Webroot® Web Security Service
Desktop Web Proxy Configuration Guide
Webroot Software, Inc.
385 Interlocken Crescent Suite 800 Broomfield, CO 80021
Desktop Web Proxy Configuration Guide September 2011
© 2011 Webroot Software, Inc. All rights reserved. Webroot, the Webroot icon, and the Webroot tagline are trademarks or registered trademarks of Webroot Software, Inc., in the United States and other countries. All other trademarks are properties of their respective owners.
Technical Support
Technical support is available by calling any of these toll-free phone numbers:
• APAC (outside of Australia): +61 (0)2 8071 1903
• Australia: 1-800-212-640
• Sweden: +46 (0) 8 555 36 161
• United Kingdom: 0800 804 7015; +44 800 804 7015 (international)
• United States: 877-612-6009
Send questions to our automated ticket response system:
[email protected] (APAC, Australia, United Kingdom, and United States)
[email protected] (Sweden)
We will respond within one business day.
Log a ticket in the Support Website:
http://mysite.webroot.com/forms/saasCaseSubmissionForm
Contents
1: Installing Desktop Web Proxy
System and browser requirements
About the DWP Installation Packages
Downloading the DWP package
Installing DWP on individual workstations
Installing DWP on multiple workstations (silent install)
Installing DWP in hidden mode
Using ARP commands with MSI parameters
Installing DWP using Group Policy Object (GPO)
Activating DWP globally
Installing DWP version updates
Automating DWP updates
Updating DWP manually
Uninstalling a hidden DWP
2: DWP Configuration
Configuring DWP using the Management Portal
Enabling the Account to use DWP
Entering DWP settings at the Account level
Overriding settings at the group level
Bypassing the Web Security Service
Authenticating DWP user credentials
Managing hot spots
Configuring a proxy automatic configuration (PAC) file
Logging DWP events and running diagnostics
Using Windows’ Group Policy Object (GPO) to configure DWP
3: Client-Specific Configuration
Introduction
Setting proxy connections
Configuring the DWP logging level
Configuring proxy settings for applications
Configuring DWP to use a PAC file
Using a script to automate registry settings
4: Troubleshooting
FAQs
Viewing running processes
Running diagnostics
Using the DWP Latency Tester
Using DWP Network Packet Capture
Error messages
PAC file is unavailable when user profile folders are remapped
1: Installing Desktop Web Proxy
The Desktop Web Proxy (DWP) is a service that manages traffic from users’ computers to the Web Security Service by routing all traffic to the data center nearest the user’s computer.
You can install DWP individually on each workstation using the downloaded msi installation package, or by using a Group Policy Object editor or other batch installation for a mass rollout.
Topics in this chapter:
• System and browser requirements
• About the DWP Installation Packages
• Installing DWP on individual workstations
• Installing DWP on multiple workstations (silent install)
• Installing DWP in hidden mode
• Installing DWP using Group Policy Object (GPO)
• Activating DWP globally
• Installing DWP version updates
• Uninstalling a hidden DWP
Note
Windows Vista and Windows 7 require administrative rights to install DWP even if the administrator has these rights on the machine. To install on Windows Vista, run the MSI installation with an elevated command prompt.
System and browser requirements
You can install the Desktop Web Proxy on these systems:
• Windows XP Service Pack 2, 32-bit
• Windows XP Service Pack 3, 32-bit
• Windows 2003, 32-bit
• Windows Vista, 32- and 64-bit
• Windows 7, 32- and 64-bit
• Windows 2008 Enterprise, 32- and 64-bit
• Citrix Presentation Server 4.5, 32-bit
• Citrix XenApp 5.0, Windows 2008 Enterprise, 32-bit
• Citrix XenApp 6.0, Windows 2008 R2 Enterprise, 64-bit
You can use DWP with these browsers:
• Microsoft Internet Explorer version 7, 8, and 9, 32-bit and 64-bit
• Mozilla Firefox version 3.6, 4.0, and 5.0
• Google Chrome 11 and 12
About the DWP Installation Packages
The Desktop Web Proxy is available in two installation packages:
• DWPSetup.msi installs the standard version of DWP.
• DWPSetup_NoUninstall.msi installs a version of DWP that cannot be uninstalled. This installer disables the Remove and Change buttons in the Add or Remove Programs option of the Windows Control Panel.
You can use either installation package to install DWP, using any of the methods described in this chapter—on individual machines, on multiple machines, in hidden mode, or using GPO.
If DWPSetup_NoUninstall.msi is used, DWP can be uninstalled using the .msi installer.
Downloading the DWP package
The DWP MSI package is available from the Web Security Service Management Portal.
To download the DWP package:
1 Log in to the Web Security Service Management Portal.
2 Open the Resources tab.
3 Click a DWP link:
– DWP installs the standard DWP package
– DWP (Uninstall Disabled) installs a version of DWP that cannot be uninstalled
4 Follow the browser prompts to save the installer zip file into a location of your choice.
• If you used Mozilla Firefox to access the Management Portal, you can continue with the installation method of your choice as described in the rest of this chapter.
• If you used Microsoft Internet Explorer, continue through the end of this procedure.
This information applies to various versions of Windows Internet Explorer:
You can successfully download the DWP zip archive, but you might get an error when you open the archive. There is a known bug affecting zipped files downloaded through Internet Explorer: the downloaded file appears corrupted and can’t be opened.
For more information about this issue, see:
http://social.msdn.microsoft.com/Forums/en-US/iewebdevelopment/thread/bf4077dd-20bc-4f66-bf73-b79a2440cf30/
http://support.microsoft.com/kb/2002350
5 If you used Internet Explorer to download, rename the file to append .gz to the end of the filename:
DWPSetup.zip.gz or DWPSetup_NoUninstall.zip.gz
6 Use Winzip or 7-Zip (open source software) to extract the original archive from the renamed file. Then continue with the installation method of your choice.
Installing DWP on individual workstations
Use the downloaded msi installation package to install DWP on individual workstations, or on a Terminal Service or Citrix server. See “System and browser requirements” on page 2 for supported versions.
To install DWP on an individual workstation:
1 Load the installation package on a desktop or laptop computer.
2 Double-click one of the installation files:
DWPSetup.msi or DWPSetup_NoUninstall.msi
3 Follow the instructions in the DWP setup wizard.
The settings are automatically applied to the browsers.
Note: The settings are not automatically applied to the browsers in either of these cases:
• The Activate DWP on Install option on the Management Portal is set. If this option is not set, you can configure the browsers manually by right-clicking the DWP icon in the system tray and selecting Apply Proxy Setting.
• The Apply portal settings to the DWP clients option is turned off at both the account and group levels. If the option is on at either the account or group level, the settings are applied.
Installing DWP on multiple workstations (silent install)
Use the silent option to install DWP on multiple workstations without using an installation interface. The procedure assumes you are familiar with MSI package installations. See “System and browser requirements” on page 2 for supported versions.
To use the silent option for mass rollout:
1 On the command window, append /quiet to the installation command:
DWPSetup.msi /quiet
or
DWPSetup_NoUninstall.msi /quiet
Note the space before /quiet.
2 To specify restart options after installation, you can use these command-line options:
• /norestart: Does not restart the computer after the installation.
• /promptrestart: Prompts the user for a restart if necessary.
• /forcerestart: Always restarts the computer after installation.
The settings are automatically applied to the browsers.
Note: The settings are not automatically applied to the browsers in either of these cases:
• The Apply portal settings to the DWP clients option is turned off at both the account and group levels. If the option is on at either the account or group level, the settings are applied.
For a complete list of command-line options, use /help at the command window.
Installing DWP in hidden mode
Installing DWP in hidden mode prevents users from making changes to DWP. When you install DWP in hidden mode:
• the shortcut Launch Desktop Web Proxy does not appear in the Start menu
• the DWP icon doesn’t appear in the system tray.
Using hidden mode, you can specify MSI parameters to remove the Change and Remove buttons, or remove the DWP plug-in entirely from the Add or Remove Programs option of the Windows Control Panel.
Logging and diagnostics are not supported in hidden mode—they are supported only if you reinstall DWP with the regular installation, without the hidden switch.
To install DWP in hidden mode:
In the command window, type
Msiexec /i <Path_to_dwp_msi_file> /q dwpmode=hidden
Using ARP commands with MSI parameters
Advanced users who are experienced with MSI package modification can enforce higher levels of invisibility with any of the ARP commands, using these parameters:
Note
If DWP is being managed by the portal, you must set the portal option Hide Icon in Tray, even though you are installing DWP in hidden mode. See “Hide Icon in Tray” on page 14.
MSI parameters
ARPNOMODIFY={""|1}
• 1 removes the Change button from Add/Remove Programs, preventing the user from changing the DWP client.
• Blank ("") means the Modify button is available for the DWP client.
Note: The DWP Uninstall Disabled installer also removes the Change button from Add or Remove Programs.
For example:
Msiexec /i <Path_to_dwp_msi_file> ARPNOMODIFY=1
For more details about these parameters, see Microsoft’s Developer Network (MSDN) library.
Programs, preventing the user from uninstalling the DWP client.
• Blank ("") or omitting this parameter means the Remove button is visible for the DWP client.
Note: The DWP Uninstall Disabled installer also removes the Remove button from Add or Remove Programs.
ARPSYSTEMCOMPONENT={""|1}
• 1 removes the plug-in itself from Add/Remove Programs.
• Blank ("") or omitting this parameter means the DWP client has an entry in Add/Remove Programs.
Note
To restart a hidden DWP either restart the computer, or use Administrative Tools’ Services console to restart the DWP Local Proxy Service. To restore MSI parameters to their original settings, uninstall DWP (see “Uninstalling a hidden DWP” on page 9) and re-install it without the hidden switch.
Installing DWP using Group Policy Object (GPO)
You can install and deploy DWP using Group Policy Object (GPO). This method of installation requires that you are experienced with Microsoft’s Active Directory and that you are using GPO in your environment.
GPO information is available on Microsoft’s Help and Support sites:
• http://support.microsoft.com/default.aspx?kbid=314934
Expand On This Page to display all related subtopics.
• http://support.microsoft.com/?kbid=302430
This site describes how to assign or publish software to users using GPO.
Activating DWP globally
If you use the Management Portal to manage DWP, you can activate DWP globally without having it apply settings to the browsers. The Activate DWP on Install option is on by default for new accounts and groups, so that when DWP is installed on a machine in that account and DWP is managed by the portal, it automatically applies its settings to the browsers.
If, however, you want to deploy DWP across multiple machines in the network but don’t want it to be used immediately, you can disable this option before you deploy DWP, then enable it later. The Activate DWP on Install option is on the DWP Configuration subtab of the Account and of each user group.
To disable automatic DWP activation:
1 Log in to the Web Security Service Management Portal.
2 In Edit mode, open the DWP Configuration subtab of either the Account or a user group.
3 Select Apply portal settings to DWP clients to enable settings for editing.
4 Clear the Activate DWP on Install box.
5 Save your settings. If you are configuring user groups, repeat for every group as required.
When Activate DWP on Install is unchecked, you can apply settings to the browser manually by right-clicking on each DWP tray icon and selecting Apply Proxy Setting.
Note
If you install and deploy DWP using GPO, use the DWP_NoUninstall package (see “About the DWP Installation Packages” on page 2). If you use GPO to install DWP, use the GPO Editor if you need to uninstall it. Do not use Add/Remove programs to remove DWP.
Installing DWP version updates
You can enable automatic updates to DWP clients, or have users initiate their updates manually.
Automating DWP updates
Automatic updates to DWP clients are enabled on the Web Security Service Management Portal at the Account level.
To enable automatic DWP updates at the Account level:
1 Log in to the Web Security Service Management Portal.
2 Open the Accounts tab in Edit mode.
3 Under the User Configuration section, select Automatically Update the DWP.
If the setting is enabled, the Account automatically sends updates to the DWP clients. If the setting is disabled, you must manually download DWP updates to all clients. This setting is inherited by all user groups; you can override for selected groups as required.
4 Save your setting.
Updating DWP manually
If you don’t want to use the automatic update feature, you can have users initiate their own updates. Make sure these users have access to the DWP icon on their system tray. Because this update method is user-initiated, you might have various DWP versions throughout your Account.
To initiate a DWP update at the client:
1 Hold down the Ctrl key and right-click the DWP icon on the system tray.
2 Select Update Now from the pop-up menu.
Uninstalling a hidden DWP
If you modified the MSI parameters (“MSI parameters” on page 5), the DWP might be hidden and inaccessible through the Add/Remove Programs utility.
To uninstall a hidden DWP:
Run the original MSI installer and select the Remove Desktop Web Proxy option.
2: DWP Configuration
Topics in this chapter:
• Configuring DWP using the Management Portal
• Using Windows’ Group Policy Object (GPO) to configure DWP
Configuring DWP using the Management Portal
You configure the Desktop Web Proxy from the Web Security Service Management Portal for deployment to all computers that have DWP installed. You can define a management configuration at the Account level that applies to all groups, then override settings at the Group level as appropriate.
DWP clients poll the Web Security Service server every 15 minutes for any changes that were made on the Management Portal, then use the new settings.
Enabling the Account to use DWP
Settings described here are applied to all user-based groups. Each group can override Account-level settings.
To enable the Account for DWP:
1 Log in to the Web Security Service Management Portal.
2 Open the Accounts tab in Edit mode.
3 On the Account subtab, enter these required configurations:
a Select the checkbox for Enable DWP User Creation.
This setting enables automatic user registration into the Web Security Service when users in the corporate network first connect using DWP. DWP checks the Web Security Service to see if the connecting user has an existing entry. If no entry exists, DWP creates a user name and password for the user.
b Keep the default group in DWP User Creation Default Group or select another.
The DWP User Creation Default Group setting specifies a user-based group to which DWP adds new users by default, because the Web Security Service requires users to belong to groups. The selection list shows user-based groups only.
In general, before changing a user group to an IP group, make sure it has no users and that it is not the group for DWP to add users.
Caution
DWP settings entered on the Management Portal are deployed to all computers that have the DWP client installed. If DWP was configured individually on those computers, those settings are overwritten because portal-based settings take precedence.
4 Continue to Entering DWP settings at the Account level.
Entering DWP settings at the Account level
When the Account is enabled for DWP user creation, you can use the Management Portal to further configure DWP, to ensure consistency among all groups. You can override individual group settings as necessary.
To enter DWP settings at the Account level:
1 Log in to the Web Security Service Management Portal and open the Accounts tab.
2 Click Edit on the Account subtab.
3 Verify that the Account is enabled for DWP, as described in “Enabling the Account to use DWP” on page 12.
4 Open the DWP Configuration subtab.
Caution
The DWP expects the User Creation Default Group to be a user-based group. You can, however, edit the group to be IP-address-based. Before changing the group to IP-based, edit the Account and select another default group for new DWP users, or creating users using DWP will fail.
5 Set DWP configuration options:
DWP Configuration General Settings
Prevent user access to browser proxy settings
Controls users’ ability to change browser proxy settings:
• Not Configured: Enabled by default. Prevents DWP from conflicting with Group Policy Object (GPO) trying to modify the same settings, by locking user access to browser proxy settings.
When this option is enabled, GPO settings take precedence because DWP is not modifying settings.
• Enabled: DWP modifies settings to prevent users from modifying their proxy settings in the browser.
Note: If this option is enabled, you must set it to Disabled 15 minutes before you uninstall the DWP.
• Disabled: DWP modifies settings, so that users can modify their proxy settings in the browser.
Note: If a GPO in the customer’s environment is locking the proxy settings, DWP does not override it. It’s not possible to predict whether GPO or DWP will prevail in this situation, however, so we recommend that you disable any GPO actions that are locking proxy settings in the customer’s environment while using this feature. If you want the GPO settings to prevail, leave this setting as Not Configured.
In Firefox, the Settings button is hidden if the browser control setting is applied using DWP.
Hide Icon in Tray
Hides the DWP icon on the end user’s system tray, preventing the end user from accessing DWP functions.
For more information see the Desktop Web Proxy Configuration Guide, which is available on the Management Portal at Resources > Documents.
List of Caching Proxies
Proxy names and port numbers of caching proxies at your gateway locations. Allows mobile users to connect transparently to either caching proxies or directly to the Web Security Service.
For a single caching proxy, separate the name and port with a colon:
ProxyName:port
For multiple caching proxies, separate proxies with a semicolon and end the string with a semicolon:
ProxyName1:port1;ProxyName2:port2;
Enable Automatic Configuration Script (PAC File)
Enable use of a Proxy Auto Configuration (PAC) script to tell browsers where to route users’ page requests. If enabled, works with the PAC File Location option.
PAC File Location
The URL or local network path to the configuration script. DWP copies the script to the local machine, then applies the settings to the browser. DWP clients must be restarted after PAC configuration options are set.
Note: Firefox is unable to parse PAC files correctly if the local path or the DWP username contains the # special character (for example, user#1). In this case, traffic is not filtered.
See the Web Security Service Administrator Guide for details.
Monitor Port 80 and 443 usage
Uploads process data to the Monitors | Port Monitor tab, to help the Admin identify rogue applications that are using default ports 80 and 443. See the Web Security Service Administrator Guide for details.
Allow Unsafe Browsing
Editable if Enable Dynamic Hot Spot Management is selected.
Allows users to bypass the Web Security Service to browse the Internet in hotspot environments where access might be blocked or re-routed. If not set, DWP opens an error page and prevents users from browsing the Internet in hotspots.
To Bypass the Web Security Service
See “Bypassing the Web Security Service” on page 18 for details about these options.
Browser Bypass
Enter the sites stored in the browser’s exception list.
DWP Bypass
Enter the URLs to be accessed directly by DWP without going through the Web Security Service.
Configured by Default as Active
Proxy Address
Required. The address of the Web Security Service data center. This proxy address should be changed only at the service provider’s direction.
Proxy Port
Required. Do not change this setting. Only ports 80, 3128, or 8080 can be used.
Apply portal settings to the DWP clients
Enabled by default when the service provider created the Account, so that you can enter and deploy DWP settings that are consistent throughout the Account.
Caution: If you keep this option selected, any DWP settings previously entered at each client computer are overwritten after you click Save.
If you clear this checkbox, all options become read-only and the settings are not functional. If you are in Edit mode, selecting this checkbox makes other options editable.
Activate DWP on Install
Selected by default. DWP client installations are not activated by default, so settings are not yet applied. After you save this setting, DWP client installations are automatically activated and the settings are immediately applied to the users’ browsers.
Enable Dynamic Hot Spot Management
Automatically handles hotspot billing systems. DWP enters direct mode if it detects that a user’s browser is blocked by a hotspot. The user is connected to the Web Security Service when billing or sign-up is complete.
If you enable hot-spot detection, DWP tries to access ports 3128, 8080, 80, and 443 in succession, and uses the first of those ports that is accessible.
Use the IE Browser setting “Bypass proxy server for local addresses”
Selects the Internet Explorer option that sends all traffic to non-routable IP addresses.
See “Bypassing the Web Security Service” on page 18.
Enable Automatic User Name Resolution
Synchronizes the Web Security Service and client user name and password for users in the corporate network. If a Web Security Service user name and password are not configured in DWP, DWP requests the service to generate the credentials and DWP stores them locally. With this option enabled, passwords are updated automatically if they change in the service.
Note: This option only works if the request from DWP is from within your corporate network via the configured IP addresses on the Web Security Service. If the initial connection to DWP is not within the network, credentials are not created.
To use this option, your corporate firewall must allow requests on port 80 and 443 directly to the Web Security Service. See your Provisioning Notification Document for information about allowed ports.
6 Click Save.
Your settings apply to all user-based groups in the Account.
Overriding settings at the group level
All user-based groups inherit their DWP settings from the Account. You can, however, configure individual user-based groups to have their own settings based on business requirements.
To override Account settings:
1 Log in to the Web Security Service Management Portal.
2 Open the Groups tab.
3 Locate the user group and click its Edit link.
4 Open the DWP Configuration subtab.
5 Enable Use Group Settings and Apply portal settings to the DWP clients.
The DWP options are now ready for editing. Refer to “DWP Configuration” on page 14 for a description of each option.
6 Save your settings, and repeat for each required user group.
The settings will be applied to the members of the groups when the DWP clients poll the server every 15 minutes to get updates.
Bypassing the Web Security Service
If there are sites that the Web Security Service cannot resolve and access, you can configure the DWP to bypass the filtering service and send HTTP requests directly to the sites.
You can bypass filtering using one of these approaches:
• Bypass both DWP and the Web Security Service so that the browser takes the users directly to the specified sites. This method takes the highest precedence and uses the exception list entered into the browser. For convenience, define your lists in the Account’s or group’s DWP Configuration subtab. After DWP receives this information, DWP updates the users’ browser exception list.
Browsers have their own syntax for entering multiple items on a list. The Management Portal requires you to use a single format, but DWP converts the format later to conform to the browser’s syntax.
• Use DWP to bypass the Web Security Service if the specified sites are accessed. The procedure instructs you to enter the sites using a prescribed syntax.
• Bypass filtering for local (Intranet) sites. This option works with IE browsers only.
Following are examples of browser-defined exception lists on Internet Explorer and Firefox.
Caution
Be cautious about the URLs you enter in the text boxes, because no filtering and therefore no policy will be applied when these URLs are accessed. Access to the URLs will not be logged.
[Figures: sites to bypass DWP and web filtering, Internet Explorer example and Firefox example]
To bypass web filtering and enter an exception list in the browser:
1 On the Management Portal, open the DWP Configuration subtab in Edit mode.
2 Verify that Activate DWP on Install is selected.
3 In the Browser Bypass: Browser connects directly to the Internet text box, enter the sites stored in the browser’s exception list. Use a semicolon to separate the site entries.
DWP converts the syntax into a browser-specific supported format. Both DWP and the Web Security Service are bypassed for these sites.
4 Verify that the exception list is created in the browser.
To access sites directly using DWP and bypass web filtering:
1 In the DWP Bypass: DWP connects directly to the Internet text box, enter the URLs to be accessed directly by DWP without going through the Web Security Service. Use one line per domain. Don’t use IP addresses in place of domain names.
Use this general format:
domainname=DIRECT
Replace domainname with one of these values:
• The fully qualified notation of the domain, so that the bypass is specific to that domain
• A partial domain notation, to include subdomains within a domain.
For partial domains or URLs, start your entry with a leading dot (.) to include any second-level domains within a domain.
The allowed formats are:
maps.google.com=DIRECT
google.com=DIRECT
google=DIRECT
www.google.com=DIRECT
If you accidentally type a forward slash within the entries, the browser session might end.
2 For Internet Explorer browsers only: If you want to bypass filtering for local (Intranet) sites, select the Use the IE Browser setting “Bypass proxy server for local addresses” checkbox.
3 Click Save.
This checkbox on the DWP Configuration subtab updates Internet Explorer’s Proxy server settings in the LAN Settings dialog.
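Because bypassed sites are neither filtered nor logged, it is worth linting bypass and proxy lists before saving them. The following check for the DWP Bypass and List of Caching Proxies formats is an added example, not Webroot code; the function names and sample domains are constructed, and matching DIRECT exactly as printed in this guide is an assumption.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _valid_host(host):
    return all(_LABEL.fullmatch(label) for label in host.split("."))


def check_dwp_bypass(text):
    """Lint a DWP Bypass value. Returns (entries, problems).

    entries:  [(name_as_typed, includes_subdomains)]
    problems: [(line_number, reason)]
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "/" in line:
            problems.append((lineno, "forward slash in entry"))
            continue
        if len(line.split()) > 1:
            problems.append((lineno, "use one line per domain"))
            continue
        name, sep, action = line.partition("=")
        # Assumption: the keyword is matched exactly as the guide prints it.
        if sep != "=" or action != "DIRECT":
            problems.append((lineno, "expected domainname=DIRECT"))
            continue
        partial = name.startswith(".")  # leading dot: subdomains included
        host = name[1:] if partial else name
        if _is_ip(host):
            problems.append((lineno, "IP address in place of a domain name"))
        elif not _valid_host(host):
            problems.append((lineno, "not a valid domain name"))
        else:
            entries.append((name, partial))
    return entries, problems


def check_caching_proxies(value):
    """Lint a List of Caching Proxies value. Returns (proxies, problems)."""
    proxies, problems = [], []
    value = value.strip()
    if not value:
        return proxies, problems
    parts = value.split(";")
    terminated = parts[-1] == ""
    if terminated:
        parts.pop()
    # The guide requires the closing semicolon only for multiple proxies.
    if len(parts) > 1 and not terminated:
        problems.append("multiple proxies must end with a semicolon")
    for part in parts:
        name, sep, port = part.strip().rpartition(":")
        if not (sep and name and port.isascii() and port.isdigit()):
            problems.append(f"expected ProxyName:port, got {part!r}")
        elif not 1 <= int(port) <= 65535:
            problems.append(f"port out of range in {part!r}")
        elif not _valid_host(name):
            problems.append(f"invalid proxy name in {part!r}")
        else:
            proxies.append((name, int(port)))
    return proxies, problems


# Constructed sample input: two valid entries followed by four mistakes.
SAMPLE_BYPASS = """\
maps.google.com=DIRECT
.example.com=DIRECT
192.0.2.10=DIRECT
intranet.example.com/app=DIRECT
updates.example.net=direct
a.example.org=DIRECT b.example.org=DIRECT
"""

if __name__ == "__main__":
    ok, bad = check_dwp_bypass(SAMPLE_BYPASS)
    for name, partial in ok:
        print("ok  ", name, "(includes subdomains)" if partial else "")
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
    print(check_caching_proxies("cache1.example.com:3128;cache2.example.com:8080"))
```

Entries reported with a leading dot cover subdomains as well, so they deserve the closest review before being saved.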
Authenticating DWP user credentials
The Web Security Service must identify the user’s name to check credentials and associate the user with the correct web filtering group. To configure an environment that supports DWP, we recommend using LDAP synchronization and DWP’s automatic user creation feature. Both
Enabling automatic user creation
If you cannot access your LDAP directory from the Web Security Service or you do not have an LDAP interface, you can use automatic user account creation.
To enable automatic user creation:
1 Log in to the Web Security Service Management Portal.
2 Open the Accounts page and click Edit.
3 Verify that the setting Enable DWP User Creation is enabled. If not, select it.
The DWP creates user names on the service when the user accesses the Web. Users must belong to a group, so new DWP users are created in the Default User Group. You can use the Management Portal to reassign users to other policy-based groups later.
Synchronizing with LDAP
If you use LDAP synchronization to add users to the Web Security Service, the new user names always match the Windows user names. The DWP identifies the Windows user name of the locally logged-on user, then requests the Web Security Service for that user’s credentials. Set up one or more LDAP-enabled groups on the Web Security Service that synchronize the appropriate sAMAccountNames from your environment into the relevant groups. See the Web Security Service Administrator Guide for details on LDAP-enabled groups.
Users added from LDAP initially have a Pending Activation status on the Users page. After new users connect via DWP while inside the corporate network, the user status changes to Active.
Setting credentials for mobile users
Mobile users’ credentials are usually created automatically if the users first access the web within the corporate network. Mobile users whose first access is outside the corporate network enter a system-generated Authentication Code into the DWP client. The Web Security Service generates an Authentication Code for each user group.
To use the authentication code:
1 Log in to the Web Security Service Management Portal.
2 Open the Accounts > General Information tab and confirm that the Account is enabled for DWP user creation.
3 Open the Groups tab.
4 Locate the user group to which the mobile user belongs and click its Edit link.
The General Information subtab opens.
5 Open the Authentication subtab.
6 Verify that Allow Mobile User Access is enabled.
7 Open the DWP Configuration subtab.
a Verify that the DWP icon is not hidden on the users’ system tray. If you need to clear this checkbox but it is not editable, select Use Group Settings first.
The Hide Icon setting applies to all DWP users in the group. You can disable this setting again later. Hiding the icon from the end user prevents the user from entering client-specific settings.
b Make note of the read-only Authentication Code.
8 Communicate with the mobile user:
• Provide the authentication code from the DWP Configuration tab.
• Ask the user to right-click on the DWP icon on the system tray and select Credentials from the menu. In the Authentication Details dialog, type the provided authentication code in the box as shown.
This code identifies the Account to which the user belongs, and the DWP creates the user login and adds the user to the group associated with the Authentication Code. The credentials are stored on the mobile user’s laptop and used for subsequent Internet access.
Caution
Do not let the user change the other settings in Authentication Details. If the user is already registered on the Web Security Service and Automatic User Name Resolution is enabled on the Management Portal, the stored credentials will be used to authenticate the user. If Automatic User Name Resolution is not enabled and the name and password are changed here, the user will be blocked from Internet access.
Managing hot spots
The Dynamic Hot Spot Management feature allows mobile users to be redirected temporarily to a hot spot provider’s sign up page and enter billing information.
To configure dynamic hot spot management:
1 To configure for all groups within the Account, display the Accounts tab in Edit mode.
Or
To configure a specific user group:
a Select the Groups tab.
b Display the specific group in Edit mode.
2 Select the DWP Configuration subtab.
3 Verify the following settings:
• If you are editing the Account, ensure that Apply portal settings to the DWP clients is selected.
• If you are editing a group, ensure that Use Group Settings is selected.
4 Configure the Enable Dynamic Hot Spot Management options:
Hot spot management options
Enable Dynamic Hot Spot Management
Select this option.
Automatically handles hotspot billing systems. DWP enters direct mode if it detects that a user’s browser is blocked by a hotspot. The user is connected to the Web Security Service when billing or sign-up is complete.
If you enable hot-spot detection, DWP tries to access ports 3128, 8080, 80, and 443 in succession, and uses the first of those ports that is accessible.
Allow Unsafe Browsing
Optional. Editable if Enable Dynamic Hot Spot Management is selected.
Allows users to bypass the Web Security Service to browse the Internet in hotspot environments where access might be blocked or re-routed. If not set, DWP opens an error page and prevents users from browsing the Internet in hotspots.
Configuring a proxy automatic configuration (PAC) file
To route traffic directly to web sites without going through the Web Security Service you can use a proxy automatic configuration (PAC) file.
In a PAC file you configure rules that tell your browser how to make decisions about routing HTTP requests. Construct the last rule in the PAC file to route all traffic to localhost on a listening port such as 3128. The port number is dynamically replaced after you configure DWP to do so.
This section describes:
• Creating the PAC file
• Specifying the PAC file on the Web Security Service
Creating the PAC file
The Web Security Service provides a PAC file template for you to use with DWP.
To create a PAC file:
1 On the Management Portal, select Resources > Downloads.
2 Select the PAC file for DWP link.
The template opens.
3 Create your PAC file by copying the template’s contents and modifying them to suit your requirements. To go back to the Management Portal, click your browser Back button.
4 Save the PAC file on a web server, or an accessible local or network drive.
5 Continue to “Specifying the PAC file on the Web Security Service” on page 25.
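The rule ordering described above, as an added example PAC file (not the Webroot template and not code from this guide). The intranet zone corp.example and the 10.0.0.0/8 range are constructed placeholders, and the helper functions are written in plain JavaScript so the file can be exercised outside a browser.

```javascript
// Added example PAC file for DWP (not the Webroot template).
// Constructed placeholders: the intranet zone "corp.example" and 10.0.0.0/8.
// Plain JavaScript only, so it can be exercised outside a browser.

// Dotted-quad IPv4 literal -> unsigned integer, or null if host is not one.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when an IPv4 literal lies inside base/prefixLength.
function inCidr(host, base, prefixLength) {
  var ip = ipv4ToInt(host), net = ipv4ToInt(base);
  if (ip === null || net === null) return false;
  var size = Math.pow(2, 32 - prefixLength);
  return Math.floor(ip / size) === Math.floor(net / size);
}

// Exact or dot-anchored suffix match, so "evilcorp.example" is not treated
// as part of "corp.example" and does not skip filtering.
function hostInDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length && host.slice(-suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label intranet names go direct. The ":" test keeps IPv6 literals,
  // which also contain no dot, from matching this rule.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  if (hostInDomain(host, "corp.example")) return "DIRECT"; // internal DNS zone
  if (inCidr(host, "10.0.0.0", 8)) return "DIRECT";        // literal internal address
  // Last rule: everything else goes to DWP's local listener. This example
  // gives no "; DIRECT" fallback, so unmatched traffic has no direct route.
  return "PROXY localhost:3128";
}
```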
Specifying the PAC file on the Web Security Service
You can specify a single PAC file for the entire account, or specify the PAC file only for a group.
To specify the PAC file:
1 To configure for all groups within the Account, display the Accounts tab in Edit mode.
Or
To configure a specific user group:
a Select the Groups tab.
b Display the specific group in Edit mode.
2 Select the DWP Configuration subtab.
3 Verify the following settings:
• If you are editing the Account, ensure that Apply portal settings to the DWP clients is selected.
• If you are editing a group, ensure that Use Group Settings is selected.
4 Select the Enable Automatic Configuration Script checkbox and enter the location of your PAC file (a URL, or a local or network drive).
5 Click Save.
If you are remapping %USERPROFILE% folders to other drives, see “PAC file is unavailable when user profile folders are remapped” on page 56 for more information.
Note
Firefox browsers cannot parse PAC files if the local path to the file or the DWP username contains the # character (for example, user#1). In this case, traffic is not filtered.
Logging DWP events and running diagnostics
You can log DWP events for diagnostic purposes. This client-specific setting requires that the DWP icon is visible on the desktop’s system tray. See “Configuring the DWP logging level” on page 38 for details.
You run diagnostics on the DWP client. See “Running diagnostics” on page 48 for details.
Using Windows’ Group Policy Object (GPO) to configure DWP
If you are experienced with Windows Active Directory and the Group Policy Object editor to manage configurations, you can use the administrative template (ADM file) that is available from the Web Security Service Management Portal. This template contains the registry settings required to update the DWP installations within your Group Policy network.
To use the ADM template:
1 On the Web Security Service Management Portal, open Resources > Downloads.
2 Click ADM File to open the template.
3 Copy the contents and paste into a text editor, then save the file with the .adm extension.
4 Open Active Directory Users and Computers.
5 Create a group policy object or edit an existing one.
6 In the policy, right-click Administrative Templates and select Add/Remove Templates:
The Add/Remove Templates window shows all current ADM files. For example:
Note
If you have already created ADM files for configuring DWP from the Group Policy Editor, remove them before continuing to the next steps.
7 Click Add, browse to the location where you saved the ADM file, and add it.
The DWP ADM file is added to the list. For example:
8 Close the window.
The Desktop Web Proxy Custom Configuration section appears on the Administrative Templates list.
9 Select the newly added Desktop Web Proxy Custom Configuration template, then select View > Filtering:
10 On the Filtering window, clear the checkbox Only show policy settings that can be fully managed and click OK.
The GPO Editor window is refreshed with the new settings from the template. The right pane displays all configurable settings for DWP. The settings are added to two folders: one containing common settings and another containing user settings.
11 Expand these folders to see the settings:
• Computer Configuration > Administrative Templates > Desktop Web Proxy Custom Configuration
This folder displays the common settings.
• User Configuration > Administrative Templates > Desktop Web Proxy Custom Configuration
This folder displays user settings.
The settings’ states are initially shown as Not configured as in this example:
The following table maps the options on DWP’s System Configuration window to the user settings on the GPO Editor. “Entering DWP settings at the Account level” on page 13 describes how the settings are used.
Mapping of DWP settings in System Configuration and GPO Editor windows
System Configuration settings | GPO Editor settings
Proxy Settings:
Address | RemoteProxyServerAddress
Port | RemoteProxyServerPort
Local Proxy Settings:
Local Proxy Port | LocalProxyPort
Caching Proxy Settings:
Connection:
Enable Automatic User Name Resolution | EnablePrimeLogin
Enable Dynamic Hot Spot Management | EnableCyberCafeMode
Allow Process Port Update | AllowProcessUpdate
Allow Unsafe Browsing | AllowUnSafeBrowsing
Automatic Configuration Script:
Enable Automatic Configuration | EnableAutoConfigScript
Address | AutoConfigScriptAddress
12 In the user settings folder, leave the UserName setting as is (Not configured).
This ensures that DWP obtains credentials for all users, including mobile users who connect from outside the corporate network. If you change the setting to Enabled, mobile users are not authenticated properly and are blocked from Internet access.
13 Right-click the remaining settings to display the Properties window, and select Enabled.
Enabled settings use the default values, which you can modify.
The following example shows the Properties window for an enabled entry whose default value you must not modify. The dialog displays a reminder for such settings.
Caution
Do not change the default values for ProcessUploadURL, ConnectionListURL, PrimeLoginURL, and CheckUpdateURL. See the following example.
In the example, some settings are disabled because they are disabled by default in DWP. If you need to use a disabled feature, follow the procedure below.
To enable a feature that is disabled by default:
1 Open the Properties dialog of a disabled feature.
This is an example of a disabled feature’s Properties dialog:
The dialog has a checkbox that corresponds to the checkbox in the DWP configuration window (for details, see the mapping table on page 30).
2 Select the checkbox and click OK.
On the Group Policy Object Editor window, the feature’s state is changed from Disabled to Enabled.
After the ADM is loaded, the settings are added to the Registry Editor in the folder HKEY_LOCAL_MACHINE\SOFTWARE\Web Filtering. For 64-bit systems, the registry path is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Web Filtering.
Refer to “Using a script to automate registry settings” on page 41 for related information.
3: Client-Specific Configuration
Topics in this chapter:
• Introduction
• Setting proxy connections
• Configuring the DWP logging level
• Configuring proxy settings for applications
• Configuring DWP to use a PAC file
• Using a script to automate registry settings
Introduction
The recommended way to configure the Desktop Web Proxy is with the Web Security Service Management Portal. If necessary, however, you can configure specific DWP clients using the DWP icon in the system tray.
The DWP icon does not appear in the system tray if DWP was installed in hidden mode.
Note
The procedures in this chapter apply to individual DWP clients. Client-specific settings are overridden by updates entered in the Web Security Service Management Portal.
Setting proxy connections
Before you set proxy connections:
• You must be logged in to the computer with Windows Administration privileges.
• The Apply portal settings to the DWP clients option must be disabled at either the account or group level. See “DWP Configuration” on page 11 for information.
To set proxy connections:
1 Right-click the DWP tray icon.
2 Select System Configurations.
The System Configurations dialog opens.
3 Keep the value in the WSSAAS Proxy Settings Address field. This is the address of the web proxy service that is entered automatically by DWP.
DWP polls all data centers to ensure that they are available. If a data center is not available, DWP connects to the next one and updates the Address field.
4 Keep the Local Proxy Port default.
This is the local port that listens for web traffic that is routed to the Desktop Web Proxy.
5 If your organization requires all corporate computers to connect to an internal proxy (such as an ISA server) before connecting to the Internet, specify one or more URLs and corresponding ports for this internal proxy server in the Caching Proxy Settings section.
Use one of the following formats. Separate the name from the port with a colon, and separate multiple proxies with a semicolon.
ProxyName:port
or
ProxyName1:port1;ProxyName2:port2;ProxyName3:port3;
Note
With multiple caching proxies, a laptop with DWP installed connects with the available caching proxy if it is inside the corporate network and if the caching proxy is detected. If the laptop is outside the corporate network and the caching proxy is not detected, DWP connects with the Web Security Service.
6 Specify connection settings:
DWP system configuration settings
Enable Automatic User Name Resolution
Synchronizes the Web Security Service and client user name and password for users in the corporate network. If a Web Security Service user name and password are not configured in DWP, DWP requests the service to generate the credentials and DWP stores them locally. With this option enabled, passwords are updated automatically if they change in the service.
Note: This option only works if the request from DWP is from within your corporate network via the configured IP addresses on the Web Security Service. If the initial connection to DWP is not within the network, credentials are not created.
To use this option, your corporate firewall must allow requests on port 80 and 443 directly to the Web Security Service. See your Provisioning Notification Document for information about allowed ports. If you want to support mobile users, see “Setting credentials for mobile users” on page 22 for more information.
Allow Process Port Update
Uploads process data to the Monitors | Port Monitor tab, to help the Admin identify rogue applications that are using default ports 80 and 443. See the Web Security Service Administrator Guide for details.
Enable Dynamic Hotspot Management
Automatically handles hotspot billing systems. DWP enters direct mode if it detects that a user’s browser is blocked by a hotspot. The user is connected to the Web Security Service when billing or sign-up is complete.
If you enable hot-spot detection, DWP tries to access ports 3128, 8080, 80, and 443 in succession, and uses the first of those ports that is accessible.
Allow Unsafe Browsing
Editable if Enable Dynamic Hot Spot Management is selected. Allows users to bypass the Web Security Service to browse the Internet in hotspot environments where access might be blocked or re-routed. If not set, DWP opens an error page and prevents users from browsing the Internet in hotspots.
7 Click OK.
Configuring the DWP logging level
DWP logs are available to help you and your service provider diagnose connection problems. The DWP logging level is configurable only on the client, not on the Management Portal.
Three levels of logging are available:
• Basic–Logs errors; the default.
• Medium–Logs errors and warnings.
To change the logging level and to write a log:
1 Hold down the Shift key and right-click the DWP tray icon.
2 Select a logging level.
• User-specific logs are written to %ALLUSERSPROFILE%\Application Data\DWP_Webfiltering\<WindowsloginID>.<WindowsDomain>\DesktopWebProxy_*.log
• Generic logs are written to %ALLUSERSPROFILE%\Application Data\DWP_Webfiltering\
The DWP_Webfiltering folder also contains uDWPStarter_CA.log and uDWPStopper_CA.log, which contain installation information that is not related to diagnostic logging.
Configuring proxy settings for applications
After configuring the DWP connections, configure the proxy for Internet applications. You can use the Apply Proxy Setting option in DWP, or configure them in the browser.
To configure proxy settings using DWP:
1 Right-click the DWP tray icon and select Apply Proxy Setting.
2 In the pop-up submenu, select Internet Explorer or Firefox.
A message confirms that the options are set for the browser to connect to DWP.
This example is for Internet Explorer:
3 To allow access to company intranet sites:
• In Internet Explorer, select Bypass proxy server for local addresses
• In Firefox, specify local addresses in the No Proxy For field, separated by commas.
Configuring DWP to use a PAC file
Before continuing with this section, ensure that the proxy auto configuration (PAC) file exists and is defined in the Web Security Service (see “Configuring a proxy automatic configuration (PAC) file” on page 25). Then follow the steps in this section to reference the PAC file in DWP.
To configure DWP to use your PAC file:
1 Right-click the DWP tray icon and select System Configurations.
The System Configurations dialog provides two fields for automatic proxy configuration:
2 Select Enable Automatic Configuration to enable PAC file support.
The URL address is the one you specified for the PAC file—a web server address, or a local or network drive. See “Specifying the PAC file on the Web Security Service” on page 25.
4 Click OK.
5 Restart DWP.
To restart DWP, right-click the DWP icon on the system tray and select Re-start DWP, or use the Administrative Tools > Services console to restart DWP Local Proxy Service.
After the DWP has restarted, DWP will configure the browsers to start using the PAC file.
Using a script to automate registry settings
You can use a script to automate registry key settings for a mass rollout of DWP. You can run the registry editor file directly from a batch login script, or configure it using the Windows Group Policy editor (see “Using Windows’ Group Policy Object (GPO) to configure DWP” on page 27).
If you make registry changes directly, you must stop and restart DWP.
Sample scripts
You can use the sample scripts in this section to update your registry with DWP settings.
DWP settings are stored in these folders:
• HKEY_LOCAL_MACHINE\SOFTWARE\Web Filtering for settings common to all users on the system
• HKEY_CURRENT_USER\Software\Web Filtering\ESTPM\Session Data for per-user settings
Common settings
You can use this script for settings that are common to all users:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Web Filtering]
"LoginSessionSetupWait"=dword:0000001e
"Presence"="Present"
Note
If you prefer to enter settings directly into the registry, refer to “Using a script to automate registry settings” on page 41.
Caution
Use caution when editing the registry keys. Pay special attention to the information in “User settings” on page 42 that specifies the keys not to change.
These are the common settings:
Key descriptions
LoginSessionSetupWait The time DWP waits for any login scripts applied for the user. By default, DWP waits for 180 seconds. You can use up to 300 seconds. Value is DWORD:000000b4
EnableAutoApplySettings Enables DWP to apply the settings automatically to Internet Explorer and Firefox. Can be 0 or 1. Default is 1. Value is DWORD:00000001
AutoApplySettingsDelay The number of seconds DWP waits before applying the settings to Internet Explorer and Firefox. This is a work-around to avoid conflicts with anti-virus software during restarts. Default is 0 and can be up to 300 seconds. Value is DWORD:00000000
EnableAutoUpdate Configures the DWP to auto-update when the option is enabled on the Management Portal and a new version is available. Can be 0 or 1. Default is 1 for Yes. Value is DWORD:00000001
AutoUpdateInterval The interval in number of days that DWP periodically checks for updates. Default is the maximum of 7 days and can be configured from 1–7 days. Value is DWORD:00000007
Presence Configures DWP availability. Values are:
• Present–DWP icon appears in the system tray (default).
• Admin–DWP options are accessible only using administrator logins.
• Cloaked–DWP options are hidden.
User settings
You can use this script for individual user settings:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Web Filtering\ESTPM\Session Data]
"UserName"=""
"Password"=hex:
"ProcessUploadURL"="/webfilter/services/processlist.php"
"ConnectionListURL"="/webfilter/services/connectionlist.php"
"PrimeLoginURL"="/webfilter/services/webreq.php"
"CheckUpdateURL"="/webfilter/services/update.php"
"ServiceURL"="http://dwp.ws.wssaas.com"
"RemoteProxyServerAddress"="wg.wrproxy.com"
"RemoteProxyServerPort"="3128"
"EnablePrimeLogin"=dword:00000001
"EnableCyberCafeMode"=dword:00000000
"AllowProcessUpdate"=dword:00000000
"AllowUnSafeBrowsing"=dword:00000000
"UpstreamProxies"=""
"LoggingLevel"="errors"
"EnableAutoConfigScript"=dword:00000000
"AutoConfigScriptAddress"=""
These are the user settings:
Key descriptions
UserName Always leave blank. DWP gets this from the Web Security Service.
Password Always leave blank. DWP gets this from the Web Security Service.
ProcessUploadURL Use the value in the sample script. Do not change this value.
ConnectionListURL Use the value in the sample script. Do not change this value.
PrimeLoginURL Use the value in the sample script. Do not change this value.
CheckUpdateURL Use the value in the sample script. Do not change this value.
ServiceURL Use the value in the sample script.
Determines the URL of the Web Security Service Management Portal (as listed in the PND). This is usually not an editable field; in all other cases, it is populated automatically.
RemoteProxyServerAddress The proxy server address that specifies the location of the Web Security Service proxy. You can use the value in the sample script, or ask your provider if another remote proxy server address is appropriate for your location.
RemoteProxyServerPort The proxy server port address that specifies the listening port of the Web Security Service. Use either 3128 or 8080.
Default is 3128.
LocalProxyPort Any available port number between 1025 and 65535 is allowed, but DWP manages this value and prefers 3128, so there is no need to change it.
Default is 3128.
ConnectionList Leave blank. DWP polls the Web Security Service every 15 minutes for entries from the Accounts > DWP Configuration subtab.
ObtainedPrimingURLs If you provided the options RemoteProxyServerAddress, ServiceURL, and RemoteProxyServerPort on the script, use the value of 1; otherwise, use 0 so that DWP will configure.
EnablePrimeLogin Enables or disables the Automatic User Name Resolution feature. Specify 1 to enable or 0 to disable. The recommended setting is 1.
Default value: dword:00000001
EnableCyberCafeMode Enables or disables the Dynamic Hotspot Management feature.
Specify 1 to enable or 0 to disable.
Default value: dword:00000000
AllowProcessUpdate Enables or disables the Process on Port Update feature. Specify 1 to enable or 0 to disable.
Default value: dword:00000000
AllowUnSafeBrowsing Enables or disables the Allow Unsafe Browsing feature.
Specify 1 to enable or 0 to disable.
Default value: dword:00000000
UpstreamProxies One or more address:port entries of internal proxy servers, if your organization requires that web traffic goes to those servers (such as ISA servers).
Separate the URL and port with a colon, and separate multiple proxies with a semicolon. For example:
proxyname:port
or
proxyname1:port1;proxyname2:port2;proxyname3:port3
LoggingLevel Specifies the type of information to be logged.
Default: “errors”. Values are:
• "errors" = Logs errors only.
• "errors_warnings" = Logs errors and warnings.
• "everything" = Logs information, errors, and warnings.
See “Configuring the DWP logging level” on page 38 for more information.
EnableAutoConfigScript Specifies to use the PAC file located in AutoConfigScriptAddress. Specify 1 to enable and 0 to disable. If you specify 1, the option AutoConfigScriptAddress must have a value.
Default value: dword:00000000
AutoConfigScriptAddress The URL to the PAC file, provided on the Management Portal Resources tab.
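Before a mass rollout, a user-settings .reg file can be checked against the rules in the key descriptions above. The following is an added example, not Webroot code: the function names, finding messages and sample file are constructed for illustration, and the rule set is a reading of this guide's key descriptions and of the Firefox # note.

```javascript
// Added example (not Webroot code): lint a DWP user-settings .reg file against
// the rules stated in the key descriptions of this guide.
var FIXED = { // values the guide says not to change
  ProcessUploadURL: "/webfilter/services/processlist.php",
  ConnectionListURL: "/webfilter/services/connectionlist.php",
  PrimeLoginURL: "/webfilter/services/webreq.php",
  CheckUpdateURL: "/webfilter/services/update.php"
};
var FLAGS = ["EnablePrimeLogin", "EnableCyberCafeMode", "AllowProcessUpdate",
             "AllowUnSafeBrowsing", "EnableAutoConfigScript"];
var LEVELS = ["errors", "errors_warnings", "everything"];

// Parse "name"=value lines: strings stay strings, dword: becomes a number,
// hex: keeps its hex text. Values in any other shape are listed as malformed.
function parseReg(text) {
  var values = {}, malformed = [];
  text.split(/\r?\n/).forEach(function (line) {
    var m = /^\s*"([^"]+)"\s*=\s*(.*?)\s*$/.exec(line), s;
    if (!m) return; // header, [key] line or blank line
    if ((s = /^"(.*)"$/.exec(m[2]))) values[m[1]] = s[1].replace(/\\(.)/g, "$1");
    else if ((s = /^dword:([0-9a-fA-F]{8})$/.exec(m[2]))) values[m[1]] = parseInt(s[1], 16);
    else if ((s = /^hex:(.*)$/.exec(m[2]))) values[m[1]] = s[1];
    else malformed.push(m[1]);
  });
  return { values: values, malformed: malformed };
}

// Return "Key: problem" strings; an empty array means no rule was broken.
function lintUserSettings(text) {
  var reg = parseReg(text), v = reg.values;
  var out = reg.malformed.map(function (k) { return k + ": malformed value"; });
  function has(k) { return Object.prototype.hasOwnProperty.call(v, k); }
  ["UserName", "Password"].forEach(function (k) {
    if (has(k) && v[k] !== "") out.push(k + ": must be left blank");
  });
  Object.keys(FIXED).forEach(function (k) {
    if (has(k) && v[k] !== FIXED[k]) out.push(k + ": keep the sample value");
  });
  FLAGS.forEach(function (k) {
    if (has(k) && v[k] !== 0 && v[k] !== 1) out.push(k + ": must be dword 0 or 1");
  });
  if (has("RemoteProxyServerPort") && ["3128", "8080"].indexOf(String(v.RemoteProxyServerPort)) < 0)
    out.push("RemoteProxyServerPort: use 3128 or 8080");
  if (has("LocalProxyPort") && !(Number(v.LocalProxyPort) >= 1025 && Number(v.LocalProxyPort) <= 65535))
    out.push("LocalProxyPort: must be between 1025 and 65535");
  if (has("LoggingLevel") && LEVELS.indexOf(v.LoggingLevel) < 0)
    out.push("LoggingLevel: unknown level");
  if (v.UpstreamProxies && !/^[^:;\s]+:\d{1,5}(;[^:;\s]+:\d{1,5})*;?$/.test(v.UpstreamProxies))
    out.push("UpstreamProxies: expected name:port;name:port");
  if (v.EnableAutoConfigScript === 1 && !v.AutoConfigScriptAddress)
    out.push("AutoConfigScriptAddress: required when EnableAutoConfigScript is 1");
  if (String(v.AutoConfigScriptAddress || "").indexOf("#") >= 0)
    out.push("AutoConfigScriptAddress: '#' in the path breaks PAC parsing in Firefox");
  if (v.AllowUnSafeBrowsing === 1 && v.EnableCyberCafeMode !== 1)
    out.push("AllowUnSafeBrowsing: only applies when EnableCyberCafeMode is 1");
  return out;
}

// Constructed sample with deliberate mistakes (not a real deployment file).
var SAMPLE_REG = [
  "Windows Registry Editor Version 5.00",
  "[HKEY_CURRENT_USER\\SOFTWARE\\Web Filtering\\ESTPM\\Session Data]",
  '"UserName"="jdoe"',
  '"Password"=hex:',
  '"CheckUpdateURL"="/webfilter/services/update.php"',
  '"ServiceURL"="http://dwp.ws.wssaas.com\u201d', // curly closing quote
  '"RemoteProxyServerPort"="8000"',
  '"EnableCyberCafeMode"=dword:00000000',
  '"AllowUnSafeBrowsing"=dword:00000001',
  '"UpstreamProxies"="isa1:8080;isa2"',
  '"EnableAutoConfigScript"=dword:00000001',
  '"AutoConfigScriptAddress"=""'
].join("\r\n");
```

Calling lintUserSettings(SAMPLE_REG) returns one finding per deliberate mistake; a file that follows the key descriptions returns an empty array.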
4: Troubleshooting
This chapter provides DWP troubleshooting tips. If you are unable to resolve issues after referring to this information, contact Technical Support.
Topics in this chapter:
• FAQs
• Viewing running processes
• Running diagnostics
• Using the DWP Latency Tester
• Using DWP Network Packet Capture
• Error messages
• PAC file is unavailable when user profile folders are remapped