PureSight Content Filtering Server Installation Manual for use with

Microsoft ISA Server

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

ii

PureSight Content Filtering Server Installation Manual — ISA

Copyright Notice Copyright  2003 iCognito Technologies Ltd. All rights reserved. Any technical documentation that is made available by iCognito is the copyrighted work of iCognito and is owned by iCognito. NO WARRANTY: This technical documentation is delivered to you as-is, and iCognito makes no warranty as to its accuracy or use. Any use of the technical documentation, or the information contained therein, is at the user’s risk. Technical or other inaccuracies, as well as typographical errors, may occur in this document. iCognito reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of iCognito, 7 Imber St., Petach Tikva 49130, Israel.

Trademark The iCognito logo is a trademark of iCognito Technologies Ltd. All rights reserved. Other company and brand products, as well as service names, are trademarks or registered trademarks of their respective holders.

Technical Support If you require technical support services, contact us at [email protected].

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

About This Manual

About This Manual This manual provides instructions for installing PureSight Content Filtering Server on a Microsoft Internet and Security Acceleration (ISA) Server platform. It contains the following chapters: Chapter 1, Introduction, introduces PureSight and describes its main features. Chapter 2, Integrating PureSight with ISA Server, describes how PureSight is integrated with the ISA Server, and how it functions on the network. Chapter 3, Installing the PureSight Content Filtering Server, provides step-by-step instructions for the PureSight installation procedure and describes basic configuration features. Chapter 4, Uninstalling the PureSight Content Filtering Server, provides instructions for stopping, starting and removing PureSight. Chapter 5, Troubleshooting.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

iii

iv

PureSight Content Filtering Server Installation Manual — ISA

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

Table of Contents

Table of Contents Chapter 1: Introduction................................................................................1-1 DisCo System Architecture ....................................................................................1-1

Chapter 2: Integrating PureSight with Microsoft ISA Server.........................2-1 How PureSight Works with ISA Server ...................................................................2-1 Network Configuration ..........................................................................................2-3 Directory Services..................................................................................................2-4 User Identification .................................................................................................2-4 Caching .................................................................................................................2-6 Logging..................................................................................................................2-7

Chapter 3: Installing the PureSight Content Filtering Server ........................3-1 System Requirements .............................................................................................3-1 Installing the PureSight Content Filtering Server.....................................................3-2 Installing PureSight ................................................................................................3-3 PureSight Configuration .........................................................................................3-8

Chapter 4: Uninstalling the PureSight Content Filtering Server....................4-1 Uninstalling PureSight Content Filtering Server......................................................4-1

Chapter 5: Troubleshooting..........................................................................5-1

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

v

vi

PureSight Content Filtering Server Installation Manual — ISA

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

Introduction CHAPTER 1

Chapter 1

Introduction PureSight was created especially for the complex requirements of the modern online corporation or institution. PureSight combines precision Internet filtering capabilities with powerful management tools to offer a highly accurate and reliable Internet content-filtering solution. PureSight is suitable for small, medium, and large organizations, as well as service providers. PureSight is based on iCognito’s proprietary Artificial Content Recognition (ACR) technology. Using Artificial Intelligence (AI) algorithms, ACR enables PureSight to analyze the HTML page of each requested Web site and categorize the page based on its content. PureSight allows Internet usage policies to be defined, implemented and modified according to the changing needs of the organization.

DisCo System Architecture PureSight employs an advanced Distributed Collaborative (DisCo) System architecture. This modular system architecture is designed to maximize management investments by providing flexible integration, improved performance and scalability. Designed to simplify management of a high availability network, PureSight’s distributed architecture utilizes three basic modules: PureSight Management Server, PureSight Content Filtering Server and PureSight Log Server.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

