second step in creating TDRs is to assign different policies to the time blocks. This is covered under the section Policy Manager. You can also edit and delete any TDR by selecting it under Time of Day Rule Manager. Now that you have created groups and TDRs, we will discuss Internet Usage Rules (IURs) and how to manage them. Internet Usage Rules (IURs) are the main content filtering components of Network Composer. IURs are used to block web sites, web categories, File Types, MIME Types, and even common tactics used to bypass content filtering. First, we'll define general options available in all IURs, including Traffic Flow Rule Sets (TFRS). Second, we'll list the default IURs and their associated policies. Third, we'll give an example of how to customize IURs and other advanced policies.

Traffic Flow Rule Sets


Click on Manage -> Policies & Rules -> Internet Usage Rules -> Default Usage Rules. This screen presents the options available under Add/Edit Internet Usage Rule Sets. Towards the top are the Rule Set Name and Rule Set Description, followed by the Traffic Flow Rule Set Drop-Down Box. To correctly control and filter web traffic, you will need to understand Traffic Flow Rule Sets. Traffic Flow Rule Sets (TFRS) are the basic traffic identification and control engine within Network Composer. TFRS dictate how traffic will be identified, controlled, reported, filtered, and shaped. They define the content rules and implement restrictions on identified traffic for users on the network. In essence, TFRS are the controlling mechanisms that decide what types of traffic are allowed and what types are not, and they will be your tool for managing and reporting on network traffic. Select the Traffic Flow Rule Sets Drop-Down Box to view the default TFRS. They are also listed below with their corresponding targets.

- Deny Access: this TFRS restricts all traffic that passes through Network Composer.
- No Filters: this TFRS performs no content filtering, no Web logging, no IM client logging, no Spyware scanning, and no virus scanning.
- Web Filter + Anonymous Proxy Guard: this TFRS performs content filtering, web logging, Spyware scanning, and virus scanning for HTTP traffic (Web Filter), and prohibits HTTP traffic on any port other than port 80 or a designated proxy port (Anonymous Proxy Guard).
- Web Filter + Deny IM: this TFRS performs content filtering, web logging, Spyware scanning, and virus scanning (Web Filter), and denies all IM Client conversations (Deny IM).
- Web Filter + Deny IM + Anonymous Proxy Guard: this TFRS performs content filtering, web logging, Spyware scanning, and virus scanning for HTTP traffic (Web Filter), denies all IM Client conversations (Deny IM), and prohibits HTTP traffic on any port other than port 80 or a designated proxy port (Anonymous Proxy Guard).
- Web Filter + Deny IM + Anonymous Proxy Guard + SSL Filter: this TFRS performs content filtering, web logging, spyware scanning, and virus scanning for both HTTP traffic (Web Filter) and HTTPS traffic (SSL Filter), denies all IM Client conversations (Deny IM), prohibits HTTP traffic on any port other than port 80 or a designated Proxy port, and prohibits HTTPS traffic on any port other than port 443 or a designated Proxy port (Anonymous Proxy Guard).
- Web Filter: this TFRS performs content filtering, web logging, spyware scanning, and virus scanning for HTTP traffic (Web Filter). This is the default TFRS for users and newly created IURs.
- Web Filter + Anonymous Proxy Guard + SSL Block: this TFRS performs content filtering, web logging, spyware scanning, and virus scanning for HTTP traffic (Web Filter), prohibits HTTP traffic on any port other than port 80 or a designated proxy port (Anonymous Proxy Guard), and prohibits all HTTPS traffic from passing through Network Composer (SSL Block).
- Web Filter + Anonymous Proxy Guard + SSL Filter: this TFRS performs content filtering, web logging, spyware scanning, and virus scanning for both HTTP traffic (Web Filter) and HTTPS traffic (SSL Filter), prohibits HTTP traffic on any port other than port 80 or a designated proxy port, and prohibits HTTPS traffic on any port other than port 443 or a designated proxy port (Anonymous Proxy Guard).
- Web Filter + SSL Filter: this TFRS performs content filtering, web logging, spyware scanning, and virus scanning for both HTTP traffic (Web Filter) and HTTPS traffic (SSL Filter).
- Web Logging: this TFRS only logs requested web URLs. No other actions are taken as far as content filtering, spyware scanning, and virus scanning.

The most important factor in configuring TFRS is deciding on what needs to happen to traffic. For example, do you want to block certain web sites or categories? If so, the TFRS of Web Filter needs to be selected. Do you want to deny IM Client conversations? If so, the TFRS of Deny IM must be selected. These factors will help determine the active TFRS.

Content Filtering
Now that we have defined TFRS, let's discuss the other components of the Add/Edit Internet Usage Rule Set. Below the TFRS Drop-Down Box you will see four tabs: Content Filtering, Advanced Filtering, HTTPS/SSL Filtering, and Web Authentication. In this section we will discuss the Content Filtering and Advanced Filtering tabs. HTTPS/SSL Filtering is covered in Chapter 8: Implementing HTTPS/SSL Filtering with Network Composer. Web Authentication is covered in Chapter 7: Integrating Directory Users with Network Composer. Content Filtering provides general choices for filtering web traffic. This tab displays Blocked Categories, Blocked URLs, White List URLs, Blocked File Types, Blocked MIME Types, and Web Authentication White List. If you would like to block a web category, e.g. Porn, select the Blocked Categories sub-tab, click Edit Blocked Categories, and search for the Porn category under Allowed Categories. Once found, select the category, click the Add> button to move it to the Blocked Category List, and click Ok. Once you save your changes, this category will be blocked for that particular Internet Usage Rule. General explanations of the Content Filtering tab follow. Appendix A through Appendix C list all options for web categories, File types, and MIME types.

- Blocked Categories: this sub-tab lists all selected web categories for preventing access. They range from Adult and Porn to Online Communities and Shopping. To add categories to the Blocked Category list, select the Blocked Category sub-tab and click the Edit Blocked Categories button.

- Blocked URLs: this sub-tab allows you to enter a specific Universal Resource Locator (URL) address to be blocked. There are three compare strings that can be used to enter Blocked URLs: URL-Regular Expression, URL, and Domain.
  o URL-Regular Expression: this compare string uses regular expressions to block web sites. A regular expression (regex) is a method of describing a string of text using metacharacters or wildcard symbols. To use URL-Regular Expression, you will need to understand the functions of regular expression metacharacters. URL-Regular Expression supports POSIX Basic and Extended Regular Expressions. A full explanation of the syntax for a Regular Expression Rule is beyond the scope of this document. Additional information is available on the Cymphonix Knowledgebase at kb.cymphonix.com. To add a URL-Regular Expression to the Blocked URL list, select the Blocked URLs sub-tab, click the Edit the Blocked URLs button, and choose the URL-Regular Expression setting from the Compare String drop-down box. Enter the URL-Regular Expression, click the Update button, and then the Ok button.
  o URL: this compare string looks for an exact URL match. Use this compare string to block specific web pages where an exact match is necessary. For example, an entry of myspace.com/forums will block MySpace's forum web page, but not necessarily other MySpace web pages. However, you can use an asterisk symbol (*) as a wildcard with the compare string of URL. For instance, an entry of http://www.myspace.com* will block any web page that begins with http://www.myspace.com. To add a URL to the Blocked URL list, select the Blocked URLs sub-tab, click the Edit the Blocked URLs button, and choose the URL setting from the Compare String drop-down box. Enter the URL, click the Update button, and then the Ok button.
  o Domain: this compare string looks for any web page that begins with the domain name of the web site. Use this compare string to block web sites where the domain name is constant in the URL. For example, an entry of myspace.com will block all of MySpace's web pages. You can also use an asterisk symbol (*) as a wildcard with the compare string of Domain. For instance, an entry of *myspace.com will block any web page that has myspace.com in the domain name, regardless of http, https, or www. To add a Domain to the Blocked URL list, select the Blocked URLs sub-tab, click the Edit the Blocked URLs button, and choose the Domain setting from the Compare String drop-down box. Enter the Domain name, click the Update button, and then the Ok button.
  o Legacy Keyword Mode: this keyword string was used as a general match string under firmware releases 8.3.4 and earlier. It has been replaced by the stronger compare strings above. This compare string should only be used to accommodate upgrades from earlier releases until the entries can be reclassified using the compare strings above.

- White List URLs: this sub-tab allows you to whitelist, i.e., allow users to access, specific web sites. These entries are mostly used when there is a conflict with another rule. For example, if you choose to block the web category Search Engines and Portals but want to allow Google searches, you would add Google to the White List, which overrides the blocked category. White List URLs override blocks from all policies except for web sites under the Blocked URLs and Non-HTTP traffic. White List URLs use the same compare strings as Blocked URLs.
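The following added Python example (not Cymphonix code, and not from the guide) shows how the three compare strings and the Blocked URLs / White List precedence described above can be modelled: Blocked URL entries win, a White List match then overrides a category block, and the "Allow ONLY White List URLs" option (from the Advanced Filtering tab) blocks anything not white listed. Assumptions made here: regex entries run on Python's re module rather than the appliance's POSIX engine, a URL entry is compared both as written and with the scheme and leading "www." removed, a Domain entry without a wildcard covers the host and its subdomains, and the category lookup table, entries and URLs are all constructed.

```python
"""Blocked URL / White List compare strings, as an added illustration (not Cymphonix code).

Assumed here (the guide does not specify): regular expressions are evaluated with
Python's re module rather than the appliance's POSIX engine; a "URL" entry is compared
with the request URL both as written and with its scheme and leading "www." removed;
a "Domain" entry without a wildcard matches the host and its subdomains; the category
lookup table and all entries and URLs are constructed for the example.
"""
import re
from fnmatch import fnmatchcase
from typing import Dict, Tuple
from urllib.parse import urlsplit

Entry = Tuple[str, str]   # (compare string, value)


def _split(url: str):
    return urlsplit(url if "://" in url else "http://" + url)


def _host(url: str) -> str:
    return (_split(url).hostname or "").lower()


def _strip_scheme_www(url: str) -> str:
    """'http://www.myspace.com/forums' -> 'myspace.com/forums'."""
    p = _split(url)
    host = p.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    return host + p.path + ("?" + p.query if p.query else "")


def entry_matches(compare_string: str, entry: str, url: str) -> bool:
    """Does one Blocked URLs / White List entry match the request URL?"""
    if compare_string == "URL-Regular Expression":
        return re.search(entry, url) is not None
    if compare_string == "URL":
        candidates = (url, _strip_scheme_www(url))
        if "*" in entry:                       # wildcard form: http://www.myspace.com*
            return any(fnmatchcase(c, entry) for c in candidates)
        return any(c.rstrip("/") == entry.rstrip("/") for c in candidates)
    if compare_string == "Domain":
        host = _host(url)
        if "*" in entry:                       # wildcard form: *myspace.com
            return fnmatchcase(host, entry.lower())
        d = entry.lower().lstrip(".")
        return host == d or host.endswith("." + d)
    raise ValueError(f"unknown compare string: {compare_string}")


def decide(url: str, iur: Dict, allow_only_white_list: bool = False) -> str:
    """Apply the precedence the guide describes: Blocked URLs beat the White List,
    the White List beats category blocks, and "Allow ONLY White List URLs" blocks
    anything not white listed."""
    if any(entry_matches(c, e, url) for c, e in iur["blocked_urls"]):
        return "block: Blocked URLs"
    if any(entry_matches(c, e, url) for c, e in iur["white_list"]):
        return "allow: White List"
    if allow_only_white_list:
        return "block: Allow ONLY White List URLs"
    category = iur["category_of"].get(_host(url))
    if category in iur["blocked_categories"]:
        return f"block: category {category}"
    return "allow"


# Constructed sample IUR reproducing the guide's own scenario: block the
# "Search Engines and Portals" category but white list Google.
SAMPLE_IUR = {
    "blocked_urls": [("URL", "myspace.com/forums"),
                     ("URL-Regular Expression", r"\.torrent$")],
    "white_list": [("Domain", "google.com")],
    "blocked_categories": {"Search Engines and Portals"},
    # stand-in for the appliance's category database (constructed)
    "category_of": {"www.google.com": "Search Engines and Portals",
                    "www.bing.com": "Search Engines and Portals"},
}

if __name__ == "__main__":
    for u in ("http://www.google.com/search?q=x", "http://www.bing.com/search",
              "http://www.myspace.com/forums", "http://www.myspace.com/profile",
              "http://files.example/linux.torrent"):
        print(u, "->", decide(u, SAMPLE_IUR))
```

Note that a URL entry without a wildcard only matches the one page, so the forum page is blocked while the profile page passes, which is the distinction the guide draws between the URL and Domain compare strings.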

Other settings available in the Content Filtering tab under Blocked URLs and White List URLs are the Import and Export options, Remove Selected Rows, Remove All Rows, and Edit Selected Rows. The Import and Export options allow you to import or export a plain text (.txt) version of your Blocked URLs and White List URLs, letting you back up your lists or share lists among multiple IURs. Selecting either option presents a Browse utility, where you can direct Network Composer to import or export the plain text file. Remove Selected Rows and Remove All Rows allow you to remove entries from the Blocked URLs and White List URLs. Edit Selected Rows permits manual editing of the selected entries.

- Blocked File Types: this sub-tab lists all File types that can be blocked for download. To add File Types to the Blocked File Type list, select the Blocked File Type sub-tab and click the Edit File Types button.
- Blocked MIME Types: this sub-tab lists all Multipurpose Internet Mail Extensions (MIME) types that can be blocked for download. To add MIME Types to the Blocked MIME Types list, select the Blocked MIME Type sub-tab and click the Edit MIME Types button.
- Web Authentication White List: this sub-tab is defined in Chapter 7: Integrating Directory Users with Network Composer.

Advanced Filtering
Click on Manage -> Policies & Rules -> Internet Usage Rules -> Default Usage Rules. Once this populates the Add/Edit Internet Usage Rule Set, click the Advanced Filtering tab. The Advanced Filtering tab presents complex selections that offer more stringent policy control for content filtering. Some options are selected by default for security reasons; however, you can enable or disable any of these options depending upon your requirements.

Spyware
- Enable Spyware URL Blocking: this setting scans web requests for URLs known to host spyware.
- Enable Spyware MD5 Blocking: this setting scans web traffic for known Message-Digest algorithm 5 (MD5) hash matches of spyware downloads.
- Enable Spyware ClassID Blocking: this setting scans HTML pages for Class IDs (identification tags associated with ActiveX or OLE objects) known to host spyware.

Anti-Virus
- Enable Anti-Virus Blocking: this setting scans web traffic for web pages that are infected with viruses.
- Enable Anti-Virus Email Alert Email Address: this setting allows the administrator of Network Composer to receive an email alert if a user attempts to download a web virus. For this setting to work, the Technical Admin Name and Technical Admin Email fields under the Miscellaneous tab must be completed (Admin -> Configuration -> Misc. Settings).

Filter Avoidance
- Enable Filter Avoidance IP Lookup: this setting associates proxy web sites with their IP addresses and prevents users from entering those addresses into web browsers.
- Enable Filter Avoidance Real-Time Filter: this setting performs a real-time scan of web sites to determine whether the web page is hosting proxy services.
- Enable Filter Avoidance Deep HTTP Inspection: this setting scans the content of web pages retrieved through a proxy web site.
- Enable Bypass: this setting allows users to bypass a blocked web site if they know the Bypass Password.

Filter Bypass
- Enable Bypass: this setting allows users to access a web site that is normally blocked by entering the correct password listed in Bypass Password.
- Bypass Password: this setting holds the password that will be used with the Enable Bypass setting.
- Bypass Timeout (in minutes): this setting specifies exactly how long a user can access a blocked web site using the Enable Bypass setting.
- Enable Filter Bypass on a Per-IP Address Basis: this setting allows users to bypass all web sites that are normally blocked instead of just a single blocked web site. It uses the same password and timeout as the Enable Bypass setting.

Web Policy
- Enable Anonymous Browse Mode: this setting continues to block users from prohibited web sites; however, browsing history for these users will not be reported.
- Enable Safe Search Protection for Search Engines: this setting forces search engines to use safe search, which prevents search engines from posting inappropriate results. The supported search engines for this setting are Google, Yahoo!, Ask, MSN, Hotbot, AOL, AlltheWeb, AltaVista, Lycos, and Netscape.
- Block Search Engine Cached Pages: this setting allows you to block cached pages from search engines, i.e., binoculars, Google Image search, etc.
- Allow ONLY White List URLs: this setting prohibits users from visiting web sites that are not specifically listed in the White List.
- Apply White List to Referring URLs: this setting allows white listed web sites to post all page objects, i.e., banners, images, etc., that are referred from within the web site regardless of the original hosting site.
- Add X-Forwarded-For to HTTP header: this setting instructs Network Composer to forward original host information when Enhanced Bridging Mode (EBM) is disabled. See Chapter 6: Administrating Network Composer for more information.
- Real-Time Filter: this setting instructs Network Composer to analyze content on web pages in real time for better categorization and identification.
- Enable Reverse DNS Lookups: this setting prohibits users from browsing blocked web sites via IP addresses instead of domain names.
- Block IP Address URLs: this setting prohibits users from browsing any web site via an IP address instead of a domain name.
- Allow Non-HTTP Traffic Through the Web Filter: this setting allows Non-HTTP traffic to pass through port 80 or the designated parent proxy port for web traffic.
- Non-HTTP Traffic Socket Timeout (in minutes): this setting lets you set a time limit in minutes for how long Non-HTTP traffic can pass through port 80 or the designated parent proxy port for web traffic.
- Force HTTP v1.0: this setting allows you to force web browsers to use HTTP version 1.0. HTTP v1.0 is the first protocol revision for HTTP traffic and is still in wide use, especially by proxy servers.

You can disable or enable any of these options by selecting the sub-tab of each section and then checking the check box next to the setting. Don't forget to Save your changes. If you create a new IUR, the following table lists the default settings. All other options will be disabled.

New IUR Default Settings
  TFRS: Web Filter
  Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
  Anti-Virus: Enable Anti-Virus Blocking
  Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
  Web Policy: Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)

Now that you are familiar with both the Content Filtering and Advanced Filtering tabs, let's discuss the default Internet Usage Rules and how to create a new one.

Internet Usage Rules


Network Composer has 8 default Internet Usage Rules (IURs). These IURs correspond to the default groups available with Network Composer. Remember that the method is to create a group and then assign that group an IUR. Because Network Composer has 8 default groups, their IURs are also available. The following are the pre-defined IURs and their settings. Default Usage Rules are the default settings for all users unless configured otherwise. By default this IUR will log and filter only HTTP traffic. This IUR will not block any Web sites, File Types, or MIME Types except spyware and viral web sites. The following table lists all filtering options for the Default Usage Rules.

Default Usage Rules
TFRS: Web Filter
Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Anti-Virus: Enable Anti-Virus Blocking
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)

Deny Access Policy Rules denies all Web traffic and cannot be altered. Filter Bypass Policy Rules allows all network traffic to pass and only reports on bandwidth and applications used. This IUR cannot be altered. Moderate Policy Rules provides typical restrictions on common web categories and also blocks several file types. In addition, this IUR has some advanced filter avoidance options selected as well as a TFRS that blocks anonymous web surfing for HTTP traffic. The following table lists all filtering options for this IUR.

Moderate Policy Rules
TFRS: Web Filter + Anonymous Proxy Guard
Blocked Categories: Adult, Cheating and Plagiarism, Crime, Criminal Related, Cults, Dating, Filter Avoidance, Gambling, Hacking, Hate Speech, Illegal Drugs, Job Search, Lingerie, Non-sexual nudity, Online Communities, Peer File Transfer, Porn, Shopping, Tasteless or Obscene, Vice, Violence, and Weapons
Anti-Virus: Enable Anti-Virus Blocking
Blocked File Types: bat, cab, cmd, com, dll, ed2k, emo, exe, ini, iso, lnk, torrent, wmf
Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Web Policy: Enable Safe Search Protection for Search Engines, Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Socket Timeout (60 minutes)
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection

Monitor Only Policy Rules are intended for users that will only be monitored and not filtered for web traffic. The following table lists all filtering options for this IUR.

Monitor Only Policy Rules
TFRS: Web Filter
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Web Policy: Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Socket Timeout (60 Minutes)

Monitor Only with Threat Protection Policy Rules are intended for users that will only be monitored and not blocked, except in the case of spyware and web viruses. The following table lists all filtering options for this IUR.

Monitor Only with Threat Protection Policy Rules
TFRS: Web Filter
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Spyware: Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Web Policy: Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Socket Timeout (60 Minutes)
Anti-Virus: Enable Anti-Virus Blocking

Permissive Policy Rules are designed for users that will be given more leniency regarding the web sites they can visit and what file extensions can be downloaded. Web traffic will be monitored and filtered. The following table lists all filtering options for this IUR.

Permissive Policy Rules
TFRS: Web Filter
Blocked Categories: Adult, Filter Avoidance, Hacking, Hate Speech, Illegal Drugs, Lingerie, Porn, Tasteless or Obscene, Vice, Violence, and Weapons
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection
Spyware: Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Anti-Virus: Enable Anti-Virus Blocking
Web Policy: Apply White List to Referring URLs, Real-Time Filter, Allow Non-HTTP Traffic Through the Web Filter, Non-HTTP Traffic Socket Timeout (60 minutes)

Strict Policy Rules are intended for users who will have stringent rules applied to Web browsing as well as file downloads. Users in this group will have HTTP monitored and filtered and HTTPS traffic blocked. Below is the table with all filtering options.

Strict Policy Rules
TFRS: Web Filter + Anonymous Proxy Guard + SSL Block
Blocked Categories: Adult, Alcohol and Tobacco, Cars and Motorcycles, Cheating and Plagiarism, Crime, Criminal Related, Cults, Dating, Filter Avoidance, FYI, Gambling, Games, Hacking, Hate Speech, Illegal Drugs, Instant Messaging, Job Search, Lingerie, Lottery and Sweepstakes, Non-mainstream, Non-sexual Nudity, Online Communities, Online Trading, Peer File Transfer, Porn, Real Estate, Sex Ed and Abortion, Shopping, Sports and Recreation, Streaming Media, Tasteless or Obscene, Tattoos, Vice, Violence, Weapons, Web Messaging, Web-based Chat, Web-based Email
Anti-Virus: Enable Anti-Virus Blocking
Blocked File Types: aac, adp, aiff, asx, avi, bat, cab, cmd, com, dll, dmg, ed2k, emo, exe, flac, flv, fpt, ini, iso, kmz, lit, lnk, log, m3u, m4a, mid, midi, moov, mov, mp3, mp4, mpeg, mpg, mpu, msi, mst, ogg, ogm, pab, pls, qt, ra, ram, rm, torrent, wav, wma, wmf, wmv
Spyware: Enable Spyware URL Blocking, Enable Spyware MD5 Blocking, Enable Spyware ClassID Blocking
Web Policy: Enable Safe Search Protection for Search Engines, Block Search Engine Cached Pages, Real-Time Filter, Enable Reverse DNS Lookups, Block IP Address URLs
Filter Avoidance: Enable Filter Avoidance IP Lookup, Enable Filter Avoidance Real-Time Filter, Enable Filter Avoidance Deep HTTP Inspection

Again, these are the default IURs available for ease of use. You may simply add users to these groups for the policy to apply. You can also alter all default IURs except for Deny Access Usage Rules and Filter Bypass Usage Rules by selecting the individual IURs under Internet Usage Rule Manager. If you would like to create your own IUR, select the Create button under Internet Usage Rule Manager.

Shaping Rules
Shaping Rules allow you to shape network bandwidth for applications, users, and web sites. In essence, Shaping Rules allow you to cap or restrict bandwidth for specific users or applications on the network. These rules also allow you to shape bandwidth to Web sites as well as assign priority levels for all traffic. Through Shaping Rules, you can control and manage network traffic to ensure that critical users and applications have complete access to the Internet and network resources.

Network Composer has no default shaping rules. As such, you will need to create them under the Shaping Rule Manager (Manage -> Policies & Rules -> Shaping Rules). Here you will be presented with three tabs: Group, Application, and Web Content. Group shaping rules manage total bandwidth for users and groups. Application shaping rules administer bandwidth for specific application sets, i.e., P2P, Streaming Media, VoIP, etc. Web Content shaping rules control bandwidth for specific web sites, web categories, File Types, and MIME Types. To create shaping rules, you must first enter a name for Shaping Rule Detail. Afterwards, you can select the different tabs for each corresponding shaping rule.

Please remember that shaping rules are restrictions. This means that Network Composer will not allow a group, application, or web content to exceed the bandwidth assigned. These rules do not guarantee that traffic will reach a certain amount; they only ensure that it will not go beyond the restriction. Think of shaping rules as a ceiling and not a floor. Because of this, many users and applications may not need a shaping rule unless they pose a threat to the network or are known consumers of bandwidth. A good practice is to install Network Composer in the network and have it report on users and applications before implementing shaping rules. Knowing what types of traffic are passing in the network and in what amounts will help in creating a better shaping rule.

When you decide to implement a shaping rule, keep in mind several things (listed below). All shaping rules have three settings: Max Upload, Max Download, and Priority Level. Max Upload refers to traffic passing from the LAN port to the WAN port of Network Composer. Max Download refers to traffic passing from the WAN port to the LAN port of Network Composer. Priority refers to the precedence level assigned to the traffic. The options are Highest, Higher, High, Default, Low, Lower, and Lowest.
Group shaping rules restrict total bandwidth for all users within groups. This means that if you apply Application shaping rules as well as Web Content shaping rules for the same group, these amounts must not exceed the Group shaping rule. Group shaping rules are divided dynamically between active members. For example, if only one group member is active within a group that has a shaping rule of 1Mbps, then that one member will have total access to the bandwidth up to 1Mbps. However, if another group member becomes active, Network Composer will dynamically divide the restriction and cap each member to 500 Kbps, and so on depending on the number of active group members.

The percentages of traffic shown in the Drop-Down Boxes for all tabs are calculated from the Available Upload Bandwidth and Available Download Bandwidth listed under Miscellaneous Settings. The default settings are set to 5000Kbps and will restrict traffic to that amount. If you have not adjusted this amount for your bandwidth, please do so during the Setup Wizard or under the Miscellaneous settings (Admin -> Configuration -> Misc. Settings).

Please note that the amounts listed in the available upload and download under Miscellaneous Settings will restrict total traffic through Network Composer. Make sure that the amounts entered in these fields are the correct amounts for your network (Admin -> Configuration -> Misc. Settings).

If you choose to enter a custom amount for the upload and download restrictions, remember that this amount is presented in kilobits per second (Kbps). You will need to convert your bandwidth into this unit (1024Kbps = 1 Mbps).

There are two application sets that you probably should not restrict: HTTP and Uncategorized. The application set of HTTP correlates to all web-based traffic, including regular web browsing. Because this application set is commonly used more than any other application set, we recommend that you do not set a highly stringent shaping rule for HTTP. The application set of Uncategorized correlates to network traffic for which Network Composer does not have an explicit signature. These applications could be proprietary, recent, or uncommon. In addition, this application set could also include traffic that is very important, such as a custom accounting application, an unrecognized VoIP system, etc. Because of this, we strongly recommend that you do not disable this traffic or create a strict shaping rule for it.

Priority levels are only used when there is not enough bandwidth to complete requests for active users or applications. For example, if you have two shaping rules, 1Mbps for VPN with a High priority level and 1Mbps for P2P with a Low priority level, and there is not enough bandwidth to complete the requests for both applications, Network Composer will restrict P2P even further below 1Mbps to allocate more bandwidth for VPN.

There can be some variance between shaping rules and reporting, especially with P2P and Streaming Media, because of how initial communications for these applications take place. For example, Bit Torrent will negotiate on random ports and may be considered Uncategorized until data begins to pass. After data is passed, Network Composer can identify Bit Torrent as P2P and will then report on all traffic passed, beginning with the initial connections. However, shaping rules for Bit Torrent will not take effect until the data is confirmed as P2P, normally after the initial connections. Below are some general expectations for the variance:

o Shaping rules under 256K can have up to 20% difference in reporting
o Shaping rules under 1M can have up to 10% difference in reporting
o Shaping rules under 5M can have up to 5% difference in reporting

If you choose to shape a web URL, use general phrases. For instance, if you want to shape traffic to the Web site YouTube, enter the phrase youtube instead of http://www.youtube.com.

Web Content shaping rules take precedence over Application shaping rules and will be recorded jointly for shared applications. For example, if you have an Application shaping rule for Streaming Media at 1Mbps and a Web Content shaping rule for YouTube at 1Mbps, the Web Content shaping rule will take preference while the Application shaping rule will not apply. Reporting for the Streaming Media Application Set will then report traffic for Streaming Media combined with traffic for YouTube (2Mbps). To assure that Streaming Media does not exceed a specific amount, balance the amount with Web Content shaping rules designated for Streaming Media Web sites.

All changes to shaping rules will flush Network Composer's forwarding plane. The forwarding plane is the architecture that decides how to handle packets arriving on the LAN interface, i.e., applying shaping rules, denying traffic, etc. Flushing Network Composer's forwarding plane will drop all connections and reassign traffic accordingly. Because of this, we recommend that you only make changes to shaping rules during off-peak hours. Once you have created a shaping rule, don't forget to Save the changes. Also remember that shaping rules are not active until you assign them to a group in the Policy Manager.
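The following Python script is an added example, not Network Composer code: it models the shaping semantics described in this section (percentage drop-downs derived from Available Bandwidth, dynamic division of a Group rule between active members, the Group rule as a ceiling over Application and Web Content rules, Web Content precedence in reporting, and the expected reporting variance bands) and lints a constructed rule set against them. The rule fields `group` and `app_set`, the 25% "strict" threshold, and the sample rules are assumptions made for the example.

```python
"""Lint a set of shaping rules against the semantics the guide describes.
Constructed illustration; this is not Network Composer code."""
from dataclasses import dataclass
from typing import List, Optional

PRIORITIES = ("Highest", "Higher", "High", "Default", "Low", "Lower", "Lowest")
DEFAULT_AVAILABLE_KBPS = 5000   # default Available Upload/Download Bandwidth (Misc. Settings)
KBPS_PER_MBPS = 1024            # conversion stated in the guide: 1024 Kbps = 1 Mbps
STRICT_FRACTION = 0.25          # assumption: a cap below 25% of available bandwidth counts as strict
DO_NOT_RESTRICT = ("HTTP", "Uncategorized")   # application sets the guide says not to restrict


@dataclass
class ShapingRule:
    name: str
    kind: str                       # "Group", "Application" or "Web Content"
    target: str                     # group name, application set, or URL phrase such as "youtube"
    max_upload_kbps: int            # LAN -> WAN
    max_download_kbps: int          # WAN -> LAN
    priority: str = "Default"
    group: Optional[str] = None     # assumption: group this Application/Web Content rule is applied to
    app_set: Optional[str] = None   # assumption: application set a Web Content rule overlaps


def pct_to_kbps(percent: int, available_kbps: int = DEFAULT_AVAILABLE_KBPS) -> int:
    """Drop-down percentages are calculated from the Available Bandwidth setting."""
    return available_kbps * percent // 100


def per_member_cap_kbps(group_cap_kbps: int, active_members: int) -> int:
    """A Group rule is divided dynamically between active members (1000 Kbps, 2 active -> 500 each)."""
    if active_members < 1:
        raise ValueError("at least one active member is needed to share the cap")
    return group_cap_kbps // active_members


def expected_variance_pct(cap_kbps: int) -> Optional[int]:
    """Reporting variance the guide says to expect; None at 5M and above, where it gives no figure."""
    if cap_kbps < 256:
        return 20
    if cap_kbps < KBPS_PER_MBPS:
        return 10
    if cap_kbps < 5 * KBPS_PER_MBPS:
        return 5
    return None


def reported_within_expectation(cap_kbps: int, reported_kbps: int) -> Optional[bool]:
    """True when a reported rate lies inside the expected variance band around the rule's cap."""
    tolerance = expected_variance_pct(cap_kbps)
    if tolerance is None:
        return None
    return abs(reported_kbps - cap_kbps) * 100 <= tolerance * cap_kbps


def reported_app_set_cap_kbps(rules: List[ShapingRule], app_set: str) -> int:
    """Web Content rules take precedence over the Application rule and are reported jointly, so the
    rate reported for an application set can reach its own cap plus the overlapping Web Content caps."""
    return sum(r.max_download_kbps for r in rules
               if (r.kind == "Application" and r.target == app_set)
               or (r.kind == "Web Content" and r.app_set == app_set))


def lint_rules(rules: List[ShapingRule], available_up: int = DEFAULT_AVAILABLE_KBPS,
               available_down: int = DEFAULT_AVAILABLE_KBPS) -> List[str]:
    """Return human-readable findings for rules that contradict the guide's guidance."""
    findings = []
    strict_floor = STRICT_FRACTION * min(available_up, available_down)
    for r in rules:
        if r.priority not in PRIORITIES:
            findings.append(f"{r.name}: unknown priority {r.priority!r}")
        if r.max_upload_kbps > available_up or r.max_download_kbps > available_down:
            findings.append(f"{r.name}: cap exceeds Available Bandwidth, which already limits total traffic")
        if (r.kind == "Application" and r.target in DO_NOT_RESTRICT
                and min(r.max_upload_kbps, r.max_download_kbps) < strict_floor):
            findings.append(f"{r.name}: strict rule on {r.target}; the guide advises against restricting it")
    # The Group rule is a ceiling: Application and Web Content rules for that group must fit under it.
    for g in (r for r in rules if r.kind == "Group"):
        children = [c for c in rules if c.kind != "Group" and c.group == g.target]
        if (sum(c.max_upload_kbps for c in children) > g.max_upload_kbps
                or sum(c.max_download_kbps for c in children) > g.max_download_kbps):
            findings.append(f"{g.name}: Application/Web Content rules for {g.target} exceed the Group ceiling")
    return findings


# Constructed sample: the Streaming Media / YouTube pair from the guide plus an over-tight HTTP rule.
SAMPLE_RULES = [
    ShapingRule("students-total", "Group", "Students", 1000, 1000),
    ShapingRule("streaming", "Application", "Streaming Media", 1024, 1024, "Low", group="Students"),
    ShapingRule("youtube", "Web Content", "youtube", 1024, 1024, "Low",
                group="Students", app_set="Streaming Media"),
    ShapingRule("web", "Application", "HTTP", 128, 128, "High"),
]

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```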

Policy Manager
The Policy Manager correlates all policies to groups. That is to say, all the rules you have created under Time-of-Day Rules, Internet Usage Rules, and Shaping Rules will need to be assigned to groups using the Policy Manager. The default groups Network Composer offers have already been assigned their corresponding Internet Usage Rules under the Policy Manager. In addition, the default groups use the default Time-of-Day Rule (TDR) of 24 hours a day, 7 days a week. However, if you would like to change their Internet Usage Rule or TDR, you can do so for all groups except for the Deny Access Group and the Filter Bypass Group with the Policy Manager. The Policy Manager also allows you to assign shaping rules to groups.

Click on Manage -> Policies & Rules -> Policy Manager -> Default Group. This will post the Add/Edit Policy. Presented here are two tabs: Single Rule Set and Multiple Rule Set. The Single Rule Set is used for Internet Usage Rules that will apply 24 hours a day, 7 days a week. The Multiple Rule Set is used for Internet Usage Rules that will use different blocks of time from TDRs. Under the Single Rule Set tab, select the Drop-Down Box for Internet Usage Rule Set. This will present you with all available IURs created under Internet Usage Rules. You may do the same for shaping rules under the Drop-Down Box for Shaping Rule Set. Once you have chosen an IUR and Shaping Rule for the group, select Save.

The Multiple Rule Sets are used for assigning different IURs and Shaping Rules for time blocks created under TDRs. Click on Manage -> Policies & Rules -> Policy Manager -> Default Group -> Multiple Rule Sets. This tab will post a weekly calendar. Select the day of the week you will be assigning the time blocks. Towards the bottom will be a Time-of-Day Rule Set Drop-Down Box. Select this box and choose the TDR you have created. This will populate the time blocks created. Next, for each time block assign an Internet Usage Rule Set and a Shaping Rule that will be active for the time specified. Repeat these steps for each day of the week (you may use the Copy button) and select the Save button.

Once you complete these steps, Group membership, Time-of-Day Rules, Internet Usage Rules, and Shaping Rules will be active for devices and users. Remember to always use this method when creating groups and policies: create Groups, create Time-of-Day Rules, create Internet Usage Rules, create Shaping Rules, and tie them all together with the Policy Manager. Next we'll discuss the other options available under the Manage tab.

Directory Users & Nodes


Network Composer can track Internet traffic by devices (Network Nodes) and by username (if Directory integration has been enabled). Once a device or user is discovered, Network Composer will create a profile and list it accordingly under Directory Users & Nodes. These profiles (devices or users) will then be available for group membership assignment under the Group menu (Manage -> Policies & Rules -> Groups). Directory Users & Nodes lists three separate options: Network Nodes, Directory Users, and Directory Agent. Network Nodes will list devices discovered by Network Composer, while Directory Users will list Directory profiles. Directory Agent will list agents you have created for your directory servers. These topics are covered in more detail under Chapter 7: Integrating Directory Users with Network Composer.

Network Nodes
Click Manage -> Directory Users & Nodes -> Network Nodes. This will post the Network Node Manager, which lists all devices (Network Nodes) discovered by Network Composer. Network Composer discovers these devices by examining network traffic as it passes through the bridge interface. Once a unique device is discovered, Network Composer will run a port scan to retrieve several pieces of information to create a profile, i.e., NetBIOS name, Internet Protocol (IP) address, Operating System (OS), Media Access Control (MAC) address, and open ports. Network Composer will also list the scan status and the date the profile was created. Network Composer accomplishes this scan via a utility called Network Mapper (Nmap). For Nmap to retrieve these pieces of information successfully, some options may need to be permitted on the network (listed below):

o UDP port 137
o Client for Microsoft Networks
o NetBIOS over TCP/IP
o Samba to respond to NetBIOS queries
o DNS entries for Macintosh computers
o Simple Network Management Protocol (SNMP) for Macintosh computers

If, after enabling these settings, you need to rescan profiles for missing or changed information, you can select the profiles under Network Node Manager and click Re-scan port under the Tasks pane. The Scan Status for the selected profiles will then list Pending. After several minutes, the profile will be updated with the missing or changed information. If after rescanning a profile Network Composer still cannot retrieve the missing or changed information, you can select profiles and manually change the profile name. Don't forget to Save your changes afterwards.

If you have profiles listed under the Network Node Manager, click on one to see the information gathered for each device on the network. The first information posted is the Scan Name (NetBIOS name if available, accompanied by the current IP address), Operating System (OS), Detected OS, and MAC address. Below that are posted two settings: Ignore multiple IP Addresses from this Network Node and Treat IPs as Remote Subnets from this Network Node.

Ignore multiple IP Addresses from this Network Node can be used when Network Composer identifies a single unique MAC address being used by multiple IP addresses. This behavior is typical in an asymmetrical network. Because profiles are created by MAC addresses, Network Composer can sometimes incorrectly associate traffic to the wrong Network Node with asymmetrical networks. If you have an asymmetrical network, you can select Ignore Multiple IP Addresses from this Network Node, which will permanently associate the IP address to the MAC address listed. Thus, if Network Composer sees the MAC address being used by another IP address, Network Composer will assume this is due to asymmetrical routing, group the traffic based on the IP address, and attempt to discover the true MAC address of the original sending device.

The next option is Treat IPs as Remote Subnets from this Network Node. By default Network Composer will create profiles for network devices in the local subnet based on MAC addresses. With routed networks, on the other hand, Network Composer will create profiles for network devices based on IP addresses. These profiles will have the MAC addresses listed as all 0s, while local profiles will post true MAC addresses. There are rare scenarios where profiles based on MAC addresses within the local subnet should be treated as remote profiles because of unique network architectures, e.g., network segments separated by layer three devices that use the same broadcast range or physical connections, asymmetrical networks, etc. In these cases, you may need to regard local profiles as remote. For more information on configuring Network Composer in an asymmetrical or MAC alternating network, please review the tutorial document entitled How to Configure Network Composer with Asymmetrical Routing (http://kb.cymphonix.com).

Also listed under the Add/Edit Network Node Detail are the IP addresses used by this Network Node as well as the open ports, protocols, state, and services utilized by the device. These settings can be sorted by selecting the column title of each setting. Another option available under Network Node Manager is the Search box.
You can search for profiles based on IP address, Profile Name (normally the NetBIOS name or IP address), MAC address, and OS. Simply select the search criteria from the Search Drop-Down Menu, enter the corresponding value, and hit Enter. For example, to search for a specific MAC address, select MAC address from the Search Drop-Down Menu, enter the MAC address you are searching for, and click the Search icon (or press the Enter key). Use the format presented in the Network Node Manager, i.e., IP addresses are separated by dots (.) and MAC addresses are not separated by colons (:), to search according to the values. You can also sort the profiles by Name, IP address, OS, MAC address, Scan Status, and the date profiles were created by clicking on the column titles.

Please note that when Network Composer is first installed, or if new devices are installed on the network, you may see a profile entitled Unknown Network Node (mostly under the Report tab). Unknown Network Node simply represents profiles that have not been completely scanned. In essence, Network Composer has identified new devices on the network but has not had sufficient time to complete the profile scan or is in the process of doing so. With time, this profile will disappear as Network Composer is able to complete the profile scan and identify the new profiles.

Lastly, Network Node Manager allows you to license and unlicense devices. Licensing with Network Composer is based on network connections or active IP addresses on the network. That is to say, one hundred connections on your network will constitute 100 Network Node licenses.

For example, in a flat network where all devices are connected via switches or hubs, Network Composer can normally discover MAC addresses for individual devices. In this scenario, licensing and profile creation will be based on unique MAC addresses. You can verify whether Network Composer is licensing based on MAC addresses by reviewing the MAC Address column under Network Node Manager. If individual MAC addresses are listed, then Network Composer is essentially issuing a license to those MAC addresses. However, if an entry of all zeros is listed under the MAC Address column, then Network Composer is licensing based on IP addresses (typical of routed networks, as MAC addresses remain in local subnets). This means that individual IP addresses will consume licenses, and profiles will be based on them. You may review Chapter 6: Administrating Network Composer for more information on installing Network Composer in a routed network.

Knowing how Network Composer is issuing licenses will help you better manage your license count, as exceeding the license count can cause inconsistencies with content filtering and reporting. For example, devices that are unlicensed are handled quite differently than licensed devices. Reporting for unlicensed devices will not list individual statistics. Traffic from Unlicensed Network Nodes will be aggregated into one profile entitled Unlicensed Network Nodes. Another drawback for Unlicensed Network Nodes is the inability to add these devices to a group via the Network Node Manager. If a device is unlicensed, you will not be able to select it when adding members to groups. Lastly, filtering will be handled differently with Unlicensed Network Nodes. Filtering for Unlicensed Network Nodes will still be in effect for these devices, but depending upon your group configuration, traffic from Unlicensed Network Nodes can fall into different groups. More than likely, traffic from Unlicensed Network Nodes will fall into the Default Group, but different configurations can change this. For more information on how Network Composer handles traffic from Unlicensed Network Nodes, please see the tutorial document entitled How to Manage Licensing with Network Composer (http://kb.cymphonix.com).

Other scenarios to be aware of with licensing are devices such as printers, scanners, network cameras, plotters, or any other non-user-specific devices that have Internet connections. Because these devices are configured with a MAC or IP address, they can potentially consume licenses unless configured otherwise. Also, a device with multiple Internet connections can possibly take up two licenses, e.g., a laptop with a wireless card and an Ethernet port. In addition to multiple Internet connections being a problem, large Dynamic Host Configuration Protocol (DHCP) ranges or short DHCP lease times can possibly pose an issue with licensing as well. If licensing is based on IP addresses, for example, a device will be assigned an IP address via DHCP. Network Composer will issue a license to that IP address. If that same device is assigned a different IP address via DHCP, Network Composer will again issue an additional license, but now to the new IP address. Hence, in this scenario a device could possibly consume several licenses depending on how DHCP is configured. Also please note that historical data and grouping based on IP addresses will follow IP addresses as well and not the devices per se. Because of this, it is highly recommended that you purchase sufficient licenses to filter and report on all connections present in the network. Also, you will want to closely watch your license count and confirm that you do not exceed the license amount. This can be accomplished with Network Node Manager.

Click Manage -> Directory Users & Nodes -> Network Nodes. Towards the bottom of the page you will see a listing of how many licenses have been issued (Showing 125 of 100). The last number listed is the complete number of profiles that have consumed licenses. You will want to periodically compare this number to your license count to confirm that you have sufficient licenses to report and filter correctly. Also, the total license count is posted on the Home Page under Hardware Settings, and System Message Alerts will be sent when the license count is nearing 80%, 90%, and 100%.

Network Node Manager also allows you to license and unlicense selected nodes. For example, if you have several printers that you do not wish to consume licenses, you can select those profiles and click the Unlicense Selected Nodes button located at the bottom of the Network Node Manager page (Manage -> Directory Users & Nodes -> Network Nodes -> Unlicense Selected Nodes). This will flag those profiles as unlicensed, and Network Composer will not count those devices towards the total license count. Again, unlicensed nodes are handled quite differently than licensed nodes; however, devices such as printers, network cameras, etc., normally do not need content filtering and shaping. You can also license profiles that have been unlicensed by changing the License Status to Unlicensed (located in the top right corner of Network Node Manager). This will post all devices that have not been issued a license. You may select those profiles that you want to be licensed and select License Selected Nodes. These profiles will now be issued a license and counted towards the total license count.

If you need to purchase additional licenses, you may do so from Cymphonix or your Authorized Cymphonix Reseller. Additional licenses are issued in the form of a license key and may be entered during the Setup Wizard (Step 1) or under Admin -> Configuration -> License.
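As an added example (not product output or Network Composer code), the script below audits a constructed Network Node listing the way the licensing discussion above suggests: it separates MAC-licensed from IP-licensed profiles (all-zero MAC), flags one MAC seen with several IPs, flags IP-licensed profiles that share a name (the DHCP re-leasing case, where each new IP takes a license), lists licensed non-user devices as candidates for Unlicense Selected Nodes, and compares the consumed count to the purchased count against the 80%, 90%, and 100% alert thresholds. The comma-separated listing format, the ';' separator for multiple IPs, the device-name keywords, and the sample rows are assumptions made for the example.

```python
"""Audit a Network Node listing for license consumption, following the licensing rules the guide
describes. Constructed example: the listing format and heuristics are assumptions, not product output."""
from collections import defaultdict
from typing import Dict, List, Optional

ZERO_MAC = "000000000000"          # all-zero MAC: the profile is licensed by IP address (routed network)
ALERT_THRESHOLDS = (80, 90, 100)   # System Message Alerts are sent as the count nears these percentages
NON_USER_HINTS = ("printer", "scanner", "camera", "plotter")   # assumption: non-user device keywords


def parse_listing(text: str) -> List[Dict]:
    """Parse 'name,ips,mac,os,licensed' lines. As in Network Node Manager, IPs are dotted and MACs have
    no colons; several IPs for one profile are separated by ';' (an assumption of this format)."""
    nodes = []
    for line in text.strip().splitlines():
        name, ips, mac, os_name, licensed = (field.strip() for field in line.split(","))
        nodes.append({"name": name, "ips": ips.split(";"), "mac": mac.lower(),
                      "os": os_name, "licensed": licensed.lower() == "yes"})
    return nodes


def licensing_basis(node: Dict) -> str:
    """'MAC' for a flat-network profile, 'IP' when the MAC column shows all zeros."""
    return "IP" if node["mac"] == ZERO_MAC else "MAC"


def alert_level(consumed: int, purchased: int) -> Optional[int]:
    """Highest alert threshold (80, 90 or 100 percent) reached by the consumed count, or None."""
    if purchased < 1:
        raise ValueError("purchased license count must be positive")
    pct = consumed * 100 // purchased
    reached = [t for t in ALERT_THRESHOLDS if pct >= t]
    return reached[-1] if reached else None


def macs_with_multiple_ips(nodes: List[Dict]) -> Dict[str, List[str]]:
    """One MAC seen with several IPs is typical of asymmetrical routing and is the case the
    'Ignore multiple IP Addresses from this Network Node' setting addresses."""
    return {n["mac"]: sorted(n["ips"]) for n in nodes
            if licensing_basis(n) == "MAC" and len(n["ips"]) > 1}


def dhcp_churn_candidates(nodes: List[Dict]) -> Dict[str, List[str]]:
    """IP-licensed profiles sharing one name: the same host re-leased to new IPs, each taking a license."""
    by_name = defaultdict(list)
    for n in nodes:
        if licensing_basis(n) == "IP" and n["licensed"]:
            by_name[n["name"]].extend(n["ips"])
    return {name: sorted(ips) for name, ips in by_name.items() if len(ips) > 1}


def unlicense_candidates(nodes: List[Dict]) -> List[str]:
    """Licensed non-user devices (printers, cameras, ...) that normally need no filtering or shaping."""
    return [n["name"] for n in nodes if n["licensed"]
            and any(h in n["name"].lower() or h in n["os"].lower() for h in NON_USER_HINTS)]


def audit(text: str, purchased: int) -> Dict:
    """Summarise license consumption for a listing against the purchased license count."""
    nodes = parse_listing(text)
    consumed = sum(1 for n in nodes if n["licensed"])
    return {"consumed": consumed, "purchased": purchased,
            "alert": alert_level(consumed, purchased),
            "ip_based": sum(1 for n in nodes if licensing_basis(n) == "IP"),
            "multi_ip_macs": macs_with_multiple_ips(nodes),
            "dhcp_churn": dhcp_churn_candidates(nodes),
            "unlicense_candidates": unlicense_candidates(nodes)}


# Constructed listing: a flat subnet (real MACs) plus a routed subnet (all-zero MACs, IP licensing).
SAMPLE_LISTING = """
WS-ALICE,10.1.1.20,001a2b3c4d5e,Windows XP,yes
WS-BOB,10.1.1.21;10.1.1.87,001a2b3c4d5f,Windows XP,yes
HP-PRINTER-2,10.1.1.200,00e0a1b2c3d4,Printer,yes
SALES-LAPTOP,10.2.5.40,000000000000,Windows Vista,yes
SALES-LAPTOP,10.2.5.61,000000000000,Windows Vista,yes
MAC-FILESRV,10.2.5.10,000000000000,Mac OS X,yes
CAM-LOBBY,10.1.1.210,00aabbccddee,Network Camera,no
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LISTING, 7).items():
        print(f"{key}: {value}")
```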

Directory Users
Directory User Manager is similar to Network Node Manager in the sense that this manager keeps track of all reported profiles. The difference is that Directory User Manager tracks all Directory Users and not Network Node profiles. If you have implemented Directory Users with Network Composer, the Directory User Manager will post all Directory User profiles discovered by Network Composer, i.e., all user names that Network Composer has discovered. Please review Chapter 7: Integrating Directory Users with Network Composer for more information. The Directory User Manager will also list the domain names associated with the profiles, as well as the Directory Agent (if applicable) and the username used to access the directory. Another option available with the Directory User Manager is Re-scan Directory User Name (located under the Tasks pane). This option allows you to update a profile by selecting the checkbox next to the user profile(s) you want to rescan. After selecting the profiles, select Re-scan Directory User Name, and any changes made to the profiles, i.e., changed name, new directory group, etc., will be posted under the Directory User Manager. Again, Chapter 7 covers these topics in more detail. One last important detail to note is that Directory Users have no effect on licensing.


Directory Agent
The Directory Agent Manager lists all created Directory Agents used for synchronization of Directory Users. For more information on this menu, please refer to Chapter 7: Integrating Directory Users with Network Composer.

Broadcasts tab
The Broadcast tab grants access to the Broadcast Manager, which displays all email reports that have been created for automated reporting. Email reports must first be created by selecting the report you want to email. Once you have done this, you may select the Email icon under the Tasks pane. For example, click on Report -> Application -> Application Overview. As a practice, you can set up this report for a weekly email. Under the Tasks pane select the Email icon, which will populate the Add/Edit Broadcast field. Fill out the required information such as Name, Description, Send To, Send From, Reply To, Subject Line, Send Format, and Schedule. If you need to send the email to multiple recipients, separate the addresses with a semicolon (;). Also, the recommended Send Format is PDF, as this format is more presentable; however, the other formats available are HTML, XML, and CSV. The schedule will depend on how frequently you want the automated report sent. For example, if you choose Weekly, several new fields will appear that will allow you to select the day of the week you want the report to run. The same is true with Monthly and Yearly.

Once you have created the report and filled out the necessary fields, you will need to select the Activation mode for the email. Run Now will send the email report as soon as it is created. Send Once and Delete will send the report at the scheduled time and will then automatically delete the report once it has been sent. Activate Broadcast must be selected for any action to occur. Once you have selected all settings, don't forget to select the Save button. Now that you have created the email report, it will be saved under the Broadcast Manager (unless you have selected Send Once and Delete). If you need to alter or delete the report in the future, you may do so under the Broadcast Manager by selecting the individual Email Broadcast, or by selecting the checkbox next to the report and clicking the Delete Selected button.

All Email Broadcasts are handled by Cymphonix's in-house Report Server. After you have created and activated an Email Broadcast, the data is encrypted using Secure Socket Layer (SSL) and sent to the Cymphonix Report Server. The Report Server processes the encrypted data and creates the desired report in the selected format. The Report Server then sends the completed report to the requested email address(es) for retrieval. This process creates performance advantages for Network Composer while still allowing automatic delivery of important reports and information. Also, after the finalized Email Broadcast has been sent, the data is immediately deleted from the Report Server. The entire process normally takes less than 5 seconds. Physical access at the Cymphonix Report Server is permitted through a minimum of two biometric authentication systems. On-site staff is notified of all building access in real time, and environmental systems are maintained with N+1 redundancy.

Because the data is leaving Network Composer, some technical considerations may need to be implemented in order for the recipients to receive email reports. For example, if a spam filter is present on the network, you may need to allow email transmissions from Cymphonix's Internet Service Provider (IP.XMISSION.COM). In addition, you may need to make the sender and the receiver of the email different email addresses, as identical sender and recipient addresses are commonly flagged as a spoofing technique. Also note that when the data leaves Network Composer for the Cymphonix Report Server, all data is encrypted. However, the transmission from the Cymphonix Report Server to the recipients is not encrypted. Nevertheless, this is the same level of security as most common email messages sent over the Internet.

System Access tab


Network Composer allows you to create multiple login accounts used to access the system. All accounts are listed under the Manage -> System Access -> Logins menu. By default only one account is present on the device (the admin account with a password of cymphonix). Administrative login accounts can do anything that the default admin account can do: they can view any report and can make any configuration change. Another access level exists (Read-Only) which allows users to view reports and configuration settings. However, users with Read-Only access cannot make configuration or administrative changes to the device. The Add/Edit Login Detail field (Manage -> System Access -> Logins -> Admin) allows you to customize all logins with User Name, Password, First Name, Last Name, Email Address, Admin Level (if you would like to create a login that does not have Admin Level, uncheck the box), and Activate Login (the login will not be accessible until this option is checked). Don't forget to Save your changes after creating or modifying a login. We strongly recommend that you create a new administrative login and change the default login password to limit access to the management interface. Select the Manage -> System Access -> Logins link to make these changes.

Applications tab
The Applications tab is designed for expert use. This menu and its submenus allow you to customize applications and redefine default signature sets for a more tailored environment. The default application sets provided should be sufficient for most environments. Nonetheless, if you would like to customize signature definitions as well as Traffic Flow Rule Sets (TFRS), you can do so under the Applications tab. The three options available under the Applications tab are Traffic Flow Rule Sets, Application Sets, and Applications. A more detailed explanation of how to customize TFRS and Application Sets is available on the Cymphonix Knowledge Base, entitled How to Create Custom Signatures (http://kb.cymphonix.com).

Traffic Flow Rule Sets


Traffic Flow Rule Sets (TFRS) are the basic traffic identification and control engine within Network Composer. By default, TFRS define content rules and implement restrictions on identified traffic. Network Composer ships with 12 default TFRS (for more information see the previous section on Traffic Flow Rule Sets); however, you can customize TFRS using the Traffic Flow Rule Set Manager. For example, suppose you had a group of users that needed a combination of functions not available in any one default TFRS. A case in point would be the need to filter Web traffic (Web Filter), deny IM client communications (Deny IM), and block HTTPS traffic (SSL Block). Several default TFRS can do some of these; however, there is no single TFRS that has all components (Web Filter + Deny IM + SSL Block). The Traffic Flow Rule Set Manager allows you to combine or delete components of the TFRS to tailor how traffic will be handled. Select Manage -> Applications -> Traffic Flow Rule Sets.

Rather than editing the default TFRS, you can copy them and make the necessary changes to create a custom TFRS. Although you can select the default TFRS and edit them, it is highly recommended that you do not edit default TFRS. Doing so can cause severe problems if the TFRS are configured incorrectly. You are better served by copying a default TFRS and editing the copy. The key factor in creating a custom TFRS is to choose a default one that closely represents the end result. For this example, we will copy the TFRS Web Filter + Deny IM and afterwards add the SSL Block component. Copying a TFRS is quite simple: select the checkbox next to the TFRS that is going to be copied and click the Copy Selected button. This will bring up the Add/Edit Traffic Flow Rule Set field. Here, you can create a distinct name and description for the custom TFRS. This field also allows you to remove certain applications from the TFRS. For example, if you didn't want this TFRS to identify ICMP traffic, you could remove this application using the < Remove button. More often than not, you will only want to customize the name and description in this field, as removing applications can cause unexpected effects. Another suggestion is to name the TFRS according to its targets. In our example, we would name the TFRS Web Filter + Deny IM + SSL Block. Again, don't forget to Save your changes.

Once you have created a custom TFRS, you will alter the targets according to the desired modifications. This is done under the Application Signature Manager (covered later under the Applications section). In our example we will need to alter the SSL targets to block this traffic. Now that we have created a custom TFRS to block SSL traffic, we will need to alter the targets; the steps to do so are covered in the next sections. Other options available under the Traffic Flow Rule Set Manager are deleting and creating. There is also a search box to search the available TFRS. Let's continue our example of a custom TFRS by discussing the Application Sets and Applications menus. The following sections give a brief explanation of the options available and a common example of configuration changes.

Application Sets
Application sets, or simply signature sets, are groups of signatures for similar applications that perform a comparable purpose. For example, the signature set Remote Desktop/Remote Control/X comprises the applications PC Anywhere, Citrix, GoToMyPC, Microsoft's Remote Desktop, and many more. Because these applications use similar signatures and perform an equivalent purpose (connecting users remotely to computers), the different applications are grouped together in an Application Set. The Application Signature Set Manager (Manage -> Applications -> Application Sets) lists all sets of applications that Network Composer can identify and shape. Currently there are 23 Application Sets that Network Composer identifies:

- Chat and IM: this application set comprises signature definitions for chat and IM applications, e.g., Windows Live Messenger, Yahoo! Messenger, etc.
- Databases: this application set comprises signature definitions for database applications, e.g., SQL, Oracle, etc.
- DNS/Naming/Locators and Information: this application set comprises signature definitions for services that identify domains, users, and devices on a network, e.g., Domain Name Service (DNS), Lightweight Directory Access Protocol (LDAP), etc.
- Email, Paging, and Collaboration: this application set comprises signature definitions for email services and protocols used to transmit email, e.g., Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), etc.
- FTP/File Transfer: this application set comprises signature definitions for File Transfer Protocol (FTP).
- Games: this application set comprises signature definitions for online games or network games, e.g., XBOX Live, World of Warcraft, etc.
- HTTP: this application set comprises signature definitions for Web traffic or Hypertext Transfer Protocol (HTTP).
- ICMP: this application set comprises signature definitions for Internet Control Message Protocol (ICMP), e.g., PING.
- NetBIOS/Microsoft File Services: this application set comprises signature definitions for Network Basic Input/Output Service (NetBIOS) and the Server Message Block (SMB or Samba) protocol.
- Network Management and Monitoring: this application set comprises signature definitions for services that manage and monitor networks, e.g., Simple Network Management Protocol (SNMP), Network Management Service (NMS), etc.
- Network Routing: this application set comprises signature definitions for networking protocols, e.g., Routing Information Protocol (RIP), Network Control Program (NCP), etc.
- Network Utility: this application set comprises signature definitions for protocols used to manage networking devices, e.g., Dynamic Host Configuration Protocol (DHCP), NSW under System FE.
- Peer to Peer: this application set comprises signature definitions for programs that share files via a direct (peer to peer) connection, e.g., BitTorrent, Gnutella, etc.
- Printing and Reporting: this application set comprises signature definitions for printing and reporting services, e.g., Network Printing, Internet Printing, etc.
- Proxy and Cache: this application set comprises signature definitions for proxy and cache servers, e.g., Squid, Sockets Server (SOCKS), etc.
- Remote Desktop/Remote Control/X: this application set comprises signature definitions for programs used for remote management and administration, e.g., PC Anywhere, Citrix, etc.
- RPC/Remote Execution and Message: this application set comprises signature definitions for programs that execute other programs or routines remotely, e.g., Remote Procedure Call (RPC), IBM's Tivoli, etc.
- Security, Auditing, and Auth: this application set comprises signature definitions for network protocols that authenticate and secure users or devices, e.g., Kerberos, Pretty Good Privacy (PGP), etc.
- Streaming Media: this application set comprises signature definitions for programs that stream audio and video content, e.g., Windows Media Player, Flash, etc.
- Telnet and SSH: this application set comprises signature definitions for applications that use the Telecommunication Network (Telnet) and Secure Shell (SSH) protocols.
- Uncategorized: this application set comprises all traffic that does not meet a specific application set.
- VOIP and Voice Chat: this application set comprises signature definitions for Voice over Internet Protocol (VoIP) and programs that facilitate voice conversations over the Internet, e.g., Ventrilo, Buddy Phone, etc.
- VPN and Tunnel: this application set comprises signature definitions for protocols used for Virtual Private Networks (VPN) and for tunneling, e.g., Internet Protocol Security (IPSec), Secure Socket Layer (SSL), etc.

The Application Signature Set Manager also allows you to select an Application Set to review all applications present within the set. In addition to reviewing the applications within the set, you may add or remove individual applications. For example, if you wanted to separate Citrix traffic from the Remote Desktop/Remote Control/X application set for individual shaping and reporting, you could create a new application set or custom TFRS to do so. Once more, this menu is intended for expert use. As such, you may want to review the Tutorial Document on how to create a custom signature, located at the Cymphonix Knowledge Base (http://kb.cymphonix.com). Still, following the example in the previous section of creating a custom TFRS of Web Filter + Deny IM + SSL Block, we will create a custom Application Set. In this example, we will separate SMTP traffic from the Email, Paging, and Collaboration Application Set. Click Manage -> Applications -> Application Set -> Create. This will populate the Add/Edit Application Set Details field. Here you will give the custom application set a Name and Description. In our example, we will call the Application Set SMTP. Don't forget to Save the changes.

Once a custom TFRS and Application Set have been created, you will need to alter the individual applications under the Application Manager. These final steps are covered in the next section. Two other options available under the Application Signature Set Manager are the ability to search for Application Sets using the Search box (located in the upper-left corner) and to delete a custom Application Set using the Delete Selected button (located at the bottom of the page).

Applications
Now that we have detailed the applications listed under each Application Set, we can look at the individual applications that Network Composer can shape. This can be accomplished under the Applications menu. Like the other menus under the Applications tab, this menu is intended for expert use. The Applications menu will allow you to finish creating the custom TFRS. You can also finish altering the Application Set to add or remove specific applications for an Application Set. Lastly, this menu allows you to search for individual applications, values (ports), and application sets to see how traffic is being categorized. Click Manage -> Applications -> Applications. This will bring up the Application Signature Manager. The Application Signature Manager lists each individual application alphabetically according to the Traffic Flow Rule Set listed in the top right-hand corner. You can also search for a particular application based on the Name, Application Set, or Value and sort the different applications by the column titles. Below are the column titles and corresponding definitions:

- Name: this is the name of the application.
- Application Set: this lists which application set the application belongs under.
- Type: this lists the type of signature identification used to recognize the traffic. The different types are the following:
  - Destination Port: this type is the target port of the application.
  - Diff Serv: this type is the Differentiated Services (DiffServ) value of the application. DiffServ is a networking architecture that specifies a simple, scalable and coarse-grained mechanism for classifying and managing network traffic and providing Quality of Service (QoS).
  - Type of Service: this type is the Type of Service (TOS) of the application. TOS is a single-byte field in an IP packet header that specifies the service level required for the packet.
  - Length: this type is the Ethernet Length of the application. Ethernet length specifies the size of the frame used within the network interface.
  - VLAN: this type is the Virtual Local Area Network (VLAN) used for the application.
  - Protocol Only: this type is the protocol used for the application, i.e., TCP, UDP, etc.
  - Layer7: this type is Network Composer's Layer 7 signature used for the application.
  - Source and Destination Port: this type is the sending and target port of the application.
  - Source Port: this type is the sending port of the application.
  - XLi Engine: this type is the Cross Layer Intelligence (XLi) Engine used for the application. XLi is the component of Network Composer that scans and identifies packet payload using 6 layers of the OSI model.
  - Web Request MIME Type: this type is the Multipurpose Internet Mail Extensions (MIME) type for the application.
  - Web Request File Type: this type is the File Type for the application.
- Value: this lists the corresponding measure for the Type field. For example, under the application HTTP, the Type is listed as Destination Port; hence, the Value is listed as 80, as this is the destination port number for HTTP traffic. Other entries listed here will be the XLi values, File Type values, MIME values, and all other values associated with the Types.
- Target: this lists what action will be taken with the corresponding application. For example, if the target is set to Pass Thru, the application will be allowed. The other options available are Deny (block traffic), None (no action taken), Web Filter (content filtering, web logging, spyware scanning, and virus scanning) and Web Logging (only logs web request URLs).

To review the different options for each application, you will need to create a custom TFRS. Let's continue with the example of the custom TFRS created in the previous section. In the top right-hand corner, select the link for the TFRS IM Only. This will list all available TFRS. Choose Web Filter + Deny IM + SSL Block. Notice how the individual applications are now clickable. By creating a custom TFRS and application set, you can adjust each application and change settings such as Protocol, Type, and Value. Remember that we need to change the target of the custom TFRS to deny SSL traffic. You can do this by changing the Target field under the SSL applications. Click on the drop-down search box and select Value as the search criteria. Enter the value SSL and press the Enter key. The Application Signature Manager will post the applications associated with SSL traffic. Select the application SSL CONNECT L7. This will show the Add/Edit Application Detail page. The Add/Edit Application Detail field allows you to change the Name of the application as well as other options, i.e., the Description, Application Set, Traffic Flow Rule Set, Type, Value, Protocol, and Target. Again, changing options can cause serious errors if you are unsure of the settings. More often than not you will only need to change the Application Set, Traffic Flow Rule Set, and Value. In general, only use Destination Port, Source Port, and Source and Destination Port for the Type field. Finally, for Protocol you will probably only need to use TCP and UDP, and for Target only Pass Thru or Deny. To block all SSL connections, change the targets from Pass Thru to Deny. Once you save the changes, this will block all SSL connections. You will need to do this for all other applications that use SSL (search for HTTPS applications as well).
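The following is an added example, not Cymphonix code, that models the Application Signature table of a TFRS as described above: each entry has a Type, Value, Protocol and Target, a copy of the default TFRS is edited rather than the default itself, and the SSL block only becomes complete once every signature that can match SSL/HTTPS traffic (SSL CONNECT L7 and the HTTPS port entry) is set to Deny. The entries, the "most specific Type wins" match order, the hex-prefix Layer7 check and the sample flows are all constructed assumptions, not Network Composer's real definitions.

```python
"""Toy model of a Traffic Flow Rule Set (TFRS) and its Application Signatures.
Added example; signature entries, match order and flows are constructed."""
from dataclasses import dataclass, replace


@dataclass
class Flow:
    proto: str              # "TCP" or "UDP"
    src_port: int
    dst_port: int
    payload: bytes = b""    # first bytes of the stream, used by the Layer7 check


@dataclass
class Signature:
    name: str
    app_set: str
    sig_type: str   # Destination Port | Source Port | Source and Destination Port | Layer7 | Protocol Only
    value: str      # port, "src:dst", or (constructed) hex payload prefix for Layer7
    protocol: str   # "TCP", "UDP" or "ANY"
    target: str     # Pass Thru | Deny | None | Web Filter | Web Logging

    def matches(self, f: Flow) -> bool:
        if self.protocol not in ("ANY", f.proto):
            return False
        if self.sig_type == "Destination Port":
            return f.dst_port == int(self.value)
        if self.sig_type == "Source Port":
            return f.src_port == int(self.value)
        if self.sig_type == "Source and Destination Port":
            src, dst = (int(v) for v in self.value.split(":"))
            return (f.src_port, f.dst_port) == (src, dst)
        if self.sig_type == "Layer7":
            # stand-in for a Layer 7 pattern: the stream starts with these bytes
            return f.payload.startswith(bytes.fromhex(self.value))
        if self.sig_type == "Protocol Only":
            return True
        raise ValueError(f"unsupported Type: {self.sig_type}")


# Assumption: when several signatures match a flow, the more specific Type wins.
PRECEDENCE = ["Layer7", "Source and Destination Port", "Destination Port",
              "Source Port", "Protocol Only"]
UNCATEGORIZED = Signature("Uncategorized", "Uncategorized", "Protocol Only", "", "ANY", "None")


class TrafficFlowRuleSet:
    def __init__(self, name: str, signatures):
        self.name, self.signatures = name, list(signatures)

    def copy(self, new_name: str) -> "TrafficFlowRuleSet":
        """Mirrors Copy Selected: edit the copy, never the default TFRS."""
        return TrafficFlowRuleSet(new_name, [replace(s) for s in self.signatures])

    def classify(self, f: Flow) -> Signature:
        hits = sorted((s for s in self.signatures if s.matches(f)),
                      key=lambda s: PRECEDENCE.index(s.sig_type))
        return hits[0] if hits else UNCATEGORIZED

    def set_target(self, search: str, target: str) -> list:
        """Like searching the Application Signature Manager by Name and editing each hit."""
        hits = [s for s in self.signatures if search.lower() in s.name.lower()]
        for s in hits:
            s.target = target
        return [s.name for s in hits]

    def move_to_set(self, search: str, new_set: str) -> list:
        """Reassign matching applications to another Application Set."""
        hits = [s for s in self.signatures if search.lower() in s.name.lower()]
        for s in hits:
            s.app_set = new_set
        return [s.name for s in hits]


# Constructed default TFRS; names follow the page loosely, values are made up.
DEFAULT = TrafficFlowRuleSet("Web Filter + Deny IM", [
    Signature("HTTP", "HTTP", "Destination Port", "80", "TCP", "Web Filter"),
    Signature("HTTPS", "HTTP", "Destination Port", "443", "TCP", "Pass Thru"),
    Signature("SSL CONNECT L7", "VPN and Tunnel", "Layer7", "1603", "TCP", "Pass Thru"),
    Signature("On Demand SMTP Relay", "Email, Paging, and Collaboration",
              "Destination Port", "25", "TCP", "Pass Thru"),
    Signature("MSN Messenger", "Chat and IM", "Destination Port", "1863", "TCP", "Deny"),
])

TLS_HELLO = bytes.fromhex("160301")   # constructed TLS record header bytes
FLOWS = {                            # constructed sample flows
    "https_tls": Flow("TCP", 51000, 443, TLS_HELLO),
    "port443_no_tls": Flow("TCP", 51001, 443, b"GET / HTTP/1.1"),
    "smtp": Flow("TCP", 51002, 25, b"EHLO"),
}


def build_custom_tfrs() -> dict:
    """Walk the page's procedure; return the Target each flow gets at every step."""
    custom = DEFAULT.copy("Web Filter + Deny IM + SSL Block")
    out = {"default": {k: DEFAULT.classify(f).target for k, f in FLOWS.items()}}
    custom.set_target("SSL", "Deny")        # only SSL CONNECT L7 changes: port 443 still passes
    out["after_ssl_only"] = {k: custom.classify(f).target for k, f in FLOWS.items()}
    custom.set_target("HTTPS", "Deny")      # "search for HTTPS applications as well"
    out["after_https_too"] = {k: custom.classify(f).target for k, f in FLOWS.items()}
    out["smtp_moved"] = custom.move_to_set("SMTP", "SMTP")   # custom Application Set SMTP
    out["smtp_set"] = custom.classify(FLOWS["smtp"]).app_set
    out["default_untouched"] = DEFAULT.classify(FLOWS["https_tls"]).target
    return out


if __name__ == "__main__":
    for step, result in build_custom_tfrs().items():
        print(step, result)
```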

Once you have set all SSL applications to Deny, you only need to apply the custom TFRS. This is done by creating an Internet Usage Rule and applying it to a group under the Policy Manager. Please review the sections Internet Usage Rules and Policy Manager for more information. Before leaving the Application Signature Manager, we can continue with the example of separating an application from an application set. Again, click on Manage -> Applications -> Applications. Make sure the custom TFRS is selected as the Traffic Flow Rule Set in the top right-hand corner. Now, let's search for the application that we're going to separate. Select Name as the Search criteria and enter the name of the application. In our example we will search for SMTP traffic. This will post all applications that use SMTP as a signature. Because we have created a custom TFRS and application set, we can select the applications to separate or modify them. In this example, we will separate SMTP from the application set E-mail, Paging, and Collaboration and tie it to the custom Application Set SMTP (created in the previous section). Click on the first SMTP application (On Demand SMTP Relay). This will post the Add/Edit Application Detail. Here, change the Application Set from E-mail, Paging, and Collaboration to SMTP. Don't forget to Save your changes. Repeat the previous steps for all applications listed by the search. Again, these changes will take final effect once they are initiated under Internet Usage Rules and Policy Manager. One last option available under the Applications Set Manager is deleting custom applications. You may follow the general instructions listed above to create custom TFRS or Application Sets, or review a more complete tutorial of these steps entitled How to Create Custom Signatures (http://kb.cymphonix.com). This concludes Chapter 5: Managing Network Composer. The next chapters describe advanced configuration methods and options for Network Composer, followed by chapters dedicated to Directory Users and HTTPS/SSL Filtering.

Chapter 6: Administrating Network Composer


The Admin tab of Network Composer provides you with administration functions for initial configuration of the device. Also available are maintenance options such as backup settings and diagnostic tools that allow you to prevent failures or down time. Lastly, the Admin tab has advanced configuration options for Directory Users, SSL Certificate, custom redirection pages, and Spyware Removal. This chapter is divided into 6 sections.

- Setup Wizard
- Configuration tab
- Diagnostic Tools tab
- Downloads tab
- Logs tab
- Redirection Pages tab
- Utilities tab

Setup Wizard
The Setup Wizard is available during the first login to Network Composer and if the device has been reset back to factory defaults. If you would like to run the Setup Wizard again after the initial setup, you may do so with this tab. Remember that the Setup Wizard does require a live Internet connection to the network and will reboot if a firmware upgrade is downloaded. For more information, please review Chapter 2: Installing Network Composer.

Configuration tab
The Configuration tab provides you with a variety of tools that can help manage the installation and maintenance of Network Composer. The options available under this tab allow you to optimize and customize your Network Composer to meet the organization's needs. Among these settings are basic and advanced settings, license settings, LDAP, remote subnets, backup settings and static routes. This menu is intended for manual configuration of Network Composer if you are unable to run the Setup Wizard or need to customize settings. Below are all the options available under the Configuration tab.

Setup
Use this menu to manually assign an IP address and Subnet Mask to the Bridge (WAN/LAN) interface. You can also assign a default gateway, DNS Server, and an IP address and Subnet Mask to the Management/Auxiliary Port. Remember that the IP address assigned to the Management/Auxiliary Port cannot be in any active subnet in your network. You can also use this menu to enter the name or IP address of the Email server (if you would like to receive email alerts for viral web downloads). Lastly, you can specify the time zone for Network Composer. Don't forget to Apply any changes made.

Advanced Setup
The Advanced Setup provides you with enhanced configuration settings that are used for customization of Network Composer within the network. Most of the options below are enabled by default; however, if Network Composer is installed in a more complex or uncommon network topology, you may need to disable or adjust some of the settings.

- Domain: this allows you to identify the domain name in which Network Composer is installed.
- Enable Port Scanning / OS Detection: this refers to the Nmap scan that is performed when a unique profile is discovered. This setting allows Network Composer to post unique information about each device present on the network. However, some security systems may identify Nmap scans as intrusions; as such, you can disable this feature by unchecking this setting. For more information see the section Network Nodes in Chapter 5: Managing Network Composer.
- Enable TCP Window Scaling: this allows Network Composer to send a larger window size to improve TCP performance in networks with large bandwidth. However, some routers or web sites do not support this feature, which can cause latency. If you are experiencing latency with Network Composer or connection failures to web sites, you may need to disable this option to improve performance.
- Disable MAC based Network Node Discovery: this is used when you do not want Network Composer to create profiles based on MAC addresses. As previously mentioned in Chapter 5, devices located in Network Composer's local subnet are profiled based on MAC addresses. If you would prefer Network Composer to profile these devices based on IP addresses, check this option.
- NTP Server: this is used to specify a Network Time Protocol (NTP) server used to sync time for Network Composer. The default setting is pool.ntp.org; however, if you have an NTP server or an Active Directory server and would prefer to use those devices instead, you may enter either the IP address or domain name of the device in this field. Also, for NTP to function properly, UDP port 123 must be open for Network Composer.
- HTTP Keep-Alive Mode (HTTP): this allows Network Composer to use the same connection to send and receive multiple HTTP requests and responses, as opposed to opening a new connection for every single HTTP request or response. This option can improve performance on frequently visited web sites and should be checked. This option is also necessary if you want to enable HTTPS/SSL Filtering.
- Enhanced Bridging Mode (EBM): this allows Network Composer to act as a transparent bridge. As a transparent bridge, Network Composer does not modify the web request or response beyond what is required for content filtering and identification. EBM facilitates an easier installation, especially in a routed network, without requiring static routes or running the risk of dropping network traffic. Because EBM does not alter web requests, Network Composer can rely on networking devices already present to route traffic correctly. We highly recommend that EBM is enabled to avoid interrupting network traffic. Lastly, EBM can improve Network Composer's performance and is necessary for HTTPS/SSL Filtering.
- Allow HTTP Connections on port 8888: this allows Network Composer to act as a proxy for web traffic. This option must be selected if you would like to install Network Composer in Proxy Mode or use NTLM Web Authentication. Please see the sections Proxy Mode in Chapter 2 and NTLM Web Authentication in Chapter 7 for more information.
- Enable Summary Tables: this allows Network Composer to summarize or condense large web reports, allowing for faster response times for Internet Usage reports. This utility will index web reports and correlations for all reports. For more information please see the section Report Recommendations in Chapter 3: Generating Reports.
- Summary Table Conversion Utility: this utility will take previous data that has not been summarized and create summary tables. Selecting the link will present three options for converting previous data: Web Request Summary Table, Level 1 Summary, and Level 2 Summary. Web Request Summary Table will summarize all Web request data. Level 1 Summary Table will summarize the first correlation for those reports, i.e., first correlation by Category, Host, File Type, MIME Type, Group, Directory User, and Network Node. Level 2 Summary Table will summarize the second correlation for those reports, i.e., second correlation by Category, Host, File Type, MIME Type, Group, Directory User, and Network Node. For more information please see the section Report Recommendations in Chapter 3: Generating Reports.
- Network Normalization Mode: this setting enables Network Composer to discover MAC addresses in an asymmetrical network or where MAC addresses are alternating. For example, if MAC addresses change during data transmission, Network Composer can encounter a problem with group assignments and reporting. However, by enabling Network Normalization Mode, Network Composer can send Address Resolution Protocol (ARP) requests, discover the MAC addresses of devices, and therefore group and report correctly. The recommended setting for this option is enabled (checked). For more information on this setting, please review the tutorial document entitled How to Configure Network Composer with Asymmetrical Routing (http://kb.cymphonix.com).
- Allow DNS and HTTP block page for Deny Access Traffic Flow Rule Set: this will present members of the Deny Access Group a blocked redirection page if they attempt to access the Internet. Please note that for this page to post, DNS and HTTP traffic will be allowed to pass for the Deny Access Group for initial connections.
- Database Timeout: this setting places a limit (in minutes) on how much time Network Composer has to complete a report. Because Network Composer runs several different functions simultaneously (filtering, shaping, reporting, etc.), priority is given to filtering and shaping so that reporting does not consume resources that may impact network performance. Network Composer has a default timeout of five minutes for reports to complete. If a report cannot complete within the five minutes, you will receive a timeout message stating so. If needed, you may alter the time limit with this setting. You can allocate up to 15 minutes for reports to complete. Please see the section Report Recommendations in Chapter 4: Generating Reports for more information.
- Group Member Type Precedence (GMTP): this option is critical for assigning devices and users to the correct groups. Because Network Composer allows for multiple groups, a problem can arise when a device or a user could be in multiple groups at the same time. For example, when a user begins to access the Internet, Network Composer can identify the user and place him/her in a group by MAC address, IP address, or the Directory User account. The scenario can become even more complex if Network Composer is configured to identify multiple groups based on VLANs, specific IP addresses, or Classless Inter-Domain Routing (CIDR) blocks. The default list should be sufficient; nonetheless, if you are experiencing problems with users being assigned to incorrect groups, please review the Tutorial Document entitled How to Configure Group Member Type Precedence on the Cymphonix Knowledge Base (http://kb.cymphonix.com).
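The following is an added example, not Cymphonix code, that models the Group Member Type Precedence problem described above: a node can qualify for several groups at once (by Directory User, MAC address, IP address, VLAN or CIDR block), and the precedence list decides which membership wins, so reordering the list changes which group a user lands in. The group definitions, the precedence order and the sample nodes are constructed assumptions; the page does not publish Network Composer's default list.

```python
"""Toy model of Group Member Type Precedence (GMTP).
Added example; groups, precedence order and sample nodes are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Node:
    mac: str
    ip: str
    vlan: Optional[int] = None
    directory_user: Optional[str] = None


@dataclass
class Group:
    name: str
    macs: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    cidrs: list = field(default_factory=list)
    vlans: set = field(default_factory=set)
    users: set = field(default_factory=set)

    def member_types(self, n: Node) -> set:
        """Every member type by which this node qualifies for the group."""
        types = set()
        if n.mac.lower() in {m.lower() for m in self.macs}:
            types.add("MAC")
        if n.ip in self.ips:
            types.add("IP")
        if any(ip_address(n.ip) in ip_network(c) for c in self.cidrs):
            types.add("CIDR")
        if n.vlan is not None and n.vlan in self.vlans:
            types.add("VLAN")
        if n.directory_user and n.directory_user.lower() in {u.lower() for u in self.users}:
            types.add("Directory User")
        return types


# Assumed precedence, highest first (constructed, not Network Composer's default).
DEFAULT_PRECEDENCE = ["Directory User", "MAC", "IP", "VLAN", "CIDR"]


def assign_group(node: Node, groups, precedence=DEFAULT_PRECEDENCE, default="Default"):
    """Return (group name, member type) for the highest-precedence membership."""
    candidates = [(precedence.index(t), g.name, t)
                  for g in groups for t in g.member_types(node)]
    if not candidates:
        return default, None
    rank, name, mtype = min(candidates)   # lowest index = highest precedence
    return name, mtype


def conflicts(node: Node, groups) -> dict:
    """All groups a node qualifies for: what to inspect when a user lands in the wrong group."""
    return {g.name: sorted(g.member_types(node)) for g in groups if g.member_types(node)}


# Constructed sample data.
GROUPS = [
    Group("Executives", users={"jdoe"}),
    Group("Lab PCs", macs={"00:11:22:33:44:55"}),
    Group("Sales", cidrs=["10.1.0.0/16"]),
    Group("Guest VLAN", vlans={30}),
]
NODES = {
    "exec_on_guest_vlan": Node("aa:bb:cc:dd:ee:01", "10.1.5.7", vlan=30, directory_user="jdoe"),
    "lab_pc": Node("00:11:22:33:44:55", "10.1.8.8"),
    "sales_laptop": Node("aa:bb:cc:dd:ee:02", "10.1.9.9"),
    "unknown": Node("aa:bb:cc:dd:ee:03", "192.168.50.4"),
}


def demo() -> dict:
    """Assign every sample node under two precedence lists and list the conflicts."""
    out = {"default": {k: assign_group(n, GROUPS)[0] for k, n in NODES.items()}}
    # Moving VLAN to the top changes where the executive on the guest VLAN lands.
    vlan_first = ["VLAN", "Directory User", "MAC", "IP", "CIDR"]
    out["vlan_first"] = {k: assign_group(n, GROUPS, vlan_first)[0] for k, n in NODES.items()}
    out["conflicts"] = conflicts(NODES["exec_on_guest_vlan"], GROUPS)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```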

Ethernet Settings
This menu allows you to hard code speed and duplex settings for the WAN, LAN, and Management/Auxiliary ports. As mentioned in Chapter 2: Installing Network Composer, normally Network Composer will auto-negotiate correctly with the devices directly connected into the ports. However, if Network Composer is unable to auto-negotiate correctly, you may need to hard set the speed and duplex settings. This can be done under the Ethernet Settings menu. Please note that if you make changes under this menu, more than likely you will need to hard code the interface settings of the devices connected to Network Composers ports. Also note that you may experience some network interruption while Network Composer makes the necessary changes.

Company Settings
Company Settings allows you to customize Network Composer and the GUI with information pertinent to the organization. This menu allows you to enter the Company Name, Company Address, Company City, Company State, Company ZIP Code, Technical Admin Name, and Technical Admin E-mail. Once done, these settings will be reflected in other menus as well (Anti-Virus Email Alert, Network Composer's Menu Bar, etc.).

Registration Settings
The Registration Settings menu presents the information that is used to register Network Composer. The settings are the same as the Company Settings, with two additions: Company Address 2 and Technical Admin Phone.

Miscellaneous (Misc.) Settings


Miscellaneous Settings displays five important options that are used in a variety of menus. The first two settings (Available Upload Bandwidth and Available Download Bandwidth) are used to calculate percentages for both shaping rules and reporting values and will cap the total bandwidth available within the network. The default settings are 5000Kbps and will restrict traffic to that amount. If you have not adjusted this amount for your bandwidth, please do so during the Setup Wizard or under this menu. Please note that the amounts listed under Available Upload and Available Download in Miscellaneous Settings will restrict total traffic through Network Composer. Make sure that the amounts entered in these fields are the correct amounts for your network.

The next option, Web Time Online seconds per hit, is used to calculate the amount of time for the Web Time Online Report (Report -> Internet Usage -> Web Time Online). Please note that the Web Time Online report is an estimated value generated by counting the number of hits per page and then multiplying the number of hits by the number listed under this setting. The default setting of 20 seconds is an approximation based on typical business usage. However, in other circumstances the value may need to be altered.

Simple Network Management Protocol (SNMP) can be used to monitor the state of Network Composer and poll the device to verify its CPU, hard drive usage, and other pertinent information. SNMP works by a software component called an agent that runs on Network Composer and reports information via SNMP to the managing systems. The managing system can retrieve the information through the GET and WALK protocol operations. Although you will have to supply the SNMP managing system to retrieve the information, the following fields allow you to interact with Network Composer's SNMP agent.
The first field, SNMP Read Only Community, is the password used for GET requests and allows access to Network Composer's SNMP agent. The default setting for this field is public, but the Read Only Community password can be changed to the desired password with this menu. Don't forget to Apply the changes after altering the field. Afterwards, you can use the SNMP GET command to poll the following values from Network Composer.

Network Composer SNMP Values

Value  Result
1      CPU Percent
2      Hard Drive Usage Percent
3      Web Hits
4      Web Hits by Category ID
5      Web Category Name by ID
6      Application Set Name by ID
7      Application Set Upload by ID
8      Application Set Download by ID
9      Total Traffic Upload/Download
10     Number of Possibly Infected Spyware
11     Number of Possibly Infected Virus

Also, please note that the Object Identifier (OID) for Network Composer is 1.3.6.1.4.1.31010. With the above listed values and Network Composer's OID, you should be able to use the SNMP Get command: snmpget -v 2c -c public localhost 1.3.6.1.4.1.31010.1. The WALK command uses the SNMP GETNEXT request to query Network Composer for several pieces of information. SNMPWALK will search all SNMP values for Network Composer and post the corresponding values. Again, with Network Composer's OID, you can query Network Composer's SNMP agent for all values present: snmpwalk -v 2c -c public localhost 1.3.6.1.4.1.31010.1

The next setting is the SNMP Read Write Community. This setting is used to set SNMP MIB variables to a specified value. These writes are protected by the write community string, which is set to the default of private. However, this field allows you to alter the password for the SNMP Read Write Community. Any changes made to these two fields will not take effect until you Apply the changes.
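As an added example (not part of the original guide or of Cymphonix's software), the following Python script parses the output of an snmpwalk against the Network Composer subtree, maps each line back to the value numbers in the table above, and applies the checks a monitoring system would want on each poll. The walk output is constructed, the sub-OID layout <enterprise>.1.<value number>.0 is an assumption (the guide states only the base OID), and the threshold values are arbitrary.

```python
import re

# Enterprise OID the guide gives for Network Composer.
ENTERPRISE_OID = "1.3.6.1.4.1.31010"

# Value numbers and names from the guide's "Network Composer SNMP Values" table.
VALUE_NAMES = {
    1: "CPU Percent",
    2: "Hard Drive Usage Percent",
    3: "Web Hits",
    4: "Web Hits by Category ID",
    5: "Web Category Name by ID",
    6: "Application Set Name by ID",
    7: "Application Set Upload by ID",
    8: "Application Set Download by ID",
    9: "Total Traffic Upload/Download",
    10: "Number of Possibly Infected Spyware",
    11: "Number of Possibly Infected Virus",
}

# Factory default community strings named in the guide.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample of `snmpwalk -On` (numeric OID) output. The layout
# <enterprise>.1.<value number>.0 is an assumption; the guide gives only the base OID.
SAMPLE_WALK = """\
.1.3.6.1.4.1.31010.1.1.0 = INTEGER: 37
.1.3.6.1.4.1.31010.1.2.0 = INTEGER: 91
.1.3.6.1.4.1.31010.1.3.0 = Counter32: 184233
.1.3.6.1.4.1.31010.1.9.0 = Counter64: 9876543210
.1.3.6.1.4.1.31010.1.10.0 = INTEGER: 2
.1.3.6.1.4.1.31010.1.11.0 = INTEGER: 0
.1.3.6.1.2.1.1.3.0 = Timeticks: (8640000) 1 day, 0:00:00.00
"""

# One walk line: optional leading dot, the enterprise subtree, the value number,
# any instance suffix, then "= TYPE: value".
LINE_RE = re.compile(
    r"^\.?" + re.escape(ENTERPRISE_OID)
    + r"\.1\.(\d+)(?:\.\d+)*\s*=\s*(\w+):\s*(.*)$"
)

NUMERIC_TYPES = {"INTEGER", "Counter32", "Counter64", "Gauge32", "Unsigned32"}


def parse_snmpwalk(text):
    """Map value number -> (name, value) for every line inside the Network
    Composer subtree; lines from other subtrees (e.g. sysUpTime) are ignored."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        number, snmp_type, raw = int(m.group(1)), m.group(2), m.group(3).strip()
        value = int(raw) if snmp_type in NUMERIC_TYPES else raw.strip('"')
        values[number] = (VALUE_NAMES.get(number, "value %d" % number), value)
    return values


def check_thresholds(values, cpu_max=80, disk_max=85):
    """Return the alert strings a monitoring system should raise for this poll."""
    alerts = []
    cpu = values.get(1, (None, 0))[1]
    disk = values.get(2, (None, 0))[1]
    spyware = values.get(10, (None, 0))[1]
    virus = values.get(11, (None, 0))[1]
    if cpu > cpu_max:
        alerts.append("CPU Percent is %d, above %d" % (cpu, cpu_max))
    if disk > disk_max:
        alerts.append("Hard Drive Usage Percent is %d, above %d" % (disk, disk_max))
    if spyware > 0:
        alerts.append("Number of Possibly Infected Spyware is %d" % spyware)
    if virus > 0:
        alerts.append("Number of Possibly Infected Virus is %d" % virus)
    return alerts


def community_is_default(community):
    """True when a community string is still a factory default, which should be
    changed under Miscellaneous Settings before a manager is allowed to poll."""
    return community.strip().lower() in DEFAULT_COMMUNITIES


if __name__ == "__main__":
    polled = parse_snmpwalk(SAMPLE_WALK)
    for number in sorted(polled):
        print(number, *polled[number])
    for alert in check_thresholds(polled):
        print("ALERT:", alert)
```

Real input for the parser comes from the guide's walk command with Net-SNMP's -On option added so that OIDs print numerically, e.g. snmpwalk -v 2c -c <read-only community> -On <appliance address> 1.3.6.1.4.1.31010.1. The community_is_default check is there because public and private are universally known; change both strings before enabling polling from a management system.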

Update Settings
The Update Settings menu lists the available updates for Network Composer. These updates are divided into five categories: Firmware, Software, Content Filter, Spyware, and Anti-Virus. Firmware updates deal with new features, Network Composer OS upgrades, and signature updates. Software updates deal with component changes, maintenance patches, and code resolutions. Content Filter updates are for updating web categories, web sites, and file types. Spyware updates are for new definitions on spyware, while Anti-Virus handles new definitions for web viruses. All updates except Firmware can be configured to execute automatically via the Enable check boxes and Daily Schedule drop-down boxes. Firmware updates are excluded because they require a reboot, so you will need to update the firmware manually using the Update Now button. You will be notified via the Message Center on the Home Page when a new firmware version is offered. For updates to be successful, Network Composer will need access to port 80 as well as authorization to download MD5 checksums. Also, you should schedule updates during non-peak traffic times as some services may need to restart after the updates have completed. Default settings for Update Settings are 1am for Software, 2am for Content Filter, 3am for Spyware, and 4am for Anti-Virus.

Custom Category Rules


The Custom Category Rules menu allows you to modify or create web site categorization. This menu allows you to categorize web sites that have been miscategorized, do not have an explicit categorization, or for which your organization needs a distinct categorization. For example, by default the web site YouTube is categorized as Online Communities. However, for your organization YouTube may be considered more of a streaming media web site than an online community. The Custom Category Rules allow you to enter the URL of YouTube and re-categorize the site as Streaming Media instead of Online Communities. This rule will then take effect for both reporting and Internet Usage Rules (IURs).

To categorize a web site with the Custom Category Rules, enter the URL in the Match String field. Afterwards, choose a Compare String for the entry. There are three distinct compare strings that can be used to categorize web sites: URL-Regular Expression, URL, and Domain.

URL-Regular Expression: this compare string uses regular expressions to categorize web sites. A regular expression (regex) is a method of describing a string of text using metacharacters or wildcard symbols. To use URL-Regular Expression, you will need to understand the functions of regular expression metacharacters. URL-Regular Expression supports POSIX Basic and Extended Regular Expressions. A complete discussion of regular expression capabilities is beyond the scope of this document. See the Cymphonix Knowledgebase at kb.cymphonix.com for additional information.

URL: this compare string looks for an exact URL match. Use this compare string to categorize specific web pages where an exact match is necessary. For example, an entry of youtube.com/forums will categorize YouTube's forum web page, but not necessarily other YouTube web pages. However, you can use an asterisk symbol (*) as a wildcard with the compare string of URL. For instance, an entry of http://www.youtube.com* will categorize any web page that begins with http://www.youtube.com.

Domain: this compare string looks for any web page that begins with the domain name of the web site. Use this compare string to categorize web sites where the domain name is constant in the URL. For example, an entry of youtube.com will categorize all of YouTube's web pages. You can also use an asterisk symbol (*) as a wildcard with the compare string of Domain. For instance, an entry of *youtube.com will categorize any web page that has youtube.com in the domain name regardless of http, https, or www.

After you make your entry in the Match String field and choose a Compare String, select the category to which the web site will be assigned. You can also create your own category by selecting the **Add a Custom Category** selection. Once selected, you can enter the name of the custom category. Afterwards, you can choose which priority level will be assigned to the entry. Priority levels are only used when there are conflicts with other custom categorizations. For example, if you chose to categorize the web site youtube.com as Streaming Media but the web page youtube.com/forums as Online Communities, you would give the URL entry youtube.com/forums a high priority. This indicates to Network Composer to always categorize youtube.com/forums as Online Communities while other web sites under youtube.com will be categorized as Streaming Media. If any site matches conflicting criteria, the higher priority rule will direct the categorization. To finalize your entry, click the Update button followed by the Apply button. Other options available in this menu are Reset (clear current entries under Add/Edit Custom Category Rules), Remove Selected Rows (clear the selected custom category entry), Edit Selected Rows (modify the selected custom category entry), Export List and Import List (export or import a plain text file of entries from the custom category list), and the Cancel button.

Custom Category Options


The Custom Category Options menu works in conjunction with the Custom Category Rules and has two tabs: Categories and Precedence. The Categories tab allows you to create or modify categories listed in Network Composer's current category list. For example, the category Computers and Internet covers web sites that post information about computers and software but also covers web sites with information about the Web and the Internet in general. If you wanted to separate this category into two separate categories, e.g., one category called Internet and another called Computers, you could create two new categories with the Custom Category Options menu. As you add web sites to these new categories, the names of these categories will appear in the category list under Admin -> Configuration -> Custom Category Rules -> Assign a Category as well as under the Edit Blocked Categories list. To add a new category, enter the name of the category in the Add/Edit Category Name field and click the Update button. Other options available are Edit Selected Row, Apply, and Cancel. The Precedence tab allows you to modify the order in which the Compare Strings are examined for classification of web sites. The Custom Category Rules use three compare strings to classify web sites: URL-Regular Expression, URL, and Domain. The default order should be sufficient, but you can alter the order by clicking and dragging an entry and then selecting the Apply button. The Cancel button is also available under this menu.
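To make the matching rules of the Custom Category Rules section and the Precedence tab concrete, here is an added Python model of the classifier (example code, not Cymphonix's implementation). It implements the three compare strings as the guide describes them (exact URL, URL with a trailing `*`, domain prefix, `*` wildcard on the host, and a regular expression), resolves conflicts first by priority level and then by the Precedence order. The rule set and URLs are constructed around the guide's YouTube example; the default precedence order is an assumption, since the guide does not print it; and Python's re module accepts only the common subset of POSIX Extended Regular Expression syntax, so regex rules should still be verified on the appliance.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# The three compare strings named in the guide.
REGEX, URL, DOMAIN = "URL-Regular Expression", "URL", "Domain"
# Assumed default order of the Precedence tab (not stated in the guide).
DEFAULT_PRECEDENCE = (REGEX, URL, DOMAIN)


@dataclass
class Rule:
    match_string: str
    compare: str
    category: str
    priority: int = 0        # higher value wins when several rules match


def _with_scheme(url):
    return url if "://" in url else "http://" + url


def _strip_scheme(url):
    """'http://youtube.com/forums?x=1' -> 'youtube.com/forums?x=1'."""
    parts = urlsplit(_with_scheme(url))
    rest = parts.netloc + parts.path
    return rest + ("?" + parts.query if parts.query else "")


def _wildcard_to_regex(pattern):
    """Turn the guide's '*' wildcard into an anchored regex; all else is literal."""
    return "^" + ".*".join(re.escape(piece) for piece in pattern.split("*")) + "$"


def rule_matches(rule, url):
    if rule.compare == REGEX:
        # Python re covers common ERE syntax; POSIX classes like [[:digit:]]
        # and Basic RE escaping differ, so confirm real patterns on the box.
        return re.search(rule.match_string, url) is not None
    if rule.compare == URL:
        if "*" in rule.match_string:          # "http://www.youtube.com*"
            return re.match(_wildcard_to_regex(rule.match_string), url) is not None
        return _strip_scheme(rule.match_string) == _strip_scheme(url)   # exact match
    if rule.compare == DOMAIN:
        if "*" in rule.match_string:          # "*youtube.com" applied to the host only
            host = urlsplit(_with_scheme(url)).netloc
            return re.match(_wildcard_to_regex(rule.match_string), host) is not None
        return _strip_scheme(url).startswith(rule.match_string)   # "begins with the domain"
    raise ValueError("unknown compare string: %s" % rule.compare)


def classify(url, rules, precedence=DEFAULT_PRECEDENCE, default="Uncategorized"):
    """Category for url: highest priority wins; ties fall back to the Precedence order."""
    hits = [r for r in rules if rule_matches(r, url)]
    if not hits:
        return default
    hits.sort(key=lambda r: (-r.priority, precedence.index(r.compare)))
    return hits[0].category


# Constructed rule set modelled on the guide's YouTube example.
RULES = [
    Rule("youtube.com", DOMAIN, "Streaming Media"),
    Rule("*youtube.com", DOMAIN, "Streaming Media"),      # also catches www/https forms
    Rule("youtube.com/forums", URL, "Online Communities", priority=1),
    Rule(r"\.(mp4|flv)$", REGEX, "Video Files"),
]

if __name__ == "__main__":
    for u in ("http://youtube.com/watch?v=abc", "http://youtube.com/forums",
              "https://www.youtube.com/forums", "http://cdn.example.net/clip.mp4"):
        print(u, "->", classify(u, RULES))
```

The third URL in the demo shows why the guide recommends the `*` wildcard: an exact URL entry of youtube.com/forums does not match https://www.youtube.com/forums, so only the `*youtube.com` domain rule fires there. Passing a different precedence tuple to classify reproduces what dragging entries on the Precedence tab does for rules of equal priority.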

Remote Subnets
By default, Network Composer will monitor all traffic within the local subnet. However, Network Composer can also monitor subnets outside the local subnet. These subnets are called Remote Subnets because they are not within Network Composer's local subnet. Review the following topology. This is an example of a flat network. The characteristics of a flat network are that all devices are connected via switches or hubs, there are no layer three devices (routers or layer 3 switches), and the network is not segmented logically by different IP address ranges (VLANs or remote subnets). If you have a flat network, all devices will fall into the local subnet, and you will not need to add entries to the Remote Subnets menu as Network Composer will be able to track by MAC addresses.


Figure 6.1 Flat Network Topology

Now review the following topology. This is an example of a routed network. Notice how there are different logical segments separated by the IP address ranges within the network, i.e., 192.168.255.0, 172.16.0.0, and 10.0.0.0. Also notice how there is a layer three device present in the network (Router 1). These are characteristics of a routed network.

Figure 6.2 Routed Network Topology

In this example, the network subnets of 10.0.0.0 and 172.16.0.0 will be identified as remote subnets. Network Composer can track Internet traffic by IP addresses once these networks are identified as remote subnets. Network Composer will not be able to track by MAC addresses for remote subnets as layer three devices maintain MAC addresses within their corresponding subnets. For more information on this you can review Chapter 5: Managing Network Composer, section Directory Users & Nodes, or the Tutorial Document called How to Install Network Composer in a Routed Network (http://kb.cymphonix.com).

To add network segments to the Remote Subnet menu, enter the network address with the subnet mask in Classless Inter-Domain Routing (CIDR) notation. For example, a network address of 172.16.1.0 with a subnet mask of 255.255.255.0 would be entered as 172.16.1.0/24. For more information on CIDR notation, please see Appendix D: CIDR Cheat Sheet. Once you have entered the network address, select the Add> button and Apply. Please note that you may at any time add network addresses to remote subnets for monitoring and filtering. If you remove network addresses from remote subnets, this will require a Reset on Telemetry and Profile Data because of how Network Composer profiles devices. Please review the section System Utilities for more information on resetting the database. Once you have added the remote subnets, you can create static routes for those subnets. This topic is covered in the section Static Routes.

User Preferences
The User Preferences menu allows you to customize how reports and filters will be displayed by Network Composer. This menu also allows you to automatically accept downloads from Network Composer's GUI.

Default Rows per Page indicates how many results will be posted for each report. For example, if you want to see how many users have passed Peer to Peer traffic, you can access this information under Report -> Applications -> Peer to Peer -> Correlate by Network Node. This report will post by default the top 25 users of Peer to Peer traffic. However, if you want the report to post the top 30 users of Peer to Peer traffic, you will need to change Default Rows per Page to 30. Afterwards, all reports will by default post 30 results instead of 25.

Report Filter Per Page is for Group, Network Node, and Directory User filters. These filters are available under individual reports and allow you to search for specific Groups, Network Nodes, or Directory Users for the specified reports. Clicking these fields will populate the Select Filter Group, Network Node, or Directory User box. You can then search the Available profiles listed for the desired Group, Network Node, or Directory User profile. By default these filters will post 10 profiles per page. You can change this amount by altering Report Filter Per Page. Once the amount has been altered, all report filters will post the number specified on every filter page accordingly. Lastly, the lowest amount for both fields is 5 and the highest is 500.

The last setting in the User Preferences menu is Enable Automatic Downloads. Network Composer has several downloads for different features, i.e., SSL Certificate, Directory Clients, etc. Selecting these downloads will post a file download dialog box with an additional link for the download. If you would like to skip the additional dialog box and have files from Network Composer downloaded automatically, you will need to enable this option. Please note that you may also need to add the IP address of Network Composer to the Local Intranet security zone in your web browser as well as select Medium-Low security settings for downloads. Once you make changes to the User Preferences menu, don't forget to Apply the changes. The default setting for Enable Automatic Downloads is unchecked.

Static Routes
The Static Routes menu is used in conjunction with the Remote Subnets menu. For example, if you have entries in the Remote Subnets menu, you may need to create static routes for those subnets. However, if you do not have entries in that menu, more than likely you will not need to add static routes. In addition, static routes are only necessary under certain circumstances. One circumstance is remote administration. For instance, if you had a network entry in the Remote Subnets menu and wanted to allow users on that remote subnet administrative access to Network Composer, you would need to create a static route for that network. Other scenarios that require static routes are disabling Enhanced Bridging Mode (EBM), using Redirect blocked pages, and installing Directory Agents outside Network Composer's local subnet. If you meet any of these requirements, you will need to create static routes.

Static routes are created by identifying the next hop from Network Composer to the remote subnets. Review the following topology. Notice how Network Composer is installed on a network with an addressing scheme of 192.168.255.0. However, most users are located on 10.0.0.0. For Network Composer to communicate properly with the users on the 10.0.0.0 network, the device will need to know the next hop to this network. The next hop is referred to as the gateway or destination gateway for the remote subnet. In this example, the remote subnet will be 10.0.0.0/8 with a gateway of 192.168.255.3.

Figure 6.3 Static Routes Diagram

Please take special notice of the different gateways. The 10.0.0.0 network has a default gateway of 10.0.0.1. This is not the gateway for Network Composer's static route, as this address is not the next hop for the remote subnet. The gateway will be 192.168.255.3, as this is the next hop for Network Composer to communicate with users on the 10.0.0.0 network. Essentially, the static route will indicate to Network Composer the routing path to take when direct communication is required with a host on the 10.0.0.0 network.

Also, do not confuse the static route with Network Composer's default gateway. Network Composer uses the default gateway to access the Internet for updates, while static route gateways are used to communicate with users on the remote subnet. The following rules help you identify proper static route gateways for Network Composer:

- Static route gateways will always be in the same local subnet as Network Composer's Bridge IP address.
- Static route gateways will always be on the LAN side of Network Composer.
- Static route gateways will never be the same IP address as Network Composer's default gateway.
- Static route gateways will never be the default gateway for the remote subnets.

After you have identified the correct static route gateway for the corresponding remote subnet, you can enter them by entering the network address of the remote subnet and the route gateway. Again, network addresses will be entered in CIDR notation. Once you have correctly entered the settings, you can select the Add button and then Apply. For more information on static routes, you can review the Tutorial Document How to Install Network Composer in Routed Networks (http://kb.cymphonix.com). Remember that static routes are only necessary for remote subnets. Do not add a static route that will encompass the local subnet as this may cause routing problems with the default gateway for Network Composer.
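The CIDR conversion from the Remote Subnets section and the four gateway rules above can be checked before anything is typed into the appliance. The following Python is an added example (not from the guide or Cymphonix) that converts an address and mask into the CIDR form the Remote Subnets menu expects, decides whether a host falls outside the local subnet, and validates a proposed static route against the rules and the warning about routes that encompass the local subnet. The remote subnet 10.0.0.0/8 and next hop 192.168.255.3 come from Figure 6.3; the bridge IP 192.168.255.10/24 and default gateway 192.168.255.1 are constructed placeholders.

```python
import ipaddress

# Constructed placeholders: the guide's Figure 6.3 gives the remote subnet and
# its next hop, but not the bridge IP or the appliance's own default gateway.
BRIDGE_IP = ipaddress.ip_interface("192.168.255.10/24")
DEFAULT_GATEWAY = ipaddress.ip_address("192.168.255.1")


def to_cidr(network_address, subnet_mask):
    """Dotted network address + mask -> the CIDR string the Remote Subnets menu expects.
    strict=True makes ipaddress raise ValueError when host bits are set
    (e.g. 172.16.1.5 with 255.255.255.0), which is a typo, not a network address."""
    return str(ipaddress.ip_network("%s/%s" % (network_address, subnet_mask), strict=True))


def is_remote(host_ip, bridge=BRIDGE_IP):
    """A host outside the bridge's local subnet needs a Remote Subnets entry
    (and is tracked by IP rather than MAC, as the guide explains)."""
    return ipaddress.ip_address(host_ip) not in bridge.network


def check_static_route(remote_subnet, gateway, bridge=BRIDGE_IP,
                       default_gateway=DEFAULT_GATEWAY):
    """Apply the guide's rules for static route gateways.
    Returns the list of problems found; an empty list means the route looks sane."""
    net = ipaddress.ip_network(remote_subnet, strict=False)
    gw = ipaddress.ip_address(gateway)
    problems = []
    # Rules 1 and 2: the next hop is a router on the LAN side, so it must be in
    # the same subnet as the bridge IP (the only part of "LAN side" testable here).
    if gw not in bridge.network:
        problems.append("gateway %s is not in the bridge subnet %s" % (gw, bridge.network))
    # Rule 3: never the appliance's own default gateway (that one leads to the Internet).
    if gw == default_gateway:
        problems.append("gateway %s is Network Composer's default gateway" % gw)
    # Rule 4: never the remote subnet's own default gateway, nor anything else inside it.
    if gw in net:
        problems.append("gateway %s lies inside the remote subnet %s" % (gw, net))
    # The section's closing warning: a route must not encompass the local subnet.
    if net.overlaps(bridge.network):
        problems.append("route %s encompasses the local subnet %s" % (net, bridge.network))
    return problems


if __name__ == "__main__":
    print(to_cidr("172.16.1.0", "255.255.255.0"))          # 172.16.1.0/24
    print(check_static_route("10.0.0.0/8", "192.168.255.3"))   # []
    print(check_static_route("10.0.0.0/8", "10.0.0.1"))        # the mistake Figure 6.3 warns about
```

Running check_static_route with 10.0.0.1 as the gateway reproduces the mistake the Figure 6.3 discussion warns about: that address is the remote subnet's default gateway, not the next hop from Network Composer, and it is not in the bridge subnet either.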

SSL Certificate Settings


This menu is covered in Chapter 8: Implementing HTTPS/SSL Filtering with Network Composer.

License Settings
The License Settings menu allows you to enter a license key to increase the number of devices Network Composer will profile. Licensing with Network Composer is based on network connections. That is to say, one hundred connections on your network will constitute 100 licenses. For full functionality of Network Composer, you will need to have sufficient licenses for all active connections on your network. You can purchase the license key from Cymphonix or your Authorized Cymphonix Reseller. Once purchased, you can enter the License Key by selecting the Update button. Network Composer will then confirm the License Key and, if correct, will alter the Licensed Network Nodes to the correct amount. Don't forget to Apply the changes. This option is also available during the Setup Wizard.

Information pertinent to the device, such as Model Number, Serial Number, and Annual Software Maintenance (ASM) Expiration Date, is posted on this menu as well. ASM is used for support on your device and provides Network Composer with continued updates on Web content, Spyware, Web viruses, and application signatures. ASM also allows you to utilize Cymphonix Technical Support if needed. If ASM is not current, Network Composer will not be able to update firmware, software, content filtering, Spyware, or virus definitions, nor will Cymphonix Technical Support be available. To renew your ASM please contact your Authorized Cymphonix Reseller or Cymphonix Sales at (801) 938-1500 option 1. Other stats available on this menu are Current Software Version, Available Software Version, Last Software Update Date, Last Anti-Virus Update Date, and Last Spyware Definition Update Date.

Special Domains
The Special Domains menu offers two settings to assist in troubleshooting group membership as well as Directory User integration. The first setting is Web Authentication Logout Domain. Web Authentication allows Network Composer to identify Directory Users without using the Directory/LDAP Client. Network Composer does this by associating initial web connections with Directory Users. However, Web Authentication does not identify when Directory Users have logged out unless an inactivity or session timeout has been met. By using the URL in Web Authentication Logout Domain, Directory Users can immediately notify Network Composer when they have logged out. The default setting is logout.cymphonix.com, but you can use this menu to change the URL. Once users enter this URL into their web browser, Network Composer will present them with a logout page. After logging out, Network Composer will disassociate the web connections from the Directory Users. For this setting to work properly, you must have some form of Web Authentication enabled for users. For more information on Web Authentication, please see Chapter 7: Integrating Directory Users with Network Composer.

The next setting is Web Filter Info Domain. Web Filter Info Domain allows you to confirm group membership, Internet Usage Rules, and HTTPS/SSL Filtering rules. By entering the URL into a web browser, you can confirm how Network Composer is identifying the user, to which group the user is being assigned, and whether the correct rules are being applied. To use Web Filter Info, enter the URL into a web browser (default setting is info.cymphonix.com), and the Web Filter Status Report will post the results. Please note that any changes to these two settings will require correct Domain Name Service (DNS) resolution. If you alter the URLs under the Special Domains menu, you will need to make specific entries for these web sites in your users' DNS records.

LDAP Settings
LDAP Settings are defined in Chapter 7: Integrating Directory Users with Network Composer.

Backup
Network Composer allows you to back up configuration data and telemetry data. These backups can be completed via FTP or via HTTP manual backups. The submenus available here are Backup File Settings, FTP Automated Backup, FTP Manual Backup/Restore, and HTTP Manual Backup. The options available under Backup are Backup File Name, Add Timestamp to File Name, Backup Configuration Data (device configuration, groups, IUR, shaping rules, etc.), and Backup Telemetry Data (Web logs, application reports, etc.). Once these settings are configured, you will need to create the backup file using the Create File button. Afterwards, you can manually push the backup file to an FTP server or use HTTP to place the backup file in a folder accessible to Network Composer.

The FTP Automatic Backup menu allows you to automate backups via File Transfer Protocol. For this to work, Network Composer needs write access to an FTP server. You can select Enable Automatic Backups and select the day and time for the backup to execute. In addition, Network Composer will need the hostname or IP address of the FTP server as well as the Server User Name, Server Password, and path for the backup directory. Lastly, you can specify that Network Composer only create a backup file automatically and not upload it to an FTP server. This option is available as the check box Create Backup File Only.

You can also restore backups to Network Composer in the case of device failure. For example, if you need to replace your current Network Composer with another device, you can use a stored backup file to restore device settings on the replacement device. Although easy to execute, the restore options can only be accomplished with an FTP server. Also please note that restores are only possible between the same Network Composer models. In other words, you cannot restore a DC10 backup file to a DC30. Again, Network Composer will need specifics related to the FTP server, i.e., Hostname or IP address, Server User Name, Server Password, Path, and File Name. The options available under this submenu are Restore From FTP Server and Backup To FTP Server. If you are intending to restore information to Network Composer, you will need to select Restore From FTP Server. Backup To FTP Server is for manual backups to an FTP server as opposed to the automated backups available in the previous submenu.

Finally, you can back up manually via HTTP if you do not have access to an FTP server. Again, you will need to create the backup file using the submenu Backup File Settings. Afterwards, you can select the Download button and browse to a network drive, network directory, or even your desktop to place the backup file.
When you are finished modifying the backup settings, remember to Apply the changes.

Proxy Settings
The Proxy Settings menu allows you to configure Network Composer to work with your network's proxy server. The most important factor in configuring Network Composer with your network's proxy server is the placement of the device in relation to the proxy server. If the proxy server is an inline device, the recommended placement for Network Composer is between the proxy server and the users, to allow for correct identification of users and devices. In addition, if the proxy server requires users to enter a username and password for Internet connectivity, Network Composer likewise will need such information to access the Internet for updates. These settings are entitled Parent Proxy Username and Parent Proxy Password. We recommend that you create a user account on the proxy server specifically for Network Composer. Network Composer will also need access to the Web for updates and TCP port 22 for the Support Link utility to work. For correct reporting, Network Composer will need to know the IP address and port used (other than port 80 and 8080) for the proxy server.

If your network's proxy server is not an inline device, please contact your Authorized Reseller or Cymphonix Support before installing Network Composer. If the network's proxy server is not an inline device, you will not be able to place Network Composer between users and the proxy server, as web requests will be traversing the proxy server's connection twice: once for the initial request and once for the response. As such, you will need to contact Cymphonix Support or your Authorized Cymphonix Reseller for assistance with installing Network Composer in this scenario.

If Network Composer cannot be placed between the users and your network's proxy server, you will need to configure Network Composer differently. First, you will not need to enter any information in the Proxy Settings menu as your network's proxy server will be on the LAN side of Network Composer. Second, some advanced options are specifically designed for interoperability with proxy servers, in particular Enhanced Bridging Mode (EBM) and HTTP Keep-Alive Mode. With the proxy server on the LAN side of Network Composer, the device no longer needs these options enabled as the proxy server will perform similar functions. You may need to disable these options (Admin -> Configuration -> Advanced Setup). Finally, most proxy servers execute web requests via Network Address Translation (NAT). NAT is a technique of routing network traffic that involves re-writing or masquerading IP addresses. Network Composer will only see the IP address of the proxy server passing web traffic instead of unique users. If the proxy server is located on Network Composer's LAN side, individual filtering and reporting may be impossible because Network Composer will not receive the users' IP addresses. If your network's proxy server allows you to disable NAT, this may be an option for individual reporting and filtering.

Diagnostic Tools tab


The Diagnostic Tools tab provides you with a variety of tools that you can use to test the functionality of your network as well as Network Composer. It includes utilities to test network connectivity and device status. This menu is a great place to start the troubleshooting process to confirm device settings and status.

Device Status
Device Status posts the condition of Network Composer and several key components of the device. Here you can confirm that the IP address for the bridge interface is correctly assigned. You can also verify the status of all Ethernet ports: WAN, LAN, and Management/Auxiliary. Lastly, you can validate device settings (Device Key, Serial Number) and device status with regard to uptime (how long the device has been up), CPU load, and Used Disk Space.

Directory Agent Diagnostics


This menu is covered in more detail under Chapter 7: Integrating Directory Users with Network Composer.

Directory Agent Users


This menu is covered in more detail under Chapter 7: Integrating Directory Users with Network Composer.

Display ARP Table


The Display ARP Table lets you view current entries in Network Composer's Address Resolution Protocol (ARP) table. ARP provides dynamic address mapping between an IP address and a hardware (MAC) address. Network Composer's ARP table displays the IP and MAC addresses of devices that have directly communicated with Network Composer within the last 5 minutes. The columns listed in the ARP table are Address (IP address), HW Type (Ethernet), MAC Address, Flags (C = reachable), and Interface (br0 = Bridge, eth0 = WAN, eth1 = LAN).
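As an added example that is not from the guide, the following Python parses a Display ARP Table listing into structured records using the columns just described, labels each interface with its role, and picks out entries that lack the C (reachable) flag, which is what you look for when a device that should be talking to Network Composer is not. The sample table is constructed in the Linux `arp -n` layout whose columns match the menu's; the addresses and MAC addresses are made up.

```python
# Interface names and roles as the guide's Display ARP Table labels them.
INTERFACE_ROLES = {"br0": "Bridge", "eth0": "WAN", "eth1": "LAN"}

# Constructed sample in `arp -n` layout (Address, HWtype, HWaddress, Flags, Mask, Iface).
# The last row is an entry for which an ARP request got no reply yet.
SAMPLE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.255.1            ether   00:11:22:33:44:01   C                     br0
192.168.255.3            ether   00:11:22:33:44:03   C                     br0
192.168.255.20           ether   00:11:22:33:44:20   C                     eth1
192.168.255.77                   (incomplete)                              br0
"""


def parse_arp_table(text):
    """Parse the listing into dicts: address, hw_type, mac, flags, interface, role."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if not parts:
            continue
        if "(incomplete)" in parts:             # no MAC learned, so no Flags column
            entry = {"address": parts[0], "hw_type": None, "mac": None,
                     "flags": "", "interface": parts[-1]}
        else:
            entry = {"address": parts[0], "hw_type": parts[1],
                     "mac": parts[2].lower(), "flags": parts[3],
                     "interface": parts[-1]}
        entry["role"] = INTERFACE_ROLES.get(entry["interface"], "unknown")
        entries.append(entry)
    return entries


def unreachable(entries):
    """Addresses whose entry lacks the C (reachable) flag: hosts that did not answer ARP."""
    return [e["address"] for e in entries if "C" not in e["flags"]]


def lookup(entries, key):
    """Find entries by IP address or MAC address (MAC compared case-insensitively)."""
    key = key.lower()
    return [e for e in entries if e["address"] == key or e["mac"] == key]


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP)
    for e in table:
        print(e["address"], e["mac"], e["flags"] or "-", e["interface"], e["role"])
    print("unreachable:", unreachable(table))
```

An unreachable entry for a host on the bridge subnet is a good reason to move on to the PING and Static Routes checks described later in this chapter.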

Ethernet Status
The Ethernet Status menu lists the state of Network Composer's ports: WAN, LAN, and Management/Auxiliary. The tabs are divided by port and list the status, auto-negotiate, speed, duplex, packets, and errors. Use this tab to confirm that each active port is operating at the correct speed and duplex settings and not generating any errors. Auto-negotiation is recommended, but not necessary.

Group IP List
Group IP List is a great tool that can be used to verify group membership for individual users. For example, if you have a device or user that is not being assigned to a group correctly, you can confirm which group is being assigned within the past five minutes for that user or device. Group IP List will list the Group, MAC address (where available), and IP address of the devices currently passing traffic through Network Composer. Also available is a drop-down list that allows you to search entries based on Group name, MAC address, or IP address. You can then verify this group assignment against the member type and assigned group (Manage -> Policies & Rules -> Groups). If users or devices are being assigned to incorrect groups, you can use this tool as well as Group Member Type Precedence to resolve the issue and better configure Network Composer.

IP Address Map
This menu is covered in more detail under Chapter 7: Integrating Directory Users with Network Composer.

No LDAP Network Nodes


This menu is covered in more detail under Chapter 7: Integrating Directory Users with Network Composer.

PING
Packet Internet Groups (PING) is a useful troubleshooting tool for computer networks. This tool tests whether network hosts are reachable by sending an ICMP Echo Request packet. When the destination system receives the packet, it responds with an ICMP Echo Response packet. Network Composer includes PING as a troubleshooting tool in the event that a device or web site cannot communicate with Network Composer. Enter the hostname or IP address to run the PING test. You can also alter the number of attempts. If the test fails, you may want to review the network topology and the Static Routes menu. Please note that many host-based software firewalls, such as those that ship with Microsoft Windows XP and Vista, deny PING traffic by default. You may need to allow ICMP traffic through firewall systems for this utility to succeed.


Test DNS Settings


The Test Domain Name System (DNS) Settings menu allows you to test the DNS settings of Network Composer, i.e., whether Network Composer can correctly resolve web sites or NetBIOS names to their corresponding IP addresses. Enter the URL of a web site, e.g., www.google.com, or the NetBIOS name of a computer, e.g., computername.mydomain.com, and select Run to perform the test. You can also change the DNS server used for the test by entering a different IP address for the DNS server. A positive result replies with a host name and an IP address.

Traceroute
Traceroute is a computer networking tool used to determine the route taken by packets across an IP network. Network Composer's Traceroute menu allows you to confirm the path taken by Network Composer to reach individual computers, routers, or web sites that respond to traceroute. As with Test DNS Settings, enter the hostname or IP address for the Traceroute and select the Run button. You can also alter the Timeout in seconds. If the test is successful, the menu lists how many hops the packet takes to reach the destination, along with the time spent reaching each individual hop.

IP Traffic Monitor
IP Traffic Monitor is a console-based network statistics utility that gathers a variety of data such as TCP connection packet and byte counts, interface statistics, and activity indicators. IP Traffic Monitor shows information on network traffic in real time as it passes through Network Composer. Some of this information can be used to diagnose network connectivity problems as well as to identify the IP addresses consuming the most bandwidth within the network. Unlike the other diagnostic tools, it is not accessible from the Diagnostic tab or any other menu in Network Composer's GUI. Instead, you can access this utility via the Text Menu Interface (Option 2: Utilities, Option 3: IP Traffic Monitor). Please see Chapter 1: Configuring Network Composer, Section Text Menu Interface for more information.

Downloads tab
The Downloads tab stores the Directory Agent, Directory Client, LDAP Client, and SSL Certificate necessary for Directory Users integration and SSL Filtering respectively. These topics are covered in Chapter 7: Integrating Directory Users with Network Composer and Chapter 8: Implementing HTTPS/SSL Filtering with Network Composer.

Logs tab
As Network Composer completes its day-to-day tasks, the device will track important events, activities, and errors in log files. You can use the Activity Logs and Kernel logs to view these files for troubleshooting purposes.

Activity Log
The Activity Log records information about programmed events and their status, e.g., backups, updates, etc. If some of these functions are not working properly, you can use the Activity Log to troubleshoot the process. The Activity Log is also useful in troubleshooting Directory Users, which is covered in Chapter 7: Integrating Directory Users with Network Composer.

By default, Activity Log messages of all types from the last 24 hours are displayed. However, you can use the Selected Date option to browse for messages from different periods, e.g., Last Hour, Last 24 Hours, Last 7 Days, Last Week, Last Month, Last Year, and custom dates.

Also available are message type filters that can be used to display only the messages relevant to a problem. The message type options are No Filter, Verbose, Informational, Status, Warning, Error, Comment, and Invalid. Comment, Informational, and Verbose are debug-level messages; they give information about the normal operation of processes and events. Warnings are non-fatal process errors or unexpected conditions, while Errors are fatal process faults that can affect device functionality. Invalid messages denote invalid or unexpected conditions that might prevent future code execution or cause future Warnings or Errors. Status messages give information about the current status of processes or programmed events.

The other option available under Logs is Context. Context describes which component of Network Composer delivered the message. For example, if an error happens in the backup utility of Network Composer, the Context will be Backup and the message type will be Error. The options available under Context are No Filter, System, Initialization, Updates, Backup, Broadcast, and Alert. System Context means the message came from the forwarding plane. The forwarding plane is the part of the Network Composer architecture that decides how to handle packets arriving on the LAN interface, e.g., applying shaping rules, denying traffic, etc. Initialization messages come from boot-up or process launchers. Updates Context indicates the messages were generated by the update system, e.g., Firmware, Software, Content Filter, etc. Backup messages come from the backup system (automated and forced), and Broadcast messages come from the e-mail broadcast system. Alert messages are not currently used.

Kernel Log
The Kernel is the central component of Network Composer's Operating System (OS). The Kernel's responsibilities include managing communication between the hardware and software components. As the Kernel does this, it keeps several key entries in a log file that can be reviewed. This is an excellent place to begin troubleshooting hardware or software problems. Some of the entries are common markers or steps that Network Composer runs routinely. However, pay close attention to messages that concern the hard drive and to messages that repeat several times in a row.

Redirection Pages
Network Composer offers two customizable pages: one for blocking web sites and one for authenticating Directory Users. The Directory Agent Login Page is described in Chapter 7: Integrating Directory Users with Network Composer.


Blocked URL
When Network Composer blocks web sites based on Internet Usage Rules (IURs), users are presented with a Block Redirection or Blocked Uniform Resource Locator (URL) page. The Redirection Pages menu allows you to customize the Blocked URL page to display company messages, customized phrases, etc.

The first option available under Blocked URL Redirection Page is Display Blocked Reason. This shows users the reason why the page has been blocked, e.g., because of a Blocked Category, Blocked URL, etc. The next option is Blocked Phrase, which allows you to customize the message shown to users. The default message is "Your access to the website %blockedURL% was blocked for the following reason:". The Blocked Reason is then displayed underneath the message.

The Bypass Message is for users who have the password for Enable Bypass (a setting that allows a user to bypass a blocked web site if he/she knows the Bypass Password). The default Bypass Message is "Click here to bypass the filter for this website." Please note that if you have not turned on Enable Bypass, this message will not be displayed.

Contact Message allows users to contact the Network Composer administrator in case a web site needs to be re-categorized or allowed. For example, if a user is blocked from http://www.myspace.com.com but believes that the web site should be allowed or re-categorized, he/she can send an email by clicking on the link shown in the Blocked URL page. For this setting to be active, Contact Email must contain the email address of the Network Composer administrator. Also note that the URL will not be automatically included in the email; you should alter the Contact Message to ask users to place the URL in the email.

For Network Composer to send the Blocked URL Page, the device needs to know the route taken by the initial request for redirection. Normally this is handled by a 200 HTTP response, indicating that the request was received and that the result is the Blocked URL Page. However, by selecting Redirect blocked pages, you can change the response to a 302 HTTP response, which redirects the browser to another page. The difference between these options is that the 302 HTTP response displays an image of a stop sign in the top right-hand corner of the Blocked URL Page, and the IP address of Network Composer will be displayed in the URL of the web browser requesting the page. To activate the 302 HTTP response, select the checkbox next to Redirect blocked pages. Please note that Redirect blocked pages requires static routes for remote subnets in order to issue the Blocked URL Page; please see the earlier Static Routes section for more information.

The last checkbox available is Reset to Defaults. This option erases any alterations to the Blocked URL Redirection Page and restores the original settings. The box below Reset to Defaults contains the actual Hypertext Markup Language (HTML) code used for the Blocked URL Redirection Page. If you are familiar with HTML, you can alter the text, color, and format of the Blocked URL Redirection Page manually using the code present on the page. The following table suggests which tokens in the code handle the different elements of the page; again, you should be familiar with HTML before making any alterations.


Name                         Syntax              Function
Bypass URL                   %bypassURL%         Posts a link to the Enable Bypass Password
Spyware Removal Tool         %spywareCleaner%    Posts a link to the Spyware Removal Tool
Network Composer Trademark   %productName%       Posts the Network Composer trademark
Blocked URL                  %blockedURL%        Posts the original URL requested by the user that has been blocked
Blocked Reason               %blockedReason%     Posts the reason for the Block URL Redirection Page, e.g., Category, URL
Blocked Message              %blockedMessage%    Posts an explanation of why the page has been blocked, i.e., access to this URL is restricted because...
Bypass Message               %bypassHTML%        Posts a link to bypass the blocked web site, i.e., Click here to bypass
Contact Message              %contactMessage%    Allows users to send an email to the Network Composer administrator for re-categorization of a blocked web site, etc.
Contact Email                %contactAddr%       Posts the email address of the Network Composer administrator

Once you have completed the alterations, don't forget to Apply the changes.
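The token substitution described above, as an added example (not Cymphonix code): a small Python renderer that fills the %token% placeholders from the table, emits the bypass and contact links only when Enable Bypass and Contact Email are configured, and HTML-escapes the blocked URL, which is user-supplied, before reflecting it into the page. The sample template, the bypass URL, the mailto link and the function parameters are assumptions made for illustration.

```python
"""Render a Blocked URL Redirection Page from a %token% template.

Added example, not Cymphonix code. Only the token names come from the
Redirection Pages table; the sample template, the bypass URL and the mailto
link format are assumptions made for illustration.
"""
import html
import re

# Constructed template standing in for the HTML shown in the menu.
SAMPLE_TEMPLATE = """<html><body>
<h2>%productName%</h2>
<p>%blockedMessage% %blockedReason%</p>
<p>%bypassHTML%</p>
<p>%contactMessage%</p>
<p><a href="%spywareCleaner%">Spyware Removal Tool</a></p>
</body></html>"""

DEFAULT_BLOCKED_PHRASE = ("Your access to the website %blockedURL% "
                          "was blocked for the following reason:")
DEFAULT_BYPASS_MESSAGE = "Click here to bypass the filter for this website."
DEFAULT_CONTACT_MESSAGE = ("Ask the administrator to re-categorize this site "
                           "(please paste the blocked URL into the email).")
SPYWARE_CLEANER_URL = "http://spyware.cymphonix.com"

TOKEN_RE = re.compile(r"%([A-Za-z]+)%")


def _attr(value):
    """Escape a value for use inside an HTML attribute (quotes included)."""
    return html.escape(value, quote=True)


def build_token_values(blocked_url, blocked_reason, *, display_reason=True,
                       blocked_phrase=DEFAULT_BLOCKED_PHRASE, bypass_url=None,
                       bypass_message=DEFAULT_BYPASS_MESSAGE, contact_email=None,
                       contact_message=DEFAULT_CONTACT_MESSAGE,
                       product_name="Network Composer"):
    """Compute the replacement text for every token in the table above.

    The blocked URL is whatever the user asked for, so it is untrusted and is
    escaped before being reflected into the page. Messages are treated as
    plain text. bypass_url is an assumed parameter (the guide does not say
    how the bypass link is formed); None means Enable Bypass is off.
    """
    safe_url = _attr(blocked_url)
    # The Blocked Phrase may itself contain %blockedURL%, so expand it first.
    message = html.escape(blocked_phrase).replace("%blockedURL%", safe_url)
    values = {
        "productName": html.escape(product_name),
        "blockedURL": safe_url,
        "blockedReason": html.escape(blocked_reason) if display_reason else "",
        "blockedMessage": message,
        "spywareCleaner": _attr(SPYWARE_CLEANER_URL),
        "bypassURL": "",
        "bypassHTML": "",
        "contactAddr": "",
        "contactMessage": "",
    }
    if bypass_url:  # bypass link only appears when Enable Bypass is on
        values["bypassURL"] = _attr(bypass_url)
        values["bypassHTML"] = (f'<a href="{values["bypassURL"]}">'
                                f"{html.escape(bypass_message)}</a>")
    if contact_email:  # contact link only appears when Contact Email is set
        values["contactAddr"] = _attr(contact_email)
        values["contactMessage"] = (f'<a href="mailto:{values["contactAddr"]}">'
                                    f"{html.escape(contact_message)}</a>")
    return values


def render_block_page(template, values):
    """Substitute tokens in a single pass.

    re.sub never rescans replacement text, so a blocked URL such as
    http://x/%ab%cd% cannot smuggle a token into the page. Unknown tokens are
    left untouched so a typo in the template is visible rather than silent.
    """
    return TOKEN_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


if __name__ == "__main__":
    # Constructed inputs: a request carrying script markup in its query string.
    vals = build_token_values(
        "http://www.example.com/?q=<script>alert(1)</script>",
        "Blocked Category", bypass_url="http://192.0.2.1/bypass?id=42",
        contact_email="admin@example.com")
    print(render_block_page(SAMPLE_TEMPLATE, vals))
```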

Directory Agent Login Page


This menu is covered in more detail under Chapter 7: Integrating Directory Users with Network Composer.

Utilities
The Utilities menu offers several functions that are used for troubleshooting and also deletion of information. Also available are the menus of Support Link (allows Cymphonix Technicians to access your device for remote assistance) and Spyware Removal Tool (utility that allows you to remotely scan and delete Spyware present on infected devices). Each utility should be used with caution as some of the options can drastically erase data and configuration of Network Composer.

System Resets
System Resets is divided into four subsections: Restart Services, Filter Resets, Database Resets, and Device Power Resets.

Restart Services
Restart All Services will stop and reinitialize all system processes such as content filtering, application shaping, and report generation. Normally you will not need to select this option; however, for troubleshooting you may need to select it if a service is not responding correctly. For example, if you are unable to run a report, you may need to restart all services to terminate an orphaned process and allow the report to run again. Restart All Services may cause a temporary drop in traffic, but should allow you to continue a service if it was not functioning correctly before.

Filter Resets
The first option under Filter Resets is Clear SSL Certificate. This option is covered in Chapter 8: Implementing HTTPS/SSL Filtering with Network Composer. After that come Force cymdir.exe Session Timeouts and Flush Web Auth Cache. These utilities are covered in Chapter 7: Integrating Directory Users with Network Composer.

Database Resets
Reset to Factory Defaults sets Network Composer back to the factory settings. This means that all information is erased, as well as all configuration data; the device is returned to the original settings it had when received. Use this option with care, as Reset to Factory Defaults completely wipes the entire system. You will lose your configuration parameters, accounts, rules, telemetry data, licensing information, and annual support contract information. Access to the device is reset to the username admin and the password cymphonix. If you select this option, you must connect a system to Network Composer's LAN port and run the initial configuration of the device.

The next option is Reset the Database. Reset the Database erases the database used by Network Composer for group configuration, device profiling, Internet Usage Rules, and Shaping Rules. This option also erases all historical data on the device. This utility is almost as drastic as Reset to Factory Defaults, except that basic configuration settings, such as the bridge IP address, subnet mask, default gateway, and DNS server, remain intact. Licensing and ASM information also remain. The first table below lists all settings lost with Reset the Database; the second lists which options will be enabled or disabled after resetting the database. If an item is not mentioned, it will be retained.

Lost Settings after Resetting the Database
Report: All information
Manage: Groups, Time of Day Rules, Custom IURs, Shaping Rules, Network Nodes, Directory Users, Broadcasts, Custom Logins, Custom TFRS, Custom Application Sets, Custom Applications
Admin: Mail server, Backup Settings, Update Settings (dates erased), Logs (erased)

Default Settings after Resetting the Database
Manage: All users assigned to Default Group; Default IUR set to Web Filter + IM
Admin: System Access admin; cymphonix; NTP Server set to pool.ntp.org; HTTP Keep-Alive Mode selected; Allow DNS and HTTP Block page for Deny Access; Traffic Flow Rule Set not selected; Enable Summary Tables selected; Database Timeout set to 5 minutes; Default Settings for Group Member Type Precedence; Default Settings for Special Domains; Web Time Online set to 20 seconds; Default Times for Update Settings; SSL Certificate Settings set to default; Blocked URL Redirection Page set to default; Directory Agent Login Page set to default; Domain set to cymphonix.com; Enable Port Scanning/OS Detection selected; Enable TCP Window Scaling selected

Although resetting the database can be drastic, this option is necessary in many scenarios. For example, if you have made extensive changes to your network such as new IP address schemes or new hardware, you will want to reset the database to avoid invalid licenses, incorrect device profiles, or inconsistent grouping. Another scenario that may require resetting the database is moving Network Composer within the network or from one network to another. Also, whenever you remove subnets from the Remote Subnets settings, you will need to reset the database.

Reset Telemetry Data is the least drastic of the reset options. This utility only erases the historical data from Network Composer. For example, web logs, Application reports, and Device Status reports will be erased with this option, but groups, IURs, Shaping Rules, and other settings will be retained. This utility is mostly used when a particular web log needs to be erased while rules and groups remain.

The final database reset option is Reset Telemetry and Profile Data (Preserves IURs, Shapers, and the Filter Bypass Group). This option is similar to Reset the Database except that Internet Usage Rules, Shaping Rules, and members of the Filter Bypass Group by CIDR Block Override will be retained. If you need to reset the database but would like to retain these settings, you can select this option instead.

Device Power Resets
The last two options control the actual power of Network Composer. Hardware Shutdown will physically shut down the device and should be used when the device needs to be powered down. Hardware Reboot powers down the device and automatically powers it back up. All these options require confirmation via a dialog box. Do not power down Network Composer by pulling the power cord or pressing the power button on the front bezel; those procedures should only be used when there is no other alternative for powering down the device.

Support Link
Support Link is a utility that allows a Cymphonix technician to access your Network Composer remotely and assist in troubleshooting or configuring the device. To activate a support link, you must first call Cymphonix Technical Support for a port number. This port number is only relevant to the technician and used on his/her side. Network Composer will require outbound access to the Internet on port 22 (both TCP and UDP) for the support link to work. Once the technician issues you the port, enter in the number and select Connect.

Spyware Removal Tool


Network Composer has several tools that can identify applications and devices that are infected with spyware. Once a device has been identified as infected, Network Composer offers a removal tool that allows you to scan the hard drive of the infected device and remove or quarantine the infected program. This tool is powered by Counter Spy and is called the Spyware Removal Tool. It can be activated by accessing the GUI of Network Composer from the infected device or by having the user browse to http://spyware.cymphonix.com. Once activated, the Spyware Removal Tool will prompt the user to download and install a program called WebDeploy.cab. This program is used to push the latest spyware definitions to the computer. You may also need to install an ActiveX control for browsing capabilities. Once the Spyware Removal Tool has been installed properly, you can select a Quick Scan, Full Scan, or Cookies scan. After you choose which scan to perform, the Spyware Removal Tool will begin to scan the hard drive for infected applications. You can pause or stop this scan at any time. As soon as the scan is completed, you will be presented with the results, i.e., which applications were infected, which applications were quarantined, etc.

Please note that the Spyware Removal Tool can only be used on computers running a Windows OS, and users must have administrative rights to the hard drive, as the Spyware Removal Tool scans the entire drive.

This concludes the chapter on administering Network Composer. The next chapters deal with additional options that allow you to use Network Composer with an existing directory on the network to track traffic by Directory Users, and to filter secure web traffic via HTTPS/SSL Filtering.


Chapter 7: Integrating Directory Users with Network Composer


Network Composer by default tracks all web and application traffic based on device addresses (MAC addresses or IP addresses). This is to say, by default Network Composer will report traffic by each individual device located on the network and list the traffic by Network Nodes. However, reporting by these criteria may be daunting or insufficient as IP addresses can change constantly or users will move from one machine to another on the network. In these cases, reporting by Directory Users may be more useful as Network Composer can monitor and report based on Directory User Names as well as by Network Nodes. This chapter will explain how to integrate Directory Users with Network Composer. The following topics will be explained.

Directory Overview
Directory Options
Directory Configurations
Directory Troubleshooting

Directory Overview
Integrating Directory Users with the Network Composer consists of two steps: (1) allowing Network Composer access to your directory server, and (2) identifying when users are accessing the network. The first step can be accomplished through either the Directory Agent or LDAP settings while the second step is done via the Directory Client, LDAP Client, or Web Authentication. Choosing which option depends upon the architecture of your network and how you are going to identify Directory Users on your network.


The Directory Client, LDAP Client, and Web Authentication are processes that signal to Network Composer when users are logging onto the network. These processes correlate the Directory User profile to the corresponding Network Node in use. Review the following diagram.

Figure 7.1 Directory Integration with Network Composer

Network Composer uses both processes to identify Directory Users and filter accordingly. For example, when a user logs into a computer, the Directory Client, the LDAP Client, or Web Authentication will signal to Network Composer where the user is located and what credentials were used to access the network. When Network Composer receives this traffic, it then queries the directory server, either through the Directory Agent or LDAP Settings, to find the user with his/her associated group, Organizational Unit (OU), attribute, or other settings from your directory structure. Once the user has been identified, Network Composer will then apply any filtering or shaping rules to the user and begin reporting traffic by the Directory User profile. When the user logs out or logs into another computer, the Directory Client, LDAP Client, or Web Authentication again sends an appropriate signal to Network Composer that the user has logged out or started using a new workstation. Using these processes, Network Composer can monitor all web traffic by Directory User regardless of where in the network he/she is located and apply appropriate rules to the traffic.

The first step in integrating Directory Users with Network Composer is deciding which option fits your network best. Each option is designed for specific scenarios and has inherent advantages as well as disadvantages.

Directory Options
Use the following Directory User Decision Tree to help you decide which Directory Option is correct for your environment. Again, each Directory Option is designed for specific scenarios or networks to facilitate Directory User integration. In essence, you will need to decide which level of Directory User integration is right for your organization and which requirements can be met by your network. The Directory Decision Tree is followed by descriptions of each Directory Option and a Directory Matrix listing the advantages and disadvantages of each Directory Option.

Figure 7.2 Directory User Decision Tree

Directory Option 1: Directory Agent with Directory Client (cymdir.exe)


This is the recommended option for most networks. This option allows Network Composer to immediately identify when users are accessing the network while synchronizing with the already defined directory groups, OUs, or user attributes. This method involves installing the Directory Agent on your directory server and deploying a Directory Client through the login process to identify when users access the network.

The advantages of this option are immediate identification of users when they access the network and more accurate application reporting based on Directory Users. Because users execute the Directory Client as they log in to the network, Network Composer is instantly notified of the user and is able to associate all traffic with the corresponding Directory User. The Directory Client supports Windows 64-bit, Windows 32-bit (2000 SP4 or above), and Macintosh OSX (10.3 or above) Operating Systems (OS). The disadvantages of this option are that it only supports Microsoft Active Directory and computers that are members of the Active Directory domain. In addition, this option will not report on individual users through Terminal Services sessions or Citrix sessions.

Directory Option 2: Directory Agent with IP Lookup


This option is designed for networks that cannot deploy the Directory Client because no login process is initiated, login credentials are cached locally on devices, or company policies restrict pushing end-client processes. With this option, Network Composer identifies Directory Users when they initiate web (HTTP) traffic. After Network Composer intercepts the initial web request from a user, Network Composer (through the Directory Agent) petitions the directory server to find the credentials used to log in to the device. This option involves installing the Directory Agent on your directory server and creating an Internet Usage Rule that uses IP Lookup. Because IP Lookup petitions the directory server to find login credentials, the Directory Agent must be installed on the directory server with administrator rights (Log on as Administrator). In addition, users' computers must run Windows 2000 (SP4) or above and must be joined to the domain. For computers to successfully communicate login credentials to the directory server, File and Print sharing must be enabled and their primary DNS server must be set to the IP address of the Active Directory server. Lastly, you will need to create two groups for this feature: one for the devices used by the users (Network Node Group) and another for the Directory Users (Directory Group). Both groups will need to use the same Internet Usage Rule (IUR) configured to use Web Based Authentication-IP Lookup. The main advantage of this option is that you do not have to execute the Directory Client during the login process. Also, if successfully executed, IP Lookup seamlessly identifies users without presenting them a secondary login page. One disadvantage is that users will not be correctly identified until Network Composer first receives web (HTTP) traffic from them. As such, there may be some discrepancy in application control and reporting for users.

Directory Option 3: Directory Agent with NTLM


This option is intended for networks that use Terminal Server and Citrix Server sessions. Please note that Citrix Servers offer a feature called Virtual IPs (VIPs), which will allow you to use Directory Option 1: Directory Agent with Directory Client. If you can enable VIPs with your Citrix Servers, using Directory Option 1 is recommended. Directory Option 3 allows Network Composer to identify individual users through devices or applications that use one single IP address for several users. With this option, you will be able to identify and filter individual users that access the Internet from the same device.

This option requires that you install the Directory Agent on your directory server and then deploy proxy settings to users' web browsers. Essentially, users send web traffic to Network Composer, which acts as a proxy. This allows Network Composer to identify users based on web sessions rather than by IP address (the method used by all other directory options). In addition, you will need to create two groups: one Network Node Group that includes the Terminal Services servers or Citrix Servers, and one Directory User Group that includes the Directory Users. Both groups will use the same Internet Usage Rule set to Web Authentication-NTLM. The main advantage of this option is the ability to individually identify and filter users through Terminal Server or Citrix Server sessions. Although users will be using identical devices to browse the Web, you can enforce different filtering policies based on Directory Users. The main disadvantage is that all application reporting and control are global for these users. Essentially, you will be able to control application and bandwidth traffic for the Terminal Services server or Citrix server, but not for specific users. Also, you will need to configure proxy settings accordingly. This option only supports Windows (2000 SP4 or above) devices.

Directory Option 4: Directory Agent with Login Page


This option is designed as a failsafe in the event that Directory Option 2 or Directory Option 3 does not succeed, or if users have directory accounts but their devices are not members of the domain. This option allows you to present users with a login page, where they can enter their username and password. Network Composer then verifies the credentials and enforces any filtering or shaping rules on the devices used to access the network. This option requires that the Directory Agent is installed on your directory server and that you create an IUR set to Require Web based authentication. This allows Network Composer to identify users based on their initial web (HTTP) requests and then query the directory server to confirm the user. You can also edit the login page presented to users under Admin -> Redirection Pages -> Login Page. This menu allows you to name the Login Page and add a description and a username hint. You can also completely alter the page by using the HTML code present on the page. The main advantage of this scenario is that you can confirm Directory Users regardless of the device in use. Whether users access the network via Microsoft PCs, Macintosh computers, Linux devices, or even handheld PDAs, Network Composer presents all users with a login page before they access the Web. The main disadvantage of this scenario is that (depending upon your network) users may be presented with two login processes: one for the computer or network and one for Internet access. Also, users must have a login for the directory to use this feature; you cannot create a Network Composer login specific to this feature. If you are attempting to use this feature for guest users, we recommend you create a guest account on your directory server and either inform guest users of the credentials or alter the login page to present this information. Another disadvantage is that users will not be correctly identified until Network Composer first receives web (HTTP) traffic from them. As such, there may be some discrepancy in application control and reporting for users. In addition, as with all Web Authentication options, you will need to create two groups for users: one for their devices (Network Node Group) and one for Directory Users (Directory Group). Both groups will need to use the same Internet Usage Rule set to Web Authentication.

Directory Option 5: LDAP Settings with LDAP Client (cymldap.exe)


The last directory option is mainly designed for networks that do not use Microsoft's Active Directory. This option supports eDirectory, True Open LDAP, and also Microsoft AD if you cannot install the Directory Client on the directory server. This option allows Network Composer to identify users based on user names and manual creation of groups for these users. This option requires that you create an account for Network Composer on your directory server and that you deploy the LDAP Client during the login process. Directory Option 5 supports both Windows (2000 SP4 or above) devices and Macintosh OSX (10.3 or above) computers. The main advantage of this option is support for networks that do not use Microsoft's AD. The main disadvantage is that you will have to manually create groups on Network Composer for these users. In other words, you will not be able to synchronize already created directory groups, OUs, or attributes from your directory server. Lastly, this option only supports integration with one directory. Below is a Directory Matrix listing all Directory Options with their accompanying advantages and disadvantages. Although each Directory Option is targeted at a distinct network, you can use a combination of options. For example, you could use Directory Option 1 for your static directory users and Directory Option 4 for roaming users. Also, Web Authentication (which encompasses Directory Options 2 through 4) can be used in conjunction with all other options. By identifying which option is best for which set of users, you can create Directory Groups designed around each option. Once you decide which option is best for your groups, you can proceed by following the configuration steps for the Directory Options.


Network Composer User Guide

Figure 7.3 Directory User Matrix

Directory Configurations
After deciding which Directory Option to use, you will need to follow the individual steps for the corresponding option. The list below gives the configuration steps for each Directory Option; the sections that follow describe these steps.

Directory Instructions

Directory Option 1: Install Directory Agent, Create Directory Agent, Create Directory Agent Group, Deploy Directory Client, Create Directory IURs.

Directory Option 2: Install Directory Agent, Create Directory Agent, Create Network Composer Group, Create Directory Agent Group, Create Directory IURs.

Directory Option 3: Install Directory Agent, Create Directory Agent, Create Network Composer Group, Create Directory Agent Group, Create Directory IURs.

Directory Option 4: Install Directory Agent, Create Directory Agent, Create Network Composer Group, Create Directory Agent Group, Create Directory IURs.

Directory Option 5: Enable LDAP Settings, Deploy LDAP Client, Create LDAP Groups, Create Directory IURs.

Install Directory Agents


The Directory Agent allows Network Composer to synchronize your directory groups, OUs, or user attributes with Network Composer's Directory Groups. The Directory Agent also indicates how to display user names under Reports. You can download the Directory Agent under Admin -> Downloads -> Directory/LDAP Software -> Download 32-bit Active Directory Agent. The Directory Agent must be installed on a Windows (2000 or above) server that has access to the directory, e.g., the Active Directory server, a domain controller, etc. Once downloaded, double-click the Directory Agent installation package. This presents the Directory Agent Installation Wizard. Follow the steps of the Wizard by accepting the License Agreement, selecting a destination folder (C:\Program Files\Cymphonix Directory Agent\ is the recommended placement), and entering the Directory Agent Settings.

Figure 7.4 Directory Agent Settings

The Directory Agent Settings allow you to specify how Network Composer will communicate with the Directory Agent. In this step, you can adjust the port used to communicate (we recommend you use the default setting of TCP 3462) and the password for authentication to and from the Directory Agent. Remember these settings, as you will need to use the same settings when creating the Directory Agent on Network Composer. Once complete, select Finish as the last step for installing the Directory Agent. If you need to support multiple directories, perform the same steps on the additional directory servers.

There are certain events that can cause the Directory Agent to fail. To avoid this, you can configure the Directory Agent to restart after failures. Access the Services on your directory server (Start -> Administrative Tools -> Services) and search for the service called Cymphonix Directory Agent. Right-click the Cymphonix Directory Agent service and select Properties. On the Recovery tab, you can select Restart the Service under First Failure, Second Failure, and Subsequent Failures.

Figure 7.5 Cymphonix Directory Agent Properties

One final note is that the Directory Agent needs domain user access with all Directory Options except Directory Option 2: Directory Agent with IP Lookup. That option requires that the Directory Agent has administrative access (Log On as Administrator) to the directory server, which allows the Directory Agent to force the directory server to retrieve user credentials. Make sure you select Log On as Administrator with this option.


Figure 7.6 Cymphonix Directory Agent Properties

Create Directory Agents


The second part of using the Directory Agent is to establish an association with Network Composer. This is done by creating the Directory Agent on Network Composer, which allows the device to synchronize directory groups, OUs, and user attributes. Go to Manage -> Directory Users & Nodes -> Directory Agent and click the Create button. This brings up the Add/Edit Directory Agent menu. In this menu you can name the Directory Agent, but more importantly you will specify the IP address of the AD server where the Directory Agent is installed. Also enter the Directory Agent settings from the previous section, i.e., the TCP port (recommended port 3462) and the Directory Agent password. Once you have entered these settings, click Save; Network Composer will attempt to contact the Directory Agent to confirm it can communicate with it. If any errors are returned, verify that you have entered the correct IP address, TCP port number, and password. If you have installed multiple Directory Agents, you will need to create a corresponding Directory Agent entry on Network Composer for each of them.

Create Network Composer Groups


Directory Options 2, 3, and 4 differ in that the Directory Client is not used to indicate when Directory Users access the network. Rather, Network Composer identifies Directory Users by their initial web (HTTP) requests. Because of this, there is a potential that non-web (HTTP) traffic coming from users will not be handled or grouped correctly until they access the web. To compensate for this, you will need to create Network Node Groups for the devices that will be used by Directory Users, to ensure that all their traffic is handled correctly. To do this, follow the steps under the section Groups in Chapter 5: Managing Network Composer. Add the devices that the Directory Users will be using to access the network. For example, if you are using Directory Option 3: Directory Agent with NTLM, you will place the Citrix servers or Terminal Services servers into this group. Later, you will create a single Internet Usage Rule that will be used by both the Network Node Group and the Directory Users Group. If you are unaware of the exact devices that will be in use by the Directory Users, you can create a Network Composer Group based on the IP address range assigned to their devices. Again, see the section Groups in Chapter 5: Managing Network Composer for information on how to create Network Composer Groups with different member types. An additional option is to have the Default Group (all unassigned devices) use the same Internet Usage Rule as your Directory Users.

Create Directory Agent Group


Directory Agent Groups are created under the same menu as Network Composer Groups. The difference with Directory Agent Groups is that these groups use the Directory Agent and your directory server to identify Directory Users. You must first install and create a Directory Agent before you can create Directory Agent Groups. Click Manage -> Policies & Rules -> Groups -> Create -> Create a Directory Agent Group. This opens the Add/Edit Directory Agent Group Detail. In this menu, you will need to assign a name for the Directory Agent Group as well as a description. Afterwards, select which Directory Agent you will use to synchronize the Directory Agent Group from the Directory Agent drop-down box. Once you have selected your Directory Agent, click the Add Members button. Network Composer will now communicate with the Directory Agent and query your directory server for Distribution Groups or Security Groups. To add these groups, select the empty checkboxes next to the groups and then click the OK button. If you need to select multiple profiles, you can use Shift + Click or CTRL + Click accordingly.

Distribution or Security Groups are just one of four member types you can synchronize with the Directory Agent. You can also synchronize Organizational Units (OUs) and user attributes. To select these different member types, click on the Choose a Member Type drop-down box under the Add Directory Group Members menu. If you select OUs, again, Network Composer will communicate with the Directory Agent and query your directory server for OUs. You can then select the profiles for the OUs with the empty checkboxes and select Add. If you choose Attribute or Custom, you will be prompted to define the user attribute of the Directory Users you want to synchronize to the Directory Agent Group. Attributes are characteristics or distinguishing features that are applied to users. You can use the Directory Agent to query the directory server, find distinguishing attributes, and group users accordingly. The two menus (Attributes and Custom) require advanced knowledge of your directory and your users' attributes. With Attribute you will need to specifically identify which user attribute identifies members of the Directory Agent Group, i.e., phone numbers, names, locations, etc. With Custom, you can use a combination of Attributes.

Below is a table of some common attributes used in directory servers and how to synchronize groups based on them. Use this guide, or your own directory attributes, to assist in synchronizing Directory Agent Groups with Network Composer.

Common Directory Attributes

Attribute                 Example
CN (Common Name)          CN=John Doe
displayName               displayName=John Doe
givenName                 givenName=Joe
objectCategory            objectClass=user
sAMAccountName            sAMAccountName=jdoe
userPrincipalName         userPrincipalName=jdoe@mycompany.com
mail                      mail=jdoe@mycompany.com
c (Country)               c=usa
company                   company=mycompany
department                department=IT
location                  location=remote site
manager                   manager=boss
postalCode                postalCode=11111
st (State)                st=New York
streetAddress             streetAddress=123 Main
telephoneNumber           telephoneNumber=111-111-1111

An example of how to synchronize Directory Agent Groups based on Attributes would be creating a Directory Agent Group for all users that are upper level managers. The Attribute would read "manager", followed by "is exactly", and then "upper level".

Figure 7.7 Attribute Example

This Directory Agent would then query the directory server for any user that has an Attribute of manager set to upper level. Accordingly, every time upper level managers access the network, Network Composer will group the users as a result. Again, the Attribute member type requires a high level of understanding of how to identify specific characteristics of Directory Users. The examples listed above are common directory attributes, but keep in mind that your directory server may have its own attributes specific to your organization. Because of this, you may need to perform some independent research on how to use the Attribute feature. The drop-down options for the Attribute member type are: is exactly, is approximately, is not, is less than or equal to, is greater than or equal to, contains, does not contain, starts with, and ends with. The Attribute and Value fields allow you to enter case sensitive options from your directory server.

The Attribute member type allows you to specifically identify how to synchronize Directory Agent Groups based on a single attribute. However, if you want to synchronize Directory Agent Groups based on multiple Attributes, you will need to select the Custom member type. Custom allows you to synchronize Directory Agent Groups based on combined attributes. Using the example above, we could create a group based on all upper level managers that didn't include those from a remote site. The custom attribute would read "manager" followed by "= upper level". Towards the end would be the attribute for the stipulation to not include the remote site: "! location=remote site". The Custom member type requires that you separate the different Attributes as well as enclose the entire string in parentheses to identify these Directory Users correctly, e.g., ((manager=upperlevel)!(location=remote site)).

Figure 7.8 Custom Example

The following table lists common operators used with Directory Custom Attributes.

Common Directory Operators

Operator    Meaning
&           And
|           Or
!           Not
=           Equals
~=          Approximately
>           Greater than
<           Less than
>=          Greater than or equals
<=          Less than or equals
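To make the Attribute and Custom member types concrete, here is an added example (it is not part of the guide and not Cymphonix code) that evaluates attribute filters against a few constructed user records, using the operators from the table above. It assumes the standard LDAP search-filter form (RFC 4515), in which combined filters are written prefix-style, e.g. (&(manager=upper level)(!(location=remote site))); that is an assumption about how the Custom field combines attributes, and the guide's own example string is ((manager=upperlevel)!(location=remote site)). The sample users, their attributes, and the select() helper are all constructed for the example; values compare case-sensitively, as the guide states for the Attribute and Value fields.

```python
"""Evaluate LDAP search filters (RFC 4515 syntax) against user records.

Added example, not Cymphonix code. It assumes the standard prefix form of
combined filters, e.g. (&(manager=upper level)(!(location=remote site))),
and a few constructed directory entries. Values compare case-sensitively,
matching the guide's note that the Attribute and Value fields are case sensitive.
"""
import re

# Constructed sample entries: attribute -> list of values (LDAP attributes are multi-valued).
USERS = {
    "jdoe": {"cn": ["John Doe"], "manager": ["upper level"],
             "location": ["HQ"], "department": ["IT"], "postalCode": ["11111"]},
    "asmith": {"cn": ["Ann Smith"], "manager": ["upper level"],
               "location": ["remote site"], "department": ["Sales"],
               "postalCode": ["22222"]},
    "bwong": {"cn": ["Bo Wong"], "manager": ["boss"],
              "location": ["HQ"], "department": ["IT"], "postalCode": ["33333"]},
}

# attribute, operator, value.  '>' and '<' are not in RFC 4515 but appear in the
# guide's operator table, so they are accepted here as an extension.
_ITEM = re.compile(r"^([A-Za-z][\w.;-]*)(~=|>=|<=|>|<|=)(.*)$")


def parse(text):
    """Parse a filter into ('&'|'|'|'!', children) or ('item', attr, op, value) tuples."""
    text = text.strip()
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text after filter: %r" % text[pos:])
    return tree


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, kids), i + 1
    if i < len(s) and s[i] == "!":
        kid, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! filter")
        return ("!", [kid]), i + 1
    j = s.find(")", i)          # values containing ')' are not supported here
    if j < 0:
        raise ValueError("unterminated filter item")
    m = _ITEM.match(s[i:j])
    if not m:
        raise ValueError("bad filter item: %r" % s[i:j])
    attr, op, value = m.groups()
    return ("item", attr, op, value), j + 1


def _compare(have, want):
    """Numeric comparison when both sides are numbers, else string order."""
    try:
        a, b = float(have), float(want)
    except ValueError:
        a, b = have, want
    return (a > b) - (a < b)


def matches(tree, entry):
    """True if the directory entry satisfies the parsed filter."""
    kind = tree[0]
    if kind == "&":
        return all(matches(k, entry) for k in tree[1])
    if kind == "|":
        return any(matches(k, entry) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, op, want = tree
    # Attribute *names* are case-insensitive in LDAP; values are not (per the guide).
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if not values:
        return False            # an absent attribute never matches any item
    if op == "=":
        if want == "*":         # presence test
            return True
        if "*" in want:         # substring match, e.g. (cn=J*Doe)
            pattern = ".*".join(re.escape(p) for p in want.split("*"))
            return any(re.fullmatch(pattern, v) for v in values)
        return any(v == want for v in values)
    if op == "~=":              # approximate: ignore case and spacing
        norm = lambda x: "".join(x.lower().split())
        return any(norm(v) == norm(want) for v in values)
    ordering = {">=": (0, 1), "<=": (-1, 0), ">": (1,), "<": (-1,)}[op]
    return any(_compare(v, want) in ordering for v in values)


def select(filter_text, users=USERS):
    """Return the sorted user names matching the filter."""
    tree = parse(filter_text)
    return sorted(name for name, entry in users.items() if matches(tree, entry))


if __name__ == "__main__":
    # Upper level managers who are not at the remote site -> ['jdoe']
    print(select("(&(manager=upper level)(!(location=remote site)))"))
```

Note how the negation behaves: (!(department=IT)) matches a user whose department is Sales, but a user with no department attribute at all matches neither (department=IT) nor its negation, which is the usual reason an attribute-based group comes out smaller than expected.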

Once more, using the Custom member type requires advanced knowledge of how to define Directory Attributes. If you are having difficulty creating Directory Agent Groups based on Attributes or Custom, please contact your Authorized Cymphonix Reseller or Cymphonix Support at (801) 938-1500 option 2. One last note is that you can also combine Directory Users into one group using a combination of the different member types.

After you have added members to the Directory Agent Group, you can review the Directory Members by selecting Show User List. This menu is available under the Add/Edit Directory Agent Group Detail. Select the checkbox next to each Directory Member and click the Show User List button. You can also remove Directory Members with the Remove Members button. The Edit Member button is only available for Directory Members based on the Attributes or Custom member types.

The last option available under the Add/Edit Directory Agent Group Detail is Edit Precedence. This setting is used when you have created multiple Directory Agent Groups and may have conflicting user membership. For example, if you have two Directory Agent Groups based on OUs and some users are members of both OUs, you can use Edit Precedence to specify which Directory Agent Group assignment takes priority. Edit Precedence allows you to drag and drop Directory Agent Group names to adjust group precedence. After you have synchronized your Directory Agent Groups, make sure to Save your changes.

Deploy Directory Client/LDAP Client


The Directory and LDAP Clients are small executable files that send user information to Network Composer. These transmissions are called heartbeats. They allow Network Composer to identify the specific user that is generating network traffic from a particular computer. In essence, the Directory and LDAP Clients identify the traffic by user name and associate it with the current computer's IP address. While the Client continues to send heartbeats, Network Composer watches traffic from that IP address and associates it with the user. Once the user logs out, the Client stops sending heartbeats, and Network Composer disassociates the IP address from the user name. Thus, the Directory and LDAP Clients allow Network Composer to identify user traffic for monitoring, shaping, and blocking. The steps to deploy these two clients are similar.

Directory Client/LDAP Client Versions
There are three versions each of the Directory and LDAP Client. The three versions of the Directory Client are cymdir.exe (Directory Client for 32-bit Windows OS), cymdir_64.exe (Directory Client for 64-bit Windows OS), and cymdir_MAC (Directory Client for Macintosh computers). The three versions of the LDAP Client are cymldap.exe (LDAP Client for 32-bit Windows OS), cymldap_64.exe (LDAP Client for 64-bit Windows OS), and cymldap_MAC (LDAP Client for Macintosh computers). Please note that both the Directory and LDAP Clients are compatible with Windows 2000 SP4 and above as well as Macintosh OS X 10.3 and above. This next section details how to deploy the Directory and LDAP Client on 32-bit Windows XP. The Macintosh clients have readme files that explain how to deploy the cymdir_MAC and cymldap_MAC clients. You can download the Macintosh client to access the readme files under Admin -> Configuration -> Downloads -> Directory/LDAP Software. The other Directory Clients are also available under Admin -> Downloads -> Directory/LDAP Software. The LDAP Clients are available under Admin -> Downloads -> Directory/LDAP Software -> Click here for legacy executables.

Once you download the Directory or LDAP Client, you will want to execute the file locally to see some of the help features that the Clients offer. You can also test how user names will be posted with Network Composer. You will need to be logged into a Windows PC that is a member of the domain for these steps to work.

Executing the Directory/LDAP Client
Place the Directory or LDAP Client on your desktop. Now, double-click the executable. Although the Clients are signed applications, your security settings may trigger a warning about running executables. Simply click Run to continue executing the Client. You should receive the following help dialog box.


Figure 7.9 Directory Client Help Dialog Box

Without any parameters set for the Clients, you should receive a help dialog box like the one shown above. This help dialog box appears when the Clients are unable to send heartbeats to Network Composer or have other communication errors. It also appears if there are syntax errors or if no Network Composer IP address is provided. The Help Dialog provides several useful pieces of information:

Error Messages: this message appears when a connection failure is present for the Clients. Causes of connection failures include invalid IP addresses assigned as parameter values, Network Composer being powered off, computers running the Clients being unable to connect to the network, bad command line parameters, etc. You can use the Error Message to diagnose problems with the Clients if they occur.

Authentication Type: this message shows which type of authentication appears to be on the network, such as Windows authentication or Novell authentication. If both are available, you can choose which you prefer by using the /AD switch (see Usage below).

Authentication Information: this displays the current user logged into the computer as well as the Domain (Windows) or Context (eDirectory). If the computer is not part of a Domain, the Clients will return the name of the Windows workstation.

Usage: this shows the proper syntax for command line options given to the Clients. Please note that the Network Composer IP address is always required and should always come last.

  /ad switch: this option is only necessary under either of the following conditions: some of your workstations have the Novell Client installed, or you want to use Active Directory even though eDirectory is present. This option forces the Clients to send Windows Active Directory user information and not eDirectory user information.

  /tcp switch: this option forces the Clients to use TCP connections instead of UDP. UDP connections are preferred as they do not require static routes; however, this option is available for backwards compatibility and troubleshooting. If you enable this option, you will need to create static routes accordingly. Please see the section Static Routes in Chapter 6: Administrating Network Composer.

  /silent switch: this option prevents the help dialog from coming up under any circumstances. This setting is not recommended for troubleshooting and testing purposes; however, under normal usage this option is recommended, and it should be used when you deploy the Clients in your production environment. By doing so, you will prevent end users from seeing this dialog box and possibly disabling it or causing other problems.

  /sleep switch: this option changes the number of minutes the Clients will let pass before sending heartbeats and becoming dormant. The default setting is 5 minutes. The value must be 1 minute or greater, and with the LDAP Client (cymldap.exe) it should be less than the LDAP Client Heartbeat Timeout (Admin -> Configuration -> LDAP Settings).

  IP address: this parameter is necessary to direct the Client to Network Composer for heartbeats. You will need to use the IP address of Network Composer.

Complete Usage Information: this option lists further reference information for assistance on deploying the Clients.
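The heartbeat bookkeeping described at the start of this section, as an added example that is not part of the guide or of Cymphonix's software: a small tracker that builds the IP-to-user table from heartbeats and drops a binding once the Client has gone quiet. The expiry rule (the /sleep interval plus a one-minute grace period), the minute-based clock, the sample IP address, and the user names are all assumptions constructed for the example; Network Composer's real timing is not stated in the guide.

```python
"""Model of how Directory/LDAP Client heartbeats bind a user name to an IP.

Added example, not Cymphonix code. Network Composer's real bookkeeping is
not published; this tracker assumes a binding lapses once no heartbeat has
arrived within the Client's /sleep interval plus a small grace period.
Times are minutes on a constructed clock.
"""
from dataclasses import dataclass

DEFAULT_SLEEP_MINUTES = 5   # the Client's default /sleep value from the guide


@dataclass
class Binding:
    user: str
    domain: str
    last_heartbeat: float


class HeartbeatTracker:
    """Keeps the IP -> user table built from heartbeats, plus an audit trail."""

    def __init__(self, sleep_minutes=DEFAULT_SLEEP_MINUTES, grace_minutes=1):
        self.expiry = sleep_minutes + grace_minutes   # assumed expiry rule
        self.table = {}     # ip -> Binding
        self.events = []    # (time, event, ip, old_user, new_user)

    def heartbeat(self, ip, user, domain, now):
        """Record a heartbeat; a different user on the same IP replaces the old binding."""
        self.expire(now)
        previous = self.table.get(ip)
        if previous is None:
            self.events.append((now, "associated", ip, None, user))
        elif previous.user != user:
            # Shared PC, fast user switching, or DHCP lease reuse: re-bind and log it.
            self.events.append((now, "reassigned", ip, previous.user, user))
        self.table[ip] = Binding(user, domain, now)

    def expire(self, now):
        """Drop bindings whose Client has gone quiet (logged out, shut down, off-network)."""
        stale = [ip for ip, b in self.table.items()
                 if now - b.last_heartbeat > self.expiry]
        for ip in stale:
            self.events.append((now, "expired", ip, self.table[ip].user, None))
            del self.table[ip]
        return stale

    def user_for(self, ip, now):
        """Name to attribute traffic from ip to, or None if the device is unbound."""
        self.expire(now)
        binding = self.table.get(ip)
        return binding.user if binding else None


def run_scenario():
    """Constructed timeline on one workstation; returns (decisions, events)."""
    ip = "192.168.1.10"                     # constructed sample address
    tracker = HeartbeatTracker()
    decisions = []
    for t in (0, 5, 10):                    # jdoe's Client heartbeats every 5 minutes
        tracker.heartbeat(ip, "jdoe", "MYDOMAIN", t)
    decisions.append((14, tracker.user_for(ip, 14)))   # still within 5 + 1 minutes
    # jdoe logs out after the 10-minute heartbeat, so no more arrive.
    decisions.append((17, tracker.user_for(ip, 17)))   # 7 minutes silent: unbound
    tracker.heartbeat(ip, "asmith", "MYDOMAIN", 20)    # next user logs in
    tracker.heartbeat(ip, "bwong", "MYDOMAIN", 22)     # a different user, same IP
    decisions.append((23, tracker.user_for(ip, 23)))
    return decisions, tracker.events


if __name__ == "__main__":
    for line in run_scenario()[1]:
        print(line)
```

The "reassigned" and "expired" events are the ones worth watching from a reporting standpoint: between a user logging out and the binding expiring, and whenever two accounts report from one IP in quick succession, traffic can be attributed to the wrong person, which is exactly why the guide pairs a Network Node Group for the devices with the Directory Group for the users.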

Once you have reviewed the options available on the help dialog box for the Clients, you may exit the dialog box and properly execute the Client locally for testing. Please follow these steps:
1. Open a Windows Run Prompt (Start -> Run).
2. Type cmd in the Open dialog box.
3. Click OK.
4. Drag cymdir.exe or cymldap.exe to the Command Prompt and drop it (this will paste the full path).
5. After cymdir.exe or cymldap.exe, type in the IP address of the Network Composer (in this example, we will use 192.168.255.2).


Figure 7.10 Command Line Syntax for Directory Client

6. Execute the command by pressing ENTER.
   a. If the help dialog is raised, then there were communication errors. Review the syntax and correct any possible errors, i.e., IP address, switches, etc.
   b. If the help dialog is not raised, then the command executed properly. You can verify this by looking at the process list in the Windows Task Manager. A process called cymdir.exe or cymldap.exe should be listed.

Now that you have properly executed the Client locally, let's confirm that Network Composer received the heartbeat and posted the correct username. Click Manage -> Directory Users & Nodes -> Directory Users. Verify that a new profile is listed under the username used to access the computer.

Deploying the Directory/LDAP Client
Now that you have confirmed that the Client can communicate with Network Composer, you are ready to deploy the Client in your network. Because each network is unique, the User Guide and Cymphonix cannot make specific recommendations as to how you should integrate the Directory/LDAP Client into your network and directory server. This section provides the best information available; however, please note that this information is provided AS-IS and without warranty of any kind. There are a variety of ways to deploy the Directory/LDAP Client in your network so that it executes when users log in to the domain. The most common ways are the following:
Batch file
Registry Setting
Domain Group Policy Object (GPO)
Netware Login Script
VB Script
Registry Key
Shortcut in Startup folder

All of these methods employ different means for executing the Directory/LDAP Client. However, this chapter will only cover how to deploy the Directory/LDAP Clients via a batch file, registry settings, Domain GPO, and Netware Login Script. Other methods presented will need to be researched and deployed at your discretion. Again, because each network is different, this User Guide will not advise which method is better. This guide merely presents the most common techniques used. The examples below are for the Directory Client; if you are using the LDAP Client, simply use cymldap.exe in place of cymdir.exe.

Creating a Batch File for Directory/LDAP Client
1. Pick a file directory on your directory server that will store both the batch file and the Client (for example \\server\share\folder).
2. Copy the Directory/LDAP Client to this folder.
3. Create a Windows batch/command file in this folder (you can do this from Notepad by changing the file extension to .bat).
4. Enter the following text into the file (in this example we will use the path \\mydomain.tld\netlogon\cymphonix and the IP address 192.168.255.2):
   start /d \\server\share\folder cymdir.exe /silent [IP address of Network Composer]
   a. Using Windows shell environment variables can add power and flexibility to the batch file. For example, by using the syntax
   start /d \\%directoryserver%\netlogin\ cymdir.exe /silent 192.168.255.2
   you can deploy the Directory/LDAP Client over multiple directory servers. However, this may require additional troubleshooting if the variables do not resolve correctly. If this is the case, use the full syntax as displayed below.

Figure 7.11 Batch File for Client

5. Verify that the newly created batch file executes when users log in to the domain by loading the Windows Task Manager and confirming that the Directory/LDAP Client is in the process list.

Deploying the Directory/LDAP Client in a Group Policy Object
1. Log on to your Domain or Active Directory server.
2. Open a Windows Run Prompt (Start -> Run).
3. In the Open field type mmc (Microsoft Management Console).
4. Click OK.
5. In the File menu select Add/Remove Snap-in.

Figure 7.12 Console Prompt

6. Click the Add button.
7. Scroll down and select Group Policy Object Editor.

Figure 7.13 Add Standalone Snap In

8. Click the Add button (this will launch the Group Policy Object Wizard).
9. Press the Browse button.
10. Select Default Domain Policy.
11. Click OK.

Figure 7.14 Browse for Group Policy Object

12. Click Finish on the Add Group Policy Wizard.
13. Close the Add Standalone Snap-in dialog box.
14. Click OK on the Add/Remove Snap-in dialog box (you should now be looking at the MMC screen with the Console Root folder above the new Default Domain Policy you have just added).

Figure 7.15 Console Root

15. Expand the Default Domain Policy.
16. Expand the User Configuration option.
17. Expand the Windows Settings option.

Figure 7.16 Scripts Logon

18. Select Scripts (Logon/Logoff).
19. Right-click the Logon option to open the Logon Properties dialog box (depending on your current configuration you may already have several scripts running).
20. To place the Directory/LDAP Client in the correct folder for your Domain Policy, click the Show Files button (this will open a new window displaying the current files for the Domain Policy).
21. Copy the Directory/LDAP Client and paste it into the logon scripts folder (confirm that you copied the entire file into the folder and not just a shortcut to the file or the file path).
22. Close the logon scripts folder to return to the Logon Properties dialog box.
23. Click Add to open the Add a Script dialog box.
24. Click Browse to open the Logon Script folder.
25. Select the Directory/LDAP Client and click Open (you should now be back in the Add a Script dialog box; the Directory/LDAP Client should appear in the Script Name box).
26. Enter the Network Composer IP address in the Script Parameters box (in this example we will use 192.168.255.2).

Figure 7.17 Script Parameters

27. Click OK to close the Add a Script dialog box.
28. Click OK again to close the Logon Properties dialog box.
29. Confirm any other changes to the Console Root settings that you have edited.

The Directory/LDAP Client is now ready to run the next time users log in to the Active Directory domain. Again, you can confirm this by reviewing the Directory Users tab in Network Composer to verify that Network Composer is receiving heartbeats from users.

Deploying the Directory/LDAP Client in a Registry Entry
This method requires additional administrative effort, as the Directory/LDAP Client must be deployed to each workstation in question and a registry key imported. The Directory/LDAP Client may also require multiple running instances in some circumstances; however, this will not impact performance or reporting.
1. Create a Windows registry file (you can do this from Notepad by changing the file extension to .reg).
2. Insert the following text. (You may need to adjust the path depending on your settings. The last line requires the IP address of Network Composer; in this example, we will use 192.168.255.2.)

   Windows Registry Editor Version 5.00

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Cymphonix"="cymdir.exe /silent 192.168.255.2"

3. Save and exit the registry file.
4. Place a copy of the Directory/LDAP Client in each workstation's Windows folder. (You can also choose any location in the PATH.)
5. Import the registry file into each workstation's Windows registry.

Deploying the LDAP Client in a Netware Login Script
Because the Directory Client cannot be used in an eDirectory environment, the following steps are just for the LDAP Client. Please note that the screen shots presented here are from ConsoleOne for Novell eDirectory; similar functionality is available from iManager. We will use an Organizational Unit to set a common login script for all users. The LDAP Client will be executed with /silent and the IP address of Network Composer.
1. Run ConsoleOne (this is usually located at Z:\mgmt\ConsoleOne\1.2\bin\ConsoleOne.exe if your Netware Public share is mapped, or C:\novell\consoleone\1.2\bin if you have installed it locally).

Figure 7.18 ConsoleOne

2. Copy cymldap.exe to an accessible location (this could be on a Netware server with a mapped drive, network attached storage, or the local workstation).
3. Navigate to an Organizational Unit containing users.
4. Edit the properties of the OU to add a login script similar to the following.

Figure 7.19 Login Script Properties

Depending on your LDAP settings, eDirectory could be requiring TLS for simple binds. However, TLS can prevent Network Composer from retrieving user data. To allow Network Composer to retrieve LDAP user data, you will need to disable TLS for simple binds. Note that with TLS disabled, the simple bind sends the Network Composer account's password to the directory server in clear text, so keep that account's rights to the minimum needed and protect the network path between Network Composer and the directory server.
5. Open the properties of the LDAP group.
6. Verify that "Require TLS for simple binds with password" is unchecked.

Figure 7.20 Properties of LDAP group

This concludes the section on how to deploy the Directory/LDAP Client. Again, because each network is unique, you may need to determine the best method (or perhaps a combination of methods) to deploy the Directory and LDAP Client.


Create Directory Internet Usage Rules


Creating Internet Usage Rules (IURs) for Directory Groups is quite similar to creating IURs for Network Composer Groups. If you have chosen Directory Option 1 or Directory Option 5 for integrating Directory Users, you will follow the same steps listed in Chapter 5: Managing Network Composer for your IURs. If you have chosen Directory Options 2, 3, or 4, you will need to enable the different features tailored for each option under the Internet Usage Rule Manager. This is done under the Web Authentication tab. Several options listed under Web Authentication are universal for Directory Options 2, 3, and 4.

Web Authentication
Remember that Web Authentication identifies users by web (HTTP) requests. Because of this, non-web traffic, e.g., IM, P2P, etc., may not at first be correctly reported or controlled until Network Composer receives a web request from the Directory Users. For this reason, the IUR you assign to the Directory Users needs to be the same IUR you assign to the devices in use by the Directory Users. Directory Options 2, 3, and 4 require you to make two groups: Network Composer Groups for the Directory Users' devices and Directory Groups for the Directory Users. Both of these groups will need to use the exact same IUR. Also, remember that Directory Option 4 is the safeguard for Directory Options 2 and 3: if for some reason these two Web Authentication pieces fail (IP Lookup or NTLM), Network Composer will present a login page to members of the Directory Group. Below are settings that can be used with all Web Authentication rules.

Web Authentication White List: these are web sites for which Network Composer will not require Directory credentials.

Inactivity Timeout: this setting allows you to identify how much inactive time can pass before Network Composer re-confirms Directory Users. For example, if you use Directory Option 4: Directory Agent with Login Page, Network Composer will present a user with a login page on his/her first web (HTTP) request. If, after logging in, the user does not pass any more web traffic within a certain amount of time, Network Composer will again present the login page to the user. The default time for this setting is 5 minutes.

Session Timeout: this setting allows you to identify how much time can pass, regardless of activity, before Network Composer re-confirms Directory Users. With Directory Option 2: Directory Agent with IP Lookup, Network Composer will again (via the Directory Agent) have the directory server re-confirm the credentials of the Directory Users. With Directory Option 3: Directory Agent with NTLM, Network Composer will review the proxy connections of the users and re-confirm their credentials. Lastly, with Directory Option 4: Directory Agent with Login Page, Network Composer will present users with a login page. The default time for this setting is 30 minutes.
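The interaction between the White List, the Inactivity Timeout, and the Session Timeout is easiest to see as a decision per web request. The following is an added example, not part of the guide and not Cymphonix code: it uses the guide's default values (5 and 30 minutes) and a constructed white-list entry, and it assumes that the absolute session limit is checked before the inactivity limit and that white-listed requests neither require a session nor count as activity. The sample host names, IP address, user name, and the run_scenario() helper are constructed for the example.

```python
"""Inactivity and Session timeouts for Web Authentication, as a decision model.

Added example, not Cymphonix code. It uses the guide's defaults (5 and 30
minutes) and a constructed white list; the order in which the two timers are
checked (session first, then inactivity) and the rule that white-listed
requests do not count as activity are assumptions. Times are minutes on a
constructed clock.
"""
from dataclasses import dataclass

INACTIVITY_TIMEOUT = 5   # guide default, minutes
SESSION_TIMEOUT = 30     # guide default, minutes
WHITE_LIST = {"updates.example.com"}   # constructed: sites never requiring credentials


@dataclass
class AuthSession:
    user: str
    login_at: float
    last_request_at: float


class WebAuthRule:
    """Decides, per HTTP request, whether a device's user must be re-confirmed."""

    def __init__(self, inactivity=INACTIVITY_TIMEOUT, session=SESSION_TIMEOUT,
                 white_list=frozenset(WHITE_LIST)):
        self.inactivity = inactivity
        self.session = session
        self.white_list = white_list
        self.sessions = {}   # ip -> AuthSession

    def confirm(self, ip, user, now):
        """Directory credentials confirmed (by IP Lookup, NTLM, or the Login Page)."""
        self.sessions[ip] = AuthSession(user, now, now)

    def request(self, ip, host, now):
        """Return ('allow', user) or ('reconfirm', reason) for a web request."""
        if host in self.white_list:
            return ("allow", None)         # white-listed: no credentials required
        sess = self.sessions.get(ip)
        if sess is None:
            return ("reconfirm", "no session")
        if now - sess.login_at >= self.session:
            del self.sessions[ip]          # absolute limit, regardless of activity
            return ("reconfirm", "session timeout")
        if now - sess.last_request_at >= self.inactivity:
            del self.sessions[ip]          # quiet for too long
            return ("reconfirm", "inactivity timeout")
        sess.last_request_at = now         # activity keeps the session alive
        return ("allow", sess.user)


def run_scenario():
    """Constructed timeline for one device; returns the list of (time, decision)."""
    rule = WebAuthRule()
    ip = "192.168.1.20"                                           # constructed sample address
    out = []
    out.append((0, rule.request(ip, "www.example.com", 0)))       # first request, no session
    rule.confirm(ip, "jdoe", 0)                                   # user confirmed
    out.append((3, rule.request(ip, "www.example.com", 3)))       # allowed
    out.append((9, rule.request(ip, "www.example.com", 9)))       # 6 minutes idle: re-confirm
    out.append((9, rule.request(ip, "updates.example.com", 9)))   # white list: allowed anyway
    rule.confirm(ip, "jdoe", 9)
    for t in range(13, 38, 4):                                    # 13, 17, ..., 37: steady browsing
        out.append((t, rule.request(ip, "www.example.com", t)))
    out.append((40, rule.request(ip, "www.example.com", 40)))     # 31 minutes since login
    return out


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

The last step shows the point of the Session Timeout: the device was active three minutes earlier, yet the user is still re-confirmed because 30 minutes have elapsed since the credentials were last checked. Lowering that value tightens how long a stale binding (for instance after someone else sits down at the same PC) can persist, at the cost of more frequent challenges.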

Directory Option 2: Directory Agent with IP Lookup

For Directory Option 2, go to Manage -> Policies & Rules -> Internet Usage Rule -> Create. Name the Internet Usage Rule after its corresponding Directory Group. You can also select web categories, URLs, and other settings to block for the Directory Group by following the instructions listed under Internet Usage Rules in Chapter 5: Managing Network Composer for your IURs.

Afterwards, click on the Web Authentication tab and select Require Web Based Authentication. Once you have selected this, the checkbox next to Directory Agent IP Lookup will be available. Check the box next to the option and Save your changes. Don't forget to apply the IUR to the Directory Group and its corresponding Network Composer Group using the Policy Manager.

Directory Option 3: Directory Agent with NTLM

For Directory Option 3, go to Manage -> Policies & Rules -> Internet Usage Rule -> Create. Name the Internet Usage Rule after its corresponding Directory Agent Group. You can also select web categories, URLs, and other settings to block for the Directory Agent Group by following the instructions listed under Internet Usage Rules in Chapter 5: Managing Network Composer for your IURs. Afterwards, click on the Web Authentication tab and select Require Web Based Authentication. Once you have selected this, the checkbox next to Directory Agent NTLM Handshake will be available. Check the box next to the option and Save your changes. Don't forget to apply the IUR to the Directory Group and Network Composer Group using the Policy Manager. Because the NTLM handshake will be issued via a proxy connection, make sure that Network Composer is configured in Proxy mode (Admin -> Configuration -> Advanced Setup -> Allow HTTP Connections on Port 8888). For more information on this setting please see Chapter 2: Installing Network Composer.

Directory Option 4: Directory Agent with Login Page

For Directory Option 4, go to Manage -> Policies & Rules -> Internet Usage Rule -> Create. Name the Internet Usage Rule after its corresponding Directory Group. You can select which web categories, URLs, and other settings to block for the Directory Group by following the instructions listed under Internet Usage Rules in Chapter 5: Managing Network Composer for your IURs. Afterwards, click on the Web Authentication tab and select Require Web Based Authentication. Users will now be presented with a Login Page as soon as they initiate a web (HTTP) request. Remember to Save your changes and apply the IUR to the Directory Group as well as the Network Composer Group using the Policy Manager.

Enable LDAP Settings


To enable LDAP settings on Network Composer, you will need the information listed below. If you are unaware of some of these settings, Network Composer offers utilities that can scan your network for the appropriate information. In addition, a brief explanation follows each term for clarification.

LDAP Server IP/Hostname: this is the IP address or hostname of the LDAP Server, e.g., 192.168.255.2 or ldap.mycompany.com. If you are unsure of the IP address assigned to the LDAP Server, you may select Scan My Network during the Setup Wizard or under Admin -> Configuration -> LDAP Settings for possible LDAP Servers.

LDAP Server Query Port: TCP port 389 is registered with the Internet Assigned Numbers Authority (IANA) for LDAP traffic. Do not change this value unless your LDAP Server uses a port other than 389.

LDAP Server Base Distinguished Name (DN): the LDAP Server Base Distinguished Name tells Network Composer where to begin searching for user information. For example, if users are located in different directories, you will want to select a common directory where all users can be found. Usually the root directory is the preferred setting for the LDAP Server Base DN, as all users can be found from the root directory. If you are unsure of the LDAP Server Base DN, you may select Query My LDAP Server during the Setup Wizard or under Admin -> Configuration -> LDAP Settings for possible options.
o Windows Active Directory example: DC=mydomain,DC=com
o Novell eDirectory example: O=MyOrganization

LDAP Profile Default Name Mask: this value controls which LDAP attributes are used for the names associated with each LDAP User. The default Given Name %givenName% and Surname %sn% use standard LDAP attributes that should work for all LDAP Servers. A default name mask of this form will result in displaying a name such as John Doe for a user. However, some LDAP deployments do not populate these attributes and should instead use %displayName%, %cn%, or %sAMAccountName%.

LDAP Server User Name: this represents an LDAP account with sufficient access in the directory to perform searches associated with the network users and groups. In Windows, this means a user with Domain User privileges. This field must use the User Principal Name with Active Directory and the Fully Qualified Distinguished Name (FQDN) for eDirectory. Also, we recommend that you create an account on your LDAP Server that is specific to Network Composer and no other user.
o Windows Active Directory example: username@mydomain.com
o Novell eDirectory example: CN=username,O=MyOrganization
o mycompany\jdoe may not work as expected because some LDAP Servers don't accept this format by default.

LDAP Server Password: this is the password associated with the LDAP Server User Name. Please remember that the password is case sensitive and will need to be updated if you change the password on the LDAP Server.

LDAP Client Heartbeat Timeout (in minutes): this setting indicates to Network Composer how many minutes must pass with no heartbeat before a user is considered to be gone. Because CymLDAP tracks when a user logs in or out and sends heartbeats at regular intervals, a timeout is most likely under two circumstances:
o The LDAP Client, CymLDAP, has terminated (likely by user intervention)
o The user disconnects his/her computer from the network

The default value is 15 minutes. When a timeout occurs, network traffic associated with that particular network node is no longer associated with the former user. With the previous information provided, you are now ready to enable Network Composer LDAP settings. You can enable LDAP under Admin -> Configuration -> LDAP Settings. Remember to Apply the changes once you enter the information.

Once you have enabled LDAP Settings within Network Composer, you will need to deploy the LDAP Client for user reporting and filtering.
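The name mask, bind-account format and Base DN rules above, as an added Python example that is not from the Cymphonix guide: it renders a name mask with the documented fallback attributes, classifies an LDAP Server User Name as UPN, full DN or the down-level DOMAIN\user form the guide warns about, and checks whether a user's DN sits under the configured Base DN. All function names and the sample attribute values are assumptions.

```python
"""Added example, not Cymphonix code: helpers for the LDAP settings described
in this section. Attribute values and DNs used in the demo are constructed."""
import re
from typing import Dict, Iterable, Optional

TOKEN = re.compile(r"%([A-Za-z][A-Za-z0-9]*)%")
DEFAULT_MASK = "%givenName% %sn%"            # the guide's default mask
FALLBACK_MASKS = ("%displayName%", "%cn%", "%sAMAccountName%")


def render_mask(mask: str, attrs: Dict[str, str]) -> Optional[str]:
    """Substitute every %attr% token in `mask` from `attrs`. Attribute names are
    matched case-insensitively, as LDAP does. Returns None if any token is
    unpopulated so the caller can try the next fallback mask."""
    lower = {k.lower(): v for k, v in attrs.items()}
    missing = False

    def sub(m: "re.Match[str]") -> str:
        nonlocal missing
        value = lower.get(m.group(1).lower())
        if not value:
            missing = True
            return ""
        return value

    out = TOKEN.sub(sub, mask)
    return None if missing else " ".join(out.split())


def display_name(attrs: Dict[str, str], mask: str = DEFAULT_MASK,
                 fallbacks: Iterable[str] = FALLBACK_MASKS) -> Optional[str]:
    """Name shown for a user: the configured mask first, then the guide's
    suggested alternatives for deployments that leave givenName/sn empty."""
    for m in (mask, *fallbacks):
        name = render_mask(m, attrs)
        if name:
            return name
    return None


UPN = re.compile(r"^[^@\\\s]+@[^@\\\s]+\.[^@\\\s]+$")
DN = re.compile(r"^(cn|uid)=[^,]+(,(ou|o|dc)=[^,]+)+$", re.IGNORECASE)
DOWN_LEVEL = re.compile(r"^[^\\\s]+\\[^\\\s]+$")


def classify_bind_name(name: str) -> str:
    """'upn' for user@domain (Active Directory), 'dn' for CN=...,O=...
    (eDirectory), 'down-level' for DOMAIN\\user (may be rejected by the LDAP
    server, per the guide), otherwise 'unknown'."""
    if UPN.match(name):
        return "upn"
    if DN.match(name):
        return "dn"
    if DOWN_LEVEL.match(name):
        return "down-level"
    return "unknown"


def _dn_components(dn: str) -> list:
    # Naive split: does not handle escaped commas inside RDN values.
    return [c.strip().lower() for c in dn.split(",")]


def base_dn_covers(base_dn: str, entry_dn: str) -> bool:
    """True when entry_dn is at or below base_dn. A user outside the Base DN
    is invisible to Network Composer, which is why the guide recommends the
    directory root (e.g. dc=mydomain,dc=com) over a sub-OU."""
    base = _dn_components(base_dn)
    entry = _dn_components(entry_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


if __name__ == "__main__":
    # Constructed sample entries.
    print(display_name({"givenName": "John", "sn": "Doe"}))          # John Doe
    print(display_name({"sAMAccountName": "jdoe"}))                   # jdoe
    print(classify_bind_name("mycompany\\jdoe"))                      # down-level
    print(base_dn_covers("ou=IT,dc=mydomain,dc=com",
                         "CN=jdoe,OU=Sales,DC=mydomain,DC=com"))      # False
```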

Create LDAP Groups


LDAP Groups are created the same as Network Composer groups; however, you will use the member type of LDAP instead of Network Node, MAC address, CIDR Block Source and Destination or any other member types. Please see Chapter 5: Managing Network Composer for more information.

Directory Troubleshooting
There are several variables that can cause Directory integration to not work properly with Network Composer. Identifying which components of Directory integration are not working properly will help you find a solution. We'll first discuss using Network Composer to diagnose the problem. We then discuss troubleshooting Group Policy Objects with the Directory and LDAP Client, scripting issues, and other possible problems.

Using Diagnostic Tools


There are five Network Composer diagnostic tools that can be used to confirm if Directory is working properly. The first four tools are located under Admin -> Configuration -> Diagnostic Tools. The last is listed under Admin -> Logs. All the tools are listed below.

Directory Agent Diagnostics: this menu allows you to confirm Directory group synchronization, Directory User assignment, and current devices in use by Directory Users. This menu has several options to confirm that the Directory Agent is operating correctly, and that Network Composer is able to associate network traffic with the correct Directory User. The first option is User Lookup. User Lookup can determine where users are located on the Directory Server to ensure they are synchronized correctly to Directory Groups on Network Composer. Select Test Type User Lookup and the Directory Agent that is installed on the Directory Server for the corresponding user. Enter the Username and click the Run Diagnostic button. If the Directory Agent can successfully find the Username, the user's Common Name, Directory Agent Group (the synchronized group for Network Composer), the Directory Agent Group (the actual user group from the Directory Server), the Distinguished Name, and the time taken to run the test will be posted. If this information is not posted or is incorrect, verify that the Directory Agent is running correctly and can communicate with Network Composer. Also, confirm that the user's account is present on the Directory Server where the Directory Agent is installed. The next option is IP Lookup. This option allows you to query a workstation and confirm which user is present on the workstation. This option is used in conjunction with Directory Option 2: Directory Agent with IP Lookup and will (via the Directory Agent) petition the Directory Server to confirm user credentials for specific IP addresses. Select IP Lookup from the Test Type drop-down box and the Directory Agent for the specific Directory User. Enter the IP address of the device you want to query, and click the Run Diagnostic button. If the Directory Server can successfully communicate with the IP address, the Directory Agent will post the Username, the user's Common Name, Directory Agent Group (the synchronized group for Network Composer), the Directory Agent Group (the actual user group from the Directory Server), the Distinguished Name, and the time taken to run the test. If the test is unsuccessful, confirm that File and Print sharing rights are enabled on the end user's device. Also, verify that the user's DNS server is set to use the Directory server where the Directory Agent is installed. Lastly, confirm that the user's account is present on the Directory Server where the Directory Agent is installed. The last option available in the Directory Agent Diagnostics menu is Validate Username/Password. This option will query the Directory Server to verify the username and password of the user. If users are having trouble accessing their Directory account, you can use this tool to confirm credentials. Select the Validate Username/Password selection from the Test Type drop-down box. Then, select the corresponding Directory Agent from the Directory Agent drop-down box. You can then enter the Username and Password and click the Run Diagnostic button. Again, if the test is successful, the Results will post the Username, the user's Common Name, Directory Agent Group (the synchronized group for Network Composer), the Directory Agent Group (the actual user group from the Directory Server), the Distinguished Name, and the time taken to run the test. One additional line will post with this test confirming whether the password is valid or not. If this test is unsuccessful, confirm the Username and Password (case sensitive) for the user on the Directory Server. You will also want to verify that Network Composer can communicate with the Directory Server and that the user's account is present on the Directory Server where the Directory Agent is installed.

Directory Agent Users: this menu allows you to confirm how Network Composer is identifying Directory Users, which Directory Group users are being assigned to, and their associated IP addresses. The columns Username, Common Name, IP Address, Directory Agent Group, Mode, and Status will list current conditions for the selected Directory Users. The first option (Username) allows you to enter a Username and confirm the user's Username and Common Name from the Directory. Also listed are the IP address currently in use by the user, the Directory Agent Group to which Network Composer is assigning the user, and the Mode (Directory Option 1, 2, 3, 4, or 5) being used to identify the Directory User. Lastly, the Status column will post the current status of the user, i.e., active, inactive, etc. Other search options available are Common Name, IP Address, and Directory Agent Group. Simply select the searchable option you want to use as criteria, enter the parameters for the search, and click the Search icon (or hit the Enter key). Network Composer will then query the Directory Agent Users menu and post the results. If Directory Users are being assigned to incorrect groups or by incorrect modes, you should confirm how you have created your Directory Groups or what particular attributes have been assigned to your users on your Directory Server.

IP Address Map: IP Address Map shows the association between Directory Users and IP addresses. You can use this tool to confirm that an active IP address is being assigned to the correct Directory User. If, after a user logs in, the IP address is not posting the correct Directory User profile, you can then suspect that the Directory/LDAP Client is not executing correctly. Review your deployment of the Directory/LDAP Client as a possible culprit for this problem.

No LDAP Network Nodes: this menu lists all devices currently passing traffic that do not have an associated Directory/LDAP heartbeat. This is a great tool to use to confirm if a computer on the network is sending Directory/LDAP heartbeats. Please keep in mind that there will inevitably be some devices on the network that do not execute the Directory/LDAP Client upon login (such as network printers, wireless access points, network appliances, etc.). You can use IP Address Map and No LDAP Network Nodes together to confirm if a user is executing the Directory/LDAP Client upon login.

Activity Logs: this log keeps track of all processes running from Network Composer. If Network Composer cannot communicate with the Directory Agent or cannot query the Directory Server, the Activity log will post an error or alert accordingly. Verify that the Directory Agent is running or that the LDAP settings are correct, as this log normally indicates a failed communication between Network Composer and the Directory server.

If, after using these tools, you are still experiencing problems with LDAP, continue with the following suggestions.

Force cymdir.exe Session Timeouts: this utility forces all cymdir.exe sessions to time out immediately. Use this tool if cymdir.exe users are not being correctly grouped and you need to verify the deployment process. If the Directory Client has been deployed correctly, Network Composer should receive new heartbeats after forcing session timeouts and begin to regroup users according to their Directory Agent Group assignment.

Flush Web Auth Cache: this utility forces all Web Authentication sessions to time out immediately. Use this tool if Web Authentication users are not being correctly grouped and you need to verify the Web Authentication process. If Web Authentication is working properly, Network Composer should identify users after forcing session timeouts and begin to regroup users according to their Directory Agent Group assignment.

Troubleshooting GPO Issues


To troubleshoot potential GPO issues, replace the text in cymdir or cymldap Login Script.bat with the following. Replace the placeholder values (the \\server\share\ path and the Network Composer IP address 192.168.1.80) with the pertinent information for your network. These steps are written for the Directory Client (cymdir.exe). If you are using the LDAP Client, replace cymdir.exe with cymldap.exe.

@ECHO OFF
REM This part runs the login client for troubleshooting and testing
REM add /tcp if you suspect network/routing problems
start /d \\server\share\ cymdir.exe /log %tmp% 192.168.1.80
REM This part runs the version 8 login client for production use
REM start /d \\server\share\ cymdir.exe /silent 192.168.1.80
REM This part verifies that this Login Script is being run by calling standard Windows routines.
time /t > %TMP%\login.txt
date /t >> %TMP%\login.txt
echo %USERNAME% >> %TMP%\login.txt
REM Browse to %tmp% in Windows Explorer by typing %TMP% in the address bar (use Internet Explorer if necessary)
REM There should be BOTH a cymdir.log and also a login.txt file in the %TMP% folder.
REM If both are missing, this script is not being run
REM If both are present, send cymdir.log to support@cymphonix.com

The purpose of this script is to put the date, time, and username of the last login in a text file called login.txt located in the user's %TMP% directory. As these are all standard Windows shell functions, there are no references to cymdir or cymldap.

Figure 7.21 %TMP% Folder

After logging in with this policy, browse to the temporary folder %TMP%. %TMP% is a Windows shell variable that corresponds to each user's Temporary Files folder. You can navigate to it directly by putting %TMP% in the Address Line of Windows Explorer. Open login.txt if it exists. If login.txt is in the Temporary Directory, verify that the login time, date, and username are correct. If so, then Group Policies seem to be working properly, and you should try some of the other troubleshooting methods mentioned below. If login.txt does not exist or does not contain the correct information, you will more than likely need to perform some troubleshooting and verify your GPO settings. Once your Group Policy Object login scripts are performing as expected, cymdir.exe can be deployed in your network.

Troubleshooting Directory/LDAP Client


If the Directory/LDAP Client Help Dialog Box keeps popping up, look for an error message. The top portion of the cymdir.exe or cymldap.exe dialog will display a relevant error message (connection failure, unrecognized option, bad or misspelled command name, Invalid IP address, etc).

Double check the login script. If there are no error messages, it implies that no command line arguments were given to the Directory/LDAP Client (similar to double clicking cymdir.exe or cymldap.exe). Some scripting languages require enclosing the parameters in quotes. If there are no Directory User profiles under Manage -> Directory Users & Nodes -> Directory Users, Network Composer is not receiving heartbeats from the Directory/LDAP Client. Verify that Admin > Configuration > LDAP > Use LDAP is checked for the LDAP Client. Also confirm that cymdir.exe and cymldap.exe are being loaded at login by checking the Process list in the Windows Task Manager. If not, there may be a script problem. If one or more users are not sending heartbeats, network routing issues can prevent packets from reaching Network Composer. Use the /tcp switch to test for connection failures. Please note that you will not be able to use the /silent option for this test. Another scenario that will impede Network Composer from posting the Directory User profile for a user is if the computer has not sent Internet traffic through Network Composer. If the workstation has not sent traffic to the Internet, then Network Composer has no Network Node profile (IP address or MAC address) to which to attach the Directory User. This will correct itself as soon as the workstation sends traffic to the Internet through Network Composer. (Checking Admin -> Logs -> Activity Log can help identify this issue.) By default, the Directory/LDAP Client uses port 3642 to communicate with Network Composer. You can verify that this port is open by using telnet and attempting to connect to Network Composer on port 3642 from an affected workstation. The syntax for the Windows command line telnet client is this: C:\>telnet 192.168.1.80 3642. Remember to use the IP address of your Network Composer.
If you are able to connect and receive an error message about needing to authenticate, then there are no network issues. If you are not able to connect, then please review your firewall or network settings, as they may be blocking access on port 3642. Also, you may need to restart services to ensure that the LDAP service is working properly (Admin -> Utilities -> System Resets -> Restart All Services). If the Directory/LDAP Client causes long login times, this could be due to the syntax in the batch file. Make sure that the batch file begins with start. Start is required to detach programs from the Windows shell. If it is omitted, Windows may not detach the referenced program as an independent process, and may wait 10 minutes before terminating the process. Occasionally, some traffic is not associated with a Directory User. cymdir.exe and cymldap.exe run when a user logs in, and stop running when a user logs off. If traffic occurs when no user is logged into a Network Node, it will not be associated with any user. This commonly occurs when a user reboots, which logs the user off and then generates network traffic, or when Windows updates are downloaded and installed. In some circumstances (particularly involving laptop computers) a user will not run the login script or Group Policy Object from the network as they log in. This could be because they are not connected to any network, they are connected to a network that is not their home network, or they have somehow bypassed their network login script. (Consider using an alternate method like Web Authentication for these users instead of using the Directory/LDAP Client.) Also, users can potentially terminate the cymdir.exe or cymldap.exe process from the Task Manager in an attempt to escalate their network privileges. If this happens, their workstation will be added to the next appropriate group (typically the Default Group). To prevent privilege escalation, simply make the Default Group (or other group as appropriate) have the fewest network privileges available. This way, users will only de-escalate their access by terminating the Directory/LDAP Client. Some security settings may impede the Directory/LDAP Client from executing correctly. If you are unable to execute the client after following the deployment steps, you may need to unblock the executable from running. You can do this by right-clicking on cymdir.exe or cymldap.exe and selecting Properties. Under the General tab, click the Unblock button and then apply the changes. Lastly, make sure that you use the correct Directory/LDAP Client for your operating system. Remember that the Directory/LDAP Clients have three versions (32-bit, 64-bit, and Macintosh) and should be deployed accordingly.

Troubleshooting LDAP Settings


Network Composer must be able to query the LDAP Server in order to gather accurate user information. However, if a user is located in a directory path not included in the LDAP Server Base DN, Network Composer may not be able to retrieve that user's information. A good practice is to use the root or base of the directory for the LDAP Server Base DN. For example, instead of using ou=IT,dc=mydomain,dc=com, use dc=mydomain,dc=com. Thus, Network Composer will have complete access to the entire directory. Also remember that Network Composer is compatible with Windows Active Directory and Novell's eDirectory. If you are using a different directory service, i.e., Windows NT4 or NetWare 3, Network Composer may not be able to post the information correctly. In such scenarios, you may have to use the Fully Qualified Username or User Principal Name for tracking. Verify that your LDAP Default Name Mask (Admin -> Configuration -> LDAP Settings) is asking for the LDAP attributes you want posted. For example, for Active Directory users, use a mask that is appropriate to the LDAP attribute (%givenName% = First Name, %sn% = Last Name). If you prefer to use different attributes, %displayName%, %cn%, or %sAMAccountName% may be good alternatives. Lastly, make sure that the Username and Password used for LDAP Settings are current. If you have changed the password or have deleted the account, Network Composer will not be able to query the directory for LDAP Profiles. This concludes the chapter on implementing LDAP with Network Composer. There is an additional Tutorial Document entitled How to Implement LDAP posted on the Cymphonix Knowledge Base (http://kb.cymphonix.com). That document complements the information presented here. The next chapter will deal with filtering HTTPS/SSL traffic.


Chapter 8: Implementing HTTPS/SSL Filtering with Network Composer


Secure Socket Layer (SSL) is a technology that is used to encrypt data sent over the network. (Newer versions of SSL are called Transport Layer Security or TLS. Statements in this User Guide regarding SSL also apply to TLS.) This encryption is done to ensure that the data transmission is secure and only readable by the intended recipients. This technology is most commonly associated with Secure Hypertext Transfer Protocol (HTTPS) sent over the Internet. For example, web pages such as banking or ecommerce sites handle information that is very sensitive for users, i.e., credit card numbers, social security numbers, etc. Because this information is important, the web site must take some special precautions to make sure that this information is not viewed by the wrong person. Also, the web site needs to confirm the identity of the site visitor and make sure that the transmission of data across the Internet is not intercepted by anyone. However, SSL can also be used to conceal web traffic and visit prohibited sites. The most common practice of this is with proxy web sites or proxy web servers. Network Composer utilizes HTTPS/SSL Filtering to allow you to view and restrict web traffic for secure web sites and also prohibit users from viewing unauthorized content. This chapter can be used to enable HTTPS/SSL Filtering. The following topics will be covered.

Certificate Authorities
SSL Anonymous Proxies
HTTPS/SSL Filtering
HTTPS/SSL Blocking
HTTPS/SSL Filtering Requirements
Enabling SSL Certificate-Based Filtering
Network Composer's Digital Certificate
Installing Network Composer's Digital Certificate
Enabling Full SSL Content Filtering
Confirming Network Composer's Digital Certificate
Reporting on HTTPS/SSL Web Sites
Viewing Sensitive Content on HTTPS/SSL Web Sites

Certificate Authorities
For web sites to use SSL to serve secure data, they employ a digital certificate signed by a Certificate Authority (CA), like VeriSign or Thawte. A CA issues and signs a digital certificate which confirms the identity of the web site and that the page is secure. The CA also attests that the certificate belongs to the organization, server, or other entity noted in the certificate. How do users know if a web site is secure? Through the digital certificate presented by the web site. Normally, web browsers have a list of trustworthy CAs. When users connect to a secure web site, the web browser will check the name of the web site against the corresponding certificate. If the certificate name matches the name of the web site, the certificate is not expired, and it is signed by a trusted CA, the web browser will display the web site. If any of these checks fail, a warning is displayed indicating the error. Thus web sites and users depend on digital certificates to confirm identities and information.

SSL Anonymous Proxies


In addition to using SSL for securing web traffic, SSL can also be used to conceal web traffic. The purpose of Network Composer's HTTPS/SSL Filtering is to prohibit users from concealing their web traffic and from viewing unauthorized content. One of the ways users can conceal web traffic with SSL is by using SSL Anonymous Proxies. SSL Anonymous Proxies, available to anyone with Internet access, instruct users on how to direct their web traffic to a specific web site or service. Like traditional anonymous proxies, they allow a user to put in a URL, which the proxy then fetches and returns to the user. From a web filter's perspective, it is as if all the content came from the proxy site. An SSL Anonymous Proxy takes this one step further by encrypting this data, thereby concealing the user's traffic and the prohibited web sites being visited. The most common tactic of SSL Anonymous Proxy Servers is using Common Gateway Interface (CGI) web sites that create tunnels to web sites. However, there are many forms of proxy servers that are designed to make web surfing anonymous and bypass content filtering. Below are listed the most common Anonymous Proxy Services and how they conceal web traffic.


SSL CGI Proxy


This type of proxy has users enter the Universal Resource Locator (URL) of the web site they want to browse to into a web form. The web site then processes the request and retrieves the page on behalf of the user. The web site changes the links and images within the page so that the requests are actually hosted by the proxy web site and not the original web site.

SSL Full Proxy


This type of proxy requires users to modify their web browser settings to use a proxy server. Some of these sites will also use non-standard ports to conceal web traffic.

SOCKS4/5 Proxy
This type of proxy also has users modify web browser settings to use a proxy server.

TorPark Network
This type of proxy is an SSL-based network that allows users to hide web browsing. TorPark normally uses non-standard port numbers to avoid detection and uses SSL to conceal the content of web sites. Network Composer has several options that allow you to block anonymous SSL web surfing and prevent users from concealing their traffic. These options are discussed in the next section.

HTTPS/SSL Filtering
Network Composer offers you several tools to filter HTTPS/SSL traffic, and to block proxy web sites that allow users to cover their web traffic. Depending upon the type of control you want over SSL traffic, you will need to configure HTTPS/SSL Filtering accordingly. All HTTPS/SSL filtering options are handled by Traffic Flow Rule Sets (TFRS). TFRS are the basic traffic identification and control engine within Network Composer. TFRS allow you to dictate how traffic will be identified, controlled, reported, filtered and shaped. In the case of HTTPS/SSL traffic, Network Composer has several TFRS that will handle HTTPS/SSL traffic according to the settings listed below. The component of TFRS that handles HTTPS/SSL Filtering is called SSL Filter. SSL Filter can perform content filtering, web logging, spyware scanning, and virus scanning on all HTTPS web sites. However, there are several options with SSL Filtering. Below are all available options.

Disable SSL Inspection and Filtering


This option will not perform any HTTPS/SSL Filtering or Inspection. This is the default option and will not filter, report, or inspect any HTTPS/SSL traffic.

Enable SSL Certificate-Based Content Filtering


This option allows you to filter HTTPS web sites based only on the certificate name present. In addition, this option will only log and filter the first web page accessed for the site. No other pages on the web site will be scanned. Also, if the certificate name does not match the URL of the web site, some mis-categorization can happen. Finally, if users attempt to access an HTTPS web site that has been prohibited, they will not receive a redirection page alerting them that the site has been blocked by Network Composer. This is the level of protection provided by almost all Secure Net Gateway devices that support SSL features.

Enable Denied Access Page for SSL Certificate-Based Content Filtering


This option allows you to filter HTTPS web sites based only on the certificate name present. In addition, this option will only log and filter the first web page accessed for the site. No other pages on the web site will be scanned. Also, if the certificate name does not match the URL of the web site, some mis-categorization can happen. However, this option will present users with a blocked redirection page if the web site has been prohibited, and it can be used in conjunction with SSL Certificate-Based Content Filtering.

Enable Full SSL Content Filtering


This option allows you to filter HTTPS web sites based on the certificate name present, the name of the web site, and the site's content. This option is the most robust and complete of all SSL Filter options, as it allows for better categorization of HTTPS web sites, continued filtering of all pages within the web site, and blocked redirection pages for prohibited secure sites. Also, this is the only SSL Filter option that offers full scanning of HTTPS web sites for spyware and viruses. Because of the additional steps required to enable Full SSL Content Filtering, you will not be able to turn on this option without first contacting a Cymphonix Support Technician. If you are interested in enabling Full SSL Content Filtering, please call Cymphonix Technical Support at (801) 938-1500 option 2. Do not enable Full SSL Content Filtering without deploying Network Composer's Digital Certificate beforehand. Doing so will cause interruption with HTTPS web sites. Please read the section on Installing Network Composer's Certificate before enabling this option.

Only Allow Trusted Certificate Authorities and Non-Expired Certificates


This option will increase security for web traffic, as it will not allow users to visit HTTPS sites that have expired certificates or certificates issued by non-trusted CAs. This option can be used in conjunction with SSL Certificate-Based Content Filtering and Full SSL Content Filtering.

HTTPS/SSL Filter Exemption List


This option allows you to enter URLs of secure web sites that will be exempt from SSL Filtering. For sensitive web sites, such as banking and ecommerce, you may want to enter the URLs of these sites to avoid content filtering on them. This option can be used in conjunction with all SSL filtering options.

Content Filtering Rules


Once you have enabled any of the HTTPS/SSL Filtering options, all your Content Filtering Rules will also apply to HTTPS web sites. For example, if you have entered myspace in the Blocked URL list under the Content Filtering tab and enabled HTTPS/SSL Filtering, users will not be able to access http://www.myspace.com or https://www.myspace.com. As such, if you want to block a specific web category or web site that is using HTTPS, enter the web site as blocked in the Content Filtering tab, select a TFRS that has SSL Filter, and choose one of the HTTPS/SSL Filtering options.
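To make the precedence between these options concrete, here is an added Python model of the decision a certificate-based versus full SSL filter makes for a single HTTPS request. It is illustrative code written for this edition, not Cymphonix's or Network Composer's own code; the class and field names, the constructed host names, and the way the exemption list is matched (as host names, exact or parent domain) are assumptions, and page-content scanning is not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List


class SslMode(Enum):
    """The three HTTPS/SSL Filtering radio-button choices described above."""
    DISABLED = "disabled"
    CERT_BASED = "certificate-based"
    FULL = "full"


@dataclass
class SslPolicy:
    """One Internet Usage Rule's SSL settings (names are this example's, not the product's)."""
    mode: SslMode
    denied_page: bool = False        # Enable Denied Access Page (certificate-based mode)
    trusted_ca_only: bool = False    # Only Allow Trusted CAs and Non-Expired Certificates
    blocked_terms: List[str] = field(default_factory=list)  # Blocked URL list entries
    exempt_hosts: List[str] = field(default_factory=list)   # HTTPS/SSL Filter Exemption List


@dataclass
class HttpsRequest:
    """What the filter can see for one HTTPS request (constructed for this example)."""
    url_host: str           # host name the browser asked for
    cert_name: str          # subject common name on the server certificate
    issuer_trusted: bool    # certificate chains to a trusted CA
    not_after: datetime     # certificate expiry (UTC)


@dataclass
class Decision:
    action: str                 # "bypass", "allow" or "block"
    denied_page: bool = False   # user sees a blocked redirection page
    reason: str = ""


def utc(year: int, month: int, day: int) -> datetime:
    """Helper for building timezone-aware timestamps in examples and tests."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def host_matches(host: str, entry: str) -> bool:
    """Exact or parent-domain match: entry 'bank.example' covers 'www.bank.example'.
    Assumption: exemption entries are compared as host names, wildcard prefix ignored."""
    host, entry = host.lower(), entry.lower().lstrip("*.")
    return host == entry or host.endswith("." + entry)


def evaluate(policy: SslPolicy, req: HttpsRequest, now: datetime) -> Decision:
    """Apply the option precedence described in the text to a single request."""
    if policy.mode is SslMode.DISABLED:
        return Decision("bypass", reason="SSL inspection disabled")

    # Exempt sites are not filtered, monitored or decrypted at all, so this comes first.
    if any(host_matches(req.url_host, e) for e in policy.exempt_hosts):
        return Decision("bypass", reason="exemption list")

    # Certificate hygiene option, usable with either filtering mode. The guide does not
    # say whether a denied page is shown here, so this model assumes a plain block.
    if policy.trusted_ca_only:
        if not req.issuer_trusted:
            return Decision("block", reason="certificate issuer not trusted")
        if req.not_after <= now:
            return Decision("block", reason="certificate expired")

    # Certificate-based mode only sees the certificate name. Full mode also sees the
    # real site name (and, on the appliance, page content, which is not modelled here).
    if policy.mode is SslMode.CERT_BASED:
        names = [req.cert_name]
    else:
        names = [req.cert_name, req.url_host]

    for term in policy.blocked_terms:
        for name in names:
            if term.lower() in name.lower():
                # Full mode always shows the denied page; cert-based mode only if enabled.
                page = policy.mode is SslMode.FULL or policy.denied_page
                return Decision("block", denied_page=page, reason=f"'{term}' matched {name}")

    return Decision("allow", reason="no rule matched")


if __name__ == "__main__":
    policy = SslPolicy(SslMode.CERT_BASED, blocked_terms=["myspace"], exempt_hosts=["bank.example"])
    # Constructed case: the site is served from a CDN whose certificate name does not
    # contain the site name, so certificate-based filtering cannot match it.
    req = HttpsRequest("www.myspace.com", "edge-cdn.example.net", True, utc(2010, 1, 1))
    print(evaluate(policy, req, utc(2008, 6, 1)))
    print(evaluate(SslPolicy(SslMode.FULL, blocked_terms=["myspace"]), req, utc(2008, 6, 1)))
```

The constructed CDN case is the mis-categorization the text warns about: in certificate-based mode the blocked term never appears in the certificate name, so the request is allowed, while full mode sees the requested host name and blocks it with a denied page. The exemption list is checked before any other rule, which is why an exempt banking site is never inspected even when a blocked term would otherwise match it.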

HTTPS/SSL Blocking
There is an additional TFRS for SSL traffic entitled SSL Block. This TFRS does not perform any content filtering, web logging, spyware scanning, and virus scanning on HTTPS web sites. This TFRS only prohibits all HTTPS/SSL traffic from passing through Network Composer. By default there is only one TFRS that is set to block HTTPS traffic. This TFRS is called Web Filter + Anonymous Proxy Guard + SSL Block. This TFRS performs content filtering, web logging, spyware scanning, virus scanning for HTTP traffic (Web Filter). This TFRS also prohibits HTTP traffic on any port other than port 80 or a designated proxy port (Anonymous Proxy Guard). Finally this TFRS prohibits all HTTPS/SSL traffic from passing through Network Composer (SSL Block).

HTTPS/SSL Filtering Requirements


HTTPS/SSL Filtering does place additional processing load on Network Composer. As such, HTTPS traffic cannot exceed 25% of the bandwidth specification (see the following table). Before enabling any form of HTTPS/SSL Filtering, please confirm that your HTTPS traffic does not exceed the amount listed below.

Model    Max Throughput    Max HTTPS Throughput
DC10     2 Mbps            500 Kbps
DC20     5 Mbps            1.25 Mbps
DC30     8 Mbps            2 Mbps
DC30X    20 Mbps           5 Mbps
DC40X    45 Mbps           12 Mbps
DC50X    100 Mbps          25 Mbps
DC60X    200 Mbps          50 Mbps

If the amount of HTTPS traffic exceeds 25% of maximum bandwidth, Network Composer will be outside of its operating specification. In this case, you may either purchase a more powerful Network Composer or an SSL Acceleration Network Composer model. SSL Acceleration Network Composer models come equipped with a Peripheral Component Interconnect (PCI) expansion card that contains co-processors. These co-processors perform part of the HTTPS/SSL Filtering, relieving the load on Network Composer. These models are called the DC30XS, DC40XS, DC50XS, and DC60XS.

Model     Max Throughput    Max SSL Throughput
DC30XS    20 Mbps           20 Mbps
DC40XS    45 Mbps           45 Mbps
DC50XS    100 Mbps          100 Mbps
DC60XS    200 Mbps          200 Mbps

If you are interested in purchasing a more powerful Network Composer or an SSL Accelerating Network Composer, please contact your reseller or Cymphonix sales at (801) 938-1500 option 1.

HTTPS/SSL Filtering also requires a live Internet connection, preferably active for at least 24 hours. A good practice is to install Network Composer and let the device collect data for at least 24 hours. This way you can verify via Report -> Application Overview -> HTTPS that the amount of HTTPS traffic is below 25% of Network Composer's maximum bandwidth specification before enabling HTTPS/SSL Filtering.

Lastly, Network Composer only supports HTTPS/SSL Filtering for web browsers that use SSL v2.0, SSL v3.0, and Transport Layer Security (TLS) v1.0. Current web browsers use these versions by default, but you may want to verify that your network's web browsers are updated.

In addition to the bandwidth and connection requirements, HTTPS/SSL Filtering requires that you enable two options under the Advanced Setup tab (Admin -> Configuration -> Advanced Setup) that allow Network Composer to support HTTPS/SSL filtering. These two options are HTTP Keep-Alive Mode and Enhanced Bridging Mode (EBM). HTTP Keep-Alive Mode allows Network Composer to use the same connection to send and receive multiple HTTP requests and responses, as opposed to opening a new connection for every single HTTP request or response. Using HTTP Keep-Alive Mode is essential for improving Web performance with HTTPS/SSL Filtering. EBM allows Network Composer to act as a transparent filter. As a transparent filter, Network Composer does not modify the Web request or response beyond what is required for authentication and identification. EBM also improves quality of service, delivering content at higher bandwidth and reducing transmission latency. If either of these options is not enabled, HTTPS/SSL Filtering is not possible.

One last requirement before enabling HTTPS/SSL Filtering is deciding which options to use. All HTTPS/SSL filtering is handled by TFRS. However, some of the HTTPS/SSL Filtering options determine which steps need to be performed first. For example, Full SSL Content Filtering requires additional configuration steps before enabling HTTPS/SSL Filtering. This option utilizes a digital certificate from Network Composer similar to those used by CAs. If you plan on utilizing Full SSL Content Filtering, you will need to deploy the certificate before enabling HTTPS/SSL Filtering. Please review the section entitled Installing Network Composer's Digital Certificate.

Enabling SSL Certificate-Based Filtering


Enabling SSL Certificate-Based Content Filtering allows you to filter HTTPS web sites based only on the certificate name present. You can also select Denied Access Page for SSL Certificate-Based Content Filtering to present users a redirection page for blocked HTTPS Web sites as well as Only Allow Trusted Certificate Authorities and Non-expired Certificates. To do this, you will first select an Internet Usage Rule (IUR).

Click Manage -> Policies & Rules -> Internet Usage Rules -> Default Usage Rules (or another group's usage rules). The first step is to alter an IUR for HTTPS/SSL Filtering by choosing a TFRS that can identify and filter HTTPS traffic. Select the Drop-Down Box for TFRS and choose a rule set that has SSL Filter as a component. This will then allow you to access the HTTPS/SSL Filtering tab. Network Composer has three default TFRS that filter HTTPS/SSL traffic. These TFRS are listed below with their corresponding targets. Please note that these are the default settings for the TFRS and can be changed or customized based on your needs. Please see the Tutorial Document entitled How to Manage Traffic Flow Rule Sets for more information (http://kb.cymphonix.com).

Web Filter + Deny IM + Anonymous Proxy Guard + SSL Filter


This TFRS performs content filtering, web logging, spyware scanning, virus scanning for both HTTP (Web Filter) and HTTPS traffic (SSL Filter). This TFRS also denies all IM Client conversations (Deny IM) and prohibits HTTP traffic on any port other than port 80 or the designated proxy ports and SSL traffic on any port other than port 443 (Anonymous Proxy Guard).

Web Filter + Anonymous Proxy Guard + SSL Filter


This TFRS performs content filtering, web logging, spyware scanning, virus scanning for both HTTP (Web Filter) and HTTPS traffic (SSL Filter). This TFRS also prohibits HTTP traffic on any port other than port 80 or a designated proxy port and SSL traffic on any port other than port 443 (Anonymous Proxy Guard).

Web Filter + SSL Filter


This TFRS performs content filtering, web logging, spyware scanning, and virus scanning for both HTTP (Web Filter) and HTTPS traffic (SSL Filter).

Depending upon how you would like to filter HTTPS traffic, you can choose the TFRS accordingly. Again, once you have selected a TFRS with SSL Filter, you can select options under the HTTPS/SSL Filtering tab. In this section, we will only be detailing the options for SSL Certificate-Based Filtering. Click on the HTTPS/SSL Filtering tab, and select the radio button for Enable SSL Certificate-Based Content Filtering. If you like, you can also select the check boxes for Enable Denied Access Page and Only Allow Trusted Certificate Authorities and Non-expired Certificates. You can also enter any URLs for the Filter Exemption List. Once modified, don't forget to save your changes. Once the IUR has been saved, make sure that the new rules are being applied to the group under the Policy Manager. You can review how to do this under Chapter 5: Managing Network Composer. You have now finished creating an Internet Usage Rule that will filter certificates for HTTPS Web sites and assigned it to the corresponding group. You can follow the previously mentioned steps to assign additional IURs that filter certificates for HTTPS web sites to other groups as well.

Network Composer's Digital Certificate


For Network Composer to fully scan HTTPS web sites, the device will need to inspect the data traversing the SSL connection between the user and the Web site. Consequently, deploying a third-party certificate to act as the middle man between the user and the secure Web site is the most effective method to allow the secure connection while examining the content. By deploying a third-party certificate from Network Composer to the user, a secure connection between the two is established. Network Composer then opens a separate secure connection between itself and the secure Web site or server. In this fashion, Network Composer acts as an SSL proxy, allowing the two connections to be fully inspected without dropping the connection (see the following diagram).

Figure 8.1 Network Composer Certificate

In essence, Network Composer establishes two SSL connections, one to the user and one to the web site. After these connections are established, the user sends the SSL request to Network Composer. Network Composer reviews the SSL request, verifies filtering rules, and then sends an SSL request on behalf of the user to the web site. This process allows Network Composer to fully inspect the SSL traffic from both the user and the responding web server.

Again, for this option to work correctly, users will need Network Composer's digital certificate installed in their individual Web browsers. This certificate can be downloaded from Network Composer under Admin -> Configuration -> Downloads -> SSL Authority Certificate or at http://IP address of Network Composer/downloads/cacert.cer. Although you can install the certificate individually for each user, this chapter has several options on how to deploy the certificate on a wider scale.

Lastly, you can also customize the certificate used for Full SSL Content Filtering. If you would prefer the certificate to display your company information, your company's organizational unit, or your contact information, you may modify these settings under Admin -> Configuration -> SSL Certificate Settings. If you make any errors or need to change the SSL Certificate Settings, you can select Clear SSL Certificates (Admin -> Utilities -> System Resets -> Clear SSL Certificates). This will set the SSL Certificate Settings back to the default settings. However, if you alter the SSL certificate in any form, make sure that users have the new finalized certificate before enabling Full SSL Filtering.

Installing Network Composer's Digital Certificate


Network Composer's certificate can be deployed individually on each computer's Web browser, or it can be deployed as a Group Policy Object (GPO) by Active Directory. The following sections describe how to perform each.

Deploying Network Composer's Certificate via Web Browsers


Network Composer's certificate can be downloaded and installed directly by your users into their Web browsers. A good practice is to download the certificate to a network share and have users install the certificate directly from the shared drive. Another option is to send an email to users with the certificate attached as a zipped file or with the URL of the certificate (http://IP address of Network Composer/downloads/cacert.cer). Once you have distributed the certificate, simply have users import it. Depending upon the users' OS or default web browser, the steps to install the certificate will differ. Below are email templates you can copy and use to instruct users how to install the certificate on Windows PCs using Internet Explorer and Firefox. Areas where you need to add information before sending the template are italicized and bold. For other Web browsers or operating systems you will need to research how to import digital certificates.

Email Template for Windows XP and Internet Explorer 6

As part of our efforts to better provide a secure work environment and offer users reliable Web access, we have decided to employ content filtering for Secure Hypertext Transfer Protocol (HTTPS). Although you may be unfamiliar with the term HTTPS, this protocol is used by web sites to secure information. However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to users and the network. Filtering HTTPS web sites will improve our ability to protect the network and ensure safe web browsing. You will need to import a digital certificate into your web browser that will allow you to access legitimate web sites that use HTTPS. Please click on the following link and save the certificate (cacert.cer) to your desktop: http://IP address of your Network Composer/downloads/cacert.cer. Or please download the following zipped attachment (cacert.cer) to your desktop. Then follow the instructions listed below to import the certificate. Thanks and have a nice day.

1. Open up Internet Explorer 6.
2. Click on Tools -> Internet Options.
3. Select the Content tab and click the Certificates button (this will bring up the Certificate dialog box).
4. Select the Trusted Root Certification Authorities tab and then click the Import button (this will bring up the Certificate Import Wizard).
5. Begin the Wizard by selecting Next and, when prompted, browse to the certificate you downloaded to your desktop.
6. If asked, allow Windows to automatically select the certificate store.
7. Complete the Certificate Import Wizard by selecting Next when prompted.
8. After you have completed the Certificate Import Wizard click the Finish button (you may receive a security warning about installing the certificate; select Yes to allow the import).

You have now completed the Certificate Import Wizard for Internet Explorer 6. You can delete the certificate file on your desktop.

Email Template for Windows XP and Internet Explorer 7

As part of our efforts to better provide a secure work environment and offer users reliable web access, we have decided to employ content filtering for Secure Hypertext Transfer Protocol (HTTPS). Although you may be unfamiliar with the term HTTPS, this protocol is used by web sites to secure information. However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to users and the network. Filtering HTTPS web sites will improve our ability to protect the network and ensure safe web browsing. You will need to import a digital certificate into your Web browser that will allow you to access legitimate web sites that use HTTPS. Please click on the following link and save the certificate (cacert.cer) to your desktop: http://IP address of your Network Composer/downloads/cacert.cer. Or please download the following zipped attachment (cacert.cer) to your desktop. Then follow the instructions listed below to import the certificate. Thanks and have a nice day.

1. Open up Internet Explorer 7.
2. Click on Tools -> Internet Options.
3. Select the Content tab and click the Certificates button (this will bring up the Certificate dialog box).
4. Select the Trusted Root Certification Authorities tab and then click the Import button (this will bring up the Certificate Import Wizard).
5. Begin the Wizard by selecting Next and, when prompted, browse to the certificate you downloaded to your desktop.
6. If asked, allow Windows to automatically select the certificate store.
7. Complete the Certificate Import Wizard by selecting Next when prompted.
8. After you have completed the Certificate Import Wizard click the Finish button (you may receive a security warning about installing the certificate; select Yes to allow the import).

You have now completed the Certificate Import Wizard for Internet Explorer 7. You can delete the certificate file on your desktop.

Email Template for Windows Vista and Internet Explorer 7

As part of our efforts to better provide a secure work environment and offer users reliable web access, we have decided to employ content filtering for Secure Hypertext Transfer Protocol (HTTPS). Although you may be unfamiliar with the term HTTPS, this protocol is used by web sites to secure information. However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to users and the network. Filtering HTTPS web sites will improve our ability to protect the network and ensure safe web browsing. You will need to import a digital certificate into your web browser that will allow you to access legitimate web sites that use HTTPS. Please click on the following link and save the certificate (cacert.cer) to your desktop: http://IP address of your Network Composer/downloads/cacert.cer. Or please download the following zipped attachment (cacert.cer) to your desktop. Then follow the instructions listed below to import the certificate. Thanks and have a nice day.

1. Open up Internet Explorer 7.
2. Click on Tools -> Internet Options.
3. Select the Content tab and click the Certificates button (this will bring up the Certificate dialog box).
4. Select the Trusted Root Certification Authorities tab and then click the Import button (this will bring up the Certificate Import Wizard).
5. Begin the Wizard by selecting Next and, when prompted, browse to the certificate you downloaded to your desktop.
6. When asked, place the certificate in the Trusted Root Certification Authorities store.
7. Complete the Certificate Import Wizard by selecting Next when prompted.
8. After you have completed the Certificate Import Wizard click the Finish button (you may receive a security warning about installing the certificate; select Yes to allow the import).

You have now completed the Certificate Import Wizard for Internet Explorer 7. You can delete the certificate file on your desktop.

Email Template for Windows XP/Vista and Firefox 2

As part of our efforts to better provide a secure work environment and offer users reliable web access, we have decided to employ content filtering for Secure Hypertext Transfer Protocol (HTTPS). Although you may be unfamiliar with the term HTTPS, this protocol is used by web sites to secure sensitive information. However, HTTPS can also be used fraudulently to conceal web traffic and pose a danger to users and the network. Filtering HTTPS web sites will improve our ability to protect the network and ensure safe web browsing. You will need to import a digital certificate into your web browser that will allow you to access legitimate web sites that use HTTPS. Please click on the following link and save the certificate (cacert.cer) to your desktop: http://IP address of your Network Composer/downloads/cacert.cer. Or please download the following zipped attachment (cacert.cer) to your desktop. Then follow the instructions listed below to import the certificate. Thanks and have a nice day.

1. Open up Firefox 2.
2. Click on Tools -> Options.
3. Select the Encryption tab and click the View Certificates button (this will bring up the Certificate Manager box).
4. Select the Authorities tab and then click the Import button.
5. Browse to your desktop and select the certificate you just downloaded.
6. Select Trust this CA to identify web sites.
7. Click OK twice to complete the import.

You have now completed the Certificate Import Wizard for Firefox. You can delete the certificate file on your desktop.

Deploying Network Composer's Certificate via Active Directory


Again, follow the previous steps to download the certificate and place it on the local drive of the Active Directory server. Once you have done that, follow the subsequent steps.

1. Log on to your Domain or Active Directory server.
2. Open a Windows Run Prompt (Start -> Run).
3. In the Open field type "mmc" (Microsoft Management Console).
4. Click OK.
5. In the File menu select Add/Remove Snap-in.

Figure 8.2 Console Prompt

6. Click the Add button.
7. Scroll down and select Group Policy Object Editor.

Figure 8.3 Add Standalone Snap-in

8. Click the Add button (this will launch the Group Policy Object Wizard).
9. Press the Browse button.
10. Select Default Domain Policy.
11. Click OK.

Figure 8.4 Group Policy Object

12. Click Finish on the Add Group Policy Wizard.
13. Close the Add Standalone Snap-in dialog box.
14. Click OK on the Add/Remove Snap-in dialog box (you should now be looking at the MMC screen with the Console Root folder above the new Default Domain Policy you have just added).

Figure 8.5 Console Root

15. Expand the Default Domain Policy.
16. Expand the Computer Configuration option.
17. Expand the Windows Settings option.
18. Expand the Security Settings option.
19. Expand the Public Key Policies.
20. Select the Trusted Root Certification Authorities.
21. In the Action menu, select Import (this will launch the Import Wizard).

Figure 8.6 Group Policy Object Editor

22. Click the Next button.
23. Browse to where you downloaded Network Composer's certificate (unless you have changed the title, the certificate is entitled cacert.cer).
24. Click the Next button.
25. Make sure the Place All Certificates in the Following Store radio button is selected.
26. Make sure the Certificate Store is Trusted Root Certification Authorities.
27. Click the Next button (the Import Wizard will now display a summary of the import process).
28. Click the Finish button.
29. The Import Wizard will inform you if the import was successful.

You have now finished deploying Network Composer's certificate either via a direct import or via Active Directory's GPO. Now that you have completed these steps, you are ready to enable Full SSL Content Filtering. You can also enable Only Allow Trusted Certificate Authorities and Non-Expired Certificates.

Enabling Full SSL Content Filtering


Now that you have installed Network Composer's certificate, you will need to contact Cymphonix Technical Support to enable Full SSL Filtering. Because Full SSL Filtering requires additional steps, this option is only available after a certified Cymphonix Technician reviews the device settings. This precaution has been taken to avoid unnecessary interruption with secure Web sites. You can contact Cymphonix Technical Support at (801) 938-1500 option 2. Once approved by a support technician, he/she will ask you which Internet Usage Rules will have Full SSL Content Filtering.

Afterwards, you can review the settings under Manage -> Policy & Rules -> Internet Usage Rules -> Default Usage Rules (or another group's usage rules). Select the Traffic Flow Rule Set Drop-Down Box and choose a TFRS that lists the component SSL Filter. After a TFRS with SSL Filter has been selected, the HTTPS/SSL Filtering tab is accessible. Click on the tab, and confirm that the radio button for Enable Full SSL Content Filtering is selected. If you like, you can also select the check box next to Only Allow Trusted Certificate Authorities and Non-Expired Certificates. In addition, you can enter the URLs for the Filter Exemption list. Again, don't forget to Save your changes and apply the IUR to the correct groups under Policy Manager.

Please note that if you clear the SSL Certificate under Admin -> Utilities -> System Resets or alter the certificate under Admin -> Configuration -> SSL Certificate Settings, you will need to deploy the new certificate to users' Web browsers.

Confirming Network Composer's Digital Certificate


Now that you have deployed Network Composer's certificate, and you have finished configuring Network Composer for Full SSL Content Filtering, the last item to verify is that Network Composer's digital certificate is working correctly. You can do this by browsing to a secure Web site (https) and viewing the digital certificate on the page. You can click on the padlock icon located at the end of the URL of the web site and select View certificates. Once selected, make sure that the digital certificate is issued by the Certificate Common Name from Network Composer (Admin -> Configuration -> SSL Certificate Settings).
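As an added example, not from the guide or the product, the following Python script performs the same confirmation programmatically, using the certificate dictionary that Python's ssl module returns from getpeercert(). The expected issuer common name "Network Composer" is a placeholder for whatever you configured under SSL Certificate Settings, the two sample certificate dictionaries are constructed for this example, and fetch_peer_cert is only needed for a live check from a filtered workstation; it also applies the non-expired check that the Only Allow Trusted Certificate Authorities and Non-Expired Certificates option performs on the appliance.

```python
import calendar
import socket
import ssl
import time
from typing import Dict, Optional, Tuple

# Placeholder for the Certificate Common Name configured under
# Admin -> Configuration -> SSL Certificate Settings (assumed value, not from the guide).
EXPECTED_ISSUER_CN = "Network Composer"


def rdn_value(name: Tuple, attribute: str) -> Optional[str]:
    """Extract one attribute (e.g. 'commonName') from a getpeercert() subject/issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None


def epoch(year: int, month: int, day: int) -> float:
    """UTC calendar date -> POSIX seconds, used as the 'now' argument below."""
    return float(calendar.timegm((year, month, day, 0, 0, 0)))


def check_peer_cert(cert: Dict, expected_issuer_cn: str, now: float) -> Dict[str, object]:
    """Report on a certificate dict in the shape ssl.SSLSocket.getpeercert() returns:
    who issued it, whether that issuer is the appliance CA (i.e. the connection is
    being intercepted as intended), and whether it is inside its validity window."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    subject_cn = rdn_value(cert.get("subject", ()), "commonName")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject_cn": subject_cn,
        "issuer_cn": issuer_cn,
        "intercepted": issuer_cn == expected_issuer_cn,
        "valid_now": not_before <= now < not_after,
        "days_left": int((not_after - now) // 86400),
    }


def fetch_peer_cert(host: str, port: int = 443, cafile: Optional[str] = None) -> Dict:
    """Live check from a filtered workstation: open a TLS connection and return the
    certificate the client actually received. If the appliance CA is not yet in the
    system trust store, pass cafile=<cacert.cer converted to PEM>; otherwise the
    handshake fails with a verification error, which is itself a useful signal."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format: one as a browser behind the appliance
# would see it (issued by the appliance CA), one as seen on an exempt or direct path.
SAMPLE_INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Org"),), (("commonName", "Network Composer"),)),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Jan  1 00:00:00 2010 GMT",
}
SAMPLE_DIRECT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Some Public CA"),),),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Jan  1 00:00:00 2010 GMT",
}

if __name__ == "__main__":
    for label, cert in (("intercepted", SAMPLE_INTERCEPTED_CERT), ("direct", SAMPLE_DIRECT_CERT)):
        print(label, check_peer_cert(cert, EXPECTED_ISSUER_CN, epoch(2009, 1, 1)))
    # Uncomment on a filtered workstation for a live check against a real site:
    # print(check_peer_cert(fetch_peer_cert("www.example.com"), EXPECTED_ISSUER_CN, time.time()))
```

A site that shows "intercepted": False from a filtered workstation is either on the HTTPS/SSL Filter Exemption List, not covered by an IUR with SSL Filter, or reaching the Internet by a path that does not pass through the appliance; checking it from that workstation distinguishes a certificate deployment problem from a policy one.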

Reporting on HTTPS/SSL Web Sites


After you have enabled HTTPS/SSL Filtering, you can report on HTTPS/SSL web sites. Click on Report -> Internet Usage -> Web Hits Overview -> Allowed. This will post all allowed Web hits within the past 24 hours. In the top right-hand corner of the report is a reporting option entitled Encryption Type. By default this option is set to No Filter, which will post all Web hits. Select that option and choose SSL. The report will then display all HTTPS/SSL Web site hits within the last 24 hours. You can then adjust the report to correlate and filter for specific users, time frames, etc. Wherever the option Encryption Type is displayed, you can adjust reporting to display HTTPS/SSL Web sites.

Viewing Sensitive Content on HTTPS/SSL Web Sites


SSL operates by opening a tunnel session and passing information using a public and private key for transmission. Although Web sites that use SSL can be monitored and filtered using Network Composer, items such as passwords, bank account numbers, and social security numbers are normally encrypted at an additional layer within the SSL tunnel. As such, Network Composer normally cannot decipher these items. Typically Network Composer will only capture the URL and Hypertext Markup Language (HTML) of the web site accessed and not the additional encrypted items. However, if you are concerned about sensitive content being captured by Network Composer, you can list Web sites in the HTTPS/SSL Filter Exemption List. Web sites listed in the HTTPS/SSL Exemption List will not be filtered, monitored, or decrypted in any form. For more information, please review the section HTTPS/SSL Filter Exemption List. This concludes the chapter on HTTPS/SSL Filtering. If you need further assistance with this or any other component of Network Composer, please read the following section on getting help.

Customer Support and Feedback


Getting Help
For additional help, please consult the Cymphonix Knowledge Base (http://kb.cymphonix.com). Additionally, contact your Authorized Cymphonix Reseller for additional support. Cymphonix Premium Support Services are also available for:
Configuration & Installation Guidance
Network Composer Training
Technical Support Services

For more information or to purchase Cymphonix Premium Support Services, contact Cymphonix at support@cymphonix.com or by phone at (801) 938-1500 option 2. Please have the following information ready:
Total bandwidth
Total # of network nodes and Directory Users
Network Composer model & serial number
Network Composer firmware version
A network topology diagram
Presence of VLANs, proxy servers, remote subnets
What symptoms or issues you are experiencing

We Welcome Your Feedback
We welcome your comments on Network Composer and your ideas for modifications or feature requests. Contact us at feature@cymphonix.com. Please identify the Network Composer model you are using and tell us how we can reach you.

Appendix A: Web Filtering Categories


Network Composer has several distinct layers to identify and filter web sites depending upon the settings you employ on the device. Among the most distinct layers are URL checks against database entries, key-word searches, real-time analysis of web page context, digital certificate scans, and full payload decryption of HTTPS/SSL traffic. These distinct layers allow Network Composer to quickly categorize well-known web sites while providing a more in-depth identification for new, indistinct and constantly changing Web sites. If you would like to confirm the categorization of a web site, you can use the diagnostic tool /?webFilterCategory. To use this tool, go to any computer that is being filtered by Network Composer and open a web browser. Enter the URL of the web site whose categorization you want to confirm, and append to it the phrase /?webFilterCategory, i.e., http://www.google.com/?webFilterCategory. This will post the Web Filter Category Report and list the categorization of the web page and which component (URL database, key-word search, or content analysis) categorized the site. If you would like to re-categorize a web site, you can use the Custom Category Rules menu (Admin -> Configuration -> Custom Category Rules) or submit the URL to http://www.cymphonix.com/category. The following table lists the available categories, together with the filtering level typically applied to each. Each category is followed by a brief description of the type of content it contains and some web site examples.

Category: Adult
Filtering (Typical): Unacceptable
Description: These are sites directed to adults, not necessarily pornographic sites. Adult clubs: strip clubs, swingers clubs, escort services, strippers; general information about sex, non-pornographic in nature; genital piercing; adult products, adult greeting cards; information about sex not in the context of health or disease.
Examples: fhm.com, cybereroticanews.com

Category: Alcohol and Tobacco
Filtering (Typical): Non-business
Description: Beer, wine, spirits: beer and wine making, cocktail recipes, liquor sellers, wineries, vineyards, breweries; mixed drinks, drinking establishments; tobacco; pipes and smoking products. Also Tobacco.
Examples: budweiser.com, philipmorrisusa.com

Category: Arts and Entertainment
Filtering (Typical): Non-business
Description: Galleries and exhibitions; artists and art; photography; literature and books, publishing; movies; performing arts and theater; music and radio; television; celebrities and fan sites; design; architecture; entertainment news, venues; humor. Also Entertainment.
Examples: disney.com, mgm.com

Category: Automatic Updating
Filtering (Typical): Non-business
Description: Web pages that monitor activities and automatically update page content on a regular basis, such as stock tickers or weather reports.
Examples: ticker.nasdaq.com, pub.weatherbug.com

Category: Business and Industry
Filtering (Typical): Business
Description: Sites involved in business-to-business transactions of all kinds. Advertising, marketing, commerce, corporations, business practices, workforce, human resources, transportation, payroll, security, venture capital, etc; office supplies; industrial equipment (process equipment), machines and mechanical systems; heating equipment, cooling equipment; materials handling equipment; packaging equipment; manufacturing: solids handling, metal fabrication construction and building; passenger transportation; commerce; industrial design; construction, building materials; industrial design; shipping and freight: freight services, trucking, freight forwarders, truckload carriers, freight/transportation brokers, expedited services, load & freight matching, track & trace, NVOCC, railroad shipping, ocean shipping, road feeder services, moving & storage. Also Industry.
Examples: dow.com, ussteel.com

Category: Cars and Motorcycles
Filtering (Typical): Non-business
Description: Sites about personal transportation; information about cars and motorcycles; shopping for new and used cars and motorcycles; car clubs; boats, RVs, etc. (Note: auto and motorcycle racing is categorized as Sports and Recreation). Also Motorcycles.
Examples: autobytel.com, autos.msn.com

Category: Cheating and Plagiarism
Filtering (Typical): Non-business
Description: Sites promoting cheating and selling written work (e.g. term papers) for plagiarism. Also Plagiarism.
Examples: cheathouse.com, bestpapers.com

143

Computers and Internet (Business)
Description: Information about computers and software such as: hardware, software, software support sites; information for software engineers, programming and networking; website design, and the web and Internet in general; computer science; computer graphics and clipart. Also Internet.
Examples: dell.com, update.microsoft.com

Crime (Business)
Description: Sites related to crime, crime reporting, law enforcement, crime statistics, etc.
Examples: crime.com, terrorism.com

Criminal Related (Non-business)
Description: Pages that promote crime such as stealing, fraud, phreaking and cracking; warez and pirated software; computer viruses; terrorism, bombs, and anarchy; sites depicting murder and suicide as well as explaining ways to commit them.
Examples: illegalworld.com, anarchistcookbook.com

Cults (Non-business)
Description: Cults and cult behavior.
Examples: kimmillerconcernedchristians.com, heavensgate.com

Dating (Unacceptable)
Description: Dating sites, online personals, matrimonial agencies, etc., for adults.
Examples: eharmony.com, friendfinder.com

Dining and Drinking (Non-business)
Description: Eating and drinking establishments; restaurants, bars, taverns, brewpubs, restaurant guides and reviews.
Examples: pizzahut.com, mortons.com

Education (Business)
Description: Education-related sites and web pages such as schools, colleges, universities, teaching materials, teachers' resources; technical and vocational training; online training; education issues and policy; financial aid; school funding; standards and testing.
Examples: usc.edu, nyu.edu

Filter Avoidance (Unacceptable)
Description: Web pages that promote and aid undetectable and anonymous surfing.
Examples: proxify.com, proxyblind.org

Finance (Business)
Description: Sites and information that are primarily financial in nature such as: accounting practices and accountants; taxation; banking; insurance; investing: information relating to the stock market, stocks, bonds, mutual funds, brokers, stock analysis and commentary, stock screens, stock charts, IPOs, stock splits; the national economy; personal finance involving insurance of all types; credit cards; retirement and estate planning; loans; mortgages; taxes.
Examples: nasdaq.com, wellsfargo.com

FYI (Business)
Description: City and state guides; maps, weather, time; reference sources; dictionaries; libraries; museums; ski conditions; personal information; mass transportation: consumer mass transit information (bus, commuter train, subway, airport), maps, schedules.
Examples: maps.google.com, weather.com

Gambling (Non-business)
Description: Casinos and online gambling sites; bookmakers and odds; gambling advice; horse and dog racing in a gambling context; sports book; sports gambling.
Examples: partypoker.com, bodog.com

Games (Non-business)
Description: Various card games, board games, word games, video games; computer games, Internet games (RPGs and D&D); combat games; sports games; downloadable games; game reviews; cheat sheets.
Examples: games.yahoo.com, worldofwarcraft.com

Gay and Lesbian (Non-business)
Description: Gay, lesbian, bisexual, transgender: gay family, gay parenting, coming out, gay pride sites; gay civil rights, politics, sports, clubs and events, travel and accommodations, leisure activities; gay bars.
Examples: gay.com, gayamerica.com

Government and Law (Business)
Description: Foreign relations; news and information relating to politics and elections such as: politics, political parties, election news and voting; sites and information relating to the field of law such as: attorneys, law firms, law publications, legal reference material, courts, dockets, legal associations; legislation and court decisions; civil rights issues; immigration; patents and copyrights; sites and information relating to law enforcement and correctional systems; sites relating to the military such as: the armed forces, military bases, military organizations, and military equipment; antiterrorism. Also Law.
Examples: foreignaffairs.org, firstgov.gov

Hacking (Non-business)
Description: Sites discussing ways to hack into web sites, software, and computers.
Examples: elitehackers.com, hackerstuff.com

Hate Speech (Unacceptable)
Description: Hate-related sites, involving racism, sexism, racist theology; hate music; Christian identity religions; World Church of the Creator; Neo-Nazi organizations: Aryan Nations, American Nazi parties, Neo-Nazis, Ku Klux Klan, National Alliance, White Aryan Resistance, white supremacists; National Socialist Movement; Holocaust denial.
Examples: kkk.com, blacksandjews.com

Health and Nutrition (Non-business)
Description: Health care; disease and disabilities; medical care; hospitals; doctors; medicinal drugs; mental health; psychiatry; pharmacology; exercise and fitness; physical disabilities; vitamins and supplements; sex in a context of health (disease and health care); tobacco use, alcohol use, drug use, and gambling in a context of health (disease and health care); food in general; food and beverage; cooking and recipes; food and nutrition, health, dieting.
Examples: efitness.com, emedicine.com

Illegal Drugs (Non-business)
Description: Information about recreational drugs, drug paraphernalia, marijuana seeds; advice on how to grow marijuana.
Examples: weedcity.com, cannabis.com

Instant Messaging (Non-business)
Description: Web-based instant messaging.
Examples: messenger.yahoo.com, meebo.com

Job Search (Non-business)
Description: Career advice; advice on resume writing and interviewing skills; job placement services; job databanks; employment and temp agencies; employer sites.
Examples: dice.com, monster.com

Lingerie (Unacceptable)
Description: Intimate apparel, especially when modeled.
Examples: victoriasecret.com, pamperedpassions.com

Lottery and Sweepstakes (Non-business)
Description: Sweepstakes, contests and lotteries.
Examples: powerball.com, calottery.com

Miscellaneous (Non-business)
Description: Cannot be categorized, often because the web page is secured from outside visibility or there is either no text or too little text to assess it.
Examples: none listed.

Nature (Non-business)
Description: Natural resources; ecology and conservation; forests; wilderness; plants; flowers; forest conservation; forest, wilderness, forestry practices; forest management (re-forestation, forest protection, conservation, harvesting, forest health, thinning, prescribed burning); agricultural practices: agriculture, gardening, horticulture, landscaping, planting, weed control, irrigation, pruning, harvesting; pollution issues: air quality, hazardous waste, pollution prevention, recycling, waste management, water quality, environmental clean-up industry; animals, pets, livestock, zoology; biology; botany.
Examples: peta.org, nature.org

News (Non-business)
Description: News, headlines, newspapers; TV station wireless.
Examples: nytimes.com, msnbc.com

Non-mainstream (Non-business)
Description: Non-mainstream approaches to life. Occult practices: esoteric magic, voodoo, witchcraft, casting spells; fortune telling practices: I Ching, numerology, psychic advice, Tarot; paranormal: out of body, astral travel, séances; astrology, horoscopes; UFOs and aliens; gay, lesbian and bisexual: gay family, gay parenting, coming out, gay pride sites, civil rights issues, politics, sports, clubs and events, travel and accommodations, leisure activities; gay bars.
Examples: tarot.com, psychic.com

Non-sexual nudity (Unacceptable)
Description: Nudism/nudity; nudist camps; artistic nudes.
Examples: barenakedgallery.com, fineartnude.com

Online Communities (Non-business)
Description: Personal web pages; affinity groups; special interest groups; professional organizations for social purposes; personal photo collections; web newsgroups.
Examples: myspace.com, facebook.com

Online Trading (Non-business)
Description: Online brokerages, sites which afford the user the ability to trade stocks online.
Examples: franklintrading.com, ameritrade.com

Peer File Transfer (Non-business)
Description: Peer-to-peer file request sites. This category does not track the file transfers themselves.
Examples: torrentz.com, piratebay.com

Porn (Non-business)
Description: Sexually explicit text or depictions. Includes the following: nude celebrities; anime and XXX cartoons; general XXX depictions; material of a sexually violent nature (bondage, domination, sadomasochism, torture, rape, spanking, snuff, fantasy death, necrophilia); other fetish material (foot/legs, infantilism, balloon sex, latex gloves, enema, pregnant women, pony-play, BBW, bestiality); XXX chat rooms; sex simulators; gay pornography; sites that offer strip poker; adult movies; lewd art; web-based pornographic e-mail.
Examples: hustler.com, penthouse.com

Real Estate (Non-business)
Description: Information that would support the search for real estate. This includes: office and commercial space; real estate listings: rentals, apartments, homes; house building; roommates, etc.
Examples: remax.com, century21.com

Science and Technology (Non-business)
Description: Sites involving science and technology: aerospace, electronics, engineering, mathematics, etc.; space exploration; meteorology; geography; environment; energy: oil, nuclear, wind, sun; communications: telephones, telecomm. Also Technology.
Examples: space.com, ieee.org

Search Engines and Portals (Business)
Description: Web directories and search engines that often serve as home pages such as Excite, MSN, Alta Vista, and Google.
Examples: google.com, msn.com

Sex Education and Abortion (Unacceptable)
Description: Sexual health; information about, or descriptions of, abortion procedures such as: abortion pills, medical abortions, surgical abortions; abortion clinics and abortion providers.
Examples: abortion.com, prolife.com

Shopping (Non-business)
Description: Auctions; bartering; online purchasing; coupons and free offers; yellow pages; classified ads; general office supplies; online catalogs; online malls.
Examples: ebay.com, amazon.com

Social Science (Non-business)
Description: Sites related to: archaeology; anthropology; cultural studies; economics; history; linguistics; philosophy; political science; psychology; theology; women's studies.
Examples: civilwar.com, ssrc.org

Society and Culture (Non-business)
Description: Family and relationships; religions, ethnicity and race, social organizations; genealogy; seniors; clothing and fashion; spas; hair salons; cosmetics (skin care for diseases or conditions may be categorized as Health and Nutrition); hobbies; do-it-yourself; toys for kids; model and remote control cars; toy soldiers.
Examples: unitedway.org, goodhousekeeping.com

Spiritual Healing (Non-business)
Description: Spiritual healing; alternative approaches to health, both physical and mental.
Examples: aetherius.org, enhancedhealing.com

Sports and Recreation (Non-business)
Description: All sports, professional and amateur; recreational activities; hunting; fishing; fantasy sports; gun and hunting clubs; public parks; amusement parks; water parks; theme parks; zoos and aquariums.
Examples: espn.com, si.com

Streaming Media (Non-business)
Description: Sites that involve: net radio; net TV; web casts; streaming audio; streaming video.
Examples: xmradio.com, sirius.com

Tasteless or Obscene (Unacceptable)
Description: Sites that offer tasteless, often gory photographs such as autopsy photos, photos of crime scenes, crime or accident victims; sites displaying excessive obscene material.
Examples: facesofdeath.com, torture-museum.com

Tattoos (Non-business)
Description: Pictures and text relating to body modification; tattoos and piercing venues; articles and information about tattoos and piercing; body painting.
Examples: tatoo.com, tattoofinder.com

Travel (Non-business)
Description: Business and personal travel: travel information; travel resources; travel agents; vacation packages; cruises; lodging and accommodations; travel transportation: flight booking, airfares, renting cars; vacation homes.
Examples: travelocity.com, hotels.com

Uncategorized (Non-business)
Description: Cannot be categorized, often because the web page is secured from outside visibility or there is either no text or too little text to assess it.
Examples: none listed.

Vice (Non-business)
Description: Sites involving illegal drugs, alcohol, tobacco, and gambling.
Examples: viceland.com, vbs.tv

Violence (Unacceptable)
Description: Sites related to violence and violent behavior.
Examples: psfights.com, realfights.com

Weapons (Business)
Description: Sites or information relating to the purchase or use of conventional weapons such as: gun sellers; gun auctions; gun classified ads; gun accessories; gun shows; gun training; general information about guns; other weapons (e.g., knives, brass knuckles) may be included.
Examples: nrahq.org, remington.com

Web Hosting (Business)
Description: Sites that provide web site hosting services.
Examples: webmasters.com, rackspace.com

Web Messaging (Non-business)
Description: General use of the web for messages: e-cards, online meetings, message boards, etc.
Examples: bluemountain.com, ecards.com

Web-based Chat (Non-business)
Description: Web-based chat sites.
Examples: chatango.com, boldchat.com

Web-based Email (Non-business)
Description: Email portals and email messages ported through the web.
Examples: hotmail.com, webmail.aol.com

Young Child (Non-business)
Description: Sites directed toward and specifically approved for young children.
Examples: groovygirls.com, pbskids.org

Appendix B: MIME Types


The following lists contain the MIME types you can block on your network.

MIME type: application/*
application/EDI-Consent application/EDI-X12 application/EDIFACT application/activemessage application/andrew-inset application/applefile application/atomicmail application/batch-SMTP application/beep+xml application/cals-1840 application/cnrp+xml application/commonground application/cpl+xml application/cybercash application/dca-rft application/dec-dx application/dicom application/dns application/dvcs application/epp+xml application/eshop application/fits application/font-tdpfr application/http application/hyperstudio application/iges application/im-iscomposing+xml application/index application/index.cmd application/index.obj application/index.response application/index.vnd application/iotp application/ipp application/isup application/mac-binhex40 application/macwriteii application/marc application/mathematica application/mikey application/mpeg4-generic application/msword application/news-message-id application/news-transmission application/ocsp-request application/ocsp-response application/octet-stream application/oda application/ogg application/parityfec application/pdf application/pgp-encrypted application/pgp-keys application/pgp-signature application/pidf+xml application/pkcs10 application/pkcs7-mime application/pkcs7-signature application/pkix-cert application/pkix-crl application/pkix-pkipath application/pkixcmp application/postscript application/prs.alvestrand.titrax-sheet application/prs.cww application/prs.nprend application/prs.plucker application/qsig application/rdf+xml application/reginfo+xml application/remote-printing application/riscos application/rtf application/samlassertion+xml application/samlmetadata+xml application/sbml+xml application/sdp application/set-payment application/set-payment-initiation application/set-registration application/set-registration-initiation application/sgml application/sgml-open-catalog application/sieve application/simple-message-summary application/slate application/soap+xml application/spirits-event+xml application/timestamp-query application/timestamp-reply application/tve-trigger application/vemmi application/watcherinfo+xml application/whoispp-query application/whoispp-response application/wita application/wordperfect5.1 application/x400-bp application/xhtml+xml application/xml application/xml-dtd application/xml-external-parsed-entity application/xmpp+xml application/xop+xml application/zip

MIME type: audio/*
audio/32kadpcm audio/3gpp audio/AMR audio/AMR-WB audio/CN audio/DAT12 audio/DVI4 audio/EVRC audio/EVRC-QCP audio/EVRC0 audio/G.722.1 audio/G722 audio/G723 audio/G726-16 audio/G726-24 audio/G726-32 audio/G726-40 audio/G728 audio/G729 audio/G729D audio/G729E audio/GSM audio/GSM-EFR audio/L16 audio/L20 audio/L24 audio/L8 audio/LPC audio/MP4A-LATM audio/MPA audio/PCMA audio/PCMU audio/QCELP audio/RED audio/SMV audio/SMV-QCP audio/SMV0 audio/VDVI audio/basic audio/clearmode audio/dsr-es201108 audio/dsr-es202050 audio/dsr-es202211 audio/dsr-es202212 audio/iLBC audio/mpa-robust audio/mpeg audio/mpeg4-generic audio/parityfec audio/prs.sid audio/telephone-event audio/tone

MIME type: image/*
image/cgm image/fits image/g3fax image/gif image/ief image/jp2 image/jpeg image/jpm image/jpx image/naplps image/png image/prs.btif image/prs.pti image/t38 image/tiff image/tiff-fx

MIME type: message/*
message/CPIM message/delivery-status message/disposition-notification message/external-body message/http message/news message/partial message/rfc822 message/s-http message/sip message/sipfrag message/tracking-status

MIME type: model/*
model/iges model/mesh model/vrml

MIME type: multipart/*
multipart/alternative multipart/appledouble multipart/byteranges multipart/digest multipart/encrypted multipart/form-data multipart/header-set multipart/mixed multipart/parallel multipart/related multipart/report multipart/signed multipart/voice-message

MIME type: text/*
text/calendar text/css text/directory text/dns text/enriched text/html text/parityfec text/plain text/prs.fallenstein.rst text/prs.lines.tag text/rfc822-headers text/richtext text/rtf text/sgml text/t140 text/tab-separated-values text/uri-list text/xml text/xml-external-parsed-entity

MIME type: video/*
video/3gpp video/BMPEG video/BT656 video/CelB video/DV video/H261 video/H263 video/H263-1998 video/H263-2000 video/H264 video/JPEG video/MJ2 video/MP1S video/MP2P video/MP2T video/MP4V-ES video/MPV video/SMPTE292M video/mpeg video/mpeg4-generic video/nv video/parityfec video/pointer video/quicktime

Appendix C: File Types


The following lists contain the file types you can block on your network.

File type: file extension(s)
Active Server Page: .asmx .asp .aspx
ActiveX Control: .ocx
Address Book: .pab
Audio: .aiff .m4a .mid .midi .mp3 .mpu .ra .ram .wav .wma .aac
CGI Script: .cgi
Cascading Style Sheet: .css
Comma Separated Value: .csv
Compressed: .arc .gz .gzip .hqx .rar .sea .sit .z .zip
DOS Batch: .bat
Database: .db .mdb
Disk Image: .dmg .img
Document: .pdf .rtf .wpd .wpt
Dynamic Link Library: .dll
eBook: .lit
Executable: .exe
File Shortcut: .lnk
Filemaker Pro: .fpt
Flash: .swf
FoxPro: .dbx
HTML: .html
Icon: .ico
Image: .bmp .gif .jpe .jpeg .jpg .pct .png .tga .tiff
Initialization: .ini
Internet Certificate: .cer
Java Archive: .jar
JavaScript: .js
Log: .log
Lotus: .wk1
Lotus Database: .ns2 .ns3 .ns4
MIME: .mim .mime
Macro: .wpm
Metafile: .wmf
Microsoft Project: .mpp
Microsoft Publisher: .pub
Outlook: .pst
PHP: .php .php3 .php4
PageMaker: .p65
Perl Script: .pl
Photoshop: .psd
Postscript: .ps
PowerPoint: .pps .ppt
Quark Express: .qxd
SQL: .sql
Spreadsheet: .xls .xlt .xlw
Swap: .sqp
Tar: .tar
Text: .txt
Uuencoded: .uu .uue
Video: .avi .moov .mov .mp4 .mpeg .mpg .qt .rm .wmv
Visio: .vsd
Windows Help: .hlp
Word Document: .doc
Word Template: .dot
XML: .xml
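How a MIME-type and file-extension blocklist like the ones in Appendix B and Appendix C is matched, and the gap it leaves, as an added example. This is not Cymphonix code and does not describe how Network Composer itself evaluates these lists. Both the Content-Type header and the file name in the URL are chosen by the server that sends the response, so a blocklist applied to them alone is bypassed by relabelling: an executable served as image/jpeg under photo.jpg, or a zip archive served as text/plain. The example therefore checks the declared type and the URL extension, and then the first bytes of the body against well-known file signatures. The blocklists, the signature table and the sample responses are all constructed for this example, and the function names are its own.

```python
"""Declared-type vs. actual-content check for a MIME / file-extension blocklist.
Added example, not Cymphonix code. The blocklists are a small constructed
policy drawn from the Appendix B and C lists; the sample responses are
constructed; how Network Composer itself matches these lists is not assumed."""
import posixpath
from urllib.parse import urlparse

# Constructed policy: a handful of entries from Appendix B (MIME) and C (extensions).
BLOCKED_MIME = {"application/octet-stream", "application/zip", "application/msword"}
BLOCKED_EXT = {".exe", ".dll", ".bat", ".zip", ".swf"}

# Well-known leading bytes of common file formats, mapped to the MIME type and
# extension the content really is. The mapping is this example's assumption.
MAGIC = (
    (b"MZ", "application/octet-stream", ".exe"),            # PE executable (.exe/.dll)
    (b"PK\x03\x04", "application/zip", ".zip"),             # zip archive
    (b"%PDF", "application/pdf", ".pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png", ".png"),
    (b"GIF8", "image/gif", ".gif"),
    (b"\xff\xd8\xff", "image/jpeg", ".jpg"),
    (b"FWS", "application/x-shockwave-flash", ".swf"),      # uncompressed Flash
    (b"CWS", "application/x-shockwave-flash", ".swf"),      # zlib-compressed Flash
)


def normalize_mime(header: str) -> str:
    """'Application/OCTET-Stream; charset=binary' -> 'application/octet-stream'."""
    return header.split(";", 1)[0].strip().lower()


def url_extension(url: str) -> str:
    """Extension of the URL path only; the query string is ignored."""
    return posixpath.splitext(urlparse(url).path)[1].lower()


def sniff(body_prefix: bytes):
    """Return (mime, ext) for a recognised signature, else None."""
    for magic, mime, ext in MAGIC:
        if body_prefix.startswith(magic):
            return mime, ext
    return None


def classify(url: str, content_type: str, body_prefix: bytes) -> tuple:
    """Decide block/allow. The declared Content-Type and the URL extension are
    both chosen by the server, so a renamed executable or a mislabelled archive
    passes those two checks; the leading bytes of the body are checked last."""
    mime = normalize_mime(content_type)
    ext = url_extension(url)
    if mime in BLOCKED_MIME:
        return "block", f"declared Content-Type {mime} is blocked"
    if ext in BLOCKED_EXT:
        return "block", f"URL extension {ext} is blocked"
    sniffed = sniff(body_prefix)
    if sniffed is not None:
        real_mime, real_ext = sniffed
        if real_mime in BLOCKED_MIME or real_ext in BLOCKED_EXT:
            return "block", (f"body is {real_mime} ({real_ext}) but was declared "
                             f"{mime} at {ext or 'no extension'}")
    return "allow", f"{mime} {ext or '(no extension)'} passed"


# Constructed responses: (URL, Content-Type header, first bytes of the body).
SAMPLES = (
    ("http://files.example/report.pdf", "application/pdf", b"%PDF-1.4\n"),
    ("http://files.example/setup.exe", "application/octet-stream", b"MZ\x90\x00\x03"),
    ("http://files.example/photo.jpg", "image/jpeg", b"MZ\x90\x00\x03"),               # renamed .exe
    ("http://files.example/notes.txt", "text/plain; charset=utf-8", b"PK\x03\x04\x14\x00"),  # zip as text
    ("http://files.example/logo.png", "image/png", b"\x89PNG\r\n\x1a\n"),
)


def run_samples() -> list:
    """Decisions for SAMPLES, in order."""
    return [classify(url, ctype, body)[0] for url, ctype, body in SAMPLES]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], *classify(*sample))
```

The third and fourth samples are the ones that matter: the declared type and the extension are both clean, and only the signature check catches them. Signature sniffing has its own limits (polyglot files, formats with no fixed header), so it complements a blocklist rather than replacing it.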

Appendix D: Cymphonix CIDR Cheat Sheet


Classless Inter-Domain Routing (CIDR) is the current way of writing IP addresses and subnet masks. It replaced classful networks, which allocated address blocks only on 8-bit (octet) boundaries; CIDR uses a variable-length subnet mask, so address blocks of any power-of-two size can be allocated. In Network Composer all IP addresses are entered in CIDR notation: the network 192.168.255.0 with subnet mask 255.255.255.0 is written 192.168.255.0/24, where /24 is the number of leading one bits in the mask. The cheat sheet below will help you enter IP addresses in CIDR notation.

CIDR Cheat Sheet

The Class column gives the equivalent in classful A, B and C networks. The Hosts column is the total number of addresses in the block, including the network and broadcast addresses; for a /30 or larger block, subtract two for the number of addresses that can be assigned to hosts, and a /32 is a single host.

CIDR   Class                          Hosts        Mask
/32    1/256 C                        1            255.255.255.255
/31    1/128 C                        2            255.255.255.254
/30    1/64 C                         4            255.255.255.252
/29    1/32 C                         8            255.255.255.248
/28    1/16 C                         16           255.255.255.240
/27    1/8 C                          32           255.255.255.224
/26    1/4 C                          64           255.255.255.192
/25    1/2 C                          128          255.255.255.128
/24    1 C                            256          255.255.255.0
/23    2 C                            512          255.255.254.0
/22    4 C                            1024         255.255.252.0
/21    8 C                            2048         255.255.248.0
/20    16 C                           4096         255.255.240.0
/19    32 C                           8192         255.255.224.0
/18    64 C                           16384        255.255.192.0
/17    128 C                          32768        255.255.128.0
/16    256 C = 1 B                    65536        255.255.0.0
/15    512 C = 2 B                    131072       255.254.0.0
/14    1024 C = 4 B                   262144       255.252.0.0
/13    2048 C = 8 B                   524288       255.248.0.0
/12    4096 C = 16 B                  1048576      255.240.0.0
/11    8192 C = 32 B                  2097152      255.224.0.0
/10    16384 C = 64 B                 4194304      255.192.0.0
/9     32768 C = 128 B                8388608      255.128.0.0
/8     65536 C = 256 B = 1 A          16777216     255.0.0.0
/7     131072 C = 512 B = 2 A         33554432     254.0.0.0
/6     262144 C = 1024 B = 4 A        67108864     252.0.0.0
/5     524288 C = 2048 B = 8 A        134217728    248.0.0.0
/4     1048576 C = 4096 B = 16 A      268435456    240.0.0.0
/3     2097152 C = 8192 B = 32 A      536870912    224.0.0.0
/2     4194304 C = 16384 B = 64 A     1073741824   192.0.0.0
/1     8388608 C = 32768 B = 128 A    2147483648   128.0.0.0
/0     16777216 C = 65536 B = 256 A   4294967296   0.0.0.0
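The conversions the cheat sheet tabulates, worked through in code. This is an added example, not part of the Network Composer software or its documentation, and it assumes only the a.b.c.d/n input form described above. It rebuilds any row of the table from the prefix length, cross-checks the result against Python's standard library, and adds the check a practitioner wants when typing rules: it refuses an entry such as 10.0.0.5/8 whose host bits are set, because silently masking it would turn what may have been meant as one host into a rule matching 16777216 addresses. The function names are this example's own.

```python
"""CIDR helpers: prefix <-> mask, block size, classful equivalent, and a
strict parser. Added example, not Cymphonix code; the Network Composer
input format is assumed to be exactly the a.b.c.d/n form shown above."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    """'192.168.255.0' -> 3232300800. Rejects anything but four octets in 0..255."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad IPv4 address: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/n -> dotted mask: n leading one bits followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length must be 0..32, got {prefix}")
    return int_to_ip((ALL_ONES << (32 - prefix)) & ALL_ONES)


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> /n. Rejects non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def address_count(prefix: int) -> int:
    """Addresses in a /n block, network and broadcast included (the Hosts column)."""
    return 1 << (32 - prefix)


def class_equivalent(prefix: int) -> str:
    """The Class column: how many classful C, B and A networks a /n equals."""
    if prefix > 24:
        return f"1/{1 << (prefix - 24)} C"
    parts = [f"{1 << (24 - prefix)} C"]
    if prefix <= 16:
        parts.append(f"{1 << (16 - prefix)} B")
    if prefix <= 8:
        parts.append(f"{1 << (8 - prefix)} A")
    return " = ".join(parts)


def cheat_sheet_row(prefix: int) -> tuple:
    return (f"/{prefix}", class_equivalent(prefix), address_count(prefix), prefix_to_mask(prefix))


def parse_cidr(text: str) -> tuple:
    """Parse 'a.b.c.d/n' and refuse host bits set in the network part.
    10.0.0.5/8 is ambiguous: the operator may have meant the single host
    10.0.0.5/32 or the whole of 10.0.0.0/8. Masking it silently would widen
    the rule to 16777216 addresses, so fail loudly instead."""
    try:
        net_s, prefix_s = text.strip().split("/")
    except ValueError:
        raise ValueError(f"expected a.b.c.d/n, got {text!r}") from None
    prefix = int(prefix_s)
    net = ip_to_int(net_s)
    mask = ip_to_int(prefix_to_mask(prefix))
    if net & ~mask:
        raise ValueError(f"{text}: host bits set; did you mean "
                         f"{int_to_ip(net & mask)}/{prefix} or {net_s}/32?")
    return net_s, prefix


def cidr_contains(cidr: str, addr: str) -> bool:
    """True if addr falls inside cidr: compare the address under the mask."""
    net_s, prefix = parse_cidr(cidr)
    mask = ip_to_int(prefix_to_mask(prefix))
    return (ip_to_int(addr) & mask) == ip_to_int(net_s)


def cross_check(prefix: int) -> bool:
    """Agree with the standard library for the same prefix length."""
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    return str(net.netmask) == prefix_to_mask(prefix) and net.num_addresses == address_count(prefix)


if __name__ == "__main__":
    # Prints the cheat sheet above, one row per prefix length.
    for p in range(32, -1, -1):
        print("%-4s %-30s %-11d %s" % cheat_sheet_row(p))
```

Run the file directly to regenerate the table. The strict parser is the part worth copying into any tooling that feeds addresses to the appliance: a rule whose network part has host bits set is almost always a typo, and the two candidate corrections it suggests differ by a factor of millions in what they match.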

Appendix E: Cymphonix License Agreement and Warranty


PLEASE READ THE FOLLOWING BEFORE USING THE ACCOMPANYING PRODUCT. YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING THE ACCOMPANYING SOFTWARE AND HARDWARE (APPLIANCE). THE USE OF THE PRODUCT IS LICENSED FOR USE ONLY AS SET FORTH BELOW. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT USE THE PRODUCT. IF YOU USE ANY PART OF THE SOFTWARE AND HARDWARE, SUCH USE WILL INDICATE THAT YOU ACCEPT.

License Grant
Subject to the terms and conditions of this License, Cymphonix grants you a nonexclusive right and license to use the Software on the Appliance. In addition, (1) you may not reverse engineer, decompile, disassemble or modify the Software or Appliance, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation; and (2) you may not transfer rights under this License unless such transfer is part of a permanent sale or transfer of the Product, and you transfer at the same time the Appliance and Software to the same party or destroy such materials not transferred, and the recipient agrees to this License. No license is granted in any of the Software's proprietary source code. You may make a reasonable number of copies of the electronic documentation accompanying the Software for each Software license you acquire, provided that you must reproduce and include all copyright notices and any other proprietary rights notices appearing on the electronic documentation. Cymphonix reserves all rights not expressly granted herein.

Intellectual Property Rights
The Software and Appliance are protected by copyright laws, international copyright treaties, and other intellectual property laws and treaties. This license does not grant you any rights to patents, copyright, trade secrets, trademarks or any other rights with respect to the Software and Appliance. Cymphonix and its suppliers retain all ownership of, and intellectual property rights in (including copyright), the Software and Appliance. However, certain components of the Software are components licensed under the GNU General Public License (version 2), which Cymphonix supports. You may obtain a copy of the GNU General Public License at http://www.fsf.org/copyleft/gpl.html. Cymphonix will provide source code for any of the components of the Software licensed under the GNU General Public License upon request. Additionally this product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org).

Export Restrictions
You agree that you will not export or re-export the Appliance, Software, any part thereof, or any process or service that is the direct product of the Appliance or Software in violation of any applicable laws or regulations of the United States or the country in which you obtained them.

U.S. Government Restricted Rights
The Software and related documentation are provided with Restricted Rights. Use, duplication, or disclosure by the Government is subject to restrictions set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of the Commercial Computer Software - Restricted Rights at 48 C.F.R. 52.227-19, as applicable, or any successor regulations.

Term and Termination
This License is effective until terminated. The License terminates immediately if you fail to comply with any term or condition. In such an event, you must destroy all copies of the Software. You may also terminate this License at any time by destroying the Product.

Governing Law and Attorneys' Fees
This License is governed by the laws of the State of Utah, USA, excluding its conflict of law rules. You agree that the United Nations Convention on Contracts for the International Sale of Goods is hereby excluded in its entirety and does not apply to this License. In any action or suit to enforce any right or remedy under this License or to interpret any provision of this License, the prevailing party will be entitled to recover its costs, including reasonable attorneys' fees.

Entire Agreement
This License constitutes the entire agreement between you and Cymphonix with respect to the Software, and supersedes all other agreements or representations, whether written or oral. The terms of this License can only be modified by express written consent of both parties. If any part of this License is held to be unenforceable as written, it will be enforced to the maximum extent allowed by applicable law, and will not affect the enforceability of any other part.

CYMPHONIX DISCLAIMS ANY AND ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. OTHER THAN AS STATED HEREIN, THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU. ALSO, THERE IS NO WARRANTY AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE SOFTWARE OR AGAINST INFRINGEMENT. IF YOU HAVE RECEIVED ANY WARRANTIES REGARDING THE DEVICE OR THE SOFTWARE, THOSE WARRANTIES DO NOT ORIGINATE FROM, AND ARE NOT BINDING ON, CYMPHONIX.

NO LIABILITY FOR CERTAIN DAMAGES. EXCEPT AS PROHIBITED BY LAW, CYMPHONIX SHALL HAVE NO LIABILITY FOR COSTS, LOSS, DAMAGES OR LOST OPPORTUNITY OF ANY TYPE WHATSOEVER, INCLUDING BUT NOT LIMITED TO, LOST OR ANTICIPATED PROFITS, LOSS OF USE, LOSS OF DATA, OR ANY INCIDENTAL, EXEMPLARY, SPECIAL OR CONSEQUENTIAL DAMAGES, WHETHER UNDER CONTRACT, TORT, WARRANTY OR OTHERWISE ARISING FROM OR IN CONNECTION WITH THIS LICENSE OR THE USE OR PERFORMANCE OF THE SOFTWARE. IN NO EVENT SHALL CYMPHONIX BE LIABLE FOR ANY AMOUNT IN EXCESS OF THE PURCHASE PRICE AND/OR ANY LICENSE FEES PAID TO CYMPHONIX UNDER THIS LICENSE. SOME STATES AND COUNTRIES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY TO YOU.

Hardware Warranty
Cymphonix Corp. warrants your Cymphonix product to be in good working order and to be free from defects in workmanship and material (except in those cases where materials are supplied by the Purchaser) under normal and proper use and service for the period of one (1) year from the date of purchase from an Authorized Cymphonix Reseller. In the event that this product fails to meet this warranty within the applicable warranty period, and provided that Cymphonix confirms the specified defects, the Purchaser's sole remedy is to have Cymphonix, at Cymphonix's sole discretion, repair or replace such product at the place of manufacture, at no additional charge other than the cost of freight of the defective product to and from the Purchaser. Repair costs and replacement products will be provided on an exchange basis and will be either new or reconditioned. Cymphonix will retain, as its property, all replaced parts and products. Notwithstanding the foregoing, this hardware warranty does not include service to replace or repair damage to the product resulting from accident, disaster, abuse, misuse, electrical stress, negligence, any non-Cymphonix modification of the product except as provided or explicitly recommended by Cymphonix, or other cause not arising out of defects in material or workmanship. This hardware warranty also does not include service to replace or repair damage to the product if the serial number or seal or any part thereof has been altered, defaced, or removed. If Cymphonix does not find the product to be defective, the Purchaser will be invoiced for said inspection and testing at Cymphonix's then-current rates, regardless of whether the product is under warranty.