8e6 Technologies R3000 User Manual

R3000 | Internet Filter
USER GUIDE for Authentication
Model: R3000
Release 2.1.10 • Manual Version 1.01
ii 8E6 TECHNOLOGIES, R3000 INTERNET FILTER AUTHENTICATION USER GUIDE
© 2008 8e6 Technologies All rights reserved. 828 W. Taft Ave., Orange, CA 92865, USA
Version 1.01, published September 2008
To be used with R3000 User Guide version 1.01 for software release 2.1.10
Printed in the United States of America
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine readable form without prior written consent from 8e6 Technologies.
Every effort has been made to ensure the accuracy of this document. However, 8e6 Technologies makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. 8e6 Technologies shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. Due to future enhancements and modifications of this product, the information described in this documentation is subject to change without notice.
The latest version of this document can be obtained from http://www.8e6.com/docs/r3000_auth2_ug.pdf.
Trademarks
Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.
Part# R3.2.1_AUG_v1.01-0809

CONTENTS

CHAPTER 1: INTRODUCTION
About this User Guide
How to Use this User Guide
  Conventions
  Terminology
Filtering Elements
  Group Types
    Global Group
    IP Groups
    NT Domain Groups
    LDAP Domain Groups
  Filtering Profile Types
    Static Filtering Profiles
      Master IP Group Filtering Profile
      IP Sub-Group Filtering Profile
      Individual IP Member Filtering Profile
    Active Filtering Profiles
      Global Filtering Profile
      NT/LDAP Group Filtering Profile
      NT/LDAP Member Filtering Profile
      LDAP Container Filtering Profile
      Override Account Profile
      Time Profile
      Lock Profile
  Filtering Profile Components
    Library Categories
      8e6 Supplied Categories
      Custom Categories
    Service Ports
    Rules
    Minimum Filtering Level
    Filter Settings
  Filtering Rules
Authentication Solutions
  R3000 Authentication Protocols
  R3000 Authentication Tiers and Options
    R3000 authentication tiers
    R3000 authentication options
  Authentication Solution Compatibility
  Authentication System Deployment Options
  Ports for Authentication System Access
  Configuring the R3000 for Authentication
    Configuration procedures
      System section
      Group section
CHAPTER 2: NETWORK SETUP
Environment Requirements
  Workstation Requirements
    Administrator
    End User
  Network Requirements
Set up the Network for Authentication
  Specify the operation mode
  Specify the subnet mask, IP address(es)
    Invisible mode
    Router or firewall mode
  Enable authentication, specify criteria
    Net use based authentication
    Web-based authentication
  Enter network settings for authentication
  Create an SSL certificate
    Create, Download a Self-Signed Certificate
    Create, Upload a Third Party Certificate
      Create a Third Party Certificate
      Upload a Third Party Certificate
      Download a Third Party Certificate
  View log results
  Specify block page settings
    Block Page Authentication
      Block page
        User/Machine frame
        Standard Links
        Optional Links
      Options page
        Option 1
        Option 2
        Option 3
    Common Customization
      Enable, disable features
    Authentication Form Customization
      Preview sample Authentication Request Form
    Block Page Customization
      Preview sample block page
Set up Group Administrator Accounts
  Add Sub Admins to manage groups, users
    Add a group administrator account
    Update the group administrator’s password
    Delete a group administrator account
CHAPTER 3: NT AUTHENTICATION SETUP
Join the NT Domain
Create an NT Domain
  Add an NT domain
  Refresh the NT branch
  View or modify NT domain details
    Domain Settings
    Default Rule
  Delete an NT domain
Set up NT Domain Groups, Members
  Add NT groups, members to the tree
  Specify a group’s filtering profile priority
  Manually add a user’s name to the tree
  Manually add a group’s name to the tree
  Upload a file of filtering profiles to the tree
CHAPTER 4: LDAP AUTHENTICATION SETUP
Create an LDAP Domain
  Add the LDAP domain
  Refresh the LDAP branch
  View, modify, enter LDAP domain details
    LDAP Server Type
    Group Objects
    User Objects
    Address Info
    Account Info
    SSL Settings
    Alias List
    Default Rule
      LDAP Backup Server Configuration
        Configure a backup server
        Modify a backup server’s configuration
        Delete a backup server’s configuration
  Delete a domain
Set up LDAP Domain Groups, Members
  Add LDAP groups, users to the tree
    Perform a basic search
    Options for search results
    Apply a filtering rule to a profile
    Delete a rule
  Specify a group’s filtering profile priority
  Manually add a user’s name to the tree
  Manually add a group’s name to the tree
  Upload a file of filtering profiles to the tree
CHAPTER 5: ASSIGN/SET UP GROUPS, MEMBERS
Assign Sub Admin to NT/LDAP Entity
Create and Maintain Filtering Profiles
  Add a group member to the tree list
  Add or maintain an entity’s profile
    Category Profile
    Redirect URL
    Filter Options
  Add an Exception URL to the profile
    URL entries
    Block URL frame
    ByPass URL frame
    Apply settings
  Create a Time Profile for the entity
    Add a Time Profile
  Remove an entity’s profile from the tree
CHAPTER 6: AUTHENTICATION DEPLOYMENT
Test Authentication Settings
  Test Web-based authentication settings
    Step 1: Create an IP Group, “test”
    Step 2: Create a Sub-Group, “workstation”
    Step 3: Set up “test” with a 32-bit net mask
    Step 4: Give “workstation” a 32-bit net mask
    Step 5: Block everything for the Sub-Group
    Step 6: Use Authentication Request Page for redirect URL
    Step 7: Disable filter options
    Step 8: Attempt to access Web content
  Test net use based authentication settings
Activate Authentication on the Network
  Activate Web-based authentication for an IP Group
    Step 1: Create a new IP Group, “webauth”
    Step 2: Set “webauth” to cover users in range
    Step 3: Create an IP Sub-Group
    Step 4: Block everything for the Sub-Group
    Step 5: Use Authentication Request Page for redirect URL
    Step 6: Disable filter options
    Step 7: Set Global Group to filter unknown traffic
  Activate Web-based authentication for the Global Group
    Step 1: Exclude filtering critical equipment
    Step 1A: Block Web access, logging via Range to Detect
      Range to Detect Settings
      Range to Detect Setup Wizard
    Step 1B: Block Web access via IP Sub-Group profile
    Step 2: Modify the Global Group Profile
  Activate NT authentication
    Step 1: Modify the 3-try login script
    Step 2: Modify the Global Group Profile
CHAPTER 7: TECHNICAL SUPPORT
Hours
Contact Information
  Domestic (United States)
  International
  E-Mail
  Office Locations and Phone Numbers
    8e6 Corporate Headquarters (USA)
    8e6 Taiwan
Support Procedures
APPENDIX A: AUTHENTICATION OPERATIONS
Authentication Tier Selections
  Tier 1: Net use based authentication
  Tier 2, Tier 3: Web-based authentication
Tier 1: Single Sign-On Authentication
  Net use based authentication process
    Re-authentication process
  Tier 1 authentication methods
    SMB protocol
      SMB Signing
    LDAP protocol
  Name resolution methods
  Configuring the authentication server
    Login scripts
      Enter net use syntax in the login script
    View login script on the server console
      Block page authentication login scripts
  LDAP server setup rules
Tier 2: Time-based, Web Authentication
  Tier 2 implementation in an environment
    Tier 2 Script
    Tier 1 and Tier 2 Script
Tier 3: Session-based, Web Authentication
8e6 Authenticator
  Environment requirements
    Minimum system requirements
    Recommended system requirements
  Workstation requirements
  Work flow in a Windows environment
    8e6 Authenticator configuration priority
    8e6 Authenticator configuration syntax
      Sample command line parameters
        Sample configuration file
        Sample R3000 configuration update packet ‘PCFG’
    Table of parameters
Novell eDirectory Agent
  Environment requirements
    Novell eDirectory servers
    Client workstations
    Novell clients
  Novell eDirectory setup
  R3000 setup and event logs
Active Directory Agent
  Product feature overview
    Windows server requirements
    Work flow in a Windows environment
  Set up AD Agent
    Step 1: AD Agent settings on the R3000
    Step 2: Configure the domain, service account
    Step 3: AD Agent installation on Windows server
      Step 3A: Download DCAgent.msi
      Step 3B: Run AD Agent installation setup
      Step 3C: Run AD Agent configuration wizard
  Use the Active Directory Agent console
    Activity tab
    Sessions tab
      Session table spreadsheet
      Session Properties window
      Workstation Interactive Probe window
    Active Directory Agent Configuration window
      Service page
      Appliance page
      Agent hosts page
        Add a satellite
        Remove a satellite
        Configure a satellite
        Check the status of a satellite
      Options page
      Notifications page
APPENDIX B: DISABLE SMB SIGNING REQUIREMENTS
SMB Signing Compatibility
Disable SMB Signing in Windows 2003
APPENDIX C: OBTAIN, EXPORT AN SSL CERTIFICATE
Export an Active Directory SSL Certificate
  Verify certificate authority has been installed
  Locate Certificates folder
  Export the master certificate for the domain
Export a Novell SSL Certificate
Obtain a Sun ONE SSL Certificate
APPENDIX D: LDAP SERVER CUSTOMIZATIONS
OpenLDAP Server Scenario
  Not all users returned in User/Group Browser
APPENDIX E: USER/GROUP FILE FORMAT AND RULES
Username Formats
Rule Criteria
File Format: Rules and Examples
  NT User List Format and Rules
  NT Group List Format and Rules
  NT Quota Format and Rules
  LDAP User List Format and Rules
  LDAP Group List Format and Rules
  LDAP Quota Format and Rules
APPENDIX F: OVERRIDE POP-UP BLOCKERS
Yahoo! Toolbar Pop-up Blocker
  If pop-up blocking is enabled
  Add override account to the white list
Google Toolbar Pop-up Blocker
  If pop-up blocking is enabled
  Add override account to the white list
AdwareSafe Pop-up Blocker
  If pop-up blocking is enabled
  Temporarily disable pop-up blocking
Mozilla Firefox Pop-up Blocker
  Add override account to the white list
Windows XP SP2 Pop-up Blocker
  Set up pop-up blocking
    Use the Internet Options dialog box
    Use the IE toolbar
  Temporarily disable pop-up blocking
  Add override account to the white list
    Use the IE toolbar
    Use the Information Bar
      Set up the Information Bar
      Access your override account
APPENDIX G: GLOSSARY
Definitions
INDEX

CHAPTER 1: INTRODUCTION

The R3000 Authentication User Guide contains information
about setting up authentication on the network.

About this User Guide

This user guide addresses the network administrator designated to configure and manage the R3000 server on the network.
Chapter 1 provides information on how to use this user guide, and also includes an overview of filtering components and authentication solutions.
Chapters 2, 3, and 4 describe the R3000 Administrator console entries that must be made in order to prepare the network for using authentication for NT and/or LDAP domains.
NOTE: Refer to the R3000 Quick Start Guide for information on installing the unit on the network. This document also provides information on how to access the R3000 console to perform the initial installation setup defined in Chapter 2: Network Setup.
After all settings have been made, authentication is ready to be used on the network. Chapter 5 explains how to assign groups and members for management by Sub Admin group administrators, and how group administrators create and maintain filtering profiles for entities in their assignment.
Chapter 6 outlines the steps you need to take to test and to activate your settings before deploying authentication on the network.
Chapter 7 provides support information. Appendices at the end of this user guide feature instructions on authentication operations; steps to modify the SMB protocol to disable SMB Signing requirements; information on how to obtain or export an SSL certificate and upload it to the R3000; notes on customizations to make on specified LDAP servers; filtering profile file components and setup; tips on how to override pop-up windows with pop-up blocker software installed; a glossary of authentication terms; and an index.

How to Use this User Guide

Conventions

The following icons are used throughout this user guide:
NOTE: The “note” icon is followed by italicized text providing
additional information about the current subject.
TIP: The “tip” icon is followed by italicized text giving you hints on
how to execute a task more efficiently.
WARNING: The “warning” icon is followed by italicized text
cautioning you about making entries in the application, executing
certain processes or procedures, or the outcome of specified
actions.

Terminology

The following terms are used throughout this user guide.
Sample images (not to scale) are included for each item.
• alert box - a message box that opens in response to an entry you made in a dialog box, window, or screen. This box often contains a button (usually labeled “OK”) for you to click in order to confirm or execute a command.
• button - an object in a dialog box, window, or screen that can be clicked with your mouse to execute a command.
• checkbox - a small square in a dialog box, window, or screen used for indicating whether or not you wish to select an option. This object allows you to toggle between two choices. By clicking in this box, a check mark or an “X” is placed, indicating that you selected the option. When this box is not checked, the option is not selected.
• dialog box - a box that opens in response to a command made in a window or screen, and requires your input. You must choose an option by clicking a button (such as “Yes” or “No”, or “Next” or “Cancel”) to execute your command. As dictated by this box, you also might need to make one or more entries or selections prior to clicking a button.
• field - an area in a dialog box, window, or screen that either accommodates your data
8E6 TECHNOLOGIES, R3000 INTERNET FILTER AUTHENTICATION USER GUIDE 3
CHAPTER 1: INTRODUCTION HOW TO USE THIS USER GUIDE
entry, or displays pertinent information. A text box is a type of field.
• frame - a boxed-in area in a dialog box, window, or screen that includes a group of objects such as fields, text boxes, list boxes, buttons, radio buttons, checkboxes, and/or tables. Objects within a frame belong to a specific function or group. A frame often is labeled to indicate its function or purpose.
• grid - an area in a frame that displays rows and columns of data, as a result of various processes. This data can be reorganized in the R3000 console, by changing the order of the columns.
• list box - an area in a dialog box, window, or screen that accommodates and/or displays entries of items that can be added or removed.
• navigation panel - the panel that displays at the left of a screen. This panel can contain links that can be clicked to open windows or dialog boxes at the right of the screen. One or more tree lists also can display in this panel. When an item in the tree list is double-clicked, the tree list opens to reveal items that can be selected.
• pop-up box or pop-up window - a box or window that opens after you click a button in a dialog box, window, or screen. This box or window may display information, or may require you to make one or more entries. Unlike a dialog box, you do not need to choose between options.
• pull-down menu - a field in a dialog box, window, or screen that contains a down-arrow to the right. When you click the arrow, a menu of items displays from which you make a selection.
• radio button - a small, circular object in a dialog box, window, or screen used for selecting an option. This object allows you to toggle between two choices. By clicking a radio button, a dot is placed in the circle, indicating that you selected the option. When the circle is empty, the option is not selected.
• screen - a main object of an application that displays across your monitor. A screen can contain panels, windows, frames, fields, tables, text boxes, list boxes, icons, buttons, and radio buttons.
• sub-topic - a subset of a main topic that displays as a menu item for the topic. The menu of sub-topics opens when a pertinent topic link in the left panel—the navigation panel—of a screen is clicked. If a sub-topic is selected, the window for that sub-topic displays in the right panel of the screen, or a pop-up window or an alert box opens, as appropriate.
• text box - an area in a dialog box, window, or screen that accommodates your data entry. A text box is a type of field. (See “field”.)
• topic - a topic displays as a link in the left panel—the navigation panel—of a screen. By clicking the link for a topic, the window for that topic displays in the right panel of the screen, or a menu of sub-topics opens.
• tree - a tree displays in the navigation panel of a screen, and is comprised of a hierarchical list of items. An entity associated with a branch of the tree is preceded by a plus (+) sign when the branch is collapsed. By double-clicking the item, a minus (-) sign replaces the plus sign, and any entity within that branch of the tree displays. An item in the tree is selected by clicking it.
• window - a window displays on a screen, and can contain frames, fields, text boxes, list boxes, buttons, checkboxes, and radio buttons. A window for a topic or sub-topic displays in the right panel of the screen. Other types of windows include pop-up windows, login windows, or ones from the system such as the Save As or Choose file windows.
CHAPTER 1: INTRODUCTION FILTERING ELEMENTS

Filtering Elements

Filtering operations include the following elements: groups, filtering profiles and their components, and rules for filtering.

Group Types

In the Group section of the Administrator console, group types are structured in a tree format in the navigation panel. There are four group types in the tree list:
• Global Group
• IP groups
• NT domain groups
• LDAP domain groups
NOTES: If authentication is enabled, the global administrator—who has all rights and permissions on the R3000 server—will see all branches of the tree: Global Group, IP, NT, and LDAP. If authentication is disabled, only the Global Group and IP branches will be seen.
A group administrator will only see entities assigned to him/her by the global administrator.
Global Group
The first group that must be set up is the global group, represented in the tree structure by the global icon. The filtering profile created for the global group represents the default profile to be used by all groups that do not have a filtering profile, and all users who do not belong to a group.
IP Groups
The IP group type is represented in the tree by the IP icon. A master IP group is comprised of sub-group members and/or individual IP members.
The global administrator adds master IP groups, adds and maintains override accounts at the global level, and establishes and maintains the minimum filtering level.
The group administrator of a master IP group adds sub-group and individual IP members, override account and time profiles, and maintains filtering profiles of all members in the master IP group.
Fig. 1-1 IP diagram with a sample master IP group and its members
NT Domain Groups
An NT domain on a network server is comprised of Windows NT groups and their associated members (users), derived from profiles on the network’s domain controller.
The NT group type is represented in the tree by the NT icon. This branch will only display if authentication is enabled. Using the tree menu, the global administrator adds and maintains NT domains, and assigns designated group administrators (Sub Admins) access to entities (nodes) within that domain.
The group administrator creates and maintains filtering profiles for groups and/or users assigned to him/her.
If users belong to more than one group, the global administrator sets the priority for group filtering.
Fig. 1-2 NT domain diagram, with sample groups and members
LDAP Domain Groups
An LDAP (Lightweight Directory Access Protocol) domain on a network server is comprised of LDAP groups and their associated members (users), derived from profiles on the network’s authentication server.
The LDAP group type is represented in the tree by the LDAP icon. This branch will only display if authentication is enabled. Using the tree menu, the global administrator adds and maintains LDAP domains, and assigns designated group administrators (Sub Admins) access to specific entities (nodes) within that domain.
The group administrator creates and maintains filtering profiles for entities assigned to him/her. For Active Directory or “Other” server types, these entities include primary or static groups, users, or containers. For Novell eDirectory, SunOne, Sun IPlanet, or Netscape Directory server types, these entities also include dynamic groups.
If users belong to more than one group, the global administrator sets the priority for group filtering.
Fig. 1-3 LDAP domain diagram, with sample groups and members

Filtering Profile Types

A filtering profile is used by all users who are set up to be filtered on the network. This profile consists of rules that dictate whether a user has access to a specified Web site or service on the Internet.
The following types of filtering profiles can be created, based on the set up in the tree menu of the Group section of the console:
Global Group
• global filtering profile - the default filtering profile positioned at the base of the hierarchical tree structure, used by end users who do not belong to a group.
IP group (Master Group)
• master group filtering profile - used by end users who belong to the master group.
• master time profile - used by master group users at a specified time.
IP group member
• sub-group filtering profile - used by a sub-group member.
• individual filtering profile - used by an individual IP group member.
• time profile - used by a sub-group/individual IP group member at a specified time.
Authentication filtering profiles
• NT/LDAP group filtering profile - used by an NT or LDAP group.
• NT/LDAP member filtering profile - used by an NT or LDAP group member.
• LDAP container filtering profile - used by an LDAP container in an LDAP domain.
• NT/LDAP time profile - used by an NT or LDAP domain/group/member at a specified time.
Other filtering profiles
• override account profile - set up in either the global group section or the master group section of the console.
NOTE: An override account set up in the master IP group section of the R3000 console takes precedence over an override account set up in the global group section of the console.
• lock profile - set up under X Strikes Blocking in the Filter Options section of the profile.
• Radius profile - used by end users on a Radius accounting server if the Radius server is connected to the R3000 and the Radius authentication feature is enabled.
• TAR profile - used if a Threat Analysis Reporter (TAR) server is connected to the R3000 and an end user is locked out by TAR when attempting to access blocked content in a library category.
Static Filtering Profiles
Static filtering profiles are based on fixed IP addresses and include profiles for master IP groups and their members.
Master IP Group Filtering Profile
The master IP group filtering profile is created by the global administrator and is maintained by the group administrator. This filtering profile is used by members of the group—including sub-group and individual IP group members—and is customized to allow/deny users access to URLs, or warn users about accessing specified URLs, to redirect users to another URL instead of having a block page display, and to specify usage of appropriate filter options.
IP Sub-Group Filtering Profile
An IP sub-group filtering profile is created by the group administrator. This filtering profile applies to end users in an IP sub-group and is customized for sub-group members.
Individual IP Member Filtering Profile
An individual IP member filtering profile is created by the group administrator. This filtering profile applies to a specified end user in a master IP group.
Active Filtering Profiles
Active filtering profiles include the global group profile, NT/LDAP authentication profile, override account profile, time profile, and lock profile.
Global Filtering Profile
The global filtering profile is created by the global administrator. This profile is used as the default filtering profile. The global filtering profile consists of a customized profile that contains a list of library categories to block, open, add to a white list, or assign a warn setting, and service ports that are configured to be blocked. A URL can be specified for use instead of the standard block page when users attempt to access material set up to be blocked. Various filter options can be enabled.
NT/LDAP Group Filtering Profile
An NT or LDAP group filtering profile is created by the group administrator assigned to the NT or LDAP group. This profile can be customized to allow/deny group users access to URLs, or warn users about accessing specified URLs, to redirect users to another URL instead of having the standard block page display, and to specify usage of appropriate filter options.
If users belong to more than one group, all groups to which they belong must be ranked to determine the priority each filtering profile takes over another.
NT/LDAP Member Filtering Profile
An NT or LDAP member filtering profile is created by the group administrator assigned to that member. This profile can be customized to allow/deny a user access to URLs, or warn a user about accessing specified URLs, to redirect the user to another URL instead of the standard block page, and to specify usage of appropriate filter options.
LDAP Container Filtering Profile
An LDAP container filtering profile is created by the group administrator assigned to that container. This profile can be customized to allow/deny users access to URLs, or warn users about accessing specified URLs, to redirect users to another URL instead of the standard block page, and to specify usage of appropriate filter options.
Override Account Profile
If any user needs access to a specified URL that is set up to be blocked, the global administrator or group administrator can create an override account for that user. This account grants the user access to areas set up to be blocked on the Internet.
Time Profile
A time profile is a customized filtering profile set up to be effective at a specified time period for designated users.
Lock Profile
This filtering profile blocks the end user from Internet access for a set period of time, if the end user’s profile has the X Strikes Blocking filter option enabled and he/she has received the maximum number of strikes for inappropriate Internet usage.
NOTE: Refer to the R3000 User Guide for additional information on the Override Account Profile, Time Profile, and Lock Profile.

Filtering Profile Components

Filtering profiles are comprised of the following components:
• library categories - used when creating a rule, minimum filtering level, or filtering profile for the global group or any entity
• service ports - used when setting up filter segments on the network, creating the global group (default) filtering profile, or establishing the minimum filtering level
• rules - specify which library categories should be blocked, left open, assigned a warn setting, or white listed
• filter options - specify which features will be enabled: X Strikes Blocking, Google/Yahoo!/Ask.com/AOL Safe Search Enforcement, Search Engine Keyword Filter Control, URL Keyword Filter Control
• minimum filtering level - takes precedence over filtering profiles of entities who are using a filtering profile other than the global (default) filtering profile
• filter settings - used by service ports, filtering profiles, rules, and the minimum filtering level to indicate whether users should be granted or denied access to specified Internet content
Library Categories
A library category contains a list of Web site addresses and keywords for search engines and URLs that have been set up to be blocked or white listed. Library categories are used when creating a rule, the minimum filtering level, or a filtering profile.
8e6 Supplied Categories
8e6 furnishes a collection of library categories, grouped under the heading “Category Groups” (excluding the “Custom Categories” group). Updates to these categories are provided by 8e6 on an ongoing basis, and administrators also can add or delete individual URLs within a specified library category.
Custom Categories
Custom library categories can be added by either global or group administrators. As with 8e6 supplied categories, additions and deletions can be made within a custom category. However, unlike 8e6 supplied categories, a custom category can be deleted.
NOTE: 8e6 cannot provide updates to custom categories. Maintaining the list of URLs and keywords is the responsibility of the global or group administrator.
Service Ports
Service ports are used when setting up filter segments on the network (the range of IP addresses/netmasks to be detected by the R3000), the global (default) filtering profile, and the minimum filtering level.
When setting up the range of IP addresses/netmasks to be detected, service ports can be set up to be open (ignored). When creating the global filtering profile and the minimum filtering level, service ports can be set up to be blocked or filtered.
Examples of service ports that can be set up include File Transfer Protocol (FTP), Hyper Text Transfer Protocol (HTTP), Network News Transfer Protocol (NNTP), Secured HTTP Transmission (HTTPS), and Secure Shell (SSH).
Rules
A rule is comprised of library categories to block, leave open, assign a warn setting, or include in a white list. Access to an open library category can be restricted to a set number of minutes. Each rule that is created by the global administrator is assigned a number. A rule is selected when creating a filtering profile for an entity.
Minimum Filtering Level
The minimum filtering level consists of library categories set up at the global level to be blocked or opened, and service ports set up to be blocked or filtered. If the minimum filtering level is created, it applies to all users in IP, NT, and LDAP groups, and takes precedence over filtering settings made for group and member filtering profiles.
The minimum filtering level does not apply to any user who does not belong to a group, and to groups that do not have a filtering profile established.
NOTE: If the minimum filtering level is not set up, global (default) filtering settings will apply instead.
Filter Settings
Categories and service ports use the following settings to specify how filtering will be executed:
• block - if a category or a service port is given a block setting, users will be denied access to the item set up as “blocked”
• open - if a category or the filter segment detected on the network is given an open (pass) setting, users will be allowed access to the item set up as “opened”
NOTE: Using the quota feature, access to an open category can be restricted to a defined number of minutes.
• always allowed - if a category is given an always allowed setting, the category is included in the user’s white list and takes precedence over blocked categories
• warn - if a category is given a warn setting, a warning page displays for the end user to warn him/her that accessing the intended URL may be against established policies and to proceed at his/her own risk
• filter - if a service port is given a filter setting, that port will use filter settings created for library categories (block or open settings) to determine whether users should be denied or allowed access to that port
• ignore - if the filter segment detected on the network has a service port set up to be ignored, that service port will be bypassed

Filtering Rules

Individual User Profiles - A user in an NT or LDAP domain can have only one individual profile set up per domain.
Filtering Levels Applied:
1. The global (default) filtering profile applies to any user under the following circumstances:
• the user does not belong to a master IP group
• the user has not been assigned a domain default profile from an NT or LDAP authentication domain
2. If a minimum filtering level is defined, it applies to all master IP groups (and their members) and NT/LDAP groups who have been assigned filtering profiles after authenticating. The minimum filtering level combines with the user’s profile to guarantee that categories blocked in the minimum filtering level are blocked in the user’s profile.
3. For master IP group members:
a. A master IP group filtering profile takes precedence over the global profile.
b. A master IP group time profile takes precedence over the master IP group profile.
4. For IP sub-group members:
a. An IP sub-group filtering profile takes precedence over the master IP group’s time profile.
b. An IP sub-group time profile takes precedence over the IP sub-group profile.
5. For individual IP members:
a. An individual IP member filtering profile takes precedence over the IP sub-group’s time profile.
b. An individual IP member time profile takes precedence over the individual IP member profile.
6. For NT/LDAP users, if a user is authenticated, settings for the user’s group or individual profile from the NT/LDAP domain are applied and take precedence over any IP profile.
a. If the user belongs to more than one group in an authentication domain, the profile for the user is determined by the order in which the groups are listed in the Group Priority list set by the global administrator. The user is assigned the profile for the group highest in the Group Priority list.
NOTE: On an LDAP domain, if a user belongs to a container, that profile takes precedence over the group profile for that user.
b. If a user has an individual profile set up, that profile supersedes all other profile levels for that user. The user can have only one individual profile in each domain.
c. If the user has a time profile, that profile takes precedence over other profiles. A group time profile takes precedence over a domain time profile, and an individual time profile takes precedence over a group time profile.
NOTE: A Radius profile is another type of authentication profile and is weighted the same as NT/LDAP authentication profiles in the precedence hierarchy.
7. An override account profile takes precedence over an authentication profile or a time profile. This account may override the minimum filtering level—if the override account was set up in the master IP group tree, and the global administrator allows override accounts to bypass the minimum filtering level, or if the override account was set up in the global group tree.
NOTE: An override account set up in the master IP group section of the R3000 console takes precedence over an override account set up in the global group section of the console.
8. A lock profile takes precedence over all filtering profiles. This profile is set up under Filter Options, by enabling the X Strikes Blocking feature.
NOTE: A Threat Analysis Reporter (TAR) profile is another type of lock profile that is weighted the same as a lock profile in the precedence hierarchy.
Fig. 1-4 Sample filtering hierarchy diagram
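The precedence rules above can be checked against a candidate set of profiles with a small resolver. The following Python is an added example, not 8e6 code: the level names, the `Profile` class, and the group and category names are assumptions made for illustration, and it assumes that within rule 6 every time profile outranks the non-time authentication profiles.

```python
from dataclasses import dataclass

# Precedence levels, lowest to highest, from rules 1-8 of "Filtering Levels
# Applied". The level names are labels invented for this example.
# Assumption: within rule 6, any authentication time profile outranks the
# non-time authentication profiles (rule 6c).
PRECEDENCE = [
    "global",                                   # rule 1
    "master_ip", "master_ip_time",              # rule 3
    "ip_subgroup", "ip_subgroup_time",          # rule 4
    "ip_individual", "ip_individual_time",      # rule 5
    "auth_group", "ldap_container",             # rule 6a and its NOTE
    "auth_individual",                          # rule 6b
    "auth_domain_time", "auth_group_time", "auth_individual_time",  # rule 6c
    "override_global", "override_master_ip",    # rule 7 and its NOTE
    "lock",                                     # rule 8 (TAR weighs the same)
]
RANK = {name: i for i, name in enumerate(PRECEDENCE)}
ALL_ACCESS = frozenset({"*"})  # marker used here for "no Internet access"


@dataclass(frozen=True)
class Profile:
    level: str
    blocked: frozenset = frozenset()


def pick_group(user_groups, group_priority):
    """Rule 6a: use the member group listed highest in the Group Priority list."""
    for group in group_priority:
        if group in user_groups:
            return group
    return None


def min_level_applies(level, override_may_bypass):
    """Rules 2 and 7: decide whether the minimum filtering level is merged in."""
    if level == "global":
        return False          # user is on the default profile only
    if level == "override_global":
        return False          # override set up in the global group tree
    if level == "override_master_ip":
        return not override_may_bypass  # depends on the global admin's setting
    return True


def resolve(active, min_level_blocked=frozenset(), override_may_bypass=False):
    """Return (winning level, effective blocked categories).

    `active` holds only the profiles in effect right now; a time profile is
    passed in only during its time period.
    """
    if not active:
        raise ValueError("at least the global profile must be present")
    winner = max(active, key=lambda p: RANK[p.level])
    if winner.level == "lock":
        return winner.level, ALL_ACCESS
    blocked = set(winner.blocked)
    if min_level_applies(winner.level, override_may_bypass):
        blocked |= min_level_blocked   # rule 2: these categories stay blocked
    return winner.level, frozenset(blocked)


# Constructed sample: one authenticated LDAP user on a workstation that also
# falls inside an IP sub-group. Group and category names are made up.
GLOBAL = Profile("global", frozenset({"adult"}))
MASTER_IP = Profile("master_ip", frozenset({"adult", "games"}))
SUBGROUP = Profile("ip_subgroup", frozenset({"adult"}))
GROUP_PROFILES = {
    "Staff": Profile("auth_group", frozenset({"games"})),
    "Students": Profile("auth_group", frozenset({"games", "chat"})),
}
MIN_LEVEL = frozenset({"malware"})


def demo():
    group = pick_group({"Students", "Staff"}, ["Staff", "Students"])
    active = [GLOBAL, MASTER_IP, SUBGROUP, GROUP_PROFILES[group]]
    return group, resolve(active, MIN_LEVEL)


if __name__ == "__main__":
    print(demo())
```

Running the same candidates with and without `override_may_bypass` shows which override accounts escape the minimum filtering level, which is the setting worth auditing first.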
CHAPTER 1: INTRODUCTION AUTHENTICATION SOLUTIONS

Authentication Solutions

R3000 Authentication Protocols

The R3000 supports two types of authentication protocols: Windows NT LAN Manager (NTLM), and Lightweight Directory Access Protocol (LDAP).
NTLM authentication supports NTLM authentication running on any of the following servers: Windows NT 4.0, Windows 2000 Mixed Mode, and Windows 2003 Mixed Mode.
LDAP authentication supports all versions of LDAP, such as Microsoft Active Directory, Novell eDirectory, Sun ONE, and OpenLDAP.

R3000 Authentication Tiers and Options

R3000 authentication tiers
The R3000 authentication architecture for NTLM and LDAP authentication protocols is comprised of three tiers. When using NT and/or LDAP authentication with the R3000, one of these three tiers is selected for use on the network, depending on the server(s) used on the network and the preferred authentication method(s) to be employed.
Tier 1: Single sign-on, net use based authentication for NT or Active Directory domains.
Tier 2: Time-based, Web authentication for NT and LDAP authentication methods.
Tier 3: Session-based, Web authentication for NT or LDAP authentication method.
R3000 authentication options
Depending on the setup of your network, any of the following authentication options can be enabled to ensure the end user is authenticated when logging into his/her workstation: 8e6 Authenticator, Active Directory Agent, and Novell eDirectory Agent.
NOTE: See Appendix A: Authentication Operations for information on using Tier 1, Tier 2, and Tier 3 on the network, and configuring 8e6 Authenticator, Novell eDirectory Agent, and Active Directory Agent.

Authentication Solution Compatibility

Below is a chart representing the authentication solution compatibility for a single user:
| Tier 1 | Tier 2 | Tier 3 | 8e6 Authenticator | eDirectory Agent | Active Directory Agent
Tier 1 net use | -- | Yes | Yes | N/R | N/A | N/R
Tier 2 time based | Yes | -- | N/A | Yes | Yes | Yes
Tier 3 session based | Yes | N/A | -- | Yes | Yes | Yes
8e6 Authenticator | N/R | Yes | Yes | -- | N/R | N/R
eDirectory Agent | N/A | Yes | Yes | N/R | -- | N/A
Active Directory Agent | N/R | Yes | Yes | N/R | N/A | --
KEY:
N/A = Not Applicable
N/R = Not Recommended

Authentication System Deployment Options

Below is a chart representing authentication system deploy­ment options on a network:
Authentication System | Single Sign-On (SSO) | Force Authentication
SunOne, OpenLDAP, CommuniGate Pro (Stalker) | None | Tier 2 or Tier 3
Windows NT 4.0 | Tier 1 “net use” | Tier 2 or Tier 3
Windows 2000/2003 Server (both Mixed and Native modes) | Tier 1 “net use”, 8e6 Authenticator, AD Agent | Tier 2 or Tier 3
Novell eDirectory | 8e6 Authenticator, Novell eDirectory Agent (for eDirectory server version 8.7 and higher) | Tier 2 or Tier 3
Windows 2000/2003 Server and Novell eDirectory Mixed environment | 8e6 Authenticator, Novell eDirectory Agent, AD Agent | Tier 2 or Tier 3

Ports for Authentication System Access

The following ports should be used for authentication system access:
Type | No. | Function
TCP | 8081 | Used between the R3000’s transmitting interface and the SSL block page for Tier 2 or Tier 3 authentication.
TCP | 836 | Used between the R3000’s Virtual IP address and Java applet for Tier 3 authentication.
TCP | 139 | Used between the R3000 and workstations requiring Tier 1 or Tier 3 authentication.
TCP/UDP | 137 | Used between the R3000 and workstations requiring Tier 1 authentication.
LDAP | 389 | Used for communicating with domain controllers in order to bind with them so that user/group information can be queried/accessed.
LDAPS | 636 | Used for communicating with domain controllers in order to bind with them so that user/group information can be queried/accessed.

Configuring the R3000 for Authentication

Configuration procedures
When configuring the R3000 server for authentication, settings must be made in System and Group windows in the Administrator console.
NOTES: If the network has more than one domain, the first one you add should be the domain on which the R3000 resides.
The entries described in this section represent entries to be made on a typical network.
System section
The first settings for authentication must be made in the System section of the Administrator console in the following windows: Operation Mode, LAN Settings, Enable/Disable Authentication, Authentication Settings, Authentication SSL Certificate (if Web-based authentication will be used), and Block Page Authentication.
1. Select “Mode” from the navigation panel, and then select “Operation Mode” from the pop-up menu.
The entries made in the Operation Mode window will vary depending on whether you will be using the invisible mode, or the router or firewall mode.
In the Listening Device frame, set the Listening Device to “LAN1”.
In the Block Page Device frame:
• If using the invisible mode, select “LAN2”.
• If using the router or firewall mode, select “LAN1”.
2. Select “Network” from the navigation panel, and then select “LAN Settings” from the pop-up menu.
The entries made in this window will vary depending on whether you are using the invisible mode, or the router or firewall mode. The LAN1 and LAN2 IP addresses usually should be in a different subnet.
• If using the invisible mode: For the LAN1 IP address, select 255.255.255.255 for the subnet mask.
• If using the router or firewall mode: Specify the appropriate IP address and subnet mask in the applicable fields.
3. Select “Authentication” from the navigation panel, and then select Enable/Disable Authentication from the pop-up menu.
Enable authentication, and then select one of three tiers in the Web-based Authentication frame:
• Tier 1: Choose this option if you will only be using net use based authentication for NT or Active Directory servers.
• Tier 2: Choose this option if you wish to use timed Web-based authentication for NT and LDAP domains. This option gives the user a timed session for his/her Internet access. After the timed profile expires, the user will have to log in again if he/she wants to continue to have Internet access.
• Tier 3: Choose this option if you wish to use persistent Web-based authentication for NT and LDAP domains. This option gives the user a persistent network connection via a pop-up window that keeps the user’s session open until the window is closed, so the user does not have to log in repeatedly.
If you wish to use the tier you specified as a fallback authentication solution, you have the option to enable any of the following authentication solutions as appropriate to your environment: 8e6 Authenticator, Active Directory Agent, Novell eDirectory Agent.
4. Select “Authentication” from the navigation panel, and then select “Authentication Settings” from the pop-up menu.
In the Settings frame, enter general configuration settings for the R3000 server such as IP address entries.
From the NIC Device to Use for Authentication pull-down menu:
• If using the invisible mode: Select “LAN2” as the device to send traffic on the network.
• If using the router or firewall mode: Select “LAN1”.
Information should only be entered in the NT Authentication Server Details frame if the R3000 will use the NT Authentication method to authenticate users.
5. Select “Authentication” from the navigation panel, and then select Authentication SSL Certificate from the pop-up menu. This option should be used if Web-based authentication will be deployed on the R3000 server.
Using this option, you create either a self-signed certificate or a Certificate Request (CSR) for use by the Secure Sockets Layer (SSL). The certificate should be placed on client machines so that these machines will recognize the R3000 as a valid server with which they can communicate.
6. Select “Control” from the navigation panel, and then select “Block Page Authentication” from the pop-up menu.
In the Block Page Authentication window, select the Re-authentication Options to be used. The items you select will be listed as options for re-authentication on the Options page, accessible from the standard block page. If the “Re-authentication” (NET USE) option is selected, enter the login script path to be used by the R3000 for re-authentication purposes.
7. Select “Administrator” from the navigation panel to access the Administrator window. Add group administrator (Sub Admin) accounts in this window. Sub Admin group administrators will later be assigned to manage entities in the NT and/or LDAP branch(es) of the Group tree.
Group section
In the Group section of the Administrator console, choose NT or LDAP, and then do the following:
1. Add a domain from the network to the list of domains that will have users authenticated by the R3000.
NOTE: If the network has more than one domain, the first one you add should be the domain on which the R3000 resides.
2. Do either of the following as necessary:
• Assign a group administrator to oversee the newly-added domain and to set up filtering profiles for all groups and members within that domain
• Assign Sub Admin group administrators to specific groups and let them create filtering profiles for their group and its members
3. Set the group priority by designating which group profile will be assigned to a user when he/she logs in. If a user is a member of multiple groups, the group that is positioned highest in the list is applied.

CHAPTER 2: NETWORK SETUP

Environment Requirements

Workstation Requirements

Administrator
Minimum system requirements for the administrator include the following:
• Windows 2000 or later operating system (not compatible with Windows server 2003) running Internet Explorer (IE) 6.0 or later (Windows Vista running IE7)
• Macintosh OS X Version 10.5 running Safari 2.0, Firefox 2.0
• JavaScript enabled
• Java Virtual Machine
• Java Plug-in (use the version specified for the R3000 software version)
• Java Runtime Environment, if using Tier 3 authentication
NOTE: R3000 administrators must be set up with software installation privileges in order to install Java used for accessing the interface.
End User
• Windows 98 or later operating system (not compatible with Windows server 2003) running Internet Explorer (IE) 5.5 or later
• Macintosh OS X running Safari 1.0 or later, Firefox 1.0 or later
• JavaScript enabled
• Java Runtime Environment, if using Tier 3 authentication
• Pop-up blocking software, if installed, must be disabled

Network Requirements

• High speed connection from the R3000 server to the client workstations
• HTTPS connection to 8e6’s software update server
• Internet connectivity for downloading Java Virtual Machine—and Java Runtime Environment, if necessary—if not already installed

Set up the Network for Authentication

The first settings for authentication must be made in the System section of the console in the following windows: Operation Mode, LAN Settings, Enable/Disable Authentication, Authentication Settings, Authentication SSL Certificate (if Web-based authentication will be used), View Log File (for troubleshooting authentication setup), and Block Page Authentication. Entries for customizing the block page and/or authentication request form are made in the Common Customization, Authentication Form Customization, and Block Page Customization windows.

Specify the operation mode

Click Mode and select Operation Mode from the pop-up menu to display the Operation Mode window:
Fig. 2-1 Operation Mode window
The entries made in this window will vary depending on whether you will be using the invisible mode, or the router or firewall mode.
1. In the Mode frame, select the mode to be used: “Invisible”, “Router”, or “Firewall”.
2. In the Listening Device frame, set the Device to “LAN1”.
3. In the Block Page Device frame:
• If using the invisible mode, select “LAN2”.
• If using the router or firewall mode, select “LAN1”.
If using the invisible mode, the Block Page Delivery Method frame displays. Choose from either of the two Protocol Methods:
• “Send Block Page via ARP Table” - this option uses the Address Resolution Protocol method to find the best possible destination MAC address of a specified host, usually the R3000 gateway.
• “Send Block to Specified Host MAC Address” - using this preferred method, the block page will always be sent to the MAC address of a specified host, usually the R3000 gateway.
Choose from either of the two Block Page Route To selections:
• “Default Gateway” - this option indicates that the default gateway on your network will be used for sending block pages.
• “Alternate IP Address” - this option should be used if block pages are not being served. Enter the IP address of the router or device that will serve block pages.
4. Click Apply.

Specify the subnet mask, IP address(es)

Click Network and select LAN Settings from the pop-up menu to display the LAN Settings window:
Fig. 2-2 LAN Settings window
The entries made in this window will vary depending on whether you are using the invisible mode, or the router or firewall mode.
NOTE: If the gateway IP address on the network changes, be sure to update the Gateway IP address in this window.
Invisible mode
For the LAN1 IP address, select 255.255.255.255 for the subnet mask, and click Apply.
Router or firewall mode
1. Enter the following information:
• In the LAN1 IP field of the IP/Mask Setting frame, enter the IP address and specify the corresponding subnet of the “LAN1” network interface card to be used on the network.
• In the LAN2 IP field, enter the IP address and specify the corresponding subnet of the “LAN2” network interface card to be used on the network.
TIP: The LAN1 and LAN2 IP addresses usually should be placed in different subnets.
• In the Primary IP field of the DNS frame, enter the IP address of the first DNS server to be used for resolving the IP address of the authentication server with the machine name of that server.
• In the Secondary IP field of the DNS frame, enter the IP address of the second DNS server to be used for resolving the IP address of the authentication server with the machine name of that server.
• In the Gateway IP field of the Gateway frame, enter the IP address of the default router to be used for the entire network segment.
2. Click Apply to apply your settings.
NOTE: Whenever modifications are made in this window, the server must be restarted in order for the changes to take effect.

Enable authentication, specify criteria

1. Click Authentication and select Enable/Disable Authentication from the pop-up menu to display the Enable/Disable Authentication window:
2. Click Enable to enable authentication.
3. Select one of three tiers in the Web-based Authentication frame:
Fig. 2-3 Enable/Disable Authentication window
NOTES: See information on the following pages for details about each of the tiers, and for steps that must be executed to enable your tier selection.
See Appendix A: Authentication Operations for more information about each tier and for configuring various authentication options.
4. Enable any of the following authentication options, as pertinent to your environment:
• In the 8e6 Authenticator frame, be sure the 8e6 Authenticator is “On”—unless the Novell eDirectory Agent option will be used instead. When enabling the 8e6 Authenticator option, and then downloading and installing the 8e6 Authenticator (authenticat.exe) on a network share accessible by the domain controller or a Novell eDirectory server, the 8e6 Authenticator automatically authenticates the end user when he/she logs into his/her workstation.
• If you have a Novell eDirectory server and the 8e6 Authenticator will not be used, turning “On” Novell eDirectory Agent will enable end user logon and logoff events to be logged. To use this option, the LDAP domain must be set up and activated in the Group tree.
WARNING: When enabling Novell eDirectory Agent, the agent will immediately begin scanning Novell eDirectory-based domain labels.
• If using a Windows 2000 or Windows 2003 server for authentication, the Active Directory Agent option can be used for capturing end user logon and logoff events and sending a session table to the R3000 so end users receive the correct filtering profile. To use this feature, turn “On” the AD Agent, and then specify settings for administrator computers authorized to configure the AD Agent via the Active Directory Agent console. Download and install the AD Agent (DCAgent.msi) on the administrator workstation.
5. If using Tier 1, in the Sending Keep Alive frame, click "On" to specify that keep alives should be sent on a connection to verify whether it is still active. Click "Off" to specify that the end user's session will be kept alive based on the number of minutes entered in the text box.
6. Click Apply.
Net use based authentication
Tier 1: Web-based Authentication disabled (Net Use enabled) – Choose this option if you will be using net use based authentication for NT or Active Directory.
1. Click “Tier 1”.
2. In the Sending Keep Alive frame, click the radio button corresponding to the option to be used:
• “On” - This option specifies that keep alives should be sent on a connection to verify whether it is still active.
• “Off” - This option specifies that the end user's session will be kept alive based on the number of minutes entered in the text box.
In the Inactive session lifetime (in minutes) field, enter the number of minutes the end user’s session will be kept alive.
3. Click Apply to open the alert box that confirms your selection.
Web-based authentication
Choose either Tier 2 or Tier 3 if Web-based authentication will be used.
NOTE: If selecting either Tier 2 or Tier 3, please be informed that in an organization with more than 5000 users, slowness may be experienced during the authentication process. In this scenario, 8e6 recommends using an R3000 Filter with an SSL accelerator card installed. Please contact 8e6 for more information.
Tier 2: Use time-based profiles, with time-out (in minutes) – Choose this option if using NT and/or LDAP authentication, and you want the user to have a time limit on his/her Internet connection. This option uses an authentication servlet that lets the user log into either domain with no persistent connection between the client PC and the R3000.
1. Click “Tier 2”.
2. Enter a whole number for the duration of time the user will retain his/her Internet connection.
3. Click Apply to open the alert box that confirms your selection.
Tier 3: Use persistent logins via a Java Applet – Choose this option if using NT and/or LDAP authentication, and you want the user to maintain a persistent network connection.
This option—the preferred method for NT authentication—opens a profile window that uses a Java applet:
Fig. 2-4 Java applet
The profile window must be kept open during the user’s session in order for the user to have continued access to the Internet.
NOTE: Tier 3 Authentication requires a current version of Java Runtime Environment (JRE) on end-users' PCs. In some cases, a JRE will need to be downloaded and installed on workstations and the R3000 will allow the JRE download at the time of login. However some operating systems may require this action to be performed manually.
1. Click “Tier 3”.
2. Click Apply to open the dialog box that informs you about the requirement of a current Java Runtime Environment (JRE) to be installed on each end user’s workstation:
Fig. 2-5 Tier 3 dialog box
3. To ensure that end-users are using the most current version of JRE, choose the method for distributing the current version to their workstations: “8e6 automatically distributes JRE during user login” or the default selection, “Administrator manually distributes JRE to user workstations”.
4. Click Continue to open the alert box that confirms your selection.

Enter network settings for authentication

1. Click Authentication and select Authentication Settings from the pop-up menu to display the Authentication Settings window:
Fig. 2-6 Authentication Settings window
In the Settings frame, at the R3000 NetBIOS Name field the NetBIOS name of the R3000 displays. This information comes from the entry made in the Host Name field of the LAN Settings window.
2. In the IP Address of WINS Server field, if using a WINS server for name resolution, enter the IP address of each Windows DNS server to be filtered by this R3000, with a space between each IP address.
3. In the Virtual IP Address to Use for Authentication field, 1.2.3.5 displays by default. If using Tier 1 or Tier 3, enter the IP address that from now on will be used for communicating authentication information between the R3000 and the PDC. This must be an IP address that is not being used, on the same segment of the network as the R3000.
WARNING: If the IP address entered here is not in the same subnet as this R3000, the net use connection will fail.
4. From the NIC Device to Use for Authentication pull-down menu:
• if using the invisible mode, select “LAN2” for sending traffic on the network—in particular, for transferring authentication data.
• if using the router or firewall mode, select “LAN1”.
5. Click Apply to apply your settings.
NOTE: If using the NT authentication method, you will later return to this window to join the domain. See the section on Join the NT domain in Chapter 3: NT Authentication Setup for information about these procedures.
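The constraints in steps 3 and 4 (an unused virtual IP in the R3000's subnet, and the NIC that matches the operation mode) can be checked before the values are typed into the window. The following Python check is an added example, not part of the 8e6 manual or the R3000 software; the function name, the problem codes and all sample addresses are assumptions made for illustration, it compares the virtual IP against the subnet of the NIC chosen for authentication, and it treats as "in use" only the addresses passed to it.

```python
import ipaddress

# Operation mode -> NIC chosen in "NIC Device to Use for Authentication" (step 4).
AUTH_NIC_BY_MODE = {"invisible": "LAN2", "router": "LAN1", "firewall": "LAN1"}
DEFAULT_VIRTUAL_IP = ipaddress.ip_address("1.2.3.5")  # value the field shows by default


def check_auth_settings(mode, nics, virtual_ip, in_use=()):
    """Return (auth_nic, problems) for planned Authentication Settings entries.

    mode       -- "invisible", "router" or "firewall" (Operation Mode window)
    nics       -- {"LAN1": "ip/mask", "LAN2": "ip/mask"} (LAN Settings window)
    virtual_ip -- planned Virtual IP Address to Use for Authentication
    in_use     -- addresses already assigned (gateway, DNS servers, hosts);
                  only these and the NIC addresses are treated as taken
    problems   -- list of (code, message) tuples; empty when every check passes
    """
    mode = mode.lower()
    if mode not in AUTH_NIC_BY_MODE:
        raise ValueError(f"unknown operation mode: {mode!r}")
    auth_nic = AUTH_NIC_BY_MODE[mode]
    ifaces = {name: ipaddress.ip_interface(value) for name, value in nics.items()}
    net = ifaces[auth_nic].network
    vip = ipaddress.ip_address(virtual_ip)
    taken = {i.ip for i in ifaces.values()} | {ipaddress.ip_address(a) for a in in_use}
    problems = []

    if vip == DEFAULT_VIRTUAL_IP:
        problems.append(("DEFAULT", "virtual IP is still the default 1.2.3.5"))
    if vip not in net:
        # The manual's WARNING: outside the subnet, the net use connection fails.
        problems.append(("SUBNET", f"{vip} is not in {net}, the subnet of {auth_nic}"))
    elif net.prefixlen < 31 and vip in (net.network_address, net.broadcast_address):
        problems.append(("RESERVED", f"{vip} is the network or broadcast address of {net}"))
    if vip in taken:
        problems.append(("IN_USE", f"{vip} is already assigned"))
    if mode == "invisible" and ifaces["LAN1"].network.prefixlen != 32:
        # LAN Settings, invisible mode: LAN1 uses subnet mask 255.255.255.255.
        problems.append(("LAN1_MASK", "invisible mode expects mask 255.255.255.255 on LAN1"))
    if mode != "invisible" and ifaces["LAN1"].network.overlaps(ifaces["LAN2"].network):
        # The manual's TIP: LAN1 and LAN2 usually belong in different subnets.
        problems.append(("SHARED_SUBNET", "LAN1 and LAN2 are in the same subnet"))
    return auth_nic, problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    sample_nics = {"LAN1": "10.10.1.2/255.255.255.255", "LAN2": "10.10.1.3/255.255.255.0"}
    for candidate in ("1.2.3.5", "10.10.1.3", "10.10.1.50"):
        nic, found = check_auth_settings("invisible", sample_nics, candidate,
                                         in_use=["10.10.1.1"])
        print(candidate, nic, [code for code, _ in found] or "OK")
```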

Create an SSL certificate

Authentication SSL Certificate should be used if Web-based authentication will be deployed on the R3000 server. Using this feature, a Secure Sockets Layer (SSL) self-signed certificate is created and placed on client machines so that the R3000 will be recognized as a valid server with which they can communicate.
Click Authentication and select Authentication SSL Certificate from the pop-up menu to display the Authentication SSL Certificate window:
Fig. 2-7 Authentication SSL Certificate window
This window is comprised of three tabs: Self Signed Certificate, Third Party Certificate, and Download/View/Delete Certificate. These tabs are used to create, view, and/or delete self-signed or third party SSL certificates.
Create, Download a Self-Signed Certificate
1. On the Self Signed Certificate tab, click Create Self Signed Certificate to generate the SSL certificate.
2. Click the Download/View/Delete Certificate tab:
Fig. 2-8 Download/View/Delete Certificate tab
3. Click Download/View Certificate to open the File Download dialog box where you indicate whether you wish to Open and view the file, or open the Save As window so that you can Save the SSL certificate to a specified folder on your workstation.
NOTE: While the SSL certificate can be downloaded on a Macintosh computer, the best method to import the certificate is via the Authentication Request Form, when prompted by the Security Alert warning message to add the certificate to the trusted certificate store.
Once the certificate is saved to your workstation, it can be distributed to client workstations for users who need to be authenticated.
TIP: Click Delete Certificate to remove the certificate from the server.
Create, Upload a Third Party Certificate
Create a Third Party Certificate
1. Click the Third Party Certificate tab:
Fig. 2-9 Third Party Certificate tab
NOTE: If a third party certificate has not yet been created, the Create CSR button is the only button activated on this tab.
2. Click Create CSR to open the Create CSR pop-up window:
Fig. 2-10 Create CSR pop-up window
The Common Name (Host Name) field should automatically be populated with the host name. This field can be edited, if necessary.
3. Enter your Email Address.
4. Enter the name of your Organization, such as 8e6 Technologies.
5. Enter an Organizational Unit code set up on your server, such as Corp.
6. Enter Locality information such as the name of your city or principality.
7. Enter the State or Province name in its entirety, such as California.
8. Enter the two-character Country code, such as US.
9. Click Create to generate the Certificate Signing Request.
NOTE: Once the third party certificate has been created, the Create CSR button displays greyed-out and the Download/View CSR, Upload Certificate, Delete CSR buttons are now activated.
Upload a Third Party Certificate
1. Click Upload Certificate to open the Upload Signed SSL Certificate for R3000 pop-up window:
Fig. 2-11 Upload Signed SSL Certificate box
The Message dialog box also opens with the message: "Click OK when upload completes."
TIP: Click Cancel in the dialog box to cancel the procedure.
2. In the Upload Signed SSL Certificate for R3000 pop-up window, click Browse to open the Choose file window.
3. Select the file to be uploaded.
4. Click Upload File to upload this file to the R3000.
5. Click OK in the Message dialog box to confirm the upload and to close the dialog box.
Download a Third Party Certificate
1. In the Authentication SSL Certificate window, click Download/View CSR to open a pop-up window containing the contents of the certificate request:
Fig. 2-12 Download CSR pop-up window
2. Click the “X” in the upper right corner of the window to close it.
TIP: Click Delete CSR to remove the certificate from the server.

View log results

Use the View Log File window if you need to troubleshoot any problems with the authentication setup process.
1. Click Diagnostics and select View Log File from the pop-up menu to display the View Log File window:
Fig. 2-13 View Log File window
NOTE: In this user guide, only authentication-related options will be addressed. For information about all other options, see the View Log File window in the R3000 User Guide.
2. In the Log File Details frame, select the type of Log File to view:
• “User Name Log (usage.log)” - used for viewing the time and date a user logged on and off the network, along with the user's profile information.
• “Wbwatch Log (wbwatch.log)” - used for viewing messages on attempts to join the domain via the Authentication Settings window.
• “Authentication Log (AuthenticationServer.log)” - used for viewing information about the authentication process for users, including SEVERE and WARNING error messages.
• “Admin GUI Server Log (AdminGUIServer.log)” - used for viewing information on entries made by the administrator in the console.
• “eDirectory Agent Debug Log (edirAgent.log)” - used for viewing the debug log, if using eDirectory LDAP authentication.
• “eDirectory Agent Event Log (edirEvent.log)” - used for viewing the event log, if using eDirectory LDAP authentication.
• “Authentication Module Log (authmodule.log)” - used for viewing information about SEVERE error messages pertaining to LDAP authentication connection attempts.
3. Choose the Last Number of Lines to view (100-500) from that file.
4. Click View to display results in the Result pop-up window:
Fig. 2-14 View Log File Result pop-up window
5. Click the “X” in the upper right corner of the pop-up window to close it.

Specify block page settings

Click Control and select Block Page Authentication from the pop-up menu to display the Block Page Authentication window:
Fig. 2-15 Block Page Authentication window
Block Page Authentication
1. In the Re-authentication Options field of the Details frame, all block page options are selected by default, except for Web-based Authentication. Choose from the following options by clicking your selection:
• Web-based Authentication - select this option if using Web authentication with time-based profiles or persistent login connections for NT or LDAP authentication methods.
• Re-authentication - select this option for the re-authentication option. The user can restore his/her profile and NET USE connection by clicking an icon in a window to run a NET USE script.
• Override Account - select this option if any user has an Override Account, allowing him/her to access URLs set up to be blocked at the global or IP group level.
TIP: Multiple options can be selected by clicking each option while pressing the Ctrl key on your keyboard.
NOTE: See the R3000 User Guide for information about the Override Account feature.
2. If the “Re-authentication” option was selected, in the Logon Script Path field, \\PDCSHARE\scripts displays by default. In this field, enter the path of the logon script that the R3000 will use when re-authenticating users on the network, in the event that a user's machine loses its connection with the server, or if the server is rebooted. This format requires the entry of two backslashes, the authentication server’s computer name (or computer IP address) in capital letters, a backslash, and name of the share path.
3. Click Apply to apply your settings.
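The Logon Script Path format described in step 2 can be checked before the value is entered. This Python function is an added example, not 8e6 code; its name and messages are hypothetical, the sample paths in the demo are constructed, and the 15-character limit and forbidden characters are the general NetBIOS computer-name rules rather than anything stated in this guide.

```python
import ipaddress

# Characters that cannot appear in a NetBIOS computer name (general Windows rule).
BAD_NAME_CHARS = set('\\/:*?"<>|')


def check_logon_script_path(path):
    """Return (server, share, problems) for a Logon Script Path entry.

    The expected form is two backslashes, the authentication server's computer
    name in capital letters (or its IP address), a backslash, and the share path.
    """
    if not path.startswith("\\\\") or path.startswith("\\\\\\"):
        return None, None, ["must begin with exactly two backslashes"]
    server, _, share = path[2:].partition("\\")
    problems = []
    if "/" in path:
        problems.append("use backslashes, not forward slashes")
    if not server:
        problems.append("server name or IP address is missing")
    else:
        try:
            ipaddress.IPv4Address(server)  # an IP address is accepted as-is
        except ValueError:
            if server != server.upper():
                problems.append("computer name must be in capital letters")
            if len(server) > 15:
                problems.append("NetBIOS computer names are at most 15 characters")
            if BAD_NAME_CHARS & set(server):
                problems.append("computer name contains a character not allowed in NetBIOS names")
    if not share.strip("\\"):
        problems.append("share path is missing")
    return server, share, problems


if __name__ == "__main__":
    # Constructed sample entries; the first is the default the field displays.
    for entry in (r"\\PDCSHARE\scripts", r"\\pdcshare\scripts",
                  r"\\10.10.1.20\netlogon", r"\PDCSHARE\scripts", r"\\PDCSHARE"):
        print(entry, "->", check_logon_script_path(entry)[2] or "OK")
```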
Block page
When a user attempts to access Internet content set up to be blocked, the block page displays on the user’s screen:
Fig. 2-16 Block page
NOTES: See Block Page Customization for information on adding free form text and a hyperlink at the top of the block page. See Appendix C: Create a Custom Block Page from the R3000 User Guide for information on creating a customized block page using your own design.
User/Machine frame
By default, the following data displays in the User/Machine frame:
• User/Machine field - The username displays for the NT/LDAP user. This field is blank for the IP group user.
• IP field - The user’s IP address displays.
• Category field - The name of the library category that blocked the user’s access to the URL displays. If the content the user attempted to access is blocked by an Exception URL, “Exception” displays instead of the library category name.
• Blocked URL field - The URL the user attempted to access displays.
Standard Links
By default, the following standard links are included in the block page:
• HELP - Clicking this link takes the user to 8e6’s Technical Support page that explains why access to the site or service may have been denied.
• 8e6 Technologies - Clicking this link takes the user to 8e6’s Web site.
Optional Links
By default, these links are included in the block page under the following conditions:
• For further options, click here. - This phrase and link is included if any option was selected at the Re-authentication Options field in the Block Page Authentication window. Clicking this link takes the user to the Options window, described in the Options page sub-section that follows.
• To submit this blocked site for review, click here. - This phrase and link is included if an email address was entered in the Submission Email Address field in the Common Customization window. Clicking this link launches the user’s default email client. In the composition window, the email address from the Submission Email Address field populates the “To” field. The user’s message is submitted to the global administrator.
Options page
The Options page displays when the user clicks the following link in the block page: For further options, click here.
Fig. 2-17 Options page
The following items previously described for the Block page display in the upper half of the Options page:
• BACK and HELP links
• User/Machine frame contents
The frame beneath the User/Machine frame includes information for options (1, 2, and/or 3) based on settings made in the Block Page Authentication window.
Option 1
Option 1 is included in the Options page if “Web-based Authentication” was selected at the Re-authentication Options field in the Block Page Authentication window. The following phrase/link displays:
Click here for secure Web-based authentication.
When the user clicks the link, the Authentication Request Form opens:
Fig. 2-18 Authentication Request Form
NOTE: See Authentication Form Customization for information on adding free form text and a hyperlink at the top of the Authentication Request Form.
Option 2
The following phrase/link displays, based on options selected at the Re-authentication Options field in the Block Page Authentication window:
• Re-start your system and re-login - This phrase displays for Option 1, whether or not either of the Re-authentication Options (Re-authentication, or Web-based Authentication) was selected in the Block Page Authentication window. If the user believes he/she was incorrectly blocked from a specified site or service, he/she should re-start his/her machine and log back in.
• Try re-authenticating your user profile - This link displays if “Re-authentication” was selected at the Re-authentication Options field, and an entry was made in the Logon Script Path field. When the user clicks this link, a window opens:
Fig. 2-19 Re-authentication option
The user should click the logon.bat icon to run a script that will re-authenticate his/her profile on the network.
Option 3
Option 3 is included in the Options page, if “Override Account” was selected at the Re-authentication Options field in the Block Page Authentication window.
This option is used by any user who has an override account set up for him/her by the global group administrator or the group administrator. An override account allows the user to access Internet content blocked at the global or IP sub-group level.
The user should enter his/her Username and Password, and then click Override to open the Profile Control window. This window must be left open throughout the user’s session in order for the user to be able to access blocked Internet content.
NOTES: See Appendix F: Override Pop-up Blockers for information on how a user with an override account can authenticate if a pop-up blocker is installed on his/her workstation.
See the R3000 User Guide for information about the Override Account feature.
Common Customization
Common Customization lets you specify elements to be included in block pages and/or the authentication request form end users will see.
Click Customization and then select Common Customization from the pop-up menu to display the Common Customization window:
Fig. 2-20 Common Customization window
By default, in the Details frame all elements are selected to display in the HTML pages, the Help link points to the FAQs page on 8e6's public site that explains why access was denied, and a sample email address is included for administrator contact information. These details can be modified, as necessary.
Enable, disable features
1. Click “On” or “Off” to enable or disable the following elements in the HTML pages, and make entries in fields to display customized text, if necessary:
• Username Display - if enabled, displays “User/Machine” followed by the end user’s username in block pages
• IP Address Display - if enabled, displays “IP” followed by the end user’s IP address in block pages
• Category Display - if enabled, displays “Category” followed by the long name of the blocked category in block pages
• Blocked URL Display - if enabled, displays “Blocked URL” followed by the blocked URL in block pages
• Copyright Display - if enabled, displays 8e6 R3000 copyright information at the footer of block pages and the authentication request form
• Title Display - if enabled, displays the title of the page in the title bar of the block pages and the authentication request form
• Help Display - if enabled, displays the specified help link text in block pages and the authentication request form. The associated URL (specified in the Help Link URL field described below) is accessible to the end user by clicking the help link.
NOTE: If enabling the Help Display feature, both the Help Link Text and Help Link URL fields must be populated.
Help Link Text - By default, HELP displays as the help
link text. Enter the text to display for the help link.
Help Link URL - By default, http://www.8e6.com/tech-
support/deniedresponse.html displays as the help link URL. Enter the URL to be used when the end user clicks the help link text (specified in the Help Link Text field).
• Submission Review Display - if enabled, displays in block pages the email address of the administrator to receive requests for a review on sites the end users feel are incorrectly blocked. The associated email address (specified in the Submission Email Address field described below) is accessible to the end user by clicking the click here link.
NOTE: If enabling the Submission Review Display feature, an email address entry of the designated administrator in your organization must be made in the Submission Email Address field.
Submission Email Address - By default, admin@company.com displays in block pages as the email address of the administrator to receive feedback on content the end user feels has been incorrectly blocked. Enter the global administrator's email address.
2. Click Apply to save your entries.
TIP: Click Restore Default and then Apply to revert to the default settings.
Authentication Form Customization
To customize the Authentication Request Form, click Customization and select Authentication Form from the pop-up menu:
Fig. 2-21 Authentication Form Customization window
NOTE: This window is activated only if Authentication is enabled via System > Authentication > Enable/Disable Authentication, and Web-based Authentication is specified.
TIP: An entry in any of the fields in this window is optional, but if an entry is made in the Link Text field, a corresponding entry must also be made in the Link URL field.
1. Make an entry in any of the following fields:
• In the Header field, enter a static header to be displayed at the top of the Authentication Request Form.
• In the Description field, enter a static text message to be displayed beneath the Authentication Request Form header.
• In the Link Text field, enter text for the link's URL to be displayed beneath the Description in the Authentication Request Form, and in the Link URL field, enter the corresponding hyperlink in plain text using the http:// or https:// syntax.
Any entries made in these fields will display centered in the Authentication Request Form, using the Arial font type.
2. Click Apply.
TIP: Click Restore Default and then Apply to revert to the default text in this window.
Preview sample Authentication Request Form
1. Click Preview to launch a separate browser window containing a sample Authentication Request Form, based on entries saved in this window and in the Common Customization window:
Fig. 2-22 Sample Customized Authentication Request Form
By default, the following data displays in the frame:
Username field - The username displays.
Password field - The user’s IP address displays.
Domain field - All LDAP domain names set up on the R3000 display in the pull-down menu.
Alias field (optional) - All alias names associated with the LDAP domain specified in the field above display in the pull-down menu, if the account names were entered for that LDAP domain.
By default, the following standard links are included in the Authentication Request Form:
HELP - Clicking this link takes the user to 8e6’s Technical Support page that explains why access to the site or service may have been denied.
8e6 Technologies - Clicking this link takes the user to 8e6’s Web site.
2. Click the “X” in the upper right corner of the window to close the sample Authentication Request Form.
TIP: If necessary, make edits in the Authentication Form Customization window or the Common Customization window, and then click Preview in this window again to view a sample Authentication Request Form.
Block Page Customization
To customize the block page, click Customization and select Block Page from the pop-up menu:
Fig. 2-23 Block Page Customization window
NOTE: See Appendix C: Create a Custom Block Page from the R3000 User Guide for information on creating a customized block page using your own design.
TIP: An entry in any of the fields in this window is optional, but if an entry is made in the Link Text field, a corresponding entry must also be made in the Link URL field.
1. Make an entry in any of the following fields:
• In the Header field, enter a static header to be displayed at the top of the block page.
• In the Description field, enter a static text message to be displayed beneath the block page header.
• In the Link Text field, enter text for the link's URL to be displayed beneath the Description in the block page, and in the Link URL field, enter the corresponding hyperlink in plain text using the http:// or https:// syntax.
Any entries made in these fields will display centered in the customized block page, using the Arial font type.
2. Click Apply.
TIP: Click Restore Default and then Apply to revert to the default text in this window.
Preview sample block page
1. Click Preview to launch a separate browser window containing a sample customized block page, based on entries saved in this window and in the Common Customization window:
Fig. 2-24 Sample Customized Block Page
By default, the following data displays in the User/Machine frame:
User/Machine field - The username displays for the NT/LDAP user. This field is blank for the IP group user.
IP field - The user’s IP address displays.
Category field - The name of the library category that blocked the user’s access to the URL displays. If the content the user attempted to access is blocked by an Exception URL, “Exception” displays instead of the library category name.
Blocked URL field - The URL the user attempted to access displays.
By default, the following standard links are included in the block page:
HELP - Clicking this link takes the user to 8e6’s Technical Support page that explains why access to the site or service may have been denied.
8e6 Technologies - Clicking this link takes the user to 8e6’s Web site.
By default, these links are included in the block page under the following conditions:
For further options, click here. - This phrase and link is included if any option was selected at the Re-authentication Options field in the Block Page Authentication window. Clicking this link takes the user to the Options window, described in the Options page sub-section.
To submit this blocked site for review, click here. - This phrase and link is included if an email address was entered in the Submission Email Address field in the Common Customization window. Clicking this link launches the user’s default email client. In the composition window, the email address from the Submission Email Address field populates the “To” field. The user’s message is submitted to the global administrator.
2. Click the “X” in the upper right corner of the window to close the sample customized block page.
TIP: If necessary, make edits in the Block Page Customization window or the Common Customization window, and then click Preview in this window again to view a sample block page.
CHAPTER 2: NETWORK SETUP SET UP GROUP ADMINISTRATOR ACCOUNTS

Set up Group Administrator Accounts

The global administrator creates group administrator (Sub Admin) accounts so that these group administrators can be assigned to manage specific NT or LDAP entities set up in the Group tree. Sub Admin group administrator accounts are set up in the Administrator window from the System section of the console.
NOTE: IP group administrator accounts are set up in the IP branch of the Group tree when new IP groups are created. See Chapter 2: Group screen from the Global Administrator Section of the R3000 User Guide for information on creating IP groups.

Add Sub Admins to manage groups, users

Click Administrator to display the Administrator window:
Fig. 2-25 Administrator window
Add a group administrator account
To add an NT/LDAP group administrator (Sub Admin) account:
1. In the Account Details frame, enter the username in the Username field.
2. In the Password field, enter eight to 20 characters, including at least one alpha character, one numeric character, and one special character. The password is case sensitive.
3. Make the same entry again in the Confirm Password field.
4. Select “Sub Admin” from the Type pull-down menu.
5. Click Add to include the username and account type in the Current User list box.
Update the group administrator’s password
1. Select the username from the Current User list box; this action populates the Account Details frame with data.
2. In the Password field, enter eight to 20 characters for a new password—including at least one alpha character, one numeric character, and one special character. The password is case sensitive.
3. Enter the same new password again in the Confirm Password field.
4. Click Modify to apply your settings.
Delete a group administrator account
To delete an administrator account:
1. Select the username from the Current User list box.
2. Click Delete to remove the account.
NOTE: If a group administrator assigned to an NT/LDAP entity is deleted, that group administrator must be removed from assignment to that NT/LDAP entity and another group administrator set up for assignment to manage that entity. See Chapter 5: Assign/ Set up Groups, Members for information on assigning and re-assigning an entity for management.
CHAPTER 3: NT AUTHENTICATION SETUP
NOTE: If you are running a Windows 2000 or Windows 2003 Server and are using the NTLM authentication protocol, then you need to make SMB Signing “not required.” See Appendix B: Disable SMB Signing Requirements for steps on how to disable SMB Signing restrictions.

Join the NT Domain

In the System section of the console, click Authentication and select Authentication Settings from the pop-up menu to display the Authentication Settings window:
Fig. 3-1 Authentication Settings window
Information should only be entered in the NT Authentication Server Details frame if the R3000 will use the NT Authentication method to authenticate users.
NOTE: The following Windows servers are supported by the current version of authentication: NT 4.0 SP4 or later, Mixed Mode 2000, and 2003. A Windows 2003 server may require changes to the default settings for SMB signing to allow communications.
The account that is provided for accessing the Windows server must have the administrative rights to add a machine account to the specified domain on the R3000. This require­ment ensures the R3000 will be able to authenticate users from the Windows domain.
1. Enter the alphanumeric Name of Domain on which this server resides, using capital letters.
2. Using capital letters, enter up to 15 alphanumeric characters of the PDC NetBIOS Name, which is the computer name of the authentication server, or Primary Domain Controller.
3. Enter the PDC IP Address, which is the authentication server's IP address.
4. Enter the Administrator Username and Administrator Password. The account used for joining the domain must have administrator privileges.
5. Click Join Domain to save your entries and to submit a request for the R3000 to join the domain.
TIP: If entries in the NT Authentication Server Details frame are modified after joining the domain, you must join the domain again.
NOTE: Click Save if you are only pre-configuring the box. This option lets you save credentials without re-entering the information each time the domain is joined, or if the R3000 gets out of sync with the Primary Domain Controller.
CHAPTER 3: NT AUTHENTICATION SETUP CREATE AN NT DOMAIN

Create an NT Domain

After joining the domain, go to the Group section of the console and add an NT domain that contains entities to be authenticated.

Add an NT domain

1. Click NT in the navigation panel to open the pop-up menu, and select Add Domain to open the Create Domain Controller dialog box:
Fig. 3-2 Create Domain Controller
2. In the Domain Name field, enter the name of the domain on which the R3000 resides, using capital letters.
NOTES: The Domain Name must be the same name entered in the Authentication Settings window’s Name of Domain field.
The alphanumeric NT domain name must be at least two characters but less than 64 characters in length, and can contain a hyphen (-) and underscore (_), though the hyphen cannot be the first or last character of the name.
3. In the Domain Controller field, enter the name of the authentication server for the domain.
4. Enter the domain controller’s IP Address.
5. In the UserName field, enter the username of the administrator.
6. Enter the password in the Password and Confirm Password fields.
7. Click Apply to add the domain to the tree.
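The entry rules given above (NT domain name length and characters, the 15-character PDC NetBIOS Name, matching Domain Name and Name of Domain) and the Sub Admin password rule from Chapter 2 can be checked before the values are typed into the console. The following Python is an added example, not part of the R3000 software or of the original guide; the function names, the reading of "special character" as ASCII punctuation, and the IPv4-only address check are assumptions.

```python
import ipaddress
import re
import string


def check_domain_name(name):
    """Return a list of problems with an NT domain name (empty if valid)."""
    problems = []
    if not 2 <= len(name) <= 63:  # "at least two ... but less than 64"
        problems.append("length must be 2 to 63 characters")
    if name != name.upper():
        problems.append("must be entered in capital letters")
    if not re.fullmatch(r"[A-Za-z0-9_-]*", name):
        problems.append("only letters, digits, '-' and '_' are allowed")
    if name.startswith("-") or name.endswith("-"):
        problems.append("hyphen cannot be the first or last character")
    return problems


def check_netbios_name(name):
    """PDC NetBIOS Name: up to 15 alphanumeric characters, capital letters."""
    problems = []
    if not 1 <= len(name) <= 15:
        problems.append("length must be 1 to 15 characters")
    if not re.fullmatch(r"[A-Z0-9]*", name):
        problems.append("only capital letters and digits are allowed")
    return problems


def check_password(pw):
    """Sub Admin password: 8 to 20 characters, one alpha, numeric, special."""
    problems = []
    if not 8 <= len(pw) <= 20:
        problems.append("length must be 8 to 20 characters")
    if not any(c in string.ascii_letters for c in pw):
        problems.append("needs at least one alpha character")
    if not any(c in string.digits for c in pw):
        problems.append("needs at least one numeric character")
    # Assumption: "special character" means ASCII punctuation.
    if not any(c in string.punctuation for c in pw):
        problems.append("needs at least one special character")
    return problems


def check_join_settings(auth_domain, pdc_name, pdc_ip, group_domain):
    """Check one set of entries; return {field: [problems]} for failures only."""
    report = {
        "Name of Domain": check_domain_name(auth_domain),
        "PDC NetBIOS Name": check_netbios_name(pdc_name),
        "PDC IP Address": [],
        "Domain Name": check_domain_name(group_domain),
    }
    try:
        ipaddress.IPv4Address(pdc_ip)  # assumption: IPv4 addressing
    except ValueError:
        report["PDC IP Address"].append("not a valid IPv4 address")
    # Create Domain Controller entry must equal the Authentication Settings entry.
    if group_domain != auth_domain:
        report["Domain Name"].append("must match Name of Domain")
    return {field: found for field, found in report.items() if found}
```

An empty dictionary from check_join_settings means every entry satisfies the rules stated in this guide; it does not confirm that the account has the rights needed to join the domain.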

Refresh the NT branch

Click NT in the navigation panel to open the pop-up menu, and select Refresh whenever changes have been made in this branch of the tree.

View or modify NT domain details

Domain Settings
1. Double-click NT in the navigation panel to open the NT branch of the Group tree. Select the NT domain you added, and choose Domain Details from the pop-up menu to display the default Settings tab of the NT Domain Details window:
Fig. 3-3 NT Domain Details window, Settings tab
NOTE: To enter profile information for NT groups and users once domain settings are established, see Set up NT Domain Groups, Members.
2. For the Domain Settings:
• The Domain Name entered in the Create Domain Controller dialog box displays greyed-out and cannot be modified.
• The following fields can be modified: name of the Domain Controller, IP Address, User Name, Password, and Confirm Password.
Whenever criteria on this tab are modified:
a. The password from the Password field must be entered in the Confirm Password field for verification.
b. Click Modify to apply your settings.
Default Rule
1. Click the Default Rule tab to display the Default Rule settings of the NT Domain Details window:
Fig. 3-4 NT Domain Details window, Default Rule tab
2. For the Default Rule:
• “Rule0, the Minimum Filtering Level” displays by default as the Default Rule. If this rule is used, it will be applied to all groups and members in the NT domain without a filtering profile established.
• “Default Block Page” is selected by default as the Default Redirect URL. If the default block page is used, it will be applied to all groups and members in the NT domain without a filtering profile established. If “Custom URL” is selected, a URL must be entered in the corresponding text box.