1-1

1-2

PureSight Content Filtering Server Installation Manual — ISA

This next generation architecture provides for: Centralized management and configuration of all PureSight Content Filtering Servers by a single PureSight Management Server. This also enables large organizations to manage remote branch office sites using the same Management Server, and thereby implementing a centralized policy throughout the organization regardless of physical location. Automatic, unified distribution of configuration changes to all Content Filtering Servers, eliminating the need to configure each server individually. Scalability. One or more additional Content Filtering Servers can be installed as new gateways are added or increased performance is required. PureSight is easily deployed in systems where load-balancing is used to distribute traffic between multiple Content Filtering Servers. Reduced risk for single point of failure. The distributed modular structure enables the PureSight Content Filtering servers to continue filtering, even if the PureSight Management Server or the PureSight Log Server fails or other PureSight Content Filtering Servers are down for maintenance. Cross platform support. Each module can be installed on a different operating system (Windows or Linux) and each PureSight Content Filtering Server can be installed on a different platform (Squid, MSProxy, or ISA). The selected platform is transparent to the other modules installed. The role of each of the system modules is described in the next section.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

Introduction CHAPTER 1

System Modules The basic system architecture is comprised of three modules that interact to provide a complete content-filtering solution. The functionality of each of the modules is clearly defined as follows: PureSight Management Server - responsible for configuring and managing all PureSight modules and functions, including the PureSight Log Server and the PureSight Content Filtering Server(s). The PureSight Management Server features an intuitive user-interface that allows the administrator to define and manage the users and filtering policies that support the organization’s Internet Acceptable Use Policy. PureSight Content Filtering Server(s) - responsible for analyzing all Internet traffic on the network. PureSight Content Filtering Servers can be installed on platforms located in the organization’s Server Farm or on remote machines. The PureSight Content Filtering Server analyzes all HTTP traffic on the gateway where it is installed, and categorizes the content in real-time. According to the Internet Acceptable Use Policy defined on the PureSight Management Server, the PureSight Content Filtering Server then executes an Allow, Block, Monitor or Warn response, as required. All PureSight Content Filtering Servers on the network, regardless of their location, are configured by the PureSight Management Server. This system-wide configuration includes the users and filtering policies that support the organization’s Internet Acceptable Use Policy. The PureSight Content Filtering Servers also interact with a single PureSight Log Server, which is responsible for logging all of the filtering activity that takes place in the network. PureSight Log Server - provides real-time tracking, monitoring and accounting information for all Internet activity - the details of all HTTP requests and replies, including time, users and the resulting filtering actions (allow/block/warn).

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

1-3

1-4

PureSight Content Filtering Server Installation Manual — ISA

The PureSight Management Server accesses the data on the PureSight Log Server to generate reports on the sites that were visited, the users that access those sites and other information that helps managers to evaluate employee productivity, bandwidth consumption and Internet usage. A single PureSight Log Server logs the activity for all PureSight Content Filtering Servers in the network, regardless of location or platform to enable generating unified reports for all activity. The PureSight Log Server supports logging to the file system or to an SQL database (MySQL). These independent modules can be installed together on one machine or on separate machines, on varying combinations of platforms and operating systems. This architecture is highly flexible and customizable, allowing the systems administrator to easily adapt the deployment to the organization’s network environment.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

Introduction CHAPTER 1

Network Architecture Diagram One possible implementation of the PureSight network architecture is shown in the following diagram:

This example shows PureSight deployed in a network with a headquarters and two remote branch offices. This network includes one PureSight Management Server for the system-wide configuration of five PureSight Content Filtering Servers and one PureSight Log Server. This system-wide configuration includes the users and filtering policies that support the organization’s Internet Acceptable Use Policy.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

1-5

1-6

PureSight Content Filtering Server Installation Manual — ISA

Internet traffic originating in the Headquarters’ workstations is monitored by one of three PureSight Content Filtering Servers located in the PureSight Server Farm. Internet traffic originating in the remote branch workstations is monitored by the PureSight Content Filtering Server located on the branch gateway routers. The PureSight Log Server generates logs, the contents of which are stored in a file system or in an SQL database (MySQL) on a separate server.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

Integrating PureSight with Microsoft ISA Server CHAPTER 2

Chapter 2

Integrating PureSight with Microsoft ISA Server PureSight Content Filtering Server for ISA is installed on the same machine as the ISA Server, either on the network, or as part of the DMZ (Demilitarized Zone) connecting directly to the router. PureSight communicates with Microsoft ISA Server via the PureSight web filter, to provide Internet Access Management according to the specific policy defined for the requesting user.

