Olfeo Solution
User guide
Copyright © Olfeo
Version: 1.0.6

Legal information

Copyrights

© Copyright 2014 Olfeo. All rights reserved. This documentation cannot be used unless under a license contract with the Olfeo company. No fragment of this publication can be reproduced, transferred, transcribed, saved on an archiving system or converted to any machine language, to any format or through any means, unless you have a prior written authorization from Olfeo. Olfeo gives you limited rights, authorizing you to print or make any other type of copies of the entire documentation for your own use, as long as these copies contain the Olfeo copyright. No other right regarding copyrights is given without a prior written agreement from Olfeo.

The information contained in this document is subject to change without notice.

Trademarks

Olfeo is an internationally registered trademark of the Olfeo company.

This document contains names, logos, software components or materials that are the property of third-party editors and owners:
• Java, JavaScript, and their respective logos are registered trademarks of Oracle Corporation.
• MySQL is a registered trademark of MySQL AB Company.
• SSH is a registered trademark of Communications Security Corp. CORPORATION FINLAND.
• Linux is a registered trademark of Linus Torvalds.
• Realplayer is a registered trademark of RealNetworks, Inc.
• Windows Media Player, Microsoft Excel, Microsoft, Windows, Active Directory, Hyper-V, Internet Explorer and their respective logos are trademarks of Microsoft Corporation.
• Check Point FireWall-1, SmartDashboard, SmartCenter, OPSEC and their respective logos are trademarks or registered trademarks of Check Point Software Technologies Limited.
• Netasq and its logo are trademarks of Netasq (SA).
• eDirectory is a trademark of Novell, Inc.
• OpenLDAP is a trademark of the OpenLDAP Foundation.
• ClamAV is a registered trademark of Sourcefire, Inc.
• Websense is a registered trademark of Websense, Inc.
• WISP is the protocol developed by Websense, Inc.
• Cisco Pix, ASA are trademarks or registered trademarks of Cisco Technology, Inc.
• Nagios is a registered trademark of Nagios Enterprises, Llc.
• Firefox is a registered trademark of the Mozilla Foundation.
• HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.
• Squid is a proxy software distributed under the terms of the GPL (GNU General Public License).
• ICAP protocol is documented in RFC 3507.

All other brand names mentioned in this manual or in all the other documentation provided with the Olfeo products are trademarks or registered trademarks of their respective owners.

Contacts

Olfeo
15, Boulevard Poissonnière
75002 Paris
France

Customer Account Management Service
Whether you are a partner or the end user of the Olfeo solution, the Olfeo Customer Account Management Service is at your disposal for any comments and requests.
eMail: client@olfeo.com
Phone: +33 (0)1.78.09.68.07

Olfeo Technical Support
Access to Support is reserved for clients with an "ISV Direct Technical Support" agreement. If you would like to have direct contact with our technical engineers, please contact your Customer Account Management Representative.
eMail: support@olfeo.com
Phone: +33 (0)1.78.09.68.01

URL Reclassification Service
This email address is made available by Olfeo. You can use it to request a possible re-categorization of a URL.
eMail: reclassement@olfeo.com

Documentation Department
You can send documentation comments or correction requests to the following email address.
eMail: documentation@olfeo.com

Consulting and Training Department
Use the following email addresses to send comments or questions regarding Olfeo Consulting and Training services.
eMail: conseil@olfeo.com
eMail: formation@olfeo.com

Contents

Chapter 1: Menu: URL Filtering
  1.1 Sub-menu: Categories
    1.1.1 Looking up a URL Category
    1.1.2 Creating your own category
    1.1.3 Using a category
  1.2 Sub-menu: Categories Group
    1.2.1 Creating a categories group
    1.2.2 Using a categories group
  1.3 Sub-menu: Web 2.0 Lists
    1.3.1 Creating a Web 2.0 list
    1.3.2 Twitter
    1.3.3 Dailymotion
    1.3.4 Setting up a Web 2.0 list
  1.4 Sub-menu: Policies
    1.4.1 Creating a URLs filtering policy
    1.4.2 Configuring a URL filtering policy
Chapter 2: Menu: Protocol Filtering
  2.1 Sub-menu: Protocols
  2.2 Sub-menu: Policies
    2.2.1 Creating a protocol filtering policy
    2.2.2 Assigning a protocol filtering policy
Chapter 3: Menu: Proxy Cache Qos
  3.1 Sub menu: HTTP
    3.1.1 Configuring the HTTP proxy
    3.1.2 Configuring HTTP Proxy Authentication
    3.1.3 Configuring HTTP Proxy Cache
    3.1.4 Cache Statistics
    3.1.5 Configuring the QOS
  3.2 Submenu: FTP
    3.2.1 Configuring the FTP Proxy
    3.2.2 Configuring FTP Proxy authentication
  3.3 Sub menu: RTSP
    3.3.1 Configuring the RTSP proxy
  3.4 Sub menu: TCP
    3.4.1 Configuring the TCP proxy
  3.5 Sub menu: SOCKS
    3.5.1 Configuring the SOCKS proxy
    3.5.2 Configuring an authentication for the SOCKS proxy
Chapter 4: Menu: Antivirus
  4.1 Sub-menu: Parameters
    4.1.1 Antivirus parameters
    4.1.2 Creating an ICAP connector for the antivirus
    4.1.3 Enabling the antivirus
  4.2 Sub-menu: Log
Chapter 5: Menu: Mobility Controller
  5.1 Sub-menu: Portals
    5.1.1 Adding a public portal
  5.2 Sub-menu: Voucher Types
    5.2.1 Add a voucher type
  5.3 Sub-menu: Access Control Lists
    5.3.1 Add an operator to the public portal
  5.4 Sub-menu: Messages
    5.4.1 Creating a message set
    5.4.2 Creating a template set
    5.4.3 Previewing custom messages and template set
    5.4.4 Assigning your messages and template sets
  5.5 Activating the public portal
  5.6 Operator portal
    5.6.1 Operator: Creating accounts
    5.6.2 Viewing existing accounts information
    5.6.3 Modifying existing account information
Chapter 6: Menu: Rules
  6.1 Sub-menu: Users
    6.1.1 rules engine
    6.1.2 Users list
  6.2 Sub-menu: Quotas
    6.2.1 Creating a time quota
    6.2.2 Creating a volume quota
    6.2.3 Using a quota
  6.3 Sub-menu: Time slots
    6.3.1 Creating a timeslot
    6.3.2 Using a timeslot
  6.4 Sub-menu: URLs lists
    6.4.1 Creating a URL List
    6.4.2 Using a URLs list
  6.5 Sub-menu: Messages
    6.5.1 Creating a Message Set
    6.5.2 Creating a templates set
    6.5.3 Previewing your custom pages
    6.5.4 Assigning the message and template sets
  6.6 Submenu: Internet Charters
    6.6.1 Creating an Internet Charter
    6.6.2 Enabling an Internet charter
    6.6.3 History of Internet charter acceptance
Chapter 7: Menu: Analysis
  7.1 Submenu: Creation
    7.1.1 Creating a report or analysis
    7.1.2 Performing a time spent analysis
  7.2 Submenu: Consultation
    7.2.1 Displaying a report
    7.2.2 Setting the report retention period
    7.2.3 Displaying an analysis
  7.3 Submenu: Diffusion lists
    7.3.1 Creating a diffusion list
  7.4 Submenu: Coaching
    7.4.1 Configuring coaching
    7.4.2 Enabling the coaching feature
  7.5 Submenu: Livelog
  7.6 Submenu: Log extract
    7.6.1 Extracting statistics
Chapter 8: Menu: Parameters
  8.1 Submenu: Architecture
    8.1.1 Creating a connector
    8.1.2 Adding a proxy.pac
    8.1.3 Implementing a proxy.pac
  8.2 Submenu: Authentication
    8.2.1 Adding an Active Directory enterprise directory and synchronizing the users
    8.2.2 Adding a LDAP compatible enterprise directory and synchronizing the corresponding users
    8.2.3 Joining the Olfeo solution to the Windows domain
    8.2.4 Grouping and prioritizing authentications in a mode
  8.3 Submenu: High Availability
    8.3.1 Creating an Olfeo Domain
    8.3.2 Joining an Olfeo domain
    8.3.3 Creating a cluster
    8.3.4 Adding a secondary logs server
  8.4 Submenu: Administrators
    8.4.1 Olfeo Rights Principle
    8.4.2 Adding an administrator
    8.4.3 Adding rights to an administrator
  8.5 Sub-menu: Network
    8.5.1 DNS Configuration
    8.5.2 Configuring SMTP
    8.5.3 SMS Configuration
    8.5.4 Sending a test SMS
    8.5.5 Configuring the HTTP proxy
    8.5.6 Testing your network configuration
  8.6 Submenu: System
    8.6.1 Stop/Start Configuration
    8.6.2 Configuring the NTP synchronization
    8.6.3 Configuring logs archiving
    8.6.4 Enabling Olfeo administration console HTTPS access
  8.7 Submenu: Monitoring
    8.7.1 Enabling email based system notifications
    8.7.2 Filtering system events by type
    8.7.3 Configuring SNMP agents' access to Olfeo
    8.7.4 Adding a syslog server
    8.7.5 Forcing execution of a scheduled task
  8.8 Submenu: Updates
    8.8.1 Updating Olfeo
    8.8.2 Manually updating the Olfeo URL database
    8.8.3 Configuring Olfeo URL database automatic update
    8.8.4 Entering your Olfeo license
    8.8.5 Renewing your license
  8.9 Submenu: Backup
    8.9.1 Creating a CIFS mount point in Olfeo
    8.9.2 Mounting an NFS share in Olfeo
    8.9.3 Configuring a Backup Destination in Olfeo
    8.9.4 Creating a Backup Task
    8.9.5 Manually running a backup task
    8.9.6 Restoring a backup
    8.9.7 Backing up legal traffic logs (RAW and NCSA)
  8.10 Submenu: Advanced
    8.10.1 Redirecting Olfeo Blocking Pages
    8.10.2 Configuring a gateway
    8.10.3 Auto Populating Users
  8.11 Submenu: Support
    8.11.1 Opening a Technical Support Tunnel
Chapter 9: Syntax
  9.1 Regex Syntax

Chapter 1
Menu: URL Filtering

Topics:
• Sub-menu: Categories
• Sub-menu: Categories Group
• Sub-menu: Web 2.0 Lists
• Sub-menu: Policies

Sub-menu: Categories

The page [URL Filtering] > [Categories] allows you to view the list of Olfeo categories and to look up the category a given URL belongs to.

A category is a group of URLs sorted in the Olfeo database.
The categories are organized by themes and updated daily. In fact, every 15 minutes the unknown URLs encountered by all the Olfeo solutions are gathered on a central site. A multilingual team then sorts them in order to integrate them into categories. These categories are then returned to the Olfeo solutions through an update of the internal database. Through this process, the database of your Olfeo solution is constantly updated, which lets you benefit from high-performance, dynamic filtering.

Note: If you want, you can add your own categories or add URLs to existing categories in the Olfeo database.

Looking up a URL Category

1. Go to the page containing the categories via the following menus: [URL Filtering] > [Categories].

Section: Categories

2. Enter the URL for which you want to know the category in the [Search URL] field.
   Warning: You must enter the fully qualified domain name of the URL to find its Olfeo category (e.g. www.google.fr).
3. Click on the [Search] button.
4. The result of the search is displayed next to the label Result.
   Note: An unknown URL will have as a result: Others > URL Not classified.

Creating your own category

1. Go to the page containing the categories via the menus [URL Filtering] > [Categories].

Section: List

2. In the List section of the categories, expand the My categories tree using the icon.
3. Click on the link [Add a category].

Section: Category

4. Enter a name in the [Label] field.
5. Enter a description in the [Description] field.
6. You can also enter an alias in the [Alias] field.
   Note: When viewing a blocking page, the [Alias] field content will be displayed. For example, if you set the alias "Banned Site" for the category "Sex - Pornography", the blocking page will tell the user: This site is classified as: "Banned site".
   Note: In statistics, it is the name of the category that will be displayed and not the alias.

Section: URLs added

7. To add URLs to the category you want to create, you have two options:
   • You can add a list of URLs from a text file by selecting it with the button [Browse] and then clicking on:
     • the button [Add] to import the [Added URLs] field content.
     • the button [Replace] to replace the [List] field content.
   • You can manually add the URLs in the [List] field.
   Each line of your category should contain a single URL and then end with a "new line". You can create URLs using the REGEX syntax explained in the chapter Regex Syntax. Here is an example of a list of URLs:

   http://www.facebook.fr
   .*youtube\.fr
   .*google\.fr.*
   http://www.dailymotion.fr
   .*yahoo\.fr.*

8. Click on the [Create] button to create your own category.

Using a category

Categories are used either in a policy or in the rule engine.
• To use a category in a policy, go to the [URL Filtering] > [Policies] page. Then edit the desired policy and set your category in the Destination column for the rule that you want to modify.
• To use a category in the rule engine, go to the [Rules] > [Users] page and use your category in the Destination column for the rule you want to modify.

Sub-menu: Categories Group

The page [URL Filtering] > [Categories Group] enables you to create lists of categories. A categories group allows you to group together the categories of your choice. The categories group can be used in the policies ([URL Filtering] > [Policies]).

Creating a categories group

1. Go to the page for categories group creation via the following menus: [URL Filtering] > [Categories Group].
2. Click on [Add group of categories].

Section: Categories group

3. Enter a name for the new categories group in the [Label] field.
4. Enter a description in the [Description] field.

Section: Categories

5. Select one or more categories from the list [Categories] to create your list. To select multiple categories you will need to use the CTRL key on your keyboard.
   a) Press and hold the CTRL key on your keyboard.
   b) Using the mouse, click on one or more of the categories you want to include in your list.
   c) Release the CTRL key when the list is complete.
6. Click on [Create] to create your categories group.

Using a categories group

A categories group is used either in a policy or in the rule engine.
• To use a categories group in a policy, go to the page [URL Filtering] > [Policies]. Then edit the policy you want and use your categories group in the Destination column of the rule you want to modify.
• To use a categories group in the rule engine, go to the page [Rules] > [Users] and set your categories group in the Destination column of the rule you want to modify.

Sub-menu: Web 2.0 Lists

The page [URL Filtering] > [Web 2.0 List] allows you to create lists detailing the content of some Web 2.0 sites you want to allow or block. The granularity of filtering operations on each of these sites offers a rich feature set and allows more accurate and less restrictive filtering.

Creating a Web 2.0 list

1. Go to the Web 2.0 list creation page via the menus [URL Filtering] > [Web 2.0 List].
2. Click on [Add Web 2.0 list].

Section: Web 2.0 lists

3. Enter a name in the [Label] field.
4. Enter a description in the field [Description].
5. Add a media file using the button.

Window: Media

6. Select a Web 2.0 site to add using the radio button from the Label column.

Window: Objects

7. Select from the dropdown list [Select] the Web 2.0 site resources you want to filter on.
Option: Dailymotion
Description:
   • Native Applications: Allows you to create a filter for the Web 2.0 features of the Dailymotion website.
   • Posters: Allows you to filter by Dailymotion video posters.
   • Videos: Allows you to filter specific videos found on Dailymotion.

Option: Twitter
Description:
   • Natives Applications: Allows you to create a filter for specific Twitter Web 2.0 features.

Warning: Olfeo reserves the right to change the features available for each media/Web 2.0 site at any time, based on underlying changes to the respective websites.

8. Configure the filtering operations based on the media above.

Option: Dailymotion
Description: The documentation needed for Dailymotion configuration is here: Dailymotion on page 21.

Option: Twitter
Description: The documentation needed for Twitter configuration is here: Twitter on page 20.

9. Click on [Create] to save the changes.
Tab: Web 2.0 Lists
10. Click on [Create] to create your Web 2.0 list.

Twitter
Twitter is a microblogging service that allows users to blog using short messages (140 characters, one or two sentences). Besides this limitation, the main difference between a traditional blog and Twitter is the fact that Twitter does not invite readers to comment on posts. The limitation of Twitter messages to 140 characters has fostered the emergence of content platforms, such as TwitPic, which allows sending images and photos.
With Olfeo you can filter Twitter content as follows:
• Select [Native Apps] from the menu [Select].

Table 1: Window: Objects. Menu: Native Apps

Native Apps Option: Content
   • Photos: Photos in different elements of Twitter (tweet, profile, search, etc.).
   • Videos: Videos in searches, ...
   • Places: Places in trends.
   • Follow: Subscription to a source of tweets.
   • Trends: Twitter Trends.
   • Re-tweets: Transfer of a tweet and access to re-tweets.
   • Search in tweets: Search in tweets and saved searches.
   • Suggestions: Comments of tweets and sending of comments.
Native Apps Option: User Homepages
   • Settings of all options: Access to edit the general parameters (accounts, functionalities, photos, videos).
   • Phone parameters: Display mobile phone parameters from the profile.
   • Account parameters: Access to editing the profile parameters.

Native Apps Option: Miscellaneous
   • About: Access to the About page of the Twitter site.
   • Terms of use and contracts: Terms and conditions of use page of the Twitter site.
   • Help and suggestions: Help and Suggestion section of the Twitter site.

Native Apps Option: User contribution
   • About: Access to the About page of the Twitter site.
   • Terms of use and contracts: Terms and conditions of use page of the Twitter site.
   • Help and suggestions: Help and Suggestion section of the Twitter site.

Native Apps Option: Third Party Sites related to Twitter
   • Twitpic (image publishing): Access to Twitpic (twitpic.com).
   • Twitvid (video publishing): Access to Twitvid (twitvid.com).
   • Twitgoo (image hosting): Access to Twitgoo (twitgoo.com).
   • Bubbletweet (image cropping): Access to Bubbletweet (www.bubbletweet.com).

Dailymotion
Dailymotion is a site for video sharing and hosting. In Olfeo you can filter the following content of Dailymotion:
• Select [Natives Applications] from the menu [Select]:

Natives Applications Option
Multimedia Content: Multimedia content (video, ...) available on Dailymotion.
Pages: This feature groups different pages from Dailymotion.
   • Videos: Video content.
   • Channels: Access to thematic channels proposed by Dailymotion: News and Politics, Cooking, Video games, ...
   • Quick list: Access to the quick list (Quick List) associated with the Dailymotion connected account.
   • Contests: Access to the contests section of Dailymotion.
   • History: Access to the history page of the Dailymotion connected account.
   • Blog: Access to the Dailymotion blog.
   • Playlists: Access to Playlists defined for the connected user.
   • Preferences: Access to user account preferences for the connected user.
   • Identification: Access to the identification function of Dailymotion. This criterion allows you to block the use of a Dailymotion personal account.
   • Subscription: Access to create a Dailymotion account. You can prevent the creation of personal accounts.
User contribution: This set contains functions of Dailymotion that are specific to the connected user.
   • Favorites: Access to the Favorites function of Dailymotion.
   • Playlists: Access to playlists defined by the connected user.
Miscellaneous: This set contains various other functions/pages specific to Dailymotion.
   • Solution Pro: Access to the professional part of Dailymotion (Dailymotion Cloud).
Account management: This set contains certain functions related to the management of a Dailymotion user account.

• Select [Posters]: Allows applying a filtering policy to all Dailymotion content issued by one or more users. To enter poster IDs, select Posters from the Dailymotion dropdown list and specify the poster IDs you want to filter.

Figure 1: Example of adding a poster

• Select [Videos]: Filter the videos of Dailymotion according to a list of IDs/video ID numbers. These video IDs are automatically assigned by Olfeo depending on the URLs of the indicated videos. Add the URL of each video, one by one, in the text box URLs of videos to add and click on the Add button.

Figure 2: Example of adding a video

Setting up a Web 2.0 list
To set up a Web 2.0 list, you need to use it in a policy. To use a Web 2.0 list in a policy, go to the [URL Filtering] > [Policies] page. Edit the policy you want and then set your Web 2.0 list in the Destination column of the rule you want to modify.

Sub-menu: Policies
A URL filtering policy is a set of predefined rules that you can assign to an organizational unit, to a user group, to a specific user or to an IP address.
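The evaluation order and the [Fallthrough rule] inheritance that this sub-menu describes can be modelled in a few lines. The following is an added example, not Olfeo code: it assumes that rules are tried in priority order and that the first match decides, reduces the Destination column to category labels, leaves time slots out, and uses constructed policy and category names. It shows how a child policy whose fallthrough is Allow keeps upstream Deny rules from ever being reached.

```python
"""Model of URL filtering policy evaluation with [Fallthrough rule] inheritance.

Added illustration, not Olfeo code. ASSUMPTIONS: rules are tried in priority
order and the first match decides; the Destination column is reduced to
category labels; time slots are left out. All labels below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ALLOW, DENY, UPSTREAM = "Allow", "Deny", "Upstream policy"


@dataclass(frozen=True)
class Rule:
    schemes: FrozenSet[str]      # Scheme column: ftp, http, https
    categories: FrozenSet[str]   # Destination column (category labels only)
    action: str                  # ALLOW or DENY

    def matches(self, scheme: str, category: str) -> bool:
        return scheme in self.schemes and category in self.categories


@dataclass(frozen=True)
class Policy:
    label: str
    rules: Tuple[Rule, ...]      # already sorted by priority
    fallthrough: str             # ALLOW, DENY or UPSTREAM


def evaluate(chain: List[Policy], scheme: str, category: str) -> Tuple[str, str, str]:
    """Walk the chain from the lowest level (user / IP) up to the default policy.

    Returns (action, label of the deciding policy, "rule N" or "fallthrough").
    """
    for policy in chain:
        for number, rule in enumerate(policy.rules, start=1):
            if rule.matches(scheme, category):
                return rule.action, policy.label, f"rule {number}"
        if policy.fallthrough != UPSTREAM:
            return policy.fallthrough, policy.label, "fallthrough"
    raise ValueError("top-level policy defers upstream: nothing decides the request")


def masked_denies(chain: List[Policy]) -> List[Tuple[str, int, str, str, str]]:
    """List upstream Deny rules that never fire because a lower policy ends
    with fallthrough Allow instead of Upstream policy."""
    findings = []
    for policy in chain[1:]:
        for number, rule in enumerate(policy.rules, start=1):
            if rule.action != DENY:
                continue
            for scheme in sorted(rule.schemes):
                for category in sorted(rule.categories):
                    action, decider, how = evaluate(chain, scheme, category)
                    if action == ALLOW and how == "fallthrough" and decider != policy.label:
                        findings.append((policy.label, number, scheme, category, decider))
    return findings


WEB = frozenset({"http", "https"})


def build_chain(user_fallthrough: str) -> List[Policy]:
    """Constructed two-level hierarchy: one user policy under a default policy."""
    user = Policy("marketing-user",
                  (Rule(WEB, frozenset({"Social networks"}), ALLOW),),
                  user_fallthrough)
    default = Policy("company-default",
                     (Rule(WEB, frozenset({"Malware"}), DENY),
                      Rule(WEB, frozenset({"Social networks"}), DENY)),
                     ALLOW)
    return [user, default]


if __name__ == "__main__":
    for fallthrough in (ALLOW, UPSTREAM):
        chain = build_chain(fallthrough)
        print(f"user policy fallthrough = {fallthrough}")
        print("  http / Malware ->", evaluate(chain, "http", "Malware"))
        print("  masked upstream denies ->", masked_denies(chain))
```

The explicit Allow rule for "Social networks" is a deliberate exception and is not reported; only denies lost to a terminal Allow fallthrough are.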
The URL filtering policies can be created via the menu [URL Filtering] > [Policies]. The policies are assigned to users in the lower part of the rule engine (menu [Rules] > [Users]), more specifically in the Protocol Filtering column.

Warning: The policies are executed only when the general rule engine has the field [Fallthrough rule] set to Apply user policy.

Figure 3: Field [Fallthrough rule]

The Olfeo solution evaluates filtering policies starting with the lowest level (the user or the IP address), and then goes upwards to the highest level (the default configuration) until it finds a filtering rule matching the request context.

A URL filtering policy can inherit a policy from a higher level. To configure inheritance of a higher policy, edit the child policy in [URL Filtering] > [Policies] and set the field [Fallthrough rule] to the value Upstream policy.

A policy with inheritance configured is displayed with one icon, while a policy without inheritance is displayed with another icon.

Note: To facilitate navigation, if you click on either icon you will have direct access to edit the attached policy.

Creating a URL filtering policy
1. Go to the policy creation page via the menu [URL Filtering] > [Policies].
2. Click on [Add a policy].
Section: Policy
3. Enter a name for the new policy in the [Label] field.
4. Enter a description in the [Description] field.
Section: Rules
5. Add a rule using the button.
6. In the newly created rule, click on the link from the Time slot column, then click on one of the time ranges in the Label column.
   Note: If you want to create a time slot go here: Sub-menu: Time slots on page 112.
7. In the newly created rule, click on the link from the Scheme column then click on the protocol(s) for which your rule will be applied.
   The possible protocols are:
   • ftp
   • http
   • https
8. In the newly created rule, click on the link from the Destination column, then click on the type of destination for which you want to apply the rule via the menu [Select].
   a) If you would like to filter the URLs by a regular expression, click on [URL (regex)] then enter the regular expression in the [Url] field. To finish click on [OK].
      Note: Remember that the REGEX syntax is explained here: Regex Syntax on page 240.
   b) If you would like to filter the URLs by URLs lists, click on [URLs Lists] then select the lists of URLs that you want using the checkboxes in the Label column. To finish click on [OK].
      Note: If you want to create a list of URLs go here: Sub-menu: URLs lists on page 114.
   c) If you would like to filter the URLs by categories lists, click on [Categories Lists] then select the lists that you want using the checkboxes in the Label column. To finish click on [OK].
      Note: If you want to create a Categories List go here: Sub-menu: Categories Group on page 16.
   d) If you would like to filter URLs using a Web 2.0 List, click on [Web 2.0 List] then select the Web 2.0 lists you want using the checkboxes from the Label column. To finish click on [OK].
      Note: If you want to create a Web 2.0 list go here: Sub-menu: Web 2.0 Lists on page 18.
   e) If you would like to filter the URLs by categories, click on [Categories] then select the categories you want using the checkboxes from the Label column. To finish click on [OK].
      Note: If you would like to create a customized category go here: Creating your own category on page 14.
9. In the newly created rule, click on the image from the [Action] column, then click on the type of action you want your rule to apply, using the menu [Select].
   a) If you want your filtering rule action to allow the traffic, select [Allow].
   b) If you want your filtering rule action to deny the traffic, select [Deny].
      In case it is needed, you can configure an "Override". To do so, tick the [Override] checkbox. You can also set a password that will be distributed to users who want to use the "override" function, by filling in the [Override Password] field.
   c) If you want your filtering rule action to time-limit the browsing activity, select [Time Quota]. Then select a time quota in the [Quota] menu. In case it is needed, you can configure an "Override". To do so, tick the Override checkbox. You can also set a password that will be distributed to users who want to use the "override" function, by filling in the [Password] field.
      Note: If you would like to create a time quota, go here: Sub-menu: Quotas on page 108.
   d) If you want the action performed by your filtering rule to limit the consultation of the selected URLs by volume, select [Volume Quota]. Then select a volume quota.
      Note: If you would like to create a volume quota, go here: Sub-menu: Quotas on page 108.
10. Set the priority order in which you want your rules to be executed using the arrows.
11. After the last rule, use the menu [Fallthrough rule] to select the default behavior for traffic not covered by the rules: [Allow], [Deny], or defer the filtering decision to the [upstream policy].
    Note: If you set the field [Fallthrough rule] to [Upstream policy] you set up an inheritance. The current policy will then inherit the rules from the policies positioned above it in the list of users of the rules engine (Users list on page 100).
12. Click on [Create] to save the changes.

Configuring a URL filtering policy
1. Go to the URL filtering policy configuration page using the menu [Rules] > [Users].
2. In the [Directories] tab or [Mobility controllers], expand the users' hierarchy in the [Name] column, using the icon, in order to display the organizational units, the groups or the users to which you want to apply your policy.
3.
Click on the corresponding link from the [URL Filtering] column and then select the URL filtering policy that you want.
   Note: If you would like to edit the policies or to create a policy, go to the page [URL Filtering] > [Policies].

Chapter 2 Menu: Protocol Filtering
Topics:
• Sub-menu: Protocols
• Sub-menu: Policies

Sub-menu: Protocols
Similar to URL filtering, Olfeo can perform protocol filtering operations. On the [Protocol filtering] > [Protocols] page you can explore the list of protocols Olfeo is able to filter.
If you are looking for a specific protocol, enter the protocol name in the lookup field [Filter] and click the button. To clear the filter field and return to the whole protocol list, click on the clear icon.

Sub-menu: Policies
A protocol filtering policy is a set of rules you can assign to an organizational unit, a user group, a specific user or an IP address.
Protocol filtering policies can be created using the menu [Protocol filtering] > [Policies].
Protocol filtering policies are assigned in the section at the lower end of the main rules engine (menu [Rules] > [Users]), more specifically in the Protocol filtering column.
A protocol filtering policy can inherit from another protocol filtering policy higher in the users' hierarchy. In order to use this inheritance mechanism, edit the filtering policy that will use it from [Protocol filtering] > [Policies] and set the field [Fallthrough rule] to the value Upstream policy.
A non-terminal policy using the inheritance mechanism is identified with one icon, as opposed to a terminal filtering policy, which is identified with another icon.
Note: As a shortcut to quickly edit a policy, you can click on either icon to go directly to the filtering policy edit page.

Creating a protocol filtering policy
1.
Go to the protocol filtering policies creation page using [Protocol filtering] > [Policies].
2. Click on [Add a policy].
Section: Policy
3. Enter a name for the new policy in the [Label] field.
4. Enter a description in the [Description] field.
Section: Rules
5. Add a rule using the button.
6. In the newly created rule, click on the link from the Time slot column, then click on one of the time slots in the Label column.
   Note: If you want to create a time slot go here: Sub-menu: Time slots on page 112.
7. In the newly created rule, click on the link from the Destination column, then click on the type of destination for which you want to apply the rule via the menu [Select].
   a) If you want your filtering rule to apply to all the traffic, click on the link [Any].
   b) If you want to restrict the application of the rule to a set of protocols, click on the link [Protocols]. Next, select all the protocols you would like to use by enabling the corresponding checkboxes in the Label column. Then click on the [Ok] button.
8. In the newly created rule, click on the image from the [Action] column, then click on the type of action you want to apply to your rule, using the menu [Select].
   a) If you want the action of your filtering rule to allow the corresponding traffic, select [Allow].
   b) If you want the traffic to be blocked, select [Deny].
9. Use the up and down arrows in order to change the priority of each rule composing your policy.
10. Last, using the menu [Fallthrough rule], select the default behavior for any traffic not matching the preceding rules. Choose whether the behavior is to [Allow] or [Deny], or use inheritance with the value [Upstream policy].
    Note: If you set the field [Fallthrough rule] to [Upstream policy] you activate the inheritance behavior.
    The current filtering policy will call the policies above it in the list of users for any traffic not matching the current policy rules (Users list on page 100).
11. Click on [Ok] to save the changes.

Assigning a protocol filtering policy
1. Go to the main Olfeo page used to assign filtering policies using the menu [Rules] > [Users].
2. In the [Directories] tab or [Mobility controllers], expand the users' hierarchy in the [Name] column using the icon in order to display the organizational units, the groups and users you would like to apply a filtering policy to.
3. Click on the link in the [Protocol Filtering] column and select the desired protocol filtering policy.
   Note: If you would like to modify existing policies or create a new policy go to the [Protocol filtering] > [Policies] page.

Chapter 3 Menu: Proxy Cache Qos
Topics:
• Sub menu: HTTP
• Sub menu: FTP
• Sub menu: RTSP
• Sub menu: TCP
• Sub menu: SOCKS

Sub menu: HTTP
This menu allows for the HTTP proxy setup and configuration.
The HTTP proxy configuration is done using the following 5 tabs:

Table 2: The five HTTP proxy configuration tabs

Tab: [Configuration]
Description: The [Configuration] tab allows for the definition of the HTTP proxy listening ports configuration and for the proxy type specification (explicit or transparent). Using this tab you can also chain the HTTP proxy with a parent proxy, configure URL filtering behavior and perform manual configurations.

Tab: [Authentication]
Description: The [Authentification] tab allows for the proxy authentication mode configuration.
Warning: This tab depends on your integration and authentication architecture choice, which is the subject of the Olfeo Integration Guide. We recommend that you refer to this guide for more information regarding authentication.
Tab: [Cache]
Description: The [Cache] tab allows for the memory cache configuration and the specification of cache behavior rules. The cache is a space dedicated to keeping in memory the objects most frequently used by end users, so that these objects are served to end users faster than through a direct access connection. This Olfeo solution feature allows for internet access bandwidth reduction and for object access time reduction.

Tab: [Cache statistics]
Description: The [Cache statistics] tab displays cache statistics allowing you to monitor HTTP proxy cache efficiency, thus providing you with valuable information to tune its configuration in order to maximize its efficiency.

Tab: [QOS]
Description: The [QOS] tab allows for the HTTP proxy quality of service configuration. The quality of service allows for the attribution of resources to a specified traffic in order to maximize bandwidth availability and optimize bandwidth utilization and transmission. This feature is particularly interesting if you have specific traffic requiring optimal bandwidth.

Configuring the HTTP proxy
1. Go to the HTTP proxy configuration using the [Proxy Cache QoS] > [HTTP] > [Configuration] tab.
Section: Listening ports
2. In the section Listening ports add a listening port using the button.
   a) Enter the interface IP address and TCP port you would like the proxy to listen on. The syntax used to specify the TCP listening port allows you to restrict listening to a specific IP address. Use the following syntax:
         Ipaddress:Tcpport
      Note: If you want to listen on all of the local machine's IP addresses, enter the IP address as 0.0.0.0
      Example of how to specify the IP address and listening port:
         0.0.0.0:3129
   b) To configure a transparent proxy enable the Transparent checkbox at the end of your newly created proxy TCP port.
      Warning: This field is linked to the integration architecture choice, which is the subject of the Olfeo Integration Guide.
      We recommend that you refer to this guide for more information regarding HTTP transparent proxy.
   c) If you do not want the proxy to pass the end user private IP addresses to the destination server, enable [Anonymize access].
      Note: This option helps to avoid the generation of HTTP headers of the type "X-Forwarded-For", which generally include the IP address of the end user machine on whose behalf the proxy carries out an action. For security reasons, it is generally preferable not to disclose information concerning your local network, therefore turning on this option is recommended.
Section: Allowed query types by destination port
3. Add a request type using the icon. The section "Allowed query types by destination port" lets you define the destination ports and the corresponding protocols allowed on each of these destination ports.
   a) Enter a destination port in the field under the Port column.
      Note: Enter a range of ports by separating the start and end ports with "-". Example: 1025-65535.
      Note: To enter multiple ports in a query, separate them with a space. Example: 70 210 280.
   b) Select the protocols you want to authorize on the destination ports by enabling the corresponding checkboxes in the columns headed Browsing, FTP over HTTP, WebDAV or Raw/SSL.
      There are four possible protocols:
      • Browsing: Authorizes the standard HTTP browsing.
      • FTP over HTTP: Authorizes use of the FTP protocol encapsulated in HTTP (FTP over HTTP) and thus allows file downloads. This protocol can only be used if the client application supports it. Internet browsers typically do when you specify an HTTP proxy for the FTP protocol.
      • WebDAV: Authorizes the HTTP-based collaboration protocol allowing management of files shared and stored on a web server.
      • Raw/SSL: Allows SSL-type traffic.
   c) To allow for use of extended passive mode in the FTP over HTTP protocol enable the [FTP over HTTP makes use of extended passive mode] checkbox.
      In this mode, the Olfeo proxy can use the EPSV command and thus make FTP requests that are IPv6 compatible. Please refer to RFC 2428 FTP Extensions for IPv6 and NATs for more information.
      Warning: Use of the EPSV command and of IPv6 may result in this option being incompatible with older firewalls.
Section: Proxy chaining
4. If the Olfeo solution's proxy needs to be chained to a parent proxy, select the [Use parent proxy] checkbox in the Proxy Chaining section. Then provide the following information:
   a) The IPv4 address of the parent proxy in the [Host] field.
   b) The TCP port of the parent proxy in the [Port] field.
   c) The user name for authentication with the parent proxy in the [Login] field.
   d) The user's password for authentication with the parent proxy in the [Password] field.
Section: URL filtering
5. To filter URLs, enable the [Filter URL] checkbox in the URL Filtering section. Fill in the following fields as required:
   a) [Disable Olfeo caching]. For performance reasons, the Olfeo solution stores the authorizations obtained by your users' various browsing sessions. This optimization makes it possible to avoid authorization checks for a website (Internet domain) that was previously authorized. Enabling this checkbox will force an automatic authorization check, even for sites previously visited.
   b) [Redirector number]. This field controls the number of internal processes used by the Olfeo solution to perform HTTP browsing authorization checks. The default value of 70 should be appropriate for most Olfeo solution installations. It is therefore recommended not to change this value unless explicitly requested by Olfeo Technical Support.
   c) [Bypass if the filtering service is unavailable]. This checkbox allows you to control the Olfeo HTTP proxy's behavior in the event the URL filtering service is not reachable. Browsing will be blocked by default if this checkbox is not enabled.
   d) [Delay before next connection attempt upon error (minimum 30s)]. This field controls the timeout that may be inserted at the Olfeo HTTP proxy level in case there is an error connecting to the Olfeo URL filtering service. The default value of 30 seconds is suitable for most cases.
Section: Squid custom configuration
6. Configure your desired Squid ACLs in the fields [Start of file], [Pre Authentication], [Post Authentication] and [End of file].
   Your Olfeo solution internally uses an optimized version of an Open Source proxy solution. In some cases, it might be necessary to configure advanced options that are not directly configurable using the Olfeo Administration Console. The purpose of the Squid custom configuration section is to allow for the configuration of Squid directives in the HTTP proxy.
   Danger: These directives can alter the proxy operations. Therefore it is recommended to alter the content of these fields solely under suggestions provided by Olfeo Technical Support.
   Here is an example of Squid directives configuration using the Squid custom configuration. Adobe Flash Player setup may not work for end users behind an authenticating proxy. Indeed, post-setup processing includes contacting various servers on the Internet in order to complete the installation. Therefore the Olfeo proxy configuration will ask for an authentication before allowing the operation. In order to bypass this authentication request, it is possible to create Squid directives allowing for an exception to this authentication mode in order to allow for the Adobe Flash Player setup to complete.
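The authentication exception described here is scoped by a Squid dstdomain ACL, so its reach depends on how dstdomain entries match host names. The following added example (not Olfeo or Squid code) models that matching for the four entries used in the guide's directive and lists which requests in a proxy log fall under the exemption. The log lines are constructed, and Squid's native access.log field order is an assumption about the deployment.

```python
"""Scope check for a Squid dstdomain authentication exemption.

Added illustration, not Olfeo or Squid code. The ACL entries are the ones in
the guide's directive; the log lines are constructed and assume Squid's
native access.log field order (an assumption about the deployment).
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

EXEMPT_ENTRIES = [".verisign.com", ".adobe.com", ".adobetag.com", ".macromedia.com"]


def dstdomain_match(host: str, entry: str) -> bool:
    """dstdomain semantics: a leading dot matches the domain itself and every
    subdomain; without the dot only the exact host matches. Case-insensitive.
    (Reverse lookups Squid may perform for IP-literal hosts are not modelled.)"""
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def is_exempt(host: str, entries: List[str] = EXEMPT_ENTRIES) -> bool:
    return any(dstdomain_match(host, entry) for entry in entries)


def split_target(method: str, target: str) -> Tuple[str, Optional[int]]:
    """Return (host, port) from the logged request target."""
    if method == "CONNECT":                      # logged as host:port
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            return target, None
        return host.strip("[]"), int(port)
    parts = urlsplit(target)
    default = {"http": 80, "https": 443, "ftp": 21}.get(parts.scheme)
    return parts.hostname or "", parts.port or default


def audit(log_lines: List[str], entries: List[str] = EXEMPT_ENTRIES) -> List[Dict]:
    """Return one record per logged request that the exemption ACL covers."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 8:
            continue                             # not a complete log record
        client, method, target, user = fields[2], fields[5], fields[6], fields[7]
        host, port = split_target(method, target)
        if not is_exempt(host, entries):
            continue
        hits.append({
            "client": client,
            "host": host,
            "port": port,
            "anonymous": user == "-",            # no user name was logged
            "odd_connect_port": method == "CONNECT" and port != 443,
        })
    return hits


# Constructed sample: time elapsed client code/status bytes method URL user peer type
SAMPLE_LOG = [
    "1400000001.100 120 10.1.2.30 TCP_MISS/200 5120 GET http://download.macromedia.com/setup.cab - DIRECT/192.0.2.10 application/octet-stream",
    "1400000002.200 300 10.1.2.30 TCP_TUNNEL/200 4096 CONNECT ocsp.verisign.com:443 - DIRECT/192.0.2.20 -",
    "1400000003.300  80 10.1.2.31 TCP_MISS/200 2048 GET http://www.example.org/ jdoe DIRECT/192.0.2.30 text/html",
    "1400000004.400  90 10.1.2.32 TCP_TUNNEL/200 9000 CONNECT files.adobe.com:8443 - DIRECT/192.0.2.40 -",
    "1400000005.500  70 10.1.2.33 TCP_MISS/200 1000 GET http://notadobe.com/ asmith DIRECT/192.0.2.50 text/html",
    "1400000006.600  70 10.1.2.33 TCP_MISS/200 1000 GET http://adobe.com.example.net/ asmith DIRECT/192.0.2.60 text/html",
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG):
        print(hit)
```

Reviewing the exempted hosts and any CONNECT to a port other than 443 on a regular basis keeps the exception limited to the traffic it was created for.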
   Here is a Squid directive example to apply in the [Pre Authentication] field, disabling authentication for domain names used by the Adobe Flash Player setup application:

      # A leading dot makes each entry match the domain and all of its subdomains
      acl adobeflashplayer dstdomain .verisign.com .adobe.com .adobetag.com .macromedia.com
      http_access allow CONNECT adobeflashplayer
      http_access allow adobeflashplayer

   Once applied, this directive will allow access to domain names ending in verisign.com, adobe.com, adobetag.com and macromedia.com to bypass the proxy authentication.
7. Click on [OK] to save changes.

Configuring HTTP Proxy Authentication
1. Go to the HTTP proxy authentication configuration page using the [Proxy Cache QoS] > [HTTP] > [Authentification] tab.
Section: Module
2. Select the HTTP proxy authentication mode in the [Authentication mode] field.
   Warning: This field depends on your integration and authentication architecture choice, which is the subject of the Olfeo Integration Guide. We recommend that you refer to this guide for more information regarding proxy authentication.
   Note: This tab is only displayed once an enterprise directory has been configured.
   The following choices are available:

Option: [NTLM (Active Directory)]
Description: The Olfeo HTTP proxy supports the NTLM over HTTP authentication method as specified by Microsoft. This authentication mode requires the use of a Microsoft ActiveDirectory 2003 or higher enterprise directory.
Warning: The NTLM authentication method is only available if your Olfeo installation has been joined to the Windows domain using the [Parameters] > [Authentication] > [Windows domain join] menu.
Once selected, this authentication mode will perform the following 2 authentications:
• A transparent authentication for end users using a computer that is a member of the Windows domain and with a currently active Windows interactive session started with their end user domain account.
• An explicit authentication using an authentication popup for all other end users. In order to pass the authentication step, the end user will have to enter his Windows domain end user account (format: "DOMAIN"\"login") and his password.

Option: [Kerberos]
Description: This authentication mode allows for the use of Microsoft Kerberos authentication using an ActiveDirectory 2003 enterprise directory. Similar to the [NTLM (Active Directory)] authentication mode, this [Kerberos] mode allows:
• A transparent authentication for end users using a computer that is a member of the Windows domain and with a currently active Windows interactive session started with their end user domain account.
• An explicit authentication using an authentication popup for all other end users. In order to pass the authentication step, the end user will have to enter his Windows domain end user account (format: "DOMAIN"\"login") and his password.
Warning: The [Kerberos] authentication is only available if your Olfeo installation has been joined to the Windows domain using the [Parameters] > [Authentication] > [Windows domain join] menu.
Note: On end user computers, the browser must use the Microsoft integrated authentication and must explicitly reference the Olfeo proxy using its Fully Qualified Domain Name (FQDN).
Warning: The Microsoft [Kerberos] implementation is incompatible with Olfeo clusters using Kerberos-based authentication. If you require high availability in Kerberos authentication mode with Olfeo, it is recommended to use a proxy.pac for your proxy configuration and to return multiple proxies in your proxy.pac on each return in order to benefit from the proxy.pac failover behavior.

Option: [Kerberos 2008]
Description: This authentication mode is identical to [Kerberos] but should be used only for ActiveDirectory 2008 or above enterprise directories.

Option: [Basic - <Authentication Zone>]
Description: This authentication mode allows for the configuration of an LDAP-based basic authentication mechanism.
This authentication mode requires the use of Olfeo authentication zones. Based on the number of Olfeo authentication zones configured, one or more basic authentication modes will be available.
Note: If you want to create an authentication zone, go to the page: [Parameters] > [Authentication] > [Authentication Mode].
Danger: The [Basic - <authentication zone>] authentication mode is a weak authentication mode because it carries user credentials (login/password) in clear over the network. It is therefore recommended to use a stronger authentication mode.

Option: [None]
Description: The Olfeo HTTP proxy will not perform any authentication.

3. In the field [Number of instances], change the number of instantiated authentication helper processes if necessary. The number of instances corresponds to the maximum number of authentication requests which can be processed in parallel at any given time.
   Default number of instances: 15
Section: Rules
4. Use the button to add an authentication rule.
5. In the newly created rule, click the link in the Sources column.
   a) Select the [IP Ranges] field in the [Select] menu if you would like to restrict a rule to one or more IP address ranges.
   b) Use the button to add an IP address range.
   c) Enter the first IP address of the range in the Start IP column.
   d) Enter the last IP address of the range in the End IP column.
   e) Optionally enter a description text for the IP address range in the Range Description column.
   f) Once you have created all your IP address ranges, click the [Ok] button to save your changes.
6. In the newly created rule, if you would like to restrict the rule to specific HTTP clients click on the [User-Agent] column link.
   a) Select the HTTP client identifiers you would like to restrict the rule to using the Active column checkbox.
      Note: This feature is very useful to disable HTTP proxy authentication for certain types of applications not compatible with authenticating proxies (audio/video player, ...).
   b) If you have an unreferenced application you would like to add, you can enter a regular expression in the editable field under the Regular expression column. You can then enter a description in the Description column and enable the corresponding checkbox in the Active column.
      Note: For more information regarding regular expression (REGEX) syntax, please refer to chapter Regex Syntax on page 240.
      Note: If you don't know how to find the user-agent identifier for a particular HTTP client, please contact Olfeo Technical Support.
7. In the newly created rule, if you would like to restrict the rule to a particular proxy port, click on the link in the [Proxy ports] column.
   Note: You can discriminate your end-user population by sending them to different proxy ports. Once segmented, these end-user populations can then be assigned different authentication rules using the link in the [Proxy ports] column.
8. In the newly created rule, if you want to restrict the rule application to a particular destination you can click on the [Destination] column link. Two choices are available:
   • You can enter a destination using a URL or regular expression described in chapter Regex Syntax on page 240. In this case:
      • Click on the [URL (regex)] link and enter a URL or regular expression in the [URL] list.
      • To save your changes click on the [Ok] button.
   • You can specify a destination using a URL List that you have previously configured using the [Rules] > [URL Lists] menu. In this case:
      • Click on the [URL Lists] link and select the URL lists of your choice in the Label column.
      • To save your changes click on the [Ok] button.
9. In the newly created rule, click on the link in the Authentication column in order to select the desired authentication type. The following choices are available:

Option: [No authentication]
Description: This choice allows you to disable authentication for the Olfeo HTTP Proxy.
Warning: Without any authentication and any captive portal, the Olfeo HTTP proxy cannot identify the end user connecting to the proxy. Therefore, the Olfeo filtering engine would not be able to apply any specific filtering policies except for the default policy (Users list on page 100). Olfeo Solution / User guide / 44 3 Menu: Proxy Cache Qos Option Description This choice enables authentication at the Olfeo HTTP proxy level (authentiation configured at step 2 on page 41). [Authentication] Note: Following the selected authentication in step Users list on page 100, some of these authentications will be performed transparently. Refer to the Olfeo Integration guide for more information. [ip2login] This choice allows you to configure Olfeo HTTP proxy to perform authentication (authentication configured in step 2 on page 41). Once the authentication performed, the end-user computer IP address will be associated to the end-user and no further authentication will be requested by the proxy for new connections. Note: [ip2login] main advantage is to facilitate end user browsing by reducing the number of authentication requests. Warning: If you would like to configure the duration of the en user IP adress / login association, please contact Olfeo Technical Support. 10. Use the up and down arrows and in order to change the priority of each rule composing your policy. 11. After the last rule and using the [by default] menu, select the default behavior to apply among [no authentication], de [Ip2login] or [authentication]. 12. Click on [Ok] to save the changes. Olfeo Solution / User guide / 45 3 Menu: Proxy Cache Qos Configuring HTTP Proxy Cache Olfeo embedded HTTP proxy implements a cache feature. This feature allows for the optimization of browsing requests by providing contents already cached from prior similar requests. 1. Go to the HTTP Proxy configuration page using the [Proxy Cache QoS] > [HTTP] > [Cache] tab. 
Section: Memory cache

Memory cache refers to the cache maintained in physical memory (RAM).

2. Enter the memory cache size in the [Cache size] field.
   Default size is: 128 Mo.
   Danger: An oversized cache can degrade performance. It is therefore recommended to size the cache in successive attempts, incrementing its size until you find an acceptable compromise between Olfeo solution operation and the RAM size allocated to the memory cache.
3. Enter the maximum size of objects that can be stored in memory cache in the [Object max size] field. The memory cache must be dedicated to small objects. Indeed, memory cache performance will be higher if it is filled with a large number of small objects rather than a small number of large objects. Maximizing the number of objects in memory cache generally provides better performance for a larger number of end users.
   Default size is: 6 ko.
4. Select the algorithm for replacing objects in the cache using the [Replacement policy] field.
   • [Least recently used]: When the cache is full, object replacement in memory cache is based on when each object was last used. The least recently used objects are the ones evicted from the memory cache. This replacement policy is not the best-performing one because it only takes into account the date of last use without considering other parameters such as object size, frequency of use, cost of download, ...
   • [LRU Policy implemented using a heap]: This algorithm is similar to the Least Recently Used one but its operation uses a heap. This algorithm allows for more efficient cache management, providing quicker replacements, additions or removals from the memory cache. Unfortunately this algorithm, like the previous one, only takes into account the date of last use of each object without considering other object properties.
   • [Least frequently used with dynamic aging]: This algorithm manages the memory cache based on how frequently objects are accessed. A replacement policy following LFU maximizes the hit ratio in bytes. Nevertheless, LFU can pollute the memory cache with very old objects because it only takes into account access frequency. The Least frequently used with dynamic aging algorithm is an evolution of LFU because it also takes into account object age in order to avoid polluting the cache with old popular objects. This replacement policy generally offers good results in terms of hit ratio in bytes.
   • [Greedy-Dual Size Frequency]: This algorithm is an evolution of cache management algorithms. It takes into account various parameters / properties such as cost of download, object size, age and frequency of use. This replacement policy generally provides better performance in hit ratios compared to other replacement policies.

Section: Disk cache

Using a disk cache allows objects that are not eligible for memory cache to be stored on disk. A disk cache is obviously slower than a memory cache.

5. In the Disk cache section, enter the size in Mo you would like to use on the disk for your disk cache in the Cache size field.
   Default size is: 2 000 Mo
6. Enter the minimum size for objects to be eligible for storage in disk cache in the Objects min. size field.
   Default size is: 254 ko
7. Enter the maximum size for objects to be eligible for storage in disk cache in the Objects max. size field.
8. Select the object replacement policy for the disk cache in the [Replacement policy] field. As previously covered:
   • [Least recently used]: When the cache is full, object replacement in memory cache is based on when each object was last used. The least recently used objects are the ones evicted from the memory cache.
     This replacement policy is not the best-performing one because it only takes into account the date of last use without considering other parameters such as object size, frequency of use, cost of download, ...
   • [LRU Policy implemented using a heap]: This algorithm is similar to the Least Recently Used one but its operation uses a heap. This algorithm allows for more efficient cache management, providing quicker replacements, additions or removals from the memory cache. Unfortunately this algorithm, like the previous one, only takes into account the date of last use of each object without considering other object properties.
   • [Least frequently used with dynamic aging]: This algorithm manages the memory cache based on how frequently objects are accessed. A replacement policy following LFU maximizes the hit ratio in bytes. Nevertheless, LFU can pollute the memory cache with very old objects because it only takes into account access frequency. The Least frequently used with dynamic aging algorithm is an evolution of LFU because it also takes into account object age in order to avoid polluting the cache with old popular objects. This replacement policy generally offers good results in terms of hit ratio in bytes.
   • [Greedy-Dual Size Frequency]: This algorithm is an evolution of cache management algorithms. It takes into account other parameters or properties such as the download cost, the object size, the age and the frequency of use. This replacement policy generally provides the best performance in terms of hit ratio compared to other replacement policies.
9. Click on [Ok] to save the changes.

If you would like to add rules to control cache operations, please refer to the chapter Adding cache operation rules on page 48.

Adding cache operation rules

1. Go to the HTTP Proxy configuration page using the [Proxy Cache QoS] > [HTTP] > [Cache] tab.

Section: Caching

2. In the Caching section, add a cache operation rule using the button.
3. In the newly created rule, click on the icon in the [Cache] column in order to define whether the rule caches (icon) or does not cache (icon) an object.
4. In the newly created rule, click on the link in the Destination column in order to define the condition that will trigger a cache or a cache exclusion operation.
   a) If you don't want to specify any condition, click on [Any].
   b) If you would like to use a regular expression as a condition, click on [URL (regex)] and enter a regular expression in the [Url] field. Click on [Ok] once done.
      Note: Remember that the REGEX syntax is explained here: Regex Syntax on page 240.
   c) If you would like to use a URL list as a caching condition, click on [URL Lists], then select the URL lists of your choice using the checkbox in the Label column. Once done click on [Ok].
      Note: If you want to create a list of URLs go here: Sub-menu: URLs lists on page 114.
   d) If you would like to use a categories list as a caching condition, click on [Categories Lists], then select the categories lists of your choice using the checkbox in the Label column. Once done click on [Ok].
      Note: If you want to create a categories list go here: Sub-menu: Categories Group on page 16.
   e) If you would like to use categories as a caching condition, click on [Categories], then select the categories of your choice using the checkbox in the Label column. Once done click on [Ok].
      Note: If you would like to create a customized category go here: Creating your own category on page 14.
5. In the newly created rule, click on the link in the Mime type column. A MIME type is an identifier defining a standard data format on the internet. Using MIME types you can choose the types of media that you want to assign to your caching rule.
   a) In the Label column expand the MIME types tree using the icon.
   b) In the MIME types tree select the types of your choice using the checkbox from the Label column.
   c) Click on [Ok] to save the changes.
6. Use the up and down arrows to change the priority of each rule in your policy.
7. Following the last rule and using the [Fallthrough rule] menu, select the behavior to apply for non-matching cases among [Use cache] or [Do not use cache].
8. Click on [Ok] to save the changes.

Configuring cache objects lifetime

The cache objects lifetime specifies the maximum life of objects in memory and disk cache.

1. Go to the cache lifetime configuration page using the [Proxy Cache QoS] > [HTTP] > [Cache] tab.

Section: Lifetime

2. In the Lifetime section, add a cache lifetime rule using the button.
3. In the newly created rule, click on the link in the [Mime type] column. A MIME type identifier is associated with a data format on the internet. Using MIME type identifiers you can select the data types you want to specify a cache lifetime for.
   a) In the Label column expand the MIME types tree using the icon.
   b) In the MIME types tree select the types of your choice using the checkbox from the Label column.
   c) Click on [Ok] to save the changes.
4. In the newly created rule, enter the maximum lifetime in the cache before expiration in the [Max age] field.
5. Once done, enter the default maximum cache lifetime in the [Fallthrough max age] field.

Cache Statistics

The [Proxy Cache QoS] > [HTTP] > [Cache statistics] tab is divided into three sections:

1. Queries: This section provides information regarding the number of end user requests for a set of time periods. For each predetermined time period, the following statistics are available:
   • Total: Total number of requests.
   • Hits: Total number of requests resulting in a cache operation.
   • Errors: Cache miss ratio. Remember that your caching rules have an influence on this ratio.
   • Efficiency: Cache efficiency based on the caching rules.
2. Network: This section provides statistics regarding Olfeo HTTP proxy cache efficiency based on data volume. The following statistics are available for each predetermined time period:
   • Downstream: Data volume downloaded from the cache.
   • Upstream: Data volume downloaded from origin servers.
   • Efficiency: Cache efficiency measured as the ratio between downstream and upstream data volume.
   Note: Data volumes are expressed in kibibyte, or 1024 bytes.
3. Latency: This section provides statistics regarding Olfeo HTTP Proxy cache access time. The following statistics are available for each predetermined time period:
   • From cache: Average access time for data accessed from the cache.
   • Forwarded: Average access time for data retrieved from origin servers.
   • Efficiency: Cache efficiency measured as the ratio between average data access time from the cache and average access time from origin servers.
   Note: Statistics are expressed in milliseconds.

Configuring the QOS

The Olfeo solution provides an embedded proxy implementing a QOS (Quality Of Service) feature. This QOS feature caps bandwidth utilization for some traffic in order to guarantee bandwidth availability. This feature is particularly useful if your network carries traffic that cannot tolerate any bandwidth degradation.

1. Go to the HTTP Proxy Configuration page using the [Proxy Cache QoS] > [HTTP] > [QOS] tab.

Section: General

2. Enter your maximum measured bandwidth in KB/s in the [Total Bandwidth] field.
   Example:
   1. You have a 10 Mbit/s connection.
   2. 10 Mbit/s = 10 000 kbit/s.
   3. 10 000 kbit/s = 1250 KB/s (because 1 byte = 8 bits).
   You can then enter a theoretical bandwidth of 1250 KB/s in the [Total bandwidth] field.

Section: Rules

3. Click on the button to add a QOS rule.
4. In the newly created rule, you can use a timeslot as one of the conditions for a QOS rule. To do so, click on the link in the Timeslot column, then click on one of the defined timeslots in the Label column.
   Note: If you want to create a time slot go here: Sub-menu: Time slots on page 112.
5. In the newly created rule, you can use the source as one of the conditions for your QOS rule. To do so, click on the link in the [Source] column. Then select the source type you want to use as a condition from the [Select] drop-down list.
   a) If you want to use a group of users as a condition for your QOS rule, select [Users]. Expand the users' hierarchy using the icon, then select the users using the checkbox from the Name column. Once done click on [Ok].
6. In the newly created rule, if you would like to use a destination as a condition for your QOS rule, click on the link in the Destination column. Then select the type of destination to use from the [Select] drop-down list.
   a) If you would like to use a regular expression for a destination as a condition for your QOS rule, select [URL (regex)], then enter the regular expression in the [Url] field. Once done click on [Ok].
      Note: Remember that the REGEX syntax is explained here: Regex Syntax on page 240.
   b) If you would like to use a URL list as a condition for the destination of your QOS rule, click on [URL Lists], then select the URL lists of your choice using the checkbox from the Label column. Once done click on [Ok].
      Note: If you want to create a list of URLs go here: Sub-menu: URLs lists on page 114.
   c) If you would like to use a categories list as a destination condition for your QOS rule, click on [Categories Lists], then select the categories lists of your choice using the checkbox in the Label column. Once done click on [Ok].
      Note: If you want to create a categories list go here: Sub-menu: Categories Group on page 16.
   d) If you would like to filter the URLs by categories, click on [Categories], then select the categories you want using the checkboxes from the Label column. To finish click on [OK].
      Note: If you would like to create a customized category go here: Creating your own category on page 14.
7. In the newly created rule, click on the link in the [Bandwidth] column in order to define the bandwidth properties. For information, Olfeo uses the x / y syntax in the rules to display, for each rule, the [Global limit (KB/s)] and the [Per user limit (KB/s)].
   a) Enter the maximum bandwidth in KB/s you would like to give to this rule in the field [Global limit (KB/s)].
      Note: This limit must be lower than or equal to the [Total Bandwidth] defined in step 2 on page 51.
   b) If you would like to set a maximum limit for the per user bandwidth, enable the [Enable per user limit] checkbox, then enter the per user maximum bandwidth in the [Per user limit (KB/s)] field.
      Note: This limit must be lower than the limit defined in the [Global limit (KB/s)] field.
   c) Click on [OK] to save changes.
8. In the newly created rule, if you prefer setting the maximum bandwidth as a percentage of the [Total Bandwidth] defined in step 2 on page 51, enter the desired percentage in the [%] column.
   Warning: If you change the [Total Bandwidth] value, Olfeo automatically recalculates the [Global limit (KB/s)] defined in step 7 on page 52. Indeed, the [Global limit (KB/s)] and the percentage of the [Total Bandwidth] are two ways of expressing the same bandwidth limit for your QOS rule.
   For example: If you would like to limit traffic for your rule to half of your [Total Bandwidth], enter 50 in the [%] column field.
9. Click on [OK] to save changes.

Sub-menu: FTP

FTP (File Transfer Protocol) is a client/server file exchange protocol. The Olfeo Solution provides a native FTP proxy. Using this menu you can configure the FTP proxy and optionally configure its authentication mode.

Note: The Olfeo Solution only supports the passive mode of this protocol because of the insecure nature of the active mode.
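To make the note on active mode concrete, here is an added example (not Olfeo code): in active mode the client's PORT or EPRT command names the address and port the server must connect back to, so perimeter devices have to admit inbound data connections to client-chosen endpoints, whereas in passive mode the client opens both connections itself. The Python sketch below parses a constructed FTP control-channel excerpt and lists the active-mode requests a passive-only proxy would refuse; the sample session, the function names and the two checks are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed control-channel excerpt: (control-connection peer IP, sender, line).
# "C" = client command, "S" = server reply. All addresses are sample values.
SAMPLE_SESSION = [
    ("10.0.0.15", "C", "USER alice"),
    ("10.0.0.15", "C", "PASV"),
    ("10.0.0.15", "S", "227 Entering Passive Mode (203,0,113,10,195,80)"),
    ("10.0.0.15", "C", "PORT 10,0,0,15,4,210"),
    ("10.0.0.15", "C", "PORT 10,0,0,99,0,22"),
    ("10.0.0.15", "C", "EPRT |1|10.0.0.15|50000|"),
    ("10.0.0.15", "C", "EPSV"),
    ("10.0.0.15", "S", "229 Entering Extended Passive Mode (|||50123|)"),
]

PASV_REPLY = re.compile(r"^227 .*?\((\d+(?:,\d+){5})\)")
EPSV_REPLY = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def parse_hostport(arg):
    """Decode the RFC 959 'h1,h2,h3,h4,p1,p2' form into (ip, port)."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"malformed host-port: {arg!r}")
    ip = str(ipaddress.IPv4Address(bytes(fields[:4])))
    return ip, fields[4] * 256 + fields[5]


def parse_eprt(arg):
    """Decode the RFC 2428 '<d>proto<d>addr<d>port<d>' form into (ip, port)."""
    if not arg:
        raise ValueError("empty EPRT argument")
    parts = arg.split(arg[0])  # the first character is the delimiter
    if len(parts) != 5 or parts[1] not in ("1", "2"):
        raise ValueError(f"malformed EPRT argument: {arg!r}")
    port = int(parts[3])
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return str(ipaddress.ip_address(parts[2])), port


def classify(peer_ip, sender, line):
    """Return (mode, endpoint, findings) for one control-channel line."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if sender == "C" and verb in ("PORT", "EPRT"):
        try:
            ip, port = parse_hostport(arg) if verb == "PORT" else parse_eprt(arg.strip())
        except ValueError:
            return "active", None, [f"malformed {verb} argument"]
        findings = []
        # The server would open a connection to whatever the client named here.
        if ipaddress.ip_address(ip) != ipaddress.ip_address(peer_ip):
            findings.append("data address differs from control-connection peer")
        if port < 1024:
            findings.append("data port is in the privileged range")
        return "active", (ip, port), findings
    if sender == "C" and verb in ("PASV", "EPSV"):
        return "passive", None, []
    if sender == "S":
        match = PASV_REPLY.match(line)
        if match:
            return "passive", parse_hostport(match.group(1)), []
        match = EPSV_REPLY.match(line)
        if match:
            # EPSV replies carry only the port; the address is the server's own.
            return "passive", (None, int(match.group(2))), []
    return None, None, []


def audit_passive_only(session):
    """List every active-mode request in a session with the reasons it is risky."""
    report = []
    for peer_ip, sender, line in session:
        mode, endpoint, findings = classify(peer_ip, sender, line)
        if mode == "active":
            report.append({"line": line, "endpoint": endpoint, "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit_passive_only(SAMPLE_SESSION):
        print(entry["line"], "->", entry["endpoint"], entry["findings"] or "no extra finding")
```
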
Configuring the FTP Proxy

1. Go to the FTP Proxy configuration page using the [Proxy Cache QoS] > [FTP] > [Configuration] tab.

Section: Proxy List

2. Add an FTP proxy using the button.
3. In the newly created proxy, enter a name in the field from the Label column.
4. In the newly created proxy, enter the listening TCP port in the field from the Port column.
   For example: 9021
5. For the newly created proxy, if you want to specify additional options click on the link in the Options column.
   a) If you would like to limit the maximum number of outgoing connections for the proxy, enter this maximum number in the [Connections limit] field.
   b) If you want to specify a parent proxy:
      • Enable the [Enabled] checkbox.
      • Enter the parent proxy IP address in the [Host] field.
      • Enter the parent proxy port in the [Port] field.
      • Select the proxy authentication behavior using the [Authentification] drop-down list:
        • [None]: The parent proxy does not require any authentication.
        • [Same as client]: The login/password provided to the Olfeo FTP proxy will be forwarded to the parent proxy.
        • [Defined below]: This option lets you configure a specific login/password pair to use with the parent FTP proxy. If you select this option, enter the login in the [Login] field and the password in the [Password] field.
      • Click on [OK] to save changes.
6. Click on [OK] to save changes.

Configuring FTP Proxy authentication

1. Go to the FTP proxy authentication configuration page using [Proxy Cache QoS] > [FTP] > [Authentification].
2. Use the button to add an authentication rule for the FTP proxy.
3. In the newly created rule, if you want to configure a type of authentication with predefined timeframes, click on the link from the Timeframe column, then click on the timeframes from the Label column.
   Note: If you want to create a time slot go here: Sub-menu: Time slots on page 112.
4. In the newly created rule, if you want to specify a source, click on the link from the [Source] column. Select the type of source on which you want to apply the authentication using the [Select] menu.
   a) If you want to specify an IP address, select [IPs range]. Then enter the [Start IP] address, the [End IP] address and a [Range Description]. Note that you can add other IP address ranges using the button. To finish, click [Ok].
5. In the newly created rule, if you want to specify an authentication mode to use, click on the link from the [Mode] column, then select an authentication mode from the Label column. Recall that an authentication mode allows for the configuration of a basic LDAP authentication.
   Note: If you want to create an authentication zone, go to: [Parameters] > [Authentication] > [Authentication Mode].
6. In the newly created rule, if you want to create an association between an IP address and a login on the first authentication, therefore avoiding subsequent authentication requests, enable the [IP2login] checkbox.
7. Click on [Ok] to save the changes.

Sub-menu: RTSP

RTSP (Real Time Streaming Protocol) is a data communication protocol used for media streaming. It allows for receiving content and controlling a remote media server with the typical features of a video or audio player, such as "play", "stop", "pause" or "seek" to a particular time "t". RTSP does not carry data bytes but provides flow control. An RTSP player uses a data transport protocol such as RTP (Realtime Transport Protocol) or RDT (Real Data Transport), the latter being a RealNetworks proprietary protocol.

With Olfeo you can configure an RTSP proxy to control and receive media flows. The implementation architecture should nevertheless consider the following limitations:

• RTSP over UDP: For data transport, only UDP is currently supported as a transport. Nevertheless RTSP uses TCP.
• RTP Data Transport: Olfeo RTSP proxy only supports RTP as a data transport protocol.
• Integrations: Olfeo RTSP proxy only supports RTSP flow proxying:
  • In a transparent proxy configuration, with traffic redirected toward the Olfeo RTSP proxy by a firewall or third party equipment capable of traffic redirection.
  • In an explicit proxy configuration requiring a specific configuration for RTSP client applications.
• Supported RTSP players: The Olfeo RTSP proxy used in an explicit proxy configuration has only been certified for use with Windows Media Player and RealPlayer. Each of these players requires a specific explicit proxy configuration to use the Olfeo RTSP proxy with UDP as the data transport protocol. Additionally, any proprietary application using RTSP should, in order to use Olfeo RTSP proxy, support configuring an RTSP proxy explicitly with UDP as the data transport protocol.
• RTSP proxy ephemeral ports: As with the Olfeo FTP proxy, it is not possible to specify the outgoing TCP ports used by Olfeo RTSP proxy.

Note: You can create rules regarding RTSP traffic in the main rules engine on the [Access] tab from [Rules] > [Users].

Configuring the RTSP proxy

1. Go to the RTSP proxy configuration page via [Proxy Cache QoS] > [RTSP].

Section: Proxy List

2. Click on the button to add an RTSP proxy.
3. In the newly created proxy, enter a name in the field from the Label column.
4. In the newly created proxy, enter the listening TCP port in the field from the Port column.
   For example: 30554
5. Click on [Ok] to save changes.

Warning: Olfeo RTSP proxy is a separate system process that must be configured for automatic start from the [Parameters] > [System] > [Services] page.

Sub-menu: TCP

The TCP proxy allows for the configuration of a generic proxy that can be used for any TCP based client/server traffic in an application not supporting any proxy.
Warning: Application protocols are generally proprietary and undocumented. Therefore Olfeo TCP proxy cannot identify the destination IP addresses. Using the Olfeo TCP proxy requires a transparent proxy integration using third party equipment, typically a firewall, and port redirection toward the Olfeo TCP proxy.

Your architecture should nevertheless take into account the following limitations:

• Number of TCP proxies: An Olfeo TCP proxy instance must be configured for each application you would like to proxy. Each TCP proxy will redirect its traffic toward a specific IP address and TCP port.
• TCP ephemeral ports: It is not possible to restrict the Olfeo TCP proxy ephemeral ports to specific values.
• Protocol recognition: The Olfeo TCP proxy cannot provide any protocol recognition, considering that the protocols are typically proprietary.
• User identification: The Olfeo TCP proxy does not provide any user authentication or identification mechanisms.

TCP proxy utilization example: A specific set of end user computers needs to access a publicly accessible server. These computers are not routed on the Internet but require access to the Olfeo solution. In this situation, configure the Olfeo solution with a TCP proxy redirecting its traffic to the application server on the internet, and configure your proprietary applications to connect to the Olfeo TCP proxy as if it were the destination server.

Configuring the TCP proxy

1. Go to the TCP proxy configuration page using the [Proxy Cache QoS] > [TCP] menu.

Section: Proxy List

2. Click on the button to add a TCP proxy.
3. In the newly created proxy, enter a name in the field from the Label column.
4. In the newly created proxy, enter the listening TCP port in the field from the Port column.
   For example: 30554
5. Click on the link in the Options column and enter the IP address and TCP port for the destination server.
   For example: 192.168.4.3:37141
6. Click on [Ok] to save your changes.

Sub-menu: SOCKS

SOCKS is a network protocol allowing applications to use a proxy if they have been developed with support for this protocol. SOCKS protocol support in applications is a mandatory requirement in order to use a SOCKS proxy. Refer to your applications' documentation in order to verify the SOCKS version and features supported by your applications and the various configurable options.

Limitations

• Supported SOCKS versions: Olfeo SOCKS proxy implements versions 4 and 5 of the SOCKS protocol.
• SOCKS v4 client authentication: Olfeo SOCKS proxy does not support any user authentication in SOCKS v4. This limitation is inherited from the SOCKS v4 protocol, which does not support any end-user authentication.
• SOCKS v5 client authentication: The SOCKS v5 protocol supports end-user authentication on the connection to the SOCKS proxy.
• TCP ports used: It is not possible to specify the outgoing TCP ports used by the Olfeo SOCKS proxy.

Configuring the SOCKS proxy

1. Go to the configuration page for the SOCKS proxy via [Proxy Cache QoS] > [SOCKS] > [Configuration].

Section: Proxy List

2. Use the button to add a SOCKS proxy.
3. In the newly created proxy, enter a name in the field from the Label column.
4. In the newly created proxy, enter the listening TCP port in the field from the Port column.
   For example: 1038
5. Click on [Ok] to save your changes.

Configuring an authentication for the SOCKS proxy

1. Go to the SOCKS proxy authentication configuration page via [Proxy Cache QoS] > [SOCKS] > [Authentication].
2. Add an authentication rule to the SOCKS proxy using the button.
3. In the newly created rule, to configure an authentication mode with a specific timeframe condition, click on the link from the Timeslot column, then click on the timeslot from the Label column.
   Note: If you want to create a time slot go here: Sub-menu: Time slots on page 112.
4. In the newly created rule, if you want to specify a source, click on the link from the [Source] column. Select the type of source on which you want to apply the authentication using the [Select] menu.
   a) If you want to specify an IP address range, select [IP ranges]. Then enter the [Start IP] address, the [End IP] address and a [Range Description]. Note that you can add other IP address ranges using the button. To finish, click [Ok].
5. In the newly created rule, if you want to specify an authentication mode to use, click on the link in the [Mode] column, then select an authentication mode from the Label column. Recall that an authentication mode allows for the configuration of a basic LDAP authentication.
   Note: If you want to create an authentication zone, go to: [Parameters] > [Authentication] > [Authentication Mode].
6. In the newly created rule, if you want to create an association between an IP address and a login on the first authentication, therefore avoiding subsequent authentication requests, enable the [IP2login] checkbox.
7. Click on [Ok] to save the changes.

Chapter 4
Menu: Antivirus

Topics:
• Sub-menu: Parameters
• Sub-menu: Log

Sub-menu: Parameters

The Olfeo solution provides an antivirus to scan end user browsing traffic. The antivirus is activated using the antivirus rules in the Olfeo rules engine.

Note: To communicate with the antivirus, Olfeo internally uses an ICAP connector. Remember to create this connector if it is not defined in [Parameters] > [Architecture].

The use of the Olfeo antivirus as a perimeter antivirus is based on virus signature detection. The Olfeo antivirus solution guarantees uninterrupted protection of your environment through regular updates of these virus signature databases. This feature is enabled by default and requires no configuration on your side.
Note: If you want to update your antivirus manually, go to the page: [Parameters] > [Updates] > [Database]. Olfeo Solution / User guide / 62 4 Menu: Antivirus Antivirus parameters 1. Go to the antivirus parameters page via [Antivirus] > [Parameters]. Section: Configuration 2. If you want Olfeo admins to be notified when a threat is detected, enable the [Enable Virus Mail alert] checkbox. To create the Olfeo admins, go to the page: [Parameters] > [Administrators]. Section: Performance 3. Enter the maximum size for the antivirus incoming connection queue in the [Maximum length for the incoming connection queue] field. This parameter controls the maximum number of concurrent connections (TCP or local) that can be sent to the Olfeo antivirus. Warning: A larger number of incoming connections can lead to errors once the incoming connection queue is full. In this case an error will be displayed in the Olfeo log. Default value: 15 4. Enter the maximum number of threads that can be executing in parallel for virus scanning, in the [Maximum number of threads] field. This parameter controls the size of the thread pool available for virus scanning. If you experience slower than usual browsing, you can try to increase this parameter if you use Olfeo antivirus and observe the behavior change. Repeat the tuning operation as necessary. Olfeo Solution / User guide / 63 4 Menu: Antivirus Warning: Tuning this parameter too larger may lead to a large number of idle threads. It is therefore recommended to perform your tuning operation in incremental steps observing the system behavior after each change. Default value: 10 5. Enter the maximum amount of data scanned by the antivirus when scanning large files in the [Maximum amount of data to scan for each file]. Default value: 100 MB Section: Analysis 6. If you would like to treat encrypted archives as viruses, enable the [Mark encrypted archives as viruses] checkbox. Default value: Disabled 7. 
If you would like Olfeo antivirus to treat executables (PE or ELF) with corrupted or invalid headers as viruses, enable the [Mark broken executables (PE and ELF) as viruses] checkbox. PE (Portable Executable) and ELF are header formats used in executables. PE is a type of format used by Microsoft Windows executables. You can get a description of the PE format from http://msdn.microsoft.com/library/windows/ hardware/gg463125. ELF is a header format used for Unix/Linux executables. You can get a description of the ELF format using the Unix/Linux man elf command. Default value: Disabled Section: Treatment of filed files 8. Enter the maximum depth for nested archives analysis in the [Maximum level of nested archives to inspect] field. This parameter limits Olfeo antivirus recursion when analyzing nested archives. For performance reasons you may want to limit this value. Default value: 31 9. Enter the maximum amount of data to be scanned in files in an archive in the [Maximum size to scan per file in an archive] field. Default value: 25 MB 10. Enter the maximum number of files to scan in an archives in the [Maximum number of files to scan within an archive] field. Note: You can change the default value but this value should cover most of the archives available on the Internet. Default value: 10000 Olfeo Solution / User guide / 64 4 Menu: Antivirus Creating an ICAP connector for the antivirus Note: Verify if an ICAP connector does not already exist. An ICAP connector to be used internally for virus scanning should already be defined after Olfeo installation in the [Parameters] > [Architecture] page. 1. Go to the configuration page via [Parameters] > [Architecture] > [Integration]. 2. Click on the link [Add connector] from the Label column. 3. Select [I use my own equipment] in the [Integration Choice] menu. 4. Enter a name describing the integration method in the [Label] field. 5. Click on [Next]. Olfeo Solution / User guide / 65 4 Menu: Antivirus Section: Parameters 6. 
Choose a connection type ICAP-->Other in the [Type of connection] drop down list.

Section: Connector parameters
7. Choose the Tcp transport protocol in the [Mode] dropdown list.
8. Enter a port number to be used for the antivirus connection. The default value is: 1344
9. Click on [Finish] to save your changes.

Enabling the antivirus
1. Go to the filtering setup page using the menus [Rules] > [Users].
2. Select the [Content] tab.
3. Using the button, add an analysis rule for the antivirus.
4. In the newly created rule, click on the link on the Timeslot column, then click on one of the timeslots from the Label column.
   Note: If you want to create a time slot go here: Sub-menu: Time slots on page 112.
5. In the newly created rule, if you want to specify a source, click on the link from the [Source] column. Select the type of source on which you want to make the filtering using the menu [Select].
   a) If you want to specify an IP address range select [IP Ranges]. Then enter the [Start IP] address, the [End IP] address and a [Range description]. Note that you can add one or more IP address ranges using the button. To finish, click [Ok].
   b) If you want to specify a group of users, select [Users]. Then select the users by enabling the checkboxes in the [Name] column. To finish, click [Ok].
6. In the newly created rule, if you want to specify the protocol type the antivirus will perform its analysis on, click on the link from the [Flow] column. Then select one or more protocols for which you want to make the filtering, by enabling the checkboxes from the [Label] column.
   The following choices are available:
   • FTP
   • HTTP
   • All these protocols.
7. In the newly created rule, click on the link from the column Destination, then click on the type of destination on which you want to apply your antivirus rule, using the menu [Select].
   a) If you want to specify the URLs using a regular expression, click on [URL (regex)] then enter the regular expression in the [Url] field. To finish, click on [Ok].
      Note: Refer to Regex Syntax on page 240 for more information on the regular expression syntax.
   b) If you want to specify the URLs using a list of URLs, click on [URL Lists], then enable the checkboxes of the lists you want to select in the Label column. Once done click on [Ok].
      Note: If you want to create a list of URLs go here: Sub-menu: URLs lists on page 114.
   c) If you want to specify the URLs using a list of categories, click on [Categories Lists], then enable the checkboxes of the lists you want, in the Label column. Once done, click on [Ok].
      Note: If you want to create a Categories List go here: Sub-menu: Categories Group on page 16.
   d) If you want to specify the URLs using web 2.0 lists, click on [Web 2.0 Lists], then enable the checkboxes for the lists you want to select in the Label column. Once done, click on [Ok].
      Note: If you want to create a Web 2.0 list go here: Sub-menu: Web 2.0 Lists on page 18.
   e) If you want to specify the URLs using categories, click on [Categories], then enable the checkboxes of the categories you want to select in the Label column. Once done, click on [Ok].
      Note: If you would like to create a customized category go here: Creating your own category on page 14.
8. In the newly created rule, click on the link from the Content column, to specify the size or the type of content on which the antivirus rule should be applied.
   a) If you want to apply your rule on a specific content size, choose [Size] in the [Select] menu. Then choose the [Operator] and the [Unit] and finally the content size in the [Size] field. To finish, click [Ok] to save your changes.
      For example: > 2 MB
   b) If you want to apply your rule on a specific data format, choose [Real mime-type] in the menu [Select].
      In the Label column, expand the tree of MIME types desired, using the icon. Enable the checkboxes for the corresponding MIME types you want in the Label column. Once done, click [Ok] to save your changes.
      Note: A MIME type is an identifier defining a standard data format on the internet. Using MIME types you can choose the types of media that you want to assign to your rule.
9. To specify this is an antivirus application rule, click on the link from the [Action] column.
   a) Then select [Antivirus] in the [Select] menu.
   b) Click on [Ok] to save your changes.
10. Click on [Ok] to save your changes.

Sub-menu: Log
The log menu shows you the threats detected by the antivirus integrated in the Olfeo solution.
Here is a description of the columns from the threats log:
• Date: This column shows when the threat was detected.
• Client: Here is where you can see the user or the IP address of the computers the threat originated from.
• URL: The URL where the threat is.
• Threats: The type of threat detected.

Chapter 5
Menu: Mobility Controller
Topics:
• Sub-menu: Portals
• Sub-menu: Voucher Types
• Sub-menu: Access Control Lists
• Sub-menu: Messages
• Activating the public portal
• Operator portal

Sub-menu: Portals
The public portals allow the users to authenticate through a page sent by the Olfeo solution. Unlike other types of authentication, public portal user accounts management is performed by the Olfeo solution via one or more operators through a dedicated console. Using this portal, operators create tickets for each user. A ticket is a right to use. It contains a login/password the operator will give to the end user as well as specific properties (time quota, volume quota, authorized timeframes, validity etc.). The number of portal operators and the associated ticket types are unlimited and managed by Olfeo administrators.
Using public portal based authentication can be appropriate in the following situations:
• You want to delegate the creation and management of internet access to an operator.
• You want the end user accounts management to be local to the Olfeo solution.
• You want to link specific properties to user accounts (time quota, volume quota, authorized timeslots, validity etc.).

Adding a public portal
1. Go to the public portals creation page via [Mobility controller] > [Portals].
2. Click on the [Add portal] link to add a new public portal.

Section: Portal
3. Enter a name in the [Label] field.
4. Enter a description in the field [Description].
5. Choose the messages set for the new portal from the dropdown list [Message set].
   Note: If you want to create a messages set for the public portal, go here: Sub-menu: Messages on page 79.
6. Choose the template set for the new portal from the dropdown list [Template set].
   Note: If you want to create a templates set for the public portal, go here: Sub-menu: Messages on page 79.
7. If you want to send messages containing login/password via SMS, choose the SMS Gateway in the [SMS] field.
   Note: If you want to create an SMS Gateway, go here: Sub-menu: Network on page 195.

Section: Self-Registration
Self-registration allows the user to independently generate a ticket for himself when the public portal page is displayed in the browser.
Figure 4: Captive portal page in the end user computer browser
As shown in the screenshot above, the user can click on the link [Send an email containing my login information] or [Send an SMS containing my login information] so that he can himself generate a login that he will receive automatically.
8. If you want the self-generated accounts information to be sent via SMS, select the type of ticket to associate for self-generated accounts via SMS in the [SMS] field.
   Note: Each ticket type has an associated account usage duration.
   Note: In this case, the phone number entered by the user will be used as login. The user will receive the login/password via SMS.
9. If you want the self-generated accounts to be sent by mail, select the ticket type associated to email based self-registration in the [Email] field.
   Note: Each ticket type has an associated account usage duration.
   Note: In this case, the email address entered by the user will be used as a login. The user will receive the login/password by email.
10. Define the reuse period that enables the user to regenerate tickets, using the [Reuse account duration] menu.
   Note: The reuse period defines the time period during which the user is authorized to regenerate the tickets automatically. During this period, the tickets generated are associated to a login (same email or same phone number). After this period of time, the existing user will be renamed and a new user account will be created.

Section: Fields
In this section you can define the fields that can be filled by the operator to create tickets or by the end user using the self-registration feature.
11. Use the button to add a specific field that can be entered by the operator or end user using the self-registration feature, then enter a title in the field from the Label column.
12. Change the fields' properties as follows:
   a) Choose the field type to use, via the Field type.
      Note: The field type Auto-generated allows for the generation of random logins.
   b) If you want the field to be editable, enable the corresponding checkbox in the Editable column.
   c) If you want the field to be mandatory, enable the corresponding checkbox in the Mandatory column.
   d) If the field can be used as a login field, enable the corresponding checkbox from the Login column.

Sub-menu: Voucher Types
A ticket is a right to use for a public portal user.
It contains the login/password as well as specific properties (time quota, volume quota, authorized timeframes, validity etc.). The voucher types are created by the administrator and become available in the list of available vouchers for the operator in the operator portal.

Add a voucher type
1. Go to the voucher type creation page via the [Mobility controller] > [Voucher types].
2. Click on the link [Add a voucher type] to create a new voucher type that can be used by an operator.

Section: Voucher
3. Enter a name in the [Label] field.
4. Enter a description in the [Description] field.

Section: Voucher validity
5. Select the type of action that allows you to validate the voucher, using the radio buttons of the Start sub-section.
   3 choices are available:
   • [At creation]: In this case the ticket validity starts at the voucher creation.
   • [At first connection]: In this case ticket validity starts at the end user's first connection.
   • [On]: In this case the voucher validity starts at a date and time.

Section: Validity
6. Select a validity time for the voucher in the Validity section.
   3 choices are available:
   • [Forever]: In this case the voucher has unlimited validity.
   • [During x days and y hours]: In this case the voucher validity corresponds to the information entered.
   • [Until day j and time y]: The voucher validity expires after the indicated period.

Section: Filtering policy
7. Select the URL filtering policy that should be linked to the voucher type via the dropdown list [Default URL policy].
   You have 2 choices:
   • Either choose a URL policy that you previously created. If you want to create a policy go here: Creating a URLs filtering policy on page 25.
   • Or choose a URL policy of the type [Inherited policy].
     In this case the vouchers will inherit the higher policy that you entered in the rules engine ([Rules] > [Users] tab [Mobility Controller] column URL Filtering). In the following example all the vouchers from the library public portal will inherit the policy: "Library policy".
   Figure 5: Example for setting URL filtering policy
8. Select the protocol filtering policy that should be associated to the voucher type via the [Default protocol policy] drop down.
   You have 2 choices:
   • Either choose a protocol filtering policy that you have created and which should be associated to the voucher type via the [Default protocol policy] drop-down.
   • Or choose a Protocol filtering policy of the type [Inherited policy]. In this case the vouchers will inherit the higher policy that you entered in public portals hierarchy ([Rules] > [Users] [Mobility Controller] under the Protocol Filtering column).
   Figure 6: Protocol filtering policy setup example

Sub-menu: Access Control Lists
The sub-menu [Mobility Controllers] > [Access Control Lists] allows you to define the operators of the public portal and their rights.
Note: Once the public portal operators are created, they can log in to the operator portal.
Note: For more information regarding the operator portal, check: Operator portal on page 87.

Add an operator to the public portal
1. Go to Access Control Lists settings page via [Mobility Controller] > [Access Control Lists].
2. Click on the link [Add an operator profile].

Section: Operator
3. Enter a name in the [Label] field.
4. Enter a description in the [Description] field.

Section: Rights selection
5. Add rights using the button.

Window: Portals
6. Select the portals on which you want to give rights.
   a) To select the portals, expand the tree from the Label column, using the icon, then enable the corresponding checkboxes.
   b) Click on [Ok] to save the changes.

Window: Right
7.
Select the rights you want to assign to the operator profile.
   a) To select the rights, expand the tree from the Label column, using the icon, then enable the corresponding checkboxes.
      The following rights are possible:
      • [User information]
         • [View passwords]: Allows the operator to view users' password.
         • [Edit a user]: Allows the operator to edit an existing voucher and make changes.
      • [Vouchers creation]
         • {List of previously created vouchers}: Allows the selection of the voucher types the operator can create.
      • [Additional URL filtering policies]
         • [Inherited policy]: The operator can assign the "Inherited policy". The policy will therefore be inherited from the policy defined on the main rules engine page ([Rules] > [Users] [Mobility controllers] URL filtering column).
         • {List of previously created URL filtering policies}: Allows the operator to assign a voucher the URL filtering policies from the list of selected URL filtering policies.
      • [Additional protocol filtering policies]
         • [Inherited policy]: The operator can assign to a voucher the "inherited policy" therefore inheriting the policy set in the main rules engine ([Parameters] > [Users] [Mobility controllers] Protocol Filtering column).
         • {List of previously created protocol filtering policies}: Allows the operator to assign a voucher a protocol filtering policy among the selected protocol filtering policies.
      • [Notification media]
         • [Print]: Allows the operator to print vouchers.
         • [Mail]: Allows the operator to send the account information by email.
         • [SMS]: Allows the operator to send the account notification by SMS.
   b) Click on [Ok] to save the changes.

Section: Selecting the users
8. Select the users who will become the public portal operators.
   a) To select the operators, expand the tree from the Name column, using the icons, then enable the corresponding checkboxes.
9. Click on [Create] to save your changes.
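
The operator rights listed above form a deny-by-default delegation model: an operator may only use the portals, voucher types, additional policies and notification media that were ticked in the profile. The following Python model is an added illustration, not Olfeo code; the class names, field names and sample values (other than "Inherited policy" and "Library policy", which come from this guide) are constructed for the example.

```python
"""Added illustration of the operator-profile rights model; not Olfeo code.
All class, field and sample names are constructed for this example."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

INHERITED = "Inherited policy"  # label used by the guide


@dataclass(frozen=True)
class OperatorProfile:
    label: str
    portals: FrozenSet[str]            # Window: Portals
    voucher_types: FrozenSet[str]      # [Vouchers creation]
    url_policies: FrozenSet[str]       # [Additional URL filtering policies]
    protocol_policies: FrozenSet[str]  # [Additional protocol filtering policies]
    media: FrozenSet[str]              # [Notification media]: Print, Mail, SMS


@dataclass(frozen=True)
class AccountRequest:
    portal: str
    voucher_type: str
    url_policy: Optional[str] = None       # None: keep the voucher type default
    protocol_policy: Optional[str] = None  # None: keep the voucher type default
    notify: Tuple[str, ...] = ()


def authorize(profile: OperatorProfile, request: AccountRequest) -> List[str]:
    """Return the refused items; an empty list means the request is allowed.
    Deny by default: every item must be explicitly granted in the profile."""
    denied = []
    if request.portal not in profile.portals:
        denied.append(f"portal:{request.portal}")
    if request.voucher_type not in profile.voucher_types:
        denied.append(f"voucher_type:{request.voucher_type}")
    if request.url_policy is not None and request.url_policy not in profile.url_policies:
        denied.append(f"url_policy:{request.url_policy}")
    if (request.protocol_policy is not None
            and request.protocol_policy not in profile.protocol_policies):
        denied.append(f"protocol_policy:{request.protocol_policy}")
    for medium in request.notify:
        if medium not in profile.media:
            denied.append(f"media:{medium}")
    return denied


def effective_policy(requested: Optional[str], voucher_default: str,
                     rules_engine_policy: str) -> str:
    """Resolve the policy a voucher ends up with.
    requested: the operator's choice, or None to keep the voucher type default.
    rules_engine_policy: the policy set for the portal in the rules engine,
    which is what [Inherited policy] resolves to."""
    chosen = requested if requested is not None else voucher_default
    return rules_engine_policy if chosen == INHERITED else chosen


# Constructed sample profile: a front desk operator limited to one portal,
# one voucher type, the inherited URL policy and printed vouchers only.
FRONT_DESK = OperatorProfile(
    label="Front desk",
    portals=frozenset({"Library"}),
    voucher_types=frozenset({"Guest 1 hour"}),
    url_policies=frozenset({INHERITED}),
    protocol_policies=frozenset(),
    media=frozenset({"Print"}),
)

if __name__ == "__main__":
    ok = AccountRequest("Library", "Guest 1 hour",
                        url_policy=INHERITED, notify=("Print",))
    bad = AccountRequest("Lobby", "Staff 1 week",
                         url_policy="Unfiltered", notify=("SMS",))
    print(authorize(FRONT_DESK, ok))
    print(authorize(FRONT_DESK, bad))
    print(effective_policy(None, INHERITED, "Library policy"))
```
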
Sub-menu: Messages
The sub-menu [Mobility controller] > [Messages] allows you to define the texts and the design of the pages related to the public portal such as:
• The login page.
• The voucher printing page.
• The self-registration page.
• The Password recovery form.
• The voucher email content.
• Etc.
More precisely:
• The [Messages] tab allows you to define the texts shown to the users in accordance to the users' browsers supported languages.
• The [Templates] tab allows you to add images and to reorganize the pages shown to your users.
• The [Message Preview] tab allows you to view the final result of your modifications.

Creating a message set
1. Go to the creation page for a message set via the [Rules] > [Messages] > [Messages] menu.
2. Click on the link [Add a message set].

Section: Add a Message Set
3. Enter a name in the [Label] field.
4. Enter a description in the [Description] field.

Section: Languages
5. Set the default language for this message set using the Default column. This language will be used if no language has been assigned to users in the users list in the [Rules] > [Users] menu.
6. Click on the language of your choice by selecting it from the Language column.
   Note: If you want to add a new language, click on the button.

Section: Login Form/Printed Voucher/Self-Registration/Password recovery/Send the voucher by mail/Send the voucher by SMS/Miscellaneous
7. Edit as needed the messages available in the various sections.
   Here is a set of variables that you can use in your messages:
   • %Req.User.Login% : Displays the user login for the associated voucher.
   • %Req.User.Expire.Day% : Displays the voucher expiration day.
   • %Req.User.Expire.Month% : Displays the voucher expiration month.
   • %Req.User.Expire.Year% : Displays the voucher expiration year.
   • %Req.User.Expire.Hours% : Displays the voucher expiration hour.
   • %Req.User.Expire.Minutes% : Displays the voucher expiration minute.
   • %Req.User.ValidityStart.Day% : Displays the voucher validity start day.
   • %Req.User.ValidityStart.Month% : Displays the voucher validity start month.
   • %Req.User.ValidityStart.Year% : Displays the voucher validity start year.
   • %Req.User.ValidityStart.Hours% : Displays the voucher validity start hour.
   • %Req.User.ValidityStart.Minutes% : Displays the voucher validity start minute.
   • %Webauth.Create.Login% : Displays the email or the phone number used to create the voucher based on the self-registration method selected.
   • %Webauth.Login% : Displays the login of an already authenticated user.
   • %Webauth.IP% : Displays the IP address of an already authenticated user.
8. Click on [Ok] to save your changes.

Creating a template set
1. Go to the creation page for a template set via the [Rules] > [Messages] > [Templates] menu.
2. Click on the link [Add a template set].

Section: Add a Template Set
3. Enter a name in the [Label] field.
4. Enter a description in the [Description] field.
5. Click on [Create] to save your changes.

Tab: Templates
6. Click on the template you want to create in the Label column.

Section: Picture 1, 2 or 3
7. If you want to upload a new image click on the [Browse] button and then select the image file.
   a) Click [Ok] to store the newly added image.
      Note: The newly uploaded image can be referenced in your template using the following string:
      Picture 1: <?cs var:Page.Img.1 ?>
      Picture 2: <?cs var:Page.Img.2 ?>
      Picture 3: <?cs var:Page.Img.3 ?>
8. Edit the newly created templates set by clicking below the Label column.

Section: Elements
9. Click on the [Footer], [Self-Registration], [Mail message], [Header], [Print] or [Mobility Controller] to modify the HTML code for the corresponding page.
   a) Edit as needed the displayed HTML code.
      Note: You can edit the variables, messages order or the pages content. Below are two code examples that you can use to insert images that you previously uploaded.
         <img src='<?cs var:Page.Img.1 ?>' />
         <div style='background-image:url(<?cs var:Page.Img.3 ?>);'> ... </div>
   b) Click on [Ok] to save your changes.
10. Click on [Ok] to save your changes.

Previewing custom messages and template set
1. Go to the preview page to display your custom messages and templates via the [Rules] > [Messages] > [Message Preview] menu.

Section: Option
2. Choose the language for the message set you want to display using the [Language] dropdown list.
3. Choose the message set you want to display, using the [Messages] dropdown list.
4. Choose the template set you want to display using the [Templates] dropdown list.
5. Choose the page type you want to display using the [Page type] dropdown list.

Section: Preview
6. You can see the result in the preview section.

Assigning your messages and template sets
1. Go to the main rules engine page using [Rules] > [Users] > [Mobility controllers].

Section: Users list
2. In the users list section in the Name column, click on the object you want to assign a message or template set to. If needed, expand the users list hierarchy using the icon to display the enterprise directory, the groups or users.

Window: Users List Configuration
3. Select the language you want to assign using the [Language] dropdown list.
4. Select the messages set you want to assign using the [Message Set] dropdown list.
5. Select the templates set you want to assign using the [Templates] dropdown list.
6. Click on [Ok] to save your changes.
   Note: In the users' hierarchy, next to the object you changed, the following icon will be displayed, indicating an advanced function has been configured.

Activating the public portal
1.
Go to the main rules engine page via [Rules] > [Users] > [Access] tab.
2. Click the button to add a rule.
3. In the newly created rule, you can select a timeslot condition using the link in the Timeslot column. Then you will have to select a timeslot from all the timeslots previously configured using the Label column.
   Note: If you want to create a time slot go here: Sub-menu: Time slots on page 112.
4. In the newly created rule, if you want to specify a source condition, click on the link from the [Source] column. Select the type of source you want to use as a condition using the [Select] dropdown list.
   a) If you want to specify an IP address range select [IP Ranges]. Then enter the [Start IP] address, the [End IP] address and a [Range description]. Note that you can add one or more IP address ranges using the button. To finish, click [Ok].
   b) If you want to specify a group of users as condition, select [Users]. Then select the users by enabling the checkboxes in the [Name] column. To finish, click [Ok].
5. In the newly created rule, if you want to specify a protocol type as a condition, click on the link from the [Flow] column. Then select one or more protocols by enabling the corresponding checkboxes from the [Label] column.
   The following choices are available:
   • FTP
   • HTTP
   • HTTPS
   • RTSP
   • All these protocols.
   Note: The public portal is typically used with browser-type HTTP clients, because it requires web page based user authentication that cannot be displayed by non-browser HTTP clients. The supported protocols for the public portal are therefore HTTP and HTTPS.
6. In the newly created rule, click on the link in the Destination column, then click on the type of destination for which you want to apply the rule via the [Select] menu.
   a) You can apply the public portal to particular destinations using a regular expression. To do so click on [URL (regex)] then enter the regular expression in the [Url] field.
      To finish, click [Ok].
      Note: Refer to Regex Syntax on page 240 for more information on the regular expression syntax.
   b) If you want to apply the public portal using a URLs list, click on [URL Lists], then enable the corresponding checkboxes for the URL lists in the Label column. Once done, click on [Ok].
      Note: If you want to create a list of URLs go here: Sub-menu: URLs lists on page 114.
   c) If you want to apply the public portal to a list of categories as destination, click on [Categories Lists], then enable the corresponding checkboxes for the desired categories lists in the Label column. Once done, click on [Ok].
      Note: If you want to create a Categories List go here: Sub-menu: Categories Group on page 16.
   d) If you want to apply the public portal to Web 2.0 Lists as a destination, click on [Web 2.0 Lists], then enable the corresponding checkboxes for the desired Web 2.0 Lists in the Label column. Once done, click on [Ok].
      Note: If you want to create a Web 2.0 list go here: Sub-menu: Web 2.0 Lists on page 18.
   e) If you want to apply the public portal to a set of categories as a destination, click on [Categories], then enable the corresponding checkboxes for the desired categories, in the Label column. Once done, click on [Ok].
      Note: If you would like to create a customized category go here: Creating your own category on page 14.
7. In the newly created rule, click on the icon from the [Action] column.
   a) Select [Authentication Portal] via the [Select] menu.
   b) Select the desired public portal you want to use via the [Portal] menu.
   c) Click on [Ok] to save your changes.
8. Click on [Ok] to save your changes.

Operator portal
To create accounts intended for public portal end users, operators use a specific console: the operator portal. To access the operator portal, go to [Mobility Controllers] > [Portals], then click on the [Operator's Portal] tab.
Figure 7: The tab allows access to the public portal
Once the operator portal page is displayed, send the displayed URL to the operator so he can create the accounts.
Figure 8: Operator portal
Note: The accounts allowed to use the operator portal are defined here: Sub-menu: Access Control Lists on page 78.

Operator: Creating accounts
This procedure is for operators.
1. Go to the operator portal console using the URL the admin sent you.
2. Connect to the portal by entering your [Username], your [Password] and choosing your [Language].
3. Click on the [Account creation] tab.

Section: Selecting the portal
4. Select the public portal on which you want to create an account, using the radio buttons from the [Portal] list.

Section: Create a user on portal: <Portal Name>
5. Enter the login for the user in the [Login] field.
   Note: If the login is automatically generated, you can optionally change it or keep it as is.
6. If desired and if the Olfeo administrator has authorized the operator to edit this field, you can change the password in the [Password] field.
   Warning: If you are not authorized to change the password and you want this field to be modifiable, contact your Olfeo administrator. Using the menu [Mobility controller] > [Portals], the Olfeo administrator can change the corresponding properties for the appropriate field in the fields of the corresponding public portal to make the field editable.
7. Choose a language that will be used by the user, in the [Language] field.
8. Populate the remaining fields, particularly those related to user contact information such as ([E-mail], [Phone] ...).
   Warning: Note the required fields are marked with an asterisk.

Section: Rights assignment
9.
Choose the voucher type you want to assign to the new account by selecting one of the radio buttons from the [Profile] field.
10. Check the Start and Validity values that were generated for the account you are creating.
11. If you have the appropriate authorizations, you can assign a URL filtering policy by selecting it from the [URL filtering] list.
   Note: If you cannot assign a URL filtering policy because you don't have the appropriate authorization, contact your Olfeo administrator. Using the menu [Mobility Controller] > [Access Control Lists], the Olfeo administrator will change your corresponding [Operator Profile] and give you the right to assign URL filtering policies by modifying your operator profile [Additional URL filtering policies] property.
12. If you have the appropriate authorizations, you can assign a protocol filtering policy by selecting it from the [Protocol Filtering] list.
   Note: If you cannot assign a protocol filtering policy because you don't have the appropriate authorization, contact your Olfeo administrator. Using the [Mobility Controller] > [Access Control Lists], the Olfeo administrator will change your corresponding [Operator Profile] and give you the right to assign Protocol filtering policies by modifying your operator profile [Additional protocol filtering policies] property.
13. Click on [Create] to create the account or on [Start Over] to restart the account creation process.
14. If you want to print the voucher just created, click on the button [print the voucher] and follow the printing popup instructions.
   Note: To be able to print, your browser should allow popup windows from Olfeo. (Menu [Parameters] > [Network] > [Sms]).
15. If you want to email the voucher information click on the button [Send the voucher by email].
   Note: To send the vouchers by email, the Olfeo administrator should have configured the SMTP gateway for the Olfeo solution (Menu [Parameters] > [Network] > [SMTP]).
   a) Once the printing popup window is displayed, click on the [Print] link in the upper left corner of the window to start printing.
   b) Then give the printout to the public portal user.
16. If you want to send voucher information click on the button [Send the voucher by SMS].
   Note: To send the voucher by SMS, the Olfeo administrator should have configured a SMS gateway for the Olfeo solution (Menu [Parameters] > [Network] > [SMS]).

Viewing existing accounts information
This procedure is for operators.
1. Go to the operator portal console using the URL the Olfeo administrator sent you.
2. Connect to the operator portal by entering your [Username], your [Password] and choosing your [Language].
3. Click on the [Account list] tab.

Section: Accounts list
4. Public portal accounts information is displayed in the following columns:

   Option: Description

   Creator: The Creator column displays the public portal operator who created the account:
      • The name of the operator will be displayed.
      • If the account was created by the end user using the self-registration process, the self-registration method will be displayed.

   Portal: The Portal column displays the public portal the account belongs to.

   Login: The Login column displays the user login. It can be:
      • The login entered by the operator.
      • The phone number entered by the user during the SMS self-registration process.
      • The email entered by the user during the email based self-registration process.

   Creation: The Creation column displays the account creation date.

   Start: The Start column displays the initial voucher validity. It can be:
      • A date.
      • First connection if the account is valid from the first connection.

   Validity: The Validity column contains the voucher validity period. It can be:
      • A duration in days.
      • A specific date.

   Active: The Active column indicates if an account is active.
      The operator can mark an account as inactive by enabling the corresponding checkbox in this column.

Modifying existing account information
This procedure is for operators.
1. Go to the operator portal console using the URL the Olfeo administrator sent you.
2. Connect to the operator portal by entering your [Login], your [Password] and selecting your [Language].
3. Click on the [Account list] tab.

Section: Accounts list
4. If you want to deactivate an account, disable the corresponding checkbox from the Active column.
   a) Click on [Ok] to validate the confirmation popup.
      Once deactivated, the user cannot connect anymore using this account. The user account will be displayed with a strikethrough style in the users list and can be reactivated at any time by an operator.
5. Select the account you want to modify by clicking on one of the links from the columns Creator, Portal, Login, Creation, Start, Validity.

Section: Voucher summary
6. You can modify the voucher fields such as [Password], [Login], [Language], [Phone] ...

Section: Rights Grant
7. If you want to change voucher fields such as [Start], [Validity], [URL filtering] or [Protocol filtering], click on the [New Voucher] button.
   a) Choose the voucher type you want to assign to the account by selecting one of the radio buttons from the [Profile] field.
   b) If you have the appropriate authorizations, you can assign a URL filtering policy by selecting it from the [URL filtering] list.
      Note: If you cannot assign a URL filtering policy because you don't have the appropriate authorization, contact your Olfeo administrator. Using the menu [Mobility Controller] > [Access Control Lists], the Olfeo administrator will change your corresponding [Operator Profile] and give you the right to assign URL filtering policies by modifying your operator profile [Additional URL filtering policies] property.
c) If you have the appropriate authorizations, you can assign a protocol filtering policy by selecting it from the [Protocol Filtering] list.
Note: If you cannot assign a protocol filtering policy because you don't have the appropriate authorization, contact your Olfeo administrator. Using the menu [Mobility Controller] > [Access Control Lists], the Olfeo administrator will change your corresponding [Operator Profile] and give you the right to assign protocol filtering policies by modifying your operator profile [Additional protocol filtering policies] property.
d) Click on [Modify].
8. If you want to print the voucher just created, click on the button [print the voucher] and follow the printing popup instructions.
Note: To print, your browser needs to be set up to allow popup windows.
9. If you want to email the voucher information, click on the button [Send the voucher by mail].
Note: To send the vouchers by email, the Olfeo administrator must configure an SMTP gateway for the Olfeo solution (Menu [Parameters] > [Network] > [SMTP]).
a) Once the printing popup window is displayed, click on the [Print] link in the upper left corner of the window to start printing.
b) Then give the printout to the public portal user.
10. If you want to send voucher information via SMS, click on the button [Send the voucher by SMS].
Note: To send the voucher by SMS, the Olfeo administrator must configure an SMS gateway for the Olfeo solution (Menu [Parameters] > [Network] > [SMS]).
11. Click on the [Modify] button to edit the account or [Back to list] to cancel the account modification.

Chapter 6
Menu: Rules

Topics:
• Sub-menu: Users
• Sub-menu: Quotas
• Sub-menu: Time slots
• Sub-menu: URLs lists
• Sub-menu: Messages
• Submenu: Internet Charters

Sub-menu: Users

The [Rules] > [Users] menu contains the rules engine.
This is where the filtering rules, the authentication rules (captive or public portal), as well as the internet charter activation are applied.
The rules engine is composed of two distinct parts:
1. The global part of the rules engine allows you to apply general filtering rules.
2. The users list. This part allows you to apply predefined rules (filtering policies) to an Organizational Unit (OU), a group of users, a specific user or an IP address.

Rules engine

The configuration of the rules engine is done via 4 tabs ([Connection], [Access], [Preview], [Content]) in which the Olfeo administrator creates filtering rules.

Table 3: The 4 tabs of the rules engine
Tab: Description
[Connection]: The [Connection] tab controls the right to connect to remote servers. This is where the Olfeo administrator sets up filtering rules controlling connections to remote servers using SOCKS and FTP.
[Access]: The [Access] tab controls the right to access remote resources (FTP based file download, videos, etc). In the [Access] tab, the configuration of the access restrictions can be done for HTTP, HTTPS, FTP and RTSP. The Olfeo administrator can also define rules to enable user authentication via a captive portal, a public portal or using Novell SSO. This tab also allows the Olfeo administrator to activate an Internet charter.
[Preview]: The [Preview] tab provides the capability to define filtering rules applied at the start of a download process or when Olfeo is invoked by an external proxy or via the ICAP protocol. More precisely, it uses the preview option of the ICAP protocol. In this tab the Olfeo administrator can define filtering rules for content based on MIME type (text, picture, videos, files etc.) and size before receiving the whole content. The main advantage of the preview tab is that content can be filtered before it is downloaded and therefore before it consumes bandwidth.
[Content]: The [Content] tab provides control of content after it has been completely received via the HTTP and FTP proxy. In this tab you create filtering rules based on content MIME type (text, picture, videos, files etc.) or size after receiving the content in its entirety. In this tab you can also implement antivirus scanning of the received content.

Warning: Note the difference between [Connection] and [Access]. For example, blocking a server in [Access] prevents any file download from it, but you can still connect to it via the FTP proxy and browse the remote tree structure.

The configuration tabs for the rules engine have some common criteria:
• The choice of the timeslot.
• The source, which can be the client IP address, the username or his group.
• The destination, which can be a group of categories or a group of URLs.
• The action to perform. The action that can be performed depends on the tab being used.

The usage of the rules engine covers the following cases:
• Antivirus scanning of the downloaded content.
• Usage of the captive or public portal to authenticate groups of users.
• Control over the type of file accessed by the user regardless of the protocol used.
• Filtering operation over the size of files that can be downloaded by users.
• Etc.

Warning: Similar to a firewall, the Olfeo rules engine applies filtering rules according to their priorities. Filtering rules are evaluated from top to bottom.

Configuring Filtering

1. Go to the main rules engine page using the [Rules] > [Users] menu.
2. Select the phase you want to apply a filtering rule to among [Connection], [Access], [Preview] or [Content].

Table 4: The 4 rules engine tabs
Tab: Description
[Connection]: The [Connection] tab controls the right to connect to remote servers. This is where the Olfeo administrator sets up filtering rules controlling connections to remote servers using SOCKS and FTP.
[Access]: The [Access] tab controls the right to access remote resources (FTP based file download, videos, etc). In the [Access] tab, the configuration of the access restrictions can be done for HTTP, HTTPS, FTP and RTSP. The Olfeo administrator can also define rules to enable user authentication via a captive portal, a public portal or using Novell SSO. This tab also allows the Olfeo administrator to activate an Internet charter.
[Preview]: The [Preview] tab provides the capability to define filtering rules applied at the start of the download process or when Olfeo is invoked by an external proxy or via the ICAP protocol. More precisely, it uses the preview option of the ICAP protocol. In this tab, you can set filtering rules to filter out content based on content MIME type (text, pictures, videos, files etc.) and content size before the content is actually received. The main advantage of the preview tab is its ability to filter out content before the content is actually received, therefore saving bandwidth. In the [Preview] tab you can specify the transfer method to use for ICAP based integration. The following 3 options are available:
• [Wait for the end of the analysis]: Wait until the data has been received and analyzed before transferring to the end user.
• [Patience page]: While waiting for data transfer and analysis, display a patience page to the end user showing a progress bar for data transfer and analysis.
• [Data trickling]: Data bytes are transferred to the user as soon as they have gone through the analysis phase.
[Content]: The [Content] tab provides the capability to filter out content after it has been entirely received. It applies to the HTTP and FTP proxy. In this tab you create rules filtering content based on MIME type (text, picture, videos, files etc.) or size after the content has been entirely received. You can also implement antivirus scanning of the received content.

3. Click the button to add a rule.
4. In the newly created rule, you can select a timeslot condition using the link in the Timeslot column. Then you will have to select a timeslot from all the timeslots previously configured using the Label column.
Note: If you want to create a time slot go here: Sub-menu: Time slots on page 112.
5. In the newly created rule, if you want to specify a source condition click on the link from the [Source] column. Select the type of source you want to use as a condition using the [Select] dropdown list.
a) If you want to specify an IP address range select [IP Ranges]. Then enter the [Start IP] address, the [End IP] address and a [Range description]. Note that you can add one or more IP address ranges using the button. To finish, click [Ok].
b) If you want to specify a group of users as condition, select [Users]. Then select the users by enabling the corresponding checkboxes in the [Name] column. To finish, click [Ok].
6. In the newly created rule, if you want to specify a protocol as a condition click on the link from the [Flow] column. Then select one or more protocols by enabling the corresponding checkboxes from the [Label] column. The following choices are available:
• FTP
• HTTP
• HTTPS
• RTSP
• All these protocols.
7. In the newly created rule, click on the link from the Destination column, then click on the type of destination for which you want to apply the rule via the menu [Select].
a) If you would like to filter the URLs by a regular expression (regex), click on [URL (regex)] then enter the regular expression in the [Url] field. To finish click on [OK].
Note: Remember that the REGEX syntax is explained here: Regex Syntax on page 240.
b) If you would like to filter the URLs by URLs lists, click on [URLs Lists] then confirm the lists of URLs that you want by using the checkboxes in the Label column. To finish click on [OK].
Note: If you want to create a list of URLs go here: Sub-menu: URLs lists on page 114.
c) If you would like to filter the URLs by categories lists, click on [Categories Lists] then confirm the lists that you want using the checkboxes in the Label column. To finish click on [OK].
Note: If you want to create a Categories List go here: Sub-menu: Categories Group on page 16.
d) If you would like to filter URLs using a Web 2.0 List, click on [Web 2.0 List] then confirm the Web 2.0 lists you want, using the checkboxes from the Label column. To finish click on [OK].
Note: If you want to create a Web 2.0 list go here: Sub-menu: Web 2.0 Lists on page 18.
e) If you would like to filter the URLs by categories, click on [Categories] then confirm the categories you want, using the checkboxes from the Label column. To finish click on [OK].
Note: If you would like to create a customized category go here: Creating your own category on page 14.
8. In the newly created rule, click on the icon from the [Action] column, then click on the type of action you want to apply to your rule, using the [Select] menu.
a) If you want your filtering rule to allow the corresponding traffic, select [Allow].
b) If you want your filtering rule to block the corresponding traffic, select [Deny].
c) If you want your filtering rule to apply a public or captive portal, select [Authentication portal] as action.
• Then select the captive or public portal that you want to set up, using the [Portal] dropdown list.
• If your authentication mode uses an Active Directory enterprise directory and you want to use the NTLM authentication method, enable the [Use NTLM] checkbox.
• To finish, click [Ok].
9. Click on [Ok] to save your changes.

Users list

In this window, via the [Rules] > [Users] menu, you can apply filtering policies. But in order to apply a filtering policy to users or groups, you need to populate Olfeo with users from your directory using the [Parameters] > [Authentification] menu.
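The rules built with the Configuring Filtering procedure above are evaluated from top to bottom, so the position of a rule decides whether it ever applies. The following model is an added example, not Olfeo code: the `Rule` fields, the rule labels, the addresses and the `example.test` hosts are constructed, whole-URL regex matching and half-open hour ranges are assumptions, and only the pattern `.*google\.fr.*` comes from the guide's URL list example.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

ANY = None  # a criterion left unset matches every request


@dataclass
class Rule:  # hypothetical model of one row of a rules engine tab
    label: str
    action: str                      # "Allow" or "Deny"
    source: Optional[tuple] = ANY    # (start IP, end IP), like an [IP Ranges] entry
    flows: Optional[set] = ANY       # e.g. {"HTTP", "HTTPS"}
    dest_regex: Optional[str] = ANY  # like a [URL (regex)] destination
    hours: Optional[list] = ANY      # [(7, 12), (14, 18)] means 7h-12h and 14h-18h


@dataclass
class Request:
    client_ip: str
    flow: str
    url: str
    when: datetime


def matches(rule, req):
    """True when every criterion set on the rule matches the request."""
    if rule.source is not ANY:
        start, end = (ipaddress.ip_address(a) for a in rule.source)
        if not start <= ipaddress.ip_address(req.client_ip) <= end:
            return False
    if rule.flows is not ANY and req.flow not in rule.flows:
        return False
    # Assumption: a pattern has to match the whole URL.
    if rule.dest_regex is not ANY and not re.fullmatch(rule.dest_regex, req.url):
        return False
    if rule.hours is not ANY and not any(a <= req.when.hour < b for a, b in rule.hours):
        return False
    return True


def evaluate(rules, req):
    """Top-to-bottom evaluation: the first matching rule decides."""
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.label
    return "Apply user policy", None  # no rule matched: fall through


def shadowed(rules, probes):
    """Labels of rules that match some probe but never get to decide one."""
    deciding = {evaluate(rules, p)[1] for p in probes}
    return [r.label for r in rules
            if r.label not in deciding and any(matches(r, p) for p in probes)]


# Constructed rule list: a broad Allow sits above three Deny rules.
RULES = [
    Rule("allow-search", "Allow", dest_regex=r".*google\.fr.*"),
    Rule("deny-guest-ftp", "Deny", source=("10.0.5.10", "10.0.5.50"), flows={"FTP"}),
    Rule("deny-video-work-hours", "Deny", flows={"HTTP", "HTTPS"},
         dest_regex=r"https?://video\.example\.test/.*", hours=[(7, 12), (14, 18)]),
    Rule("deny-tracker", "Deny", dest_regex=r"https?://tracker\.example\.test/.*"),
]

# Same list with the Allow pattern tied to the host part of the URL.
ANCHORED = r"https?://([^/]+\.)?google\.fr(/.*)?"
FIXED = [Rule("allow-search", "Allow", dest_regex=ANCHORED)] + RULES[1:]


def at(hour):
    return datetime(2014, 6, 2, hour, 0)  # constructed date


# Constructed probe requests used to review the rule list.
PROBES = [
    Request("10.0.5.20", "HTTP", "http://www.google.fr/search?q=olfeo", at(9)),
    Request("10.0.5.20", "FTP", "ftp://files.example.test/pub/", at(9)),
    Request("10.0.7.7", "HTTPS", "https://video.example.test/watch", at(10)),
    Request("10.0.7.7", "HTTPS", "https://video.example.test/watch", at(13)),
    Request("10.0.7.7", "HTTP", "http://tracker.example.test/?ref=google.fr", at(9)),
]

if __name__ == "__main__":
    for name, rules in (("original", RULES), ("anchored", FIXED)):
        print(name)
        for p in PROBES:
            print("  ", p.url, p.when.hour, "->", evaluate(rules, p))
        print("   shadowed rules:", shadowed(rules, probes=PROBES))
```

With the original list the last probe is allowed by the first rule and `deny-tracker` is reported as shadowed; with the anchored pattern, or with the Deny rule moved above the Allow rule, the same probe is denied.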
Note: It is possible to manually add items in the users list. Manually adding users, users groups or IP addresses can be done instantly by clicking on the container. In order to view a manually created object you need to close and expand the object container using the icon. Olfeo does not refresh these lists automatically in order to avoid delays of several seconds after each new entry for customers with thousands of users in the same group.
Note: To view the last sync of the Olfeo users database, hover over the OU name.

Here is a list of icons that are used in the users list interface:
• (By OU, group or user) allows you to activate an advanced feature such as access log, audit, custom message or custom model. (Do not log access, audit, custom messages or templates).
• (On policies) The presence of this icon means that the policy is a non-terminal policy or policy with inheritance type. A policy is inherited when it contains the field [Fallthrough rule] set to [Upstream policy].
• (On policies) The presence of this icon means that the policy is terminal. Any context that is not included in the declared policy of this rule is either [Allow] or [Deny].
• (On OU/groups/users) gives a visual alert that an internet charter is enabled.
• The presence of this icon indicates that logging is enabled for the object in question.
• The presence of this icon indicates that coaching is enabled for the object in question.
• The presence of this icon indicates that the auditing mode is enabled for the object in question.
Note: To directly edit a policy, click the icon or icon.

Policies

A URL filtering policy is a set of predefined rules that you can assign to an organizational unit, to a user group, to a specific user or to an IP address.
The URL filtering policies can be created via the menu [URL Filtering] > [Policies].
The policies are assigned to users in the lower part of the rule engine (menu [Rules] > [Users]), more specifically in the Protocol Filtering column.
Warning: The policies are executed only when the general rule engine has the field [Fallthrough rule] set to Apply user policy.
Figure 9: Field [Fallthrough rule]
The Olfeo solution evaluates filtering policies starting with the lowest level (the user or the IP address), and then goes upwards to the highest level (the default configuration) until it finds a filtering rule matching the request context.
A URL filtering policy can inherit a policy from a higher level. To configure inheritance of a higher policy, edit the child policy in [URL Filtering] > [Policies] and set the field [Fallthrough rule] to the value Upstream policy.
A policy with inheritance configured will be displayed with the icon while a policy without inheritance will be displayed with the icon .
Note: To facilitate navigation, if you click on the icon or you will have direct access to edit the attached policy.

Default configuration

This object is used to define the parameters that will apply to all users filtered by the Olfeo solution. Any user who does not have a policy, or his group, or his BU, will use the default filtering policy. Assigning a default configuration policy is mandatory to ensure that unauthenticated users or users with an authentication failure are filtered.
You can define:
• A default URL filtering policy.
• A default protocol filtering policy.
• A message set to use for all users for various Olfeo pages.
• A template definition for Olfeo blocking pages (logo, ...).
• Activate/Deactivate the coaching feature at global level.
• Activate/Deactivate the audit mode at global level.
• Activate/Deactivate logging at global level.
Danger: Some configurations use a default policy preventing internet use for unauthenticated users.
Other configurations use a default filtering policy implementing minimal filtering, ensuring legal protection and protection against unwanted internet use for non-authenticated users or guests.

Configuring the default users list

1. Go to the filtering policies assignment page via [Rules] > [Users].
2. In the Directories tab click on the link [Default configuration] from the Name column.
3. Enable the desired parameters:
• [Don't Log Access]: This option prevents any recording of users' internet access.
• [Audit]: This option enables the audit mode. Users' internet access is recorded but no filtering is enforced. Even if the filtering policies are evaluated, the decision applied is always to allow the corresponding traffic. This option therefore makes it possible to build statistics and assess the potential impact of a blocking condition.
• [Coaching]: Enable the coaching feature.
4. Choose the language to apply in the [Language] field.
5. Choose the message set to apply in the [Message Set] field.
6. Choose the templates to apply in the [Templates] field.
7. Choose the internet charter to apply in the [Internet Charter] field.
8. Click on [Ok] to save the changes.

Editing an object from the users list

1. Go to the filtering policies assignment page via [Rules] > [Users].
2. In the Directories tab click on an Organizational Unit (OU), a Group or a User from the Name column.
3. [Gateway]: If a gateway using the Olfeo solution has been configured, enter its IP address in the [Gateway] field.
Note: If you did not add a gateway, go to the menu: [Parameters] > [Advanced] > [Gateways].
4. [Redirection URL]: If an internet access is blocked by Olfeo, a blocking page is displayed to the user. It is possible to create a customized Redirection URL to redirect the user to a custom blocking page.
Note: By default on a blocking condition, Olfeo generates a redirection URL with the following format:
http://%Sys.Host%:%Sys.HTTPD.Port%/%Req.Answer.WWWModule%/?SessionID=%Session.SessionID%
Example 1: Send a redirect URL with an IP address different from the Olfeo local IP address. In the case of a customer contacting the Olfeo solution using a NAT based IP address, the redirection URL for the Olfeo blocking page will use the local IP address of the Olfeo, which will lead to a connection failure. For the redirection to work, the solution must send a redirection URL containing the NAT based IP address, therefore allowing the end-user to reach the Olfeo. To set up a custom IP address (192.168.4.1) use the [Redirection URL] field:
http://192.168.4.1:%Sys.HTTPD.Port%/%Req.Answer.WWWModule%/?SessionID=%Session.SessionID%
Example 2: Send a custom redirect URL that contains the name or place where the users are. Imagine the case in which the customer is located in a remote branch of the parent company. When sending the redirection URL to the blocking page, it may be interesting for the branch to display the user location (name of the branch) rather than the location of the parent company. For the redirection to work, the Olfeo solution must send a redirection URL containing the NAT based IP address and the end user location to contact Olfeo. If you want a custom redirection URL containing the users' location name, enter it in the [Redirection URL] field with:
http://masuccursale.monenterprise.com:%Sys.HTTPD.Port%/%Req.Answer.WWWModule%/?SessionID=%Session.SessionID%
5. [Don't log access]: Use this option if you do not want to record the corresponding users' browsing activity in the Olfeo database. To enable it select Enabled in the dropdown list [Don't log access].
Warning: The corresponding end users will still be subject to Olfeo filtering policies but their browsing activity will not be recorded in Olfeo logs and therefore will not be visible in any analysis from the [Analysis] menu. For legal reasons, the NCSA logs are saved with the user traffic.
6. [Audit]: If you do not want to block the corresponding end users but save the browsing activity in the Olfeo database in the same manner as if it was filtered (blocking, overriding, etc...), select Enabled in the [Audit] dropdown list. Once enabled, no filtering will be performed, therefore no blocking page will be displayed to the corresponding users but their browsing activity will be recorded.
7. [Coaching]: To enable the coaching feature, select Enabled in the [Coaching] dropdown list. The coaching feature automatically sends a periodic email to users with the feature activated. This email includes a predefined set of user specific browsing activity reports.
8. [Language]: In this field, select the language to associate to the corresponding users.
9. [Message Set]: To associate a specific message set to the corresponding users, select a message set from the [Messages] dropdown list. To create a custom messages set go to [Rules] > [Messages] > [Messages].
Note: A messages set allows you to customize the texts displayed in various pages presented to end users.
10. [Templates]: If you want to associate a custom templates set to the corresponding users, select the set from the [Templates] dropdown list. You can create a custom templates set via the [Rules] > [Messages] > [Templates] menu.
Note: A messages set allows you to customize the rendering of the various pages presented by the Olfeo solution to the end users.
11. [Internet Charter]: To associate an internet charter to the corresponding users, select the appropriate internet charter from the [Internet Charter] dropdown list. You can create an internet charter via the [Rules] > [Internet charters] menu.
12. Click on [Ok] to save your changes.

Configuring a URL filtering policy

1. Go to the URL filtering policy configuration page using the menu [Rules] > [Users].
2. In the [Directories] tab or [Mobility controllers], expand the users' hierarchy in the [Name] column using the icon in order to display the organizational units, the groups or the users for which you want to apply your policy.
3. Click on the corresponding link from the [URL Filtering] column and then select the URL filtering policy that you want.
Note: If you would like to edit the policies or to create a policy, go to the page [URL Filtering] > [Policies].

Assigning a protocol filtering policy

1. Go to the main Olfeo page used to assign filtering policies using the menu [Rules] > [Users].
2. In the [Directories] tab or [Mobility controllers], expand the users' hierarchy in the [Name] column using the icon in order to display the organizational units, the groups and users you would like to apply a filtering policy on.
3. Click on the link in the [Protocol Filtering] column and select the desired protocol filtering policy.
Note: If you would like to modify existing policies or create a new policy go to the [Protocol filtering] > [Policies] page.

User lookup

You can look up a specific user by entering a name or substring in the [Name filter] field and then clicking on the button. To clear the name filter, click on the button.

Sub-menu: Quotas

A quota is used to restrict access to categories in volume or time. When a website subject to this quota is blocked, the user may choose to use his quota. An Olfeo information page will be displayed, informing the user about the access to a category that is subject to a quota.
Consider the case of a time quota:
Figure 10: Example of an information page for a time quota
If the user confirms the opening of a session, a session will start, therefore reducing the user time quota by the entire duration of the session. The session duration is counted minute by minute. Using sessions with a time quota limits access in time but also in number of accesses. For example, a daily 30 minutes quota with a session duration of 15 minutes will allow the user to access the URL only twice a day.
Warning: Once a quota session has been opened by a user, the total duration of the session is automatically deducted from the quota even if the user does not use the session in its entirety.

Creating a time quota

1. Go to the time quota creation page via [Rules] > [Quotas] > [Quotas].
2. Click on the link [Add quota].
Section: Quota
3. Enter a name in the [Label] field.
4. Enter a description in the [Description] field.
Section: Configuration
5. Choose the quota frequency in the [Period] field.
6. Enter the quota duration in minutes in the [Duration] field.
7. To require end-users to confirm the opening of their quota, enable the [Confirm to open quota] checkbox. If you do not enable this checkbox, end-users will not be informed that their browsing is subject to a quota.
Note: The quota opening confirmation request is only displayed when there is no active quota session.
8. To assign a specific session duration, enable the [Use session] checkbox, then enter the desired session duration in minutes in the corresponding field.
Note: If you do not specify a specific session duration, the default set by Olfeo is 1 minute (if the user does not generate traffic for a minute, the quota session expires).
9. Click on [Create] to save changes.

Creating a volume quota

1. Go to the volume quotas page via [Rules] > [Quotas] > [QuotaVols].
2. Click on the link [Add a volume quota].
Section: QuotaVol
3. Enter a name in the [Label] field.
4. Enter a description in the [Description] field.
Section: Configuration
5. Choose the quota frequency in the [Period] field.
6. Enter the volume quota in MB in the field [Volume].
7. Click on [Create] to save changes.

Using a quota

Quotas are used in filtering policy rules. To configure a filtering policy go to the [URL filtering] > [Policies] page. Edit or create the policy in which you want to use a quota and, on the rule you want to apply the quota to, select your quota as an action in the Action column.
Warning: While it's possible for an end-user to be subject to multiple quotas, a category cannot be subject to more than one quota. If multiple quotas have been defined for a particular category, only the highest priority rule quota will apply.
Note: It is possible to restrict a quota application to a specific timeslot (quota for non-professional sites during working hours but unlimited access outside the corresponding timeslot).

Sub-menu: Time slots

A time slot allows you to set the days of the week and hours during which a filtering policy applies. You can, for example, be more lenient in your filtering for any browsing activity outside business hours, therefore allowing users to access more web sites. Time slots allow you to adjust your policies or rules in the filtering engine.

Creating a timeslot

1. Go to the timeslot creation page via [Rules] > [Time Slots].
2. Click on the link [Add timeslot].
Section: Timeslot
3. Enter a name in the [Label] field.
4. Enter a description in the [Description] field.
Section: Week
5. Enter a timeslot during workdays. The syntax for timeslots is specified in the example below. The example shows the implementation of a timeslot for professional hours.
Thus, the filtering policy will be stricter from 7h to 12h and from 14h to 18h. Outside of these timeframes, the filtering policy will not apply.
Danger: More precise timeframes, such as "7h45-12h10", are correct and can be applied, however they cannot be used for statistics generation! In fact, displaying statistics with timeframe constraints will work with full hours only!
6. Click on [Ok] to save the changes.

Using a timeslot

Timeslots are used via a URL filtering policy, or via the rules engine.
• To use a timeslot in a policy, go to the [URL filtering] > [Policies] page. Edit the desired policy and use the timeslot in the Timeslot column for the rule you want to change.
Figure 11: Usage example in policies
• To use a timeslot in the rules engine, go to the page [Rules] > [Users] and select the timeslot in the Timeslot column of the rule engine.
Figure 12: Rules engine usage example

Sub-menu: URLs lists

A URLs list is a container used to group a set of URLs that you want to define outside of the categories. This URLs list can then be included in a policy or the rule engine.

Creating a URL List

1. Go to the URLs list creation page via [Rules] > [URL Lists].
2. Click on the link [Add URL List].
Section: URL List
3. Enter a name in the [Label] field.
4. Enter a description in the [Description] field.
Section: Configuration
5. To add URLs to the URLs list you want to create, you have 2 options:
• You can add a list of URLs from a text file by selecting it with the button [Browse] and then clicking on:
  • the [Add] button to import the content of the file in the [Urls added] field.
  • the [Replace] button to replace the content of the [Url added] field.
• You can manually enter URLs in the [URL added] field.
Each line of your URL list will list a single URL and will end with a newline.
You can also create URLs using the regular expression syntax explained in the chapter Regex Syntax on page 240. Here is an example of a URLs list:
  .*google\.fr.*
  http://www.dailymotion.fr
  .*yahoo\.fr
6. If you want to export your URLs list to a text file, click on the [Export] button. Once the list is displayed in your browser, click on [File] > [Save As] and save your file as a text file.
7. Click on [Ok] to save changes.

Using a URLs list

URL lists are used in a filtering policy, or in the main Olfeo rules engine.
• To use a URLs list in a filtering policy, go to the [URL filtering] > [Policies] page. Edit the desired policy and use your URLs list in the Destination column for the rule you want to change.
• To use a URLs list in the Olfeo main rules engine, go to the [Rules] > [Users] page and use the URLs list in the Destination column for the rule you want to change in the rule engine.

Sub-menu: Messages

The [Rules] > [Messages] submenu allows you to define the texts and the rendering of:
• Blocking pages.
• Quota pages.
• Coaching page.
• Security alert page.
More specifically:
• The [Messages] tab allows you to define / change the texts displayed to end-users based on the users' browsers supported languages.
• The [Templates] tab allows you to add pictures and to adapt the rendering of the various pages presented by Olfeo to the end users.
• The [Message Preview] tab allows you to display the result of your modification.

Creating a Message Set

1. Go to the creation page for a message set via the [Rules] > [Messages] > [Messages] menu.
2. Click on the link [Add a message set].
Section: Add a Message Set
3. Enter a name in the [Label] field.
4. Enter a description in the [Description] field.
Section: Languages
5. Set the default language for this message set using the Default column.
This language will be used if no language has been assigned to users in the users list in the [Rules] > [Users] menu.
6. Click on the language of your choice by selecting it from the Language column.
Note: If you want to add a new language, click on the button.
Section: Block pages/Quota/Bypass/Mail/Coaching mail/Custom/Webauth/Miscellaneous
7. In the corresponding sections, edit the messages you want to change. Messages in a messages set can use various variables:
• %Req.Category.id%: The URL category Id (useful in a javascript).
• %Req.Category.Label%: The URL category name with its Alias. Each category has an Alias that can be changed by clicking on the category you want in the menu [URL Filtering] > [Categories].
• %Req.Category.LabelOlfeo%: Shows the original name of the Olfeo category (ignoring the alias).
• %Req.Category.Description%: The URL category description.
• %Req.Category.theme_id%: Shows the theme (Security risk, Adult Content, Business Services etc.) of the Olfeo URL category.
• %Req.URL%: Shows the full URL.
• %Req.ShortURL%: Shows the truncated URL up to 50 characters.
• %Req.Virname%: Shows the name of the virus found.
• %Rule.Cond.Whitelist.Label%: Shows the label of the URL list.
• %Rule.Cond.Web20list.Label%: Shows the label of the Web 2.0 list.
• %Rule.Action.Quota.Label%: Shows the name of the quota object used.
• %Rule.Action.Quota.RemainingDuration%: Shows the remaining quota time.
• %Rule.Action.Quota.TotalDuration%: Shows the initial quota duration.
• %Rule.Action.Quota.TotalVolume%: Shows the volume quota available.
• %Rule.Action.Quota.Session%: Shows the quota session duration.
• %Req.User%: Shows the user name.
• %Req.User.Login%: Shows the user login.
• %Req.Ip%: Shows the user IP address.
• %Sys.Hostname%: Shows the machine name.
• %Req.Filename%: Shows the downloaded file name.
• %Licence.Company%: Shows the company the Olfeo solution is licensed to.
• %Coaching.Period%: Shows the coaching email frequency.
• %Coaching.Date%: Shows the coaching email date.
8. Click on [Ok] to save your changes.

Creating a templates set

1. Go to the template set creation page via the [Rules] > [Messages] > [Templates] menu.
2. Click on the link [Add a template set].

Section: Add a Template Set
3. Enter a name in the [Label] field.
4. Enter a description in the [Description] field.
5. Click on [Create] to save your changes.

Tab: Template
6. Click on the template you want to create in the Label column.

Section: Picture 1, 2 or 3
7. If you want to upload a new picture, click on the [Browse] button and then select the picture file.
a) Click [Ok] to store the newly added picture.
Note: The newly uploaded picture can be referenced in your template using the following strings:
Picture 1: <?cs var:Page.Img.1 ?>
Picture 2: <?cs var:Page.Img.2 ?>
Picture 3: <?cs var:Page.Img.3 ?>
8. Edit the newly created templates set by clicking on the corresponding entry in the Label column.

Section: Elements
9. Click on the link [Block page], [Header] or [Footer] to change the HTML code and alter the rendering of the selected pages.
a) Edit the displayed HTML code as needed.
Note: You can edit the variables, the order of the messages or the content of the pages. Below are two code samples that you can use to insert images that you previously uploaded.

<img src='<?cs var:Page.Img.1 ?>' />
<div style='background-image:url(<?cs var:Page.Img.3 ?>);'> ... </div>

b) Click on [Ok] to save your changes.
10. Click on [Ok] to save your changes.

Previewing your custom pages

1. Go to the preview page to display your custom messages set and templates set via the [Rules] > [Messages] > [Message Preview] menu.

Section: Option
2. Choose the language for the message set you want to display using the [Language] dropdown list.
3.
Choose the message set you want to display using the [Messages] dropdown list.
4. Choose the template set you want to display using the [Template] dropdown list.
5. Choose the page type you want to display using the [Page type] dropdown list.

Section: Preview
6. You can see the result in the preview section.

Assigning the message and template sets

1. Go to the main rules engine page via [Rules] > [Users] > [Directories].

Section: Users list
2. In the users list section in the Name column, click on the object you want to assign a messages set or templates set to. If needed, expand the users list hierarchy using the icon to display the enterprise directory, the groups or users.

Window: Users List Configuration
3. Select the language you want to assign using the [Language] dropdown list.
4. Select the messages set you want to assign using the [Message Set] dropdown list.
5. Select the templates set you want to assign using the [Templates] dropdown list.
6. Click on [Ok] to save your changes.
Note: Look for the following icon to appear to the right of the just-edited object. This icon indicates that an advanced function has been set.

Submenu: Internet Charters

An Internet Charter is a document defining the rules governing all the enterprise's Internet-related activities. The Internet charter identifies the rights, obligations and responsibilities of company employees. Implementing it protects against any abuse of IT tools and can be used as a reference in case of a dispute.

In the Olfeo solution, the Internet Charter can be configured to be systematically presented to end users for acceptance before allowing any browsing activity. It is displayed as a page in the client's browser. In order to continue browsing the internet, the user must accept the policy presented by the page.
Once accepted, no additional validation will be required as the internet charter is embodied in the filtering policies.

Figure 13: Sample Internet charter

Note: If you want to update your internet charter, you will need to create a new charter. The charter that users previously agreed to cannot be changed.

Creating an Internet Charter

1. Go to the page for creating Internet Charters via [Rules] > [Internet Charter] > [Internet Charters].
2. Click on the [Add an Internet chart] link.

Section: Internet Charter
3. Enter a name in the [Label] field.
4. Enter a description in the [Description] field.

Section: Messages
5. In the field [Introduction], enter a text introducing the internet charter.
Sample description: Your browsing is subject to acceptance of the company's Internet charter. To proceed, you must accept the applicable Internet charter.
6. In the [I have read the condition message] field, enter the text that will be displayed next to the checkbox the user will have to enable to confirm reading the internet charter.
Example: Confirm
7. In the [Acknowledge button] field, enter the text that will be displayed in the acknowledge button.
Example: Accepted

Section: Link to the internet charter
8. In the field [Internet charter link label], enter the text to be displayed for the link pointing to the internet charter.
Example: Click this link to read the internet charter
9. If the content of your Internet charter is on a website, enter the link to access it in the [Hypertext link] field, then click on the radio button to the left of this field to enable the use of this option to display the internet charter.
10. If the content of your Internet charter is in a file, enter the link to access it in the [Charter file] field. Then click the radio button located to the left of the field to specify use of this option to display the Internet policy.
Note: You can use the file format of your choice (pdf, txt, etc.). Regardless, when the user clicks on the policy display link, the file will download to the client machine for display.
11. Click on the [Preview] button to see the results of your changes in a separate screen.
12. You can view the history of user acceptance of your Internet charter in the field [Internet chart validation history].
13. Click on [Ok] to save your changes.

Enabling an Internet charter

1. Go to the main rules engine page using the [Rules] > [Users] menu.

Section: Directories
2. In the user list section, click on the object in the Name column to which you want to apply the Internet charter. If necessary, expand the tree to show the directory, the user or group you want.

Window: User list configuration
3. From the [Internet Charter] dropdown list, select the Internet charter to apply.
4. Click on [Ok] to save your changes.
Note: To the right of the object you just edited, the following icon will appear, indicating that an Internet charter has been associated to this object.

Section: rules engine
5. Click on the [Access] tab of the rules engine.
6. Add a filtering rule with the button.
7. In the newly created rule, click the button in the Action column.

Window: Action
8. Choose Internet Charter in the [Select] field.
9. Click on [Ok] to save your changes.

Section: rules engine
10. Click on [OK] to save the newly created rule.

History of Internet charter acceptance

You can view the internet charter acceptance history. To view the history, go to the internet charter creation page via [Rules] > [Internet Charters] > [Internet Charters]. Then click on the desired charter and go to [Internet chart validation history].

Figure 14: Example of Internet charter acceptance history.
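The sample URLs list given in the URL lists section of this chapter (.*google\.fr.*, http://www.dailymotion.fr, .*yahoo\.fr) can be checked against test URLs before it is used in a rule. The following is an added example, not Olfeo code: it assumes that an entry must match the whole URL and that Python's re module behaves like the syntax in the Regex Syntax chapter; the test URLs, the intended-domain pairing and the strict_pattern helper are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Entries from the guide's sample URLs list, each paired with the domain it is
# presumably meant to cover (the pairing is an assumption of this example).
GUIDE_ENTRIES = [
    (r".*google\.fr.*", "google.fr"),
    (r"http://www.dailymotion.fr", "dailymotion.fr"),
    (r".*yahoo\.fr", "yahoo.fr"),
]

# Constructed test URLs (not from the guide); the look-alike hosts are made up.
SAMPLE_URLS = [
    "http://www.google.fr/search?q=x",
    "http://notgoogle.fr/",
    "http://example.test/?u=google.fr",
    "http://www.dailymotion.fr",
    "http://www.dailymotion.fr/video/1",
    "http://wwwxdailymotion.fr",
    "http://www.yahoo.fr",
    "http://www.yahoo.fr/mail",
    "http://example.test/?next=yahoo.fr",
]


def host_in_domain(url, domain):
    """True when the URL's host is the domain itself or one of its subdomains."""
    host = urlsplit(url).hostname or ""
    return host == domain or host.endswith("." + domain)


def audit(pattern, domain, urls=SAMPLE_URLS):
    """Return (overbroad, missed) for one list entry.

    overbroad: URLs the entry matches although their host is outside the domain.
    missed:    URLs inside the domain that the entry does not match.
    Assumption: an entry has to match the whole URL, hence fullmatch().
    """
    rx = re.compile(pattern, re.IGNORECASE)
    overbroad, missed = [], []
    for url in urls:
        matched = rx.fullmatch(url) is not None
        wanted = host_in_domain(url, domain)
        if matched and not wanted:
            overbroad.append(url)
        elif wanted and not matched:
            missed.append(url)
    return overbroad, missed


def strict_pattern(domain):
    """Hypothetical helper: an entry tied to the host part of the URL.

    Scheme, optional subdomain labels, the escaped domain, optional port,
    then either the end of the URL or a path, query or fragment.
    """
    return (r"https?://([a-z0-9-]+\.)*" + re.escape(domain)
            + r"(:[0-9]+)?([/?#].*)?")


if __name__ == "__main__":
    for pattern, domain in GUIDE_ENTRIES:
        for label, candidate in (("as written", pattern),
                                 ("host-anchored", strict_pattern(domain))):
            overbroad, missed = audit(candidate, domain)
            print(f"{domain:15} {label:14} over-matches={overbroad} misses={missed}")
```

An entry that reports over-matches or misses should be rewritten and tested again with the product's own regex syntax before it is placed in the Destination column of a rule.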
Chapter 7
Menu: Analysis

Topics:
• Submenu: Creation
• Submenu: Consultation
• Submenu: Diffusion lists
• Submenu: Coaching
• Submenu: Livelog
• Submenu: Log extract

Submenu: Creation

Use [Analysis] > [Creation] to define the criteria used to graphically display end users' browsing data. Two types of statistics computation can be performed: Analyses or Reports.
• Use Analyses to define a set of criteria that will be used to dynamically execute users' queries in the administration console.
• Use Reports to define a set of criteria that the Olfeo solution computes periodically (# every three minutes by default). Results are displayed almost instantly when requested by an Olfeo administrator.

Various additional properties differentiate analyses from reports. The following table presents the pros and cons of each type:

Choice: Analyses
Advantages:
• Let you dynamically browse statistics using SQL queries.
• Ability to save analysis criteria for later reuse.
• Ability to change filters to refine results.
• Possibility of keeping the last few queries in memory.
• An analysis is required to create a report.
Limitations:
• Response time / request executed in real time on the database.
• Data retention lower than reports (10 million lines retained in the database).
• Cannot be sent automatically because the results are not saved.

Choice: Reports
Advantages:
• Immediate response time.
• Retention for up to 3 years.
• Possibility to switch back from report to analysis.
• Report can be sent automatically via email.
• Results presentation can be changed.
• The statistical data are defined in a database of 10 million lines by default. The data is rotated and only the results of statistical reports remain available.
• Reports data requires only very little space on disk because reports are stored in specific tables.
Limitations:
• Impossible to change filters.
• Inability to dynamically navigate the results.
As a workaround, you can create an analysis from a report.

The [Analysis] > [Time] menu provides a way to evaluate only the time spent by end users.

Warning: The calculated time spent is only an estimate. A user may open several web sites either on multiple screens or in multiple tabs. Because these sites are open at the same time, a typical computation will add up the time spent on all sites. This computation makes no sense, because adding up all the time spent on each website would result in a person spending more than 24 hours on the Internet in one day. Therefore, the Olfeo solution averages the time spent on each site when multiple sites are open simultaneously. However, it is impossible to know which site is actually being accessed by a user at a given time. This computation is only provided as an estimate.

The time spent computation is complex and may require some time. Therefore options on this tab are limited.

Creating a report or analysis

1. Go to the reports creation page via the [Analysis] > [Creation] > [Creation] menu.
2. Select the type of analysis you want to perform using the [URL], [Protocol] or [Threats] radio buttons. For information:

Criteria | Description
[URL] | To be used for the creation of URL filtering statistical analysis.
[Protocol] | To be used for the creation of Protocol filtering statistical analysis.
[Threats] | To be used for the creation of Antivirus and Web threat statistical analysis.

3. Enter a name for your report in the [Name] field.
4. Choose the criteria on which your report will be based from the [I want to see] dropdown list.
• If you selected [URL] in step 2 on page 132:

Criteria | Description
[Theme] | Provides statistics on Olfeo category themes (for information, a theme is a group of categories in the Olfeo URL database). The list of themes in the Olfeo URL database is available from: [URL Filtering] > [Categories] [Category] menu, section List.
[Category] | Provides statistics by categories. A category is a grouping of URLs in the Olfeo database. The list of categories in the Olfeo database is available from [URL Filtering] > [Categories] [Category] section List.
[Domain] | Provides statistics on DNS domains accessed by end users.
[Action] | Provides statistics on the filtering action (deny or allow) performed by Olfeo.
[Group] | Provides statistics on end users groups.
[User] | Provides statistics on end users.
[IP] | Provides statistics on source IP addresses.
[Year] | Provides statistics by years.
[Month] | Provides statistics by months.
[Day] | Provides statistics by days.
[Hour] | Provides statistics by hours.

• If you selected [Protocol] in step 2 on page 132:

Criteria | Description
[Protocol] | Provides statistics on protocols used. The list of protocols detected by the Olfeo solution is available from: [Protocol Filtering] > [Protocols].
[Domain] | Provides statistics on DNS domains accessed by end users.
[Action] | Provides statistics on filtering actions (deny or allow) performed by the Olfeo solution during protocol filtering.
[Group] | Provides statistics on end users groups.
[User] | Provides statistics on end users.
[IP] | Provides statistics on source IP addresses.
[Year] | Provides statistics by years.
[Month] | Provides statistics by months.
[Day] | Provides statistics by days.
[Hour] | Provides statistics by hours.

• If you selected [Threats] in step 2 on page 132:

Criteria | Description
[Domain] | Provides statistics on DNS domains accessed by end users and on which threats have been detected.
[Threat] | Provides statistics on detected threats.
[Mime Type] | Provides statistics on MIME types for detected threats.
[Action] | Provides statistics on the filtering action (allow, deny) performed by the Olfeo solution on detected threats.
[Group] | Provides statistics on end users groups for which threats have been detected.
[User] | Provides statistics on end users for which threats have been detected.
[IP] | Provides statistics on source IP addresses for which threats have been detected.
[Year] | Provides statistics by years.
[Month] | Provides statistics by months.
[Day] | Provides statistics by days.
[Hour] | Provides statistics by hours.

5. Select a criterion to provide the first level of detail in your analysis/report from the [I detail this result by] dropdown list.
Note: The list of criteria to choose from for the first level of detail is identical to the criteria presented for step 5 on page 134.
6. Select the data unit to use for displaying the data in your analysis/report from the [I put the result in] dropdown list. The data unit can be selected from the following list of available choices:
• [Hits]: A hit is an access to a resource (picture, HTML, JavaScript, CSS, etc.) over HTTP by an HTTP client. For example, a page containing three pictures will result in 4 hits (1 for the page itself and 3 for the pictures).
• [Page count]: The page count equals the number of pages accessed by the HTTP client.
• [Volume]: Volume of data transferred in bytes.
7. If you want to restrict the data displayed to a subset of the results, select the number of results to display from the [I limit the result to] dropdown list.
8. Enter the start date for the statistical computation by clicking on the link in the [From] field.
9. Enter the end date for the statistical computation by clicking the link in the [To] field.

Section: Filter
10. You can enter additional filters as additional criteria by clicking on the button.
a) To configure a user group filter, select [Group] in the [Select a filter type] dropdown list.
Next, expand the group tree in the [Name] column by clicking the button and select the groups you want to filter on. Once done, click the [Ok] button.
b) To configure a DNS domain filter, select [domain] in the [Select a filter type] dropdown list. Next, in the [domain] field, enter the DNS domain name you want to filter on (use the REGEX syntax described here: Regex Syntax on page 240). Once done, click the [Ok] button.
c) To configure an IP address filter, select [IP] in the [Select a filter type] dropdown list. Next, in the [IP] field enter the IP address you want to filter on. Once done, click on the [Ok] button.
d) To configure an action filter, select [Action] in the [Select a filter type] dropdown list. Choose the action you want to filter on by enabling the corresponding checkboxes in the Label column. Once done, click on the [Ok] button.
e) To configure a user's filter, select [User] in the [Select a filter type] dropdown list. Next, expand the user tree in the [Name] column, using the buttons, then select the users you want to filter on. Once done, click the [Ok] button.
f) To configure a categories filter, select [Categories] in the [Select a filter type] dropdown list. Next, expand the category tree in the [Label] column, using the buttons, then choose the categories you want to filter on. Once done, click the [Ok] button.
11. Enable the checkbox in the NOT column to configure an exclusion type filter.

Section: Graphic display
12. Select the statistics display type to use:
Warning: Clicking on the display type buttons triggers the statistical computation. A complex statistical computation can cause a high processor and I/O load. If the list of criteria specified requires processing a large volume of data, producing the results for display can take a long time.
Option Description
• This button triggers an HTML graphical display:
• This button triggers a simple bars graph display:
• This button triggers a stacked bars graph display:
• This button triggers a pie charts display:

13. To save your statistics computation criteria, click the [Create a Report] button if you want to create a report or the [Create an Analysis] button if you want to create an analysis.
Note: To learn the differences between a Report and an Analysis, go here: Submenu: Creation on page 130.
Note: You can refer back to your saved report or analysis using the [Analysis] > [Consultation] menu.

Performing a time spent analysis

1. Go to the time spent analysis page via the [Analysis] > [Creation] > [Time] menu.
2. Select the detailing criteria to use for the analysis from the [I detail this result by] dropdown list.
3. If you want to limit the results displayed to a subset of the results, select the number of result entries to display from the [I limit the result to] dropdown list.
4. Enter the start date for the statistical computation by clicking on the link in the [From] field.
5. Enter the end date for the statistical computation by clicking the link in the [To] field.

Section: Filter
6. You can enter additional filters as additional criteria by clicking on the button.
a) To configure a categories filter, select [Categories] in the [Select a filter type] dropdown list. Next, expand the category tree in the [Label] column, using the buttons, then choose the categories you want to filter on. Once done, click the [Ok] button.
b) To configure a user's filter, select [User] in the [Select a filter type] dropdown list. Next, expand the user tree in the [Name] column, using the buttons, then choose the users you want to filter on. Once done, click the [Ok] button.
c) To configure a theme filter, select [Theme] in the [Select a filter type] dropdown list. Then select the themes you want to filter on. Once done, click the [Ok] button.
d) To configure a timeslot filter, select [Timeslot]. Then select the corresponding timeslots you want to filter on. Once done, click the [Ok] button.
7. Enable the checkbox in the NOT column to configure an exclusion type filter.

Section: Graphic display
8. Select the statistics display type to use:
Warning: Clicking on the display type buttons triggers the statistical computation. A complex statistical computation can cause a high processor and I/O load. If the list of criteria specified requires processing a large volume of data, producing the results for display can take a long time.
Note: For more information on graphic display, go here: Creating a report or analysis on page 132.

Submenu: Consultation

The [Analysis] > [Consultation] page lets you access and display your saved reports and analyses.

You can disable a report by clicking on the icon. A report is considered inactive when its corresponding icon appears grayed out.

You can also mark an analysis or a report as a favorite using the icon.
Note: An analysis added to the favorites of the currently logged-in Olfeo administrator appears with an icon. A report added to the favorites of the currently logged-in Olfeo administrator appears with an icon.

Displaying a report

1. Go to the reports consultation page via the [Analysis] > [Consultation] > [Report] menu.

Tab: Report
2. Click on the report name in the Name column or select the date you want to display the report for in the Quick Access column.

Figure 15: Date access shortcut

Note: If you select a time period in the dropdown list from the Quick Access column, the corresponding report for that time period will be displayed.
The start date [From] field and end date [To] field will be set in accordance with the time period selected.

Tab: Open Report
3. If required, change the fields [Name], [I detail this result by], [I put this result in] and [I limit the result to] to refine your report display.
Note: For more information about each of these fields, go here: Creating a report or analysis on page 132.
4. Select the start date for your report by selecting the date from the [Start] dropdown list.
5. Select the end date for your report by selecting the date from the [Stop] dropdown list.

Section: Filter
6. Modifiable filter criteria can be changed, including the checkbox from the NOT column allowing you to set an exclusion type filter.
Warning: Not all filter criteria can be changed. This is one of the limitations of reports, as explained here: Submenu: Creation on page 130.
Note: If you are limited by the number and type of modifiable criteria, you can also go back to an analysis [Creation] mode by clicking the [Create] button. In this situation, you go back to an analysis [Creation] page with all report criteria set.

Section: Graphic display
7. Select the statistics display type to use:
Warning: Clicking on the display type buttons triggers the statistical computation. A complex statistical computation can cause a high processor and I/O load. If the list of criteria specified requires processing a large volume of data, producing the results for display can take a long time.

Option Description
• This button triggers an HTML graphical display:
• This button lets you display simple bar graphs:
• This button triggers a stacked bars graph display:
• This button triggers a pie charts display:

8. Once the graphical representation is displayed, you can use the [Print] button to print the page or the [Export] button to export the results to a csv file.
Note: To print, your browser needs to be set up to allow popup windows.
Note: The csv is a text format in which fields are separated by semicolons. This file can easily be imported in Excel.
9. If you changed any fields and want to save those changes, click on the [Ok] button. Otherwise, click on the [Cancel] button.

Setting the report retention period

1. Go to the reports consultation page via the [Analysis] > [Consultation] > [Report] menu.

Tab: Report
2. In the Name column, click the report you want to display.

Tab: Open report
3. Click the [Parameters] button to access the page to set the report retention period.

Tab: Reports retention period
4. Set the daily, weekly, or monthly reports retention periods using the corresponding [Daily Report], [Weekly Report] and [Monthly Report] dropdown lists.
5. Click on [Ok] to save the changes.

Displaying an analysis

1. Go to the analysis display page via the [Analysis] > [Consultation] > [Analysis] menu.

Tab: Analysis
2. Click on the analysis name in the Name column for the analysis you want to display.

Tab: Open Analysis
3. If required, set the [Name], [I want to see], [I detail this result by], [I put this result in] and [I limit the result to] fields to refine the analysis.
Note: For more information about each of these fields, go here: Creating a report or analysis on page 132.
4. Enter the start date by clicking on the link in the [From] field to set your analysis start date.
5. Enter the end date by clicking the link in the [To] field to set your analysis end date.

Section: Filter
6. Modifiable filter criteria can be changed, including the checkbox from the NOT column allowing you to set an exclusion type filter.
Warning: Unlike reports, all filter criteria can be changed.

Section: Graphic display
7.
Select the statistics display type to use:
Warning: Clicking on the display type buttons triggers the statistical computation. A complex statistical computation can cause a high processor and I/O load. If the list of criteria specified requires processing a large volume of data, producing the results for display can take a long time.

Option Description
• This button lets you display an HTML graphic:
• This button triggers a simple bars graph display:
• This button triggers a stacked bars graph display:
• This button triggers a pie charts display:

8. Once the graphical representation is displayed, you can use the [Print] button to print the page or the [Export] button to export the results to a csv file.
Note: To print, your browser needs to be set up to allow popup windows.
Note: The csv is a text format in which fields are separated by semicolons. This file can easily be imported in Excel.
9. If you made changes to fields and you want to keep the changes, click on the [OK] button. To discard the changes, click on the [Cancel] button. To create a new analysis based on criteria stored in the current analysis, click the [Clone] button.

Submenu: Diffusion lists

The [Analysis] > [Diffusion lists] page lets you configure mailing lists for the automated distribution of your statistical reports.

A diffusion list is made up of:
• A set of reports to be distributed.
• A set of recipients to receive the reports.
• The reports distribution frequency (daily, weekly, and monthly).

To disable a diffusion, click on the icon. A diffusion is deactivated when its icon appears grayed out.

Creating a diffusion list

1. Go to the diffusion list page via the [Analysis] > [Diffusion lists] menu.

Section: Diffusion
2. Enter a name describing the diffusion in the [Label] field.

Section: Email
3.
Enter the subject to be used when sending email in the [Subject] field.
4. Select diffusion email [Recipients] by enabling the corresponding checkboxes in the [Send] column.
Note: Recipients displayed are the list of Olfeo administrators previously created using the [Parameters] > [Administrators] > [Administrators] page.
5. Enter additional recipients for the reports diffusion in the [Additional Emails] field.
Note: To enter additional email addresses, separate them with a comma. Example: tpaine@mycompany.com, wpaley@mycompany.com

Section: Transmission frequency
6. Select how frequently you want to distribute your reports by enabling the corresponding [Daily], [Weekly] or [Monthly] checkboxes.

Section: Available reports
7. Select the reports you want to send by enabling the corresponding checkboxes in the Send column.
8. Click on [Create] to save your changes.
Warning: The automated diffusion time is specified in [Parameters] > [Network] > [SMTP]. To change the diffusion time, go here: Configuring SMTP on page 197.

Submenu: Coaching

Use the [Analysis] > [Coaching] menu to select the coaching reports frequency and select the coaching reports to send. On this page, you can also send a test coaching report to a particular user. This is useful for checking that the settings are correct and validating that the coaching feature is operational.

Configuring coaching

1. Go to the coaching configuration page via the [Analysis] > [Coaching] menu.

Section: Frequency
2. Enable the corresponding checkboxes to enable [Daily], [Weekly] or [Monthly] coaching emails.

Section: Report
3. Enable the various pre-defined reports you want to send as part of the coaching email.
• [By theme in page count]: the end user will be sent a report of his browsing activity sorted by theme.
• [By categories in page count]: the end user will be sent a report of his browsing activity sorted by categories in page count.
• [By user department categories in page count]: the end user will be sent a report of the top 20 categories accessed by his group or service members.
• [Top 20 most used Internet domains]: the end user will be sent a report of his top 20 internet domains.
• [Top 20 Internet domain bandwidth utilization]: the user will be sent a report of his top 20 bandwidth utilization domains (volume expressed in kilobytes).
• [Most blocked Categories]: the user will receive a report of the user's most blocked categories.

Below is an example of a coaching report of type [By categories in page count]:

Figure 16: Sample coaching report of type [By categories in page count]

Section: Testing the coaching feature
4. Using the [Test user] dropdown list, select a user to send the coaching reports to.
5. Press the [Test] button to send the enabled coaching reports to the selected test user.
Note: For the Olfeo solution to send emails, you must first have configured an SMTP gateway. To configure an SMTP gateway, go here: Configuring SMTP on page 197.
6. Once you have confirmed the coaching feature is operational, click the [Ok] button to save the changes.

Enabling the coaching feature

1. Go to the filtering policies assignment page via [Rules] > [Users].
2. In the Directories tab, click on an Organizational Unit (OU), a Group or a User from the Name column.
3. Set coaching to Enabled in the [Coaching] field.
4. Click on [Ok] to save your changes.

Submenu: Livelog

The [Analysis] > [Livelog] page displays the filtering operations performed by the Olfeo solution. More specifically, this feature lets you visualize the flows of URLs, protocols and files handled by the Olfeo solution as well as the associated filtering operations.
Note: The [Livelog] function is indispensable because it provides a way for Olfeo administrators to confirm the Olfeo solution filtering functions are operational with respect to a user, a group, or your entire company.

The following information is displayed on the [Livelog] page:

Column | Description
Date | This column displays the time the user http hit was processed by the Olfeo solution.
Type | This column displays the type of traffic and therefore the type of filtering applied. The three possible values for this column are:
• URL for URL filtering.
• Proto for protocol filtering.
• File for file filtering (filtering related to the antivirus, the file size, the MIME types, etc.)
User | This column displays the user who originated the traffic. The User column displays one of these three possible values:
• Full Name: Full user name for authenticated users.
• Unknown user: <Login> : An unknown user correctly authenticated by Olfeo who has not been synchronized as part of the user synchronization when configuring an enterprise directory.
• Empty: The value is blank for IP ranges or non authenticated users.
Warning: The user authentication/identification is highly dependent on the integration and authentication choices. Both subjects are covered in detail in the Olfeo Integration Guide. We recommend referring to this guide for more information about user identification.
IP | This column displays the IP address of the machine originating the flow.
Category | The content of this column depends on the type of flow. The two possible values in this column are:
• For URL filtering: Olfeo category name the URL belongs to.
Note: For more information about category lists, go here: Sub-menu: Categories Group on page 16.
• For protocol filtering: Name of the identified Protocol.
Note: For more information about protocol lists, go here: Sub-menu: Protocols on page 30.
Olfeo Solution / User guide / 154 7 Menu: Analysis Column Action Description This column displays the Olfeo filtering action applied. The possible values are: • • • Denied: The flow was denied according to your filtering policies. In case of a URL filtering the end user will receive a blocking page informing the end user of the blocking condition. Allowed: The Olfeo solution allowed the flow in accordance to your filtering policies. Audit: The audit mode simulates filtering operations while still allowing all flows . This mode allow for collecting statistics without actually enforcing filtering policies. This particular audit mode is a valuable tool to initially collect statistics and adjust your filtering policies before enabling your policies enforcement. Note: Audit mode entries are graphically displayed using strikethrough text in the Action column. Below is an example of the audit mode display from the [Analysis] > [Livelog]. Figure 17: Sample audit mode display. Note: To enable the audit mode, go here:Editing an object from the users list on page 105. Policy This column displays the filtering policy applied to the flow. Note: For more information about the user policy: • • Domain For URL Filtering, go here:Sub-menu: Policies on page 23. For protocol filtering, go here:Assigning a protocol filtering policy on page 33. This column displays: • • For URL filtering: the accessed domain name or IP address. For protocol filtering: the accessed IP address and TCP port. • • Date: This column display the date and time the Olfeo solution processed the flow.. Type : This column displays type of traffic and therefore the type of filtering applied. The three possible values are: • URL for URL filtering. • Proto for protocol filtering. • File for file filtering (filtering related to the antivirus, the file size, the MIME types, etc.) • User: This column displays the user originating the flow. 
The User column will display one of the three following values:
  • Full Name: Full user name for authenticated users.
  • Unknown user: <Login>: An unknown user correctly authenticated by Olfeo who has not been synchronized as part of the user synchronization when configuring an enterprise directory.
  • Empty: The value is blank for IP ranges or non-authenticated users.
  Warning: The user authentication/identification is highly dependent on the integration and authentication choices. Both subjects are covered in detail in the Olfeo Integration Guide. We recommend referring to this guide for more information about user identification.
• IP: This column contains the IP address of the machine sending the flow.
• Category: The content of this column varies depending on the type of flow. The two possible values in this column are:
  • For URL filtering: Olfeo category name the URL belongs to.
    Note: For more information about category lists, go here: Sub-menu: Categories Group on page 16.
  • For protocol filtering: Name of the identified protocol.
    Note: For more information about protocol lists, go here: Sub-menu: Protocols on page 30.
• Action: This column displays the filtering action applied to the flow. The possible values are:
  • Denied: The flow was denied according to your filtering policies. In the case of URL filtering, the end user will receive a blocking page informing him of the blocking condition.
  • Allowed: The Olfeo solution allowed the flow in accordance with your filtering policies.
  • Audit: The audit mode simulates filtering operations while still allowing all flows. This mode allows for collecting statistics without actually enforcing filtering policies. It is a valuable tool to initially collect statistics and adjust your filtering policies before enabling their enforcement.
  Note: Audit mode entries are graphically displayed using strikethrough text style in the Action column. Below is an example of the audit mode display from the [Analysis] > [Livelog] page.
  Note: To enable the audit mode, go here: Editing an object from the users list on page 105.
• Policy: This column displays the filtering policy applied.
  Note: For more information about the user policy:
  • For URL filtering, go here: Sub-menu: Policies on page 23.
  • For protocol filtering, go here: Assigning a protocol filtering policy on page 33.
• Domain: This column displays:
  • For URL filtering: the accessed domain name or IP address.
  • For protocol filtering: the accessed IP address and TCP port.

Submenu: Log extract
Use the [Analysis] > [Log extract] page to extract browsing history from the Olfeo RAW log files in CSV format. Olfeo RAW log files are Olfeo proprietary log files recording all traffic and filtering operations performed by the Olfeo solution. The [Analysis] > [Log extract] page is essential for extracting browsing history from the Olfeo solution.

The [Analysis] > [Log extract] feature lets you specify various parameters, such as:
• The extraction start and end dates.
• The time zone the extracted dates will be converted to.
• Search fields as well as filters for refining results.
  Note: There are more than 150 fields that can be used in the extraction. Examples: UserName, Url, Mac-User, User-Id, Date, Action, Virus-Name, Destination Port, Date, MIME-Type, ProtoId, etc.
• The field separator required by the CSV format.
• The name of the CSV file to be provided by the Olfeo administration console.

Note: The [Analysis] > [Log extract] feature has a preview option that is useful to test and adjust your search and filter criteria.

Extracting statistics
1. Go to the statistics extraction page [Analysis] > [Log extract].
Section: Extraction settings
2. Enter the start date for your extraction in the [Date min] field.
   Example:
   • today
   • yesterday
   • today - 3 days
   • last week
   • 2011-05-16 15:06:20
3. Enter the end date for your extraction in the [Date max] field.
4. In the [Timezone] dropdown list, select the time zone to convert the browsing date and time to.
   Example: Paris or UTC (Coordinated Universal Time)
5. Enter the field separator for your CSV file (a character or a string of characters) in the [Separator] field.
   Example: ;
6. Enter the file name to use for the generated CSV file in the [Generated file] field.

Section: Attributes Selection
7. Click on the button to add an attribute to the list of attributes to extract.
   a) In the newly created line, select the attribute from the dropdown list in the Attribute column field.

Table 5: List of possible attributes
Attribute | Description
Category-Id | Olfeo category identifier.
Date | Date in a readable format generated from the UTC timestamp.
Destination port | Destination TCP port.
Domain | DNS domain.
File-Name | Name of the downloaded file.
Group-Id | Olfeo user group identifier.
LogTypes | Boolean informing if the request is logged or not.
Monitoring | Boolean informing if the audit function is enabled or not.
Matched-Policy-Id | Policy identifier for the applied policy.
MIME-Type | MIME type of the analyzed file.
Name | Current user name if it still exists in the database; if not, the user name at the time of the request.
Peer | Request source IP address.
Proto-Id | Qosmos protocol identifier number.
Proto-VolumeUpload | Total packets sent by Squid.
Proto-VolumeDownload | Total packets downloaded through Squid.
Proxy-CacheAnswer | Response of Squid cache.
Proxy-Id | Olfeo identifier of the dynamic proxy object that handled the query.
Quota-Id | Olfeo identifier of the dynamic quota object constraining the application.
Req-Answer-Reason | Number corresponding to the type of action performed (override, quota, timeslot, allowed, denied, etc.).
Req-Status | Number indicating the query status if it has been allowed (1), denied (2), or redirected (3) (0, if an unknown case).
Req-Type | Request type (Req-Type-Url, Req-Type-Proto-Type Req-File, Req-Type-Ip).
Size | Squid cache size.
Source-Port | Source port of the packet.
Timestamp | Number of seconds since EPOCH in UTC.
Timestamp-Tz | Number of seconds since EPOCH in local time.
Upload-AsUnknown | Boolean indicating if recovery is done for this domain.
Url | URL of the request.
Url-Id | Squid query identifier (used to maintain an association between the different queries conveyed by squid-wrapper).
User-Id | Olfeo user identifier.
User-Ip | Query source IP address.
User-Mac | Query source MAC address.
Username | Username recovered by Squid.
Virus-Name | Name of the detected virus.

      Example: User-Mac (to extract all MAC addresses originating from users).
   b) In the newly created line, to set up a filter associated with the attribute, enter the filter value in the Value column field.
      Note: You can use the following replacement characters when writing regular expressions:

      Replacement character | Semantic
      * | Matches any character set.
      ? | Matches any single character.
      [seq] | Matches any character in seq.
      [!seq] | Matches any character that is not contained in seq.

      For example, if you selected User-Mac in the Attribute column, you can enter: 00:50:56:01:05:d4.
8. Optionally, with the button, delete the lines of attributes that you do not want to use.
9. Click on the [Preview] button to view a sample of the final result in the preview screen.

Section: Preview
10. View the sample result and, as necessary, change the extraction parameters, attributes or filters to improve the final result.
11. Click on the [Download] button to download the final .csv file.
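The filter characters and CSV settings from the procedure above, as an added example (not Olfeo code): it translates the four replacement characters into anchored regular expressions, applies them to a constructed extract, and flags rows whose field count does not match the header, which is what a separator occurring inside a Url value produces. The header row, the unquoted fields and the case-sensitive, whole-value matching are assumptions about the export, not documented Olfeo behaviour.

```javascript
// Added example, not Olfeo code. Constructed sample extract using ";" as the
// separator; the first line is ASSUMED to carry the selected attribute names.
const SAMPLE_EXTRACT = [
  "Date;Username;User-Mac;Url;Req-Status",
  "2011-05-16 15:06:20;jdoe;00:50:56:01:05:d4;http://intranet.example/;1",
  "2011-05-16 15:06:41;jdoe;00:50:56:01:05:d4;http://games.example/play;2",
  "2011-05-16 15:07:02;asmith;00:50:56:01:07:1a;http://video.example/watch?v=1;2",
  "2011-05-16 15:07:30;asmith;00:0c:29:aa:bb:cc;http://ads.example/banner;3",
  // The URL below contains the separator, so this row splits into 6 fields.
  "2011-05-16 15:08:11;;00:50:56:01:05:d4;http://shop.example/cart;jsessionid=AB12;2",
].join("\n");

// Req-Status codes as listed in Table 5.
const REQ_STATUS = { 0: "unknown", 1: "allowed", 2: "denied", 3: "redirected" };

// Turn a filter value written with *, ?, [seq] and [!seq] into an anchored RegExp.
function wildcardToRegExp(pattern) {
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "*") {
      re += ".*";
    } else if (c === "?") {
      re += ".";
    } else if (c === "[") {
      const close = pattern.indexOf("]", i + 2);
      const seq = close === -1 ? "" : pattern.slice(i + 1, close);
      const negated = seq.startsWith("!");
      const body = negated ? seq.slice(1) : seq;
      if (body === "") { re += "\\["; continue; } // no usable set: literal "["
      re += "[" + (negated ? "^" : "") + body.replace(/[\\^\[\]]/g, "\\$&") + "]";
      i = close;
    } else {
      re += c.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // escape regex metacharacters
    }
  }
  return new RegExp("^" + re + "$");
}

// Split the extract into row objects; rows with a wrong field count are set aside.
function parseExtract(text, separator) {
  const lines = text.split(/\r?\n/).filter((l) => l !== "");
  const header = lines[0].split(separator);
  const rows = [];
  const malformed = [];
  lines.slice(1).forEach((line, idx) => {
    const fields = line.split(separator);
    if (fields.length !== header.length) {
      malformed.push({ line: idx + 2, fields: fields.length });
      return;
    }
    rows.push(Object.fromEntries(header.map((name, k) => [name, fields[k]])));
  });
  return { header, rows, malformed };
}

// Keep the rows for which every attribute matches its filter value.
function selectRows(rows, filters) {
  const compiled = Object.entries(filters).map(([attr, pat]) => [attr, wildcardToRegExp(pat)]);
  return rows.filter((row) => compiled.every(([attr, re]) => re.test(row[attr] || "")));
}

// Count rows per Req-Status label.
function countByStatus(rows) {
  const counts = {};
  for (const row of rows) {
    const label = REQ_STATUS[row["Req-Status"]] || "unknown";
    counts[label] = (counts[label] || 0) + 1;
  }
  return counts;
}

const extract = parseExtract(SAMPLE_EXTRACT, ";");
const deniedFromPrefix = selectRows(extract.rows, { "User-Mac": "00:50:56:*", "Req-Status": "2" });
console.log(countByStatus(extract.rows), deniedFromPrefix.map((r) => r.Username), extract.malformed);
```

Choosing a [Separator] that cannot occur in the extracted attributes avoids the malformed rows altogether.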
Chapter 8
Menu: Parameters

Topics:
• Submenu: Architecture
• Submenu: Authentication
• Submenu: High Availability
• Submenu: Administrators
• Sub-menu: Network
• Submenu: System
• Submenu: Monitoring
• Submenu: Updates
• Submenu: Backup
• Submenu: Advanced
• Submenu: Support

Submenu: Architecture
Warning: The [Parameters] > [Architecture] menu relates to the integration choice and authentication architecture covered in the Olfeo Integration Guide. We recommend referring to this guide for more information about integration and authentication.

The [Parameters] > [Architecture] > [Integration] page lets you create connectors for the purpose of:
• Interfacing with third-party equipment using a specific protocol.
• Interfacing with another feature of the Olfeo solution (e.g., antivirus).
• Capturing the network.

The [Parameters] > [Architecture] > [Proxy.pac] page provides a way to host one or more “proxy.pac” files to be used by end users' desktops. The “proxy.pac” files can be used to automate the browsers' explicit proxy configuration and also to achieve dynamic proxy selection at the browser level.
Note: This central “proxy.pac” management on the Olfeo solution eliminates the need for a web server to host these files.
Warning: The Olfeo solution does not provide any way to implement proxy.pac access control. It is therefore imperative to manage / create your proxy.pac properly to prevent your users from bypassing your proxy if they can change proxy properties in their browsers.

Creating a connector

Create a connector for integration with OPSEC compatible equipment
1. Go to the configuration page via the [Parameters] > [Architecture] > [Integration] menu.
2. Click on the [Add connector] link from the Label column.
3. Select [I use my own equipment] in the [Integration Choice] dropdown list.
4. Enter a name describing the integration method in the [Label] field.
5.
Click on [Next].
Section: Parameters
6. Select Check Point as the connector type from the [Type of connection] dropdown list.
Section: Connector parameters
7. Choose the Tcp transport protocol from the [Mode] dropdown list.
8. Enter the port number 18182 that will be used as the connector listening endpoint.
9. Click on [Finish] to save your changes.

Creating a connector to integrate with WISP compatible equipment
1. Go to the configuration page via the [Parameters] > [Architecture] > [Integration] menu.
2. Click on the [Add connector] link from the Label column.
3. Select [I use my own equipment] in the [Integration Choice] dropdown list.
4. Enter a name describing the integration method in the [Label] field.
5. Click on [Next].
Section: Parameters
6. Select the connection type Cisco from the [Type of connection] menu.
Section: Connector parameters
7. Select the Tcp transport protocol from the [Mode] dropdown list.
8. Enter the port number that will be used as the listening endpoint for your connector.
   Default value: 15868
9. Click on [Finish] to save your changes.

Creating a connector to integrate with WISP compatible equipment
1. Go to the configuration page via the [Parameters] > [Architecture] > [Integration] menu.
2. Click on the [Add connector] link from the Label column.
3. Select [I use my own equipment] in the [Integration Choice] dropdown list.
4. Enter a name describing the integration method in the [Label] field.
5. Click on [Next].
Section: Parameters
6. Choose the connection type ICAP-->Other in the [Type of connection] dropdown list.
Section: Connector parameters
7. Select the Tcp transport protocol from the [Mode] dropdown list.
8. Enter a port number to be used as a listening endpoint by the connector.
   The default value is: 1344
9. Click on [Finish] to save your changes.

Creating a connector to integrate with ICAP
1.
Go to the configuration page via the [Parameters] > [Architecture] > [Integration] menu.
2. Click on the [Add connector] link from the Label column.
3. Select [I use my own equipment] in the [Integration Choice] dropdown list.
4. Enter a name describing the integration method in the [Label] field.
5. Click on [Next].
Section: Parameters
6. Choose the connection type Netasq in the [Connection type] menu.
Section: Connector parameters
7. Select the Tcp transport protocol from the [Mode] dropdown list.
8. Enter a port number as a listening endpoint for the Netasq connector.
   Example: 1345
9. Click on [Finish] to save your changes.

Creating a connector to integrate Olfeo protocol compatible products
1. Go to the configuration page via the [Parameters] > [Architecture] > [Integration] menu.
2. Click on the [Add connector] link from the Label column.
3. Select [I use my own equipment] in the [Integration Choice] dropdown list.
4. Enter a name describing the integration method in the [Label] field.
5. Click on [Next].
Section: Parameters
6. Choose the connection type Squid in the [Connection type] menu.
Section: Connector parameters
7. Select the Tcp transport protocol from the [Mode] dropdown list.
8. Enter a port number to be used as a listening endpoint by the connector.
   Default value: 5555
9. Click on [Finish] to save your changes.

Creating an ICAP connector for the antivirus
Note: Check whether an ICAP connector already exists. An ICAP connector to be used internally for virus scanning should already be defined after Olfeo installation in the [Parameters] > [Architecture] page.
1. Go to the configuration page via [Parameters] > [Architecture] > [Integration].
2. Click on the [Add connector] link from the Label column.
3. Select [I use my own equipment] in the [Integration Choice] menu.
4. Enter a name describing the integration method in the [Label] field.
5.
Click on [Next].
Section: Parameters
6. Choose the connection type ICAP-->Other in the [Type of connection] dropdown list.
Section: Connector parameters
7. Choose the Tcp transport protocol in the [Mode] dropdown list.
8. Enter a port number to be used for the antivirus connection.
   The default value is: 1344
9. Click on [Finish] to save your changes.

Creating a connector for network capture
1. Go to the configuration page via the [Parameters] > [Architecture] > [Integration] menu.
2. Click on the [Add connector] link from the Label column.
   a) Enter a name describing the integration method in the [Label] field.
   b) Select [I capture network traffic] from the [Integration Choice] dropdown list.
3. Click on the [Next] button.
Section: Connector parameters
4. In the [Capture Link] dropdown list, choose the interface for the br(x) network bridge (for example, br0) on which the network capture will be performed.
5. In the [Injection Link] dropdown list, select the network interface over which the blocking frames will be sent.
6. If you capture network traffic tagged with 802.1q VLAN IDs and you want to inject blocking packets with the same 802.1q VLAN IDs, enable the [Copy the 802.1q headers in injected packets] checkbox.
   Warning: Ensure that in your network configuration you have set the interfaces in the corresponding VLANs.
7. In the [Source MAC] dropdown list, select the MAC address that will be used for injected frames containing blocking pages. Choose between the following two options:
   • [Impersonate router] lets you use the destination router MAC address as the source MAC for injected frames.
     Danger: Some switches with port security features consider seeing the same MAC address (router) on multiple ports as a security violation. Depending on their port security configuration, this detection may result in the corresponding switch ports being shut down.
   • [Injection Interface] lets you send the injected frames using the injection interface MAC address.
     Note: In contrast to the previous option, this mode is not subject to the switch port security problem because the router's MAC address is not used.
8. If you wish to ignore HTTP and HTTPS traffic, enable the [Don't capture URL traffic] checkbox.
9. To disable protocol filtering, enable the [Don't capture protocol traffic] checkbox.
10. Click on [Finish] to save your changes.

Adding a proxy.pac
1. Go to the configuration page via the [Parameters] > [Architecture] > [Proxy.pac] menu.
2. Click on the [Add proxy.pac] link in the Label column.
3. Enter a name describing the integration method in the [Label] field.
4. Enter a description in the [Description] field.
5. In the [Content] field, enter the JavaScript code for your proxy.pac.
   If you are not familiar with the proxy.pac technology and its JavaScript code, please refer to the following:
   • Proxy.pac file format
   • Automatic proxy configuration with Internet Explorer
6. Click on the [Create] button to save your proxy.pac.

Implementing a proxy.pac
1. Go to the configuration page via the [Parameters] > [Architecture] > [Proxy.pac] menu.
2. Copy the proxy.pac’s URL provided by Olfeo from the URL field. This line is to be used in the browsers' configuration.
   Example: http://192.168.17.197:9123/proxypac/?id=576
3. Use the copied proxy.pac URL to configure your HTTP clients / browsers.

Submenu: Authentication
Warning: The [Parameters] > [Authentication] menu is related to the integration and authentication architectures you selected. Integration and authentication are the subject of the Olfeo Integration Guide. Please refer to this guide for more information on integration and authentication.
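For the [Content] field of "Adding a proxy.pac" above, and the warning that a proxy.pac must be written so that it does not let users bypass the proxy, here is an added example (not Olfeo code) of a proxy.pac that sends internal destinations direct and everything else to the proxies, with no DIRECT fallback. The proxy host names, port 3128 and the internal suffix .corp.example are placeholders; it uses only plain JavaScript string operations, so it does not depend on the browser's PAC helper functions.

```javascript
// Added example, not Olfeo code. Placeholders (assumptions): the two proxy host
// names, port 3128 and the internal suffix ".corp.example".
var PROXIES = "PROXY olfeo1.corp.example:3128; PROXY olfeo2.corp.example:3128";
var INTERNAL_SUFFIXES = [".corp.example"]; // leading dot keeps the match on a label boundary

// True when host is a dotted IPv4 literal in 10/8, 127/8, 172.16/12 or 192.168/16.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  if (a > 255 || b > 255 || +m[3] > 255 || +m[4] > 255) return false;
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// True when host ends with suffix (written without endsWith for old PAC engines).
function endsWithSuffix(host, suffix) {
  var at = host.length - suffix.length;
  return at >= 0 && host.indexOf(suffix, at) === at;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.charAt(host.length - 1) === ".") host = host.slice(0, -1); // drop trailing dot

  // Single-label intranet names only; any other dot-less form goes to the proxy.
  if (/^[a-z][a-z0-9-]*$/.test(host)) return "DIRECT";
  if (isPrivateIPv4(host)) return "DIRECT";
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (endsWithSuffix(host, INTERNAL_SUFFIXES[i])) return "DIRECT";
  }

  // Everything else goes through the filtering proxies. There is no trailing
  // "; DIRECT": if both proxies are unreachable the request fails instead of
  // leaving the network unfiltered.
  return PROXIES;
}
```

The Olfeo-hosted proxy.pac URL itself (192.168.17.197 in the example above) falls in a private range and is therefore fetched directly.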
The [Parameters] > [Authentication] > [Directory] menu allows you to register enterprise directories with the Olfeo solution for the purpose of authentication and user synchronization.

If you are using an Active Directory enterprise directory, you can join the Olfeo solution to the corresponding Windows domain using the [Parameters] > [Authentication] > [Windows domain join] menu.
Warning: Joining the Windows domain is a requirement if you are planning to use the Microsoft (NTLM, Kerberos) proxy transparent authentication methods. You can also refer to the Olfeo Integration Guide for more information.

The [Parameters] > [Authentication] > [Authentication Mode] menu allows you to set up authentication modes. An authentication mode refers to a set of enterprise directories that can be used in authentication methods with Olfeo. During an authentication operation, Olfeo sequentially queries each enterprise directory that is part of the authentication mode in order to authenticate the user.

In an authentication mode you can add a default guest login account. For each authentication mode, this default login allows you to log traffic linked to users that are not authenticated but are allowed to browse. In order to use a guest account, it must be present or have been manually created in the corresponding directories.
Note: For more information about the list of users, go here: Users list on page 100.

Adding an Active Directory enterprise directory and synchronizing the users
Note: Synchronizing the users from the enterprise directory allows for the identification of users in order to apply a corresponding filtering policy and to record their browsing traffic in their names.
1. Go to the enterprise directory configuration page via [Parameters] > [Authentication] > [Directory].
2. Click on [Add directory].
Section: Configuring the directory
3.
Enter a name in the [Directory label] field.
Section: Connection
4. Choose Active Directory in the [LDAP Type] dropdown list.
5. Enter the directory’s IPv4 address or DNS name in the [Hosts] field.
6. To use LDAP over SSL for communication with the enterprise directory, enable the [LDAPs] checkbox.
7. To have groups and users synchronized using a single query, enable the [Disable paging] checkbox.
   Note: By default, Olfeo uses a paginated response mode for synchronizing users and groups. Olfeo recommends keeping the pagination mode enabled, as this mode is preferable for synchronizing large enterprise directories.
8. For the specified host machine, enter the TCP listening port.
   Note: The default port for LDAP directories is 389.
9. Click on the [Test and get basedn] button.
   This button is available for Active Directory enterprise directories only. It not only tests the connection to the enterprise directory server but also retrieves the Base DN.
   If successful:
   • The text Connection Success will appear to the right of the [Test and get basedn] button.
   • The [Basedn] field will be automatically populated with the retrieved base DN information.
10. In the [Binddns] field, enter the login of the user with the appropriate authorizations to connect and retrieve the list of users from the enterprise directory.
    Warning: A Binddn follows the syntax: login@domain
    Example: administrator@labs.mycompany.com
11. Enter the password for this user in the [Password] field.
12. Click on [Finish] to save the directory connection settings.
    Result: The page is reloaded.
Section: Connection
13. To specify a timeout for queries to the directory, enter the timeout value in seconds in the [Time out] field.
    For example: 60 seconds
14. To schedule automatic synchronization of the enterprise directory, enable the [Planning] checkbox and enter the synchronization time.
    • Syntax example #1, each night at 01h05: 01 : 05
    • Syntax example #2, every 15 minutes, between 1 a.m. and 2 a.m.: 01 : */15
    • Syntax example #3, every half hour on the hour: * : */30
    The synchronization planning uses the same syntax as crontab. Please refer to the crontab(5) manual for more information.
Section: Domain
This section is specific to Microsoft Active Directory enterprise directories. These fields are required to later join the Olfeo solution to your Active Directory domain and therefore to be able to use the transparent authentication methods based on Kerberos and NTLM.
15. Enter the name of your Active Directory domain in the [Domain] field.
    For example: mycompany.com
16. In the [Workgroup] field, enter the NetBIOS name for your domain in CAPITAL LETTERS.
    For example: MYCOMPANY
17. If you use an NTP server separate from the Active Directory server, enable the [Use a separate NTP server] checkbox.
    Warning: The NTP server must be configured in the NTP servers field, using the [Parameters] > [System] > [Date] menu.
18. If you use a DNS server separate from your Active Directory server, enable the [Use a separate DNS server] checkbox.
Section: Advanced (group)
19. If you want to restrict the user group synchronization to a subset of your enterprise directory, enter a base DN in the [Group BaseDN] field.
    Example: ou=hq, o=Mycompany, c=FR
20. If you want to restrict the user group synchronization to LDAP groups of a specific object type, enter the LDAP objectclass in the [Group Class] field.
    For example: organizationalUnit
21. If you want to use a specific group object LDAP attribute different from CN as the label for the group in Olfeo, enter the name of this attribute in the Group Label Attribute field.
    For example: name
22. If your groups are also organizational units, enable the [Group is container] checkbox. The synchronized groups will then be objects with this property.
23.
If group membership is specified as a user attribute, enable the [Group is user attribute] checkbox. Even though it is available, this option is rarely used because group membership is rarely specified through a user attribute.
24. If you want to use a specific group object attribute for the group name in Olfeo statistics, enter the name of this attribute in the [Field to use as label for groups] field.
Section: Advanced (user)
25. To limit the scope of the user object search to a specific subset of the enterprise directory, enter the corresponding base DN in the [BaseDN user] field.
26. If the Olfeo filtering policy identifier to use for users is stored in a user object attribute, enter the attribute name in the [Policy Id Attribute] field.
27. To limit the synchronization of user objects to LDAP objects of a specific class, enter the object class name in the User Class field.
28. To use an LDAP attribute as a primary key to uniquely identify users, enter the attribute name in the [LDAP attribute for primary key] field.
29. To use a specific LDAP attribute as login.
30. To use a specific user LDAP object attribute as the user name, enter the attribute in the [LDAP attribute for name] field.
Section: Group list
31. To retrieve the list of user groups available in your enterprise directory based on the advanced criteria defined in the prior sections, click on the [Synchronize available groups] button.
32. Select the groups to be used for user synchronization from the list of available groups and add them to the [Synchronized groups] list. To add or remove a group, use the or buttons.
33. Set the synchronization priority of groups by controlling their positions in the [Synchronized groups] list. To control the synchronization priority, select a group and use the or buttons to move it up or down in the list.
    Warning: The order in which groups are synchronized is important because one user can belong to several directory groups.
Section: User List
34. Synchronize the users belonging to the [Synchronized groups] list using the [Synchronize users] button.
    Result: A message indicating the number of users synchronized.
35. Click on [Ok] to save the changes.

Adding an LDAP compatible enterprise directory and synchronizing the corresponding users
1. Go to the enterprise directory configuration page via [Parameters] > [Authentication] > [Directory].
2. Click on [Add directory].
Section: Configuring the directory
3. Enter a name in the [Directory label] field.
Section: Connection
4. Choose the type of directory you are using in the [LDAP Type] dropdown list.
   Note: If you have an OpenLDAP directory, choose [OpenLDAP or generic server].
5. Enter the directory’s IPv4 address or DNS name in the [Hosts] field.
6. To use LDAP over SSL for communication with the enterprise directory, enable the [LDAPs] checkbox.
7. To have groups and users synchronized using a single query, enable the [Disable paging] checkbox.
   Note: By default, Olfeo uses a paginated response mode for synchronizing users and groups. Olfeo recommends keeping the pagination mode enabled, as this mode is preferable for synchronizing large enterprise directories.
8. For the specified host machine, enter the TCP listening port.
   Note: The default port for LDAP directories is 389.
9. In the [Binddns] field, enter the login of the user with the appropriate authorizations to connect and retrieve the list of users from the enterprise directory.
   Warning: An LDAP Bind DN uses this syntax: CN=admin,DC=olfeo-test,DC=net
10. Enter the password for this user in the [Password] field.
11. Enter the Base DN of the directory in the [Basedn] field.
    Warning: An LDAP Base DN follows the syntax: DC=olfeo-test,DC=net
12. Click on [Finish] to save the directory connection settings.
    Result: The page is reloaded.
Section: Connection
13. To specify a timeout for enterprise directory queries, enter the timeout value in seconds in the [Time out] field.
    For example: 60 seconds
14. To schedule automatic synchronization of the enterprise directory, enable the [Planning] checkbox and enter the synchronization time.
    • Syntax example #1, each night at 01h05: 01 : 05
    • Syntax example #2, every 15 minutes, between 1 a.m. and 2 a.m.: 01 : */15
    • Syntax example #3, every half hour on the hour: * : */30
    The synchronization planning uses the same syntax as crontab. Please refer to the crontab(5) manual for more information.
Section: Advanced (group)
15. If you want to restrict the user group synchronization to a subset of your enterprise directory, enter a base DN in the [Group BaseDN] field.
    Example: ou=hq, o=Mycompany, c=FR
16. If you want to restrict the user group synchronization to LDAP groups of a specific object type, enter the LDAP objectclass in the [Group Class] field.
    For example: organizationalUnit
17. If you want to use a specific group object LDAP attribute different from CN as the label for the group in Olfeo, enter the name of this attribute in the Group Label Attribute field.
    For example: name
18. If your groups are also organizational units, enable the [Group is container] checkbox. The synchronized groups will then be objects with this property.
19. If group membership is specified as a user attribute, enable the [Group is user attribute] checkbox. Even though it is available, this option is rarely used because group membership is rarely specified through a user attribute.
20.
If you want to use a specific group object attribute for the group name in Olfeo statistics, enter the name of this attribute in the [Field to use as label for groups] field.
Section: Advanced (user)
21. To limit the scope of the user object search to a specific subset of the enterprise directory, enter the corresponding base DN in the [BaseDN user] field.
22. If the Olfeo filtering policy identifier to use for users is stored in a user object attribute, enter the attribute name in the [Policy Id Attribute] field.
23. To limit the synchronization of user objects to LDAP objects of a specific class, enter the object class name in the User Class field.
24. To use an LDAP attribute as a primary key to uniquely identify users, enter the attribute name in the [LDAP attribute for primary key] field.
25. To use a specific LDAP attribute as login.
26. To use a specific user LDAP object attribute as the user name, enter the attribute in the [LDAP attribute for name] field.
Section: Group list
27. To retrieve the list of user groups available in your enterprise directory based on the advanced criteria defined in the prior sections, click on the [Synchronize available groups] button.
28. Select the groups to be used for user synchronization from the list of available groups and add them to the [Synchronized groups] list. To add or remove a group, use the or buttons.
29. Set the synchronization priority of groups by controlling their positions in the [Synchronized groups] list. To control the synchronization priority, select a group and use the or buttons to move it up or down in the list.
    Warning: The order in which groups are synchronized is important because one user can belong to several directory groups.
Section: User List
30. Synchronize the users belonging to the [Synchronized groups] list using the [Synchronize users] button.
    Result: A message indicating the number of users synchronized.
31.
Click on [Ok] to save the changes.

Joining the Olfeo solution to the Windows domain
Warning: Joining the Olfeo solution to the Windows domain ensures that Olfeo can send user authentication requests to the Windows domain controller, as required for NTLM and Kerberos authentication. To join the Olfeo solution to the Windows domain, you must use a user account with the necessary rights to register a workstation in the domain.
Warning: If you plan to join two or more Olfeo installations to the Windows domain, you need to ensure they all use different DNS names. The Olfeo machine name is available from the [Parameters] > [Network] > [Server] menu. To change the name, please refer to the procedure documented in the Olfeo Installation Guide.
1. To join Olfeo to a Windows domain, use the [Parameters] > [Authentication] > [Windows domain join] menu.
Section: Authentication
2. In the [AD servers] dropdown list, select the previously registered Active Directory enterprise directory.
3. Enter the Windows domain account with the appropriate rights in the [AD Login (for joining)] field.
Warning: Use the following syntax: login@domain
Example: administrator@labs.mycompany.com
4. Enter the user password in the [AD Password] field.
5. Click on the [Join domain] button.
Warning: An Olfeo installation can only be joined to a single Windows domain. If you want to perform authentication across Windows domain boundaries, you need to make sure you have the proper Windows domain trust relationships in place.
Result: The [Status] message appears, specifying the name of the LDAP server to which the Olfeo solution has been joined.

Grouping and prioritizing authentications in a mode
1. Go to the mode settings page via [Parameters] > [Authentication] > [Authentication Mode].
Section: Authentication mode
2. Enter a name describing the authentication mode in the [Label] field.
3. Enter a description in the [Description] field.
Section: Properties
4. Add an authentication solution using the button. Perform this step as many times as needed to add all the required authentication solutions.
a) In the newly created line, click on the "---" link in the Backend Type column.
b) Select the [LDAP] module.
c) Select the directory you want from the [Select a directory] list.
d) Click on [Ok] to save your changes.
5. To add a guest account to be used as default login, add an authentication solution using the button.
a) In the newly created line, click on the "---" link in the Backend Type column.
b) Select the [Guest] module.
c) Enter the guest user ID in the [User ID] field.
Note: The guest account must be present in a directory or have been manually added to the list of users. For more information about the user list, go here: Users list on page 100.
d) Click on [Ok] to save your changes.
6. Using the arrows, set the priority order for your authentication solutions.
7. To delete an authentication solution, click the button next to the corresponding line.
8. Click on [Ok] to save your changes.

Submenu: High Availability
Warning: The [Parameters] > [High Availability] menu is related to the notions of Olfeo domain and clusters covered in the Olfeo Integration Guide. We recommend that you refer to this guide for more information about Olfeo high availability concepts.
The [Parameters] > [High Availability] > [Olfeo Domain Management] menu lets you create an Olfeo domain. An Olfeo domain is a logical set of Olfeo installations with one installation identified as the Master. This Master Olfeo installation manages the global configuration for all installations in the Olfeo domain. Any modification to the global configuration is automatically propagated from the Master installation to the Olfeo installations that are members of the Olfeo domain.
On the non-master installations, also called slaves, many menus are removed from the graphical user interface because the corresponding configuration is managed solely by the Olfeo Master installation. However, some menus remain available because they pertain to local configuration elements (network, ...). The only available menus on the slave installations are:
• [Analysis]
  • [Livelog].
• [Parameters]
  • [Authentication] (But only the menu for joining an Olfeo installation to the Windows domain, because the enterprise directories registration page is part of the global configuration)
  • [Network] (DNS configuration, SMTP, SMS, outgoing HTTP proxy.)
  • [System] (Services start/stop, NTP configuration, Olfeo administration console's certificates configuration).
  • [Monitoring] (local log, Olfeo local state, automated tasks).
  • [Updates].
  • [Backup] (Mount point configuration, backup tasks and backups list)
  • [Advanced] (Blocking page redirection definition only)
  • [Support].
In an Olfeo domain, the Olfeo Master centralizes the logs and statistics. When the Olfeo Master is not available, the logs and statistics are temporarily stored on the Olfeo Slaves and automatically transferred to the Olfeo Master once it becomes available. It is also possible to configure one or more secondary logs servers as backups that store a replica of the logs stored on the Olfeo Master.
The [Parameters] > [High availability] > [Clusters] menu lets you configure and manage Olfeo clusters. An Olfeo cluster ensures availability of Olfeo services by means of virtual IP addresses. A virtual IP address is assigned to each Olfeo cluster node. Should an Olfeo cluster node become unavailable, its virtual IP address is failed over to another node in the cluster. In normal operation, an Olfeo cluster can be used as an active/active or active/passive cluster.
The [Parameters] > [High availability] > [Log replication] submenu lets you assign the secondary logs server role to one or more Olfeo domain members. Assigning the secondary logs server role to an Olfeo domain member triggers the replication of all logs from the Olfeo Master to each secondary logs server. Should the Olfeo Master become unavailable, the logs remain accessible from the secondary logs servers. Once the Olfeo Master becomes available again, the secondary logs servers automatically synchronize the missing logs. In an Olfeo domain, the secondary logs servers are kept in a list distributed to all Olfeo domain members. Each Olfeo domain member therefore runs down this list to identify the server to send its logs to should the Olfeo Master become unavailable.
Warning: Configuring an Olfeo secondary logs server immediately triggers the replication of the logs stored on the Olfeo Master. Since all the logs are replicated, you need to ensure the secondary logs servers have enough storage space for the replication to work.
Warning: It is preferable to configure this during off hours or during the initial deployment of the Olfeo solution.

Creating an Olfeo Domain
1. If the authentication architecture requires you to join your Olfeo solution to the Windows domain, perform that procedure before creating the Olfeo domain.
Note: For more information about joining the Windows domain, go here: Adding an Active Directory enterprise directory and synchronizing the users on page 173 and Joining the Olfeo solution to the Windows domain on page 180.
2. Log on to the “Master” machine.
3. Go to the configuration page via [Parameters] > [High Availability] > [Olfeo Domain Management].
(Master) Section: Olfeo Domain
4. Click on the [Create a new Olfeo domain] button, then wait for the Olfeo domain to be created.
Joining an Olfeo domain
Figure 18: “Master” machine
Figure 19: “Slave” machine
1. Log on to the “Master” machine.
2. Go to the configuration page via [Parameters] > [High Availability] > [Olfeo Domain Management].
(Master) Section: Nodes list
3. Click on the link [Add a host to the domain].
(Master) Section: Parameters
4. Enter a name in the [Name] field to describe the new member of the Olfeo domain.
5. Enter the new member’s IP address in the [IP address] field.
6. Click on the [Create] button.
(Master) Section: Nodes list
7. In the Nodes list, note the member ID corresponding to the new Olfeo domain member.
(Slave) Section: Olfeo domain
8. Log in to the “Slave” machine.
9. Go to the domain configuration page via [Parameters] > [High Availability] > [Olfeo Domain Management].
10. Click on the link [Join an Olfeo domain].
(Slave) Section: Join an Olfeo domain
11. Enter the [Member ID] in the corresponding field. This member ID number also appears on the “Master” machine’s list of domain members (refer to step 7 on page 185.) Example: 81012288
12. Enter the IP address of the Master machine in the [Master's IP address] field.
13. Click on the [join domain] button, then wait until the machine has joined the domain.
Warning: Once the Olfeo domain join is completed, the Olfeo Administration Console displays the login page.
Note: When a slave machine has been joined to an Olfeo domain, most of the Olfeo Administration Console menus become inaccessible. The only menus remaining are those related to the machine's local configuration ([Analysis], [Parameters]).
Figure 20: Example of an administration console from a slave machine joined to an Olfeo domain.
(Slave) Section: Olfeo domain
14.
To make sure that your Olfeo is correctly joined to an Olfeo domain, go to the Olfeo domain configuration page via [Parameters] > [High Availability] > [Olfeo Domain Management] and verify that the phrase “You are currently joined to a domain” is displayed.
Note: On the Master machine’s Nodes list for the Olfeo domain, the machine joined to the domain must be in the “Online” state.

Creating a cluster
1. Log on to the “Master” machine.
2. Go to the configuration page for clusters via [Parameters] > [High Availability] > [Clusters].
(Master) Section: High Availability Parameters
3. In the [Notification Email address] field, enter the destination email address where you want to receive notification emails about cluster node failover/failback.
4. In the [Email sender] field, enter the sender email address for the failover/failback email notifications.
5. Click on the [Add cluster] link.
(Master) Section: Parameters
6. Enter a name identifying your cluster in the [Name] field.
7. Enter a description for your cluster in the [Description] field.
8. Enter a password in the [Password] field. This password is a shared secret between cluster nodes that allows them to communicate securely with each other.
9. Enter a number between 1 and 254 in the [First vrrp_id] field. The first VRRP identifier is used for cluster node management.
Warning: Other devices on your network are likely to use VRRP. To avoid conflicts, do not use a VRRP ID already in use.
10. From the [Network Interface] dropdown list, select the network interface that will be used to send the cluster node heartbeat messages that monitor node viability. The same network interface is used on all cluster nodes.
Section: Selecting Cluster Members
11. Select the Olfeo Domain machines that will be used as cluster members by enabling the column.
Note: For a machine part of the Olfeo cluster, the corresponding icon should be button from the Active .
12. For each machine that is part of the Olfeo cluster, enter a virtual IP address in the [Virtual IP] column.
Note: These virtual IP addresses are the IP addresses the end users' machines will use to access the Olfeo services.
Note: Remember that the virtual IP address of a machine is failed over to another node in case of a node or proxy failure.
13. Click on [Create] to save the changes.

Adding a secondary logs server
1. Log on to the “Master” machine.
2. Go to the secondary logs servers configuration page via the [Parameters] > [High Availability] > [Log replication] menu.
(Master) Section: Parameters
3. From the [Not log server] list, select one or more Olfeo domain members to which you want to give the secondary logs server role.
4. Click on the arrow to add the selected Olfeo domain members to the [Log server] list.
5. Click on [Ok] to save the changes.

Submenu: Administrators
Danger: Never delete the original Olfeo administrator because he is at the root of the administrators hierarchy! For more information, see chapter Olfeo Rights Principle on page 190.
The [Parameters] > [Administrators] > [Administrators] menu lets you create Olfeo Administrators and assign specific administrator rights to them. The rights to manage and operate the Olfeo solution apply to:
• The contents of BUs or Olfeo solution user groups.
• The menus or submenus that can be viewed or changed from the Olfeo administration console.
In the [Parameters] > [Administrators] > [Administrators] menu, each administrator can view the name of his parent administrator in the hierarchy in the column labeled Manager.
Note: For more information, see chapter Olfeo Rights Principle on page 190.
The [Parameters] > [Administrators] > [My Preferences] menu lets you view and change the properties of your current administrator account. This is a shortcut equivalent to using [Parameters] > [Administrators] > [Administrators] and then selecting your account.

Olfeo Rights Principle
Figure 21: Example of the rights hierarchy
In Olfeo, each administrator is placed in a tree-based hierarchy: each administrator sits at a node and is the parent administrator of its direct descendant nodes. In the image below:
• The admin1a and admin1b administrators were created by the admin1 administrator, who was created by the global admin.
• The admin2a and admin2b administrators were created by the admin2 administrator, who was himself created by the global admin.
Danger: Never delete the global administrator because he is the root of the entire hierarchy!
Danger: Never delete an administrator with descendants from the hierarchy! Once he is deleted, the descendant administrators become orphans and can no longer be re-attached to the main hierarchy.
In his daily work, an administrator is required to handle a set of objects (filtering policies, quotas, URL lists, category lists, messages, public portals and their configuration, etc.). In the Olfeo solution, an administrator can by default see only his own objects and those created by his hierarchy. For example, in the image below, admin1a can view only his objects, those of admin1 and those of the global admin. admin1a cannot view the objects of admin1b or those from the branch to which admin2 belongs.
Figure 22: Objects visible to admin1a
In the Olfeo solution, there is, however, an option allowing an administrator to see objects from the same branch and from all administrators at the same hierarchy level. This option needs to be activated at the level of the administrator's parent administrator.
In the previous example, admin1a asks admin1 to enable [Object sharing mode] using the [Parameters] > [Administrators] menu, as shown in the following screenshot.
Figure 23: Enabling the [Object sharing mode] by admin1
As shown in the following image, once [Object sharing mode] is enabled by admin1, admin1a is able to view admin1b's objects.
Figure 24: Objects visible for admin1a because admin1 enabled [Object sharing mode]

Adding an administrator
1. Go to the administrators management page via [Parameters] > [Administrators] > [Administrators].
2. Click on the [Add an administrator] link.
Section: Administrator
3. Enter the login of the administrator that you want to create in the [Login] field. Example: admin2
4. Enter the name of the administrator that you want to create in the [Name] field. Example: Administrator2
5. Enter the email of the administrator that you want to create in the [Email] field.
6. Enter the password for the administrator you are creating in the [Password] field.
7. Select the language of the Olfeo Administration Console for this administrator in the [Language] dropdown list.
8. In the [Default page] dropdown list, select the Olfeo Administration Console page to use as the welcome page when the administrator logs in to the Administration Console. Example: Live log.
9. If you want all objects from the hierarchy below this administrator to be shareable, enable the [Object sharing mode] checkbox.
Note: For more information on the Olfeo administrator hierarchy, rights and the object sharing mode, go to: Olfeo Rights Principle on page 190.
10. Click on [Create] to create the administrator.

Adding rights to an administrator
1. Open the administrator rights assignment page via [Parameters] > [Administrators] > [Administrators].
Section: Rights
2. Add a type of right using the button.
a) To create an administrator with all rights, click on [admin] in the Label column.
• Next, check that the [Global administrator] field is selected, then click [Ok].
• To finish, click the link [All rights] from the Label column.
Warning: [Coaching]: To enable the coaching feature, select Enabled in the [Coaching] dropdown list. The coaching feature automatically sends a periodic email to users with the feature activated. This email includes a predefined set of user-specific browsing activity reports.
b) To specify rights on Organizational Units or User Groups from the Users list of the rules engine page, click on the [Groups] link.
• Next, expand the users' tree using the icon. Then enable all the checkboxes for the BUs and User Groups you want to assign rights on. Confirm your selection by clicking [Ok].
• Select the type of right you want to assign to the administrator by clicking on the corresponding link in the Label column.
Right | Description
[All rights] | Grants all rights.
[Read only] | Grants read-only rights on the users list from the rules engine page.
[Modify] | Grants modification rights on the users list from the rules engine page.
[Analysis] | Grants the right to produce statistics for the selected users' population from the users list of the rules engine page. Note: Once this right is assigned to an administrator, the [Analysis] > [Creation], [Analysis] > [Consultation] and [Analysis] > [Diffusion lists] menus become accessible to him.
[Assign a policy] | Grants the right to assign filtering policies (URLs and protocols) to users in the users list of the rules engine page.
c) To select the menus and submenus of the Olfeo admin console that can be viewed or edited, click on the [Groups] link.
• Expand the tree structure using the icon, then enable the corresponding checkboxes for the desired menus or submenus. Confirm your selection with [OK].
• Select the type of right you want to assign to the administrator by clicking on the corresponding link from the Label column.
Right | Description
[Read-Only] | Makes a menu accessible but does not grant the right to modify its content.
[Modify] | Makes a menu accessible and grants the right to modify its content.
3. Click on [Create] to save the new administrator rights.

Sub-menu: Network
The [Parameters] > [Network] sub-menu allows you to configure the network settings of your Olfeo solution. More precisely, using this menu you can configure:
• The DNS server for your Olfeo.
• The SMTP server for your Olfeo.
• The SMS Gateway for your Olfeo.
• The HTTP proxy to be used by your Olfeo solution if it requires a proxy to access the internet.
Using the menu [Parameters] > [Network] > [Network Tests], you can test your network configuration.

DNS Configuration
1. Go to the DNS configuration page via [Parameters] > [Network] > [DNS].
Section: DNS
2. Enter the IP addresses of the DNS servers you want Olfeo to use, in priority order, in the [DNS Servers list] field.
Note: Use commas as the field separator.
3. Enter the DNS domain to be used by Olfeo in the [DNS Domain list] field.
4. Click on [Ok] to save your changes.

Configuring SMTP
1. Go to the SMTP configuration page via the [Parameters] > [Network] > [SMTP] menu.
Section: SMTP
2. Enter the SMTP server name or IP address in the [Server Name] field.
3. Enter the TCP port of the SMTP server in the [Port] field.
4. Enter the email address that the Olfeo solution will use as sender in the [Mail from] field.
Section: Diffusion
5. Enter the time at which automatic distributions are to be made in the [Send Time (UTC)] field.
Note: The diffusion time applies to both statistical reports and coaching messages.
Example: 03:00
6. Click on [Ok] to save your changes.
SMS Configuration
Note: Olfeo does not send SMS messages directly. Instead, to send SMS messages, Olfeo requires the configuration of a “Mail To SMS” service. Based on this configuration, Olfeo sends specially formatted emails to the “Mail To SMS” service, which translates them into SMS messages.
Warning: The following documentation presents a typical configuration for a “Mail To SMS” service. Some operators, however, may require a more specific configuration. If needed, you can adapt the SMS service configuration to your operator's requirements.
1. Go to the SMS gateways configuration page via [Parameters] > [Network] > [SMS].
2. Click on the [Add an SMS gateway] link.
Section: Mail-SMS Gateway
3. Enter a name in the [Label] field.
4. Enter a description in the [Description] field.
Section: Generated email configuration
5. In the [Sender] field, enter the email address that will be used as sender for the emails sent to your SMS service provider.
Note: If this field is left empty, the [Sender] field from [Parameters] > [Network] > [SMTP] is used instead.
Example: operateur@mycompany.com
6. Enter your operator's recipient email address in the [Recipient] field. Example: mail2sms@operateurtelecom.com
7. Enter the email subject in the format requested by your operator in the [Subject] field. The syntax to use is typically the following: SMSaccount:SMSuser:Password:Sender:%sms.recipient%
• SMSaccount: the account name provided by your SMS service provider.
• SMSuser: the user associated with the SMSaccount that has SMS sending capability.
• Password: the SMS user password.
• Sender: the sender who will be displayed as the SMS sender. Enter a name or phone number.
• %sms.recipient%: a mandatory variable for the SMS recipient’s phone number. This variable is permanent and cannot be replaced.
Example: sms-oo5555-1:operator:password:MYCOMPANY:%sms.recipient%
8. In the [Reply To] field, enter the email address to which your SMS service provider will send messages in case of failed SMS delivery. Example: failedsms@mycompany.com
9. Enter the email content in the [Email text] field. The email text must at least contain:
• The %sms.message% variable. This mandatory variable will be a placeholder for the SMS service provider to insert the SMS message.
• Predefined text that all messages will contain (such as a signature).
10. Click [Create] to save your SMS gateway configuration.

Sending a test SMS
1. Go to the SMS gateways configuration page via [Parameters] > [Network] > [SMS].
2. In the Label column, click on the link of the SMS gateway that you want to test.
Section: Sending a test SMS
3. Enter the recipient’s phone number in the [Recipient] field.
Note: Use the international format for the phone number. Example: +33612345678 (where 33 is the country prefix for France).
4. Enter the message content in the [Message] field.
5. Click on [Test] to send a test SMS.
6. Check that the message was correctly sent to your SMTP server and that the result displays successful as shown in the above screenshot.
Warning: A successful send of the SMS does not mean it was delivered. Check that the message was correctly received in order to complete the test.

Configuring the HTTP proxy
If Olfeo requires an HTTP proxy to connect to the internet, use the [Parameters] > [Network] > [HTTP] page to configure it.
Note: An Internet connection is required for Olfeo automatic database updates (Virus, URLs, ...), URL dynamic filtering, automatic license update and software update.
1. Go to the HTTP Proxy configuration page via [Parameters] > [Network] > [HTTP].
Section: HTTP
2. Enable the [Use proxy] checkbox.
3. Enter the proxy’s IP address in the [Server] field.
4.
Enter the HTTP proxy’s TCP port in the [Port] field.
5. If the outgoing HTTP proxy requires authentication, enable the [Use authentication] checkbox.
a) Enter the login required for proxy authentication in the [Login] field.
b) Enter the corresponding password in the [Password] field.
6. Click on [Ok] to save your changes.

Testing your network configuration
1. Go to the Network Test page via [Parameters] > [Network] > [Network Tests].
2. To ping a destination server from the Olfeo solution:
a) Enter the destination IP address or the server name in the field in the Test Parameter column.
b) Click on the [Run Test] link from the Action column.
c) Check that the result is displayed as Successful in the Test Result column.
3. To perform a DNS resolution test from the Olfeo solution:
a) Enter the destination FQDN to be resolved in the corresponding Test Parameter column.
b) Click on the [Run Test] link from the Action column.
c) Check that the result is displayed as Successful in the Test Result column.
4. To test that the Olfeo solution can perform HTTP requests:
a) Enter a URL in the field in the Test Parameter column.
b) Click on the [Run Test] link from the Action column.
c) Check that the result is displayed as Successful in the Test Result column.
5. To test that the Olfeo solution can send emails:
a) Enter an email address in the field in the Test Parameter column.
b) Click on the [Run Test] link from the Action column.
c) Check that the result is displayed as Successful in the Test Result column.

Submenu: System
The [Parameters] > [System] > [Services] page provides a way to start or stop the Olfeo solution's services, as well as to have those services start automatically.
The [Parameters] > [System] > [Date] page provides a mechanism to synchronize your Olfeo date and time with one or more NTP servers.
The [Parameters] > [System] > [Archive] page lets you enable both the NCSA and Olfeo RAW log formats, as well as remove some information from these logs. RAW logs are Olfeo proprietary binary log files grouping all browsing information processed by Olfeo. The RAW logs include all URL, protocol and file information processed by Olfeo and the filtering operations performed. Olfeo RAW logs are essential in order to generate [Analysis]. NCSA logs are text log files, as opposed to RAW files. These NCSA logs follow the format specified by the National Center for Supercomputing Applications (NCSA) during the development of their NCSA HTTPd web server. Olfeo supports this universal format, which is not enabled by default; it lets you create text log files that you can process using third-party log processing products compatible with the NCSA format.
The [Parameters] > [System] > [Console] page lets you configure HTTPS access to the Olfeo Administration Console. HTTPS provides an encrypted communication channel between your Olfeo Administration machine and the Olfeo Administration Console.

Stop/Start Configuration
1. Go to the services configuration page via [Parameters] > [System] > [Services].
2. To stop or start a service, click on the [Stop] or [Start] link for the corresponding service in the Action column. These are the Olfeo services:
• URL filtering service: Manages everything related to filtering in the Olfeo solution.
• SNMP Monitoring Service: Handles SNMP queries initiated by monitoring applications. For more information about monitoring, refer to: Submenu: Monitoring on page 208.
• RTSP Proxy: Proxy for RTSP flows (Real Time Streaming Protocol). For more information concerning the Olfeo RTSP proxy, refer to: Sub menu: RTSP on page 56.
• Logging Service: Handles Olfeo logs writing operations.
If this service is stopped, the operations described in Submenu: Livelog on page 153 ([Analysis] > [Livelog]) will also become unavailable.
• [ClamAV daemon]: Olfeo antivirus service.
• [Network Time Protocol]: Handles Olfeo clock synchronization using the NTP protocol.
• [Proxy service]: Olfeo HTTP proxy service.
A service's state is shown in the Action column:
• A service that is currently started displays a [Stop] link in the Action column.
• A stopped service displays a [Start] link in the Action column.
The other possible states for the Action column are:
• disabled: The service is not available.
• error: The service has encountered an error (when you move your mouse over the service state, a tooltip gives more information about the error).
3. To automatically start a service when Olfeo starts, enable the checkbox in the [Enable at boot] column.

Configuring the NTP synchronization
Warning: You may notice a lag of 1 to 2 hours, depending on daylight saving time, between the Olfeo time and your local time. This time difference is normal! Olfeo uses international UTC standard time in order to facilitate the use of time-related objects or functions (timeslots, statistics, ...). This time difference is observable in the Olfeo livelog, as those logs also use UTC time. For obvious reasons, it is not recommended to alter the Olfeo time because of the impact it could have on time-related objects or features. For example, by changing the Olfeo timezone to "Paris" time, you could end up filtering in the time range 11 am - 8 pm if you used a timeslot specified as 9 am - 6 pm.
Warning: Remember that all clocks drift: for NTLM authentication, you need to ensure your Olfeo and Active Directory times do not differ by more than 5 minutes.
1. Go to the NTP configuration page via [Parameters] > [System] > [Date].
Section: Date
2. In the [NTP Servers] field, enter the addresses or FQDNs of the NTP servers you want to use for time synchronization.
3. Click on [Ok] to save your changes.
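The two clock constraints in the warnings above, as an added Python example that is not part of the Olfeo documentation or product: it computes the clock offset from an SNTP server reply, checks it against the 5-minute NTLM limit, and shows how a timeslot evaluated in UTC reads on a UTC+2 wall clock. The sample packet is constructed inline, all function names are hypothetical, and the reply is assumed to come from the time source your Active Directory domain controllers follow.

```python
import struct
from datetime import date, datetime, time, timedelta, timezone

NTP_EPOCH_DELTA = 2208988800   # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
NTLM_MAX_SKEW_SECONDS = 300    # the 5-minute limit stated in the guide


def _to_ntp(unix_ts):
    """Unix time -> (seconds, fraction) of a 64-bit NTP timestamp."""
    secs = int(unix_ts)
    return secs + NTP_EPOCH_DELTA, int((unix_ts - secs) * 2**32)


def _from_ntp(secs, frac):
    """(seconds, fraction) of an NTP timestamp -> Unix time."""
    return secs - NTP_EPOCH_DELTA + frac / 2**32


def build_reply(t1, t2, t3, stratum=2):
    """Build a constructed 48-byte SNTP server reply (sample data, no network).

    t1: client transmit time, echoed back as the originate timestamp
    t2: server receive time, t3: server transmit time
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 4   # no leap warning, version 4, mode 4 (server)
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)
    header += struct.pack("!II4s", 0, 0, b"\x00" * 4)  # root delay, dispersion, ref id
    # Timestamp order on the wire: reference, originate, receive, transmit.
    stamps = struct.pack("!8I", *_to_ntp(t2), *_to_ntp(t1), *_to_ntp(t2), *_to_ntp(t3))
    return header + stamps


def clock_offset(packet, t4):
    """Return how far the server clock is ahead of the local clock, in seconds.

    t4 is the local time at which the reply was received.
    """
    if len(packet) < 48:
        raise ValueError("truncated NTP packet")
    leap, mode, stratum = packet[0] >> 6, packet[0] & 0x07, packet[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if stratum == 0 or leap == 3:
        # Kiss-of-death or alarm condition: the server's own clock cannot be trusted.
        raise ValueError("server clock is not synchronized")
    fields = struct.unpack("!6I", packet[24:48])   # originate, receive, transmit
    t1, t2, t3 = (_from_ntp(fields[i], fields[i + 1]) for i in (0, 2, 4))
    return ((t2 - t1) + (t3 - t4)) / 2


def ntlm_skew_ok(offset_seconds):
    """True when the measured offset stays within the 5-minute tolerance."""
    return abs(offset_seconds) <= NTLM_MAX_SKEW_SECONDS


def utc_slot_on_local_clock(start, end, utc_offset_hours):
    """Wall-clock range covered by a timeslot that is evaluated in UTC."""
    local = timezone(timedelta(hours=utc_offset_hours))
    day = date(2024, 7, 1)   # constructed date; only the time of day matters here

    def shift(t):
        return datetime.combine(day, t, tzinfo=timezone.utc).astimezone(local).time()

    return shift(start), shift(end)


if __name__ == "__main__":
    sent = 1718000000.0                                    # constructed local send time
    reply = build_reply(sent, sent + 400.5, sent + 400.5)  # server runs 400 s ahead
    offset = clock_offset(reply, sent + 1.0)
    print(f"offset {offset:+.1f}s, within NTLM tolerance: {ntlm_skew_ok(offset)}")
    print("9 am - 6 pm UTC at UTC+2:", utc_slot_on_local_clock(time(9), time(18), 2))
```

A positive offset means the queried server is ahead of the local clock; the sign does not matter for the tolerance check.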
Configuring logs archiving
1. Go to the logs configuration page via [Parameters] > [System] > [Archive].
Section: Enable Statistics
2. Enable the [Enable statistics] checkbox in order to activate the generation of Olfeo proprietary RAW log files. Olfeo RAW log files are proprietary binary files grouping all information received and processed by Olfeo. The RAW log files contain all URL, protocol and file flows sent to Olfeo and the filtering decisions applied.
Warning: The RAW log files are essential for generating statistics and reports from the [Analysis] menu.
3. To prevent recording users' user names in the Olfeo RAW log files, enable the [Don't log users] checkbox.
Note: If [Don't log users] is enabled, it will be impossible to perform per-user statistical analysis.
4. To prevent recording users' groups in the Olfeo RAW log files, enable the [Don't log groups] checkbox.
Note: If [Don't log groups] is enabled, it will be impossible to perform per-group statistical analysis.
5. To prevent recording users' IP addresses in the Olfeo RAW log files, enable the [Don't log ips] checkbox.
Note: If [Don't log ips] is enabled, it will be impossible to perform statistical analysis per IP range.
6. To deactivate time spent analysis in the RAW log files, enable the [Disable timespent statistics] checkbox.
Note: If the [Disable timespent statistics] checkbox is enabled, it will be impossible to perform time spent statistical analysis.
Section: Enable NCSA
7. To generate NCSA format log files, enable the [Enable NCSA] checkbox. NCSA logs are text log files, as opposed to Olfeo RAW log files. These NCSA log files follow the format specified by the National Center for Supercomputing Applications (NCSA) during the development of their NCSA HTTPd web server.
Olfeo supports this universal format, which is not enabled by default. Enabling it creates additional log files in text format that you can process using third-party log processing products compatible with the NCSA format.
8. To prevent recording users' usernames in the NCSA log files, enable the [Don't log users] checkbox.
9. To prevent recording users' IP addresses in the NCSA log files, enable the [Don't log ips] checkbox.
10. Choose the language for the NCSA log files in the [Language] dropdown list.
11. Click on [Ok] to save your changes.

Enabling Olfeo administration console HTTPS access

1. Go to the Olfeo Administration Console access mode configuration page via [Parameters] > [System] > [Console].

Section: Web Server Mode
2. To switch the Olfeo Administration Console access mode to HTTPS using the Olfeo pre-generated, self-signed certificate, click on the [Switch to HTTPS mode with default key] button.
3. To use a certificate other than Olfeo's default one:
a) Select your SSL certificate in the [SSL Certificate] field, using the [Browse...] button.
b) Select your SSL private key in the [SSL Key] field, using the [Browse...] button.
4. Click on [Ok] to save your changes.

Submenu: Monitoring

The [Parameters] > [Monitoring] > [Logs] page displays the Olfeo system log, typically composed of informational and error messages.

The [Parameters] > [Monitoring] > [Status] page provides a way to review the Olfeo solution status in terms of:
• Storage list (memory buffers, physical memory utilization, swap space consumption, fixed and remote volumes available/consumed space).
• System parameters (uptime, number of processes, number of TCP connections, CPU load).
• Process list (top processes with memory consumption).

The [Parameters] > [Monitoring] > [Snmp] page provides a way to restrict access to Olfeo SNMP information to a list of SNMP clients and SNMP communities.

The [Parameters] > [Monitoring] > [Syslog] page allows the Olfeo administrator to configure one or more syslog servers. Once configured, Olfeo will send entries of its event logs to the configured syslog servers.

The [Parameters] > [Monitoring] > [Tasks] page lets you view Olfeo automated tasks. On this page, you can view:
• The task name.
• The task execution frequency (cron syntax).
Note: For more information about the cron syntax, see: Cron.
• The task Last Start and Last End dates.

The [Parameters] > [Monitoring] > [Tasks] page also lets you manually trigger task execution.

Enabling email based system notifications

1. Go to the system log page via [Parameters] > [Monitoring] > [Logs].

Section: Logs mails
2. If you want the currently logged in Olfeo Administrator to receive system event messages, enable the [Send alert emails to ...] checkbox.
3. If you want to send system event messages to other email addresses, enter these addresses, separated by commas, in the [Additional mailing lists] field.
4. Click on [Ok] to save your changes.

Filtering system events by type

1. Go to the system log page via [Parameters] > [Monitoring] > [Logs].
2. In the Level column, click on the message type you want to filter on.
Example: info
3. To cancel an event type filter and display messages of all event types again, click on the [Show all] link at the bottom of the page.

Configuring SNMP agents' access to Olfeo

1.
Go to the SNMP access configuration page via [Parameters] > [Monitoring] > [Snmp].
2. In the [IP allowed] field, enter the IP addresses allowed to send SNMP queries to Olfeo.
3. Enter the SNMP community the SNMP agents must be part of to be able to send SNMP queries to Olfeo.
Example: public
4. Click on [Ok] to save your changes.

Adding a syslog server

1. Go to the syslog configuration page via [Parameters] > [Monitoring] > [Syslog].

Section: Syslog
2. Enter a name for your syslog server in the [Label] field.
3. Enter a description for your syslog server in the [Description] field.

Section: Parameters
4. Enter your syslog server IP address in the [Server] field.
5. Click on [Create] to save your changes.

Forcing execution of a scheduled task

1. Go to the scheduled tasks page via [Parameters] > [Monitoring] > [Tasks].

Section: Tasks
2. In the [Task to execute] dropdown list, select the task you want to trigger.
3. Click on the [Run Task] button.

Section: Tasks
4. Check the result status of your task's last execution in the Tasks section.

Submenu: Updates

The [Parameters] > [Updates] > [Software] page displays the list of Olfeo component packages, their versions and the available updates. Use this submenu to update your Olfeo installation.

The [Parameters] > [Updates] > [Database] page allows you to view the versions of the Olfeo URL and antivirus databases.

The [Parameters] > [Updates] > [Subscription] page displays the status of your Olfeo licenses as well as your technical support contract and your active or expired OlfeoBox warranties.

The [Parameters] > [Updates] > [Credentials] page lets you enter your Olfeo license identifier and password in order to activate your license.

Updating Olfeo

1. Go to the [Parameters] > [Updates] > [Software] page.
2.
Click on the [Install updates] button.
3. Wait for the update to complete.
4. Once the update is complete, you will have to log back in to the Olfeo Administration Console.

Manually updating the Olfeo URL database

Olfeo automatically and transparently updates its URL database every 15 minutes. To perform a manual update, use the following procedure.

1. Go to the [Parameters] > [Updates] > [Database] page.
2. Click on the [Olfeo - URL Base] link in the Label column.
3. Click on the [Complete Update] button to perform a complete URL database update, or click on the [Incremental Update] button to perform an incremental update. The update will run in the background.
4. Click on the [Ok] button.

Configuring Olfeo URL database automatic update

1. Go to the [Parameters] > [Updates] > [Database] page.

Section: Parameters
2. To periodically report to Olfeo systems a list of the unknown URLs your Olfeo solution recorded, enable the [Allow information upload to Olfeo] checkbox.
3. To enable the automatic and transparent update of the Olfeo URL database, enable the [Use automatic synchronization] checkbox.
4. Click on [Ok] to save your changes.

Entering your Olfeo license

1. Go to the [Parameters] > [Updates] > [Credentials] page.
2. In the [Login] and [Password] fields, enter the license identifiers you received from Olfeo.
Note: Your license identifiers are typically delivered in the shipping documentation, in the "Code de téléchargement et de mise à jour" section of the document.
3. Click on the [Ok] button.
4. To activate your license and review your license information, go to the [Parameters] > [Updates] > [Subscription] page, then click on the [Update licence] button.

Renewing your license

1. Go to the [Parameters] > [Updates] > [Subscription] page.

Section: Software
2. Click on one of the [Renew] links from the Action column.
3.
An email window should pop up. Write down your renewal request and its specifics, then send the email to Olfeo customer service:

When renewing one or more Olfeo products:
Customer Name :
Olfeo Products Requested :
Requested Start Date :
Requested End Date :
Number of Licenses Requested :
Total Number of Users :

When renewing Olfeo direct Technical Support:
Requested Start Date :
Requested End Date :
Current Number of Licenses :

When renewing an OlfeoBox Warranty:
Requested Start Date :
Requested End Date :
OlfeoBox Model :
OlfeoBox Serial Number :

Submenu: Backup

The [Backup] > [Destinations] page lets you define mount points, also called destinations, that will be used as backup destinations. Olfeo backups require you to manually create a CIFS or NFS mount point to be used as a destination before any other backup configuration.

The [Backup] > [Backup tasks] page allows you to define the backup tasks to be performed. Although backup tasks can be scheduled, you can also perform a manual backup using the [Backup] > [Backup tasks] page.
Note: Olfeo backups are considered "hot" backups because they do not cause any service interruption.

The [Backup] > [Backup listing] page lets you view the latest backup operations performed and manually run a restore operation.
Note: Olfeo restore operations are considered cold operations because they trigger a restart of Olfeo services.

Creating a CIFS mount point in Olfeo

1. Open a terminal or SSH session on Olfeo using the root username.
2. Create the directory to use as the mount point for your CIFS share.
Warning: For an Olfeo virtual appliance or a software installation, the mount point directory must be created under the Olfeo chroot directory, /opt/olfeo5/chroot/.
Example for Olfeo Box:
    root@myolfeo:~# mkdir /mnt/cifs
Example for a virtual appliance or a software installation:
    root@myolfeo:~# mkdir /opt/olfeo5/chroot/mnt/cifs
3.
Edit the /etc/fstab file with the editor of your choice.
    root@myolfeo:~# vi /etc/fstab
4. Enter the line that permanently mounts your remote CIFS share and then save the change.
Example for Olfeo Box:
    //server_partage/partage /mnt/cifs/ cifs credentials=/root/.smbcredentials,iocharset=utf8,file_mode=0777,dir_mode=0777,auto 0 0
Example for a virtual appliance or a software installation:
    //server_partage/partage /opt/olfeo5/chroot/mnt/cifs/ cifs credentials=/root/.smbcredentials,iocharset=utf8,file_mode=0777,dir_mode=0777,auto 0 0
Where:
• server_partage is the name or IP address of the server providing the CIFS share.
• partage is the name of the CIFS share.
• /mnt/cifs/ or /opt/olfeo5/chroot/mnt/cifs/ is the directory where the CIFS file system will be mounted.
• /root/.smbcredentials is the name of a hidden file that will contain the username and password for accessing the share.
Note: You will need to create this file later.
5. Edit the file named by the credentials attribute on the /etc/fstab mount line (/root/.smbcredentials in the preceding example).
6. Enter the username and password of the user authorized to access the share and then save the change.
Example:
    username=james
    password=mypassw0rd
7. Remove any read and write permission on this file for all users except root, to prevent other users from reading or changing the username/password pair.
    root@myolfeo:/# chmod 700 /root/.smbcredentials
8. Mount the remote file system using the mount command.
Example:
    mount //server_partage/partage
Warning: If your system does not know how to mount a CIFS share, it is probably because the smbfs Debian package is not installed.
Example:
    apt-get install smbfs

Mounting an NFS share in Olfeo

1. Open a terminal or SSH session on Olfeo using the root username.
2. Create the directory where you will mount the remote NFS share.
Warning: For an Olfeo virtual appliance or a software installation, the mount point directory must be created under the Olfeo chroot directory, /opt/olfeo5/chroot/.
Example for Olfeo Box:
    root@myolfeo:~# mkdir /mnt/nfs
Example for a virtual appliance or a software installation:
    root@myolfeo:~# mkdir /opt/olfeo5/chroot/mnt/nfs
3. Edit the /etc/fstab file with the editor of your choice.
    root@myolfeo:~# vi /etc/fstab
4. Enter the line required to permanently mount your NFS share and then save the change.
Example for Olfeo Box:
    server_partage:/partage/ /mnt/nfs/ nfs defaults,user,auto,noatime,intr 0 0
Example for a virtual appliance or a software installation:
    server_partage:/partage/ /opt/olfeo5/chroot/mnt/nfs/ nfs defaults,user,auto,noatime,intr 0 0
Where:
• server_partage is the name or IP address of the server providing the NFS share.
• partage is the name of the NFS share.
• /mnt/nfs/ or /opt/olfeo5/chroot/mnt/nfs/ is the directory where the NFS file system will be mounted.
5. Mount the remote file system using the mount command.
Example:
    mount server_partage:/partage/

Configuring a Backup Destination in Olfeo

1. Go to the [Backup] > [Destinations] page.

Section: Destination
2. Enter a name in the [Label] field.
3. Enter a description in the [Description] field.

Section: Parameters
4. Enter the directory of your CIFS or NFS mount point in the [Location] field.
Note: If you have a virtual appliance or a software installation, you need to enter the directory as seen from within the Olfeo chroot.
Example: If you entered /opt/olfeo5/chroot/mnt/cifs/ in /etc/fstab, enter /mnt/cifs in the [Location] field. If you entered /opt/olfeo5/chroot/mnt/nfs/ in /etc/fstab, enter /mnt/nfs in the [Location] field.
5. Click on [Create] to save your changes.

Creating a Backup Task

1. Go to the [Backup] > [Backup tasks] page.

Section: Task
2. Enter a name in the [Label] field.
3. Enter a description in the [Description] field.

Section: Parameters
4. Using the checkboxes in the [module] field, select the data you want to save as part of your Olfeo backup. You can choose from the following types of data:
• Global data: Global data refers to the data of a machine that is not part of an Olfeo domain, or to the data of a Master machine in an Olfeo domain.

Backup | Description
Statistics data | All the RAW and NCSA logs (traffic data and processed data) used for statistics.
Charter and Parameters | Internet charter configured by the Olfeo Administrators and the corresponding global settings.
Statistics configuration | All reports and analysis defined by Olfeo Administrators.

• Local data: Local data refers to the data specific to each machine of an Olfeo domain.

Backup | Description
Local configuration | Olfeo local configuration elements (IP address, DNS, domain, ...)

5. Select a previously configured destination from the [Destination] dropdown list.

Section: Planning
6. Select the time of day (UTC time) for the backup task in the [Hour (UTC)] field.
Example: 23:00
7. Select your backup frequency.
• None: No frequency.
• Daily
• Weekly: For a weekly backup frequency, select the day of the week you want your backup task to run, using the checkboxes of the [Periodicity] field.
• Monthly: For a monthly backup, select the day of the month you want your backup task to run. Enter the date in the [Every ... of the month] field (e.g.: 5).
8. To configure a retention for your backup tasks, enable the [Cleaning] checkbox.
a) Then enter the number of backup tasks to keep in the [maximum kept backups] field.
9. Click [Create] to save your backup task.

Manually running a backup task

1. Go to the [Backup] > [Backup tasks] page.
2. Identify the backup task you want to run and click on the corresponding [Execute] link in the Action column.
3. Wait for the backup operation to complete.
4. Verify that the backup task completed successfully using the [Backup] > [Backup listing] page.

Restoring a backup

1. Go to the [Backup] > [Backup listing] page.
2. Identify the backup you want to restore and click on the [Restore] link.
Warning: The Charter and parameters and Local configuration elements can be restored independently; however, it is recommended to restore the Statistics data and Statistics configuration together because of their inherent dependency.
3. Verify the information in the [Label], [Date (UTC)] and [Elements to restore] fields.
Danger: A restore is a cold and destructive operation. Any restore operation will overwrite existing data.
4. Click [Ok] to start the restore process.
Note: The restore operation may require restarting some Olfeo services. Consequently, the Administration Console may become unavailable and require a reconnection.

Backing up legal traffic logs (RAW and NCSA)

The RAW and NCSA log files contain all user traffic. Olfeo RAW log files are proprietary binary logs, while NCSA log files contain a subset of the information available in the RAW log files but follow a text file format.
Warning: Because of their inherent size, the RAW and NCSA log files are never saved using Olfeo backups. However, the following procedure can be implemented to perform this kind of backup operation.

1. Mount a new CIFS or NFS share directory using the procedures Creating a CIFS mount point in Olfeo on page 222 or Mounting an NFS share in Olfeo on page 223.
2. Open a terminal or SSH session on your Olfeo.
3. If your Olfeo is a virtual appliance or a software installation, enter the Olfeo chroot.
    chroot /opt/olfeo5/chroot/
4. Edit the cron table using the following command:
    crontab -e
5. Enter a task, executed every 3 minutes, that synchronizes the Olfeo log files directory with your mount point.
You can, for example, use the rsync command to perform this synchronization.
If the mount point created at step 1 is CIFS based, type:
    */3 * * * * rsync -avz /opt/olfeo5/data/log/ /mnt/cifs/ >> /var/log/rsync_raw.log
If the mount point created at step 1 is NFS based, type:
    */3 * * * * rsync -avz /opt/olfeo5/data/log/ /mnt/nfs/ >> /var/log/rsync_raw.log
Note: If you enabled the creation of NCSA log files and also want to back them up, create a new share at step 1 and create an automated task in the crontab using /opt/olfeo5/data/ncsa/ as the source directory for synchronization.
If the mount point created at step 1 is CIFS based, type:
    */3 * * * * rsync -avz /opt/olfeo5/data/ncsa/ /mnt/cifs_ncsa/ >> /var/log/rsync_ncsa.log
If the mount point created at step 1 is NFS based, type:
    */3 * * * * rsync -avz /opt/olfeo5/data/ncsa/ /mnt/nfs_ncsa/ >> /var/log/rsync_ncsa.log
6. Save your crontab changes, as in vi, using "Esc"+":wq!".
Your automated backup task is now in place.

Submenu: Advanced

The [Parameters] > [Advanced] > [Redirection] page provides a way to store blocking pages on a server other than Olfeo and to redirect your end users to this server to retrieve the blocking pages.

The [Parameters] > [Advanced] > [ICAP] page allows you to specify additional parameters to use for integration with third party products using the ICAP protocol.
Danger: No change should be made on this page without recommendations from Olfeo Support.

The [Parameters] > [Advanced] > [Gateways] page lets you define gateways, which are used to define the URL filtering policy when a central filtering Olfeo serves multiple remote sites that access it through gateways. This page allows you to define a gateway for each remote site and to associate a URL filtering policy and a specific blocking page redirection with each one.
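The cron entries in "Backing up legal traffic logs (RAW and NCSA)" above run rsync whether or not the share from step 1 is actually mounted; if the mount has dropped, the copy lands on the appliance's local disk instead of the share. The wrapper below is an added example, not Olfeo code: it checks the mount (and, for CIFS, that the credentials file is private) before syncing. The script path shown in the cron comment and the availability of /proc/mounts where cron runs are assumptions.

```shell
#!/bin/sh
# Added example (not Olfeo code): sync the log directory only when the
# destination is a mounted CIFS/NFS share.

# MOUNTS_FILE can be overridden to exercise the check with a constructed
# table; on a live Linux system it is /proc/mounts (assumed to be available).
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# is_mounted DIR -> 0 if DIR (trailing slash ignored) is listed in
# MOUNTS_FILE as a mount point of type cifs or nfs/nfs4, 1 otherwise.
is_mounted() {
    dir="${1%/}"
    [ -n "$dir" ] || dir="/"
    awk -v d="$dir" '$2 == d && ($3 == "cifs" || $3 ~ /^nfs/) { found = 1 }
                     END { exit !found }' "$MOUNTS_FILE"
}

# creds_private FILE -> 0 if FILE exists and grants nothing to group/other,
# 1 if group or other have any permission bit, 2 if FILE is missing.
creds_private() {
    [ -f "$1" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

log_msg() {
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$1" >&2
}

# guarded_sync SRC DEST [CREDS_FILE]
# Returns 3 if DEST is not a mounted share, 4 if CREDS_FILE is missing or
# accessible to group/other, otherwise the exit status of rsync.
guarded_sync() {
    src="$1"; dest="$2"; creds="${3:-}"
    if ! is_mounted "$dest"; then
        log_msg "SKIP: $dest is not a mounted cifs/nfs share"
        return 3
    fi
    if [ -n "$creds" ] && ! creds_private "$creds"; then
        log_msg "SKIP: $creds is missing or accessible to group/other"
        return 4
    fi
    rsync -avz "$src" "$dest"
}

# Cron usage (hypothetical script path), replacing the bare rsync entry:
# */3 * * * * /usr/local/sbin/olfeo_log_sync.sh /opt/olfeo5/data/log/ /mnt/cifs/ /root/.smbcredentials >> /var/log/rsync_raw.log 2>&1
if [ "$#" -ge 2 ]; then
    guarded_sync "$@"
fi
```

The skip messages go to stderr, so the cron entry redirects both streams into the same log file the original entry used.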
The [Parameters] > [Advanced] > [Auto Populate User] page should be used for the automatic creation of Olfeo users when unknown users or IP addresses are encountered.

The [Parameters] > [Advanced] > [Support] menu provides technical support tunnel management operations. The technical support tunnel lets Olfeo Technical Support personnel remotely access your Olfeo, so that they can open a terminal session, use the Olfeo Administration Console and perform filtering tests using your Olfeo.

Redirecting Olfeo Blocking Pages

1. Go to the blocking pages redirection configuration page via [Parameters] > [Advanced] > [Redirection].

Section: Redirection
2. Select the redirection method from the [Redirection Mode] dropdown list. Two options are available:
• Automatic: The default redirection mode. The automatic redirection mode configures Olfeo to handle blocking page requests itself.
• Static: This redirection mode configures Olfeo to redirect end users to an external server that handles blocking page requests. The external server IP address and TCP port should be entered in the [Static host] and [Port] fields.
a) If [Static] is selected as the [Redirection Mode], enter the external server IP address in the [Static host] field and the external server TCP port in the [Port] field.
3. The redirection URL returned by Olfeo on a blocking condition can be changed. To do so, enable the [Redirection URL] checkbox and enter the redirection URL in the [Redirection URL] field.

Configuring a gateway

In a distributed architecture with end users on remote sites and centralized filtering, it may be useful to define a URL filtering policy for each remote site. The gateway feature can be used for this purpose.
The [Parameters] > [Advanced] > [Gateways] page provides a way to define multiple gateways, one for each remote site, and to associate a URL filtering policy and a blocking pages redirection setting with each of them.

1. Go to the gateways creation page via [Parameters] > [Advanced] > [Gateways].
2. Click on the [Add gateway] link.

Section: Gateway
This section applies exclusively to integrations using connectors (coupling or capture integration types). Refer to the Olfeo Integration Guide for more information.

Figure 25: Coupling based Integration
Figure 26: Bridging based Capture Integration
Figure 27: Port Mirroring based Capture Integration

In a coupling based integration type, Olfeo can integrate with third party products using different protocols such as ICAP, OPSEC, WISP or even the Olfeo protocol. When communicating with Olfeo, the third party product can potentially send various types of information, such as:
• Its IP address.
• The login used by the third party product (in the case of an Olfeo connector).
In the case of capture integration, Olfeo receives the traffic's VLAN.

3. Enter a name in the [Label] field.
4. In the [Server] field, enter the IP address, the login used by the third party product, or the VLAN to create your gateway. This information defines your gateway so that you can limit access to your BUs or to your groups by inserting this gateway in the list of users (refer to Editing an object from the users list on page 105 for more information).
Example: 192.168.3.4

Section: Configuration
Once the gateway is configured, two situations may occur:
• The third party product uses a known IP address or login; or, in the case of capture integration, it uses the appropriate VLAN. In this situation, Olfeo will apply the URL filtering policy associated with the gateway as well as the underlying users' URL filtering policy.
• The third party product uses an unhandled IP address or login; or, in the case of a capture integration, a VLAN not handled by any configured gateway. In this situation, Olfeo will not apply any gateway URL filtering policy or the underlying users' policy list. It will only apply the URL filtering policies ranking higher than, or at the same hierarchical level as, the gateway in the users list.
5. In the [URL Policy] dropdown list, select the URL filtering policy to associate with the gateway.
Note: To create a URL filtering policy, go here: Creating a URLs filtering policy on page 25.
6. If you want the blocking pages for your gateway to be served by an external server, enable the [Redirection IP] checkbox and enter the IP address.
7. Click [Create] to save your gateway.
8. Add your gateway to the users list as explained in Editing an object from the users list on page 105.

Auto Populating Users

Note: This page allows you to configure Olfeo's behavior when it encounters unknown users or IP addresses.

1. Go to the Users Auto Populating configuration page via [Parameters] > [Advanced] > [Auto Populate User].

Section: Automatic creation
2. If you want Olfeo to auto-populate users for unknown users, enable the [Automatic creation by login] checkbox.
3. If you want Olfeo to auto-populate IP addresses for unknown IP addresses, enable the [Automatic creation by IP] checkbox.
4. Auto-populated users and IP addresses will be created in the Olfeo users list. To configure the Organizational Unit (OU) Olfeo will use for auto-populated users and IP addresses, enter the OU in the Default Bu field.
5. You can also configure the group to be used when auto-populating users and IP addresses. Enter the group in the Default Group field.
6. Click on [Ok] to save the changes.
Submenu: Support

The [Parameters] > [Support] page gives the Olfeo Administrator the capability to configure and manage an SSH based Technical Support tunnel. The tunnel can only be used by Olfeo Technical Support personnel to gain remote access to your Olfeo over an encrypted tunnel.

Opening a Technical Support Tunnel

Section: Olfeo Technical Support
1. To configure an SSH based tunnel allowing Olfeo Technical Support to remotely access your Olfeo:
a) Enter the Olfeo Technical Support server public IP address in the [Support IP address] field. This IP address should have been communicated to you by Olfeo Technical Support.
b) In the [Outgoing port] field, enter the outgoing source TCP port number Olfeo will use to communicate with the Technical Support public server.
c) In the [Remote port] field, enter the destination TCP port number to use on the Olfeo Technical Support server. This TCP port should be communicated to you by your Olfeo Technical Support contact.
d) Click on the [Connection] button to initiate the Olfeo Technical Support tunnel connection. If the connection is correctly established, the [Status] field should display Activated.

Section: Partner Technical Support Tunnel
2. To configure an SSH based Technical Support tunnel to be used exclusively by your Olfeo partner:
a) Enter the IP address provided to you by your Olfeo partner in the [Support IP address] field.
b) Enter the outgoing TCP source port to be used when establishing a connection with your Olfeo partner server in the [Outgoing port] field.
c) Enter the destination TCP port of the Olfeo partner server in the [Remote port] field.
d) Click on the [Connect] button to initiate the connection to the Olfeo partner Technical Support tunnel server. If the connection is correctly established, the [Status] field should display Activated.
3.
Click on the [Information feedback] button to display information about your Olfeo installation.
Note: This information can be provided, if requested, to your Olfeo or Olfeo Partner Technical Support.

Chapter 9: Syntax

Topics:
• Regex Syntax

Regex Syntax

Regex, or regular expressions, can be used to create patterns according to your needs. Regex use the following syntax:
• . : Refers to any symbol.
• [abc] : Refers to the letter a, b or c.
• * : Refers to a repetition (0, 1 or more times the symbol before).
• + : Refers to a repetition (1 or more times the symbol before).
• ? : Refers to a repetition (0 or 1 time the symbol before).
• ^ : Refers to the beginning of a char string.
• $ : Refers to the end of a char string.
• () : Refers to a group of symbols.
• | : Refers to the logic symbol "or".
• \ : Protects (escapes) a character.

Examples:
• "porte(manteau)?": Matches "porte" and "portemanteau" but not "manteau".
• ".*": Matches any char string.
• "[bB]ateau": Matches "bateau" and "Bateau".
• "(chaise|porte)": Matches "chaise" or "porte".
• "monsite\.fr": Matches "monsite.fr" but not "monsiteXfr.com".

Warning: Beware: an unescaped "." stands for any character; it does not match only the dot separator in a domain name.

Examples:
• ".*yahoo.*" matches all URLs that contain yahoo.
• "www\.yahoo\..*" matches all addresses that begin with www.yahoo. (e.g.: www.yahoo.fr, www.yahoo.com, ...).
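The patterns above can be checked before they go into a filtering rule. This added example (not Olfeo code) uses POSIX extended regular expressions through grep -E as a stand-in for Olfeo's engine and assumes whole-string matching; it flags unescaped dots and lists which of a set of constructed host names a pattern would cover.

```shell
#!/bin/sh
# Added example (not Olfeo code). grep -E stands in for Olfeo's regex engine;
# matching the whole string (-x) is an assumption about how rules are applied.

# matches PATTERN STRING -> 0 if the whole STRING matches PATTERN.
matches() {
    printf '%s\n' "$2" | grep -Eqx -e "$1"
}

# has_unescaped_dot PATTERN -> 0 if PATTERN still contains a "." that is
# neither escaped (\.), nor inside a bracket expression, nor part of a
# deliberate wildcard (.*  .+  .?). Such a dot matches ANY character, so a
# rule written for one domain also covers look-alike names.
has_unescaped_dot() {
    printf '%s\n' "$1" |
        sed -e 's/\\.//g' -e 's/\[[^]]*]//g' -e 's/\.[*+?]//g' |
        grep -q '\.'
}

# overmatched PATTERN HOST... -> prints every HOST the pattern matches.
overmatched() {
    pat="$1"
    shift
    for host in "$@"; do
        if matches "$pat" "$host"; then
            printf '%s\n' "$host"
        fi
    done
}

# audit PATTERN HOST... -> prints a short report; returns 1 if the pattern
# contains an unescaped dot, 0 otherwise.
audit() {
    status=0
    if has_unescaped_dot "$1"; then
        printf 'WARN  %s : unescaped "." matches any character\n' "$1"
        status=1
    else
        printf 'OK    %s\n' "$1"
    fi
    overmatched "$@" | sed 's/^/      matches: /'
    return "$status"
}

# Constructed sample host names (not taken from any real rule set).
SAMPLE_HOSTS="www.yahoo.fr wwwXyahoo.fr www-yahoo-fr monsite.fr monsiteXfr"

# Run the audit over command-line patterns, e.g.:
#   sh regex_audit.sh 'www.yahoo.fr' 'www\.yahoo\.fr' 'www\.yahoo\..*'
for p in "$@"; do
    # SAMPLE_HOSTS is split on spaces on purpose.
    # shellcheck disable=SC2086
    audit "$p" $SAMPLE_HOSTS || true
done
```

With the sample hosts, 'www.yahoo.fr' also matches wwwXyahoo.fr and www-yahoo-fr, while 'www\.yahoo\.fr' matches only www.yahoo.fr.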