Web Security Firewall Setup Guide
Documentation version: 1.0
Legal Notice
Copyright © 2013 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
Symantec Corporation 350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Clients are advised to seek specialist advice to ensure that they use the Symantec services in accordance with relevant legislation and regulations. Depending on jurisdiction, this may include (but is not limited to) data protection law, privacy law, telecommunications regulations, and employment law. In many jurisdictions, it is a requirement that users of the service are informed of or required to give consent to their email being monitored or intercepted for the purpose of receiving the security services that are offered by Symantec. Due to local legislation, some features that are described in this documentation are not available in some countries.
Configuration of the Services remains your responsibility and entirely in your control. In certain countries it may be necessary to obtain the consent of individual personnel. Symantec advises you to always check local legislation prior to deploying a Symantec service. You should understand your company’s requirements around electronic messaging policy and any regulatory obligations applicable to your industry and jurisdiction. Symantec can accept no liability for any civil or criminal liability that may be incurred by you as a result of the operation of the Service or the implementation of any advice that is provided hereto. The documentation is provided "as is" and all express or implied conditions, representations, and warranties, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement, are disclaimed, except to the extent that such disclaimers are held to be legally invalid. Symantec Corporation shall not be liable for incidental or consequential damages in connection with the furnishing, performance, or use of this documentation. The information that is contained in this documentation is subject to change without notice.
Technical support
If you need help on an aspect of the security services that is not covered by the online Help or administrator guides, contact your IT administrator or Support team. To find your Support team's contact details in the portal, click Support >
Contents
Technical support ... 3
Chapter 1 Introduction to firewall configuration ... 7
    Firewall rules for web browsing ... 7
    Firewall access for the CSP ... 8
    Other guidance on Web Security ... 9
    Support on firewalls ... 9
Chapter 2 Cisco firewall ... 11
    Cisco: DNS configuration ... 11
    Cisco: setting up the HTTP proxy ... 11
Chapter 3 Juniper firewall ... 13
    Juniper: configuring a custom service ... 13
    Juniper: configuring policies ... 13
Chapter 4 ISA Server ... 15
    Configuring a custom service for Microsoft ISA Server ... 15
    Configuring rules for Microsoft ISA server ... 16
Chapter 5 SonicWall ... 19
    Creating a custom service for SonicWall ... 19
    Configuring rules for SonicWall ... 19
Introduction to firewall configuration
This chapter includes the following topics:
■ Firewall rules for web browsing
■ Firewall access for the CSP
■ Other guidance on Web Security
■ Support on firewalls
Firewall rules for web browsing
If you set up Web Security to route through us using the Client Site Proxy, or directly on port 3128, the rules in the following table are required for web browsing. In the table, the proxy address is shown as [Proxy Address] and the Port is shown as [Port]. Replace these entries with the proxy details included in your provisioning documentation.
Note: If you connect to Web Security using Smart Connect, you may work in an OFFLAN status. This type of connection requires communication with our NED and Web proxies on port 443 and port 80. To prevent your users from bypassing our service and routing directly, we recommend one of the following methods: either lock down outbound traffic on port 80 and port 443 to our IP ranges, or lock down your Group Policy to only use Smart Connect.
Table 1-1 Firewall rules required for web browsing

Source     | Destination     | Service                                               | Action | Notes
Client PCs | [Proxy Address] | [Port]                                                | Allow  | All web traffic is directed to one address on the Internet: that of Web Security.
Client PCs | Internet        | Web browsing (port 80)                                | Block  | If port 80 traffic is permitted, a user can possibly bypass the protection and control that Web Security provides.
Client PCs | Internet        | Secure web browsing (port 443); FTP (ports 20 and 21) | Block  | This assumes that client PCs are set up to use the same proxy server as normal web browsing for these services, so the well-known ports for these services can be blocked.
Client PCs | Internet        | DNS                                                   | Allow  | DNS requests are resolved in the normal way.
Firewall access for the CSP
The standalone Client Site Proxy (CSP) is simple to install and configure. Note the following:
■ The CSP should be secured behind a firewall.
■ The CSP needs to be a member of the domain against which the users will be authenticated.
■ All workstations that want to use the CSP must be able to access the server.
The CSP server needs to have the following access to the Internet. These ports may need to be allowed on your firewall. In the table, the proxy address is shown as [Proxy Address] and the Port is shown as [Port]. Replace these entries with the proxy details included in your provisioning documentation.

Service                      | Port        | Access
DNS (Domain Name System)     | 53/TCP, UDP | Allow to all external addresses.
HTTP used by [Proxy Address] | [Port]/TCP  | Only allow Web Security IP ranges. See your provisioning documentation for this information.
The CSP server must also be able to resolve names on the Internet. Ensure that the DNS settings are correct; these can be obtained from your Internet service provider.
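The two tables above describe a first-match policy: one narrow allow for the proxy, blanket blocks for the well-known web and FTP ports, and DNS left open. The following is an added example, not part of the Symantec guide, that models both Table 1-1 (client PCs) and the CSP server access table in Python and evaluates sample flows against them. The proxy address 203.0.113.10, port 3128, the Web Security range 203.0.113.0/24, the client range 10.0.0.0/8, the CSP address 10.0.0.5 and a default-deny fallback are all constructed assumptions; substitute the [Proxy Address], [Port] and IP ranges from your provisioning documentation.

```python
"""Added example, not part of the Symantec guide: a first-match policy model of
Table 1-1 (client PCs) and the CSP server access table, used to check sample
flows. Addresses and ranges are constructed placeholders; replace them with the
[Proxy Address], [Port] and Web Security IP ranges from your provisioning
documentation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

PROXY_ADDRESS = "203.0.113.10"                         # placeholder [Proxy Address]
PROXY_PORT = 3128                                      # placeholder [Port]
WEB_SECURITY_RANGES = (ip_network("203.0.113.0/24"),)  # placeholder IP ranges
CLIENT_PCS = ip_network("10.0.0.0/8")                  # assumed internal client range
CSP_SERVER = ip_network("10.0.0.5/32")                 # assumed CSP server address
ANY = None                                             # wildcard source/destination
TCP, TCP_UDP = frozenset({"tcp"}), frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "block"
    src: Optional[object]                  # ip_network or ANY
    dst: Optional[Sequence[object]]        # networks, or ANY (the "Internet" column)
    protos: frozenset
    dports: frozenset

    def matches(self, flow: Flow) -> bool:
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        if self.src is not ANY and src not in self.src:
            return False
        if self.dst is not ANY and not any(dst in net for net in self.dst):
            return False
        return flow.proto in self.protos and flow.dport in self.dports


def evaluate(rules: Sequence[Rule], flow: Flow):
    """First matching rule wins; unmatched flows are blocked (assumed default deny)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "block", "default"


# Table 1-1, in order. The proxy allow comes first and opens only the proxy port,
# so a direct port-80 connection, even to the proxy address, still hits the block.
CLIENT_RULES = (
    Rule("allow proxy", "allow", CLIENT_PCS, (ip_network(PROXY_ADDRESS + "/32"),), TCP, frozenset({PROXY_PORT})),
    Rule("block web browsing", "block", CLIENT_PCS, ANY, TCP, frozenset({80})),
    Rule("block secure web and FTP", "block", CLIENT_PCS, ANY, TCP, frozenset({443, 20, 21})),
    Rule("allow DNS", "allow", CLIENT_PCS, ANY, TCP_UDP, frozenset({53})),
)

# CSP server access table: DNS to any address, HTTP on the proxy port only to Web Security ranges.
CSP_RULES = (
    Rule("CSP DNS", "allow", CSP_SERVER, ANY, TCP_UDP, frozenset({53})),
    Rule("CSP to Web Security", "allow", CSP_SERVER, WEB_SECURITY_RANGES, TCP, frozenset({PROXY_PORT})),
)


def audit(rules: Sequence[Rule], flows: Sequence[Flow]) -> dict:
    """Map each flow to the action it receives, so a rule-order mistake shows up at once."""
    return {f"{f.src}->{f.dst} {f.proto}/{f.dport}": evaluate(rules, f)[0] for f in flows}


if __name__ == "__main__":
    sample = [  # constructed sample flows from a client PC
        Flow("10.1.2.3", PROXY_ADDRESS, "tcp", PROXY_PORT),
        Flow("10.1.2.3", "198.51.100.7", "tcp", 80),
        Flow("10.1.2.3", "198.51.100.7", "udp", 53),
        Flow("10.1.2.3", PROXY_ADDRESS, "tcp", 80),
    ]
    for desc, action in audit(CLIENT_RULES, sample).items():
        print(f"{desc:40s} {action}")
```

The order of CLIENT_RULES matters: if the port-80 block were evaluated before the proxy allow, nothing would break for a proxy on port 3128, but on a deployment that uses port 80 as [Port] the proxy itself would be blocked. Keeping the narrow allow first mirrors the table and makes that case safe.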
Other guidance on Web Security
These help topics provide further guidance on the Web Security Services.

Table 1-2 Help on Web Security
Help page:
■ Web Security Configuration
■ Smart Connect Deployment
■ Web Firewall Configuration
■ Web Security Deployment
Support on firewalls
We provide help for you to configure the following firewalls.
■ Cisco
■ Juniper
■ Microsoft ISA Server
■ SonicWall
The Support team cannot assist in configuring these firewall devices. For support on these systems, contact your usual third-party vendor.
Cisco firewall
This chapter includes the following topics:
■ Cisco: DNS configuration
■ Cisco: setting up the HTTP proxy
Cisco: DNS configuration
You need to configure the Domain Name System on the Cisco Wide Area Application Engine/Content Engine for use with Web Security.
To configure DNS
1 Log on to the Content Engine in the usual way. The Content Engine must be able to resolve Internet names.
2 Select System > DNS.
3 Enter the addresses of your DNS servers and click Update. Optionally, enter the name of the local domain.
Note: For further support on this firewall, contact Cisco directly (http://www.cisco.com/) or your usual reseller.
Cisco: setting up the HTTP proxy
You need to define HTTP proxy settings for the Cisco Wide Area Application Engine/Content Engine.
To set up the HTTP proxy
1 Select Caching > HTTP Proxy.
2 Set Enable Incoming HTTP Proxy to On and, in the box labeled Incoming HTTP Proxy Port List, enter the port(s) that browsers in your organization will use to connect to it.
3 Enable the Outgoing HTTP Proxy and enter proxy.webscanningservice.com on port 3128. Click Update.
4 Enable the HTTPS Proxy and enter proxy.webscanningservice.com on port 3128. Click Update.
5 Enable the FTP Proxy and enter proxy.webscanningservice.com on port 3128. Click Update. The Content Engine configuration is complete.
6 Configure your browser to use the Content Engine as the proxy, then test correct operation.
7 Use Reporting > Performance to confirm that requests travel through the Content Engine.
Note: For further support on this firewall, contact Cisco directly (http://www.cisco.com/) or your usual reseller.
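Step 6 asks you to test correct operation, and the same check applies after the Juniper, ISA Server and SonicWall procedures in the following chapters. The following is an added example, not from the Symantec guide, of a small probe run from a client PC: it confirms the proxy port accepts connections and that direct connections to the well-known web and FTP ports in Table 1-1 are refused. The proxy host name, port and reference host in the example are hypothetical; the reference host must be an Internet host you know accepts connections on ports 80, 443 and 21, so that a failed connect reflects the firewall and not a dead host.

```python
"""Added example (not from the Symantec guide): a post-change check that the proxy
port is reachable while direct web and FTP traffic from a client PC is blocked."""
import socket
from typing import Callable, Dict, List

# A connector takes (host, port) and reports whether a TCP connection completed.
Connector = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real connector: True if host:port accepts a TCP connection within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_enforcement(proxy_host: str, proxy_port: int, reference_host: str,
                      connect: Connector = tcp_connect) -> Dict[str, bool]:
    """Probe from a client PC. reference_host must be an Internet host known to
    accept connections on 80/443/21, so a failed connect reflects the firewall
    rather than a dead host. Returns one finding per rule plus an overall verdict."""
    findings = {
        "proxy_reachable": connect(proxy_host, proxy_port),
        "direct_http_blocked": not connect(reference_host, 80),
        "direct_https_blocked": not connect(reference_host, 443),
        "direct_ftp_blocked": not connect(reference_host, 21),
    }
    # Every Table 1-1 expectation must hold; a reachable proxy alone is not enough,
    # because an open port 80 lets users bypass Web Security.
    findings["enforced"] = all(findings.values())
    return findings


def failures(findings: Dict[str, bool]) -> List[str]:
    """Names of the individual checks that did not hold, for a short report."""
    return sorted(k for k, v in findings.items() if k != "enforced" and not v)


if __name__ == "__main__":
    # Hypothetical values: replace with your [Proxy Address], [Port] and a live host.
    report = check_enforcement("proxy.webscanningservice.com", 3128, "www.example.com")
    for name, ok in report.items():
        print(f"{name:22s} {'OK' if ok else 'FAIL'}")
    print("failing checks:", failures(report) or "none")
```

The connector is injected so the logic can be exercised without network access; in production leave the default tcp_connect in place. A result with proxy_reachable true but direct_http_blocked false is the bypass case the note under Table 1-1 warns about, and is the first thing to fix.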
Juniper firewall
This chapter includes the following topics:
■ Juniper: configuring a custom service
■ Juniper: configuring policies
Juniper: configuring a custom service
Before configuring the policies in Juniper, create a new custom service on the Juniper NetScreen firewall for use with Web Security.
To configure a custom service
1 On the left menu, select Objects > Services > Custom.
2 Select New (at the top right of the screen) to set up a new custom service.
3 Name it Web Security Services (or another name of your choice), and configure it on TCP Destination Port 3128.
4 Select OK and the new custom service will be listed.
Note: For further support on this firewall, contact Juniper directly (http://www.juniper.net/) or your usual reseller.
Juniper: configuring policies
Configure policies for the Juniper NetScreen firewall.
Before configuring your policies, first create a new custom service for Juniper. See “Juniper: configuring a custom service” on page 13.
To configure policies
1 On the left menu, select Policies.
2 Select Add (at the top right of the screen) to set up a new policy.
3 Name the new policy Permit Web Access.
4 Set Source Address > Address Book Entry > Trusted Addresses.
5 Set Destination Address > Address Book Entry > 0.0.0.0/32, using the custom service Web Security Services that you have created for Juniper.
6 Select OK and the policy is shown in the list.
7 You probably already have a policy that allows normal Web access using HTTP (on port 80). You can now select this policy and change its action to Deny that traffic. All normal Web browsing is now accessed using Web Security on port 3128. This ‘Deny’ rule will now be listed.
Further policies and actions:
■ Secure Web browsing (on port 443) is normally allowed using a separate rule. This rule can now be selected and changed to Deny that traffic. All secure Web browsing will now be accessed using Web Security on port 3128.
■ FTP is normally allowed using a separate rule. This rule can now be selected and changed to Deny that traffic. All normal FTP downloads will now be accessed using Web Security on port 3128.
■ Configure the Web Security service in the portal.
Note: For further support on this firewall, contact Juniper directly (http://www.juniper.net/) or your usual reseller.
ISA Server
This chapter includes the following topics:
■ Configuring a custom service for Microsoft ISA Server
■ Configuring rules for Microsoft ISA server
Configuring a custom service for Microsoft ISA Server
To configure Microsoft ISA Server (Internet Security and Acceleration Server) for use with Web Security, first you must create a new custom service. Use the New Protocol Definition wizard to set up the new custom service.
Note: The configuration described here concerns the firewall capabilities of the Microsoft server, while setting the client PCs to proxy directly to the Web Security servers. Refer to the Client Site Proxy Administrator Guide for configuration details when using the upstream proxy capabilities of the ISA server.
To configure a custom service
1 On the left menu, select Firewall Policy.
2 In the right pane, select Toolbox > Common Protocols.
3 Select New > Protocol. This starts the New Protocol Definition Wizard.
4 Name the service Web Security Services (or another name of your choice) and select Next.
5 Select New to define the port range to be used for this service.
6 Set up the service on TCP port 3128. Select OK.
7 Select Next. No secondary connection will be used.
8 Select Next. The service configuration summary is displayed.
9 Select Finish to complete the wizard.
10 Select Apply to save the changes. You can now configure the firewall rules.
Note: For support on this server, contact Microsoft directly (http://www.microsoft.com/) or your usual reseller.
Configuring rules for Microsoft ISA server
Before configuring your rules, first create a new custom service for Microsoft ISA server.
See “Configuring a custom service for Microsoft ISA Server” on page 15.
To configure rules
1 On the left menu, select Firewall Policy.
2 In the right pane, select Create New Access Rule. This starts the New Access Rule wizard.
3 Name the access rule Permit Web Access (or another name of your choice) and select Next. This rule will be used to Allow the specified traffic.
4 Select Next. The rule will be applied to Selected Protocols only.
5 Select Add.
6 Select User-Defined > Web Security Services (that is, the protocol set up for the new custom service you have created), and then click Add. The Web Security Services protocol will be listed.
7 Select Next.
8 Select Add to specify the source of the traffic.
9 Select Networks > Internal > Add. The 'Internal' network will be listed.
10 Select Next.
11 Set up the access rule Destination in the same way: select Add > Networks > External > Add > Next. This rule will be applied to All Users.
12 Select Next. The access rule configuration summary is displayed.
13 Select Finish to complete the wizard.
14 Select Apply to save the changes. The new rule will be shown in the Firewall Policy list.
You will also need to ensure that a rule is in place to enable DNS before you can browse the Web. You probably already have a rule that allows normal Web access using HTTP (on port 80). This rule can now be selected and changed to Deny that traffic. All normal Web browsing will now be accessed using Web Security on port 3128.
Further rules to consider
■ Secure Web browsing (on port 443) will normally be allowed using a separate rule. This rule can now be selected and changed to Deny that traffic. All secure Web browsing will now be accessed using Web Security on port 3128.
■ FTP will normally be allowed using a separate rule. This rule can now be selected and changed to Deny that traffic. All normal FTP downloads will now be accessed using Web Security on port 3128.
SonicWall
This chapter includes the following topics:
■ Creating a custom service for SonicWall
■ Configuring rules for SonicWall
Creating a custom service for SonicWall
Before configuring the rules in SonicWall, create a new custom service on the SonicWall firewall.
To configure a custom service
1 On the left menu, select Firewall > Services.
2 Under Custom Services, select Add to set up a new custom service using the TCP protocol on port 3128. Name it Web Security Services (or another name of your choice).
3 Select OK and the new service will be listed under Custom Services.
Note: For support on this firewall, contact SonicWall directly (http://www.sonicwall.com/), or your usual reseller.
Configuring rules for SonicWall
Before configuring your rules, first create a new custom service for SonicWall. See “Creating a custom service for SonicWall” on page 19.
To configure rules
1 On the left menu, select Firewall > Access Rules.
2 Select Add, and set up a new rule to allow access from your network using the custom service (Web Security Services) that you have created.
3 Select OK and the rule will be shown in the list. You will also need to ensure that a rule is in place to enable DNS before you can browse the Web.
4 You probably already have a rule that allows normal Web access using HTTP (on port 80). This rule can now be selected and changed to Deny that traffic. All normal Web browsing will now be accessed using Web Security on port 3128. This ‘Deny’ rule will now be listed.
Further rules to consider:
■ Secure Web browsing (on port 443) will normally be allowed using a separate rule. This rule can now be selected and changed to Deny that traffic. All secure Web browsing will now be accessed using Web Security on port 3128.
■ FTP will normally be allowed using a separate rule. This rule can now be selected and changed to Deny that traffic. All normal FTP downloads will now be accessed using Web Security on port 3128.
Note: For support on this firewall, contact SonicWall directly (http://www.sonicwall.com/), or your usual reseller.