How PureSight Works with ISA Server The following components are installed during the PureSight installation: PureSight ACR: The "brain" behind PureSight. Its function is to analyze and categorize the request, and determine how the ISA Server handles user URL requests. PureSight Web Filter: This ISAPI filter handles all outgoing requests and incoming data (including HTML text), and enables communication between PureSight’s ACR and the ISA Server.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

2-1

2-2

PureSight Content Filtering Server Installation Manual — ISA

URL Cache: This component stores previously classified URLs. This allows PureSight to block or allow requested URLs without having to process and classify them more than once via ACR, and thus enhances performance. Configuration Data Storage: This component includes a local installation of OpenLDAP that is used for storing configuration settings retrieved from the PureSight Management Server.

Figure 2-1: PureSight Operation on the ISA Platform An HTTP or browser request sent from a workstation to the ISA Server prompts the ISA to activate the PureSight web filter. The request information is then forwarded by the web filter to PureSight’s ACR. When the reply to the request is received from the Internet, it is processed by the PureSight filter, which allows the ACR to analyze the content of the incoming data.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

Integrating PureSight with Microsoft ISA Server CHAPTER 2

According to the specific predefined policy for that user, PureSight’s ACR will then carry out one of the following actions: Allow the user access to the site. Deny the user access to the site, and return a message saying that the site is blocked. Return a warning message informing the user that although access is permitted, the site contains inappropriate material. This filtering process is transparent to the user when requesting approved URLs.

Network Configuration To ensure successful PureSight operation, the gateway and workstations on the network should be configured properly.

Gateway Configuration To prevent users from bypassing the PureSight filtering mechanism, it is advisable to configure the network gateway (firewall or Internet router) to allow outgoing HTTP and HTTPS requests only from the ISA Server.

Workstation Configuration To enable the PureSight filtering mechanism, the Web browser on each workstation must be configured to gain Internet access only via the ISA Server. If a browser is not configured to always pass via the ISA, the user’s request bypasses PureSight, thus allowing the user direct access to the Internet.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

2-3

2-4

PureSight Content Filtering Server Installation Manual — ISA

Directory Services PureSight supports the assigning of filtering policies to individual members of the organization. The assigning of policies can be to users based on IP addresses, or subnets of IP addresses. If the network in your organization includes a Windows directory service (Windows NTLM directory or Windows Active Directory), then policies can be assigned to individual users or groups with accounts in the directory service.

User Identification To enforce directory users policies, for each request, the requesting user must be identified. In order to support user identification ISA authentication must be enabled.

ISA Authentication Microsoft ISA Server offers four types of user authentication methods: Basic, Digest, Integrated Windows, and Client Certificate. Microsoft Internet Explorer version 5.0 and above support all four authentication methods. However, other browsers may support only Basic authentication. ISA server is by default, configured to enable Integrated Windows Authentication. The following sections provide information on the impact of setting an ISA authentication method on the user identification capabilities of PureSight.

No Authentication When ISA is set to work with no authentication, PureSight does not receive from the ISA any user information, apart from the requesting IP address. Therefore, PureSight will not be able to support directory user based policies and reports.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

Integrating PureSight with Microsoft ISA Server CHAPTER 2

Basic Authentication When ISA is set to work with basic authentication, ISA prompts for user information, each time the user opens a new browser. After receiving the username and password credentials of the user, the ISA server verifies the user information on the ISA server computer or in a trusted domain of the ISA server. After authentication, PureSight receives the user information from the ISA server, and can filter based on directory object policies. If basic authentication is enabled in combination with Integrated Windows Authentication, users with Microsoft Internet Explorer 5.0 and higher browsers will be transparently authenticated, and users with other browsers will be prompted to authenticate.

