8e6 Technologies Enterprise Filter Authentication R3000 User Manual


APPENDIX A

User/Group File Format and Rules

The file with user/group profiles you upload to the server must be set up in a specified format, with one complete user/group profile per line. The format for the file will differ depending on whether the file contains a list of user or group profiles for an NT or LDAP server.

Each filtering profile in the file must contain the following items:

1. The username or group name.

2. Filtering profile criteria: either a rule number (Rule0, Rule1, etc.), or rule criteria:

   a. Ports to Block or Filter

   b. Categories to Block or Open

   c. Filter Mode

3. Redirect URL (optional).

4. Filter Options (optional). A zero should be placed at the end of a profile string with all filter options disabled.

Username Formats

NOTE: For examples of valid username entries, see File Format: Rules and Examples in this appendix, or go to http://www.8e6.com/r3000help/files/2group_textfile_user.html

8E6 TECHNOLOGIES, R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE


Rule Criteria

Rule criteria consists of selections made from the following lists of codes that are used in profile strings:

Port command codes:

A = Filter all ports

B = Filter the defined port number(s)

I = Open all ports

J = Open the defined port number(s)

Q = Block all ports

R = Block the defined port number(s)

Port Numbers:

21 = FTP (File Transfer Protocol)

80 = HTTP (Hyper Text Transfer Protocol)

119 = NNTP (Network News Transfer Protocol)

443 = HTTPS (Secured HTTP Transmission)

Other = any other port number

Filter Mode Values:

1 = Default, Block Mode

2 = Monitoring Mode

4 = Bypassing Mode

Category command codes:

I = positioned after Category Codes designated as "blocked," indicating that all other categories should be "open."

J = Open the defined category/categories

J J = White list the defined category/categories

Q = Block all categories

R = Block the defined category/categories


Category Codes:

For the list of category codes (short names) and their corresponding descriptions (long names), go to http://www.8e6.com/r3000help/files/2group_textfile_cat.html#cat

NOTE: The list of library category codes and corresponding descriptions is subject to change due to the addition of new categories and modification of current categories. For explanations and examples of category items, go to http://www.8e6.com/products/datab/pd_86db_r3000categories.htm

Filter Option codes (hexadecimal; each option is one bit):

0x2 = X Strikes Blocking

0x4 = Google/Yahoo! Safe Search

0x100 = Search Engine Keyword

0x200 = URL Keyword

0x1000 = Extend URL Keyword Filter Control

NOTES: To enable multiple filter options, add their hexadecimal codes together. For example, to enable all features for an NT/LDAP profile, add 0x2 + 0x4 + 0x100 + 0x200 + 0x1000 = 0x1306, which means that 0x1306 should be entered at the end of the profile string. Because every option occupies a different bit, the sum of any combination of codes is unique and can be decoded back into the individual options.

To disable all filter options for an NT/LDAP profile, enter a 0 (zero) at the end of the profile string.

See http://www.8e6.com/r3000help/files/2group_textfile_format_nt.html for examples of NT filtering profile entries, and http://www.8e6.com/r3000help/files/2group_textfile_format_ldap.html for examples of LDAP filtering profile entries.


File Format: Rules and Examples

When setting up the file to upload to the server, the following items must be considered:

Each profile must be entered on a separate line in the file.

Category Codes must be entered in capital letters.

Port and category command codes must be entered in capital letters.

A redirect URL cannot exceed 200 characters in length.

The string must end with a “0” (zero) if no filter options will be enabled.


NT User List Format and Rules

When setting up the “ntuserprofile.conf” file, each entry must consist of the username, and either a rule number or rule criteria (port, category, and filter mode specifications). A redirect URL can be included, if a specific URL should be used in place of the standard block page. If a redirect URL is not included, a blank space should be entered in its place in the profile string. Segments of the profile string should be separated by commas (,). A zero (0) should be placed at the end of a profile string without any filter options enabled.

JSmith, B 80 R 21 ,J J FINAN Q, 1, http://www.8e6.com,0

John_Doe, Q, R AUTO GENTER I, 1, ,0x104

Doe-Jane,Rule1, , 0x202

When translated, these strings of code mean:

NT profile for a user with ID “JSmith”: Filter port 80, Block port 21, White List and Open Financial Category and Block all other categories, use filter mode 1, use redirect URL http://www.8e6.com in place of the standard block page, all filter options disabled.

NT profile for a user with ID “John_Doe”: Block all ports, Block Automobile and Entertainment categories, use filter mode 1, Google/Yahoo! Safe Search and Search Engine Keyword filter options enabled.

NT profile for a user with ID “Doe-Jane”: Bypass all categories, use standard block page, X Strikes Blocking and URL Keyword filter options enabled.


NT Group List Format and Rules

When setting up the “ntgroupprofile.conf” file, each entry must consist of the group name, and either a rule number or rule criteria (port, category, and filter mode specifications). A redirect URL can be included, if a specific URL should be used in place of the standard block page. If a redirect URL is not included, a blank space should be entered in its place in the profile string. Segments of the profile string should be separated by commas (,). A zero (0) should be placed at the end of a profile string without any filter options enabled.

Admin, Rule1, http://www.cnn.com, ,0x4

Sales, Rule2, ,0x300

Tech, A, R CHAT KDPORN FINAN GGAMES GPORN I, 1, , 0x6

When translated, these strings of code mean:

NT profile for a group with ID “Admin”: Bypass all categories, use redirect URL http://www.cnn.com in place of the standard block page, Google/Yahoo! Safe Search filter option enabled.

NT profile for a group with ID “Sales”: Block Porn category, use standard block page, Search Engine Keyword and URL Keyword filter options enabled.

NT profile for a group with ID “Tech”: Filter all ports, Block the Chat, Child Porn, Finance, Games, and Pornography (GPORN) categories, but leave all other categories open, use filter mode 1, use standard block page, X Strikes Blocking and Google/Yahoo! Safe Search filter options enabled.


LDAP User List Format and Rules

When setting up the “ldapuserprofile.conf” file, each entry must consist of the Distinguished Name (DN), with each part of the DN separated by commas (,). The DN should be followed by a semicolon (;), and then a rule number or rule criteria (port, category, and filter mode specifications). A redirect URL can be included, if a specific URL should be used in place of the standard block page. If a redirect URL is not included, a blank space should be entered in its place in the profile string. Each segment of the profile string following the semicolon for the DN should be separated by commas (,). A zero (0) should be placed at the end of a profile string without any filter options enabled. For example:

CN=Jane Doe, CN=Users, DC=qc, DC=local; R 21 A, J J FINAN Q, 1, http://www.cnn.com, 0x2

CN=Public\, Joe Q., OU=Users, OU=Sales, DC=qc, DC=local; Q, R AUTO GENTER I, 1, ,0x4

NOTE: The DN format must contain the username and user group "CN" ("common name") attribute type, and the domain and DNS suffix "DC" ("domain component") attribute type. The "OU" ("organizational unit") attribute type also can be included. Each attribute type should be followed by an equals sign (=), and separated by a comma (,). A comma that is part of an attribute value, as in CN=Public\, Joe Q. above, must be escaped with a backslash so that it is not read as a separator between attributes.

When translated, these strings of code mean:

LDAP profile for a user with username “Jane Doe”, user group “Users”, domain “qc”, DNS suffix “.local”: Block port 21 and Filter all other ports, White List and Open Financial Category and Block all other categories, use filter mode 1, use redirect URL http://www.cnn.com in place of the standard block page, X Strikes Blocking filter option enabled.


LDAP profile for a user with username “Public\, Joe Q.”, organizational units “Users” and “Sales”, domain “qc”, DNS suffix “.local”: Block all ports, Block Automobile and Entertainment categories, use filter mode 1, use standard block page, Google/Yahoo! Safe Search filter option enabled.


LDAP Group List Format and Rules

When setting up the “ldapgroupprofile.conf” file, each entry must consist of the Distinguished Name (DN), with each part of the DN separated by commas (,). The DN should be followed by a semicolon (;), and then a rule number or rule criteria (port, category, and filter mode specifications). A redirect URL can be included, if a specific URL should be used in place of the standard block page. If a redirect URL is not included, a blank space should be entered in its place in the profile string. Each segment of the profile string following the semicolon for the DN should be separated by commas (,). A zero (0) should be placed at the end of a profile string without any filter options enabled. For example:

CN=Sales, CN=Users, DC=qc, DC=local; Rule1, 1, http://www.cnn.com, 0x102

NOTE: The DN format must contain the group name and, if applicable, the user group "CN" ("common name") attribute type, and the domain and DNS suffix "DC" ("domain component") attribute type. The "OU" ("organizational unit") attribute type also can be included. Each attribute type should be followed by an equals sign (=), and separated by a comma (,).

When translated, this string of code means:

LDAP profile for group with ID “Sales”, user group “Users”, domain “qc”, DNS suffix “.local”: Bypass all categories, use filter mode 1, use redirect URL http://www.cnn.com in place of the standard block page, X Strikes Blocking and Search Engine Keyword filter options enabled.
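The following parser is added here as a worked example; it is not 8e6's own code and does not come from the R3000 software. It reads one profile line in any of the four formats described above (NT user, NT group, LDAP user, LDAP group), covering the rule-number form, the port and category command codes including the two-token "J J" white list, the escaped comma inside an LDAP DN, and the filter option bitmask, and it enforces the rules listed under File Format: Rules and Examples (capital command and category codes, a redirect URL of at most 200 characters, a trailing 0 or 0x code). The class and function names are the example's own. Because the category code list is not on this page, category codes are only checked for being capital letters; and because the manual's examples differ in where the blank redirect slot falls after a rule number, the handling of the segments between the criteria and the option code is deliberately lenient and is this example's choice, not a documented rule.

```python
"""Parse and validate R3000 user/group profile lines (NT and LDAP formats)."""
import re
from dataclasses import dataclass, field
from typing import Optional

PORT_CMDS = {"A": "filter all ports", "B": "filter ports", "I": "open all ports",
             "J": "open ports", "Q": "block all ports", "R": "block ports"}
CAT_CMDS = {"I": "open all other categories", "J": "open categories",
            "JJ": "white list categories", "Q": "block all categories",
            "R": "block categories"}
FILTER_MODES = {1: "block", 2: "monitoring", 4: "bypassing"}
FILTER_OPTIONS = {0x2: "X Strikes Blocking", 0x4: "Google/Yahoo! Safe Search",
                  0x100: "Search Engine Keyword", 0x200: "URL Keyword",
                  0x1000: "Extend URL Keyword Filter Control"}

@dataclass
class Profile:
    subject: str                   # NT user/group name, or the LDAP DN
    rule: Optional[str] = None     # "Rule1"-style reference, if used instead of criteria
    ports: list = field(default_factory=list)       # [(command, [port, ...])]
    categories: list = field(default_factory=list)  # [(command, [code, ...])]
    filter_mode: Optional[int] = None
    redirect_url: str = ""
    options: int = 0               # filter option bitmask (0x2 | 0x4 | ...)

def _parse_commands(segment, cmds, arg_re):
    """Tokenise e.g. 'B 80 R 21' or 'J J FINAN Q' into [(command, [args])]."""
    tokens, out, i = segment.split(), [], 0
    while i < len(tokens):
        cmd = tokens[i]
        if cmd == "J" and tokens[i + 1:i + 2] == ["J"] and "JJ" in cmds:
            cmd, i = "JJ", i + 1           # two J's in a row = white list
        if cmd not in cmds:
            raise ValueError(f"unknown command code {cmd!r} (codes are capitals)")
        i += 1
        args = []
        while i < len(tokens) and tokens[i] not in cmds:
            if not re.fullmatch(arg_re, tokens[i]):
                raise ValueError(f"bad argument {tokens[i]!r} after {cmd}")
            args.append(tokens[i])
            i += 1
        if (cmd in "AIQ") != (not args):   # A/I/Q take no args; B/J/JJ/R need some
            raise ValueError(f"command {cmd} given the wrong number of arguments")
        out.append((cmd, args))
    return out

def parse_profile(line):
    """Parse one profile line; the LDAP form ends its DN with an unescaped ';'."""
    m = re.search(r"(?<!\\);", line)
    if m:
        subject, rest = line[:m.start()].strip(), line[m.end():]
    else:  # NT form: the name is the first comma-separated field
        subject, rest = (s.strip() for s in line.split(",", 1))
    segs = [s.strip() for s in rest.split(",")]
    opt = segs.pop()   # last segment: 0 (nothing enabled) or a 0x... option code
    if not (opt == "0" or re.fullmatch(r"0x[0-9A-Fa-f]+", opt)):
        raise ValueError(f"profile must end with 0 or a 0x code, got {opt!r}")
    p = Profile(subject=subject, options=int(opt, 16))
    if p.options & ~sum(FILTER_OPTIONS):
        raise ValueError(f"unknown filter option bits in {opt}")
    if segs and re.fullmatch(r"Rule\d+", segs[0]):
        p.rule = segs.pop(0)
    elif len(segs) >= 3:
        p.ports = _parse_commands(segs.pop(0), PORT_CMDS, r"\d+")
        p.categories = _parse_commands(segs.pop(0), CAT_CMDS, r"[A-Z][A-Z0-9_]*")
        p.filter_mode = int(segs.pop(0))
    else:
        raise ValueError("need a rule number, or ports + categories + filter mode")
    # Remaining segments (filter mode in rule form, redirect URL, blank) are read by shape.
    for seg in segs:
        if seg.isdigit():
            p.filter_mode = int(seg)
        elif seg.startswith(("http://", "https://")):
            p.redirect_url = seg
        elif seg:
            raise ValueError(f"unexpected segment {seg!r}")
    if p.filter_mode is not None and p.filter_mode not in FILTER_MODES:
        raise ValueError(f"filter mode must be 1, 2 or 4, got {p.filter_mode}")
    if len(p.redirect_url) > 200:
        raise ValueError("redirect URL exceeds 200 characters")
    return p

def describe(p):
    """Render a profile the way the manual's 'translated' text does."""
    parts = [f"use {p.rule}"] if p.rule else []
    for cmds, table in ((p.ports, PORT_CMDS), (p.categories, CAT_CMDS)):
        parts += [" ".join([table[c], *a]) for c, a in cmds]
    if p.filter_mode is not None:
        parts.append(f"filter mode {p.filter_mode} ({FILTER_MODES[p.filter_mode]})")
    parts.append(f"redirect to {p.redirect_url}" if p.redirect_url else "standard block page")
    enabled = [n for bit, n in FILTER_OPTIONS.items() if p.options & bit]
    parts.append("options: " + (", ".join(enabled) or "none"))
    return "; ".join(parts)

if __name__ == "__main__":   # demo on the manual's own NT user examples
    for ln in ["JSmith, B 80 R 21 ,J J FINAN Q, 1, http://www.8e6.com,0",
               "John_Doe, Q, R AUTO GENTER I, 1, ,0x104", "Doe-Jane,Rule1, , 0x202"]:
        print(parse_profile(ln).subject, "->", describe(parse_profile(ln)))
```

Running the file prints each NT user example beside its decoded meaning. Feeding every line of an ntuserprofile.conf, ntgroupprofile.conf, ldapuserprofile.conf or ldapgroupprofile.conf through parse_profile before uploading catches the mistakes this appendix warns about (a lowercase command code, a missing trailing 0, a redirect URL over 200 characters, an option code with a bit that is not defined, a B/J/R command with no port or category after it) while the file is still on your workstation.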


APPENDIX B

Ports for Authentication System Access

The following ports should be used for authentication system access:

Type      No.    Function
TCP       8081   Used between the R3000's transmitting interface and the SSL block page for Tier 2 or Tier 3 authentication.
TCP       836    Used between the R3000's Virtual IP address and the Java applet for Tier 3 authentication.
TCP       139    Used between the R3000 and workstations requiring Tier 1 or Tier 3 authentication.
TCP/UDP   137    Used between the R3000 and workstations requiring Tier 1 authentication.
LDAP      389    Used for communicating with domain controllers in order to bind with them so that user/group information can be queried/accessed.
LDAPS     636    Used for communicating with domain controllers in order to bind with them so that user/group information can be queried/accessed.

NOTE: Port 389 carries LDAP in clear text, so the bind credentials and the user/group data returned by the domain controllers are exposed to anyone on the network path; use LDAPS (636) where the domain controllers support it, and restrict each of the ports above to the hosts that actually need them.
