
To add additional filter lists to a filter set, or to change the allow and deny settings of the filter lists within a filter set, do the following:

1. On the Filters page, in the Filters Tree, select the Filter Set heading.

2. In the right pane, select the row for the filter set that you want to modify.

Note: Do not click the link for the filter set.

3. Click Modify at the bottom of the page.

4. On the Create/Modify Filter Set dialog box, click Select Filter List.

The Add Allowed and Denied List dialog box appears, and displays all available filter lists.

5. On the Add Allowed and Denied List dialog box, select the Allow or Deny option to set the filter lists within this set to either allow or deny traffic.

Note: All filter lists must be set to either allow or deny; you cannot mix allow and deny filter lists within the filter set.

6. Select the check box next to each filter list that you want to include in this filter set.

If you selected the Allow option, the filter list is included in the filter set with the behavior set to allow communication with the addresses specified in the list. If you selected the Deny option, then the filter list is included in the set with the behavior set to deny communication with the addresses specified in the list.

Filter lists are processed in the order in which they appear within the filter set.

7. To reorder the filter lists, ensure that the lists that you want to include in the filter set are selected, and click Change Priority.

8. On the Change Priority dialog box, drag the filter lists into the order in which you want them to be used, and click Save.

9. Click Save to add the filter list or lists and update the filter set.

To remove a filter list from a filter set, do the following:

1. On the Filters Tree, select the Filter Set heading.

2. In the right pane, select the filter set that you want to modify by clicking the table row that includes the filter set.

Note: Do not click the filter set link.

3. Click Modify at the bottom of the page.

4. On the Create/Modify Filter Set dialog box, click Select Filter List.

The Add Allowed and Denied List dialog box appears, and displays all available filter lists.

5. Clear the check box next to each filter list that you want to remove from the filter set, and click Save.

4.2.4. Changing the Priority of Filters and Filter Lists

Filters and filter lists are processed in the order in which they are arranged within a filter list. To rearrange filters or filter lists, do the following:

1. Select Filters in the menu bar.

2. In the Filters Tree, select the Filter List heading.

3. In the right pane, select the link for the filter list that includes the filters and filter lists that you want to reorder.

4. On the Filter List page, click Change Priority at the bottom of the page.

5. On the Change Priority dialog box, drag the filter lists or filters into the order in which you want them to be processed.

6. Click Save.

4.3. Assigning COIs, Users, and Filters to Roles

After you have added roles, COIs, and users on the Configure page, and added filters on the Filters page, you use the Provision page to assign these components.

Note: On this page, you can click the Validate button to validate your configuration, including:

• The configuration includes at least one Authorization Service URL.

• The configuration includes a License Service URL.

• The configuration includes a Service Role.

• All other roles associated with the configuration include at least one user or group.

However, for Management Server instances running in a Stealth(cloud) environment, there is no License Service URL, and so you should ignore any warnings you receive that a license server is not specified. If you receive any other errors or warnings, resolve them before continuing.

4.3.1. Assigning COIs

To assign a COI to a role, do the following:

1. Select Provision in the menu bar.

2. From the Configuration drop-down list (next to the Validate button), select the configuration that includes the role that you want to assign a COI to.

3. Select the COI tab.

4. In the left pane, select the arrow next to the configuration name and select the arrow next to Roles so that you can see the roles you created for the configuration.

5. In the left pane, select the check box for the role or roles that you want to assign the COI or COIs to.

You can select a maximum of two roles at one time.

6. In the COI table, select the COI or COIs that you want to assign to the role.

You can select multiple COIs at one time by holding down the Ctrl button and selecting multiple COIs.

7. Click the arrow between the left pane and the COI table to copy the COI under the role name.

8. Sort the COIs in the order in which they should be used. To re-sort the COIs, in the left pane (under the role name), drag the COIs into the appropriate order.

Note: COIs are processed in the order in which they are listed, so you might want to sort them in a specific order. For example, an endpoint in the Finance department might include a COI named FinanceCOI and a COI to maintain communication with the Authorization Service named AuthCOI. In that case, you probably want to sort the FinanceCOI above the AuthCOI.

9. Click Save.

To remove a COI from a role, under the role name, right-click the COI name, and then click Remove.

4.3.2. Assigning Users

To assign users to a role, do the following:

1. Select Provision in the menu bar.

2. From the Configuration drop-down list (next to the Validate button), select the configuration that includes the role that you want to assign the user to.

3. Select the User tab.

4. In the left pane, select the arrow next to the configuration name and select the arrow next to Roles so that you can see the roles you created for the configuration.

5. In the left pane, select the check box next to the role that you want to assign the user to.

Notes:

• For Stealth(cloud), endpoint instances can only be assigned to one role. Do not assign more than one role to an endpoint instance.

• You cannot add users to a Service Role.

6. In the User table, select the user that you want to assign to the role.

You can select multiple users at one time by holding down the Ctrl button and selecting multiple users.

7. Click the arrow between the left pane and the User table to copy the user under the selected role.

8. Click Save.

To remove a user from a role, under the role name, right-click the user name, and then click

4.3.3. Applying Filter Sets to COIs and Roles

After you have created your filter sets, you can apply them to COIs and roles in your Stealth network to control communications between your endpoints.

Note: You can apply only one filter set to each role as a clear text filter, and you can apply only one filter set to each COI (that is used in each role) as a Stealth filter. You can apply different filter sets to different roles as clear text filters, and if a COI is used in multiple roles, you can apply different filter sets as Stealth filters to the COI in each role where it is used.

However, if the same user or group is assigned to multiple roles, you must apply the same filter set as a clear text filter to each role. (If you apply different filter sets, and if those filters conflict, this can result in unpredictable behavior as to which clear text filter is applied.)

See 3.5 Filtering for more information on how filters work when applied to COIs and roles.
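The rules in the two notes above can be checked before you save a provisioning change. The following is an added example, not part of the product or its documentation: it audits a constructed, hypothetical in-memory model of one configuration (the dictionary layout and all role, user, COI, and filter set names are assumptions).

```python
from collections import defaultdict

# Constructed sample: a hypothetical model of one configuration.
# The product's own storage or export format is not shown on this page.
CONFIG = {
    "roles": {
        "FinanceRole": {
            "users": ["alice", "FinanceGroup"],
            "clear_text_filter_sets": ["FinanceClearText"],
            "cois": {"FinanceCOI": ["FinanceStealth"], "AuthCOI": []},
        },
        "AuditRole": {
            "users": ["alice", "bob"],
            "clear_text_filter_sets": ["AuditClearText"],
            # Same COI as FinanceRole with a different Stealth filter: allowed.
            "cois": {"FinanceCOI": ["AuditStealth"]},
        },
        "HRRole": {
            "users": ["carol"],
            "clear_text_filter_sets": ["HRClearText", "LegacyClearText"],
            "cois": {"HRCOI": ["HRStealth", "ExtraStealth"]},
        },
    }
}

def audit_filter_assignments(config):
    """Return sorted findings for the filter set rules described in this section."""
    findings = []
    by_user = defaultdict(dict)  # user or group -> {role: clear text filter sets}
    for role, spec in config["roles"].items():
        clear = spec.get("clear_text_filter_sets", [])
        if len(clear) > 1:  # only one clear text filter per role
            findings.append(f"{role}: more than one clear text filter set {clear}")
        for coi, stealth in spec.get("cois", {}).items():
            if len(stealth) > 1:  # only one Stealth filter per COI in each role
                findings.append(f"{role}/{coi}: more than one Stealth filter set {stealth}")
        for user in spec.get("users", []):
            by_user[user][role] = tuple(clear)
    for user, roles in by_user.items():
        # A user or group in several roles needs the same clear text filter set in each.
        if len(set(roles.values())) > 1:
            detail = ", ".join(f"{r}={list(fs)}" for r, fs in sorted(roles.items()))
            findings.append(f"{user}: different clear text filter sets across roles ({detail})")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit_filter_assignments(CONFIG):
        print(line)
```

On the sample data, the audit reports HRRole twice (two clear text filter sets, two Stealth filter sets on HRCOI) and the user alice once; FinanceCOI carrying different Stealth filter sets in two roles is not reported, because the note permits it.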

To assign a filter set to a COI or role, do the following:

1. Select Provision in the menu bar.

2. From the Configuration drop-down list (next to the Validate button), select the configuration that includes the COIs or roles to which you want to apply filters.

3. Select the Filter tab.

4. In the left pane, select the arrow next to the configuration name and select the arrow next to Roles so that you can see the roles you created for the configuration.

Select the arrow next to the role check boxes and select the arrow next to COIs so that you can see the COIs you added to the roles.

5. In the left pane, select the COI or role that you want to apply the filter set to.

You can select a maximum of two COIs and two roles at one time.

Filters work differently, depending on whether they are applied to COIs or roles, as follows:

• When filter sets are applied to COIs, they filter the Stealth-enabled network traffic, allowing or denying information passed between Stealth endpoints that share COIs. Filter sets applied to COIs are called Stealth filters.

You can apply only one filter set to each COI (that is used in each role).

• When filter sets are applied to roles, they filter clear text network traffic, allowing or denying information passed between Stealth endpoints and non-Stealth-enabled (clear text) components. Filter sets applied to roles are called clear text filters.

You can apply only one filter set to each role.

6. In the right pane, select the filter set from the filter table.

7. Click the arrow between the left pane and the filter table to assign the filter set to the selected COI or role.

The filter set appears under the Filter Set heading for the COI or role in the left pane.

8. Click Save.

To remove a filter set from a COI or role, right-click the filter set in the left pane, and select Remove.

4.4. Provisioning or Reprovisioning the Authorization and Licensing Services

You use the Provision Service tab on the Provision page to add an Authorization Service or License Service to a configuration so that endpoints can be authorized and licensed. You then provision the Authorization Service and License Service URLs for a configuration.

When you make any other changes to the configuration, including updating COIs, filters, and roles, you must reprovision the Authorization Service.

Note: On this page, you can click the Validate button to validate your configuration, including:

• The configuration includes at least one Authorization Service URL.

• The configuration includes a License Service URL.

• The configuration includes a Service Role.

• All other roles associated with the configuration include at least one user or group.

However, for Management Server instances running in a Stealth(cloud) environment, there is no License Service URL, and so you should ignore any warnings you receive that a license server is not specified. If you receive any other errors or warnings, resolve them before continuing.

To provision the Authorization Service and License Service, do the following:

1. Select Provision in the menu bar.

2. From the Configuration drop-down list (next to the Validate button), select the configuration that you want to provision.

3. Select the Provision Service tab.

4. If an arrow appears next to the Authorization Service heading, select the arrow next to that heading so that you can see any URLs that are currently assigned.

5. In the Configuration list, right-click each Authorization Service URL, and then click Provision.

The Authorization Service is provisioned with the information for the configuration.