Digest Authentication Digest authentication offers the same features as basic authentication but provides a higher level of security by hashing the authentication credentials. When ISA is set to work with digest authentication, ISA prompts for user login information, username and password, each time the user opens a new browser. PureSight receives the user information from the ISA server, after authentication, and can filter based on directory object policies. If digest authentication is enabled in combination with Integrated Windows Authentication, users with Microsoft Internet Explorer 5.0 and higher browsers will be transparently authenticated, and users with other browsers will be prompted to authenticate. NOTE:

Digest authentication can be used only in Windows 2000 domains.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

2-5

2-6

PureSight Content Filtering Server Installation Manual — ISA

Integrated Windows Authentication Integrated Windows Authentication is a secure form of authentication because the username and password are not sent across the network. When ISA is set to work with Integrated Windows authentication, ISA receives user information transparently from Microsoft Internet Explorer 5 and above. PureSight receives the user information from the ISA server, and can filter based on directory object policies. If your network contains both Microsoft Internet Explorer 5.0 and above and other browsers, you may configure ISA server to work with both basic authentication and integrated windows authentication or digest authentication and integrated windows authentication. With this configuration, users with Microsoft Internet Explorer 5.0 and above will be transparently authenticated and other users will be prompted for authentication.

Client Certificate Authentication If client certificate is the chosen authentication method, then ISA requests a client certificate from the client, before allowing the request. The ISA server computer verifies that the certificate indeed belongs to a client that is allowed access, before allowing the Internet request. PureSight receives the user information from the ISA server, and can filter based on directory object policies.

Caching To improve network performance, PureSight contains a caching mechanism. When a URL request is categorized, the information is saved in the cache. If the URL is requested again, PureSight retrieves the data from the URL cache, avoiding the need to check the site classification again.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

Integrating PureSight with Microsoft ISA Server CHAPTER 2

Logging The PureSight Log Server is used for storing data describing all Internet activity as it is monitored by PureSight Content Filtering Servers. The PureSight Content Filtering Servers send the log data to the PureSight Log Server, which first saves this data to the local file system and then imports this data to the MySQL database, if PureSight Log Server is running in database mode.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

2-7

2-8

PureSight Content Filtering Server Installation Manual — ISA

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

Installing the PureSight Content Filtering Server CHAPTER 3

Chapter 3

Installing the PureSight Content Filtering Server This chapter describes how to install the PureSight Content Filtering Server for ISA. It also details the system requirements and introduces the basic configuration policies.

System Requirements The following minimum system requirements must be met in order to run PureSight on an ISA platform: The equivalent of Pentium II 400 mHz processor or higher; Pentium III recommended 256 MB RAM (minimum) 50 MB free disk space Microsoft Windows 2000 Server or Advanced Server with Service Pack 1 or later, or Microsoft Datacenter Server. Microsoft ISA Server 2000 Enterprise or Standard with Service Pack 1 PureSight Management Server installed and running on any machine on the network.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

3-1

3-2

PureSight Content Filtering Server Installation Manual — ISA

Installing the PureSight Content Filtering Server The PureSight Content Filtering Server for ISA is installed using a self-extracting installation file. The installation process installs the following components: OpenLDAP Server — installed as a service, this component is used for local storage of configuration settings, as set by the PureSight Management Server. ISAPI Filter — the PureSight Web Filter integrates with the ISA server to provide web filtering. PureSight Content Filtering Server data files. PureSight utilities. During the installation you will be prompted to confirm or enter various settings. You can accept the default settings or enter alternate values, as required.

Before You Begin The PureSight Management Server must be installed before you attempt to install a PureSight Content Filtering Server. In addition, the PureSight Content Filtering Server must have access to the blocking mechanism port and the OpenLDAP port of the PureSight Management Server storage. Verify that these ports are open and accessible in order to retrieve the server configuration and enable the blocking mechanism. It is recommended that you remove any previous installations of PureSight client and PureSight server products before installing new versions of PureSight. During the PureSight installation, the Web Proxy Service is interrupted. As a result, all proxy-directed Internet traffic are disabled until installation is completed. The service is activated immediately once PureSight has been installed.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

Installing the PureSight Content Filtering Server CHAPTER 3

Installing PureSight The PureSight application is installed via a self-extracting installation file, PureSight_ISA_4.5_win32.exe. The installation process installs a Web filter named PureSight for Microsoft ISA Server. The filter is in the form of a .dll file named PSFilter.dll, placed in the installation directory under the subdirectory bin. To install PureSight:

1 Log in with administrator privileges to the ISA Server machine. 2 Close all open applications and windows. 3 Double-click PureSight_ISA_4.5_win32.exe to run the PureSight installation program. The Welcome window of the PureSight for ISA Setup wizard is displayed:

