
© 2007-2011 CensorNet Ltd

Getting Started Guide

CensorNet Professional

Copyright © CensorNet Limited, 2007-2011

This document is designed to provide information about the first time configuration and testing of the CensorNet Professional web content filtering software. Every effort has been made to make this document as complete and accurate as possible, but no warranty or fitness is implied. CensorNet Ltd does not accept any liability for poorly designed or malfunctioning networks.

CONTENTS

Getting started
  Logging in to the web control panel
  Navigation and assistance
  Product activation
    Common problems
Cloud mode
  Downloading the URL database (CSRV)
    Common problems
Locale settings
  Time zone
    Common problems
  Language
Parent proxy configuration
Web browser configuration
Securing the network
User authentication
  Transparent Kerberos
    Configuring Transparent Kerberos authentication
    Verify that Transparent Kerberos is working
    Common problems with Transparent Kerberos
  Transparent NTLM
    Configuring Transparent NTLM authentication
    Verify that NTLM authentication is working
    Common problems with NTLM
  CensorNet Active Directory Agent
    Installing the CensorNet Active Directory Agent
    Configuring the CensorNet Active Directory Agent
    Verify that user identification is working with the Active Directory Agent
  Active Directory (Kerberos)
    Configuring Active Directory (Kerberos)
    Verify that Active Directory (Kerberos) authentication is working
    Common problems
  Windows NT or SAMBA server
    Configuring Windows NT or SAMBA server authentication
    Verify that Windows NT or SAMBA server authentication is working
  Netware NDS (eDirectory)
  LDAP server authentication
  Internal authentication
    Managing user accounts
    Managing user passwords
  No user authentication
  Global user authentication settings
Active Directory integration
  Synchronising with Active Directory
    Installing the CensorNet Synchronisation Service
    Configuring the CensorNet Synchronisation Service
    Verify that the CensorNet Synchronisation Service is working
  Replicating the Active Directory structure
    Replicating by Organisational Unit (OU)
    Replicating by Primary Group
Computer identification
  Configuring the computer identification method
  MAC Address method
    Import computers automatically
    Import computers from CSV
    Common problems
  IP Address method
    Import computers automatically
  Hostname method
    Import computers automatically
SSL Intercept mode
  Enabling SSL Intercept mode
  Installing web browser SSL certificate
  Bypassing SSL intercept mode
    Completely bypass SSL web sites
  Disabling SSL intercept mode
Filtering policies
  Default policy
    The default policy explained
  Creating new policies
  Applying policies to groups of users or computers
  Global filtering modules
  Custom URL module
    Creating a Custom URL category
    Adding Custom URLs
    Custom URL Patterns
Administrators
Bypassing non-proxy-aware sites / applications
Common error messages
  The upstream proxy did not respond in time
  Unable to retrieve MAC address of the peer
  The authenticity of the web site could not be verified
  Content length exceeded
  YOUR REQUEST COULD NOT BE PROCESSED AT THIS TIME, THIS IS PROBABLY DUE TO NETWORK CONGESTION.
Troubleshooting
  Single-sign-on with Transparent Kerberos prompts me to login
  Allow or block instant messaging applications
  Web sites such as youtube no longer stream correctly
  Web pages do not load correctly – missing styles and images
  Problem authenticating users using Apple OSX
  Intermittent access to web sites or slow web sites
  Citrix notes
Summary
Technical support

GETTING STARTED

This document is designed to guide you through the steps needed to set up and configure CensorNet Professional for the first time. It is not meant to be an exhaustive reference to all the features and functionality available – this can be found within the product documentation under the HELP menu or in our online KNOWLEDGE BASE.

LOGGING IN TO THE WEB CONTROL PANEL

The CensorNet product is administered using a Web based graphical user interface, known as the “CONTROL PANEL”.

To access the Control Panel, you will need to use a Web browser on a machine that is on the same network as the CensorNet server.

Open the Web browser, and in the address bar type:

HTTP://IP.OF.CENSORNET/

Where “IP.OF.CENSORNET” is replaced with the IP address you configured for the CensorNet server, e.g.

http://192.168.1.1/

You will be presented with the CONTROL PANEL LOGIN SCREEN, as shown in the figure below.

The default credentials are:-

Username admin

Password password

N.B. Both fields are case sensitive. These defaults are public knowledge, so change the admin password at your first login (see the Administrators section) before the server is reachable by anyone other than the administrator.


NAVIGATION AND ASSISTANCE

CensorNet has been designed to be easy to use and entirely manageable from a Web browser. Navigating to the various sections of the application is achieved via the drop down menu at the top of the browser window, as shown below:-

IF YOU NAVIGATE AWAY FROM A PAGE WITHOUT SAVING THE SETTINGS, THEN THE SETTINGS WILL BE LOST. AT THE BOTTOM OF EVERY PAGE THERE IS A “SET OPTIONS” BUTTON WHICH CAN BE USED TO SAVE CHANGES.

The product manual is integrated into the product and from each page you can click the help icon to be taken to the relevant page of the manual based on the current page you are viewing.

Tooltips are also available next to each option and provide a quick way to understand what should be entered in the required text box. Simply roll the mouse pointer over the field name to reveal the tooltip, as shown below:-

Additional help can also be found in the HELP menu where you can access the full product manual, visit the KNOWLEDGE BASE or access the LIVE SUPPORT DESK where you can speak to an operator in real time for assistance. See the Technical Support section for more details.


PRODUCT ACTIVATION

It is necessary to activate CensorNet with a valid license in order to start the proxy service and accept connections. You can generate an Activation Key by logging into MY ACCOUNT at www.censornet.com and choosing MANAGE ACTIVATION KEYS.

To activate the software:-

1. Enter the Activation Code you created at www.censornet.com.

2. Click “ACTIVATE FOR 10 DAYS”. Activation can take up to 30 seconds.

Once activated, you will see the green dialogue box below, indicating that the 10 day license has been installed successfully.

After a few seconds you will see the CensorNet proxy service attempting to start. As there is no local URL database installed, CensorNet will attempt to contact one of the online lookup servers.

If successful, the Filtering Proxy indicator will change from orange to green and CLOUD MODE will be active. Please see the section on Cloud Mode below.

COMMON PROBLEMS

• If the activation fails, it may be for a number of reasons:-

1. The CensorNet server does not have access to the Internet. Please double check DNS and gateway settings by using the “SETUP” program. Refer to the Installation Guide for network configuration.

2. You have already used the activation code on a different machine. Once the activation code has been used on a particular machine, you cannot use it again on a different piece of hardware. Contact Technical Support for a new activation code.


CLOUD MODE

During the evaluation period CensorNet will operate in CLOUD MODE. This is a special mode that CensorNet uses when it does not have a locally installed copy of the URL database. When in CLOUD MODE, CensorNet uses DNS lookups to rate URLs on the fly for every web request. For evaluation purposes this is acceptable; in production, however, it is much better to cache the most frequently visited web sites in a local URL database so that the proxy only needs to connect to the cloud when it encounters a new web site for the first time.

It is possible to exit CLOUD MODE during your evaluation period by requesting to download the URL database using the link within the green dialogue box. You will be required to complete a short form with your contact details and then a username/password will be issued to you within 24hrs.

The database is approximately 1GB and may take several hours to download depending on the speed of your Internet connection.

DOWNLOADING THE URL DATABASE (CSRV)

Once you receive your username and password, you will need to configure CensorNet to download the database. To do this:-

1. Go to the FILTERS menu and select URL DATABASE UPDATES.

2. Set the Update Mode to DOWNLOAD ALL UPDATES

3. Select the closest geographical download site from the Source list.

4. Enter the username and password provided to you.

5. Select an update time for daily updates to occur. It is recommended that these updates happen outside of office hours.

6. Click SET OPTIONS and then click UPDATE NOW.

You can verify that the download has started by refreshing the System Overview page. To do this, go to the SYSTEM menu and then select OVERVIEW and scroll down to the URL DATABASE UPDATE SUBSCRIPTION panel, as shown below.

Whilst the database is downloading please do not switch off or reboot the CensorNet server. The update status will change to IDLE when successful.

COMMON PROBLEMS

• The message “Update failed” appears instead of the download status.

1. Check that the CensorNet server has Internet access – ensure DNS and gateway settings are correct. Try resolving and pinging csrv.censornet.com; if the name does not resolve, look again at the network configuration. Bear in mind that a firewall may block ping even when web access works, so a failed ping on its own does not prove the gateway is wrong.

2. Double check the username and password entered and click UPDATE NOW again.

3. Do you have to use a parent / upstream proxy server for web access? If so, you must configure this under System -> Configuration -> Parent Proxy settings before attempting to download the database.

Once configured, attempt the download again.

4. If the problem persists, try a different update Source.

5. Contact Technical Support for assistance.

• The message “Download in progress” is displayed but there is no % complete. This usually happens when a parent proxy is being used because CensorNet is unable to generate a progress counter. It is working; it just cannot tell you how much has been downloaded.

LOCALE SETTINGS

It is important to configure the locale settings for your CensorNet server. These may have been set during installation however you should verify they are correct and make any changes that you need to now.

TIME ZONE

Time is very important to CensorNet. Everything relies on accurate time, so you should verify that the date, time and time zone are correct. In particular, the Transparent Kerberos and Transparent NTLM trust relationships with Active Directory fail if the CensorNet clock is more than five minutes away from the domain controller's clock, so the server should be synchronised to the same time source (NTP) as the domain controllers. To check these settings, go to SYSTEM -> CONFIGURATION -> TIME ZONE.

Current Timezone – this is the time zone that CensorNet is currently using and is based on the time zone selected during installation. If this is incorrect, select the correct time zone from the drop down list and press Set Options.

Current Server Local Time – this is the current time and date based on the clock in the CensorNet server. It is important to check that the date and time are correct and that they stay correct. If you need to change the time, alter it here and press Set Date & Time and then monitor it to ensure the clock stays correct.

COMMON PROBLEMS

The clock keeps drifting on a virtual machine – this is common on virtual machines which do not have the hypervisor tools installed to synchronise the virtual clock with the host. Please see this Knowledge Base article: http://www.censornet.com/en/kb/clock_drift_and_ntp

The clock drifts on a physical server – on some hardware, there is a problem with Linux communicating with the real time clock. Please see this Knowledge Base article: http://www.censornet.com/en/kb/repeated_license_failure


LANGUAGE

CensorNet supports viewing the Web control panel in different languages. The language can be chosen when you login to the control panel or a default language can be set for all users. To select the default language, go to SYSTEM -> CONFIGURATION -> LANGUAGE.

Click SET OPTIONS to set the default language. You will need to log out and log back in for the changes to take effect.

PARENT PROXY CONFIGURATION

If there is an existing proxy server on the network or a proxy server upstream at your ISP, and you are forced to use it, then you should configure the proxy server on CensorNet.

To do this, go to SYSTEM -> CONFIGURATION -> PARENT PROXY SETTINGS.

WEB BROWSER CONFIGURATION

NOTE: IF YOU HAVE CONFIGURED CENSORNET IN “INLINE” MODE IT IS NOT NECESSARY TO CONFIGURE YOUR WEB BROWSER PROXY SETTINGS. PLEASE IGNORE THIS SECTION.

In order to use the CensorNet proxy server you need to configure your web browser to use CensorNet. This is a straightforward step which you can do individually on each browser or automatically using Active Directory Group Policy or Web Proxy Auto Discovery (WPAD).

For the purposes of this guide, the following steps can be followed to configure Internet Explorer to use CensorNet:

• Start Internet Explorer

• Select the TOOLS menu and then INTERNET OPTIONS

• Click the CONNECTIONS tab and then LAN SETTINGS

• Tick the box to USE A PROXY SERVER and enter the CensorNet IP address into the ADDRESS field. Enter port 8080 into the PORT field.

• Tick the box to BYPASS PROXY SERVER FOR LOCAL ADDRESSES

• Click the ADVANCED button

• Enter the IP of CensorNet into the EXCEPTIONS box.

• Click OK, OK and OK on each dialogue box to return to the browser window.

SECURING THE NETWORK

Please review this Knowledge Base article on securing the network so that users cannot bypass the proxy:- http://www.censornet.com/en/kb/enforce_proxy_use

Filtering only applies to traffic that actually passes through CensorNet, so browser proxy settings alone are not enough: a user who clears them will browse unfiltered unless the perimeter firewall permits outbound web traffic (TCP 80 and 443) only from the CensorNet server and not from the client subnets.

USER AUTHENTICATION

CensorNet can identify users browsing the web, apply different policies to them and include the usernames in reports. To achieve this, you must configure a method of user authentication for CensorNet to use. The following methods are supported:-

Transparent Kerberos – for networks with Windows Server 2003 and above with clients running Internet Explorer 7 or above. Transparent Kerberos is a single sign-on authentication method compatible with the latest Windows Server and Windows desktop operating systems (Vista, Windows 7). Compatible with Citrix or Terminal Services environments and SIDEWAYS mode where you do not want users to be prompted to login when they open a Web browser.

Transparent NTLM (pre Windows Server 2003) – CensorNet creates a trust relationship with the Active Directory domain controller and transparently authenticates users using the NTLM protocol. This is particularly useful in Citrix or Terminal Services networks and in SIDEWAYS mode where you do not want users to be prompted to login when they open a Web browser. NTLM is only supported by the Internet Explorer and Firefox web browsers. This authentication method is not available when operating in Inline mode.

CensorNet Active Directory Agent – The Agent is a small piece of software that is installed on your Active Directory domain controller(s) and reports user logons to CensorNet for user identification. The agent runs as a system service and must be installed on all domain controllers for the domain. The agent is ideal for providing user identification when in INLINE mode, however it is not suitable for Citrix or Terminal Services networks. For Citrix or Terminal Services please use Transparent NTLM. For further information about the agent please visit http://www.censornet.com/adagent/

Windows NT or Samba – for use with Windows NT or Samba (Linux or Apple). CensorNet will prompt for a username/password to be entered when the web browser is opened. This authentication method is not available when operating in INLINE mode.

Netware NDS (eDirectory) – for use with Novell NDS or eDirectory. CensorNet will prompt for a username/password to be entered when the web browser is opened. This authentication method is not available when operating in INLINE mode.

LDAP – for use with OpenLDAP and similar directories. CensorNet will prompt for a username/password to be entered when the web browser is opened. This authentication method is not available when operating in INLINE mode.

Internal Authentication – allows you to create a list of usernames and passwords on the CensorNet server which are used to login with when a web browser is opened. Useful if you require user identification but do not have a domain controller. This authentication method is not available when operating in INLINE mode.

No User Authentication – Do not require users to authenticate to access the Web.


TRANSPARENT KERBEROS

Transparent Kerberos is a single sign-on authentication method compatible with Windows Server 2003 and above. This method supersedes NTLM Authentication and is compatible with the latest Windows desktop operating systems such as Vista and Windows 7. Transparent Kerberos allows users to authenticate with CensorNet without prompting to re-enter network login credentials.

In order to use Transparent Kerberos authentication your network needs to meet the following requirements:

• Windows Server 2003 or above

• Internet Explorer 7 or above, Firefox 2 or above or Safari on Mac OSX 10.4 or above on all client machines.

CONFIGURING TRANSPARENT KERBEROS AUTHENTICATION

IMPORTANT: If you have previously configured CensorNet Professional with NTLM Authentication, it is important that you remove the CensorNet machine account from Active Directory (and confirm it has gone from all domain controllers) before attempting to configure Transparent Kerberos. You can do this from the Windows Server by running Active Directory Users & Computers and deleting the CensorNet machine account from the Computers folder. The machine account name will be the same as the CensorNet server's hostname. To find this, login to the CensorNet server as root and type “hostname” to display the hostname.

To configure Transparent Kerberos, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Transparent Kerberos radio button.

You will need the following information:

Server IP Address – This is the IP address of your Active Directory server or Primary Domain Controller if there are more than one domain controllers on the network.

Server Hostname – This is the hostname of your Active Directory server or Primary Domain Controller. This is just the name of the server, not the fully qualified domain name.

AD Domain – This is the fully qualified Active Directory domain name without the hostname or computer name at the beginning.

Domain Admin Username – This is the username of a user account on the Active Directory server with administrator privileges (a member of the Domain Admins group). It is used only while the trust relationship is being created.

Domain Admin Password – This is the password of the admin username specified in “Domain Admin Username”. The password cannot contain any special characters (e.g. % & $, etc). If your password does contain special characters and you do not wish to change it, create a new user account for CensorNet (e.g. username: censornet) and set its password to something in standard characters.

AFTER CREATING THE NEW USER ACCOUNT, RESET ITS PASSWORD AGAIN TO WORK AROUND A KNOWN ISSUE WITH LINUX AND ACTIVE DIRECTORY. The new account is only required to establish the trust relationship and should be removed or disabled once the SUCCESS message has been received, rather than leaving an unused privileged account in the directory.

Click SET OPTIONS to enable Transparent Kerberos authentication.

After a few seconds, you should receive a SUCCESS message if CensorNet was able to establish a trust relationship with the Active Directory server (see below).

UPDATE WEB BROWSER PROXY SETTINGS

Transparent Kerberos requires that the proxy server address is specified with its fully qualified domain name (FQDN) rather than its IP address in the web browser proxy settings, because the browser requests a Kerberos service ticket for the proxy by name. You can find the FQDN by logging into the CensorNet server as ‘root’ and typing ‘hostname -f’. You should see output similar to this:

censornet.ad2008r2.local

In the above example “censornet.ad2008r2.local” is the FQDN and this should be configured in your browser proxy server settings – see Web Browser Configuration. On a network, this can be updated using a group policy object if you use Internet Explorer.

Please ensure that the FQDN can be resolved to the IP address of the CensorNet server. You can verify this by typing “nslookup censornet.ad2008r2.local” on a client desktop machine. If it does not resolve to the CensorNet server IP address, you will need to create a forward (A) record for it on your internal DNS server (usually the primary domain controller).

VERIFY THAT TRANSPARENT KERBEROS IS WORKING

IMPORTANT

After configuring Transparent Kerberos authentication it is important that the network user logs out and logs back into the domain, so that the user obtains fresh Kerberos tickets. This procedure is only required once.

You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user account from the Active Directory (the “test user”) and open a Web browser that is configured to use CensorNet as a proxy server (see the section on Web Browser Configuration and, if using Internet Explorer, ensure it is using the FQDN described in the note above).

Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser should not prompt the test user to login – if this happens please see Common Problems below.

If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user by going to REPORTS -> WHO’S BROWSING within the CensorNet web control panel. This will list the currently active Internet users – and the test user should appear here – as shown in the example below.

Click on the test user, in this case “foo” to drill-down into the recent web site visits. Here you should see the test sites that you accessed using the web browser, e.g. www.google.co.uk.

If this is correct, then you should move on to Active Directory Integration for details on how to replicate your Active Directory structure within CensorNet.

If you do not see any user names in the WHO’S BROWSING report then please read the section Common Problems below.


COMMON PROBLEMS WITH TRANSPARENT KERBEROS

• If the trust relationship fails you will receive a FAILURE message (see below). This can happen for a number of reasons.

  o The most common cause of this problem (especially when using a Virtual Appliance) is that the clock on the CensorNet server is not in synch with the clock on the Active Directory server. The two clocks must be within 5 MINUTES of each other, otherwise the Kerberos handshake will fail. The time zone should also match on both servers. For information on how to set the clock correctly please visit the Knowledge Base: http://www.censornet.com/en/kb

  o If you have previously configured NTLM on this CensorNet server, you should remove the “censornet” machine account from all the domain controllers on the network.

  o The administrator password contains special characters, e.g. å, $, _, \%, ^, £, etc. Please change the administrator password or create a new user account with administrator privileges that does not use these characters.

  o If you have created a new administrator account for CensorNet, please ensure you reset its password TWICE to work around a known issue with Linux and Active Directory.

  o Please ensure that the hostname on CensorNet does not use a reserved word, such as “internet”. We recommend the CensorNet hostname stays as “cnadmin” to avoid any conflicts.

  o Ensure that the hostname of your CensorNet server is not the same as your Windows domain name.

• The BROWSER HANGS whenever you try and configure Transparent Kerberos authentication.

  o This can happen if there is a user or machine account with the same name as the CensorNet server in Active Directory. Please delete or rename this account and try again.

• The trust relationship is SUCCESSFUL but users are prompted to login

  o Ensure that you have specified the fully qualified domain name (FQDN) in Internet Explorer’s proxy server settings (see the note under Verify that Transparent Kerberos is working).

  o Ensure that the FQDN can be resolved from client machines. Type nslookup <FQDN> in a Command Prompt and ensure it resolves to the CensorNet IP address. If it does not, you will need to add a forward (A) record to your internal DNS server (usually the primary domain controller).

  o Ensure the user logs out of the domain and logs back in again the first time Transparent Kerberos is configured.

• The web browser hangs whilst trying to set up the trust relationship. This can happen if there is a user account with the same name as the machine account that is created by the trust relationship. Look for the name of the CensorNet machine record and then delete any user accounts with the same name, then retry creating the trust relationship.

TRANSPARENT NTLM

NTLM (NT LAN Manager) is a Microsoft authentication protocol that is supported by Internet Explorer and Mozilla Firefox as a means of transparently authenticating client browsers to a proxy server. NTLM uses the user’s Windows logon credentials in a challenge-response exchange with the proxy: the proxy answers the first request with a 407 Proxy Authentication Required challenge, the browser replies with an NTLM negotiate (Type 1) message, the proxy returns a challenge (Type 2) message containing a random nonce, and the browser completes the handshake with an authenticate (Type 3) message carrying the user name, domain and a response computed from the password hash and the nonce. The password itself is never sent; the messages travel in the Proxy-Authenticate and Proxy-Authorization HTTP headers. This provides a transparent way of identifying users without requiring them to login every time a browser window is opened.

CONFIGURING TRANSPARENT NTLM AUTHENTICATION

To configure Transparent NTLM, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Transparent NTLM radio button.

You will need the following information:

Server IP Address – This is the IP address of your Active Directory server or Primary Domain Controller if there are more than one domain controllers on the network.

Server Hostname – This is the hostname of your Active Directory server or Primary Domain Controller. This is just the name of the server, not the fully qualified domain name.

AD Domain – This is the fully qualified Active Directory domain name without the hostname or computer name at the beginning.

NetBIOS Domain – The short domain name, often called the Pre-Windows 2000 or “workgroup style” name. This is usually the first part of the Active Directory domain name (before the first dot), written in upper case.

Domain Admin Username – This is the username of a user account on the Active Directory server with administrator privileges (a member of the Domain Admins group). It is used only while the trust relationship is being created.

Domain Admin Password – This is the password of the admin username specified in “Domain Admin Username”. The password cannot contain any special characters (e.g. % & $, etc). If your password does contain special characters and you do not wish to change it, create a new user account for CensorNet (e.g. username: censornet) and set its password to something in standard characters.

AFTER CREATING THE NEW USER ACCOUNT, RESET ITS PASSWORD AGAIN TO WORK AROUND A KNOWN ISSUE WITH LINUX AND ACTIVE DIRECTORY. The new account is only required to establish the trust relationship and should be removed or disabled once the SUCCESS message has been received, rather than leaving an unused privileged account in the directory.

Click SET OPTIONS to enable Transparent NTLM authentication.

After a few seconds, you should receive a SUCCESS message if CensorNet was able to establish a trust relationship with the Active Directory server (see below).

VERIFY THAT NTLM AUTHENTICATION IS WORKING

You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user account from the Active Directory (the “test user”) and open a Web browser that is configured to use CensorNet as a proxy server (see section on Web Browser Configuration).

Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser should not prompt the test user to login – if this happens please see Common Problems below.

If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user by going to REPORTS -> WHO’S BROWSING within the CensorNet web control panel. This will list the currently active Internet users – and the test user should appear here – as shown in the example below.

Click on the test user, in this case “foo”, to drill-down into the recent web site visits. Here you should see the test sites that you accessed using the web browser, e.g. www.google.co.uk.

If this is correct, then you should move on to Active Directory Integration for details on how to replicate your Active Directory structure within CensorNet.

If you do not see any user names in the WHO’S BROWSING report then please read the section Common Problems below.

COMMON PROBLEMS WITH NTLM

• If the trust relationship fails you will receive a FAILURE message (see below). This can happen for a number of reasons.

  o The most common cause of this problem (especially when using a Virtual Appliance) is that the clock on the CensorNet server is not in synch with the clock on the Active Directory server. The two clocks must be within 5 MINUTES of each other, otherwise the Kerberos handshake used to establish the trust will fail. The time zone should also match on both servers. For information on how to set the clock correctly please see the Knowledge Base: http://www.censornet.com/en/kb

  o The administrator password contains special characters, e.g. å, $, _, \%, ^, £, etc. Please change the administrator password or create a new user account with administrator privileges that does not use these characters.

  o If you have created a new administrator account for CensorNet, please ensure you reset its password TWICE to work around a known issue with Linux and Active Directory.

  o Please ensure that the hostname on CensorNet does not use a reserved word, such as “internet”. We recommend the CensorNet hostname stays as “censornet” to avoid any conflicts.

  o Ensure that the hostname of your CensorNet server is not the same as your Windows domain name.

• If the web browser prompts you to login even though the trust was successful, it is usually due to the following:

  o The clock has drifted more than 5 minutes apart from the Active Directory clock. Please see the Common Problems section above for more detail.

  o The web browser is using NTLMv2 rather than NTLMv1. This is the default on Windows Vista and Windows 7 computers. You can roll back the version of NTLM using a group policy registry edit. For further information please see: http://www.censornet.com/en/kb/windows_7_ntlm_issue

  Note that forcing clients back to NTLMv1 weakens authentication for every service in the domain, not just the proxy: NTLMv1 responses are derived with DES from the password hash and can be recovered offline from captured traffic. Where Windows Vista or Windows 7 clients are involved, prefer Transparent Kerberos (which this guide recommends in place of NTLM) or the CensorNet Active Directory Agent rather than lowering the domain-wide NTLM level.
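As an added example (not code from the CensorNet guide or product), the Node.js decoder below reads the NTLM messages carried in the Proxy-Authenticate / Proxy-Authorization headers during the handshake described under Transparent NTLM. It classifies a message as Type 1 (negotiate), Type 2 (challenge) or Type 3 (authenticate), and for a Type 3 message extracts the domain, user and workstation and tells NTLMv1 from NTLMv2 by the length of the NT challenge response (exactly 24 bytes for NTLMv1, longer for NTLMv2), which is the quickest way to confirm the “browser is using NTLMv2” case in the troubleshooting list above from a packet capture. Field offsets follow Microsoft’s published [MS-NLMP] specification. The two sample Type 3 messages are constructed inline for the demonstration (domain AD2008R2 and user foo are the guide’s own examples; the response fields are zero-filled) and are not captured from a real session.

```javascript
// Offsets are from [MS-NLMP]; all multi-byte integers are little-endian.
const SIGNATURE = "NTLMSSP\0";
const NEGOTIATE_UNICODE = 0x00000001; // string payloads are UTF-16LE when set

// Read an 8-byte field descriptor (Len u16, MaxLen u16, BufferOffset u32)
// and return the payload bytes it points at, bounds-checked.
function readField(buf, at) {
  const len = buf.readUInt16LE(at);
  const off = buf.readUInt32LE(at + 4);
  if (off + len > buf.length) throw new Error("field runs past end of message");
  return buf.subarray(off, off + len);
}

// Decode the value of a "Proxy-Authenticate: NTLM <base64>" or
// "Proxy-Authorization: NTLM <base64>" header.
function decodeNtlmHeader(headerValue) {
  const m = /^NTLM\s+([A-Za-z0-9+/=]+)$/.exec(headerValue.trim());
  if (!m) throw new Error("not an NTLM header value");
  const buf = Buffer.from(m[1], "base64");
  if (buf.length < 12 || buf.toString("latin1", 0, 8) !== SIGNATURE) {
    throw new Error("missing NTLMSSP signature");
  }
  const type = buf.readUInt32LE(8);
  if (type === 1) {
    return { type: 1, name: "NEGOTIATE", flags: buf.readUInt32LE(12) };
  }
  if (type === 2) {
    return { type: 2, name: "CHALLENGE", flags: buf.readUInt32LE(20),
             serverChallenge: buf.subarray(24, 32).toString("hex") };
  }
  if (type === 3) {
    const flags = buf.readUInt32LE(60);
    const enc = (flags & NEGOTIATE_UNICODE) ? "utf16le" : "latin1";
    const ntResponse = readField(buf, 20);
    return {
      type: 3, name: "AUTHENTICATE", flags,
      domain: readField(buf, 28).toString(enc),
      user: readField(buf, 36).toString(enc),
      workstation: readField(buf, 44).toString(enc),
      // NTLMv1: 24-byte NtChallengeResponse. NTLMv2: 16-byte NTProofStr
      // followed by a variable-length client challenge blob, so always longer.
      ntlmVersion: ntResponse.length === 24 ? "NTLMv1" : "NTLMv2",
    };
  }
  throw new Error("unknown NTLM message type " + type);
}

// Build a constructed Type 3 message for the demonstration (not a real capture).
// Only the fields the decoder reads are populated; the responses are zero-filled.
function buildAuthenticate({ domain, user, workstation, ntResponseLength }) {
  const payloads = [
    Buffer.alloc(24),                 // LmChallengeResponse (descriptor at 12)
    Buffer.alloc(ntResponseLength),   // NtChallengeResponse (descriptor at 20)
    Buffer.from(domain, "utf16le"),   // DomainName          (descriptor at 28)
    Buffer.from(user, "utf16le"),     // UserName            (descriptor at 36)
    Buffer.from(workstation, "utf16le"), // Workstation      (descriptor at 44)
    Buffer.alloc(0),                  // EncryptedRandomSessionKey (at 52)
  ];
  const header = Buffer.alloc(88);    // fixed part incl. Version and MIC
  header.write(SIGNATURE, 0, "latin1");
  header.writeUInt32LE(3, 8);
  header.writeUInt32LE(NEGOTIATE_UNICODE, 60);
  let offset = header.length;
  payloads.forEach((p, i) => {
    const at = 12 + i * 8;
    header.writeUInt16LE(p.length, at);
    header.writeUInt16LE(p.length, at + 2);
    header.writeUInt32LE(offset, at + 4);
    offset += p.length;
  });
  return "NTLM " + Buffer.concat([header, ...payloads]).toString("base64");
}

// Constructed samples: the same user presenting an NTLMv1 and an NTLMv2 response.
const SAMPLE_V1 = buildAuthenticate({ domain: "AD2008R2", user: "foo",
                                      workstation: "PC1", ntResponseLength: 24 });
const SAMPLE_V2 = buildAuthenticate({ domain: "AD2008R2", user: "foo",
                                      workstation: "PC1", ntResponseLength: 16 + 32 });

if (typeof module !== "undefined") {
  module.exports = { decodeNtlmHeader, buildAuthenticate, SAMPLE_V1, SAMPLE_V2 };
}
```

Feed it the header values from a capture of a client talking to the proxy on port 8080: a Type 3 message reporting NTLMv2 from a Windows 7 client is the condition the troubleshooting item describes, and seeing the Type 1 and Type 2 messages confirms the challenge-response exchange itself is reaching the proxy.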

CENSORNET ACTIVE DIRECTORY AGENT

The CensorNet Active Directory Agent is a system service that sends network login credentials to CensorNet for the purposes of identifying users and computers. The software should be installed on Windows 2000, 2003 or 2008 domain controller(s) and will run as a system service with administrator rights. Currently the software supports a single domain.

The CensorNet Active Directory agent can provide user identification when CensorNet is running in Inline mode and it can also provide a faster alternative to NTLM.

NOTE: THE SERVICE IS NOT DESIGNED TO WORK IN CITRIX / TERMINAL SERVICES ENVIRONMENTS. IN THIS CASE, PLEASE CONFIGURE TRANSPARENT KERBEROS OR TRANSPARENT NTLM AS THE USER AUTHENTICATION OPTION WITHIN CENSORNET.

INSTALLING THE CENSORNET ACTIVE DIRECTORY AGENT

Please visit http://www.censornet.com/adagent/ for download and installation instructions.

Please make a note of the secret key that you set during installation.

CONFIGURING THE CENSORNET ACTIVE DIRECTORY AGENT

After installing the Active Directory agent on each of your Windows Domain Controllers you will need to configure the “secret” within the CensorNet server.

To do this, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and enter the secret key as shown below. The secret keys must match exactly on both the Agent and the CensorNet server for the authentication to work.

Press SET OPTIONS to enable the use of the CensorNet Active Directory Agent.

VERIFY THAT USER IDENTIFICATION IS WORKING WITH THE ACTIVE DIRECTORY AGENT

On the domain controllers, use the Start menu to find and open the CENSORNET AUTHENTICATION SERVICE MONITOR. The status should show as RUNNING, as shown below:-

NOTE: THE CENSORNET ACTIVE DIRECTORY AGENT ACTS AS THE PRIMARY AUTHENTICATION METHOD FOR CENSORNET. YOU CAN ALSO CONFIGURE A SECONDARY AUTHENTICATION METHOD USING ANY OF THE OTHER SUPPORTED METHODS (E.G. NTLM, LDAP, ETC). IF THE AGENT FAILS FOR ANY REASON, CENSORNET WILL FALL BACK TO THE SECONDARY METHOD OF AUTHENTICATION. PLEASE SEE THE SECTION CONFIGURING USER AUTHENTICATION FOR THE AVAILABLE SECONDARY METHODS.

ACTIVE DIRECTORY (KERBEROS)

CensorNet supports standard Kerberos authentication with Active Directory. This is useful if you require users from Active Directory to log in with a username and password when they open a web browser.

CONFIGURING ACTIVE DIRECTORY (KERBEROS)

To configure Active Directory authentication using Kerberos, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Active Directory (Kerberos) radio button.

You will need the following information:

Server IP Address – This is the IP address of the primary Active Directory server on the network.

Server Hostname – This is the computer name of the primary Active Directory server. This is just the computer name and not the fully qualified domain name.

AD Domain – The full Active Directory domain name without the computer name or hostname included at the start.

Press SET OPTIONS to enable the use of Active Directory (Kerberos) authentication.

VERIFY THAT ACTIVE DIRECTORY (KERBEROS) AUTHENTICATION IS WORKING

You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user account from the Active Directory (the “test user”) and open a Web browser that is configured to use CensorNet as a proxy server (see section Web Browser Configuration).

Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser should prompt the test user to login – see below – and after you enter a valid username and password access to the Web page should be granted.

If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user by going to REPORTS -> WHO’S BROWSING within the CensorNet web control panel. This will list the currently active Internet users – and the test user should appear here – as shown in the example below.

Click on the test user, in this case “FOO” to drill-down into the recent web site visits. Here you should see the test sites that you accessed using the web browser, e.g. www.google.co.uk.

COMMON PROBLEMS

After entering the username and password three times you receive a LOGIN FAILED message:

- The most common cause of this problem (especially when using a Virtual Appliance) is that the clock on the CensorNet server is not in synch with the clock on the Active Directory server. The two clocks must be within 5 minutes of each other, otherwise the Kerberos handshake will fail. The time zone should also match on both servers. For information on how to set the clock correctly please see:

http://www.censornet.com/en/kb/clock_drift_and_ntp

- The user account on the Active Directory server has been set to “Change password on next logon”. This will cause CensorNet to fail the authentication until the password has been reset.

- The username or password provided is actually incorrect.

WINDOWS NT OR SAMBA SERVER

CensorNet supports authentication with Windows NT or Samba servers using the SMB protocol. This should be used in legacy environments where Active Directory is not yet available or Samba does not support NTLM (some Linux and Apple networks).

CONFIGURING WINDOWS NT OR SAMBA SERVER AUTHENTICATION

To configure Windows NT or Samba Authentication, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Windows NT or Samba Server radio button.

You will need the following information:

PDC Address – This is the IP address of the Primary Domain Controller.

BDC Address – This is the IP address of the Backup Domain Controller (optional).

Domain Name – This is the Windows Domain on your network.

Click SET OPTIONS to enable Windows NT or Samba authentication.


VERIFY THAT WINDOWS NT OR SAMBA SERVER AUTHENTICATION IS WORKING

You should now verify that CensorNet is correctly authenticating users. Log into the domain with a user account from the domain (the “test user”) and open a Web browser that is configured to use CensorNet as a proxy server (see section Web Browser Configuration).

Try visiting a web site (e.g. www.google.co.uk) to verify that the test user can access the Internet. The browser should prompt the test user to login – see below – and after you enter a valid username and password access to the Web page should be granted.

If the web site loads as expected, you should now verify that CensorNet has correctly identified the test user by going to REPORTS -> WHO’S BROWSING within the CensorNet web control panel. This will list the currently active Internet users – and the test user should appear here – as shown in the example below.

Click on the test user, in this case “FOO” to drill-down into the recent web site visits. Here you should see the test sites that you accessed using the web browser, e.g. www.google.co.uk.


NETWARE NDS (E-DIRECTORY)

CensorNet supports NDS authentication against a Novell Netware directory server, such as Netware 6.5.

To configure Netware NDS authentication, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Netware NDS (e-Directory) radio button.

You will need the following information:

Server IP address – the IP address of the main Netware server used to authenticate users on your network.

Click SET OPTIONS to enable Netware NDS authentication.

LDAP SERVER AUTHENTICATION

The LDAP Server Authentication method enables the use of a vanilla (non-Active Directory) LDAP server, such as Open LDAP, as a source for user authentication.

To configure LDAP Server Authentication, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the LDAP Server Authentication radio button.

You will need the following information:

Server IP address - The address of the server running the LDAP service.

Server Port number - The port that the LDAP server is listening on. The default is port 389.

Base DN - This is the “root” of the directory tree. For example “dc=ldap, dc=example, dc=com”. You should enter the correct values for your LDAP server. Queries from the CensorNet server to your LDAP server will start from here.

Bind DN - This is an entity authorised to query the LDAP tree. All queries from CensorNet to the LDAP server will use this entity. NOTE: Ensure the Bind DN entity has suitable rights on the LDAP server.

Bind DN Password - The password associated with the Bind DN entity.

Login Attribute - This attribute within the LDAP tree specifies the username. Most Unix installations use the uid attribute, though it is possible to configure an alternate one. Consequently, CensorNet permits a choice of which attribute is to be used to define the users. NOTE: This attribute must be correct in order for CensorNet to retrieve users from the tree.

Object Class Filter - In most installations, this field can safely be left blank. It is provided for those users who have a more complex LDAP configuration.

INTERNAL AUTHENTICATION

Internal Authentication allows CensorNet to store a list of usernames and passwords to authenticate users when they attempt to browse the web. This is useful for environments where there is no central domain controller or other suitable user authentication source.

When in Internal Authentication mode, CensorNet also provides a portal for users themselves to manage their own passwords.

To configure Internal Authentication, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and select the Internal Authentication radio button.

Click SET OPTIONS to enable Internal Authentication.

With Internal Authentication enabled, users will be prompted to login when they open a web browser, as shown in the following screenshot.

MANAGING USER ACCOUNTS

You must create user accounts on the CensorNet server for each of the users that require access to the Internet.

To create a new user account, go to OBJECTS -> USERS -> NEW USER.

You will be prompted for the following information:


Username – this is a unique username for the account.

Group – this is the group that the new user account will belong to. If there are no groups defined, you will be asked to create one.

Password – this is the password for the new account.

Confirm Password – re-enter the password for the new account to confirm it.

Click ADD USER to create the new user account. You should then test that you can access the Web by entering the new username and password when prompted.

To change the password or delete the user, go to OBJECTS -> USERS -> MANAGE USERS and find the username in the list of accounts, e.g.

To delete the account, click the tick box and click COMMIT CHANGES.

To move the account, select the new group from the groups drop down list and then click COMMIT CHANGES.

To change the password, click the CHANGE PASSWORD button and enter a new password.

MANAGING USER PASSWORDS

CensorNet includes a self-service password management page, which makes managing passwords easier. To access the password page, point a web browser at:

HTTP://X.X.X.X/CENSORNET/PASSWORD.PHP

Where X.X.X.X is the IP address or hostname of the CensorNet server.

The password page will be displayed:

This page can be used by a user to reset their own password without needing to contact the network administrator. Note that only users who already have an account and know their current password can use this page.

NO USER AUTHENTICATION

It is possible to configure CensorNet without any user authentication or identification at all. In this mode, filtering policies will be applied based on the computer information. The reports will not contain any user details.

To enable this mode, go to SYSTEM -> CONFIGURATION -> USER AUTHENTICATION and click the “No User Authentication” radio button and then click SET OPTIONS.

GLOBAL USER AUTHENTICATION SETTINGS

CensorNet has two global authentication settings which are enabled by default:


Multiple Login Detection – selecting this option prevents the same username from being used to browse the Internet from more than one computer at once. There is a 5 minute timeout, so after finishing a browsing session on one computer users must wait 5 minutes before browsing from another computer.

Anonymous Browsing on Inline Intercepted Connections – applies to Inline mode only. Selecting this option allows anonymous browsing which effectively disables all the authentication options except for the CensorNet Active Directory Agent. For further information please refer to this Knowledge Base article:

http://www.censornet.com/en/kb/anonymous_browsing_on_in_line_intercepted_connections

ACTIVE DIRECTORY INTEGRATION

CensorNet is compatible with Active Directory running on:

- Windows 2000 Server

- Windows 2003, 2003r2 Server

- Windows 2008, 2008r2 (64-bit) Server

It is possible to synchronise or replicate your Active Directory structure with CensorNet.

Synchronise (Windows Server 2003 and above) – this requires the CensorNet Synchronisation Service to be installed on your domain controller and the structure of your Active Directory will be automatically imported and then kept synchronised on CensorNet. If you create, delete or move user accounts on your Active Directory, CensorNet will automatically update with the changes.

Replicate – this does not require any software installing on the domain controller. Replication is a manual process of importing the Active Directory structure into CensorNet. Each time a change is made to the Active Directory, you should replicate the structure within CensorNet again.

SYNCHRONISING WITH ACTIVE DIRECTORY

The CensorNet Synchronisation Service is a system service that runs on Windows Server 2003 and above. The purpose of the service is to synchronise the Active Directory structure with the CensorNet server, specified during installation. With the service running, you do not need to manually update CensorNet with changes to the Active Directory (users, groups, etc).

The service can synchronise based on Organisational Unit (OU) or Primary Group.

INSTALLING THE CENSORNET SYNCHRONISATION SERVICE

Please visit http://www.censornet.com/adsync/ for download and installation instructions.

CONFIGURING THE CENSORNET SYNCHRONISATION SERVICE

After installing the CensorNet Synchronisation Service on your domain controller you will need to configure a shared secret key on the CensorNet server.

To do this, go to OBJECTS -> SYNCHRONISE -> WITH ACTIVE DIRECTORY and enter a secret key as shown below. The secret keys must match exactly on both the Synchronisation Service and the CensorNet server for the synchronisation to work.

Press SET OPTIONS to enable the use of the CensorNet Synchronisation Service.

On the domain controller, go to START -> ALL PROGRAMS -> CENSORNET SYNCHRONISATION MONITOR to configure the service.

Enter the IP address of the CensorNet server, the shared secret key (exactly as you set it on the CensorNet server), select the domain to synchronise and the method to group users by. Then press START SERVICE.

If the service fails to start, check the IP address and shared secret are correct and try again.

VERIFY THAT THE CENSORNET SYNCHRONISATION SERVICE IS WORKING

After a few seconds, the service will synchronise CensorNet with Active Directory. Please check the user manager under OBJECTS -> USERS -> MANAGE GROUPS to verify that the Active Directory structure has been synchronised. Any changes that are made to the Active Directory server will be visible within CensorNet a few seconds later.

You are now ready to apply filtering policies to the group or make changes to the group name and/or its members if required.

REPLICATING THE ACTIVE DIRECTORY STRUCTURE

It is possible to replicate your Active Directory structure within CensorNet. This makes it easy to apply policies to your existing groups. If you change the structure, move users between groups or add new users to groups, you should replicate the structure into CensorNet again. For automatic synchronisation please see Synchronising with Active Directory.

You should configure an appropriate User Authentication method before attempting to import user and group information from Active Directory.

You can replicate your Active Directory structure based on OU or Primary Group. Most Active Directories use OU containers so this is the most common method.

REPLICATING BY ORGANISATIONAL UNIT (OU)

Go to OBJECTS -> IMPORT -> USERS FROM ACTIVE DIRECTORY BY OU.

You will be prompted to enter the following details:

Server Address – this is the IP address of the primary Active Directory server on your network.

Active Directory Domain – this is the full Active Directory domain for the network excluding the hostname or server name of the Active Directory.

Admin Username – this is a username that has administrator rights on the Active Directory server.

Admin Password – this is the password for the username specified in Admin Username.

Press SYNCHRONISE USER LIST to start the replication.

If the credentials have been entered correctly, CensorNet will display a list of OU groups and users within those groups. Review the list and ensure they are correct and then press CREATE/MOVE USERS AS ABOVE. If the list is empty, try using the Import by Primary Group method instead.

You will be prompted to confirm this action, which will create new groups and users as per the structure shown above.

The replication may take several seconds depending on the size and complexity of your Active Directory server. You will receive a confirmation message, like the one below, once the replication has completed.

Click CONTINUE to view the newly imported groups and users.

You are now ready to apply filtering policies to the group or make changes to the group name and/or its members if required.

REPLICATING BY PRIMARY GROUP

Go to OBJECTS -> IMPORT -> USERS FROM ACTIVE DIRECTORY BY PRIMARY GROUP.

You will be prompted to enter the following details:

Server Address – this is the IP address of the primary Active Directory server on your network.

Active Directory Domain – this is the full Active Directory domain for the network excluding the hostname or server name of the Active Directory.

Admin Username – this is a username that has administrator rights on the Active Directory server.

Admin Password – this is the password for the username specified in Admin Username.

Press SYNCHRONISE USER LIST to start the replication.

If the credentials have been entered correctly, CensorNet will display a list of Primary Groups and users within those groups. Review the list and ensure they are correct and then press CREATE/MOVE USERS AS ABOVE. If the list is empty, try using the Import by OU method instead.

You will be prompted to confirm this action, which will create new groups and users as per the structure shown above.

The replication may take several seconds depending on the size and complexity of your Active Directory server. You will receive a confirmation message, like the one below, once the replication has completed.

Click CONTINUE to view the newly imported groups and users.

You are now ready to apply filtering policies to the group or make changes to the group name and/or its members if required.

COMPUTER IDENTIFICATION

CensorNet is capable of logging and filtering based on the computer credentials as well as the user credentials.

A computer can be identified in a number of ways and it is worthwhile deciding on the best method to use up front, as changing the mode later will require you to import the computers again. CensorNet can identify computers in three ways:

Method                  When to use
MAC Address (default)   On a LAN when using DHCP
IP Address              On a WAN or with multiple subnets
Hostname                On a LAN/WAN with DNS to resolve computers to hostname

The COMPUTER IDENTIFICATION methods are described in detail in this section.

CONFIGURING THE COMPUTER IDENTIFICATION METHOD

To set the Computer Identification method, go to SYSTEM -> CONFIGURATION -> COMPUTER IDENTIFICATION.

Press SET OPTIONS to enable the specified Identification Method.

NOTE: CHANGING THE COMPUTER IDENTIFICATION MODE WILL REMOVE ANY EXISTING COMPUTER OBJECTS FROM CENSORNET

MAC ADDRESS METHOD

By default, CensorNet is configured to identify computers by their MAC address.

In order for computer details to appear in the reports and to apply filtering rules specifically to computers, you must tell CensorNet about the computers on your network.

There are two ways you can do this. The first is an automatic PROBE LAN which will scan the entire subnet and attempt to auto-detect any computers that are connected to the network and add their MAC address and hostname. The second way is to import the computer information from a compatible file, such as CSV.

IMPORT COMPUTERS AUTOMATICALLY

You must have at least one computer group defined. To create a new group, go to OBJECTS -> COMPUTERS -> NEW GROUP.

Group Name – this should be a plain text name for the group, e.g. Computers.

Require User Authentication – Select “Yes” to force authentication when accessing the Internet from computers in this group (if you have enabled User Authentication, see section User Authentication).

Select “No” if you do not require authentication for this group of computers, for example, if it is a suite of guest computers or public access computers.

Click ADD GROUP to create the new computer group.

To probe the network for computer information, go to OBJECTS -> IMPORT -> COMPUTERS FROM LAN.

Scan on interface – select the network Interface to use for scanning the network. If your CensorNet server has more than one NIC then you can select which one to use for the probe.

Import into group – select the group to import computer information into. All automatically discovered computers will appear in this group. Later, you can move the computers into different groups if you require different filtering rules for different groups of machines.

Click RUN PROBE to start the automatic detection. The progress bar will be shown on the screen:

NOTE: IF YOUR SUBNET IS PARTICULARLY LARGE, THE PROBE MAY TAKE A WHILE TO RUN AND MAY CAUSE AN UNEXPECTED PEAK IN NETWORK TRAFFIC.

After the probe has completed you will be able to view the computers that have been detected.

Go to the OBJECTS -> COMPUTERS -> MANAGE COMPUTER page to make changes to the hostnames, MAC address information and group membership for the imported computers.

IMPORT COMPUTERS FROM CSV

CensorNet supports a number of CSV formats for importing computer information.

HOSTNAME,MAC ADDRESS – this is a simple CSV format containing the hostname and MAC address separated by a comma, one per line, without any header. E.g.

samurai,00:0C:29:7F:5F:6F
sword,00:02:E3:0A:8F:72

ANGRYIP – AngryIP is a free network scanner that can probe the network for connected devices and export the contents to CSV. This CSV file can be imported directly into CensorNet.

CSVDE – CSVDE is a tool provided by Microsoft to export user and computer information from Active Directory. The exported file can be imported directly into CensorNet.
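Before importing a HOSTNAME,MAC ADDRESS file it is worth checking it, since under the MAC Address method each computer object is keyed on its MAC and a duplicate or malformed entry either collides with another computer or is silently lost. The following validator is an added example, not CensorNet's own code; the hostname rule (NetBIOS-style, up to 15 characters) and the accepted MAC spellings are assumptions, and the sample rows beyond the two shown above are constructed.

```python
"""Validate a HOSTNAME,MAC ADDRESS CSV file before importing it into CensorNet.

Added example, not CensorNet's own code. It checks the header-less, two-column
format described above (one "hostname,mac" pair per line), normalises the MAC
to the colon-separated form the guide shows, and reports duplicate or
malformed rows before the file is imported.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

# Hostname rule is an assumption: NetBIOS-style names, 1-15 characters,
# letters, digits and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,14}$")
# Accept the common MAC spellings: 00:0C:29:7F:5F:6F, 00-0C-29-7F-5F-6F,
# 000C.297F.5F6F and 000C297F5F6F.
MAC_RE = re.compile(
    r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$"
    r"|^(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$"
    r"|^[0-9A-Fa-f]{12}$"
)


def normalise_mac(raw: str) -> str:
    """Return the MAC in the colon-separated, upper-case form the guide shows."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_hostname_mac_csv(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Parse CSV text and return (valid_rows, errors).

    valid_rows holds (hostname, normalised_mac) tuples in file order; errors are
    human-readable strings prefixed with the 1-based line number of the bad row.
    """
    valid: List[Tuple[str, str]] = []
    errors: List[str] = []
    seen_macs: Dict[str, str] = {}   # normalised MAC -> hostname that first used it
    seen_hosts: Dict[str, str] = {}  # lower-case hostname -> normalised MAC
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 2:
            errors.append(f"line {lineno}: expected 2 columns, got {len(row)}")
            continue
        host, mac = row[0].strip(), row[1].strip()
        if host.upper() == "HOSTNAME" and mac.upper().replace(" ", "") == "MACADDRESS":
            errors.append(f"line {lineno}: header row found; this format has no header")
            continue
        if not HOSTNAME_RE.match(host):
            errors.append(f"line {lineno}: invalid hostname {host!r}")
            continue
        if not MAC_RE.match(mac):
            errors.append(f"line {lineno}: invalid MAC address {mac!r}")
            continue
        norm = normalise_mac(mac)
        if norm in ("FF:FF:FF:FF:FF:FF", "00:00:00:00:00:00"):
            errors.append(f"line {lineno}: MAC {norm} is not a usable host address")
            continue
        if norm in seen_macs:
            errors.append(f"line {lineno}: duplicate MAC {norm} (already used by {seen_macs[norm]!r})")
            continue
        if host.lower() in seen_hosts:
            errors.append(f"line {lineno}: duplicate hostname {host!r}")
            continue
        seen_macs[norm] = host
        seen_hosts[host.lower()] = norm
        valid.append((host, norm))
    return valid, errors


def to_import_csv(rows: List[Tuple[str, str]]) -> str:
    """Write validated rows back out in the exact format CensorNet expects."""
    return "".join(f"{host},{mac}\n" for host, mac in rows)


# Constructed sample input: the two rows from the guide plus deliberately bad rows.
SAMPLE_CSV = """samurai,00:0C:29:7F:5F:6F
sword,00:02:E3:0A:8F:72
katana,00-02-e3-0a-8f-72
bad host,00:11:22:33:44:55
shield,00:11:22:33:44
HOSTNAME,MAC ADDRESS
"""

if __name__ == "__main__":
    rows, errors = validate_hostname_mac_csv(SAMPLE_CSV)
    for err in errors:
        print("ERROR", err)
    print(to_import_csv(rows), end="")
```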

COMMON PROBLEMS

The Probe LAN option does not detect all of the computers on the network – this can happen for a number of reasons:

o Ensure that all the computers are powered on and connected to the network and re-run the probe.

o If the computers do not respond to NetBIOS requests then the Probe cannot detect them. You will need to enter the hostname and MAC address manually or import them from CSV (see Import Computers from CSV).

o If the computers have a secure firewall running this may block the NetBIOS requests.

The Probe LAN takes too long – If your subnet is larger than 255.255.252.0 then we recommend that you import computer information via CSV.

IP ADDRESS METHOD

IP address mode can be used if you have a network topology consisting of multiple routers, VLANs, VPNs or you identify computers based on static IP addresses rather than DHCP.

In order for computer information to appear in the reports you must import all or part of the subnet into CensorNet.

IMPORT COMPUTERS AUTOMATICALLY

To automatically import computer information, go to OBJECTS -> IMPORT -> COMPUTERS FROM LAN.

You can import by IP address range or by subnet. This allows you to import different ranges into different groups if required. Optionally, CensorNet can attempt to resolve the IP address to a hostname using NetBIOS. If this is selected, the import will take slightly longer.

PLEASE NOTE: IF YOU TICK TO USE NETBIOS AND THE IP ADDRESS CANNOT BE RESOLVED IT WILL NOT BE ADDED TO CENSORNET.

Go to the OBJECTS -> COMPUTERS -> MANAGE COMPUTER page to make changes to the hostnames, IP address information and group membership for the imported computers.

HOSTNAME METHOD

The Hostname method should be used on networks with single or multiple subnets where the internal DNS servers are configured to return a hostname for each IP address on the network. If the IP address does not resolve to a hostname, CensorNet will deny access to the Internet from this computer as a security measure.

In order for computer information to appear in the reports you must import all or part of the subnet into CensorNet.

IMPORT COMPUTERS AUTOMATICALLY

To automatically import computer information, go to OBJECTS -> IMPORT -> COMPUTERS FROM LAN.

You can import by IP address range or by subnet. This allows you to import different ranges into different groups if required. CensorNet will attempt to resolve all IP addresses to a hostname.

NOTE: IF CENSORNET CANNOT RESOLVE THE IP ADDRESS TO A HOSTNAME IT WILL NOT IMPORT IT AND THE COMPUTER MAY BE DENIED ACCESS TO THE INTERNET UNTIL THERE IS A VALID PTR RECORD, OR YOU MANUALLY ADD THE INFORMATION TO CENSORNET
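Because a missing PTR record means the computer is skipped by the import and then denied Internet access, it pays to audit the reverse zone before switching to the Hostname method. The script below is an added example, not CensorNet's own code: it walks a CIDR range, lists addresses without a PTR record and flags hostnames shared by more than one address. The reverse lookup is injectable so it can run offline against the constructed table shown; the default uses the system resolver.

```python
"""Audit a subnet for missing PTR records before choosing the Hostname method.

Added example, not CensorNet's own code. Under the Hostname identification
method an address with no PTR record is not imported and the computer may be
denied Internet access, so this walks every host address in a range and
reports the ones that do not reverse-resolve, plus any hostname that two
addresses share (two computers would then be indistinguishable by name).
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

Lookup = Callable[[str], Optional[str]]


def system_ptr_lookup(ip: str) -> Optional[str]:
    """Return the PTR hostname for ip via the system resolver, or None on failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror both derive from OSError
        return None


def audit_ptr_records(network: str, lookup: Lookup = system_ptr_lookup) -> Dict[str, object]:
    """Reverse-resolve every host address in `network` (CIDR notation).

    Returns a dict with:
      "resolved":   {ip: hostname} for addresses that have a PTR record
      "unresolved": [ip, ...] addresses with no PTR record (skipped by the
                    import and denied access until the zone is fixed)
      "duplicates": {hostname: [ip, ...]} names returned by more than one IP
    """
    net = ipaddress.ip_network(network, strict=False)
    resolved: Dict[str, str] = {}
    unresolved: List[str] = []
    by_name: Dict[str, List[str]] = {}
    for addr in net.hosts():  # network and broadcast addresses are excluded
        ip = str(addr)
        name = lookup(ip)
        if name is None:
            unresolved.append(ip)
            continue
        name = name.rstrip(".").lower()  # normalise trailing dot and case
        resolved[ip] = name
        by_name.setdefault(name, []).append(ip)
    duplicates = {n: ips for n, ips in by_name.items() if len(ips) > 1}
    return {"resolved": resolved, "unresolved": unresolved, "duplicates": duplicates}


def format_report(result: Dict[str, object]) -> str:
    """Render the audit result as plain text, one finding per line."""
    lines = [f"{len(result['resolved'])} resolved, {len(result['unresolved'])} unresolved"]
    for ip in result["unresolved"]:
        lines.append(f"MISSING PTR  {ip}")
    for name, ips in result["duplicates"].items():
        lines.append(f"DUPLICATE    {name} -> {', '.join(ips)}")
    return "\n".join(lines)


# Constructed reverse-DNS table standing in for the site's internal DNS servers.
FAKE_PTR_TABLE = {
    "192.0.2.1": "gw.example.local.",
    "192.0.2.2": "PC-01.example.local",
    "192.0.2.4": "pc-01.example.local",  # same name as .2: a stale record
    "192.0.2.5": "pc-05.example.local",
}


def fake_ptr_lookup(ip: str) -> Optional[str]:
    """Offline stand-in for system_ptr_lookup using the constructed table."""
    return FAKE_PTR_TABLE.get(ip)


if __name__ == "__main__":
    # Replace fake_ptr_lookup with system_ptr_lookup to audit a real subnet.
    print(format_report(audit_ptr_records("192.0.2.0/29", fake_ptr_lookup)))
```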

SSL INTERCEPT MODE

CensorNet has the ability to intercept, decrypt and filter secure SSL web sites. This option is off by default when CensorNet is configured in SIDEWAYS mode and on by default when CensorNet is configured in INLINE mode.

SSL sites can harbour web based threats such as anonymous proxy servers and malware. They are also used legitimately to transfer confidential and secure information. You should decide whether you wish to allow SSL completely with no filtering (bypass), block it completely, or allow CensorNet to intercept and filter it regardless of the type of content on the site.

ENABLING SSL INTERCEPT MODE

To enable SSL Intercept mode, go to SYSTEM -> CONFIGURATION -> SSL INTERCEPT MODE. Select “Enabled” and press SET OPTIONS.

INSTALLING WEB BROWSER SSL CERTIFICATE

The act of SSL interception replaces the requested Web server certificate with a certificate signed by the CensorNet server. This causes a browser warning to appear when viewing SSL web sites. It is necessary for you to install the CensorNet root certificate authority (CA) into each of the browsers on your network to avoid the browser warning from appearing. This can be achieved in one of two ways:

- Using an Active Directory group policy update to install the certificate (see Knowledge Base article)

- Manual installation

Please refer to the guide “SSL Certificate Installation” for detailed information and installation instructions.

http://www.censornet.com/pdf/SSL-Certificate-Installation.pdf

BYPASSING SSL INTERCEPT MODE

If you do not want to filter any SSL web sites you can configure CensorNet to completely ignore any SSL enabled web requests (e.g. https://). This is a global setting and will apply to all users and computers. It is also possible to allow or deny SSL sites on a per policy basis, please see the section on Policies.


COMPLETELY BYPASS SSL WEB SITES

First of all, you should disable the SSL Intercept Mode. Go to SYSTEM -> CONFIGURATION -> SSL INTERCEPT MODE, select “Disabled” and press SET OPTIONS.

Next, you need to create a Bypass rule to ignore SSL sites. Go to FILTERS -> FILTER BYPASS MODULE -> BYPASS CATEGORIES.

WARNING: This will allow all HTTPS/SSL enabled web sites regardless of their content which may be legitimate or harmful.

Create a new category called “SSL Bypass” and click ADD.

Click on the category name from the EXISTING CATEGORIES list.

Add the pattern: “:443” to the new category (without the quotes) and press ADD URL, as shown below:

DISABLING SSL INTERCEPT MODE

Disabling SSL mode will prevent CensorNet from intercepting and filtering SSL enabled web sites. As a result, by default, CensorNet will block all SSL web sites unless you specifically allow access to them in a filtering policy.

To disable SSL Intercept, go to SYSTEM -> CONFIGURATION -> SSL INTERCEPT MODE, select “Disabled” and press SET OPTIONS.

NOTE: If you disable SSL Intercept Mode, SSL web sites will be blocked by default unless you bypass filtering for SSL or add explicit URLs to allow in the Custom URL module.

FILTERING POLICIES

CensorNet provides a powerful and granular way of filtering Web content in the form of policies. Policies are sets of rules which instruct the filtering modules to act in a certain way (ALLOW / IGNORE / BLOCK) and these policies can be applied to user groups or computer groups. The filtering modules are plug-in components that provide a specific type of filtering, e.g. URL matching, image filtering, real time classification, streaming content, etc. By building a policy, you can control what can be accessed online, by whom and at what time.

Policies can operate in one of five modes. The modes decide the base functionality of the policy and, depending on the mode, can be further customised by the administrator.

The five filtering modes are:

OPEN – An open mode policy provides unfiltered, but logged, access to the Web.

CLOSED – The closed mode policy prevents access to the Web.

RESTRICTED – The restricted mode policy creates a “walled garden” and only allows access to a specified list of Web sites or web site categories.

FILTERED – The filtered mode policy allows you to specify granular filtering rules for each of the filter modules.

ADVISORY – This is the same as the filtered mode but any web site that is blocked can be overridden by the user. This is a “coaching” mode.

A policy can be applied to more than one group of users or computers, but only one policy can be active at any one time for any particular group. Combinations of policies can be scheduled to activate and deactivate at certain times during the week for a specified group.

DEFAULT POLICY

At least one policy must exist on the CensorNet server. CensorNet comes pre-configured with a default policy.

This policy operates in the filtered mode and contains common rules, which you should use as a basis to customise to meet your exact requirements as an organisation. The default policy is meant to be an example from which you can build rules to match your requirements.

The default policy is applied to any user or computer that does not already have a policy assigned to their group or to an unknown user or computer trying to use CensorNet. It is a useful “catch all” policy that will provide the minimum level of filtering on the network.

THE DEFAULT POLICY EXPLAINED

The default policy is a good starting point to familiarise yourself with how filtering policies work within CensorNet. Go to POLICIES -> MANAGE POLICIES and click on the “Default Policy” entry.

After a few moments, the rules will load and you will be able to make changes to the policy if you require.

Under the “Policy Details” section there are several important configuration options for the policy, as described below.
