Howto

© 2014 Collax GmbH

Collax Web Security

This howto describes the setup of a Web proxy server as Web content filter.

Requirements

Collax Business Server
Collax Security Gateway

Collax Platform Server including Collax Web Security module

Optional

Collax Surf Protection powered by Cobion
Collax Virus Protection powered by Kaspersky
Collax AntiVir Protection powered by Avira

Objective

If various user groups in a network are to be granted different permissions for Internet access and content, it is necessary to define Web content filter rules. Depending on the needs, these filter rules can be expanded into complex rule sets.

Based on a practical example, this document demonstrates the basic creation of such rule sets on a Collax Business Server.

Task

A medium-sized enterprise wants to implement different Web page access rules for its employees. The management and the administrators are to have full access to all Web pages. For the employees, certain categories are to be excluded. The trainees' access is to be limited to wikipedia.org and the company Web site. Moreover, all HTTP traffic is to be screened for viruses. The anti-virus solution Collax Virus Protection powered by Kaspersky serves this purpose.

Solution

Basically, the rule set can be configured in three different ways:

1. Authentication directly with the Web proxy by entering the login and password of the user on the CBS.

2. Authentication with the Active Directory (AD) server. The client logs on to the Windows domain.

   The CBS must be a member of the Windows domain. Three groups containing all users of the network must be created on the AD server (for our example), i.e. the Windows domain must not contain any users that do not belong to one of these three groups. Otherwise, such users would have the same permissions as the administrator group.

3. Distinction on the basis of the IP addresses of the individual clients. This method does not require any authentication.

This howto only explains the solution of option 1.

First, create three groups:

Proxy_Management
Proxy_Employees
Proxy_Trainees


Distribute the created users to the groups. Please note that users that do not belong to any proxy group will be granted the permissions of one of these groups. It is not possible to determine exactly which one this will be.

Important: For this reason, every user must be allocated to one of these groups.

The "LocalNet" must be allocated to at least one group.

Subsequently, activate the Web proxy under "Services Infrastructure Web Proxy Web Proxy Server" and configure the basic settings.

E-mail address of the proxy admin
If an error occurs, the proxy server will display a Web page with an error message. This Web page shows the e-mail address of the local administrator. Specify the e-mail address in this field.


Basic Settings

The image below shows the basic configuration of the Web proxy server.

Maximum cache size (MB)
Use this parameter to set the maximum size of the cache on the hard disk. The value should be larger than 128 MB. The maximum value is 10240 MB (10 GB). Depending on the speed of the disk system, there is a limit after which the cache becomes slower. Normally, a value between 512 MB and 2 GB should be suitable.

Note: Enter the numeric value in MB without specifying the unit.

Additional SSL/TLS ports
As a general rule, the HTTP proxy cannot cache HTTPS requests, as it is unable to read the encrypted data. However, the CONNECT method can be used to forward HTTPS data over the proxy; this method enables a client to establish an indirect connection to an HTTPS server.

However, the HTTP proxy cannot verify whether the connection really is an HTTPS connection. Therefore, only certain ports are permitted for the CONNECT method, namely 443, 563, and 8443.

In this field, you can specify additional ports for use with the CONNECT method. For example, to access other Collax servers over the proxy, "8001" must be entered here additionally.

Maximum request size (kB)
This setting limits the size of individual requests to a Web server. In this way, you can limit the size of files that may be sent to a Web server.

By default, this field is blank, i.e. the size of requests is not limited.

Maximum reply size (kB)
This setting limits the size of files that may be downloaded over the proxy. By default, this field is blank, i.e. the size is not limited.


Note: If the value is too small, the proxy may be unable to reply. If an error message of the proxy is larger than the maximum reply size, no message will be displayed in the event of an error. For this reason, entries smaller than 10 kB will be set to 10 kB.

Log proxy activity
If you enable this option, all requests will be logged. The date, time, client IP number, and the requested URL will be stored in the log file. If user authentication is enabled, the login will also appear in the log file.

Note: These user-specific data may be subject to legal provisions and privacy laws. If applicable laws prohibit logging, do not enable this function.

Enable log analysis
Enable this option to generate a statistical analysis from the log files. The analysis is anonymized, i.e. URLs are not clearly associated with users. However, it provides information about the entire traffic of a user or system.

Anonymize HTTP header
If you enable this option, the proxy will remove certain HTTP headers from the requests forwarded to the outside.

Number of redirector programs
In this field, enter the number of processes that the Web proxy starts for processing URL requests. The redirect program is started several times in order to be able to process incoming URL requests concurrently. The number can be increased if the processing of requests is delayed.

The respective log messages can be viewed by specifying the "squid" program under "Status/Maintenance Status System System Log Files". Example:

Consider increasing the number of redirector processes to at least ## in your config file.

Enable BASIC authentication
The simplest method for authenticating users is the BASIC method. When a user wants to access Internet pages through the Web proxy, the user details are queried via a pop-up. No further settings are required on the workstation.

Enable NTLM authentication
This method will only work if the SMB/CIFS service is activated and can be used to implement single sign-on with older operating systems and Web browsers. The workstations must have joined an NT domain or AD (does not apply to Windows Server 2008).


Enable Kerberos authentication (SPNEGO)
This method enables Windows, Linux, and MacOS users to log in to the Web proxy via single sign-on in a Kerberos realm. With this method, Windows workstations within an Active Directory are automatically authenticated via single sign-on.

Activate parent proxy
Enable this option to use a parent proxy. Proxy servers can be connected in series. The client sends the request to a proxy in the local network, which in turn queries another proxy server, e.g. the provider's proxy server. The parent proxy is such a superordinate system.

In the last section, you can enter networks and domains for which the proxy is not to be used.

Browsers with JavaScript support can automatically be configured for proxy use. For this purpose, the URL of a JavaScript file must be specified in the browser configuration. The configuration file "proxy.pac" is generated from the settings in this dialog and saved to the directory of the Web server.

No proxy for names without domain
Enable this option in order not to use a proxy if the host name does not contain any domain, i.e. when addressing a server in the local domain.

No proxy for these domains
Here you can specify a list of domains for which no proxy is to be used. The domains in the list are separated by spaces.

No proxy for these networks
Here you can select the networks for which no proxy is to be used.
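The following is an added example of what a proxy.pac built from these three options looks like; it is not the file generated by the Collax server. The proxy address, the domain list and the network list are constructed values. The helper functions isPlainHostName, dnsDomainIs and isInNet are normally supplied by the browser's PAC engine; minimal versions are included here so the file can be exercised in Node, and this isInNet accepts only a dotted-quad host (a browser would first resolve a host name to an address). The dnsDomainIs here is a strict label-boundary match, which is tighter than the plain suffix test found in classic browser implementations.

```javascript
// Added example proxy.pac for the "No proxy for ..." options (not Collax code).
// All values below are constructed for illustration.
const PROXY = "PROXY 172.16.16.1:3128";                 // assumed address of the Web proxy
const NO_PROXY_PLAIN_HOSTS = true;                        // "No proxy for names without domain"
const NO_PROXY_DOMAINS = ["collax.com", "example.com"];   // "No proxy for these domains"
const NO_PROXY_NETWORKS = [["172.16.16.0", "255.255.255.0"]]; // "No proxy for these networks"

// A plain host name carries no domain part ("intranet", not "intranet.example.com").
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// True when host is the domain itself or a host below it; "notcollax.com" does
// not match "collax.com" (stricter than the classic suffix-only browser helper).
function dnsDomainIs(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Convert a dotted-quad string to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + parseInt(octet, 10), 0) >>> 0;
}

// Subnet test on a dotted-quad literal; non-literals are treated as "not in net".
function isInNet(ip, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  if (NO_PROXY_PLAIN_HOSTS && isPlainHostName(host)) return "DIRECT";
  for (const domain of NO_PROXY_DOMAINS) {
    if (dnsDomainIs(host, domain)) return "DIRECT";
  }
  for (const [net, mask] of NO_PROXY_NETWORKS) {
    if (isInNet(host, net, mask)) return "DIRECT";
  }
  return PROXY; // everything else goes through the filtering proxy
}

console.log(FindProxyForURL("http://www.cnn.com/", "www.cnn.com"));
console.log(FindProxyForURL("http://intranet/", "intranet"));
```

Every entry in the "No proxy" lists is a path around the content filter and the virus scan, so they should contain only destinations that genuinely need it. The example deliberately returns the proxy alone rather than "PROXY ...; DIRECT": with a DIRECT fallback, browsers would silently bypass the filter whenever the proxy is unreachable.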

Rules

This dialog is located under "Services Infrastructure Web Proxy Web Security Rules".

The filter rules for the Web-proxy server are defined in this dialog. A rule determines which URL lists are valid at what times and whether the URLs in the lists are blocked or allowed.

The groups for which the rules are to be valid can be defined in the usage policy. Several rules may apply to one group. The sequence of the rules is governed by different priorities. If a URL matches several rules, the rule with the highest priority will be used. Normally, you should either allow everything and block only specific URLs or block everything and allow specific URLs. This policy should be set in the existing "All" rule. The "All" rule should be the last rule with the lowest priority.

The Collax Surf Protection and Dansguardian lists are used to make it easier for the administrator to configure the rules. In these lists, many URLs are grouped by subjects. The administrator can select the categories that are to be prohibited for the employees. To activate the Collax Surf Protection, you need a license key that can be obtained from Collax. After the activation, create your individual Cobion lists under "Services Infrastructure Web Proxy Web Security Cobion Lists".


To use the Dansguardian lists, install them under "Status/Maintenance Software Licenses and Modules". To perform the installation, click the plus after "Dansguardian".

For the trainees, define a "Custom List" with the two URLs "collax.com" and "wikipedia.org" under "Services Infrastructure Web Proxy Web Security Custom Lists".

Next, create the needed rules under "Services Infrastructure Web Proxy Web Security Rules". Use descriptive names. Under the "Policy Settings" tab, you can select the groups to which this rule is to apply. Perform this step for each defined proxy group.


The overview shows the list of rules, sorted by priority.

For each group (except for the Proxy_Management group in this example), at least one rule that implements restrictions (priority 2, 4, and 5) must be created. Finally (for each group), there is a global rule (3, 6, and 7) that allows or prohibits everything. The rules should always be created in such a way (or, if created retroactively, they should be moved in such a way) that all rules for the first group are listed consecutively, then all rules for the second group, etc. The field "Process further rules" must be set to "Yes" for all rules above the concluding global rule.

For example, consider the rules for the employees.

1. Rule 4 contains the whitelist of domains that should always be allowed, e.g. the home page. As further rules for this group will follow, check "Process further rules".

2. Rule 5 contains the Dansguardian and Cobion lists that should always be prohibited for the employees. Here too, check "Process further rules".

3. Rule 6: Concluding global rule. This rule applies to "all domains" and allows access to pages not prohibited by the previous rules. For this group, no further rules need to be processed.
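To make the rule model of this section concrete, here is an added evaluator that is not part of the Collax product: rules are walked in priority order, a rule counts only for groups named in its policy, the first rule whose list contains the requested host decides, and a rule with "Process further rules" set to No concludes evaluation for that group whether or not it matched. The rule table mirrors rules 2 to 7 of the example above with constructed names and list contents; the "All" rule is set to allow, as the management group needs full access. That a request which reaches the end without any decision is blocked, and that a concluding rule stops evaluation even without a match, are assumptions of this example.

```javascript
// Added example (not Collax code): evaluator for a priority-ordered rule table.
// List contents and rule names are constructed; "all" stands for "all domains".
const LISTS = {
  custom_trainees: ["collax.com", "wikipedia.org"],
  custom_company: ["collax.com", "news.example"],
  dg_prohibited: ["casino.example", "news.example"], // news.example is also whitelisted above
};

const RULES = [
  { priority: 2, name: "Trainees_Allowed",     groups: ["Proxy_Trainees"],  lists: ["custom_trainees"], action: "allow", processFurther: true },
  { priority: 3, name: "Trainees_All",         groups: ["Proxy_Trainees"],  lists: ["all"],             action: "deny",  processFurther: false },
  { priority: 4, name: "Employees_Whitelist",  groups: ["Proxy_Employees"], lists: ["custom_company"],  action: "allow", processFurther: true },
  { priority: 5, name: "Employees_Prohibited", groups: ["Proxy_Employees"], lists: ["dg_prohibited"],   action: "deny",  processFurther: true },
  { priority: 6, name: "Employees_All",        groups: ["Proxy_Employees"], lists: ["all"],             action: "allow", processFurther: false },
  { priority: 7, name: "All", groups: ["Proxy_Management", "Proxy_Employees", "Proxy_Trainees"], lists: ["all"], action: "allow", processFurther: false },
];

// Does the host fall into the named list? "all" matches every host.
function hostInList(host, listName) {
  if (listName === "all") return true;
  return (LISTS[listName] || []).some((d) => host === d || host.endsWith("." + d));
}

// Walk the rules by priority (1 = highest) and return the deciding rule.
function evaluate(rules, group, host) {
  const ordered = [...rules].sort((a, b) => a.priority - b.priority);
  for (const rule of ordered) {
    if (!rule.groups.includes(group)) continue;          // not in this rule's policy
    const list = rule.lists.find((l) => hostInList(host, l));
    if (list !== undefined) {
      return { action: rule.action, rule: rule.name, list };
    }
    if (!rule.processFurther) break;                      // concluding rule, no match
  }
  return { action: "deny", rule: null, list: null };      // assumption: no decision = blocked
}

for (const [group, host] of [["Proxy_Trainees", "en.wikipedia.org"], ["Proxy_Employees", "www.cnn.com"]]) {
  console.log(group, host, evaluate(RULES, group, host));
}
```

The whitelist at priority 4 wins over the prohibited category at priority 5 for news.example, which is the "highest priority decides" behaviour described above. Setting "Process further rules" to No on rule 4 makes every employee request outside the whitelist stop there and be blocked, which is why the howto insists on Yes for all rules above the concluding one.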

Access Alert

Typical message for a prohibited page:

Access denied

The access to the document under http://www.cnn.com/ is included in the "none ()" list. The URLs in this list are currently blocked for all members of your group due to the rule "Trainees_Prohibited_group ()".

Please contact your administrator if you believe that an error has occurred. To eliminate the problem, the following details may be required:

User: Trainee_1
Host:
Host IP: 172.16.16.10
URL list: none


Virus Protection

First of all, a license needs to be obtained for Collax Virus Protection and Avira AntiVir Protection. Install the software via "Status/Maintenance Software Licenses and Modules".

Moreover, you can use the free Web filter from ClamAV.

Now simply activate the virus protection under "System Infrastructure Web Proxy Web Security Anti-Virus Web Filtering" to automatically apply it to all accessed HTTP pages as long as the Web proxy is used.

SSL Interception

This dialog is located under "Services Infrastructure Web Proxy Web Proxy Server" in the options.

Normally, the content of encrypted HTTP traffic (HTTPS) cannot be evaluated or filtered, as encryption is used between the Web server and the browser. In this section, you can configure settings that enable the Web proxy to intercept this encrypted traffic, e.g. to analyze the content for malware or unwanted contents.