4 Click Next.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

3-3

3-4

PureSight Content Filtering Server Installation Manual — ISA

The License Agreement window is displayed:

5 Select I accept the terms of the license agreement to accept the licensing terms, and click Next. The User Information window is displayed:

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

Installing the PureSight Content Filtering Server CHAPTER 3

6 Enter your user name and company name in the designated fields, and click Next. The Destination Folder window is displayed:

7 Click Next to accept the default location for the destination folder, or click Browse to select an alternate location and then click Next.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

3-5

3-6

PureSight Content Filtering Server Installation Manual — ISA

The PureSight Management Server window is displayed:

8 The following parameters are required to enable the PureSight Content Filtering Server to connect to the PureSight Management Server to retrieve configuration data regarding users, policies, filters, server license and other settings: Enter the IP address of the OpenLDAP server on the PureSight Management Server machine in the PureSight Management Server OpenLDAP server IP field. Enter the port of the OpenLDAP server on the PureSight Management Server machine in the PureSight Management OpenLDAP server port field. NOTE:

If the PureSight Filtering Server is installed on the same machine as the PureSight Management Server, the IP and Port will be grayed out

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

Installing the PureSight Content Filtering Server CHAPTER 3

9 Click Next. The Program Folder window is displayed.

10 Select the program folder into which program icons are to be added from the list displayed and click Next. The InstallShield Wizard Compete window is displayed:

11 Click Finish. The installation process is complete.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

3-7

3-8

PureSight Content Filtering Server Installation Manual — ISA

PureSight Configuration After successfully installing PureSight, you will need to initialize the PureSight Content Filtering Server and enter a valid license key before the filtering mechanism is activated. The PureSight Management Server is responsible for configuring and managing all PureSight modules and functions, including the PureSight Log Server and the PureSight Content Filtering Server(s). Configuration of the PureSight Content Filtering Server(s) is performed using PureSight’s intuitive user-interface — the PureSight Administration Tool. For details on configuring the PureSight Content Filtering Server, please refer to Chapter 3, Configuring PureSight Content Filtering Servers in the PureSight User’s Guide.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

Uninstalling the PureSight Content Filtering Server CHAPTER 4

Chapter 4

Uninstalling the PureSight Content Filtering Server This chapter describes how to uninstall PureSight Content Filtering Server for ISA.

Uninstalling PureSight Content Filtering Server The PureSight Content Filtering Server can be uninstalled and removed from the ISA Server machine. To remove PureSight:

1 Log on to the PureSight Administration Tool and select the Servers tab. 2 Mark the PureSight Content Filtering Server that you wish to uninstall and click the Delete Selected Items button. 3 On the ISA Server machine, access the Control Panel window. 4 Double-click the Add/Remove Programs icon. The Add/Remove Programs Properties window is displayed. 5 On the Install/Uninstall tab, select PureSight for Microsoft ISA Server from the displayed list of programs.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

4-1

4-2

PureSight Content Filtering Server Installation Manual — ISA

6 Click the Change/Remove button. A dialog box is displayed. 7 In the dialog box, select Remove, then click Next and follow the onscreen instructions. Microsoft Windows stops all PureSight services and uninstalls all PureSight components.

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

Troubleshooting CHAPTER 5

Chapter 5

Troubleshooting This chapter includes information to assist you in handling troubleshooting problems that may arise in the installation process. Problem

Solution

All Sites are blocked by the ISA Server

Make sure that you have set the ISA to allow outgoing traffic. Disable PureSight from the ISA: Open the ISA MMC and go to Extensions — Web Filters. Click on the PureSight Filter and set it to be disabled. See if the problem persists without PureSight.

Users are not blocked by their user specific policies

If you are working in Basic Authentication mode only, then you should install Service Pack 1 for ISA

Web Proxy Service stops responding

This is a known problem. For more information refer to the following link: http://support.microsoft.com/ default.aspx?scid=kb;EN-US;q319374 The fix for the problem can be found at: http://www.microsoft.com/downloads/ Release.asp?ReleaseID=38362

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM

5-1

5-2

PureSight Content Filtering Server Installation Manual — ISA

Last printed: 3/5/2003 12:16 PM Last saved: 3/5/2003 12:15 PM