7300-1.0-9/20/2005 2
IMPORTANT NOTICE
Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.
SOFTWARE LICENSE
The software described in this document is furnished under the terms of Elitecore’s software license agreement. Please read these terms and conditions carefully before using the software. By using this software, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused software and manual (with proof of payment) to the place of purchase for a full refund.
LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications. Except for the foregoing, the software is provided AS IS. This limited warranty extends only to the customer as the original licensee. The customer’s exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore’s or its service center’s option, repair, replacement, or refund of the software if reported (or, upon request, returned) to the party supplying the software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the software without problems or interruptions.
DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law.
In no event will Elitecore or its suppliers be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such damages. In no event shall Elitecore’s or its suppliers’ liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose.
In no event shall Elitecore or its suppliers be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages.
RESTRICTED RIGHTS
Copyright 2000 Elitecore Technologies Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Elitecore Technologies Ltd. Information supplied by Elitecore Technologies Ltd. is believed to be accurate and reliable at the time of printing, but Elitecore Technologies assumes no responsibility for any errors that may appear in this document. Elitecore Technologies reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.
Elitecore Technologies Ltd.

Corporate Office
904 Silicon Tower, B/h Pariseema Building, Off. C.G. Road, Ahmedabad-380 006. INDIA
Telephone: +91-79-26405600
Fax: +91-79-26462200

U.S.A Office
600 Meadowland Parkway, Suite 270, Secaucus, New Jersey 07094 U.S.A.
Telephone: 201-422-9200
Fax: 201-422-9715

Bangalore Office
3rd floor, 19/1 Infantry Road Cross, Behind Medinova Diagnostic Centre, Bangalore-560 001. INDIA
Telephone: +91-80-51517880/81

Delhi Office
606 Mahatta Tower, ‘B’ Block Community Centre, Janakpuri, New Delhi-110058. INDIA
Telephone: 25529638/40, +91-11-51589761/62
Fax: +91-11-51589760

Mumbai Office
Office 4, B/65, Stanford Plaza, Off. New Link Road, Andheri (W) Mumbai-400 058. INDIA
Guide Sets

Guide                                          Describes
Installation & Registration Guide              Installation & registration process
User Guide, Part I – Getting Started           How to start using Cyberoam
User Guide, Part II – Management               Management and Customization of Cyberoam
Detailed statistics – Reports                  Detailed reports
Console Guide                                  Console Management
Windows Client Guide                           Installation & configuration of Cyberoam Windows Client
Linux Client Guide                             Installation & configuration of Cyberoam Linux Client
HTTP Client Guide                              Installation & configuration of Cyberoam HTTP Client
Analytical Tool Guide                          Using the Analytical tool for diagnosing and troubleshooting common problems
Cyberoam – LDAP Integration Guide              Configuration for integrating LDAP with Cyberoam for external authentication
Cyberoam – ADS Integration Guide               Configuration for integrating ADS with Cyberoam for external authentication
Data Transfer Management Guide                 Configuration and Management of user based data transfer policy
Mail Management                                Configuration and Management of Mail server
Multi Link Manager User Guide                  Configuration of Multiple Gateways, load balancing and failover
VPN Management                                 Implementing and managing VPN
Printer Usage Management Guide                 Configuration and Management of user based printing quota policy
Printer Installation and Configuration Guide
Cyberoam – Windows Domain Controller Guide
Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to the Customer care/service department at the following address:

Corporate Office
Elitecore Technologies Ltd.
904, Silicon Tower, Off C.G. Road, Ahmedabad 380015, Gujarat, India.
Phone: +91-79-26405600
Fax: +91-79-26462200
Web site: www.elitecore.com

Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Email: [email protected]
Web site: www.cyberoam.com
Typographic Conventions
Material in this manual is presented in text, screen displays, or command-line notation.
Item                      Convention                                   Example
Server                    Machine where Cyberoam Software - Server
                          component is installed
Client                    Machine where Cyberoam Software - Client
                          component is installed
User                      The end user
Username                  Username uniquely identifies the user of
                          the system
Part titles               Bold and shaded font typefaces               Report
Topic titles              Shaded font typefaces                        Introduction
Subtitles                 Bold & Black typefaces                       Notation conventions
Navigation link           Bold typeface                                Group Management → Groups → Create
                                                                       means: to open the required page, click on
                                                                       Group Management, then on Groups, and
                                                                       finally click the Create tab
Name of a particular      Lowercase italic type                        Enter policy name: replace policy name with
parameter / field /                                                    the specific name of a policy
command button text                                                    Or
                                                                       Click Name to select, where Name denotes the
                                                                       command button text which is to be clicked
Cross references          Hyperlink in different color                 refer to Customizing User database: clicking
                                                                       on the link will open the particular topic
Notes & points to         Bold typeface between the black borders      Note
remember
Prerequisites             Bold typeface between the black borders      Prerequisite
Introduction
Cyberoam provides policy-based filtering that allows you to define individual filtering plans for the various users of your organization. You can assign individual policies to users (identified by IP address), or a single policy to a collection of users (a Group).
Cyberoam detects users as they log on to Windows domains in your network via client machines. Cyberoam can be used with a Windows Domain Controller or Active Directory.
To filter Internet requests based on the policies assigned, Cyberoam must be able to identify the user making a request. There are various ways Cyberoam can receive this information:
Cyberoam can identify the user transparently if your network uses an Active Directory service that has been integrated with Cyberoam. Refer to the ADS Integration and Configuration Guide for details.
Cyberoam can identify the user transparently if your network uses a Windows Domain Controller that has been integrated with Cyberoam. Refer to the Windows Domain Controller Integration and Configuration Guide for details.
Authentication process
When Cyberoam is installed in a Windows environment with a PDC (Primary Domain Controller) server, it is not necessary to create the users again in Cyberoam. Cyberoam provides a facility to automatically create users on first logon. Whenever an existing PDC user logs on for the first time after configuration, the user is automatically created in Cyberoam and assigned to the default group.
This reduces the Administrator’s burden of creating the same users in Cyberoam or migrating all the existing users from the PDC.
A user has to be authenticated by Cyberoam before accessing any resources controlled by Cyberoam. Cyberoam forwards the user’s authentication request to the PDC, and the Windows server authenticates the user with the supplied credentials. Users can therefore log on using their Windows credentials (login/user name and password).
Note
If the PDC server is down, the authentication request will always return the message ‘Wrong username/password’.
Select User → Authentication Settings to open the configuration page.
Screen – Domain Controller Integration

Screen Elements      Description
Configure Authentication & Integration parameters
Integrate with       Select Windows Domain Controller as the authentication server.
                     Cyberoam automatically adds users into the default group on first logon.
Default Group        Allows you to select the default group for users. Click the Default Group list to select.
Update button        Updates and saves the authentication server configuration.
Add button           Allows you to add domain controller details. Refer to Add Domain Controller for details.
Remove button        Allows you to remove domain controller details.
                     Click to select the server to be removed, click Remove, then click Update.
Update button        Updates and saves the domain controller details.
Add Domain controller
Screen – Set Domain Controller

Screen Elements      Description
Authentication Server Information
Server IP address    Allows you to add the IP address of the Domain Controller. More than one server can be added.
Server Details       Allows you to add server details.
OK button            Adds the server details.
Cancel button        Cancels the current operation and returns to the External Authentication page.
Table – Set Domain Controller screen elements
Note
Single Sign on Client Configuration
If a user is configured for Single Sign On, whenever the user logs on to Windows, the user is automatically logged on to Cyberoam as well. Single Sign On also supports the multiple logon facility.
Single Sign On provides password synchronization between Windows and Cyberoam for users: the Windows logon is what logs the user on to Cyberoam, so no separate Cyberoam password is entered.
This also enables users to check their My Account using their Windows password.
Once the users are migrated successfully, follow the procedure below to configure the Single Sign On login utility.
Step 1 Download the Cyberoam Single Sign On client as shown in the screen shot below and save SSCyberoam.exe to the NETLOGON scripts directory on the domain controller or as per your
Server OS        NETLOGON default location
Windows NT       %SYSTEMROOT%/system32/Repl/Import/Scripts
Windows 2000     %SYSTEMROOT%/SYSVOL/sysvol/%USERDNSDOMAIN%/Scripts
Table - Default NETLOGON directory location
Screen - Download Single sign on Client
Go to step 2 if logon scripts for the users are already created. Go to step 3 if logon scripts for the users are not created.
Note
If logon scripts for all the users already exist, please do not download the “Logon Script Updation Utility” and execute the script “defaultlogonscript.bat”.
Step 2 If the logon scripts are already created, update them. Edit the logon script using any of the available editors, such as Notepad, add the following line to the script and save the script:
start \\PDCServerName\netlogon\SSCyberoam.exe IP address of the Cyberoam Server
E.g., start \\mypdc\netlogon\SSCyberoam.exe 192.168.1.100
Whenever the user logs on to Windows, the logon script is executed. The above statement in the logon script runs the Cyberoam logon program with the Windows username and automatically logs the user on to Cyberoam.
Step 3 If the logon scripts are not created
Create a new script, “defaultlogonscript.bat”, using any of the available editors, such as Notepad, and add the line
start \\PDCServerName\netlogon\SSCyberoam.exe IP address of the Cyberoam Server
E.g., start \\mypdc\netlogon\SSCyberoam.exe 192.168.1.100
Copy the script “defaultlogonscript.bat” to the NETLOGON scripts directory. Refer to step 1 to find the location of the NETLOGON scripts directory.
Download the Logon Script Updation Utility as shown in the screen shot below and save the script as “updatelogonscript.bat” in the root directory of the server.
Screen - Download User Logon Script Updation utility
Execute “updatelogonscript.bat” at the command prompt as follows:
updatelogonscript.bat defaultlogonscript.bat
This updates or adds the logon script of the users in the domain to defaultlogonscript.bat.
Screen - LOGON script change utility
Whenever the user logs on to Windows, the script “defaultlogonscript.bat” is executed, which in turn runs the Cyberoam logon program with the Windows username and automatically logs the user on to Cyberoam.
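The defaultlogonscript.bat from Steps 2 and 3 written out in full, as an added example rather than the script shipped with Cyberoam. It uses the guide’s sample PDC name and Cyberoam IP (mypdc, 192.168.1.100) as placeholders and adds an existence check plus a one-line log entry, so that a missing or renamed SSCyberoam.exe in NETLOGON is visible to the administrator instead of silently leaving the user logged out of Cyberoam and without Internet access.

```batch
@echo off
rem defaultlogonscript.bat (added example; not the script supplied by Cyberoam).
rem Placeholders: replace MYPDC with your PDC name and 192.168.1.100 with the
rem IP address of your Cyberoam server, exactly as the guide's step 2/3 line does.
set CYBEROAM_IP=192.168.1.100
set SSO_CLIENT=\\MYPDC\netlogon\SSCyberoam.exe
set SSO_LOG=%TEMP%\cyberoam_sso.log

rem If the SSO client is missing from the NETLOGON share, record it and stop;
rem START would otherwise pop an error and the user would not know why
rem Cyberoam never logged them on.
if exist "%SSO_CLIENT%" goto :run
echo %USERNAME% on %COMPUTERNAME%: %SSO_CLIENT% not found, SSO skipped>>"%SSO_LOG%"
goto :end

:run
rem The line the guide specifies: launch the SSO client with the Cyberoam IP.
rem The empty "" is the window title START expects when the program path is quoted.
start "" "%SSO_CLIENT%" %CYBEROAM_IP%
echo %USERNAME% on %COMPUTERNAME%: SSO client started for %CYBEROAM_IP%>>"%SSO_LOG%"

:end
```

The log file path is only a constructed example; point it wherever your helpdesk can read it.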
Some Exception Conditions
1. If the user does not exist in Cyberoam, the message ‘Wrong Username/Password’ will be displayed.
2. The logon script will not execute if the Domain Controller is down; the user will not be able to log on to Cyberoam and Internet access will not be available. Once the Domain Controller is up, users will have to log on again.
3. If Cyberoam is down or not reachable, the Cyberoam Single Sign On client will continuously retry the logon, and as soon as Cyberoam is up Internet access will be available.
Note
1. Clientless users need not log on to Cyberoam; they are automatically logged on at system startup.
2. Clientless users are automatically logged on again at 1.00 AM every day.