Olfeo Solution Integration Guide Copyright © Olfeo

Version: 1.0.14

Legal Information
Copyright © 2014 Olfeo. All rights reserved. This documentation may only be used under an Olfeo Company software license contract. This document cannot be used as a Software License Agreement with the company Olfeo. No part of this document may be reproduced, published, stored in an electronic file system, or converted into any machine language, in any form or by any means whatsoever, without Olfeo's prior written consent. Olfeo grants you limited permission to make hard copies or other reproductions of any computer documentation for your own use, provided that all such reproductions carry the Olfeo copyright notice. No other rights under copyright are granted without Olfeo's prior written consent. The content of this documentation may be changed by Olfeo without prior notice.

Trademarks
Olfeo is a registered international trademark of the Olfeo Company. This document refers to names, logos, software components or materials that are the property of third-party publishers or manufacturers:
• Linux is a registered trademark of Linus Torvalds.
• Microsoft, Windows, Active Directory, Hyper-V, Internet Explorer and their respective logos are registered trademarks of Microsoft Corporation.
• NTLM is a protocol developed by Microsoft Corporation.
• Check Point, FireWall-1, SmartDashboard, SmartCenter, OPSEC and their respective logos are registered trademarks or commercial trademarks of Check Point Software Technologies Limited.
• Netasq and its logo are trademarks of Netasq (S.A).
• eDirectory is a trademark of Novell, Inc.
• OpenLDAP is a trademark of the OpenLDAP Foundation.
• ClamAV is a registered trademark of Sourcefire Inc.
• Websense is a registered trademark of Websense, Inc.
• WISP is a protocol developed by Websense, Inc.
• Cisco, Pix, ASA are trademarks or registered trademarks of Cisco Technology, Inc.
• Nagios is a registered trademark of Nagios Enterprises, Llc.
• Firefox is a registered trademark of the Mozilla Foundation.
• HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, and Massachusetts Institute of Technology.
• Squid is a proxy software distributed under the terms of the GPL (GNU General Public License).
• ICAP (Internet Content Adaptation Protocol) is a protocol documented in RFC 3507.
All other brand names mentioned in this guide or in all the other documentation provided with the Olfeo products are trademarks or registered trademarks of their respective owners.

Contacts Olfeo 15, boulevard Poissonnière 75002 Paris France

Customer Account Management Service Whether you are an Olfeo partner or end user, the Olfeo Customer Account Management department is always available for your comments and requests. Email: [email protected] Phone: +33 (0)1.78.09.68.07

Olfeo Technical Support Access to support is reserved to customers with an 'ISV Direct Support' agreement. If you need to speak with one of our technical engineers, we recommend that you first contact your Customer Account Management representative. Mail: [email protected] Tel: +33 (0)1.78.09.68.01

Referrals Are you an existing customer of Olfeo and wish to refer someone who is interested in our solution? Contact us and take advantage of our referral program. Mail: [email protected]

URL reclassification Olfeo provides the following e-mail address to customers for requesting a URL review or reclassification. Mail: [email protected]

Documentation Department Please use the following email address to send comments or change requests to Olfeo product documentation. Mail: [email protected]

Contents
Chapter 1: Choosing the integration architecture ... 9
1.1 The integration architectures ... 10
1.1.1 Proxy integration ... 10
1.1.2 Coupling-based integration ... 12
1.1.3 Capture integration ... 13
1.2 Summary table: Integration architectures and features ... 15
1.3 Decision tree ... 16

Chapter 2: Choosing your authentication/identification architecture ... 17
2.1 Authentication and identification architectures ... 18
2.1.1 Transparent authentication (NTLM or Kerberos) ... 18
2.1.2 Authentication through LDAP directory ... 19
2.1.3 Captive portal based authentication ... 20
2.1.4 Authentication through public portal ... 23
2.1.5 Transparent identification ... 24
2.1.6 Coupling based identification ... 25
2.1.7 Bridging based identification ... 26
2.1.8 Traffic duplication based identification ... 27
2.2 Summary table: Architectures for integration and authentication/identification ... 28

Chapter 3: Implementing your integration ... 31
3.1 Implementing a proxy integration ... 32
3.1.1 Implementing an explicit proxy integration ... 32
3.1.2 Implementing a transparent proxy integration ... 36
3.2 Implementing an integration by coupling ... 43
3.2.1 Filtering URLs with Squid (Olfeo) (Recommended) ... 43
3.2.2 Filtering URLs or content with Squid (ICAP) ... 46
3.2.3 Filtering URLs with Check Point (OPSEC) ... 48
3.2.4 Filtering URLs with Netasq (ICAP) ... 52
3.2.5 Filtering URLs with Cisco (WISP) ... 55
3.3 Implementing a capture integration ... 57
3.3.1 Implementing a bridging based capture integration ... 57
3.3.2 Implementing a traffic duplication based capture integration ... 59

Chapter 4: Configuring authentication/identification ... 61
4.1 Configuring a transparent authentication ... 62
4.1.1 Adding an Active Directory server and synchronizing the users ... 62
4.1.2 Joining the Olfeo solution to the Windows domain ... 65
4.1.3 Adding transparent authentication to the HTTP or FTP over HTTP proxy ... 65
4.2 Setting up LDAP directory authentication ... 67
4.2.1 Adding an LDAP directory and synchronizing users ... 67
4.2.2 Creating an authentication zone ... 69
4.2.3 Adding LDAP authentication to the HTTP proxy or FTP over HTTP proxy ... 70
4.2.4 Adding an authentication to FTP or SOCKS proxy ... 72
4.2.5 Configuring the client machine ... 73
4.3 Setting up authentication by captive portal ... 73

Olfeo Solution / Integration Guide / 7

4.3.1 Adding a directory ... 73
4.3.2 Creating an authentication zone ... 78
4.3.3 Setting up the LDAP authentication portal ... 79
4.3.4 Setting up the NTLM captive portal ... 80
4.3.5 Configuring the client machine ... 81
4.4 Setting up authentication by public portal ... 82
4.4.1 Creating custom pages ... 82
4.4.2 Adding a directory ... 84
4.4.3 Add a public portal ... 89
4.4.4 Create access rights for the operators ... 89
4.4.5 Creating a user voucher ... 90
4.4.6 Enabling the public portal ... 91
4.4.7 Configuring the client machine ... 92
4.5 Setting up transparent identification ... 92
4.6 Setting up a bridging based capture identification ... 93
4.7 Setting up traffic duplication based capture identification ... 93

Chapter 5: High availability integration ... 95
5.1 Olfeo high-availability architecture ... 96
5.1.1 The Olfeo domain ... 96
5.1.2 The Olfeo cluster ... 96
5.1.3 Log replication server ... 98
5.1.4 Load balancing ... 98
5.2 Creating an Olfeo domain ... 102
5.3 Joining an Olfeo domain ... 102
5.4 Creating a cluster ... 103
5.5 Adding a log replication server ... 104

Chapter 6: Monitoring the Olfeo solution ... 105
6.1 Monitoring with Nagios (SNMP monitoring) ... 106
6.1.1 Configuring the Olfeo solution to interact with SNMP ... 106
6.1.2 Configuring Nagios ... 106

Chapter 7: Syntaxes ... 109
7.1 The Regex Syntax ... 110

Glossary ... 111


Chapter 1: Choosing the integration architecture
Topics:
• The integration architectures
• Summary table: Integration architectures and features
• Decision tree

The integration architectures
One of the advantages of the Olfeo solution is its great flexibility for integration within your network. To make the choice easier, this chapter first describes the different integration types and their operating modes.

Proxy integration
The proxy integration mode integrates Olfeo into your architecture by using its embedded proxy. A proxy is an intermediary through which local computers reach another network segment or the internet: it acts as a surrogate for them in their network exchanges. When local computers need to access network resources (web pages, files, videos, ...), their requests are sent to the Olfeo proxy, which retrieves the requested resources on their behalf and returns the contents to them. If you want to use the proxy integration mode, you must select one of the following two operating modes:
• Explicit proxy
• Transparent proxy
Note: To learn more about the Olfeo features available in proxy integration mode, please refer to the chapter Summary table: Integration architectures and features on page 15.

Explicit proxy integration
The Olfeo solution embedded proxy is said to be in explicit proxy integration mode when the software on the end-user machines is aware of the existence of a proxy. It must be configured to point to the explicit proxy address in order to communicate with it.

Transparent proxy integration
The Olfeo solution embedded proxy is said to be in transparent proxy integration mode when it intercepts network frames and the end-user computers are not aware that they are communicating with a proxy. No specific configuration is required on the end-user computers, which behave as if there were no proxy. Third-party equipment may be required to redirect the traffic to the Olfeo proxy acting as a transparent proxy.
Note: The main advantage of a transparent proxy is that it does not require any configuration on the end-user computers.
A transparent proxy integration mode can be implemented using one of the following two methods:


Table 1: Transparent proxy integration scenarios
Transparent proxy by traffic rerouting: Rerouting the traffic on third-party equipment (typically a firewall) is required to implement the transparent proxy. The administrator of the third-party equipment creates the necessary rerouting rules to send the traffic to the Olfeo proxy. This integration mode is available with the Olfeo Box, the Olfeo Virtual Appliance and the Olfeo Solution software installation.
Transparent proxy by bridging: This integration is implemented using a network bridge on the Olfeo proxy. This integration mode requires an Olfeo Box, because it needs a network bridge and the corresponding hardware bypass.

Coupling-based integration
Your Olfeo solution can be integrated with the existing third-party equipment (firewall, router, UTM, ...) of your network using the coupling-based integration mode.
In order to communicate with these third-party devices, the Olfeo solution uses connectors. These connectors are interfaces that exchange with the third-party devices using their respective protocols (OPSEC, ICAP, WISP, ...). One of the advantages of this mode is the ability to adapt to an already existing architecture in order to:
• Add the features provided by the Olfeo solution.
• Move some of the load handled by the third-party equipment to the Olfeo solution.

Capture integration
The Olfeo solution can also listen to the network exchanges. The capture integration allows for traffic analysis: based on the traffic and on the rules and policies defined by the administrator, the Olfeo solution then intervenes in the network exchanges. The main advantage of the capture integration mode is that it makes integration possible when there is no connector for your third-party equipment, or when you do not want to consider the transparent or explicit proxy integration modes.
Note: The capture integration is the only integration that supports protocol filtering.
Note: The capture integration mode can be implemented using one of the following architectures:
• Capture integration by bridging.
• Capture integration by traffic duplication.

Capture integration by bridging
Capture integration by bridging lets the Olfeo solution insert itself between two parts of the network. It lets you listen to the traffic as it passes through the Olfeo solution. This integration is implemented using a network bridge built on two physical network interfaces.
Note: This integration is only possible with an Olfeo Box.

Capture integration by traffic duplication
Capture integration by traffic duplication lets the Olfeo solution insert itself by listening to a copy of the original traffic. It requires a manageable network switch on which a port mirroring session is configured. The port mirroring session copies the traffic entering and leaving a given port to a destination port to which the Olfeo solution is connected. Even though the Olfeo solution analyzes a copy of the traffic, it can still perform blocking operations on the original traffic (see the summary table below: in capture mode HTTPS can be filtered, but no blocking page can be served).
Warning: Capture integration by traffic duplication is not possible with a virtual appliance under Hyper-V: Microsoft Hyper-V does not support virtual network interfaces operating in promiscuous mode, which this mode requires, so it is not available on the Olfeo Microsoft Hyper-V Virtual Appliance.

Summary table: Integration architectures and features
Not all Olfeo solution features are available in all the supported integration modes. The following table details the product features available in each integration mode. The two capture architectures (bridge capture and traffic duplication capture) share one column.

Feature / Integration | Proxy: Explicit proxy | Proxy: Transparent proxy | Coupling | Capture (bridge, traffic duplication)
URL filtering | HTTP, HTTPS (1), FTP over HTTP | HTTP | HTTP, HTTPS (depending on equipment) | HTTP, HTTPS (but no blocking page)
Antivirus | HTTP, FTP over HTTP, FTP, SOCKS, RTSP, TCP | HTTP, RTSP | ICAP protocol only | No
Cache/QoS | HTTP, FTP over HTTP | HTTP, FTP over HTTP | No | No
Protocol filtering | No | No | No | Yes
Public portal | Yes | Yes | Yes | Yes

Note: More product features become available by combining several integration modes, which works around the absence or limitation of a feature in a particular mode. While the proxy integration mode is usually the ideal integration, it can easily be complemented by another integration mode.

(1) HTTPS does not allow any interaction with the end user: for example, sending a blocking page or a web-form based user authentication is not possible over HTTPS.


Decision tree Below is a decision tree for helping you make the best choice for your integration architecture.

Figure 1: Decision tree for choosing an integration architecture


Chapter 2: Choosing your authentication/identification architecture
Topics:
• Authentication and identification architectures
• Summary table: Architectures for integration and authentication/identification

Authentication and identification architectures
The Olfeo solution supports different architectures that let it either authenticate users or retrieve their identities from different sources. Retrieving the user identity is essential for collecting per-user statistics, for filtering policies based on user properties (id, group, business unit) and for storing the per-user browsing history. All the authentication modes and their operation are explained in detail in this chapter.

Transparent authentication (NTLM or Kerberos)
Transparent authentication by NTLM or Kerberos is achieved by integrating the Olfeo solution into a Windows domain. In contrast to other types of authentication, it is carried out without the user noticing, because the Olfeo solution checks whether the end user already holds a valid session on the Windows domain. If a domain user has previously opened a Windows session on his machine, Olfeo validates the authentication automatically. Using transparent authentication may make sense if you want to:
• Use the centralized security database of your Windows domain.
• Simplify user administration by using a single database of common accounts.
• Have an easy-to-use solution that cuts down on the number of authentication prompts.
Warning: The Olfeo solution can manage several directories, but it can be joined to only one Windows domain at a time. Several domains can nevertheless be used by establishing inter-domain trust relationships.
Note: Because of the way Microsoft implements Kerberos, the Kerberos authentication mode does not work in Olfeo clusters. If you require high availability with Kerberos authentication, we recommend configuring the browsers with a proxy.pac that lists your different proxies, so that the browser fails over from one proxy to the next.
Here are the steps that the Olfeo solution goes through during the authentication phase:


Figure 2: NTLM or Kerberos based transparent authentication

Step 0 (previous step): When the user opens his Windows session, he authenticates on the Active Directory server of the Windows domain.
Step 1: The user tries to access the internet.
Step 2: The Olfeo solution responds with a request for authentication.
Step 3: The user's machine sends the proof of its Windows authentication to the Olfeo solution (NTLM or Kerberos). If the user has an open session on the domain, this happens automatically. If the user has no open session on the domain, the browser displays a popup form requesting a domain login and password from the end user.
Step 4: The Olfeo solution validates the credentials with the Active Directory server.
Step 5: Active Directory validates the credentials.
Step 6: The user can now access the internet.
Warning: Prerequisite: the Olfeo solution must be joined to the domain.
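As an added example (not code from Olfeo or from this guide), here is a proxy.pac implementing the fail-over that the note above recommends for Kerberos authentication in a high-availability setup. The proxy host names, the port 3128 and the internal DNS suffix are assumptions; replace them with your own values.

```javascript
// Proxy auto-configuration (PAC) script with proxy fail-over.
// Added example, not shipped with Olfeo: the host names, the port and the
// internal DNS suffix below are assumptions for illustration only.
//
// The browser calls FindProxyForURL(url, host) for every request and walks
// the returned ";"-separated list from left to right, moving on to the next
// entry when a proxy does not answer. PAC runtimes provide helpers such as
// isPlainHostName(); a small equivalent is written out here so that the file
// also runs stand-alone under Node for testing.

var OLFEO_PROXIES = [
  "PROXY olfeo1.example.internal:3128", // assumed first Olfeo proxy
  "PROXY olfeo2.example.internal:3128"  // assumed second Olfeo proxy
];

var INTERNAL_SUFFIX = ".example.internal"; // assumed internal DNS suffix

// String.prototype.endsWith is missing from older PAC engines, hence this.
function endsWith(str, suffix) {
  return str.length >= suffix.length &&
    str.substring(str.length - suffix.length) === suffix;
}

// Unqualified names, loopback and the internal domain are reached directly.
function isInternalHost(host) {
  var h = host.toLowerCase();
  return h.indexOf(".") === -1 || h === "localhost" || h === "127.0.0.1" ||
    endsWith(h, INTERNAL_SUFFIX);
}

function FindProxyForURL(url, host) {
  if (isInternalHost(host)) {
    return "DIRECT";
  }
  // Deliberately no trailing "; DIRECT": if every Olfeo proxy is down,
  // browsing fails closed instead of silently bypassing URL filtering and
  // authentication. Append "; DIRECT" only if an unfiltered fallback is an
  // accepted risk.
  return OLFEO_PROXIES.join("; ");
}
```

Browsers try the entries of the returned list in order and switch to the next proxy when the current one does not answer, so both proxies stay usable without a cluster; each proxy is contacted under its own host name. The file can be distributed through a GPO or served from a web server.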

Authentication through LDAP directory
The Olfeo solution can authenticate users by interfacing with an LDAP directory. Using authentication through an LDAP directory may make sense in the following cases:
• You already manage your users through an LDAP directory.
• You have an Active Directory server but wish to manage the users of the Olfeo solution separately.
Here are the steps that the Olfeo solution goes through during the authentication phase:


Figure 3: Authentication through LDAP directory.

Step 1: The user tries to access the internet.
Step 2: The Olfeo solution responds with a request for authentication.
Step 3: The user sends his login and password to the Olfeo solution.
Step 4: The Olfeo solution validates the login and password with the LDAP directory.
Step 5: The LDAP server validates the authentication.
Step 6: The user can now access the internet.

Captive portal based authentication
The Olfeo solution allows you to configure, enable and customize a captive portal. The captive portal enforces user authentication through a web form generated by the Olfeo solution. The user authenticates by entering his login and password, which are then validated against one or more directory servers.
Note: In the Olfeo solution, the captive portals are configurable and customizable by the administrator.
Using captive portal based authentication may make sense if you have:
• A client application that can display a web page (typically a web browser).
• A client application that can display a web page but does not control the authentication mechanism.
• An authentication web page that you want to customize for your company.
To use captive portal based authentication, you must first choose between two authentication modes:
• Captive portal with LDAP authentication.
• Captive portal with NTLM authentication.


Authentication by LDAP captive portal
Authentication by LDAP captive portal sends a web page to the user for authentication purposes. Here are the steps the Olfeo solution goes through during the authentication phase:

Figure 4: Identification by LDAP captive portal

Step 1: The user tries to access the internet.
Step 2: The Olfeo solution responds with an authentication web page.
Step 3: The user enters his login and password in the web page form, which is then sent to the Olfeo solution.
Step 4: The Olfeo solution validates the login and password with the LDAP directory.
Step 5: The LDAP server validates the authentication.
Step 6: The user can now access the internet.

Authentication by NTLM captive portal
Authentication by NTLM captive portal sends an authentication web page to the user exactly like the LDAP captive portal. However, the captive portal page is only displayed when the transparent NTLM authentication fails.
Note: In order for the NTLM captive portal to work, you must have joined the Olfeo solution to the Windows domain beforehand.
Here are all the steps that the Olfeo solution goes through during the authentication phase. Since the Olfeo solution can manage several directories, we distinguish two cases:
• The case of a user with an account on the domain.
• The case of a user with an account on a directory server different from the domain's one.
Warning: If the end-user machine does not know how to handle NTLM transparent authentication, it never presents the NTLM authentication popup. The Olfeo solution reacts to this condition by sending the captive portal authentication web page, which then lets the user authenticate against the domain's Active Directory server or any other directory server.

Figure 5: User with an account on the domain

Step 0 (previous step): When the user opens his Windows session, he authenticates on the Active Directory server of the Windows domain.
Step 1: The user tries to access the internet.
Step 2: The Olfeo solution responds with a request for authentication.
Step 3: If the user opened a session on the domain (step 0), the user's machine sends the Windows credentials to the Olfeo solution.
Step 4: The Olfeo solution validates the credentials with the Active Directory server.
Step 5: Active Directory validates the credentials.
Step 6: The user can now access the internet.


Figure 6: User has an account on a directory server different from the domain's one.

Step 1: The user tries to access the internet.
Step 2: The Olfeo solution responds with a request for authentication.
Step 3: If the user does not have a valid account on the domain, an authentication popup is displayed asking the user for domain account credentials. The user may cancel the domain authentication (or fail to authenticate against the domain).
Step 4: The Olfeo solution responds with a captive portal authentication web page.
Step 5: The user enters his login and password in the web page form. The credentials are then sent to the Olfeo solution.
Step 6: The LDAP server validates the authentication.
Step 7: The user can now access the internet.

Authentication through public portal
From Olfeo solution v5.75 on, authentication can be performed through a captive portal tailored to places where desktops are available to the public. Like the captive portal, this portal presents an authentication page to the user. However, unlike the other types of authentication, Olfeo manages the public portal user accounts internally: an operator creates them through a dedicated user interface. Using this dedicated administration console, the operator creates tickets that are handed to users. A ticket is a right to use the internet; it contains a login/password pair together with specific properties (time quota, volume quota, authorized timeslots, length of validity, etc.) and is given to the user. The number of public portals and of associated ticket types is unlimited and left to the discretion of the Olfeo administrator. The following describes the steps taking place during the authentication phase with the Olfeo public portal. Using authentication by public portal may make sense if you:
• Want to delegate the creation and management of access to an operator.
• Want an account management system that is internal to the Olfeo solution.
• Want to set specific properties / limitations on user accounts (time quota, volume quota, authorized timeslots, validity, etc.).

Figure 7: Authentication via public portal.

Step  Description
0     The operator creates a ticket on the operator portal and sends the generated login/password to the user.
1     The user attempts to access the internet.
2     The Olfeo solution responds with an authentication web page.
3     The user enters the login/password pair received from the operator and sends it to the Olfeo solution.
4     The Olfeo solution validates the login/password pair as well as the ticket properties against its internal base.
5     The user can now access the internet.

Transparent identification

Transparent identification is implemented using an Olfeo agent on end-user desktops. When the end user opens an interactive Windows session, the Olfeo agent sends the user identity information and the IP address of the end user desktop to the Olfeo solution. Using transparent identification may make sense if you:
• Do not need your users to be authenticated.
• Can easily deploy the Olfeo agent on the client machines by GPO or any other mechanism.
• Have only one Windows session per end-user machine.
The following steps happen during the retrieval of the user identity.



Figure 8: Transparent identification

Step               Description
0a (Previous step) When the Windows session opens, the user authenticates against the domain's Active Directory server.
0b (Previous step) The Olfeo agent sends the user's identity to the Olfeo solution together with the name of the machine on which the interactive Windows session was opened.
1                  The user attempts to access the internet.
2                  The solution matches the IP address of the user with his identity and allows the user to access the internet.

Warning: The Olfeo solution must be integrated beforehand with the domain and the Olfeo agent must be installed on the end users machines.

Coupling based identification

The Olfeo solution can capture user identities by interfacing with a third-party machine. Depending on the latter, it may send the user's identity to the Olfeo solution using its own proprietary protocol. For example, a Squid proxy can send the user identity to the Olfeo solution through the ICAP protocol, and Check Point's Firewall-1 can send it via the OPSEC protocol. Using coupling based identification may make sense if you:
• Already have a third-party machine doing user authentication.
• Do not wish to modify your network architecture by replacing the third-party machine, and therefore require a coupling based integration.
The following steps happen during the retrieval of the user identity.



Figure 9: Coupling based identification

Step  Description
1     The user attempts to access the internet.
2     The third-party machine contacts Olfeo and sends it the user's identity.
3     The Olfeo machine responds to the third-party machine.
4     The user can now access the internet.

Note: Prerequisites: The Olfeo solution is integrated with the third party machine by coupling.

Bridging based identification

The Olfeo solution can capture the identity of users when it is positioned as a network bridge. If placed in front of a third-party proxy, the Olfeo solution observes the NTLM authentication exchanges between the third-party proxy and the end user machine, and captures the user identity when it is sent to the third-party proxy. Using bridging based identification may make sense if you:
• Already have a third-party proxy doing user authentication.
• Do not wish to modify your network architecture by replacing the third-party proxy, and require transparent capture of user identities.
Warning: Bridging based identification works only if NTLM over HTTP is the authentication mechanism used on the third-party machine.
The following steps happen during the retrieval of the user identity.



Figure 10: Bridging based identification

Step  Description
1     The user attempts to access the internet.
2     The third-party machine responds with an NTLM or LDAP request for authentication.
3     The user sends his login and password to the third-party machine. The login information is captured by the Olfeo solution.
4     The third-party machine verifies the login and password against the Active Directory or LDAP directory.
5     The LDAP or Active Directory server validates the authentication.
6     The user can now access the internet.

Note: In the case of NTLM authentication, the Olfeo solution does not need to be integrated with the Windows domain. However, it must be linked to the directory so that the list of user accounts can be synchronized.

Traffic duplication based identification

In a traffic duplication integration, the Olfeo solution can capture the user's identity while a third-party machine authenticates him. Using traffic duplication based identification may make sense if you:
• Already have a third-party proxy doing user authentication.
• Do not wish to modify your network architecture by replacing the third-party machine, and require capturing user identities transparently.
• Do not want to place the Olfeo solution as a bridge.
Warning: Traffic duplication based identification works only if NTLM over HTTP is the authentication mechanism used on the third-party machine.



The following steps happen during the retrieval of the user identity.

Figure 11: Traffic duplication based identification

Step  Description
1     The user attempts to access the internet.
2     The third-party machine responds with an NTLM or LDAP request for authentication.
3     The user sends his login and password to the third-party machine. The Olfeo solution receives a copy of the arriving traffic and thereby captures the user identity.
4     The third-party machine validates the login and password against the Active Directory or LDAP directory.
5     The LDAP or Active Directory server validates the authentication.
6     The user can now access the internet.
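The identity capture that the bridging and traffic duplication modes above perform on an observed NTLM over HTTP exchange, as an added Python example that is not Olfeo code: the client's Type 3 (AUTHENTICATE) message carries the domain, user and workstation names in clear, while Type 1/2 messages and non-NTLM schemes such as Basic yield no identity. The sample Proxy-Authorization headers are constructed in the block with dummy challenge responses, and the OEM code page fallback (cp437) is an assumption.

```python
"""Extract the user identity from an NTLM over HTTP exchange as observed on
the wire (bridge / traffic duplication identification does this on the
Proxy-Authorization headers the client sends to the third-party proxy).
Added example, not Olfeo code; the sample messages below are constructed."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # names are UTF-16LE when this flag is set
NEGOTIATE_NTLM = 0x00000200
OEM_CODEPAGE = "cp437"           # assumption: OEM fallback when UNICODE is unset


def _security_buffer(msg: bytes, at: int) -> bytes:
    """Read a (Len, MaxLen, Offset) descriptor at 'at' and return the bytes
    it points at, refusing descriptors that point outside the message."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, at)
    if offset + length > len(msg):
        raise ValueError("NTLM security buffer points outside the message")
    return msg[offset:offset + length]


def parse_ntlm_message(msg: bytes) -> dict:
    """Return {'type': n} for Type 1 (NEGOTIATE) and Type 2 (CHALLENGE), and
    the identity fields for Type 3 (AUTHENTICATE), the only message that
    carries them. The challenge responses are not decoded: identification
    only needs the names."""
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": msg_type}
    if msg_type != 3:
        return info
    if len(msg) < 64:
        raise ValueError("truncated Type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else OEM_CODEPAGE
    # Descriptor offsets in a Type 3 header: LM response 12, NT response 20,
    # domain 28, user 36, workstation 44, session key 52, flags 60.
    info["domain"] = _security_buffer(msg, 28).decode(enc)
    info["user"] = _security_buffer(msg, 36).decode(enc)
    info["workstation"] = _security_buffer(msg, 44).decode(enc)
    info["nt_response_len"] = len(_security_buffer(msg, 20))
    return info


def identity_from_header(line: str):
    """Take one 'Proxy-Authorization: NTLM <base64>' (or 'Authorization')
    header line and return the Type 3 identity, or None when the line is not
    an NTLM Type 3 message (Basic scheme, Type 1/2, malformed token)."""
    name, sep, value = line.partition(":")
    if not sep or name.strip().lower() not in ("proxy-authorization", "authorization"):
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        info = parse_ntlm_message(base64.b64decode(token, validate=True))
    except ValueError:       # binascii.Error is a ValueError subclass
        return None
    return info if info["type"] == 3 else None


def build_type1() -> bytes:
    """Constructed minimal NEGOTIATE message (no domain/workstation)."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, NEGOTIATE_UNICODE | NEGOTIATE_NTLM) + bytes(16)


def build_type3(domain: str, user: str, workstation: str) -> bytes:
    """Constructed AUTHENTICATE message with UTF-16LE names and dummy
    all-zero 24-byte challenge responses (sample data for this example)."""
    blobs = [bytes(24), bytes(24)]                       # LM, NT responses
    blobs += [s.encode("utf-16-le") for s in (domain, user, workstation)]
    blobs.append(b"")                                    # no session key
    header_len, payload, descriptors = 64, b"", b""
    for blob in blobs:
        descriptors += struct.pack("<HHI", len(blob), len(blob), header_len + len(payload))
        payload += blob
    flags = struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descriptors + flags + payload


def proxy_auth_header(msg: bytes) -> str:
    return "Proxy-Authorization: NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    # Constructed exchange: the client answers the third-party proxy's 407
    # with a Type 1, then a Type 3; only the latter yields an identity.
    for hdr in (proxy_auth_header(build_type1()),
                proxy_auth_header(build_type3("CORP", "jdoe", "WS01")),
                "Proxy-Authorization: Basic Zm9vOmJhcg=="):
        print(hdr[:40] + "...", "->", identity_from_header(hdr))
```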

Summary table: Architectures for integration and authentication/identification

Below is the list of available authentication or identification options, depending on the type of integration you choose. The Olfeo solution supports several authentication and identification mechanisms; some of them are not supported, or conflict, in specific integrations. Refer to the following table for an exhaustive list of the authentication or identification mechanisms available for each supported integration mode.



The columns of the table are the integration modes: Proxy (explicit proxy, transparent proxy), Coupling, and Listen (bridge capture, traffic duplication capture). Each row is an authentication or identification feature.

Integration/Feature: Transparent NTLM or Kerberos authentication (with Active Directory server)
• Proxy, explicit proxy: Yes (HTTP, HTTPS, FTP_over_HTTP)
• Proxy, transparent proxy: No
• Coupling: No (done by third party machine)
• Listen, bridge capture: N.A.
• Listen, traffic duplication capture: N.A.

Integration/Feature: Authentication through LDAP directory
• Proxy, explicit proxy: Yes (HTTP, HTTPS, FTP_over_HTTP, FTP, SOCKS)
• Proxy, transparent proxy: No
• Coupling: No (done by third party machine)
• Listen, bridge capture: N.A.
• Listen, traffic duplication capture: N.A.

Captive portal based authentication:

Integration/Feature: By captive portal (classic authentication)
• Proxy, explicit proxy: Yes (HTTP, FTP_over_HTTP)
• Proxy, transparent proxy: Yes (HTTP, FTP_over_HTTP)
• Coupling: Yes
• Listen, bridge capture: Yes
• Listen, traffic duplication capture: Yes

Integration/Feature: By captive portal (NTLM authentication)
• Proxy, explicit proxy: Yes (HTTP, FTP_over_HTTP)
• Proxy, transparent proxy: Yes (HTTP, FTP_over_HTTP)
• Coupling: Yes
• Listen, bridge capture: Yes
• Listen, traffic duplication capture: Yes

Integration/Feature: Authentication via public portal
• Proxy, explicit proxy: Yes (HTTP, FTP_over_HTTP)
• Proxy, transparent proxy: Yes (HTTP, FTP_over_HTTP)
• Coupling: Yes
• Listen, bridge capture: Yes
• Listen, traffic duplication capture: Yes

Integration/Feature: Transparent identification (identification by Olfeo agent)
• Proxy, explicit proxy: Yes (relation login = IP client)
• Proxy, transparent proxy: Yes (relation login = IP client)
• Coupling: Yes (relation login = IP client)
• Listen, bridge capture: Yes (relation login = IP client)
• Listen, traffic duplication capture: Yes (relation login = IP client)

Integration/Feature: Identification without Olfeo agent
• Proxy, explicit proxy: N.A.
• Proxy, transparent proxy: N.A.
• Coupling: Yes (OLFEO, ICAP, OPSEC)
• Listen, bridge capture: Yes (NTLM, Basic)
• Listen, traffic duplication capture: Yes (NTLM, Basic)


Chapter 3

Implementing your integration

Topics:
• Implementing a proxy integration
• Implementing an integration by coupling
• Implementing a capture integration


Implementing a proxy integration

Implementing an explicit proxy integration

Implementing an explicit HTTP proxy integration

1. Go to the HTTP proxy configuration page by following [Proxy Cache QoS] > [HTTP].

Section: Listening ports

2. In the Listening ports section, add a listening port using the add button.
   a) Enter the IP address and the interface port on which the proxy will listen. The syntax used to specify the TCP listening port lets you restrict listening to a specific IP address. Use the following syntax: ipAddress:tcpPort
   Note: If you want to listen on all of the local machine's IP addresses, enter the IP address as 0.0.0.0. Example of how to specify the IP address and listening port: 0.0.0.0:3129
   b) To set up an explicit proxy, verify that the Transparent proxy checkbox at the end of your proxy listening port is not checked.
   c) If you do not want the proxy to pass the end users' private IP addresses to the destination server, check [Anonymize access].
   Note: This option prevents the generation of "X-Forwarded-For" HTTP headers, which generally include the IP address of the end user machine on whose behalf the proxy acts. For security reasons it is generally preferable not to disclose information about your local network, so turning on this option is recommended.

Section: Type of queries allowed by the destination port

3. Add a request type using the add icon.



   The "Allowed query types by destination port" section lets you define the destination ports and the protocols allowed on each of these destination ports.
   a) Enter a destination port in the field under the Port column.
   Note: Enter a range of ports as the start and end ports separated by "-". Example: 1025-65535.
   Note: To enter multiple ports in one entry, separate them with a space. Example: 70 210 280.
   b) Select the protocols you want to authorize on the destination ports by enabling the corresponding checkboxes in the columns headed Browsing, FTP over HTTP, WebDAV or Raw/SSL. There are four possible protocols:
      • Browsing: authorizes standard HTTP browsing.
      • FTP over HTTP: authorizes use of the FTP protocol encapsulated in HTTP (FTP over HTTP) and thus allows file downloads. This protocol can only be used if the client application supports it; internet browsers typically do when you specify an HTTP proxy for the FTP protocol.
      • WebDAV: authorizes the HTTP-based collaboration protocol for managing files shared and stored on a web server.
      • Raw/SSL: allows SSL-type traffic.
   c) To allow use of extended passive mode in the FTP over HTTP protocol, enable the [FTP over HTTP makes use of extended passive mode] checkbox. In this mode the Olfeo proxy can use the EPSV command and thus make FTP requests that are IPv6 compatible. Refer to RFC 2428, FTP Extensions for IPv6 and NATs, for more information.
   Warning: Use of the EPSV command and of IPv6 may make this option incompatible with older firewalls.

Section: Proxy chaining

4. If the Olfeo solution's proxy needs to be chained to a parent proxy, select the [Use parent proxy] checkbox in the Proxy Chaining section. Then provide the following information:
   a) The IPv4 address of the parent proxy in the [Host] field.
   b) The TCP port of the parent proxy in the [Port] field.
   c) The user name for authentication with the parent proxy in the [Login] field.
   d) The user's password for authentication with the parent proxy in the [Password] field.

Section: URL filtering

5. To filter URLs, enable the [Filter URL] checkbox in the URL Filtering section. Fill in the following fields as required:
   a) [Disable Olfeo caching]. For performance reasons, the Olfeo solution stores the authorizations obtained by your users' various browsing sessions. This optimization avoids repeating the authorization check for a website (internet domain) that was previously authorized. Enabling this checkbox forces an authorization check even for sites previously visited.



   b) [Redirector number]. This field controls the number of Olfeo internal processes responsible for managing the HTTP browsing authorizations. The default value of 70 should suffice for most Olfeo solution installations. Changing this value is generally not recommended unless explicitly requested by Olfeo Technical Support.
   c) [Bypass if the filtering service is unavailable]. This checkbox controls the Olfeo HTTP proxy's behavior when the URL filtering service is not reachable. Browsing will be blocked by default if you enable the checkbox.
   d) [Delay before next connection attempt upon error]. This field controls the timeout that may be inserted at the Olfeo HTTP proxy level when there is an error connecting to a website. The default 30-second delay is suitable for most cases.
6. Click [OK] to save the changes.

Implementing an FTP proxy integration

Note that the Olfeo FTP proxy only supports the passive mode of this protocol, due to the insecure nature of the active mode.

1. Go to the FTP proxy configuration page via [Proxy Cache QoS] > [FTP].

Section: Proxy list

2. In the [Proxy list] section, add a listening port using the add button.

   a) In the newly created proxy, enter a name in the Label field.
   b) Enter a TCP listening port for the newly created FTP proxy.
3. In the Active column, verify that the FTP proxy you added is indeed enabled. An active proxy is identified by the active icon.

4. Click [OK] to save the changes.
5. Go to the options page of your newly created FTP proxy by clicking the link in the [Options] column.
6. If necessary, enter a maximum authorized number of outgoing connections for the proxy in the [Connections limit] field. The default value 0 means unlimited connections.
7. If the Olfeo proxy must be chained to a parent proxy, tick the [Enabled] checkbox in the Parent proxy section. Next, fill in the following fields:
   a) The IPv4 address of the parent proxy in the [Host] field.
   b) The TCP port of the parent proxy in the [Port] field.
   c) The authentication type in the [Authentication] dropdown menu:
      • Same as the client: the usernames and passwords given to the Olfeo FTP proxy are passed on to the parent proxy.
      • None: the parent proxy does not require any authentication.
      • [Defined below]: lets you enter a specific username and password for authenticating the Olfeo FTP proxy against its parent proxy. If you choose this configuration, enter the login and the password to be used for authentication with the parent proxy in the [Login] field.
   d) The manner in which the FTP protocol initiates its connection phase with the proxy and the remote site:





      • SITE initiates the connection sequence as follows:
        USER "proxy user"
        PASSWORD "proxy user password"
        SITE "ftp remote site"
        USER "ftp remote user"
        PASSWORD "remote ftp user password"
      • USER@HOST initiates the connection sequence as follows:
        USER "proxy user"
        PASSWORD "proxy user password"
        USER "ftp remote user"@"ftp remote site"
        PASSWORD "remote ftp user password"
      • OPEN initiates the connection sequence as follows:
        USER "proxy user"
        PASSWORD "proxy user password"
        OPEN "ftp remote site"
        USER "ftp remote user"
        PASSWORD "remote ftp user password"
      • Same as client adapts itself to the sequence used by the client program.

8. Click [OK] to save the changes.

Implementing an RTSP proxy integration

1. Go to the RTSP proxy configuration page via [Proxy Cache QoS] > [RTSP].

Section: Proxy list

2. In the [Proxy list] section, add an RTSP proxy using the add button.
   a) In the newly created RTSP proxy, enter a name in the field under the Label column.
   b) Enter a TCP listening port for the newly created RTSP proxy.
3. In the Active column, check that the RTSP proxy you just added is indeed enabled. An active proxy is identified by the active icon.

4. Click [OK] to save the changes.

Implementing a TCP proxy integration

1. Go to the TCP proxy configuration page via [Proxy Cache QoS] > [TCP].

Section: Proxy list

2. In the [Proxy list] section, add a TCP proxy using the add button.
   a) Enter a name for the newly created TCP proxy in the [Label] field.
   b) Enter a TCP listening port for the newly created TCP proxy.



3. In the Active column, verify that the TCP proxy you added is indeed enabled. An active proxy is identified by the active icon.
4. Click [OK] to save the changes.
5. Go to the options page of your newly created TCP proxy by clicking the link in the [Options] column.
6. Add the IP address and the destination port to which the traffic will be sent.
   Note: Use this format: ip:port.
7. Click [OK] to save the changes.

Implementing a SOCKS proxy integration

1. Go to the SOCKS proxy configuration page via the [Proxy Cache QoS] > [SOCKS] menu.

Section: Proxy list

2. In the [Proxy list] section, add a SOCKS proxy using the add button.
   a) Enter a name for the newly created SOCKS proxy in the [Label] field.
   b) Enter a TCP listening port for the newly created SOCKS proxy.
3. In the Active column, verify that the SOCKS proxy you added is indeed enabled. An active proxy is identified by the active icon.
4. Click [OK] to save the changes.

Implementing a transparent proxy integration

Transparent proxy by traffic rerouting

Transparent proxy integration by traffic rerouting works by inserting the Olfeo proxy into the network traffic. This insertion is achieved by rerouting traffic to the Olfeo proxy from a third-party machine, generally a firewall. The main advantage of this approach is that it is available for the Olfeo Box, the Olfeo virtual appliance and the Olfeo software solution.



Figure 12: Transparent proxy integration by rerouting traffic

Note: The administrator decides which traffic should go through the Olfeo proxy transparently. The traffic rerouting rule can, for example, cover only the traffic received on port 80 (HTTP) of the third-party machine and exclude the traffic received on port 21 (FTP). In any case, a transparent proxy integration cannot handle HTTPS traffic.

Implementing traffic rerouting

There is no particular recommendation on how to perform traffic rerouting, as it depends on your equipment. Log in to your third-party machine and add the rerouting rules that redirect HTTP traffic to the Olfeo proxy destination IP address and port you set up during the configuration procedure (Creation of a transparent HTTP proxy integration on page 37). Generally, traffic rerouting is implemented using port rerouting (port forwarding or port mapping).

Creation of a transparent HTTP proxy integration

1. Go to the HTTP proxy configuration page by following [Proxy Cache QoS] > [HTTP].

Section: Listening ports

2. In the Listening ports section, add a listening port using the add button.
   a) Enter the IP address and the interface port on which the proxy will listen. The syntax used to specify the TCP listening port lets you restrict listening to a specific IP address. Use the following syntax: ipAddress:tcpPort
   Note: If you want to listen on all of the local machine's IP addresses, enter the IP address as 0.0.0.0. Example of how to specify the IP address and listening port: 0.0.0.0:3129
   b) To install a transparent proxy, enable the Transparent checkbox at the end of your newly created proxy TCP port.
   c) If you do not want the proxy to pass the end users' private IP addresses to the destination server, check [Anonymize access].
   Note: This option prevents the generation of "X-Forwarded-For" HTTP headers, which generally include the IP address of the end user machine on whose behalf the proxy acts. For security reasons it is generally preferable not to disclose information about your local network, so turning on this option is recommended.

Section: Allowed query types by destination port

3. Add a request type using the add icon.
   The "Allowed query types by destination port" section lets you define the destination ports and the protocols allowed on each of these destination ports.
   a) Enter a destination port in the field under the Port column.
   Note: Enter a range of ports as the start and end ports separated by "-". Example: 1025-65535.
   Note: To enter multiple ports in one entry, separate them with a space. Example: 70 210 280.
   b) Select the protocols you want to authorize on the destination ports by enabling the corresponding checkboxes in the columns headed Browsing, FTP over HTTP, WebDAV or Raw/SSL. There are four possible protocols:
      • Browsing: authorizes standard HTTP browsing.
      • FTP over HTTP: authorizes use of the FTP protocol encapsulated in HTTP (FTP over HTTP) and thus allows file downloads. This protocol can only be used if the client application supports it; internet browsers typically do when you specify an HTTP proxy for the FTP protocol.
      • WebDAV: authorizes the HTTP-based collaboration protocol for managing files shared and stored on a web server.
      • Raw/SSL: allows SSL-type traffic.



   c) To allow use of extended passive mode in the FTP over HTTP protocol, enable the [FTP over HTTP makes use of extended passive mode] checkbox. In this mode the Olfeo proxy can use the EPSV command and thus make FTP requests that are IPv6 compatible. Refer to RFC 2428, FTP Extensions for IPv6 and NATs, for more information.
   Warning: Use of the EPSV command and of IPv6 may make this option incompatible with older firewalls.

Section: Proxy chaining

4. If the Olfeo solution's proxy needs to be chained to a parent proxy, select the [Use parent proxy] checkbox in the Proxy Chaining section. Then provide the following information:
   a) The IPv4 address of the parent proxy in the [Host] field.
   b) The TCP port of the parent proxy in the [Port] field.
   c) The user name for authentication with the parent proxy in the [Login] field.
   d) The user's password for authentication with the parent proxy in the [Password] field.

Section: URL filtering

5. To filter URLs, enable the [Filter URL] checkbox in the URL Filtering section. Fill in the following fields as required:
   a) [Disable Olfeo caching]. For performance reasons, the Olfeo solution stores the authorizations obtained by your users' various browsing sessions. This optimization avoids repeating the authorization check for a website (internet domain) that was previously authorized. Enabling this checkbox forces an authorization check even for sites previously visited.
   b) [Redirector number]. This field controls the number of Olfeo internal processes responsible for managing the HTTP browsing authorizations. The default value of 70 should suffice for most Olfeo solution installations. Changing this value is generally not recommended unless explicitly requested by Olfeo Technical Support.
   c) [Bypass if the filtering service is unavailable]. This checkbox controls the Olfeo HTTP proxy's behavior when the URL filtering service is not reachable. Browsing will be blocked by default if you enable the checkbox.
   d) [Delay before next connection attempt upon error]. This field controls the timeout that may be inserted at the Olfeo HTTP proxy level when there is an error connecting to a website. The default 30-second delay is suitable for most cases.
6. Click [OK] to save the changes.

Bridging based transparent proxy

Bridging based transparent proxy integration is possible using an Olfeo Box as a bridge on your network. The traffic going through the Olfeo Box network bridge is then proxied.

Warning: This integration is only possible with an Olfeo Box.



Figure 13: Bridging based transparent proxy integration

The transparent proxy integration is carried out in two steps:
• 1) Configure the transparent proxy.
• 2) Configure the Olfeo Box network bridge.

Creation of a transparent HTTP proxy integration

1. Go to the HTTP proxy configuration page by following [Proxy Cache QoS] > [HTTP].

Section: Listening ports

2. In the Listening ports section, add a listening port using the add button.
   a) Enter the IP address and the interface port on which the proxy will listen. The syntax used to specify the TCP listening port lets you restrict listening to a specific IP address. Use the following syntax: ipAddress:tcpPort
   Note: If you want to listen on all of the local machine's IP addresses, enter the IP address as 0.0.0.0. Example of how to specify the IP address and listening port: 0.0.0.0:3129



   b) To install a transparent proxy, enable the Transparent checkbox at the end of your newly created proxy TCP port.
   c) If you do not want the proxy to pass the end users' private IP addresses to the destination server, check [Anonymize access].
   Note: This option prevents the generation of "X-Forwarded-For" HTTP headers, which generally include the IP address of the end user machine on whose behalf the proxy acts. For security reasons it is generally preferable not to disclose information about your local network, so turning on this option is recommended.

Section: Allowed query types by destination port

3. Add a request type using the add icon.
   The "Allowed query types by destination port" section lets you define the destination ports and the protocols allowed on each of these destination ports.
   a) Enter a destination port in the field under the Port column.
   Note: Enter a range of ports as the start and end ports separated by "-". Example: 1025-65535.
   Note: To enter multiple ports in one entry, separate them with a space. Example: 70 210 280.
   b) Select the protocols you want to authorize on the destination ports by enabling the corresponding checkboxes in the columns headed Browsing, FTP over HTTP, WebDAV or Raw/SSL. There are four possible protocols:
      • Browsing: authorizes standard HTTP browsing.
      • FTP over HTTP: authorizes use of the FTP protocol encapsulated in HTTP (FTP over HTTP) and thus allows file downloads. This protocol can only be used if the client application supports it; internet browsers typically do when you specify an HTTP proxy for the FTP protocol.
      • WebDAV: authorizes the HTTP-based collaboration protocol for managing files shared and stored on a web server.
      • Raw/SSL: allows SSL-type traffic.
   c) To allow use of extended passive mode in the FTP over HTTP protocol, enable the [FTP over HTTP makes use of extended passive mode] checkbox. In this mode the Olfeo proxy can use the EPSV command and thus make FTP requests that are IPv6 compatible. Refer to RFC 2428, FTP Extensions for IPv6 and NATs, for more information.



   Warning: Use of the EPSV command and of IPv6 may make this option incompatible with older firewalls.

Section: Proxy chaining

4. If the Olfeo solution's proxy needs to be chained to a parent proxy, select the [Use parent proxy] checkbox in the Proxy Chaining section. Then provide the following information:
   a) The IPv4 address of the parent proxy in the [Host] field.
   b) The TCP port of the parent proxy in the [Port] field.
   c) The user name for authentication with the parent proxy in the [Login] field.
   d) The user's password for authentication with the parent proxy in the [Password] field.

Section: URL filtering

5. To filter URLs, enable the [Filter URL] checkbox in the URL Filtering section. Fill in the following fields as required:
   a) [Disable Olfeo caching]. For performance reasons, the Olfeo solution stores the authorizations obtained by your users' various browsing sessions. This optimization avoids repeating the authorization check for a website (internet domain) that was previously authorized. Enabling this checkbox forces an authorization check even for sites previously visited.
   b) [Redirector number]. This field controls the number of Olfeo internal processes responsible for managing the HTTP browsing authorizations. The default value of 70 should suffice for most Olfeo solution installations. Changing this value is generally not recommended unless explicitly requested by Olfeo Technical Support.
   c) [Bypass if the filtering service is unavailable]. This checkbox controls the Olfeo HTTP proxy's behavior when the URL filtering service is not reachable. Browsing will be blocked by default if you enable the checkbox.
   d) [Delay before next connection attempt upon error]. This field controls the timeout that may be inserted at the Olfeo HTTP proxy level when there is an error connecting to a website. The default 30-second delay is suitable for most cases.
6. Click [OK] to save the changes.

Creating a network bridge

1. Go to the configuration page via [Parameters] > [Network] > [Interfaces].
2. Click on the [br(x)] interface corresponding to the two physical interfaces used on your Olfeo Box. For example, see the two physical ports used by the bridge br0 on the front of the Olfeo Box.

Section: Information

3. Enable the [Enabled] checkbox.



Section: Configuration ipv4

4. To implement your transparent proxy integration, you must assign an IP address to your network bridge. Choose either the [Dhcp] configuration mode or the [Static] configuration mode in the Mode field.
   • [Dhcp]: the bridge IP address will be provided by your DHCP server.
   • [Static]: enter the IP address, the Netmask and the Gateway.

Section: Rerouting configuration

5. To reroute your incoming traffic to your transparent Olfeo proxy, select the TCP 3129 port in the [Port Rerouting] field, then list the ports to be redirected to the proxy. For example, to reroute ports 80 to 81, 8080 and 8000, use the following syntax: 80-81, 8080, 8000.
6. Click [OK] to save the changes.
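The port syntaxes used in the proxy procedures above (the ipAddress:tcpPort listening address, the destination port entries of the "Allowed query types by destination port" section, and the bridge port rerouting field), as an added Python example that is not Olfeo code: it validates each syntax, rejecting reversed or out-of-range entries, and models the destination port table as a deny-by-default check of a (port, protocol) request. The SAMPLE_ROWS table is constructed for illustration.

```python
"""Validate the port syntaxes entered on the Olfeo proxy pages above and
evaluate the 'Allowed query types by destination port' table as a
deny-by-default check. Added example, not Olfeo code; SAMPLE_ROWS is a
constructed table for illustration."""
import ipaddress
import re

# Protocol columns of the destination port table, as named on the page.
PROTOCOLS = frozenset({"Browsing", "FTP over HTTP", "WebDAV", "Raw/SSL"})
_TOKEN = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_listen_address(spec: str) -> tuple[str, int]:
    """'ipAddress:tcpPort' listening syntax. 0.0.0.0 means every local
    address; anything that is not a dotted IPv4 address is refused."""
    host, sep, port_text = spec.strip().rpartition(":")
    if not sep or not host or not port_text.isdigit():
        raise ValueError(f"expected ipAddress:tcpPort, got {spec!r}")
    ip = ipaddress.IPv4Address(host)          # raises on hostnames or junk
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"TCP port out of range: {port}")
    return str(ip), port


def parse_port_spec(spec: str) -> list[tuple[int, int]]:
    """Destination/rerouting port syntax: single ports, 'start-end' ranges,
    several entries separated by spaces ('70 210 280') or commas
    ('80-81, 8080, 8000'). Returns inclusive (start, end) pairs."""
    ranges = []
    for token in re.split(r"[\s,]+", spec.strip()):
        if not token:
            continue
        match = _TOKEN.match(token)
        if not match:
            raise ValueError(f"bad port entry {token!r}")
        start = int(match.group(1))
        end = int(match.group(2)) if match.group(2) else start
        if not 1 <= start <= end <= 65535:    # rejects reversed ranges too
            raise ValueError(f"bad port range {token!r}")
        ranges.append((start, end))
    if not ranges:
        raise ValueError("empty port specification")
    return ranges


def is_valid_port_spec(spec: str) -> bool:
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def compile_rules(rows):
    """rows: (port spec, set of ticked protocol columns) per table line."""
    rules = []
    for spec, protocols in rows:
        unknown = set(protocols) - PROTOCOLS
        if unknown:
            raise ValueError(f"unknown protocol column(s): {sorted(unknown)}")
        rules.append((parse_port_spec(spec), frozenset(protocols)))
    return rules


def is_allowed(rules, dest_port: int, protocol: str) -> bool:
    """True when some line covers dest_port with that protocol ticked.
    A port/protocol pair no line covers is refused, so a request such as
    Raw/SSL to a port only opened for Browsing does not pass."""
    return any(any(lo <= dest_port <= hi for lo, hi in ports) and protocol in protocols
               for ports, protocols in rules)


# Constructed sample table: web ports, TLS on 443 only, high ports for browsing.
SAMPLE_ROWS = [
    ("80 8080", {"Browsing", "FTP over HTTP"}),
    ("443", {"Raw/SSL"}),
    ("1025-65535", {"Browsing"}),
]

if __name__ == "__main__":
    print(parse_listen_address("0.0.0.0:3129"))
    rules = compile_rules(SAMPLE_ROWS)
    for port, proto in ((80, "Browsing"), (443, "Raw/SSL"), (443, "Browsing"),
                        (8443, "Raw/SSL"), (22, "Browsing")):
        verdict = "allow" if is_allowed(rules, port, proto) else "deny"
        print(f"{proto:>13} -> port {port}: {verdict}")
```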

Implementing an integration by coupling

Filtering URLs with Squid (Olfeo protocol) (Recommended)

The integration with a Squid proxy is done with the Olfeo protocol. This type of filtering is recommended because the traffic generated by the Olfeo protocol is significantly lower than the traffic generated by the ICAP protocol. Processing is therefore much more efficient, resulting in less load on the machines involved.

Note: The Olfeo protocol is compatible with Squid proxy versions 2 and 3.

Here is an example of a simple integration of the Olfeo solution with a Squid proxy. Using one of its interfaces, the Squid proxy contacts the Olfeo solution to filter the traffic originating from the end user.

Figure 14: Integration architecture for using a Squid proxy with the Olfeo protocol.


3 Implementing your integration

Configuring the Olfeo solution for integration with the Olfeo protocol

1. Go to the configuration page via the [Parameters] > [Architecture] > [Integration] menu.
2. Click on the [Add connector] link in the Label column.
3. Select [I use my own equipment] in the [Integration Choice] menu.
4. Enter a name describing the integration mode in the [Label] field.
5. Click on the [Next] button.

Section: Parameters

6. Choose the Squid connection type in the [Type of connection] menu.

Section: Connector parameters

7. Choose Tcp Mode as the transport mode in the [Mode] menu.
8. Enter the number of the port that will be used to connect with Squid. Default value: 5555
9. Click on the [Finish] button to save the changes.

Copying the Olfeo squid_wrapper program

To communicate with the Olfeo solution, the Squid proxy calls an Olfeo-developed binary, which initiates communications with the Olfeo solution using the Olfeo protocol. This binary, named squid_wrapper, must therefore be copied to the server that will execute Squid.

1. Connect to your Squid server.
2. Copy the squid_wrapper executable to your server's /usr/bin/ directory. One of the simplest methods for copying squid_wrapper is scp (a command-line utility based on SSH).

Note: The squid_wrapper binary developed by Olfeo can be found on the Olfeo solution in the following directories:
   • /opt/olfeo5/chroot/opt/olfeo5/bin/ if your Olfeo solution is a virtual appliance.
   • /opt/olfeo5/bin/ if your Olfeo solution is the Olfeo Box.

Sample command line to be executed on the Squid server:

scp login@OlfeoIpAddress:/squidWrapperPath /usr/bin/

Command line to execute on the Squid server to copy squid_wrapper from an Olfeo virtual appliance:

scp login@OlfeoIpAddress:/opt/olfeo5/chroot/opt/olfeo5/bin/squid_wrapper /usr/bin/

Command line to execute on the Squid server to copy squid_wrapper from an Olfeo Box:

scp login@OlfeoIpAddress:/opt/olfeo5/bin/squid_wrapper /usr/bin/

After the copy, check the binary before Squid is allowed to run it: it should be owned by root, executable and not writable by the Squid user or by group/others (mode 0755), and its checksum (for example with sha256sum, run on both machines) should match the copy on the Olfeo solution.


Configuring Squid to filter traffic with squid_wrapper

To communicate with the Olfeo solution, the Squid proxy calls the Olfeo-developed binary squid_wrapper. After squid_wrapper has been copied to the Squid server, Squid must be configured to call it.

1. Connect to your Squid server.
2. Edit the Squid configuration file. By default the file is found in:
   • /etc/squid3/squid.conf (Debian/Ubuntu squid3 package)
   • /etc/squid/squid.conf (other installations)
3. Enter the reference to the Olfeo squid_wrapper binary. Squid starts the helper under its own effective user (cache_effective_user), so that user needs execute permission on the binary and read access to the dictionary file copied in step 5 below.

url_rewrite_program /usr/bin/squid_wrapper --squid25 --host 10.5.1.178

Squid directives description:
   • url_rewrite_program /usr/bin/squid_wrapper --host 10.5.1.178
   • url_rewrite_program: calls a URL rewriting program (helper) for each request.
   • --host OlfeoIpAddress: squid_wrapper parameter specifying the Olfeo solution's IP address.

4. Create the directory /opt/olfeo5/data/ on your Squid server.

mkdir /opt/olfeo5/data/

5. Copy the dictionary file (named dictionnary) from the Olfeo solution's /opt/olfeo5/data/ directory to the /opt/olfeo5/data/ directory on the Squid server.

olfeo@olfeo: scp /opt/olfeo5/data/dictionnary root@squidServer:/opt/olfeo5/data/

Warning: Olfeo may change the content of this file in patches or minor updates. You will then have to repeat the copy of the dictionnary file after each update.

6. Enter the number of squid_wrapper processes to automatically start. url_rewrite_children 70

Warning: If the number of squid_wrapper processes is too low, Squid's handling of URL filtering requests may slow down, because Squid cannot make enough calls to the Olfeo solution in parallel. On the other hand, starting too many squid_wrapper processes consumes additional memory. The default value is 70.

7. Save the changes made in the Squid configuration file. Running squid -k parse first reports syntax errors without touching the running proxy.
8. Reload the Squid proxy configuration to apply the changes (squid -k reconfigure does the same as the init script).

/etc/init.d/squid reload
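As an added illustration (this is not squid_wrapper and does not speak the Olfeo protocol), the helper below implements the same Squid url_rewrite_program interface that squid_wrapper sits behind: Squid writes one request line per URL to the helper's stdin and waits for exactly one reply line. The request format assumed is Squid's default url_rewrite_extras of version 3.4 and later ("URL client_ip/fqdn user method key=value ..."), with the optional leading channel ID that Squid adds when url_rewrite_children is given a concurrency= option; the reply format is the 3.4+ OK/ERR/BH one. BLOCKED_HOSTS and BLOCK_PAGE are constructed stand-ins for the verdicts the real wrapper fetches from the Olfeo host.

```python
import sys
from urllib.parse import quote, urlsplit

# Constructed stand-ins: a hypothetical category list and block-page URL.
# Olfeo's real wrapper obtains its verdicts from the Olfeo host instead.
BLOCKED_HOSTS = {"ads.example.net", "malware.example.org"}
BLOCK_PAGE = "http://10.5.1.178/blocked"


def parse_fields(fields):
    """Interpret the fields Squid sends after the URL.

    With the default url_rewrite_extras ('%>a/%>A %un %>rm myip=%la myport=%lp',
    Squid 3.4+) they are: client_ip/fqdn, username, method, then key=value
    pairs. Squid 2.x/3.0 send 'ip/fqdn ident method' in the same order, so
    the same parser serves both.
    """
    url = fields[0]
    client = fields[1].split("/", 1)[0] if len(fields) > 1 else "-"
    user = fields[2] if len(fields) > 2 else "-"
    method = fields[3] if len(fields) > 3 else "-"
    extras = dict(kv.split("=", 1) for kv in fields[4:] if "=" in kv)
    return {"url": url, "client": client, "user": user,
            "method": method, "extras": extras}


def decide(req):
    """Build the reply (Squid 3.4+ helper reply format).

    ERR: leave the URL alone. OK status=302 url="...": have Squid redirect
    the client to the block page. BH: the helper itself failed.
    """
    host = urlsplit(req["url"]).hostname or ""
    if host in BLOCKED_HOSTS:
        return 'OK status=302 url="%s?url=%s"' % (
            BLOCK_PAGE, quote(req["url"], safe=""))
    return "ERR"


def handle_line(line):
    """One request line in, one reply line out.

    With url_rewrite_children ... concurrency=N Squid prefixes a channel ID
    that must be echoed back. Without concurrency each helper process serves
    one request at a time, which is why the number of children (70 in the
    configuration above) bounds how many filtering lookups run in parallel.
    """
    fields = line.split()
    channel = fields.pop(0) if fields and fields[0].isdigit() else None
    prefix = channel + " " if channel is not None else ""
    if not fields:
        return prefix + "BH"
    return prefix + decide(parse_fields(fields))


def main():
    # Squid writes requests on stdin; every line must get exactly one reply,
    # flushed immediately, otherwise Squid waits on that helper slot.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Pointing url_rewrite_program at this script (with the same url_rewrite_children line) is enough to watch the exchange in Squid's cache.log; it is useful for checking that the client IP and username Squid passes to the helper are the ones you expect before the real wrapper is put in place.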


Filtering URLs or content with Squid (ICAP)

Starting with Squid version 3, integration with the Olfeo solution can also be done using the ICAP protocol. Here is an example of a simple integration of the Olfeo solution with a Squid proxy. Using one of its interfaces, the Squid proxy contacts the Olfeo solution to filter the traffic originating from the end user.

Figure 15: Integration architecture with a Squid proxy using the ICAP protocol

Warning: Squid only supports the ICAP protocol starting with version 3. Verify that you have Squid v.3 or above before proceeding.

Configuring the Olfeo solution for ICAP integration

1. Go to the configuration page via the [Parameters] > [Architecture] > [Integration] menu.
2. Click on the [Add connector] link in the Label column.
3. Select [I use my own equipment] in the [Integration Choice] menu.
4. Enter a name describing the integration mode in the [Label] field.
5. Click on the [Next] button.

Section: Parameters

6. Choose the ICAP-->Other connection type in the [Type of connection] menu.

Section: Connector parameters

7. Choose Tcp Mode as the transport mode in the [Mode] menu.
8. Enter the number of the port that will be used to connect with Squid. Default value: 1344


9. Click on the [Finish] button to save the changes.

Setting up Squid for filtering URLs or content with ICAP

Edit the Squid configuration file so that Squid can communicate with the Olfeo solution using ICAP. The following configuration is based on Squid 3. As a reminder, only Squid 3.0 or above will work.

1. Connect to the proxy server executing Squid.
2. Edit the Squid configuration file. By default the file is found in:
   • /etc/squid3/squid.conf (Debian/Ubuntu squid3 package)
   • /etc/squid/squid.conf (other installations)
3. Enable the ICAP module in the configuration file.

icap_enable on

Squid directives description:
   • icap_enable on: activates the ICAP module.

4. If needed, enable content filtering.

icap_preview_enable on

Squid directives description:
   • icap_preview_enable on: enables preview mode. Preview mode is essential for implementing content filtering in the Olfeo solution.

5. Enable end user identification. The username headers only carry a value when Squid itself authenticates the user (proxy authentication); otherwise the Olfeo solution sees the client IP only.

icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode on
icap_client_username_header X-Authenticated-User

Squid directives description:
   • icap_send_client_ip on: sends the IP address of the end user machine to the Olfeo solution.
   • icap_send_client_username on: sends the username authenticated by Squid to the Olfeo solution.
   • icap_client_username_encode on: base64-encodes the username before sending it. This keeps arbitrary characters out of the header value so it parses reliably; it is an encoding, not encryption, and anyone who can read the Squid-to-Olfeo link can decode it. Enable it for robustness, and protect the ICAP link itself at the network level (dedicated VLAN or firewall rules restricting who can reach the ICAP port).
   • icap_client_username_header X-Authenticated-User: sends the username in the X-Authenticated-User field of the ICAP request header.

6. Enter the information for activation of the ICAP service.

# ----------------------------------------------
# Activation service
# ----------------------------------------------
icap_service service_reqmod reqmod_precache 0 bypass=0 icap://10.5.1.178:1344/reqmod
adaptation_service_set class_reqmod service_reqmod

Squid directives description:




icap_service service_reqmod reqmod_precache 0 bypass=0 icap://OlfeoIpAddress:OlfeoPort/reqmod
   • service_reqmod: name given to the service.
   • reqmod_precache: vectoring point; the request is sent to the Olfeo solution before Squid's cache lookup, so content already in the cache is still subject to filtering.
   • 0 and bypass=0: the bare 0 is the Squid 3.0 form of the bypass flag and bypass=0 the Squid 3.1+ form, so the line is accepted by both. At 0 the service cannot be bypassed: if the Olfeo solution cannot be contacted, Squid returns an error to the client (fail closed). At 1 the service is deactivated while the Olfeo solution cannot be contacted (the Squid proxy continues to function, but without filtering by the Olfeo solution, i.e. fail open). Choose this deliberately; bypass=1 means a filtering outage silently removes your web policy.



adaptation_service_set class_reqmod service_reqmod
   • adaptation_service_set: groups service_reqmod in a service set named class_reqmod. Squid 3.1 and later only apply a set to traffic that an adaptation_access rule selects (for example adaptation_access class_reqmod allow all); if filtering never triggers, check that such a rule exists in your configuration.

7. Save the changes made in the Squid configuration file (squid -k parse reports syntax errors before you reload).
8. Reload the Squid proxy configuration to apply the changes.

/etc/init.d/squid reload
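The following is an added example, not code from Olfeo or the Squid project. It constructs the ICAP REQMOD request that the directives above make Squid send (built here from RFC 3507 and the Squid documentation; Squid's exact header order is not reproduced), parses it as the filtering service would, and produces the two possible ICAP verdicts. The Olfeo address, the client IP, the username jdoe and the blocked host are constructed values. Running it shows what icap_client_username_encode actually does: the X-Authenticated-User value decodes with one base64 call, so the identity and the URLs are readable by anyone on the Squid-to-Olfeo link.

```python
import base64
from urllib.parse import urlsplit

CRLF = "\r\n"


def build_reqmod(icap_uri, client_ip, username, http_head, encode_user=True):
    """Bytes Squid puts on the wire for one REQMOD request.

    http_head is the client's HTTP request head, CRLF-terminated and ending
    in an empty line. encode_user mirrors icap_client_username_encode.
    """
    host = icap_uri.split("//", 1)[1].split("/", 1)[0]
    user_value = (base64.b64encode(username.encode()).decode()
                  if encode_user else username)
    req_hdr = http_head.encode()
    icap_head = [
        "REQMOD %s ICAP/1.0" % icap_uri,
        "Host: " + host,
        "X-Client-IP: " + client_ip,             # icap_send_client_ip on
        "X-Authenticated-User: " + user_value,   # icap_client_username_header
        "Allow: 204",                            # Squid accepts "no change"
        "Encapsulated: req-hdr=0, null-body=%d" % len(req_hdr),
        "", "",
    ]
    return CRLF.join(icap_head).encode() + req_hdr


def parse_reqmod(raw, user_encoded=True):
    """What the filtering service sees. user_encoded must match the Squid
    setting: base64 is reversible, not secret, so both sides simply agree."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode().split(CRLF)
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    offsets = dict(kv.split("=") for kv in headers["encapsulated"].split(", "))
    req_hdr_len = int(offsets["null-body"]) - int(offsets["req-hdr"])
    if len(body) != req_hdr_len:
        raise ValueError("encapsulated HTTP head does not match Encapsulated")
    user = headers.get("x-authenticated-user", "")
    if user_encoded and user:
        user = base64.b64decode(user).decode()
    return {"method": method, "uri": uri,
            "client_ip": headers.get("x-client-ip"),
            "user": user,
            "request_line": body.decode().split(CRLF)[0]}


def icap_response(parsed, blocked_hosts):
    """The filtering side's verdict: 204 lets the request through unchanged;
    200 with an encapsulated HTTP 403 replaces it by a block page."""
    target = parsed["request_line"].split(" ")[1]
    host = urlsplit(target).hostname or ""
    if host not in blocked_hosts:
        return ("ICAP/1.0 204 No Content" + CRLF + CRLF).encode()
    html = "<h1>Blocked</h1><p>%s is blocked for user %s</p>" % (host, parsed["user"])
    http = CRLF.join(["HTTP/1.1 403 Forbidden", "Content-Type: text/html",
                      "Content-Length: %d" % len(html), "", ""])
    # ICAP encapsulated bodies are always chunked (RFC 3507 section 4.5).
    chunked = "%x%s%s%s0%s%s" % (len(html), CRLF, html, CRLF, CRLF, CRLF)
    head = CRLF.join(["ICAP/1.0 200 OK",
                      "Encapsulated: res-hdr=0, res-body=%d" % len(http), "", ""])
    return (head + http + chunked).encode()
```

Feeding the bytes of build_reqmod to a packet capture of the real Squid-to-Olfeo link will show the same X-Client-IP and X-Authenticated-User headers; that is the check worth doing once after enabling the directives, since a missing or empty username header usually means Squid is not authenticating the user at all.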

Filtering URLs with Check Point (OPSEC)

The integration with a Check Point firewall uses the OPSEC protocol (UFP, URL Filtering Protocol). Here is an example of a simple integration of the Olfeo solution with Check Point's FireWall-1. Using one of its interfaces, Check Point FireWall-1 contacts the Olfeo solution to filter the traffic originating from the end user.

Figure 16: Integration architecture for a Check Point Firewall.

Configuring the Olfeo solution to integrate it with OPSEC

1. Go to the configuration page via the [Parameters] > [Architecture] > [Integration] menu.
2. Click on the [Add connector] link in the Label column.
3. Select [I use my own equipment] in the [Integration Choice] menu.
4. Enter a name describing the integration mode in the [Label] field.


5. Click on the [Next] button.

Section: Parameters

6. Choose the Check Point connection type in the [Type of connection] menu.

Section: Connector parameters

7. Choose Tcp Mode as the transport mode in the [Mode] menu.
8. Enter 18182 as the number of the port which will be used for connecting to Check Point.
9. Click on the [Finish] button to save the changes.

Adding the Olfeo solution in SmartCenter

1. Connect to the SmartDashboard utility.
2. Go to the page for managing server objects via the [Manage] > [Servers and OPSEC Applications] menu.

Window: Servers

3. Click on the [New...] > [OPSEC Application...] button.

Window: OPSEC Application Properties / Tab: General

4. Enter a name describing the application object of the Olfeo solution in the [Name] field. Example: Olfeo_OPSEC
5. Briefly describe the Olfeo solution application in the [Comment] field. For example: Olfeo filtering application
6. Create a new host for the machine executing the Olfeo solution by clicking on the [New...] button.
   a) Enter a name for the machine executing the Olfeo solution in the [Name] field. Example: Olfeo
   b) Enter the Olfeo solution's IP address in the [IP address] field.
   c) Briefly describe the machine executing the Olfeo solution in the [Comment] field.
   d) Click on [OK] to save the changes.

Window: OPSEC Application Properties / Tab: General

7. In the [Vendor] menu, select the entry User Defined.
8. Enable the [UFP] checkbox (URL Filtering Protocol) in the Server Entities list.
9. Go to the [UFP Options] tab that has just appeared.

Window: OPSEC Application Properties / Tab: UFP Options

10. In the [Service] menu, select the TCP FW1_ufp service.
11. Enable the checkbox labeled [Use early versions compatibility mode].
12. Enable the [Clear (opsec)] option. Note that this sends the UFP exchange between the gateway and the Olfeo solution in clear; keep that link on a trusted management network.


13. Click on the [Get dictionary...] button to obtain the UFP server's list of categories.
14. Click on [OK] to save the changes.

Window: OPSEC Application Properties / Tab: General

15. Click on the [Close] button to return to the main screen.

Adding the URLs blocked by Olfeo in SmartCenter

1. Connect to the SmartDashboard utility.
2. Go to the page for managing resource objects via the [Manage] > [Resources] menu.

Window: Resources

3. Click on the [New...] > [URI...] button.

Window: URI Resource Properties / Tab: General

4. Enter a name describing the URI resource in the [Name] field. Example: Olfeo_blocked_URIs
5. Enter a comment describing the URI resource in the [Comment] field. For example: Olfeo filtering application
6. Confirm the [Enforce URI capabilities] option.
7. Tick the [Transparent] and [Proxy] checkboxes in the Connection Methods section.
8. Confirm the [None] option in the Exception Track section.
9. Enable the [UFP] checkbox in the URI Match Specification Type section.
10. Click on the [Match] tab.

Window: URI Resource Properties / Tab: Match

11. In the [UFP Server] menu, select the OPSEC server created previously in the chapter Adding the Olfeo solution in SmartCenter. Example: Olfeo_OPSEC
12. In the [UFP caching control] menu, select No caching.
13. In the list of categories, enable the checkbox for the [Blocked] category.
14. Enable the checkbox [Ignore UFP server after connection failure].
15. Enter the value 3 in the [Number of failures before ignoring the UFP server] field for the number of attempts before ignoring the UFP server.
16. Enter the timeout value of 60 seconds in the [Timeout before reconnect to UFP server] field.

Warning: Steps 14 to 16 make the gateway fail open: after 3 consecutive connection failures, HTTP matching this resource passes without the Olfeo verdict until the gateway reconnects to the UFP server (60 seconds here). If your policy must fail closed, leave step 14 disabled and accept that an Olfeo outage blocks web access.

17. Click on [OK] to save the changes.

Window: Resources

18. Click on the [Close] button to return to the main screen.


Configuring the Check Point firewall for traffic filtering

To enable filtering with the Olfeo solution, you must create two filtering rules in the Check Point firewall using the SmartDashboard utility. The first rule triggers HTTP filtering of the end user machines by the Olfeo solution; the second authorizes the remaining HTTP traffic from the end user machines.

1. Connect to the SmartDashboard utility.
2. Go to the page for managing network objects via the [Manage] > [Network Objects] menu.

Window: Network Objects

3. Click on the [New...] > [Network] button to add an object describing the network that contains the client machines.

Window: Network Properties / Tab: General

4. Enter a name describing the network containing the client machines in the [Name] field. For example: web_clients_network
5. In the [Network Address] field, enter the address of the network containing the client machines. For example: 192.168.17.0
6. Enter the mask of the network containing the client machines in the [Net Mask] field. Example: 255.255.255.0
7. Click on the [OK] button to save the changes.

Window: Network Objects

8. Click on the [Close] button to return to the main screen.

Window: Main

To make the Olfeo solution's filtering work together with the Check Point solution, the two firewall rules are created as shown below. Rules 2 and 3 are the ones added by this procedure; rules 1 and 4 (DNS and the final cleanup rule) show where they sit in the rulebase. Check Point evaluates rules top-down and stops at the first match, so the reject rule must stay above the accept rule: if web_filtering_2 came first, all HTTP would be accepted and the Olfeo verdict would never be consulted.

Table 2: Firewall rules

NO. | Name            | Source                     | Destination | VPN           | Service                  | Action | Track
1   |                 | Network_internal_interface | * Any       | * Any Traffic | dns                      | accept | None
2   | web_filtering_1 | Network_internal_interface | * Any       | * Any Traffic | http->Olfeo_blocked_URIs | reject | Log
3   | web_filtering_2 | Network_internal_interface | * Any       | * Any Traffic | http                     | accept | Log
4   |                 | * Any                      | * Any       | * Any Traffic | * Any                    | reject | Log

9. Open the Firewall tab in the main screen.
10. Select the rule below which you wish to add the URL filtering rule managed by the Olfeo solution.
11. Add a filtering rule via the [Rules] > [Add rule] > [Below] menu.
   a) In the newly created rule, enter a name describing the filtering rule in the NAME column. Example: web_filtering
   b) Click on the SOURCE column of the newly created rule and press the button next to it.
   c) Select the network of client machines created previously. For example: web_clients_network
   d) Click on the SERVICE column of the newly created rule, then [Right click] and select the [Add With Resource...] menu.
   e) Select http in the [Service] field.
   f) Enter the previously created resource in the [Resource] field. Example: Olfeo_blocked_URIs
   g) Click on the ACTION column of the newly created rule, [Right click] and select [Reject].
   h) Click on the [OK] button to save the changes.
12. Add a second filtering rule via the [Rules] > [Add rule] > [Below] menu.
   a) In the newly created rule, enter a name describing the filtering rule in the NAME column. For example: web_allow_rule
   b) Click on the SOURCE column of the newly created rule and press the button next to it.
   c) Select the network of client machines created previously. For example: web_clients_network
   d) Click on the SERVICE column of the newly created rule and press the button next to it.
   e) Select http in the [Service] field.
   f) Click on the ACTION column of the newly created rule, [Right click] and select [Accept].
13. Save the new configuration via the [File] > [Save] menu.
14. Install the policy on your Check Point firewall via the [Policy] > [Install...] menu.

Window: Install policy

15. Select your firewall in the list of possible destinations.
16. Click on the [OK] button to deploy the firewall rules.
17. Click on the [Close] button to return to the main screen.

Filtering URLs with Netasq (ICAP)

Integration with a Netasq box uses the ICAP protocol.

Warning: In this integration mode the Netasq proxy is used. To be able to apply policies based on users, groups, etc., user authentication must then be performed by Netasq, with the SPNEGO configuration.


Note: If Netasq is only used as a firewall and you rely on the Olfeo proxy, the ICAP integration is not necessary. The Olfeo proxy will then be responsible for authentication (transparent NTLM with Active Directory, eDirectory, OpenLDAP, etc.). If you wish to implement a proxy integration, refer to the chapter Implementing a proxy integration on page 32. Here is an example of a simple integration of the Olfeo solution with a Netasq firewall. Using one of its interfaces, the Netasq firewall queries the Olfeo solution to filter the traffic originating from the end user.

Figure 17: Netasq Firewall integration Architecture

Configuring the Olfeo solution for ICAP integration

1. Go to the configuration page via the [Parameters] > [Architecture] > [Integration] menu.
2. Click on the [Add connector] link in the Label column.
3. Select [I use my own equipment] in the [Integration Choice] menu.
4. Enter a name describing the integration mode in the [Label] field.
5. Click on the [Next] button.

Section: Parameters

6. Choose the Netasq connection type in the [Type of connection] menu.

Section: Connector parameters

7. Choose Tcp Mode as the transport mode in the [Mode] menu.
8. Enter the number of the port which will be used for connecting to Netasq. For example: 1345
9. Click on the [Finish] button to save the changes.


Setting up Netasq for filtering URLs with ICAP

The present procedure was carried out on a U series Netasq security appliance.

1. Connect to the "Netasq Unified Manager" administration software.
2. Go to the HTTP proxy configuration page via the [Proxy Cache QoS] > [Proxy HTTP] menu.

Window: Configuring the HTTP Proxy

3. Select the Icap Reqmod menu.
4. Enable the checkbox [Activate the Icap reqmod module].
5. Enter a name for the service in the [ICAP service name] field. Example: OlfeoService
6. Click the [Icap Machine] button.

Window: Objects base

7. Click on the [New] button, then on the [Machine] submenu.

Window: Creating a device

8. Enter the device name in the [Machine name] field. Example: olfeobox
9. Enter the IP address of your Olfeo solution in the [IP address] field.
10. Click on the [Next] button.
11. (Optional) Enter a description in the [Description] field. Example: Machine dedicated to filtering.
12. Click on the [Finish] button.

Window: Objects base

13. Select the newly created device by clicking its name in the Objects column.
14. Click on the [OK] button.

Window: Configuring the HTTP Proxy

15. Click on [ICAP Port].

Window: Objects base

16. Click on the [New] button, then on the [Service] submenu.

Window: Creating a service

17. Give the service a name in the [Service name] field. Example: icapOlfeo
18. Tick the [Port] checkbox, then enter the TCP port number in the [Value (1 to 65535)] field.


Note: The value entered must correspond to the one used in the chapter Configuring the Olfeo solution for ICAP integration on page 53. For example: 1345

19. Choose TCP in the [Service protocols] menu.
20. Click on the [Next] button.
21. (Optional) Enter a description in the [Description] field. Example: Port for the device dedicated to filtering.
22. Click on the [Finish] button.

Window: Objects base

23. Select the newly created service in the Objects column.
24. Click on the [OK] button.

Window: Configuring the HTTP Proxy

25. Click on the [OK] button.

Filtering URLs with Cisco (WISP)

The integration with a Cisco PIX or ASA firewall uses Websense's proprietary WISP protocol. Here is an example of a simple integration of the Olfeo solution with a Cisco ASA firewall. Using one of its interfaces, the Cisco ASA firewall queries the Olfeo solution to filter the traffic originating from the end user.

Figure 18: Architecture of integration with a Cisco ASA.


Configuring the Olfeo solution for WISP integration

1. Go to the configuration page via the [Parameters] > [Architecture] > [Integration] menu.
2. Click on the [Add connector] link in the Label column.
3. Select [I use my own equipment] in the [Integration Choice] menu.
4. Enter a name describing the integration mode in the [Label] field.
5. Click on the [Next] button.

Section: Parameters

6. Choose the Cisco connection type in the [Type of connection] menu.

Section: Connector parameters

7. Choose Tcp Mode as the transport mode in the [Mode] menu.
8. Enter the number of the port which will be used for connecting to Cisco. Default value: 15868
9. Click on the [Finish] button to save the changes.

Configuring the Cisco PIX/ASA firewall for traffic filtering

The commands to execute on your PIX/ASA firewall are described below. The administrator should have previously configured all the necessary interfaces: an incoming interface for the traffic originating from the users and an outgoing interface for the traffic intended for the Internet. One of them is used to communicate with the Olfeo solution; if necessary, a third interface dedicated to the Olfeo solution can be configured. The following commands are based on a Cisco ASA 5505 running software version 8.0.2.

1. Connect to the Cisco ASA firewall using the command line.
2. Enter privileged mode.

asa802> enable

3. Enter the enable (administrator) password when prompted.
4. Enter configuration mode.

asa802# configure terminal

5. Add the Olfeo filtering server to the configuration. asa802(config)# url-server (interfaceOlfeo) vendor websense host adresseIpOlfeo timeout 30 protocol TCP version 4 connections 5

Example: asa802(config)# url-server (inside) vendor websense host 192.168.4.2 timeout 30 protocol TCP version 4 connections 5


6. Define the filtering rules that will be handled by the Olfeo solution.

asa802(config)# filter url PortNo IpaddressSourceToBeFiltered NetMaskIpSourceToBeFiltered IpaddressDestinationToBeFiltered NetMaskIpDestinationToBeFiltered allow

Warning: An address or network mask of 0.0.0.0 stands for all IP addresses or all network masks. The allow keyword is optional: with it, the firewall lets the filtered traffic through unfiltered while the Olfeo solution is unavailable (fail open); without it, that traffic is blocked until the URL server answers again (fail closed). Choose deliberately, as with the bypass options of the other integrations.

Example: to request the Olfeo solution to filter all HTTP traffic:

asa802(config)# filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

7. Configure the number of HTTP responses which can be buffered while waiting for the Olfeo solution. url-block block NumberOfBlocksOfBuffer

Example: asa802(config)# url-block block 64

8. Configure the memory to be allocated to the buffer for URL processing. asa802(config)# url-block url-mempool memoryInKB

This value ranges from 2KB to 10240KB. Example: asa802(config)# url-block url-mempool 5120

9. Save the configuration. asa802(config)# copy running-config startup-config

Implementing a capture integration

Implementing a bridging based capture integration

To install a bridging based capture integration you must have an Olfeo Box. The configuration of a bridging based capture integration is done in two steps: 1) creating a network bridge between two physical interfaces of the Olfeo Box; 2) creating a capture integration mode.

Creating a network bridge

1. Go to the configuration page via the [Parameters] > [Network] > [Interfaces] menu.
2. Click on the [br(x)] interface corresponding to the two physical interfaces used on your Olfeo Box.

For example, see the two physical ports used by the bridge br0 on the front of the Olfeo Box


Section: Information

3. Enable the [Enabled] checkbox.

Section: Configuration ipv4

4. Choose the IPv4 configuration mode in the [Mode] field:
   • [Dhcp]: the bridge IP address is supplied by your DHCP server.
   • [Static]: enter the IP address, the Netmask and the Gateway.
   • [No address]: your network bridge operates at layer 2 of the OSI model and is not assigned an IP address.

Note: The value of giving the network bridge an IP address is that it saves a network interface: the administrator can reach the Olfeo administration console via this IP without dedicating another interface to administering the Olfeo solution.

Section: Rerouting configuration

5. In the Rerouting configuration section, select the empty entry ("--------") in the [Rerouting port] field to prevent rerouting.
6. Click [OK] to save the changes.

Setting up the capture integration

1. Go to the configuration page via the [Parameters] > [Architecture] menu.
2. Click on [Add connector].
   a) Enter a name for the new integration mode in the [Label] field.
   b) In the [Integration Choice] field, choose [I capture network traffic].
3. Click on the [Next] button to go to the next window.

Section: Connector parameters

4. In the [Capture Link] field, choose the interface of the br(x) network bridge (for example br(0)) on which the capture will occur.
5. In the [Injection Link] field, choose the network interface over which the blocking frames will be sent.
6. If you capture packets containing 802.1q VLAN headers and you want these headers to be reproduced in the injected packets, enable the checkbox labeled [copy 802.1q headers in injected packets].

Warning: Verify that you have placed the interfaces in the corresponding VLANs.

7. In the [Source MAC] field, choose the MAC address to be used for sending blocking pages. Choose between the following two options:
   • [Impersonate router] sends the injected packets with the MAC address of the router that forwards traffic to Olfeo as source address.

Danger: Some switches treat the same MAC address (the router's) appearing on different ports as abnormal network behaviour or as a security breach (port security / MAC flapping), and may respond by blocking the ports in question.

   • [Injection Interface] sends the injected packets with the MAC address of the injection interface as source address.

Note: In contrast to the previous option, this choice is not subject to blocking by your network switch, since the router's MAC address is not used.

8. If you wish to ignore HTTP and HTTPS traffic, enable the checkbox [Don't capture url traffic].
9. To disable protocol filtering, enable the checkbox [Don't capture protocol traffic].
10. Click on the [Finish] button to save the changes.

Implementing a traffic duplication based capture integration

A traffic duplication based capture integration is configured in two steps: 1) configuring port mirroring on your network switch to send a copy of your end users' network traffic to the Olfeo solution; 2) creating a capture integration mode.

Configuring a capture integration

1. If you have an Olfeo Box, assign an IP address to the interface chosen for the capture via the [Parameters] > [Network] > [Interfaces] menu.

Warning: With a virtual appliance or a software installation, the administrator must already have assigned an IP address to the interface used for capture.

   a) Click on the link of the interface which you will use for the capture in the Interface column.
   b) To activate the interface, enable the [Enabled] checkbox.
   c) Choose the configuration mode for your interface in the [Mode] drop-down menu. For a capture integration only the following two options exist:
      • [Dhcp]: the DHCP protocol configures an IP address automatically.
      • [Static]: configures a static IP address. If you choose this option, also fill in the [IP Address], [Netmask] and [Gateway] fields.
2. Go to the configuration page via the [Parameters] > [Architecture] menu.
3. Click on [Add connector].
   a) Enter a name for the new integration mode in the [Label] field.
   b) In the [Integration Choice] field, choose [I capture network traffic].
4. Click on the [Next] button to go to the next window.


Section: Connector parameters

5. In the [Capture Link] field, choose the network interface on which the capture will be performed.
6. In the [Injection Link] field, choose the network interface over which the blocking frames will be sent.
7. If you capture packets containing 802.1q VLAN headers and you want these headers to be reproduced in the injected packets, enable the checkbox labeled [Copy 802.1q headers in injected packets].

Warning: Verify that you have placed the interfaces in the corresponding VLANs.

8. In the [Source MAC] field, choose the MAC address to be used for sending blocking pages. Choose between the following two options:
   • [Impersonate router] sends the injected packets with the MAC address of the router that forwards traffic to Olfeo as source address (see the Danger note in the bridging procedure above: some switches block ports on which the router's MAC address reappears).
   • [Injection Interface] sends the injected packets with the MAC address of the injection interface as source address.
9. If you wish to ignore HTTP and HTTPS traffic, enable the checkbox [Don't capture url traffic].
10. To disable protocol filtering, enable the checkbox [Don't capture protocol traffic].
11. Click on the [Finish] button to save the changes.


Chapter 4 Configuring authentication/identification

Topics:
   • Configuring a transparent authentication
   • Setting up LDAP directory authentication
   • Setting up authentication by captive portal
   • Setting up authentication by public portal
   • Setting up transparent identification
   • Setting up a bridging based capture identification
   • Setting up traffic duplication based capture identification

4 Configuring authentication/identification.

Configuring a transparent authentication

Adding an Active Directory server and synchronizing the users

Synchronizing the user directory allows users to be organized in groups, business units and entities on which you can apply filtering rules and statistics.

1. Go to the directory configuration page via the [Parameters] > [Authentication] > [Directory] menu.
2. Click on [Add directory].

Section: Configuring the directory

3. Enter a name in the [Directory label] field.

Section: Connection

4. Choose Active Directory in the [Ldap Type] list.
5. Enter the directory's IPv4 address or DNS name in the [Host] field.
6. To encrypt exchanges between Olfeo and the directory using LDAP over SSL, enable the [LDAPs] checkbox. Without it, the bind credentials entered in step 10 and 11 cross the network in clear.
7. To have groups and users synchronized with a single query, enable the checkbox labeled [Disable Paging].

Note: By default, Olfeo uses a paginated response mode for synchronizing users and groups. Olfeo recommends keeping pagination active, as this mode is better suited to synchronizing large enterprise directories.

8. Enter the port on which the directory listens on the specified host in the [Port] field.

Note: The default port is 389 for LDAP and 636 for LDAP over SSL (the [LDAPs] checkbox).

9. Click on [Test and get basedn]. This action both tests the connection with the directory and retrieves the base DN. Note that this action is only available for the Active Directory type of directory server. After successful execution:
   • The text Connection Success appears to the right of the [Test and get basedn] button.
   • The [Basedn] field is populated automatically with the retrieved base DN.
10. In the [Binddn] field, enter the login of the user authorized to connect to the directory.

Warning: A Binddn uses the syntax login@domain. Use a dedicated account with read-only rights on the directory for this purpose: its password is stored on the Olfeo solution, so an over-privileged account here becomes a high-value target.

11. Enter the password of the user authorized to connect to the directory in the [Password] field.

Olfeo Solution / Integration Guide / 62


12. Click on [Finish] to save the directory connection settings.
    Result: The page is reloaded.

Section: Connection

13. To specify a timeout for awaiting a response from the directory, enter the maximum waiting time in seconds in the [Time out] field. Example: 60 seconds.
14. To schedule synchronization of your directory, enable [Planning] and then enter the synchronization time or frequency.
    • Example 1: Nightly synchronization at 1:05 a.m.: 01: 05
    • Example 2: Synchronization every 15 minutes, between 1 a.m. and 2 a.m.: 01 : */15
    • Example 3: Synchronization every half hour, on the hour: * : */30
    FYI: the syntax is the same as that used by crontab. Please refer to the crontab manual for more information.

Section: Domain

This section is specific to Microsoft Active Directory domains. These fields are necessary for joining the Olfeo solution to your Active Directory domain, and therefore for implementing authentication methods based on Kerberos and NTLM.

15. Enter the name of your Active Directory domain in the field [Domain]. Example: labs.mycompany.com
16. In the [Workgroup] field, enter the NetBIOS name of your domain in CAPITAL LETTERS. Example: LABS
17. If you use an NTP server separate from the Active Directory server, enable the checkbox [Use a separate NTP server].
    Warning: The NTP server must be configured in the NTP servers field, via the [Parameters] > [System] > [Date] menu.
18. If you use a DNS server separate from the Active Directory server, enable the checkbox [Use a separate DNS server].

Section: Advanced group options

19. If you wish to restrict the synchronization of groups and users to a subset of the Active Directory server tree, enter a base DN in the field [Group BaseDN]. Example: ou=hq, o=Mycompany, c=FR
20. If you wish to synchronize only group objects inheriting from a specific LDAP objectclass, enter it in the field [Group Class]. Example: organizationalUnit
21. If you want to use a group label different from the standard one (the CN LDAP attribute), specify the LDAP attribute to use as the group label in the LDAP attribute field. Example: name
22. If your groups are also organizational units, enable the checkbox [Group is container]. The synchronized groups will then be objects having this property.


23. If user group memberships are managed using a user attribute, enable the checkbox labeled [Group is user attribute]. Although available, this option is rarely used, because users and groups are generally represented as a classic tree.
24. If you want to use a different attribute to report the group name in statistics, enter it in the field [Field to use as label for groups].

Section: Advanced (user)

25. To synchronize users from a particular subset of the LDAP tree, enter the BaseDN to use in the [Basedn user] field.
26. If your directory contains the name of the Olfeo policy to be applied in an attribute of the user object, enter the name of the attribute to use in the field [Policy Id Attribute].
27. To synchronize user objects of a specific object class, enter the object class in the User Class field.
28. To use a different attribute as a primary key to uniquely identify the users you are synchronizing, enter the attribute in the field [LDAP attribute for the primary key].
29. To use a specific LDAP attribute for login.
30. To specify the user attribute containing the user name, enter the attribute in the field [LDAP attribute for name].

Section: Group list

31. To obtain the list of groups available in your directory based on the advanced criteria specified in the prior sections, click on the button labeled [Synchronize available groups].
32. Select the groups whose users you want to synchronize in the available groups pane and add them to the list of [Synchronized groups]. To add or remove a group, use the add or remove buttons.
33. Specify the synchronization priority of the groups by controlling their position in the list [Synchronized groups]. To change the priority, select a group and use the up or down buttons to move it up or down in the list.
    Warning: The order in which groups are synchronized is important, because a user can belong to several directory groups.

Section: User list

34. Synchronize the users from the selected groups in the list [Synchronized groups] using the button labeled [Synchronize users].
    Result: A message indicates the number of users synchronized.
35. Click [OK] to save the changes.
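The [Planning] field of step 14 takes a crontab-style "HOUR : MINUTE" pair. The following Python script is an added example, not part of the Olfeo guide or product, that expands such a schedule into the times of day at which synchronization fires; it goes beyond the three forms the guide shows by assuming the full crontab(5) field grammar (lists, ranges, steps), and the function names `planning_times` and `is_valid_planning` are its own.

```python
"""
Added example (not Olfeo's code): expands an Olfeo [Planning] schedule of the
form "HOUR : MINUTE" into the times of day at which synchronization fires.
Each field is treated with the crontab(5) field grammar (value, '*', a-b,
*/n, a-b/n, comma-separated lists); only the three examples shown in the
guide are known Olfeo usages, the rest of the grammar is assumed.
"""
import re

# one list element: "*" or "N" or "A-B", optionally followed by "/STEP"
_FIELD_RE = re.compile(r"^(\*|\d+(?:-\d+)?)(?:/(\d+))?$")


def expand_field(field: str, low: int, high: int) -> set[int]:
    """Expand one crontab-style field into the set of matching values."""
    values: set[int] = set()
    for item in field.replace(" ", "").split(","):
        m = _FIELD_RE.match(item)
        if not m:
            raise ValueError(f"invalid cron field element: {item!r}")
        base, step = m.group(1), int(m.group(2) or 1)
        if step < 1:
            raise ValueError(f"step must be >= 1 in {item!r}")
        if base == "*":
            start, end = low, high
        elif "-" in base:
            start, end = (int(x) for x in base.split("-"))
        else:
            start = end = int(base)
            if m.group(2):          # "5/10" means "5-high/10" in cron
                end = high
        if not (low <= start <= end <= high):
            raise ValueError(f"value out of range in {item!r}")
        values.update(range(start, end + 1, step))
    return values


def planning_times(spec: str) -> list[tuple[int, int]]:
    """Return sorted (hour, minute) pairs at which an "H : M" planning fires."""
    parts = spec.split(":")
    if len(parts) != 2:
        raise ValueError("planning must be 'HOUR : MINUTE'")
    hours = expand_field(parts[0], 0, 23)
    minutes = expand_field(parts[1], 0, 59)
    return sorted((h, m) for h in hours for m in minutes)


def is_valid_planning(spec: str) -> bool:
    """True when the planning string parses and stays within 0-23 / 0-59."""
    try:
        planning_times(spec)
        return True
    except ValueError:
        return False


def describe(spec: str) -> str:
    """Human-readable summary, handy for checking a schedule before saving it."""
    times = planning_times(spec)
    first = ", ".join(f"{h:02d}:{m:02d}" for h, m in times[:4])
    more = f" ... ({len(times)} runs/day)" if len(times) > 4 else ""
    return f"{spec.strip()!r} -> {first}{more}"


if __name__ == "__main__":
    # the three schedules given in the guide
    for spec in ("01: 05", "01 : */15", "* : */30"):
        print(describe(spec))
```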


Joining the Olfeo solution to the Windows domain

Joining the Olfeo solution to the domain ensures that user security information is regularly synchronized with the primary domain server. To join the Olfeo solution to the domain you must have a user account in the domain.
Warning: If you plan to join two Olfeo installations to the Windows domain, as in the case of an Olfeo cluster, make sure that they have different names! An Olfeo installation's machine name is visible from the [Parameters] > [Network] > [Server] menu. If you wish to change the name, refer to the procedure in the Olfeo installation guide.

1. Go to the page for joining a Windows domain via the [Parameters] > [Authentication] > [Windows domain join] menu.

Section: Authentication

2. In the [AD servers] list, select the Active Directory to use for the join operation.
3. Enter the user account to use for the Windows domain join operation in the [AD Login (for joining)] field.
   Warning: Use the following syntax: login@domain
   Example: [email protected]
4. Enter the user password in the [AD Password] field.
5. Click on the [Join domain] button.
   Warning: The Olfeo solution can only be part of a single Windows domain at a time. You need to use a trust relationship between domains if you need to identify/authenticate users from different domains.
   Result: The status message [Status] appears, specifying the name of the LDAP server to which the Olfeo solution has been joined.

Adding transparent authentication to the HTTP or FTP over HTTP proxy

1. Go to the page used to configure proxy authentication, via the [Proxy cache QoS] > [HTTP] > [Authentication] menu.

Section: Module

2. In the [Authentication mode] menu, choose the type of authentication to be used for the HTTP proxy. The possible choices for transparent authentication are:
   • [NTLM (Active Directory)]: The Olfeo HTTP proxy supports the NTLM over HTTP authentication method specified by Microsoft. This method requires Microsoft Active Directory 2003 or higher.
   • [Kerberos]: Lets you use Microsoft Kerberos authentication through an Active Directory 2003 directory.
   • [Kerberos 2008]: Identical to Kerberos, but this mode applies to an Active Directory directory of version 2003 or higher.
3. In the field [Number of instances], change the number of instantiated authentication processes if necessary. The number of instances corresponds to the number of authentication requests which can be processed in parallel at a given instant. Default number of instances: 15

Section: Rules

4. In the [Rules] section, in the [By default] list, select the rule that will be applied by default. Available options:
   • [No authentication]: No authentication query will be generated for the newly created rule.
   • [ip2login]: A mechanism integrated in the Olfeo solution that memorizes the IP address of a machine where an authentication took place.
   • [Authentication]: The proxy will perform an authentication using the protocol chosen in step 2.
   Warning: The default action is to authenticate users. If you do not plan to authenticate your users, select [No authentication].

5. Add an authentication rule using the add button.
6. In the newly created rule, click on the link in the Source column if you want to restrict this field to a specific group.
   a) Use the Select menu to choose the type of source to be used. If you choose a source of the type [IP Ranges], add a range of IP addresses using the add button. To complete, enter the information about this range:
      • Start IP.
      • End IP.
      • Range description.
   b) Click [OK] to save the changes.
7. In the newly created rule, click on the User-Agent column to specify the type of client applications to which the authentication rule will apply.
   Note: On this screen, you can deactivate the authentication of HTTP clients that do not support authentication.
   a) In the Active column, enable the checkboxes of the regular expressions corresponding to the chosen applications. Example: Mobile devices or Java applications.
   b) Click [OK] to save the changes.
8. In the newly created rule, click on the Proxy ports column to specify the proxy port(s) on which the authentication rule will apply.
   a) Select the relevant proxy ports in the Port column.
   b) Click [OK] to save the changes.
9. In the newly created rule, click on the link in the Destination column.
   a) In the [Select] menu, choose the type of destination to be processed.
      • If you have chosen [URL (regex)], enter a regular expression in the [URL] field.
      • If you have chosen [URL Lists], check off your URL lists in the [Label] column.
10. In the newly created rule, click on the link in the Authentication column.

    a) Select the type of authentication to be processed in the Label column. Available options:
       • [No authentication]: No authentication request will be sent to the client application.
       • [ip2login]: A mechanism integrated in the Olfeo solution caching the IP address of a machine where an authentication took place.
       • [Authentication]: The type of authentication set previously as the default will apply.
11. Using the up and down arrows, set the order of priority in which you want your rule to be executed.
12. In the Active column, verify that the rule added is indeed active. An active rule is identified by an icon in this column.
13. Click [OK] to save the changes.

Setting up LDAP directory authentication

Adding an LDAP directory and synchronizing users

1. Go to the directory configuration page using the [Parameters] > [Authentication] > [Directory] menu.
2. Click on [Add directory].

Section: Configure directory

3. Enter a name in the field [Directory label].

Section: Connection

4. Choose the type of directory server from the provided list [Ldap Type].
   Note: If you have an OpenLDAP directory, please choose [OpenLDAP or generic server].
5. Enter the directory's IPv4 address or DNS name in the [Host] field.
6. To have the communication between Olfeo and the directory server use the LDAP protocol over an SSL connection, enable the [LDAPs] checkbox.
7. To have groups and users synchronized using a single request, enable the checkbox labeled [Disable Paging].
   Note: By default, Olfeo uses a paginated response mode for synchronizing users and groups. Olfeo recommends keeping the pagination mode active, as this mode is more appropriate for synchronizing large enterprise directories.
8. Enter the directory server's listening Port on the specified host machine.
   Note: The default port for LDAP directories is 389.
9. Click on [Test and get basedn]. This action both tests the connection with the directory and retrieves the Base DN (see Base DN on page 111). After successful execution:
   • The text Connection Success will appear to the right of the button labeled [Test and get basedn].
   • The field [Basedn] will be populated automatically with the retrieved Base DN.
10. In the [Binddn] field, enter a user's login with at least read-only access to the directory server.
    Warning: An LDAP Bind DN uses the following syntax: CN=admin,DC=olfeo-test,DC=lab
11. Enter the password of the user with read-only access to the directory server in the [Password] field.
12. Click on [Finish] to save the directory connection settings.
    Result: The page is reloaded.

Section: Connection

13. To specify a timeout for awaiting a response from the directory server, enter the maximum waiting time in seconds in the [Time out] field. Example: 60 seconds.
14. To schedule synchronization of your directory, enable [Planning] and fill in the synchronization frequency using the cron(5) syntax.
    • Example 1: Daily synchronization at 1:05 a.m.: 01: 05
    • Example 2: Synchronization every 15 minutes, between 1 a.m. and 2 a.m.: 01 : */15
    • Example 3: Synchronization every half hour: * : */30
    The syntax used is identical to crontab. Please refer to the crontab manual, crontab(5), for more information.

Section: Advanced (group)

15. If you wish to restrict the synchronization of groups and users to a subset of the Active Directory server tree, enter a base DN in the field [Group BaseDN]. Example: ou=hq, o=Mycompany, c=FR
16. If you wish to synchronize only group objects inheriting from a specific LDAP objectclass, enter it in the field [Group Class]. Example: organizationalUnit
17. If you want to use a group label different from the standard one (the CN LDAP attribute), specify the LDAP attribute to use as the group label in the LDAP attribute field. Example: name
18. If your groups are also organizational units, enable the checkbox [Group is container]. The synchronized groups will then be objects having this property.


19. If user group memberships are managed using a user attribute, enable the checkbox labeled [Group is user attribute]. Although available, this option is rarely used, because users and groups are generally represented as a classic tree.
20. If you want to use a different attribute to report the group name in statistics, enter it in the field [Field to use as label for groups].

Section: Advanced (user)

21. To synchronize users from a particular subset of the LDAP tree, enter the BaseDN to use in the [Basedn user] field.
22. If your directory contains the name of the Olfeo policy to be applied in an attribute of the user object, enter the name of the attribute to use in the field [Policy Id Attribute].
23. To synchronize user objects of a specific object class, enter the object class in the User Class field.
24. To use a different attribute as a primary key to uniquely identify the users you are synchronizing, enter the attribute in the field [LDAP attribute for the primary key].
25. To use a specific LDAP attribute for login.
26. To specify the user attribute containing the user name, enter the attribute in the field [LDAP attribute for name].

Section: Group list

27. To obtain the list of groups available in your directory based on the advanced criteria specified in the prior sections, click on the button labeled [Synchronize available groups].
28. Select the groups whose users you want to synchronize in the available groups pane and add them to the list of [Synchronized groups]. To add or remove a group, use the add or remove buttons.
29. Specify the synchronization priority of the groups by controlling their position in the list [Synchronized groups]. To change the priority, select a group and use the up or down buttons to move it up or down in the list.
    Warning: The order in which groups are synchronized is important, because a user can belong to several directory groups.

Section: User list

30. Synchronize the users from the selected groups in the list [Synchronized groups] using the button labeled [Synchronize users].
    Result: A message indicates the number of users synchronized.
31. Click [OK] to save the changes.
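To make the effect of [Group BaseDN], [Group Class], [Group is container] and the order of the [Synchronized groups] list concrete, here is an added Python model (not Olfeo's code) of the group and user synchronization described in the Active Directory and LDAP directory procedures above. It assumes that a user present in several synchronized groups is attributed to the group placed highest in the list (the guide only states that the order matters), and that without [Group is container] membership is read from the user's memberOf attribute; the directory entries are constructed for the example.

```python
"""
Added example (not Olfeo's code): a model of the group selection and user
synchronization settings of the directory procedures. Assumptions: a user in
several synchronized groups goes to the group highest in the list; without
[Group is container], membership comes from the user's memberOf attribute.
"""
from dataclasses import dataclass, field


def norm_dn(dn: str) -> str:
    """Case- and whitespace-insensitive form of a DN for comparisons."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn: str, base: str) -> bool:
    """True when dn lies strictly below base in the directory tree."""
    return norm_dn(dn).endswith("," + norm_dn(base))


@dataclass
class SyncConfig:
    group_basedn: str          # [Group BaseDN]
    group_class: str           # [Group Class]
    user_basedn: str           # [Basedn user]
    user_class: str            # User Class
    group_is_container: bool   # [Group is container]
    synchronized_groups: list[str] = field(default_factory=list)  # ordered


# Constructed sample directory: dn -> attributes (not a real directory dump)
DIRECTORY = {
    "ou=hq,o=mycompany,c=fr": {"objectClass": ["organizationalUnit"]},
    "ou=sales,ou=hq,o=mycompany,c=fr": {"objectClass": ["organizationalUnit"]},
    "ou=it,ou=hq,o=mycompany,c=fr": {"objectClass": ["organizationalUnit"]},
    "cn=vpn,ou=hq,o=mycompany,c=fr": {"objectClass": ["groupOfNames"]},
    "uid=alice,ou=sales,ou=hq,o=mycompany,c=fr": {
        "objectClass": ["inetOrgPerson"],
        "memberOf": ["cn=vpn,ou=hq,o=mycompany,c=fr"]},
    "uid=bob,ou=it,ou=hq,o=mycompany,c=fr": {
        "objectClass": ["inetOrgPerson"],
        "memberOf": ["cn=vpn,ou=hq,o=mycompany,c=fr"]},
    "uid=svc,ou=it,ou=hq,o=mycompany,c=fr": {"objectClass": ["account"]},
}


def available_groups(directory: dict, cfg: SyncConfig) -> list[str]:
    """[Synchronize available groups]: Group Class entries under Group BaseDN."""
    return sorted(dn for dn, attrs in directory.items()
                  if dn_under(dn, cfg.group_basedn)
                  and cfg.group_class in attrs.get("objectClass", []))


def is_member(user_dn: str, attrs: dict, group_dn: str, cfg: SyncConfig) -> bool:
    """Membership test, depending on the [Group is container] setting."""
    if cfg.group_is_container:
        return dn_under(user_dn, group_dn)
    return norm_dn(group_dn) in {norm_dn(g) for g in attrs.get("memberOf", [])}


def synchronize_users(directory: dict, cfg: SyncConfig) -> dict[str, str]:
    """[Synchronize users]: map each user DN to the first synchronized group
    (in list order) that contains it. Users in no synchronized group are
    skipped, which is why list order matters for multi-group users."""
    result: dict[str, str] = {}
    for dn, attrs in directory.items():
        if cfg.user_class not in attrs.get("objectClass", []):
            continue
        if not dn_under(dn, cfg.user_basedn):
            continue
        for group in cfg.synchronized_groups:
            if is_member(dn, attrs, group, cfg):
                result[dn] = group
                break
    return result


if __name__ == "__main__":
    cfg = SyncConfig("ou=hq, o=Mycompany, c=FR", "organizationalUnit",
                     "ou=hq, o=Mycompany, c=FR", "inetOrgPerson", True)
    cfg.synchronized_groups = available_groups(DIRECTORY, cfg)
    users = synchronize_users(DIRECTORY, cfg)
    print(f"{len(users)} users synchronized")   # the count the UI reports
    for user, group in users.items():
        print(f"  {user} -> {group}")
```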

Creating an authentication zone

For any given population, there may be multiple ways to authenticate users. In Olfeo, you can group these potential authentication methods in a "zone". A zone contains the list of possible servers used to authenticate users, tried one after the other.


1. Go to the page for configuring zones, via the [Parameters] > [Authentication] > [Authentication Mode] menu.

Section: Authentication mode

2. Enter a name for the new zone in the [Label] field.
3. Enter a description in the [Description] field.

Section: Properties

4. In the Properties section, add an authentication method using the add button.
5. In the newly created entry, click on the Backend Type column.
   a) Select the type of authentication that you want to apply in the menu [Select a module type].
   b) Configure the authentication method chosen in the previous step.
      • If you chose LDAP, select the directory to be used in the field labeled [Select a directory].
      • If you chose a guest account, enter the user's name in the [User id] field.
   c) Click [OK] to save the changes.
6. Repeat steps 4 and 5 for each authentication backend you need to use in your authentication zone.
7. Click on the [Create] button to save the changes.

Adding LDAP authentication to the HTTP proxy or FTP over HTTP proxy

1. Go to the page used to configure proxy authentication, via the [Proxy Cache QoS] > [HTTP] > [Authentication] menu.

Section: Module

2. In the [Authentication mode] menu, choose the type of authentication to be used by the HTTP proxy. To implement an LDAP authentication:
   • [Basic – auth. zone]: This authentication mode requires using Olfeo authentication zones. Depending on the number of authentication zones configured, one or more basic modes of authentication will be available for selection.
   Note: In basic authentication mode, the proxy will insist on authenticating the user for each connection established by the client. Caching of the user's credentials in the client browser allows a single authentication pop-up to be presented, on the first browsing attempt or when the credentials have expired.
3. In the field [Number of instances], change the number of instantiated authentication processes if necessary. The number of instances corresponds to the number of authentication requests which can be processed in parallel at a given instant. Default number of instances: 15

Section: Rules

4. In the [Rules] section, in the [By default] list, select the rule that will be applied by default. Available options:
   • [No authentication]: No authentication query will be generated for the newly created rule.
   • [ip2login]: A mechanism integrated in the Olfeo solution that memorizes the IP address of a machine where an authentication took place.
   • [Authentication]: The proxy will perform an authentication using the protocol chosen in step 2.
   Warning: The default action is to authenticate users. If you do not plan to authenticate your users, select [No authentication].

5. Add an authentication rule using the add button.
6. In the newly created rule, click on the link in the Source column if you want to restrict this field to a specific group.
   a) Use the Select menu to choose the type of source to be used. If you choose a source of the type [IP Ranges], add a range of IP addresses using the add button. To complete, enter the information about this range:
      • Start IP.
      • End IP.
      • Range description.
   b) Click [OK] to save the changes.
7. In the newly created rule, click on the User-Agent column to specify the type of client applications to which the authentication rule will apply.
   Note: On this screen, you can deactivate the authentication of HTTP clients that do not support authentication.
   a) In the Active column, enable the checkboxes of the regular expressions corresponding to the chosen applications. Example: Mobile devices or Java applications.
   b) Click [OK] to save the changes.
8. In the newly created rule, click on the Proxy ports column to specify the proxy port(s) on which the authentication rule will apply.
   a) Select the relevant proxy ports in the Port column.
   b) Click [OK] to save the changes.
9. In the newly created rule, click on the link in the Destination column.
   a) In the [Select] menu, choose the type of destination to be processed.
      • If you have chosen [URL (regex)], enter a regular expression in the [URL] field.
      • If you have chosen [URL Lists], check off your URL lists in the [Label] column.
10. In the newly created rule, click on the link in the Authentication column.
    a) Select the type of authentication to be processed in the Label column.


       Available options:
       • [No authentication]: No authentication request will be sent to the client application.
       • [ip2login]: A mechanism integrated in the Olfeo solution caching the IP address of a machine where an authentication took place.
       • [Authentication]: The type of authentication set previously as the default will apply.
11. Using the up and down arrows, set the order of priority in which you want your rule to be executed.
12. In the Active column, verify that the rule added is indeed active. An active rule is identified by an icon in this column.
13. Click [OK] to save the changes.

Adding an authentication to the FTP or SOCKS proxy

1. Go to the page used to configure an FTP proxy using the [Proxy cache QoS] > [FTP] > [Authentication] menu or, for a SOCKS proxy, using the [Proxy cache QoS] > [SOCKS] > [Authentication] menu.
2. Add an authentication rule using the add button.
3. In the newly created rule, click on the link in the Timeslot column, then choose the intended timeslot by clicking on the link in the [Label] column.
   Note: Create specific timeslots by going to the [Rules] > [Time Slots] page.
4. In the newly created rule, click on the link in the Source column.
   a) Use the Select menu to choose the type of source to be used. If you choose a source of the type [IP Ranges], add a range of IP addresses using the add button. To complete, enter the information about this range:
      • Start IP.
      • End IP.
      • Range description.
   b) Click [OK] to save the changes.
5. In the newly created rule, click on the link in the Mode column to specify the authentication zone to be applied.
   a) In the Active column, validate the regular expressions corresponding to the chosen applications. Example: Mobile devices or Java applications.
   b) Click [OK] to save the changes.
6. In the newly created rule, click on the Proxy ports column to specify the proxy port(s) to which the authentication rule will apply.
   a) Select the relevant proxy ports in the Port column.
   b) Click [OK] to save the changes.
7. In the newly created rule, click on the link in the Destination column.


   a) In the [Select] menu, choose the type of destination to be processed.
      • If you have chosen [URL (regex)], enter a regular expression in the [URL] field.
      • If you have chosen [URL Lists], check off your URL lists in the [Label] column.
8. In the newly created rule, click on the link in the Authentication column.
   a) In the menu [Select], choose the type of authentication to be processed. Available options:
      • [No authentication]: No authentication request will be sent to the client application.
      • [ip2login]: A mechanism integrated in the Olfeo solution caching the IP address of a machine where an authentication took place.
      • [Authentication]: The type of authentication set previously as the default will apply.
9. Using the up and down arrows, set the order of priority in which you want your rule to be executed.
10. In the Active column, verify that the rule added is indeed active. An active rule is identified by an icon in this column.
11. Click [OK] to save the changes.
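The rule tables of the three proxy procedures above (HTTP transparent, HTTP LDAP, FTP/SOCKS) are evaluated top-down in priority order until an active rule matches, otherwise the [By default] action applies. The following Python model is an added example, not Olfeo's code, of that evaluation; the ip2login behaviour (a request from an IP with a memorized login is attributed to that login, anything else falls back to an authentication challenge) and every rule label, address and host in it are assumptions.

```python
"""
Added example (not Olfeo's code): a model of the ordered authentication rule
table of the proxy procedures. A rule is matched on Source (IP ranges),
User-Agent (regular expressions), Proxy ports and Destination (URL regex or
URL lists); the first active match decides the action, else [By default].
The ip2login fallback to a challenge is an assumption, as are all samples.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

NO_AUTH, IP2LOGIN, AUTH = "No authentication", "ip2login", "Authentication"


@dataclass
class Rule:
    label: str
    action: str
    active: bool = True
    ip_ranges: list[tuple[str, str]] = field(default_factory=list)  # (start, end)
    user_agents: list[str] = field(default_factory=list)           # regexes
    proxy_ports: set[int] = field(default_factory=set)
    url_regex: Optional[str] = None
    url_lists: dict[str, set[str]] = field(default_factory=dict)   # label -> hosts

    def matches(self, ip: str, ua: str, port: int, url: str) -> bool:
        """Every configured criterion must match; an empty criterion means any."""
        addr = ipaddress.ip_address(ip)
        if self.ip_ranges and not any(
                ipaddress.ip_address(a) <= addr <= ipaddress.ip_address(b)
                for a, b in self.ip_ranges):
            return False
        if self.user_agents and not any(re.search(p, ua) for p in self.user_agents):
            return False
        if self.proxy_ports and port not in self.proxy_ports:
            return False
        if self.url_regex and not re.search(self.url_regex, url):
            return False
        if self.url_lists:
            host = re.sub(r"^[a-z]+://", "", url).split("/")[0].split(":")[0]
            if not any(host in hosts for hosts in self.url_lists.values()):
                return False
        return True


@dataclass
class AuthPolicy:
    default_action: str                      # [By default]
    rules: list[Rule]                        # priority order, top first
    ip2login_cache: dict[str, str] = field(default_factory=dict)  # ip -> login

    def decide(self, ip, ua, port, url) -> tuple[str, Optional[str]]:
        """Return (outcome, login). Outcomes: 'allow', 'challenge', 'cached'."""
        action = self.default_action
        for rule in self.rules:
            if rule.active and rule.matches(ip, ua, port, url):
                action = rule.action
                break
        if action == NO_AUTH:
            return "allow", None
        if action == IP2LOGIN and ip in self.ip2login_cache:
            return "cached", self.ip2login_cache[ip]
        return "challenge", None

    def record_login(self, ip: str, login: str) -> None:
        """Called after a successful authentication so ip2login can reuse it."""
        self.ip2login_cache[ip] = login


# Constructed sample policy (labels, addresses and hosts are illustrative only)
POLICY = AuthPolicy(
    default_action=AUTH,
    rules=[
        Rule("Mobile devices", NO_AUTH, user_agents=[r"(?i)android|iphone"]),
        Rule("Update servers", NO_AUTH,
             url_lists={"Updates": {"updates.example.test"}}),
        Rule("Guest Wi-Fi", IP2LOGIN, ip_ranges=[("10.20.0.1", "10.20.255.254")],
             proxy_ports={3129}),
        Rule("Disabled rule", NO_AUTH, active=False),   # skipped: not active
    ],
)

if __name__ == "__main__":
    print(POLICY.decide("10.20.3.7", "Mozilla/5.0", 3129, "http://www.example.test/"))
    POLICY.record_login("10.20.3.7", "alice")
    print(POLICY.decide("10.20.3.7", "Mozilla/5.0", 3129, "http://www.example.test/"))
```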

Configuring the client machine

In the proxy integration case, the client machine must be configured to work with the Olfeo solution. To do so, enter the following proxy settings in the client applications:
• IP address of the Olfeo solution.
• Olfeo proxy port (3129 by default).

Setting up authentication by captive portal

Adding a directory

Adding an LDAP directory and synchronizing users

1. Go to the directory configuration page using the [Parameters] > [Authentication] > [Directory] menu.
2. Click on [Add directory].

Section: Configure directory

3. Enter a name in the field [Directory label].

Section: Connection

4. Choose the type of directory server from the provided list [Ldap Type].
   Note: If you have an OpenLDAP directory, please choose [OpenLDAP or generic server].
5. Enter the directory's IPv4 address or DNS name in the [Host] field.
6. To have the communication between Olfeo and the directory server use the LDAP protocol over an SSL connection, enable the [LDAPs] checkbox.
7. To have groups and users synchronized using a single request, enable the checkbox labeled [Disable Paging].
   Note: By default, Olfeo uses a paginated response mode for synchronizing users and groups. Olfeo recommends keeping the pagination mode active, as this mode is more appropriate for synchronizing large enterprise directories.
8. Enter the directory server's listening Port on the specified host machine.
   Note: The default port for LDAP directories is 389.
9. Click on [Test and get basedn]. This action both tests the connection with the directory and retrieves the Base DN (see Base DN on page 111). After successful execution:
   • The text Connection Success will appear to the right of the button labeled [Test and get basedn].
   • The field [Basedn] will be populated automatically with the retrieved Base DN.
10. In the [Binddn] field, enter a user's login with at least read-only access to the directory server.
    Warning: An LDAP Bind DN uses the following syntax: CN=admin,DC=olfeo-test,DC=lab
11. Enter the password of the user with read-only access to the directory server in the [Password] field.
12. Click on [Finish] to save the directory connection settings.
    Result: The page is reloaded.

Section: Connection

13. To specify a timeout for awaiting a response from the directory server, enter the maximum waiting time in seconds in the [Time out] field. Example: 60 seconds.
14. To schedule synchronization of your directory, enable [Planning] and fill in the synchronization frequency using the cron(5) syntax.
    • Example 1: Daily synchronization at 1:05 a.m.: 01: 05
    • Example 2: Synchronization every 15 minutes, between 1 a.m. and 2 a.m.: 01 : */15
    • Example 3: Synchronization every half hour: * : */30
    The syntax used is identical to crontab. Please refer to the crontab manual, crontab(5), for more information.

Section: Advanced (group)

15. If you wish to restrict the synchronization of groups and users to a subset of the Active Directory server tree, enter a base DN in the field [Group BaseDN]. Example: ou=hq, o=Mycompany, c=FR


16. If you wish to synchronize only group objects inheriting from a specific LDAP objectclass, enter it in the field [Group Class]. Example: organizationalUnit
17. If you want to use a group label different from the standard one (the CN LDAP attribute), specify the LDAP attribute to use as the group label in the LDAP attribute field. Example: name
18. If your groups are also organizational units, enable the checkbox [Group is container]. The synchronized groups will then be objects having this property.
19. If user group memberships are managed using a user attribute, enable the checkbox labeled [Group is user attribute]. Although available, this option is rarely used, because users and groups are generally represented as a classic tree.
20. If you want to use a different attribute to report the group name in statistics, enter it in the field [Field to use as label for groups].

Section: Advanced (user)

21. To synchronize users from a particular subset of the LDAP tree, enter the BaseDN to use in the [Basedn user] field.
22. If your directory contains the name of the Olfeo policy to be applied in an attribute of the user object, enter the name of the attribute to use in the field [Policy Id Attribute].
23. To synchronize user objects of a specific object class, enter the object class in the User Class field.
24. To use a different attribute as a primary key to uniquely identify the users you are synchronizing, enter the attribute in the field [LDAP attribute for the primary key].
25. To use a specific LDAP attribute for login.
26. To specify the user attribute containing the user name, enter the attribute in the field [LDAP attribute for name].

Section: Group list

27. To obtain the list of groups available in your directory based on the advanced criteria specified in the prior sections, click on the button labeled [Synchronize available groups].
28. Select the groups whose users you want to synchronize in the available groups pane and add them to the list of [Synchronized groups]. To add or remove a group, use the add or remove buttons.
29. Specify the synchronization priority of the groups by controlling their position in the list [Synchronized groups]. To change the priority, select a group and use the up or down buttons to move it up or down in the list.
    Warning: The order in which groups are synchronized is important, because a user can belong to several directory groups.

Section: User list

30. Synchronize the users from the selected groups in the list [Synchronized groups] using the button labeled [Synchronize users].
    Result: A message indicates the number of users synchronized.


31. Click [OK] to save the changes.

Adding an Active Directory server and synchronizing the users

Synchronizing the user directory allows you to organize users into groups, business units and entities on which you can apply filtering rules and statistics.

1. Go to the directory configuration page via the [Parameters] > [Authentication] > [Directory] menu.
2. Click on [Add directory].

Section: Configuring the directory

3. Enter a name in the field [Directory label].

Section: Connection

4. Choose Active Directory in the [Ldap Type] list.
5. Enter the directory's IPv4 address or DNS name in the [Host] field.
6. To encrypt exchanges between Olfeo and the directory using the LDAP protocol over an SSL connection, enable the [LDAPs] checkbox.
7. To have groups and users synchronized with a single query, enable the checkbox labeled [Disable Paging].
   Note: By default, Olfeo uses a paginated response mode for synchronizing users and groups. Olfeo recommends keeping the pagination mode active, as this mode is more appropriate for synchronizing large enterprise directories.
8. Enter the listening Port of the directory on the specified host machine.
   Note: The default port for the directories is 389.
9. Click on [Test and get basedn]. This action both tests the connection with the directory and retrieves the base DN. Please note this action is only available for Active Directory type directory servers. After successful execution:
   • The text Connection Success will appear to the right of the button labeled [Test and get basedn].
   • The field [Basedn] will be populated automatically with the retrieved Base DN.
10. In the [Binddn] field, enter the login of the user authorized to connect to the directory.
    Warning: A Binddn uses this syntax: login@domain
    Example: [email protected]
11. Enter the password of the user authorized to connect to the directory in the [Password] field.
12. Click on [Finish] to save the directory connection settings.


Result: The page is reloaded.

Section: Connection
13. To specify a timeout for awaiting a response from the directory, enter the maximum waiting time in seconds in the [Time out] field. Example: 60 seconds.
14. To schedule synchronization of your directory, enable [Planning] and then enter the synchronization time or frequency.
• Example 1: Nightly synchronization at 1:05 a.m.: 01 : 05
• Example 2: Synchronization every 15 minutes, between 1 a.m. and 2 a.m.: 01 : */15
• Example 3: Synchronization every half hour (on the hour and at half past): * : */30
FYI: the syntax is the same as that used by crontab. Please refer to the crontab manual for more information.

Section: Domain
This section is specific to Microsoft Active Directory domains. These fields are required to join the Olfeo solution to your Active Directory domain, and therefore to implement the authentication methods based on Kerberos and NTLM.
15. Enter the name of your Active Directory domain in the [Domain] field. Example: labs.mycompany.com
16. In the [Workgroup] field, enter the NetBIOS name of your domain in CAPITAL LETTERS. Example: LABS
17. If you use an NTP server separate from the Active Directory server, enable the checkbox [Use a separate NTP server].
Warning: The NTP server must be configured in the NTP servers field, via the [Parameters] > [System] > [Date] menu.

18. If you use a DNS server separate from the Active Directory server, enable the checkbox [Use a separate DNS server].

Section: Advanced group options
19. To restrict group and user synchronization to a subset of the Active Directory tree, enter a base DN in the [Group BaseDN] field. Example: ou=hq, o=Mycompany, c=FR
20. To synchronize only group objects of a specific LDAP object class, enter it in the [Group Class] field. Example: organizationalUnit
21. To use a group label other than the standard one (the CN LDAP attribute), specify the LDAP attribute to use as the group label in the LDAP attribute field. Example: name
22. If your groups are also organizational units, enable the checkbox [Group is container]. The synchronized groups will then be objects having this property.
23. If user group memberships are managed through a user attribute, enable the checkbox labeled [Group is user attribute]. Although available, this option is rarely used, because users and groups are generally represented as a classic tree.


24. To use a different attribute as the group name reported in statistics, enter it in the field [Field to use as label for groups].

Section: Advanced (user)
25. To synchronize users from a particular subset of the LDAP tree, enter the base DN to use in the [Basedn user] field.
26. If your directory stores the name of the Olfeo policy to apply in an attribute of the user object, enter the name of that attribute in the [Policy Id Attribute] field.
27. To synchronize user objects of a specific object class, enter the object class in the User Class field.
28. To use a different attribute as the primary key uniquely identifying the users you synchronize, enter the attribute in the field [LDAP attribute for the primary key].
29. To use a specific LDAP attribute for login.
30. To specify the user attribute containing the user name, enter the attribute in the field [LDAP attribute for name].

Section: Group list
31. To obtain the list of groups available in your directory according to the advanced criteria specified in the previous sections, click on the button labeled [Synchronize available groups].
32. In the available groups pane, select the groups whose users are to be synchronized and add them to the [Synchronized groups] list. To add or remove a group, use the add or remove buttons.
33. Specify the synchronization priority of the groups by controlling their position in the [Synchronized groups] list. To change the priority, select a group and use the up or down buttons to move it up or down in the list.
Warning: The order in which groups are synchronized matters, because a user can belong to several directory groups.

Section: User list
34. Synchronize the users from the groups selected in the [Synchronized groups] list using the button labeled [Synchronize users].
Result: A message indicates the number of users synchronized.
35. Click [OK] to save the changes.
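Two details of the procedure above are easy to get wrong and worth checking before a first synchronization: the crontab-like "hour : minute" syntax of the [Planning] field (step 14) and the consequence of the group order in [Synchronized groups] (step 33), where a user who belongs to several groups is attached to the first group in the list. The following Python script is an added example, not Olfeo code: it expands a planning expression into the times it fires and resolves constructed directory entries (sample DNs built on the guide's "ou=hq, o=Mycompany, c=FR" base) against a synchronized-group list in priority order. The support for "a-b" ranges and "a,b" lists is an assumption carried over from crontab.

```python
"""
Added example (not Olfeo code). It models two rules from the directory
synchronization procedure above:
  - step 14: the [Planning] field uses a crontab-like "hour : minute" syntax;
  - step 33: a user belonging to several synchronized groups is attached to
    the group that comes first in the [Synchronized groups] list.
The directory entries below are constructed sample data.
"""
import re
from typing import Dict, List, Set, Tuple


def _expand_field(field: str, limit: int) -> Set[int]:
    """Expand one crontab-style field into the set of values it matches.

    Handles the forms shown in the guide (a number, "*" and "*/n") plus the
    "a-b" and "a,b" forms crontab also accepts (assumption: Olfeo does too).
    """
    values: Set[int] = set()
    for part in field.replace(" ", "").split(","):
        m = re.fullmatch(r"(\*|\d+(?:-\d+)?)(?:/(\d+))?", part)
        if not m:
            raise ValueError(f"invalid crontab field: {field!r}")
        base, step = m.group(1), int(m.group(2) or 1)
        if base == "*":
            lo, hi = 0, limit - 1
        elif "-" in base:
            lo, hi = (int(x) for x in base.split("-"))
        else:
            lo = hi = int(base)
        if step < 1 or not (0 <= lo <= hi < limit):
            raise ValueError(f"field out of range: {field!r}")
        values.update(range(lo, hi + 1, step))
    return values


def parse_planning(planning: str) -> List[Tuple[int, int]]:
    """Return the sorted (hour, minute) pairs at which a synchronization runs."""
    hour_field, minute_field = (p.strip() for p in planning.split(":", 1))
    return sorted((h, m)
                  for h in _expand_field(hour_field, 24)
                  for m in _expand_field(minute_field, 60))


# Constructed sample: user DN -> group DNs the user belongs to, in the shape
# of Active Directory's memberOf attribute.
SAMPLE_USERS: Dict[str, List[str]] = {
    "cn=alice,ou=hq,o=Mycompany,c=FR": [
        "cn=Staff,ou=hq,o=Mycompany,c=FR",
        "cn=Admins,ou=hq,o=Mycompany,c=FR",
    ],
    "cn=bob,ou=hq,o=Mycompany,c=FR": ["cn=Staff,ou=hq,o=Mycompany,c=FR"],
    "cn=carol,ou=sales,o=Mycompany,c=FR": ["cn=Sales,ou=sales,o=Mycompany,c=FR"],
}


def resolve_groups(users: Dict[str, List[str]],
                   synchronized: List[str]) -> Dict[str, str]:
    """Attach each user to the first group of `synchronized` it belongs to.

    `synchronized` is the [Synchronized groups] list in priority order.
    Users in none of the synchronized groups are not synchronized and are
    therefore absent from the result. DNs are compared case-insensitively.
    """
    rank = {dn.lower(): i for i, dn in enumerate(synchronized)}
    result: Dict[str, str] = {}
    for user_dn, member_of in users.items():
        hits = [(rank[g.lower()], g) for g in member_of if g.lower() in rank]
        if hits:
            result[user_dn] = min(hits)[1]
    return result


if __name__ == "__main__":
    print(parse_planning("01 : */15"))
    admins_first = ["cn=Admins,ou=hq,o=Mycompany,c=FR",
                    "cn=Staff,ou=hq,o=Mycompany,c=FR"]
    # Swapping the order changes the group alice ends up in.
    print(resolve_groups(SAMPLE_USERS, admins_first))
    print(resolve_groups(SAMPLE_USERS, admins_first[::-1]))
```

Running the script shows why the warning after step 33 matters: with Admins above Staff, alice is synchronized as an Admins member; with the order reversed she becomes a Staff member, and any filtering policy attached to Admins no longer applies to her. Carol, whose only group is not in the synchronized list, is not synchronized at all.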

Creating an authentication zone

For any given population, there may be several ways to authenticate users. In Olfeo, these possible authentication methods are grouped in a "zone". A zone contains the list of servers that may authenticate users; they are tried in sequential order.
1. Go to the page for configuring zones, via the [Parameters] > [Authentication] > [Authentication Mode] menu.


Section: Authentication mode
2. Enter a name for the new authentication zone in the [Label] field.
3. Enter a description in the [Description] field.

Section: Properties
4. In the Properties section, add an authentication method using the add button.
5. In the newly created entry, click on the Backend Type column.
a) Select the type of authentication that you want to apply in the [Select a module type] menu.
b) Configure the authentication method chosen in the previous step:
• If you chose LDAP, select the directory to be used in the field labeled [Select a directory].
• If you chose a guest account, enter the user's name in the [User id] field.
c) Click [OK] to save the changes.
6. Repeat steps 4 and 5 for each authentication backend you need to use in your authentication zone.
7. Click on the [Create] button to save the changes.
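The backends of a zone are tried one after another in the order they appear in the Properties section, and the guest backend accepts anyone as the configured [User id]. The Python model below is an added example, not Olfeo code, written to make that sequential behaviour visible: the LdapBackend and GuestBackend classes, the in-memory account table and the zone labels are constructed stand-ins for the directory selected in [Select a directory] and the guest account of steps 4 to 6.

```python
"""
Added example (not Olfeo code). It models how an authentication zone tries
its backends one after another, in the order of the [Properties] section
(steps 4 to 6 above). The two backend classes and the account table are
constructed stand-ins: in Olfeo the LDAP backend queries the directory chosen
in [Select a directory], and the guest backend identifies every client as
the [User id] entered for it.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LdapBackend:
    """Stand-in for a directory backend: a login is accepted only if the
    password matches the stored one (constructed table, plaintext for the demo)."""
    directory: str
    accounts: Dict[str, str] = field(default_factory=dict)

    def authenticate(self, login: str, password: str) -> Optional[str]:
        expected = self.accounts.get(login)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            return login
        return None


@dataclass
class GuestBackend:
    """Stand-in for the guest-account backend: accepts anyone, as [User id]."""
    user_id: str

    def authenticate(self, login: str, password: str) -> Optional[str]:
        return self.user_id


@dataclass
class AuthenticationZone:
    label: str
    backends: List[object]  # evaluated sequentially, first acceptance wins

    def authenticate(self, login: str, password: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (identity, backend class name) from the first backend that
        accepts the credentials, or (None, None) if all of them refuse."""
        for backend in self.backends:
            identity = backend.authenticate(login, password)
            if identity is not None:
                return identity, type(backend).__name__
        return None, None


def build_zone(guest_first: bool = False) -> AuthenticationZone:
    """Zone with one LDAP backend and one guest backend (constructed data)."""
    ldap = LdapBackend("labs.mycompany.com", {"alice": "correct horse"})
    guest = GuestBackend("guest")
    if guest_first:
        return AuthenticationZone("guest then LDAP", [guest, ldap])
    return AuthenticationZone("LDAP then guest", [ldap, guest])


if __name__ == "__main__":
    zone = build_zone()
    print(zone.authenticate("alice", "correct horse"))   # alice via LdapBackend
    print(zone.authenticate("alice", "wrong"))           # falls back to guest
    # With the guest backend first, every login ends up as "guest" and the
    # directory is never consulted: the order set in step 6 is not cosmetic.
    print(build_zone(guest_first=True).authenticate("alice", "correct horse"))
```

The last call illustrates the check to make after step 6: a guest backend placed before the directory backend short-circuits the chain, so every user is identified as the guest account and directory-based policies never apply. The guest backend, when used, belongs last.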

Setting up the LDAP authentication portal

1. Go to the page for setting up filtering via the [Rules] > [Users] menu.
2. Select the [Access] tab for controlling access to remote resources (pages, files downloaded by FTP, videos, etc.).

Tab: Access
3. Add a filtering rule using the add button.
4. To insert a timeslot in the newly created rule, click on the link in the [Timeslot] column, then select a timeslot.
5. In the newly created rule, if you wish to limit the captive portal to a specific user population or a specific set of client machines, click on the link in the [Source] column. Next, via the [Select] menu, choose the type of population to apply the rule to.
a) To specify a range of IP addresses, select [IP Ranges]. Then enter a [Start IP] address and an [End IP] address, as well as text in the [Range description] field. You can add one or more IP address ranges using the add button. To finish, click on [Ok].
b) To specify a user population, select [Users]. Then select the users by enabling the checkboxes in the [Name] column. Finish by clicking on [Ok].
6. In the newly created rule, if you wish to specify the type of protocol, click on the link in the [Flow] column. Next, enable the checkboxes in the [Label] column to select the protocol(s) you want to apply the rule to.
7. In the newly created rule, click on the link in the [Destination] column, then choose the type of destination to which your rule will apply using the [Select] menu.
a) To filter URLs with a regular expression, click on [URL (regex)] then enter the regular expression in the [URL] field. Click [Ok] to finish.


b) To filter URLs by means of a list, click on [URL Lists] then select one of the URL lists you defined previously. Click [Ok] to finish.
c) To filter URLs using a list of categories, click on [Categories Lists] then select one of the category lists you defined previously. Click [Ok] to finish.
d) To filter Web 2.0 content, click on [Web 2.0 Lists] then select a list of Web 2.0 categories you defined beforehand. Click [Ok] to finish.
e) To filter categories, click on [Destination] then enter one or more categories. Click [Ok] to finish.
8. In the newly created rule, click on the icon in the [Action] column.
a) Select [Authentication portal] in the [Select] menu.
b) In the [Portal] menu, select the authentication zone created in the chapter Creating an authentication zone on page 69.
c) Click [OK] to save the changes.

Tab: Access
9. Click on the [Ok] button to save the changes in the access rules list.

Setting up the NTLM captive portal

1. Go to the page for setting up filtering via the [Rules] > [Users] menu.
2. Select the [Access] tab for controlling access to remote resources (pages, files downloaded by FTP, videos, etc.).

Tab: Access
3. Add a filtering rule using the add button.
4. To insert a timeslot in the newly created rule, click on the link in the [Timeslot] column, then select a timeslot.
5. In the newly created rule, if you wish to limit the captive portal to a specific user population or a specific set of client machines, click on the link in the [Source] column. Next, via the [Select] menu, choose the type of population to apply the rule to.
a) To specify a range of IP addresses, select [IP Ranges]. Then enter a [Start IP] address and an [End IP] address, as well as text in the [Range description] field. You can add one or more IP address ranges using the add button. To finish, click on [Ok].
b) To specify a user population, select [Users]. Then select the users by enabling the checkboxes in the [Name] column. Finish by clicking on [Ok].
6. In the newly created rule, if you wish to specify the type of protocol, click on the link in the [Flow] column. Next, enable the checkboxes in the [Label] column to select the protocol(s) you want to apply the rule to.
7. In the newly created rule, click on the link in the [Destination] column, then choose the type of destination to which your rule will apply using the [Select] menu.
a) To filter URLs with a regular expression, click on [URL (regex)] then enter the regular expression in the [URL] field. Click [Ok] to finish.


b) To filter URLs by means of a list, click on [URL Lists] then select one of the URL lists you defined previously. Click [Ok] to finish.
c) To filter URLs using a list of categories, click on [Categories Lists] then select one of the category lists you defined previously. Click [Ok] to finish.
d) To filter Web 2.0 content, click on [Web 2.0 Lists] then select a list of Web 2.0 categories you defined beforehand. Click [Ok] to finish.
e) To filter categories, click on [Destination] then enter one or more categories. Click [Ok] to finish.
8. In the newly created rule, click on the icon in the [Action] column.
a) Select [Authentication portal] in the [Select] menu.
b) In the [Portal] menu, select the authentication zone created in the chapter Creating an authentication zone on page 69.
c) If your authentication zone contains an Active Directory directory and you wish to use NTLM authentication, enable the [Use NTLM] checkbox.
d) Click [OK] to save the changes.
For transparent NTLM authentication (automatic use of the NTLM authentication token while an interactive Windows session is open on the domain), do not forget to configure your browser as explained in the section Configuring the client machine on page 80.
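The two portal procedures above build the same kind of rule: a source ([IP Ranges] or [Users]), an optional [Flow], a destination ([URL (regex)], [URL Lists], ...) and an [Authentication portal] action, with [Use NTLM] ticked for the NTLM variant. The Python model below is an added example, not Olfeo code, that evaluates rules of this shape against constructed requests so the effect of each column can be checked. The rule set, the requests, the host-list matching and the first-match evaluation order are all assumptions made for the example; the page does not describe Olfeo's matching engine.

```python
"""
Added example (not Olfeo code). It evaluates access rules of the shape built
in the two procedures above (source [IP Ranges], [Flow], a [URL (regex)] or
[URL Lists] destination, and an [Authentication portal] action with or
without [Use NTLM]) against sample requests. Rule values, requests and the
first-match evaluation order are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class AccessRule:
    label: str
    action: str                             # e.g. "Authentication portal"
    portal: Optional[str] = None            # authentication zone for the portal action
    use_ntlm: bool = False                  # [Use NTLM] checkbox (NTLM captive portal)
    start_ip: Optional[str] = None          # [IP Ranges] source: [Start IP]
    end_ip: Optional[str] = None            # [End IP]
    flows: Optional[List[str]] = None       # [Flow] column; None = any protocol
    url_regex: Optional[str] = None         # [URL (regex)] destination
    url_list: Optional[List[str]] = None    # [URL Lists] destination: host names

    def matches(self, client_ip: str, flow: str, url: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        if self.start_ip and self.end_ip:
            low = ipaddress.ip_address(self.start_ip)
            high = ipaddress.ip_address(self.end_ip)
            if not low <= ip <= high:
                return False
        if self.flows is not None and flow not in self.flows:
            return False
        if self.url_regex and not re.search(self.url_regex, url):
            return False
        if self.url_list is not None:
            host = (urlparse(url).hostname or "").lower()
            if not any(host == h or host.endswith("." + h) for h in self.url_list):
                return False
        return True


def first_matching_rule(rules: List[AccessRule], client_ip: str,
                        flow: str, url: str) -> Optional[AccessRule]:
    """Rules are tried in the order of the [Access] tab; the first match
    decides (assumption about the evaluation order, not stated on the page)."""
    for rule in rules:
        if rule.matches(client_ip, flow, url):
            return rule
    return None


# Constructed rule set: domain-joined workstations get the NTLM portal, the
# visitor and partner networks get the LDAP portal for the intranet hosts only.
RULES = [
    AccessRule("workstations", "Authentication portal", portal="AD zone", use_ntlm=True,
               start_ip="10.0.0.1", end_ip="10.0.0.254"),
    AccessRule("visitors", "Authentication portal", portal="LDAP zone",
               start_ip="192.168.50.1", end_ip="192.168.50.254",
               flows=["http", "https"], url_list=["intranet.mycompany.com"]),
    AccessRule("partners", "Authentication portal", portal="LDAP zone",
               start_ip="192.168.60.1", end_ip="192.168.60.254",
               # Anchored to the host part: a regex that merely contained the
               # host name would also match URLs where it appears in the path.
               url_regex=r"^https?://([^/]+\.)?intranet\.mycompany\.com(/|$)"),
]


def portal_for(client_ip: str, flow: str, url: str) -> Optional[str]:
    """Return the portal zone label, suffixed with ' (NTLM)' when [Use NTLM]
    is ticked, or None when no rule sends the request to a portal."""
    rule = first_matching_rule(RULES, client_ip, flow, url)
    if rule is None or rule.action != "Authentication portal":
        return None
    return rule.portal + (" (NTLM)" if rule.use_ntlm else "")
```

The "partners" rule shows the one caveat to keep in mind for step 7a: a regular expression is searched anywhere in the URL, so anchor it to the scheme and host when the intent is "this site", otherwise a URL whose path merely contains the name matches too.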

Configuring the client machine

In a proxy integration, the client machine must be configured to work with the Olfeo solution. To do so, enter the following proxy settings in the client applications:
• IP address of the Olfeo solution.
• Olfeo proxy port (3129 by default).

Transparent NTLM authentication

For transparent NTLM authentication (authentication using the NTLM token while a Windows interactive session is open on the domain), you must configure your browser so that this happens automatically. Depending on your browser, enter the following values:

Firefox
• Open Firefox and enter "about:config" in the address bar.
• Set the value [network.automatic-ntlm-auth.allow-proxies] to True. This option allows users to be authenticated transparently with their domain credentials.
• Enter the Olfeo IP address(es) in the field [network.automatic-ntlm-auth.trusted-uris]. This option defines the machines authorized to authenticate directly via NTLM.

Internet Explorer
• Go to [Tools] > [Internet options] > [Security] > [Local intranet], then click on the [Sites] button.
• Click on [Advanced].
• Uncheck the checkbox [Require a secure server (https:) for all the sites in this zone].
• Click on [Close].
• Click [OK].
• Click [OK].


Setting up authentication by public portal

Creating custom pages

Adding a set of custom pages

Message sets define the text strings displayed to public portal users. They can be customized as needed for your company or business (language, page design, logo, etc.).
1. Go to the settings page for public portals via the [Mobility controller] > [Messages] > [Messages] menu.
2. Click on [Add a message set].

Section: Add a message set
3. Enter a name for the message set in the [Label] field.
4. Enter a description in the [Description] field.
5. Click on the [Create] button to save the new message set.

Section: Languages
6. Click on the language of your choice in the Language column.
a) If the language of your choice does not exist, click on the add button to add it.
b) Select the language to be added in the Label column.
c) Click [OK] to save the changes.

Section: Login Form
7. In the following fields, enter the custom texts you wish to display to your users: [Form Title], [Login Field], [Password Field], [Connect Button], [Logout Button], [Allow popups label], [Show disconnection popup label], [Disconnection confirmation label], [Redirect in ... label], [Expiration label], [Validity start label], [Login error].

Section: Printed voucher
8. In the fields [Greeting], [Introduction], [Legend], [Account information] and [Message], enter the custom texts you wish to display to your users.

Section: Miscellaneous
9. In the fields [Create account] and [Create button], enter the custom texts you wish to display to your users.
10. Click [Ok] to save the changes.


Add a set of custom templates

The template set visually defines the web page displayed to public portal users. Templates are customizable (language used, page design, logo, etc.) so that you can adapt them as you see fit.
1. Go to the settings page for public portals via the [Mobility controller] > [Messages] > [Templates] menu.
2. Click on [Add a template set].

Section: Add a template set
3. Enter a name for the template set in the [Label] field.
4. Enter a description in the [Description] field.
5. Click on the [Create] button to save the changes.
6. Click on the newly created template set in the Label column.

Section: Elements
7. Click on the link in the Element column for the element you would like to customize, depending on the HTML code that you want to change: [Header], [Footer], [Print] or [Mobility Controller].

Section: Header
8. Make the changes to the HTML code as needed.
9. Click on the [Ok] button to save your HTML changes.

Section: Picture
10. To add an image and reference it in your code, click on the [Browse...] button. The syntax of the variable is as follows: , where the number "1" represents the image number. Here are two examples of HTML tags containing the variable corresponding to your image: